Barbican Support for Luna HSM

Signed-off-by: Mauricio Harley <[email protected]>

Author: Mauricio Harley

api/bases/barbican.openstack.org_barbicanapis.yaml

@@ -81,7 +81,7 @@ spec:
                   policies
                 type: boolean
               enabledSecretStores:
-                default: Enum=simple_crypto
+                default: '["simple_crypto"]'
                 items:
                   type: string
                 minItems: 1

api/bases/barbican.openstack.org_barbicanworkers.yaml

@@ -75,7 +75,7 @@ spec:
                   . TODO: -> implement'
                 type: object
               enabledSecretStores:
-                default: Enum=simple_crypto
+                default: '["simple_crypto"]'
                 items:
                   type: string
                 minItems: 1

api/v1beta1/barbicanapi_types.go

@@ -64,11 +64,12 @@ type BarbicanAPISpec struct {
 
 	BarbicanAPITemplate `json:",inline"`
 
+	// +kubebuilder:validation:Optional
 	PKCS11 BarbicanPKCS11Template `json:"pkcs11,omitempty"`
 
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:MinItems=1
-	// +kubebuilder:default=Enum=simple_crypto
+	// +kubebuilder:default=["simple_crypto"]
 	EnabledSecretStores []string `json:"enabledSecretStores"`
 
 	// +kubebuilder:validation:Optional

api/v1beta1/barbicanworker_types.go

@@ -45,11 +45,12 @@ type BarbicanWorkerSpec struct {
 
 	BarbicanWorkerTemplate `json:",inline"`
 
+	// +kubebuilder:validation:Optional
 	PKCS11 BarbicanPKCS11Template `json:"pkcs11,omitempty"`
 
         // +kubebuilder:validation:Required
         // +kubebuilder:validation:MinItems=1
-        // +kubebuilder:default=Enum=simple_crypto
+        // +kubebuilder:default=["simple_crypto"]
         EnabledSecretStores []string `json:"enabledSecretStores"`
 
         // +kubebuilder:validation:Optional

config/crd/bases/barbican.openstack.org_barbicanapis.yaml

@@ -81,7 +81,7 @@ spec:
                   policies
                 type: boolean
               enabledSecretStores:
-                default: Enum=simple_crypto
+                default: '["simple_crypto"]'
                 items:
                   type: string
                 minItems: 1

config/crd/bases/barbican.openstack.org_barbicanworkers.yaml

@@ -75,7 +75,7 @@ spec:
                   . TODO: -> implement'
                 type: object
               enabledSecretStores:
-                default: Enum=simple_crypto
+                default: '["simple_crypto"]'
                 items:
                   type: string
                 minItems: 1

controllers/barbicanapi_controller.go

@@ -19,6 +19,7 @@ package controllers
 import (
 	"context"
 	"fmt"
+	"slices"
 	"strings"
 	"time"
 
@@ -317,14 +318,39 @@ func (r *BarbicanAPIReconciler) generateServiceConfigs(
 			instance.Spec.DatabaseHostname,
 			barbican.DatabaseName,
 		),
-		"KeystoneAuthURL":  keystoneInternalURL,
-		"ServicePassword":  string(ospSecret.Data[instance.Spec.PasswordSelectors.Service]),
-		"ServiceUser":      instance.Spec.ServiceUser,
-		"ServiceURL":       "https://barbican.openstack.svc:9311",
-		"TransportURL":     string(transportURLSecret.Data["transport_url"]),
-		"LogFile":          fmt.Sprintf("%s%s.log", barbican.BarbicanLogPath, instance.Name),
-		"SimpleCryptoKEK":  string(simpleCryptoSecret.Data[instance.Spec.PasswordSelectors.SimpleCryptoKEK]),
-		"EnableSecureRBAC": instance.Spec.EnableSecureRBAC,
+		"KeystoneAuthURL":          keystoneInternalURL,
+		"ServicePassword":          string(ospSecret.Data[instance.Spec.PasswordSelectors.Service]),
+		"ServiceUser":              instance.Spec.ServiceUser,
+		"ServiceURL":               "https://barbican.openstack.svc:9311",
+		"TransportURL":             string(transportURLSecret.Data["transport_url"]),
+		"LogFile":                  fmt.Sprintf("%s%s.log", barbican.BarbicanLogPath, instance.Name),
+		"SimpleCryptoKEK":          string(simpleCryptoSecret.Data[instance.Spec.PasswordSelectors.SimpleCryptoKEK]),
+		"EnableSecureRBAC":         instance.Spec.EnableSecureRBAC,
+		"EnabledSecretStores":      strings.Join(instance.Spec.EnabledSecretStores, ","),
+		"GlobalDefaultSecretStore": instance.Spec.GlobalDefaultSecretStore,
+		"SimpleCryptoEnabled":      slices.Contains(instance.Spec.EnabledSecretStores, "simple_crypto"),
+		"PKCS11CryptoEnabled":      slices.Contains(instance.Spec.EnabledSecretStores, "pkcs11_crypto"),
+	}
+
+	// Checking if there's an HSM.
+	pkcs11 := instance.Spec.PKCS11
+	if len(pkcs11.HSMLibraryPath) > 0 {
+		hsmLoginSecret, _, err := secret.GetSecret(ctx, h, pkcs11.HSMLogin, instance.Namespace)
+		if err != nil {
+			return err
+		}
+		templateParameters["HSMLibraryPath"] = pkcs11.HSMLibraryPath
+		templateParameters["HSMTokenSerialNumber"] = pkcs11.HSMTokenSerialNumber
+		templateParameters["HSMTokenLabel"] = pkcs11.HSMTokenLabel
+		templateParameters["HSMLogin"] = string(hsmLoginSecret.Data["hsmLogin"])
+		templateParameters["HSMMKEKLabel"] = pkcs11.HSMMKEKLabel
+		templateParameters["HSMMKEKLength"] = pkcs11.HSMMKEKLength
+		templateParameters["HSMHMACLabel"] = pkcs11.HSMHMACLabel
+		templateParameters["HSMSlotId"] = pkcs11.HSMSlotId
+		templateParameters["HSMLoggingLevel"] = pkcs11.HSMLoggingLevel
+		templateParameters["HSMIPAddress"] = pkcs11.HSMIPAddress
+		templateParameters["HSMClientAddress"] = pkcs11.HSMClientAddress
+		templateParameters["HSMType"] = pkcs11.HSMType
 	}
 
 	// Checking if there's an HSM.

controllers/barbicanworker_controller.go

@@ -19,6 +19,7 @@ package controllers
 import (
 	"context"
 	"fmt"
+	"slices"
 	"strings"
 	"time"
 
@@ -275,9 +276,34 @@ func (r *BarbicanWorkerReconciler) generateServiceConfigs(
 			instance.Spec.DatabaseHostname,
 			barbican.DatabaseName,
 		),
-		"TransportURL":    string(transportURLSecret.Data["transport_url"]),
-		"LogFile":         fmt.Sprintf("%s%s.log", barbican.BarbicanLogPath, instance.Name),
-		"SimpleCryptoKEK": string(simpleCryptoSecret.Data[instance.Spec.PasswordSelectors.SimpleCryptoKEK]),
+		"TransportURL":             string(transportURLSecret.Data["transport_url"]),
+		"LogFile":                  fmt.Sprintf("%s%s.log", barbican.BarbicanLogPath, instance.Name),
+		"SimpleCryptoKEK":          string(simpleCryptoSecret.Data[instance.Spec.PasswordSelectors.SimpleCryptoKEK]),
+		"EnabledSecretStores":      strings.Join(instance.Spec.EnabledSecretStores, ","),
+		"GlobalDefaultSecretStore": instance.Spec.GlobalDefaultSecretStore,
+		"SimpleCryptoEnabled":      slices.Contains(instance.Spec.EnabledSecretStores, "simple_crypto"),
+		"PKCS11CryptoEnabled":      slices.Contains(instance.Spec.EnabledSecretStores, "pkcs11_crypto"),
+	}
+
+	// Checking if there's an HSM.
+	pkcs11 := instance.Spec.PKCS11
+	if len(pkcs11.HSMLibraryPath) > 0 {
+		hsmLoginSecret, _, err := secret.GetSecret(ctx, h, pkcs11.HSMLogin, instance.Namespace)
+		if err != nil {
+			return err
+		}
+		templateParameters["HSMLibraryPath"] = pkcs11.HSMLibraryPath
+		templateParameters["HSMTokenSerialNumber"] = pkcs11.HSMTokenSerialNumber
+		templateParameters["HSMTokenLabel"] = pkcs11.HSMTokenLabel
+		templateParameters["HSMLogin"] = string(hsmLoginSecret.Data["hsmLogin"])
+		templateParameters["HSMMKEKLabel"] = pkcs11.HSMMKEKLabel
+		templateParameters["HSMMKEKLength"] = pkcs11.HSMMKEKLength
+		templateParameters["HSMHMACLabel"] = pkcs11.HSMHMACLabel
+		templateParameters["HSMSlotId"] = pkcs11.HSMSlotId
+		templateParameters["HSMLoggingLevel"] = pkcs11.HSMLoggingLevel
+		templateParameters["HSMIPAddress"] = pkcs11.HSMIPAddress
+		templateParameters["HSMClientAddress"] = pkcs11.HSMClientAddress
+		templateParameters["HSMType"] = pkcs11.HSMType
 	}
 
 	// Checking if there's an HSM.

templates/barbican/config/00-default.conf

@@ -44,13 +44,13 @@ enable = true
 
 [secretstore]
 enable_multiple_secret_stores = true
-stores_lookup_suffix = {{ .enabledSecretStores }}
+stores_lookup_suffix = {{ .EnabledSecretStores }}
 
-{{ if .simpleCryptoEnabled }}
-[secretstore:simple_crypto]
+{{ if .SimpleCryptoEnabled }}
+[secretstore:software]
 secret_store_plugin = store_crypto
 crypto_plugin = simple_crypto
-{{ if .globalDefaultSecretStore == ‘simple_crypto’ }}
+{{ if .GlobalDefaultSecretStore == "simple_crypto" }}
 global_default = true
 {{ end }}
 
@@ -61,21 +61,21 @@ kek = {{ .SimpleCryptoKEK }}
 {{ end }}
 {{ end }}
 
-{{ if .pkcs11Enabled }}
+{{ if .PKCS11Enabled }}
 [secretstore:pkcs11]
 secret_store_plugin = store_crypto
 crypto_plugin = p11_crypto
-{{ if .globalDefaultSecretStore == ‘pkcs11’ }}
+{{ if .GlobalDefaultSecretStore == "pkcs11" }}
 global_default = true
 {{ end }}
 
 [p11_crypto_plugin]
-library_path = {{ .hsmLibraryPath }}
-token_serial_number = {{ .hsmTokenSerialNumber }}
-token_label = {{ .hsmTokenLabel }}
-login = {{ .hsmLogin }}
-mkek_label = {{ .hsmMKEKLabel }}
-mkek_length = {{ .hsmMKEKLength }}
-hmac_label = {{ .hsmHMACLabel }}
-slot_id = {{ .hsmSlotId }
+library_path = {{ .HSMLibraryPath }}
+token_serial_number = {{ .HSMTokenSerialNumber }}
+token_label = {{ .HSMTokenLabel }}
+login = {{ .HSMLogin }}
+mkek_label = {{ .HSMMKEKLabel }}
+mkek_length = {{ .HSMMKEKLength }}
+hmac_label = {{ .HSMHMACLabel }}
+slot_id = {{ .HSMSlotId }
 {{ end }}

templates/barbican/config/Chrystoki-conf.json

@@ -0,0 +1,13 @@
+{{ if .HSMType == "Luna" }}
+{
+  "config_files": [
+    {
+      "source": "/var/lib/config-data/default/Crystoki.conf",
+      "dest": "{{ .HSLibraryPath }}/config/Crystoki.conf",
+      "owner": "barbican",
+      "perm": "0600",
+      "optional": true
+    }
+  ]
+}
+{{ end }}