openstack-k8s-operators · vakwetu · Oct 22, 2024 · Dec 11, 2024
@@ -25,6 +25,7 @@ az
 azs
 backend
 backends
+barbican
 baremetal
 baremetalhost
 basedir
@@ -45,6 +46,7 @@ bootmacaddress
 bootmode
 buildah
 buildpkgs
+cacert
 cacheable
 cci
 ccitredhat
@@ -71,6 +73,7 @@ ciuser
 cjeanner
 ckcg
 cli
+clientvm
 clusterimageset
 clusterpool
 cmd
@@ -203,6 +206,8 @@ hostnames
 hostvars
 hotfix
 href
+hsm
+hsms
 https
 ic
 icjbuue
@@ -282,6 +287,8 @@ loopback
 losetup
 lsblk
 luks
+lunaclient
+lunasa
 lv
 lvm
 lvmcluster
@@ -300,6 +307,7 @@ mellanox
 metallb
 metalsmith
 mgmt
+minclient
 mins
 minsizegigabytes
 mlnx
@@ -392,6 +400,7 @@ params
 passwd
 passwordless
 pastebin
+pem
 pkgs
 pki
 png

@@ -0,0 +1,55 @@
+---
+- name: Create modified barbican image and get secrets
+  hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
+  tasks:
+    - name: Include hsm_prep role
+      ansible.builtin.include_role:
+        name: hsm_prep
+      vars:
+        cifmw_hsm_barbican_src_image_registry: "{{ content_provider_registry_ip }}:5001"
+        cifmw_hsm_barbican_src_image_namespace: "{{ cifmw_set_openstack_containers_namespace }}"
+        cifmw_hsm_barbican_src_image_tag: "{{ cifmw_update_extras['cifmw_set_openstack_containers_tag'] }}"
+        cifmw_hsm_barbican_dest_image_registry: "{{ content_provider_registry_ip }}:5001"
+        cifmw_hsm_barbican_dest_image_namespace: "{{ cifmw_set_openstack_containers_namespace }}"
+        cifmw_hsm_barbican_dest_image_tag: "{{ cifmw_update_extras['cifmw_set_openstack_containers_tag'] }}-luna"
+
+- name: Create kustomization to use update barbican to use luna
+  hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
+  tasks:
+    - name: Create file to customize barbican resource deployed in the control plane
+      vars:
+        certs_secret: "{{ cifmw_hsm_luna_cert_secret | default('barbican-luna-certs', true) }}"
+        login_secret: "{{ cifmw_hsm_login_secret | default('hsm-login', true) }}"
+      ansible.builtin.copy:
+        dest: "{{ cifmw_basedir }}/artifacts/manifests/kustomizations/controlplane/93-barbican-luna.yaml"
+        content: |-
+          apiVersion: kustomize.config.k8s.io/v1beta1
+          kind: Kustomization
+          resources:
+          namespace: {{ namespace }}
+          patches:
+          - target:
+              kind: OpenStackControlPlane
+              name: .*
+            patch: |-
+              - op: add
+                path: /spec/barbican/template/globalDefaultSecretStore
+                value: pkcs11
+              - op: add
+                path: /spec/barbican/template/enabledSecretStores
+                value:
+                  - pkcs11
+              - op: add
+                path: /spec/barbican/template/pkcs11
+                value:
+                  type: luna
+                  libraryPath: /usr/local/luna/libs/64/libCryptoki2.so
+                  tokenLabels: "{{ cifmw_hsm_luna_partition }}"
+                  MKEKLabel: "{{ cifm_hsm_mkek_label }}"
+                  HMACLabel: "{{ cifm_hsm_hmac_label }}"
+                  serverAddress: "{{ cifmw_hsm_server_ip }}"
+                  clientAddress: "{{ cifmw_hsm_client_ip }}"
+                  loginSecret: "{{ login_secret }}"
+                  certificatesSecret: "{{ certs_secret }}"
+                  certificatesMountPoint: /usr/local/luna/config/certs
+                  keyWrapMechanism: "{{ cifmw_hsm_key_wrap_mechanism }}"
@@ -0,0 +1,65 @@
+# HSM Role
+
+In order to use HSMs, the barbican images need to be customized to include the HSM software.
+
+The purpose of this role is to:
+* Generate new images for the barbican-api and barbican-worker containing the HSM software
+* Upload those images to a private repository for use in setting up a CI job.
+* Create any required config to be mounted by the barbican images to interact with the HSM
+
+For the Lunasa, we expect some preparatory steps to be completed prior to execution in order for the
+role to complete successfully.
+* The lunasa software is uploaded somewhere and will be fetched by the role
+  * The contents of the minimal linux client in a zipped tar file should be made available at cifmw_hsm_luna_minclient_src.
+  * The lunasa binaries that need to be added to the image are made available at cifmw_hsm_luna_binaries_src.
+  * The lunasa HSM cacert file is made available at cifmw_hsm_luna_server_cert_src.  For an HA configuration,
+    this will be a concatenation of all the server certs for the servers in the HA partition.
+  * The client certificate and key made available at cifmw_hsm_luna_client_cert_src.  The files are expected
+    to be of the form "(cifmw_hsm_client_ip)".pem and "(cifmw_hsm_client_ip)"Key.pem
+* The certs will be retrieved and stored in a secret (cifmw_hsm_luna_cert_secret)
+* The password to log into the HSM partition will be stored in a secret (cifmw_hsm_login_secret)
+
+A minimal (one that takes the defaults) invocation of this role is shown below.  In this case, the lunaclient
+software and certs are stored locally under /opt/luna.
+
+- name: Set up Luna
+  hosts: lunaclient
+  ansible.builtin.include_role: hsm_prep
+  tags:
+    - image_prep
+    - cert_prep
+    - secret_prep
+  vars:
+    cifmw_hsm_client_ip: "IP of the client - this could be the hypervisor where the Openshift nodes run"
+
+Note that tags have been provided to allow the caller to select specific operations.  This may be necessary
+because different operations may need to executed in different CI jobs.  The current tags available are:
+image_prep, cert_prep, secret_prep, cleanup
+
+## Parameters
+
+### HSM Details
+* `cifmw_hsm_hsmtype`: (String) The type of HSM required.  Currently, only "luna" is supported. Default value: `luna`
+* `cifmw_hsm_login_secret`: (String) The secret to store the password to log into the HSM partition. Default: `hsm-login`
+
+### Role Parameters
+* `cifmw_hsm_cleanup`: (Boolean) Delete all resources created by the role at the end of the testing. Default value: `false`
+* `cifmw_hsm_working_dir`: (String) Working directory to store artifacts.  Default value: `/tmp/hsm-prep-working-dir`
+* `cifmw_hsm_client_ip`: (String) ip address or hostname of the client VM
+
+### Image Details
+* `cifmw_hsm_barbican_src_image_registry`: (String) Registry of the source image. Default value: `quay.io`
+* `cifmw_hsm_barbican_src_image_namespace: (String) Namespace of the source image. Default value: `podified-antelope-centos9`
+* `cifmw_hsm_barbican_src_image_tag: (String) Tag of the source image. Default value: `current-podified`
+* `cifmw_hsm_barbican_dest_image_registry`: (String) Registry of the modified image. Default value: `quay.io`
+* `cifmw_hsm_barbican_dest_image_namespace: (String) Namespace of the modified image. Default value: `podified-antelope-centos9`
+* `cifmw_hsm_barbican_dest_image_tag: (String) Tag of the modified image. Default value: `current-podified-luna`
+
+### Luna Parameters
+* `cifmw_hsm_luna_minclient_src`: (String) Location of linux minimal client tarball. Default value: `file:///opt/luna/Linux-Minimal-Client.tar.gz`
+* `cifmw_hsm_luna_binaries_src`: (String) Location of the luna binaries. Default value: `file:///opt/luna/bin`
+* `cifmw_hsm_luna_server_cert_src`: (String) Location of HSM server CA cert.  Default value: `file:///opt/luna/cert/server/cacert.pem`
+* `cifmw_hsm_luna_client_cert_src`: (String) Location of HSM client certs.  Default value: `file:///opt/luna/cert/client`
+* `cifmw_hsm_server_ca_file`: (String) Name of the cacert file in the container.  Default value: `cacert.pem`
+* `cifmw_hsm_luna_cert_secret`: (String) Name of the secret that stores all of the needed certs for luna.  Default value: `barbican-luna-certs`
+* `cifmw_hsm_luna_cert_secret_namespace`: (String) Namespace of the secret that stores all of the needed certs for luna.  Default value: `openstack`
@@ -0,0 +1,44 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# defaults file for hsm role
+
+# HSM Details
+cifmw_hsm_hsmtype: "luna"
+cifmw_hsm_admin_user: "admin"
+cifmw_hsm_login_secret: "hsm-login"
+
+### Role Parameters
+cifmw_hsm_cleanup: false
+cifmw_hsm_working_dir: "/tmp/hsm-prep-working-dir"
+
+### Luna Parameters
+cifmw_hsm_luna_minclient_src: "file:///opt/luna/Linux-Minimal-Client.tar.gz"
+cifmw_hsm_luna_binaries_src: "file:///opt/luna/bin/"
+cifmw_hsm_luna_server_cert_src: "file:///opt/luna/cert/server/cacert.pem"
+cifmw_hsm_luna_client_cert_src: "file:///opt/luna/cert/client/"
+cifmw_hsm_server_ca_file: "cacert.pem"
+cifmw_hsm_luna_cert_secret: "barbican-luna-certs"
+cifmw_hsm_luna_cert_secret_namespace: "openstack"
+
+## Image details
+cifmw_hsm_barbican_src_image_registry: "quay.io"
+cifmw_hsm_barbican_src_image_namespace: "podified-antelope-centos9"
+cifmw_hsm_barbican_src_image_tag: "current-podified"
+cifmw_hsm_barbican_dest_image_registry: "quay.io"
+cifmw_hsm_barbican_dest_image_namespace: "podified-antelope-centos9"
+cifmw_hsm_barbican_dest_image_tag: "current-podified-luna"
@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+# barbican_add_luna_minimal_client.sh
+#
+# This script adds the Linux Minimal Client for Thales Luna Network HSM
+# to both the API and Worker images so that the HSM can be used as a PKCS#11
+# backend for Barbican.
+set -x
+set -o errexit
+set -o pipefail
+
+BARBICAN_SRC_IMAGE_REGISTRY=${BARBICAN_SRC_IMAGE_REGISTRY:-"quay.io"}
+BARBICAN_SRC_IMAGE_NAMESPACE=${BARBICAN_SRC_IMAGE_NAMESPACE:-"podified-antelope-centos9"}
+BARBICAN_SRC_IMAGE_TAG=${BARBICAN_SRC_IMAGE_TAG:-"current-podified"}
+BARBICAN_SRC_API_IMAGE="$BARBICAN_SRC_IMAGE_REGISTRY/$BARBICAN_SRC_IMAGE_NAMESPACE/openstack-barbican-api:$BARBICAN_SRC_IMAGE_TAG"
+BARBICAN_SRC_WORKER_IMAGE="$BARBICAN_SRC_IMAGE_REGISTRY/$BARBICAN_SRC_IMAGE_NAMESPACE/openstack-barbican-worker:$BARBICAN_SRC_IMAGE_TAG"
+
+BARBICAN_DEST_IMAGE_REGISTRY=${BARBICAN_DEST_IMAGE_REGISTRY:-"quay.io"}
+BARBICAN_DEST_IMAGE_NAMESPACE=${BARBICAN_DEST_IMAGE_NAMESPACE:-"podified-antelope-centos9"}
+BARBICAN_DEST_IMAGE_TAG=${BARBICAN_DEST_IMAGE_TAG:-"current-podified"}
+BARBICAN_DEST_API_IMAGE="$BARBICAN_DEST_IMAGE_REGISTRY/$BARBICAN_DEST_IMAGE_NAMESPACE/openstack-barbican-api:$BARBICAN_DEST_IMAGE_TAG"
+BARBICAN_DEST_WORKER_IMAGE="$BARBICAN_DEST_IMAGE_REGISTRY/$BARBICAN_DEST_IMAGE_NAMESPACE/openstack-barbican-worker:$BARBICAN_DEST_IMAGE_TAG"
+
+# LUNA_LINUX_MINIMAL_CLIENT_DIR - location of the "linux-minimal" directory
+# in your client media.  This could be a path to a mounted ISO or a path to
+# the location where a tarball was extracted
+LUNA_LINUX_MINIMAL_CLIENT_DIR=${LUNA_LINUX_MINIMAL_CLIENT_DIR:-"/media/lunaiso/linux-minimal"}
+
+# LUNA_CLIENT_BIN - location of the binaries installed by the client
+# software.
+LUNA_CLIENT_BIN=${LUNA_CLIENT_BIN:-"/usr/safenet/lunaclient/bin"}
+
+function install_client() {
+
+  container=$(buildah from --tls-verify=false $1)
+
+  # set required env
+  buildah config --env ChrystokiConfigurationPath=/usr/local/luna $container
+
+  # add linux-minimal client
+  buildah add --chown root:root $container $LUNA_LINUX_MINIMAL_CLIENT_DIR /usr/local/luna
+  buildah run --user root $container -- mkdir -p /usr/local/luna/config/certs
+  buildah run --user root $container -- mkdir -p /usr/local/luna/config/token/001
+  buildah run --user root $container -- touch /usr/local/luna/config/token/001/token.db
+  buildah add --chown root:root $container $LUNA_CLIENT_BIN/lunacm /usr/local/bin/
+  buildah add --chown root:root $container $LUNA_CLIENT_BIN/vtl /usr/local/bin/
+  buildah add --chown root:root $container $LUNA_CLIENT_BIN/multitoken /usr/local/bin/
+  buildah add --chown root:root $container $LUNA_CLIENT_BIN/ckdemo /usr/local/bin/
+
+  buildah commit --tls-verify=false $container $2
+  podman push --tls-verify=false $2
+  buildah rm $container
+}
+
+install_client $BARBICAN_SRC_API_IMAGE $BARBICAN_DEST_API_IMAGE
+install_client $BARBICAN_SRC_WORKER_IMAGE $BARBICAN_DEST_WORKER_IMAGE
@@ -0,0 +1,36 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+galaxy_info:
+  author: CI Framework
+  description: CI Framework Role -- HSM Prep
+  company: Red Hat
+  license: Apache-2.0
+  min_ansible_version: 2.14
+  namespace: cifmw
+  platforms:
+    - name: CentOS
+      versions:
+        - 9
+
+  galaxy_tags:
+    - cifmw
+    - hsm
+
+# List your role dependencies here, one per line. Be sure to remove the '[]' above,
+# if you add dependencies to this list.
+dependencies: []
@@ -0,0 +1,17 @@
+---
+- name: Perform cleanup tasks
+  tags: cleanup
+  when:
+    - cifmw_hsm_cleanup | bool
+    - cifmw_hsm_hsmtype == "luna"
+  block:
+    - name: Log debug tasks
+      ansible.builtin.debug:
+        msg: "Running cleanup tasks here"
+
+    - name: Remove the working directory
+      delegate_to: localhost
+      become: true
+      ansible.builtin.file:
+        path: "{{ cifmw_hsm_working_dir }}"
+        state: absent