openstack-k8s-operators
diff --git a/‎api/bases/barbican.openstack.org_barbicanapis.yaml‎
Lines changed: 2 additions & 1 deletion b/‎api/bases/barbican.openstack.org_barbicanapis.yaml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml‎
Lines changed: 80 additions & 0 deletions b/‎api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml‎
Lines changed: 80 additions & 0 deletions
diff --git a/‎api/bases/barbican.openstack.org_barbicans.yaml‎
Lines changed: 80 additions & 0 deletions b/‎api/bases/barbican.openstack.org_barbicans.yaml‎
Lines changed: 80 additions & 0 deletions
diff --git a/‎api/bases/barbican.openstack.org_barbicanworkers.yaml‎
Lines changed: 2 additions & 1 deletion b/‎api/bases/barbican.openstack.org_barbicanworkers.yaml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎api/v1beta1/barbican_types.go‎
Lines changed: 12 additions & 0 deletions b/‎api/v1beta1/barbican_types.go‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎api/v1beta1/barbicankeystonelistener_types.go‎
Lines changed: 12 additions & 0 deletions b/‎api/v1beta1/barbicankeystonelistener_types.go‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎api/v1beta1/common_types.go‎
Lines changed: 4 additions & 0 deletions b/‎api/v1beta1/common_types.go‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎api/v1beta1/zz_generated.deepcopy.go‎
Lines changed: 12 additions & 0 deletions b/‎api/v1beta1/zz_generated.deepcopy.go‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎config/crd/bases/barbican.openstack.org_barbicanapis.yaml‎
Lines changed: 2 additions & 1 deletion b/‎config/crd/bases/barbican.openstack.org_barbicanapis.yaml‎
Lines changed: 2 additions & 1 deletion
@@ -82,6 +82,8 @@ spec:
                 type: boolean
               enabledSecretStores:
                 items:
+                  description: This SecretStore type is used by the EnabledSecretStores
+                    variable inside the specification.
                   enum:
                   - simple_crypto
                   - pkcs11
@@ -477,7 +479,6 @@ spec:
             - containerImage
             - databaseHostname
             - databaseInstance
-            - enabledSecretStores
             - rabbitMqClusterName
             - serviceAccount
             type: object
 
@@ -76,6 +76,20 @@ spec:
                   files. Those get added to the service config dir in /etc/<service>
                   . TODO: -> implement'
                 type: object
+              enabledSecretStores:
+                items:
+                  description: This SecretStore type is used by the EnabledSecretStores
+                    variable inside the specification.
+                  enum:
+                  - simple_crypto
+                  - pkcs11
+                  type: string
+                maxItems: 2
+                minItems: 1
+                type: array
+              globalDefaultSecretStore:
+                default: simple_crypto
+                type: string
               networkAttachments:
                 description: NetworkAttachments is a list of NetworkAttachment resource
                   names to expose the services to the given network
@@ -105,6 +119,72 @@ spec:
                     default: SimpleCryptoKEK
                     type: string
                 type: object
+              pkcs11:
+                description: BarbicanPKCS11Template - Includes all common HSM properties
+                properties:
+                  hsmCertificates:
+                    additionalProperties:
+                      type: string
+                    description: 'The HSM certificates. The map''s key is the OpenShift
+                      secret storing the certificate, and the value is the mounting
+                      point (e.g., "luna-certificates": "/usr/local/luna/config/certs").'
+                    type: object
+                  hsmClientAddress:
+                    description: The IP address of the client connecting to the HSM
+                      (X.Y.Z.K)
+                    type: string
+                  hsmEnabled:
+                    default: false
+                    type: boolean
+                  hsmHMACLabel:
+                    description: Label to identify HMAC key in the HSM (must not be
+                      the same as MKEK label)
+                    type: string
+                  hsmIpAddress:
+                    description: The HSM's IPv4 address (X.Y.Z.K)
+                    type: string
+                  hsmLibraryPath:
+                    description: Path to vendor's PKCS11 library
+                    type: string
+                  hsmLoggingLevel:
+                    default: 4
+                    description: Level of logging, where 0 means "no logging" and
+                      7 means "debug".
+                    maximum: 7
+                    minimum: 0
+                    type: integer
+                  hsmLogin:
+                    description: OpenShift secret storing the password to login to
+                      PKCS11 session
+                    type: string
+                  hsmMKEKLabel:
+                    description: Label to identify master KEK in the HSM (must not
+                      be the same as HMAC label)
+                    type: string
+                  hsmMKEKLength:
+                    default: 32
+                    description: Length in bytes of master KEK
+                    type: integer
+                  hsmSlotId:
+                    default: 1
+                    description: HSM Slot ID that contains the token device to be
+                      used
+                    type: integer
+                  hsmTokenLabel:
+                    description: Token label used to identify the token to be used.
+                      Required when token_serial_number is not specified.
+                    type: string
+                  hsmTokenSerialNumber:
+                    default: "12345678"
+                    description: Token serial number used to identify the token to
+                      be used. Required when the device has multiple tokens with the
+                      same label.
+                    type: string
+                  hsmType:
+                    description: 'A string containing the HSM type (currently supported:
+                      "trustway", "luna", "ncipher").'
+                    type: string
+                type: object
               rabbitMqClusterName:
                 default: rabbitmq
                 description: RabbitMQ instance name Needed to request a transportURL
 
@@ -592,6 +592,20 @@ spec:
                   to add additional files. Those get added to the service config dir
                   in /etc/<service> . TODO(dmendiza): -> implement'
                 type: object
+              enabledSecretStores:
+                items:
+                  description: This SecretStore type is used by the EnabledSecretStores
+                    variable inside the specification.
+                  enum:
+                  - simple_crypto
+                  - pkcs11
+                  type: string
+                maxItems: 2
+                minItems: 1
+                type: array
+              globalDefaultSecretStore:
+                default: simple_crypto
+                type: string
               nodeSelector:
                 additionalProperties:
                   type: string
@@ -615,6 +629,72 @@ spec:
                     default: SimpleCryptoKEK
                     type: string
                 type: object
+              pkcs11:
+                description: BarbicanPKCS11Template - Includes all common HSM properties
+                properties:
+                  hsmCertificates:
+                    additionalProperties:
+                      type: string
+                    description: 'The HSM certificates. The map''s key is the OpenShift
+                      secret storing the certificate, and the value is the mounting
+                      point (e.g., "luna-certificates": "/usr/local/luna/config/certs").'
+                    type: object
+                  hsmClientAddress:
+                    description: The IP address of the client connecting to the HSM
+                      (X.Y.Z.K)
+                    type: string
+                  hsmEnabled:
+                    default: false
+                    type: boolean
+                  hsmHMACLabel:
+                    description: Label to identify HMAC key in the HSM (must not be
+                      the same as MKEK label)
+                    type: string
+                  hsmIpAddress:
+                    description: The HSM's IPv4 address (X.Y.Z.K)
+                    type: string
+                  hsmLibraryPath:
+                    description: Path to vendor's PKCS11 library
+                    type: string
+                  hsmLoggingLevel:
+                    default: 4
+                    description: Level of logging, where 0 means "no logging" and
+                      7 means "debug".
+                    maximum: 7
+                    minimum: 0
+                    type: integer
+                  hsmLogin:
+                    description: OpenShift secret storing the password to login to
+                      PKCS11 session
+                    type: string
+                  hsmMKEKLabel:
+                    description: Label to identify master KEK in the HSM (must not
+                      be the same as HMAC label)
+                    type: string
+                  hsmMKEKLength:
+                    default: 32
+                    description: Length in bytes of master KEK
+                    type: integer
+                  hsmSlotId:
+                    default: 1
+                    description: HSM Slot ID that contains the token device to be
+                      used
+                    type: integer
+                  hsmTokenLabel:
+                    description: Token label used to identify the token to be used.
+                      Required when token_serial_number is not specified.
+                    type: string
+                  hsmTokenSerialNumber:
+                    default: "12345678"
+                    description: Token serial number used to identify the token to
+                      be used. Required when the device has multiple tokens with the
+                      same label.
+                    type: string
+                  hsmType:
+                    description: 'A string containing the HSM type (currently supported:
+                      "trustway", "luna", "ncipher").'
+                    type: string
+                type: object
               preserveJobs:
                 default: false
                 description: PreserveJobs - do not delete jobs after they finished
 
@@ -76,6 +76,8 @@ spec:
                 type: object
               enabledSecretStores:
                 items:
+                  description: This SecretStore type is used by the EnabledSecretStores
+                    variable inside the specification.
                   enum:
                   - simple_crypto
                   - pkcs11
@@ -274,7 +276,6 @@ spec:
             - containerImage
             - databaseHostname
             - databaseInstance
-            - enabledSecretStores
             - rabbitMqClusterName
             - serviceAccount
             type: object
 
@@ -47,6 +47,18 @@ type BarbicanSpec struct {
 	BarbicanWorker BarbicanWorkerTemplate `json:"barbicanWorker"`
 
 	BarbicanKeystoneListener BarbicanKeystoneListenerTemplate `json:"barbicanKeystoneListener"`
+
+        // +kubebuilder:validation:Optional
+        PKCS11 BarbicanPKCS11Template `json:"pkcs11,omitempty"`
+
+        // +kubebuilder:validation:Optional
+        // +kubebuilder:validation:MinItems=1
+        // +kubebuilder:validation:MaxItems=2
+        EnabledSecretStores []SecretStore `json:"enabledSecretStores,omitempty"`
+
+        // +kubebuilder:validation:Optional
+        // +kubebuilder:default="simple_crypto"
+        GlobalDefaultSecretStore string `json:"globalDefaultSecretStore"`
 }
 
 // BarbicanSpecCore defines the desired state of Barbican, for use with the OpenStackControlplane CR (no containerImages)
 
@@ -43,6 +43,18 @@ type BarbicanKeystoneListenerTemplateCore struct {
 type BarbicanKeystoneListenerSpec struct {
 	BarbicanTemplate `json:",inline"`
 
+        // +kubebuilder:validation:Optional
+        PKCS11 BarbicanPKCS11Template `json:"pkcs11,omitempty"`
+
+        // +kubebuilder:validation:Optional
+        // +kubebuilder:validation:MinItems=1
+        // +kubebuilder:validation:MaxItems=2
+        EnabledSecretStores []SecretStore `json:"enabledSecretStores,omitempty"`
+
+        // +kubebuilder:validation:Optional
+        // +kubebuilder:default="simple_crypto"
+        GlobalDefaultSecretStore string `json:"globalDefaultSecretStore"`
+
 	BarbicanKeystoneListenerTemplate `json:",inline"`
 	DatabaseHostname                 string `json:"databaseHostname"`
 
 
@@ -101,6 +101,10 @@ type BarbicanComponentTemplate struct {
 	NetworkAttachments []string `json:"networkAttachments,omitempty"`
 }
 
+// +kubebuilder:validation:Enum=simple_crypto;pkcs11
+// This SecretStore type is used by the EnabledSecretStores variable inside the specification.
+type SecretStore string
+
 // BarbicanPKCS11Template - Includes all common HSM properties
 type BarbicanPKCS11Template struct {
         // +kubebuilder:validation:Optional
 
@@ -82,6 +82,8 @@ spec:
                 type: boolean
               enabledSecretStores:
                 items:
+                  description: This SecretStore type is used by the EnabledSecretStores
+                    variable inside the specification.
                   enum:
                   - simple_crypto
                   - pkcs11
@@ -477,7 +479,6 @@ spec:
             - containerImage
             - databaseHostname
             - databaseInstance
-            - enabledSecretStores
             - rabbitMqClusterName
             - serviceAccount
             type: object