From 2295d970b7afa5d164c18d5d4a087c8a8aec2a38 Mon Sep 17 00:00:00 2001 From: Mauricio Harley Date: Tue, 30 Sep 2025 22:35:08 +0000 Subject: [PATCH 1/2] Add Barbican adoption support with Proteccio HSM integration Implements comprehensive Barbican service adoption from OSP 17.1 to RHOSO 18 with optional Proteccio Hardware Security Module (HSM) integration. Features: - Base scenario for Barbican adoption without HSM (barbican.yaml) - Extended scenario with Proteccio HSM support (barbican-proteccio.yaml) - OSP 17.1 HSM configuration hook (barbican-osp17-proteccio-setup.yml) - Conditional HSM environment file inclusion in adoption workflow Implements: OSPRH-18874 Signed-off-by: Mauricio Harley --- .../barbican-osp17-proteccio-setup.yml | 57 +++++++++++++++++++ .../tasks/deploy_overcloud.yml | 11 ++++ scenarios/adoption/barbican-proteccio.yaml | 13 +++++ scenarios/adoption/barbican.yaml | 12 ++++ 4 files changed, 93 insertions(+) create mode 100644 hooks/playbooks/barbican-osp17-proteccio-setup.yml create mode 100644 scenarios/adoption/barbican-proteccio.yaml create mode 100644 scenarios/adoption/barbican.yaml diff --git a/hooks/playbooks/barbican-osp17-proteccio-setup.yml b/hooks/playbooks/barbican-osp17-proteccio-setup.yml new file mode 100644 index 0000000000..981a1613be --- /dev/null +++ b/hooks/playbooks/barbican-osp17-proteccio-setup.yml 
@@ -0,0 +1,57 @@ +--- +# Copyright Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- name: Configure OSP 17.1 Barbican with Proteccio HSM + hosts: "{{ cifmw_target_hook_host | default('localhost') }}" + tasks: + - name: Gather ansible_user_dir from undercloud + delegate_to: "osp-undercloud-0" + ansible.builtin.setup: + gather_subset: + - user_dir + + - name: Generate Barbican Proteccio Heat environment file + delegate_to: "osp-undercloud-0" + ansible.builtin.copy: + mode: '0644' + dest: "{{ ansible_user_dir }}/enable-barbican-proteccio.yaml" + content: |- + parameter_defaults: + # Enable PKCS11 backend for Barbican + BarbicanPkcs11CryptoEnabled: true + BarbicanPkcs11CryptoGlobalDefault: true + BarbicanSimpleCryptoGlobalDefault: false + + # Proteccio HSM configuration + BarbicanPkcs11CryptoLibraryPath: {{ cifmw_barbican_proteccio_library_path | default('/usr/lib64/libnethsm.so') }} + BarbicanPkcs11CryptoTokenLabels: {{ cifmw_barbican_proteccio_partition }} + BarbicanPkcs11CryptoMKEKLabel: {{ cifmw_barbican_proteccio_mkek_label }} + BarbicanPkcs11CryptoHMACLabel: {{ cifmw_barbican_proteccio_hmac_label }} + BarbicanPkcs11CryptoLogin: {{ cifmw_hsm_password }} + BarbicanPkcs11CryptoSlotId: {{ cifmw_barbican_proteccio_slot_id | default('1') }} + + # Encryption mechanisms + BarbicanPkcs11CryptoEncryptionMechanism: CKM_AES_CBC + BarbicanPkcs11CryptoHMACKeyType: CKK_GENERIC_SECRET + BarbicanPkcs11CryptoHMACKeygenMechanism: 
CKM_GENERIC_SECRET_KEY_GEN + BarbicanPkcs11CryptoMKEKLength: 32 + BarbicanPkcs11AlwaysSetCkaSensitive: false + BarbicanPkcs11CryptoOsLockingOk: true + BarbicanPkcs11CryptoATOSEnabled: true + + - name: Display generated file location + ansible.builtin.debug: + msg: "Generated Barbican Proteccio HSM configuration at: {{ ansible_user_dir }}/enable-barbican-proteccio.yaml" diff --git a/roles/adoption_osp_deploy/tasks/deploy_overcloud.yml b/roles/adoption_osp_deploy/tasks/deploy_overcloud.yml index 59136b57e0..c632970cc8 100644 --- a/roles/adoption_osp_deploy/tasks/deploy_overcloud.yml +++ b/roles/adoption_osp_deploy/tasks/deploy_overcloud.yml @@ -70,6 +70,17 @@ dest: "{{ _private_overcloud_conf_file }}" mode: "0644" + - name: Check if Barbican Proteccio HSM env file exists + delegate_to: "osp-undercloud-0" + ansible.builtin.stat: + path: "{{ ansible_user_dir }}/enable-barbican-proteccio.yaml" + register: _barbican_proteccio_env_file + + - name: Include Barbican Proteccio HSM environment file if exists + when: _barbican_proteccio_env_file.stat.exists + ansible.builtin.set_fact: + _overcloud_args: "{{ _overcloud_args }} -e {{ ansible_user_dir }}/enable-barbican-proteccio.yaml" + - name: Run overcloud deploy delegate_to: "osp-undercloud-0" vars: diff --git a/scenarios/adoption/barbican-proteccio.yaml b/scenarios/adoption/barbican-proteccio.yaml new file mode 100644 index 0000000000..0135cec5ba --- /dev/null +++ b/scenarios/adoption/barbican-proteccio.yaml @@ -0,0 +1,13 @@ +--- +# OSP 17.1 deployment scenario for Barbican with Proteccio HSM +# Extends the base Barbican scenario with HSM configuration + +undercloud: + config: [] + +stacks: + - stackname: overcloud + pre_oc_run: + - name: Configure Barbican with Proteccio HSM on OSP 17.1 + type: playbook + source: barbican-osp17-proteccio-setup.yml diff --git a/scenarios/adoption/barbican.yaml b/scenarios/adoption/barbican.yaml new file mode 100644 index 0000000000..8fb805ace7 --- /dev/null 
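Review bot: The generated Heat environment file embeds the HSM login secret (`BarbicanPkcs11CryptoLogin: {{ cifmw_hsm_password }}`) yet is written with `mode: '0644'`, and the copy task carries no `no_log`, so the rendered content including that secret can surface in task output under `--diff` or on failure. Tighten the file to `mode: '0600'` and add `no_log: true` on the copy task. The templated scalars inside `content` are also unquoted, so a label or secret that looks like a number or boolean, or contains `: ` or ` #`, would be retyped or break the rendered YAML; quote the string-valued ones (if the secret may itself contain quote characters, `{{ cifmw_hsm_password | to_json }}` renders a safely escaped scalar instead). The delegate target of these tasks is changed again by the second patch in this series, so it is left out of the excerpt below.
```yaml
  - name: Generate Barbican Proteccio Heat environment file
    # … unchanged: delegate_to …
    no_log: true
    ansible.builtin.copy:
      mode: '0600'
      dest: "{{ ansible_user_dir }}/enable-barbican-proteccio.yaml"
      content: |-
        parameter_defaults:
          # … unchanged: PKCS11 backend enable flags …
          BarbicanPkcs11CryptoLibraryPath: "{{ cifmw_barbican_proteccio_library_path | default('/usr/lib64/libnethsm.so') }}"
          BarbicanPkcs11CryptoTokenLabels: "{{ cifmw_barbican_proteccio_partition }}"
          BarbicanPkcs11CryptoMKEKLabel: "{{ cifmw_barbican_proteccio_mkek_label }}"
          BarbicanPkcs11CryptoHMACLabel: "{{ cifmw_barbican_proteccio_hmac_label }}"
          BarbicanPkcs11CryptoLogin: "{{ cifmw_hsm_password }}"
          # … unchanged: slot id and encryption mechanisms …
```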
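Review bot: Gating the extra `-e` on whether `{{ ansible_user_dir }}/enable-barbican-proteccio.yaml` happens to exist means a file left behind by an earlier Proteccio run silently switches a later non-HSM scenario on the same undercloud to the PKCS11 backend, while a hook that failed to write the file is never noticed because the `when` simply falls through. Prefer gating on the scenario's declared intent (a boolean the Proteccio scenario sets; constructed name, e.g. `cifmw_barbican_proteccio_enabled`) and, when that flag is set, asserting the file is present, e.g. `ansible.builtin.assert: { that: _barbican_proteccio_env_file.stat.exists }`, so a missing environment file fails loudly instead of deploying without the HSM. The enclosing block of tasks begins and ends outside the hunk.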
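Review bot: The header comment says this scenario "Extends the base Barbican scenario", but nothing in the file includes or references `barbican.yaml`; it is a standalone scenario that only adds a `pre_oc_run` hook, so the comment should say that. The hook it runs templates `cifmw_barbican_proteccio_partition`, `cifmw_barbican_proteccio_mkek_label`, `cifmw_barbican_proteccio_hmac_label` and `cifmw_hsm_password` with no defaults, so a run without them fails only when the hook executes; document them here, e.g. `# Requires: cifmw_barbican_proteccio_partition, cifmw_barbican_proteccio_mkek_label, cifmw_barbican_proteccio_hmac_label, cifmw_hsm_password (secret; supply via vault/secret store, not this file)`.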
+++ b/scenarios/adoption/barbican.yaml @@ -0,0 +1,12 @@ +--- +# Base OSP 17.1 deployment scenario for Barbican adoption +# This deploys Barbican with simple_crypto backend (no HSM) +# Can be extended with HSM-specific scenarios + +undercloud: + config: [] + +stacks: + - stackname: overcloud + # No pre_oc_run hooks needed for basic Barbican + # It will use the default simple_crypto backend From da90ca55f4e6034d35eaadb384419b00c572c6ca Mon Sep 17 00:00:00 2001 From: Mauricio Harley Date: Mon, 27 Oct 2025 17:39:11 +0000 Subject: [PATCH 2/2] Fix delegate_to target for adoption undercloud Change delegate_to from 'undercloud-0' to 'standalone' to match the actual hostname used in adoption scenarios. Signed-off-by: Mauricio Harley --- hooks/playbooks/barbican-osp17-proteccio-setup.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hooks/playbooks/barbican-osp17-proteccio-setup.yml b/hooks/playbooks/barbican-osp17-proteccio-setup.yml index 981a1613be..b013ca149b 100644 --- a/hooks/playbooks/barbican-osp17-proteccio-setup.yml +++ b/hooks/playbooks/barbican-osp17-proteccio-setup.yml @@ -18,13 +18,13 @@ hosts: "{{ cifmw_target_hook_host | default('localhost') }}" tasks: - name: Gather ansible_user_dir from undercloud - delegate_to: "osp-undercloud-0" + delegate_to: "standalone" ansible.builtin.setup: gather_subset: - user_dir - name: Generate Barbican Proteccio Heat environment file - delegate_to: "osp-undercloud-0" + delegate_to: "standalone" ansible.builtin.copy: mode: '0644' dest: "{{ ansible_user_dir }}/enable-barbican-proteccio.yaml"
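Review bot: After this change the hook writes `enable-barbican-proteccio.yaml` into the home directory reached via `delegate_to: "standalone"`, while `roles/adoption_osp_deploy/tasks/deploy_overcloud.yml` from the first patch still runs its `stat` check and the overcloud deploy via `delegate_to: "osp-undercloud-0"`. Unless both names resolve to the same inventory host, the stat never sees the file and the HSM environment is silently dropped from the deploy. Rather than hard-coding the name in two places, drive both from one variable (constructed name, e.g. `delegate_to: "{{ cifmw_adoption_undercloud_host | default('standalone') }}"`), or at least update the role's delegate target in the same patch. The task name `Gather ansible_user_dir from undercloud` still describes the previous target and could be adjusted to match.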