Skip to content
This repository has been archived by the owner on Feb 29, 2024. It is now read-only.

Commit

Permalink
Merge "Add new options for Barbican PKCS#11 backend" into stable/vict…
Browse files Browse the repository at this point in the history
…oria
  • Loading branch information
Zuul authored and openstack-gerrit committed May 22, 2021
2 parents 0b6a003 + 9b67d64 commit 1de10d4
Show file tree
Hide file tree
Showing 6 changed files with 54 additions and 10 deletions.
20 changes: 17 additions & 3 deletions deployment/barbican/barbican-api-container-puppet.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,14 @@ parameters:
type: string
default: ''
BarbicanPkcs11CryptoTokenLabel:
description: Label for PKCS#11 token to be used
description: (DEPRECATED) Use BarbicanPkcs11CryptoTokenLabels instead.
type: string
default: ''
BarbicanPkcs11CryptoTokenLabels:
description: List of comma separated labels for the tokens to be used.
This is typically a single label, but some devices may require
more than one label for Load Balancing and High Availability
configurations.
type: string
default: ''
BarbicanPkcs11CryptoHMACKeyType:
Expand Down Expand Up @@ -183,6 +190,7 @@ conditions:
- lunasa_hsm_enabled
pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]}
pkcs11_rewrap_pkeks: {equals: [{get_param: BarbicanPkcs11CryptoRewrapKeys}, true]}
pkcs11_tokens_unset: {equals: [{get_param: BarbicanPkcs11CryptoTokenLabels}, '']}
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
# Luna Clients use FQDN by default. When LunasaClientIPNetwork is set we
# will use the Controller's IP address from that network instead.
Expand Down Expand Up @@ -491,11 +499,17 @@ outputs:
- map_merge:
- {get_param: LunasaVars}
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
- if:
- pkcs11_tokens_unset
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabels}
- map_merge:
- {get_param: LunasaVars}
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
- if:
- pkcs11_tokens_unset
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabels}
- lunasa_client_ip:
str_replace:
template:
Expand Down
16 changes: 15 additions & 1 deletion deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,14 @@ parameters:
type: string
default: ''
BarbicanPkcs11CryptoTokenLabel:
description: Label for PKCS#11 token to be used
description: (DEPRECATED) Use BarbicanPkcs11CryptoTokenLabels instead.
type: string
default: ''
BarbicanPkcs11CryptoTokenLabels:
description: List of comma separated labels for the tokens to be used.
This is typically a single label, but some devices may require
more than one label for Load Balancing and High Availability
configurations.
type: string
default: ''
BarbicanPkcs11CryptoEncryptionMechanism:
Expand All @@ -84,6 +91,11 @@ parameters:
description: Always set CKA_SENSITIVE=CK_TRUE
type: boolean
default: true
BarbicanPkcs11CryptoOsLockingOk:
description: Set CKF_OS_LOCKING_OK flag when initializing the client
library.
type: boolean
default: false
BarbicanPkcs11CryptoGlobalDefault:
description: Whether this plugin is the global default plugin
type: boolean
Expand All @@ -103,9 +115,11 @@ outputs:
barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId}
barbican::plugins::p11_crypto::p11_crypto_plugin_token_serial_number: {get_param: BarbicanPkcs11CryptoTokenSerialNumber}
barbican::plugins::p11_crypto::p11_crypto_plugin_token_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
barbican::plugins::p11_crypto::p11_crypto_plugin_token_labels: {get_param: BarbicanPkcs11CryptoTokenLabels}
barbican::plugins::p11_crypto::p11_crypto_plugin_encryption_mechanism: {get_param: BarbicanPkcs11CryptoEncryptionMechanism}
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_key_type: {get_param: BarbicanPkcs11CryptoHMACKeyType}
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_keygen_mechanism: {get_param: BarbicanPkcs11CryptoHMACKeygenMechanism}
barbican::plugins::p11_crypto::p11_crypto_plugin_aes_gcm_generate_iv: {get_param: BarbicanPkcs11CryptoAESGCMGenerateIV}
barbican::plugins::p11_crypto::p11_crypto_plugin_always_set_cka_sensitive: {get_param: BarbicanPkcs11AlwaysSetCkaSensitive}
barbican::plugins::p11_crypto::p11_crypto_plugin_os_locking_ok: {get_param: BarbicanPkcs11CryptoOsLockingOk}
barbican::plugins::p11_crypto::global_default: {get_param: BarbicanPkcs11CryptoGlobalDefault}
13 changes: 11 additions & 2 deletions environments/barbican-backend-pkcs11-atos.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,10 @@ parameter_defaults:
# provide the appropriate values.
#
# BarbicanPkcs11CryptoLogin: Password to login to PKCS11 session
# BarbicanPkcs11CryptoSlotId: Slot Id for the HSM
# BarbicanPkcs11CryptoTokenLabels: The token label for the virtual HSM to be used.
# This is typically a single label, but may be more than one if you are using
# multiple HSMs in Load Balancing mode, and the HSMs have different labels.
# When listing more than one, separate them using a comma (,).
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin

BarbicanPkcs11CryptoLibraryPath: '/usr/lib64/libnethsm.so'
Expand All @@ -18,13 +21,19 @@ parameter_defaults:
BarbicanPkcs11CryptoATOSEnabled: true
BarbicanPkcs11CryptoEnabled: true
BarbicanPkcs11AlwaysSetCkaSensitive: false
BarbicanPkcs11CryptoOsLockingOk: true

ATOSVars:
atos_client_working_dir: /tmp/atos_client_install
# atos_client_iso_location:
# atos_client_iso_name:
# atos_client_cert_location:
# atos_client_key_loaction:
# atos_hsm_ip_address:
# atos_hsms: # -- A list of HSMs. When more than one HSM is specified,
# # they will be configured in Load Balancing mode.
# - name: my-hsm-hostanme.example.com
# server_cert_location: https://user@PASSWORD:example.com/cert.CRT
# ip: 127.0.0.1

resource_registry:
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
3 changes: 1 addition & 2 deletions environments/barbican-backend-pkcs11-lunasa.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,11 +7,10 @@ parameter_defaults:
#
# BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS#11 session
#
# BarbicanPkcs11CryptoTokenLabel: Label for PKCS#11 token to be used.
# BarbicanPkcs11CryptoTokenLabels: Label for PKCS#11 token to be used.
# For single HSM deployments this value should be the partition label
# that will be assigned to the clients.
# For HA deployments this value should be the label for the HA group.
# BarbicanPkcs11CryptoSlotId: (Optional) Slot Id for PKCS#11 token to be used
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
#
# LunasaClientIPNetwork: (Optional) Network to be used by the controllers
Expand Down
3 changes: 1 addition & 2 deletions environments/barbican-backend-pkcs11-thales.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -6,9 +6,8 @@ parameter_defaults:
# provide the appropriate values.
#
# BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS11 session
# BarbicanPkcs11CryptoTokenLabel: Label for PKCS#11 token to be used.
# BarbicanPkcs11CryptoTokenLabels: Label for PKCS#11 token to be used.
# This is typically the label given to the Operator Card Set (OCS)
# BarbicanPkcs11CryptoSlotId (optional): Slot Id for the HSM
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin

BarbicanPkcs11CryptoLibraryPath: '/opt/nfast/toolkits/pkcs11/libcknfast.so'
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
---
features:
- |
Added new options for deploying Barbican with PKCS#11 backends:
`BarbicanPkcs11CryptoTokenLabels` and `BarbicanPkcs11CryptoOsLockingOk`
deprecations:
- |
The `BarbicanPkcs11CryptoTokenLabel` option has been deprecated and
replaced with the `BarbicanPkcs11CryptoTokenLabels` option.

0 comments on commit 1de10d4

Please sign in to comment.