Merge pull request #818 from Anand-Reddy7/anand-4171

Adding IBM Key Protect Support

Author: rajan-mis

roles/kp_encryption_apply/README.MD

@@ -0,0 +1,54 @@
+# Enabling Encryption with IBM® Key Protect on IBM Storage Scale
+
+IBM® Key Protect is a powerful service on IBM Cloud that simplifies the provisioning and storage of encrypted keys for applications across IBM Cloud services. By using IBM Key Protect, you can centralize the management of data encryption and efficiently oversee the entire key lifecycle, providing a robust foundation for securing your data on an IBM Storage Scale cluster.
+
+## Setting Up IBM Key Protect
+
+The first step in enabling encryption for your Storage Scale cluster file system is to create a Key Protect service. Once the service is set up, you will generate an encryption key and apply an encryption policy to your desired file system within the cluster. For a detailed guide on setting up and managing your Key Protect service, refer to the [IBM Key Protect documentation](https://cloud.ibm.com/docs/key-protect?topic=key-protect-about).
+
+## Configuring Cluster Nodes
+
+To ensure that every node in the cluster can access the encrypted file system, it's essential to have specific configuration files on each node. These include:
+
+- `/var/mmfs/etc/RKM.conf`
+- `/var/mmfs/etc/prefix.p12`
+
+These files are critical for enabling secure access to the encrypted file system across the entire cluster. Without them, nodes will not be able to interact with the encrypted data.
+
+## Understanding Secure Storage and Data Protection
+
+Secure storage relies on encryption to render data unreadable to unauthorized users. Data is encrypted while at rest (on disk) and decrypted only when accessed by authorized users. It's important to note that encryption protects only the data itself, not the associated metadata.
+
+IBM GPFS encryption safeguards against various threats, including disk theft or improper disposal, and unprivileged user attacks in a multi-tenant cluster. However, it does not protect against malicious actions by a cluster administrator.
+
+In addition to securing data, GPFS encryption facilitates secure data deletion. By leveraging encryption and key management, it ensures that once the master encryption keys are deleted from the key server, the data becomes irretrievable. For more details, refer to [Encryption keys](https://www.ibm.com/docs/en/STXKQY_5.1.8/com.ibm.spectrum.scale.v5r10.doc/bl1adv_encryptionkeys.html#encryptionkeys).
+
+## Applying Encryption on the IBM Storage Scale
+
+The `kp_encryption_apply` Ansible role simplifies the encryption process by automating the following tasks:
+
+- Applying the encryption policy to the IBM Storage Scale cluster file system.
+- Validating the encryption to ensure proper implementation.
+
+## Verifying Encryption on the File System
+
+1. Log in to any of the cluster nodes (storage or compute) using the following SSH command and switch to the `root` user:
+
+    ```bash
+    ssh -J root@BASTION_SERVER vpcuser@STORAGE_NODE
+    sudo -i
+    ```
+
+2. Validate the policy applied to the cluster by running the following command:
+
+    ```bash
+    mmlspolicy FILESYSTEM_NAME -L
+    ```
+
+3. Check the encryption status of a specific file by running the following command:
+
+    ```bash
+    mmlsattr -n gpfs.Encryption FILE_NAME
+    ```
+
+For more in-depth information about encryption in IBM Spectrum Scale, including various encryption use cases, see the [Encryption documentation](https://www.ibm.com/docs/en/storage-scale/5.1.8?topic=administering-encryption).

roles/kp_encryption_apply/tasks/apply_encryption.yml

@@ -0,0 +1,31 @@
+# Apply Encryption Policy on IBM Storge Scale Cluster
+
+- name:  KeyProtect Encryption | Encryption Apply | Check encryption policy for file system
+  command: mmlspolicy {{ filesystem_mountpoint }} -L
+  register: policy_output
+  ignore_errors: yes
+
+- name:  KeyProtect Encryption | Encryption Apply | Check if encryption policy is applied
+  set_fact:
+    encryption_applied: "{{ 'KEYS' in policy_output.stdout }}"
+
+- name: KeyProtect Encryption | Encryption Apply | Check if KP.fsenc.pol file exists
+  stat:
+    path: /var/mmfs/etc/KP.fsenc.pol
+  register: fsenc_pol_stat
+  when: not encryption_applied
+
+- name: KeyProtect Encryption | Encryption Apply | Apply Policy
+  command: mmchpolicy {{ filesystem_mountpoint }} /var/mmfs/etc/KP.fsenc.pol
+  when: not encryption_applied
+  run_once: true
+
+- name: KeyProtect Encryption | Encryption Apply | Show Applied Policy
+  command: mmlspolicy {{ filesystem_mountpoint }} -L
+  register: policy_output
+  run_once: true
+
+- name: KeyProtect Encryption | Encryption Apply | Display Policy Output
+  debug:
+    msg: "{{ policy_output.stdout }}"
+  run_once: true

roles/kp_encryption_apply/tasks/main.yml

@@ -0,0 +1,4 @@
+
+# Import the 'apply_encryption.yml' task to Apply the Encryption on the Scale Cluster.
+
+- import_tasks: apply_encryption.yml

roles/kp_encryption_apply/vars/main.yml

@@ -0,0 +1,4 @@
+# Static Variables for Encryption
+
+# Scale File System Mount Point
+filesystem_mountpoint: "{{ filesystem_mountpoint }}"

roles/kp_encryption_configure/README.MD

@@ -0,0 +1,33 @@
+# Enabling Encryption with IBM® Key Protect on IBM Storage Scale
+
+IBM® Key Protect is a powerful service on IBM Cloud that simplifies the provisioning and storage of encrypted keys for applications across IBM Cloud services. By using IBM Key Protect, you can centralize the management of data encryption and efficiently oversee the entire key lifecycle, providing a robust foundation for securing your data on an IBM Storage Scale cluster.
+
+## Setting Up IBM Key Protect
+
+The first step in enabling encryption for your Storage Scale cluster file system is to create a Key Protect service. Once the service is set up, you will generate an encryption key and apply an encryption policy to your desired file system within the cluster. For a detailed guide on setting up and managing your Key Protect service, refer to the [IBM Key Protect documentation](https://cloud.ibm.com/docs/key-protect?topic=key-protect-about).
+
+## Configuring Cluster Nodes
+
+To ensure that every node in the cluster can access the encrypted file system, it's essential to have specific configuration files on each node. These include:
+
+- `/var/mmfs/etc/RKM.conf`
+- `/var/mmfs/etc/prefix.p12`
+
+These files are critical for enabling secure access to the encrypted file system across the entire cluster. Without them, nodes will not be able to interact with the encrypted data.
+
+## Understanding Secure Storage and Data Protection
+
+Secure storage relies on encryption to render data unreadable to unauthorized users. Data is encrypted while at rest (on disk) and decrypted only when accessed by authorized users. It's important to note that encryption protects only the data itself, not the associated metadata.
+
+IBM GPFS encryption safeguards against various threats, including disk theft or improper disposal, and unprivileged user attacks in a multi-tenant cluster. However, it does not protect against malicious actions by a cluster administrator.
+
+In addition to securing data, GPFS encryption facilitates secure data deletion. By leveraging encryption and key management, it ensures that once the master encryption keys are deleted from the key server, the data becomes irretrievable. For more details, refer to [Encryption keys](https://www.ibm.com/docs/en/STXKQY_5.1.8/com.ibm.spectrum.scale.v5r10.doc/bl1adv_encryptionkeys.html#encryptionkeys).
+
+## Configuring Key Protect
+
+The `kp_encryption_configure` Ansible role automates the distribution of essential files to streamline the encryption process:
+
+- Distributing the `.p12` and `RKM.conf` files to all servers to enable encryption.
+
+
+For more in-depth information about encryption in IBM Spectrum Scale, including various encryption use cases, see the [Encryption documentation](https://www.ibm.com/docs/en/storage-scale/5.1.8?topic=administering-encryption).

roles/kp_encryption_configure/tasks/copy_config_files_to_remote.yml

@@ -0,0 +1,33 @@
+# Distribute .p12 and RKM.conf files to all servers to apply encryption.
+
+- block:
+    - name: KeyProtect Encryption | Encryption Configuration | Check .p12
+      stat:
+        path: "/var/mmfs/etc/{{ kp_resource_prefix }}.p12"
+      register: p12_file_stat
+
+    - name: KeyProtect Encryption | Encryption Configuration | Copy .p12
+      copy:
+        src: "{{ key_protect_cert_files_dir }}/{{ kp_resource_prefix }}.p12"
+        dest: "/var/mmfs/etc/{{ kp_resource_prefix }}.p12"
+        owner: root
+        group: root
+        mode: '0600'
+      when: not p12_file_stat.stat.exists
+      register: p12_copy_result
+
+    - name: KeyProtect Encryption | Encryption Configuration | Check RKM.conf
+      stat:
+        path: "/var/mmfs/etc/RKM.conf"
+      register: rkm_conf_stat
+
+    - name: KeyProtect Encryption | Encryption Configuration | Copy RKM.conf
+      copy:
+        src: "{{ key_protect_cert_files_dir }}/RKM.conf"
+        dest: "/var/mmfs/etc/RKM.conf"
+        owner: root
+        group: root
+        mode: '0600'
+      when: not rkm_conf_stat.stat.exists
+
+  when: key_protect_cert_files_dir is defined and key_protect_cert_files_dir | length > 0

roles/kp_encryption_configure/tasks/main.yml

@@ -0,0 +1,4 @@
+
+# Import the 'copy_config_files_to_remote.yml' task to obtain the RKM.conf and .p12 certificate files and copy them to Bootstrap node.
+
+- import_tasks: copy_config_files_to_remote.yml

roles/kp_encryption_configure/vars/main.yml

@@ -0,0 +1,7 @@
+# Static Variables for Encryption
+
+# Resource Prefix
+kp_resource_prefix: "{{ kp_resource_prefix }}"
+
+# Key Protect files path on Bootstrap node
+key_protect_cert_files_dir: "/opt/IBM/ibm-spectrumscale-cloud-deploy/key_protect"

roles/kp_encryption_prepare/README.MD

@@ -0,0 +1,37 @@
+# Enabling Encryption with IBM® Key Protect on IBM Storage Scale
+
+IBM® Key Protect is a powerful service on IBM Cloud that simplifies the provisioning and storage of encrypted keys for applications across IBM Cloud services. By using IBM Key Protect, you can centralize the management of data encryption and efficiently oversee the entire key lifecycle, providing a robust foundation for securing your data on an IBM Storage Scale cluster.
+
+## Setting Up IBM Key Protect
+
+The first step in enabling encryption for your Storage Scale cluster file system is to create a Key Protect service. Once the service is set up, you will generate an encryption key and apply an encryption policy to your desired file system within the cluster. For a detailed guide on setting up and managing your Key Protect service, refer to the [IBM Key Protect documentation](https://cloud.ibm.com/docs/key-protect?topic=key-protect-about).
+
+## Configuring Cluster Nodes
+
+To ensure that every node in the cluster can access the encrypted file system, it's essential to have specific configuration files on each node. These include:
+
+- `/var/mmfs/etc/RKM.conf`
+- `/var/mmfs/etc/prefix.p12`
+
+These files are critical for enabling secure access to the encrypted file system across the entire cluster. Without them, nodes will not be able to interact with the encrypted data.
+
+## Understanding Secure Storage and Data Protection
+
+Secure storage relies on encryption to render data unreadable to unauthorized users. Data is encrypted while at rest (on disk) and decrypted only when accessed by authorized users. It's important to note that encryption protects only the data itself, not the associated metadata.
+
+IBM GPFS encryption safeguards against various threats, including disk theft or improper disposal, and unprivileged user attacks in a multi-tenant cluster. However, it does not protect against malicious actions by a cluster administrator.
+
+In addition to securing data, GPFS encryption facilitates secure data deletion. By leveraging encryption and key management, it ensures that once the master encryption keys are deleted from the key server, the data becomes irretrievable. For more details, refer to [Encryption keys](https://www.ibm.com/docs/en/STXKQY_5.1.8/com.ibm.spectrum.scale.v5r10.doc/bl1adv_encryptionkeys.html#encryptionkeys).
+
+## Preparation of the Key Protect service:
+
+To streamline the encryption setup process, the `kp_encryption_prepare` Ansible role automates the following tasks:
+
+- Creating a directory and password file for non-interactive deployment of Key Protect.
+- Copying SSL certificates from the bootstrap node to the management node.
+- Creating a `.p12` certificate store.
+- Generating the encryption key.
+- Creating a policy file.
+- Updating the `RKM.conf` file.
+
+For more in-depth information about encryption in IBM Spectrum Scale, including various encryption use cases, see the [Encryption documentation](https://www.ibm.com/docs/en/storage-scale/5.1.8?topic=administering-encryption).

roles/kp_encryption_prepare/tasks/copy_encryption_files_to_ansible_master.yml

@@ -0,0 +1,46 @@
+# Get RKM.conf and .p12 cert
+
+- block:
+    - name: KeyProtect Encryption | Encryption Prepare | Check .p12 exists
+      stat:
+        path: "{{ key_protect_dir }}/{{ resource_prefix }}.p12"
+      register: p12_file_stat
+
+    - name: KeyProtect Encryption | Encryption Prepare | Update permissions
+      file: 
+        path: "{{ key_protect_dir }}/{{ resource_prefix }}.p12"
+        mode: '0644'
+      when: p12_file_stat.stat.exists
+      run_once: true
+
+    - name: KeyProtect Encryption | Encryption Prepare | Check RKM.conf
+      stat:
+        path: "{{ key_protect_dir }}/RKM.conf"
+      register: rkm_conf_stat
+
+    - name: KeyProtect Encryption | Encryption Prepare | Copy RKM.comf
+      template:
+        src: "templates/RKM.conf.j2"
+        dest: "{{ key_protect_dir }}/RKM.conf"
+        owner: root
+        group: root
+        mode: '0600'
+      when: not rkm_conf_stat.stat.exists
+      run_once: true
+
+    - name: KeyProtect Encryption | Encryption Prepare | Fetch .p12 
+      fetch:
+        src: "{{ key_protect_dir }}/{{ resource_prefix }}.p12"
+        dest: "{{ key_protect_cert_files_dir }}/"
+        flat: yes
+      when: p12_file_stat.stat.exists
+      run_once: true
+
+    - name: KeyProtect Encryption | Encryption Prepare | Fetch RKM.conf
+      fetch:
+        src: "{{ key_protect_dir }}/RKM.conf"
+        dest: "{{ key_protect_cert_files_dir }}/"
+        flat: yes
+      run_once: true
+
+  when: key_protect_dir is defined and key_protect_dir | length > 0

roles/kp_encryption_prepare/tasks/create_encryption_key.yml

@@ -0,0 +1,76 @@
+# Create .p12 certificate and Create Encryption Key
+# Create a Policy file
+
+- block:
+    - name: KeyProtect Encryption | Encryption Prepare | Check if .p12 cert exists
+      stat:
+        path: "{{ key_protect_dir }}/{{ resource_prefix }}.p12"
+      register: cert_file_stat
+
+    - name: Run mmgskkm store command | Encryption Prepare | Create a .p12 Store Cert
+      command: mmgskkm store --pwd "{{ scale_encryption_admin_password }}" --label "{{ resource_prefix }}" --cert "{{ key_protect_dir }}/{{ resource_prefix }}.cert" --priv "{{ key_protect_dir }}/{{ resource_prefix }}.key" --out "{{ key_protect_dir }}/{{ resource_prefix }}.p12"
+      args:
+        chdir: "{{ key_protect_dir }}"
+      when: not cert_file_stat.stat.exists
+      run_once: true
+
+    - name: Run mmgskkm trust command | Encryption Prepare | Apply Trust on .p12 Cert
+      command: mmgskkm trust --prefix "{{ key_protect_dir }}/Key_Protect_Server.chain" --pwd "{{ scale_encryption_admin_password }}" --label "{{ resource_prefix }}" --out "{{ key_protect_dir }}/{{ resource_prefix }}.p12"
+      args:
+        chdir: "{{ key_protect_dir }}"
+      register: p12cert
+      when: not cert_file_stat.stat.exists
+      run_once: true
+
+    - name: Sleep for 5 seconds
+      ansible.builtin.pause:
+        seconds: 5
+
+    - name: KeyProtect Encryption | Encryption Prepare | Check if key creation has already performed
+      stat:
+        path: "{{ key_protect_dir }}/key_creation_done.flag"
+      register: flag_file_stat
+
+    - name: KeyProtect Encryption | Encryption Prepare | Create Encryption Key
+      command: >
+        mmkmipkm createkey
+        --host "{{ vpc_region }}.kms.cloud.ibm.com"
+        --kmipport "{{ resource_prefix }}.port"
+        --keystore "{{ key_protect_dir }}/{{ resource_prefix }}.p12"
+        --keypass "{{ key_protect_dir }}/{{ resource_prefix }}.pwd"
+        --label "{{ resource_prefix }}"
+      args:
+        chdir: "{{ key_protect_dir }}"
+      register: createkey_output
+      when: p12cert is defined and not flag_file_stat.stat.exists
+      run_once: true
+
+    - name: KeyProtect Encryption | Encryption Prepare | Debug createkey_output
+      debug:
+        var: createkey_output
+      when: createkey_output is defined
+
+    - name: KeyProtect Encryption | Encryption Prepare | Create flag to indicate key creation has been performed
+      file:
+        path: "{{ key_protect_dir }}/key_creation_done.flag"
+        state: touch
+      when: not flag_file_stat.stat.exists
+      run_once: true
+
+    - name: KeyProtect Encryption | Encryption Prepare | Set Encryption key fact
+      set_fact:
+        encryption_key: "{{ createkey_output.stdout if createkey_output is defined and 'stdout' in createkey_output and createkey_output.stdout != '' }}"
+      when: not flag_file_stat.stat.exists
+      run_once: true
+
+    - name: KeyProtect Encryption | Encryption Prepare | Copy Policy file
+      template:
+        src: "templates/KP.fsenc.pol.j2"
+        dest: "/var/mmfs/etc/KP.fsenc.pol"
+        owner: root
+        group: root
+        mode: '0600'
+      when: encryption_key is defined and encryption_key != ''
+      run_once: true
+
+  when: key_protect_dir is defined and key_protect_dir | length > 0