diff --git a/deployment/barbican/barbican-api-container-puppet.yaml b/deployment/barbican/barbican-api-container-puppet.yaml index e2435eead6..8fecff533c 100644 --- a/deployment/barbican/barbican-api-container-puppet.yaml +++ b/deployment/barbican/barbican-api-container-puppet.yaml @@ -379,9 +379,15 @@ outputs: {%- endfor %} params: $THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName} - thales_hsm_ip_address: {get_param: [ThalesVars, thales_hsm_ip_address]} - thales_hsm_config_location: {get_param: [ThalesVars, thales_hsm_config_location]} thales_rfs_user: {get_param: [ThalesVars, thales_rfs_user]} + nshield_hsms: {get_param: [ThalesVars, nshield_hsms]} + + - name: allow using legacy variables for backwards compatibility + set_fact: + nshield_hsms: + - name: Legacy variables HSM + ip: {get_param: [ThalesVars, thales_hsm_ip_address]} + when: nshield_hsms|length == 0 - name: set playbook vars set_fact: @@ -415,9 +421,8 @@ outputs: vars: thales_configure_rfs: true thales_client_ips: "{{thales_client_ips}}" - thales_hsm_ip_address: "{{thales_hsm_ip_address}}" - thales_hsm_config_location: "{{thales_hsm_config_location}}" thales_bootstrap_client_ip: "{{thales_bootstrap_client_ip}}" + nshield_hsms: "{{nshield_hsms}}" roles: - thales_hsm diff --git a/environments/barbican-backend-pkcs11-thales.yaml b/environments/barbican-backend-pkcs11-thales.yaml index 413816e1bd..60eb0a2db6 100644 --- a/environments/barbican-backend-pkcs11-thales.yaml +++ b/environments/barbican-backend-pkcs11-thales.yaml @@ -6,7 +6,9 @@ parameter_defaults: # provide the appropriate values. # # BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS11 session - # BarbicanPkcs11CryptoSlotId: Slot Id for the HSM + # BarbicanPkcs11CryptoTokenLabel: Label for PKCS#11 token to be used. + # This is typically the label given to the Operator Card Set (OCS) + # BarbicanPkcs11CryptoSlotId (optional): Slot Id for the HSM # BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin BarbicanPkcs11CryptoLibraryPath: '/opt/nfast/toolkits/pkcs11/libcknfast.so' @@ -28,12 +30,26 @@ parameter_defaults: thales_client_gid: 42481 # thales_km_data_location: URL where the RFS kmdata tarball can be downloaded. # thales_km_data_tarball_name: Filename for the kmdata tarball. - # thales_hsm_ip_address: IP address for the HSM - # thales_rfs_server_ip_address: IP address for the RFS Server. + # nshield_hsms: Dictionary including details about relevant HSMs. If more than HSM + # is in the list, the HSMs will be configured in load sharing mode for HA. + # e.g. nshield_hsms: + # - name: hsm 1 + # ip: X.X.X.X + # - name: hsm 2 + # ip: Y.Y.Y.Y # thales_hsm_config_location: The directory where the hsm configuration is stored in # your RFS server. e.g. hsm-XXXX-XXXX-XXXX. + # thales_rfs_server_ip_address: IP address for the RFS Server. # thales_rfs_user: Username used to log into RFS server. # thales_rfs_key: RSA Private key in PEM format used to log into RFS server. + # + # The following parameter are deprecated and can be used to configure connection to a + # single HSM. It is better to use the nshield_hsms parameter above instead: + # thales_hsm_ip_address: IP address for the HSM + # + # This parameter is deprecated and is no longer needed: + # thales_hsm_config_location: The directory where the hsm configuration is stored in + # your RFS server. e.g. hsm-XXXX-XXXX-XXXX. resource_registry: OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml diff --git a/releasenotes/notes/barbican-thales-ha-581fbe9b5ef4dc87.yaml b/releasenotes/notes/barbican-thales-ha-581fbe9b5ef4dc87.yaml new file mode 100644 index 0000000000..5eba8f94f6 --- /dev/null +++ b/releasenotes/notes/barbican-thales-ha-581fbe9b5ef4dc87.yaml @@ -0,0 +1,11 @@ +--- +features: + - The logic to configure the connection from barbican to nShield HSMs has + been augmented to parse a nshield_hsms parameter, which allows the + specification of multiple HSMs. The underlying ansible role + (ansible-role-thales-hsm) will configure the HSMs in load sharing mode + to provide HA. +deprecations: + - Some parameters within ThalesVars have been deprecated. These are - + thales_hsm_ip_address and thales_hsm_config_location. See + environments/barbican-backend-pkcs11-thales.yaml for details.