openstack/ansible-role-thales-hsm
Code Issues Proposed changes

Add support for configuring load_sharing mode

Browse Source 
Change-Id: Ia5fedaf5b1dbe7d8958c04a3e8534098d4bbd548
This commit is contained in:
Ade Lee 2021-02-10 16:02:46 -05:00
parent 8590934320
commit e82db3b3fc
11 changed files with 94 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
README.rst
View File

@ -48,23 +48,16 @@ Role Variables
- Full URL where a copy of the client software tarball can be downloaded. - Full URL where a copy of the client software tarball can be downloaded.
* - thales_client_path * - thales_client_path
- linux/libc6_11/amd64/nfast - linux/libc6_11/amd64/nfast
- Path tho the client software directory inside the tarball - Path to the client software directory inside the tarball
* - thales_km_data_tarball_name * - thales_km_data_tarball_name
- None - None
- Filename for the KM Data tarball - Filename for the KM Data tarball
* - thales_km_data_location * - thales_km_data_location
- None - None
- Full URL where a copy of the KM Data tarball can be downloaded. - Full URL where a copy of the KM Data tarball can be downloaded.
* - thales_hsm_ip_address
- None
- IPv4 address for the Thales HSM.
* - thales_rfs_ip_address * - thales_rfs_ip_address
- None - None
- IPv4 address for the Thales RFS host. - IPv4 address for the Thales RFS host.
* - thales_hsm_config_location
- None
- Unique hsm diretory name where the RFS configuration is stored.
(e.g. hsm-XXX-XXX-XXX)
* - thales_client_ips * - thales_client_ips
- None - None
- Whitespace separated list of IP addresses to be added to RFS config. - Whitespace separated list of IP addresses to be added to RFS config.
@ -72,6 +65,9 @@ Role Variables
- None - None
- Bootstrap client IP address. This IP will be allowed to update RFS - Bootstrap client IP address. This IP will be allowed to update RFS
server. server.
* - nshield_hsms
- None
- List of one or more HSM devices
Requirements Requirements

2
files/add_ips.py
View File

@ -1,4 +1,4 @@
#!/usr/bin/python #!/usr/bin/python3
# #
# Copyright 2018 Red Hat, Inc. # Copyright 2018 Red Hat, Inc.
# #

5
handlers/main.yaml Normal file
View File

@ -0,0 +1,5 @@
---
- name: legacy vars warning
debug:
msg: "WARNING: Using legacy thales_hsm_ip_address and
thales_hsm_config_location variables. Please udpate your vars file."

12
releasenotes/notes/add-ha-c41f45eaa1aba077.yaml Normal file
View File

@ -0,0 +1,12 @@
---
features:
- |
This version adds support for using more than one nshield HSM in load
sharing mode. There is a new variable `nshield_hsms` that accepts
a list of HSM IP addresses. See `vars.yaml.sample` for an example.
Note that HSM Pools are not supported at this time.
deprecations:
- |
Two variables have been deprecated: `thales_hsm_ip_address` and
`thales_hsm_config_location`. You should use the new `nshield_hsms` list
to specify these values instead. See `vars.yaml.sample` for an example.

18
tasks/client.yaml
View File

@ -79,19 +79,10 @@
dest: /opt/nfast dest: /opt/nfast
remote_src: yes remote_src: yes
- name: run anonkneti to get hash
command: /opt/nfast/bin/anonkneti "{{ thales_hsm_ip_address }}"
register: anonkneti
- name: output of anonkneti
debug: var=anonkneti.stdout_lines
- name: create cknfastrc - name: create cknfastrc
copy: template:
src: cknfastrc.j2
dest: /opt/nfast/cknfastrc dest: /opt/nfast/cknfastrc
content: |
CKNFAST_OVERRIDE_SECURITY_ASSURANCES=explicitness
force: no
mode: 0644 mode: 0644
- name: create snmp.conf - name: create snmp.conf
@ -102,8 +93,9 @@
force: yes force: yes
mode: 0644 mode: 0644
- name: enroll client to HSM - name: enroll client to hsms
command: /opt/nfast/bin/nethsmenroll --force {{ thales_hsm_ip_address }} {{ anonkneti.stdout_lines[0] }} include_tasks: client_enroll.yaml
loop: "{{ nshield_hsms }}"
- name: set selinux contexts for /opt/nfast - name: set selinux contexts for /opt/nfast
command: restorecon -R /opt/nfast command: restorecon -R /opt/nfast

10
tasks/client_enroll.yaml Normal file
View File

@ -0,0 +1,10 @@
---
- name: run anonkneti to get hash for "{{ item.ip }}"
command: /opt/nfast/bin/anonkneti "{{ item.ip }}"
register: anonkneti
- name: output of anonkneti
debug: var=anonkneti.stdout_lines
- name: enroll client to HSM "{{ item.ip }}"
command: /opt/nfast/bin/nethsmenroll --force {{ item.ip }} {{ anonkneti.stdout_lines[0] }}

15
tasks/main.yaml
View File

@ -1,8 +1,17 @@
--- ---
- name: Include client installation tasks - name: allow using legacy variables for backwards compatibility
include_tasks: client.yaml set_fact:
when: thales_install_client args:
nshield_hsms:
- name: Legacy variables HSM
ip: "{{ thales_hsm_ip_address }}"
when: nshield_hsms is not defined and thales_hsm_ip_address is defined
notify: legacy vars warning
- name: Include RFS tasks - name: Include RFS tasks
include_tasks: rfs.yaml include_tasks: rfs.yaml
when: thales_configure_rfs when: thales_configure_rfs
- name: Include client installation tasks
include_tasks: client.yaml
when: thales_install_client

11
tasks/rfs.yaml
View File

@ -1,14 +1,9 @@
--- ---
# This role adds a new IP address to the RFS conf file # This role adds a new IP address to the RFS conf file
- name: run script to add {{ thales_client_ips }} to config.new - name: add client ips to hsms
script: "{{ role_path }}/files/add_ips.py --config-dir /opt/nfast/kmdata/{{ thales_hsm_config_location }}/config --ips {{ thales_client_ips }}" include_tasks: rfs_register_client.yaml
loop: "{{ nshield_hsms }}"
- name: push new config to the HSM and check that it was successful
shell: "/opt/nfast/bin/cfg-pushnethsm -a {{ thales_hsm_ip_address }} /opt/nfast/kmdata/{{ thales_hsm_config_location }}/config/config.new && sleep 5 && diff /opt/nfast/kmdata/{{ thales_hsm_config_location }}/config/config /opt/nfast/kmdata/{{ thales_hsm_config_location }}/config/config.new" # noqa 204
register: result
until: result.rc == 0
retries: 10
- name: allow bootstrap server to update the RFS server - name: allow bootstrap server to update the RFS server
command: "/opt/nfast/bin/rfs-setup --gang-client --write-noauth {{ thales_bootstrap_client_ip }}" command: "/opt/nfast/bin/rfs-setup --gang-client --write-noauth {{ thales_bootstrap_client_ip }}"

21
tasks/rfs_register_client.yaml Normal file
View File

@ -0,0 +1,21 @@
---
- name: run anonkneti to get esn for "{{ item.ip }}"
command: /opt/nfast/bin/anonkneti "{{ item.ip }}"
register: anonkneti
- name: output of anonkneti
debug: var=anonkneti.stdout_lines
- name: get the esn
set_fact:
esn: "{{ anonkneti.stdout_lines[0].split()[0] }}"
- name: run script to add {{ thales_client_ips }} to config.new on "{{ item.ip }}" esn "{{ esn }}"
script: "{{ role_path }}/files/add_ips.py --config-dir /opt/nfast/kmdata/hsm-{{ esn }}/config --ips {{ thales_client_ips }}"
- name: push new config to the HSM and check that it was successful
shell: "/opt/nfast/bin/cfg-pushnethsm -a {{ item.ip }} /opt/nfast/kmdata/hsm-{{ esn }}/config/config.new && sleep 5 && diff /opt/nfast/kmdata/hsm-{{ esn }}/config/config /opt/nfast/kmdata/hsm-{{ esn }}/config/config.new" # noqa 204
register: result
until: result.rc == 0
retries: 10

4
templates/cknfastrc.j2 Normal file
View File

@ -0,0 +1,4 @@
CKNFAST_OVERRIDE_SECURITY_ASSURANCES=explicitness
{% if nshield_hsms|length > 1 %}
CKNFAST_LOADSHARING=1
{% endif %}

17
vars.yaml.sample Normal file
View File

@ -0,0 +1,17 @@
---
thales_client_working_dir: /tmp/thales_client_install
thales_client_tarball_location: http://myserver.example.com/CipherTools-linux64-dev-12.40.2.tgz
thales_client_tarball_name: CipherTools-linux64-dev-12.40.2.tgz
thales_client_path: linux/libc6_11/amd64/nfast
thales_client_uid: 42481
thales_client_gid: 42481
thales_km_data_location: http://myserver.example.com/kmdata.tar.gz
thales_km_data_tarball_name: kmdata.tar.gz
thales_rfs_server_ip_address: 192.168.5.20
nshield_hsms:
- name: "My HSM 1"
ip: 192.168.1.1
- name: "My HSM 2"
ip: 192.168.1.1
thales_rfs_user: admin
thales_rfs_key: RSA Private key in PEM format used to log into RFS server.