Add Barbican docs

mnasiadka · mnasiadka · commit 50a6bacaa721 · 2023-06-27T16:41:35.000+02:00
diff --git a/doc/source/configuration/vault.rst b/doc/source/configuration/vault.rst
@@ -206,3 +206,69 @@ Enable the required TLS variables in kayobe and kolla
 .. code-block::
 
    kayobe overcloud service deploy
+
+Barbican integration
+====================
+
+Enable Barbican in kayobe
+-------------------------
+
+Set the following in kayobe-config/etc/kayobe/kolla.yml or if environments are being used etc/kayobe/environments/$KAYOBE_ENVIRONMENT/kolla.yml
+
+.. code-block::
+
+   kolla_enable_barbican: yes
+
+Generate secrets_barbican_approle_secret_id
+-------------------------------------------
+
+1. Run ``uuidgen`` to generate secret id
+2. Insert into secrets.yml or if environments are being used etc/kayobe/environments/$KAYOBE_ENVIRONMENT/secrets.yml
+
+.. code-block::
+
+   secrets_barbican_approle_secret_id: "YOUR-SECRET-GOES-HERE"
+
+Create required configuration in Vault
+--------------------------------------
+
+Run vault-deploy-barbican.yml custom playbook
+
+.. code-block::
+
+   kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-deploy-barbican.yml
+
+Add secrets_barbican_approle_id to secrets
+------------------------------------------
+
+Insert into secrets.yml or if environments are being used etc/kayobe/environments/$KAYOBE_ENVIRONMENT/secrets.yml
+
+.. code-block::
+
+   secrets_barbican_approle_id: "YOUR-APPROLE-ID-GOES-HERE"
+
+Configure Barbican
+------------------
+
+Put required configuration in kayobe-config/etc/kayobe/kolla/config/barbican.conf or if environments are being used etc/kayobe/environments/$KAYOBE_ENVIRONMENT/kolla/config/barbican.conf
+
+.. code-block::
+
+   [secretstore]
+   namespace=barbican.secretstore.plugin
+   enable_multiple_secret_stores=false
+   enabled_secretstore_plugins=vault_plugin
+
+   [vault_plugin]
+   vault_url = https://{{ internal_net_vip_address }}:8200
+   use_ssl = True
+   approle_role_id = {{ secrets_barbican_approle_role_id }}
+   approle_secret_id = {{ secrets_barbican_approle_secret_id }}
+   kv_mountpoint = barbican
+
+Deploy Barbican
+---------------
+
+.. code-block::
+
+   kayobe overcloud service deploy -kt barbican
diff --git a/etc/kayobe/ansible/vault-deploy-barbican.yml b/etc/kayobe/ansible/vault-deploy-barbican.yml
@@ -7,6 +7,12 @@
     vault_api_addr: "https://{{ kolla_internal_fqdn }}:8200"
     vault_ca_cert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if ansible_facts.os_family == 'RedHat' else '/usr/local/share/ca-certificates/OS-TLS-ROOT.crt' }}"
   tasks:
+    - name: Assert that secrets_barbican_approle_secret_id is defined
+      assert:
+        that:
+          - secrets_barbican_approle_secret_id is defined
+        fail_msg: "Please define secrets_barbican_approle_secret_id in your secrets.yml"
+
     - name: Include Vault keys
       include_vars:
         file: "{{ kayobe_env_config_path }}/vault/overcloud-vault-keys.json"
