Barbican Support for Luna HSM
Signed-off-by: Mauricio Harley <[email protected]>
Mauricio Harley committed Oct 31, 2024
1 parent 40cdf6f commit e57a4e2
Showing 21 changed files with 673 additions and 353 deletions.
31 changes: 18 additions & 13 deletions api/bases/barbican.openstack.org_barbicanapis.yaml
Expand Up @@ -300,13 +300,13 @@ spec:
pkcs11:
description: BarbicanPKCS11Template - Includes all common HSM properties
properties:
hsmCertificates:
additionalProperties:
type: string
description: 'The HSM certificates. The map''s key is the OpenShift
secret storing the certificate, and the value is the mounting
point (e.g., "luna-certificates": "/usr/local/luna/config/certs").'
type: object
hsmCertificatesMountPoint:
description: The mounting point where the certificates will be
copied to (e.g., /usr/local/luna/config/certs).
type: string
hsmCertificatesSecret:
description: The OpenShift secret that stores the HSM certificates.
type: string
hsmClientAddress:
description: The IP address of the client connecting to the HSM
(X.Y.Z.K)
Expand All @@ -331,9 +331,9 @@ spec:
maximum: 7
minimum: 0
type: integer
hsmLogin:
description: OpenShift secret storing the password to login to
PKCS11 session
hsmLoginSecret:
description: OpenShift secret that stores the password to login
to the PKCS11 session
type: string
hsmMKEKLabel:
description: Label to identify master KEK in the HSM (must not
Expand All @@ -344,16 +344,14 @@ spec:
description: Length in bytes of master KEK
type: integer
hsmSlotId:
default: 1
description: HSM Slot ID that contains the token device to be
used
type: integer
type: string
hsmTokenLabel:
description: Token label used to identify the token to be used.
Required when token_serial_number is not specified.
type: string
hsmTokenSerialNumber:
default: "12345678"
description: Token serial number used to identify the token to
be used. Required when the device has multiple tokens with the
same label.
Expand All @@ -362,6 +360,13 @@ spec:
description: 'A string containing the HSM type (currently supported:
"trustway", "luna", "ncipher").'
type: string
required:
- hsmHMACLabel
- hsmIpAddress
- hsmLibraryPath
- hsmLoginSecret
- hsmMKEKLabel
- hsmType
type: object
rabbitMqClusterName:
default: rabbitmq
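Review bot: The new `required` list for `pkcs11` (hsmHMACLabel, hsmIpAddress, hsmLibraryPath, hsmLoginSecret, hsmMKEKLabel, hsmType) leaves token selection completely unconstrained: `hsmSlotId`, `hsmTokenLabel` and `hsmTokenSerialNumber` all stay optional, the `default: 1` on `hsmSlotId` appears to be dropped in the same change, and the `hsmTokenLabel` description itself says it is "Required when token_serial_number is not specified", so a CR that omits all three is accepted by the API server and only fails later when the PKCS#11 backend is configured. OpenAPI `required` cannot express "at least one of", so this needs a CEL rule; since api/bases looks controller-gen generated, the marker belongs on the Go struct, e.g. `// +kubebuilder:validation:XValidation:rule="has(self.hsmSlotId) || has(self.hsmTokenLabel) || has(self.hsmTokenSerialNumber)",message="one of hsmSlotId, hsmTokenLabel or hsmTokenSerialNumber must be set"`. I cannot tell from these files which of the three the plugin consults first, so the message should be worded to match whatever barbican actually honours.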
31 changes: 18 additions & 13 deletions api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml
Expand Up @@ -122,13 +122,13 @@ spec:
pkcs11:
description: BarbicanPKCS11Template - Includes all common HSM properties
properties:
hsmCertificates:
additionalProperties:
type: string
description: 'The HSM certificates. The map''s key is the OpenShift
secret storing the certificate, and the value is the mounting
point (e.g., "luna-certificates": "/usr/local/luna/config/certs").'
type: object
hsmCertificatesMountPoint:
description: The mounting point where the certificates will be
copied to (e.g., /usr/local/luna/config/certs).
type: string
hsmCertificatesSecret:
description: The OpenShift secret that stores the HSM certificates.
type: string
hsmClientAddress:
description: The IP address of the client connecting to the HSM
(X.Y.Z.K)
Expand All @@ -153,9 +153,9 @@ spec:
maximum: 7
minimum: 0
type: integer
hsmLogin:
description: OpenShift secret storing the password to login to
PKCS11 session
hsmLoginSecret:
description: OpenShift secret that stores the password to login
to the PKCS11 session
type: string
hsmMKEKLabel:
description: Label to identify master KEK in the HSM (must not
Expand All @@ -166,16 +166,14 @@ spec:
description: Length in bytes of master KEK
type: integer
hsmSlotId:
default: 1
description: HSM Slot ID that contains the token device to be
used
type: integer
type: string
hsmTokenLabel:
description: Token label used to identify the token to be used.
Required when token_serial_number is not specified.
type: string
hsmTokenSerialNumber:
default: "12345678"
description: Token serial number used to identify the token to
be used. Required when the device has multiple tokens with the
same label.
Expand All @@ -184,6 +182,13 @@ spec:
description: 'A string containing the HSM type (currently supported:
"trustway", "luna", "ncipher").'
type: string
required:
- hsmHMACLabel
- hsmIpAddress
- hsmLibraryPath
- hsmLoginSecret
- hsmMKEKLabel
- hsmType
type: object
rabbitMqClusterName:
default: rabbitmq
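Review bot: `hsmType` remains a free-form string although its own description enumerates the only supported values ("trustway", "luna", "ncipher"), and `hsmSlotId` appears to move from `type: integer` to an unconstrained `type: string`, so a typo in the type name or a non-numeric slot id is admitted by the API server and only surfaces when the operator renders the plugin configuration from it. Since this schema is presumably regenerated from the Go types, tighten it there: `// +kubebuilder:validation:Enum=trustway;luna;ncipher` on the HSM type field and `// +kubebuilder:validation:Pattern="^[0-9]+$"` on the slot id field. If the slot id was deliberately made a string to accept something other than a decimal index, the description should say so, because as written it still reads as a numeric "HSM Slot ID". The same applies to the identical `pkcs11` schema in barbicanapis.yaml in this commit.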
