Add minimal HSM support to barbican_adoption role

Extend the existing barbican_adoption role with minimal HSM support for Proteccio integration.

Fixes: OSPRH-18981

Signed-off-by: Mauricio Harley <mharley@redhat.com>

Author: Mauricio Harley

tests/config.env.sample

@@ -0,0 +1,5 @@
+# Minimal environment configuration for HSM adoption
+# Copy this to config.env and modify as needed
+
+# HSM Configuration
+BARBICAN_HSM_ENABLED=false

tests/hsm_vars/common.yml

@@ -0,0 +1,3 @@
+---
+# Common HSM variables
+internalapi_prefix: "172.17.0"

tests/hsm_vars/proteccio.yml

@@ -0,0 +1,3 @@
+---
+# Minimal Proteccio HSM configuration
+barbican_hsm_enabled: true

tests/inventory.proteccio.yaml

@@ -0,0 +1,5 @@
+---
+all:
+  hosts:
+    localhost:
+      ansible_connection: local

tests/playbooks/barbican_hsm_adoption.yml

@@ -0,0 +1,9 @@
+---
+- name: Barbican HSM Adoption
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  vars_files:
+    - hsm_vars/proteccio.yml
+  roles:
+    - barbican_adoption

tests/roles/barbican_adoption/defaults/main.yaml

@@ -1,4 +1,7 @@
 ---
+# HSM support flag
+barbican_hsm_enabled: false
+
 barbican_patch: |
   spec:
     barbican:
@@ -39,3 +42,50 @@ barbican_patch: |
         barbicanKeystoneListener:
           replicas: 1
 barbican_retry_delay: 5
+
+barbican_hsm_patch: |
+  spec:
+    barbican:
+      enabled: true
+      apiOverride:
+        route: {}
+      template:
+        databaseInstance: openstack
+        databaseAccount: barbican
+        rabbitMqClusterName: rabbitmq
+        secret: osp-secret
+        simpleCryptoBackendSecret: osp-secret
+        serviceAccount: barbican
+        serviceUser: barbican
+        passwordSelectors:
+          database: BarbicanDatabasePassword
+          service: BarbicanPassword
+          simplecryptokek: BarbicanSimpleCryptoKEK
+        customServiceConfig: |
+          [p11_crypto_plugin]
+          plugin_name = PKCS11
+          library_path = {{ proteccio_library_path | default('/opt/tw_proteccio/lib/libnethsm.so') }}
+          token_labels = {{ proteccio_hsm_tokens | default(['VHSM1']) | join(',') }}
+          mkek_label = {{ proteccio_mkek_name | default('adoption_mkek_1') }}
+          hmac_label = {{ proteccio_hmac_name | default('adoption_hmac_1') }}
+          encryption_mechanism = CKM_AES_CBC
+          hmac_key_type = CKK_GENERIC_SECRET
+          hmac_keygen_mechanism = CKM_GENERIC_SECRET_KEY_GEN
+          hmac_mechanism = CKM_SHA256_HMAC
+          key_wrap_mechanism = CKM_AES_CBC_PAD
+          key_wrap_generate_iv = true
+          always_set_cka_sensitive = true
+          os_locking_ok = false
+          login = {{ proteccio_login_password | default('') }}
+        globalDefaultSecretStore: pkcs11
+        enabledSecretStores: ["simple_crypto", "pkcs11"]
+        pkcs11:
+          loginSecret: hsm-login
+          clientDataSecret: proteccio-data
+          clientDataPath: /etc/proteccio
+        barbicanAPI:
+          replicas: 1
+        barbicanWorker:
+          replicas: 1
+        barbicanKeystoneListener:
+          replicas: 1

tests/roles/barbican_adoption/tasks/main.yaml

@@ -5,11 +5,19 @@
     CONTROLLER1_SSH="{{ controller1_ssh }}"
     oc set data secret/osp-secret "BarbicanSimpleCryptoKEK=$($CONTROLLER1_SSH "sudo python3 -c \"import configparser; c = configparser.ConfigParser(); c.read('/var/lib/config-data/puppet-generated/barbican/etc/barbican/barbican.conf'); print(c['simple_crypto_plugin']['kek'])\"")"
 
-- name: deploy podified Barbican
+- name: deploy podified Barbican (standard)
   ansible.builtin.shell: |
     {{ shell_header }}
     {{ oc_header }}
     oc patch openstackcontrolplane openstack --type=merge --patch '{{ barbican_patch }}'
+  when: not barbican_hsm_enabled|default(false)
+
+- name: deploy podified Barbican (HSM)
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc patch openstackcontrolplane openstack --type=merge --patch '{{ barbican_hsm_patch }}'
+  when: barbican_hsm_enabled|default(false)
 
 - name: wait for Barbican to start up
   ansible.builtin.shell: |

tests/roles/development_environment/tasks/main.yaml

@@ -54,6 +54,30 @@
         prelaunch_test_instance: "{{ prelaunch_test_instance }}"
         ping_test: "{{ ping_test }}"
 
+- name: Debug - Check if we're trying to create Barbican secret
+  ansible.builtin.debug:
+    msg:
+      - "prelaunch_test_instance: {{ prelaunch_test_instance|bool }}"
+      - "prelaunch_barbican_secret: {{ prelaunch_barbican_secret|default(false) }}"
+      - "Will attempt to create secret: {{ prelaunch_test_instance|bool and prelaunch_barbican_secret|default(false) }}"
+
+- name: Debug - Check Barbican endpoint on source cloud
+  no_log: "{{ use_no_log }}"
+  when: prelaunch_test_instance|bool and prelaunch_barbican_secret|default(false)
+  ansible.builtin.shell:
+    cmd: |
+      {{ shell_header }}
+      {{ openstack_command }} endpoint list --service key-manager -f json
+  register: barbican_endpoint_check
+  failed_when: false
+
+- name: Debug - Display Barbican endpoint status
+  when:
+    - prelaunch_test_instance|bool
+    - prelaunch_barbican_secret|default(false)
+  ansible.builtin.debug:
+    msg: "{{ 'Barbican endpoint found' if barbican_endpoint_check.rc == 0 else 'ERROR: No Barbican endpoint found on source cloud!' }}"
+
 - name: creates Barbican secret
   no_log: "{{ use_no_log }}"
   when: prelaunch_test_instance|bool and prelaunch_barbican_secret|default(false)