diff --git a/README.rst b/README.rst
index 1ec5a2e..fed7e9b 100644
--- a/README.rst
+++ b/README.rst
@@ -22,20 +22,35 @@ Role Variables
    * - atos_client_iso_location
      - None
      - Full URL where a copy of ATOS Client ISO can be downloaded.
-   * - atos_hsm_ip_address
-     - None
-     - IPv4 address for the ATOS HSM.
    * - atos_client_cert_location
      - None
      - Full URL where the client certificate can be downloaded.
    * - atos_client_key_location
      - None
      - Full URL where the client key can be downloaded.
-   * - atos_server_cert_location
+   * - atos_hsms
      - None
-     - Full URL where the server certificate can be downloaded.
+     - List of one or more HSM devices.
 
 Requirements
 ------------
 
 ansible >= 2.4
+
+Usage
+-----
+
+You'll need to set up a temporary HTTP server somewhere that is accessible
+to the node where this role will be applied. The HTTP server should serve
+the following:
+
+- ATOS Client Software ISO file.
+- HSM Server Certificate file(s).
+- HSM Client Certificate file.
+- HSM Client Key file associated with the Client Certificate.
+
+Due to the sensitive nature of the Certificate and Key files, you should
+use TLS encryption and username and passwords to access the HTTP server.
+
+Use the hostname and user/password for your HTTP server for the full URL values
+that need to be set for this role. See `vars.yaml.example`.
diff --git a/handlers/main.yaml b/handlers/main.yaml
new file mode 100644
index 0000000..b857c94
--- /dev/null
+++ b/handlers/main.yaml
@@ -0,0 +1,5 @@
+---
+- name: legacy vars warning
+  debug:
+    msg: "WARNING: Using legacy atos_server_cert_location and atos_hsm_ip_address
+      variables. Please udpate your vars file."
diff --git a/releasenotes/notes/add-high-availability-support-44343eaf5563f5c7.yaml b/releasenotes/notes/add-high-availability-support-44343eaf5563f5c7.yaml
new file mode 100644
index 0000000..b601106
--- /dev/null
+++ b/releasenotes/notes/add-high-availability-support-44343eaf5563f5c7.yaml
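Review bot: This handler will only run if the task that notifies it reports a changed result, and the notifier in this same change is a `set_fact` task, which as far as I recall reports `ok` rather than `changed`, so the deprecation warning is unlikely ever to be printed. Either add `changed_when: true` to the notifying task in tasks/main.yaml, or drop the handler and emit the warning as an ordinary `debug` task guarded by the same `when:` condition, which also avoids the end-of-play ordering of handlers. The message text has a typo as well: `variables. Please update your vars file.`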
@@ -0,0 +1,12 @@
+---
+features:
+  - |
+    This version adds support for using more than one ATOS HSM in High
+    Availability mode. There is a new variable `atos_hsms` that accepts
+    a list of HSM IP addresses and associated Certificates. See
+    `vars.yaml.sample` for an example.
+deprecations:
+  - |
+    Two variables have been deprecated: `atos_hsm_ip_address` and
+    `atos_server_cert_location`. You should use the new `atos_hsms` list
+    to specify these values instead. See `vars.yaml.sample` for an example.
diff --git a/setup.cfg b/setup.cfg
index cfc888d..25fb4af 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -3,12 +3,12 @@
 name = ansible-role-atos-hsm
 summary = ansible-role-atos-hsm - Ansible role to configure ATOS HSM clients.
 description-file = README.rst
-author = TripleO Team
+author = OpenStack Barbican Team
 author-email = alee@redhat.com
-home-page = https://github.com/dmend/ansible-role-atos-hsm
+home-page = https://opendev.org/openstack/ansible-role-atos-hsm
 classifier =
     License :: OSI Approved :: Apache Software License
-    Development Status :: 4 - Beta
+    Development Status :: 5 - Production/Stable
     Intended Audience :: Developers
     Intended Audience :: System Administrators
     Intended Audience :: Information Technology
diff --git a/tasks/main.yaml b/tasks/main.yaml
index 10a7239..9dec98b 100644
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@@ -32,21 +32,20 @@
       "Press the key to exit the installation program": "\n"
   when: not atos_client.stat.exists
 
-- name: create proteccio.rc
-  copy:
-    dest: /etc/proteccio/proteccio.rc
-    content: |
-      [PROTECCIO]
-      IPaddr={{ atos_hsm_ip_address }}
-      SSL=1
-      SrvCert=server_cert.crt
+- name: allow using legacy variables for backwards compatibility
+  set_fact:
+    args:
+      atos_hsms:
+        - name: Legacy variables HSM
+          server_cert_location: "{{ atos_server_cert_location }}"
+          ip: "{{ atos_hsm_ip_address }}"
+  when: atos_hsms is not defined and atos_hsm_ip_address is defined
+  notify: legacy vars warning
 
-      [CLIENT]
-      Mode=0
-      LoggingLevel=7
-      LogFile=proteccio.log
-      ClntKey=proteccio_client.key
-      ClntCert=proteccio_client.crt
+- name: create proteccio.rc
+  template:
+    src: proteccio.rc.j2
+    dest: /etc/proteccio/proteccio.rc
 
 - name: Get the client cert
   get_url:
@@ -62,9 +61,10 @@
 
 - name: Get the server cert
   get_url:
-    url: "{{ atos_server_cert_location }}"
-    dest: /etc/proteccio/server_cert.crt
+    url: "{{ item.server_cert_location }}"
+    dest: "/etc/proteccio/{{ item.ip | replace('.', '_') }}.CRT"
     force: no
+  loop: "{{ atos_hsms }}"
 
 - name: run nethsmstatus to confirm connection # noqa 301
   command: nethsmstatus
diff --git a/templates/proteccio.rc.j2 b/templates/proteccio.rc.j2
new file mode 100644
index 0000000..c0612a8
--- /dev/null
+++ b/templates/proteccio.rc.j2
@@ -0,0 +1,17 @@
+{% for item in atos_hsms %}
+[PROTECCIO]
+IPaddr={{ item.ip }}
+SSL=1
+SrvCert={{ item.ip | replace('.', '_') }}.CRT
+
+{% endfor %}
+[CLIENT]
+{% if atos_hsms|length > 1 %}
+Mode=2
+{% else %}
+Mode=0
+{% endif %}
+LoggingLevel=7
+LogFile=/var/log/barbican/atos.log
+ClntKey=proteccio_client.key
+ClntCert=proteccio_client.crt
diff --git a/test-requirements.txt b/test-requirements.txt
index 6dd128e..89e2495 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -1 +1,2 @@
 ansible-lint
+reno
diff --git a/vars.yaml.sample b/vars.yaml.sample
new file mode 100644
index 0000000..a08eaaf
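Review bot: The legacy fallback only defines `atos_hsms` when `atos_hsm_ip_address` is set, so a run that sets neither variable (or only `atos_server_cert_location`) fails later at `loop: "{{ atos_hsms }}"` with an undefined-variable error, after the client ISO has already been installed on the node; an `assert` placed before this task fails fast with a clear message (lines below). Because indentation is collapsed in this listing it is also unclear whether `args:` sits under `set_fact:` or at task level — if it is a module argument, `set_fact` defines a fact named `args` rather than `atos_hsms`, so verify that `atos_hsms` really is defined after this task, or simply put `atos_hsms:` directly under `set_fact:`. Finally, `notify` only fires on a changed result and `set_fact` does not report one as far as I recall, so add `changed_when: true` if the warning handler is meant to run.
```yaml
- name: validate HSM configuration
  assert:
    that:
      - atos_hsms is defined
      - atos_hsms | length > 0
    fail_msg: "atos_hsms must list at least one HSM (or set the legacy atos_hsm_ip_address and atos_server_cert_location)"

# … unchanged: legacy set_fact fallback and template task …
```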
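Review bot: The server-certificate URLs fed to this loop are expected to carry basic-auth credentials inline (`https://user:PASSWORD@...` per the vars.yaml.sample in this change), and a looped `get_url` prints every `item` — URL included — in task output and callback logs, so the HTTP server password ends up in Ansible logs. Add `loop_control: label: "{{ item.name }}"` to this task (or `no_log: true`), or better, move the credentials out of the URL into `get_url`'s `url_username`/`url_password` parameters, which the module treats as sensitive. The fetched file is what the client uses to authenticate the HSM over TLS (`SrvCert` in proteccio.rc), so keep `validate_certs` at its default and do not add `validate_certs: no` here. Note also that `force: no` means a rotated HSM server certificate is never re-fetched to the same `dest`; either set `checksum:` or document that the old `.CRT` must be removed to pick up a new one.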
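Review bot: `LoggingLevel=7` and `LogFile=/var/log/barbican/atos.log` are hard-coded, and the removed `copy` content logged to a relative `proteccio.log`, so this silently changes where the client writes and ties a generic HSM-client role to a Barbican-specific directory that nothing in this change creates — whether the vendor library fails when `/var/log/barbican` is absent should be verified. Level 7 is presumably the most verbose setting, and at that verbosity an HSM client log may contain request details that should not sit in a world-readable file, so expose both as role variables, e.g. `LoggingLevel={{ atos_log_level | default(7) }}` and `LogFile={{ atos_log_file | default('/var/log/barbican/atos.log') }}`, documented in README with their defaults. The `Mode=2`/`Mode=0` switch carries no explanation of the vendor meaning; a `{# Mode=2 selects the multi-HSM (HA) mode, 0 a single HSM — see vendor docs #}` comment would help the next maintainer. `replace('.', '_')` only sanitises IPv4 dotted quads, so an IPv6 `ip` yields a `SrvCert` filename containing colons; whatever sanitiser is chosen must match the `dest` in the fetch task exactly, e.g. `regex_replace('[^A-Za-z0-9]', '_')` in both places.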
--- /dev/null
+++ b/vars.yaml.sample
@@ -0,0 +1,12 @@
+---
+atos_client_iso_name: "ClientSoftwareISO-1.X.iso"
+atos_client_iso_location: "https://user:PASSWORD@intranet.example/hsm/client/ClientSoftwareISO-1.X.iso"
+atos_client_cert_location: "https://user:PASSWORD@intranet.example/hsm/client/client_cert.crt"
+atos_client_key_location: "https://user:PASSWORD@intranet.example/hsm/client/client_key.key"
+atos_hsms:
+  - name: "MyHSM 1"
+    server_cert_location: "https://user:PASSWORD@intranet.example/hsm/server/myhsm_1.crt"
+    ip: 192.168.1.1
+  - name: "MyHSM 2"
+    server_cert_location: "https://user:PASSWORD@intranet.example/hsm/server/myhsm_2.crt"
+    ip: 192.168.1.2
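Review bot: The sample teaches users to embed the HTTP server password in every URL (`https://user:PASSWORD@intranet.example/...`); those values live in a plain-text vars file and, because `get_url` echoes its `url` argument and each loop `item` in task output, reach Ansible logs as well. A header comment in the sample should say so, e.g. `# Encrypt this file with ansible-vault: the user:PASSWORD in these URLs is printed by get_url unless the tasks set no_log.`, and the role would be safer taking the credentials as separate variables passed to `url_username`/`url_password`. Separately, the README added in this same change points users to `vars.yaml.example` while the file added here (and the release note) use `vars.yaml.sample`, so the README reference is the odd one out.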