openstack/tripleo-heat-templates
Code Issues Proposed changes

Add kek_rewrap functionality to Barbican

Browse Source 
Add the ability to rewrap keks when the master key is updated
by simply doing an update.  Also, provide some needed ordering
in the steps involving MKEK and HMAC creation, sync and update.

Change-Id: I5e5a099173e82c04f4e0157049df08c8c7c47045
This commit is contained in:
Ade Lee
2019-03-05 16:34:41 +00:00
parent 17d1ed8d56
commit 80e2dad367
2 changed files with 74 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

71
deployment/barbican/barbican-api-container-puppet.yaml
View File

@@ -87,6 +87,10 @@ parameters:
description: Cryptoki Mechanism used to generate Master HMAC Key
type: string
default: 'CKM_AES_KEY_GEN'
BarbicanPkcs11CryptoRewrapKeys:
description: Cryptoki Mechanism used to generate Master HMAC Key
type: boolean
default: false
ThalesHSMNetworkName:
description: The network that the HSM is listening on.
type: string
@@ -154,6 +158,12 @@ parameters:
Messaging client subscriber parameter to specify
an SSL connection to the messaging host.
type: string
DeployIdentifier:
default: ''
type: string
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
conditions:
service_debug_unset: {equals : [{get_param: BarbicanDebug}, '']}
@@ -165,6 +175,7 @@ conditions:
- thales_hsm_enabled
- atos_hsm_enabled
pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]}
pkcs11_rewrap_pkeks: {equals: [{get_param: BarbicanPkcs11CryptoRewrapKeys}, true]}
resources:
@@ -486,6 +497,13 @@ outputs:
- /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
- null
environment:
# NOTE: this should force this container to re-run on each
# update (scale-out, etc.)
- list_join:
- ''
- - 'TRIPLEO_DEPLOY_IDENTIFIER='
- {get_param: DeployIdentifier}
command:
list_join:
- ' '
@@ -520,6 +538,13 @@ outputs:
detach: false
user: root
volumes: *barbican_api_volumes
environment:
# NOTE: this should force this container to re-run on each
# update (scale-out, etc.)
- list_join:
- ''
- - 'TRIPLEO_DEPLOY_IDENTIFIER='
- {get_param: DeployIdentifier}
command:
list_join:
- ' '
@@ -552,27 +577,41 @@ outputs:
- if:
- thales_hsm_enabled
- barbican_api_update_rfs_server_with_mkek_and_hmac_keys:
start_order: 0
start_order: 1
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
environment:
# NOTE: this should force this container to re-run on each
# update (scale-out, etc.)
- list_join:
- ''
- - 'TRIPLEO_DEPLOY_IDENTIFIER='
- {get_param: DeployIdentifier}
command: "/usr/bin/bootstrap_host_exec barbican_api /opt/nfast/bin/rfs-sync --commit"
- {}
- if:
- thales_hsm_enabled
- barbican_api_get_mkek_and_hmac_keys_from_rfs:
start_order: 0
start_order: 2
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
environment:
# NOTE: this should force this container to re-run on each
# update (scale-out, etc.)
- list_join:
- ''
- - 'TRIPLEO_DEPLOY_IDENTIFIER='
- {get_param: DeployIdentifier}
command: "/opt/nfast/bin/rfs-sync --update"
- {}
- barbican_api_db_sync:
start_order: 0
start_order: 3
image: *barbican_api_image
net: host
detach: false
@@ -589,7 +628,7 @@ outputs:
- "db upgrade"
- "'"
- barbican_api_secret_store_sync:
start_order: 1
start_order: 4
image: *barbican_api_image
net: host
detach: false
@@ -605,6 +644,30 @@ outputs:
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "db sync_secret_stores --verbose"
- "'"
- if:
- pkcs11_rewrap_pkeks
- barbican_api_rewrap_pkeks:
start_order: 4
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
environment:
# NOTE: this should force this container to re-run on each
# update (scale-out, etc.)
- list_join:
- ''
- - 'TRIPLEO_DEPLOY_IDENTIFIER='
- {get_param: DeployIdentifier}
command:
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "hsm rewrap_pkek"
- "'"
- {}
- barbican_api:
# NOTE(alee): Barbican should start after keystone processes
start_order: 5