Add HA (load balancing) support

This patch add support for configuring proteccio to use
more than one HSM.  When more than one HSM is provided
the proteccio client is configured for High Availability (HA).

This patch changes the format of the variables and should
be released as a new major version. (e.g. 1.0.0).

Change-Id: Ib9989ee72a67f71275e31b966bff7673072fb3f8

README.rst

@@ -22,20 +22,35 @@ Role Variables
    * - atos_client_iso_location
      - None
      - Full URL where a copy of ATOS Client ISO can be downloaded.
-   * - atos_hsm_ip_address
-     - None
-     - IPv4 address for the ATOS HSM.
    * - atos_client_cert_location
      - None
      - Full URL where the client certificate can be downloaded.
    * - atos_client_key_location
      - None
      - Full URL where the client key can be downloaded.
-   * - atos_server_cert_location
+   * - atos_hsms
      - None
-     - Full URL where the server certificate can be downloaded.
+     - List of one or more HSM devices.
 
 Requirements
 ------------
 
  - ansible >= 2.4
+
+Usage
+-----
+
+You'll need to set up a temporary HTTP server somewhere that is accessible
+to the node where this role will be applied.  The HTTP server should serve
+the following:
+
+- ATOS Client Software ISO file.
+- HSM Server Certificate file(s).
+- HSM Client Certificate file.
+- HSM Client Key file associated with the Client Certificate.
+
+Due to the sensitive nature of the Certificate and Key files, you should
+use TLS encryption and username and passwords to access the HTTP server.
+
+Use the hostname and user/password for your HTTP server for the full URL values
+that need to be set for this role.  See `vars.yaml.example`.

handlers/main.yaml

@@ -0,0 +1,5 @@
+---
+- name: legacy vars warning
+  debug:
+    msg: "WARNING: Using legacy atos_server_cert_location and atos_hsm_ip_address
+          variables.  Please udpate your vars file."

releasenotes/notes/add-high-availability-support-44343eaf5563f5c7.yaml

@@ -0,0 +1,12 @@
+---
+features:
+  - |
+    This version adds support for using more than one ATOS HSM in High
+    Availability mode.  There is a new variable `atos_hsms` that accepts
+    a list of HSM IP addresses and associated Certificates.  See
+    `vars.yaml.sample` for an example.
+deprecations:
+  - |
+    Two variables have been deprecated: `atos_hsm_ip_address` and
+    `atos_server_cert_location`.  You should use the new `atos_hsms` list
+    to specify these values instead.  See `vars.yaml.sample` for an example.

setup.cfg

@@ -3,12 +3,12 @@ name = ansible-role-atos-hsm
 summary = ansible-role-atos-hsm - Ansible role to configure ATOS HSM clients.
 description-file =
     README.rst
-author = TripleO Team
+author = OpenStack Barbican Team
 author-email = alee@redhat.com
-home-page = https://github.com/dmend/ansible-role-atos-hsm
+home-page = https://opendev.org/openstack/ansible-role-atos-hsm
 classifier =
   License :: OSI Approved :: Apache Software License
-  Development Status :: 4 - Beta
+  Development Status :: 5 - Production/Stable
   Intended Audience :: Developers
   Intended Audience :: System Administrators
   Intended Audience :: Information Technology

tasks/main.yaml

@@ -32,21 +32,20 @@
       "Press the <Enter> key to exit the installation program": "\n"
   when: not atos_client.stat.exists
 
-- name: create proteccio.rc
-  copy:
-      dest: /etc/proteccio/proteccio.rc
-      content: |
-          [PROTECCIO]
-          IPaddr={{ atos_hsm_ip_address }}
-          SSL=1
-          SrvCert=server_cert.crt
+- name: allow using legacy variables for backwards compatibility
+  set_fact:
+    args:
+      atos_hsms:
+        - name: Legacy variables HSM
+          server_cert_location: "{{ atos_server_cert_location }}"
+          ip: "{{ atos_hsm_ip_address }}"
+  when: atos_hsms is not defined and atos_hsm_ip_address is defined
+  notify: legacy vars warning
 
-          [CLIENT]
-          Mode=0
-          LoggingLevel=7
-          LogFile=proteccio.log
-          ClntKey=proteccio_client.key
-          ClntCert=proteccio_client.crt
+- name: create proteccio.rc
+  template:
+      src: proteccio.rc.j2
+      dest: /etc/proteccio/proteccio.rc
 
 - name: Get the client cert
   get_url:
@@ -62,9 +61,10 @@
 
 - name: Get the server cert
   get_url:
-      url: "{{ atos_server_cert_location }}"
-      dest: /etc/proteccio/server_cert.crt
+      url: "{{ item.server_cert_location }}"
+      dest: "/etc/proteccio/{{ item.ip | replace('.', '_') }}.CRT"
       force: no
+  loop: "{{ atos_hsms }}"
 
 - name: run nethsmstatus to confirm connection  # noqa 301
   command: nethsmstatus

templates/proteccio.rc.j2

@@ -0,0 +1,17 @@
+{% for item in atos_hsms %}
+[PROTECCIO]
+IPaddr={{ item.ip }}
+SSL=1
+SrvCert={{ item.ip | replace('.', '_') }}.CRT
+
+{% endfor %}
+[CLIENT]
+{% if atos_hsms|length > 1 %}
+Mode=2
+{% else %}
+Mode=0
+{% endif %}
+LoggingLevel=7
+LogFile=/var/log/barbican/atos.log
+ClntKey=proteccio_client.key
+ClntCert=proteccio_client.crt

test-requirements.txt

@@ -1 +1,2 @@
 ansible-lint
+reno

vars.yaml.sample

@@ -0,0 +1,12 @@
+---
+atos_client_iso_name:      "ClientSoftwareISO-1.X.iso"
+atos_client_iso_location:  "https://user:PASSWORD@intranet.example/hsm/client/ClientSoftwareISO-1.X.iso"
+atos_client_cert_location: "https://user:PASSWORD@intranet.example/hsm/client/client_cert.crt"
+atos_client_key_location:  "https://user:PASSWORD@intranet.example/hsm/client/client_key.key"
+atos_hsms:
+  - name:                 "MyHSM 1"
+    server_cert_location: "https://user:PASSWORD@intranet.example/hsm/server/myhsm_1.crt"
+    ip:                   192.168.1.1
+  - name:                 "MyHSM 2"
+    server_cert_location: "https://user:PASSWORD@intranet.example/hsm/server/myhsm_2.crt"
+    ip:                   192.168.1.2