Barbican Support for Luna HSM

Signed-off-by: Mauricio Harley <[email protected]>

Author: Mauricio Harley

api/bases/barbican.openstack.org_barbicanapis.yaml

@@ -81,10 +81,12 @@ spec:
                   policies
                 type: boolean
               enabledSecretStores:
-                default: '["simple_crypto"]'
                 items:
+                  enum:
+                  - simple_crypto
+                  - pkcs11
                   type: string
-                maxItems: 5
+                maxItems: 2
                 minItems: 1
                 type: array
               globalDefaultSecretStore:

api/bases/barbican.openstack.org_barbicanworkers.yaml

@@ -75,10 +75,12 @@ spec:
                   . TODO: -> implement'
                 type: object
               enabledSecretStores:
-                default: '["simple_crypto"]'
                 items:
+                  enum:
+                  - simple_crypto
+                  - pkcs11
                   type: string
-                maxItems: 5
+                maxItems: 2
                 minItems: 1
                 type: array
               globalDefaultSecretStore:

api/v1beta1/barbicanapi_types.go

@@ -58,6 +58,9 @@ type APIOverrideSpec struct {
 	Service map[service.Endpoint]service.RoutedOverrideSpec `json:"service,omitempty"`
 }
 
+// +kubebuilder:validation:Enum=simple_crypto;pkcs11
+type SecretStore string
+
 // BarbicanAPISpec defines the desired state of BarbicanAPI
 type BarbicanAPISpec struct {
 	BarbicanTemplate `json:",inline"`
@@ -67,12 +70,10 @@ type BarbicanAPISpec struct {
 	// +kubebuilder:validation:Optional
 	PKCS11 BarbicanPKCS11Template `json:"pkcs11,omitempty"`
 
-	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Optional
 	// +kubebuilder:validation:MinItems=1
-	// +kubebuilder:validation:MaxItems=5
-	// +kubebuilder:validation:Items:Enum=simple_crypto;kmip;pkcs11;dogtag;vault
-	// +kubebuilder:default=["simple_crypto"]
-	EnabledSecretStores []string `json:"enabledSecretStores"`
+	// +kubebuilder:validation:MaxItems=2
+	EnabledSecretStores []SecretStore `json:"enabledSecretStores,omitempty"`
 
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:default="simple_crypto"

api/v1beta1/barbicanworker_types.go

@@ -48,12 +48,10 @@ type BarbicanWorkerSpec struct {
 	// +kubebuilder:validation:Optional
 	PKCS11 BarbicanPKCS11Template `json:"pkcs11,omitempty"`
 
-        // +kubebuilder:validation:Required
+        // +kubebuilder:validation:Optional
         // +kubebuilder:validation:MinItems=1
-	// +kubebuilder:validation:MaxItems=5
-	// +kubebuilder:validation:Items:Enum=simple_crypto;kmip;pkcs11;dogtag;vault
-        // +kubebuilder:default=["simple_crypto"]
-        EnabledSecretStores []string `json:"enabledSecretStores"`
+	// +kubebuilder:validation:MaxItems=2
+        EnabledSecretStores []SecretStore `json:"enabledSecretStores"`
 
         // +kubebuilder:validation:Optional
         // +kubebuilder:default="simple_crypto"

api/v1beta1/zz_generated.deepcopy.go

@@ -81,10 +81,12 @@ spec:
                   policies
                 type: boolean
               enabledSecretStores:
-                default: '["simple_crypto"]'
                 items:
+                  enum:
+                  - simple_crypto
+                  - pkcs11
                   type: string
-                maxItems: 5
+                maxItems: 2
                 minItems: 1
                 type: array
               globalDefaultSecretStore:

config/crd/bases/barbican.openstack.org_barbicanapis.yaml

@@ -75,10 +75,12 @@ spec:
                   . TODO: -> implement'
                 type: object
               enabledSecretStores:
-                default: '["simple_crypto"]'
                 items:
+                  enum:
+                  - simple_crypto
+                  - pkcs11
                   type: string
-                maxItems: 5
+                maxItems: 2
                 minItems: 1
                 type: array
               globalDefaultSecretStore:

config/crd/bases/barbican.openstack.org_barbicanworkers.yaml

@@ -310,6 +310,21 @@ func (r *BarbicanAPIReconciler) generateServiceConfigs(
 
 	databaseAccount := db.GetAccount()
 	databaseSecret := db.GetSecret()
+	enabledSecretStores := []string{}
+	if len(instance.Spec.EnabledSecretStores) == 0 {
+		enabledSecretStores = []string{"simple_crypto"}
+	} else {
+		for _, value := range instance.Spec.EnabledSecretStores {
+			enabledSecretStores = append(enabledSecretStores, string(value))
+		}
+	}
+	globalDefaultSecretStore := ""
+	if len(instance.Spec.GlobalDefaultSecretStore) == 0 {
+		globalDefaultSecretStore = "simple_crypto"
+	} else {
+		globalDefaultSecretStore = instance.Spec.GlobalDefaultSecretStore
+	}
+
 	templateParameters := map[string]interface{}{
 		"DatabaseConnection": fmt.Sprintf("mysql+pymysql://%s:%s@%s/%s?read_default_file=/etc/my.cnf",
 			databaseAccount.Spec.UserName,
@@ -325,19 +340,20 @@ func (r *BarbicanAPIReconciler) generateServiceConfigs(
 		"LogFile":                  fmt.Sprintf("%s%s.log", barbican.BarbicanLogPath, instance.Name),
 		"SimpleCryptoKEK":          string(simpleCryptoSecret.Data[instance.Spec.PasswordSelectors.SimpleCryptoKEK]),
 		"EnableSecureRBAC":         instance.Spec.EnableSecureRBAC,
-		"EnabledSecretStores":      strings.Join(instance.Spec.EnabledSecretStores, ","),
-		"GlobalDefaultSecretStore": instance.Spec.GlobalDefaultSecretStore,
-		"SimpleCryptoEnabled":      slices.Contains(instance.Spec.EnabledSecretStores, "simple_crypto"),
-		"PKCS11CryptoEnabled":      slices.Contains(instance.Spec.EnabledSecretStores, "pkcs11_crypto"),
+		"EnabledSecretStores":      strings.Join(enabledSecretStores, ","),
+		"GlobalDefaultSecretStore": globalDefaultSecretStore,
+		"SimpleCryptoEnabled":      slices.Contains(enabledSecretStores, "simple_crypto"),
+		"PKCS11CryptoEnabled":      slices.Contains(enabledSecretStores, "pkcs11"),
 	}
 
 	// Checking if there's an HSM.
-	pkcs11 := instance.Spec.PKCS11
-	if len(pkcs11.HSMLibraryPath) > 0 {
+	if slices.Contains(enabledSecretStores, "pkcs11") {
+		pkcs11 := instance.Spec.PKCS11
 		hsmLoginSecret, _, err := secret.GetSecret(ctx, h, pkcs11.HSMLogin, instance.Namespace)
 		if err != nil {
 			return err
 		}
+		templateParameters["HSMEnabled"] = true
 		templateParameters["HSMLibraryPath"] = pkcs11.HSMLibraryPath
 		templateParameters["HSMTokenSerialNumber"] = pkcs11.HSMTokenSerialNumber
 		templateParameters["HSMTokenLabel"] = pkcs11.HSMTokenLabel

controllers/barbicanapi_controller.go

@@ -267,6 +267,20 @@ func (r *BarbicanWorkerReconciler) generateServiceConfigs(
 
 	databaseAccount := db.GetAccount()
 	databaseSecret := db.GetSecret()
+	enabledSecretStores := []string{}
+	if len(instance.Spec.EnabledSecretStores) == 0 {
+		enabledSecretStores = []string{"simple_crypto"}
+	} else {
+		for _, value := range instance.Spec.EnabledSecretStores {
+			enabledSecretStores = append(enabledSecretStores, string(value))
+		}
+	}
+	globalDefaultSecretStore := ""
+	if len(instance.Spec.GlobalDefaultSecretStore) == 0 {
+		globalDefaultSecretStore = "simple_crypto"
+	} else {
+		globalDefaultSecretStore = instance.Spec.GlobalDefaultSecretStore
+	}
 
 	templateParameters := map[string]interface{}{
 		"DatabaseConnection": fmt.Sprintf("mysql+pymysql://%s:%s@%s/%s?read_default_file=/etc/my.cnf",
@@ -278,19 +292,20 @@ func (r *BarbicanWorkerReconciler) generateServiceConfigs(
 		"TransportURL":             string(transportURLSecret.Data["transport_url"]),
 		"LogFile":                  fmt.Sprintf("%s%s.log", barbican.BarbicanLogPath, instance.Name),
 		"SimpleCryptoKEK":          string(simpleCryptoSecret.Data[instance.Spec.PasswordSelectors.SimpleCryptoKEK]),
-		"EnabledSecretStores":      strings.Join(instance.Spec.EnabledSecretStores, ","),
-		"GlobalDefaultSecretStore": instance.Spec.GlobalDefaultSecretStore,
-		"SimpleCryptoEnabled":      slices.Contains(instance.Spec.EnabledSecretStores, "simple_crypto"),
-		"PKCS11CryptoEnabled":      slices.Contains(instance.Spec.EnabledSecretStores, "pkcs11_crypto"),
+		"EnabledSecretStores":      strings.Join(enabledSecretStores, ","),
+		"GlobalDefaultSecretStore": globalDefaultSecretStore,
+		"SimpleCryptoEnabled":      slices.Contains(enabledSecretStores, "simple_crypto"),
+		"PKCS11CryptoEnabled":      slices.Contains(enabledSecretStores, "pkcs11"),
 	}
 
 	// Checking if there's an HSM.
-	pkcs11 := instance.Spec.PKCS11
-	if len(pkcs11.HSMLibraryPath) > 0 {
+	if slices.Contains(enabledSecretStores, "pkcs11") {
+		pkcs11 := instance.Spec.PKCS11
 		hsmLoginSecret, _, err := secret.GetSecret(ctx, h, pkcs11.HSMLogin, instance.Namespace)
 		if err != nil {
 			return err
 		}
+		templateParameters["HSMEnabled"] = true
 		templateParameters["HSMLibraryPath"] = pkcs11.HSMLibraryPath
 		templateParameters["HSMTokenSerialNumber"] = pkcs11.HSMTokenSerialNumber
 		templateParameters["HSMTokenLabel"] = pkcs11.HSMTokenLabel

controllers/barbicanworker_controller.go

@@ -50,14 +50,32 @@ stores_lookup_suffix = {{ .EnabledSecretStores }}
 [secretstore:software]
 secret_store_plugin = store_crypto
 crypto_plugin = simple_crypto
-{{ if .GlobalDefaultSecretStore == "simple_crypto" }}
-global_default = true
 {{ end }}
+{{ if eq .GlobalDefaultSecretStore "simple_crypto" }}  global_default = true {{ end }}
 
+{{ if .SimpleCryptoEnabled }}
 [simple_crypto_plugin]
 plugin_name = Software Only Crypto
-{{ if (index . "SimpleCryptoKEK") }}
-kek = {{ .SimpleCryptoKEK }}
+{{ end }}
+{{ if (index . "SimpleCryptoKEK") }} kek = {{ .SimpleCryptoKEK }} {{ end }}
+
+{{ if and (index . "HSMEnabled") .HSMEnabled }}
+[secretstore:pkcs11]
+secret_store_plugin = store_crypto
+crypto_plugin = p11_crypto
+{{ end }}
+{{ if eq .GlobalDefaultSecretStore "pkcs11" }} global_default = true {{ end }}
+
+{{ if and (index . "HSMEnabled") .HSMEnabled }}
+[p11_crypto_plugin]
+library_path = {{ .HSMLibraryPath }}
+token_serial_number = {{ .HSMTokenSerialNumber }}
+token_label = {{ .HSMTokenLabel }}
+login = {{ .HSMLogin }}
+mkek_label = {{ .HSMMKEKLabel }}
+mkek_length = {{ .HSMMKEKLength }}
+hmac_label = {{ .HSMHMACLabel }}
+slot_id = {{ .HSMSlotId }}
 {{ end }}
 {{ end }}