author | Delia Popescu <delia.popescu@enea.com> | 2018-08-07 11:43:11 +0300 |
---|---|---|
committer | Delia Popescu <delia.popescu@enea.com> | 2018-08-07 10:32:01 +0000 |
commit | a1635b63db18d1a5388ca4f4d9a21cbcdb7fc4c4 (patch) | |
tree | 48ac791812eb1b41cba1fa96a034af09daf6712e | |
parent | 7fe07e31a3aca294b4093ba238ce648fa4cb0f38 (diff) |
Enable barbican integration on compute nodes
Configure barbican for cinder-volumes and nova-compute
to use encrypted volumes
Disable default glance image signature verification with
barbican enabled
JIRA: FUNCTEST-981
Change-Id: I35660234526780a2277e459f3fa21a67d96ce7d7
Signed-off-by: Delia Popescu <delia.popescu@enea.com>
-rw-r--r-- | mcp/patches/0016-Disable-glance-signature-verification.patch | 36 | ||||
-rw-r--r-- | mcp/patches/patches.list | 1 | ||||
-rw-r--r-- | mcp/reclass/classes/cluster/mcp-common-noha/openstack_compute.yml | 1 |
3 files changed, 38 insertions, 0 deletions
diff --git a/mcp/patches/0016-Disable-glance-signature-verification.patch b/mcp/patches/0016-Disable-glance-signature-verification.patch new file mode 100644 index 000000000..55f641800 --- /dev/null +++ b/mcp/patches/0016-Disable-glance-signature-verification.patch @@ -0,0 +1,36 @@ +:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: +: Copyright (c) 2018 Mirantis Inc., Enea AB and others. +: +: All rights reserved. This program and the accompanying materials +: are made available under the terms of the Apache License, Version 2.0 +: which accompanies this distribution, and is available at +: http://www.apache.org/licenses/LICENSE-2.0 +:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: +From: Delia Popescu <delia.popescu@enea.com> +Date: Mon, 6 Aug 2018 17:09:14 +0300 +Subject: [PATCH] Disable glance signature verification + +Disable glance signature verification if barbican +integration is enabled on compute nodes + +Signed-off-by: Delia Popescu <delia.popescu@enea.com> +--- + nova/files/queens/nova-compute.conf.Debian | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/nova/files/queens/nova-compute.conf.Debian b/nova/files/queens/nova-compute.conf.Debian +index d471a264..47a4e890 100644 +--- a/nova/files/queens/nova-compute.conf.Debian ++++ b/nova/files/queens/nova-compute.conf.Debian +@@ -5447,9 +5447,9 @@ api_servers = {{ compute.image.get('protocol', 'http') }}://{{ compute.image.hos + # below depend on this option being enabled. + # (boolean value) + {%- if compute.get('barbican', {}).get('enabled', False) %} +-verify_glance_signatures=true ++#verify_glance_signatures=true + {%- else %} +-#verify_glance_signatures=false ++verify_glance_signatures=false + {%- endif %} + + # DEPRECATED: diff --git a/mcp/patches/patches.list b/mcp/patches/patches.list index baa15d79d..2f9107156 100644 --- a/mcp/patches/patches.list +++ b/mcp/patches/patches.list 
@@ -10,3 +10,4 @@ /usr/share/salt-formulas/env: 0010-maas-region-allow-timeout-override.patch /usr/share/salt-formulas/env: 0011-system.repo-Debian-Add-keyserver-proxy-support.patch /usr/share/salt-formulas/env: 0015-Set-ovs-bridges-as-L3-interfaces.patch +/usr/share/salt-formulas/env: 0016-Disable-glance-signature-verification.patch diff --git a/mcp/reclass/classes/cluster/mcp-common-noha/openstack_compute.yml b/mcp/reclass/classes/cluster/mcp-common-noha/openstack_compute.yml index a027113ae..359ca131d 100644 --- a/mcp/reclass/classes/cluster/mcp-common-noha/openstack_compute.yml +++ b/mcp/reclass/classes/cluster/mcp-common-noha/openstack_compute.yml @@ -22,6 +22,7 @@ parameters: _param: interface_mtu: 9000 linux_system_codename: xenial + barbican_integration_enabled: true nova: compute: libvirt_service: libvirtd |
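Review bot: In the nova/files/queens/nova-compute.conf.Debian hunk carried by 0016-Disable-glance-signature-verification.patch, the barbican-enabled branch only comments the option out (`#verify_glance_signatures=true`), so the effective value on those nodes depends on nova's built-in default, while the else branch now sets `verify_glance_signatures=false` explicitly. If the intent is to disable verification whenever barbican is enabled, write `verify_glance_signatures=false` in that branch too, or drop the conditional, since neither branch enables verification any more. The context comment says other options depend on this one being enabled, so it would be safer to drive the value from a pillar parameter that defaults to the new behaviour. Deployments that do sign their glance images could then turn verification back on without another formula patch. The patch description should also state that compute nodes will boot images without a signature check.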
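Review bot: The added `barbican_integration_enabled: true` in mcp/reclass/classes/cluster/mcp-common-noha/openstack_compute.yml is the only reclass change in this commit, although the commit message also names cinder-volumes and the diffstat shows no cinder class or HA compute class being touched. Please confirm that this `_param` is what the cinder-volume configuration on these nodes reads, and either add the same parameter to the HA compute class or say in the commit message that the change is noha-only. The value is also hard-coded to true, so together with patch 0016 every noha compute node runs with barbican integration on and glance signature verification not enabled; a scenario-level override would let a deployment opt out.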