# Heat template that exposes the Barbican PKCS#11 crypto plugin settings as
# parameters and passes them to Puppet through the role_data output.
heat_template_version: wallaby

description: >
  Barbican API PKCS#11 crypto backend configured with Puppet

parameters:
  # Required default parameters
  ServiceData:
    description: Dictionary packing service data
    type: json
    default: {}
  ServiceNetMap:
    description: >-
      Mapping of service_name -> network name. Typically set
      via parameter_defaults in the resource registry. This
      mapping overrides those in ServiceNetMapDefaults.
    type: json
    default: {}
  RoleName:
    description: Role name on which the service is applied
    type: string
    default: ''
  RoleParameters:
    description: Parameters specific to the role
    type: json
    default: {}
  EndpointMap:
    description: >-
      Mapping of service endpoint -> protocol. Typically set
      via parameter_defaults in the resource registry.
    type: json
    default: {}

  # --- PKCS#11 module and session credentials ---
  # NOTE(review): the vendor library is presumably loaded into the Barbican
  # process, so the path should point at a root-owned file that the service
  # account cannot modify - confirm on the target hosts.
  BarbicanPkcs11CryptoLibraryPath:
    description: Path to vendor PKCS11 library
    type: string
    default: ''
  # The token PIN. `hidden: true` marks the value as sensitive to Heat; the
  # default is empty, so the deployer has to supply it. Keep the environment
  # file that carries it out of version control.
  BarbicanPkcs11CryptoLogin:
    description: Password (PIN) to login to PKCS#11 session
    type: string
    hidden: true
    default: ''

  # --- Master key material held on the token ---
  BarbicanPkcs11CryptoMKEKLabel:
    description: Label for Master KEK
    type: string
    default: ''
  # NOTE(review): the description says bytes, but AES keys are 16, 24 or 32
  # bytes long; the default of '256' reads like a bit count. Confirm the unit
  # the plugin expects and set this explicitly rather than relying on the
  # default.
  BarbicanPkcs11CryptoMKEKLength:
    description: Length of Master KEK in bytes
    type: string
    default: '256'
  BarbicanPkcs11CryptoHMACLabel:
    description: Label for the HMAC key
    type: string
    default: ''

  # --- Token selection ---
  BarbicanPkcs11CryptoSlotId:
    description: Slot Id for the PKCS#11 token to be used
    type: string
    default: '0'
  BarbicanPkcs11CryptoTokenSerialNumber:
    description: Serial number for PKCS#11 token to be used
    type: string
    default: ''
  # Deprecated single-label form; still forwarded to Puppet alongside the
  # plural parameter. NOTE(review): which one wins when both are set is not
  # visible in this template - set only BarbicanPkcs11CryptoTokenLabels.
  BarbicanPkcs11CryptoTokenLabel:
    description: (DEPRECATED) Use BarbicanPkcs11CryptoTokenLabels instead.
    type: string
    default: ''
  BarbicanPkcs11CryptoTokenLabels:
    description: >-
      List of comma separated labels for the tokens to be used.
      This is typically a single label, but some devices may require
      more than one label for Load Balancing and High Availability
      configurations.
    type: string
    default: ''

  # --- Cryptoki mechanisms and key types ---
  # CKM_AES_CBC is unauthenticated encryption: it protects confidentiality
  # but does not by itself detect modified ciphertext. NOTE(review): confirm
  # what integrity protection the plugin adds before relying on this default.
  BarbicanPkcs11CryptoEncryptionMechanism:
    description: Cryptoki Mechanism used for encryption
    type: string
    default: 'CKM_AES_CBC'
  BarbicanPkcs11CryptoHMACKeyType:
    description: Cryptoki Key Type for Master HMAC key
    type: string
    default: 'CKK_AES'
  BarbicanPkcs11CryptoHMACKeygenMechanism:
    description: Cryptoki Mechanism used to generate Master HMAC Key
    type: string
    default: 'CKM_AES_KEY_GEN'
  # Only relevant when the encryption mechanism is CKM_AES_GCM. GCM loses
  # both confidentiality and authenticity if an IV is ever reused under the
  # same key, so whichever side generates IVs must guarantee uniqueness.
  BarbicanPkcs11CryptoAESGCMGenerateIV:
    description: Generate IVs for CKM_AES_GCM encryption mechanism
    type: boolean
    default: true

  # --- Key attributes and client library behaviour ---
  # CKA_SENSITIVE keeps a key's value from being revealed in plaintext off
  # the token. Leave this enabled unless the HSM rejects the attribute.
  BarbicanPkcs11AlwaysSetCkaSensitive:
    description: Always set CKA_SENSITIVE=CK_TRUE
    type: boolean
    default: true
  BarbicanPkcs11CryptoOsLockingOk:
    description: >-
      Set CKF_OS_LOCKING_OK flag when initializing the client
      library.
    type: boolean
    default: false
  BarbicanPkcs11CryptoGlobalDefault:
    description: Whether this plugin is the global default plugin
    type: boolean
    default: false

outputs:
  role_data:
    description: Role data for the Barbican PKCS#11 backend.
    value:
      service_name: barbican_backend_pkcs11_crypto
      # Each template parameter is forwarded unchanged to the matching
      # barbican::plugins::p11_crypto Puppet setting; nothing is validated
      # or transformed here.
      config_settings:
        barbican::plugins::p11_crypto::p11_crypto_plugin_library_path:
          get_param: BarbicanPkcs11CryptoLibraryPath
        # Token PIN. NOTE(review): presumably ends up in Puppet data and the
        # Barbican configuration on the node - confirm both are readable
        # only by root and the service account.
        barbican::plugins::p11_crypto::p11_crypto_plugin_login:
          get_param: BarbicanPkcs11CryptoLogin
        barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_label:
          get_param: BarbicanPkcs11CryptoMKEKLabel
        barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_length:
          get_param: BarbicanPkcs11CryptoMKEKLength
        barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_label:
          get_param: BarbicanPkcs11CryptoHMACLabel
        barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id:
          get_param: BarbicanPkcs11CryptoSlotId
        barbican::plugins::p11_crypto::p11_crypto_plugin_token_serial_number:
          get_param: BarbicanPkcs11CryptoTokenSerialNumber
        # Deprecated single label and its plural replacement are both passed
        # through.
        barbican::plugins::p11_crypto::p11_crypto_plugin_token_label:
          get_param: BarbicanPkcs11CryptoTokenLabel
        barbican::plugins::p11_crypto::p11_crypto_plugin_token_labels:
          get_param: BarbicanPkcs11CryptoTokenLabels
        barbican::plugins::p11_crypto::p11_crypto_plugin_encryption_mechanism:
          get_param: BarbicanPkcs11CryptoEncryptionMechanism
        barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_key_type:
          get_param: BarbicanPkcs11CryptoHMACKeyType
        barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_keygen_mechanism:
          get_param: BarbicanPkcs11CryptoHMACKeygenMechanism
        barbican::plugins::p11_crypto::p11_crypto_plugin_aes_gcm_generate_iv:
          get_param: BarbicanPkcs11CryptoAESGCMGenerateIV
        barbican::plugins::p11_crypto::p11_crypto_plugin_always_set_cka_sensitive:
          get_param: BarbicanPkcs11AlwaysSetCkaSensitive
        barbican::plugins::p11_crypto::p11_crypto_plugin_os_locking_ok:
          get_param: BarbicanPkcs11CryptoOsLockingOk
        barbican::plugins::p11_crypto::global_default:
          get_param: BarbicanPkcs11CryptoGlobalDefault