b253d564f7
This simplifies the ServiceNetMap/VipSubnetMap interfaces to use parameter merge strategy and removes the *Defaults interfaces. Change-Id: Ic73628a596e9051b5c02435b712643f9ef7425e3
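# Heat template for the Barbican PKCS#11 crypto backend.
# It declares the operator-facing parameters and hands each one to the
# barbican::plugins::p11_crypto::* keys under
# outputs.role_data.config_settings.
# The nesting below is restored from a listing that had lost its indentation
# and carried a stray "|" gutter line between rows; parameter names, types,
# defaults and descriptions are unchanged.
heat_template_version: wallaby

description: >
  Barbican API PKCS#11 crypto backend configured with Puppet

parameters:
  # Required default parameters
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry. Use
                 parameter_merge_strategies to merge it with the defaults.
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  # NOTE(review): this names the vendor module the PKCS#11 plugin uses and it
  # is passed through without any constraint. Presumably the library is loaded
  # into the service process, so the file should not be writable by
  # unprivileged accounts - confirm on the target hosts.
  BarbicanPkcs11CryptoLibraryPath:
    description: Path to vendor PKCS11 library
    type: string
    default: ''
  # hidden: true marks the PIN as a hidden Heat parameter, but the value is
  # still copied into config_settings below.
  # NOTE(review): confirm that wherever that data is rendered on the node is
  # readable only by the service. The empty default means no PIN is supplied
  # unless the operator sets one.
  BarbicanPkcs11CryptoLogin:
    description: Password (PIN) to login to PKCS#11 session
    type: string
    hidden: true
    default: ''
  BarbicanPkcs11CryptoMKEKLabel:
    description: Label for Master KEK
    type: string
    default: ''
  # NOTE(review): the description says bytes but the default is '256'. If the
  # master KEK is an AES key (the default encryption mechanism below is
  # CKM_AES_CBC), valid sizes are 16, 24 or 32 bytes, so 256 reads like a bit
  # count. Confirm the unit the plugin expects before relying on the default.
  BarbicanPkcs11CryptoMKEKLength:
    description: Length of Master KEK in bytes
    type: string
    default: '256'
  BarbicanPkcs11CryptoHMACLabel:
    description: Label for the HMAC key
    type: string
    default: ''
  # Slot id and key length are declared as strings with no constraints, so
  # Heat does not check that they are numeric.
  BarbicanPkcs11CryptoSlotId:
    description: Slot Id for the PKCS#11 token to be used
    type: string
    default: '0'
  BarbicanPkcs11CryptoTokenSerialNumber:
    description: Serial number for PKCS#11 token to be used
    type: string
    default: ''
  # Deprecated, yet still forwarded to config_settings alongside
  # BarbicanPkcs11CryptoTokenLabels.
  BarbicanPkcs11CryptoTokenLabel:
    description: (DEPRECATED) Use BarbicanPkcs11CryptoTokenLabels instead.
    type: string
    default: ''
  BarbicanPkcs11CryptoTokenLabels:
    description: List of comma separated labels for the tokens to be used.
                 This is typically a single label, but some devices may require
                 more than one label for Load Balancing and High Availability
                 configurations.
    type: string
    default: ''
  # CBC on its own gives confidentiality but no integrity protection.
  # NOTE(review): confirm how the plugin authenticates ciphertext (the HMAC
  # key parameters suggest a separate MAC) before treating stored data as
  # tamper-evident.
  BarbicanPkcs11CryptoEncryptionMechanism:
    description: Cryptoki Mechanism used for encryption
    type: string
    default: 'CKM_AES_CBC'
  BarbicanPkcs11CryptoHMACKeyType:
    description: Cryptoki Key Type for Master HMAC key
    type: string
    default: 'CKK_AES'
  BarbicanPkcs11CryptoHMACKeygenMechanism:
    description: Cryptoki Mechanism used to generate Master HMAC Key
    type: string
    default: 'CKM_AES_KEY_GEN'
  # Per the description this applies to CKM_AES_GCM only; presumably it has no
  # effect with the default CKM_AES_CBC. GCM is only safe if an IV is never
  # reused under the same key.
  # NOTE(review): confirm which side produces the IV when this is false.
  BarbicanPkcs11CryptoAESGCMGenerateIV:
    description: Generate IVs for CKM_AES_GCM encryption mechanism
    type: boolean
    default: true
  # CKA_SENSITIVE marks a key object so that its value cannot be read out of
  # the token in plaintext. Setting this to false weakens that protection, so
  # do it only for a device that requires it.
  BarbicanPkcs11AlwaysSetCkaSensitive:
    description: Always set CKA_SENSITIVE=CK_TRUE
    type: boolean
    default: true
  BarbicanPkcs11CryptoOsLockingOk:
    description: Set CKF_OS_LOCKING_OK flag when initializing the client
                 library.
    type: boolean
    default: false
  BarbicanPkcs11CryptoGlobalDefault:
    description: Whether this plugin is the global default plugin
    type: boolean
    default: false

outputs:
  role_data:
    description: Role data for the Barbican PKCS#11 backend.
    value:
      service_name: barbican_backend_pkcs11_crypto
      # One-to-one mapping from the parameters above to the puppet class
      # keys; no value is transformed or validated here.
      config_settings:
        barbican::plugins::p11_crypto::p11_crypto_plugin_library_path: {get_param: BarbicanPkcs11CryptoLibraryPath}
        barbican::plugins::p11_crypto::p11_crypto_plugin_login: {get_param: BarbicanPkcs11CryptoLogin}
        barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_label: {get_param: BarbicanPkcs11CryptoMKEKLabel}
        barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_length: {get_param: BarbicanPkcs11CryptoMKEKLength}
        barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_label: {get_param: BarbicanPkcs11CryptoHMACLabel}
        barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId}
        barbican::plugins::p11_crypto::p11_crypto_plugin_token_serial_number: {get_param: BarbicanPkcs11CryptoTokenSerialNumber}
        barbican::plugins::p11_crypto::p11_crypto_plugin_token_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
        barbican::plugins::p11_crypto::p11_crypto_plugin_token_labels: {get_param: BarbicanPkcs11CryptoTokenLabels}
        barbican::plugins::p11_crypto::p11_crypto_plugin_encryption_mechanism: {get_param: BarbicanPkcs11CryptoEncryptionMechanism}
        barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_key_type: {get_param: BarbicanPkcs11CryptoHMACKeyType}
        barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_keygen_mechanism: {get_param: BarbicanPkcs11CryptoHMACKeygenMechanism}
        barbican::plugins::p11_crypto::p11_crypto_plugin_aes_gcm_generate_iv: {get_param: BarbicanPkcs11CryptoAESGCMGenerateIV}
        barbican::plugins::p11_crypto::p11_crypto_plugin_always_set_cka_sensitive: {get_param: BarbicanPkcs11AlwaysSetCkaSensitive}
        barbican::plugins::p11_crypto::p11_crypto_plugin_os_locking_ok: {get_param: BarbicanPkcs11CryptoOsLockingOk}
        barbican::plugins::p11_crypto::global_default: {get_param: BarbicanPkcs11CryptoGlobalDefault}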