Merge "Fix can't find /usr/lib/libCryptoki2_64.so in barbican"

ansible/group_vars/all.yml

@@ -442,6 +442,13 @@ ceilometer_database_type: "mongodb"
 ceilometer_event_type: "mongodb"
 
 
+#######################
+# Barbican options
+#######################
+# Valid options are [ simple_crypto, p11_crypto ]
+barbican_crypto_plugin: "simple_crypto"
+barbican_library_path: "/usr/lib/libCryptoki2_64.so"
+
 ########################
 ### Panko options
 ########################

ansible/roles/barbican/templates/barbican.conf.j2

@@ -2,7 +2,6 @@
 debug = {{ barbican_logging_debug }}
 log_dir = /var/log/kolla/barbican
 
-
 bind_port = {{ barbican_api_port }}
 bind_host = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
 host_href = {{ public_protocol }}://{{ kolla_external_fqdn }}:{{ barbican_api_port }}
@@ -23,11 +22,12 @@ enabled_secretstore_plugins = store_crypto
 # ================= Crypto plugin ===================
 [crypto]
 namespace = barbican.crypto.plugin
-enabled_crypto_plugins = p11_crypto
+enabled_crypto_plugins = {{ barbican_crypto_plugin }}
 
+{% if barbican_crypto_plugin == 'p11_crypto' %}
 [p11_crypto_plugin]
 # Path to vendor PKCS11 library
-library_path = '/usr/lib/libCryptoki2_64.so'
+library_path = {{ barbican_library_path }}
 # Password to login to PKCS11 session
 login = '{{ barbican_p11_password }}'
 # Label to identify master KEK in the HSM (must not be the same as HMAC label)
@@ -36,6 +36,12 @@ mkek_label = 'kolla_master_kek'
 mkek_length = 32
 # Label to identify HMAC key in the HSM (must not be the same as MKEK label)
 hmac_label = 'kolla_hmac'
+{% endif %}
+{% if barbican_crypto_plugin == 'simple_crypto' %}
+[simple_crypto_plugin]
+# the kek should be a 32-byte value which is base64 encoded
+kek = '{{ barbican_crypto_password }}'
+{% endif %}
 
 
 [keystone_notifications]

etc/kolla/globals.yml

@@ -241,6 +241,14 @@ kolla_internal_vip_address: "10.10.10.254"
 # Valid options are [ mongodb, gnocchi, panko ]
 #ceilometer_event_type: "mongodb"
 
+
+#######################
+# Barbican options
+#######################
+# Valid options are [ simple_crypto, p11_crypto ]
+#barbican_crypto_plugin: "simple_crypto"
+#barbican_library_path: "/usr/lib/libCryptoki2_64.so"
+
 #######################
 ## Panko options
 #######################

etc/kolla/passwords.yml

@@ -30,6 +30,8 @@ aodh_keystone_password:
 barbican_database_password:
 barbican_keystone_password:
 barbican_p11_password:
+barbican_crypto_key:
+
 
 keystone_admin_password:
 keystone_database_password:

kolla_ansible/cmd/genpwd.py

@@ -21,6 +21,7 @@ import sys
 
 from Crypto.PublicKey import RSA
 from hashlib import md5
+from hashlib import sha256
 from oslo_utils import uuidutils
 import yaml
 
@@ -70,6 +71,9 @@ def main():
     # HMAC-MD5 keys
     hmac_md5_keys = ['designate_rndc_key']
 
+    # HMAC-SHA256 keys
+    hmac_sha256_keys = ['barbican_crypto_key']
+
     # length of password
     length = 40
 
@@ -96,6 +100,10 @@ def main():
                 passwords[k] = (hmac.new(
                     uuidutils.generate_uuid(), '', md5)
                     .digest().encode('base64')[:-1])
+            elif k in hmac_sha256_keys:
+                passwords[k] = (hmac.new(
+                    uuidutils.generate_uuid(), '', sha256)
+                    .digest().encode('base64')[:-1])
             else:
                 passwords[k] = ''.join([
                     random.SystemRandom().choice(