Add support for configuring load_sharing mode

Change-Id: Ia5fedaf5b1dbe7d8958c04a3e8534098d4bbd548
2021-02-10 16:02:46 -05:00 · 2021-02-10 16:02:46 -05:00 · e82db3b3fc
commit e82db3b3fc
parent 8590934320
11 changed files with 94 additions and 33 deletions
--- a/README.rst
+++ b/README.rst
@ -48,23 +48,16 @@ Role Variables
     - Full URL where a copy of the client software tarball can be downloaded.
   * - thales_client_path
     - linux/libc6_11/amd64/nfast
-     - Path tho the client software directory inside the tarball
+     - Path to the client software directory inside the tarball
   * - thales_km_data_tarball_name
     - None
     - Filename for the KM Data tarball
   * - thales_km_data_location
     - None
     - Full URL where a copy of the KM Data tarball can be downloaded.
-   * - thales_hsm_ip_address
-     - None
-     - IPv4 address for the Thales HSM.
   * - thales_rfs_ip_address
     - None
     - IPv4 address for the Thales RFS host.
-   * - thales_hsm_config_location
-     - None
-     - Unique hsm diretory name where the RFS configuration is stored.
-       (e.g. hsm-XXX-XXX-XXX)
   * - thales_client_ips
     - None
     - Whitespace separated list of IP addresses to be added to RFS config.
@ -72,6 +65,9 @@ Role Variables
     - None
     - Bootstrap client IP address.  This IP will be allowed to update RFS
       server.
+   * - nshield_hsms
+     - None
+     - List of one or more HSM devices


 Requirements
--- a/files/add_ips.py
+++ b/files/add_ips.py
@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
 #
 # Copyright 2018 Red Hat, Inc.
 #
--- a/handlers/main.yaml
+++ b/handlers/main.yaml
@ -0,0 +1,5 @@
+---
+- name: legacy vars warning
+  debug:
+    msg: "WARNING: Using legacy thales_hsm_ip_address and
+         thales_hsm_config_location variables.  Please udpate your vars file."
--- a/releasenotes/notes/add-ha-c41f45eaa1aba077.yaml
+++ b/releasenotes/notes/add-ha-c41f45eaa1aba077.yaml
@ -0,0 +1,12 @@
+---
+features:
+  - |
+    This version adds support for using more than one nshield HSM in load
+    sharing mode.  There is a new variable `nshield_hsms` that accepts
+    a list of HSM IP addresses.  See `vars.yaml.sample` for an example.
+    Note that HSM Pools are not supported at this time.
+deprecations:
+  - |
+    Two variables have been deprecated: `thales_hsm_ip_address` and
+    `thales_hsm_config_location`.  You should use the new `nshield_hsms` list
+    to specify these values instead.  See `vars.yaml.sample` for an example.
--- a/tasks/client.yaml
+++ b/tasks/client.yaml
@ -79,19 +79,10 @@
      dest: /opt/nfast
      remote_src: yes

- name: run anonkneti to get hash
-  command: /opt/nfast/bin/anonkneti "{{ thales_hsm_ip_address }}"
-  register: anonkneti
-
- name: output of anonkneti
-  debug: var=anonkneti.stdout_lines
-
 - name: create cknfastrc
-  copy:
+  template:
+      src: cknfastrc.j2
      dest: /opt/nfast/cknfastrc
-      content: |
-          CKNFAST_OVERRIDE_SECURITY_ASSURANCES=explicitness
-      force: no
      mode: 0644

 - name: create snmp.conf
@ -102,8 +93,9 @@
      force: yes
      mode: 0644

- name: enroll client to HSM
-  command: /opt/nfast/bin/nethsmenroll --force {{ thales_hsm_ip_address }} {{ anonkneti.stdout_lines[0] }}
+- name: enroll client to hsms
+  include_tasks: client_enroll.yaml
+  loop: "{{ nshield_hsms }}"

 - name:  set selinux contexts for /opt/nfast
  command: restorecon -R /opt/nfast
--- a/tasks/client_enroll.yaml
+++ b/tasks/client_enroll.yaml
@ -0,0 +1,10 @@
+---
+- name: run anonkneti to get hash for "{{ item.ip }}"
+  command: /opt/nfast/bin/anonkneti "{{ item.ip }}"
+  register: anonkneti
+
+- name: output of anonkneti
+  debug: var=anonkneti.stdout_lines
+
+- name: enroll client to HSM "{{ item.ip }}"
+  command: /opt/nfast/bin/nethsmenroll --force {{ item.ip }} {{ anonkneti.stdout_lines[0] }}
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@ -1,8 +1,17 @@
 ---
- name: Include client installation tasks
-  include_tasks: client.yaml
-  when: thales_install_client
+- name: allow using legacy variables for backwards compatibility
+  set_fact:
+    args:
+      nshield_hsms:
+        - name: Legacy variables HSM
+          ip: "{{ thales_hsm_ip_address }}"
+  when: nshield_hsms is not defined and thales_hsm_ip_address is defined
+  notify: legacy vars warning

 - name: Include RFS tasks
  include_tasks: rfs.yaml
  when: thales_configure_rfs
+
+- name: Include client installation tasks
+  include_tasks: client.yaml
+  when: thales_install_client
--- a/tasks/rfs.yaml
+++ b/tasks/rfs.yaml
@ -1,14 +1,9 @@
 ---
 # This role adds a new IP address to the RFS conf file

- name: run script to add {{ thales_client_ips }} to config.new
-  script: "{{ role_path }}/files/add_ips.py --config-dir /opt/nfast/kmdata/{{ thales_hsm_config_location }}/config --ips {{ thales_client_ips }}"
-
- name: push new config to the HSM and check that it was successful
-  shell: "/opt/nfast/bin/cfg-pushnethsm -a {{ thales_hsm_ip_address }} /opt/nfast/kmdata/{{ thales_hsm_config_location }}/config/config.new && sleep 5 && diff /opt/nfast/kmdata/{{ thales_hsm_config_location }}/config/config /opt/nfast/kmdata/{{ thales_hsm_config_location }}/config/config.new"  # noqa 204
-  register: result
-  until: result.rc == 0
-  retries: 10
+- name: add client ips to hsms
+  include_tasks: rfs_register_client.yaml
+  loop: "{{ nshield_hsms }}"

 - name: allow bootstrap server to update the RFS server
  command: "/opt/nfast/bin/rfs-setup --gang-client --write-noauth  {{ thales_bootstrap_client_ip }}"
--- a/tasks/rfs_register_client.yaml
+++ b/tasks/rfs_register_client.yaml
@ -0,0 +1,21 @@
+---
+- name: run anonkneti to get esn for "{{ item.ip }}"
+  command: /opt/nfast/bin/anonkneti "{{ item.ip }}"
+  register: anonkneti
+
+- name: output of anonkneti
+  debug: var=anonkneti.stdout_lines
+
+- name: get the esn
+  set_fact:
+     esn: "{{ anonkneti.stdout_lines[0].split()[0] }}"
+
+- name: run script to add {{ thales_client_ips }} to config.new on "{{ item.ip }}" esn "{{ esn }}"
+  script: "{{ role_path }}/files/add_ips.py --config-dir /opt/nfast/kmdata/hsm-{{ esn }}/config --ips {{ thales_client_ips }}"
+
+- name: push new config to the HSM and check that it was successful
+  shell: "/opt/nfast/bin/cfg-pushnethsm -a {{ item.ip }} /opt/nfast/kmdata/hsm-{{ esn }}/config/config.new && sleep 5 && diff /opt/nfast/kmdata/hsm-{{ esn }}/config/config /opt/nfast/kmdata/hsm-{{ esn }}/config/config.new"  # noqa 204
+  register: result
+  until: result.rc == 0
+  retries: 10
+
--- a/templates/cknfastrc.j2
+++ b/templates/cknfastrc.j2
@ -0,0 +1,4 @@
+CKNFAST_OVERRIDE_SECURITY_ASSURANCES=explicitness
+{% if nshield_hsms|length > 1 %}
+CKNFAST_LOADSHARING=1
+{% endif %}
--- a/vars.yaml.sample
+++ b/vars.yaml.sample
@ -0,0 +1,17 @@
+---
+thales_client_working_dir: /tmp/thales_client_install
+thales_client_tarball_location: http://myserver.example.com/CipherTools-linux64-dev-12.40.2.tgz
+thales_client_tarball_name: CipherTools-linux64-dev-12.40.2.tgz
+thales_client_path: linux/libc6_11/amd64/nfast
+thales_client_uid:  42481
+thales_client_gid:  42481
+thales_km_data_location: http://myserver.example.com/kmdata.tar.gz
+thales_km_data_tarball_name: kmdata.tar.gz
+thales_rfs_server_ip_address: 192.168.5.20
+nshield_hsms:
+  - name: "My HSM 1"
+    ip: 192.168.1.1
+  - name: "My HSM 2"
+    ip: 192.168.1.1
+thales_rfs_user: admin
+thales_rfs_key: RSA Private key in PEM format used to log into RFS server.