From 72201c9918bb695dc3627ea92f23b75ab2d852d4 Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Wed, 11 Dec 2024 22:20:41 +0000 Subject: [PATCH] Simplify the role Lets take all the dependencies on a running lunaclient VM out. We suspect that with the ip checking turned off, we can use any subject in the client certs anyway, as long as the cert is uploaded to the HSM (and registered to a client). This simplifies things considerably - and makes the role more reusable by a deployer as a standalone role. Instead, we'll need the relevant bits uploaded somewhere for the deployer to retrieve. --- hooks/playbooks/barbican-cleanup-luna.yml | 25 ------ hooks/playbooks/barbican-enable-luna.yml | 25 ++---- roles/hsm_prep/README.md | 56 ++++++------- roles/hsm_prep/defaults/main.yml | 23 +++--- .../files/image_add_luna_minimal_client.sh | 25 +++--- roles/hsm_prep/tasks/cleanup.yml | 20 ----- .../tasks/generate_luna_client_certs.yaml | 54 ------------- roles/hsm_prep/tasks/luna.yml | 80 ++++++------------- .../templates/luna_cert_secret.yml.j2 | 2 +- 9 files changed, 79 insertions(+), 231 deletions(-) delete mode 100644 hooks/playbooks/barbican-cleanup-luna.yml delete mode 100644 roles/hsm_prep/tasks/generate_luna_client_certs.yaml diff --git a/hooks/playbooks/barbican-cleanup-luna.yml b/hooks/playbooks/barbican-cleanup-luna.yml deleted file mode 100644 index 559776768e..0000000000 --- a/hooks/playbooks/barbican-cleanup-luna.yml +++ /dev/null 
@@ -1,25 +0,0 @@ ---- -- name: Add lunaclient to inventory - hosts: "{{ cifmw_target_hook_host | default('localhost') }}" - tasks: - - name: Get lunaclient key - ansible.builtin.get_url: - url: "{{ cifmw_hsm_lunaclient_key }}" - dest: "{{ ansible_user_dir }}/.ssh/lunaclient" - mode: "0400" - - name: Add lunaclient VM to inventory - ansible.builtin.add_host: - name: "{{ cifmw_hsm_lunaclient_vm }}" - ansible_user: "{{ cifmw_hsm_lunaclient_user }}" - ansible_ssh_private_key_file: "{{ ansible_user_dir }}/.ssh/lunaclient" - ansible_ssh_common_args: "-o StrictHostKeyChecking=no" - -- name: Create and store modified barbican images - hosts: "{{ cifmw_hsm_lunaclient_vm }}" - tasks: - - name: Include hsm_prep role cleanup tasks - ansible.builtin.include_role: - name: hsm_prep - tasks_from: cleanup.yml - vars: - cifmw_hsm_client_ip: "{{ hostvars[ cifmw_hsm_client_machine ].ansible_host }}" diff --git a/hooks/playbooks/barbican-enable-luna.yml b/hooks/playbooks/barbican-enable-luna.yml index 93b79b03ac..f9af0eec7d 100644 --- a/hooks/playbooks/barbican-enable-luna.yml +++ b/hooks/playbooks/barbican-enable-luna.yml 
@@ -1,27 +1,17 @@ --- -- name: Add lunaclient to inventory - hosts: "{{ cifmw_target_hook_host | default('localhost') }}" - tasks: - - name: Get lunaclient key - ansible.builtin.get_url: - url: "{{ cifmw_hsm_lunaclient_key }}" - dest: "{{ ansible_user_dir }}/.ssh/lunaclient" - mode: "0400" - - name: Add lunaclient VM to inventory - ansible.builtin.add_host: - name: "{{ cifmw_hsm_lunaclient_vm }}" - ansible_user: "{{ cifmw_hsm_lunaclient_user }}" - ansible_ssh_private_key_file: "{{ ansible_user_dir }}/.ssh/lunaclient" - ansible_ssh_common_args: "-o StrictHostKeyChecking=no" - - name: Create modified barbican image and get secrets - hosts: "{{ cifmw_hsm_lunaclient_vm }}" + hosts: "{{ cifmw_target_hook_host | default('localhost') }}" tasks: - name: Include hsm_prep role ansible.builtin.include_role: name: hsm_prep vars: - cifmw_hsm_client_ip: "{{ hostvars[ cifmw_hsm_client_machine ].ansible_host }}" + cifmw_hsm_src_image_registry: "{{ content_provider_registry_ip }}:5001" + cifmw_hsm_src_image_namepace: "{{ cifmw_set_openstack_containers_namespace }}" + cifmw_hsm_src_image_tag: "{{ cifmw_update_extras['cifmw_set_openstack_containers_tag'] }}" + cifmw_hsm_dest_image_registry: "{{ content_provider_registry_ip }}:5001" + cifmw_hsm_dest_image_namepace: "{{ cifmw_set_openstack_containers_namespace }}" + cifmw_hsm_dest_image_tag: "{{ cifmw_update_extras['cifmw_set_openstack_containers_tag'] }}-luna" - name: Create kustomization to use update barbican to use luna hosts: "{{ cifmw_target_hook_host | default('localhost') }}" @@ -30,7 +20,6 @@ vars: certs_secret: "{{ cifmw_hsm_luna_cert_secret | default('barbican-luna-certs', true) }}" login_secret: "{{ cifmw_hsm_login_secret | default('hsm-login', true) }}" - cifmw_hsm_client_ip: "{{ hostvars[ cifmw_hsm_client_machine ].ansible_host }}" ansible.builtin.copy: dest: "{{ cifmw_basedir }}/artifacts/manifests/kustomizations/controlplane/93-barbican-luna.yaml" content: |- 
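Review bot: The six `vars` handed to the included role use names the role never reads: the playbook sets `cifmw_hsm_src_image_registry`, `cifmw_hsm_dest_image_registry` and the misspelled `cifmw_hsm_src_image_namepace`/`cifmw_hsm_dest_image_namepace`, while roles/hsm_prep/defaults/main.yml and roles/hsm_prep/tasks/luna.yml in this same patch consume `cifmw_hsm_barbican_src_image_registry`, `cifmw_hsm_barbican_src_image_namespace`, `cifmw_hsm_barbican_src_image_tag` and their `_dest_` counterparts. As written the overrides are silently ignored and the image build falls back to the quay.io defaults, so the content-provider registry on port 5001 is never used. Rename the six keys to the role's variable names as below. The play name `Create kustomization to use update barbican to use luna` in the second hunk also reads oddly; `Create kustomization to update barbican to use luna` is presumably intended.
```yaml
    vars:
      cifmw_hsm_barbican_src_image_registry: "{{ content_provider_registry_ip }}:5001"
      cifmw_hsm_barbican_src_image_namespace: "{{ cifmw_set_openstack_containers_namespace }}"
      cifmw_hsm_barbican_src_image_tag: "{{ cifmw_update_extras['cifmw_set_openstack_containers_tag'] }}"
      cifmw_hsm_barbican_dest_image_registry: "{{ content_provider_registry_ip }}:5001"
      cifmw_hsm_barbican_dest_image_namespace: "{{ cifmw_set_openstack_containers_namespace }}"
      cifmw_hsm_barbican_dest_image_tag: "{{ cifmw_update_extras['cifmw_set_openstack_containers_tag'] }}-luna"
```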
diff --git a/roles/hsm_prep/README.md b/roles/hsm_prep/README.md index 9587c3652c..a9c30a2720 100644 --- a/roles/hsm_prep/README.md +++ b/roles/hsm_prep/README.md @@ -1,7 +1,6 @@ # HSM Role -In order to use HSMs, the barbican images need to be customized to include the HSM software. For now, this is something -that we expect customers to do with scripts that we will provide as part of the barbican-operator code. +In order to use HSMs, the barbican images need to be customized to include the HSM software. The purpose of this role is to: * Generate new images for the barbican-api and barbican-worker containing the HSM software 
@@ -10,21 +9,18 @@ The purpose of this role is to: For the Lunasa, we expect some preparatory steps to be completed prior to execution in order for the role to complete successfully. -* We expect a VM that contains the Lunasa client software and that is registered as a lunasa client. - This VM should contain the following contents: - * The contents of the minimal linux client in a zipped tar file. - * The lunasa binaries that need to be added to the image under a specified directory. - * The lunasa HSM server cert. -* The above contents will be fetched by the role. -* The VM will be used to generate client certificates. For this, we will need the cifmw_hsm_client_ip , which - is the VM of the hypervisor hosting the openshift node. If a cert has already been generated, then - that certificate will be retrieved instead. +* The lunasa software is uploaded somewhere and will be fetched by the role + * The contents of the minimal linux client in a zipped tar file should be made available at cifmw_hsm_luna_minclient_src. + * The lunasa binaries that need to be added to the image are maded available at cifmw_hsm_luna_binaries_src. + * The lunasa HSM cacert file is made available at cifmw_hsm_luna_server_cert_src. For an HA configuration, + this will be a concatenation of all the server certs for the servers in the HA partition. + * The client certificate and key made available at cifmw_hsm_luna_client_cert_src. The files are expected + to be of the form "(cifmw_hsm_client_ip)".pem and "(cifmw_hsm_client_ip)"Key.pem * The certs will be retrieved and stored in a secret (cifmw_hsm_luna_cert_secret) * The password to log into the HSM partition will be stored in a secret (cifmw_hsm_login_secret) -* As input to this role, we will require the ssh connection details and credentials for this VM. -A minimal (one that takes the defaults) invocation of this role is shown below, where the lunaclient -is the running client VM described above. 
+A minimal (one that takes the defaults) invocation of this role is shown below. In this case, the lunaclient +software and certs are stored locally under /opt/luna. - name: Set up Luna hosts: lunaclient @@ -34,11 +30,7 @@ is the running client VM described above. - cert_prep - secret_prep vars: - cifmw_hsm_admin_password: "" - cifmw_hsm_server_ip: "IP of HSM" cifmw_hsm_client_ip: "IP of the client - this could be the hypervisor where the Openshift nodes run" - cifmw_hsm_luna_partition: "HSM partition for the client to join" - cifmw_hsm_partition_password: "" Note that tags have been provided to allow the caller to select specific operations. This may be necessary because different operations may need to executed in different CI jobs. The current tags available are: 
@@ -48,28 +40,26 @@ image_prep, cert_prep, secret_prep, cleanup ### HSM Details * `cifmw_hsm_hsmtype`: (String) The type of HSM required. Currently, only "luna" is supported. Default value: `luna` -* `cifmw_hsm_admin_user`: (String) The user to log into the HSM. Default value: `admin` -* `cifmw_hsm_admin_password`: (String) The password to log into the HSM. -* `cifmw_hsm_server_ip`: (String) ip address or hostname of the HSM -* `cifmw_hsm_partition_password: (String) The password to log into the HSM partition * `cifmw_hsm_login_secret`: (String) The secret to store the password to log into the HSM partition. Default: `hsm-login` -### Barbican Image and Details to get buildah script -* `cifmw_hsm_barbican_operator_repo`: (String) Repo for barbican-operator. Default value: "https://github.com/openstack-k8s-operators/barbican-operator.git" -* `cifmw_hsm_barbican_operator_version`: (String) Version for barbican-operator. Default value: "main" -* `cifmv_hsm_barbican_image_namespace`: (String) Namespace for barbican-operator source image. Default value: "podified-antelope-centos9" -* `cifmw_hsm_barbican_image_tag`: (String) Tag for barbican-operator source image. Default value: "current-podified" - ### Role Parameters * `cifmw_hsm_cleanup`: (Boolean) Delete all resources created by the role at the end of the testing. Default value: `false` * `cifmw_hsm_working_dir`: (String) Working directory to store artifacts. Default value: `/tmp/hsm-prep-working-dir` * `cifmw_hsm_client_ip`: (String) ip address or hostname of the client VM +### Image Details +* `cifmw_hsm_barbican_src_image_registry`: (String) Registry of the source image. Default value: `quay.io` +* `cifmw_hsm_barbican_src_image_namespace: (String) Namespace of the source image. Default value: `podified-antelope-centos9` +* `cifmw_hsm_barbican_src_image_tag: (String) Tag of the source image. Default value: `current-podified` +* `cifmw_hsm_barbican_dest_image_registry`: (String) Registry of the modified image. 
Default value: `quay.io` +* `cifmw_hsm_barbican_dest_image_namespace: (String) Namespace of the modified image. Default value: `podified-antelope-centos9` +* `cifmw_hsm_barbican_dest_image_tag: (String) Tag of the modified image. Default value: `current-podified-luna` + ### Luna Parameters -* `cifmw_hsm_luna_minclient_src`: (String) Location of linux minimal client tarball on the luna client VM. Default value: `/opt/data/Linux-Minimal-Client.tar.gz` -* `cifmw_hsm_luna_binaries_src`: (String) Location of the luna binaries on the luna client VM. Default value: `/opt/data/bin` -* `cifmw_hsm_luna_server_cert_src`: (String) Location of HSM server cert on the luna client VM. Default value: `/usr/safenet/lunaclient/cert/server` -* `cifmw_hsm_luna_client_cert_src`: (String) Location of HSM client cert on the luna client VM. Default value: `/usr/safenet/lunaclient/cert/client` +* `cifmw_hsm_luna_minclient_src`: (String) Location of linux minimal client tarball. Default value: `file:///opt/luna/Linux-Minimal-Client.tar.gz` +* `cifmw_hsm_luna_binaries_src`: (String) Location of the luna binaries. Default value: `file:///opt/luna/bin` +* `cifmw_hsm_luna_server_cert_src`: (String) Location of HSM server CA cert. Default value: `file:///opt/luna/cert/server/cacert.pem` +* `cifmw_hsm_luna_client_cert_src`: (String) Location of HSM client certs. Default value: `file:///opt/luna/cert/client` +* `cifmw_hsm_server_ca_file`: (String) Name of the cacert file in the container. Default value: `cacert.pem` * `cifmw_hsm_luna_cert_secret`: (String) Name of the secret that stores all of the needed certs for luna. Default value: `barbican-luna-certs` * `cifmw_hsm_luna_cert_secret_namespace`: (String) Namespace of the secret that stores all of the needed certs for luna. Default value: `openstack` -* `cifmw_hsm_luna_partition`: (String) HSM partition for the client to join. diff --git a/roles/hsm_prep/defaults/main.yml b/roles/hsm_prep/defaults/main.yml index 9e09a05fd1..4d6305f4ae 100644 
--- a/roles/hsm_prep/defaults/main.yml
+++ b/roles/hsm_prep/defaults/main.yml
@@ -22,24 +22,23 @@ cifmw_hsm_hsmtype: "luna"
 cifmw_hsm_admin_user: "admin"
 cifmw_hsm_login_secret: "hsm-login"
 
-### Barbican Image and Details to get buildah script
-cifmw_hsm_barbican_operator_repo: "https://github.com/openstack-k8s-operators/barbican-operator.git"
-cifmw_hsm_barbican_operator_version: "main"
-
 ### Role Parameters
 cifmw_hsm_cleanup: false
 cifmw_hsm_working_dir: "/tmp/hsm-prep-working-dir"
 
 ### Luna Parameters
-cifmw_hsm_luna_minclient_src: "/opt/data/Linux-Minimal-Client.tar.gz"
-cifmw_hsm_luna_binaries_src: "/opt/data/bin"
-cifmw_hsm_luna_server_cert_src: "/usr/safenet/lunaclient/cert/server"
-cifmw_hsm_luna_client_cert_src: "/usr/safenet/lunaclient/cert/client"
+cifmw_hsm_luna_minclient_src: "file:///opt/luna/Linux-Minimal-Client.tar.gz"
+cifmw_hsm_luna_binaries_src: "file:///opt/luna/bin/"
+cifmw_hsm_luna_server_cert_src: "file:///opt/luna/cert/server/cacert.pem"
+cifmw_hsm_luna_client_cert_src: "file:///opt/luna/cert/client/"
+cifmw_hsm_server_ca_file: "cacert.pem"
 cifmw_hsm_luna_cert_secret: "barbican-luna-certs"
 cifmw_hsm_luna_cert_secret_namespace: "openstack"
 
 ## Image details
-cifmv_hsm_barbican_image_registry: "quay.io"
-cifmv_hsm_barbican_image_namespace: "podified-antelope-centos9"
-cifmw_hsm_barbican_image_tag: "current-podified"
-cifmw_hsm_barbican_final_image_tag: "current-podified-luna"
+cifmw_hsm_barbican_src_image_registry: "quay.io"
+cifmw_hsm_barbican_src_image_namespace: "podified-antelope-centos9"
+cifmw_hsm_barbican_src_image_tag: "current-podified"
+cifmw_hsm_barbican_dest_image_registry: "quay.io"
+cifmw_hsm_barbican_dest_image_namespace: "podified-antelope-centos9"
+cifmw_hsm_barbican_dest_image_tag: "current-podified-luna"
diff --git a/roles/hsm_prep/files/image_add_luna_minimal_client.sh b/roles/hsm_prep/files/image_add_luna_minimal_client.sh
index 5067626338..e9125ca122 100755
--- a/roles/hsm_prep/files/image_add_luna_minimal_client.sh
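Review bot: `cifmw_hsm_luna_binaries_src` and `cifmw_hsm_luna_client_cert_src` are given with a trailing slash (`file:///opt/luna/bin/`, `file:///opt/luna/cert/client/`) while roles/hsm_prep/tasks/luna.yml in this patch appends `/{{ item}}` and `/{{ cifmw_hsm_client_ip }}.pem` to them, yielding double-slash URLs, and the README in this patch documents both defaults without the slash. Drop it here: `cifmw_hsm_luna_binaries_src: "file:///opt/luna/bin"` and `cifmw_hsm_luna_client_cert_src: "file:///opt/luna/cert/client"`. The retained context line `cifmw_hsm_admin_user: "admin"` appears to have no consumer left once the ssh-based client registration tasks in cleanup.yml and generate_luna_client_certs.yaml are removed, and its README entry is deleted, so it presumably should be removed as well.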
+++ b/roles/hsm_prep/files/image_add_luna_minimal_client.sh 
@@ -9,14 +9,17 @@ set -x set -o errexit set -o pipefail -BARBICAM_IMAGE_REGISTRY=${BARBICAN_IMAGE_REGISTRY:-"quay.io"} -BARBICAN_IMAGE_NAMESPACE=${BARBICAN_IMAGE_NAMESPACE:-"podified-antelope-centos9"} -BARBICAN_IMAGE_TAG=${BARBICAN_IMAGE_TAG:-"current-podified"} -BARBICAN_API_IMAGE="$BARBICAM_IMAGE_REGISTRY/$BARBICAN_IMAGE_NAMESPACE/openstack-barbican-api:$BARBICAN_IMAGE_TAG" -BARBICAN_WORKER_IMAGE="$BARBICAM_IMAGE_REGISTRY/$BARBICAN_IMAGE_NAMESPACE/openstack-barbican-worker:$BARBICAN_IMAGE_TAG" -BARBICAM_FINAL_IMAGE_TAG_X=${BARBICAN_FINAL_IMAGE_TAG:-"current-podified-luna"} -BARBICAN_API_FINAL_IMAGE="$BARBICAM_IMAGE_REGISTRY/$BARBICAN_IMAGE_NAMESPACE/openstack-barbican-api:${BARBICAM_FINAL_IMAGE_TAG_X}" -BARBICAN_WORKER_FINAL_IMAGE="$BARBICAM_IMAGE_REGISTRY/$BARBICAN_IMAGE_NAMESPACE/openstack-barbican-worker:${BARBICAM_FINAL_IMAGE_TAG_X}" +BARBICAM_SRC_IMAGE_REGISTRY=${BARBICAN_SRC_IMAGE_REGISTRY:-"quay.io"} +BARBICAN_SRC_IMAGE_NAMESPACE=${BARBICAN_SRC_IMAGE_NAMESPACE:-"podified-antelope-centos9"} +BARBICAN_SRC_IMAGE_TAG=${BARBICAN_SRC_IMAGE_TAG:-"current-podified"} +BARBICAN_SRC_API_IMAGE="$BARBICAM_SRC_IMAGE_REGISTRY/$BARBICAN_SRC_IMAGE_NAMESPACE/openstack-barbican-api:$BARBICAN_SRC_IMAGE_TAG" +BARBICAN_SRC_WORKER_IMAGE="$BARBICAM_SRC_IMAGE_REGISTRY/$BARBICAN_SRC_IMAGE_NAMESPACE/openstack-barbican-worker:$BARBICAN_SRC_IMAGE_TAG" + +BARBICAM_DEST_IMAGE_REGISTRY=${BARBICAN_DEST_IMAGE_REGISTRY:-"quay.io"} +BARBICAN_DEST_IMAGE_NAMESPACE=${BARBICAN_DEST_IMAGE_NAMESPACE:-"podified-antelope-centos9"} +BARBICAN_DEST_IMAGE_TAG=${BARBICAN_DEST_IMAGE_TAG:-"current-podified"} +BARBICAN_DEST_API_IMAGE="$BARBICAM_DEST_IMAGE_REGISTRY/$BARBICAN_DEST_IMAGE_NAMESPACE/openstack-barbican-api:$BARBICAN_DEST_IMAGE_TAG" +BARBICAN_DEST_WORKER_IMAGE="$BARBICAM_DEST_IMAGE_REGISTRY/$BARBICAN_DEST_IMAGE_NAMESPACE/openstack-barbican-worker:$BARBICAN_DEST_IMAGE_TAG" # LUNA_LINUX_MINIMAL_CLIENT_DIR - location of the "linux-minimal" directory # in your client media. 
This could be a path to a mounted ISO or a path to @@ -45,9 +48,9 @@ function install_client() { buildah add --chown root:root $container $LUNA_CLIENT_BIN/ckdemo /usr/local/bin/ buildah commit --tls-verify=false $container $2 - podman push --tls-verify=false $2 + # podman push --tls-verify=false $2 buildah rm $container } -install_client $BARBICAN_API_IMAGE $BARBICAN_API_FINAL_IMAGE -install_client $BARBICAN_WORKER_IMAGE $BARBICAN_WORKER_FINAL_IMAGE +install_client $BARBICAN_SRC_API_IMAGE $BARBICAN_DEST_API_FINAL_IMAGE +install_client $BARBICAN_SRC_WORKER_IMAGE $BARBICAN_DEST_WORKER_FINAL_IMAGE diff --git a/roles/hsm_prep/tasks/cleanup.yml b/roles/hsm_prep/tasks/cleanup.yml index 94b173dfbe..918cddd23f 100644 --- a/roles/hsm_prep/tasks/cleanup.yml +++ b/roles/hsm_prep/tasks/cleanup.yml @@ -9,26 +9,6 @@ ansible.builtin.debug: msg: "Running cleanup tasks here" - - name: Set fact for client_name - ansible.builtin.set_fact: - client_name: "{{ cifmw_hsm_client_ip }}" - - - name: Check for existing HSM client - ansible.builtin.shell: > - sshpass -p '{{ cifmw_hsm_admin_password }}' - ssh -o StrictHostKeyChecking=false -c aes256-cbc - {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }} - -C client list - register: client_list - - - name: Delete existing client when rotating certs - ansible.builtin.shell: > - sshpass -p '{{ cifmw_hsm_admin_password }}' - ssh -c aes256-cbc {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }} - -C "client delete -f -c {{ client_name }}" - when: - - client_name in client_list.stdout - - name: Remove the working directory delegate_to: localhost become: true diff --git a/roles/hsm_prep/tasks/generate_luna_client_certs.yaml b/roles/hsm_prep/tasks/generate_luna_client_certs.yaml deleted file mode 100644 index 63e057a38c..0000000000 --- a/roles/hsm_prep/tasks/generate_luna_client_certs.yaml +++ /dev/null 
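Review bot: `BARBICAN_DEST_IMAGE_TAG` defaults to `"current-podified"`, the same value as `BARBICAN_SRC_IMAGE_TAG`, so a run that relies on the script's own defaults commits the modified images over the source tag in local storage; roles/hsm_prep/defaults/main.yml in this patch uses `current-podified-luna` for the destination. Change the line to `BARBICAN_DEST_IMAGE_TAG=${BARBICAN_DEST_IMAGE_TAG:-"current-podified-luna"}`. The `BARBICAM_` spelling of `BARBICAM_SRC_IMAGE_REGISTRY` and `BARBICAM_DEST_IMAGE_REGISTRY` is consistent within the script but differs from the `BARBICAN_*` environment names the role exports, which makes the registry variables easy to misread when grepping between the two files.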
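Review bot: The two `install_client` calls reference `$BARBICAN_DEST_API_FINAL_IMAGE` and `$BARBICAN_DEST_WORKER_FINAL_IMAGE`, which are defined nowhere; the first hunk defines `BARBICAN_DEST_API_IMAGE` and `BARBICAN_DEST_WORKER_IMAGE`. The script enables errexit and pipefail but not nounset, so `$2` expands to an empty string and `buildah commit --tls-verify=false $container` runs without a target name, leaving the committed image unnamed. Fix the calls to `install_client $BARBICAN_SRC_API_IMAGE $BARBICAN_DEST_API_IMAGE` and `install_client $BARBICAN_SRC_WORKER_IMAGE $BARBICAN_DEST_WORKER_IMAGE`, and consider adding `set -o nounset` next to the existing `set -o` lines so an undefined variable fails fast. With `podman push` commented out the images stay in local storage only, so the `BARBICAN_DEST_*` registry settings have no effect unless a push happens elsewhere; if that is intended, a one-line comment above the commented push saying where the push now occurs would help.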
@@ -1,54 +0,0 @@ -- name: Set fact for client_name - ansible.builtin.set_fact: - client_name: "{{ cifmw_hsm_client_ip }}" - -- name: Generate a new client cert for NTL - ansible.builtin.command: /usr/safenet/lunaclient/bin/vtl createCert -n "{{ cifmw_hsm_client_ip }}" - become: true - -- name: Get the hsm server cert from the hsm_server - ansible.builtin.shell: > - sshpass -p '{{ cifmw_hsm_admin_password }}' - scp -O -o StrictHostKeyChecking=false -c aes256-cbc - {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}:server.pem - /usr/safenet/lunaclient/bin/{{ cifmw_hsm_server_ip }}.pem - args: - creates: /usr/safenet/lunaclient/bin/{{ cifmw_hsm_server_ip }}.pem - become: true - -- name: Delete existing client if present - ansible.builtin.shell: > - sshpass -p '{{ cifmw_hsm_admin_password }}' - ssh -c aes256-cbc {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }} - -C "client delete -f -c {{ client_name }}" - register: client_delete - failed_when: - - client_delete.rc != 0 - - "'There is no registered client with the name you specified' not in client_delete.stdout" - -- name: Copy the NTL client cert to the HSM - ansible.builtin.shell: > - sshpass -p '{{ cifmw_hsm_admin_password }}' scp -O -c aes256-cbc - /usr/safenet/lunaclient/cert/client/{{ cifmw_hsm_client_ip }}.pem - {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}:{{ cifmw_hsm_client_ip }}.pem - -- name: Register the client - ansible.builtin.shell: > - sshpass -p '{{ cifmw_hsm_admin_password }}' - ssh -c aes256-cbc {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }} - -C "client register -c {{ client_name }} -ip {{ cifmw_hsm_client_ip }}" - register: client_register - failed_when: - - client_register.rc != 0 - - "'client with the same IP address has already been registered' not in client_register.stdout" - -- name: Assign client to an HSM partition - ansible.builtin.shell: > - sshpass -p '{{ cifmw_hsm_admin_password }}' - ssh -c aes256-cbc {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }} - -C "client 
assignPartition -c {{ client_name }} -p {{ cifmw_hsm_luna_partition }}" - register: assign_partition - failed_when: - - assign_partition.rc != 0 - - "'client already has access' not in assign_partition.stdout" - become: true diff --git a/roles/hsm_prep/tasks/luna.yml b/roles/hsm_prep/tasks/luna.yml index 9e174c4266..01ba51d34b 100644 --- a/roles/hsm_prep/tasks/luna.yml +++ b/roles/hsm_prep/tasks/luna.yml @@ -15,7 +15,6 @@ # under the License. - name: Create working directories - delegate_to: localhost tags: always ansible.builtin.file: path: "{{ item }}" @@ -32,23 +31,20 @@ - name: Extract luna software tags: image_prep block: - - name: Fetch the linux minimal client - ansible.builtin.fetch: - src: "{{ cifmw_hsm_luna_minclient_src }}" + - name: Get the linux minimal client + ansible.builtin.get_url: + url: "{{ cifmw_hsm_luna_minclient_src }}" dest: "{{ cifmw_hsm_working_dir }}/" - flat: true - name: Extract the minimal client - delegate_to: localhost ansible.builtin.unarchive: src: "{{ cifmw_hsm_working_dir }}/{{ cifmw_hsm_luna_minclient_src | basename }}" dest: "{{ cifmw_hsm_working_dir }}/client/" - - name: Fetch the binaries - ansible.builtin.fetch: - src: "{{ cifmw_hsm_luna_binaries_src }}/{{ item}}" + - name: Get the binaries + ansible.builtin.get_url: + url: "{{ cifmw_hsm_luna_binaries_src }}/{{ item}}" dest: "{{ cifmw_hsm_working_dir }}/bin/" - flat: true loop: - "vtl" - "lunacm" @@ -56,7 +52,6 @@ - "ckdemo" - name: Download build tools - delegate_to: localhost become: true tags: image_prep ansible.builtin.dnf: 
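Review bot: `Get the binaries` fetches `vtl`, `lunacm`, `ckdemo` and the rest with `ansible.builtin.get_url` and no `mode:`, so the files are written without an execute bit; the visible `buildah add --chown root:root ...` lines in image_add_luna_minimal_client.sh set ownership but not permissions, so unless that script adjusts the mode elsewhere the copies under /usr/local/bin in the image are presumably not executable — add `mode: "0755"` to that task. `Extract the minimal client` now runs on the hook host instead of being delegated to localhost, but `ansible.builtin.unarchive` without `remote_src: true` looks up `src` on the controller; that only works while `cifmw_target_hook_host` resolves to localhost, so add `remote_src: true`. The `{{ item}}` in the url expression lacks the space before the closing braces; Jinja accepts it, but it should match the spacing used elsewhere in the file.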
@@ -65,71 +60,44 @@ - podman state: present -- name: Clone barbican-operator to get buildah script - delegate_to: localhost - tags: image_prep - ansible.builtin.git: - repo: "{{ cifmw_hsm_barbican_operator_repo }}" - dest: "{{ cifmw_hsm_working_dir}}/barbican_operator" - version: "{{ cifmw_hsm_barbican_operator_version }}" - force: true - -# TODO(alee) Use the buildah script from the barbican-operator once it has merged -# ansible.builtin.command: "{{ cifmw_hsm_working_dir}}/barbican_operator/hack/image_add_luna_minimal_client.sh" - name: Create and store new images - delegate_to: localhost tags: image_prep ansible.builtin.script: "image_add_luna_minimal_client.sh" environment: - BARBICAN_IMAGE_REGISTRY: "{{ content_provider_registry_ip }}:5001" - BARBICAN_IMAGE_NAMESPACE: "{{ cifmw_set_openstack_containers_namespace }}" - BARBICAN_IMAGE_TAG: "{{ cifmw_update_extras['cifmw_set_openstack_containers_tag'] }}" - BARBICAN_FINAL_IMAGE_TAG: "{{ cifmw_update_extras['cifmw_set_openstack_containers_tag'] }}-luna" + BARBICAN_SRC_IMAGE_REGISTRY: "{{ cifmw_hsm_barbican_src_image_registry }}" + BARBICAN_SRC_IMAGE_NAMESPACE: "{{ cifmw_hsm_barbican_src_image_namespace }}" + BARBICAN_SRC_IMAGE_TAG: "{{ cifmw_hsm_barbican_src_image_tag }}" + BARBICAN_DEST_IMAGE_REGISTRY: "{{ cifmw_hsm_barbican_dest_image_registry }}" + BARBICAN_DEST_IMAGE_NAMESPACE: "{{ cifmw_hsm_barbican_dest_image_namespace }}" + BARBICAN_DEST_IMAGE_TAG: "{{ cifmw_hsm_barbican_dest_image_tag }}" LUNA_LINUX_MINIMAL_CLIENT_DIR: "{{ cifmw_hsm_working_dir }}/client/linux-minimal" LUNA_CLIENT_BIN: "{{ cifmw_hsm_working_dir }}/bin" - name: Get certs and keys - become: true tags: cert_prep block: - - name: Fetch the server cert - ansible.builtin.fetch: - src: "{{ cifmw_hsm_luna_server_cert_src }}/{{ cifmw_hsm_server_ip }}Cert.pem" + - name: Get the server CA cert + ansible.builtin.get_url: + url: "{{ cifmw_hsm_luna_server_cert_src }}" + dest: "{{ cifmw_hsm_working_dir }}/certs/{{ cifmw_hsm_server_ca_file }}" + + - name: 
Get client cert + ansible.builtin.get_url: + url: "{{ cifmw_hsm_luna_client_cert_src }}/{{ cifmw_hsm_client_ip }}.pem" dest: "{{ cifmw_hsm_working_dir }}/certs/" - flat: true - - - name: Check if client cert exists - ansible.builtin.stat: - path: "{{ cifmw_hsm_luna_client_cert_src }}/{{ cifmw_hsm_client_ip }}.pem" - register: client_cert_stat - - name: Check if client key exists - ansible.builtin.stat: - path: "{{ cifmw_hsm_luna_client_cert_src }}/{{ cifmw_hsm_client_ip }}Key.pem" - register: client_key_stat - - - name: Generate certs if they do not already exist - ansible.builtin.import_tasks: generate_luna_client_certs.yaml - when: not client_cert_stat.stat.exists or not client_key_stat.stat.exists - - - name: Fetch the client cert and key - ansible.builtin.fetch: - src: "{{ cifmw_hsm_luna_client_cert_src }}/{{ item }}" + - name: Get client key + ansible.builtin.get_url: + url: "{{ cifmw_hsm_luna_client_cert_src }}/{{ cifmw_hsm_client_ip }}Key.pem" dest: "{{ cifmw_hsm_working_dir }}/certs/" - flat: true - loop: - - "{{ cifmw_hsm_client_ip }}.pem" - - "{{ cifmw_hsm_client_ip }}Key.pem" - name: Write out the HSM cert secret template file - delegate_to: localhost tags: cert_prep ansible.builtin.template: src: "luna_cert_secret.yml.j2" dest: "{{ cifmw_hsm_working_dir }}/luna_cert_secret.yml" - name: Create the HSM cert secret - delegate_to: localhost tags: cert_prep environment: KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}" @@ -137,14 +105,12 @@ ansible.builtin.command: "oc apply -f {{ cifmw_hsm_working_dir }}/luna_cert_secret.yml" - name: Write out the hsm-login secret - delegate_to: localhost tags: secret_prep ansible.builtin.template: src: "login_secret.yml.j2" dest: "{{ cifmw_hsm_working_dir }}/login_secret.yml" - name: Create the hsm-login secret - delegate_to: localhost tags: secret_prep environment: KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}" 
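Review bot: `Get client key` writes the client's private key `{{ cifmw_hsm_client_ip }}Key.pem` into `{{ cifmw_hsm_working_dir }}/certs/` with get_url's default permissions, and the default working directory is `/tmp/hsm-prep-working-dir`, so the key is readable by other users of the hook host; add `mode: "0600"` to that task, and presumably a restrictive `mode` on the certs directory in the `Create working directories` task at the top of the file (its mode is not visible in this hunk). The CA cert, client cert and key are now pulled from whatever URL `cifmw_hsm_luna_server_cert_src`/`cifmw_hsm_luna_client_cert_src` point at with no integrity check before they are baked into the `barbican-luna-certs` secret; when the source is a remote server rather than `file://`, get_url's `checksum` parameter fed from a deployer-supplied digest variable would pin what is trusted. `Get the server CA cert` uses a file `dest:` while the two client tasks use a directory `dest:`; both work, but a short comment noting that `cifmw_hsm_server_ca_file` must already be the concatenated CA bundle in the HA case (as the README states) would save a deployer from discovering it at runtime.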
diff --git a/roles/hsm_prep/templates/luna_cert_secret.yml.j2 b/roles/hsm_prep/templates/luna_cert_secret.yml.j2 index 506d7a113c..b31ea7a8bc 100644 --- a/roles/hsm_prep/templates/luna_cert_secret.yml.j2 +++ b/roles/hsm_prep/templates/luna_cert_secret.yml.j2 @@ -7,4 +7,4 @@ metadata: data: "{{ cifmw_hsm_client_ip }}.pem": "{{ lookup('ansible.builtin.file', cifmw_hsm_working_dir + '/certs/' + cifmw_hsm_client_ip + '.pem') | string | b64encode }}" "{{ cifmw_hsm_client_ip }}Key.pem": "{{ lookup('ansible.builtin.file', cifmw_hsm_working_dir + '/certs/' + cifmw_hsm_client_ip + 'Key.pem') | string | b64encode }}" - "CACert.pem": "{{ lookup('ansible.builtin.file', cifmw_hsm_working_dir + '/certs/' + cifmw_hsm_server_ip + 'Cert.pem') | string | b64encode }}" + "CACert.pem": "{{ lookup('ansible.builtin.file', cifmw_hsm_working_dir + '/certs/' + cifmw_hsm_server_ca_file) | string | b64encode }}"