Merge "Add kek_rewrap functionality to Barbican"
This commit is contained in:
Zuul
Gerrit Code Review
commit
db7ed1646e
|
|
@ -87,6 +87,10 @@ parameters:
|
|||
description: Cryptoki Mechanism used to generate Master HMAC Key
|
||||
type: string
|
||||
default: 'CKM_AES_KEY_GEN'
|
||||
BarbicanPkcs11CryptoRewrapKeys:
|
||||
description: Cryptoki Mechanism used to generate Master HMAC Key
|
||||
type: boolean
|
||||
default: false
|
||||
ThalesHSMNetworkName:
|
||||
description: The network that the HSM is listening on.
|
||||
type: string
|
||||
|
|
@ -154,6 +158,12 @@ parameters:
|
|||
Messaging client subscriber parameter to specify
|
||||
an SSL connection to the messaging host.
|
||||
type: string
|
||||
DeployIdentifier:
|
||||
default: ''
|
||||
type: string
|
||||
description: >
|
||||
Setting this to a unique value will re-run any deployment tasks which
|
||||
perform configuration on a Heat stack-update.
|
||||
|
||||
conditions:
|
||||
service_debug_unset: {equals : [{get_param: BarbicanDebug}, '']}
|
||||
|
|
@ -165,6 +175,7 @@ conditions:
|
|||
- thales_hsm_enabled
|
||||
- atos_hsm_enabled
|
||||
pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]}
|
||||
pkcs11_rewrap_pkeks: {equals: [{get_param: BarbicanPkcs11CryptoRewrapKeys}, true]}
|
||||
|
||||
resources:
|
||||
|
||||
|
|
@ -486,6 +497,13 @@ outputs:
|
|||
- /etc/proteccio:/etc/proteccio
|
||||
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
|
||||
- null
|
||||
environment:
|
||||
# NOTE: this should force this container to re-run on each
|
||||
# update (scale-out, etc.)
|
||||
- list_join:
|
||||
- ''
|
||||
- - 'TRIPLEO_DEPLOY_IDENTIFIER='
|
||||
- {get_param: DeployIdentifier}
|
||||
command:
|
||||
list_join:
|
||||
- ' '
|
||||
|
|
@ -520,6 +538,13 @@ outputs:
|
|||
detach: false
|
||||
user: root
|
||||
volumes: *barbican_api_volumes
|
||||
environment:
|
||||
# NOTE: this should force this container to re-run on each
|
||||
# update (scale-out, etc.)
|
||||
- list_join:
|
||||
- ''
|
||||
- - 'TRIPLEO_DEPLOY_IDENTIFIER='
|
||||
- {get_param: DeployIdentifier}
|
||||
command:
|
||||
list_join:
|
||||
- ' '
|
||||
|
|
@ -552,27 +577,41 @@ outputs:
|
|||
- if:
|
||||
- thales_hsm_enabled
|
||||
- barbican_api_update_rfs_server_with_mkek_and_hmac_keys:
|
||||
start_order: 0
|
||||
start_order: 1
|
||||
image: *barbican_api_image
|
||||
net: host
|
||||
detach: false
|
||||
user: root
|
||||
volumes: *barbican_api_volumes
|
||||
environment:
|
||||
# NOTE: this should force this container to re-run on each
|
||||
# update (scale-out, etc.)
|
||||
- list_join:
|
||||
- ''
|
||||
- - 'TRIPLEO_DEPLOY_IDENTIFIER='
|
||||
- {get_param: DeployIdentifier}
|
||||
command: "/usr/bin/bootstrap_host_exec barbican_api /opt/nfast/bin/rfs-sync --commit"
|
||||
- {}
|
||||
- if:
|
||||
- thales_hsm_enabled
|
||||
- barbican_api_get_mkek_and_hmac_keys_from_rfs:
|
||||
start_order: 0
|
||||
start_order: 2
|
||||
image: *barbican_api_image
|
||||
net: host
|
||||
detach: false
|
||||
user: root
|
||||
volumes: *barbican_api_volumes
|
||||
environment:
|
||||
# NOTE: this should force this container to re-run on each
|
||||
# update (scale-out, etc.)
|
||||
- list_join:
|
||||
- ''
|
||||
- - 'TRIPLEO_DEPLOY_IDENTIFIER='
|
||||
- {get_param: DeployIdentifier}
|
||||
command: "/opt/nfast/bin/rfs-sync --update"
|
||||
- {}
|
||||
- barbican_api_db_sync:
|
||||
start_order: 0
|
||||
start_order: 3
|
||||
image: *barbican_api_image
|
||||
net: host
|
||||
detach: false
|
||||
|
|
@ -589,7 +628,7 @@ outputs:
|
|||
- "db upgrade"
|
||||
- "'"
|
||||
- barbican_api_secret_store_sync:
|
||||
start_order: 1
|
||||
start_order: 4
|
||||
image: *barbican_api_image
|
||||
net: host
|
||||
detach: false
|
||||
|
|
@ -605,6 +644,30 @@ outputs:
|
|||
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
||||
- "db sync_secret_stores --verbose"
|
||||
- "'"
|
||||
- if:
|
||||
- pkcs11_rewrap_pkeks
|
||||
- barbican_api_rewrap_pkeks:
|
||||
start_order: 4
|
||||
image: *barbican_api_image
|
||||
net: host
|
||||
detach: false
|
||||
user: root
|
||||
volumes: *barbican_api_volumes
|
||||
environment:
|
||||
# NOTE: this should force this container to re-run on each
|
||||
# update (scale-out, etc.)
|
||||
- list_join:
|
||||
- ''
|
||||
- - 'TRIPLEO_DEPLOY_IDENTIFIER='
|
||||
- {get_param: DeployIdentifier}
|
||||
command:
|
||||
list_join:
|
||||
- ' '
|
||||
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
||||
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
||||
- "hsm rewrap_pkek"
|
||||
- "'"
|
||||
- {}
|
||||
- barbican_api:
|
||||
# NOTE(alee): Barbican should start after keystone processes
|
||||
start_order: 5
|
||||
|
|
|
|||
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
features:
|
||||
- Added ability to rewrap project KEKs (key encryption keys) when doing an
|
||||
upgrade. This allows deployers to rewrap KEKs whenever they rotate the
|
||||
master KEK and HMAC keys when using the PKCS#11 plugin behind Barbican.
|
||||
- Also added some needed ordering for master key creation, sync and update
|
||||
when using a Thales HSM behind Barbican.
|
||||
Loading…
Reference in New Issue