Barbican Support for Luna HSM

Signed-off-by: Mauricio Harley <[email protected]>

Author: Mauricio Harley

api/bases/barbican.openstack.org_barbicanapis.yaml

@@ -84,6 +84,7 @@ spec:
                 default: '["simple_crypto"]'
                 items:
                   type: string
+                maxItems: 5
                 minItems: 1
                 type: array
               globalDefaultSecretStore:

api/bases/barbican.openstack.org_barbicanworkers.yaml

@@ -78,6 +78,7 @@ spec:
                 default: '["simple_crypto"]'
                 items:
                   type: string
+                maxItems: 5
                 minItems: 1
                 type: array
               globalDefaultSecretStore:

api/v1beta1/barbicanapi_types.go

@@ -69,6 +69,8 @@ type BarbicanAPISpec struct {
 
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=5
+	// +kubebuilder:validation:Items:Enum=simple_crypto;kmip;pkcs11;dogtag;vault
 	// +kubebuilder:default=["simple_crypto"]
 	EnabledSecretStores []string `json:"enabledSecretStores"`
 

api/v1beta1/barbicanworker_types.go

@@ -50,6 +50,8 @@ type BarbicanWorkerSpec struct {
 
         // +kubebuilder:validation:Required
         // +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=5
+	// +kubebuilder:validation:Items:Enum=simple_crypto;kmip;pkcs11;dogtag;vault
         // +kubebuilder:default=["simple_crypto"]
         EnabledSecretStores []string `json:"enabledSecretStores"`
 

config/crd/bases/barbican.openstack.org_barbicanapis.yaml

@@ -84,6 +84,7 @@ spec:
                 default: '["simple_crypto"]'
                 items:
                   type: string
+                maxItems: 5
                 minItems: 1
                 type: array
               globalDefaultSecretStore:

config/crd/bases/barbican.openstack.org_barbicanworkers.yaml

@@ -78,6 +78,7 @@ spec:
                 default: '["simple_crypto"]'
                 items:
                   type: string
+                maxItems: 5
                 minItems: 1
                 type: array
               globalDefaultSecretStore:

controllers/barbicanapi_controller.go

@@ -41,7 +41,6 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
 	mariadbv1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1"
-	"golang.org/x/exp/maps"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -353,45 +352,6 @@ func (r *BarbicanAPIReconciler) generateServiceConfigs(
 		templateParameters["HSMType"] = pkcs11.HSMType
 	}
 
-	// Checking if there's an HSM.
-	pkcs11 := instance.Spec.PKCS11
-	if pkcs11.HSMEnabled {
-		hsmLoginSecret, _, err := secret.GetSecret(ctx, h, pkcs11.HSMLogin, instance.Namespace)
-		if err != nil {
-			return err
-		}
-		hsmCertificatesSecret, _, err := secret.GetSecret(ctx, h, maps.Keys(pkcs11.HSMCertificates)[0], instance.Namespace)
-		if err != nil {
-			return err
-		}
-		templateParameters["HSMEnabled"] = pkcs11.HSMEnabled
-		templateParameters["HSMLibraryPath"] = pkcs11.HSMLibraryPath
-		templateParameters["HSMTokenSerialNumber"] = pkcs11.HSMTokenSerialNumber
-		templateParameters["HSMTokenLabel"] = pkcs11.HSMTokenLabel
-		templateParameters["HSMLogin"] = string(hsmLoginSecret.Data["hsmLogin"])
-		templateParameters["HSMMKEKLabel"] = pkcs11.HSMMKEKLabel
-		templateParameters["HSMMKEKLength"] = pkcs11.HSMMKEKLength
-		templateParameters["HSMHMACLabel"] = pkcs11.HSMHMACLabel
-		templateParameters["HSMSlotId"] = pkcs11.HSMSlotId
-		templateParameters["HSMLoggingLevel"] = pkcs11.HSMLoggingLevel
-		templateParameters["HSMIPAddress"] = pkcs11.HSMIPAddress
-		templateParameters["HSMClientAddress"] = pkcs11.HSMClientAddress
-		templateParameters["HSMType"] = pkcs11.HSMType
-		templateParameters["HSMCertificatesMountPoint"] = maps.Values(pkcs11.HSMCertificates)[0]
-		for certfile, certificate := range hsmCertificatesSecret.Data {
-			if strings.HasSuffix(certfile, "Cert.pem") {
-				templateParameters["HSMServerCertfile"] = certfile
-				templateParameters["HSMServerCertificate"] = certificate
-			} else if strings.HasSuffix(certfile, "Key.pem") {
-				templateParameters["HSMClientKeyFile"] = certfile
-				templateParameters["HSMClientKey"] = certificate
-			} else if !(strings.HasSuffix(certfile, "File.pem")) { // Excluding "CAFile.pem".
-				templateParameters["HSMClientCertfile"] = certfile
-				templateParameters["HSMClientCertificate"] = certificate
-			}
-		}
-	}
-
 	// create httpd  vhost template parameters
 	httpdVhostConfig := map[string]interface{}{}
 	for _, endpt := range []service.Endpoint{service.EndpointInternal, service.EndpointPublic} {

controllers/barbicanworker_controller.go

@@ -40,7 +40,6 @@ import (
 	nad "github.com/openstack-k8s-operators/lib-common/modules/common/networkattachment"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
-	"golang.org/x/exp/maps"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -306,45 +305,6 @@ func (r *BarbicanWorkerReconciler) generateServiceConfigs(
 		templateParameters["HSMType"] = pkcs11.HSMType
 	}
 
-	// Checking if there's an HSM.
-	pkcs11 := instance.Spec.PKCS11
-	if pkcs11.HSMEnabled {
-		hsmLoginSecret, _, err := secret.GetSecret(ctx, h, pkcs11.HSMLogin, instance.Namespace)
-		if err != nil {
-			return err
-		}
-		hsmCertificatesSecret, _, err := secret.GetSecret(ctx, h, maps.Keys(pkcs11.HSMCertificates)[0], instance.Namespace)
-		if err != nil {
-			return err
-		}
-		templateParameters["HSMEnabled"] = pkcs11.HSMEnabled
-		templateParameters["HSMLibraryPath"] = pkcs11.HSMLibraryPath
-		templateParameters["HSMTokenSerialNumber"] = pkcs11.HSMTokenSerialNumber
-		templateParameters["HSMTokenLabel"] = pkcs11.HSMTokenLabel
-		templateParameters["HSMLogin"] = string(hsmLoginSecret.Data["hsmLogin"])
-		templateParameters["HSMMKEKLabel"] = pkcs11.HSMMKEKLabel
-		templateParameters["HSMMKEKLength"] = pkcs11.HSMMKEKLength
-		templateParameters["HSMHMACLabel"] = pkcs11.HSMHMACLabel
-		templateParameters["HSMSlotId"] = pkcs11.HSMSlotId
-		templateParameters["HSMLoggingLevel"] = pkcs11.HSMLoggingLevel
-		templateParameters["HSMIPAddress"] = pkcs11.HSMIPAddress
-		templateParameters["HSMClientAddress"] = pkcs11.HSMClientAddress
-		templateParameters["HSMType"] = pkcs11.HSMType
-		templateParameters["HSMCertificatesMountPoint"] = maps.Values(pkcs11.HSMCertificates)[0]
-		for certfile, certificate := range hsmCertificatesSecret.Data {
-			if strings.HasSuffix(certfile, "Cert.pem") {
-				templateParameters["HSMServerCertfile"] = certfile
-				templateParameters["HSMServerCertificate"] = certificate
-			} else if strings.HasSuffix(certfile, "Key.pem") {
-				templateParameters["HSMClientKeyFile"] = certfile
-				templateParameters["HSMClientKey"] = certificate
-			} else if !(strings.HasSuffix(certfile, "File.pem")) { // Excluding "CAFile.pem".
-				templateParameters["HSMClientCertfile"] = certfile
-				templateParameters["HSMClientCertificate"] = certificate
-			}
-		}
-	}
-
 	return GenerateConfigsGeneric(ctx, h, instance, envVars, templateParameters, customData, labels, false)
 }