Make HSM use configurable in proxy class, SC-2522

global/overlay/etc/puppet/modules/eid/manifests/proxy.pp

@@ -5,7 +5,8 @@
 # @param server_fqdn          The FQDN of the server. (referenced in compose file)
 # @param proxy_directory      The directory where all proxy related config and files are stored. (referenced in compose file)
 # @param spring_config_param  Used as parameter name in compose file
-# @param contry               Used while creating directories and referenced in compsose file
+# @param country               Used while creating directories and referenced in compsose file
+# @param use_hsm              Configure if HSM is used or not
 class eid::proxy (
   String  $version = '',
   String  $service_name = '',
@@ -13,13 +14,16 @@ class eid::proxy (
   String  $proxy_directory = '/opt/eidas-proxy',
   String  $spring_config_param = 'SPRING_CONFIG_ADDITIONAL_LOCATION',
   String  $country = 'se',
+  Boolean $use_hsm=true,
 ) {
 
+  if $use_hsm {
     $pkcs11_pin = safe_hiera('pkcs11_pin')
+  }
   $eidas_proxy_oidc_rp_jks = safe_hiera('eidas_proxy_oidc_rp_jks','')
   $proxy_service_cookie_encrypt_pw = safe_hiera('proxy_service_cookie_encrypt_pw')
 
-  if $version and $service_name and $pkcs11_pin != 'NOT_SET_IN_HIERA' and $eidas_proxy_oidc_rp_jks  != 'NOT_SET_IN_HIERA' and $proxy_service_cookie_encrypt_pw != 'NOT_SET_IN_HIERA'{
+  if $version and $service_name and $eidas_proxy_oidc_rp_jks  != 'NOT_SET_IN_HIERA' and $proxy_service_cookie_encrypt_pw != 'NOT_SET_IN_HIERA'{
 
     sunet::nftables::allow { 'allow-http-from-any':
       from => any,
@@ -66,12 +70,14 @@ class eid::proxy (
       }
     }
 
+    if $use_hsm {
       file { ['/etc/luna','/etc/luna/cert']:
         ensure => directory,
         mode   => '0755',
         owner  => 'root',
         group  => 'root',
       }
+    }
 
     sunet::nagios::nrpe_check_fileage {'proxy_eidas_metadata_cache_age':
       filename     => "${proxy_directory}/se/ps-mdcache/metadata-cache.xml",

global/overlay/etc/puppet/modules/eid/templates/proxy/docker-compose.yml.erb

@@ -8,18 +8,22 @@ services:
       - SPRING_PROFILES_ACTIVE=<%= @country %>
       - CERTNAME=<%= @server_fqdn %>_infra
       - <%= @spring_config_param %>=<%= @proxy_directory %>/<%= @country %>/cfg/
-      - PKCS11_PIN=<%= @pkcs11_pin %>
       - PROXY_SERVICE_COOKIEENCRYPTPW=<%= @proxy_service_cookie_encrypt_pw %>
+<% if @use_hsm -%>
+      - PKCS11_PIN=<%= @pkcs11_pin %>
+<% end -%>
 
     hostname: <%= @server_fqdn %>
 
     volumes:
       - '/var/log/eidas-proxy:/var/log/eidas-proxy'
       - '<%= @proxy_directory %>:<%= @proxy_directory %>'
-      - '/etc/luna/cert:/usr/safenet/lunaclient/cert'
-      - '/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d'
       - '/dev/log:/dev/log'
       - '/etc/ssl:/etc/ssl'
+<% if @use_hsm -%>
+      - '/etc/luna/cert:/usr/safenet/lunaclient/cert'
+      - '/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d'
+<% end -%>
 
     ports:
       - "443:8443"