Add support for configuring load_sharing mode

Change-Id: Ia5fedaf5b1dbe7d8958c04a3e8534098d4bbd548
2021-02-10 16:02:46 -05:00 · 2021-02-10 16:02:46 -05:00 · fa73732ec5
parent 8590934320
commit fa73732ec5
8 changed files with 80 additions and 24 deletions
--- a/README.rst
+++ b/README.rst
@ -48,23 +48,16 @@ Role Variables
     - Full URL where a copy of the client software tarball can be downloaded.
   * - thales_client_path
     - linux/libc6_11/amd64/nfast
-     - Path tho the client software directory inside the tarball
+     - Path to the client software directory inside the tarball
   * - thales_km_data_tarball_name
     - None
     - Filename for the KM Data tarball
   * - thales_km_data_location
     - None
     - Full URL where a copy of the KM Data tarball can be downloaded.
-   * - thales_hsm_ip_address
-     - None
-     - IPv4 address for the Thales HSM.
   * - thales_rfs_ip_address
     - None
     - IPv4 address for the Thales RFS host.
-   * - thales_hsm_config_location
-     - None
-     - Unique hsm diretory name where the RFS configuration is stored.
-       (e.g. hsm-XXX-XXX-XXX)
   * - thales_client_ips
     - None
     - Whitespace separated list of IP addresses to be added to RFS config.
@ -72,6 +65,9 @@ Role Variables
     - None
     - Bootstrap client IP address.  This IP will be allowed to update RFS
       server.
+   * - nshield_hsms
+     - None
+     - List of one or more HSM devices


 Requirements
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@ -5,3 +5,4 @@ thales_client_working_dir: /tmp/thales_client_install
 thales_client_gid: 42481
 thales_client_uid: 42481
 thales_client_path: linux/libc6_11/amd64/nfast
+thales_load_sharing_enabled: false
--- a/handlers/main.yaml
+++ b/handlers/main.yaml
@ -0,0 +1,5 @@
+---
+- name: legacy vars warning
+  debug:
+    msg: "WARNING: Using legacy thales_hsm_ip_address and
+         thales_hsm_config_location variables.  Please udpate your vars file.
--- a/releasenotes/notes/add-ha-c41f45eaa1aba077.yaml
+++ b/releasenotes/notes/add-ha-c41f45eaa1aba077.yaml
@ -0,0 +1,13 @@
+---
+features:
+  - |
+    This version adds support for using more than one nshield HSM in load
+    sharing mode.  There is a new variable `nshield_hsms` that accepts
+    a list of HSM IP addresses and associated esn data.  See
+    `vars.yaml.sample` for an example.  Note that HSM Pools are
+    not supported at this time.
+deprecations:
+  - |
+    Two variables have been deprecated: `thales_hsm_ip_address` and
+    `thales_hsm_config_location`.  You should use the new `nshield_hsms` list
+    to specify these values instead.  See `vars.yaml.sample` for an example.
--- a/tasks/client.yaml
+++ b/tasks/client.yaml
@ -79,13 +79,6 @@
      dest: /opt/nfast
      remote_src: yes

- name: run anonkneti to get hash
-  command: /opt/nfast/bin/anonkneti "{{ thales_hsm_ip_address }}"
-  register: anonkneti
-
- name: output of anonkneti
-  debug: var=anonkneti.stdout_lines
-
 - name: create cknfastrc
  copy:
      dest: /opt/nfast/cknfastrc
@ -94,6 +87,12 @@
      force: no
      mode: 0644

+- name: add load sharing if enabled
+  lineinfile:
+      path: /opt/nfast/cknfastrc
+      line: CKNFAST_LOADSHARING = 1
+  when: "{{ nshield_hsms|length  > 1 }}"
+
 - name: create snmp.conf
  copy:
      dest: /opt/nfast/etc/snmp/snmp.conf
@ -102,8 +101,18 @@
      force: yes
      mode: 0644

- name: enroll client to HSM
-  command: /opt/nfast/bin/nethsmenroll --force {{ thales_hsm_ip_address }} {{ anonkneti.stdout_lines[0] }}
+- name: enroll client to hsms
+  block:
+    - name: run anonkneti to get hash for "{{ item.ip }}"
+      command: /opt/nfast/bin/anonkneti "{{ item.ip }}"
+      register: anonkneti
+
+    - name: output of anonkneti
+      debug: var=anonkneti.stdout_lines
+
+    - name: enroll client to HSM "{{ item.ip }}"
+      command: /opt/nfast/bin/nethsmenroll --force {{ item }} {{ anonkneti.stdout_lines[0] }}
+  loop: "{{ nshield_hsms }}"

 - name:  set selinux contexts for /opt/nfast
  command: restorecon -R /opt/nfast
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@ -1,4 +1,14 @@
 ---
+- name: allow using legacy variables for backwards compatibility
+  set_fact:
+    args:
+      nshield_hsms:
+        - name: Legacy variables HSM
+          esn: "{{ thales_hsm_config_location }}"
+          ip: "{{ thales_hsm_ip_address }}"
+  when: nshield_hsms is not defined and thales_hsm_ip_address is defined
+  notify: legacy vars warning
+
 - name: Include client installation tasks
  include_tasks: client.yaml
  when: thales_install_client
--- a/tasks/rfs.yaml
+++ b/tasks/rfs.yaml
@ -1,14 +1,17 @@
 ---
 # This role adds a new IP address to the RFS conf file

- name: run script to add {{ thales_client_ips }} to config.new
-  script: "{{ role_path }}/files/add_ips.py --config-dir /opt/nfast/kmdata/{{ thales_hsm_config_location }}/config --ips {{ thales_client_ips }}"
+- name: add client ips to hsms
+  block:
+    - name: run script to add {{ thales_client_ips }} to config.new on "{{ item.ip }}" esn "{{ item.esn }}"
+      script: "{{ role_path }}/files/add_ips.py --config-dir /opt/nfast/kmdata/{{ item.esn }}/config --ips {{ thales_client_ips }}"

- name: push new config to the HSM and check that it was successful
-  shell: "/opt/nfast/bin/cfg-pushnethsm -a {{ thales_hsm_ip_address }} /opt/nfast/kmdata/{{ thales_hsm_config_location }}/config/config.new && sleep 5 && diff /opt/nfast/kmdata/{{ thales_hsm_config_location }}/config/config /opt/nfast/kmdata/{{ thales_hsm_config_location }}/config/config.new"  # noqa 204
-  register: result
-  until: result.rc == 0
-  retries: 10
+    - name: push new config to the HSM and check that it was successful
+      shell: "/opt/nfast/bin/cfg-pushnethsm -a {{ item.ip }} /opt/nfast/kmdata/{{ item.esn }}/config/config.new && sleep 5 && diff /opt/nfast/kmdata/{{ item.esn }}/config/config /opt/nfast/kmdata/{{ item.esn }}/config/config.new"  # noqa 204
+      register: result
+      until: result.rc == 0
+      retries: 10
+  loop: "{{ nshield_hsms }}"

 - name: allow bootstrap server to update the RFS server
  command: "/opt/nfast/bin/rfs-setup --gang-client --write-noauth  {{ thales_bootstrap_client_ip }}"
--- a/vars.yaml.sample
+++ b/vars.yaml.sample
@ -0,0 +1,19 @@
+---
+thales_client_working_dir: /tmp/thales_client_install
+thales_client_tarball_location: http://myserver.example.com/CipherTools-linux64-dev-12.40.2.tgz
+thales_client_tarball_name: CipherTools-linux64-dev-12.40.2.tgz
+thales_client_path: linux/libc6_11/amd64/nfast
+thales_client_uid:  42481
+thales_client_gid:  42481
+thales_km_data_location: http://myserver.example.com/kmdata.tar.gz
+thales_km_data_tarball_name: kmdata.tar.gz
+thales_rfs_server_ip_address: 192.168.5.20
+nshield_hsms:
+  - name: "My HSM 1"
+    ip: 192.168.1.1
+    esn: hsm-F90F-02A0-B937
+  - name: "My HSM 2"
+    ip: 192.168.1.1
+    esn: hsm-A90F-02B0-4E37
+thales_rfs_user: admin
+thales_rfs_key: RSA Private key in PEM format used to log into RFS server.