Add support for custom Barbican images and parameterized HSM secrets

This change adds support for:
- Custom Barbican API and Worker container images via
  barbican_custom_api_image and barbican_custom_worker_image variables
- Parameterized HSM secret names via proteccio_login_secret_name and
  proteccio_client_data_secret_name variables

This enables adoption scenarios where Barbican requires custom images
with HSM client libraries (e.g., Proteccio) installed.

Signed-off-by: Mauricio Harley <mharley@redhat.com>

Author: Mauricio Harley

tests/roles/backend_services/tasks/main.yaml

@@ -93,6 +93,32 @@
       args:
         chdir: "{{ dpa_tests_dir }}/config"
 
+- name: Get OpenStackVersion resource name for custom Barbican images
+  when: >-
+    (barbican_custom_api_image is defined and barbican_custom_api_image) or
+    (barbican_custom_worker_image is defined and barbican_custom_worker_image)
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc get openstackversions -o jsonpath='{.items[0].metadata.name}'
+  register: openstack_version_name
+  changed_when: false
+  failed_when: openstack_version_name.stdout == ""
+
+- name: Patch OpenStackVersion with custom Barbican images
+  when: >-
+    (barbican_custom_api_image is defined and barbican_custom_api_image) or
+    (barbican_custom_worker_image is defined and barbican_custom_worker_image)
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    {% if barbican_custom_api_image is defined and barbican_custom_api_image %}
+    oc patch openstackversion {{ openstack_version_name.stdout }} --type=merge -p '{"spec":{"customContainerImages":{"barbicanAPIImage":"{{ barbican_custom_api_image }}"}}}'
+    {% endif %}
+    {% if barbican_custom_worker_image is defined and barbican_custom_worker_image %}
+    oc patch openstackversion {{ openstack_version_name.stdout }} --type=merge -p '{"spec":{"customContainerImages":{"barbicanWorkerImage":"{{ barbican_custom_worker_image }}"}}}'
+    {% endif %}
+
 - name: execute alternative tasks when source env is ODPdO
   ansible.builtin.include_tasks: ospdo_backend_services.yaml
   when: ospdo_src| bool

tests/roles/barbican_adoption/defaults/main.yaml

@@ -80,8 +80,8 @@ barbican_hsm_patch: |
         globalDefaultSecretStore: pkcs11
         enabledSecretStores: ["simple_crypto", "pkcs11"]
         pkcs11:
-          loginSecret: hsm-login
-          clientDataSecret: proteccio-data
+          loginSecret: {{ proteccio_login_secret_name | default('hsm-login') }}
+          clientDataSecret: {{ proteccio_client_data_secret_name | default('proteccio-data') }}
           clientDataPath: /etc/proteccio
         barbicanAPI:
           replicas: 1