Merge pull request #76 from gobindadas/luks_tang

Integrate Luks/Clevis with Tang

roles/backend_setup/tasks/bind_tang_server.yml

@@ -0,0 +1,45 @@
+---
+# Create key file with <device>_key and encrypt devices
+
+- name: Create key root file
+  no_log: true
+  copy:
+      dest: "/etc/root_key"
+      content: |
+        {{ rootpassphrase }}
+  when: gluster_infra_tangservers is defined
+
+- name: Download the advertisement from tang server
+  shell:
+    cmd: curl -sfg "{{ item.url }}/adv" -o /etc/adv{{ index }}.jws
+    warn: False
+  loop: "{{ gluster_infra_tangservers }}"
+  loop_control:
+    index_var: index
+  when: gluster_infra_tangservers is defined
+
+- name: Bind tang server with clevis
+  shell: clevis luks bind -f -k /etc/root_key -d  {{ rootdevice }} tang '{"url":"{{item.url}}", "adv":"/etc/adv{{ index }}.jws"}'
+  loop: "{{ gluster_infra_tangservers }}"
+  loop_control:
+    index_var: index
+  when: gluster_infra_tangservers is defined
+
+- name: Add network entry on /etc/dracut.conf.d/clevis.conf
+  blockinfile:
+    path: /etc/dracut.conf.d/clevis.conf
+    create: yes
+    state: present
+    block: |
+      kernel_cmdline="ip={{ networkinterface }}:dhcp"
+      omit_dracutmodules+="{{ networkinterface }}"
+    marker: "# {mark} Entry for {{networkinterface}}"
+  when: gluster_infra_tangservers is defined
+
+# Once "dracut -vf" execution is not working, so executing two times till finding issue. 
+- name: Execute dracut -vf to configure tang
+  command: dracut -vf
+  with_items:
+    - 1
+    - 2
+  when: gluster_infra_tangservers is defined

roles/backend_setup/tasks/luks_device_encrypt.yml

@@ -0,0 +1,47 @@
+---
+# This play is for blacklist devices,create key file with <device>_key and encrypt devices
+
+- name: "Blacklist gluster multipath devices"
+  no_log: true
+  blockinfile:
+    path: /etc/multipath.conf
+    state: present
+    block: |
+      blacklist {
+         devnode "^{{ item.devicename.split("/")[-1] }}"
+      }
+    marker: "# {mark} {{ item.devicename }} will be blacklisted"
+  with_items: "{{ gluster_infra_luks_devices }}"
+  when: gluster_infra_luks_devices is defined
+
+- name: Create key file
+  no_log: true
+  copy:
+      dest: "/etc/{{ item.devicename.split('/')[-1] }}_key"
+      content: |
+        {{ item.passphrase }}
+  with_items: "{{ gluster_infra_luks_devices }}"
+  when: gluster_infra_luks_devices is defined
+
+- name: Encrypt devices using key file
+  no_log: true
+  shell: echo ‘YES’ | cryptsetup luksFormat {{ item.devicename }} /etc/{{ item.devicename.split('/')[-1] }}_key
+  with_items: "{{ gluster_infra_luks_devices }}"
+  when: gluster_infra_luks_devices is defined
+
+- name: Open encrypt devices using key file
+  no_log: true
+  shell: cryptsetup luksOpen {{ item.devicename }} luks_{{ item.devicename.split('/')[-1] }} -d /etc/{{ item.devicename.split('/')[-1] }}_key
+  with_items: "{{ gluster_infra_luks_devices }}"
+  when: gluster_infra_luks_devices is defined
+
+- name: Add encrypted device entry on /etc/crypttab to auto unlock
+  no_log: true
+  blockinfile:
+    path: "/etc/crypttab"
+    state: present
+    block: |
+      luks_{{ item.devicename.split('/')[-1] }} {{ item.devicename }} /etc/{{ item.devicename.split('/')[-1] }}_key
+    marker: "# {mark} Entry for {{item.devicename}}"
+  with_items: "{{ gluster_infra_luks_devices }}"
+  when: gluster_infra_luks_devices is defined

roles/backend_setup/tasks/main.yml

@@ -138,4 +138,18 @@
   import_tasks: fstrim_service.yml
   when: fstrim_service is defined
   tags:
-    - fstrim
+    - fstrim
+
+# Encrypt devices with LUKS
+- name: Encrypt devices with LUKS
+  import_tasks: luks_device_encrypt.yml
+  when: gluster_infra_luks_devices is defined
+  tags:
+    - luksencrypt
+
+# Bind Tand server
+- name: Bind Tand server
+  import_tasks: bind_tang_server.yml
+  when: gluster_infra_tangservers is defined
+  tags:
+    - bindtang