
Add playbook to configure lunasa access for barbican #2630

Open

wants to merge 1 commit into base: main

Conversation

@vakwetu (Contributor) commented Jan 3, 2025

This playbook will configure the barbican pods on the test system to use a luna HSM as a crypto backend to store and generate keys.

In particular, we need to:

  1. Create modified barbican-api and barbican-worker images that contain the HSM client software. The new images will be published locally on the crc node with a special tag ("cifmw_update_barbican_custom_tag") appended.
  2. Create a secret to store certificates to access the HSM (server and client certs).
  3. Create a secret to store the password needed to access the HSM partition.
  4. Use the update-containers role to modify openstackversion to use the updated barbican images. This PR makes a small modification to that role to account for the extra tag ("cifmw_update_barbican_custom_tag")
  5. Modify the control plane CR to add the needed config to Barbican to use the HSM as a backend.

Steps 1-3 are done by a separate ansible role (https://github.com/openstack-k8s-operators/ansible-role-rhoso-luna-hsm/). This is useful because we'll be able to modify and branch this role as appropriate as the HSM software changes.

Jira: https://issues.redhat.com/browse/OSPRH-11019
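Added example, not the PR's playbook and not code from the ansible-role-rhoso-luna-hsm role: one way to express steps 2, 3 and 5 of the description with the kubernetes.core.k8s module. The Secret names, the namespace, the OpenStackControlPlane name, the certificate file paths, the Luna client library path, the token and key labels, the login Secret key (PKCS11Pin) and the barbican-operator CR fields (enabledSecretStores, globalDefaultSecretStore, pkcs11.loginSecret / clientDataSecret / clientDataPath) are assumptions made for this illustration, not values taken from the PR.

```yaml
# Added example (not the PR's playbook, not the ansible-role-rhoso-luna-hsm role).
# Creates the two Secrets and patches the control plane CR so Barbican uses the
# Luna partition through its PKCS#11 crypto plugin.
# Assumed (not from the PR): secret names, namespace, CR name, cert paths, Luna
# library path, token/key labels, login secret key, barbican-operator CR fields.
- name: Configure Barbican to use a Luna HSM partition
  hosts: localhost
  gather_facts: false
  no_log: true   # keep the partition password out of the Ansible log
  vars:
    namespace: openstack
    cp_name: openstack                       # assumed OpenStackControlPlane name
    hsm_cert_dir: /etc/luna/certs            # assumed: where the NTLS certs were left
    luna_library: /usr/safenet/lunaclient/lib/libCryptoki2_64.so   # assumed path
    luna_token_label: barbican_partition     # assumed partition label
  tasks:
    - name: Secret with the NTLS server certificate and the client cert/key
      kubernetes.core.k8s:
        state: present
        definition:
          apiVersion: v1
          kind: Secret
          metadata:
            name: barbican-luna-certs
            namespace: "{{ namespace }}"
          type: Opaque
          data:
            server.pem: "{{ lookup('file', hsm_cert_dir ~ '/server.pem') | b64encode }}"
            client.pem: "{{ lookup('file', hsm_cert_dir ~ '/client.pem') | b64encode }}"
            clientKey.pem: "{{ lookup('file', hsm_cert_dir ~ '/clientKey.pem') | b64encode }}"

    - name: Separate Secret for the partition password (never placed in the CR)
      kubernetes.core.k8s:
        state: present
        definition:
          apiVersion: v1
          kind: Secret
          metadata:
            name: barbican-luna-login
            namespace: "{{ namespace }}"
          type: Opaque
          stringData:
            # Key name assumed; read from the environment so it is not in the playbook
            PKCS11Pin: "{{ lookup('env', 'LUNA_PARTITION_PASSWORD') }}"

    - name: Point Barbican at the PKCS#11 backend (CR field names assumed)
      kubernetes.core.k8s:
        state: patched
        api_version: core.openstack.org/v1beta1
        kind: OpenStackControlPlane
        name: "{{ cp_name }}"
        namespace: "{{ namespace }}"
        definition:
          spec:
            barbican:
              template:
                enabledSecretStores: [pkcs11]
                globalDefaultSecretStore: pkcs11
                pkcs11:
                  loginSecret: barbican-luna-login
                  clientDataSecret: barbican-luna-certs
                  clientDataPath: /usr/local/luna/config/certs   # assumed mount path
                # barbican.conf fragment: no "login =" line here, the operator is
                # expected to inject it from loginSecret
                customServiceConfig: |
                  [p11_crypto_plugin]
                  library_path = {{ luna_library }}
                  token_labels = {{ luna_token_label }}
                  mkek_label = barbican_mkek
                  hmac_label = barbican_hmac
                  encryption_mechanism = CKM_AES_GCM
                  hmac_key_type = CKK_GENERIC_SECRET
                  hmac_keygen_mechanism = CKM_GENERIC_SECRET_KEY_GEN
                  os_locking_ok = true
```

The point to check in any real run is the separation the PR description describes: the certificates and the partition password live in two different Secrets, and the password appears neither in customServiceConfig nor in the rendered CR, so anyone with read access to the OpenStackControlPlane object cannot recover it. The mechanism names under [p11_crypto_plugin] depend on the HSM model and firmware and should be taken from the vendor's Barbican guidance rather than from this example.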

github-actions bot commented Jan 3, 2025

Thanks for the PR! ❤️
I'm marking it as a draft; once you're happy with it merging and the PR is passing CI, click the "Ready for review" button below.

@github-actions github-actions bot marked this pull request as draft January 3, 2025 18:11

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/740cca6a43014e3e85924701c1903ead

✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 30m 35s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 18m 02s
cifmw-crc-podified-edpm-baremetal RETRY_LIMIT in 24m 47s
✔️ noop SUCCESS in 0s
✔️ cifmw-pod-ansible-test SUCCESS in 8m 03s
✔️ cifmw-pod-pre-commit SUCCESS in 7m 06s
✔️ build-push-container-cifmw-client SUCCESS in 36m 33s
✔️ cifmw-molecule-update_containers SUCCESS in 5m 09s

@vakwetu vakwetu force-pushed the add_luna_hsm_logic branch from 199a679 to f3d39d2 January 3, 2025 21:25
@lewisdenny (Collaborator) commented Jan 5, 2025

Hi @vakwetu, do you have a Jira card tracking this work so I can fully understand the context of what you are implementing?

Also, if this is ready to review, please remove the draft status.

@vakwetu vakwetu mentioned this pull request Jan 6, 2025
@vakwetu (Contributor, Author) commented Jan 6, 2025

@lewisdenny Thanks. I added more details to the PR description and also a link to the Jira.

I've been testing this in testproject, and haven't gotten a completely successful run yet - but we're close. When that happens, I'll remove the draft status.

It's very close to final though, so please feel free to review.

@vakwetu (Contributor, Author) commented Jan 6, 2025

The testproject patch for this passed, i.e. the config was set correctly and we got all green for the barbican tests.

https://sf.apps.int.gpc.ocp-hub.prod.psi.redhat.com/logs/16/816/92fbf911ccd2bc7e334bf4e7fe0de8dcfb19de69/check-gitlab-cee/component-barbican-edpm-update-rhel9-rhoso18.0-crc/1a91dc3/controller/ci-framework-data/tests/test_operator/tempest-tests-tempest/stestr_results.html

The update test failed, but I suspect that I need to fix something in the test to account for the updated images. Will work on that separately.

Accordingly, going to remove the draft tag

openshift-ci bot commented Jan 21, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign pablintino for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/e816533f84444f489a216a4d222aecb7

✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 08m 15s
podified-multinode-edpm-deployment-crc FAILURE in 17m 52s
cifmw-crc-podified-edpm-baremetal FAILURE in 55m 15s
✔️ noop SUCCESS in 0s
✔️ cifmw-pod-ansible-test SUCCESS in 8m 31s
✔️ cifmw-pod-pre-commit SUCCESS in 8m 09s
✔️ build-push-container-cifmw-client SUCCESS in 36m 48s
✔️ cifmw-molecule-update_containers SUCCESS in 5m 33s

@mauricioharley

All good from my perspective.

@vakwetu vakwetu force-pushed the add_luna_hsm_logic branch from df701b6 to db9972e February 4, 2025 20:16
@vakwetu vakwetu marked this pull request as ready for review February 4, 2025 20:36
@vakwetu vakwetu force-pushed the add_luna_hsm_logic branch from db9972e to 353af1c February 5, 2025 16:20

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/d4dc6823ddd84e6b8f4309c2c6b14a99

✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 45m 16s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 31m 24s
cifmw-crc-podified-edpm-baremetal FAILURE in 43m 31s
✔️ noop SUCCESS in 0s
✔️ cifmw-pod-ansible-test SUCCESS in 7m 50s
✔️ cifmw-pod-pre-commit SUCCESS in 7m 15s
✔️ build-push-container-cifmw-client SUCCESS in 18m 18s
✔️ cifmw-molecule-update_containers SUCCESS in 5m 12s

@vakwetu vakwetu force-pushed the add_luna_hsm_logic branch from 353af1c to b88bf29 February 6, 2025 20:59

This playbook will check out an ansible role that creates modified
barbican images and creates the relevant secrets needed.

In addition, the playbook modifies the control plane CR to include
the required config to barbican.

You need to call the update-containers role to be able to use the
updated barbican images.

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/18e42705c0a144ccaa554c5a00e1d14c

✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 44m 30s
podified-multinode-edpm-deployment-crc FAILURE in 1h 11m 43s
✔️ cifmw-crc-podified-edpm-baremetal SUCCESS in 1h 29m 23s
✔️ noop SUCCESS in 0s
✔️ cifmw-pod-ansible-test SUCCESS in 8m 24s
✔️ cifmw-pod-pre-commit SUCCESS in 7m 49s
✔️ build-push-container-cifmw-client SUCCESS in 18m 38s
✔️ cifmw-molecule-update_containers SUCCESS in 6m 06s

4 participants