Add HSM Prep role

Also add a playbook to call this role as a pre_deploy playbook
so that we can create and use the modified images in our barbican tests.

docs/dictionary/en-custom.txt

@@ -25,6 +25,7 @@ az
 azs
 backend
 backends
+barbican
 baremetal
 baremetalhost
 basedir
@@ -71,6 +72,7 @@ ciuser
 cjeanner
 ckcg
 cli
+clientvm
 clusterimageset
 clusterpool
 cmd
@@ -202,6 +204,8 @@ hostnames
 hostvars
 hotfix
 href
+hsm
+hsms
 https
 ic
 icjbuue
@@ -281,6 +285,8 @@ loopback
 losetup
 lsblk
 luks
+lunaclient
+lunasa
 lv
 lvm
 lvmcluster

hooks/playbooks/barbican-cleanup-luna.yml

@@ -0,0 +1,25 @@
+---
+- name: Add lunaclient to inventory
+  hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
+  tasks:
+    - name: Get lunaclient key
+      ansible.builtin.get_url:
+        url: "{{ cifmw_hsm_lunaclient_key }}"
+        dest: "{{ ansible_user_dir }}/.ssh/lunaclient"
+        mode: "0400"
+    - name: Add lunaclient VM to inventory
+      ansible.builtin.add_host:
+        name: "{{ cifmw_hsm_lunaclient_vm }}"
+        ansible_user: "{{ cifmw_hsm_lunaclient_user }}"
+        ansible_ssh_private_key_file: "{{ ansible_user_dir }}/.ssh/lunaclient"
+        ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
+
+- name: Create and store modified barbican images
+  hosts: "{{ cifmw_hsm_lunaclient_vm }}"
+  tasks:
+    - name: Include hsm_prep role cleanup tasks
+      ansible.builtin.include_role:
+        name: hsm_prep
+        tasks_from: cleanup.yml
+      vars:
+        cifmw_hsm_client_ip: "{{ hostvars[ cifmw_hsm_client_machine ].ansible_host }}"

hooks/playbooks/barbican-enable-luna.yml

@@ -0,0 +1,66 @@
+---
+- name: Add lunaclient to inventory
+  hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
+  tasks:
+    - name: Get lunaclient key
+      ansible.builtin.get_url:
+        url: "{{ cifmw_hsm_lunaclient_key }}"
+        dest: "{{ ansible_user_dir }}/.ssh/lunaclient"
+        mode: "0400"
+    - name: Add lunaclient VM to inventory
+      ansible.builtin.add_host:
+        name: "{{ cifmw_hsm_lunaclient_vm }}"
+        ansible_user: "{{ cifmw_hsm_lunaclient_user }}"
+        ansible_ssh_private_key_file: "{{ ansible_user_dir }}/.ssh/lunaclient"
+        ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
+
+- name: Create modified barbican image and get secrets
+  hosts: "{{ cifmw_hsm_lunaclient_vm }}"
+  tasks:
+    - name: Include hsm_prep role
+      ansible.builtin.include_role:
+        name: hsm_prep
+      vars:
+        cifmw_hsm_client_ip: "{{ hostvars[ cifmw_hsm_client_machine ].ansible_host }}"
+
+- name: Create kustomization to use update barbican to use luna
+  hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
+  tasks:
+    - name: Create file to customize barbican resource deployed in the control plane
+      vars:
+        certs_secret: "{{ cifmw_hsm_luna_cert_secret | default('barbican-luna-certs', true) }}"
+        login_secret: "{{ cifmw_hsm_login_secret | default('hsm-login', true) }}"
+        cifmw_hsm_client_ip: "{{ hostvars[ cifmw_hsm_client_machine ].ansible_host }}"
+      ansible.builtin.copy:
+        dest: "{{ cifmw_basedir }}/artifacts/manifests/kustomizations/controlplane/93-barbican-luna.yaml"
+        content: |-
+          apiVersion: kustomize.config.k8s.io/v1beta1
+          kind: Kustomization
+          resources:
+          namespace: {{ namespace }}
+          patches:
+          - target:
+              kind: OpenStackControlPlane
+              name: .*
+            patch: |-
+              - op: add
+                path: /spec/barbican/template/globalDefaultSecretStore
+                value: pkcs11
+              - op: add
+                path: /spec/barbican/template/enabledSecretStores
+                value:
+                  - pkcs11
+              - op: add
+                path: /spec/barbican/template/pkcs11
+                value:
+                  type: luna
+                  libraryPath: /usr/local/luna/libs/64/libCryptoki2.so
+                  tokenLabels: "{{ cifmw_hsm_luna_partition }}"
+                  MKEKLabel: "{{ cifm_hsm_mkek_label }}"
+                  HMACLabel: "{{ cifm_hsm_hmac_label }}"
+                  serverAddress: "{{ cifmw_hsm_server_ip }}"
+                  clientAddress: "{{ cifmw_hsm_client_ip }}"
+                  loginSecret: "{{ login_secret }}"
+                  certificatesSecret: "{{ certs_secret }}"
+                  certificatesMountPoint: /usr/local/luna/config/certs
+                  keyWrapMechanism: "{{ cifmw_hsm_key_wrap_mechanism }}"

roles/hsm_prep/README.md

@@ -0,0 +1,75 @@
+# HSM Role
+
+In order to use HSMs, the barbican images need to be customized to include the HSM software.  For now, this is something
+that we expect customers to do with scripts that we will provide as part of the barbican-operator code.
+
+The purpose of this role is to:
+* Generate new images for the barbican-api and barbican-worker containing the HSM software
+* Upload those images to a private repository for use in setting up a CI job.
+* Create any required config to be mounted by the barbican images to interact with the HSM
+
+For the Lunasa, we expect some preparatory steps to be completed prior to execution in order for the
+role to complete successfully.
+* We expect a VM that contains the Lunasa client software and that is registered as a lunasa client.
+  This VM should contain the following contents:
+  * The contents of the minimal linux client in a zipped tar file.
+  * The lunasa binaries that need to be added to the image under a specified directory.
+  * The lunasa HSM server cert.
+* The above contents will be fetched by the role.
+* The VM will be used to generate client certificates.  For this, we will need the cifmw_hsm_client_ip , which
+  is the VM of the hypervisor hosting the openshift node.  If a cert has already been generated, then
+  that certificate will be retrieved instead.
+* The certs will be retrieved and stored in a secret (cifmw_hsm_luna_cert_secret)
+* The password to log into the HSM partition will be stored in a secret (cifmw_hsm_login_secret)
+* As input to this role, we will require the ssh connection details and credentials for this VM.
+
+A minimal (one that takes the defaults) invocation of this role is shown below, where the lunaclient
+is the running client VM described above.
+
+- name: Set up Luna
+  hosts: lunaclient
+  ansible.builtin.include_role: hsm_prep
+  tags:
+    - image_prep
+    - cert_prep
+    - secret_prep
+  vars:
+    cifmw_hsm_admin_password: "<HSM admin password>"
+    cifmw_hsm_server_ip: "IP of HSM"
+    cifmw_hsm_client_ip: "IP of the client - this could be the hypervisor where the Openshift nodes run"
+    cifmw_hsm_luna_partition: "HSM partition for the client to join"
+    cifmw_hsm_partition_password: "<HSM partition password>"
+
+Note that tags have been provided to allow the caller to select specific operations.  This may be necessary
+because different operations may need to executed in different CI jobs.  The current tags available are:
+image_prep, cert_prep, secret_prep, cleanup
+
+## Parameters
+
+### HSM Details
+* `cifmw_hsm_hsmtype`: (String) The type of HSM required.  Currently, only "luna" is supported. Default value: `luna`
+* `cifmw_hsm_admin_user`: (String) The user to log into the HSM.  Default value: `admin`
+* `cifmw_hsm_admin_password`: (String) The password to log into the HSM.
+* `cifmw_hsm_server_ip`: (String) ip address or hostname of the HSM
+* `cifmw_hsm_partition_password: (String) The password to log into the HSM partition
+* `cifmw_hsm_login_secret`: (String) The secret to store the password to log into the HSM partition. Default: `hsm-login`
+
+### Barbican Image and Details to get buildah script
+* `cifmw_hsm_barbican_operator_repo`: (String) Repo for barbican-operator. Default value: "https://github.com/openstack-k8s-operators/barbican-operator.git"
+* `cifmw_hsm_barbican_operator_version`: (String) Version for barbican-operator.  Default value: "main"
+* `cifmv_hsm_barbican_image_namespace`: (String) Namespace for barbican-operator source image.  Default value: "podified-antelope-centos9"
+* `cifmw_hsm_barbican_image_tag`: (String) Tag for barbican-operator source image.  Default value: "current-podified"
+
+### Role Parameters
+* `cifmw_hsm_cleanup`: (Boolean) Delete all resources created by the role at the end of the testing. Default value: `false`
+* `cifmw_hsm_working_dir`: (String) Working directory to store artifacts.  Default value: `/tmp/hsm-prep-working-dir`
+* `cifmw_hsm_client_ip`: (String) ip address or hostname of the client VM
+
+### Luna Parameters
+* `cifmw_hsm_luna_minclient_src`: (String) Location of linux minimal client tarball on the luna client VM. Default value: `/opt/data/Linux-Minimal-Client.tar.gz`
+* `cifmw_hsm_luna_binaries_src`: (String) Location of the luna binaries on the luna client VM. Default value: `/opt/data/bin`
+* `cifmw_hsm_luna_server_cert_src`: (String) Location of HSM server cert on the luna client VM.  Default value: `/usr/safenet/lunaclient/cert/server`
+* `cifmw_hsm_luna_client_cert_src`: (String) Location of HSM client cert on the luna client VM.  Default value: `/usr/safenet/lunaclient/cert/client`
+* `cifmw_hsm_luna_cert_secret`: (String) Name of the secret that stores all of the needed certs for luna.  Default value: `barbican-luna-certs`
+* `cifmw_hsm_luna_cert_secret_namespace`: (String) Namespace of the secret that stores all of the needed certs for luna.  Default value: `openstack`
+* `cifmw_hsm_luna_partition`: (String) HSM partition for the client to join.

roles/hsm_prep/defaults/main.yml

@@ -0,0 +1,47 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# defaults file for hsm role
+
+# HSM Details
+cifmw_hsm_hsmtype: "luna"
+cifmw_hsm_admin_user: "admin"
+cifmw_hsm_login_secret: "hsm-login"
+
+### Barbican Image and Details to get buildah script
+cifmw_hsm_barbican_operator_repo: "https://github.com/openstack-k8s-operators/barbican-operator.git"
+cifmw_hsm_barbican_operator_version: "main"
+cifmv_hsm_barbican_image_namespace: "podified-antelope-centos9"
+cifmw_hsm_barbican_image_tag: "current-podified"
+
+### Role Parameters
+cifmw_hsm_cleanup: false
+cifmw_hsm_working_dir: "/tmp/hsm-prep-working-dir"
+
+### Luna Parameters
+cifmw_hsm_luna_minclient_src: "/opt/data/Linux-Minimal-Client.tar.gz"
+cifmw_hsm_luna_binaries_src: "/opt/data/bin"
+cifmw_hsm_luna_server_cert_src: "/usr/safenet/lunaclient/cert/server"
+cifmw_hsm_luna_client_cert_src: "/usr/safenet/lunaclient/cert/client"
+cifmw_hsm_luna_cert_secret: "barbican-luna-certs"
+cifmw_hsm_luna_cert_secret_namespace: "openstack"
+
+## Image details
+cifmv_hsm_barbican_image_registry: "quay.io"
+cifmv_hsm_barbican_image_namespace: "podified-antelope-centos9"
+cifmw_hsm_barbican_image_tag: "current-podified"
+cifmw_hsm_barbican_final_image_tag: "current-podified-luna"

roles/hsm_prep/files/image_add_luna_minimal_client.sh

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+# barbican_add_luna_minimal_client.sh
+#
+# This script adds the Linux Minimal Client for Thales Luna Network HSM
+# to both the API and Worker images so that the HSM can be used as a PKCS#11
+# backend for Barbican.
+set -x
+set -o errexit
+set -o pipefail
+
+BARBICAM_IMAGE_REGISTRY=${BARBICAN_IMAGE_REGISTRY:-"quay.io"}
+BARBICAN_IMAGE_NAMESPACE=${BARBICAN_IMAGE_NAMESPACE:-"podified-antelope-centos9"}
+BARBICAN_IMAGE_TAG=${BARBICAN_IMAGE_TAG:-"current-podified"}
+BARBICAN_API_IMAGE="$BARBICAM_IMAGE_REGISTRY/$BARBICAN_IMAGE_NAMESPACE/openstack-barbican-api:$BARBICAN_IMAGE_TAG"
+BARBICAN_WORKER_IMAGE="$BARBICAM_IMAGE_REGISTRY/$BARBICAN_IMAGE_NAMESPACE/openstack-barbican-worker:$BARBICAN_IMAGE_TAG"
+BARBICAM_FINAL_IMAGE_TAG_X=${BARBICAN_FINAL_IMAGE_TAG:-"current-podified-luna"}
+BARBICAN_API_FINAL_IMAGE="$BARBICAM_IMAGE_REGISTRY/$BARBICAN_IMAGE_NAMESPACE/openstack-barbican-api:${BARBICAM_FINAL_IMAGE_TAG_X}"
+BARBICAN_WORKER_FINAL_IMAGE="$BARBICAM_IMAGE_REGISTRY/$BARBICAN_IMAGE_NAMESPACE/openstack-barbican-worker:${BARBICAM_FINAL_IMAGE_TAG_X}"
+
+# LUNA_LINUX_MINIMAL_CLIENT_DIR - location of the "linux-minimal" directory
+# in your client media.  This could be a path to a mounted ISO or a path to
+# the location where a tarball was extracted
+LUNA_LINUX_MINIMAL_CLIENT_DIR=${LUNA_LINUX_MINIMAL_CLIENT_DIR:-"/media/lunaiso/linux-minimal"}
+
+# LUNA_CLIENT_BIN - location of the binaries installed by the client
+# software.
+LUNA_CLIENT_BIN=${LUNA_CLIENT_BIN:-"/usr/safenet/lunaclient/bin"}
+
+function install_client() {
+
+  container=$(buildah from $1)
+
+  # set required env
+  buildah config --env ChrystokiConfigurationPath=/usr/local/luna $container
+
+  # add linux-minimal client
+  buildah add --chown root:root $container $LUNA_LINUX_MINIMAL_CLIENT_DIR /usr/local/luna
+  buildah run --user root $container -- mkdir -p /usr/local/luna/config/certs
+  buildah run --user root $container -- mkdir -p /usr/local/luna/config/token/001
+  buildah run --user root $container -- touch /usr/local/luna/config/token/001/token.db
+  buildah add --chown root:root $container $LUNA_CLIENT_BIN/lunacm /usr/local/bin/
+  buildah add --chown root:root $container $LUNA_CLIENT_BIN/vtl /usr/local/bin/
+  buildah add --chown root:root $container $LUNA_CLIENT_BIN/multitoken /usr/local/bin/
+  buildah add --chown root:root $container $LUNA_CLIENT_BIN/ckdemo /usr/local/bin/
+
+  buildah commit $container $2
+  buildah rm $container
+}
+
+install_client $BARBICAN_API_IMAGE $BARBICAN_API_FINAL_IMAGE
+install_client $BARBICAN_WORKER_IMAGE $BARBICAN_WORKER_FINAL_IMAGE

roles/hsm_prep/meta/main.yml

@@ -0,0 +1,36 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+galaxy_info:
+  author: CI Framework
+  description: CI Framework Role -- HSM Prep
+  company: Red Hat
+  license: Apache-2.0
+  min_ansible_version: 2.14
+  namespace: cifmw
+  platforms:
+    - name: CentOS
+      versions:
+        - 9
+
+  galaxy_tags:
+    - cifmw
+    - hsm
+
+# List your role dependencies here, one per line. Be sure to remove the '[]' above,
+# if you add dependencies to this list.
+dependencies: []

roles/hsm_prep/tasks/cleanup.yml

@@ -0,0 +1,37 @@
+---
+- name: Perform cleanup tasks
+  tags: cleanup
+  when:
+    - cifmw_hsm_cleanup | bool
+    - cifmw_hsm_hsmtype == "luna"
+  block:
+    - name: Log debug tasks
+      ansible.builtin.debug:
+        msg: "Running cleanup tasks here"
+
+    - name: Set fact for client_name
+      ansible.builtin.set_fact:
+        client_name: "{{ cifmw_hsm_client_ip }}"
+
+    - name: Check for existing HSM client
+      ansible.builtin.shell: >
+        sshpass -p '{{ cifmw_hsm_admin_password }}'
+        ssh -o StrictHostKeyChecking=false -c aes256-cbc
+        {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}
+        -C client list
+      register: client_list
+
+    - name: Delete existing client when rotating certs
+      ansible.builtin.shell: >
+        sshpass -p '{{ cifmw_hsm_admin_password }}'
+        ssh -c aes256-cbc {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}
+        -C "client delete -f -c {{ client_name }}"
+      when:
+        - client_name in client_list.stdout
+
+    - name: Remove the working directory
+      delegate_to: localhost
+      become: true
+      ansible.builtin.file:
+        path: "{{ cifmw_hsm_working_dir }}"
+        state: absent