Simply the way Proteccio is setup to be used with Barbican.

Addresses last comments.

Signed-off-by: Mauricio Harley <[email protected]>

Author: Mauricio Harley

tests/config.env.sample

@@ -1,25 +1,5 @@
-# Sample configuration file for HSM adoption automation
-# Copy this file to config.env and customize for your environment
+# Minimal environment configuration for HSM adoption
+# Copy this to config.env and modify as needed
 
-# Base directory for Proteccio adoption files
-# Default uses current user's home directory
-PROTECCIO_BASE_DIR="$HOME/adopt_proteccio"
-
-# Path to the Proteccio HSM Ansible role
-PROTECCIO_ROLES_DIR="$PROTECCIO_BASE_DIR/roles/ansible-role-rhoso-proteccio-hsm"
-
-# Directory containing Proteccio client certificates and configuration files
-PROTECCIO_FILES_DIR="$PROTECCIO_BASE_DIR/proteccio_files"
-
-# Ansible inventory file for the adoption
-INVENTORY_FILE="inventory.proteccio.yaml"
-
-# Ansible playbook file for the adoption
-PLAYBOOK_FILE="playbooks/barbican_hsm_adoption.yml"
-
-# Expected user account (user that should run the script)
-EXPECTED_USER="stack"
-
-# Additional Ansible variables (optional)
-# export ANSIBLE_HOST_KEY_CHECKING=False
-# export ANSIBLE_TIMEOUT=60
+# HSM Configuration
+BARBICAN_HSM_ENABLED=false

tests/hsm_vars/common.yml

@@ -1,29 +1,3 @@
 ---
-# Common HSM adoption variables (vendor-agnostic)
-# All values should be overridden by user-specific configurations
-
-enable_hsm_integration: true
-enable_phased_hsm_adoption: false
-
-# Target environment configuration (user must override)
-target_kubeconfig_path: "{{ user_kubeconfig_path | default('/home/user/.kube/config') }}"
-oc_binary_path: "{{ user_oc_path | default('/usr/local/bin') }}"
-target_namespace: "{{ user_target_namespace | default('openstack') }}"
-
-# Common HSM settings
-barbican_hsm_enabled: true
-barbican_default_secret_store: "{{ user_default_secret_store | default('pkcs11') }}"
-barbican_enabled_secret_stores: "{{ user_enabled_stores | default(['simple_crypto', 'pkcs11']) }}"
-
-# Custom image settings (must be set by user)
-use_custom_barbican_images: "{{ user_enable_custom_images | default(true) }}"
-barbican_dest_image_registry: "{{ user_image_registry | default('CHANGE_ME_REGISTRY') }}"
-barbican_dest_image_namespace: "{{ user_image_namespace | default('CHANGE_ME_NAMESPACE') }}"
-barbican_dest_image_tag: "{{ user_image_tag | default('CHANGE_ME_TAG') }}"
-
-# Adoption control
-create_adoption_summary: "{{ user_create_summary | default(true) }}"
-summary_output_path: "{{ user_summary_path | default('/tmp/barbican_hsm_adoption_summary.md') }}"
-
-# Internal API network (user configurable)
-internalapi_prefix: "{{ user_internal_api_prefix | default('172.17.0') }}"
+# Common HSM variables
+internalapi_prefix: "172.17.0"

tests/hsm_vars/proteccio.yml

@@ -1,40 +1,3 @@
 ---
-# Proteccio-specific HSM configuration
-# All values should be overridden by user-specific configurations
-
-hsm_vendor: "proteccio"
-
-# Proteccio HSM connection settings (user must configure)
-proteccio_hsm_tokens: "{{ user_proteccio_tokens | default(['CHANGE_ME_TOKEN']) }}"
-proteccio_mkek_name: "{{ user_proteccio_mkek | default('CHANGE_ME_MKEK') }}"
-proteccio_hmac_name: "{{ user_proteccio_hmac | default('CHANGE_ME_HMAC') }}"
-proteccio_library_path: "{{ user_proteccio_lib_path | default('/opt/tw_proteccio/lib/libnethsm.so') }}"
-proteccio_login_password: "{{ user_proteccio_password | default('CHANGE_ME_PASSWORD') }}"
-
-# Proteccio client configuration (user must provide)
-proteccio_client_iso: "{{ user_proteccio_iso | default('CHANGE_ME_ISO_FILENAME') }}"
-proteccio_config_file: "{{ user_proteccio_config | default('proteccio.rc') }}"
-
-# Proteccio secrets in target environment (user configurable)
-proteccio_login_secret: "{{ user_proteccio_login_secret | default('hsm-login') }}"
-proteccio_client_data_secret: "{{ user_proteccio_data_secret | default('proteccio-data') }}"
-proteccio_client_data_path: "{{ user_proteccio_data_path | default('/etc/proteccio') }}"
-
-# Proteccio custom images (user must configure)
-barbican_dest_image_namespace: "{{ user_image_namespace | default('CHANGE_ME_NAMESPACE') }}"
-barbican_dest_image_tag: "{{ user_image_tag | default('CHANGE_ME_TAG') }}"
-barbican_api_image_name: "{{ user_api_image_name | default('openstack-barbican-api') }}"
-barbican_worker_image_name: "{{ user_worker_image_name | default('openstack-barbican-worker') }}"
-
-# File paths (user must override with actual paths)
-proteccio_certs_path: "{{ user_proteccio_certs_path | default('CHANGE_ME_CERTS_PATH') }}"
-proteccio_config_path: "{{ user_proteccio_config_path | default('CHANGE_ME_CONFIG_PATH') }}"
-proteccio_iso_path: "{{ user_proteccio_iso_path | default('CHANGE_ME_ISO_PATH') }}"
-
-# Ansible role configuration (user configurable)
-proteccio_hsm_role_name: "{{ user_proteccio_role | default('ansible-role-rhoso-proteccio-hsm') }}"
-
-# Replica configuration (user configurable)
-barbican_api_replicas: "{{ user_api_replicas | default(2) }}"
-barbican_worker_replicas: "{{ user_worker_replicas | default(2) }}"
-barbican_keystone_listener_replicas: "{{ user_keystone_replicas | default(2) }}"
+# Minimal Proteccio HSM configuration
+barbican_hsm_enabled: true

tests/inventory.proteccio.yaml

@@ -1,15 +1,5 @@
 ---
-# Inventory for OpenStack Proteccio Adoption Role
-# Use this inventory for HSM-enabled barbican_adoption role
-# For standard dp-adopt framework, use inventory.yaml instead
-
 all:
   hosts:
     localhost:
-      ansible_connection: local
-      ansible_python_interpreter: "{{ ansible_playbook_python }}"
-
-  children:
-    adoption:
-      hosts:
-        localhost:
+      ansible_connection: local

tests/playbooks/barbican_hsm_adoption.yml

@@ -1,69 +1,9 @@
 ---
-# Main playbook for Barbican adoption with HSM integration (vendor-agnostic)
-# OpenStack 17.1 to RHOSO 18 adoption
-
-- name: Barbican Adoption with HSM Integration
+- name: Barbican HSM Adoption
   hosts: localhost
   connection: local
-  gather_facts: true
-  become: false
-
-  vars: {}
-    # Override default variables here if needed
-    # source_undercloud_host: "your-undercloud-host"
-    # source_controller_host: "your-controller-host"
-    # target_namespace: "openstack"
-    # barbican_simple_crypto_kek: "your-custom-kek"
-
-  pre_tasks:
-    - name: Verify environment prerequisites
-      block:
-        - name: Check if running as correct user
-          ansible.builtin.fail:
-            msg: "This playbook should be run as the stack user"
-          when: ansible_user_id != "stack"
-
-        - name: Verify oc/oc access
-          ansible.builtin.command: oc cluster-info
-          register: cluster_check
-          failed_when: cluster_check.rc != 0
-
-        - name: Check OpenShift/Kubernetes cluster access
-          ansible.builtin.command: "oc get namespace {{ target_namespace | default('openstack') }}"
-          register: namespace_check
-          changed_when: false
-          failed_when: namespace_check.rc != 0
-
+  gather_facts: false
+  vars_files:
+    - hsm_vars/proteccio.yml
   roles:
-    - role: barbican_adoption
-      vars:
-        enable_hsm_integration: true
-        hsm_vendor: "{{ hsm_vendor | default('proteccio') }}"
-
-  post_tasks:
-    - name: Display completion summary
-      ansible.builtin.debug:
-        msg: |
-          ===============================================
-          ADOPTION COMPLETED SUCCESSFULLY!
-          ===============================================
-
-          Barbican adoption with HSM integration has been completed.
-
-          Key achievements:
-          - Database adopted with {{ adopted_secrets_count | default('N/A') }} secrets
-          - HSM-enabled custom images deployed
-          - HSM configuration applied
-          - API functionality verified
-
-          Check the generated summary file for detailed results.
-          ===============================================
-
-  handlers:
-    - name: Clean up temporary files
-      ansible.builtin.file:
-        path: "{{ item }}"
-        state: absent
-      loop:
-        - "{{ backup_dir }}/temp_*"
-      listen: "cleanup"
+    - barbican_adoption

tests/playbooks/hsm/setup_proteccio_hsm.yml

@@ -1,7 +1,10 @@
 ---
 # Proteccio HSM Infrastructure Setup (Fully Parameterized)
 - name: Setup Proteccio HSM Infrastructure
-  block:
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  tasks:
     - name: Validate all required variables are set
       ansible.builtin.fail:
         msg: |

tests/roles/barbican_adoption/defaults/main.yaml

@@ -1,29 +1,8 @@
 ---
-# HSM Integration Control (set to false for standard adoption)
-barbican_hsm_enabled: "{{ enable_hsm_integration | default(false) }}"
+# Minimal HSM support - single boolean flag
+barbican_hsm_enabled: false
 
-# Detection helper - set automatically based on source environment
-barbican_detected_hsm: false
-
-# Multi-phase adoption control for HSM environments
-barbican_use_phased_approach: "{{ enable_phased_hsm_adoption | default(false) }}"
-
-# HSM vendor override (can be set externally)
-hsm_vendor_override: "{{ hsm_vendor | default('') }}"
-
-# Vendor-specific detection patterns
-hsm_vendor_indicators:
-  proteccio:
-    library_path: "/opt/tw_proteccio/lib/libnethsm.so"
-    config_pattern: "proteccio.rc"
-  luna:
-    library_path: "/usr/lib/libCryptoki2_64.so"
-    config_pattern: "crystoki.ini"
-  ncipher:
-    library_path: "/opt/nfast/toolkits/pkcs11/libcknfast.so"
-    config_pattern: "cknfastrc"
-
-# Standard Barbican patch (enhanced to support conditional HSM)
+# Standard Barbican patch
 barbican_patch: |
   spec:
     barbican:
@@ -42,22 +21,36 @@ barbican_patch: |
           database: BarbicanDatabasePassword
           service: BarbicanPassword
           simplecryptokek: BarbicanSimpleCryptoKEK
-        {% if barbican_hsm_enabled %}
-        # HSM-specific configuration when enabled
-        customServiceConfig: |
-          [DEFAULT]
-          debug = {{ barbican_debug | default('False') }}
-
-          [simple_crypto_plugin]
-          kek = {{ barbican_simple_crypto_kek | default('') }}
+      barbicanAPI:
+        replicas: 1
+        override:
+          service:
+            internal:
+              metadata:
+                annotations:
+                  metallb.universe.tf/address-pool: internalapi
+                  metallb.universe.tf/allow-shared-ip: internalapi
+                  metallb.universe.tf/loadBalancerIPs: {{ internalapi_prefix | default('172.17.0') }}.80
+              spec:
+                type: LoadBalancer
+      barbicanWorker:
+        replicas: 1
+      barbicanKeystoneListener:
+        replicas: 1
 
-          {% if barbican_detected_hsm %}
+# Minimal HSM patch for Proteccio
+barbican_hsm_patch: |
+  spec:
+    barbican:
+      enabled: true
+      template:
+        customServiceConfig: |
           [p11_crypto_plugin]
           plugin_name = PKCS11
           library_path = {{ proteccio_library_path | default('/opt/tw_proteccio/lib/libnethsm.so') }}
-          token_labels = {{ proteccio_token_labels | default(['VHSM1']) | join(',') }}
-          mkek_label = {{ proteccio_mkek_label | default('adoption_mkek_1') }}
-          hmac_label = {{ proteccio_hmac_label | default('adoption_hmac_1') }}
+          token_labels = {{ proteccio_hsm_tokens | default(['VHSM1']) | join(',') }}
+          mkek_label = {{ proteccio_mkek_name | default('adoption_mkek_1') }}
+          hmac_label = {{ proteccio_hmac_name | default('adoption_hmac_1') }}
           encryption_mechanism = CKM_AES_CBC
           hmac_key_type = CKK_GENERIC_SECRET
           hmac_keygen_mechanism = CKM_GENERIC_SECRET_KEY_GEN
@@ -67,38 +60,9 @@ barbican_patch: |
           always_set_cka_sensitive = true
           os_locking_ok = false
           login = {{ proteccio_login_password | default('') }}
-          {% endif %}
-        globalDefaultSecretStore: {{ barbican_default_secret_store | default('pkcs11' if barbican_detected_hsm else 'simple_crypto') }}
-        enabledSecretStores:
-          - simple_crypto
-          {% if barbican_detected_hsm %}
-          - pkcs11
-          {% endif %}
-        {% if barbican_detected_hsm %}
+        globalDefaultSecretStore: pkcs11
+        enabledSecretStores: ["simple_crypto", "pkcs11"]
         pkcs11:
-          loginSecret: {{ proteccio_login_secret | default('hsm-login') }}
-          clientDataSecret: {{ proteccio_client_data_secret | default('proteccio-data') }}
-          clientDataPath: {{ proteccio_client_data_path | default('/etc/proteccio') }}
-        {% endif %}
-        {% endif %}
-        barbicanAPI:
-          replicas: {{ barbican_api_replicas | default(1) }}
-          override:
-            service:
-              internal:
-                metadata:
-                  annotations:
-                    metallb.universe.tf/address-pool: internalapi
-                    metallb.universe.tf/allow-shared-ip: internalapi
-                    {% if ipv6_enabled | default(false) -%}
-                    metallb.universe.tf/loadBalancerIPs: {{ internalapi_prefix_ipv6 | default('2620:cf:cf:bbbb') }}::50
-                    {%- else -%}
-                    metallb.universe.tf/loadBalancerIPs: {{ internalapi_prefix | default('172.17.0') }}.80
-                    {%- endif %}
-
-                spec:
-                  type: LoadBalancer
-        barbicanWorker:
-          replicas: {{ barbican_worker_replicas | default(1) }}
-        barbicanKeystoneListener:
-          replicas: {{ barbican_keystone_listener_replicas | default(1) }}
+          loginSecret: hsm-login
+          clientDataSecret: proteccio-data
+          clientDataPath: /etc/proteccio