Add parameters for previously hardcoded values

This patch adds a few parameters to replace previously hardcoded values
in shell commands:

* lunasa_client_device
* lunasa_appliance_user
* lunasa_ssh_cipher

All parameters use the previously hardcoded values as the default for
backwards compatibility.

Change-Id: I47b3e6ab34cca37533d5be668a3dfbf4e8208ae8
This commit is contained in:
Douglas Mendizabal
2025-05-15 14:21:47 -04:00
parent f82c4666c9
commit 4a384f4fbe
5 changed files with 48 additions and 12 deletions


@ -16,6 +16,14 @@ Thales Luna Network HSM.
* - Name
- Default Value
- Description
* - lunasa_appliance_user:
- admin
- Appliance User account used to log into the HSM to manage clients
and parititon assignments.
* - lunasa_ssh_cipher:
- aes256-cbc
- `-c cipher_spec` argument passed to SSH/SCP when connecting to the HSM
as the `lunasa_appliance_user`.
* - lunasa_client_working_dir
- /tmp/lunasa_client_install
- Working directory in the target host.
@ -28,6 +36,10 @@ Thales Luna Network HSM.
* - lunasa_client_installer_path
- None
- Path to the instal.sh script inside the tarball.
* - lunasa_client_device
- sa
- Luna product parameter passed to the Luna client software install.sh
script.
* - lunasa_client_pin
- None
- The HSM Partition Password (PKCS#11 PIN) to be used by the client.


@ -1,6 +1,9 @@
---
lunasa_client_working_dir: /tmp/lunasa_client_install
lunasa_client_rotate_cert: false
lunasa_client_device: sa
lunasa_appliance_user: admin
lunasa_ha_label: myHAgroup
lunasa_user_id: 42493
lunasa_group_id: 42493
lunasa_ssh_cipher: aes256-cbc
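Review bot: `lunasa_ssh_cipher: aes256-cbc` carries the old hardcoded CBC cipher forward as the default without saying why, and that is a security-relevant choice worth a comment: OpenSSH removed the CBC modes from its default cipher list years ago because of a known plaintext-recovery weakness, so the only reason to force one is an appliance that negotiates nothing newer. Suggest `# Forced SSH cipher; older Luna appliance firmware only offers CBC. Set to "" to let ssh negotiate.` above the line, so operators on current firmware know they can drop it. `lunasa_appliance_user: admin` would likewise benefit from a one-line comment that this is the account the role logs into the appliance with for client and partition management, since the value ends up in every ssh/scp command of the role.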


@ -34,7 +34,7 @@
- name: Run the install.sh script
ansible.builtin.shell: |
set -o pipefail && echo y | bash {{ lunasa_client_working_dir }}/{{ lunasa_client_installer_path }} -p sa -c sdk
set -o pipefail && echo y | bash {{ lunasa_client_working_dir }}/{{ lunasa_client_installer_path }} -p {{ lunasa_client_device }} -c sdk
args:
creates: /usr/lib/libCryptoki2_64.so
become: true
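Review bot: On the new install.sh line, `-p {{ lunasa_client_device }}` is spliced into a `shell:` command unquoted, so a value containing whitespace or shell metacharacters is re-parsed by the shell instead of being passed as one argument; write it as `-p {{ lunasa_client_device | quote }} -c sdk`. The variable is operator-supplied role input rather than untrusted data, so this is mostly a robustness guard, but `| quote` is the standard idiom for anything templated into `shell:`. Note that the `creates: /usr/lib/libCryptoki2_64.so` guard skips the task once the library exists, so a wrong device value only surfaces on a first install.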


@ -3,11 +3,20 @@
ansible.builtin.debug:
msg: "Registering client: {{ client_name }} [host: {{ client_host }}, CN: {{ client_cert_cn }}] with HSM: {{ hsm_hostname }}"
- name: Default to not passing a cipher to scp/ssh
ansible.builtin.set_fact:
luna_ssh_cipher_parameter: ""
- name: Use ssh cipher when set
ansible.builtin.set_fact:
luna_ssh_cipher_parameter: "-c {{ lunasa_ssh_cipher }}"
when: lunasa_ssh_cipher
- name: Get the hsm server cert from the hsm_server
ansible.builtin.shell: >
sshpass -p '{{ hsm_admin_password }}'
scp -O -o StrictHostKeyChecking=false -c aes256-cbc
admin@{{ hsm_hostname }}:server.pem
scp -O -o StrictHostKeyChecking=false {{ luna_ssh_cipher_parameter }}
{{ lunasa_appliance_user }}@{{ hsm_hostname }}:server.pem
/usr/safenet/lunaclient/bin/{{ hsm_hostname }}.pem
args:
creates: /usr/safenet/lunaclient/bin/{{ hsm_hostname }}.pem
@ -26,8 +35,8 @@
- name: Check for existing clients
ansible.builtin.shell: >
sshpass -p '{{ hsm_admin_password }}'
ssh -o StrictHostKeyChecking=false -c aes256-cbc admin@{{ hsm_hostname }}
-C client list
ssh -o StrictHostKeyChecking=false {{ luna_ssh_cipher_parameter }}
{{ lunasa_appliance_user }}@{{ hsm_hostname }} -C client list
register: client_list
- name: Fail if client is already registered, but we don't have that cert
@ -40,8 +49,8 @@
- name: Delete existing client when rotating certs
ansible.builtin.shell: >
sshpass -p '{{ hsm_admin_password }}' ssh -c aes256-cbc admin@{{ hsm_hostname }}
-C "client delete -f -c {{ client_name }}"
sshpass -p '{{ hsm_admin_password }}' ssh {{ luna_ssh_cipher_parameter }}
{{ lunasa_appliance_user }}@{{ hsm_hostname }} -C "client delete -f -c {{ client_name }}"
when:
- client_name in client_list.stdout
- lunasa_client_rotate_cert
@ -52,13 +61,15 @@
block:
- name: Copy the NTL client cert to the HSM
ansible.builtin.shell: >
sshpass -p '{{ hsm_admin_password }}' scp -O -c aes256-cbc
sshpass -p '{{ hsm_admin_password }}'
scp -O {{ luna_ssh_cipher_parameter }}
/usr/safenet/lunaclient/cert/client/{{ client_cert_cn }}.pem
admin@{{ hsm_hostname }}:{{ client_host }}.pem
{{ lunasa_appliance_user }}@{{ hsm_hostname }}:{{ client_host }}.pem
- name: Register the client
ansible.builtin.shell: >
sshpass -p '{{ hsm_admin_password }}' ssh -c aes256-cbc admin@{{ hsm_hostname }}
sshpass -p '{{ hsm_admin_password }}'
ssh {{ luna_ssh_cipher_parameter }} {{ lunasa_appliance_user }}@{{ hsm_hostname }}
-C "client register -c {{ client_name }} {{ client_reg_opt }} {{ client_host }}"
register: client_register
failed_when:
@ -67,7 +78,8 @@
- name: Assign client to an HSM partition
ansible.builtin.shell: |
sshpass -p '{{ hsm_admin_password }}' ssh -c aes256-cbc admin@{{ hsm_hostname }} \
sshpass -p '{{ hsm_admin_password }}' ssh {{ luna_ssh_cipher_parameter }} \
{{ lunasa_appliance_user }}@{{ hsm_hostname }} \
-C "client assignPartition -c {{ client_name }} -p {{ hsm_partition }}"
register: assign_partition
failed_when:
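Review bot: `luna_ssh_cipher_parameter: "-c {{ lunasa_ssh_cipher }}"` and `{{ lunasa_appliance_user }}@{{ hsm_hostname }}` are templated unquoted into every `shell:` task in this file, so a cipher or user value with spaces or metacharacters would split or inject into the ssh/scp command line; build the fact as `luna_ssh_cipher_parameter: "-c {{ lunasa_ssh_cipher | quote }}"` and use `{{ lunasa_appliance_user | quote }}@{{ hsm_hostname }}` in the commands. `when: lunasa_ssh_cipher` relies on Jinja truthiness of a string, which works (an empty value skips the flag) but deserves a comment on the task, e.g. `# An empty lunasa_ssh_cipher lets ssh negotiate the cipher instead of forcing one`. The reflowed `sshpass -p '{{ hsm_admin_password }}'` lines still put the appliance password on the command line and in task output; `no_log: true` on those tasks would at least keep it out of logs. The `block:` enclosing the copy and register tasks begins before the last hunk.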


@ -1,8 +1,17 @@
---
- name: Default to not passing a cipher to scp/ssh
ansible.builtin.set_fact:
luna_ssh_cipher_parameter: ""
- name: Use ssh cipher when set
ansible.builtin.set_fact:
luna_ssh_cipher_parameter: "-c {{ lunasa_ssh_cipher }}"
when: lunasa_ssh_cipher
- name: Delete clients from HSM
ansible.builtin.shell: >
sshpass -p '{{ item.admin_password }}' ssh -o StrictHostKeyChecking=false
-c aes256-cbc admin@{{ item.hostname }}
{{ luna_ssh_cipher_parameter }} {{ lunasa_appliance_user }}@{{ item.hostname }}
-C "client delete -f -c {{ client_name }}"
loop: "{{ lunasa_hsms }}"
ignore_errors: true
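Review bot: The two `set_fact` tasks duplicate the ones added to the register task file, and `{{ luna_ssh_cipher_parameter }}` is again spliced unquoted into the ssh command; deriving the value once as a lazily evaluated role variable, e.g. `luna_ssh_cipher_parameter: "{{ ('-c ' ~ (lunasa_ssh_cipher | quote)) if lunasa_ssh_cipher else '' }}"`, would remove the duplication, quote the cipher in one place, and drop the "default to empty" task that exists only because `set_fact` persists per host. Since each `lunasa_hsms` entry already carries its own `admin_password`, `{{ item.appliance_user | default(lunasa_appliance_user) }}@{{ item.hostname }}` would let the account vary per appliance as well. With `ignore_errors: true` kept on this task, a misconfigured `lunasa_ssh_cipher` or `lunasa_appliance_user` fails the delete silently, so that is worth a comment if the best-effort behaviour is intentional.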