diff --git a/docs/dictionary/en-custom.txt b/docs/dictionary/en-custom.txt
index 783c236922..c62ef15ed4 100644
--- a/docs/dictionary/en-custom.txt
+++ b/docs/dictionary/en-custom.txt
@@ -25,6 +25,7 @@ az
 azs
 backend
 backends
+barbican
 baremetal
 baremetalhost
 basedir
@@ -71,6 +72,7 @@ ciuser
 cjeanner
 ckcg
 cli
+clientvm
 clusterimageset
 clusterpool
 cmd
@@ -202,6 +204,8 @@ hostnames
 hostvars
 hotfix
 href
+hsm
+hsms
 https
 ic
 icjbuue
@@ -281,6 +285,8 @@ loopback
 losetup
 lsblk
 luks
+lunaclient
+lunasa
 lv
 lvm
 lvmcluster
diff --git a/hooks/playbooks/barbican-cleanup-luna.yml b/hooks/playbooks/barbican-cleanup-luna.yml
new file mode 100644
index 0000000000..ec0fba4d48
--- /dev/null
+++ b/hooks/playbooks/barbican-cleanup-luna.yml
@@ -0,0 +1,25 @@
+---
+- name: Add lunaclient to inventory
+  hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
+  tasks:
+    - name: Get lunaclient key
+      ansible.builtin.get_url:
+        url: "{{ cifmw_hsm_lunaclient_key }}"
+        dest: "{{ ansible_user_dir }}/.ssh/lunaclient"
+        mode: "0400"
+    - name: Add lunaclient VM to inventory
+      ansible.builtin.add_host:
+        name: "{{ cifmw_hsm_lunaclient_vm }}"
+        ansible_user: "{{ cifmw_hsm_lunaclient_user }}"
+        ansible_ssh_private_key_file: "{{ ansible_user_dir }}/.ssh/lunaclient"
+        ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
+
+- name: Create and store modified barbican images
+  hosts: "{{ cifmw_hsm_lunaclient_vm }}"
+  tasks:
+    - name: Include hsm_prep role cleanup tasks
+      ansible.builtin.include_role:
+        name: hsm_prep
+      tags: cleanup
+      vars:
+        cifmw_hsm_client_ip: "{{ hostvars[ cifmw_hsm_client_machine ].ansible_host }}"
diff --git a/hooks/playbooks/barbican-create-luna-image.yml b/hooks/playbooks/barbican-create-luna-image.yml
new file mode 100644
index 0000000000..59e7f4a300
--- /dev/null
+++ b/hooks/playbooks/barbican-create-luna-image.yml
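Review bot: `tags: cleanup` on `ansible.builtin.include_role` in the second play of barbican-cleanup-luna.yml does not select which of the role's tasks run — a tag on a dynamic include applies to the include task itself — so unless the hook runner invokes the playbook with `--tags cleanup`, every task in roles/hsm_prep/tasks/luna.yml (image_prep, cert_prep and secret_prep included) executes here, and the same applies to the `tags:` on the includes in barbican-create-luna-image.yml and barbican-enable-luna.yml. The cleanup block is additionally gated on `cifmw_hsm_cleanup | bool`, which defaults to false in roles/hsm_prep/defaults/main.yml, so as written this playbook never reaches the cleanup tasks; adding `cifmw_hsm_cleanup: true` under the play's `vars:` fixes that half, while the tag selection needs either `--tags cleanup` at invocation or the cleanup tasks split into their own file selectable with `tasks_from`. The second play's name `Create and store modified barbican images` is copied from the image playbook and should describe the cleanup. The first play, including `ansible_ssh_common_args: "-o StrictHostKeyChecking=no"` for the VM that handles HSM credentials, is repeated verbatim in all three hook playbooks; one shared inventory play would keep them in sync and give a single place to pin the VM's host key instead of disabling the check.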
@@ -0,0 +1,23 @@
+---
+- name: Add lunaclient to inventory
+  hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
+  tasks:
+    - name: Get lunaclient key
+      ansible.builtin.get_url:
+        url: "{{ cifmw_hsm_lunaclient_key }}"
+        dest: "{{ ansible_user_dir }}/.ssh/lunaclient"
+        mode: "0400"
+    - name: Add lunaclient VM to inventory
+      ansible.builtin.add_host:
+        name: "{{ cifmw_hsm_lunaclient_vm }}"
+        ansible_user: "{{ cifmw_hsm_lunaclient_user }}"
+        ansible_ssh_private_key_file: "{{ ansible_user_dir }}/.ssh/lunaclient"
+        ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
+
+- name: Create and store modified barbican images
+  hosts: "{{ cifmw_hsm_lunaclient_vm }}"
+  tasks:
+    - name: Include hsm_prep role
+      ansible.builtin.include_role:
+        name: hsm_prep
+      tags: image_prep
diff --git a/hooks/playbooks/barbican-enable-luna.yml b/hooks/playbooks/barbican-enable-luna.yml
new file mode 100644
index 0000000000..7f63874baf
--- /dev/null
+++ b/hooks/playbooks/barbican-enable-luna.yml
@@ -0,0 +1,96 @@
+---
+- name: Add lunaclient to inventory
+  hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
+  tasks:
+    - name: Get lunaclient key
+      ansible.builtin.get_url:
+        url: "{{ cifmw_hsm_lunaclient_key }}"
+        dest: "{{ ansible_user_dir }}/.ssh/lunaclient"
+        mode: "0400"
+    - name: Add lunaclient VM to inventory
+      ansible.builtin.add_host:
+        name: "{{ cifmw_hsm_lunaclient_vm }}"
+        ansible_user: "{{ cifmw_hsm_lunaclient_user }}"
+        ansible_ssh_private_key_file: "{{ ansible_user_dir }}/.ssh/lunaclient"
+        ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
+
+- name: Create cert secret and login secret
+  hosts: "{{ cifmw_hsm_lunaclient_vm }}"
+  tasks:
+    - name: Include hsm_prep role
+      ansible.builtin.include_role:
+        name: hsm_prep
+      tags:
+        - cert_prep
+        - secret_prep
+      vars:
+        cifmw_hsm_client_ip: "{{ hostvars[ cifmw_hsm_client_machine ].ansible_host }}"
+
+# TODO(alee) This task doesn't work yet. But thats next to tackle.
+- name: Create kustomization to use updated barbican images
+  hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
+  tasks:
+    - name: Create customize file to use modified barbican images
+      vars:
+        image_prefix: "quay.io/{{ cifmv_hsm_barbican_image_namespace | default('podified-antelope-centos9', true) }}"
+        image_tag: "{{ cifmw_hsm_barbican_image_tag | default('current-podified', true) }}-luna"
+      ansible.builtin.copy:
+        dest: "{{ cifmw_basedir }}/artifacts/manifests/kustomizations/controlplane/92-barbican-luna.yaml"
+        content: |-
+          apiVersion: kustomize.config.k8s.io/v1beta1
+          kind: Kustomization
+          resources:
+          namespace: {{ namespace }}
+          patches:
+          - target:
+              kind: OpenStackVersion
+              name: .*
+            patch: |-
+              - op: replace
+                path: /spec/customContainerImages/barbicanAPIImage
+                value: "{{ image_prefix }}/openstack-barbican-api:{{ image_tag }}"
+              - op: replace
+                path: /spec/customContainerImages/barbicanWorkerImage
+                value: "{{ image_prefix }}/openstack-barbican-worker:{{ image_tag }}"
+
+- name: Create kustomization to use update barbican to use luna
+  hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
+  tasks:
+    - name: Create file to customize barbican resource deployed in the control plane
+      vars:
+        certs_secret: "{{ cifmw_hsm_luna_cert_secret | default('barbican-luna-certs', true) }}"
+        login_secret: "{{ cifmw_hsm_login_secret | default('hsm-login', true) }}"
+        cifmw_hsm_client_ip: "{{ hostvars[ cifmw_hsm_client_machine ].ansible_host }}"
+      ansible.builtin.copy:
+        dest: "{{ cifmw_basedir }}/artifacts/manifests/kustomizations/controlplane/93-barbican-luna.yaml"
+        content: |-
+          apiVersion: kustomize.config.k8s.io/v1beta1
+          kind: Kustomization
+          resources:
+          namespace: {{ namespace }}
+          patches:
+          - target:
+              kind: OpenStackControlPlane
+              name: .*
+            patch: |-
+              - op: add
+                path: /spec/barbican/template/globalDefaultSecretStore
+                value: pkcs11
+              - op: add
+                path: /spec/barbican/template/enabledSecretStores
+                value:
+                  - pkcs11
+              - op: add
+                path: /spec/barbican/template/pkcs11
+                value:
+                  type: luna
+                  libraryPath: /usr/local/luna/libs/64/libCryptoki2.so
+                  tokenLabels: "{{ cifmw_hsm_luna_partition }}"
+                  MKEKLabel: "{{ cifm_hsm_mkek_label }}"
+                  HMACLabel: "{{ cifm_hsm_hmac_label }}"
+                  serverAddress: "{{ cifmw_hsm_server_ip }}"
+                  clientAddress: "{{ cifmw_hsm_client_ip }}"
+                  loginSecret: "{{ login_secret }}"
+                  certificatesSecret: "{{ certs_secret }}"
+                  certificatesMountPoint: /usr/local/luna/config/certs
+                  keyWrapMechanism: "{{ cifmw_hsm_key_wrap_mechanism }}"
diff --git a/roles/hsm_prep/README.md b/roles/hsm_prep/README.md
new file mode 100644
index 0000000000..9587c3652c
--- /dev/null
+++ b/roles/hsm_prep/README.md
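Review bot: The last play's kustomization references `cifm_hsm_mkek_label` and `cifm_hsm_hmac_label`, which occur nowhere else in this change (no default, no README entry) and use a `cifm_` rather than `cifmw_` prefix; unless the job supplies them under exactly that spelling, rendering `content` fails with an undefined variable, and they most likely should be `cifmw_hsm_mkek_label` / `cifmw_hsm_hmac_label` with matching README and defaults entries. `cifmw_hsm_key_wrap_mechanism`, `cifmw_hsm_server_ip` and the bare `namespace` under `resources:` are likewise inputs this playbook needs but does not document, and `image_prefix` carries the `cifmv_hsm_barbican_image_namespace` spelling over from the role defaults. The image references these patches write (`…:<tag>-luna`) match what image_add_luna_minimal_client.sh commits locally, but nothing in this change pushes those images to quay.io, so the OpenStackVersion patch cannot pull them until a push step exists — possibly what the `TODO(alee)` comment refers to, in which case saying so in the comment helps the next reader.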
@@ -0,0 +1,75 @@
+# HSM Role
+
+In order to use HSMs, the barbican images need to be customized to include the HSM software. For now, this is something
+that we expect customers to do with scripts that we will provide as part of the barbican-operator code.
+
+The purpose of this role is to:
+* Generate new images for the barbican-api and barbican-worker containing the HSM software
+* Upload those images to a private repository for use in setting up a CI job.
+* Create any required config to be mounted by the barbican images to interact with the HSM
+
+For the Lunasa, we expect some preparatory steps to be completed prior to execution in order for the
+role to complete successfully.
+* We expect a VM that contains the Lunasa client software and that is registered as a lunasa client.
+  This VM should contain the following contents:
+  * The contents of the minimal linux client in a zipped tar file.
+  * The lunasa binaries that need to be added to the image under a specified directory.
+  * The lunasa HSM server cert.
+* The above contents will be fetched by the role.
+* The VM will be used to generate client certificates. For this, we will need the cifmw_hsm_client_ip , which
+  is the VM of the hypervisor hosting the openshift node. If a cert has already been generated, then
+  that certificate will be retrieved instead.
+* The certs will be retrieved and stored in a secret (cifmw_hsm_luna_cert_secret)
+* The password to log into the HSM partition will be stored in a secret (cifmw_hsm_login_secret)
+* As input to this role, we will require the ssh connection details and credentials for this VM.
+
+A minimal (one that takes the defaults) invocation of this role is shown below, where the lunaclient
+is the running client VM described above.
+
+- name: Set up Luna
+  hosts: lunaclient
+  ansible.builtin.include_role: hsm_prep
+  tags:
+    - image_prep
+    - cert_prep
+    - secret_prep
+  vars:
+    cifmw_hsm_admin_password: ""
+    cifmw_hsm_server_ip: "IP of HSM"
+    cifmw_hsm_client_ip: "IP of the client - this could be the hypervisor where the Openshift nodes run"
+    cifmw_hsm_luna_partition: "HSM partition for the client to join"
+    cifmw_hsm_partition_password: ""
+
+Note that tags have been provided to allow the caller to select specific operations. This may be necessary
+because different operations may need to executed in different CI jobs. The current tags available are:
+image_prep, cert_prep, secret_prep, cleanup
+
+## Parameters
+
+### HSM Details
+* `cifmw_hsm_hsmtype`: (String) The type of HSM required. Currently, only "luna" is supported. Default value: `luna`
+* `cifmw_hsm_admin_user`: (String) The user to log into the HSM. Default value: `admin`
+* `cifmw_hsm_admin_password`: (String) The password to log into the HSM.
+* `cifmw_hsm_server_ip`: (String) ip address or hostname of the HSM
+* `cifmw_hsm_partition_password: (String) The password to log into the HSM partition
+* `cifmw_hsm_login_secret`: (String) The secret to store the password to log into the HSM partition. Default: `hsm-login`
+
+### Barbican Image and Details to get buildah script
+* `cifmw_hsm_barbican_operator_repo`: (String) Repo for barbican-operator. Default value: "https://github.com/openstack-k8s-operators/barbican-operator.git"
+* `cifmw_hsm_barbican_operator_version`: (String) Version for barbican-operator. Default value: "main"
+* `cifmv_hsm_barbican_image_namespace`: (String) Namespace for barbican-operator source image. Default value: "podified-antelope-centos9"
+* `cifmw_hsm_barbican_image_tag`: (String) Tag for barbican-operator source image. Default value: "current-podified"
+
+### Role Parameters
+* `cifmw_hsm_cleanup`: (Boolean) Delete all resources created by the role at the end of the testing. Default value: `false`
+* `cifmw_hsm_working_dir`: (String) Working directory to store artifacts. Default value: `/tmp/hsm-prep-working-dir`
+* `cifmw_hsm_client_ip`: (String) ip address or hostname of the client VM
+
+### Luna Parameters
+* `cifmw_hsm_luna_minclient_src`: (String) Location of linux minimal client tarball on the luna client VM. Default value: `/opt/data/Linux-Minimal-Client.tar.gz`
+* `cifmw_hsm_luna_binaries_src`: (String) Location of the luna binaries on the luna client VM. Default value: `/opt/data/bin`
+* `cifmw_hsm_luna_server_cert_src`: (String) Location of HSM server cert on the luna client VM. Default value: `/usr/safenet/lunaclient/cert/server`
+* `cifmw_hsm_luna_client_cert_src`: (String) Location of HSM client cert on the luna client VM. Default value: `/usr/safenet/lunaclient/cert/client`
+* `cifmw_hsm_luna_cert_secret`: (String) Name of the secret that stores all of the needed certs for luna. Default value: `barbican-luna-certs`
+* `cifmw_hsm_luna_cert_secret_namespace`: (String) Namespace of the secret that stores all of the needed certs for luna. Default value: `openstack`
+* `cifmw_hsm_luna_partition`: (String) HSM partition for the client to join.
diff --git a/roles/hsm_prep/defaults/main.yml b/roles/hsm_prep/defaults/main.yml
new file mode 100644
index 0000000000..6aecb225e1
--- /dev/null
+++ b/roles/hsm_prep/defaults/main.yml
@@ -0,0 +1,41 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# defaults file for hsm role
+
+# HSM Details
+cifmw_hsm_hsmtype: "luna"
+cifmw_hsm_admin_user: "admin"
+cifmw_hsm_login_secret: "hsm-login"
+
+### Barbican Image and Details to get buildah script
+cifmw_hsm_barbican_operator_repo: "https://github.com/openstack-k8s-operators/barbican-operator.git"
+cifmw_hsm_barbican_operator_version: "main"
+cifmv_hsm_barbican_image_namespace: "podified-antelope-centos9"
+cifmw_hsm_barbican_image_tag: "current-podified"
+
+### Role Parameters
+cifmw_hsm_cleanup: false
+cifmw_hsm_working_dir: "/tmp/hsm-prep-working-dir"
+
+### Luna Parameters
+cifmw_hsm_luna_minclient_src: "/opt/data/Linux-Minimal-Client.tar.gz"
+cifmw_hsm_luna_binaries_src: "/opt/data/bin"
+cifmw_hsm_luna_server_cert_src: "/usr/safenet/lunaclient/cert/server"
+cifmw_hsm_luna_client_cert_src: "/usr/safenet/lunaclient/cert/client"
+cifmw_hsm_luna_cert_secret: "barbican-luna-certs"
+cifmw_hsm_luna_cert_secret_namespace: "openstack"
diff --git a/roles/hsm_prep/files/image_add_luna_minimal_client.sh b/roles/hsm_prep/files/image_add_luna_minimal_client.sh
new file mode 100755
index 0000000000..d82979c51f
--- /dev/null
+++ b/roles/hsm_prep/files/image_add_luna_minimal_client.sh
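Review bot: `cifmv_hsm_barbican_image_namespace` breaks the role's `cifmw_hsm_` prefix (`cifmv`), and because the same spelling is used in roles/hsm_prep/tasks/luna.yml, the README and hooks/playbooks/barbican-enable-luna.yml, a caller who sets `cifmw_hsm_barbican_image_namespace` by analogy with every other variable silently gets the default image; renaming it in all four places before the role has consumers avoids carrying a compatibility alias later. The inputs that have no default (`cifmw_hsm_admin_password`, `cifmw_hsm_partition_password`, `cifmw_hsm_server_ip`, `cifmw_hsm_client_ip`, `cifmw_hsm_luna_partition`) do not appear in this file at all, so it does not show the role's full input surface; a commented `# required, no default:` list here, or a `meta/argument_specs.yml`, would make them discoverable without reading the tasks.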
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+# barbican_add_luna_minimal_client.sh
+#
+# This script adds the Linux Minimal Client for Thales Luna Network HSM
+# to both the API and Worker images so that the HSM can be used as a PKCS#11
+# backend for Barbican.
+
+set -o errexit
+set -o pipefail
+
+BARBICAN_IMAGE_NAMESPACE=${BARBICAN_IMAGE_NAMESPACE:-"podified-antelope-centos9"}
+BARBICAN_IMAGE_TAG=${BARBICAN_IMAGE_TAG:-"current-podified"}
+BARBICAN_API_IMAGE="quay.io/$BARBICAN_IMAGE_NAMESPACE/openstack-barbican-api:$BARBICAN_IMAGE_TAG"
+BARBICAN_WORKER_IMAGE="quay.io/$BARBICAN_IMAGE_NAMESPACE/openstack-barbican-worker:$BARBICAN_IMAGE_TAG"
+
+# LUNA_LINUX_MINIMAL_CLIENT_DIR - location of the "linux-minimal" directory
+# in your client media. This could be a path to a mounted ISO or a path to
+# the location where a tarball was extracted
+LUNA_LINUX_MINIMAL_CLIENT_DIR=${LUNA_LINUX_MINIMAL_CLIENT_DIR:-"/media/lunaiso/linux-minimal"}
+
+# LUNA_CLIENT_BIN - location of the binaries installed by the client
+# software.
+LUNA_CLIENT_BIN=${LUNA_CLIENT_BIN:-"/usr/safenet/lunaclient/bin"}
+
+function install_client() {
+
+    container=$(buildah from $1)
+
+    # set required env
+    buildah config --env ChrystokiConfigurationPath=/usr/local/luna $container
+
+    # add linux-minimal client
+    buildah add --chown root:root $container $LUNA_LINUX_MINIMAL_CLIENT_DIR /usr/local/luna
+    buildah run --user root $container -- mkdir -p /usr/local/luna/config/certs
+    buildah run --user root $container -- mkdir -p /usr/local/luna/config/token/001
+    buildah run --user root $container -- touch /usr/local/luna/config/token/001/token.db
+    buildah add --chown root:root $container $LUNA_CLIENT_BIN/lunacm /usr/local/bin/
+    buildah add --chown root:root $container $LUNA_CLIENT_BIN/vtl /usr/local/bin/
+    buildah add --chown root:root $container $LUNA_CLIENT_BIN/multitoken /usr/local/bin/
+    buildah add --chown root:root $container $LUNA_CLIENT_BIN/ckdemo /usr/local/bin/
+
+    buildah commit $container ${1}-luna
+    buildah rm $container
+}
+
+install_client $BARBICAN_API_IMAGE
+install_client $BARBICAN_WORKER_IMAGE
diff --git a/roles/hsm_prep/meta/main.yml b/roles/hsm_prep/meta/main.yml
new file mode 100644
index 0000000000..8130a40a64
--- /dev/null
+++ b/roles/hsm_prep/meta/main.yml
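Review bot: `container=$(buildah from $1)` and every `$container`, `$LUNA_LINUX_MINIMAL_CLIENT_DIR` and `$LUNA_CLIENT_BIN` expansion in install_client is unquoted, and the script enables `errexit`/`pipefail` but not `nounset`, so an empty or space-containing value — both are operator-supplied through the role's `environment:` in luna.yml — becomes a malformed buildah command rather than an error; quote the expansions (`container=$(buildah from "$1")`, `buildah add --chown root:root "$container" "$LUNA_CLIENT_BIN/lunacm" /usr/local/bin/`) and add `set -o nounset`. With errexit, a failing `buildah run` or `buildah add` exits before `buildah rm`, leaving the working container behind on the builder; an `ERR` trap that removes `$container`, or deleting a leftover at the start of the run, keeps repeated CI runs from accumulating containers. The header comment names the file `barbican_add_luna_minimal_client.sh` while the file added is `image_add_luna_minimal_client.sh`.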
@@ -0,0 +1,36 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+galaxy_info:
+  author: CI Framework
+  description: CI Framework Role -- HSM Prep
+  company: Red Hat
+  license: Apache-2.0
+  min_ansible_version: 2.14
+  namespace: cifmw
+  platforms:
+    - name: CentOS
+      versions:
+        - 9
+
+  galaxy_tags:
+    - cifmw
+    - hsm
+
+# List your role dependencies here, one per line. Be sure to remove the '[]' above,
+# if you add dependencies to this list.
+dependencies: []
diff --git a/roles/hsm_prep/tasks/generate_luna_client_certs.yaml b/roles/hsm_prep/tasks/generate_luna_client_certs.yaml
new file mode 100644
index 0000000000..63e057a38c
--- /dev/null
+++ b/roles/hsm_prep/tasks/generate_luna_client_certs.yaml
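Review bot: `min_ansible_version: 2.14` is an unquoted float, so a YAML loader hands Galaxy the number `2.14` rather than a version string; the usual form is `min_ansible_version: "2.14"`, which also survives versions such as `2.10` that a float would collapse to `2.1`. The `# List your role dependencies here … remove the '[]' above` comment is galaxy-init scaffold text that refers to nothing above it and can be dropped or rewritten to say the role has no dependencies.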
@@ -0,0 +1,54 @@
+- name: Set fact for client_name
+  ansible.builtin.set_fact:
+    client_name: "{{ cifmw_hsm_client_ip }}"
+
+- name: Generate a new client cert for NTL
+  ansible.builtin.command: /usr/safenet/lunaclient/bin/vtl createCert -n "{{ cifmw_hsm_client_ip }}"
+  become: true
+
+- name: Get the hsm server cert from the hsm_server
+  ansible.builtin.shell: >
+    sshpass -p '{{ cifmw_hsm_admin_password }}'
+    scp -O -o StrictHostKeyChecking=false -c aes256-cbc
+    {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}:server.pem
+    /usr/safenet/lunaclient/bin/{{ cifmw_hsm_server_ip }}.pem
+  args:
+    creates: /usr/safenet/lunaclient/bin/{{ cifmw_hsm_server_ip }}.pem
+  become: true
+
+- name: Delete existing client if present
+  ansible.builtin.shell: >
+    sshpass -p '{{ cifmw_hsm_admin_password }}'
+    ssh -c aes256-cbc {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}
+    -C "client delete -f -c {{ client_name }}"
+  register: client_delete
+  failed_when:
+    - client_delete.rc != 0
+    - "'There is no registered client with the name you specified' not in client_delete.stdout"
+
+- name: Copy the NTL client cert to the HSM
+  ansible.builtin.shell: >
+    sshpass -p '{{ cifmw_hsm_admin_password }}' scp -O -c aes256-cbc
+    /usr/safenet/lunaclient/cert/client/{{ cifmw_hsm_client_ip }}.pem
+    {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}:{{ cifmw_hsm_client_ip }}.pem
+
+- name: Register the client
+  ansible.builtin.shell: >
+    sshpass -p '{{ cifmw_hsm_admin_password }}'
+    ssh -c aes256-cbc {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}
+    -C "client register -c {{ client_name }} -ip {{ cifmw_hsm_client_ip }}"
+  register: client_register
+  failed_when:
+    - client_register.rc != 0
+    - "'client with the same IP address has already been registered' not in client_register.stdout"
+
+- name: Assign client to an HSM partition
+  ansible.builtin.shell: >
+    sshpass -p '{{ cifmw_hsm_admin_password }}'
+    ssh -c aes256-cbc {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}
+    -C "client assignPartition -c {{ client_name }} -p {{ cifmw_hsm_luna_partition }}"
+  register: assign_partition
+  failed_when:
+    - assign_partition.rc != 0
+    - "'client already has access' not in assign_partition.stdout"
+  become: true
diff --git a/roles/hsm_prep/tasks/luna.yml b/roles/hsm_prep/tasks/luna.yml
new file mode 100644
index 0000000000..684545a21f
--- /dev/null
+++ b/roles/hsm_prep/tasks/luna.yml
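Review bot: Every `sshpass -p '{{ cifmw_hsm_admin_password }}'` task in this file runs without `no_log`, so the HSM admin password is written into the play output and the registered results, and is visible in the process table on the lunaclient VM for as long as each ssh/scp runs; add `no_log: true` to the five shell tasks here and to the two sshpass tasks in the cleanup block of roles/hsm_prep/tasks/luna.yml, or pass the password through `environment: SSHPASS: "{{ cifmw_hsm_admin_password }}"` and call `sshpass -e` so it never appears on a command line. The `-C` in `ssh -c aes256-cbc … -C "client delete …"` only requests compression — the quoted string is the remote command by position — so dropping `-C` makes the intent clearer. When this file is imported from the `Get certs and keys` block in luna.yml the block's `become: true` already covers every task, which makes the three per-task `become: true` lines redundant; if it is ever imported elsewhere, the Delete, Copy and Register tasks (no `become`, no `StrictHostKeyChecking` option) would run as the login user, whose known_hosts lacks the entry the first scp added for root, and sshpass would then fail on the host-key prompt — worth either making `become` uniform or stating the import assumption in a comment at the top of the file.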
@@ -0,0 +1,185 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Create working directories
+  delegate_to: localhost
+  tags: always
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    recurse: true
+    mode: '755'
+  loop:
+    - "{{ cifmw_hsm_working_dir }}"
+    - "{{ cifmw_hsm_working_dir }}/bin"
+    - "{{ cifmw_hsm_working_dir }}/certs"
+    - "{{ cifmw_hsm_working_dir }}/client"
+    - "{{ cifmw_hsm_working_dir }}/barbican_operator"
+
+- name: Extract luna software
+  tags: image_prep
+  block:
+    - name: Fetch the linux minimal client
+      ansible.builtin.fetch:
+        src: "{{ cifmw_hsm_luna_minclient_src }}"
+        dest: "{{ cifmw_hsm_working_dir }}/"
+        flat: true
+
+    - name: Extract the minimal client
+      delegate_to: localhost
+      ansible.builtin.unarchive:
+        src: "{{ cifmw_hsm_working_dir }}/{{ cifmw_hsm_luna_minclient_src | basename }}"
+        dest: "{{ cifmw_hsm_working_dir }}/client/"
+
+    - name: Fetch the binaries
+      ansible.builtin.fetch:
+        src: "{{ cifmw_hsm_luna_binaries_src }}/{{ item}}"
+        dest: "{{ cifmw_hsm_working_dir }}/bin/"
+        flat: true
+      loop:
+        - "vtl"
+        - "lunacm"
+        - "multitoken"
+        - "ckdemo"
+
+- name: Download build tools
+  delegate_to: localhost
+  become: true
+  tags: image_prep
+  ansible.builtin.dnf:
+    name:
+      - buildah
+      - podman
+    state: present
+
+- name: Clone barbican-operator to get buildah script
+  delegate_to: localhost
+  tags: image_prep
+  ansible.builtin.git:
+    repo: "{{ cifmw_hsm_barbican_operator_repo }}"
+    dest: "{{ cifmw_hsm_working_dir}}/barbican_operator"
+    version: "{{ cifmw_hsm_barbican_operator_version }}"
+    force: true
+
+# TODO(alee) Use the buildah script from the barbican-operator once it has merged
+# ansible.builtin.command: "{{ cifmw_hsm_working_dir}}/barbican_operator/hack/image_add_luna_minimal_client.sh"
+- name: Create and store new images
+  delegate_to: localhost
+  tags: image_prep
+  ansible.builtin.script: "image_add_luna_minimal_client.sh"
+  environment:
+    BARBICAN_IMAGE_NAMESPACE: "{{ cifmv_hsm_barbican_image_namespace }}"
+    BARBICAN_IMAGE_TAG: "{{ cifmw_hsm_barbican_image_tag }}"
+    LUNA_LINUX_MINIMAL_CLIENT_DIR: "{{ cifmw_hsm_working_dir }}/client/linux-minimal"
+    LUNA_CLIENT_BIN: "{{ cifmw_hsm_working_dir }}/bin"
+
+- name: Get certs and keys
+  become: true
+  tags: cert_prep
+  block:
+    - name: Fetch the server cert
+      ansible.builtin.fetch:
+        src: "{{ cifmw_hsm_luna_server_cert_src }}/{{ cifmw_hsm_server_ip }}Cert.pem"
+        dest: "{{ cifmw_hsm_working_dir }}/certs/"
+        flat: true
+
+    - name: Check if client cert exists
+      ansible.builtin.stat:
+        path: "{{ cifmw_hsm_luna_client_cert_src }}/{{ cifmw_hsm_client_ip }}.pem"
+      register: client_cert_stat
+
+    - name: Check if client key exists
+      ansible.builtin.stat:
+        path: "{{ cifmw_hsm_luna_client_cert_src }}/{{ cifmw_hsm_client_ip }}Key.pem"
+      register: client_key_stat
+
+    - name: Generate certs if they do not already exist
+      ansible.builtin.import_tasks: generate_luna_client_certs.yaml
+      when: not client_cert_stat.stat.exists or not client_key_stat.stat.exists
+
+    - name: Fetch the client cert and key
+      ansible.builtin.fetch:
+        src: "{{ cifmw_hsm_luna_client_cert_src }}/{{ item }}"
+        dest: "{{ cifmw_hsm_working_dir }}/certs/"
+        flat: true
+      loop:
+        - "{{ cifmw_hsm_client_ip }}.pem"
+        - "{{ cifmw_hsm_client_ip }}Key.pem"
+
+- name: Write out the HSM cert secret template file
+  delegate_to: localhost
+  tags: cert_prep
+  ansible.builtin.template:
+    src: "luna_cert_secret.yml.j2"
+    dest: "{{ cifmw_hsm_working_dir }}/luna_cert_secret.yml"
+
+- name: Create the HSM cert secret
+  delegate_to: localhost
+  tags: cert_prep
+  environment:
+    KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
+    PATH: "{{ cifmw_path }}"
+  ansible.builtin.command: "oc apply -f {{ cifmw_hsm_working_dir }}/luna_cert_secret.yml"
+
+- name: Write out the hsm-login secret
+  delegate_to: localhost
+  tags: secret_prep
+  ansible.builtin.template:
+    src: "login_secret.yml.j2"
+    dest: "{{ cifmw_hsm_working_dir }}/login_secret.yml"
+
+- name: Create the hsm-login secret
+  delegate_to: localhost
+  tags: secret_prep
+  environment:
+    KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
+    PATH: "{{ cifmw_path }}"
+  ansible.builtin.command: "oc apply -f {{ cifmw_hsm_working_dir }}/login_secret.yml"
+
+- name: Perform cleanup tasks
+  tags: cleanup
+  when: cifmw_hsm_cleanup | bool
+  block:
+    - name: Log debug tasks
+      ansible.builtin.debug:
+        msg: "Running cleanup tasks here"
+
+    - name: Set fact for client_name
+      ansible.builtin.set_fact:
+        client_name: "{{ cifmw_hsm_client_ip }}"
+
+    - name: Check for existing HSM client
+      ansible.builtin.shell: >
+        sshpass -p '{{ cifmw_hsm_admin_password }}'
+        ssh -o StrictHostKeyChecking=false -c aes256-cbc
+        {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}
+        -C client list
+      register: client_list
+
+    - name: Delete existing client when rotating certs
+      ansible.builtin.shell: >
+        sshpass -p '{{ cifmw_hsm_admin_password }}'
+        ssh -c aes256-cbc {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}
+        -C "client delete -f -c {{ client_name }}"
+      when:
+        - client_name in client_list.stdout
+
+    - name: Remove the working directory
+      delegate_to: localhost
+      become: true
+      ansible.builtin.file:
+        path: "{{ cifmw_hsm_working_dir }}"
+        state: absent
diff --git a/roles/hsm_prep/tasks/main.yml b/roles/hsm_prep/tasks/main.yml
new file mode 100644
index 0000000000..fefde7b95d
--- /dev/null
+++ b/roles/hsm_prep/tasks/main.yml
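Review bot: The rendered `luna_cert_secret.yml` and `login_secret.yml` contain the client private key and the partition password (base64 only), but the two `ansible.builtin.template` tasks set neither `mode` nor `no_log`, so the files are created under the controller's default umask in `cifmw_hsm_working_dir` and their full content is shown in diff/verbose output; add `mode: "0600"` and `no_log: true` to both, and note that nothing deletes the files after `oc apply` unless `cifmw_hsm_cleanup` is true. In the cleanup block, `client_name in client_list.stdout` is a substring test, so a client named after `10.0.0.1` also matches a listing that contains `10.0.0.10`; matching whole entries via `client_list.stdout_lines` is safer, subject to how `client list` formats its output. The `Create working directories` task applies `recurse: true` with `mode: '755'` on every run, which would also reset the permissions of any secret manifests already sitting in the working directory — if the `0600` above is adopted, drop `recurse` or move the secret files out of that tree.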
@@ -0,0 +1,20 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Run luna tasks
+  ansible.builtin.include_tasks: luna.yml
+  tags: always
+  when: cifmw_hsm_hsmtype == "luna"
diff --git a/roles/hsm_prep/templates/login_secret.yml.j2 b/roles/hsm_prep/templates/login_secret.yml.j2
new file mode 100644
index 0000000000..a4684e766a
--- /dev/null
+++ b/roles/hsm_prep/templates/login_secret.yml.j2
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: "{{ cifmw_hsm_login_secret }}"
+  namespace: "{{ cifmw_hsm_luna_cert_secret_namespace }}"
+data:
+  "hsmLogin": "{{ cifmw_hsm_partition_password | string | b64encode }}"
diff --git a/roles/hsm_prep/templates/luna_cert_secret.yml.j2 b/roles/hsm_prep/templates/luna_cert_secret.yml.j2
new file mode 100644
index 0000000000..c1444f2a61
--- /dev/null
+++ b/roles/hsm_prep/templates/luna_cert_secret.yml.j2
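Review bot: The include is guarded only by `cifmw_hsm_hsmtype == "luna"`, so any other value — including a typo — turns the role into a silent no-op with every task skipped. An `ansible.builtin.assert` placed before the include, with `tags: always` like the include so tag-filtered runs still check, that requires `cifmw_hsm_hsmtype` to be in the supported list and the no-default inputs (`cifmw_hsm_server_ip`, `cifmw_hsm_admin_password`, `cifmw_hsm_partition_password`, `cifmw_hsm_luna_partition`, `cifmw_hsm_client_ip`) to be defined would fail fast with a readable message instead of an undefined-variable error deep in luna.yml; keep the `fail_msg` to variable names so no password value reaches the log.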
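Review bot: The login Secret's namespace comes from `cifmw_hsm_luna_cert_secret_namespace`, which the README documents as the namespace of the cert secret; if the login secret is meant to live alongside it that is fine but deserves a comment in the template, otherwise a dedicated variable keeps a caller who relocates the cert secret from moving this one unknowingly. The `| string` before `b64encode` is what keeps a password that YAML would retype (all digits, `yes`/`no`) from reaching the filter as a non-string — a one-line comment saying so stops a later reviewer from removing it as redundant.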
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: "{{ cifmw_hsm_luna_cert_secret }}"
+  namespace: "{{ cifmw_hsm_luna_cert_secret_namespace }}"
+data:
+  "{{ cifmw_hsm_client_ip }}.pem": "{{ lookup('ansible.builtin.file', cifmw_hsm_working_dir + '/certs/' + cifmw_hsm_client_ip + '.pem') | string | b64encode }}"
+  "{{ cifmw_hsm_client_ip }}Key.pem": "{{ lookup('ansible.builtin.file', cifmw_hsm_working_dir + '/certs/' + cifmw_hsm_client_ip + 'Key.pem') | string | b64encode }}"
+  "{{ cifmw_hsm_server_ip }}.pem": "{{ lookup('ansible.builtin.file', cifmw_hsm_working_dir + '/certs/' + cifmw_hsm_server_ip + 'Cert.pem') | string | b64encode }}"
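Review bot: The three `data` keys are built directly from `cifmw_hsm_client_ip` and `cifmw_hsm_server_ip`, and Kubernetes accepts Secret data keys only when they match `[-._a-zA-Z0-9]+`; that holds for IPv4 addresses and hostnames, but `oc apply` rejects the manifest if either value is ever an IPv6 literal, so either state the restriction in a comment at the top of the template or sanitise the key with `| regex_replace('[^-._a-zA-Z0-9]', '_')`. The server cert is read from `<server_ip>Cert.pem` in the working directory but stored under `<server_ip>.pem`; that rename is presumably what the consumer mounting `certificatesMountPoint` expects — a comment giving the expected file layout would make the contract checkable against the barbican side.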