Add template code to configure hsm backends for barbican
Adds support for the Thales and ATOS client software. Change-Id: I79f8608431fecc58c8bdeba2de4a692a7ee388e9 Co-Authored-By: Douglas Mendizabal <dmendiza@redhat.com>
This commit is contained in:
parent
795dfcfdce
commit
17e0087e43
@ -49,10 +49,76 @@ parameters:
|
||||
default: false
|
||||
description: Remove package if the service is being disabled during upgrade
|
||||
type: boolean
|
||||
BarbicanPkcs11CryptoATOSEnabled:
|
||||
type: boolean
|
||||
default: false
|
||||
BarbicanPkcs11CryptoThalesEnabled:
|
||||
type: boolean
|
||||
default: false
|
||||
BarbicanPkcs11CryptoEnabled:
|
||||
type: boolean
|
||||
default: false
|
||||
BarbicanPkcs11CryptoLibraryPath:
|
||||
description: Path to vendor PKCS11 library
|
||||
type: string
|
||||
default: ''
|
||||
BarbicanPkcs11CryptoLogin:
|
||||
description: Password to login to PKCS11 session
|
||||
type: string
|
||||
hidden: true
|
||||
default: ''
|
||||
BarbicanPkcs11CryptoMKEKLabel:
|
||||
description: Label for Master KEK
|
||||
type: string
|
||||
default: ''
|
||||
BarbicanPkcs11CryptoMKEKLength:
|
||||
description: Length of Master KEK in bytes
|
||||
type: string
|
||||
default: '256'
|
||||
BarbicanPkcs11CryptoHMACLabel:
|
||||
description: Label for the HMAC key
|
||||
type: string
|
||||
default: ''
|
||||
BarbicanPkcs11CryptoSlotId:
|
||||
description: Slot Id for the HSM
|
||||
type: string
|
||||
default: '0'
|
||||
BarbicanPkcs11CryptoEncryptionMechanism:
|
||||
description: Cryptoki Mechanism used for encryption
|
||||
type: string
|
||||
default: 'CKM_AES_CBC'
|
||||
BarbicanPkcs11CryptoHMACKeyType:
|
||||
description: Cryptoki Key Type for Master HMAC key
|
||||
type: string
|
||||
default: 'CKK_AES'
|
||||
BarbicanPkcs11CryptoHMACKeygenMechanism:
|
||||
description: Cryptoki Mechanism used to generate Master HMAC Key
|
||||
type: string
|
||||
default: 'CKM_AES_KEY_GEN'
|
||||
ThalesHSMNetworkName:
|
||||
description: The network that the HSM is listening on.
|
||||
type: string
|
||||
default: 'internal_api'
|
||||
ThalesVars:
|
||||
default: {}
|
||||
description: Hash of tripleo-barbican-thales variables used to
|
||||
install Thales client software.
|
||||
type: json
|
||||
ATOSVars:
|
||||
default: {}
|
||||
description: Hash of tripleo-barbican-atos variables used to
|
||||
install ATOS client software.
|
||||
type: json
|
||||
|
||||
conditions:
|
||||
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
thales_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoThalesEnabled}, true]}
|
||||
atos_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoATOSEnabled}, true]}
|
||||
thales_or_atos_hsm_enabled:
|
||||
or:
|
||||
- thales_hsm_enabled
|
||||
- atos_hsm_enabled
|
||||
pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]}
|
||||
|
||||
resources:
|
||||
|
||||
@ -119,128 +185,384 @@ outputs:
|
||||
dest: "/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
external_deploy_tasks:
|
||||
if:
|
||||
- thales_hsm_enabled
|
||||
-
|
||||
- name: Add ip addresses to the RFS server
|
||||
when: step == '2'
|
||||
block:
|
||||
- name: get the ip addresses for the barbican nodes
|
||||
set_fact:
|
||||
thales_rfs_playbook_dir: "/tmp/thales_rfs_role_working_dir"
|
||||
thales_client_ips:
|
||||
str_replace:
|
||||
template: >-
|
||||
{% for host in groups['barbican_backend_pkcs11_crypto'] -%}
|
||||
{{ hostvars[host]['$THALES_HSM_NETWORK_NAME_ip'] + ' ' }}
|
||||
{%- endfor %}
|
||||
params:
|
||||
$THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName}
|
||||
thales_bootstrap_client_ip:
|
||||
str_replace:
|
||||
template: >-
|
||||
{% for host in groups['barbican_backend_pkcs11_crypto'] -%}
|
||||
{% if hostvars[host]['bootstrap_server_id'] == hostvars[host]['deploy_server_id'] -%}
|
||||
{{ hostvars[host]['$THALES_HSM_NETWORK_NAME_ip'] }}
|
||||
{%- endif %}
|
||||
{%- endfor %}
|
||||
params:
|
||||
$THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName}
|
||||
thales_hsm_ip_address: {get_param: [ThalesVars, thales_hsm_ip_address]}
|
||||
thales_hsm_config_location: {get_param: [ThalesVars, thales_hsm_config_location]}
|
||||
thales_rfs_user: {get_param: [ThalesVars, thales_rfs_user]}
|
||||
|
||||
- name: set playbook vars
|
||||
set_fact:
|
||||
thales_rfs_inventory: "{{thales_rfs_playbook_dir}}/inventory"
|
||||
thales_rfs_keyfile: "{{thales_rfs_playbook_dir}}/rfs_rsa"
|
||||
thales_rfs_playbook: "{{thales_rfs_playbook_dir}}/rfs.yaml"
|
||||
|
||||
- name: creating working directory
|
||||
file:
|
||||
path: "{{thales_rfs_playbook_dir}}"
|
||||
state: directory
|
||||
|
||||
- name: generate an inventory
|
||||
copy:
|
||||
dest: "{{thales_rfs_inventory}}"
|
||||
content: {get_param: [ThalesVars, thales_rfs_server_ip_address]}
|
||||
|
||||
- name: write SSH key to file
|
||||
copy:
|
||||
dest: "{{thales_rfs_keyfile}}"
|
||||
content: {get_param: [ThalesVars, thales_rfs_key]}
|
||||
mode: 0400
|
||||
|
||||
- name: generate playbook to run
|
||||
copy:
|
||||
dest: "{{thales_rfs_playbook}}"
|
||||
content: |
|
||||
---
|
||||
- hosts: all
|
||||
remote_user: "{{thales_rfs_user}}"
|
||||
vars:
|
||||
thales_client_ips: "{{thales_client_ips}}"
|
||||
thales_hsm_ip_address: "{{thales_hsm_ip_address}}"
|
||||
thales_hsm_config_location: "{{thales_hsm_config_location}}"
|
||||
thales_bootstrap_client_ip: "{{thales_bootstrap_client_ip}}"
|
||||
roles:
|
||||
- tripleo-barbican-thales-rfs
|
||||
|
||||
- name: call ansible on rfs server
|
||||
shell: ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "{{thales_rfs_inventory}}" --key-file "{{thales_rfs_keyfile}}" --ssh-extra-args "-o StrictHostKeyChecking=no" "{{thales_rfs_playbook}}"
|
||||
|
||||
- name: clean up working directory
|
||||
file:
|
||||
path: "{{thales_rfs_playbook_dir}}"
|
||||
state: absent
|
||||
- null
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- thales_or_atos_hsm_enabled
|
||||
- list_concat:
|
||||
-
|
||||
if:
|
||||
- thales_hsm_enabled
|
||||
-
|
||||
- name: Thales client install
|
||||
when: step == '2'
|
||||
block:
|
||||
- set_fact:
|
||||
my_thales_client_ip:
|
||||
str_replace:
|
||||
template:
|
||||
"{{$NETWORK_ip}}"
|
||||
params:
|
||||
$NETWORK: {get_param: ThalesHSMNetworkName}
|
||||
- include_role:
|
||||
name: tripleo-barbican-thales
|
||||
vars:
|
||||
{get_param: ThalesVars}
|
||||
- null
|
||||
-
|
||||
if:
|
||||
- atos_hsm_enabled
|
||||
-
|
||||
- name: ATOS client install
|
||||
when: step == '2'
|
||||
block:
|
||||
- include_role:
|
||||
name: tripleo-barbican-atos
|
||||
vars:
|
||||
{get_param: ATOSVars}
|
||||
- null
|
||||
- null
|
||||
|
||||
docker_config:
|
||||
# db sync runs before permissions set by kolla_config
|
||||
step_2:
|
||||
get_attr: [BarbicanApiLogging, docker_config, step_2]
|
||||
map_merge:
|
||||
- get_attr: [BarbicanApiLogging, docker_config, step_2]
|
||||
- if:
|
||||
- atos_hsm_enabled
|
||||
- barbican_init_atos_directory:
|
||||
image: &barbican_api_image {get_param: DockerBarbicanApiImage}
|
||||
user: root
|
||||
volumes:
|
||||
- /etc/proteccio:/etc/proteccio
|
||||
- /usr/lib64/libnetshm.so:/usr/lib64/libnethsm.so
|
||||
command: ['/bin/bash', '-c', 'chown -R barbican:barbican /etc/proteccio && chown barbican:barbican /usr/lib64/libnethsm.so']
|
||||
- {}
|
||||
step_3:
|
||||
barbican_api_db_sync:
|
||||
start_order: 0
|
||||
image: &barbican_api_image {get_param: DockerBarbicanApiImage}
|
||||
net: host
|
||||
detach: false
|
||||
user: root
|
||||
volumes: &barbican_api_volumes
|
||||
list_concat:
|
||||
- {get_attr: [ContainersCommon, volumes]}
|
||||
- {get_attr: [BarbicanApiLogging, volumes]}
|
||||
-
|
||||
- /var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro
|
||||
- /var/lib/config-data/barbican/etc/my.cnf.d/:/etc/my.cnf.d/:ro
|
||||
command:
|
||||
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
|
||||
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
|
||||
# final single quote that's part of the list_join.
|
||||
list_join:
|
||||
- ' '
|
||||
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
||||
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
||||
- "db upgrade"
|
||||
- "'"
|
||||
barbican_api_secret_store_sync:
|
||||
start_order: 1
|
||||
image: *barbican_api_image
|
||||
net: host
|
||||
detach: false
|
||||
user: root
|
||||
volumes: *barbican_api_volumes
|
||||
command:
|
||||
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
|
||||
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
|
||||
# final single quote that's part of the list_join.
|
||||
list_join:
|
||||
- ' '
|
||||
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
||||
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
||||
- "db sync_secret_stores --verbose"
|
||||
- "'"
|
||||
barbican_api:
|
||||
# NOTE(alee): Barbican should start after keystone processes
|
||||
start_order: 5
|
||||
image: *barbican_api_image
|
||||
net: host
|
||||
privileged: false
|
||||
restart: always
|
||||
user: root
|
||||
healthcheck:
|
||||
test: /openstack/healthcheck
|
||||
volumes:
|
||||
list_concat:
|
||||
- {get_attr: [ContainersCommon, volumes]}
|
||||
- {get_attr: [BarbicanApiLogging, volumes]}
|
||||
-
|
||||
- /var/lib/kolla/config_files/barbican_api.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro
|
||||
-
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
||||
- ''
|
||||
-
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
||||
- ''
|
||||
environment: &kolla_env
|
||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
||||
barbican_keystone_listener:
|
||||
start_order: 6
|
||||
image: {get_param: DockerBarbicanKeystoneListenerImage}
|
||||
net: host
|
||||
privileged: false
|
||||
restart: always
|
||||
user: barbican
|
||||
healthcheck:
|
||||
test:
|
||||
list_join:
|
||||
map_merge:
|
||||
- if:
|
||||
- pkcs11_plugin_enabled
|
||||
- barbican_api_create_mkek:
|
||||
start_order: 0
|
||||
image: *barbican_api_image
|
||||
net: host
|
||||
detach: false
|
||||
user: root
|
||||
volumes: &barbican_api_volumes
|
||||
list_concat:
|
||||
- {get_attr: [ContainersCommon, volumes]}
|
||||
- {get_attr: [BarbicanApiLogging, volumes]}
|
||||
-
|
||||
- /var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro
|
||||
- /var/lib/config-data/barbican/etc/my.cnf.d/:/etc/my.cnf.d/:ro
|
||||
-
|
||||
if:
|
||||
- thales_hsm_enabled
|
||||
-
|
||||
- /opt/nfast:/opt/nfast
|
||||
- null
|
||||
-
|
||||
if:
|
||||
- atos_hsm_enabled
|
||||
-
|
||||
- /etc/proteccio:/etc/proteccio
|
||||
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
|
||||
- null
|
||||
command:
|
||||
list_join:
|
||||
- ' '
|
||||
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
||||
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
||||
- "hsm check_mkek --library-path"
|
||||
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
|
||||
- "--slot-id"
|
||||
- {get_param: [BarbicanPkcs11CryptoSlotId]}
|
||||
- "--passphrase"
|
||||
- {get_param: [BarbicanPkcs11CryptoLogin]}
|
||||
- "--label"
|
||||
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
|
||||
- "|| /usr/bin/barbican-manage"
|
||||
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
||||
- "hsm gen_mkek --library-path"
|
||||
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
|
||||
- "--slot-id"
|
||||
- {get_param: [BarbicanPkcs11CryptoSlotId]}
|
||||
- "--passphrase"
|
||||
- {get_param: [BarbicanPkcs11CryptoLogin]}
|
||||
- "--label"
|
||||
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
|
||||
- "'"
|
||||
- {}
|
||||
- if:
|
||||
- pkcs11_plugin_enabled
|
||||
- barbican_api_create_hmac:
|
||||
start_order: 0
|
||||
image: *barbican_api_image
|
||||
net: host
|
||||
detach: false
|
||||
user: root
|
||||
volumes: *barbican_api_volumes
|
||||
command:
|
||||
list_join:
|
||||
- ' '
|
||||
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
||||
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
||||
- "hsm check_hmac --library-path"
|
||||
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
|
||||
- "--slot-id"
|
||||
- {get_param: [BarbicanPkcs11CryptoSlotId]}
|
||||
- "--passphrase"
|
||||
- {get_param: [BarbicanPkcs11CryptoLogin]}
|
||||
- "--label"
|
||||
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
|
||||
- "--key-type"
|
||||
- {get_param: [BarbicanPkcs11CryptoHMACKeyType]}
|
||||
- "|| /usr/bin/barbican-manage hsm gen_hmac --library-path"
|
||||
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
|
||||
- "--slot-id"
|
||||
- {get_param: [BarbicanPkcs11CryptoSlotId]}
|
||||
- "--passphrase"
|
||||
- {get_param: [BarbicanPkcs11CryptoLogin]}
|
||||
- "--label"
|
||||
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
|
||||
- "--key-type"
|
||||
- {get_param: [BarbicanPkcs11CryptoHMACKeyType]}
|
||||
- "--mechanism"
|
||||
- {get_param: [BarbicanPkcs11CryptoHMACKeygenMechanism]}
|
||||
- "'"
|
||||
- {}
|
||||
- if:
|
||||
- thales_hsm_enabled
|
||||
- barbican_api_update_rfs_server_with_mkek_and_hmac_keys:
|
||||
start_order: 0
|
||||
image: *barbican_api_image
|
||||
net: host
|
||||
detach: false
|
||||
user: root
|
||||
volumes: *barbican_api_volumes
|
||||
command: "/usr/bin/bootstrap_host_exec barbican_api /opt/nfast/bin/rfs-sync --commit"
|
||||
- {}
|
||||
- if:
|
||||
- thales_hsm_enabled
|
||||
- barbican_api_get_mkek_and_hmac_keys_from_rfs:
|
||||
start_order: 0
|
||||
image: *barbican_api_image
|
||||
net: host
|
||||
detach: false
|
||||
user: root
|
||||
volumes: *barbican_api_volumes
|
||||
command: "/opt/nfast/bin/rfs-sync --update"
|
||||
- {}
|
||||
- barbican_api_db_sync:
|
||||
start_order: 0
|
||||
image: *barbican_api_image
|
||||
net: host
|
||||
detach: false
|
||||
user: root
|
||||
volumes: *barbican_api_volumes
|
||||
command:
|
||||
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
|
||||
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
|
||||
# final single quote that's part of the list_join.
|
||||
list_join:
|
||||
- ' '
|
||||
- - '/openstack/healthcheck'
|
||||
- yaql:
|
||||
expression: str($.data.port)
|
||||
data:
|
||||
port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']}
|
||||
volumes:
|
||||
list_concat:
|
||||
- {get_attr: [ContainersCommon, volumes]}
|
||||
- {get_attr: [BarbicanApiLogging, volumes]}
|
||||
-
|
||||
- /var/lib/kolla/config_files/barbican_keystone_listener.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro
|
||||
environment: *kolla_env
|
||||
barbican_worker:
|
||||
start_order: 7
|
||||
image: {get_param: DockerBarbicanWorkerImage}
|
||||
net: host
|
||||
privileged: false
|
||||
restart: always
|
||||
user: barbican
|
||||
healthcheck:
|
||||
test:
|
||||
list_join:
|
||||
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
||||
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
||||
- "db upgrade"
|
||||
- "'"
|
||||
- barbican_api_secret_store_sync:
|
||||
start_order: 1
|
||||
image: *barbican_api_image
|
||||
net: host
|
||||
detach: false
|
||||
user: root
|
||||
volumes: *barbican_api_volumes
|
||||
command:
|
||||
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
|
||||
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
|
||||
# final single quote that's part of the list_join.
|
||||
list_join:
|
||||
- ' '
|
||||
- - '/openstack/healthcheck'
|
||||
- yaql:
|
||||
expression: str($.data.port)
|
||||
data:
|
||||
port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']}
|
||||
volumes:
|
||||
list_concat:
|
||||
- {get_attr: [ContainersCommon, volumes]}
|
||||
- {get_attr: [BarbicanApiLogging, volumes]}
|
||||
-
|
||||
- /var/lib/kolla/config_files/barbican_worker.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro
|
||||
environment: *kolla_env
|
||||
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
||||
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
||||
- "db sync_secret_stores --verbose"
|
||||
- "'"
|
||||
- barbican_api:
|
||||
# NOTE(alee): Barbican should start after keystone processes
|
||||
start_order: 5
|
||||
image: *barbican_api_image
|
||||
net: host
|
||||
privileged: false
|
||||
restart: always
|
||||
user: root
|
||||
healthcheck:
|
||||
test: /openstack/healthcheck
|
||||
volumes:
|
||||
list_concat:
|
||||
- {get_attr: [ContainersCommon, volumes]}
|
||||
- {get_attr: [BarbicanApiLogging, volumes]}
|
||||
-
|
||||
- /var/lib/kolla/config_files/barbican_api.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro
|
||||
-
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
||||
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
||||
- null
|
||||
-
|
||||
if:
|
||||
- thales_hsm_enabled
|
||||
-
|
||||
- /opt/nfast:/opt/nfast
|
||||
- null
|
||||
-
|
||||
if:
|
||||
- atos_hsm_enabled
|
||||
-
|
||||
- /etc/proteccio:/etc/proteccio
|
||||
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
|
||||
- null
|
||||
environment: &kolla_env
|
||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
||||
- barbican_keystone_listener:
|
||||
start_order: 6
|
||||
image: {get_param: DockerBarbicanKeystoneListenerImage}
|
||||
net: host
|
||||
privileged: false
|
||||
restart: always
|
||||
user: barbican
|
||||
healthcheck:
|
||||
test:
|
||||
list_join:
|
||||
- ' '
|
||||
- - '/openstack/healthcheck'
|
||||
- yaql:
|
||||
expression: str($.data.port)
|
||||
data:
|
||||
port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']}
|
||||
volumes:
|
||||
list_concat:
|
||||
- {get_attr: [ContainersCommon, volumes]}
|
||||
- {get_attr: [BarbicanApiLogging, volumes]}
|
||||
-
|
||||
- /var/lib/kolla/config_files/barbican_keystone_listener.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro
|
||||
environment: *kolla_env
|
||||
- barbican_worker:
|
||||
start_order: 7
|
||||
image: {get_param: DockerBarbicanWorkerImage}
|
||||
net: host
|
||||
privileged: false
|
||||
restart: always
|
||||
user: barbican
|
||||
healthcheck:
|
||||
test:
|
||||
list_join:
|
||||
- ' '
|
||||
- - '/openstack/healthcheck'
|
||||
- yaql:
|
||||
expression: str($.data.port)
|
||||
data:
|
||||
port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']}
|
||||
volumes:
|
||||
list_concat:
|
||||
- {get_attr: [ContainersCommon, volumes]}
|
||||
- {get_attr: [BarbicanApiLogging, volumes]}
|
||||
-
|
||||
- /var/lib/kolla/config_files/barbican_worker.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro
|
||||
-
|
||||
if:
|
||||
- thales_hsm_enabled
|
||||
-
|
||||
- /opt/nfast:/opt/nfast
|
||||
- null
|
||||
-
|
||||
if:
|
||||
- atos_hsm_enabled
|
||||
-
|
||||
- /etc/proteccio:/etc/proteccio
|
||||
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
|
||||
- null
|
||||
environment: *kolla_env
|
||||
host_prep_tasks: {get_attr: [BarbicanApiLogging, host_prep_tasks]}
|
||||
upgrade_tasks:
|
||||
- when: step|int == 3
|
||||
|
29
environments/barbican-backend-pkcs11-atos.yaml
Normal file
29
environments/barbican-backend-pkcs11-atos.yaml
Normal file
@ -0,0 +1,29 @@
|
||||
# A Heat environment file to enable the barbican PKCS11 crypto backend. Note
|
||||
# that barbican needs to be enabled in order to use this.
|
||||
parameter_defaults:
|
||||
# In order to use this backend, you need to uncomment these values and
|
||||
# provide the appropriate values.
|
||||
#
|
||||
# BarbicanPkcs11CryptoLogin: Password to login to PKCS11 session
|
||||
# BarbicanPkcs11CryptoSlotId: Slot Id for the HSM
|
||||
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
|
||||
|
||||
BarbicanPkcs11CryptoLibraryPath: '/usr/lib64/libnethsm.so'
|
||||
BarbicanPkcs11CryptoEncryptionMechanism: 'CKM_AES_CBC'
|
||||
BarbicanPkcs11CryptoHMACKeyType: 'CKK_GENERIC_SECRET'
|
||||
BarbicanPkcs11CryptoHMACKeygenMechanism: 'CKM_GENERIC_SECRET_KEY_GEN'
|
||||
BarbicanPkcs11CryptoMKEKLabel: 'barbican_mkek_0'
|
||||
BarbicanPkcs11CryptoMKEKLength: 32
|
||||
BarbicanPkcs11CryptoHMACLabel: 'barbican_hmac_0'
|
||||
BarbicanPkcs11CryptoATOSEnabled: true
|
||||
BarbicanPkcs11CryptoEnabled: true
|
||||
ATOSVars:
|
||||
atos_client_working_dir: /tmp/atos_client_install
|
||||
# atos_client_iso_location:
|
||||
# atos_client_iso_name:
|
||||
# atos_client_cert_location:
|
||||
# atos_client_key_loaction:
|
||||
# atos_hsm_ip_address:
|
||||
|
||||
resource_registry:
|
||||
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml
|
38
environments/barbican-backend-pkcs11-thales.yaml
Normal file
38
environments/barbican-backend-pkcs11-thales.yaml
Normal file
@ -0,0 +1,38 @@
|
||||
# A Heat environment file to enable the barbican PKCS11 crypto backend with
|
||||
# a Thales HSM.
|
||||
# Note that barbican needs to be enabled in order to use this.
|
||||
parameter_defaults:
|
||||
# In order to use this backend, you need to uncomment these values and
|
||||
# provide the appropriate values.
|
||||
#
|
||||
# BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS11 session
|
||||
# BarbicanPkcs11CryptoSlotId: Slot Id for the HSM
|
||||
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
|
||||
|
||||
BarbicanPkcs11CryptoLibraryPath: '/opt/nfast/toolkits/pkcs11/libcknfast.so'
|
||||
BarbicanPkcs11CryptoEncryptionMechanism: 'CKM_AES_CBC'
|
||||
BarbicanPkcs11CryptoHMACKeyType: 'CKK_SHA256_HMAC'
|
||||
BarbicanPkcs11CryptoHMACKeygenMechanism: 'CKM_NC_SHA256_HMAC_KEY_GEN'
|
||||
BarbicanPkcs11CryptoMKEKLabel: 'barbican_mkek_0'
|
||||
BarbicanPkcs11CryptoMKEKLength: '32'
|
||||
BarbicanPkcs11CryptoHMACLabel: 'barbican_hmac_0'
|
||||
BarbicanPkcs11CryptoThalesEnabled: true
|
||||
BarbicanPkcs11CryptoEnabled: true
|
||||
ThalesVars:
|
||||
thales_client_working_dir: /tmp/thales_client_install
|
||||
# thales_client_tarball_location: URI where the CipherTools tarball can be downloaded.
|
||||
# thales_client_tarball_name: Filename for the CipherTools tarball.
|
||||
thales_client_path: linux/libc6_11/amd64/nfast
|
||||
thales_client_uid: 42481
|
||||
thales_client_gid: 42481
|
||||
# thales_km_data_location: URL where the RFS kmdata tarball can be downloaded.
|
||||
# thales_km_data_tarball_name: Filename for the kmdata tarball.
|
||||
# thales_hsm_ip_address: IP address for the HSM
|
||||
# thales_rfs_server_ip_address: IP address for the RFS Server.
|
||||
# thales_hsm_config_location: The directory where the hsm configuration is stored in
|
||||
# your RFS server. e.g. hsm-XXXX-XXXX-XXXX.
|
||||
# thales_rfs_user: Username used to log into RFS server.
|
||||
# thales_rfs_key: RSA Private key in PEM format used to log into RFS server.
|
||||
|
||||
resource_registry:
|
||||
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml
|
@ -11,6 +11,7 @@ parameter_defaults:
|
||||
# BarbicanPkcs11CryptoHMACLabel: Label for the HMAC key
|
||||
# BarbicanPkcs11CryptoSlotId: Slot Id for the HSM
|
||||
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
|
||||
BarbicanPkcs11CryptoEnabled: true
|
||||
|
||||
resource_registry:
|
||||
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml
|
||||
|
@ -34,22 +34,44 @@ parameters:
|
||||
BarbicanPkcs11CryptoLibraryPath:
|
||||
description: Path to vendor PKCS11 library
|
||||
type: string
|
||||
default: ''
|
||||
BarbicanPkcs11CryptoLogin:
|
||||
description: Password to login to PKCS11 session
|
||||
type: string
|
||||
hidden: true
|
||||
default: ''
|
||||
BarbicanPkcs11CryptoMKEKLabel:
|
||||
description: Label for Master KEK
|
||||
type: string
|
||||
default: ''
|
||||
BarbicanPkcs11CryptoMKEKLength:
|
||||
description: Length of Master KEK in bytes
|
||||
type: number
|
||||
type: string
|
||||
default: '256'
|
||||
BarbicanPkcs11CryptoHMACLabel:
|
||||
description: Label for the HMAC key
|
||||
type: string
|
||||
default: ''
|
||||
BarbicanPkcs11CryptoSlotId:
|
||||
description: Slot Id for the HSM
|
||||
type: number
|
||||
type: string
|
||||
default: '0'
|
||||
BarbicanPkcs11CryptoEncryptionMechanism:
|
||||
description: Cryptoki Mechanism used for encryption
|
||||
type: string
|
||||
default: 'CKM_AES_CBC'
|
||||
BarbicanPkcs11CryptoHMACKeyType:
|
||||
description: Cryptoki Key Type for Master HMAC key
|
||||
type: string
|
||||
default: 'CKK_AES'
|
||||
BarbicanPkcs11CryptoHMACKeygenMechanism:
|
||||
description: Cryptoki Mechanism used to generate Master HMAC Key
|
||||
type: string
|
||||
default: 'CKM_AES_KEY_GEN'
|
||||
BarbicanPkcs11CryptoAESGCMGenerateIV:
|
||||
description: Generate IVs for CKM_AES_GCM encryption mechanism
|
||||
type: boolean
|
||||
default: true
|
||||
BarbicanPkcs11CryptoGlobalDefault:
|
||||
description: Whether this plugin is the global default plugin
|
||||
type: boolean
|
||||
@ -61,10 +83,14 @@ outputs:
|
||||
value:
|
||||
service_name: barbican_backend_pkcs11_crypto
|
||||
config_settings:
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_library_path {get_param: BarbicanPkcs11CryptoLibraryPath}
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_login {get_param: BarbicanPkcs11CryptoLogin}
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_library_path: {get_param: BarbicanPkcs11CryptoLibraryPath}
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_login: {get_param: BarbicanPkcs11CryptoLogin}
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_label: {get_param: BarbicanPkcs11CryptoMKEKLabel}
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_length: {get_param: BarbicanPkcs11CryptoMKEKLength}
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_label: {get_param: BarbicanPkcs11CryptoHMACLabel}
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId}
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_encryption_mechanism: {get_param: BarbicanPkcs11CryptoEncryptionMechanism}
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_key_type: {get_param: BarbicanPkcs11CryptoHMACKeyType}
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_keygen_mechanism: {get_param: BarbicanPkcs11CryptoHMACKeygenMechanism}
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_aes_gcm_generate_iv: {get_param: BarbicanPkcs11CryptoAESGCMGenerateIV}
|
||||
barbican::plugins::p11_crypto::global_default: {get_param: BarbicanPkcs11CryptoGlobalDefault}
|
||||
|
@ -0,0 +1,10 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
Added code in the barbican-api.yaml template to allow barbican to be
|
||||
configured to run with either an ATOS or Thales HSM back-end. Also
|
||||
added environment files with all the required variables. The added code
|
||||
installs and configures the client software on the barbican nodes,
|
||||
generates the required kets for the PKCS#11 plugin, and configures
|
||||
barbican correctly. For the Thales case, it also contacts the RFS server
|
||||
to add the new clients to the HSM.
|
Loading…
Reference in New Issue
Block a user