The powervm-tang-server-automation project provides Terraform based automation code to help with the deployment of Network Bound Disk Encryption (NBDE) on IBM® Power Systems™ virtualization and cloud management.
The NBDE Server, also called the tang server, is deployed in a 3-node cluster with a single bastion host. The tang server socket listens on port 7500.
You'll need to use git to clone the deployment code when working off the main branch
$ git clone https://github.com/ibm/powervm-tang-server-automation
$ cd powervm-tang-server-automation
Update following variables in the var.tfvars based on your environment.
### PowerVC Details
auth_url = "<https://<HOSTNAME>:5000/v3/>"
user_name = "<powervc-login-user-name>"
password = "<powervc-login-user-password>"
tenant_name = "<tenant_name>"
domain_name = "Default"
# Workload
openstack_availability_zone = "<<Host Group from PowerVC>>"
network_name = "workload"
# Virtual Machines
bastion = {
image_id = "27ebd00f-cbec-4e27-993d-56e4bd441584"
instance_type = "base-ocp-squad-tiny"
count = 1
}
tang = {
image_id = "27ebd00f-cbec-4e27-993d-56e4bd441584"
instance_type = "base-ocp-squad-tiny"
count = 3
}
domain = "sslip.io"
rhel_username = "root"
public_key_file = "data/id_rsa.pub"
private_key_file = "data/id_rsa"
rhel_subscription_username = "" #Leave this as-is if using CentOS as bastion image
rhel_subscription_password = "" #Leave this as-is if using CentOS as bastion image
connection_timeout = 45
Note: rhel_image_name should reference a PowerVM image for Red Hat Enterprise Linux 8.6 or 9.0 or Centos 8.6.
Run the following commands from within the directory.
$ terraform init
$ terraform plan --var-file=var.tfvars
$ terraform apply -var-file=var.tfvars
Note: Terraform Version should be ~>1.4.0
Now wait for the installation to complete. It may take around 20 mins to complete provisioning.
On a successful installation of a cluster, the details will be printed as shown below.
bastion_public_ip = [
"163.68.*.*",
]
These details can be retrieved anytime by running the following command from the root folder of the code
$ terraform output
In case of any errors, you'll have to re-apply.
Once the deployment is completed successfully, you can connect to bastion node and fetch keys for every tang server
$ cat /root/nbde_server/keys/*
Destroy the Tang Server
$ terraform destroy -var-file var.tfvars
Per Red Hat'
s blog, we've added the nbde_server_fetch_keys: yes This downloads the keys to the 'bastion host' and customers are
expected to backup the keys using their operations processes.
- Connect to your Bastion host
- Run the playbook with the rotate keys variable
sudo env ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook \
-i inventory tang.yml -e nbde_server_rotate_keys=yes-
Connect to your Bastion host
-
Copy the
inventorytoinventory-del
cp inventory inventory-del
-
Edit the
inventory-delfor the hosts you want to rekey -
Run the playbook with the rotate keys variable
sudo env ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook \
-i inventory tang.yml -e nbde_server_rotate_keys=yesThe automation needs to run from a system with internet access. This could be your laptop or a VM with public internet connectivity. This automation code have been tested on the following Operating Systems:
- Mac OSX (Darwin)
- Linux (x86_64/ppc64le)
- Windows 10
Follow the guide to complete the prerequisites.
Follow the guide to complete the PowerVM prerequisites.
For bugs/enhancement requests etc. please open a GitHub issue
Please see the contributing doc for more details.
PRs are most welcome !!