Simply the way Proteccio is setup to be used with Barbican.

Addresses last comments.

Signed-off-by: Mauricio Harley <[email protected]>

Author: Mauricio Harley

tests/config.env.sample

@@ -1,25 +1,5 @@
-# Sample configuration file for HSM adoption automation
-# Copy this file to config.env and customize for your environment
+# Minimal environment configuration for HSM adoption
+# Copy this to config.env and modify as needed
 
-# Base directory for Proteccio adoption files
-# Default uses current user's home directory
-PROTECCIO_BASE_DIR="$HOME/adopt_proteccio"
-
-# Path to the Proteccio HSM Ansible role
-PROTECCIO_ROLES_DIR="$PROTECCIO_BASE_DIR/roles/ansible-role-rhoso-proteccio-hsm"
-
-# Directory containing Proteccio client certificates and configuration files
-PROTECCIO_FILES_DIR="$PROTECCIO_BASE_DIR/proteccio_files"
-
-# Ansible inventory file for the adoption
-INVENTORY_FILE="inventory.proteccio.yaml"
-
-# Ansible playbook file for the adoption
-PLAYBOOK_FILE="playbooks/barbican_hsm_adoption.yml"
-
-# Expected user account (user that should run the script)
-EXPECTED_USER="stack"
-
-# Additional Ansible variables (optional)
-# export ANSIBLE_HOST_KEY_CHECKING=False
-# export ANSIBLE_TIMEOUT=60
+# HSM Configuration
+BARBICAN_HSM_ENABLED=false

tests/hsm_vars/common.yml

@@ -1,29 +1,3 @@
 ---
-# Common HSM adoption variables (vendor-agnostic)
-# All values should be overridden by user-specific configurations
-
-enable_hsm_integration: true
-enable_phased_hsm_adoption: false
-
-# Target environment configuration (user must override)
-target_kubeconfig_path: "{{ user_kubeconfig_path | default('/home/user/.kube/config') }}"
-oc_binary_path: "{{ user_oc_path | default('/usr/local/bin') }}"
-target_namespace: "{{ user_target_namespace | default('openstack') }}"
-
-# Common HSM settings
-barbican_hsm_enabled: true
-barbican_default_secret_store: "{{ user_default_secret_store | default('pkcs11') }}"
-barbican_enabled_secret_stores: "{{ user_enabled_stores | default(['simple_crypto', 'pkcs11']) }}"
-
-# Custom image settings (must be set by user)
-use_custom_barbican_images: "{{ user_enable_custom_images | default(true) }}"
-barbican_dest_image_registry: "{{ user_image_registry | default('CHANGE_ME_REGISTRY') }}"
-barbican_dest_image_namespace: "{{ user_image_namespace | default('CHANGE_ME_NAMESPACE') }}"
-barbican_dest_image_tag: "{{ user_image_tag | default('CHANGE_ME_TAG') }}"
-
-# Adoption control
-create_adoption_summary: "{{ user_create_summary | default(true) }}"
-summary_output_path: "{{ user_summary_path | default('/tmp/barbican_hsm_adoption_summary.md') }}"
-
-# Internal API network (user configurable)
-internalapi_prefix: "{{ user_internal_api_prefix | default('172.17.0') }}"
+# Common HSM variables
+internalapi_prefix: "172.17.0"

tests/hsm_vars/proteccio.yml

@@ -1,40 +1,3 @@
 ---
-# Proteccio-specific HSM configuration
-# All values should be overridden by user-specific configurations
-
-hsm_vendor: "proteccio"
-
-# Proteccio HSM connection settings (user must configure)
-proteccio_hsm_tokens: "{{ user_proteccio_tokens | default(['CHANGE_ME_TOKEN']) }}"
-proteccio_mkek_name: "{{ user_proteccio_mkek | default('CHANGE_ME_MKEK') }}"
-proteccio_hmac_name: "{{ user_proteccio_hmac | default('CHANGE_ME_HMAC') }}"
-proteccio_library_path: "{{ user_proteccio_lib_path | default('/opt/tw_proteccio/lib/libnethsm.so') }}"
-proteccio_login_password: "{{ user_proteccio_password | default('CHANGE_ME_PASSWORD') }}"
-
-# Proteccio client configuration (user must provide)
-proteccio_client_iso: "{{ user_proteccio_iso | default('CHANGE_ME_ISO_FILENAME') }}"
-proteccio_config_file: "{{ user_proteccio_config | default('proteccio.rc') }}"
-
-# Proteccio secrets in target environment (user configurable)
-proteccio_login_secret: "{{ user_proteccio_login_secret | default('hsm-login') }}"
-proteccio_client_data_secret: "{{ user_proteccio_data_secret | default('proteccio-data') }}"
-proteccio_client_data_path: "{{ user_proteccio_data_path | default('/etc/proteccio') }}"
-
-# Proteccio custom images (user must configure)
-barbican_dest_image_namespace: "{{ user_image_namespace | default('CHANGE_ME_NAMESPACE') }}"
-barbican_dest_image_tag: "{{ user_image_tag | default('CHANGE_ME_TAG') }}"
-barbican_api_image_name: "{{ user_api_image_name | default('openstack-barbican-api') }}"
-barbican_worker_image_name: "{{ user_worker_image_name | default('openstack-barbican-worker') }}"
-
-# File paths (user must override with actual paths)
-proteccio_certs_path: "{{ user_proteccio_certs_path | default('CHANGE_ME_CERTS_PATH') }}"
-proteccio_config_path: "{{ user_proteccio_config_path | default('CHANGE_ME_CONFIG_PATH') }}"
-proteccio_iso_path: "{{ user_proteccio_iso_path | default('CHANGE_ME_ISO_PATH') }}"
-
-# Ansible role configuration (user configurable)
-proteccio_hsm_role_name: "{{ user_proteccio_role | default('ansible-role-rhoso-proteccio-hsm') }}"
-
-# Replica configuration (user configurable)
-barbican_api_replicas: "{{ user_api_replicas | default(2) }}"
-barbican_worker_replicas: "{{ user_worker_replicas | default(2) }}"
-barbican_keystone_listener_replicas: "{{ user_keystone_replicas | default(2) }}"
+# Minimal Proteccio HSM configuration
+barbican_hsm_enabled: true

tests/hsm_vars/user_config.yml.sample

@@ -1,15 +1,5 @@
 ---
-# Inventory for OpenStack Proteccio Adoption Role
-# Use this inventory for HSM-enabled barbican_adoption role
-# For standard dp-adopt framework, use inventory.yaml instead
-
 all:
   hosts:
     localhost:
-      ansible_connection: local
-      ansible_python_interpreter: "{{ ansible_playbook_python }}"
-
-  children:
-    adoption:
-      hosts:
-        localhost:
+      ansible_connection: local

tests/inventory.proteccio.yaml

@@ -1,69 +1,9 @@
 ---
-# Main playbook for Barbican adoption with HSM integration (vendor-agnostic)
-# OpenStack 17.1 to RHOSO 18 adoption
-
-- name: Barbican Adoption with HSM Integration
+- name: Barbican HSM Adoption
   hosts: localhost
   connection: local
-  gather_facts: true
-  become: false
-
-  vars: {}
-    # Override default variables here if needed
-    # source_undercloud_host: "your-undercloud-host"
-    # source_controller_host: "your-controller-host"
-    # target_namespace: "openstack"
-    # barbican_simple_crypto_kek: "your-custom-kek"
-
-  pre_tasks:
-    - name: Verify environment prerequisites
-      block:
-        - name: Check if running as correct user
-          ansible.builtin.fail:
-            msg: "This playbook should be run as the stack user"
-          when: ansible_user_id != "stack"
-
-        - name: Verify oc/oc access
-          ansible.builtin.command: oc cluster-info
-          register: cluster_check
-          failed_when: cluster_check.rc != 0
-
-        - name: Check OpenShift/Kubernetes cluster access
-          ansible.builtin.command: "oc get namespace {{ target_namespace | default('openstack') }}"
-          register: namespace_check
-          changed_when: false
-          failed_when: namespace_check.rc != 0
-
+  gather_facts: false
+  vars_files:
+    - hsm_vars/proteccio.yml
   roles:
-    - role: barbican_adoption
-      vars:
-        enable_hsm_integration: true
-        hsm_vendor: "{{ hsm_vendor | default('proteccio') }}"
-
-  post_tasks:
-    - name: Display completion summary
-      ansible.builtin.debug:
-        msg: |
-          ===============================================
-          ADOPTION COMPLETED SUCCESSFULLY!
-          ===============================================
-
-          Barbican adoption with HSM integration has been completed.
-
-          Key achievements:
-          - Database adopted with {{ adopted_secrets_count | default('N/A') }} secrets
-          - HSM-enabled custom images deployed
-          - HSM configuration applied
-          - API functionality verified
-
-          Check the generated summary file for detailed results.
-          ===============================================
-
-  handlers:
-    - name: Clean up temporary files
-      ansible.builtin.file:
-        path: "{{ item }}"
-        state: absent
-      loop:
-        - "{{ backup_dir }}/temp_*"
-      listen: "cleanup"
+    - barbican_adoption