Add Barbican adoption framework for Proteccio HSM environments

Mauricio Harley · Mauricio Harley · commit 728898586b87 · 2025-09-29T13:41:24.000Z
Implement a comprehensive adoption framework for migrating Barbican service from OpenStack 17.1 to RHOSO 18 while preserving Proteccio Hardware Security Module (HSM) integration.

This PR introduces extends the Barbican adoption role and supporting infrastructure for environments that use Proteccio HSM with Barbican key management service. The standard data-plane-adoption framework does not support HSM backends, making this specialized approach necessary to preserve HSM integration and access to existing secrets.

Fixes: OSPRH-18981

Signed-off-by: Mauricio Harley &lt;mharley@redhat.com&gt;
diff --git a/tests/config.env.sample b/tests/config.env.sample
@@ -0,0 +1,25 @@
+# Sample configuration file for HSM adoption automation
+# Copy this file to config.env and customize for your environment
+
+# Base directory for Proteccio adoption files
+# Default uses current user's home directory
+PROTECCIO_BASE_DIR="$HOME/adopt_proteccio"
+
+# Path to the Proteccio HSM Ansible role
+PROTECCIO_ROLES_DIR="$PROTECCIO_BASE_DIR/roles/ansible-role-rhoso-proteccio-hsm"
+
+# Directory containing Proteccio client certificates and configuration files
+PROTECCIO_FILES_DIR="$PROTECCIO_BASE_DIR/proteccio_files"
+
+# Ansible inventory file for the adoption
+INVENTORY_FILE="inventory.proteccio.yaml"
+
+# Ansible playbook file for the adoption
+PLAYBOOK_FILE="playbooks/barbican_hsm_adoption.yml"
+
+# Expected user account (user that should run the script)
+EXPECTED_USER="stack"
+
+# Additional Ansible variables (optional)
+# export ANSIBLE_HOST_KEY_CHECKING=False
+# export ANSIBLE_TIMEOUT=60
diff --git a/tests/hsm_vars/common.yml b/tests/hsm_vars/common.yml
@@ -0,0 +1,29 @@
+---
+# Common HSM adoption variables (vendor-agnostic)
+# All values should be overridden by user-specific configurations
+
+enable_hsm_integration: true
+enable_phased_hsm_adoption: false
+
+# Target environment configuration (user must override)
+target_kubeconfig_path: "{{ user_kubeconfig_path | default('/home/user/.kube/config') }}"
+oc_binary_path: "{{ user_oc_path | default('/usr/local/bin') }}"
+target_namespace: "{{ user_target_namespace | default('openstack') }}"
+
+# Common HSM settings
+barbican_hsm_enabled: true
+barbican_default_secret_store: "{{ user_default_secret_store | default('pkcs11') }}"
+barbican_enabled_secret_stores: "{{ user_enabled_stores | default(['simple_crypto', 'pkcs11']) }}"
+
+# Custom image settings (must be set by user)
+use_custom_barbican_images: "{{ user_enable_custom_images | default(true) }}"
+barbican_dest_image_registry: "{{ user_image_registry | default('CHANGE_ME_REGISTRY') }}"
+barbican_dest_image_namespace: "{{ user_image_namespace | default('CHANGE_ME_NAMESPACE') }}"
+barbican_dest_image_tag: "{{ user_image_tag | default('CHANGE_ME_TAG') }}"
+
+# Adoption control
+create_adoption_summary: "{{ user_create_summary | default(true) }}"
+summary_output_path: "{{ user_summary_path | default('/tmp/barbican_hsm_adoption_summary.md') }}"
+
+# Internal API network (user configurable)
+internalapi_prefix: "{{ user_internal_api_prefix | default('172.17.0') }}"
diff --git a/tests/hsm_vars/proteccio.yml b/tests/hsm_vars/proteccio.yml
@@ -0,0 +1,40 @@
+---
+# Proteccio-specific HSM configuration
+# All values should be overridden by user-specific configurations
+
+hsm_vendor: "proteccio"
+
+# Proteccio HSM connection settings (user must configure)
+proteccio_hsm_tokens: "{{ user_proteccio_tokens | default(['CHANGE_ME_TOKEN']) }}"
+proteccio_mkek_name: "{{ user_proteccio_mkek | default('CHANGE_ME_MKEK') }}"
+proteccio_hmac_name: "{{ user_proteccio_hmac | default('CHANGE_ME_HMAC') }}"
+proteccio_library_path: "{{ user_proteccio_lib_path | default('/opt/tw_proteccio/lib/libnethsm.so') }}"
+proteccio_login_password: "{{ user_proteccio_password | default('CHANGE_ME_PASSWORD') }}"
+
+# Proteccio client configuration (user must provide)
+proteccio_client_iso: "{{ user_proteccio_iso | default('CHANGE_ME_ISO_FILENAME') }}"
+proteccio_config_file: "{{ user_proteccio_config | default('proteccio.rc') }}"
+
+# Proteccio secrets in target environment (user configurable)
+proteccio_login_secret: "{{ user_proteccio_login_secret | default('hsm-login') }}"
+proteccio_client_data_secret: "{{ user_proteccio_data_secret | default('proteccio-data') }}"
+proteccio_client_data_path: "{{ user_proteccio_data_path | default('/etc/proteccio') }}"
+
+# Proteccio custom images (user must configure)
+barbican_dest_image_namespace: "{{ user_image_namespace | default('CHANGE_ME_NAMESPACE') }}"
+barbican_dest_image_tag: "{{ user_image_tag | default('CHANGE_ME_TAG') }}"
+barbican_api_image_name: "{{ user_api_image_name | default('openstack-barbican-api') }}"
+barbican_worker_image_name: "{{ user_worker_image_name | default('openstack-barbican-worker') }}"
+
+# File paths (user must override with actual paths)
+proteccio_certs_path: "{{ user_proteccio_certs_path | default('CHANGE_ME_CERTS_PATH') }}"
+proteccio_config_path: "{{ user_proteccio_config_path | default('CHANGE_ME_CONFIG_PATH') }}"
+proteccio_iso_path: "{{ user_proteccio_iso_path | default('CHANGE_ME_ISO_PATH') }}"
+
+# Ansible role configuration (user configurable)
+proteccio_hsm_role_name: "{{ user_proteccio_role | default('ansible-role-rhoso-proteccio-hsm') }}"
+
+# Replica configuration (user configurable)
+barbican_api_replicas: "{{ user_api_replicas | default(2) }}"
+barbican_worker_replicas: "{{ user_worker_replicas | default(2) }}"
+barbican_keystone_listener_replicas: "{{ user_keystone_replicas | default(2) }}"
diff --git a/tests/hsm_vars/user_config.yml.sample b/tests/hsm_vars/user_config.yml.sample
@@ -0,0 +1,67 @@
+---
+# User Configuration Template for HSM Adoption
+# Copy this file to user_config.yml and customize all values
+#
+# IMPORTANT: Replace ALL values marked with CHANGE_ME_*
+
+# ============================================
+# ENVIRONMENT CONFIGURATION
+# ============================================
+user_kubeconfig_path: "CHANGE_ME_KUBECONFIG_PATH"  # e.g., "/home/user/.kube/config"
+user_oc_path: "CHANGE_ME_OC_PATH"                  # e.g., "/usr/local/bin"
+user_target_namespace: "CHANGE_ME_NAMESPACE"       # e.g., "openstack"
+user_internal_api_prefix: "CHANGE_ME_API_PREFIX"   # e.g., "172.17.0"
+
+# ============================================
+# CONTAINER REGISTRY CONFIGURATION
+# ============================================
+user_image_registry: "CHANGE_ME_REGISTRY"          # e.g., "quay.io" or "registry.example.com"
+user_image_namespace: "CHANGE_ME_NAMESPACE"        # e.g., "your_org/barbican"
+user_image_tag: "CHANGE_ME_TAG"                    # e.g., "latest-proteccio"
+user_api_image_name: "CHANGE_ME_API_IMAGE"         # e.g., "openstack-barbican-api"
+user_worker_image_name: "CHANGE_ME_WORKER_IMAGE"   # e.g., "openstack-barbican-worker"
+
+# ============================================
+# PROTECCIO HSM CONFIGURATION
+# ============================================
+user_proteccio_tokens: "CHANGE_ME_TOKEN_LIST"      # e.g., ["TOKEN1", "TOKEN2"]
+user_proteccio_mkek: "CHANGE_ME_MKEK_LABEL"        # e.g., "my_mkek_label"
+user_proteccio_hmac: "CHANGE_ME_HMAC_LABEL"        # e.g., "my_hmac_label"
+user_proteccio_password: "CHANGE_ME_HSM_PASSWORD"  # Your HSM login password
+user_proteccio_lib_path: "CHANGE_ME_LIB_PATH"      # e.g., "/opt/tw_proteccio/lib/libnethsm.so"
+
+# ============================================
+# PROTECCIO FILE PATHS
+# ============================================
+user_proteccio_certs_path: "CHANGE_ME_CERTS_PATH"  # e.g., "/opt/proteccio/certs"
+user_proteccio_config_path: "CHANGE_ME_CONFIG_PATH" # e.g., "/opt/proteccio"
+user_proteccio_iso_path: "CHANGE_ME_ISO_PATH"      # e.g., "/opt/proteccio"
+user_proteccio_iso: "CHANGE_ME_ISO_FILENAME"       # e.g., "Proteccio3.06.05.iso"
+user_proteccio_config: "CHANGE_ME_CONFIG_FILE"     # e.g., "proteccio.rc"
+
+# ============================================
+# KUBERNETES SECRETS
+# ============================================
+user_proteccio_login_secret: "CHANGE_ME_LOGIN_SECRET"    # e.g., "hsm-login"
+user_proteccio_data_secret: "CHANGE_ME_DATA_SECRET"      # e.g., "proteccio-data"
+user_proteccio_data_path: "CHANGE_ME_DATA_PATH"          # e.g., "/etc/proteccio"
+
+# ============================================
+# SERVICE CONFIGURATION
+# ============================================
+user_api_replicas: "CHANGE_ME_API_REPLICAS"        # e.g., 2
+user_worker_replicas: "CHANGE_ME_WORKER_REPLICAS"  # e.g., 2
+user_keystone_replicas: "CHANGE_ME_KS_REPLICAS"    # e.g., 2
+user_default_secret_store: "CHANGE_ME_DEFAULT_STORE" # e.g., "pkcs11"
+user_enabled_stores: "CHANGE_ME_ENABLED_STORES"    # e.g., ["simple_crypto", "pkcs11"]
+
+# ============================================
+# ANSIBLE ROLE CONFIGURATION
+# ============================================
+user_proteccio_role: "CHANGE_ME_ROLE_NAME"         # e.g., "ansible-role-rhoso-proteccio-hsm"
+
+# ============================================
+# OUTPUT CONFIGURATION
+# ============================================
+user_create_summary: "CHANGE_ME_CREATE_SUMMARY"    # e.g., true
+user_summary_path: "CHANGE_ME_SUMMARY_PATH"        # e.g., "/tmp/adoption_summary.md"
diff --git a/tests/inventory.proteccio.yaml b/tests/inventory.proteccio.yaml
@@ -0,0 +1,15 @@
+---
+# Inventory for OpenStack Proteccio Adoption Role
+# Use this inventory for HSM-enabled barbican_adoption role
+# For standard dp-adopt framework, use inventory.yaml instead
+
+all:
+  hosts:
+    localhost:
+      ansible_connection: local
+      ansible_python_interpreter: "{{ ansible_playbook_python }}"
+
+  children:
+    adoption:
+      hosts:
+        localhost:
diff --git a/tests/my_vars.yaml.sample b/tests/my_vars.yaml.sample
@@ -0,0 +1,10 @@
+# Sample source environment connection variables
+# Configure these variables for HSM-enabled Barbican adoption
+# Copy this file to my_vars.yaml and customize for your environment
+
+UC_HOST: "YOUR_UNDERCLOUD_HOSTNAME"
+CTRL_HOST: "YOUR_CONTROLLER_HOSTNAME.ctlplane"
+controller1_ssh: "sudo ssh -t YOUR_UNDERCLOUD_HOSTNAME 'sudo -u stack ssh -t tripleo-admin@YOUR_CONTROLLER_HOSTNAME.ctlplane bash -lc'"
+undercloud_ssh: "sudo ssh -t YOUR_UNDERCLOUD_HOSTNAME 'sudo -u stack bash -lc'"
+tripleo_passwords:
+  default: "/path/to/your/overcloud-passwords.yaml"
diff --git a/tests/playbooks/barbican_hsm_adoption.yml b/tests/playbooks/barbican_hsm_adoption.yml
@@ -0,0 +1,69 @@
+---
+# Main playbook for Barbican adoption with HSM integration (vendor-agnostic)
+# OpenStack 17.1 to RHOSO 18 adoption
+
+- name: Barbican Adoption with HSM Integration
+  hosts: localhost
+  connection: local
+  gather_facts: true
+  become: false
+
+  vars: {}
+    # Override default variables here if needed
+    # source_undercloud_host: "your-undercloud-host"
+    # source_controller_host: "your-controller-host"
+    # target_namespace: "openstack"
+    # barbican_simple_crypto_kek: "your-custom-kek"
+
+  pre_tasks:
+    - name: Verify environment prerequisites
+      block:
+        - name: Check if running as correct user
+          ansible.builtin.fail:
+            msg: "This playbook should be run as the stack user"
+          when: ansible_user_id != "stack"
+
+        - name: Verify oc/oc access
+          ansible.builtin.command: oc cluster-info
+          register: cluster_check
+          failed_when: cluster_check.rc != 0
+
+        - name: Check OpenShift/Kubernetes cluster access
+          ansible.builtin.command: "oc get namespace {{ target_namespace | default('openstack') }}"
+          register: namespace_check
+          changed_when: false
+          failed_when: namespace_check.rc != 0
+
+  roles:
+    - role: barbican_adoption
+      vars:
+        enable_hsm_integration: true
+        hsm_vendor: "{{ hsm_vendor | default('proteccio') }}"
+
+  post_tasks:
+    - name: Display completion summary
+      ansible.builtin.debug:
+        msg: |
+          ===============================================
+          ADOPTION COMPLETED SUCCESSFULLY!
+          ===============================================
+
+          Barbican adoption with HSM integration has been completed.
+
+          Key achievements:
+          - Database adopted with {{ adopted_secrets_count | default('N/A') }} secrets
+          - HSM-enabled custom images deployed
+          - HSM configuration applied
+          - API functionality verified
+
+          Check the generated summary file for detailed results.
+          ===============================================
+
+  handlers:
+    - name: Clean up temporary files
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: absent
+      loop:
+        - "{{ backup_dir }}/temp_*"
+      listen: "cleanup"
diff --git a/tests/playbooks/hsm/hsm_adoption.yml b/tests/playbooks/hsm/hsm_adoption.yml
@@ -0,0 +1,54 @@
+---
+# Universal HSM Adoption Coordinator
+# Works with any scenario by loading vendor-specific variables
+
+- name: HSM-Enabled Barbican Adoption
+  hosts: localhost
+  gather_facts: true
+
+  vars_files:
+    - "../../hsm_vars/common.yml"
+    - "../../hsm_vars/{{ hsm_vendor }}.yml"
+
+  pre_tasks:
+    - name: Validate HSM vendor specified
+      ansible.builtin.fail:
+        msg: "HSM vendor must be specified via -e hsm_vendor=<vendor>"
+      when: hsm_vendor is not defined
+
+    - name: Validate supported HSM vendor
+      ansible.builtin.fail:
+        msg: "Unsupported HSM vendor: {{ hsm_vendor }}. Supported: proteccio, luna, ncipher"
+      when: hsm_vendor not in ['proteccio', 'luna', 'ncipher']
+
+    - name: Display HSM adoption configuration
+      ansible.builtin.debug:
+        msg: |
+          ==========================================
+          HSM-ENABLED BARBICAN ADOPTION
+          ==========================================
+          Vendor: {{ hsm_vendor }}
+          Scenario: {{ scenario_name | default('default') }}
+          Target Namespace: {{ target_namespace }}
+          Custom Images: {{ use_custom_barbican_images }}
+          ==========================================
+
+  tasks:
+    - name: Setup HSM infrastructure
+      ansible.builtin.include_tasks: "setup_{{ hsm_vendor }}_hsm.yml"
+
+    - name: Execute HSM-aware Barbican adoption
+      ansible.builtin.include_role:
+        name: barbican_adoption
+      vars:
+        # Pass HSM variables to the role
+        enable_hsm_integration: "{{ enable_hsm_integration }}"
+        hsm_vendor_override: "{{ hsm_vendor }}"
+
+  post_tasks:
+    - name: Generate HSM adoption summary
+      ansible.builtin.template:
+        src: "../../roles/barbican_adoption/templates/hsm_adoption_summary.md.j2"
+        dest: "{{ summary_output_path }}"
+        mode: "0644"
+      when: create_adoption_summary | default(true)
diff --git a/tests/playbooks/hsm/setup_proteccio_hsm.yml b/tests/playbooks/hsm/setup_proteccio_hsm.yml
@@ -0,0 +1,81 @@
+---
+# Proteccio HSM Infrastructure Setup (Fully Parameterized)
+- name: Setup Proteccio HSM Infrastructure
+  block:
+    - name: Validate all required variables are set
+      ansible.builtin.fail:
+        msg: |
+          Required variable {{ item }} contains placeholder value.
+          Please set all variables in user_config.yml before running.
+      when: vars[item] is match("CHANGE_ME_.*")
+      loop:
+        - proteccio_certs_path
+        - proteccio_config_path
+        - proteccio_iso_path
+        - proteccio_client_iso
+        - proteccio_login_password
+        - barbican_dest_image_registry
+        - barbican_dest_image_namespace
+        - barbican_dest_image_tag
+
+    - name: Validate Proteccio prerequisites exist
+      ansible.builtin.stat:
+        path: "{{ proteccio_iso_path }}/{{ proteccio_client_iso }}"
+      register: proteccio_iso_check
+
+    - name: Fail if Proteccio ISO not found
+      ansible.builtin.fail:
+        msg: |
+          Proteccio client ISO not found: {{ proteccio_iso_path }}/{{ proteccio_client_iso }}
+          Please verify the path in user_config.yml
+      when: not proteccio_iso_check.stat.exists
+
+    - name: Create Proteccio-enabled Barbican images
+      ansible.builtin.include_role:
+        name: "{{ proteccio_hsm_role_name }}"
+        tasks_from: create_image
+      vars:
+        proteccio_password: "{{ proteccio_login_password }}"
+        kubeconfig_path: "{{ target_kubeconfig_path }}"
+        oc_dir: "{{ oc_binary_path }}"
+        proteccio_client_crt_src: "file://{{ proteccio_certs_path }}/client.crt"
+        proteccio_client_key_src: "file://{{ proteccio_certs_path }}/client.key"
+        proteccio_server_crt_src: ["file://{{ proteccio_certs_path }}/server.crt"]
+        proteccio_conf_src: "file://{{ proteccio_config_path }}/{{ proteccio_config_file }}"
+        proteccio_client_src: "file://{{ proteccio_iso_path }}/{{ proteccio_client_iso }}"
+        barbican_dest_image_registry: "{{ barbican_dest_image_registry }}"
+        barbican_dest_image_namespace: "{{ barbican_dest_image_namespace }}"
+        barbican_dest_image_tag: "{{ barbican_dest_image_tag }}"
+        barbican_dest_api_image_name: "{{ barbican_api_image_name }}"
+        barbican_dest_worker_image_name: "{{ barbican_worker_image_name }}"
+
+    - name: Create HSM secrets in target environment
+      ansible.builtin.include_role:
+        name: "{{ proteccio_hsm_role_name }}"
+        tasks_from: create_secrets
+      vars:
+        proteccio_password: "{{ proteccio_login_password }}"
+        kubeconfig_path: "{{ target_kubeconfig_path }}"
+        oc_dir: "{{ oc_binary_path }}"
+        proteccio_client_crt_src: "file://{{ proteccio_certs_path }}/client.crt"
+        proteccio_client_key_src: "file://{{ proteccio_certs_path }}/client.key"
+        proteccio_server_crt_src: ["file://{{ proteccio_certs_path }}/server.crt"]
+        proteccio_conf_src: "file://{{ proteccio_config_path }}/{{ proteccio_config_file }}"
+        proteccio_data_secret: "{{ proteccio_client_data_secret }}"
+        proteccio_data_secret_namespace: "{{ target_namespace }}"
+        login_secret: "{{ proteccio_login_secret }}"
+
+    - name: Apply custom Barbican images to control plane
+      ansible.builtin.shell: |
+        export KUBECONFIG="{{ target_kubeconfig_path }}"
+        oc apply -f - <<EOF
+        apiVersion: core.openstack.org/v1beta1
+        kind: OpenStackVersion
+        metadata:
+          name: openstack
+          namespace: {{ target_namespace }}
+        spec:
+          customContainerImages:
+            barbicanAPIImage: {{ barbican_dest_image_registry }}/{{ barbican_dest_image_namespace }}/{{ barbican_api_image_name }}:{{ barbican_dest_image_tag }}
+            barbicanWorkerImage: {{ barbican_dest_image_registry }}/{{ barbican_dest_image_namespace }}/{{ barbican_worker_image_name }}:{{ barbican_dest_image_tag }}
+        EOF
diff --git a/tests/roles/barbican_adoption/defaults/main.yaml b/tests/roles/barbican_adoption/defaults/main.yaml
diff --git a/tests/roles/barbican_adoption/tasks/main.yaml b/tests/roles/barbican_adoption/tasks/main.yaml
diff --git a/tests/roles/barbican_adoption/templates/barbican_proteccio_patch.yaml.j2 b/tests/roles/barbican_adoption/templates/barbican_proteccio_patch.yaml.j2
diff --git a/tests/roles/barbican_adoption/templates/hsm_adoption_summary.md.j2 b/tests/roles/barbican_adoption/templates/hsm_adoption_summary.md.j2
