Add support for configuring load_sharing mode

Change-Id: Ia5fedaf5b1dbe7d8958c04a3e8534098d4bbd548
openstack · Feb 17, 2021 · e82db3b · e82db3b
1 parent 8590934
commit e82db3b
Show file tree

Hide file tree

Showing 11 changed files with 94 additions and 33 deletions.
diff --git a/README.rst b/README.rst
@@ -48,30 +48,26 @@ Role Variables
      - Full URL where a copy of the client software tarball can be downloaded.
    * - thales_client_path
      - linux/libc6_11/amd64/nfast
-     - Path tho the client software directory inside the tarball
+     - Path to the client software directory inside the tarball
    * - thales_km_data_tarball_name
      - None
      - Filename for the KM Data tarball
    * - thales_km_data_location
      - None
      - Full URL where a copy of the KM Data tarball can be downloaded.
-   * - thales_hsm_ip_address
-     - None
-     - IPv4 address for the Thales HSM.
    * - thales_rfs_ip_address
      - None
      - IPv4 address for the Thales RFS host.
-   * - thales_hsm_config_location
-     - None
-     - Unique hsm diretory name where the RFS configuration is stored.
-       (e.g. hsm-XXX-XXX-XXX)
    * - thales_client_ips
      - None
      - Whitespace separated list of IP addresses to be added to RFS config.
    * - thales_bootstrap_client_ip
      - None
      - Bootstrap client IP address.  This IP will be allowed to update RFS
        server.
+   * - nshield_hsms
+     - None
+     - List of one or more HSM devices
 
 
 Requirements

diff --git a/files/add_ips.py b/files/add_ips.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
 #
 # Copyright 2018 Red Hat, Inc.
 #

diff --git a/handlers/main.yaml b/handlers/main.yaml
@@ -0,0 +1,5 @@
+---
+- name: legacy vars warning
+  debug:
+    msg: "WARNING: Using legacy thales_hsm_ip_address and
+         thales_hsm_config_location variables.  Please udpate your vars file."
diff --git a/releasenotes/notes/add-ha-c41f45eaa1aba077.yaml b/releasenotes/notes/add-ha-c41f45eaa1aba077.yaml
@@ -0,0 +1,12 @@
+---
+features:
+  - |
+    This version adds support for using more than one nshield HSM in load
+    sharing mode.  There is a new variable `nshield_hsms` that accepts
+    a list of HSM IP addresses.  See `vars.yaml.sample` for an example.
+    Note that HSM Pools are not supported at this time.
+deprecations:
+  - |
+    Two variables have been deprecated: `thales_hsm_ip_address` and
+    `thales_hsm_config_location`.  You should use the new `nshield_hsms` list
+    to specify these values instead.  See `vars.yaml.sample` for an example.
diff --git a/tasks/client.yaml b/tasks/client.yaml
@@ -79,19 +79,10 @@
       dest: /opt/nfast
       remote_src: yes
 
-- name: run anonkneti to get hash
-  command: /opt/nfast/bin/anonkneti "{{ thales_hsm_ip_address }}"
-  register: anonkneti
-
-- name: output of anonkneti
-  debug: var=anonkneti.stdout_lines
-
 - name: create cknfastrc
-  copy:
+  template:
+      src: cknfastrc.j2
       dest: /opt/nfast/cknfastrc
-      content: |
-          CKNFAST_OVERRIDE_SECURITY_ASSURANCES=explicitness
-      force: no
       mode: 0644
 
 - name: create snmp.conf
@@ -102,8 +93,9 @@
       force: yes
       mode: 0644
 
-- name: enroll client to HSM
-  command: /opt/nfast/bin/nethsmenroll --force {{ thales_hsm_ip_address }} {{ anonkneti.stdout_lines[0] }}
+- name: enroll client to hsms
+  include_tasks: client_enroll.yaml
+  loop: "{{ nshield_hsms }}"
 
 - name:  set selinux contexts for /opt/nfast
   command: restorecon -R /opt/nfast

diff --git a/tasks/client_enroll.yaml b/tasks/client_enroll.yaml
@@ -0,0 +1,10 @@
+---
+- name: run anonkneti to get hash for "{{ item.ip }}"
+  command: /opt/nfast/bin/anonkneti "{{ item.ip }}"
+  register: anonkneti
+
+- name: output of anonkneti
+  debug: var=anonkneti.stdout_lines
+
+- name: enroll client to HSM "{{ item.ip }}"
+  command: /opt/nfast/bin/nethsmenroll --force {{ item.ip }} {{ anonkneti.stdout_lines[0] }}
diff --git a/tasks/main.yaml b/tasks/main.yaml
@@ -1,8 +1,17 @@
 ---
-- name: Include client installation tasks
-  include_tasks: client.yaml
-  when: thales_install_client
+- name: allow using legacy variables for backwards compatibility
+  set_fact:
+    args:
+      nshield_hsms:
+        - name: Legacy variables HSM
+          ip: "{{ thales_hsm_ip_address }}"
+  when: nshield_hsms is not defined and thales_hsm_ip_address is defined
+  notify: legacy vars warning
 
 - name: Include RFS tasks
   include_tasks: rfs.yaml
   when: thales_configure_rfs
+
+- name: Include client installation tasks
+  include_tasks: client.yaml
+  when: thales_install_client
diff --git a/tasks/rfs.yaml b/tasks/rfs.yaml
@@ -1,14 +1,9 @@
 ---
 # This role adds a new IP address to the RFS conf file
 
-- name: run script to add {{ thales_client_ips }} to config.new
-  script: "{{ role_path }}/files/add_ips.py --config-dir /opt/nfast/kmdata/{{ thales_hsm_config_location }}/config --ips {{ thales_client_ips }}"
-
-- name: push new config to the HSM and check that it was successful
-  shell: "/opt/nfast/bin/cfg-pushnethsm -a {{ thales_hsm_ip_address }} /opt/nfast/kmdata/{{ thales_hsm_config_location }}/config/config.new && sleep 5 && diff /opt/nfast/kmdata/{{ thales_hsm_config_location }}/config/config /opt/nfast/kmdata/{{ thales_hsm_config_location }}/config/config.new"  # noqa 204
-  register: result
-  until: result.rc == 0
-  retries: 10
+- name: add client ips to hsms
+  include_tasks: rfs_register_client.yaml
+  loop: "{{ nshield_hsms }}"
 
 - name: allow bootstrap server to update the RFS server
   command: "/opt/nfast/bin/rfs-setup --gang-client --write-noauth  {{ thales_bootstrap_client_ip }}"
diff --git a/tasks/rfs_register_client.yaml b/tasks/rfs_register_client.yaml
@@ -0,0 +1,21 @@
+---
+- name: run anonkneti to get esn for "{{ item.ip }}"
+  command: /opt/nfast/bin/anonkneti "{{ item.ip }}"
+  register: anonkneti
+
+- name: output of anonkneti
+  debug: var=anonkneti.stdout_lines
+
+- name: get the esn
+  set_fact:
+     esn: "{{ anonkneti.stdout_lines[0].split()[0] }}"
+
+- name: run script to add {{ thales_client_ips }} to config.new on "{{ item.ip }}" esn "{{ esn }}"
+  script: "{{ role_path }}/files/add_ips.py --config-dir /opt/nfast/kmdata/hsm-{{ esn }}/config --ips {{ thales_client_ips }}"
+
+- name: push new config to the HSM and check that it was successful
+  shell: "/opt/nfast/bin/cfg-pushnethsm -a {{ item.ip }} /opt/nfast/kmdata/hsm-{{ esn }}/config/config.new && sleep 5 && diff /opt/nfast/kmdata/hsm-{{ esn }}/config/config /opt/nfast/kmdata/hsm-{{ esn }}/config/config.new"  # noqa 204
+  register: result
+  until: result.rc == 0
+  retries: 10
+
diff --git a/templates/cknfastrc.j2 b/templates/cknfastrc.j2
@@ -0,0 +1,4 @@
+CKNFAST_OVERRIDE_SECURITY_ASSURANCES=explicitness
+{% if nshield_hsms|length > 1 %}
+CKNFAST_LOADSHARING=1
+{% endif %}
diff --git a/vars.yaml.sample b/vars.yaml.sample
@@ -0,0 +1,17 @@
+---
+thales_client_working_dir: /tmp/thales_client_install
+thales_client_tarball_location: http://myserver.example.com/CipherTools-linux64-dev-12.40.2.tgz
+thales_client_tarball_name: CipherTools-linux64-dev-12.40.2.tgz
+thales_client_path: linux/libc6_11/amd64/nfast
+thales_client_uid:  42481
+thales_client_gid:  42481
+thales_km_data_location: http://myserver.example.com/kmdata.tar.gz
+thales_km_data_tarball_name: kmdata.tar.gz
+thales_rfs_server_ip_address: 192.168.5.20
+nshield_hsms:
+  - name: "My HSM 1"
+    ip: 192.168.1.1
+  - name: "My HSM 2"
+    ip: 192.168.1.1
+thales_rfs_user: admin
+thales_rfs_key: RSA Private key in PEM format used to log into RFS server.