
Commit ef4921e

Mauricio Harleyvakwetu
andcommitted
Barbican support for Thales Luna HSM
Signed-off-by: Mauricio Harley <[email protected]> Co-authored-by: Ade Lee <[email protected]>
1 parent b7a77ac commit ef4921e

30 files changed

+1806
-75
lines changed

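--- a/api/bases/barbican.openstack.org_barbicanapis.yaml
+++ b/api/bases/barbican.openstack.org_barbicanapis.yaml
@@ -89,6 +89,25 @@ spec:
 description: EnableSecureRBAC - Enable Consistent and Secure RBAC
 policies
 type: boolean
+enabledSecretStores:
+items:
+description: This SecretStore type is used by the EnabledSecretStores
+variable inside the specification.
+enum:
+- simple_crypto
+- pkcs11
+type: string
+maxItems: 2
+minItems: 1
+type: array
+globalDefaultSecretStore:
+default: simple_crypto
+description: This SecretStore type is used by the EnabledSecretStores
+variable inside the specification.
+enum:
+- simple_crypto
+- pkcs11
+type: string
 networkAttachments:
 description: NetworkAttachments is a list of NetworkAttachment resource
 names to expose the services to the given network
@@ -292,6 +311,113 @@ spec:
 default: SimpleCryptoKEK
 type: string
 type: object
+pkcs11:
+description: BarbicanPKCS11Template - Includes all common HSM properties
+properties:
+AESGCMGenerateIV:
+default: true
+description: Generate IVs for CKM_AES_GCM mechanism
+type: boolean
+HMACKeyType:
+default: CKK_GENERIC_SECRET
+description: HMAC Key Type
+type: string
+HMACKeygenMechanism:
+default: CKM_GENERIC_SECRET_KEY_GEN
+description: HMAC Keygen Mechanism
+type: string
+HMACLabel:
+description: Label to identify HMAC key in the HSM (must not be
+the same as MKEK label)
+type: string
+HMACMechanism:
+default: CKM_SHA256_HMAC
+description: HMAC Mechanism. This replaces hsm_keywrap_mechanism
+type: string
+MKEKLabel:
+description: Label to identify master KEK in the HSM (must not
+be the same as HMAC label)
+type: string
+MKEKLength:
+default: 32
+description: Length in bytes of master KEK
+type: integer
+OSLockingOK:
+default: false
+description: Set os_locking_ok
+type: boolean
+alwaysSetCKASensitive:
+default: true
+description: Always set cka_sentivie
+type: boolean
+certificatesMountPoint:
+description: The mounting point where the certificates will be
+copied to (e.g., /usr/local/luna/config/certs).
+type: string
+certificatesSecret:
+description: The OpenShift secret that stores the HSM certificates.
+type: string
+clientAddress:
+description: The IP address of the client connecting to the HSM
+(X.Y.Z.K)
+type: string
+encryptionMechanism:
+default: CKM_AES_GCM
+description: Secret encryption mechanism
+type: string
+keyWrapGenerateIV:
+default: true
+description: Generate IVs for the key wrap mechanism
+type: boolean
+keyWrapMechanism:
+default: CKM_AES_KEY_WRAP_KWP
+description: Key wrap mechanism
+type: string
+libraryPath:
+description: Path to vendor's PKCS11 library
+type: string
+loggingLevel:
+default: 4
+description: Level of logging, where 0 means "no logging" and
+7 means "debug".
+maximum: 7
+minimum: 0
+type: integer
+loginSecret:
+description: OpenShift secret that stores the password to login
+to the PKCS11 session
+type: string
+serverAddress:
+description: The HSM's IPv4 address (X.Y.Z.K)
+type: string
+slotId:
+description: One of TokenSerialNumber, TokenLabels or SlotId must
+be defined. SlotId is used if none of the others is defined
+type: string
+tokenLabels:
+description: Token labels used to identify the token to be used.
+One of TokenSerialNumber, TokenLabels or SlotId must be specified.
+TokenLabels takes priority over SlotId. This can be a comma
+separated string of labels
+type: string
+tokenSerialNumber:
+description: Token serial number used to identify the token to
+be used. One of TokenSerialNumber, TokenLabels or SlotId must
+be defined. TokenSerialNumber takes priority over TokenLabels
+and SlotId
+type: string
+type:
+description: 'A string containing the HSM type (currently supported:
+"luna").'
+type: string
+required:
+- HMACLabel
+- MKEKLabel
+- libraryPath
+- loginSecret
+- serverAddress
+- type
+type: object
 rabbitMqClusterName:
 default: rabbitmq
 description: RabbitMQ instance name Needed to request a transportURL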
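Review bot: The new pkcs11 schema documents constraints it does not enforce: serverAddress and clientAddress are described as IPv4 addresses but are plain `type: string`, the "one of tokenSerialNumber, tokenLabels or slotId must be defined" rule has no schema counterpart, and the HMACLabel/MKEKLabel "must not be the same" requirement is prose only, so a misconfigured HSM binding is accepted at admission and only fails once Barbican talks to the device. Since this base is generated, the fix belongs on the Go type it comes from: `// +kubebuilder:validation:Format=ipv4` on the two address fields and a CEL rule such as `// +kubebuilder:validation:XValidation:rule="self.HMACLabel != self.MKEKLabel",message="HMACLabel and MKEKLabel must differ"` on the template struct (x-kubernetes-validations needs a cluster version that honours CEL rules, so confirm the supported baseline). The `type` property says only "luna" is supported yet carries no `enum`, so `// +kubebuilder:validation:Enum=luna` would reject unsupported values up front instead of at runtime. The same hunks appear in api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml and presumably the other CRD bases in this commit, so a marker on the shared Go type covers all of them. Minor: the alwaysSetCKASensitive description reads "cka_sentivie", and the globalDefaultSecretStore description is a copy of the enabledSecretStores one rather than describing the default store.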

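--- a/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml
+++ b/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml
@@ -85,6 +85,25 @@ spec:
 files. Those get added to the service config dir in /etc/<service>
 . TODO: -> implement'
 type: object
+enabledSecretStores:
+items:
+description: This SecretStore type is used by the EnabledSecretStores
+variable inside the specification.
+enum:
+- simple_crypto
+- pkcs11
+type: string
+maxItems: 2
+minItems: 1
+type: array
+globalDefaultSecretStore:
+default: simple_crypto
+description: This SecretStore type is used by the EnabledSecretStores
+variable inside the specification.
+enum:
+- simple_crypto
+- pkcs11
+type: string
 networkAttachments:
 description: NetworkAttachments is a list of NetworkAttachment resource
 names to expose the services to the given network
@@ -114,6 +133,113 @@ spec:
 default: SimpleCryptoKEK
 type: string
 type: object
+pkcs11:
+description: BarbicanPKCS11Template - Includes all common HSM properties
+properties:
+AESGCMGenerateIV:
+default: true
+description: Generate IVs for CKM_AES_GCM mechanism
+type: boolean
+HMACKeyType:
+default: CKK_GENERIC_SECRET
+description: HMAC Key Type
+type: string
+HMACKeygenMechanism:
+default: CKM_GENERIC_SECRET_KEY_GEN
+description: HMAC Keygen Mechanism
+type: string
+HMACLabel:
+description: Label to identify HMAC key in the HSM (must not be
+the same as MKEK label)
+type: string
+HMACMechanism:
+default: CKM_SHA256_HMAC
+description: HMAC Mechanism. This replaces hsm_keywrap_mechanism
+type: string
+MKEKLabel:
+description: Label to identify master KEK in the HSM (must not
+be the same as HMAC label)
+type: string
+MKEKLength:
+default: 32
+description: Length in bytes of master KEK
+type: integer
+OSLockingOK:
+default: false
+description: Set os_locking_ok
+type: boolean
+alwaysSetCKASensitive:
+default: true
+description: Always set cka_sentivie
+type: boolean
+certificatesMountPoint:
+description: The mounting point where the certificates will be
+copied to (e.g., /usr/local/luna/config/certs).
+type: string
+certificatesSecret:
+description: The OpenShift secret that stores the HSM certificates.
+type: string
+clientAddress:
+description: The IP address of the client connecting to the HSM
+(X.Y.Z.K)
+type: string
+encryptionMechanism:
+default: CKM_AES_GCM
+description: Secret encryption mechanism
+type: string
+keyWrapGenerateIV:
+default: true
+description: Generate IVs for the key wrap mechanism
+type: boolean
+keyWrapMechanism:
+default: CKM_AES_KEY_WRAP_KWP
+description: Key wrap mechanism
+type: string
+libraryPath:
+description: Path to vendor's PKCS11 library
+type: string
+loggingLevel:
+default: 4
+description: Level of logging, where 0 means "no logging" and
+7 means "debug".
+maximum: 7
+minimum: 0
+type: integer
+loginSecret:
+description: OpenShift secret that stores the password to login
+to the PKCS11 session
+type: string
+serverAddress:
+description: The HSM's IPv4 address (X.Y.Z.K)
+type: string
+slotId:
+description: One of TokenSerialNumber, TokenLabels or SlotId must
+be defined. SlotId is used if none of the others is defined
+type: string
+tokenLabels:
+description: Token labels used to identify the token to be used.
+One of TokenSerialNumber, TokenLabels or SlotId must be specified.
+TokenLabels takes priority over SlotId. This can be a comma
+separated string of labels
+type: string
+tokenSerialNumber:
+description: Token serial number used to identify the token to
+be used. One of TokenSerialNumber, TokenLabels or SlotId must
+be defined. TokenSerialNumber takes priority over TokenLabels
+and SlotId
+type: string
+type:
+description: 'A string containing the HSM type (currently supported:
+"luna").'
+type: string
+required:
+- HMACLabel
+- MKEKLabel
+- libraryPath
+- loginSecret
+- serverAddress
+- type
+type: object
 rabbitMqClusterName:
 default: rabbitmq
 description: RabbitMQ instance name Needed to request a transportURL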
