Add code to customize barbican

hooks/playbooks/barbican-enable-luna.yml

@@ -26,7 +26,7 @@
 - name: Create kustomization to use updated barbican images
   hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
   tasks:
-    - name: create customize file
+    - name: Create customize file to use modified barbican images
       vars:
         image_prefix: "quay.io/{{ cifmv_hsm_barbican_image_namespace | default('podified-antelope-centos9', true) }}"
         image_tag: "{{ cifmw_hsm_barbican_image_tag | default('current-podified', true) }}-luna"
@@ -48,3 +48,45 @@
               - op: replace
                 path: /spec/customContainerImages/barbicanWorkerImage
                 value: "{{ image_prefix }}/openstack-barbican-worker:{{ image_tag }}"
+
+- name: Create kustomization to use update barbican to use luna
+  hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
+  tasks:
+    - name: Create file to customize barbican resource deployed in the control plane
+      vars:
+        certs_secret: "{{ cifmw_hsm_luna_cert_secret | default('barbican-luna-certs', true) }}"
+        login_secret: "{{ cifmw_hsm_login_secret | default('hsm-login', true) }}"
+        cifmw_hsm_client_ip: "{{ hostvars[ cifmw_hsm_client_machine ].ansible_host }}"
+      ansible.builtin.copy:
+        dest: "{{ cifmw_basedir }}/artifacts/manifests/kustomizations/controlplane/93-barbican-luna.yaml"
+        content: |-
+          apiVersion: kustomize.config.k8s.io/v1beta1
+          kind: Kustomization
+          resources:
+          namespace: {{ namespace }}
+          patches:
+          - target:
+              kind: OpenStackControlPlane
+              name: .*
+            patch: |-
+              - op: add
+                path: /spec/barbican/template/globalDefaultSecretStore
+                value: "pkcs11"
+              - op: add
+                path: /spec/barbican/template/enabledSecretStores
+                value: |
+                  - "pkcs11"
+              - op: add
+                path: /spec/barbican/template/pkcs11
+                value: |
+                  type: luna
+                  libraryPath: /usr/local/luna/libs/64/libCryptoki2.so
+                  tokenLabels: "{{ cifmw_hsm_luna_partition }}"
+                  MKEKLabel: "{{ cifm_hsm_mkek_label }}"
+                  HMACLabel: "{{ cifm_hsm_hmac_label }}"
+                  serverAddress: "{{ cifmw_hsm_server_ip }}"
+                  clientAddress: "{{ cifmw_hsm_client_ip }}"
+                  loginSecret: "{{ login_secret }}"
+                  certificatesSecret: "{{ certs_secret }}"
+                  certificatesMountPoint: /usr/local/luna/config/certs
+                  keyWrapMechanism: "{{ cifmw_hsm_key_wrap_mechanism }}"

roles/hsm_prep/README.md

@@ -20,6 +20,7 @@ role to complete successfully.
   is the VM of the hypervisor hosting the openshift node.  If a cert has already been generated, then
   that certificate will be retrieved instead.
 * The certs will be retrieved and stored in a secret (cifmw_hsm_luna_cert_secret)
+* The password to log into the HSM partition will be stored in a secret (cifmw_hsm_login_secret)
 * As input to this role, we will require the ssh connection details and credentials for this VM.
 
 A minimal (one that takes the defaults) invocation of this role is shown below, where the lunaclient
@@ -32,7 +33,8 @@ is the running client VM described above.
     cifmw_hsm_admin_password: "<HSM admin password>"
     cifmw_hsm_server_ip: "IP of HSM"
     cifmw_hsm_client_ip: "IP of the client - this could be the hypervisor where the Openshift nodes run"
-    cifmw_hsm_luna_partition: "HSM partition for th client to join"
+    cifmw_hsm_luna_partition: "HSM partition for the client to join"
+    cifmw_hsm_partition_password: "<HSM partition password>"
 
 ## Parameters
 
@@ -41,6 +43,8 @@ is the running client VM described above.
 * `cifmw_hsm_admin_user`: (String) The user to log into the HSM.  Default value: `admin`
 * `cifmw_hsm_admin_password`: (String) The password to log into the HSM.
 * `cifmw_hsm_server_ip`: (String) ip address or hostname of the HSM
+* `cifmw_hsm_partition_password: (String) The password to log into the HSM partition
+* `cifmw_hsm_login_secret`: (String) The secret to store the password to log into the HSM partition. Default: `hsm-login`
 
 ### Barbican Image and Details to get buildah script
 * `cifmw_hsm_barbican_operator_repo`: (String) Repo for barbican-operator. Default value: "https://github.com/openstack-k8s-operators/barbican-operator.git"

roles/hsm_prep/defaults/main.yml

@@ -20,6 +20,7 @@
 # HSM Details
 cifmw_hsm_hsmtype: "luna"
 cifmw_hsm_admin_user: "admin"
+cifmw_hsm_login_secret: "hsm-login"
 
 ### Barbican Image and Details to get buildah script
 cifmw_hsm_barbican_operator_repo: "https://github.com/openstack-k8s-operators/barbican-operator.git"

roles/hsm_prep/tasks/luna.yml

@@ -114,15 +114,28 @@
         - "{{ cifmw_hsm_client_ip }}.pem"
         - "{{ cifmw_hsm_client_ip }}Key.pem"
 
-- name: Write out secret template file
+- name: Write out the HSM cert secret template file
   delegate_to: localhost
   ansible.builtin.template:
-    src: "secret.yml.j2"
-    dest: "{{ cifmw_hsm_working_dir }}/secret.yml"
+    src: "luna_cert_secret.yml.j2"
+    dest: "{{ cifmw_hsm_working_dir }}/luna_cert_secret.yml"
 
-- name: Create the secret
+- name: Create the HSM cert secret
   delegate_to: localhost
   environment:
     KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
     PATH: "{{ cifmw_path }}"
-  ansible.builtin.command: "oc apply -f {{ cifmw_hsm_working_dir }}/secret.yml"
+  ansible.builtin.command: "oc apply -f {{ cifmw_hsm_working_dir }}/luna_cert_secret.yml"
+
+- name: Write out the hsm-login secret
+  delegate_to: localhost
+  ansible.builtin.template:
+    src: "login_secret.yml.j2"
+    dest: "{{ cifmw_hsm_working_dir }}/login_secret.yml"
+
+- name: Create the hsm-login secret
+  delegate_to: localhost
+  environment:
+    KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
+    PATH: "{{ cifmw_path }}"
+  ansible.builtin.command: "oc apply -f {{ cifmw_hsm_working_dir }}/login_secret.yml"

roles/hsm_prep/templates/login_secret.yml.j2

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: "{{ cifmw_hsm_login_secret }}"
+  namespace: "{{ cifmw_hsm_luna_cert_secret_namespace }}"
+data:
+  "hsmLogin": "{{ cifmw_hsm_partition_password | string | b64encode }}"