Add configuration and Ansible role for Barbican adoption with Proteccio HSM

These artifacts will be used for Proteccio HSM adoption.

Implements: OSPRH-18874

Signed-off-by: Mauricio Harley <[email protected]>

Author: Mauricio Harley

deploy-osp-adoption.yml

@@ -105,3 +105,13 @@
     - name: Deploy source osp environment
       ansible.builtin.import_role:
         name: "adoption_osp_deploy"
+
+    - name: Run Barbican adoption when enabled
+      when: 
+        - cifmw_barbican_adoption_enable | default(false) | bool
+        - cifmw_barbican_adoption_hsm_enabled | default(false) | bool
+      block:
+        - name: Execute Barbican adoption with HSM support
+          ansible.builtin.include: "playbooks/adoption/barbican-proteccio.yml"
+          vars:
+            osp_17_controller_host: "{{ groups['osp-controllers'][0] | default('') }}"

hooks/playbooks/barbican-enable-proteccio.yml

@@ -33,9 +33,7 @@
         tasks_from: create_secrets
       vars:
         proteccio_conf_src: "{{ cifmw_hsm_proteccio_conf_src }}"
-        proteccio_client_crt_src: "{{ cifmw_hsm_proteccio_client_crt_src }}"
-        proteccio_client_key_src: "{{ cifmw_hsm_proteccio_client_key_src }}"
-        proteccio_server_crt_src: "{{ cifmw_hsm_proteccio_server_crt_src }}"
+        proteccio_crt_src: "{{ cifmw_hsm_proteccio_crt_src }}"
         proteccio_password: "{{ cifmw_hsm_password }}"
         kubeconfig_path: "{{ cifmw_openshift_kubeconfig }}"
         oc_dir: "{{ cifmw_path }}"
@@ -44,16 +42,34 @@
         login_secret: "{{ cifmw_hsm_login_secret | default('barbican-proteccio-login', true) }}"
         login_secret_field: "{{ cifmw_hsm_login_secret_field | default('PKCS11Pin') }}"
 
+    - name: Handle adoption-specific HSM configuration
+      when: cifmw_adoption_enable | default(false) | bool
+      block:
+        - name: Create adoption-specific proteccio configuration patch
+          ansible.builtin.include_role:
+            name: rhoso_proteccio_hsm
+            tasks_from: create_adoption_patch
+          vars:
+            source_barbican_namespace: "{{ cifmw_adoption_source_namespace | default('openstack') }}"
+            target_barbican_namespace: "{{ cifmw_adoption_target_namespace | default('openstack') }}"
+            preserve_existing_secrets: "{{ cifmw_hsm_preserve_secrets | default(true) }}"
+
 - name: Create kustomization to update Barbican to use proteccio
   hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
   tasks:
     - name: Create file to customize barbican resource deployed in the control plane
       vars:
         client_data_secret: "{{ cifmw_hsm_proteccio_client_data_secret | default('barbican-proteccio-client-data', true) }}"
         login_secret: "{{ cifmw_hsm_login_secret | default('barbican-proteccio-login', true) }}"
+        kustomization_file: >-
+          {%- if cifmw_adoption_enable | default(false) | bool -%}
+          93-barbican-proteccio-adoption.yaml
+          {%- else -%}
+          93-barbican-proteccio.yaml
+          {%- endif -%}
       ansible.builtin.copy:
         mode: '0644'
-        dest: "{{ cifmw_basedir }}/artifacts/manifests/kustomizations/controlplane/93-barbican-proteccio.yaml"
+        dest: "{{ cifmw_basedir }}/artifacts/manifests/kustomizations/controlplane/{{ kustomization_file }}"
         content: |-
           apiVersion: kustomize.config.k8s.io/v1beta1
           kind: Kustomization
@@ -94,3 +110,14 @@
                   key_wrap_generate_iv = true
                   always_set_cka_sensitive = true
                   os_locking_ok = false
+              {%- if cifmw_adoption_enable | default(false) | bool %}
+              - op: add
+                path: /spec/barbican/template/databaseInstance
+                value: openstack
+              - op: add
+                path: /spec/barbican/template/secret
+                value: osp-secret
+              - op: add
+                path: /spec/barbican/template/preserveJobs
+                value: {{ cifmw_adoption_preserve_jobs | default(false) }}
+              {%- endif %}

playbooks/adoption/barbican-proteccio.yml

@@ -0,0 +1,70 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: "Barbican adoption for Proteccio HSM environments"
+  hosts: "{{ cifmw_target_host | default('localhost') }}"
+  gather_facts: true
+  vars:
+    # Enable adoption mode
+    cifmw_adoption_enable: true
+    
+    # Barbican adoption specific configuration
+    cifmw_barbican_adoption_hsm_enabled: true
+    cifmw_barbican_adoption_hsm_type: "proteccio"
+    
+    # Source environment configuration (to be overridden)
+    cifmw_barbican_adoption_source_db_host: "{{ osp_17_controller_host | default('') }}"
+    cifmw_barbican_adoption_source_db_password: "{{ barbican_db_password | default('') }}"
+    
+    # HSM configuration (to be overridden)
+    cifmw_barbican_adoption_proteccio_partition: "{{ hsm_partition | default('') }}"
+    cifmw_barbican_adoption_proteccio_mkek_label: "{{ hsm_mkek_label | default('') }}"
+    cifmw_barbican_adoption_proteccio_hmac_label: "{{ hsm_hmac_label | default('') }}"
+    
+  tasks:
+    - name: Validate required variables for Proteccio adoption
+      ansible.builtin.assert:
+        that:
+          - osp_17_controller_host is defined and osp_17_controller_host != ""
+          - barbican_db_password is defined and barbican_db_password != ""
+          - hsm_partition is defined and hsm_partition != ""
+          - hsm_mkek_label is defined and hsm_mkek_label != ""
+          - hsm_hmac_label is defined and hsm_hmac_label != ""
+        fail_msg: "Required variables for Barbican Proteccio adoption are not properly configured"
+
+    - name: Run Barbican adoption with Proteccio HSM support
+      ansible.builtin.include_role:
+        name: barbican_adoption
+
+    - name: Enable Proteccio HSM for adopted Barbican
+      ansible.builtin.include_role:
+        name: run_hook
+      vars:
+        cifmw_run_hook_name: barbican-enable-proteccio
+
+    - name: Verify Barbican Proteccio adoption
+      ansible.builtin.debug:
+        msg: |
+          Barbican adoption with Proteccio HSM support completed successfully.
+          
+          Next steps:
+          1. Verify Barbican API is accessible
+          2. Test HSM connectivity 
+          3. Validate existing secrets are accessible
+          4. Run smoke tests
+          
+          Note: This playbook works with the uni07eta adoption scenario which
+          includes Proteccio HSM support configuration.

roles/barbican_adoption/README.md

@@ -0,0 +1,145 @@
+# barbican_adoption
+
+Role to support Barbican service adoption from OpenStack 17.1 to RHOSO 18 while preserving Hardware Security Module (HSM) integration, specifically designed for Proteccio HSM environments.
+
+## Overview
+
+This role implements a comprehensive adoption framework that:
+- Migrates Barbican database from source OSP 17.1 environment
+- Preserves HSM configuration and connectivity
+- Deploys Barbican in target RHOSO 18 environment
+- Validates successful adoption and HSM integration
+
+## Features
+
+- **Database Migration**: Automated backup and migration of Barbican database
+- **HSM Preservation**: Maintains Proteccio HSM configuration and secrets
+- **Service Migration**: Orchestrated shutdown of source services and deployment in target
+- **Validation**: Comprehensive verification of adoption success
+- **Rollback Support**: Backup creation for potential rollback scenarios
+
+## Prerequisites
+
+1. Access to source OSP 17.1 environment with Barbican + Proteccio HSM
+2. Target RHOSO 18 environment with OpenShift cluster
+3. Proteccio HSM certificates and configuration files
+4. Database access credentials for source environment
+
+## Variables
+
+### Required Variables
+
+- `cifmw_barbican_adoption_source_db_host`: Source database hostname/IP
+- `cifmw_barbican_adoption_source_db_password`: Source database password
+- `cifmw_openshift_kubeconfig`: Path to OpenShift kubeconfig file
+
+### HSM Configuration (when HSM enabled)
+
+- `cifmw_barbican_adoption_proteccio_partition`: HSM partition/token name
+- `cifmw_barbican_adoption_proteccio_mkek_label`: Master key encryption key label
+- `cifmw_barbican_adoption_proteccio_hmac_label`: HMAC key label
+
+### Optional Variables
+
+- `cifmw_barbican_adoption_hsm_enabled`: Enable HSM support (default: false)
+- `cifmw_barbican_adoption_backup_enabled`: Create database backup (default: true)
+- `cifmw_barbican_adoption_preserve_jobs`: Preserve migration jobs (default: false)
+- `cifmw_barbican_adoption_debug`: Enable debug logging (default: false)
+
+See `defaults/main.yml` for complete variable list.
+
+## Usage
+
+### Basic Adoption (No HSM)
+
+```yaml
+- name: Adopt Barbican service
+  ansible.builtin.include_role:
+    name: barbican_adoption
+  vars:
+    cifmw_barbican_adoption_source_db_host: "192.168.1.100"
+    cifmw_barbican_adoption_source_db_password: "secret123"
+```
+
+### Proteccio HSM Adoption
+
+```yaml
+- name: Adopt Barbican with Proteccio HSM
+  ansible.builtin.include_role:
+    name: barbican_adoption
+  vars:
+    cifmw_barbican_adoption_source_db_host: "192.168.1.100"
+    cifmw_barbican_adoption_source_db_password: "secret123"
+    cifmw_barbican_adoption_hsm_enabled: true
+    cifmw_barbican_adoption_hsm_type: "proteccio"
+    cifmw_barbican_adoption_proteccio_partition: "barbican_partition"
+    cifmw_barbican_adoption_proteccio_mkek_label: "mkek_2024"
+    cifmw_barbican_adoption_proteccio_hmac_label: "hmac_2024"
+```
+
+### Using with Adoption Playbook
+
+```bash
+ansible-playbook playbooks/adoption/barbican-proteccio.yml \
+  -e osp_17_controller_host=192.168.1.100 \
+  -e barbican_db_password=secret123 \
+  -e hsm_partition=barbican_partition \
+  -e hsm_mkek_label=mkek_2024 \
+  -e hsm_hmac_label=hmac_2024
+```
+
+## Integration with CI Framework
+
+This role integrates with the existing ci-framework adoption infrastructure:
+
+1. **Hooks Integration**: Works with `barbican-enable-proteccio.yml` hook
+2. **Adoption Framework**: Leverages existing `adoption_osp_deploy` role
+3. **Kustomization**: Creates appropriate Kubernetes manifests
+4. **Scenarios**: Can be used with adoption scenarios
+
+## Architecture
+
+The adoption process follows these phases:
+
+1. **Validation**: Verify prerequisites and connectivity
+2. **Backup**: Create database and configuration backups
+3. **Migration**: Stop source services and migrate database
+4. **HSM Configuration**: Preserve and configure HSM integration
+5. **Deployment**: Deploy Barbican in target environment
+6. **Verification**: Validate adoption success
+7. **Cleanup**: Remove temporary files and old backups
+
+## Error Handling
+
+- Database migration failures trigger automatic rollback
+- HSM connectivity issues are validated before deployment
+- Comprehensive logging for troubleshooting
+- Backup creation ensures data protection
+
+## Limitations
+
+- Currently supports Proteccio HSM only (Luna HSM can be added)
+- Requires manual network connectivity between environments
+- Database migration requires temporary downtime
+
+## Examples
+
+See `playbooks/adoption/barbican-proteccio.yml` and `scenarios/adoption/uni07eta.yml` for complete usage examples.
+
+## Testing
+
+The role can be tested using the adoption scenario:
+
+```bash
+ansible-playbook deploy-osp-adoption.yml \
+  -e @scenarios/adoption/uni07eta.yml \
+  -e osp_17_controller_host=192.168.1.100
+```
+
+## Contributing
+
+When extending this role:
+1. Follow existing variable naming conventions (`cifmw_barbican_adoption_*`)
+2. Add appropriate validation in `validate_prerequisites.yml`
+3. Update documentation and examples
+4. Test with both HSM and non-HSM scenarios

roles/barbican_adoption/defaults/main.yml

@@ -0,0 +1,61 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# All variables intended for modification should be placed in this file.
+# All variables within this role should have a prefix of "cifmw_barbican_adoption"
+
+# General adoption configuration
+cifmw_barbican_adoption_source_namespace: "openstack"
+cifmw_barbican_adoption_target_namespace: "openstack"
+cifmw_barbican_adoption_preserve_jobs: false
+cifmw_barbican_adoption_db_migration_timeout: 3600
+cifmw_barbican_adoption_validation_timeout: 1800
+
+# Database configuration  
+cifmw_barbican_adoption_source_db_host: ""
+cifmw_barbican_adoption_source_db_port: 3306
+cifmw_barbican_adoption_source_db_name: "barbican"
+cifmw_barbican_adoption_source_db_user: "barbican"
+cifmw_barbican_adoption_source_db_password: ""
+
+# HSM configuration
+cifmw_barbican_adoption_hsm_enabled: false
+cifmw_barbican_adoption_hsm_type: "proteccio"  # or "luna"
+cifmw_barbican_adoption_preserve_hsm_config: true
+
+# Proteccio HSM specific configuration
+cifmw_barbican_adoption_proteccio_client_data_secret: "barbican-proteccio-client-data"
+cifmw_barbican_adoption_proteccio_login_secret: "barbican-proteccio-login"
+cifmw_barbican_adoption_proteccio_login_secret_field: "PKCS11Pin"
+cifmw_barbican_adoption_proteccio_library_path: "/usr/lib64/libnethsm.so"
+cifmw_barbican_adoption_proteccio_partition: ""
+cifmw_barbican_adoption_proteccio_mkek_label: ""
+cifmw_barbican_adoption_proteccio_hmac_label: ""
+cifmw_barbican_adoption_proteccio_key_wrap_mechanism: "CKM_AES_KEY_WRAP"
+
+# Service configuration
+cifmw_barbican_adoption_service_config_backup: true
+cifmw_barbican_adoption_service_config_restore: true
+cifmw_barbican_adoption_verify_connectivity: true
+
+# Debug and logging
+cifmw_barbican_adoption_debug: false
+cifmw_barbican_adoption_log_level: "INFO"
+
+# Backup and rollback configuration
+cifmw_barbican_adoption_backup_enabled: true
+cifmw_barbican_adoption_backup_retention_days: 30
+cifmw_barbican_adoption_rollback_enabled: true

roles/barbican_adoption/meta/main.yml

@@ -0,0 +1,42 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+galaxy_info:
+  role_name: barbican_adoption
+  namespace: cifmw
+  author: CI Framework
+  description: |
+    Role to support Barbican adoption from OSP 17.1 to RHOSO 18 while
+    preserving HSM (Hardware Security Module) integration, specifically
+    for Proteccio HSM environments.
+  company: Red Hat, Inc.
+  license: Apache-2.0
+  min_ansible_version: "2.14"
+  platforms:
+    - name: Fedora
+      versions:
+        - 37
+        - 38
+        - 39
+        - 40
+    - name: CentOS
+      versions:
+        - 9
+    - name: RHEL
+      versions:
+        - 9
+
+dependencies: []