From 4df42928defd5a8bb2b4607016f0a22adcc98444 Mon Sep 17 00:00:00 2001 From: Mauricio Harley Date: Thu, 2 Oct 2025 09:41:05 +0000 Subject: [PATCH 1/3] Add minimal HSM support to barbican_adoption role Extend the existing barbican_adoption role with minimal HSM support for Proteccio integration. Fixes: OSPRH-18981 Signed-off-by: Mauricio Harley --- tests/config.env.sample | 5 ++ tests/hsm_vars/common.yml | 3 ++ tests/hsm_vars/proteccio.yml | 3 ++ tests/inventory.proteccio.yaml | 5 ++ tests/playbooks/barbican_hsm_adoption.yml | 9 ++++ .../barbican_adoption/defaults/main.yaml | 50 +++++++++++++++++++ tests/roles/barbican_adoption/tasks/main.yaml | 10 +++- .../development_environment/tasks/main.yaml | 24 +++++++++ 8 files changed, 108 insertions(+), 1 deletion(-) create mode 100644 tests/config.env.sample create mode 100644 tests/hsm_vars/common.yml create mode 100644 tests/hsm_vars/proteccio.yml create mode 100644 tests/inventory.proteccio.yaml create mode 100644 tests/playbooks/barbican_hsm_adoption.yml diff --git a/tests/config.env.sample b/tests/config.env.sample new file mode 100644 index 000000000..5efb30fd6 --- /dev/null +++ b/tests/config.env.sample @@ -0,0 +1,5 @@ +# Minimal environment configuration for HSM adoption +# Copy this to config.env and modify as needed + +# HSM Configuration +BARBICAN_HSM_ENABLED=false diff --git a/tests/hsm_vars/common.yml b/tests/hsm_vars/common.yml new file mode 100644 index 000000000..c497a1435 --- /dev/null +++ b/tests/hsm_vars/common.yml @@ -0,0 +1,3 @@ +--- +# Common HSM variables +internalapi_prefix: "172.17.0" diff --git a/tests/hsm_vars/proteccio.yml b/tests/hsm_vars/proteccio.yml new file mode 100644 index 000000000..0c8608d0b --- /dev/null +++ b/tests/hsm_vars/proteccio.yml @@ -0,0 +1,3 @@ +--- +# Minimal Proteccio HSM configuration +barbican_hsm_enabled: true diff --git a/tests/inventory.proteccio.yaml b/tests/inventory.proteccio.yaml new file mode 100644 index 000000000..384040625 --- /dev/null 
+++ b/tests/inventory.proteccio.yaml @@ -0,0 +1,5 @@ +--- +all: + hosts: + localhost: + ansible_connection: local diff --git a/tests/playbooks/barbican_hsm_adoption.yml b/tests/playbooks/barbican_hsm_adoption.yml new file mode 100644 index 000000000..a332b2d00 --- /dev/null +++ b/tests/playbooks/barbican_hsm_adoption.yml @@ -0,0 +1,9 @@ +--- +- name: Barbican HSM Adoption + hosts: localhost + connection: local + gather_facts: false + vars_files: + - hsm_vars/proteccio.yml + roles: + - barbican_adoption diff --git a/tests/roles/barbican_adoption/defaults/main.yaml b/tests/roles/barbican_adoption/defaults/main.yaml index 86af5f32e..7ebcecbc8 100644 --- a/tests/roles/barbican_adoption/defaults/main.yaml +++ b/tests/roles/barbican_adoption/defaults/main.yaml @@ -1,4 +1,7 @@ --- +# HSM support flag +barbican_hsm_enabled: false + barbican_patch: | spec: barbican: 
@@ -39,3 +42,50 @@ barbican_patch: | barbicanKeystoneListener: replicas: 1 barbican_retry_delay: 5 + +barbican_hsm_patch: | + spec: + barbican: + enabled: true + apiOverride: + route: {} + template: + databaseInstance: openstack + databaseAccount: barbican + rabbitMqClusterName: rabbitmq + secret: osp-secret + simpleCryptoBackendSecret: osp-secret + serviceAccount: barbican + serviceUser: barbican + passwordSelectors: + database: BarbicanDatabasePassword + service: BarbicanPassword + simplecryptokek: BarbicanSimpleCryptoKEK + customServiceConfig: | + [p11_crypto_plugin] + plugin_name = PKCS11 + library_path = {{ proteccio_library_path | default('/opt/tw_proteccio/lib/libnethsm.so') }} + token_labels = {{ proteccio_hsm_tokens | default(['VHSM1']) | join(',') }} + mkek_label = {{ proteccio_mkek_name | default('adoption_mkek_1') }} + hmac_label = {{ proteccio_hmac_name | default('adoption_hmac_1') }} + encryption_mechanism = CKM_AES_CBC + hmac_key_type = CKK_GENERIC_SECRET + hmac_keygen_mechanism = CKM_GENERIC_SECRET_KEY_GEN + hmac_mechanism = CKM_SHA256_HMAC + key_wrap_mechanism = CKM_AES_CBC_PAD + key_wrap_generate_iv = true + always_set_cka_sensitive = true + os_locking_ok = false + login = {{ proteccio_login_password | default('') }} + globalDefaultSecretStore: pkcs11 + enabledSecretStores: ["simple_crypto", "pkcs11"] + pkcs11: + loginSecret: hsm-login + clientDataSecret: proteccio-data + clientDataPath: /etc/proteccio + barbicanAPI: + replicas: 1 + barbicanWorker: + replicas: 1 + barbicanKeystoneListener: + replicas: 1 diff --git a/tests/roles/barbican_adoption/tasks/main.yaml b/tests/roles/barbican_adoption/tasks/main.yaml index 7a2fa0194..7c2595b76 100644 --- a/tests/roles/barbican_adoption/tasks/main.yaml +++ b/tests/roles/barbican_adoption/tasks/main.yaml 
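Review bot: The `login = {{ proteccio_login_password | default('') }}` line inside `customServiceConfig` writes the HSM login PIN in clear text into the OpenStackControlPlane spec, where anyone who can `oc get` the CR can read it, and it also lands in the `cmd` result of the `oc patch` task that applies it (tasks/main.yaml hunk in this patch, which sets no `no_log`, so it is printed on failure or with `-v`). The same stanza already points `pkcs11.loginSecret` at a Kubernetes Secret, which is the intended channel for the login; if the operator derives `login` from that Secret, as I read the field (worth confirming against barbican-operator), the `login =` line is redundant and should be dropped, and otherwise the applying task at least needs `no_log: true`. The hunk also repeats every database, rabbit, secret and replica key of `barbican_patch`; one patch whose `pkcs11` block is rendered under `{% if barbican_hsm_enabled | default(false) | bool %}` would keep the two from drifting. PATCH 2 later edits this block but leaves the `login =` line in place.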
@@ -5,11 +5,19 @@ CONTROLLER1_SSH="{{ controller1_ssh }}" oc set data secret/osp-secret "BarbicanSimpleCryptoKEK=$($CONTROLLER1_SSH "sudo python3 -c \"import configparser; c = configparser.ConfigParser(); c.read('/var/lib/config-data/puppet-generated/barbican/etc/barbican/barbican.conf'); print(c['simple_crypto_plugin']['kek'])\"")" -- name: deploy podified Barbican +- name: deploy podified Barbican (standard) ansible.builtin.shell: | {{ shell_header }} {{ oc_header }} oc patch openstackcontrolplane openstack --type=merge --patch '{{ barbican_patch }}' + when: not barbican_hsm_enabled|default(false) + +- name: deploy podified Barbican (HSM) + ansible.builtin.shell: | + {{ shell_header }} + {{ oc_header }} + oc patch openstackcontrolplane openstack --type=merge --patch '{{ barbican_hsm_patch }}' + when: barbican_hsm_enabled|default(false) - name: wait for Barbican to start up ansible.builtin.shell: | diff --git a/tests/roles/development_environment/tasks/main.yaml b/tests/roles/development_environment/tasks/main.yaml index a7b8f2d45..fa8d55033 100644 --- a/tests/roles/development_environment/tasks/main.yaml +++ b/tests/roles/development_environment/tasks/main.yaml 
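Review bot: Both new `when:` conditions test `barbican_hsm_enabled|default(false)` without `| bool`, so a value passed as a string (`-e barbican_hsm_enabled=false`) is a non-empty string, which is truthy in the conditional: the HSM task would run and the standard one would be skipped. Use `when: barbican_hsm_enabled | default(false) | bool` and `when: not (barbican_hsm_enabled | default(false) | bool)`, matching the `prelaunch_test_instance|bool` pattern used elsewhere in this repository. The command also wraps `{{ barbican_hsm_patch }}` in shell single quotes, so any `'` in a templated value (the templated `login =` line is the obvious candidate) breaks the command; feeding the patch through `--patch-file` or stdin avoids that. The `oc set data secret/osp-secret` context line at the top belongs to a task whose start is outside the hunk.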
@@ -55,6 +55,30 @@ prelaunch_test_instance: "{{ prelaunch_test_instance }}" ping_test: "{{ ping_test }}" +- name: Debug - Check if we're trying to create Barbican secret + ansible.builtin.debug: + msg: + - "prelaunch_test_instance: {{ prelaunch_test_instance|bool }}" + - "prelaunch_barbican_secret: {{ prelaunch_barbican_secret|default(false) }}" + - "Will attempt to create secret: {{ prelaunch_test_instance|bool and prelaunch_barbican_secret|default(false) }}" + +- name: Debug - Check Barbican endpoint on source cloud + no_log: "{{ use_no_log }}" + when: prelaunch_test_instance|bool and prelaunch_barbican_secret|default(false) + ansible.builtin.shell: + cmd: | + {{ shell_header }} + {{ openstack_command }} endpoint list --service key-manager -f json + register: barbican_endpoint_check + failed_when: false + +- name: Debug - Display Barbican endpoint status + when: + - prelaunch_test_instance|bool + - prelaunch_barbican_secret|default(false) + ansible.builtin.debug: + msg: "{{ 'Barbican endpoint found' if barbican_endpoint_check.rc == 0 else 'ERROR: No Barbican endpoint found on source cloud!' }}" + - name: creates Barbican secret no_log: "{{ use_no_log }}" when: prelaunch_test_instance|bool and prelaunch_barbican_secret|default(false) From d5d288337724922dfe2ca193cea2baac669ff9a6 Mon Sep 17 00:00:00 2001 From: Mauricio Harley Date: Mon, 15 Dec 2025 22:39:05 +0000 Subject: [PATCH 2/3] Add support for custom Barbican images and parameterized HSM secrets This change adds support for: - Custom Barbican API and Worker container images via barbican_custom_api_image and barbican_custom_worker_image variables - Parameterized HSM secret names via proteccio_login_secret_name and proteccio_client_data_secret_name variables This enables adoption scenarios where Barbican requires custom images with HSM client libraries (e.g., Proteccio) installed. 
Signed-off-by: Mauricio Harley --- tests/roles/backend_services/tasks/main.yaml | 26 +++++++++++ .../barbican_adoption/defaults/main.yaml | 9 +++- tests/roles/barbican_adoption/tasks/main.yaml | 44 +++++++++++++++++++ 3 files changed, 77 insertions(+), 2 deletions(-) diff --git a/tests/roles/backend_services/tasks/main.yaml b/tests/roles/backend_services/tasks/main.yaml index c196c12e2..a6540e1fa 100644 --- a/tests/roles/backend_services/tasks/main.yaml +++ b/tests/roles/backend_services/tasks/main.yaml 
@@ -93,6 +93,32 @@ args: chdir: "{{ dpa_tests_dir }}/config" +- name: Get OpenStackVersion resource name for custom Barbican images + when: >- + (barbican_custom_api_image is defined and barbican_custom_api_image) or + (barbican_custom_worker_image is defined and barbican_custom_worker_image) + ansible.builtin.shell: | + {{ shell_header }} + {{ oc_header }} + oc get openstackversions -o jsonpath='{.items[0].metadata.name}' + register: openstack_version_name + changed_when: false + failed_when: openstack_version_name.stdout == "" + +- name: Patch OpenStackVersion with custom Barbican images + when: >- + (barbican_custom_api_image is defined and barbican_custom_api_image) or + (barbican_custom_worker_image is defined and barbican_custom_worker_image) + ansible.builtin.shell: | + {{ shell_header }} + {{ oc_header }} + {% if barbican_custom_api_image is defined and barbican_custom_api_image %} + oc patch openstackversion {{ openstack_version_name.stdout }} --type=merge -p '{"spec":{"customContainerImages":{"barbicanAPIImage":"{{ barbican_custom_api_image }}"}}}' + {% endif %} + {% if barbican_custom_worker_image is defined and barbican_custom_worker_image %} + oc patch openstackversion {{ openstack_version_name.stdout }} --type=merge -p '{"spec":{"customContainerImages":{"barbicanWorkerImage":"{{ barbican_custom_worker_image }}"}}}' + {% endif %} + - name: execute alternative tasks when source env is ODPdO ansible.builtin.include_tasks: ospdo_backend_services.yaml when: ospdo_src| bool diff --git a/tests/roles/barbican_adoption/defaults/main.yaml b/tests/roles/barbican_adoption/defaults/main.yaml index 7ebcecbc8..36cf64d40 100644 --- a/tests/roles/barbican_adoption/defaults/main.yaml +++ b/tests/roles/barbican_adoption/defaults/main.yaml 
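Review bot: `oc get openstackversions -o jsonpath='{.items[0].metadata.name}'` silently takes the first OpenStackVersion in the namespace, so with more than one control plane the image override can land on the wrong resource; the rest of these roles patch the control plane by name (`openstackcontrolplane openstack`) and, as far as I know, the OpenStackVersion is created with the same name, so selecting it by that name (`oc get openstackversion openstack -o name`) or filtering the jsonpath on it would be safer. The two `oc patch` calls can be one call setting both keys, which removes the duplicated `{% if %}` logic, and the image references are spliced raw into a single-quoted JSON literal, so a value containing `'` or `"` breaks the command — building the patch as a dict and passing it via `--patch-file` or stdin is the usual fix. The two identical multi-line `when:` clauses read better as `when: (barbican_custom_api_image | default('')) or (barbican_custom_worker_image | default(''))`. Since these images replace the operator-managed ones, a comment in the role defaults recommending digest-pinned references (`image@sha256:...`) would make the override reproducible.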
@@ -80,8 +80,8 @@ barbican_hsm_patch: | globalDefaultSecretStore: pkcs11 enabledSecretStores: ["simple_crypto", "pkcs11"] pkcs11: - loginSecret: hsm-login - clientDataSecret: proteccio-data + loginSecret: {{ proteccio_login_secret_name | default('hsm-login') }} + clientDataSecret: {{ proteccio_client_data_secret_name | default('proteccio-data') }} clientDataPath: /etc/proteccio barbicanAPI: replicas: 1 @@ -89,3 +89,8 @@ barbican_hsm_patch: | replicas: 1 barbicanKeystoneListener: replicas: 1 + +# HSM secrets configuration +proteccio_login_secret_name: hsm-login +proteccio_client_data_secret_name: proteccio-data +proteccio_login_password: '' diff --git a/tests/roles/barbican_adoption/tasks/main.yaml b/tests/roles/barbican_adoption/tasks/main.yaml index 7c2595b76..d224a00a2 100644 --- a/tests/roles/barbican_adoption/tasks/main.yaml +++ b/tests/roles/barbican_adoption/tasks/main.yaml @@ -5,6 +5,50 @@ CONTROLLER1_SSH="{{ controller1_ssh }}" oc set data secret/osp-secret "BarbicanSimpleCryptoKEK=$($CONTROLLER1_SSH "sudo python3 -c \"import configparser; c = configparser.ConfigParser(); c.read('/var/lib/config-data/puppet-generated/barbican/etc/barbican/barbican.conf'); print(c['simple_crypto_plugin']['kek'])\"")" +- name: Create HSM login secret for Barbican + when: barbican_hsm_enabled|default(false) + ansible.builtin.shell: | + {{ shell_header }} + {{ oc_header }} + cat < Date: Mon, 12 Jan 2026 11:34:03 +0000 Subject: [PATCH 3/3] Addressing reviewer's comment This commit addresses some comments by a reviewer on an analogous PR (https://github.com/openstack-k8s-operators/data-plane-adoption/pull/1059#pullrequestreview-3529482592). 
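Review bot: With `proteccio_login_secret_name` and `proteccio_client_data_secret_name` now declared in this same defaults file (second hunk), the `| default('hsm-login')` and `| default('proteccio-data')` filters on `loginSecret` and `clientDataSecret` can never fire and give each default a second home to drift from; `loginSecret: {{ proteccio_login_secret_name }}` and `clientDataSecret: {{ proteccio_client_data_secret_name }}` are enough. The templated names are rendered unquoted into the YAML that `oc patch` parses, so quoting them (`loginSecret: "{{ proteccio_login_secret_name }}"`) guards against a name that YAML would retype. `barbican_hsm_patch` starts and ends outside this hunk.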
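Review bot: `proteccio_login_password: ''` gives the HSM login a silent empty default in role defaults, so a run that forgets to supply it proceeds, renders the empty value into the CR through the `login =` line of `barbican_hsm_patch`, and only fails when Barbican tries to log in to the HSM. A credential should not have a default here: leave it undefined and fail early in the tasks file with `ansible.builtin.assert: { that: "proteccio_login_password | default('') | length > 0" }` under `when: barbican_hsm_enabled | default(false) | bool`, and say in a comment that the value is expected from an Ansible Vault file or `-e`, not from this file. A one-line comment above the two secret-name keys noting that they must match the Secrets referenced by the `pkcs11` stanza would also help the next reader.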
Signed-off-by: Mauricio Harley --- tests/config.env.sample | 5 ---- tests/hsm_vars/common.yml | 3 --- tests/hsm_vars/proteccio.yml | 3 --- tests/inventory.proteccio.yaml | 5 ---- tests/playbooks/barbican_hsm_adoption.yml | 9 ------- .../development_environment/tasks/main.yaml | 24 ------------------- 6 files changed, 49 deletions(-) delete mode 100644 tests/config.env.sample delete mode 100644 tests/hsm_vars/common.yml delete mode 100644 tests/hsm_vars/proteccio.yml delete mode 100644 tests/inventory.proteccio.yaml delete mode 100644 tests/playbooks/barbican_hsm_adoption.yml diff --git a/tests/config.env.sample b/tests/config.env.sample deleted file mode 100644 index 5efb30fd6..000000000 --- a/tests/config.env.sample +++ /dev/null @@ -1,5 +0,0 @@ -# Minimal environment configuration for HSM adoption -# Copy this to config.env and modify as needed - -# HSM Configuration -BARBICAN_HSM_ENABLED=false diff --git a/tests/hsm_vars/common.yml b/tests/hsm_vars/common.yml deleted file mode 100644 index c497a1435..000000000 --- a/tests/hsm_vars/common.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -# Common HSM variables -internalapi_prefix: "172.17.0" diff --git a/tests/hsm_vars/proteccio.yml b/tests/hsm_vars/proteccio.yml deleted file mode 100644 index 0c8608d0b..000000000 --- a/tests/hsm_vars/proteccio.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -# Minimal Proteccio HSM configuration -barbican_hsm_enabled: true diff --git a/tests/inventory.proteccio.yaml b/tests/inventory.proteccio.yaml deleted file mode 100644 index 384040625..000000000 --- a/tests/inventory.proteccio.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -all: - hosts: - localhost: - ansible_connection: local diff --git a/tests/playbooks/barbican_hsm_adoption.yml b/tests/playbooks/barbican_hsm_adoption.yml deleted file mode 100644 index a332b2d00..000000000 --- a/tests/playbooks/barbican_hsm_adoption.yml +++ /dev/null 
@@ -1,9 +0,0 @@ ---- -- name: Barbican HSM Adoption - hosts: localhost - connection: local - gather_facts: false - vars_files: - - hsm_vars/proteccio.yml - roles: - - barbican_adoption diff --git a/tests/roles/development_environment/tasks/main.yaml b/tests/roles/development_environment/tasks/main.yaml index fa8d55033..a7b8f2d45 100644 --- a/tests/roles/development_environment/tasks/main.yaml +++ b/tests/roles/development_environment/tasks/main.yaml @@ -55,30 +55,6 @@ prelaunch_test_instance: "{{ prelaunch_test_instance }}" ping_test: "{{ ping_test }}" -- name: Debug - Check if we're trying to create Barbican secret - ansible.builtin.debug: - msg: - - "prelaunch_test_instance: {{ prelaunch_test_instance|bool }}" - - "prelaunch_barbican_secret: {{ prelaunch_barbican_secret|default(false) }}" - - "Will attempt to create secret: {{ prelaunch_test_instance|bool and prelaunch_barbican_secret|default(false) }}" - -- name: Debug - Check Barbican endpoint on source cloud - no_log: "{{ use_no_log }}" - when: prelaunch_test_instance|bool and prelaunch_barbican_secret|default(false) - ansible.builtin.shell: - cmd: | - {{ shell_header }} - {{ openstack_command }} endpoint list --service key-manager -f json - register: barbican_endpoint_check - failed_when: false - -- name: Debug - Display Barbican endpoint status - when: - - prelaunch_test_instance|bool - - prelaunch_barbican_secret|default(false) - ansible.builtin.debug: - msg: "{{ 'Barbican endpoint found' if barbican_endpoint_check.rc == 0 else 'ERROR: No Barbican endpoint found on source cloud!' }}" - - name: creates Barbican secret no_log: "{{ use_no_log }}" when: prelaunch_test_instance|bool and prelaunch_barbican_secret|default(false)