Merge "Add template code to configure hsm backends for barbican"
This commit is contained in:
commit
df10ea7afa
docker/services
environments
puppet/services
releasenotes/notes
@ -49,10 +49,76 @@ parameters:
|
|||||||
default: false
|
default: false
|
||||||
description: Remove package if the service is being disabled during upgrade
|
description: Remove package if the service is being disabled during upgrade
|
||||||
type: boolean
|
type: boolean
|
||||||
|
BarbicanPkcs11CryptoATOSEnabled:
|
||||||
|
type: boolean
|
||||||
|
default: false
|
||||||
|
BarbicanPkcs11CryptoThalesEnabled:
|
||||||
|
type: boolean
|
||||||
|
default: false
|
||||||
|
BarbicanPkcs11CryptoEnabled:
|
||||||
|
type: boolean
|
||||||
|
default: false
|
||||||
|
BarbicanPkcs11CryptoLibraryPath:
|
||||||
|
description: Path to vendor PKCS11 library
|
||||||
|
type: string
|
||||||
|
default: ''
|
||||||
|
BarbicanPkcs11CryptoLogin:
|
||||||
|
description: Password to login to PKCS11 session
|
||||||
|
type: string
|
||||||
|
hidden: true
|
||||||
|
default: ''
|
||||||
|
BarbicanPkcs11CryptoMKEKLabel:
|
||||||
|
description: Label for Master KEK
|
||||||
|
type: string
|
||||||
|
default: ''
|
||||||
|
BarbicanPkcs11CryptoMKEKLength:
|
||||||
|
description: Length of Master KEK in bytes
|
||||||
|
type: string
|
||||||
|
default: '256'
|
||||||
|
BarbicanPkcs11CryptoHMACLabel:
|
||||||
|
description: Label for the HMAC key
|
||||||
|
type: string
|
||||||
|
default: ''
|
||||||
|
BarbicanPkcs11CryptoSlotId:
|
||||||
|
description: Slot Id for the HSM
|
||||||
|
type: string
|
||||||
|
default: '0'
|
||||||
|
BarbicanPkcs11CryptoEncryptionMechanism:
|
||||||
|
description: Cryptoki Mechanism used for encryption
|
||||||
|
type: string
|
||||||
|
default: 'CKM_AES_CBC'
|
||||||
|
BarbicanPkcs11CryptoHMACKeyType:
|
||||||
|
description: Cryptoki Key Type for Master HMAC key
|
||||||
|
type: string
|
||||||
|
default: 'CKK_AES'
|
||||||
|
BarbicanPkcs11CryptoHMACKeygenMechanism:
|
||||||
|
description: Cryptoki Mechanism used to generate Master HMAC Key
|
||||||
|
type: string
|
||||||
|
default: 'CKM_AES_KEY_GEN'
|
||||||
|
ThalesHSMNetworkName:
|
||||||
|
description: The network that the HSM is listening on.
|
||||||
|
type: string
|
||||||
|
default: 'internal_api'
|
||||||
|
ThalesVars:
|
||||||
|
default: {}
|
||||||
|
description: Hash of tripleo-barbican-thales variables used to
|
||||||
|
install Thales client software.
|
||||||
|
type: json
|
||||||
|
ATOSVars:
|
||||||
|
default: {}
|
||||||
|
description: Hash of tripleo-barbican-atos variables used to
|
||||||
|
install ATOS client software.
|
||||||
|
type: json
|
||||||
|
|
||||||
conditions:
|
conditions:
|
||||||
|
|
||||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||||
|
thales_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoThalesEnabled}, true]}
|
||||||
|
atos_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoATOSEnabled}, true]}
|
||||||
|
thales_or_atos_hsm_enabled:
|
||||||
|
or:
|
||||||
|
- thales_hsm_enabled
|
||||||
|
- atos_hsm_enabled
|
||||||
|
pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]}
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
|
|
||||||
@ -119,128 +185,384 @@ outputs:
|
|||||||
dest: "/"
|
dest: "/"
|
||||||
merge: true
|
merge: true
|
||||||
preserve_properties: true
|
preserve_properties: true
|
||||||
|
external_deploy_tasks:
|
||||||
|
if:
|
||||||
|
- thales_hsm_enabled
|
||||||
|
-
|
||||||
|
- name: Add ip addresses to the RFS server
|
||||||
|
when: step == '2'
|
||||||
|
block:
|
||||||
|
- name: get the ip addresses for the barbican nodes
|
||||||
|
set_fact:
|
||||||
|
thales_rfs_playbook_dir: "/tmp/thales_rfs_role_working_dir"
|
||||||
|
thales_client_ips:
|
||||||
|
str_replace:
|
||||||
|
template: >-
|
||||||
|
{% for host in groups['barbican_backend_pkcs11_crypto'] -%}
|
||||||
|
{{ hostvars[host]['$THALES_HSM_NETWORK_NAME_ip'] + ' ' }}
|
||||||
|
{%- endfor %}
|
||||||
|
params:
|
||||||
|
$THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName}
|
||||||
|
thales_bootstrap_client_ip:
|
||||||
|
str_replace:
|
||||||
|
template: >-
|
||||||
|
{% for host in groups['barbican_backend_pkcs11_crypto'] -%}
|
||||||
|
{% if hostvars[host]['bootstrap_server_id'] == hostvars[host]['deploy_server_id'] -%}
|
||||||
|
{{ hostvars[host]['$THALES_HSM_NETWORK_NAME_ip'] }}
|
||||||
|
{%- endif %}
|
||||||
|
{%- endfor %}
|
||||||
|
params:
|
||||||
|
$THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName}
|
||||||
|
thales_hsm_ip_address: {get_param: [ThalesVars, thales_hsm_ip_address]}
|
||||||
|
thales_hsm_config_location: {get_param: [ThalesVars, thales_hsm_config_location]}
|
||||||
|
thales_rfs_user: {get_param: [ThalesVars, thales_rfs_user]}
|
||||||
|
|
||||||
|
- name: set playbook vars
|
||||||
|
set_fact:
|
||||||
|
thales_rfs_inventory: "{{thales_rfs_playbook_dir}}/inventory"
|
||||||
|
thales_rfs_keyfile: "{{thales_rfs_playbook_dir}}/rfs_rsa"
|
||||||
|
thales_rfs_playbook: "{{thales_rfs_playbook_dir}}/rfs.yaml"
|
||||||
|
|
||||||
|
- name: creating working directory
|
||||||
|
file:
|
||||||
|
path: "{{thales_rfs_playbook_dir}}"
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- name: generate an inventory
|
||||||
|
copy:
|
||||||
|
dest: "{{thales_rfs_inventory}}"
|
||||||
|
content: {get_param: [ThalesVars, thales_rfs_server_ip_address]}
|
||||||
|
|
||||||
|
- name: write SSH key to file
|
||||||
|
copy:
|
||||||
|
dest: "{{thales_rfs_keyfile}}"
|
||||||
|
content: {get_param: [ThalesVars, thales_rfs_key]}
|
||||||
|
mode: 0400
|
||||||
|
|
||||||
|
- name: generate playbook to run
|
||||||
|
copy:
|
||||||
|
dest: "{{thales_rfs_playbook}}"
|
||||||
|
content: |
|
||||||
|
---
|
||||||
|
- hosts: all
|
||||||
|
remote_user: "{{thales_rfs_user}}"
|
||||||
|
vars:
|
||||||
|
thales_client_ips: "{{thales_client_ips}}"
|
||||||
|
thales_hsm_ip_address: "{{thales_hsm_ip_address}}"
|
||||||
|
thales_hsm_config_location: "{{thales_hsm_config_location}}"
|
||||||
|
thales_bootstrap_client_ip: "{{thales_bootstrap_client_ip}}"
|
||||||
|
roles:
|
||||||
|
- tripleo-barbican-thales-rfs
|
||||||
|
|
||||||
|
- name: call ansible on rfs server
|
||||||
|
shell: ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "{{thales_rfs_inventory}}" --key-file "{{thales_rfs_keyfile}}" --ssh-extra-args "-o StrictHostKeyChecking=no" "{{thales_rfs_playbook}}"
|
||||||
|
|
||||||
|
- name: clean up working directory
|
||||||
|
file:
|
||||||
|
path: "{{thales_rfs_playbook_dir}}"
|
||||||
|
state: absent
|
||||||
|
- null
|
||||||
|
deploy_steps_tasks:
|
||||||
|
if:
|
||||||
|
- thales_or_atos_hsm_enabled
|
||||||
|
- list_concat:
|
||||||
|
-
|
||||||
|
if:
|
||||||
|
- thales_hsm_enabled
|
||||||
|
-
|
||||||
|
- name: Thales client install
|
||||||
|
when: step == '2'
|
||||||
|
block:
|
||||||
|
- set_fact:
|
||||||
|
my_thales_client_ip:
|
||||||
|
str_replace:
|
||||||
|
template:
|
||||||
|
"{{$NETWORK_ip}}"
|
||||||
|
params:
|
||||||
|
$NETWORK: {get_param: ThalesHSMNetworkName}
|
||||||
|
- include_role:
|
||||||
|
name: tripleo-barbican-thales
|
||||||
|
vars:
|
||||||
|
{get_param: ThalesVars}
|
||||||
|
- null
|
||||||
|
-
|
||||||
|
if:
|
||||||
|
- atos_hsm_enabled
|
||||||
|
-
|
||||||
|
- name: ATOS client install
|
||||||
|
when: step == '2'
|
||||||
|
block:
|
||||||
|
- include_role:
|
||||||
|
name: tripleo-barbican-atos
|
||||||
|
vars:
|
||||||
|
{get_param: ATOSVars}
|
||||||
|
- null
|
||||||
|
- null
|
||||||
|
|
||||||
docker_config:
|
docker_config:
|
||||||
# db sync runs before permissions set by kolla_config
|
# db sync runs before permissions set by kolla_config
|
||||||
step_2:
|
step_2:
|
||||||
get_attr: [BarbicanApiLogging, docker_config, step_2]
|
map_merge:
|
||||||
|
- get_attr: [BarbicanApiLogging, docker_config, step_2]
|
||||||
|
- if:
|
||||||
|
- atos_hsm_enabled
|
||||||
|
- barbican_init_atos_directory:
|
||||||
|
image: &barbican_api_image {get_param: DockerBarbicanApiImage}
|
||||||
|
user: root
|
||||||
|
volumes:
|
||||||
|
- /etc/proteccio:/etc/proteccio
|
||||||
|
- /usr/lib64/libnetshm.so:/usr/lib64/libnethsm.so
|
||||||
|
command: ['/bin/bash', '-c', 'chown -R barbican:barbican /etc/proteccio && chown barbican:barbican /usr/lib64/libnethsm.so']
|
||||||
|
- {}
|
||||||
step_3:
|
step_3:
|
||||||
barbican_api_db_sync:
|
map_merge:
|
||||||
start_order: 0
|
- if:
|
||||||
image: &barbican_api_image {get_param: DockerBarbicanApiImage}
|
- pkcs11_plugin_enabled
|
||||||
net: host
|
- barbican_api_create_mkek:
|
||||||
detach: false
|
start_order: 0
|
||||||
user: root
|
image: *barbican_api_image
|
||||||
volumes: &barbican_api_volumes
|
net: host
|
||||||
list_concat:
|
detach: false
|
||||||
- {get_attr: [ContainersCommon, volumes]}
|
user: root
|
||||||
- {get_attr: [BarbicanApiLogging, volumes]}
|
volumes: &barbican_api_volumes
|
||||||
-
|
list_concat:
|
||||||
- /var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro
|
- {get_attr: [ContainersCommon, volumes]}
|
||||||
- /var/lib/config-data/barbican/etc/my.cnf.d/:/etc/my.cnf.d/:ro
|
- {get_attr: [BarbicanApiLogging, volumes]}
|
||||||
command:
|
-
|
||||||
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
|
- /var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro
|
||||||
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
|
- /var/lib/config-data/barbican/etc/my.cnf.d/:/etc/my.cnf.d/:ro
|
||||||
# final single quote that's part of the list_join.
|
-
|
||||||
list_join:
|
if:
|
||||||
- ' '
|
- thales_hsm_enabled
|
||||||
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
-
|
||||||
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
- /opt/nfast:/opt/nfast
|
||||||
- "db upgrade"
|
- null
|
||||||
- "'"
|
-
|
||||||
barbican_api_secret_store_sync:
|
if:
|
||||||
start_order: 1
|
- atos_hsm_enabled
|
||||||
image: *barbican_api_image
|
-
|
||||||
net: host
|
- /etc/proteccio:/etc/proteccio
|
||||||
detach: false
|
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
|
||||||
user: root
|
- null
|
||||||
volumes: *barbican_api_volumes
|
command:
|
||||||
command:
|
list_join:
|
||||||
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
|
- ' '
|
||||||
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
|
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
||||||
# final single quote that's part of the list_join.
|
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
||||||
list_join:
|
- "hsm check_mkek --library-path"
|
||||||
- ' '
|
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
|
||||||
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
- "--slot-id"
|
||||||
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
- {get_param: [BarbicanPkcs11CryptoSlotId]}
|
||||||
- "db sync_secret_stores --verbose"
|
- "--passphrase"
|
||||||
- "'"
|
- {get_param: [BarbicanPkcs11CryptoLogin]}
|
||||||
barbican_api:
|
- "--label"
|
||||||
# NOTE(alee): Barbican should start after keystone processes
|
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
|
||||||
start_order: 5
|
- "|| /usr/bin/barbican-manage"
|
||||||
image: *barbican_api_image
|
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
||||||
net: host
|
- "hsm gen_mkek --library-path"
|
||||||
privileged: false
|
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
|
||||||
restart: always
|
- "--slot-id"
|
||||||
user: root
|
- {get_param: [BarbicanPkcs11CryptoSlotId]}
|
||||||
healthcheck:
|
- "--passphrase"
|
||||||
test: /openstack/healthcheck
|
- {get_param: [BarbicanPkcs11CryptoLogin]}
|
||||||
volumes:
|
- "--label"
|
||||||
list_concat:
|
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
|
||||||
- {get_attr: [ContainersCommon, volumes]}
|
- "'"
|
||||||
- {get_attr: [BarbicanApiLogging, volumes]}
|
- {}
|
||||||
-
|
- if:
|
||||||
- /var/lib/kolla/config_files/barbican_api.json:/var/lib/kolla/config_files/config.json:ro
|
- pkcs11_plugin_enabled
|
||||||
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro
|
- barbican_api_create_hmac:
|
||||||
-
|
start_order: 0
|
||||||
if:
|
image: *barbican_api_image
|
||||||
- internal_tls_enabled
|
net: host
|
||||||
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
detach: false
|
||||||
- ''
|
user: root
|
||||||
-
|
volumes: *barbican_api_volumes
|
||||||
if:
|
command:
|
||||||
- internal_tls_enabled
|
list_join:
|
||||||
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
- ' '
|
||||||
- ''
|
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
||||||
environment: &kolla_env
|
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
||||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
- "hsm check_hmac --library-path"
|
||||||
barbican_keystone_listener:
|
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
|
||||||
start_order: 6
|
- "--slot-id"
|
||||||
image: {get_param: DockerBarbicanKeystoneListenerImage}
|
- {get_param: [BarbicanPkcs11CryptoSlotId]}
|
||||||
net: host
|
- "--passphrase"
|
||||||
privileged: false
|
- {get_param: [BarbicanPkcs11CryptoLogin]}
|
||||||
restart: always
|
- "--label"
|
||||||
user: barbican
|
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
|
||||||
healthcheck:
|
- "--key-type"
|
||||||
test:
|
- {get_param: [BarbicanPkcs11CryptoHMACKeyType]}
|
||||||
list_join:
|
- "|| /usr/bin/barbican-manage hsm gen_hmac --library-path"
|
||||||
|
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
|
||||||
|
- "--slot-id"
|
||||||
|
- {get_param: [BarbicanPkcs11CryptoSlotId]}
|
||||||
|
- "--passphrase"
|
||||||
|
- {get_param: [BarbicanPkcs11CryptoLogin]}
|
||||||
|
- "--label"
|
||||||
|
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
|
||||||
|
- "--key-type"
|
||||||
|
- {get_param: [BarbicanPkcs11CryptoHMACKeyType]}
|
||||||
|
- "--mechanism"
|
||||||
|
- {get_param: [BarbicanPkcs11CryptoHMACKeygenMechanism]}
|
||||||
|
- "'"
|
||||||
|
- {}
|
||||||
|
- if:
|
||||||
|
- thales_hsm_enabled
|
||||||
|
- barbican_api_update_rfs_server_with_mkek_and_hmac_keys:
|
||||||
|
start_order: 0
|
||||||
|
image: *barbican_api_image
|
||||||
|
net: host
|
||||||
|
detach: false
|
||||||
|
user: root
|
||||||
|
volumes: *barbican_api_volumes
|
||||||
|
command: "/usr/bin/bootstrap_host_exec barbican_api /opt/nfast/bin/rfs-sync --commit"
|
||||||
|
- {}
|
||||||
|
- if:
|
||||||
|
- thales_hsm_enabled
|
||||||
|
- barbican_api_get_mkek_and_hmac_keys_from_rfs:
|
||||||
|
start_order: 0
|
||||||
|
image: *barbican_api_image
|
||||||
|
net: host
|
||||||
|
detach: false
|
||||||
|
user: root
|
||||||
|
volumes: *barbican_api_volumes
|
||||||
|
command: "/opt/nfast/bin/rfs-sync --update"
|
||||||
|
- {}
|
||||||
|
- barbican_api_db_sync:
|
||||||
|
start_order: 0
|
||||||
|
image: *barbican_api_image
|
||||||
|
net: host
|
||||||
|
detach: false
|
||||||
|
user: root
|
||||||
|
volumes: *barbican_api_volumes
|
||||||
|
command:
|
||||||
|
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
|
||||||
|
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
|
||||||
|
# final single quote that's part of the list_join.
|
||||||
|
list_join:
|
||||||
- ' '
|
- ' '
|
||||||
- - '/openstack/healthcheck'
|
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
||||||
- yaql:
|
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
||||||
expression: str($.data.port)
|
- "db upgrade"
|
||||||
data:
|
- "'"
|
||||||
port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']}
|
- barbican_api_secret_store_sync:
|
||||||
volumes:
|
start_order: 1
|
||||||
list_concat:
|
image: *barbican_api_image
|
||||||
- {get_attr: [ContainersCommon, volumes]}
|
net: host
|
||||||
- {get_attr: [BarbicanApiLogging, volumes]}
|
detach: false
|
||||||
-
|
user: root
|
||||||
- /var/lib/kolla/config_files/barbican_keystone_listener.json:/var/lib/kolla/config_files/config.json:ro
|
volumes: *barbican_api_volumes
|
||||||
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro
|
command:
|
||||||
environment: *kolla_env
|
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
|
||||||
barbican_worker:
|
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
|
||||||
start_order: 7
|
# final single quote that's part of the list_join.
|
||||||
image: {get_param: DockerBarbicanWorkerImage}
|
list_join:
|
||||||
net: host
|
|
||||||
privileged: false
|
|
||||||
restart: always
|
|
||||||
user: barbican
|
|
||||||
healthcheck:
|
|
||||||
test:
|
|
||||||
list_join:
|
|
||||||
- ' '
|
- ' '
|
||||||
- - '/openstack/healthcheck'
|
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
||||||
- yaql:
|
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
||||||
expression: str($.data.port)
|
- "db sync_secret_stores --verbose"
|
||||||
data:
|
- "'"
|
||||||
port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']}
|
- barbican_api:
|
||||||
volumes:
|
# NOTE(alee): Barbican should start after keystone processes
|
||||||
list_concat:
|
start_order: 5
|
||||||
- {get_attr: [ContainersCommon, volumes]}
|
image: *barbican_api_image
|
||||||
- {get_attr: [BarbicanApiLogging, volumes]}
|
net: host
|
||||||
-
|
privileged: false
|
||||||
- /var/lib/kolla/config_files/barbican_worker.json:/var/lib/kolla/config_files/config.json:ro
|
restart: always
|
||||||
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro
|
user: root
|
||||||
environment: *kolla_env
|
healthcheck:
|
||||||
|
test: /openstack/healthcheck
|
||||||
|
volumes:
|
||||||
|
list_concat:
|
||||||
|
- {get_attr: [ContainersCommon, volumes]}
|
||||||
|
- {get_attr: [BarbicanApiLogging, volumes]}
|
||||||
|
-
|
||||||
|
- /var/lib/kolla/config_files/barbican_api.json:/var/lib/kolla/config_files/config.json:ro
|
||||||
|
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro
|
||||||
|
-
|
||||||
|
if:
|
||||||
|
- internal_tls_enabled
|
||||||
|
-
|
||||||
|
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
||||||
|
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
||||||
|
- null
|
||||||
|
-
|
||||||
|
if:
|
||||||
|
- thales_hsm_enabled
|
||||||
|
-
|
||||||
|
- /opt/nfast:/opt/nfast
|
||||||
|
- null
|
||||||
|
-
|
||||||
|
if:
|
||||||
|
- atos_hsm_enabled
|
||||||
|
-
|
||||||
|
- /etc/proteccio:/etc/proteccio
|
||||||
|
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
|
||||||
|
- null
|
||||||
|
environment: &kolla_env
|
||||||
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
||||||
|
- barbican_keystone_listener:
|
||||||
|
start_order: 6
|
||||||
|
image: {get_param: DockerBarbicanKeystoneListenerImage}
|
||||||
|
net: host
|
||||||
|
privileged: false
|
||||||
|
restart: always
|
||||||
|
user: barbican
|
||||||
|
healthcheck:
|
||||||
|
test:
|
||||||
|
list_join:
|
||||||
|
- ' '
|
||||||
|
- - '/openstack/healthcheck'
|
||||||
|
- yaql:
|
||||||
|
expression: str($.data.port)
|
||||||
|
data:
|
||||||
|
port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']}
|
||||||
|
volumes:
|
||||||
|
list_concat:
|
||||||
|
- {get_attr: [ContainersCommon, volumes]}
|
||||||
|
- {get_attr: [BarbicanApiLogging, volumes]}
|
||||||
|
-
|
||||||
|
- /var/lib/kolla/config_files/barbican_keystone_listener.json:/var/lib/kolla/config_files/config.json:ro
|
||||||
|
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro
|
||||||
|
environment: *kolla_env
|
||||||
|
- barbican_worker:
|
||||||
|
start_order: 7
|
||||||
|
image: {get_param: DockerBarbicanWorkerImage}
|
||||||
|
net: host
|
||||||
|
privileged: false
|
||||||
|
restart: always
|
||||||
|
user: barbican
|
||||||
|
healthcheck:
|
||||||
|
test:
|
||||||
|
list_join:
|
||||||
|
- ' '
|
||||||
|
- - '/openstack/healthcheck'
|
||||||
|
- yaql:
|
||||||
|
expression: str($.data.port)
|
||||||
|
data:
|
||||||
|
port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']}
|
||||||
|
volumes:
|
||||||
|
list_concat:
|
||||||
|
- {get_attr: [ContainersCommon, volumes]}
|
||||||
|
- {get_attr: [BarbicanApiLogging, volumes]}
|
||||||
|
-
|
||||||
|
- /var/lib/kolla/config_files/barbican_worker.json:/var/lib/kolla/config_files/config.json:ro
|
||||||
|
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro
|
||||||
|
-
|
||||||
|
if:
|
||||||
|
- thales_hsm_enabled
|
||||||
|
-
|
||||||
|
- /opt/nfast:/opt/nfast
|
||||||
|
- null
|
||||||
|
-
|
||||||
|
if:
|
||||||
|
- atos_hsm_enabled
|
||||||
|
-
|
||||||
|
- /etc/proteccio:/etc/proteccio
|
||||||
|
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
|
||||||
|
- null
|
||||||
|
environment: *kolla_env
|
||||||
host_prep_tasks: {get_attr: [BarbicanApiLogging, host_prep_tasks]}
|
host_prep_tasks: {get_attr: [BarbicanApiLogging, host_prep_tasks]}
|
||||||
upgrade_tasks:
|
upgrade_tasks:
|
||||||
- when: step|int == 3
|
- when: step|int == 3
|
||||||
|
29
environments/barbican-backend-pkcs11-atos.yaml
Normal file
29
environments/barbican-backend-pkcs11-atos.yaml
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
# A Heat environment file to enable the barbican PKCS11 crypto backend. Note
|
||||||
|
# that barbican needs to be enabled in order to use this.
|
||||||
|
parameter_defaults:
|
||||||
|
# In order to use this backend, you need to uncomment these values and
|
||||||
|
# provide the appropriate values.
|
||||||
|
#
|
||||||
|
# BarbicanPkcs11CryptoLogin: Password to login to PKCS11 session
|
||||||
|
# BarbicanPkcs11CryptoSlotId: Slot Id for the HSM
|
||||||
|
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
|
||||||
|
|
||||||
|
BarbicanPkcs11CryptoLibraryPath: '/usr/lib64/libnethsm.so'
|
||||||
|
BarbicanPkcs11CryptoEncryptionMechanism: 'CKM_AES_CBC'
|
||||||
|
BarbicanPkcs11CryptoHMACKeyType: 'CKK_GENERIC_SECRET'
|
||||||
|
BarbicanPkcs11CryptoHMACKeygenMechanism: 'CKM_GENERIC_SECRET_KEY_GEN'
|
||||||
|
BarbicanPkcs11CryptoMKEKLabel: 'barbican_mkek_0'
|
||||||
|
BarbicanPkcs11CryptoMKEKLength: 32
|
||||||
|
BarbicanPkcs11CryptoHMACLabel: 'barbican_hmac_0'
|
||||||
|
BarbicanPkcs11CryptoATOSEnabled: true
|
||||||
|
BarbicanPkcs11CryptoEnabled: true
|
||||||
|
ATOSVars:
|
||||||
|
atos_client_working_dir: /tmp/atos_client_install
|
||||||
|
# atos_client_iso_location:
|
||||||
|
# atos_client_iso_name:
|
||||||
|
# atos_client_cert_location:
|
||||||
|
# atos_client_key_loaction:
|
||||||
|
# atos_hsm_ip_address:
|
||||||
|
|
||||||
|
resource_registry:
|
||||||
|
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml
|
38
environments/barbican-backend-pkcs11-thales.yaml
Normal file
38
environments/barbican-backend-pkcs11-thales.yaml
Normal file
@ -0,0 +1,38 @@
|
|||||||
|
# A Heat environment file to enable the barbican PKCS11 crypto backend with
|
||||||
|
# a Thales HSM.
|
||||||
|
# Note that barbican needs to be enabled in order to use this.
|
||||||
|
parameter_defaults:
|
||||||
|
# In order to use this backend, you need to uncomment these values and
|
||||||
|
# provide the appropriate values.
|
||||||
|
#
|
||||||
|
# BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS11 session
|
||||||
|
# BarbicanPkcs11CryptoSlotId: Slot Id for the HSM
|
||||||
|
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
|
||||||
|
|
||||||
|
BarbicanPkcs11CryptoLibraryPath: '/opt/nfast/toolkits/pkcs11/libcknfast.so'
|
||||||
|
BarbicanPkcs11CryptoEncryptionMechanism: 'CKM_AES_CBC'
|
||||||
|
BarbicanPkcs11CryptoHMACKeyType: 'CKK_SHA256_HMAC'
|
||||||
|
BarbicanPkcs11CryptoHMACKeygenMechanism: 'CKM_NC_SHA256_HMAC_KEY_GEN'
|
||||||
|
BarbicanPkcs11CryptoMKEKLabel: 'barbican_mkek_0'
|
||||||
|
BarbicanPkcs11CryptoMKEKLength: '32'
|
||||||
|
BarbicanPkcs11CryptoHMACLabel: 'barbican_hmac_0'
|
||||||
|
BarbicanPkcs11CryptoThalesEnabled: true
|
||||||
|
BarbicanPkcs11CryptoEnabled: true
|
||||||
|
ThalesVars:
|
||||||
|
thales_client_working_dir: /tmp/thales_client_install
|
||||||
|
# thales_client_tarball_location: URI where the CipherTools tarball can be downloaded.
|
||||||
|
# thales_client_tarball_name: Filename for the CipherTools tarball.
|
||||||
|
thales_client_path: linux/libc6_11/amd64/nfast
|
||||||
|
thales_client_uid: 42481
|
||||||
|
thales_client_gid: 42481
|
||||||
|
# thales_km_data_location: URL where the RFS kmdata tarball can be downloaded.
|
||||||
|
# thales_km_data_tarball_name: Filename for the kmdata tarball.
|
||||||
|
# thales_hsm_ip_address: IP address for the HSM
|
||||||
|
# thales_rfs_server_ip_address: IP address for the RFS Server.
|
||||||
|
# thales_hsm_config_location: The directory where the hsm configuration is stored in
|
||||||
|
# your RFS server. e.g. hsm-XXXX-XXXX-XXXX.
|
||||||
|
# thales_rfs_user: Username used to log into RFS server.
|
||||||
|
# thales_rfs_key: RSA Private key in PEM format used to log into RFS server.
|
||||||
|
|
||||||
|
resource_registry:
|
||||||
|
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml
|
@ -11,6 +11,7 @@ parameter_defaults:
|
|||||||
# BarbicanPkcs11CryptoHMACLabel: Label for the HMAC key
|
# BarbicanPkcs11CryptoHMACLabel: Label for the HMAC key
|
||||||
# BarbicanPkcs11CryptoSlotId: Slot Id for the HSM
|
# BarbicanPkcs11CryptoSlotId: Slot Id for the HSM
|
||||||
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
|
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
|
||||||
|
BarbicanPkcs11CryptoEnabled: true
|
||||||
|
|
||||||
resource_registry:
|
resource_registry:
|
||||||
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml
|
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml
|
||||||
|
@ -34,22 +34,44 @@ parameters:
|
|||||||
BarbicanPkcs11CryptoLibraryPath:
|
BarbicanPkcs11CryptoLibraryPath:
|
||||||
description: Path to vendor PKCS11 library
|
description: Path to vendor PKCS11 library
|
||||||
type: string
|
type: string
|
||||||
|
default: ''
|
||||||
BarbicanPkcs11CryptoLogin:
|
BarbicanPkcs11CryptoLogin:
|
||||||
description: Password to login to PKCS11 session
|
description: Password to login to PKCS11 session
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
|
default: ''
|
||||||
BarbicanPkcs11CryptoMKEKLabel:
|
BarbicanPkcs11CryptoMKEKLabel:
|
||||||
description: Label for Master KEK
|
description: Label for Master KEK
|
||||||
type: string
|
type: string
|
||||||
|
default: ''
|
||||||
BarbicanPkcs11CryptoMKEKLength:
|
BarbicanPkcs11CryptoMKEKLength:
|
||||||
description: Length of Master KEK in bytes
|
description: Length of Master KEK in bytes
|
||||||
type: number
|
type: string
|
||||||
|
default: '256'
|
||||||
BarbicanPkcs11CryptoHMACLabel:
|
BarbicanPkcs11CryptoHMACLabel:
|
||||||
description: Label for the HMAC key
|
description: Label for the HMAC key
|
||||||
type: string
|
type: string
|
||||||
|
default: ''
|
||||||
BarbicanPkcs11CryptoSlotId:
|
BarbicanPkcs11CryptoSlotId:
|
||||||
description: Slot Id for the HSM
|
description: Slot Id for the HSM
|
||||||
type: number
|
type: string
|
||||||
|
default: '0'
|
||||||
|
BarbicanPkcs11CryptoEncryptionMechanism:
|
||||||
|
description: Cryptoki Mechanism used for encryption
|
||||||
|
type: string
|
||||||
|
default: 'CKM_AES_CBC'
|
||||||
|
BarbicanPkcs11CryptoHMACKeyType:
|
||||||
|
description: Cryptoki Key Type for Master HMAC key
|
||||||
|
type: string
|
||||||
|
default: 'CKK_AES'
|
||||||
|
BarbicanPkcs11CryptoHMACKeygenMechanism:
|
||||||
|
description: Cryptoki Mechanism used to generate Master HMAC Key
|
||||||
|
type: string
|
||||||
|
default: 'CKM_AES_KEY_GEN'
|
||||||
|
BarbicanPkcs11CryptoAESGCMGenerateIV:
|
||||||
|
description: Generate IVs for CKM_AES_GCM encryption mechanism
|
||||||
|
type: boolean
|
||||||
|
default: true
|
||||||
BarbicanPkcs11CryptoGlobalDefault:
|
BarbicanPkcs11CryptoGlobalDefault:
|
||||||
description: Whether this plugin is the global default plugin
|
description: Whether this plugin is the global default plugin
|
||||||
type: boolean
|
type: boolean
|
||||||
@ -61,10 +83,14 @@ outputs:
|
|||||||
value:
|
value:
|
||||||
service_name: barbican_backend_pkcs11_crypto
|
service_name: barbican_backend_pkcs11_crypto
|
||||||
config_settings:
|
config_settings:
|
||||||
barbican::plugins::p11_crypto::p11_crypto_plugin_library_path {get_param: BarbicanPkcs11CryptoLibraryPath}
|
barbican::plugins::p11_crypto::p11_crypto_plugin_library_path: {get_param: BarbicanPkcs11CryptoLibraryPath}
|
||||||
barbican::plugins::p11_crypto::p11_crypto_plugin_login {get_param: BarbicanPkcs11CryptoLogin}
|
barbican::plugins::p11_crypto::p11_crypto_plugin_login: {get_param: BarbicanPkcs11CryptoLogin}
|
||||||
barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_label: {get_param: BarbicanPkcs11CryptoMKEKLabel}
|
barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_label: {get_param: BarbicanPkcs11CryptoMKEKLabel}
|
||||||
barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_length: {get_param: BarbicanPkcs11CryptoMKEKLength}
|
barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_length: {get_param: BarbicanPkcs11CryptoMKEKLength}
|
||||||
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_label: {get_param: BarbicanPkcs11CryptoHMACLabel}
|
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_label: {get_param: BarbicanPkcs11CryptoHMACLabel}
|
||||||
barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId}
|
barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId}
|
||||||
|
barbican::plugins::p11_crypto::p11_crypto_plugin_encryption_mechanism: {get_param: BarbicanPkcs11CryptoEncryptionMechanism}
|
||||||
|
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_key_type: {get_param: BarbicanPkcs11CryptoHMACKeyType}
|
||||||
|
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_keygen_mechanism: {get_param: BarbicanPkcs11CryptoHMACKeygenMechanism}
|
||||||
|
barbican::plugins::p11_crypto::p11_crypto_plugin_aes_gcm_generate_iv: {get_param: BarbicanPkcs11CryptoAESGCMGenerateIV}
|
||||||
barbican::plugins::p11_crypto::global_default: {get_param: BarbicanPkcs11CryptoGlobalDefault}
|
barbican::plugins::p11_crypto::global_default: {get_param: BarbicanPkcs11CryptoGlobalDefault}
|
||||||
|
@ -0,0 +1,10 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Added code in the barbican-api.yaml template to allow barbican to be
|
||||||
|
configured to run with either an ATOS or Thales HSM back-end. Also
|
||||||
|
added environment files with all the required variables. The added code
|
||||||
|
installs and configures the client software on the barbican nodes,
|
||||||
|
generates the required kets for the PKCS#11 plugin, and configures
|
||||||
|
barbican correctly. For the Thales case, it also contacts the RFS server
|
||||||
|
to add the new clients to the HSM.
|
Loading…
x
Reference in New Issue
Block a user