more changes

openstack-k8s-operators · Dec 3, 2024 · 4cc698e · 4cc698e
1 parent 7cb2e0c
commit 4cc698e
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 45 deletions.
diff --git a/hooks/playbooks/barbican-enable-luna.yml b/hooks/playbooks/barbican-enable-luna.yml
@@ -14,15 +14,12 @@
         ansible_ssh_private_key_file: "{{ ansible_user_dir }}/.ssh/lunaclient"
         ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
 
-- name: Create cert secret and login secret
+- name: Create modified barbican image and get secrets
   hosts: "{{ cifmw_hsm_lunaclient_vm }}"
   tasks:
     - name: Include hsm_prep role
       ansible.builtin.include_role:
         name: hsm_prep
-      tags:
-        - cert_prep
-        - secret_prep
       vars:
         cifmw_hsm_client_ip: "{{ hostvars[ cifmw_hsm_client_machine ].ansible_host }}"
 

diff --git a/roles/hsm_prep/defaults/main.yml b/roles/hsm_prep/defaults/main.yml
@@ -39,3 +39,9 @@ cifmw_hsm_luna_server_cert_src: "/usr/safenet/lunaclient/cert/server"
 cifmw_hsm_luna_client_cert_src: "/usr/safenet/lunaclient/cert/client"
 cifmw_hsm_luna_cert_secret: "barbican-luna-certs"
 cifmw_hsm_luna_cert_secret_namespace: "openstack"
+
+## Image details
+cifmv_hsm_barbican_image_registry: "quay.io"
+cifmv_hsm_barbican_image_namespace: "podified-antelope-centos9"
+cifmw_hsm_barbican_image_tag: "current-podified"
+cifmw_hsm_barbican_final_image_tag: "current-podified-luna"
diff --git a/roles/hsm_prep/files/image_add_luna_minimal_client.sh b/roles/hsm_prep/files/image_add_luna_minimal_client.sh
@@ -5,7 +5,7 @@
 # This script adds the Linux Minimal Client for Thales Luna Network HSM
 # to both the API and Worker images so that the HSM can be used as a PKCS#11
 # backend for Barbican.
-
+set -x
 set -o errexit
 set -o pipefail
 
@@ -14,10 +14,9 @@ BARBICAN_IMAGE_NAMESPACE=${BARBICAN_IMAGE_NAMESPACE:-"podified-antelope-centos9"
 BARBICAN_IMAGE_TAG=${BARBICAN_IMAGE_TAG:-"current-podified"}
 BARBICAN_API_IMAGE="$BARBICAM_IMAGE_REGISTRY/$BARBICAN_IMAGE_NAMESPACE/openstack-barbican-api:$BARBICAN_IMAGE_TAG"
 BARBICAN_WORKER_IMAGE="$BARBICAM_IMAGE_REGISTRY/$BARBICAN_IMAGE_NAMESPACE/openstack-barbican-worker:$BARBICAN_IMAGE_TAG"
-
-BARBICAM_FINAL_IMAGE_TAG=${BARBICAN_FINAL_IMAGE_TAG:-"current-podified-luna"}
-BARBICAN_API_FINAL_IMAGE="$BARBICAM_IMAGE_REGISTRY/$BARBICAN_IMAGE_NAMESPACE/openstack-barbican-api:$BARBICAN_FINAL_IMAGE_TAG"
-BARBICAN_WORKER_FINAL_IMAGE="$BARBICAM_IMAGE_REGISTRY/$BARBICAN_IMAGE_NAMESPACE/openstack-barbican-worker:$BARBICAN_FINAL_IMAGE_TAG"
+BARBICAM_FINAL_IMAGE_TAG_X=${BARBICAN_FINAL_IMAGE_TAG:-"current-podified-luna"}
+BARBICAN_API_FINAL_IMAGE="$BARBICAM_IMAGE_REGISTRY/$BARBICAN_IMAGE_NAMESPACE/openstack-barbican-api:${BARBICAM_FINAL_IMAGE_TAG_X}"
+BARBICAN_WORKER_FINAL_IMAGE="$BARBICAM_IMAGE_REGISTRY/$BARBICAN_IMAGE_NAMESPACE/openstack-barbican-worker:${BARBICAM_FINAL_IMAGE_TAG_X}"
 
 # LUNA_LINUX_MINIMAL_CLIENT_DIR - location of the "linux-minimal" directory
 # in your client media.  This could be a path to a mounted ISO or a path to
@@ -45,7 +44,7 @@ function install_client() {
   buildah add --chown root:root $container $LUNA_CLIENT_BIN/multitoken /usr/local/bin/
   buildah add --chown root:root $container $LUNA_CLIENT_BIN/ckdemo /usr/local/bin/
 
-  buildah commit $container ${2}
+  buildah commit $container $2
   buildah rm $container
 }
 

diff --git a/roles/hsm_prep/tasks/cleanup.yml b/roles/hsm_prep/tasks/cleanup.yml
@@ -0,0 +1,37 @@
+---
+- name: Perform cleanup tasks
+  tags: cleanup
+  when:
+    - cifmw_hsm_cleanup | bool
+    - cifmw_hsm_hsmtype == "luna"
+  block:
+    - name: Log debug tasks
+      ansible.builtin.debug:
+        msg: "Running cleanup tasks here"
+
+    - name: Set fact for client_name
+      ansible.builtin.set_fact:
+        client_name: "{{ cifmw_hsm_client_ip }}"
+
+    - name: Check for existing HSM client
+      ansible.builtin.shell: >
+        sshpass -p '{{ cifmw_hsm_admin_password }}'
+        ssh -o StrictHostKeyChecking=false -c aes256-cbc
+        {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}
+        -C client list
+      register: client_list
+
+    - name: Delete existing client when rotating certs
+      ansible.builtin.shell: >
+        sshpass -p '{{ cifmw_hsm_admin_password }}'
+        ssh -c aes256-cbc {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}
+        -C "client delete -f -c {{ client_name }}"
+      when:
+        - client_name in client_list.stdout
+
+    - name: Remove the working directory
+      delegate_to: localhost
+      become: true
+      ansible.builtin.file:
+        path: "{{ cifmw_hsm_working_dir }}"
+        state: absent
diff --git a/roles/hsm_prep/tasks/luna.yml b/roles/hsm_prep/tasks/luna.yml
@@ -150,38 +150,3 @@
     KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
     PATH: "{{ cifmw_path }}"
   ansible.builtin.command: "oc apply -f {{ cifmw_hsm_working_dir }}/login_secret.yml"
-
-- name: Perform cleanup tasks
-  tags: cleanup
-  when: cifmw_hsm_cleanup | bool
-  block:
-    - name: Log debug tasks
-      ansible.builtin.debug:
-        msg: "Running cleanup tasks here"
-
-    - name: Set fact for client_name
-      ansible.builtin.set_fact:
-        client_name: "{{ cifmw_hsm_client_ip }}"
-
-    - name: Check for existing HSM client
-      ansible.builtin.shell: >
-        sshpass -p '{{ cifmw_hsm_admin_password }}'
-        ssh -o StrictHostKeyChecking=false -c aes256-cbc
-        {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}
-        -C client list
-      register: client_list
-
-    - name: Delete existing client when rotating certs
-      ansible.builtin.shell: >
-        sshpass -p '{{ cifmw_hsm_admin_password }}'
-        ssh -c aes256-cbc {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}
-        -C "client delete -f -c {{ client_name }}"
-      when:
-        - client_name in client_list.stdout
-
-    - name: Remove the working directory
-      delegate_to: localhost
-      become: true
-      ansible.builtin.file:
-        path: "{{ cifmw_hsm_working_dir }}"
-        state: absent