Skip to content

Commit

Permalink
Add HSM Prep role
Browse files Browse the repository at this point in the history
Also add a playbook to call this role as a pre_deploy playbook
so that we can create and use the modified images in our barbican tests.
  • Loading branch information
vakwetu committed Nov 15, 2024
1 parent 3b375d8 commit cd7fe9f
Show file tree
Hide file tree
Showing 12 changed files with 524 additions and 0 deletions.
6 changes: 6 additions & 0 deletions docs/dictionary/en-custom.txt
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ az
azs
backend
backends
barbican
baremetal
baremetalhost
basedir
Expand Down Expand Up @@ -71,6 +72,7 @@ ciuser
cjeanner
ckcg
cli
clientvm
clusterimageset
clusterpool
cmd
Expand Down Expand Up @@ -202,6 +204,8 @@ hostnames
hostvars
hotfix
href
hsm
hsms
https
ic
icjbuue
Expand Down Expand Up @@ -281,6 +285,8 @@ loopback
losetup
lsblk
luks
lunaclient
lunasa
lv
lvm
lvmcluster
Expand Down
10 changes: 10 additions & 0 deletions hooks/playbooks/barbican-cleanup-luna.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
---
- name: Create and store modified barbican images
hosts: "{{ cifmw_hsm_lunaclient_vm }}"
tasks:
- name: Include hsm_prep role cleanup tasks
ansible.builtin.include_role:
name: hsm_prep
tasks_from: cleanup
vars:
cifmw_hsm_client_ip: "{{ hostvars[ cifmw_hsm_client_machine ].ansible_host }}"
50 changes: 50 additions & 0 deletions hooks/playbooks/barbican-enable-luna.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
---
- name: Add lunaclient to inventory
hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
tasks:
- name: Get lunaclient key
ansible.builtin.get_url:
url: "{{ cifmw_hsm_lunaclient_key }}"
dest: "{{ ansible_user_dir }}/.ssh/lunaclient"
mode: "0400"
- name: Add lunaclient VM to inventory
ansible.builtin.add_host:
name: "{{ cifmw_hsm_lunaclient_vm }}"
ansible_user: "{{ cifmw_hsm_lunaclient_user }}"
ansible_ssh_private_key_file: "{{ ansible_user_dir }}/.ssh/lunaclient"
ansible_ssh_common_args: "-o StrictHostKeyChecking=no"

- name: Create and store modified barbican images
hosts: "{{ cifmw_hsm_lunaclient_vm }}"
tasks:
- name: Include hsm_prep role
ansible.builtin.include_role:
name: hsm_prep
vars:
cifmw_hsm_client_ip: "{{ hostvars[ cifmw_hsm_client_machine ].ansible_host }}"

- name: Create kustomization to use updated barbican images
hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
tasks:
- name: create customize file
vars:
image_prefix: "quay.io/{{ cifmv_hsm_barbican_image_namespace | default('podified-antelope-centos9', true) }}"
image_tag: "{{ cifmw_hsm_barbican_image_tag | default('current-podified', true) }}-luna"
ansible.builtin.copy:
dest: "{{ cifmw_basedir }}/artifacts/manifests/kustomizations/controlplane/92-barbican-luna.yaml"
content: |-
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
namespace: {{ namespace }}
patches:
- target:
kind: OpenStackVersion
name: .*
patch: |-
- op: replace
path: /spec/customContainerImages/barbicanAPIImage
value: "{{ image_prefix }}/openstack-barbican-api:{{ image_tag }}"
- op: replace
path: /spec/customContainerImages/barbicanWorkerImage
value: "{{ image_prefix }}/openstack-barbican-worker:{{ image_tag }}"
63 changes: 63 additions & 0 deletions roles/hsm_prep/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
# HSM Role

In order to use HSMs, the barbican images need to be customized to include the HSM software. For now, this is something
that we expect customers to do with scripts that we will provide as part of the barbican-operator code.

The purpose of this role is to:
* Generate new images for the barbican-api and barbican-worker containing the HSM software
* Upload those images to a private repository for use in setting up a CI job.
* Create any required config to be mounted by the barbican images to interact with the HSM

For the Lunasa, we expect some preparatory steps to be completed prior to execution in order for the
role to complete successfully.
* We expect a VM that contains the Lunasa client software and that is registered as a lunasa client.
This VM should contain the following contents:
* The contents of the minimal linux client in a zipped tar file.
* The lunasa binaries that need to be added to the image under a specified directory.
* The lunasa HSM server cert.
* The above contents will be fetched by the role.
* The VM will be used to generate client certificates. For this, we will need the cifmw_hsm_client_ip , which
is the VM of the hypervisor hosting the openshift node. If a cert has already been generated, then
that certificate will be retrieved instead.
* The certs will be retrieved and stored in a secret (cifmw_hsm_luna_cert_secret)
* As input to this role, we will require the ssh connection details and credentials for this VM.

A minimal (one that takes the defaults) invocation of this role is shown below, where the lunaclient
is the running client VM described above.

- name: Set up Luna
hosts: lunaclient
ansible.builtin.include_role: hsm_prep
vars:
cifmw_hsm_admin_password: "<HSM admin password>"
cifmw_hsm_server_ip: "IP of HSM"
cifmw_hsm_client_ip: "IP of the client - this could be the hypervisor where the Openshift nodes run"
cifmw_hsm_luna_partition: "HSM partition for th client to join"

## Parameters

### HSM Details
* `cifmw_hsm_hsmtype`: (String) The type of HSM required. Currently, only "luna" is supported. Default value: `luna`
* `cifmw_hsm_admin_user`: (String) The user to log into the HSM. Default value: `admin`
* `cifmw_hsm_admin_password`: (String) The password to log into the HSM.
* `cifmw_hsm_server_ip`: (String) ip address or hostname of the HSM

### Barbican Image and Details to get buildah script
* `cifmw_hsm_barbican_operator_repo`: (String) Repo for barbican-operator. Default value: "https://github.com/openstack-k8s-operators/barbican-operator.git"
* `cifmw_hsm_barbican_operator_version`: (String) Version for barbican-operator. Default value: "main"
* `cifmv_hsm_barbican_image_namespace`: (String) Namespace for barbican-operator source image. Default value: "podified-antelope-centos9"
* `cifmw_hsm_barbican_image_tag`: (String) Tag for barbican-operator source image. Default value: "current-podified"

### Role Parameters
* `cifmw_hsm_cleanup`: (Boolean) Delete all resources created by the role at the end of the testing. Default value: `false`
* `cifmw_hsm_working_dir`: (String) Working directory to store artifacts. Default value: `/tmp/hsm-prep-working-dir`
* `cifmw_hsm_client_ip`: (String) ip address or hostname of the client VM

### Luna Parameters
* `cifmw_hsm_luna_minclient_src`: (String) Location of linux minimal client tarball on the luna client VM. Default value: `/opt/data/Linux-Minimal-Client.tar.gz`
* `cifmw_hsm_luna_binaries_src`: (String) Location of the luna binaries on the luna client VM. Default value: `/opt/data/bin`
* `cifmw_hsm_luna_server_cert_src`: (String) Location of HSM server cert on the luna client VM. Default value: `/usr/safenet/lunaclient/cert/server`
* `cifmw_hsm_luna_client_cert_src`: (String) Location of HSM client cert on the luna client VM. Default value: `/usr/safenet/lunaclient/cert/client`
* `cifmw_hsm_luna_cert_secret`: (String) Name of the secret that stores all of the needed certs for luna. Default value: `barbican-luna-certs`
* `cifmw_hsm_luna_cert_secret_namespace`: (String) Namespace of the secret that stores all of the needed certs for luna. Default value: `openstack`
* `cifmw_hsm_luna_partition`: (String) HSM partition for the client to join.
40 changes: 40 additions & 0 deletions roles/hsm_prep/defaults/main.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
---
# Copyright Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.


# defaults file for hsm role

# HSM Details
cifmw_hsm_hsmtype: "luna"
cifmw_hsm_admin_user: "admin"

### Barbican Image and Details to get buildah script
cifmw_hsm_barbican_operator_repo: "https://github.com/openstack-k8s-operators/barbican-operator.git"
cifmw_hsm_barbican_operator_version: "main"
cifmv_hsm_barbican_image_namespace: "podified-antelope-centos9"
cifmw_hsm_barbican_image_tag: "current-podified"

### Role Parameters
cifmw_hsm_cleanup: false
cifmw_hsm_working_dir: "/tmp/hsm-prep-working-dir"

### Luna Parameters
cifmw_hsm_luna_minclient_src: "/opt/data/Linux-Minimal-Client.tar.gz"
cifmw_hsm_luna_binaries_src: "/opt/data/bin"
cifmw_hsm_luna_server_cert_src: "/usr/safenet/lunaclient/cert/server"
cifmw_hsm_luna_client_cert_src: "/usr/safenet/lunaclient/cert/client"
cifmw_hsm_luna_cert_secret: "barbican-luna-certs"
cifmw_hsm_luna_cert_secret_namespace: "openstack"
48 changes: 48 additions & 0 deletions roles/hsm_prep/files/image_add_luna_minimal_client.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
#!/usr/bin/env bash

# barbican_add_luna_minimal_client.sh
#
# This script adds the Linux Minimal Client for Thales Luna Network HSM
# to both the API and Worker images so that the HSM can be used as a PKCS#11
# backend for Barbican.

set -o errexit
set -o pipefail

BARBICAN_IMAGE_NAMESPACE=${BARBICAN_IMAGE_NAMESPACE:-"podified-antelope-centos9"}
BARBICAN_IMAGE_TAG=${BARBICAN_IMAGE_TAG:-"current-podified"}
BARBICAN_API_IMAGE="quay.io/$BARBICAN_IMAGE_NAMESPACE/openstack-barbican-api:$BARBICAN_IMAGE_TAG"
BARBICAN_WORKER_IMAGE="quay.io/$BARBICAN_IMAGE_NAMESPACE/openstack-barbican-worker:$BARBICAN_IMAGE_TAG"

# LUNA_LINUX_MINIMAL_CLIENT_DIR - location of the "linux-minimal" directory
# in your client media. This could be a path to a mounted ISO or a path to
# the location where a tarball was extracted
LUNA_LINUX_MINIMAL_CLIENT_DIR=${LUNA_LINUX_MINIMAL_CLIENT_DIR:-"/media/lunaiso/linux-minimal"}

# LUNA_CLIENT_BIN - location of the binaries installed by the client
# software.
LUNA_CLIENT_BIN=${LUNA_CLIENT_BIN:-"/usr/safenet/lunaclient/bin"}

function install_client() {

container=$(buildah from $1)

# set required env
buildah config --env ChrystokiConfigurationPath=/usr/local/luna $container

# add linux-minimal client
buildah add --chown root:root $container $LUNA_LINUX_MINIMAL_CLIENT_DIR /usr/local/luna
buildah run --user root $container -- mkdir -p /usr/local/luna/config/certs
buildah run --user root $container -- mkdir -p /usr/local/luna/config/token/001
buildah run --user root $container -- touch /usr/local/luna/config/token/001/token.db
buildah add --chown root:root $container $LUNA_CLIENT_BIN/lunacm /usr/local/bin/
buildah add --chown root:root $container $LUNA_CLIENT_BIN/vtl /usr/local/bin/
buildah add --chown root:root $container $LUNA_CLIENT_BIN/multitoken /usr/local/bin/
buildah add --chown root:root $container $LUNA_CLIENT_BIN/ckdemo /usr/local/bin/

buildah commit $container ${1}-luna
buildah rm $container
}

install_client $BARBICAN_API_IMAGE
install_client $BARBICAN_WORKER_IMAGE
36 changes: 36 additions & 0 deletions roles/hsm_prep/meta/main.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
---
# Copyright Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.


galaxy_info:
author: CI Framework
description: CI Framework Role -- HSM Prep
company: Red Hat
license: Apache-2.0
min_ansible_version: 2.14
namespace: cifmw
platforms:
- name: CentOS
versions:
- 9

galaxy_tags:
- cifmw
- hsm

# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
dependencies: []
46 changes: 46 additions & 0 deletions roles/hsm_prep/tasks/cleanup.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
---
# Copyright Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

- name: Log debug tasks
ansible.builtin.debug:
msg: "Running cleanup tasks here"

- name: Set fact for client_name
ansible.builtin.set_fact:
client_name: "{{ cifmw_hsm_client_ip }}"

- name: Check for existing HSM client
ansible.builtin.shell: >
sshpass -p '{{ cifmw_hsm_admin_password }}'
ssh -o StrictHostKeyChecking=false -c aes256-cbc
{{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}
-C client list
register: client_list

- name: Delete existing client when rotating certs
ansible.builtin.shell: >
sshpass -p '{{ cifmw_hsm_admin_password }}'
ssh -c aes256-cbc {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}
-C "client delete -f -c {{ client_name }}"
when:
- client_name in client_list.stdout

- name: Remove the working directory
delegate_to: localhost
become: true
ansible.builtin.file:
path: "{{ cifmw_hsm_working_dir }}"
state: absent
64 changes: 64 additions & 0 deletions roles/hsm_prep/tasks/generate_luna_client_certs.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
- name: Set fact for client_name
ansible.builtin.set_fact:
client_name: "{{ cifmw_hsm_client_ip }}"

- name: Generate a new client cert for NTL
ansible.builtin.command: /usr/safenet/lunaclient/bin/vtl createCert -n "{{ cifmw_hsm_client_ip }}"
become: true

- name: Get the hsm server cert from the hsm_server
ansible.builtin.shell: >
sshpass -p '{{ cifmw_hsm_admin_password }}'
scp -O -o StrictHostKeyChecking=false -c aes256-cbc
{{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}:server.pem
/usr/safenet/lunaclient/bin/{{ cifmw_hsm_server_ip }}.pem
args:
creates: /usr/safenet/lunaclient/bin/{{ cifmw_hsm_server_ip }}.pem
become: true

- name: Check for existing clients
ansible.builtin.shell: >
sshpass -p '{{ cifmw_hsm_admin_password }}'
ssh -o StrictHostKeyChecking=false -c aes256-cbc
{{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}
-C client list
register: client_list

- name: Delete existing client when rotating certs
ansible.builtin.shell: >
sshpass -p '{{ cifmw_hsm_admin_password }}'
ssh -c aes256-cbc {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}
-C "client delete -f -c {{ client_name }}"
when:
- client_name in client_list.stdout

- name: Register the client certificate on the hsm_server
become: true
when: client_name not in client_list.stdout
block:
- name: Copy the NTL client cert to the HSM
ansible.builtin.shell: >
sshpass -p '{{ cifmw_hsm_admin_password }}' scp -O -c aes256-cbc
/usr/safenet/lunaclient/cert/client/{{ cifmw_hsm_client_ip }}.pem
{{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}:{{ cifmw_hsm_client_ip }}.pem
- name: Register the client
ansible.builtin.shell: >
sshpass -p '{{ cifmw_hsm_admin_password }}'
ssh -c aes256-cbc {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}
-C "client register -c {{ client_name }} -hostname {{ cifmw_hsm_client_ip }}"
register: client_register
failed_when:
- client_register.rc != 0
- "'client with the same IP address has already been registered' not in client_register.stdout"

- name: Assign client to an HSM partition
ansible.builtin.shell: >
sshpass -p '{{ cifmw_hsm_admin_password }}'
ssh -c aes256-cbc {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}
-C "client assignPartition -c {{ client_name }} -p {{ cifmw_hsm_luna_partition }}"
register: assign_partition
failed_when:
- assign_partition.rc != 0
- "'client already has access' not in assign_partition.stdout"
become: true
Loading

0 comments on commit cd7fe9f

Please sign in to comment.