From 5069751256fb218d56ce1f30552de678bd56b48a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?=
Date: Thu, 19 Dec 2019 16:19:37 +0000
Subject: [PATCH] Add HA (load balancing) support

This patch add support for configuring proteccio to use more than one HSM. When more than one HSM is provided the proteccio client is configured for High Availability (HA). This patch changes the format of the variables and should be released as a new major version. (e.g. 1.0.0).

Change-Id: Ib9989ee72a67f71275e31b966bff7673072fb3f8
---
 README.rst | 25 ++++++++++++---
 handlers/main.yaml | 5 +++
 ...availability-support-44343eaf5563f5c7.yaml | 12 +++++++
 setup.cfg | 6 ++--
 tasks/main.yaml | 32 +++++++++----------
 templates/proteccio.rc.j2 | 17 ++++++++++
 test-requirements.txt | 1 +
 vars.yaml.sample | 12 +++++++
 8 files changed, 86 insertions(+), 24 deletions(-)
 create mode 100644 handlers/main.yaml
 create mode 100644 releasenotes/notes/add-high-availability-support-44343eaf5563f5c7.yaml
 create mode 100644 templates/proteccio.rc.j2
 create mode 100644 vars.yaml.sample
diff --git a/README.rst b/README.rst
index 1ec5a2e..fed7e9b 100644
--- a/README.rst
+++ b/README.rst
@@ -22,20 +22,35 @@ Role Variables
 * - atos_client_iso_location
 - None
 - Full URL where a copy of ATOS Client ISO can be downloaded.
- * - atos_hsm_ip_address
- - None
- - IPv4 address for the ATOS HSM.
 * - atos_client_cert_location
 - None
 - Full URL where the client certificate can be downloaded.
 * - atos_client_key_location
 - None
 - Full URL where the client key can be downloaded.
- * - atos_server_cert_location
+ * - atos_hsms
 - None
- - Full URL where the server certificate can be downloaded.
+ - List of one or more HSM devices.

 Requirements
 ------------

 - ansible >= 2.4
+
+Usage
+-----
+
+You'll need to set up a temporary HTTP server somewhere that is accessible
+to the node where this role will be applied. The HTTP server should serve
+the following:
+
+- ATOS Client Software ISO file.
+- HSM Server Certificate file(s).
+- HSM Client Certificate file.
+- HSM Client Key file associated with the Client Certificate.
+
+Due to the sensitive nature of the Certificate and Key files, you should
+use TLS encryption and username and passwords to access the HTTP server.
+
+Use the hostname and user/password for your HTTP server for the full URL values
+that need to be set for this role. See `vars.yaml.example`.
diff --git a/handlers/main.yaml b/handlers/main.yaml
new file mode 100644
index 0000000..b857c94
--- /dev/null
+++ b/handlers/main.yaml
@@ -0,0 +1,5 @@
+---
+- name: legacy vars warning
+ debug:
+ msg: "WARNING: Using legacy atos_server_cert_location and atos_hsm_ip_address
+ variables. Please udpate your vars file."
diff --git a/releasenotes/notes/add-high-availability-support-44343eaf5563f5c7.yaml b/releasenotes/notes/add-high-availability-support-44343eaf5563f5c7.yaml
new file mode 100644
index 0000000..b601106
--- /dev/null
+++ b/releasenotes/notes/add-high-availability-support-44343eaf5563f5c7.yaml
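Review bot: The warning text on the last line of the handlers/main.yaml hunk misspells "update" as `udpate`; this is the string operators will read when the deprecated variables are detected, so change the line to `variables. Please update your vars file."`. Because this is a handler it only runs at the end of the play, after the legacy values have already been consumed by the template and get_url tasks; if the aim is to warn before the rest of the role runs, a `debug` task placed next to the set_fact fallback in tasks/main.yaml, guarded by the same `when:`, would surface it where the fallback happens.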
@@ -0,0 +1,12 @@
+---
+features:
+ - |
+ This version adds support for using more than one ATOS HSM in High
+ Availability mode. There is a new variable `atos_hsms` that accepts
+ a list of HSM IP addresses and associated Certificates. See
+ `vars.yaml.sample` for an example.
+deprecations:
+ - |
+ Two variables have been deprecated: `atos_hsm_ip_address` and
+ `atos_server_cert_location`. You should use the new `atos_hsms` list
+ to specify these values instead. See `vars.yaml.sample` for an example.
diff --git a/setup.cfg b/setup.cfg
index cfc888d..25fb4af 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -3,12 +3,12 @@
 name = ansible-role-atos-hsm
 summary = ansible-role-atos-hsm - Ansible role to configure ATOS HSM clients.
 description-file = README.rst
-author = TripleO Team
+author = OpenStack Barbican Team
 author-email = alee@redhat.com
-home-page = https://github.com/dmend/ansible-role-atos-hsm
+home-page = https://opendev.org/openstack/ansible-role-atos-hsm
 classifier =
 License :: OSI Approved :: Apache Software License
- Development Status :: 4 - Beta
+ Development Status :: 5 - Production/Stable
 Intended Audience :: Developers
 Intended Audience :: System Administrators
 Intended Audience :: Information Technology
diff --git a/tasks/main.yaml b/tasks/main.yaml
index 10a7239..9dec98b 100644
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@@ -32,21 +32,20 @@
 "Press the key to exit the installation program": "\n"
 when: not atos_client.stat.exists

-- name: create proteccio.rc
- copy:
- dest: /etc/proteccio/proteccio.rc
- content: |
- [PROTECCIO]
- IPaddr={{ atos_hsm_ip_address }}
- SSL=1
- SrvCert=server_cert.crt
+- name: allow using legacy variables for backwards compatibility
+ set_fact:
+ args:
+ atos_hsms:
+ - name: Legacy variables HSM
+ server_cert_location: "{{ atos_server_cert_location }}"
+ ip: "{{ atos_hsm_ip_address }}"
+ when: atos_hsms is not defined and atos_hsm_ip_address is defined
+ notify: legacy vars warning

- [CLIENT]
- Mode=0
- LoggingLevel=7
- LogFile=proteccio.log
- ClntKey=proteccio_client.key
- ClntCert=proteccio_client.crt
+- name: create proteccio.rc
+ template:
+ src: proteccio.rc.j2
+ dest: /etc/proteccio/proteccio.rc

 - name: Get the client cert
 get_url:
@@ -62,9 +61,10 @@

 - name: Get the server cert
 get_url:
- url: "{{ atos_server_cert_location }}"
- dest: /etc/proteccio/server_cert.crt
+ url: "{{ item.server_cert_location }}"
+ dest: "/etc/proteccio/{{ item.ip | replace('.', '_') }}.CRT"
 force: no
+ loop: "{{ atos_hsms }}"

 - name: run nethsmstatus to confirm connection # noqa 301
 command: nethsmstatus
diff --git a/templates/proteccio.rc.j2 b/templates/proteccio.rc.j2
new file mode 100644
index 0000000..c0612a8
--- /dev/null
+++ b/templates/proteccio.rc.j2
@@ -0,0 +1,17 @@
+{% for item in atos_hsms %}
+[PROTECCIO]
+IPaddr={{ item.ip }}
+SSL=1
+SrvCert={{ item.ip | replace('.', '_') }}.CRT
+
+{% endfor %}
+[CLIENT]
+{% if atos_hsms|length > 1 %}
+Mode=2
+{% else %}
+Mode=0
+{% endif %}
+LoggingLevel=7
+LogFile=/var/log/barbican/atos.log
+ClntKey=proteccio_client.key
+ClntCert=proteccio_client.crt
diff --git a/test-requirements.txt b/test-requirements.txt
index 6dd128e..89e2495 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -1 +1,2 @@
 ansible-lint
+reno
diff --git a/vars.yaml.sample b/vars.yaml.sample
new file mode 100644
index 0000000..a08eaaf
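Review bot: `notify: legacy vars warning` on the new set_fact task will not reach the handler, because set_fact reports ok rather than changed and handlers are only notified by tasks that report changed; add `changed_when: true` to that task so the deprecation warning is actually emitted. The fallback also leaves the case where neither `atos_hsms` nor `atos_hsm_ip_address` is defined to fail later as an undefined-variable error inside the template task; an `assert` with `that: atos_hsms is defined and atos_hsms | length > 0` placed before `create proteccio.rc` would name the misconfiguration directly. The task at the top of the hunk starts outside it.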
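Review bot: The added `loop: "{{ atos_hsms }}"` makes Ansible print each loop item in the task result, and `item.server_cert_location` is documented in the README and vars.yaml.sample as a URL that may embed the HTTP server's username and password, so those credentials end up in the play output and in whatever collects controller logs; add `no_log: true` to this task, or keep the URL credential-free and pass get_url's `url_username`/`url_password` instead. The added `dest` is derived from `item.ip` with the same `replace('.', '_')` expression that templates/proteccio.rc.j2 uses for `SrvCert`, and nothing ties the two together; a comment such as `# filename must match SrvCert in templates/proteccio.rc.j2` on the dest line would keep them from drifting apart.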
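Review bot: `LogFile=/var/log/barbican/atos.log` hard-codes another service's log directory into a role that only configures the HSM client, replacing the previous relative `proteccio.log`, and nothing in this patch creates that directory or sets its ownership, so on a host without Barbican the client presumably cannot open its log. Expose it as a role variable with this path as the default (for example `LogFile={{ atos_log_file }}` in the template, with the current path as the default value) so other consumers can point it elsewhere. The `Mode=2`/`Mode=0` switch is what enables HA according to the commit message, but the template does not say so; a Jinja comment `{# Mode=2 enables HA across all listed HSMs; Mode=0 is single-HSM #}` above the `{% if %}` would document the magic numbers.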
--- /dev/null
+++ b/vars.yaml.sample
@@ -0,0 +1,12 @@
+---
+atos_client_iso_name: "ClientSoftwareISO-1.X.iso"
+atos_client_iso_location: "https://user:PASSWORD@intranet.example/hsm/client/ClientSoftwareISO-1.X.iso"
+atos_client_cert_location: "https://user:PASSWORD@intranet.example/hsm/client/client_cert.crt"
+atos_client_key_location: "https://user:PASSWORD@intranet.example/hsm/client/client_key.key"
+atos_hsms:
+ - name: "MyHSM 1"
+ server_cert_location: "https://user:PASSWORD@intranet.example/hsm/server/myhsm_1.crt"
+ ip: 192.168.1.1
+ - name: "MyHSM 2"
+ server_cert_location: "https://user:PASSWORD@intranet.example/hsm/server/myhsm_2.crt"
+ ip: 192.168.1.2
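Review bot: This file is `vars.yaml.sample` and the release note refers to it by that name, but the README text added in the same commit sends readers to `vars.yaml.example`; one of the two should be corrected so the reference resolves. The `ip` value is also used to build the on-disk server certificate name via `{{ item.ip | replace('.', '_') }}.CRT` in both tasks/main.yaml and the template, so only dotted IPv4 literals like the ones shown here are known to produce a sane filename; a comment on the first `ip:` line such as `# IPv4 address of the HSM; also used to name the downloaded server cert` would make that constraint visible to anyone copying this sample.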