
Commit cc2b30a

Merge pull request #168 from mauricioharley/add_thales_luna_support
Barbican Support for Luna HSM
2 parents ac10d9a + d84132c commit cc2b30a

32 files changed

+1834
-74
lines changed

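--- a/api/bases/barbican.openstack.org_barbicanapis.yaml
+++ b/api/bases/barbican.openstack.org_barbicanapis.yaml
@@ -89,6 +89,26 @@ spec:
 description: EnableSecureRBAC - Enable Consistent and Secure RBAC
 policies
 type: boolean
+enabledSecretStores:
+items:
+description: This SecretStore type is used by the EnabledSecretStores
+variable inside the specification.
+enum:
+- simple_crypto
+- pkcs11
+type: string
+maxItems: 2
+minItems: 1
+type: array
+x-kubernetes-list-type: set
+globalDefaultSecretStore:
+default: simple_crypto
+description: This SecretStore type is used by the EnabledSecretStores
+variable inside the specification.
+enum:
+- simple_crypto
+- pkcs11
+type: string
 networkAttachments:
 description: NetworkAttachments is a list of NetworkAttachment resource
 names to expose the services to the given network
@@ -292,6 +312,113 @@ spec:
 default: SimpleCryptoKEK
 type: string
 type: object
+pkcs11:
+description: BarbicanPKCS11Template - Includes all common HSM properties
+properties:
+AESGCMGenerateIV:
+default: true
+description: Generate IVs for CKM_AES_GCM mechanism
+type: boolean
+HMACKeyType:
+default: CKK_GENERIC_SECRET
+description: HMAC Key Type
+type: string
+HMACKeygenMechanism:
+default: CKM_GENERIC_SECRET_KEY_GEN
+description: HMAC Keygen Mechanism
+type: string
+HMACLabel:
+description: Label to identify HMAC key in the HSM (must not be
+the same as MKEK label)
+type: string
+HMACMechanism:
+default: CKM_SHA256_HMAC
+description: HMAC Mechanism. This replaces hsm_keywrap_mechanism
+type: string
+MKEKLabel:
+description: Label to identify master KEK in the HSM (must not
+be the same as HMAC label)
+type: string
+MKEKLength:
+default: 32
+description: Length in bytes of master KEK
+type: integer
+OSLockingOK:
+default: false
+description: Set os_locking_ok
+type: boolean
+alwaysSetCKASensitive:
+default: true
+description: Always set cka_sensitive
+type: boolean
+certificatesMountPoint:
+description: The mounting point where the certificates will be
+copied to (e.g., /usr/local/luna/config/certs).
+type: string
+certificatesSecret:
+description: The OpenShift secret that stores the HSM certificates.
+type: string
+clientAddress:
+description: The IP address of the client connecting to the HSM
+(X.Y.Z.K)
+type: string
+encryptionMechanism:
+default: CKM_AES_GCM
+description: Secret encryption mechanism
+type: string
+keyWrapGenerateIV:
+default: true
+description: Generate IVs for the key wrap mechanism
+type: boolean
+keyWrapMechanism:
+default: CKM_AES_KEY_WRAP_KWP
+description: Key wrap mechanism
+type: string
+libraryPath:
+description: Path to vendor's PKCS11 library
+type: string
+loggingLevel:
+default: 4
+description: Level of logging, where 0 means "no logging" and
+7 means "debug".
+maximum: 7
+minimum: 0
+type: integer
+loginSecret:
+description: OpenShift secret that stores the password to login
+to the PKCS11 session
+type: string
+serverAddress:
+description: The HSM's IPv4 address (X.Y.Z.K)
+type: string
+slotId:
+description: One of TokenSerialNumber, TokenLabels or SlotId must
+be defined. SlotId is used if none of the others is defined
+type: string
+tokenLabels:
+description: Token labels used to identify the token to be used.
+One of TokenSerialNumber, TokenLabels or SlotId must be specified.
+TokenLabels takes priority over SlotId. This can be a comma
+separated string of labels
+type: string
+tokenSerialNumber:
+description: Token serial number used to identify the token to
+be used. One of TokenSerialNumber, TokenLabels or SlotId must
+be defined. TokenSerialNumber takes priority over TokenLabels
+and SlotId
+type: string
+type:
+description: 'A string containing the HSM type (currently supported:
+"luna").'
+type: string
+required:
+- HMACLabel
+- MKEKLabel
+- libraryPath
+- loginSecret
+- serverAddress
+- type
+type: object
 rabbitMqClusterName:
 default: rabbitmq
 description: RabbitMQ instance name Needed to request a transportURL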

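--- a/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml
+++ b/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml
@@ -85,6 +85,26 @@ spec:
 files. Those get added to the service config dir in /etc/<service>
 . TODO: -> implement'
 type: object
+enabledSecretStores:
+items:
+description: This SecretStore type is used by the EnabledSecretStores
+variable inside the specification.
+enum:
+- simple_crypto
+- pkcs11
+type: string
+maxItems: 2
+minItems: 1
+type: array
+x-kubernetes-list-type: set
+globalDefaultSecretStore:
+default: simple_crypto
+description: This SecretStore type is used by the EnabledSecretStores
+variable inside the specification.
+enum:
+- simple_crypto
+- pkcs11
+type: string
 networkAttachments:
 description: NetworkAttachments is a list of NetworkAttachment resource
 names to expose the services to the given network
@@ -114,6 +134,113 @@ spec:
 default: SimpleCryptoKEK
 type: string
 type: object
+pkcs11:
+description: BarbicanPKCS11Template - Includes all common HSM properties
+properties:
+AESGCMGenerateIV:
+default: true
+description: Generate IVs for CKM_AES_GCM mechanism
+type: boolean
+HMACKeyType:
+default: CKK_GENERIC_SECRET
+description: HMAC Key Type
+type: string
+HMACKeygenMechanism:
+default: CKM_GENERIC_SECRET_KEY_GEN
+description: HMAC Keygen Mechanism
+type: string
+HMACLabel:
+description: Label to identify HMAC key in the HSM (must not be
+the same as MKEK label)
+type: string
+HMACMechanism:
+default: CKM_SHA256_HMAC
+description: HMAC Mechanism. This replaces hsm_keywrap_mechanism
+type: string
+MKEKLabel:
+description: Label to identify master KEK in the HSM (must not
+be the same as HMAC label)
+type: string
+MKEKLength:
+default: 32
+description: Length in bytes of master KEK
+type: integer
+OSLockingOK:
+default: false
+description: Set os_locking_ok
+type: boolean
+alwaysSetCKASensitive:
+default: true
+description: Always set cka_sensitive
+type: boolean
+certificatesMountPoint:
+description: The mounting point where the certificates will be
+copied to (e.g., /usr/local/luna/config/certs).
+type: string
+certificatesSecret:
+description: The OpenShift secret that stores the HSM certificates.
+type: string
+clientAddress:
+description: The IP address of the client connecting to the HSM
+(X.Y.Z.K)
+type: string
+encryptionMechanism:
+default: CKM_AES_GCM
+description: Secret encryption mechanism
+type: string
+keyWrapGenerateIV:
+default: true
+description: Generate IVs for the key wrap mechanism
+type: boolean
+keyWrapMechanism:
+default: CKM_AES_KEY_WRAP_KWP
+description: Key wrap mechanism
+type: string
+libraryPath:
+description: Path to vendor's PKCS11 library
+type: string
+loggingLevel:
+default: 4
+description: Level of logging, where 0 means "no logging" and
+7 means "debug".
+maximum: 7
+minimum: 0
+type: integer
+loginSecret:
+description: OpenShift secret that stores the password to login
+to the PKCS11 session
+type: string
+serverAddress:
+description: The HSM's IPv4 address (X.Y.Z.K)
+type: string
+slotId:
+description: One of TokenSerialNumber, TokenLabels or SlotId must
+be defined. SlotId is used if none of the others is defined
+type: string
+tokenLabels:
+description: Token labels used to identify the token to be used.
+One of TokenSerialNumber, TokenLabels or SlotId must be specified.
+TokenLabels takes priority over SlotId. This can be a comma
+separated string of labels
+type: string
+tokenSerialNumber:
+description: Token serial number used to identify the token to
+be used. One of TokenSerialNumber, TokenLabels or SlotId must
+be defined. TokenSerialNumber takes priority over TokenLabels
+and SlotId
+type: string
+type:
+description: 'A string containing the HSM type (currently supported:
+"luna").'
+type: string
+required:
+- HMACLabel
+- MKEKLabel
+- libraryPath
+- loginSecret
+- serverAddress
+- type
+type: object
 rabbitMqClusterName:
 default: rabbitmq
 description: RabbitMQ instance name Needed to request a transportURL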
