diff --git a/deployment/barbican/barbican-api-container-puppet.yaml b/deployment/barbican/barbican-api-container-puppet.yaml index e6f03370f2..508357f6fb 100644 --- a/deployment/barbican/barbican-api-container-puppet.yaml +++ b/deployment/barbican/barbican-api-container-puppet.yaml @@ -87,6 +87,10 @@ parameters: description: Cryptoki Mechanism used to generate Master HMAC Key type: string default: 'CKM_AES_KEY_GEN' + BarbicanPkcs11CryptoRewrapKeys: + description: Cryptoki Mechanism used to generate Master HMAC Key + type: boolean + default: false ThalesHSMNetworkName: description: The network that the HSM is listening on. type: string @@ -154,6 +158,12 @@ parameters: Messaging client subscriber parameter to specify an SSL connection to the messaging host. type: string + DeployIdentifier: + default: '' + type: string + description: > + Setting this to a unique value will re-run any deployment tasks which + perform configuration on a Heat stack-update. conditions: service_debug_unset: {equals : [{get_param: BarbicanDebug}, '']} @@ -165,6 +175,7 @@ conditions: - thales_hsm_enabled - atos_hsm_enabled pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]} + pkcs11_rewrap_pkeks: {equals: [{get_param: BarbicanPkcs11CryptoRewrapKeys}, true]} resources: @@ -486,6 +497,13 @@ outputs: - /etc/proteccio:/etc/proteccio - /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so - null + environment: + # NOTE: this should force this container to re-run on each + # update (scale-out, etc.) + - list_join: + - '' + - - 'TRIPLEO_DEPLOY_IDENTIFIER=' + - {get_param: DeployIdentifier} command: list_join: - ' ' @@ -520,6 +538,13 @@ outputs: detach: false user: root volumes: *barbican_api_volumes + environment: + # NOTE: this should force this container to re-run on each + # update (scale-out, etc.) + - list_join: + - '' + - - 'TRIPLEO_DEPLOY_IDENTIFIER=' + - {get_param: DeployIdentifier} command: list_join: - ' ' 
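Review bot: The description on the new `BarbicanPkcs11CryptoRewrapKeys` parameter is copied verbatim from the HMAC-mechanism parameter directly above it ("Cryptoki Mechanism used to generate Master HMAC Key"), which is wrong for a boolean and will surface in the rendered parameter docs. Going by the release note and the `hsm rewrap_pkek` command added later in the patch, something like `description: When true, run 'barbican-manage hsm rewrap_pkek' at deploy/update to rewrap project KEKs with the current master KEK and HMAC keys (set this after rotating the master keys with the PKCS#11 plugin).` fits. Because the `TRIPLEO_DEPLOY_IDENTIFIER` environment entry makes that container re-run on every stack update, the description should also say whether the flag is meant to be enabled only for the rotation update and turned off afterwards — the patch does not state this, so it is an assumption to confirm.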
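Review bot: The `TRIPLEO_DEPLOY_IDENTIFIER` environment entry added after the `/etc/proteccio` / `libnethsm.so` volumes forces this container to re-run on every stack update, but its `command` list continues outside the hunk, so I cannot confirm it checks for existing master keys before doing anything. If this is the container that generates the master KEK/HMAC keys, an unconditional `gen_mkek`/`gen_hmac` re-run would create new master keys on each update and orphan the project KEKs wrapped under the old ones; if the command already guards on the key labels, a comment beside the environment entry such as `# NOTE: safe to re-run: the command checks for existing key labels before generating` would make that guarantee explicit. Either way the idempotence expectation should be stated, since the environment entry is what introduces the re-run.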
@@ -552,27 +577,41 @@ outputs: - if: - thales_hsm_enabled - barbican_api_update_rfs_server_with_mkek_and_hmac_keys: - start_order: 0 + start_order: 1 image: *barbican_api_image net: host detach: false user: root volumes: *barbican_api_volumes + environment: + # NOTE: this should force this container to re-run on each + # update (scale-out, etc.) + - list_join: + - '' + - - 'TRIPLEO_DEPLOY_IDENTIFIER=' + - {get_param: DeployIdentifier} command: "/usr/bin/bootstrap_host_exec barbican_api /opt/nfast/bin/rfs-sync --commit" - {} - if: - thales_hsm_enabled - barbican_api_get_mkek_and_hmac_keys_from_rfs: - start_order: 0 + start_order: 2 image: *barbican_api_image net: host detach: false user: root volumes: *barbican_api_volumes + environment: + # NOTE: this should force this container to re-run on each + # update (scale-out, etc.) + - list_join: + - '' + - - 'TRIPLEO_DEPLOY_IDENTIFIER=' + - {get_param: DeployIdentifier} command: "/opt/nfast/bin/rfs-sync --update" - {} - barbican_api_db_sync: - start_order: 0 + start_order: 3 image: *barbican_api_image net: host detach: false @@ -589,7 +628,7 @@ outputs: - "db upgrade" - "'" - barbican_api_secret_store_sync: - start_order: 1 + start_order: 4 image: *barbican_api_image net: host detach: false 
@@ -605,6 +644,30 @@ outputs: - {get_attr: [BarbicanApiLogging, cmd_extra_args]} - "db sync_secret_stores --verbose" - "'" + - if: + - pkcs11_rewrap_pkeks + - barbican_api_rewrap_pkeks: + start_order: 4 + image: *barbican_api_image + net: host + detach: false + user: root + volumes: *barbican_api_volumes + environment: + # NOTE: this should force this container to re-run on each + # update (scale-out, etc.) + - list_join: + - '' + - - 'TRIPLEO_DEPLOY_IDENTIFIER=' + - {get_param: DeployIdentifier} + command: + list_join: + - ' ' + - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage" + - {get_attr: [BarbicanApiLogging, cmd_extra_args]} + - "hsm rewrap_pkek" + - "'" + - {} - barbican_api: # NOTE(alee): Barbican should start after keystone processes start_order: 5 diff --git a/releasenotes/notes/add-kek-rewrap-to-barbican-ef930dda85fe1e1d.yaml b/releasenotes/notes/add-kek-rewrap-to-barbican-ef930dda85fe1e1d.yaml new file mode 100644 index 0000000000..abc5052c41 --- /dev/null +++ b/releasenotes/notes/add-kek-rewrap-to-barbican-ef930dda85fe1e1d.yaml @@ -0,0 +1,7 @@ +--- +features: + - Added ability to rewrap project KEKs (key encryption keys) when doing an + upgrade. This allows deployers to rewrap KEKs whenever they rotate the + master KEK and HMAC keys when using the PKCS#11 plugin behind Barbican. + - Also added some needed ordering for master key creation, sync and update + when using a Thales HSM behind Barbican.
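Review bot: `barbican_api_rewrap_pkeks` is given `start_order: 4`, the same value the preceding hunk assigns to `barbican_api_secret_store_sync`; as far as I know paunch orders containers only by `start_order`, so the relative order of these two is unspecified even though the release note presents ordering as the point of the change. If the rewrap only depends on `db upgrade` (start_order 3) having run, a comment such as `# NOTE: independent of secret_store_sync; only requires 'db upgrade' (start_order 3)` makes the tie deliberate; if it must follow the secret-store sync, it needs a distinct value (the `barbican_api` container at 5 would then have to move as well). The DEPLOY_IDENTIFIER entry also means the rewrap re-runs on every update while `BarbicanPkcs11CryptoRewrapKeys` is true, which is worth a comment so deployers know to unset the flag after a rotation — assuming a one-shot rewrap is the intended workflow.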