
Merge "Add new options for Barbican PKCS#11 backend" into stable/victoria

changes/76/793276/1
Zuul 3 weeks ago
committed by Gerrit Code Review
parent
commit
1de10d41aa
6 changed files with 54 additions and 10 deletions
  1. +17
    -3
      deployment/barbican/barbican-api-container-puppet.yaml
  2. +15
    -1
      deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
  3. +11
    -2
      environments/barbican-backend-pkcs11-atos.yaml
  4. +1
    -2
      environments/barbican-backend-pkcs11-lunasa.yaml
  5. +1
    -2
      environments/barbican-backend-pkcs11-thales.yaml
  6. +9
    -0
      releasenotes/notes/add-support-for-barbican-pkcs11-options-a2ec14369518b40e.yaml

+ 17
- 3
deployment/barbican/barbican-api-container-puppet.yaml View File

@ -88,7 +88,14 @@ parameters:
type: string
default: ''
BarbicanPkcs11CryptoTokenLabel:
description: Label for PKCS#11 token to be used
description: (DEPRECATED) Use BarbicanPkcs11CryptoTokenLabels instead.
type: string
default: ''
BarbicanPkcs11CryptoTokenLabels:
description: List of comma separated labels for the tokens to be used.
This is typically a single label, but some devices may require
more than one label for Load Balancing and High Availability
configurations.
type: string
default: ''
BarbicanPkcs11CryptoHMACKeyType:
@ -183,6 +190,7 @@ conditions:
- lunasa_hsm_enabled
pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]}
pkcs11_rewrap_pkeks: {equals: [{get_param: BarbicanPkcs11CryptoRewrapKeys}, true]}
pkcs11_tokens_unset: {equals: [{get_param: BarbicanPkcs11CryptoTokenLabels}, '']}
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
# Luna Clients use FQDN by default. When LunasaClientIPNetwork is set we
# will use the Controller's IP address from that network instead.
@ -491,11 +499,17 @@ outputs:
- map_merge:
- {get_param: LunasaVars}
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
- if:
- pkcs11_tokens_unset
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabels}
- map_merge:
- {get_param: LunasaVars}
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
- if:
- pkcs11_tokens_unset
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabels}
- lunasa_client_ip:
str_replace:
template:
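Review bot: The fallback introduced by `pkcs11_tokens_unset` (the two `if:` blocks feeding `lunasa_ha_label`) leaves the precedence between the two parameters implicit: when an operator sets both `BarbicanPkcs11CryptoTokenLabel` and `BarbicanPkcs11CryptoTokenLabels`, the deprecated value is silently ignored and nothing in the hunk warns about the deprecated name being used. I would state this in the new parameter's description, e.g. `Takes precedence over the deprecated BarbicanPkcs11CryptoTokenLabel when both are set.`, and, if this template carries a `parameter_groups` deprecated group (not visible in the hunk), list `BarbicanPkcs11CryptoTokenLabel` there so deployments emit the standard deprecation warning. Note also that the Luna branch passes the comma-separated string straight into `lunasa_ha_label`; if the Luna client role consumes that as a single HA-group label, the description should say that for Luna this must be exactly one label. The `outputs:` map these `if:` blocks belong to starts and ends outside the hunk.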


+ 15
- 1
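--- a/deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
+++ b/deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
@@ -61,7 +61,14 @@ parameters:
 type: string
 default: ''
 BarbicanPkcs11CryptoTokenLabel:
-description: Label for PKCS#11 token to be used
+description: (DEPRECATED) Use BarbicanPkcs11CryptoTokenLabels instead.
 type: string
 default: ''
+BarbicanPkcs11CryptoTokenLabels:
+description: List of comma separated labels for the tokens to be used.
+This is typically a single label, but some devices may require
+more than one label for Load Balancing and High Availability
+configurations.
+type: string
+default: ''
 BarbicanPkcs11CryptoEncryptionMechanism:
@@ -84,6 +91,11 @@ parameters:
 description: Always set CKA_SENSITIVE=CK_TRUE
 type: boolean
 default: true
+BarbicanPkcs11CryptoOsLockingOk:
+description: Set CKF_OS_LOCKING_OK flag when initializing the client
+library.
+type: boolean
+default: false
 BarbicanPkcs11CryptoGlobalDefault:
 description: Whether this plugin is the global default plugin
 type: boolean
@@ -103,9 +115,11 @@ outputs:
 barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId}
 barbican::plugins::p11_crypto::p11_crypto_plugin_token_serial_number: {get_param: BarbicanPkcs11CryptoTokenSerialNumber}
 barbican::plugins::p11_crypto::p11_crypto_plugin_token_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
+barbican::plugins::p11_crypto::p11_crypto_plugin_token_labels: {get_param: BarbicanPkcs11CryptoTokenLabels}
 barbican::plugins::p11_crypto::p11_crypto_plugin_encryption_mechanism: {get_param: BarbicanPkcs11CryptoEncryptionMechanism}
 barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_key_type: {get_param: BarbicanPkcs11CryptoHMACKeyType}
 barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_keygen_mechanism: {get_param: BarbicanPkcs11CryptoHMACKeygenMechanism}
 barbican::plugins::p11_crypto::p11_crypto_plugin_aes_gcm_generate_iv: {get_param: BarbicanPkcs11CryptoAESGCMGenerateIV}
 barbican::plugins::p11_crypto::p11_crypto_plugin_always_set_cka_sensitive: {get_param: BarbicanPkcs11AlwaysSetCkaSensitive}
+barbican::plugins::p11_crypto::p11_crypto_plugin_os_locking_ok: {get_param: BarbicanPkcs11CryptoOsLockingOk}
 barbican::plugins::p11_crypto::global_default: {get_param: BarbicanPkcs11CryptoGlobalDefault}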
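Review bot: Unlike the API template in this same change, the `config_settings` hunk forwards both `p11_crypto_plugin_token_label` and the new `p11_crypto_plugin_token_labels` to puppet unconditionally, with `BarbicanPkcs11CryptoTokenLabels` defaulting to `''`. Whether an empty `token_labels` is treated as unset, so that the deprecated `token_label` still takes effect on upgraded deployments that only set the old parameter, is decided in puppet-barbican and barbican's p11_crypto plugin rather than here; if it is not, these two lines need the same kind of `pkcs11_tokens_unset` guard the API template uses. Separately, the `BarbicanPkcs11CryptoOsLockingOk` description should tell operators what the flag does, e.g. `Set CKF_OS_LOCKING_OK when initializing the PKCS#11 library, allowing it to use native OS locking for multi-threaded access; some vendor libraries require this.` The `outputs:` block these settings belong to starts outside the hunk.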

+ 11
- 2
environments/barbican-backend-pkcs11-atos.yaml View File

@ -5,7 +5,10 @@ parameter_defaults:
# provide the appropriate values.
#
# BarbicanPkcs11CryptoLogin: Password to login to PKCS11 session
# BarbicanPkcs11CryptoSlotId: Slot Id for the HSM
# BarbicanPkcs11CryptoTokenLabels: The token label for the virtual HSM to be used.
# This is typically a single label, but may be more than one if you are using
# multiple HSMs in Load Balancing mode, and the HSMs have different labels.
# When listing more than one, separate them using a comma (,).
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
BarbicanPkcs11CryptoLibraryPath: '/usr/lib64/libnethsm.so'
@ -18,13 +21,19 @@ parameter_defaults:
BarbicanPkcs11CryptoATOSEnabled: true
BarbicanPkcs11CryptoEnabled: true
BarbicanPkcs11AlwaysSetCkaSensitive: false
BarbicanPkcs11CryptoOsLockingOk: true
ATOSVars:
atos_client_working_dir: /tmp/atos_client_install
# atos_client_iso_location:
# atos_client_iso_name:
# atos_client_cert_location:
# atos_client_key_loaction:
# atos_hsm_ip_address:
# atos_hsms: # -- A list of HSMs. When more than one HSM is specified,
# # they will be configured in Load Balancing mode.
# - name: my-hsm-hostanme.example.com
# server_cert_location: https://user@PASSWORD:example.com/cert.CRT
# ip: 127.0.0.1
resource_registry:
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
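Review bot: The sample `server_cert_location: https://user@PASSWORD:example.com/cert.CRT` under `atos_hsms` is malformed (URL userinfo is `user:password@host`, not `user@password:host`) and, more importantly, teaches operators to embed a credential in a URL that will be echoed into deployment logs and Ansible output. I would change the example to a credential-free URL, `server_cert_location: https://example.com/cert.CRT`, and if the role needs authenticated downloads, say so in a comment rather than in the URL. The neighbouring line has a typo, `my-hsm-hostanme.example.com` → `my-hsm-hostname.example.com`, and `atos_client_key_loaction` looks like a pre-existing typo worth correcting while this block is touched, unless the consuming role really spells the variable that way. It is also unclear from the hunk whether `atos_hsm_ip_address` is still honoured alongside the new `atos_hsms` list; a one-line comment on which one wins when both are set would help.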

+ 1
- 2
environments/barbican-backend-pkcs11-lunasa.yaml View File

@ -7,11 +7,10 @@ parameter_defaults:
#
# BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS#11 session
#
# BarbicanPkcs11CryptoTokenLabel: Label for PKCS#11 token to be used.
# BarbicanPkcs11CryptoTokenLabels: Label for PKCS#11 token to be used.
# For single HSM deployments this value should be the partition label
# that will be assigned to the clients.
# For HA deployments this value should be the label for the HA group.
# BarbicanPkcs11CryptoSlotId: (Optional) Slot Id for PKCS#11 token to be used
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
#
# LunasaClientIPNetwork: (Optional) Network to be used by the controllers


+ 1
- 2
environments/barbican-backend-pkcs11-thales.yaml View File

@ -6,9 +6,8 @@ parameter_defaults:
# provide the appropriate values.
#
# BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS11 session
# BarbicanPkcs11CryptoTokenLabel: Label for PKCS#11 token to be used.
# BarbicanPkcs11CryptoTokenLabels: Label for PKCS#11 token to be used.
# This is typically the label given to the Operator Card Set (OCS)
# BarbicanPkcs11CryptoSlotId (optional): Slot Id for the HSM
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
BarbicanPkcs11CryptoLibraryPath: '/opt/nfast/toolkits/pkcs11/libcknfast.so'


+ 9
- 0
releasenotes/notes/add-support-for-barbican-pkcs11-options-a2ec14369518b40e.yaml View File

@ -0,0 +1,9 @@
---
features:
- |
Added new options for deploying Barbican with PKCS#11 backends:
`BarbicanPkcs11CryptoTokenLabels` and `BarbicanPkcs11CryptoOsLockingOk`
deprecations:
- |
The `BarbicanPkcs11CryptoTokenLabel` option has been deprecated and
replaced with the `BarbicanPkcs11CryptoTokenLabels` option.
