Add support for custom Barbican images and parameterized HSM secrets

Mauricio Harley · Mauricio Harley · commit 3f7277b3c8ac · 2025-12-17T09:53:46.000Z
This change adds support for:
- Custom Barbican API and Worker container images via
  barbican_custom_api_image and barbican_custom_worker_image variables
- Parameterized HSM secret names via proteccio_login_secret_name and
  proteccio_client_data_secret_name variables

This enables adoption scenarios where Barbican requires custom images
with HSM client libraries (e.g., Proteccio) installed.

Signed-off-by: Mauricio Harley &lt;mharley@redhat.com&gt;
diff --git a/tests/roles/backend_services/tasks/main.yaml b/tests/roles/backend_services/tasks/main.yaml
@@ -93,6 +93,32 @@
       args:
         chdir: "{{ dpa_tests_dir }}/config"
 
+- name: Get OpenStackVersion resource name for custom Barbican images
+  when: >-
+    (barbican_custom_api_image is defined and barbican_custom_api_image) or
+    (barbican_custom_worker_image is defined and barbican_custom_worker_image)
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc get openstackversions -o jsonpath='{.items[0].metadata.name}'
+  register: openstack_version_name
+  changed_when: false
+  failed_when: openstack_version_name.stdout == ""
+
+- name: Patch OpenStackVersion with custom Barbican images
+  when: >-
+    (barbican_custom_api_image is defined and barbican_custom_api_image) or
+    (barbican_custom_worker_image is defined and barbican_custom_worker_image)
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    {% if barbican_custom_api_image is defined and barbican_custom_api_image %}
+    oc patch openstackversion {{ openstack_version_name.stdout }} --type=merge -p '{"spec":{"customContainerImages":{"barbicanAPIImage":"{{ barbican_custom_api_image }}"}}}'
+    {% endif %}
+    {% if barbican_custom_worker_image is defined and barbican_custom_worker_image %}
+    oc patch openstackversion {{ openstack_version_name.stdout }} --type=merge -p '{"spec":{"customContainerImages":{"barbicanWorkerImage":"{{ barbican_custom_worker_image }}"}}}'
+    {% endif %}
+
 - name: execute alternative tasks when source env is ODPdO
   ansible.builtin.include_tasks: ospdo_backend_services.yaml
   when: ospdo_src| bool
diff --git a/tests/roles/barbican_adoption/defaults/main.yaml b/tests/roles/barbican_adoption/defaults/main.yaml
@@ -80,12 +80,17 @@ barbican_hsm_patch: |
         globalDefaultSecretStore: pkcs11
         enabledSecretStores: ["simple_crypto", "pkcs11"]
         pkcs11:
-          loginSecret: hsm-login
-          clientDataSecret: proteccio-data
+          loginSecret: {{ proteccio_login_secret_name | default('hsm-login') }}
+          clientDataSecret: {{ proteccio_client_data_secret_name | default('proteccio-data') }}
           clientDataPath: /etc/proteccio
         barbicanAPI:
           replicas: 1
         barbicanWorker:
           replicas: 1
         barbicanKeystoneListener:
           replicas: 1
+
+# HSM secrets configuration
+proteccio_login_secret_name: hsm-login
+proteccio_client_data_secret_name: proteccio-data
+proteccio_login_password: ''
diff --git a/tests/roles/barbican_adoption/tasks/main.yaml b/tests/roles/barbican_adoption/tasks/main.yaml
@@ -5,6 +5,50 @@
     CONTROLLER1_SSH="{{ controller1_ssh }}"
     oc set data secret/osp-secret "BarbicanSimpleCryptoKEK=$($CONTROLLER1_SSH "sudo python3 -c \"import configparser; c = configparser.ConfigParser(); c.read('/var/lib/config-data/puppet-generated/barbican/etc/barbican/barbican.conf'); print(c['simple_crypto_plugin']['kek'])\"")"
 
+- name: Create HSM login secret for Barbican
+  when: barbican_hsm_enabled|default(false)
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    cat <<EOF | oc apply -f -
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ proteccio_login_secret_name | default('hsm-login') }}
+      namespace: openstack
+    type: Opaque
+    stringData:
+      PKCS11Pin: "{{ proteccio_login_password | default('') }}"
+    EOF
+
+- name: Check if HSM client data files exist
+  when: barbican_hsm_enabled|default(false)
+  ansible.builtin.stat:
+    path: /tmp/hsm-prep-working-dir/proteccio_data_secret.yml
+  register: hsm_data_secret_file
+
+- name: Create HSM client data secret from file
+  when:
+    - barbican_hsm_enabled|default(false)
+    - hsm_data_secret_file.stat.exists|default(false)
+  ansible.builtin.command: oc apply -f /tmp/hsm-prep-working-dir/proteccio_data_secret.yml
+
+- name: Create empty HSM client data secret if file not found
+  when:
+    - barbican_hsm_enabled|default(false)
+    - not hsm_data_secret_file.stat.exists|default(true)
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    cat <<EOF | oc apply -f -
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ proteccio_client_data_secret_name | default('proteccio-data') }}
+      namespace: openstack
+    type: Opaque
+    EOF
+
 - name: deploy podified Barbican (standard)
   ansible.builtin.shell: |
     {{ shell_header }}
