From f09ca11685c276b2c62d145740444768b84db0db Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Fri, 15 Nov 2024 23:28:16 +0000
Subject: [PATCH] Add code to customize barbican

---
 hooks/playbooks/barbican-enable-luna.yml | 44 ++++++++++++++++++-
 roles/hsm_prep/README.md | 6 ++-
 roles/hsm_prep/defaults/main.yml | 1 +
 roles/hsm_prep/tasks/luna.yml | 23 +++++++---
 roles/hsm_prep/templates/login_secret.yml.j2 | 8 ++++
 ...{secret.yml.j2 => luna_cert_secret.yml.j2} | 0
 6 files changed, 75 insertions(+), 7 deletions(-)
 create mode 100644 roles/hsm_prep/templates/login_secret.yml.j2
 rename roles/hsm_prep/templates/{secret.yml.j2 => luna_cert_secret.yml.j2} (100%)

diff --git a/hooks/playbooks/barbican-enable-luna.yml b/hooks/playbooks/barbican-enable-luna.yml
index 04739971ec..11582bfab8 100644
--- a/hooks/playbooks/barbican-enable-luna.yml
+++ b/hooks/playbooks/barbican-enable-luna.yml
@@ -26,7 +26,7 @@
 - name: Create kustomization to use updated barbican images
   hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
   tasks:
-    - name: create customize file
+    - name: Create customize file to use modified barbican images
       vars:
         image_prefix: "quay.io/{{ cifmv_hsm_barbican_image_namespace | default('podified-antelope-centos9', true) }}"
         image_tag: "{{ cifmw_hsm_barbican_image_tag | default('current-podified', true) }}-luna"
@@ -48,3 +48,45 @@
           - op: replace
             path: /spec/customContainerImages/barbicanWorkerImage
             value: "{{ image_prefix }}/openstack-barbican-worker:{{ image_tag }}"
+
+- name: Create kustomization to use update barbican to use luna
+  hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
+  tasks:
+    - name: Create file to customize barbican resource deployed in the control plane
+      vars:
+        certs_secret: "{{ cifmw_hsm_luna_cert_secret | default('barbican-luna-certs', true) }}"
+        login_secret: "{{ cifmw_hsm_login_secret | default('hsm-login', true) }}"
+        cifmw_hsm_client_ip: "{{ hostvars[ cifmw_hsm_client_machine ].ansible_host }}"
+      ansible.builtin.copy:
+        dest: "{{ cifmw_basedir }}/artifacts/manifests/kustomizations/controlplane/93-barbican-luna.yaml"
+        content: |-
+          apiVersion: kustomize.config.k8s.io/v1beta1
+          kind: Kustomization
+          resources:
+          namespace: {{ namespace }}
+          patches:
+          - target:
+              kind: OpenStackControlPlane
+              name: .*
+            patch: |-
+              - op: add
+                path: /spec/barbican/template/globalDefaultSecretStore
+                value: "pkcs11"
+              - op: add
+                path: /spec/barbican/template/enabledSecretStores
+                value: |
+                  - "pkcs11"
+              - op: add
+                path: /spec/barbican/template/pkcs11
+                value: |
+                  type: luna
+                  libraryPath: /usr/local/luna/libs/64/libCryptoki2.so
+                  tokenLabels: "{{ cifmw_hsm_luna_partition }}"
+                  MKEKLabel: "{{ cifm_hsm_mkek_label }}"
+                  HMACLabel: "{{ cifm_hsm_hmac_label }}"
+                  serverAddress: "{{ cifmw_hsm_server_ip }}"
+                  clientAddress: "{{ cifmw_hsm_client_ip }}"
+                  loginSecret: "{{ login_secret }}"
+                  certificatesSecret: "{{ certs_secret }}"
+                  certificatesMountPoint: /usr/local/luna/config/certs
+                  keyWrapMechanism: "{{ cifmw_hsm_key_wrap_mechanism }}"
diff --git a/roles/hsm_prep/README.md b/roles/hsm_prep/README.md
index 04e0162bd1..9ca2fad2b8 100644
--- a/roles/hsm_prep/README.md
+++ b/roles/hsm_prep/README.md
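Review bot: The `value: |` under the `enabledSecretStores` and `pkcs11` ops turns each value into a literal block scalar, so once kustomize parses the JSON6902 patch it adds the string `- "pkcs11"\n` (and the string `type: luna ...`) rather than a list and a mapping; unless the operator's CRD accepts strings there (the schema is not visible here), the apply will be rejected or the fields set with the wrong type. Drop the `|` so the nested YAML is the value itself, i.e. `value:` followed by `  - "pkcs11"`, and likewise `value:` followed by the indented `type: luna` block. Separately, `MKEKLabel` and `HMACLabel` read `cifm_hsm_mkek_label` / `cifm_hsm_hmac_label` while every other variable in this patch is `cifmw_`-prefixed; if those are typos the copy task fails on an undefined variable, and if a stray `cifm_` variable happens to exist the labels render from the wrong source. The rendered manifest also embeds the HSM server/client addresses and partition label in an artifacts directory, which is fine for CI but worth noting in the task name or a comment.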
@@ -20,6 +20,7 @@ role to complete successfully.
   is the VM of the hypervisor hosting the openshift node. If a cert has already been generated, then that certificate will be retrieved instead.
 * The certs will be retrieved and stored in a secret (cifmw_hsm_luna_cert_secret)
+* The password to log into the HSM partition will be stored in a secret (cifmw_hsm_login_secret)
 * As input to this role, we will require the ssh connection details and credentials for this VM.
 
 A minimal (one that takes the defaults) invocation of this role is shown below, where the lunaclient
@@ -32,7 +33,8 @@ is the running client VM described above.
     cifmw_hsm_admin_password: ""
     cifmw_hsm_server_ip: "IP of HSM"
     cifmw_hsm_client_ip: "IP of the client - this could be the hypervisor where the Openshift nodes run"
-    cifmw_hsm_luna_partition: "HSM partition for th client to join"
+    cifmw_hsm_luna_partition: "HSM partition for the client to join"
+    cifmw_hsm_partition_password: ""
 
 ## Parameters
 
@@ -41,6 +43,8 @@ is the running client VM described above.
 * `cifmw_hsm_admin_user`: (String) The user to log into the HSM. Default value: `admin`
 * `cifmw_hsm_admin_password`: (String) The password to log into the HSM.
 * `cifmw_hsm_server_ip`: (String) ip address or hostname of the HSM
+* `cifmw_hsm_partition_password: (String) The password to log into the HSM partition
+* `cifmw_hsm_login_secret`: (String) The secret to store the password to log into the HSM partition. Default: `hsm-login`
 
 ### Barbican Image and Details to get buildah script
 * `cifmw_hsm_barbican_operator_repo`: (String) Repo for barbican-operator. Default value: "https://github.com/openstack-k8s-operators/barbican-operator.git"
diff --git a/roles/hsm_prep/defaults/main.yml b/roles/hsm_prep/defaults/main.yml
index 9a69aed6f9..6aecb225e1 100644
--- a/roles/hsm_prep/defaults/main.yml
+++ b/roles/hsm_prep/defaults/main.yml
@@ -20,6 +20,7 @@
 # HSM Details
 cifmw_hsm_hsmtype: "luna"
 cifmw_hsm_admin_user: "admin"
+cifmw_hsm_login_secret: "hsm-login"
 
 ### Barbican Image and Details to get buildah script
 cifmw_hsm_barbican_operator_repo: "https://github.com/openstack-k8s-operators/barbican-operator.git"
diff --git a/roles/hsm_prep/tasks/luna.yml b/roles/hsm_prep/tasks/luna.yml
index 348f063b32..3ada82e939 100644
--- a/roles/hsm_prep/tasks/luna.yml
+++ b/roles/hsm_prep/tasks/luna.yml
@@ -114,15 +114,28 @@
     - "{{ cifmw_hsm_client_ip }}.pem"
     - "{{ cifmw_hsm_client_ip }}Key.pem"
 
-- name: Write out secret template file
+- name: Write out the HSM cert secret template file
   delegate_to: localhost
   ansible.builtin.template:
-    src: "secret.yml.j2"
-    dest: "{{ cifmw_hsm_working_dir }}/secret.yml"
+    src: "luna_cert_secret.yml.j2"
+    dest: "{{ cifmw_hsm_working_dir }}/luna_cert_secret.yml"
 
-- name: Create the secret
+- name: Create the HSM cert secret
   delegate_to: localhost
   environment:
     KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
     PATH: "{{ cifmw_path }}"
-  ansible.builtin.command: "oc apply -f {{ cifmw_hsm_working_dir }}/secret.yml"
+  ansible.builtin.command: "oc apply -f {{ cifmw_hsm_working_dir }}/luna_cert_secret.yml"
+
+- name: Write out the hsm-login secret
+  delegate_to: localhost
+  ansible.builtin.template:
+    src: "login_secret.yml.j2"
+    dest: "{{ cifmw_hsm_working_dir }}/login_secret.yml"
+
+- name: Create the hsm-login secret
+  delegate_to: localhost
+  environment:
+    KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
+    PATH: "{{ cifmw_path }}"
+  ansible.builtin.command: "oc apply -f {{ cifmw_hsm_working_dir }}/login_secret.yml"
diff --git a/roles/hsm_prep/templates/login_secret.yml.j2 b/roles/hsm_prep/templates/login_secret.yml.j2
new file mode 100644
index 0000000000..a4684e766a
--- /dev/null
+++ b/roles/hsm_prep/templates/login_secret.yml.j2
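Review bot: The rendered `login_secret.yml` carries the HSM partition password (base64 is encoding, not protection) and the new 'Write out the hsm-login secret' task writes it with `ansible.builtin.template` and no `mode`, so it lands on the controller with umask-default permissions and is left behind in `cifmw_hsm_working_dir` after the `oc apply`. Add `mode: "0600"` and `no_log: true` to that template task (a `--diff` run would otherwise print the rendered manifest), and `no_log: true` on the 'Create the hsm-login secret' command task so a failing apply does not echo the file contents into the job log; removing the rendered file after a successful apply, or piping the manifest to `oc apply -f -` via `stdin`, would avoid leaving it on disk at all. The same exposure applies to the renamed cert-secret tasks just above, which handle the client private key, though that code predates this change. Both `oc apply` tasks will also report changed on every run; `changed_when: "'configured' in apply_result.stdout"` with a `register` keeps the role idempotent-looking without altering behavior.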
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: "{{ cifmw_hsm_login_secret }}"
+  namespace: "{{ cifmw_hsm_luna_cert_secret_namespace }}"
+data:
+  "hsmLogin": "{{ cifmw_hsm_partition_password | string | b64encode }}"
diff --git a/roles/hsm_prep/templates/secret.yml.j2 b/roles/hsm_prep/templates/luna_cert_secret.yml.j2
similarity index 100%
rename from roles/hsm_prep/templates/secret.yml.j2
rename to roles/hsm_prep/templates/luna_cert_secret.yml.j2
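Review bot: Nothing stops this template from producing a well-formed Secret with an empty `hsmLogin`: the README example in this same patch shows `cifmw_hsm_partition_password: ""`, and `"" | string | b64encode` renders as `""`, so the misconfiguration only surfaces later as a Barbican-side HSM login failure. `mandatory` would catch only an undefined variable, so the guard belongs in the task file before the template is rendered, e.g. an `ansible.builtin.assert` with `that: cifmw_hsm_partition_password | length > 0` and `no_log: true` so the assertion message cannot leak the value. A one-line header comment such as `{# Secret holding the Luna partition password consumed by Barbican's pkcs11 loginSecret #}` would also tell readers which consumer expects the `hsmLogin` key.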