Barbican support for Thales Luna HSM

Signed-off-by: Mauricio Harley <[email protected]>
Co-authored-by: Ade Lee <[email protected]>

Author: Mauricio Harley

api/bases/barbican.openstack.org_barbicanapis.yaml

@@ -80,6 +80,25 @@ spec:
                 description: EnableSecureRBAC - Enable Consistent and Secure RBAC
                   policies
                 type: boolean
+              enabledSecretStores:
+                items:
+                  description: This SecretStore type is used by the EnabledSecretStores
+                    variable inside the specification.
+                  enum:
+                  - simple_crypto
+                  - pkcs11
+                  type: string
+                maxItems: 2
+                minItems: 1
+                type: array
+              globalDefaultSecretStore:
+                default: simple_crypto
+                description: This SecretStore type is used by the EnabledSecretStores
+                  variable inside the specification.
+                enum:
+                - simple_crypto
+                - pkcs11
+                type: string
               networkAttachments:
                 description: NetworkAttachments is a list of NetworkAttachment resource
                   names to expose the services to the given network
@@ -283,6 +302,77 @@ spec:
                     default: SimpleCryptoKEK
                     type: string
                 type: object
+              pkcs11:
+                description: BarbicanPKCS11Template - Includes all common HSM properties
+                properties:
+                  hsmCertificatesMountPoint:
+                    description: The mounting point where the certificates will be
+                      copied to (e.g., /usr/local/luna/config/certs).
+                    type: string
+                  hsmCertificatesSecret:
+                    description: The OpenShift secret that stores the HSM certificates.
+                    type: string
+                  hsmClientAddress:
+                    description: The IP address of the client connecting to the HSM
+                      (X.Y.Z.K)
+                    type: string
+                  hsmEnabled:
+                    default: false
+                    type: boolean
+                  hsmHMACLabel:
+                    description: Label to identify HMAC key in the HSM (must not be
+                      the same as MKEK label)
+                    type: string
+                  hsmIpAddress:
+                    description: The HSM's IPv4 address (X.Y.Z.K)
+                    type: string
+                  hsmLibraryPath:
+                    description: Path to vendor's PKCS11 library
+                    type: string
+                  hsmLoggingLevel:
+                    default: 4
+                    description: Level of logging, where 0 means "no logging" and
+                      7 means "debug".
+                    maximum: 7
+                    minimum: 0
+                    type: integer
+                  hsmLoginSecret:
+                    description: OpenShift secret that stores the password to login
+                      to the PKCS11 session
+                    type: string
+                  hsmMKEKLabel:
+                    description: Label to identify master KEK in the HSM (must not
+                      be the same as HMAC label)
+                    type: string
+                  hsmMKEKLength:
+                    default: 32
+                    description: Length in bytes of master KEK
+                    type: integer
+                  hsmSlotId:
+                    description: HSM Slot ID that contains the token device to be
+                      used
+                    type: string
+                  hsmTokenLabel:
+                    description: Token label used to identify the token to be used.
+                      Required when token_serial_number is not specified.
+                    type: string
+                  hsmTokenSerialNumber:
+                    description: Token serial number used to identify the token to
+                      be used. Required when the device has multiple tokens with the
+                      same label.
+                    type: string
+                  hsmType:
+                    description: 'A string containing the HSM type (currently supported:
+                      "trustway", "luna", "ncipher").'
+                    type: string
+                required:
+                - hsmHMACLabel
+                - hsmIpAddress
+                - hsmLibraryPath
+                - hsmLoginSecret
+                - hsmMKEKLabel
+                - hsmType
+                type: object
               rabbitMqClusterName:
                 default: rabbitmq
                 description: RabbitMQ instance name Needed to request a transportURL

api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml

@@ -76,6 +76,25 @@ spec:
                   files. Those get added to the service config dir in /etc/<service>
                   . TODO: -> implement'
                 type: object
+              enabledSecretStores:
+                items:
+                  description: This SecretStore type is used by the EnabledSecretStores
+                    variable inside the specification.
+                  enum:
+                  - simple_crypto
+                  - pkcs11
+                  type: string
+                maxItems: 2
+                minItems: 1
+                type: array
+              globalDefaultSecretStore:
+                default: simple_crypto
+                description: This SecretStore type is used by the EnabledSecretStores
+                  variable inside the specification.
+                enum:
+                - simple_crypto
+                - pkcs11
+                type: string
               networkAttachments:
                 description: NetworkAttachments is a list of NetworkAttachment resource
                   names to expose the services to the given network
@@ -105,6 +124,77 @@ spec:
                     default: SimpleCryptoKEK
                     type: string
                 type: object
+              pkcs11:
+                description: BarbicanPKCS11Template - Includes all common HSM properties
+                properties:
+                  hsmCertificatesMountPoint:
+                    description: The mounting point where the certificates will be
+                      copied to (e.g., /usr/local/luna/config/certs).
+                    type: string
+                  hsmCertificatesSecret:
+                    description: The OpenShift secret that stores the HSM certificates.
+                    type: string
+                  hsmClientAddress:
+                    description: The IP address of the client connecting to the HSM
+                      (X.Y.Z.K)
+                    type: string
+                  hsmEnabled:
+                    default: false
+                    type: boolean
+                  hsmHMACLabel:
+                    description: Label to identify HMAC key in the HSM (must not be
+                      the same as MKEK label)
+                    type: string
+                  hsmIpAddress:
+                    description: The HSM's IPv4 address (X.Y.Z.K)
+                    type: string
+                  hsmLibraryPath:
+                    description: Path to vendor's PKCS11 library
+                    type: string
+                  hsmLoggingLevel:
+                    default: 4
+                    description: Level of logging, where 0 means "no logging" and
+                      7 means "debug".
+                    maximum: 7
+                    minimum: 0
+                    type: integer
+                  hsmLoginSecret:
+                    description: OpenShift secret that stores the password to login
+                      to the PKCS11 session
+                    type: string
+                  hsmMKEKLabel:
+                    description: Label to identify master KEK in the HSM (must not
+                      be the same as HMAC label)
+                    type: string
+                  hsmMKEKLength:
+                    default: 32
+                    description: Length in bytes of master KEK
+                    type: integer
+                  hsmSlotId:
+                    description: HSM Slot ID that contains the token device to be
+                      used
+                    type: string
+                  hsmTokenLabel:
+                    description: Token label used to identify the token to be used.
+                      Required when token_serial_number is not specified.
+                    type: string
+                  hsmTokenSerialNumber:
+                    description: Token serial number used to identify the token to
+                      be used. Required when the device has multiple tokens with the
+                      same label.
+                    type: string
+                  hsmType:
+                    description: 'A string containing the HSM type (currently supported:
+                      "trustway", "luna", "ncipher").'
+                    type: string
+                required:
+                - hsmHMACLabel
+                - hsmIpAddress
+                - hsmLibraryPath
+                - hsmLoginSecret
+                - hsmMKEKLabel
+                - hsmType
+                type: object
               rabbitMqClusterName:
                 default: rabbitmq
                 description: RabbitMQ instance name Needed to request a transportURL

api/bases/barbican.openstack.org_barbicans.yaml

@@ -592,6 +592,25 @@ spec:
                   to add additional files. Those get added to the service config dir
                   in /etc/<service> . TODO(dmendiza): -> implement'
                 type: object
+              enabledSecretStores:
+                items:
+                  description: This SecretStore type is used by the EnabledSecretStores
+                    variable inside the specification.
+                  enum:
+                  - simple_crypto
+                  - pkcs11
+                  type: string
+                maxItems: 2
+                minItems: 1
+                type: array
+              globalDefaultSecretStore:
+                default: simple_crypto
+                description: This SecretStore type is used by the EnabledSecretStores
+                  variable inside the specification.
+                enum:
+                - simple_crypto
+                - pkcs11
+                type: string
               nodeSelector:
                 additionalProperties:
                   type: string
@@ -615,6 +634,77 @@ spec:
                     default: SimpleCryptoKEK
                     type: string
                 type: object
+              pkcs11:
+                description: BarbicanPKCS11Template - Includes all common HSM properties
+                properties:
+                  hsmCertificatesMountPoint:
+                    description: The mounting point where the certificates will be
+                      copied to (e.g., /usr/local/luna/config/certs).
+                    type: string
+                  hsmCertificatesSecret:
+                    description: The OpenShift secret that stores the HSM certificates.
+                    type: string
+                  hsmClientAddress:
+                    description: The IP address of the client connecting to the HSM
+                      (X.Y.Z.K)
+                    type: string
+                  hsmEnabled:
+                    default: false
+                    type: boolean
+                  hsmHMACLabel:
+                    description: Label to identify HMAC key in the HSM (must not be
+                      the same as MKEK label)
+                    type: string
+                  hsmIpAddress:
+                    description: The HSM's IPv4 address (X.Y.Z.K)
+                    type: string
+                  hsmLibraryPath:
+                    description: Path to vendor's PKCS11 library
+                    type: string
+                  hsmLoggingLevel:
+                    default: 4
+                    description: Level of logging, where 0 means "no logging" and
+                      7 means "debug".
+                    maximum: 7
+                    minimum: 0
+                    type: integer
+                  hsmLoginSecret:
+                    description: OpenShift secret that stores the password to login
+                      to the PKCS11 session
+                    type: string
+                  hsmMKEKLabel:
+                    description: Label to identify master KEK in the HSM (must not
+                      be the same as HMAC label)
+                    type: string
+                  hsmMKEKLength:
+                    default: 32
+                    description: Length in bytes of master KEK
+                    type: integer
+                  hsmSlotId:
+                    description: HSM Slot ID that contains the token device to be
+                      used
+                    type: string
+                  hsmTokenLabel:
+                    description: Token label used to identify the token to be used.
+                      Required when token_serial_number is not specified.
+                    type: string
+                  hsmTokenSerialNumber:
+                    description: Token serial number used to identify the token to
+                      be used. Required when the device has multiple tokens with the
+                      same label.
+                    type: string
+                  hsmType:
+                    description: 'A string containing the HSM type (currently supported:
+                      "trustway", "luna", "ncipher").'
+                    type: string
+                required:
+                - hsmHMACLabel
+                - hsmIpAddress
+                - hsmLibraryPath
+                - hsmLoginSecret
+                - hsmMKEKLabel
+                - hsmType
+                type: object
               preserveJobs:
                 default: false
                 description: PreserveJobs - do not delete jobs after they finished