Add new Luna HSM parameter for Barbican
This patch adds a new parameter for deploying Barbican with
a Thales Luna Network HSM (LunasaClientIPNetwork).
LunasaClientIPNetwork can be used to register controller nodes
with the HSM using the controller's IP address on the given
network instead of its fqdn.
Co-Authored-By: Ade Lee <alee@redhat.com>
Depends-On: If0eb393ca970206cc95c7453641f33781eb698b2
Change-Id: I02d577939b0002b0e605ac0cbbda54e05e0b206f
(cherry picked from commit ead85251e9)
This commit is contained in:
parent
8f2a74eee6
commit
3dd00efb87
|
@ -109,6 +109,12 @@ parameters:
|
||||||
description: Hash of lunasa-hsm role variables used to
|
description: Hash of lunasa-hsm role variables used to
|
||||||
install Lunasa client software.
|
install Lunasa client software.
|
||||||
type: json
|
type: json
|
||||||
|
LunasaClientIPNetwork:
|
||||||
|
description: >
|
||||||
|
(Optional) When set Barbican nodes will be registered with
|
||||||
|
the HSMs using the IP from this network instead of the FQDN.
|
||||||
|
type: string
|
||||||
|
default: ''
|
||||||
BarbicanPassword:
|
BarbicanPassword:
|
||||||
description: The password for the barbican service account.
|
description: The password for the barbican service account.
|
||||||
type: string
|
type: string
|
||||||
|
@ -164,6 +170,9 @@ conditions:
|
||||||
- lunasa_hsm_enabled
|
- lunasa_hsm_enabled
|
||||||
pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]}
|
pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]}
|
||||||
pkcs11_rewrap_pkeks: {equals: [{get_param: BarbicanPkcs11CryptoRewrapKeys}, true]}
|
pkcs11_rewrap_pkeks: {equals: [{get_param: BarbicanPkcs11CryptoRewrapKeys}, true]}
|
||||||
|
# Luna Clients use FQDN by default. When LunasaClientIPNetwork is set we
|
||||||
|
# will use the Controller's IP address from that network instead.
|
||||||
|
lunasa_hsm_use_fqdn: {equals: [{get_param: LunasaClientIPNetwork}, '']}
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
|
|
||||||
|
@ -461,7 +470,21 @@ outputs:
|
||||||
include_role:
|
include_role:
|
||||||
name: lunasa_hsm
|
name: lunasa_hsm
|
||||||
vars:
|
vars:
|
||||||
{get_param: LunasaVars}
|
if:
|
||||||
|
- lunasa_hsm_use_fqdn
|
||||||
|
- map_merge:
|
||||||
|
- {get_param: LunasaVars}
|
||||||
|
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
|
||||||
|
- map_merge:
|
||||||
|
- {get_param: LunasaVars}
|
||||||
|
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
|
||||||
|
- lunasa_client_ip:
|
||||||
|
str_replace:
|
||||||
|
template:
|
||||||
|
"{{$NETWORK_ip}}"
|
||||||
|
params:
|
||||||
|
$NETWORK: {get_param: LunasaClientIPNetwork}
|
||||||
|
|
||||||
- name: set the slot id in hieradata
|
- name: set the slot id in hieradata
|
||||||
include_role:
|
include_role:
|
||||||
name: tripleo_hieradata
|
name: tripleo_hieradata
|
||||||
|
@ -469,7 +492,7 @@ outputs:
|
||||||
vars:
|
vars:
|
||||||
hieradata_ansible_data:
|
hieradata_ansible_data:
|
||||||
barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: "{{ lunasa_ha_slot }}"
|
barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: "{{ lunasa_ha_slot }}"
|
||||||
when: lunasa_ha_slot
|
when: lunasa_ha_slot is defined
|
||||||
- null
|
- null
|
||||||
- null
|
- null
|
||||||
docker_config:
|
docker_config:
|
||||||
|
|
|
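Review bot: In the third hunk the value of LunasaClientIPNetwork is spliced verbatim into the Jinja expression `"{{$NETWORK_ip}}"`, so anything other than a bare network identifier (a typo, surrounding whitespace, or text containing `}}`) is only caught — or is evaluated as Jinja — once Ansible runs, well after heat has accepted the stack. The new parameter in the first hunk has no `constraints`, so an `allowed_pattern` that keeps it a plain identifier would reject such values at validation time, e.g. `constraints:` / `  - allowed_pattern: '^[A-Za-z0-9_]*$'` (an empty match keeps the `''` default valid; the exact character set should follow how the `<network>_ip` facts are named, which is not visible here). The description would also benefit from saying the value is the network's name as used by those facts rather than a CIDR, since the `IPNetwork` suffix suggests otherwise. Separately, `description: >` keeps a trailing newline in the rendered text; `>-` is the usual choice for a parameter description.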
@ -11,6 +11,12 @@ parameter_defaults:
|
||||||
# mode, whatever value is placed here will be overridden by the dynamically generated
|
# mode, whatever value is placed here will be overridden by the dynamically generated
|
||||||
# slot for the HA group created on the client.
|
# slot for the HA group created on the client.
|
||||||
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
|
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
|
||||||
|
#
|
||||||
|
# LunasaClientIPNetwork: (Optional) Network to be used by the controllers
|
||||||
|
# to connect to the HSM. By default this option is empty ('') and the
|
||||||
|
# controllers are registered on the HSM using the controller's FQDN.
|
||||||
|
# When this option is set, the controllers will be registered using the
|
||||||
|
# controller's IP on this network instead.
|
||||||
|
|
||||||
BarbicanPkcs11CryptoLibraryPath: '/usr/lib/libCryptoki2_64.so'
|
BarbicanPkcs11CryptoLibraryPath: '/usr/lib/libCryptoki2_64.so'
|
||||||
BarbicanPkcs11CryptoEncryptionMechanism: 'CKM_AES_CBC'
|
BarbicanPkcs11CryptoEncryptionMechanism: 'CKM_AES_CBC'
|
||||||
|
@ -22,20 +28,21 @@ parameter_defaults:
|
||||||
BarbicanPkcs11CryptoLunasaEnabled: true
|
BarbicanPkcs11CryptoLunasaEnabled: true
|
||||||
BarbicanPkcs11CryptoEnabled: true
|
BarbicanPkcs11CryptoEnabled: true
|
||||||
BarbicanPkcs11AlwaysSetCkaSensitive: true
|
BarbicanPkcs11AlwaysSetCkaSensitive: true
|
||||||
|
|
||||||
LunasaVars:
|
LunasaVars:
|
||||||
# lunasa_client_tarball_location: URI where the CipherTools tarball can be downloaded.
|
# lunasa_client_tarball_location: URI where the CipherTools tarball can be downloaded.
|
||||||
# lunasa_client_tarball_name: Filename for the CipherTools tarball.
|
# lunasa_client_tarball_name: Filename for the CipherTools tarball.
|
||||||
# lunasa_client_installer_path: path to install.sh in the tarball.
|
# lunasa_client_installer_path: path to install.sh in the tarball.
|
||||||
# lunasa_hsms: A list of HSMs with the following format:
|
# lunasa_client_rotate_cert: (Optional) Set to true to generate a new
|
||||||
# lunasa_hsms:
|
# client certificate and re-register clients during deployment.
|
||||||
# - name: Name of the HSM
|
# lunasa_hsms: A list of HSMs. When more than one HSM is specified, they
|
||||||
# hostname: Hostname for the HSM
|
# will be configured as an HA pool. Each entry should specify the
|
||||||
# admin_password: admin password for the HSM
|
# following:
|
||||||
# partition: HSM partition for this client to be assigned
|
# - hostname: Hostname for the HSM
|
||||||
# partition_serial: serial number for the partition
|
# admin_password: admin password for the HSM, used to add a new client.
|
||||||
# client_ip: IP for the client - TODO: figure out how to pass this correctly
|
# partition: HSM partition to be assigned to the clients.
|
||||||
# lunasa_ha_label: HA group label Required only for HA mode. This will trigger the
|
# partition_serial: serial number for the partition.
|
||||||
# installer to create an HA group comprising of the HSMs in lunasa_hsms.
|
# lunasa_ha_label: HA group label Required only for HA mode.
|
||||||
# lunasa_partition_password: PKCS#11 password for the partitition
|
|
||||||
resource_registry:
|
resource_registry:
|
||||||
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
|
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
|
||||||
|
|
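Review bot: The rewritten `lunasa_hsms` comment in the second hunk says that more than one HSM is configured as an HA pool, but `lunasa_ha_label` a few lines below still reads "Required only for HA mode", leaving a reader unsure whether the label is mandatory whenever two HSMs are listed; the two sentences should be reconciled, and `HA group label Required` needs a full stop between the clauses. `admin_password` is now documented as the credential used to add clients to the HSM, so a line such as `# NOTE: admin_password is a privileged HSM credential; keep it out of version control by supplying LunasaVars from a separate, protected environment file.` would help operators who copy this sample. The removed `lunasa_partition_password` entry is not replaced by any mention of how the partition PIN is now supplied; if it is the `lunasa_client_pin` set from BarbicanPkcs11CryptoLogin in the template, saying so here keeps the sample consistent with the role variables it documents.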