Merge "Add new options for Barbican PKCS#11 backend" into stable/victoria
commit
1de10d41aa
@ -88,7 +88,14 @@ parameters:
|
||||
type: string
|
||||
default: ''
|
||||
BarbicanPkcs11CryptoTokenLabel:
|
||||
description: Label for PKCS#11 token to be used
|
||||
description: (DEPRECATED) Use BarbicanPkcs11CryptoTokenLabels instead.
|
||||
type: string
|
||||
default: ''
|
||||
BarbicanPkcs11CryptoTokenLabels:
|
||||
description: List of comma separated labels for the tokens to be used.
|
||||
This is typically a single label, but some devices may require
|
||||
more than one label for Load Balancing and High Availability
|
||||
configurations.
|
||||
type: string
|
||||
default: ''
|
||||
BarbicanPkcs11CryptoHMACKeyType:
|
||||
@ -183,6 +190,7 @@ conditions:
|
||||
- lunasa_hsm_enabled
|
||||
pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]}
|
||||
pkcs11_rewrap_pkeks: {equals: [{get_param: BarbicanPkcs11CryptoRewrapKeys}, true]}
|
||||
pkcs11_tokens_unset: {equals: [{get_param: BarbicanPkcs11CryptoTokenLabels}, '']}
|
||||
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
|
||||
# Luna Clients use FQDN by default. When LunasaClientIPNetwork is set we
|
||||
# will use the Controller's IP address from that network instead.
|
||||
@ -491,11 +499,17 @@ outputs:
|
||||
- map_merge:
|
||||
- {get_param: LunasaVars}
|
||||
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
|
||||
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
|
||||
- if:
|
||||
- pkcs11_tokens_unset
|
||||
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
|
||||
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabels}
|
||||
- map_merge:
|
||||
- {get_param: LunasaVars}
|
||||
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
|
||||
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
|
||||
- if:
|
||||
- pkcs11_tokens_unset
|
||||
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
|
||||
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabels}
|
||||
- lunasa_client_ip:
|
||||
str_replace:
|
||||
template:
|
||||
|
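Review bot: The fallback condition `pkcs11_tokens_unset` tests only `BarbicanPkcs11CryptoTokenLabels`, so a deployment that still sets the deprecated `BarbicanPkcs11CryptoTokenLabel` and also sets the new parameter has its old value dropped silently; the deprecation is only visible in the description text and the release note. If this template already carries a `parameter_groups:` entry with `label: deprecated`, adding `BarbicanPkcs11CryptoTokenLabel` there would let the validation tooling warn operators instead. Separately, `lunasa_ha_label` now receives the raw value of a field documented as "comma separated labels", while the Luna environment comments in the same commit say HA deployments should pass the single HA group label; if the Lunasa client role treats this as one label (not verified here), a multi-label value would misconfigure the client. The parameter description should state that for the Luna backend only a single label is expected, e.g. `For Luna HA deployments supply only the HA group label, not a comma separated list.` The `outputs:` mapping these `map_merge` blocks belong to starts outside the hunk.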
@ -61,7 +61,14 @@ parameters:
|
||||
type: string
|
||||
default: ''
|
||||
BarbicanPkcs11CryptoTokenLabel:
|
||||
description: Label for PKCS#11 token to be used
|
||||
description: (DEPRECATED) Use BarbicanPkcs11CryptoTokenLabels instead.
|
||||
type: string
|
||||
default: ''
|
||||
BarbicanPkcs11CryptoTokenLabels:
|
||||
description: List of comma separated labels for the tokens to be used.
|
||||
This is typically a single label, but some devices may require
|
||||
more than one label for Load Balancing and High Availability
|
||||
configurations.
|
||||
type: string
|
||||
default: ''
|
||||
BarbicanPkcs11CryptoEncryptionMechanism:
|
||||
@ -84,6 +91,11 @@ parameters:
|
||||
description: Always set CKA_SENSITIVE=CK_TRUE
|
||||
type: boolean
|
||||
default: true
|
||||
BarbicanPkcs11CryptoOsLockingOk:
|
||||
description: Set CKF_OS_LOCKING_OK flag when initializing the client
|
||||
library.
|
||||
type: boolean
|
||||
default: false
|
||||
BarbicanPkcs11CryptoGlobalDefault:
|
||||
description: Whether this plugin is the global default plugin
|
||||
type: boolean
|
||||
@ -103,9 +115,11 @@ outputs:
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId}
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_token_serial_number: {get_param: BarbicanPkcs11CryptoTokenSerialNumber}
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_token_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_token_labels: {get_param: BarbicanPkcs11CryptoTokenLabels}
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_encryption_mechanism: {get_param: BarbicanPkcs11CryptoEncryptionMechanism}
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_key_type: {get_param: BarbicanPkcs11CryptoHMACKeyType}
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_keygen_mechanism: {get_param: BarbicanPkcs11CryptoHMACKeygenMechanism}
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_aes_gcm_generate_iv: {get_param: BarbicanPkcs11CryptoAESGCMGenerateIV}
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_always_set_cka_sensitive: {get_param: BarbicanPkcs11AlwaysSetCkaSensitive}
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_os_locking_ok: {get_param: BarbicanPkcs11CryptoOsLockingOk}
|
||||
barbican::plugins::p11_crypto::global_default: {get_param: BarbicanPkcs11CryptoGlobalDefault}
|
||||
|
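Review bot: `p11_crypto_plugin_token_label` and `p11_crypto_plugin_token_labels` are both passed to puppet unconditionally, so when an operator has both parameters set (the likely state right after upgrading an existing deployment) the precedence is decided by puppet-barbican and barbican's plugin rather than by this template, and it differs from the explicit `pkcs11_tokens_unset` fallback used for the Luna vars elsewhere in this commit. Mirroring that fallback here keeps one code path deciding which label reaches barbican; it needs a `pkcs11_tokens_unset` entry under this template's `conditions:`, which I cannot see in the hunk. Also, the new `BarbicanPkcs11CryptoOsLockingOk` description says what flag it sets but not when an operator needs it; the only in-tree environment enabling it in this commit is the ATOS one, so a hint such as `Some vendor client libraries (e.g. the ATOS client) require this; leave false unless the vendor documents it.` would help. The `outputs:` mapping containing these lines begins outside the hunk.
```yaml
# … unchanged: preceding barbican::plugins::p11_crypto settings …
barbican::plugins::p11_crypto::p11_crypto_plugin_token_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
barbican::plugins::p11_crypto::p11_crypto_plugin_token_labels:
  if:
    - pkcs11_tokens_unset
    - {get_param: BarbicanPkcs11CryptoTokenLabel}
    - {get_param: BarbicanPkcs11CryptoTokenLabels}
# … unchanged: remaining p11_crypto settings …
```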
@ -5,7 +5,10 @@ parameter_defaults:
|
||||
# provide the appropriate values.
|
||||
#
|
||||
# BarbicanPkcs11CryptoLogin: Password to login to PKCS11 session
|
||||
# BarbicanPkcs11CryptoSlotId: Slot Id for the HSM
|
||||
# BarbicanPkcs11CryptoTokenLabels: The token label for the virtual HSM to be used.
|
||||
# This is typically a single label, but may be more than one if you are using
|
||||
# multiple HSMs in Load Balancing mode, and the HSMs have different labels.
|
||||
# When listing more than one, separate them using a comma (,).
|
||||
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
|
||||
|
||||
BarbicanPkcs11CryptoLibraryPath: '/usr/lib64/libnethsm.so'
|
||||
@ -18,13 +21,19 @@ parameter_defaults:
|
||||
BarbicanPkcs11CryptoATOSEnabled: true
|
||||
BarbicanPkcs11CryptoEnabled: true
|
||||
BarbicanPkcs11AlwaysSetCkaSensitive: false
|
||||
BarbicanPkcs11CryptoOsLockingOk: true
|
||||
|
||||
ATOSVars:
|
||||
atos_client_working_dir: /tmp/atos_client_install
|
||||
# atos_client_iso_location:
|
||||
# atos_client_iso_name:
|
||||
# atos_client_cert_location:
|
||||
# atos_client_key_loaction:
|
||||
# atos_hsm_ip_address:
|
||||
# atos_hsms: # -- A list of HSMs. When more than one HSM is specified,
|
||||
# # they will be configured in Load Balancing mode.
|
||||
# - name: my-hsm-hostanme.example.com
|
||||
# server_cert_location: https://user@PASSWORD:example.com/cert.CRT
|
||||
# ip: 127.0.0.1
|
||||
|
||||
resource_registry:
|
||||
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
|
||||
|
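Review bot: The new `atos_hsms` example shows `server_cert_location: https://user@PASSWORD:example.com/cert.CRT`, which is both malformed as a URL (userinfo is `user:password@host`) and an invitation to embed an HSM-side password in a plain-text Heat environment file that typically lands in a deployment repository. Prefer a credential-free placeholder and say so explicitly: `# server_cert_location: https://hsm.example.com/cert.CRT  # do not embed credentials in this URL`. The example hostname `my-hsm-hostanme.example.com` also has a typo. `atos_client_key_loaction` looks misspelled too, but I cannot tell from the hunk whether it is new or pre-existing; if that spelling is the key the ATOS role actually reads, correcting it here without the role would break consumers, so check the role first.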
@ -7,11 +7,10 @@ parameter_defaults:
|
||||
#
|
||||
# BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS#11 session
|
||||
#
|
||||
# BarbicanPkcs11CryptoTokenLabel: Label for PKCS#11 token to be used.
|
||||
# BarbicanPkcs11CryptoTokenLabels: Label for PKCS#11 token to be used.
|
||||
# For single HSM deployments this value should be the partition label
|
||||
# that will be assigned to the clients.
|
||||
# For HA deployments this value should be the label for the HA group.
|
||||
# BarbicanPkcs11CryptoSlotId: (Optional) Slot Id for PKCS#11 token to be used
|
||||
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
|
||||
#
|
||||
# LunasaClientIPNetwork: (Optional) Network to be used by the controllers
|
||||
|
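Review bot: The comment was renamed to `BarbicanPkcs11CryptoTokenLabels` but its text still describes a single "Label for PKCS#11 token", while the parameter it now documents is defined elsewhere in this commit as a comma separated list; an operator reading only this environment file cannot tell whether listing several Luna partitions is supported. Since the following lines say HA deployments should use the HA group label, make the single-label expectation explicit, e.g. `# For HA deployments supply only the HA group label; do not list the member partitions.` I am inferring from the surrounding comments that the Luna client expects one label, so confirm against the Lunasa client role before wording it as a hard rule.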
@ -6,9 +6,8 @@ parameter_defaults:
|
||||
# provide the appropriate values.
|
||||
#
|
||||
# BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS11 session
|
||||
# BarbicanPkcs11CryptoTokenLabel: Label for PKCS#11 token to be used.
|
||||
# BarbicanPkcs11CryptoTokenLabels: Label for PKCS#11 token to be used.
|
||||
# This is typically the label given to the Operator Card Set (OCS)
|
||||
# BarbicanPkcs11CryptoSlotId (optional): Slot Id for the HSM
|
||||
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
|
||||
|
||||
BarbicanPkcs11CryptoLibraryPath: '/opt/nfast/toolkits/pkcs11/libcknfast.so'
|
||||
|
@ -0,0 +1,9 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
Added new options for deploying Barbican with PKCS#11 backends:
|
||||
`BarbicanPkcs11CryptoTokenLabels` and `BarbicanPkcs11CryptoOsLockingOk`
|
||||
deprecations:
|
||||
- |
|
||||
The `BarbicanPkcs11CryptoTokenLabel` option has been deprecated and
|
||||
replaced with the `BarbicanPkcs11CryptoTokenLabels` option.
|