From ead85251e95ce69ef64237905ace970fe406a06a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?= Date: Mon, 13 Jul 2020 15:36:51 -0500 Subject: [PATCH] Add new Luna HSM parameter for Barbican This patch adds a new parameter for deploying Barbican with a Thales Luna Network HSM (LunasaClientIPNetwork). LunasaClientIPNetwork can be used to register controller nodes with the HSM using the controller's IP address on the given network instead of its fqdn. Co-Authored-By: Ade Lee Depends-On: If0eb393ca970206cc95c7453641f33781eb698b2 Change-Id: I02d577939b0002b0e605ac0cbbda54e05e0b206f --- .../barbican-api-container-puppet.yaml | 27 +++++++++++++++-- .../barbican-backend-pkcs11-lunasa.yaml | 29 ++++++++++++------- 2 files changed, 43 insertions(+), 13 deletions(-) diff --git a/deployment/barbican/barbican-api-container-puppet.yaml b/deployment/barbican/barbican-api-container-puppet.yaml index af4d42806f..a1f707d9f2 100644 --- a/deployment/barbican/barbican-api-container-puppet.yaml +++ b/deployment/barbican/barbican-api-container-puppet.yaml @@ -114,6 +114,12 @@ parameters: description: Hash of lunasa-hsm role variables used to install Lunasa client software. type: json + LunasaClientIPNetwork: + description: > + (Optional) When set Barbican nodes will be registered with + the HSMs using the IP from this network instead of the FQDN. + type: string + default: '' BarbicanPassword: description: The password for the barbican service account. type: string @@ -170,6 +176,9 @@ conditions: pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]} pkcs11_rewrap_pkeks: {equals: [{get_param: BarbicanPkcs11CryptoRewrapKeys}, true]} enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]} + # Luna Clients use FQDN by default. When LunasaClientIPNetwork is set we + # will use the Controller's IP address from that network instead. + lunasa_hsm_use_fqdn: {equals: [{get_param: LunasaClientIPNetwork}, '']} resources: 
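Review bot: The new `LunasaClientIPNetwork` description in the `parameters:` hunk does not say what form the value must take, even though the value is later spliced into the Ansible expression `{{$NETWORK_ip}}` (the `vars:` hunk on the following line), so a name that does not correspond to an existing `<network>_ip` variable surfaces only as an undefined-variable failure at deploy time rather than at template validation. Suggest widening the description to something like `(Optional) Lower-case name of the network (as used for the <network>_ip Ansible variables) whose IP is registered with the HSMs instead of the FQDN.` so operators know the expected form. A `constraints:` entry with an `allowed_pattern` could additionally reject obviously malformed names, though the set of valid names depends on the network configuration outside this patch.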
@@ -477,7 +486,21 @@ outputs: include_role: name: lunasa_hsm vars: - {get_param: LunasaVars} + if: + - lunasa_hsm_use_fqdn + - map_merge: + - {get_param: LunasaVars} + - lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin} + - map_merge: + - {get_param: LunasaVars} + - lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin} + - lunasa_client_ip: + str_replace: + template: + "{{$NETWORK_ip}}" + params: + $NETWORK: {get_param: LunasaClientIPNetwork} + - name: set the slot id in hieradata include_role: name: tripleo_hieradata @@ -485,7 +508,7 @@ outputs: vars: hieradata_ansible_data: barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: "{{ lunasa_ha_slot }}" - when: lunasa_ha_slot + when: lunasa_ha_slot is defined - null - null docker_config: diff --git a/environments/barbican-backend-pkcs11-lunasa.yaml b/environments/barbican-backend-pkcs11-lunasa.yaml index 62b93183a5..01c6a7b945 100644 --- a/environments/barbican-backend-pkcs11-lunasa.yaml +++ b/environments/barbican-backend-pkcs11-lunasa.yaml @@ -11,6 +11,12 @@ parameter_defaults: # mode, whatever value is placed here will be overridden by the dynamically generated # slot for the HA group created on the client. # BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin + # + # LunasaClientIPNetwork: (Optional) Network to be used by the controllers + # to connect to the HSM. By default this option is empty ('') and the + # controllers are registered on the HSM using the controller's FQDN. + # When this option is set, the controllers will be registered using the + # controller's IP on this network instead. BarbicanPkcs11CryptoLibraryPath: '/usr/lib/libCryptoki2_64.so' BarbicanPkcs11CryptoEncryptionMechanism: 'CKM_AES_CBC' 
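Review bot: The `vars:` value in the `@@ -477` hunk now hands the PKCS#11 login (`lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}`) to `include_role` on both branches of the `if:`, and nothing in the hunk marks the task as sensitive, so the PIN may show up in verbose Ansible output or in the rendered playbook for this task; adding `no_log: true` to the task (its `- name:` line sits above the hunk) would suppress that for the include itself, and the tasks inside the `lunasa_hsm` role that consume the value, which are outside this patch, would presumably need the same treatment. As a matter of style, the two `map_merge` branches repeat the `LunasaVars` + `lunasa_client_pin` merge; building that common map once and letting the condition contribute only the `lunasa_client_ip` entry would leave a single place to maintain when further client variables are added.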
@@ -22,20 +28,21 @@ parameter_defaults: BarbicanPkcs11CryptoLunasaEnabled: true BarbicanPkcs11CryptoEnabled: true BarbicanPkcs11AlwaysSetCkaSensitive: true + LunasaVars: # lunasa_client_tarball_location: URI where the CipherTools tarball can be downloaded. # lunasa_client_tarball_name: Filename for the CipherTools tarball. # lunasa_client_installer_path: path to install.sh in the tarball. - # lunasa_hsms: A list of HSMs with the following format: - # lunasa_hsms: - # - name: Name of the HSM - # hostname: Hostname for the HSM - # admin_password: admin password for the HSM - # partition: HSM partition for this client to be assigned - # partition_serial: serial number for the partition - # client_ip: IP for the client - TODO: figure out how to pass this correctly - # lunasa_ha_label: HA group label Required only for HA mode. This will trigger the - # installer to create an HA group comprising of the HSMs in lunasa_hsms. - # lunasa_partition_password: PKCS#11 password for the partitition + # lunasa_client_rotate_cert: (Optional) Set to true to generate a new + # client certificate and re-register clients during deployment. + # lunasa_hsms: A list of HSMs. When more than one HSM is specified, they + # will be configured as an HA pool. Each entry should specify the + # following: + # - hostname: Hostname for the HSM + # admin_password: admin password for the HSM, used to add a new client. + # partition: HSM partition to be assigned to the clients. + # partition_serial: serial number for the partition. + # lunasa_ha_label: HA group label Required only for HA mode. + resource_registry: OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml