Add support for custom Barbican images and parameterized HSM secrets

tests/roles/backend_services/tasks/main.yaml

@@ -93,6 +93,32 @@
       args:
         chdir: "{{ dpa_tests_dir }}/config"
 
+- name: Get OpenStackVersion resource name for custom Barbican images
+  when: >-
+    (barbican_custom_api_image is defined and barbican_custom_api_image) or
+    (barbican_custom_worker_image is defined and barbican_custom_worker_image)
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc get openstackversions -o jsonpath='{.items[0].metadata.name}'
+  register: openstack_version_name
+  changed_when: false
+  failed_when: openstack_version_name.stdout == ""
+
+- name: Patch OpenStackVersion with custom Barbican images
+  when: >-
+    (barbican_custom_api_image is defined and barbican_custom_api_image) or
+    (barbican_custom_worker_image is defined and barbican_custom_worker_image)
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    {% if barbican_custom_api_image is defined and barbican_custom_api_image %}
+    oc patch openstackversion {{ openstack_version_name.stdout }} --type=merge -p '{"spec":{"customContainerImages":{"barbicanAPIImage":"{{ barbican_custom_api_image }}"}}}'
+    {% endif %}
+    {% if barbican_custom_worker_image is defined and barbican_custom_worker_image %}
+    oc patch openstackversion {{ openstack_version_name.stdout }} --type=merge -p '{"spec":{"customContainerImages":{"barbicanWorkerImage":"{{ barbican_custom_worker_image }}"}}}'
+    {% endif %}
+
 - name: execute alternative tasks when source env is ODPdO
   ansible.builtin.include_tasks: ospdo_backend_services.yaml
   when: ospdo_src| bool

tests/roles/barbican_adoption/defaults/main.yaml

@@ -1,4 +1,7 @@
 ---
+# HSM support flag
+barbican_hsm_enabled: false
+
 barbican_patch: |
   spec:
     barbican:
@@ -39,3 +42,55 @@ barbican_patch: |
         barbicanKeystoneListener:
           replicas: 1
 barbican_retry_delay: 5
+
+barbican_hsm_patch: |
+  spec:
+    barbican:
+      enabled: true
+      apiOverride:
+        route: {}
+      template:
+        databaseInstance: openstack
+        databaseAccount: barbican
+        rabbitMqClusterName: rabbitmq
+        secret: osp-secret
+        simpleCryptoBackendSecret: osp-secret
+        serviceAccount: barbican
+        serviceUser: barbican
+        passwordSelectors:
+          database: BarbicanDatabasePassword
+          service: BarbicanPassword
+          simplecryptokek: BarbicanSimpleCryptoKEK
+        customServiceConfig: |
+          [p11_crypto_plugin]
+          plugin_name = PKCS11
+          library_path = {{ proteccio_library_path | default('/opt/tw_proteccio/lib/libnethsm.so') }}
+          token_labels = {{ proteccio_hsm_tokens | default(['VHSM1']) | join(',') }}
+          mkek_label = {{ proteccio_mkek_name | default('adoption_mkek_1') }}
+          hmac_label = {{ proteccio_hmac_name | default('adoption_hmac_1') }}
+          encryption_mechanism = CKM_AES_CBC
+          hmac_key_type = CKK_GENERIC_SECRET
+          hmac_keygen_mechanism = CKM_GENERIC_SECRET_KEY_GEN
+          hmac_mechanism = CKM_SHA256_HMAC
+          key_wrap_mechanism = CKM_AES_CBC_PAD
+          key_wrap_generate_iv = true
+          always_set_cka_sensitive = true
+          os_locking_ok = false
+          login = {{ proteccio_login_password | default('') }}
+        globalDefaultSecretStore: pkcs11
+        enabledSecretStores: ["simple_crypto", "pkcs11"]
+        pkcs11:
+          loginSecret: {{ proteccio_login_secret_name | default('hsm-login') }}
+          clientDataSecret: {{ proteccio_client_data_secret_name | default('proteccio-data') }}
+          clientDataPath: /etc/proteccio
+        barbicanAPI:
+          replicas: 1
+        barbicanWorker:
+          replicas: 1
+        barbicanKeystoneListener:
+          replicas: 1
+
+# HSM secrets configuration
+proteccio_login_secret_name: hsm-login
+proteccio_client_data_secret_name: proteccio-data
+proteccio_login_password: ''

tests/roles/barbican_adoption/tasks/main.yaml

@@ -5,11 +5,63 @@
     CONTROLLER1_SSH="{{ controller1_ssh }}"
     oc set data secret/osp-secret "BarbicanSimpleCryptoKEK=$($CONTROLLER1_SSH "sudo python3 -c \"import configparser; c = configparser.ConfigParser(); c.read('/var/lib/config-data/puppet-generated/barbican/etc/barbican/barbican.conf'); print(c['simple_crypto_plugin']['kek'])\"")"
 
-- name: deploy podified Barbican
+- name: Create HSM login secret for Barbican
+  when: barbican_hsm_enabled|default(false)
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    cat <<EOF | oc apply -f -
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ proteccio_login_secret_name | default('hsm-login') }}
+      namespace: openstack
+    type: Opaque
+    stringData:
+      PKCS11Pin: "{{ proteccio_login_password | default('') }}"
+    EOF
+
+- name: Check if HSM client data files exist
+  when: barbican_hsm_enabled|default(false)
+  ansible.builtin.stat:
+    path: /tmp/hsm-prep-working-dir/proteccio_data_secret.yml
+  register: hsm_data_secret_file
+
+- name: Create HSM client data secret from file
+  when:
+    - barbican_hsm_enabled|default(false)
+    - hsm_data_secret_file.stat.exists|default(false)
+  ansible.builtin.command: oc apply -f /tmp/hsm-prep-working-dir/proteccio_data_secret.yml
+
+- name: Create empty HSM client data secret if file not found
+  when:
+    - barbican_hsm_enabled|default(false)
+    - not hsm_data_secret_file.stat.exists|default(true)
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    cat <<EOF | oc apply -f -
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ proteccio_client_data_secret_name | default('proteccio-data') }}
+      namespace: openstack
+    type: Opaque
+    EOF
+
+- name: deploy podified Barbican (standard)
   ansible.builtin.shell: |
     {{ shell_header }}
     {{ oc_header }}
     oc patch openstackcontrolplane openstack --type=merge --patch '{{ barbican_patch }}'
+  when: not barbican_hsm_enabled|default(false)
+
+- name: deploy podified Barbican (HSM)
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc patch openstackcontrolplane openstack --type=merge --patch '{{ barbican_hsm_patch }}'
+  when: barbican_hsm_enabled|default(false)
 
 - name: wait for Barbican to start up
   ansible.builtin.shell: |