Deploy Dogtag¶

Dogtag is one of the Barbican plugins that represents a back end for storing symmetric keys, for example, for volume encryption, as well as passwords, and X.509 certificates.

To deploy the Dogtag back end for Barbican:

1. Open the classes/cluster/<cluster_name>/ directory of your Git project repository.

2. In openstack/control.yml, add the Dogtag class and specify the required parameters. For example:

   classes:
   - system.dogtag.server.cluster
   
   ...
   
   parameters:
     _param:
       dogtag_master_host: ${_param:openstack_control_node01_hostname}.${_param:cluster_domain}
       haproxy_dogtag_bind_port: 8444
       cluster_dogtag_port: 8443
       # Dogtag listens on 8443 but there is no way to bind it to a
       # Specific IP, as in this setup Dogtag is installed on ctl nodes
       # Change port on haproxy side to avoid binding conflict.
       haproxy_dogtag_bind_port: 8444
       cluster_dogtag_port: 8443
       dogtag_master_host: ctl01.${linux:system:domain}
       dogtag_pki_admin_password: workshop
       dogtag_pki_client_database_password: workshop
       dogtag_pki_client_pkcs12_password: workshop
       dogtag_pki_ds_password: workshop
       dogtag_pki_token_password: workshop
       dogtag_pki_security_domain_password: workshop
       dogtag_pki_clone_pkcs12_password: workshop
     dogtag:
       server:
         ldap_hostname: ${linux:network:fqdn}
         ldap_dn_password: workshop
         ldap_admin_password: workshop
         export_pem_file_path: /etc/dogtag/kra_admin_cert.pem
   

3. In classes/cluster/<cluster_name>/infra/config/init.yml, add the - system.salt.master.formula.pkg.dogtag class to the classes section.

   For example:

   classes:
   - system.salt.master.formula.pkg.dogtag
   ...
   

4. In classes/cluster/<cluster_name>/infra/config/nodes.yml, specify the dogtag_cluster_role: master parameter in the openstack_control_node01 section, and the dogtag_cluster_role: slave parameter in the openstack_control_node02 and openstack_control_node03 sections.

   For example:

   node:
     openstack_control_node01:
       classes:
       - service.galera.master.cluster
       - service.dogtag.server.cluster.master
       params:
         mysql_cluster_role: master
         linux_system_codename: xenial
         dogtag_cluster_role: master
     openstack_control_node02:
       classes:
       - service.galera.slave.cluster
       - service.dogtag.server.cluster.slave
       params:
         mysql_cluster_role: slave
         linux_system_codename: xenial
         dogtag_cluster_role: slave
     openstack_control_node03:
       classes:
       - service.galera.slave.cluster
       - service.dogtag.server.cluster.slave
       params:
         mysql_cluster_role: slave
         linux_system_codename: xenial
         dogtag_cluster_role: slave
   

5. Commit and push the changes to the project Git repository.

6. Log in to the Salt Master node.

7. Update your Salt formulas at the system level:

   1. Change the directory to /srv/salt/reclass.
   2. Run the git pull origin master command.
   3. Run the salt-call state.sls salt.master command.

8. Apply the following states:

   salt -C 'I@salt:master' state.sls salt,reclass
   salt -C 'I@dogtag:server and *01*' state.sls dogtag.server
   salt -C 'I@dogtag:server' state.sls dogtag.server
   salt -C 'I@haproxy:proxy' state.sls haproxy
   

9. Proceed to Deploy Barbican with the Dogtag back end.