# A Heat environment file to enable the barbican PKCS#11 crypto backend using
# one or more Thales Luna Network HSMs.
# Note that Barbican needs to be enabled in order to use this.
parameter_defaults:
  # In order to use this backend, you must add the following parameters to
  # this (or a separate) environment file and give them appropriate values.
  # They are deliberately left without defaults here because they are
  # deployment-specific, and one of them (the PIN) is a secret.
  #
  # BarbicanPkcs11CryptoLogin: Password (PIN) used to log in to the PKCS#11
  #   session.  This is a secret: keep it out of version control (e.g. put it
  #   in a separate, access-restricted environment file) and change it on the
  #   HSM if the file is ever exposed.
  #
  # BarbicanPkcs11CryptoTokenLabels: Label for the PKCS#11 token to be used.
  #   For single HSM deployments this value should be the partition label
  #   that will be assigned to the clients.
  #   For HA deployments this value should be the label for the HA group.
  #
  # BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global
  #   default crypto plugin for Barbican.
  #
  # LunasaClientIPNetwork: (Optional) Network to be used by the controllers
  #   to connect to the HSM.  By default this option is empty ('') and the
  #   controllers are registered on the HSM using the controller's FQDN.
  #   When this option is set, the controllers will be registered using the
  #   controller's IP on this network instead.  Use it when the HSM cannot
  #   resolve the controllers' FQDNs, or when HSM traffic should be confined
  #   to a dedicated network.

  # PKCS#11 (Cryptoki) library expected to be provided by the Luna client
  # installed via LunasaVars below.
  BarbicanPkcs11CryptoLibraryPath:         '/usr/lib/libCryptoki2_64.so'
  # Mechanism used for encryption under the MKEK.  CBC provides
  # confidentiality only; integrity is presumably provided by the separate
  # HMAC key configured below, so the HMAC settings must not be dropped.
  # NOTE(review): check the Barbican plugin and Luna client documentation
  # before switching to an AEAD mechanism such as CKM_AES_GCM.
  BarbicanPkcs11CryptoEncryptionMechanism: 'CKM_AES_CBC'
  # Key type and keygen mechanism for the HMAC key that is generated on the
  # HSM; the key is created as an AES key rather than a generic secret.
  BarbicanPkcs11CryptoHMACKeyType:         'CKK_AES'
  BarbicanPkcs11CryptoHMACKeygenMechanism: 'CKM_AES_KEY_GEN'
  # Label and length (in bytes; 32 = AES-256) of the master KEK stored on the
  # HSM.  The length is quoted so YAML keeps it a string.  The label suffix
  # presumably serves as a rotation index -- when rotating, generate a new
  # key under a new label rather than overwriting this one.
  BarbicanPkcs11CryptoMKEKLabel:           'barbican_mkek_0'
  BarbicanPkcs11CryptoMKEKLength:          '32'
  # Label of the HMAC key on the HSM (same labelling convention as the MKEK).
  BarbicanPkcs11CryptoHMACLabel:           'barbican_hmac_0'
  # Install and register the Luna client on the controllers, and enable the
  # PKCS#11 crypto plugin in Barbican.
  BarbicanPkcs11CryptoLunasaEnabled:       true
  BarbicanPkcs11CryptoEnabled:             true
  # Create generated keys with CKA_SENSITIVE set, so their plaintext can never
  # be read out of the HSM.  Leave this enabled.
  BarbicanPkcs11AlwaysSetCkaSensitive:     true

  # Settings for installing the Luna client and registering the controllers
  # with the HSM(s).
  # NOTE(review): as written, this key has only comments under it and so
  # parses as null, not a mapping.  Fill in the mapping below (or define
  # LunasaVars in a separate environment file) rather than leaving it empty.
  LunasaVars:
    # lunasa_client_tarball_location: URI where the CipherTools tarball can be downloaded.
    #   Use a trusted, access-controlled location and verify the tarball
    #   against the vendor's published checksum or signature before
    #   deploying: it supplies the library that the crypto plugin loads.
    # lunasa_client_tarball_name: Filename for the CipherTools tarball.
    # lunasa_client_installer_path: path to install.sh in the tarball.
    # lunasa_client_rotate_cert: (Optional) Set to true to generate a new
    #   client certificate and re-register clients during deployment.  Only
    #   set it on runs where the client certificate should be replaced.
    # lunasa_hsms: A list of HSMs.  When more than one HSM is specified, they
    #   will be configured as an HA group.  Each entry should specify the
    #   following:
    #  - hostname: Hostname for the HSM
    #    admin_password: admin password for the HSM, used to add a new client
    #      for each controller node.  This is a secret: keep it out of version
    #      control, and if the HSM offers a less-privileged role that can
    #      register clients, prefer that over the full admin credential.
    #    partition: HSM partition to be assigned to the clients.
    #    partition_serial: serial number for the partition.

# Wire the PKCS#11 backend service onto its puppet deployment template; the
# relative path is resolved from this environment file's location.
resource_registry:
  OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml