303f85c92b
This will be essential for allowing migrations to different (more secure) plugins Change-Id: Ib45708fa6f8770b7737fff1990cc86e71e4bd634
83 lines
2.7 KiB
Puppet
83 lines
2.7 KiB
Puppet
# == Class: barbican::plugins::p11_crypto
|
|
#
|
|
# Sets up Barbican API p11_crypto secret_store plugin
|
|
#
|
|
# === Parameters
|
|
#
|
|
# [*p11_crypto_plugin_library_path*]
|
|
# (optional) Path to vendor PKCS11 library
|
|
# Defaults to $::os_service_default
|
|
#
|
|
# [*p11_crypto_plugin_login*]
|
|
# (optional) Password to login to PKCS11 session
|
|
# Required if p11_crypto_plugin is enabled.
|
|
# Defaults to undef
|
|
#
|
|
# [*p11_crypto_plugin_mkek_label*]
|
|
# (optional) Label to identify master KEK in the HSM
|
|
# Required if p11_crypto_plugin is enabled.
|
|
# Defaults to undef
|
|
#
|
|
# [*p11_crypto_plugin_mkek_length*]
|
|
# (optional) Length in bytes of master KEK
|
|
# Required if p11_crypto_plugin is enabled.
|
|
# Defaults to undef
|
|
#
|
|
# [*p11_crypto_plugin_hmac_label*]
|
|
# (optional) Label to identify master KEK in the HSM
|
|
# Required if p11_crypto_plugin is enabled.
|
|
# Defaults to undef
|
|
#
|
|
# [*p11_crypto_plugin_slot_id*]
|
|
# (optional) HSM Slot id
|
|
# Required if p11_crypto_plugin is enabled.
|
|
# Defaults to undef
|
|
#
|
|
# [*global_default*]
|
|
# (optional) set plugin as global default
|
|
# Defaults to false
|
|
#
|
|
class barbican::plugins::p11_crypto (
|
|
$p11_crypto_plugin_library_path = $::os_service_default,
|
|
$p11_crypto_plugin_login = undef,
|
|
$p11_crypto_plugin_mkek_label = undef,
|
|
$p11_crypto_plugin_mkek_length = undef,
|
|
$p11_crypto_plugin_hmac_label = undef,
|
|
$p11_crypto_plugin_slot_id = undef,
|
|
$global_default = false,
|
|
) {
|
|
|
|
include ::barbican::deps
|
|
|
|
if $p11_crypto_plugin_login == undef {
|
|
fail('p11_crypto_plugin_login must be defined')
|
|
}
|
|
if $p11_crypto_plugin_mkek_label == undef {
|
|
fail('p11_crypto_plugin_mkek_label must be defined')
|
|
}
|
|
if $p11_crypto_plugin_mkek_length == undef {
|
|
fail('p11_crypto_plugin_mkek_length must be defined')
|
|
}
|
|
if $p11_crypto_plugin_hmac_label == undef {
|
|
fail('p11_crypto_plugin_hmac_label must be defined')
|
|
}
|
|
if $p11_crypto_plugin_slot_id == undef {
|
|
fail('p11_crypto_plugin_slot_id must be defined')
|
|
}
|
|
|
|
barbican_config {
|
|
'p11_crypto_plugin/library_path': value => $p11_crypto_plugin_library_path;
|
|
'p11_crypto_plugin/login': value => $p11_crypto_plugin_login;
|
|
'p11_crypto_plugin/mkek_label': value => $p11_crypto_plugin_mkek_label;
|
|
'p11_crypto_plugin/mkek_length': value => $p11_crypto_plugin_mkek_length;
|
|
'p11_crypto_plugin/hmac_label': value => $p11_crypto_plugin_hmac_label;
|
|
'p11_crypto_plugin/slot_id': value => $p11_crypto_plugin_slot_id;
|
|
}
|
|
|
|
barbican_config {
|
|
'secretstore:pkcs11/secret_store_plugin': value => 'store_crypto';
|
|
'secretstore:pkcs11/crypto_plugin': value => 'p11_crypto';
|
|
'secretstore:pkcs11/global_default': value => $global_default;
|
|
}
|
|
}
|