Merge "Identify HSMs using labels instead of Slot ID"
This commit is contained in:
Zuul
Gerrit Code Review
commit
d2f4983ced
|
|
@ -67,7 +67,7 @@ parameters:
|
|||
type: string
|
||||
default: ''
|
||||
BarbicanPkcs11CryptoLogin:
|
||||
description: Password to login to PKCS11 session
|
||||
description: Password (PIN) to login to PKCS#11 session
|
||||
type: string
|
||||
hidden: true
|
||||
default: ''
|
||||
|
|
@ -80,9 +80,17 @@ parameters:
|
|||
type: string
|
||||
default: ''
|
||||
BarbicanPkcs11CryptoSlotId:
|
||||
description: Slot Id for the HSM
|
||||
description: Slot Id for the PKCS#11 token to be used
|
||||
type: string
|
||||
default: '0'
|
||||
BarbicanPkcs11CryptoTokenSerialNumber:
|
||||
description: Serial number for PKCS#11 token to be used
|
||||
type: string
|
||||
default: ''
|
||||
BarbicanPkcs11CryptoTokenLabel:
|
||||
description: Label for PKCS#11 token to be used
|
||||
type: string
|
||||
default: ''
|
||||
BarbicanPkcs11CryptoHMACKeyType:
|
||||
description: Cryptoki Key Type for Master HMAC key
|
||||
type: string
|
||||
|
|
@ -168,7 +176,7 @@ conditions:
|
|||
thales_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoThalesEnabled}, true]}
|
||||
atos_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoATOSEnabled}, true]}
|
||||
lunasa_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoLunasaEnabled}, true]}
|
||||
thales_or_atos_or_lunasa_hsm_enabled:
|
||||
hsm_enabled:
|
||||
or:
|
||||
- thales_hsm_enabled
|
||||
- atos_hsm_enabled
|
||||
|
|
@ -427,7 +435,7 @@ outputs:
|
|||
- null
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- thales_or_atos_or_lunasa_hsm_enabled
|
||||
- hsm_enabled
|
||||
- list_concat:
|
||||
-
|
||||
if:
|
||||
|
|
@ -478,24 +486,17 @@ outputs:
|
|||
- map_merge:
|
||||
- {get_param: LunasaVars}
|
||||
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
|
||||
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
|
||||
- map_merge:
|
||||
- {get_param: LunasaVars}
|
||||
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
|
||||
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
|
||||
- lunasa_client_ip:
|
||||
str_replace:
|
||||
template:
|
||||
"{{$NETWORK_ip}}"
|
||||
params:
|
||||
$NETWORK: {get_param: LunasaClientIPNetwork}
|
||||
|
||||
- name: set the slot id in hieradata
|
||||
include_role:
|
||||
name: tripleo_hieradata
|
||||
tasks_from: ansible_hieradata.yml
|
||||
vars:
|
||||
hieradata_ansible_data:
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: "{{ lunasa_ha_slot }}"
|
||||
when: lunasa_ha_slot is defined
|
||||
- null
|
||||
- null
|
||||
docker_config:
|
||||
|
|
@ -562,23 +563,11 @@ outputs:
|
|||
- ' '
|
||||
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
||||
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
||||
- "hsm check_mkek --library-path"
|
||||
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
|
||||
- "--slot-id"
|
||||
- {get_param: [BarbicanPkcs11CryptoSlotId]}
|
||||
- "--passphrase"
|
||||
- {get_param: [BarbicanPkcs11CryptoLogin]}
|
||||
- "--label"
|
||||
- "hsm check_mkek --label"
|
||||
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
|
||||
- "|| /usr/bin/barbican-manage"
|
||||
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
||||
- "hsm gen_mkek --library-path"
|
||||
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
|
||||
- "--slot-id"
|
||||
- {get_param: [BarbicanPkcs11CryptoSlotId]}
|
||||
- "--passphrase"
|
||||
- {get_param: [BarbicanPkcs11CryptoLogin]}
|
||||
- "--label"
|
||||
- "hsm gen_mkek --label"
|
||||
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
|
||||
- "'"
|
||||
- {}
|
||||
|
|
@ -600,28 +589,10 @@ outputs:
|
|||
- ' '
|
||||
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
||||
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
||||
- "hsm check_hmac --library-path"
|
||||
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
|
||||
- "--slot-id"
|
||||
- {get_param: [BarbicanPkcs11CryptoSlotId]}
|
||||
- "--passphrase"
|
||||
- {get_param: [BarbicanPkcs11CryptoLogin]}
|
||||
- "--label"
|
||||
- "hsm check_hmac --label"
|
||||
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
|
||||
- "--key-type"
|
||||
- {get_param: [BarbicanPkcs11CryptoHMACKeyType]}
|
||||
- "|| /usr/bin/barbican-manage hsm gen_hmac --library-path"
|
||||
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
|
||||
- "--slot-id"
|
||||
- {get_param: [BarbicanPkcs11CryptoSlotId]}
|
||||
- "--passphrase"
|
||||
- {get_param: [BarbicanPkcs11CryptoLogin]}
|
||||
- "--label"
|
||||
- "|| /usr/bin/barbican-manage hsm gen_hmac --label"
|
||||
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
|
||||
- "--key-type"
|
||||
- {get_param: [BarbicanPkcs11CryptoHMACKeyType]}
|
||||
- "--mechanism"
|
||||
- {get_param: [BarbicanPkcs11CryptoHMACKeygenMechanism]}
|
||||
- "'"
|
||||
- {}
|
||||
- if:
|
||||
|
|
|
|||
|
|
@ -36,7 +36,7 @@ parameters:
|
|||
type: string
|
||||
default: ''
|
||||
BarbicanPkcs11CryptoLogin:
|
||||
description: Password to login to PKCS11 session
|
||||
description: Password (PIN) to login to PKCS#11 session
|
||||
type: string
|
||||
hidden: true
|
||||
default: ''
|
||||
|
|
@ -53,9 +53,17 @@ parameters:
|
|||
type: string
|
||||
default: ''
|
||||
BarbicanPkcs11CryptoSlotId:
|
||||
description: Slot Id for the HSM
|
||||
description: Slot Id for the PKCS#11 token to be used
|
||||
type: string
|
||||
default: '0'
|
||||
BarbicanPkcs11CryptoTokenSerialNumber:
|
||||
description: Serial number for PKCS#11 token to be used
|
||||
type: string
|
||||
default: ''
|
||||
BarbicanPkcs11CryptoTokenLabel:
|
||||
description: Label for PKCS#11 token to be used
|
||||
type: string
|
||||
default: ''
|
||||
BarbicanPkcs11CryptoEncryptionMechanism:
|
||||
description: Cryptoki Mechanism used for encryption
|
||||
type: string
|
||||
|
|
@ -93,6 +101,8 @@ outputs:
|
|||
barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_length: {get_param: BarbicanPkcs11CryptoMKEKLength}
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_label: {get_param: BarbicanPkcs11CryptoHMACLabel}
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId}
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_token_serial_number: {get_param: BarbicanPkcs11CryptoTokenSerialNumber}
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_token_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_encryption_mechanism: {get_param: BarbicanPkcs11CryptoEncryptionMechanism}
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_key_type: {get_param: BarbicanPkcs11CryptoHMACKeyType}
|
||||
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_keygen_mechanism: {get_param: BarbicanPkcs11CryptoHMACKeygenMechanism}
|
||||
|
|
|
|||
|
|
@ -1,15 +1,17 @@
|
|||
# A Heat environment file to enable the barbican PKCS11 crypto backend with
|
||||
# a Lunasa HSM.
|
||||
# Note that barbican needs to be enabled in order to use this.
|
||||
# A Heat environment file to enable the barbican PKCS#11 crypto backend using
|
||||
# one or more Thales Luna Network HSMs.
|
||||
# Note that Barbican needs to be enabled in order to use this.
|
||||
parameter_defaults:
|
||||
# In order to use this backend, you need to uncomment these values and
|
||||
# provide the appropriate values.
|
||||
#
|
||||
# BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS11 session
|
||||
# BarbicanPkcs11CryptoSlotId: Slot Id for the HSM. Note that this parameter is only
|
||||
# strictly required when setting up the Lunasa client in non-HA mode. In HA
|
||||
# mode, whatever value is placed here will be overridden by the dynamically generated
|
||||
# slot for the HA group created on the client.
|
||||
# BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS#11 session
|
||||
#
|
||||
# BarbicanPkcs11CryptoTokenLabel: Label for PKCS#11 token to be used.
|
||||
# For single HSM deployments this value should be the partition label
|
||||
# that will be assigned to the clients.
|
||||
# For HA deployments this value should be the label for the HA group.
|
||||
# BarbicanPkcs11CryptoSlotId: (Optional) Slot Id for PKCS#11 token to be used
|
||||
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
|
||||
#
|
||||
# LunasaClientIPNetwork: (Optional) Network to be used by the controllers
|
||||
|
|
@ -36,13 +38,13 @@ parameter_defaults:
|
|||
# lunasa_client_rotate_cert: (Optional) Set to true to generate a new
|
||||
# client certificate and re-register clients during deployment.
|
||||
# lunasa_hsms: A list of HSMs. When more than one HSM is specified, they
|
||||
# will be configured as an HA pool. Each entry should specify the
|
||||
# will be configured as an HA group. Each entry should specify the
|
||||
# following:
|
||||
# - hostname: Hostname for the HSM
|
||||
# admin_password: admin password for the HSM, used to add a new client.
|
||||
# admin_password: admin password for the HSM, used to add a new client
|
||||
# for each controller node.
|
||||
# partition: HSM partition to be assigned to the clients.
|
||||
# partition_serial: serial number for the partition.
|
||||
# lunasa_ha_label: HA group label Required only for HA mode.
|
||||
|
||||
resource_registry:
|
||||
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
|
||||
|
|
|
|||
Loading…
Reference in New Issue