Barbican Support for Luna HSM

Mauricio Harley · Mauricio Harley · commit 937f88af2408 · 2024-10-31T00:30:42.000Z
Signed-off-by: Mauricio Harley &lt;mharley@redhat.com&gt;
diff --git a/api/v1beta1/common_types.go b/api/v1beta1/common_types.go
@@ -165,6 +165,7 @@ type BarbicanPKCS11Template struct {
         HSMCertificates map[string]string `json:"hsmCertificates"`
 
         // +kubebuilder:validation:Optional
+        // +kubebuilder:validation:Items:Enum=trustway;luna;ncipher
         // A string containing the HSM type (currently supported: "trustway", "luna", "ncipher").
         HSMType string `json:"hsmType"`
 }
diff --git a/pkg/barbicanapi/deployment.go b/pkg/barbicanapi/deployment.go
@@ -6,6 +6,7 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/env"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
+	maps "golang.org/x/exp/maps"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -110,6 +111,47 @@ func Deployment(
 		}
 	}
 
+	// Considering the existence of an HSM.
+	if instance.Spec.PKCS11.HSMEnabled {
+		if instance.Spec.PKCS11.HSMType == "luna" {
+			hsmVolume := corev1.Volume{
+				Name: "hsm-luna-certificates",
+				VolumeSource: corev1.VolumeSource{
+					Secret: &corev1.SecretVolumeSource{
+						DefaultMode: &config0644AccessMode,
+						SecretName:  maps.Keys(instance.Spec.PKCS11.HSMCertificates)[0],
+					},
+				},
+			}
+			apiVolumes = append(apiVolumes, hsmVolume)
+			hsmMountPath := maps.Values(instance.Spec.PKCS11.HSMCertificates)[0]
+			if string(hsmMountPath[len(hsmMountPath)-1]) != "/" {
+				hsmMountPath = hsmMountPath + "/"
+			}
+			hsmMountPoint := []corev1.VolumeMount{
+				{
+					Name:      "hsm-luna-certificates",
+					MountPath: hsmMountPath + instance.Spec.PKCS11.HSMClientAddress + ".pem",
+					SubPath:   instance.Spec.PKCS11.HSMClientAddress + ".pem",
+					ReadOnly:  true,
+				},
+				{
+					Name:      "hsm-luna-certificates",
+					MountPath: hsmMountPath + instance.Spec.PKCS11.HSMClientAddress + "Key.pem",
+					SubPath:   instance.Spec.PKCS11.HSMClientAddress + "Key.pem",
+					ReadOnly:  true,
+				},
+				{
+					Name:      "hsm-luna-certificates",
+					MountPath: hsmMountPath + instance.Spec.PKCS11.HSMIPAddress + "Cert.pem",
+					SubPath:   instance.Spec.PKCS11.HSMIPAddress + "Cert.pem",
+					ReadOnly:  true,
+				},
+			}
+			apiVolumeMounts = append(apiVolumeMounts, hsmMountPoint...)
+		}
+	}
+
 	deployment := &appsv1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      fmt.Sprintf("%s-api", instance.Name),
diff --git a/pkg/barbicanworker/deployment.go b/pkg/barbicanworker/deployment.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 
 	"github.com/openstack-k8s-operators/lib-common/modules/common/env"
+	maps "golang.org/x/exp/maps"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -86,6 +87,47 @@ func Deployment(
 		workerVolumeMounts = append(workerVolumeMounts, instance.Spec.TLS.CreateVolumeMounts(nil)...)
 	}
 
+	// Considering the existence of an HSM.
+	if instance.Spec.PKCS11.HSMEnabled {
+		if instance.Spec.PKCS11.HSMType == "luna" {
+			hsmVolume := corev1.Volume{
+				Name: "hsm-luna-certificates",
+				VolumeSource: corev1.VolumeSource{
+					Secret: &corev1.SecretVolumeSource{
+						DefaultMode: &config0644AccessMode,
+						SecretName:  maps.Keys(instance.Spec.PKCS11.HSMCertificates)[0],
+					},
+				},
+			}
+			workerVolumes = append(workerVolumes, hsmVolume)
+			hsmMountPath := maps.Values(instance.Spec.PKCS11.HSMCertificates)[0]
+			if string(hsmMountPath[len(hsmMountPath)-1]) != "/" {
+				hsmMountPath = hsmMountPath + "/"
+			}
+			hsmMountPoint := []corev1.VolumeMount{
+				{
+					Name:      "hsm-luna-certificates",
+					MountPath: hsmMountPath + instance.Spec.PKCS11.HSMClientAddress + ".pem",
+					SubPath:   instance.Spec.PKCS11.HSMClientAddress + ".pem",
+					ReadOnly:  true,
+				},
+				{
+					Name:      "hsm-luna-certificates",
+					MountPath: hsmMountPath + instance.Spec.PKCS11.HSMClientAddress + "Key.pem",
+					SubPath:   instance.Spec.PKCS11.HSMClientAddress + "Key.pem",
+					ReadOnly:  true,
+				},
+				{
+					Name:      "hsm-luna-certificates",
+					MountPath: hsmMountPath + instance.Spec.PKCS11.HSMIPAddress + "Cert.pem",
+					SubPath:   instance.Spec.PKCS11.HSMIPAddress + "Cert.pem",
+					ReadOnly:  true,
+				},
+			}
+			workerVolumeMounts = append(workerVolumeMounts, hsmMountPoint...)
+		}
+	}
+
 	deployment := &appsv1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      fmt.Sprintf("%s-worker", instance.Name),
diff --git a/templates/barbican/config/Chrystoki-conf.json b/templates/barbican/config/Chrystoki-conf.json
diff --git a/templates/barbican/config/barbican-api-config.json b/templates/barbican/config/barbican-api-config.json
@@ -77,6 +77,14 @@
       "perm": "0600",
       "optional": true,
       "merge": true
+    },
+    {
+      "source": "/var/lib/config-data/default/Crystoki.conf",
+      "dest": "{{ .HSMLibraryPath }}/config/Crystoki.conf",
+      "owner": "barbican",
+      "perm": "0600",
+      "optional": true,
+      "merge": true
     }
   ],
   "permissions": [

Original file line number	Diff line number	Diff line change
`@@ -165,6 +165,7 @@ type BarbicanPKCS11Template struct {`
`165`	`165`	HSMCertificates map[string]string `json:"hsmCertificates"`
`166`	`166`
`167`	`167`	`// +kubebuilder:validation:Optional`
	`168`	`+ // +kubebuilder:validation:Items:Enum=trustway;luna;ncipher`
`168`	`169`	`// A string containing the HSM type (currently supported: "trustway", "luna", "ncipher").`
`169`	`170`	HSMType string `json:"hsmType"`
`170`	`171`	`}`