Merge "Identify HSMs using labels instead of Slot ID" into stable/victoria
commit
15b12bea61
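--- a/[file 1: path not shown on page]
+++ b/[file 1: path not shown on page]
@@ -67,7 +67,7 @@ parameters:
 type: string
 default: ''
 BarbicanPkcs11CryptoLogin:
-description: Password to login to PKCS11 session
+description: Password (PIN) to login to PKCS#11 session
 type: string
 hidden: true
 default: ''
@@ -80,9 +80,17 @@ parameters:
 type: string
 default: ''
 BarbicanPkcs11CryptoSlotId:
-description: Slot Id for the HSM
+description: Slot Id for the PKCS#11 token to be used
 type: string
 default: '0'
+BarbicanPkcs11CryptoTokenSerialNumber:
+description: Serial number for PKCS#11 token to be used
+type: string
+default: ''
+BarbicanPkcs11CryptoTokenLabel:
+description: Label for PKCS#11 token to be used
+type: string
+default: ''
 BarbicanPkcs11CryptoHMACKeyType:
 description: Cryptoki Key Type for Master HMAC key
 type: string
@@ -168,7 +176,7 @@ conditions:
 thales_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoThalesEnabled}, true]}
 atos_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoATOSEnabled}, true]}
 lunasa_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoLunasaEnabled}, true]}
-thales_or_atos_or_lunasa_hsm_enabled:
+hsm_enabled:
 or:
 - thales_hsm_enabled
 - atos_hsm_enabled
@@ -427,7 +435,7 @@ outputs:
 - null
 deploy_steps_tasks:
 if:
-- thales_or_atos_or_lunasa_hsm_enabled
+- hsm_enabled
 - list_concat:
 -
 if:
@@ -478,24 +486,17 @@ outputs:
 - map_merge:
 - {get_param: LunasaVars}
 - lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
+- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
 - map_merge:
 - {get_param: LunasaVars}
 - lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
+- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
 - lunasa_client_ip:
 str_replace:
 template:
 "{{$NETWORK_ip}}"
 params:
 $NETWORK: {get_param: LunasaClientIPNetwork}
-
-- name: set the slot id in hieradata
-include_role:
-name: tripleo_hieradata
-tasks_from: ansible_hieradata.yml
-vars:
-hieradata_ansible_data:
-barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: "{{ lunasa_ha_slot }}"
-when: lunasa_ha_slot is defined
 - null
 - null
 docker_config:
@@ -562,23 +563,11 @@ outputs:
 - ' '
 - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
 - {get_attr: [BarbicanApiLogging, cmd_extra_args]}
-- "hsm check_mkek --library-path"
-- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
-- "--slot-id"
-- {get_param: [BarbicanPkcs11CryptoSlotId]}
-- "--passphrase"
-- {get_param: [BarbicanPkcs11CryptoLogin]}
-- "--label"
+- "hsm check_mkek --label"
 - {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
 - "|| /usr/bin/barbican-manage"
 - {get_attr: [BarbicanApiLogging, cmd_extra_args]}
-- "hsm gen_mkek --library-path"
-- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
-- "--slot-id"
-- {get_param: [BarbicanPkcs11CryptoSlotId]}
-- "--passphrase"
-- {get_param: [BarbicanPkcs11CryptoLogin]}
-- "--label"
+- "hsm gen_mkek --label"
 - {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
 - "'"
 - {}
@@ -600,28 +589,10 @@ outputs:
 - ' '
 - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
 - {get_attr: [BarbicanApiLogging, cmd_extra_args]}
-- "hsm check_hmac --library-path"
-- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
-- "--slot-id"
-- {get_param: [BarbicanPkcs11CryptoSlotId]}
-- "--passphrase"
-- {get_param: [BarbicanPkcs11CryptoLogin]}
-- "--label"
+- "hsm check_hmac --label"
 - {get_param: [BarbicanPkcs11CryptoHMACLabel]}
-- "--key-type"
-- {get_param: [BarbicanPkcs11CryptoHMACKeyType]}
-- "|| /usr/bin/barbican-manage hsm gen_hmac --library-path"
-- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
-- "--slot-id"
-- {get_param: [BarbicanPkcs11CryptoSlotId]}
-- "--passphrase"
-- {get_param: [BarbicanPkcs11CryptoLogin]}
-- "--label"
+- "|| /usr/bin/barbican-manage hsm gen_hmac --label"
 - {get_param: [BarbicanPkcs11CryptoHMACLabel]}
-- "--key-type"
-- {get_param: [BarbicanPkcs11CryptoHMACKeyType]}
-- "--mechanism"
-- {get_param: [BarbicanPkcs11CryptoHMACKeygenMechanism]}
 - "'"
 - {}
 - if: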
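Review bot: In the `hsm check_mkek` / `gen_mkek` / `check_hmac` / `gen_hmac` command lists (hunks `@@ -562` and `@@ -600`), the MKEK and HMAC label parameters are still joined unquoted into the `su barbican -s /bin/bash -c '…'` string, so a label containing whitespace, a single quote or other shell metacharacters would split the argument or terminate the quoted command; the commit keeps this pattern while dropping the library-path, slot-id and passphrase arguments. The definitions of `BarbicanPkcs11CryptoMKEKLabel` and `BarbicanPkcs11CryptoHMACLabel` are outside these hunks, but a HOT `constraints:` / `allowed_pattern:` matching the site's label character set on each of them (and on the new `BarbicanPkcs11CryptoTokenLabel`) would reject such values at stack validation rather than at deploy time. Removing `--passphrase {get_param: BarbicanPkcs11CryptoLogin}` from the rendered command is a real improvement, since the PIN no longer passes through the shell command line or any task log that records it. Separately, `BarbicanPkcs11CryptoTokenLabel` and `BarbicanPkcs11CryptoTokenSerialNumber` both default to `''` while `BarbicanPkcs11CryptoSlotId` still defaults to `'0'`, and nothing in the template checks that at least one token identifier was actually provided, so a deployment that sets none of them silently falls back to slot 0.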
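--- a/[file 2: path not shown on page]
+++ b/[file 2: path not shown on page]
@@ -36,7 +36,7 @@ parameters:
 type: string
 default: ''
 BarbicanPkcs11CryptoLogin:
-description: Password to login to PKCS11 session
+description: Password (PIN) to login to PKCS#11 session
 type: string
 hidden: true
 default: ''
@@ -53,9 +53,17 @@ parameters:
 type: string
 default: ''
 BarbicanPkcs11CryptoSlotId:
-description: Slot Id for the HSM
+description: Slot Id for the PKCS#11 token to be used
 type: string
 default: '0'
+BarbicanPkcs11CryptoTokenSerialNumber:
+description: Serial number for PKCS#11 token to be used
+type: string
+default: ''
+BarbicanPkcs11CryptoTokenLabel:
+description: Label for PKCS#11 token to be used
+type: string
+default: ''
 BarbicanPkcs11CryptoEncryptionMechanism:
 description: Cryptoki Mechanism used for encryption
 type: string
@@ -93,6 +101,8 @@ outputs:
 barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_length: {get_param: BarbicanPkcs11CryptoMKEKLength}
 barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_label: {get_param: BarbicanPkcs11CryptoHMACLabel}
 barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId}
+barbican::plugins::p11_crypto::p11_crypto_plugin_token_serial_number: {get_param: BarbicanPkcs11CryptoTokenSerialNumber}
+barbican::plugins::p11_crypto::p11_crypto_plugin_token_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
 barbican::plugins::p11_crypto::p11_crypto_plugin_encryption_mechanism: {get_param: BarbicanPkcs11CryptoEncryptionMechanism}
 barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_key_type: {get_param: BarbicanPkcs11CryptoHMACKeyType}
 barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_keygen_mechanism: {get_param: BarbicanPkcs11CryptoHMACKeygenMechanism}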
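Review bot: The new `p11_crypto_plugin_token_serial_number` and `p11_crypto_plugin_token_label` hieradata keys (hunk `@@ -93,6 +101,8 @@`) are emitted unconditionally next to the existing `p11_crypto_plugin_slot_id`, and their source parameters default to `''`, `''` and `'0'`, so the rendered hieradata always carries a slot id together with possibly empty label and serial values; which identifier the plugin honours, and whether an empty string is treated as "unset" or as a configured label, is decided by the puppet module and the Barbican plugin, neither of which is visible here. The parameter descriptions in hunk `@@ -53,9 +53,17 @@` do not state that precedence, so an operator who sets a label but leaves the slot id at its default cannot tell from the template which one is used. Once confirmed against the plugin, I would record it in the descriptions, for instance `description: Slot Id for the PKCS#11 token to be used; only consulted when neither BarbicanPkcs11CryptoTokenLabel nor BarbicanPkcs11CryptoTokenSerialNumber is set` (if that is indeed the resolution order).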
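--- a/[file 3: path not shown on page]
+++ b/[file 3: path not shown on page]
@@ -1,15 +1,17 @@
-# A Heat environment file to enable the barbican PKCS11 crypto backend with
-# a Lunasa HSM.
-# Note that barbican needs to be enabled in order to use this.
+# A Heat environment file to enable the barbican PKCS#11 crypto backend using
+# one or more Thales Luna Network HSMs.
+# Note that Barbican needs to be enabled in order to use this.
 parameter_defaults:
 # In order to use this backend, you need to uncomment these values and
 # provide the appropriate values.
 #
-# BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS11 session
-# BarbicanPkcs11CryptoSlotId: Slot Id for the HSM. Note that this parameter is only
-# strictly required when setting up the Lunasa client in non-HA mode. In HA
-# mode, whatever value is placed here will be overridden by the dynamically generated
-# slot for the HA group created on the client.
+# BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS#11 session
+#
+# BarbicanPkcs11CryptoTokenLabel: Label for PKCS#11 token to be used.
+# For single HSM deployments this value should be the partition label
+# that will be assigned to the clients.
+# For HA deployments this value should be the label for the HA group.
+# BarbicanPkcs11CryptoSlotId: (Optional) Slot Id for PKCS#11 token to be used
 # BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
 #
 # LunasaClientIPNetwork: (Optional) Network to be used by the controllers
@@ -36,13 +38,13 @@ parameter_defaults:
 # lunasa_client_rotate_cert: (Optional) Set to true to generate a new
 # client certificate and re-register clients during deployment.
 # lunasa_hsms: A list of HSMs. When more than one HSM is specified, they
-# will be configured as an HA pool. Each entry should specify the
+# will be configured as an HA group. Each entry should specify the
 # following:
 # - hostname: Hostname for the HSM
-# admin_password: admin password for the HSM, used to add a new client.
+# admin_password: admin password for the HSM, used to add a new client
+# for each controller node.
 # partition: HSM partition to be assigned to the clients.
 # partition_serial: serial number for the partition.
-# lunasa_ha_label: HA group label Required only for HA mode.
 
 resource_registry:
 OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml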
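Review bot: The guidance block in hunk `@@ -1,15 +1,17 @@` now documents `BarbicanPkcs11CryptoTokenLabel` and the optional `BarbicanPkcs11CryptoSlotId`, but not the `BarbicanPkcs11CryptoTokenSerialNumber` parameter introduced by the same commit, while the `lunasa_hsms` entry description in the second hunk still lists `partition_serial`; a reader cannot tell from this file whether those two serial values must agree or which one the plugin consults. I would add a line directly after the `BarbicanPkcs11CryptoSlotId` comment, such as `# BarbicanPkcs11CryptoTokenSerialNumber: (Optional) Serial number for the PKCS#11 token to be used`, and extend the `partition_serial` line to say how it relates to that parameter. Since the PIN and each HSM's `admin_password` are meant to be filled into this `parameter_defaults` file, a one-line reminder here to keep the populated copy out of version control (or to supply those values from a separate, access-restricted environment file) would be useful to operators.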