Add minimal HSM support to barbican_adoption role

Mauricio Harley · Mauricio Harley · commit 365cbaec3f08 · 2025-10-02T09:41:05.000Z
Extend the existing barbican_adoption role with minimal HSM support for Proteccio integration.

Fixes: OSPRH-18981

Signed-off-by: Mauricio Harley &lt;mharley@redhat.com&gt;
diff --git a/tests/config.env.sample b/tests/config.env.sample
@@ -0,0 +1,5 @@
+# Minimal environment configuration for HSM adoption
+# Copy this to config.env and modify as needed
+
+# HSM Configuration
+BARBICAN_HSM_ENABLED=false
diff --git a/tests/hsm_vars/common.yml b/tests/hsm_vars/common.yml
@@ -0,0 +1,3 @@
+---
+# Common HSM variables
+internalapi_prefix: "172.17.0"
diff --git a/tests/hsm_vars/proteccio.yml b/tests/hsm_vars/proteccio.yml
@@ -0,0 +1,3 @@
+---
+# Minimal Proteccio HSM configuration
+barbican_hsm_enabled: true
diff --git a/tests/inventory.proteccio.yaml b/tests/inventory.proteccio.yaml
@@ -0,0 +1,5 @@
+---
+all:
+  hosts:
+    localhost:
+      ansible_connection: local
diff --git a/tests/playbooks/barbican_hsm_adoption.yml b/tests/playbooks/barbican_hsm_adoption.yml
@@ -0,0 +1,9 @@
+---
+- name: Barbican HSM Adoption
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  vars_files:
+    - hsm_vars/proteccio.yml
+  roles:
+    - barbican_adoption
diff --git a/tests/roles/barbican_adoption/defaults/main.yaml b/tests/roles/barbican_adoption/defaults/main.yaml
@@ -1,4 +1,7 @@
 ---
+# HSM support flag
+barbican_hsm_enabled: false
+
 barbican_patch: |
   spec:
     barbican:
@@ -38,3 +41,50 @@ barbican_patch: |
           replicas: 1
         barbicanKeystoneListener:
           replicas: 1
+
+barbican_hsm_patch: |
+  spec:
+    barbican:
+      enabled: true
+      apiOverride:
+        route: {}
+      template:
+        databaseInstance: openstack
+        databaseAccount: barbican
+        rabbitMqClusterName: rabbitmq
+        secret: osp-secret
+        simpleCryptoBackendSecret: osp-secret
+        serviceAccount: barbican
+        serviceUser: barbican
+        passwordSelectors:
+          database: BarbicanDatabasePassword
+          service: BarbicanPassword
+          simplecryptokek: BarbicanSimpleCryptoKEK
+        customServiceConfig: |
+          [p11_crypto_plugin]
+          plugin_name = PKCS11
+          library_path = {{ proteccio_library_path | default('/opt/tw_proteccio/lib/libnethsm.so') }}
+          token_labels = {{ proteccio_hsm_tokens | default(['VHSM1']) | join(',') }}
+          mkek_label = {{ proteccio_mkek_name | default('adoption_mkek_1') }}
+          hmac_label = {{ proteccio_hmac_name | default('adoption_hmac_1') }}
+          encryption_mechanism = CKM_AES_CBC
+          hmac_key_type = CKK_GENERIC_SECRET
+          hmac_keygen_mechanism = CKM_GENERIC_SECRET_KEY_GEN
+          hmac_mechanism = CKM_SHA256_HMAC
+          key_wrap_mechanism = CKM_AES_CBC_PAD
+          key_wrap_generate_iv = true
+          always_set_cka_sensitive = true
+          os_locking_ok = false
+          login = {{ proteccio_login_password | default('') }}
+        globalDefaultSecretStore: pkcs11
+        enabledSecretStores: ["simple_crypto", "pkcs11"]
+        pkcs11:
+          loginSecret: hsm-login
+          clientDataSecret: proteccio-data
+          clientDataPath: /etc/proteccio
+        barbicanAPI:
+          replicas: 1
+        barbicanWorker:
+          replicas: 1
+        barbicanKeystoneListener:
+          replicas: 1
diff --git a/tests/roles/barbican_adoption/tasks/main.yaml b/tests/roles/barbican_adoption/tasks/main.yaml
@@ -5,11 +5,19 @@
     CONTROLLER1_SSH="{{ controller1_ssh }}"
     oc set data secret/osp-secret "BarbicanSimpleCryptoKEK=$($CONTROLLER1_SSH "sudo python3 -c \"import configparser; c = configparser.ConfigParser(); c.read('/var/lib/config-data/puppet-generated/barbican/etc/barbican/barbican.conf'); print(c['simple_crypto_plugin']['kek'])\"")"
 
-- name: deploy podified Barbican
+- name: deploy podified Barbican (standard)
   ansible.builtin.shell: |
     {{ shell_header }}
     {{ oc_header }}
     oc patch openstackcontrolplane openstack --type=merge --patch '{{ barbican_patch }}'
+  when: not barbican_hsm_enabled|default(false)
+
+- name: deploy podified Barbican (HSM)
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc patch openstackcontrolplane openstack --type=merge --patch '{{ barbican_hsm_patch }}'
+  when: barbican_hsm_enabled|default(false)
 
 - name: wait for Barbican to start up
   ansible.builtin.shell: |

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+---`
	`2`	`+# Common HSM variables`
	`3`	`+internalapi_prefix: "172.17.0"`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+---`
	`2`	`+# Minimal Proteccio HSM configuration`
	`3`	`+barbican_hsm_enabled: true`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +all:
 +  hosts:
 +    localhost:
 +      ansible_connection: local