Simplify the role

Lets take all the dependencies on a running lunaclient VM
out.  We suspect that with the ip checking turned off, we can use
any subject in the client certs anyway, as long as the cert is uploaded
to the HSM (and registered to a client).

This simplifies things considerably - and makes the role more
reusable by a deployer as a standalone role.

Instead, we'll need the relevant bits uploaded somewhere for the
deployer to retrieve.

Author: vakwetu

docs/dictionary/en-custom.txt

@@ -46,6 +46,7 @@ bootmacaddress
 bootmode
 buildah
 buildpkgs
+cacert
 cacheable
 cci
 ccitredhat
@@ -305,6 +306,7 @@ mellanox
 metallb
 metalsmith
 mgmt
+minclient
 mins
 minsizegigabytes
 mlnx
@@ -397,6 +399,7 @@ params
 passwd
 passwordless
 pastebin
+pem
 pkgs
 pki
 png

hooks/playbooks/barbican-cleanup-luna.yml

@@ -1,27 +1,17 @@
 ---
-- name: Add lunaclient to inventory
-  hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
-  tasks:
-    - name: Get lunaclient key
-      ansible.builtin.get_url:
-        url: "{{ cifmw_hsm_lunaclient_key }}"
-        dest: "{{ ansible_user_dir }}/.ssh/lunaclient"
-        mode: "0400"
-    - name: Add lunaclient VM to inventory
-      ansible.builtin.add_host:
-        name: "{{ cifmw_hsm_lunaclient_vm }}"
-        ansible_user: "{{ cifmw_hsm_lunaclient_user }}"
-        ansible_ssh_private_key_file: "{{ ansible_user_dir }}/.ssh/lunaclient"
-        ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
-
 - name: Create modified barbican image and get secrets
-  hosts: "{{ cifmw_hsm_lunaclient_vm }}"
+  hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
   tasks:
     - name: Include hsm_prep role
       ansible.builtin.include_role:
         name: hsm_prep
       vars:
-        cifmw_hsm_client_ip: "{{ hostvars[ cifmw_hsm_client_machine ].ansible_host }}"
+        cifmw_hsm_src_image_registry: "{{ content_provider_registry_ip }}:5001"
+        cifmw_hsm_src_image_namepace: "{{ cifmw_set_openstack_containers_namespace }}"
+        cifmw_hsm_src_image_tag: "{{ cifmw_update_extras['cifmw_set_openstack_containers_tag'] }}"
+        cifmw_hsm_dest_image_registry: "{{ content_provider_registry_ip }}:5001"
+        cifmw_hsm_dest_image_namepace: "{{ cifmw_set_openstack_containers_namespace }}"
+        cifmw_hsm_dest_image_tag: "{{ cifmw_update_extras['cifmw_set_openstack_containers_tag'] }}-luna"
 
 - name: Create kustomization to use update barbican to use luna
   hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
@@ -30,7 +20,6 @@
       vars:
         certs_secret: "{{ cifmw_hsm_luna_cert_secret | default('barbican-luna-certs', true) }}"
         login_secret: "{{ cifmw_hsm_login_secret | default('hsm-login', true) }}"
-        cifmw_hsm_client_ip: "{{ hostvars[ cifmw_hsm_client_machine ].ansible_host }}"
       ansible.builtin.copy:
         dest: "{{ cifmw_basedir }}/artifacts/manifests/kustomizations/controlplane/93-barbican-luna.yaml"
         content: |-

hooks/playbooks/barbican-enable-luna.yml

@@ -1,7 +1,6 @@
 # HSM Role
 
-In order to use HSMs, the barbican images need to be customized to include the HSM software.  For now, this is something
-that we expect customers to do with scripts that we will provide as part of the barbican-operator code.
+In order to use HSMs, the barbican images need to be customized to include the HSM software.
 
 The purpose of this role is to:
 * Generate new images for the barbican-api and barbican-worker containing the HSM software
@@ -10,21 +9,18 @@ The purpose of this role is to:
 
 For the Lunasa, we expect some preparatory steps to be completed prior to execution in order for the
 role to complete successfully.
-* We expect a VM that contains the Lunasa client software and that is registered as a lunasa client.
-  This VM should contain the following contents:
-  * The contents of the minimal linux client in a zipped tar file.
-  * The lunasa binaries that need to be added to the image under a specified directory.
-  * The lunasa HSM server cert.
-* The above contents will be fetched by the role.
-* The VM will be used to generate client certificates.  For this, we will need the cifmw_hsm_client_ip , which
-  is the VM of the hypervisor hosting the openshift node.  If a cert has already been generated, then
-  that certificate will be retrieved instead.
+* The lunasa software is uploaded somewhere and will be fetched by the role
+  * The contents of the minimal linux client in a zipped tar file should be made available at cifmw_hsm_luna_minclient_src.
+  * The lunasa binaries that need to be added to the image are made available at cifmw_hsm_luna_binaries_src.
+  * The lunasa HSM cacert file is made available at cifmw_hsm_luna_server_cert_src.  For an HA configuration,
+    this will be a concatenation of all the server certs for the servers in the HA partition.
+  * The client certificate and key made available at cifmw_hsm_luna_client_cert_src.  The files are expected
+    to be of the form "(cifmw_hsm_client_ip)".pem and "(cifmw_hsm_client_ip)"Key.pem
 * The certs will be retrieved and stored in a secret (cifmw_hsm_luna_cert_secret)
 * The password to log into the HSM partition will be stored in a secret (cifmw_hsm_login_secret)
-* As input to this role, we will require the ssh connection details and credentials for this VM.
 
-A minimal (one that takes the defaults) invocation of this role is shown below, where the lunaclient
-is the running client VM described above.
+A minimal (one that takes the defaults) invocation of this role is shown below.  In this case, the lunaclient
+software and certs are stored locally under /opt/luna.
 
 - name: Set up Luna
   hosts: lunaclient
@@ -34,11 +30,7 @@ is the running client VM described above.
     - cert_prep
     - secret_prep
   vars:
-    cifmw_hsm_admin_password: "<HSM admin password>"
-    cifmw_hsm_server_ip: "IP of HSM"
     cifmw_hsm_client_ip: "IP of the client - this could be the hypervisor where the Openshift nodes run"
-    cifmw_hsm_luna_partition: "HSM partition for the client to join"
-    cifmw_hsm_partition_password: "<HSM partition password>"
 
 Note that tags have been provided to allow the caller to select specific operations.  This may be necessary
 because different operations may need to executed in different CI jobs.  The current tags available are:
@@ -48,28 +40,26 @@ image_prep, cert_prep, secret_prep, cleanup
 
 ### HSM Details
 * `cifmw_hsm_hsmtype`: (String) The type of HSM required.  Currently, only "luna" is supported. Default value: `luna`
-* `cifmw_hsm_admin_user`: (String) The user to log into the HSM.  Default value: `admin`
-* `cifmw_hsm_admin_password`: (String) The password to log into the HSM.
-* `cifmw_hsm_server_ip`: (String) ip address or hostname of the HSM
-* `cifmw_hsm_partition_password: (String) The password to log into the HSM partition
 * `cifmw_hsm_login_secret`: (String) The secret to store the password to log into the HSM partition. Default: `hsm-login`
 
-### Barbican Image and Details to get buildah script
-* `cifmw_hsm_barbican_operator_repo`: (String) Repo for barbican-operator. Default value: "https://github.com/openstack-k8s-operators/barbican-operator.git"
-* `cifmw_hsm_barbican_operator_version`: (String) Version for barbican-operator.  Default value: "main"
-* `cifmv_hsm_barbican_image_namespace`: (String) Namespace for barbican-operator source image.  Default value: "podified-antelope-centos9"
-* `cifmw_hsm_barbican_image_tag`: (String) Tag for barbican-operator source image.  Default value: "current-podified"
-
 ### Role Parameters
 * `cifmw_hsm_cleanup`: (Boolean) Delete all resources created by the role at the end of the testing. Default value: `false`
 * `cifmw_hsm_working_dir`: (String) Working directory to store artifacts.  Default value: `/tmp/hsm-prep-working-dir`
 * `cifmw_hsm_client_ip`: (String) ip address or hostname of the client VM
 
+### Image Details
+* `cifmw_hsm_barbican_src_image_registry`: (String) Registry of the source image. Default value: `quay.io`
+* `cifmw_hsm_barbican_src_image_namespace: (String) Namespace of the source image. Default value: `podified-antelope-centos9`
+* `cifmw_hsm_barbican_src_image_tag: (String) Tag of the source image. Default value: `current-podified`
+* `cifmw_hsm_barbican_dest_image_registry`: (String) Registry of the modified image. Default value: `quay.io`
+* `cifmw_hsm_barbican_dest_image_namespace: (String) Namespace of the modified image. Default value: `podified-antelope-centos9`
+* `cifmw_hsm_barbican_dest_image_tag: (String) Tag of the modified image. Default value: `current-podified-luna`
+
 ### Luna Parameters
-* `cifmw_hsm_luna_minclient_src`: (String) Location of linux minimal client tarball on the luna client VM. Default value: `/opt/data/Linux-Minimal-Client.tar.gz`
-* `cifmw_hsm_luna_binaries_src`: (String) Location of the luna binaries on the luna client VM. Default value: `/opt/data/bin`
-* `cifmw_hsm_luna_server_cert_src`: (String) Location of HSM server cert on the luna client VM.  Default value: `/usr/safenet/lunaclient/cert/server`
-* `cifmw_hsm_luna_client_cert_src`: (String) Location of HSM client cert on the luna client VM.  Default value: `/usr/safenet/lunaclient/cert/client`
+* `cifmw_hsm_luna_minclient_src`: (String) Location of linux minimal client tarball. Default value: `file:///opt/luna/Linux-Minimal-Client.tar.gz`
+* `cifmw_hsm_luna_binaries_src`: (String) Location of the luna binaries. Default value: `file:///opt/luna/bin`
+* `cifmw_hsm_luna_server_cert_src`: (String) Location of HSM server CA cert.  Default value: `file:///opt/luna/cert/server/cacert.pem`
+* `cifmw_hsm_luna_client_cert_src`: (String) Location of HSM client certs.  Default value: `file:///opt/luna/cert/client`
+* `cifmw_hsm_server_ca_file`: (String) Name of the cacert file in the container.  Default value: `cacert.pem`
 * `cifmw_hsm_luna_cert_secret`: (String) Name of the secret that stores all of the needed certs for luna.  Default value: `barbican-luna-certs`
 * `cifmw_hsm_luna_cert_secret_namespace`: (String) Namespace of the secret that stores all of the needed certs for luna.  Default value: `openstack`
-* `cifmw_hsm_luna_partition`: (String) HSM partition for the client to join.

roles/hsm_prep/README.md

@@ -22,24 +22,23 @@ cifmw_hsm_hsmtype: "luna"
 cifmw_hsm_admin_user: "admin"
 cifmw_hsm_login_secret: "hsm-login"
 
-### Barbican Image and Details to get buildah script
-cifmw_hsm_barbican_operator_repo: "https://github.com/openstack-k8s-operators/barbican-operator.git"
-cifmw_hsm_barbican_operator_version: "main"
-
 ### Role Parameters
 cifmw_hsm_cleanup: false
 cifmw_hsm_working_dir: "/tmp/hsm-prep-working-dir"
 
 ### Luna Parameters
-cifmw_hsm_luna_minclient_src: "/opt/data/Linux-Minimal-Client.tar.gz"
-cifmw_hsm_luna_binaries_src: "/opt/data/bin"
-cifmw_hsm_luna_server_cert_src: "/usr/safenet/lunaclient/cert/server"
-cifmw_hsm_luna_client_cert_src: "/usr/safenet/lunaclient/cert/client"
+cifmw_hsm_luna_minclient_src: "file:///opt/luna/Linux-Minimal-Client.tar.gz"
+cifmw_hsm_luna_binaries_src: "file:///opt/luna/bin/"
+cifmw_hsm_luna_server_cert_src: "file:///opt/luna/cert/server/cacert.pem"
+cifmw_hsm_luna_client_cert_src: "file:///opt/luna/cert/client/"
+cifmw_hsm_server_ca_file: "cacert.pem"
 cifmw_hsm_luna_cert_secret: "barbican-luna-certs"
 cifmw_hsm_luna_cert_secret_namespace: "openstack"
 
 ## Image details
-cifmv_hsm_barbican_image_registry: "quay.io"
-cifmv_hsm_barbican_image_namespace: "podified-antelope-centos9"
-cifmw_hsm_barbican_image_tag: "current-podified"
-cifmw_hsm_barbican_final_image_tag: "current-podified-luna"
+cifmw_hsm_barbican_src_image_registry: "quay.io"
+cifmw_hsm_barbican_src_image_namespace: "podified-antelope-centos9"
+cifmw_hsm_barbican_src_image_tag: "current-podified"
+cifmw_hsm_barbican_dest_image_registry: "quay.io"
+cifmw_hsm_barbican_dest_image_namespace: "podified-antelope-centos9"
+cifmw_hsm_barbican_dest_image_tag: "current-podified-luna"

roles/hsm_prep/defaults/main.yml

@@ -9,14 +9,17 @@ set -x
 set -o errexit
 set -o pipefail
 
-BARBICAM_IMAGE_REGISTRY=${BARBICAN_IMAGE_REGISTRY:-"quay.io"}
-BARBICAN_IMAGE_NAMESPACE=${BARBICAN_IMAGE_NAMESPACE:-"podified-antelope-centos9"}
-BARBICAN_IMAGE_TAG=${BARBICAN_IMAGE_TAG:-"current-podified"}
-BARBICAN_API_IMAGE="$BARBICAM_IMAGE_REGISTRY/$BARBICAN_IMAGE_NAMESPACE/openstack-barbican-api:$BARBICAN_IMAGE_TAG"
-BARBICAN_WORKER_IMAGE="$BARBICAM_IMAGE_REGISTRY/$BARBICAN_IMAGE_NAMESPACE/openstack-barbican-worker:$BARBICAN_IMAGE_TAG"
-BARBICAM_FINAL_IMAGE_TAG_X=${BARBICAN_FINAL_IMAGE_TAG:-"current-podified-luna"}
-BARBICAN_API_FINAL_IMAGE="$BARBICAM_IMAGE_REGISTRY/$BARBICAN_IMAGE_NAMESPACE/openstack-barbican-api:${BARBICAM_FINAL_IMAGE_TAG_X}"
-BARBICAN_WORKER_FINAL_IMAGE="$BARBICAM_IMAGE_REGISTRY/$BARBICAN_IMAGE_NAMESPACE/openstack-barbican-worker:${BARBICAM_FINAL_IMAGE_TAG_X}"
+BARBICAM_SRC_IMAGE_REGISTRY=${BARBICAN_SRC_IMAGE_REGISTRY:-"quay.io"}
+BARBICAN_SRC_IMAGE_NAMESPACE=${BARBICAN_SRC_IMAGE_NAMESPACE:-"podified-antelope-centos9"}
+BARBICAN_SRC_IMAGE_TAG=${BARBICAN_SRC_IMAGE_TAG:-"current-podified"}
+BARBICAN_SRC_API_IMAGE="$BARBICAM_SRC_IMAGE_REGISTRY/$BARBICAN_SRC_IMAGE_NAMESPACE/openstack-barbican-api:$BARBICAN_SRC_IMAGE_TAG"
+BARBICAN_SRC_WORKER_IMAGE="$BARBICAM_SRC_IMAGE_REGISTRY/$BARBICAN_SRC_IMAGE_NAMESPACE/openstack-barbican-worker:$BARBICAN_SRC_IMAGE_TAG"
+
+BARBICAM_DEST_IMAGE_REGISTRY=${BARBICAN_DEST_IMAGE_REGISTRY:-"quay.io"}
+BARBICAN_DEST_IMAGE_NAMESPACE=${BARBICAN_DEST_IMAGE_NAMESPACE:-"podified-antelope-centos9"}
+BARBICAN_DEST_IMAGE_TAG=${BARBICAN_DEST_IMAGE_TAG:-"current-podified"}
+BARBICAN_DEST_API_IMAGE="$BARBICAM_DEST_IMAGE_REGISTRY/$BARBICAN_DEST_IMAGE_NAMESPACE/openstack-barbican-api:$BARBICAN_DEST_IMAGE_TAG"
+BARBICAN_DEST_WORKER_IMAGE="$BARBICAM_DEST_IMAGE_REGISTRY/$BARBICAN_DEST_IMAGE_NAMESPACE/openstack-barbican-worker:$BARBICAN_DEST_IMAGE_TAG"
 
 # LUNA_LINUX_MINIMAL_CLIENT_DIR - location of the "linux-minimal" directory
 # in your client media.  This could be a path to a mounted ISO or a path to
@@ -49,5 +52,5 @@ function install_client() {
   buildah rm $container
 }
 
-install_client $BARBICAN_API_IMAGE $BARBICAN_API_FINAL_IMAGE
-install_client $BARBICAN_WORKER_IMAGE $BARBICAN_WORKER_FINAL_IMAGE
+install_client $BARBICAN_SRC_API_IMAGE $BARBICAN_DEST_API_IMAGE
+install_client $BARBICAN_SRC_WORKER_IMAGE $BARBICAN_DEST_WORKER_IMAGE

roles/hsm_prep/files/image_add_luna_minimal_client.sh

@@ -9,26 +9,6 @@
       ansible.builtin.debug:
         msg: "Running cleanup tasks here"
 
-    - name: Set fact for client_name
-      ansible.builtin.set_fact:
-        client_name: "{{ cifmw_hsm_client_ip }}"
-
-    - name: Check for existing HSM client
-      ansible.builtin.shell: >
-        sshpass -p '{{ cifmw_hsm_admin_password }}'
-        ssh -o StrictHostKeyChecking=false -c aes256-cbc
-        {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}
-        -C client list
-      register: client_list
-
-    - name: Delete existing client when rotating certs
-      ansible.builtin.shell: >
-        sshpass -p '{{ cifmw_hsm_admin_password }}'
-        ssh -c aes256-cbc {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}
-        -C "client delete -f -c {{ client_name }}"
-      when:
-        - client_name in client_list.stdout
-
     - name: Remove the working directory
       delegate_to: localhost
       become: true