Merge "Add support for encrypting Barbican API"

ansible/roles/barbican/defaults/main.yml

@@ -16,12 +16,14 @@ barbican_services:
         external: false
         port: "{{ barbican_api_port }}"
         listen_port: "{{ barbican_api_listen_port }}"
+        tls_backend: "{{ barbican_enable_tls_backend }}"
       barbican_api_external:
         enabled: "{{ enable_barbican }}"
         mode: "http"
         external: true
         port: "{{ barbican_api_port }}"
         listen_port: "{{ barbican_api_listen_port }}"
+        tls_backend: "{{ barbican_enable_tls_backend }}"
   barbican-keystone-listener:
     container_name: barbican_keystone_listener
     group: barbican-keystone-listener
@@ -142,3 +144,8 @@ barbican_ks_roles:
   - "{{ barbican_creator_role }}"
   - "{{ barbican_observer_role }}"
   - "{{ barbican_audit_role }}"
+
+####################
+# TLS
+####################
+barbican_enable_tls_backend: "{{ kolla_enable_tls_backend }}"

ansible/roles/barbican/tasks/config.yml

@@ -49,7 +49,7 @@
 
 - include_tasks: copy-certs.yml
   when:
-    - kolla_copy_ca_into_containers | bool
+    - kolla_copy_ca_into_containers | bool or barbican_enable_tls_backend | bool
 
 - name: Copying over config.json files for services
   template:

ansible/roles/barbican/templates/barbican-api.ini.j2

 [uwsgi]
-socket = {{ api_interface_address | put_address_in_context('url') }}:{{ barbican_api_listen_port }}
-protocol = http
+{% if barbican_enable_tls_backend | bool %}
+https-socket = {{ api_interface_address | put_address_in_context('url') }}:{{ barbican_api_listen_port }},/etc/barbican/certs/barbican-cert.pem,/etc/barbican/certs/barbican-key.pem
+{% else %}
+http-socket = {{ api_interface_address | put_address_in_context('url') }}:{{ barbican_api_listen_port }}
+{% endif %}
 processes = {{ openstack_service_workers }}
 lazy = true
 vacuum = true

ansible/roles/barbican/templates/barbican-api.json.j2

@@ -19,7 +19,19 @@
             "owner": "barbican",
             "perm": "0600",
             "optional": true
-        }{% if barbican_policy_file is defined %},
+        }{% if barbican_enable_tls_backend | bool %},
+        {
+            "source": "{{ container_config_directory }}/barbican-cert.pem",
+            "dest": "/etc/barbican/certs/barbican-cert.pem",
+            "owner": "barbican",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/barbican-key.pem",
+            "dest": "/etc/barbican/certs/barbican-key.pem",
+            "owner": "barbican",
+            "perm": "0600"
+        }{% endif %}{% if barbican_policy_file is defined %},
         {
             "source": "{{ container_config_directory }}/{{ barbican_policy_file }}",
             "dest": "/etc/barbican/{{ barbican_policy_file }}",

releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml

@@ -2,7 +2,7 @@
 features:
   - |
     Added configuration options to enable backend TLS encryption from HAProxy
-    to the Keystone, Glance, Heat, Placement, Horizon, and Cinder services.
-    When used in conjunction with enabling TLS for service API endpoints,
-    network communcation will be encrypted end to end, from client through
-    HAProxy to the backend service.
+    to the Keystone, Glance, Heat, Placement, Horizon, Barbican, and Cinder
+    services. When used in conjunction with enabling TLS for service API
+    endpoints, network communcation will be encrypted end to end, from client
+    through HAProxy to the backend service.