From f3d39d2ace3be494ad622545dd0af34571c52290 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Tue, 22 Oct 2024 14:36:13 -0400
Subject: [PATCH] Add playbook to configure lunasa access for barbican

This playbook will check out an ansible role that creates modified barbican images and creates the relevant secrets needed. In addition, the playbook modifies the control plane CR to include the required config to barbican. You need to call the update-containers role to be able to use the updated barbican images.
---
 docs/dictionary/en-custom.txt | 6 ++
 hooks/playbooks/barbican-enable-luna.yml | 78 +++++++++++++++++++
 roles/update_containers/defaults/main.yml | 1 +
 .../templates/update_containers.j2 | 4 +-
 4 files changed, 87 insertions(+), 2 deletions(-)
 create mode 100644 hooks/playbooks/barbican-enable-luna.yml
diff --git a/docs/dictionary/en-custom.txt b/docs/dictionary/en-custom.txt
index 38d65a19fd..ffc84cdd77 100644
--- a/docs/dictionary/en-custom.txt
+++ b/docs/dictionary/en-custom.txt
@@ -25,6 +25,7 @@ az
 azs
 backend
 backends
+barbican
 baremetal
 baremetalhost
 basedir
@@ -45,6 +46,7 @@ bootmacaddress
 bootmode
 buildah
 buildpkgs
+cacert
 cacheable
 cci
 ccitredhat
@@ -203,6 +205,8 @@ hostnames
 hostvars
 hotfix
 href
+hsm
+hsms
 https
 ic
 icjbuue
@@ -300,6 +304,7 @@ mellanox
 metallb
 metalsmith
 mgmt
+minclient
 mins
 minsizegigabytes
 mlnx
@@ -392,6 +397,7 @@ params
 passwd
 passwordless
 pastebin
+pem
 pkgs
 pki
 png
diff --git a/hooks/playbooks/barbican-enable-luna.yml b/hooks/playbooks/barbican-enable-luna.yml
new file mode 100644
index 0000000000..9d14a3ce4c
--- /dev/null
+++ b/hooks/playbooks/barbican-enable-luna.yml
@@ -0,0 +1,78 @@ +--- +- name: Create modified barbican image and get secrets + hosts: "{{ cifmw_target_hook_host | default('localhost') }}" + tasks: + - name: Check out the role git repo + ansible.builtin.git: + dest: "./rhoso_luna_hsm" + repo: "https://github.com/openstack-k8s-operators/ansible-role-rhoso-luna-hsm.git" + version: main + + - name: Create and upload the new barbican images + ansible.builtin.include_role: + name: rhoso_luna_hsm + tasks_from: create_image.yml + vars: + barbican_src_image_registry: "{{ content_provider_registry_ip }}:5001" + barbican_src_image_namespace: "{{ cifmw_set_openstack_containers_namespace }}" + barbican_src_image_tag: "{{ cifmw_update_extras['cifmw_set_openstack_containers_tag'] }}" + barbican_dest_image_registry: "{{ content_provider_registry_ip }}:5001" + barbican_dest_image_namespace: "{{ cifmw_set_openstack_containers_namespace }}" + barbican_dest_image_tag: "{{ cifmw_update_extras['cifmw_set_openstack_containers_tag'] }}{{ cifmw_update_barbican_custom_tag }}" + luna_minclient_src: "{{ cifmw_hsm_luna_minclient_src }}" + luna_binaries_src: "{{ cifmw_hsm_luna_binaries_src }}" + + - name: Create secrets with the HSM certs and hsm-login credentials + ansible.builtin.include_role: + name: rhoso_luna_hsm + tasks_from: create_secrets.yml + vars: + client_ip: "{{ cifmw_hsm_client_ip }}" + luna_server_cert_src: "{{ cifmw_hsm_luna_server_cert_src }}" + luna_client_cert_src: "{{ cifmw_hsm_luna_client_cert_src }}" + partition_password: "{{ cifmw_hsm_partition_password }}" + kubeconfig_path: "{{ cifmw_openshift_kubeconfig }}" + oc_path: "{{ cifmw_path }}" + luna_cert_secret: "{{ cifmw_hsm_luna_cert_secret | default('barbican-luna-certs', true) }}" + login_secret: "{{ cifmw_hsm_login_secret | default('hsm-login', true) }}" + +- name: Create kustomization to use update barbican to use luna + hosts: "{{ cifmw_target_hook_host | default('localhost') }}" + tasks: + - name: Create file to customize barbican resource deployed in the control 
plane + vars: + certs_secret: "{{ cifmw_hsm_luna_cert_secret | default('barbican-luna-certs', true) }}" + login_secret: "{{ cifmw_hsm_login_secret | default('hsm-login', true) }}" + ansible.builtin.copy: + dest: "{{ cifmw_basedir }}/artifacts/manifests/kustomizations/controlplane/93-barbican-luna.yaml" + content: |- + apiVersion: kustomize.config.k8s.io/v1beta1 + kind: Kustomization + resources: + namespace: {{ namespace }} + patches: + - target: + kind: OpenStackControlPlane + name: .* + patch: |- + - op: add + path: /spec/barbican/template/globalDefaultSecretStore + value: pkcs11 + - op: add + path: /spec/barbican/template/enabledSecretStores + value: + - pkcs11 + - op: add + path: /spec/barbican/template/pkcs11 + value: + type: luna + libraryPath: /usr/local/luna/libs/64/libCryptoki2.so + tokenLabels: "{{ cifmw_hsm_luna_partition }}" + MKEKLabel: "{{ cifm_hsm_mkek_label }}" + HMACLabel: "{{ cifm_hsm_hmac_label }}" + serverAddress: "{{ cifmw_hsm_server_ip }}" + clientAddress: "{{ cifmw_hsm_client_ip }}" + loginSecret: "{{ login_secret }}" + certificatesSecret: "{{ certs_secret }}" + certificatesMountPoint: /usr/local/luna/config/certs + keyWrapMechanism: "{{ cifmw_hsm_key_wrap_mechanism }}" diff --git a/roles/update_containers/defaults/main.yml b/roles/update_containers/defaults/main.yml index 95142c4136..1aff329406 100644 --- a/roles/update_containers/defaults/main.yml +++ b/roles/update_containers/defaults/main.yml @@ -47,3 +47,4 @@ cifmw_update_containers_manilashares: # cifmw_update_containers_edpm_image_url: # cifmw_update_containers_ipa_image_url: # cifmw_update_containers_edpmnodeexporterimage: +cifmw_update_barbican_custom_tag: "" diff --git a/roles/update_containers/templates/update_containers.j2 b/roles/update_containers/templates/update_containers.j2 index 04ccbed301..587078444b 100644 --- a/roles/update_containers/templates/update_containers.j2 +++ b/roles/update_containers/templates/update_containers.j2 
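Review bot: The kustomization rendered by the second play's `ansible.builtin.copy` task reads `cifm_hsm_mkek_label` and `cifm_hsm_hmac_label` for `MKEKLabel` and `HMACLabel`, while every other HSM input in this playbook is named `cifmw_hsm_*`; unless a `cifm_hsm_*` variable is deliberately defined elsewhere, templating the `content` block will fail with an undefined-variable error, and if one happens to exist the control plane CR would point Barbican at the wrong MKEK/HMAC key labels. Rename them to `MKEKLabel: "{{ cifmw_hsm_mkek_label }}"` and `HMACLabel: "{{ cifmw_hsm_hmac_label }}"`. Separately, the first task clones the `rhoso_luna_hsm` role from GitHub at `version: main`; since that role builds the images that carry Barbican's key-wrapping path and is handed `cifmw_hsm_partition_password`, pinning `version` to a commit SHA (or exposing it as a variable with a pinned default) would keep a push to that branch from silently changing what gets deployed and what code sees the HSM credentials. Whether the role's own tasks mark the partition password `no_log` is not visible from this hunk.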
@@ -10,9 +10,9 @@ spec: aodhEvaluatorImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-aodh-evaluator:{{ cifmw_update_containers_tag }} aodhListenerImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-aodh-listener:{{ cifmw_update_containers_tag }} aodhNotifierImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-aodh-notifier:{{ cifmw_update_containers_tag }} - barbicanAPIImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-barbican-api:{{ cifmw_update_containers_tag }} + barbicanAPIImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-barbican-api:{{ cifmw_update_containers_tag }}{{ cifmw_update_barbican_custom_tag }} barbicanKeystoneListenerImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-barbican-keystone-listener:{{ cifmw_update_containers_tag }} - barbicanWorkerImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-barbican-worker:{{ cifmw_update_containers_tag }} + barbicanWorkerImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-barbican-worker:{{ cifmw_update_containers_tag }}{{ cifmw_update_barbican_custom_tag }} ceilometerCentralImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-ceilometer-central:{{ cifmw_update_containers_tag }} ceilometerComputeImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-ceilometer-compute:{{ cifmw_update_containers_tag }} ceilometerIpmiImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-ceilometer-ipmi:{{ cifmw_update_containers_tag }}