Add new Luna HSM parameter for Barbican

This patch adds a new parameter for deploying Barbican with a Thales Luna Network HSM (LunasaClientIPNetwork). LunasaClientIPNetwork can be used to register controller nodes with the HSM using the controller's IP address on the given network instead of its fqdn. Co-Authored-By: Ade Lee <alee@redhat.com> Depends-On: If0eb393ca970206cc95c7453641f33781eb698b2 Change-Id: I02d577939b0002b0e605ac0cbbda54e05e0b206f
2020-07-13 15:36:51 -05:00 · 2020-07-13 15:36:51 -05:00 · ead85251e9
commit ead85251e9
parent 24bf5c449f
2 changed files with 43 additions and 13 deletions
--- a/deployment/barbican/barbican-api-container-puppet.yaml
+++ b/deployment/barbican/barbican-api-container-puppet.yaml
@ -114,6 +114,12 @@ parameters:
    description: Hash of lunasa-hsm role variables used to
                 install Lunasa client software.
    type: json
+  LunasaClientIPNetwork:
+    description: >
+      (Optional) When set Barbican nodes will be registered with
+      the HSMs using the IP from this network instead of the FQDN.
+    type: string
+    default: ''
  BarbicanPassword:
    description: The password for the barbican service account.
    type: string
@ -170,6 +176,9 @@ conditions:
  pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]}
  pkcs11_rewrap_pkeks: {equals: [{get_param: BarbicanPkcs11CryptoRewrapKeys}, true]}
  enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
+  # Luna Clients use FQDN by default.  When LunasaClientIPNetwork is set we
+  # will use the Controller's IP address from that network instead.
+  lunasa_hsm_use_fqdn: {equals: [{get_param: LunasaClientIPNetwork}, '']}

 resources:

@ -477,7 +486,21 @@ outputs:
                    include_role:
                      name: lunasa_hsm
                    vars:
-                      {get_param: LunasaVars}
+                      if:
+                        - lunasa_hsm_use_fqdn
+                        - map_merge:
+                          - {get_param: LunasaVars}
+                          - lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
+                        - map_merge:
+                          - {get_param: LunasaVars}
+                          - lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
+                          - lunasa_client_ip:
+                              str_replace:
+                                template:
+                                  "{{$NETWORK_ip}}"
+                                params:
+                                  $NETWORK: {get_param: LunasaClientIPNetwork}
+
                  - name: set the slot id in hieradata
                    include_role:
                      name: tripleo_hieradata
@ -485,7 +508,7 @@ outputs:
                    vars:
                      hieradata_ansible_data:
                        barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: "{{ lunasa_ha_slot }}"
-                    when: lunasa_ha_slot
+                    when: lunasa_ha_slot is defined
              - null
        - null
      docker_config:
--- a/environments/barbican-backend-pkcs11-lunasa.yaml
+++ b/environments/barbican-backend-pkcs11-lunasa.yaml
@ -11,6 +11,12 @@ parameter_defaults:
  #   mode, whatever value is placed here will be overridden by the dynamically generated
  #   slot for the HA group created on the client.
  # BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
+  #
+  # LunasaClientIPNetwork: (Optional) Network to be used by the controllers
+  #   to connect to the HSM.  By default this option is empty ('') and the
+  #   controllers are registered on the HSM using the controller's FQDN.
+  #   When this option is set, the controllers will be registered using the
+  #   controller's IP on this network instead.

  BarbicanPkcs11CryptoLibraryPath:         '/usr/lib/libCryptoki2_64.so'
  BarbicanPkcs11CryptoEncryptionMechanism: 'CKM_AES_CBC'
@ -22,20 +28,21 @@ parameter_defaults:
  BarbicanPkcs11CryptoLunasaEnabled:       true
  BarbicanPkcs11CryptoEnabled:             true
  BarbicanPkcs11AlwaysSetCkaSensitive:     true
+
  LunasaVars:
    # lunasa_client_tarball_location: URI where the CipherTools tarball can be downloaded.
    # lunasa_client_tarball_name: Filename for the CipherTools tarball.
    # lunasa_client_installer_path: path to install.sh in the tarball.
-    # lunasa_hsms:  A list of HSMs with the following format:
-    # lunasa_hsms:
-    #  - name: Name of the HSM
-    #    hostname: Hostname for the HSM
-    #    admin_password: admin password for the HSM
-    #    partition: HSM partition for this client to be assigned
-    #    partition_serial: serial number for the partition
-    #    client_ip: IP for the client - TODO: figure out how to pass this correctly
-    # lunasa_ha_label: HA group label Required only for HA mode.  This will trigger the
-    #    installer to create an HA group comprising of the HSMs in lunasa_hsms.
-    # lunasa_partition_password: PKCS#11 password for the partitition
+    # lunasa_client_rotate_cert:  (Optional) Set to true to generate a new
+    #   client certificate and re-register clients during deployment.
+    # lunasa_hsms:  A list of HSMs.  When more than one HSM is specified, they
+    #    will be configured as an HA pool.  Each entry should specify the
+    #    following:
+    #  - hostname: Hostname for the HSM
+    #    admin_password: admin password for the HSM, used to add a new client.
+    #    partition: HSM partition to be assigned to the clients.
+    #    partition_serial: serial number for the partition.
+    # lunasa_ha_label: HA group label Required only for HA mode.
+
 resource_registry:
  OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml