From e57a4e21eaf4944e8e40254dbe8c964b7f65fd96 Mon Sep 17 00:00:00 2001
From: Mauricio Harley
Date: Wed, 9 Oct 2024 19:50:11 +0000
Subject: [PATCH] Barbican Support for Luna HSM

Signed-off-by: Mauricio Harley
---
 .../barbican.openstack.org_barbicanapis.yaml | 31 ++-
 ...enstack.org_barbicankeystonelisteners.yaml | 31 ++-
 .../barbican.openstack.org_barbicans.yaml | 252 ++++++++++++------
 ...arbican.openstack.org_barbicanworkers.yaml | 31 ++-
 api/v1beta1/barbican_types.go | 6 +-
 api/v1beta1/barbicanapi_types.go | 27 +-
 api/v1beta1/barbicanworker_types.go | 18 +-
 api/v1beta1/common_types.go | 49 ++--
 api/v1beta1/zz_generated.deepcopy.go | 39 +--
 .../barbican.openstack.org_barbicanapis.yaml | 31 ++-
 ...enstack.org_barbicankeystonelisteners.yaml | 31 ++-
 .../barbican.openstack.org_barbicans.yaml | 252 ++++++++++++------
 ...arbican.openstack.org_barbicanworkers.yaml | 31 ++-
 config/samples/pods_with_pkcs11-luna.yaml | 66 +++++
 controllers/barbican_controller.go | 28 +-
 controllers/barbicanapi_controller.go | 18 +-
 .../barbicankeystonelistener_controller.go | 18 +-
 controllers/barbicanworker_controller.go | 18 +-
 pkg/barbicanapi/deployment.go | 8 +-
 pkg/barbicanworker/deployment.go | 8 +-
 templates/barbican/config/00-default.conf | 33 +--
 21 files changed, 673 insertions(+), 353 deletions(-)
 create mode 100644 config/samples/pods_with_pkcs11-luna.yaml

diff --git a/api/bases/barbican.openstack.org_barbicanapis.yaml b/api/bases/barbican.openstack.org_barbicanapis.yaml
index 6d4e6d05..3280a040 100644
--- a/api/bases/barbican.openstack.org_barbicanapis.yaml
+++ b/api/bases/barbican.openstack.org_barbicanapis.yaml
@@ -300,13 +300,13 @@ spec: pkcs11: description: BarbicanPKCS11Template - Includes all common HSM properties properties: - hsmCertificates: - additionalProperties: - type: string - description: 'The HSM certificates. The map''s key is the OpenShift - secret storing the certificate, and the value is the mounting - point (e.g., "luna-certificates": "/usr/local/luna/config/certs").' - type: object + hsmCertificatesMountPoint: + description: The mounting point where the certificates will be + copied to (e.g., /usr/local/luna/config/certs). + type: string + hsmCertificatesSecret: + description: The OpenShift secret that stores the HSM certificates. + type: string hsmClientAddress: description: The IP address of the client connecting to the HSM (X.Y.Z.K) @@ -331,9 +331,9 @@ spec: maximum: 7 minimum: 0 type: integer - hsmLogin: - description: OpenShift secret storing the password to login to - PKCS11 session + hsmLoginSecret: + description: OpenShift secret that stores the password to login + to the PKCS11 session type: string hsmMKEKLabel: description: Label to identify master KEK in the HSM (must not @@ -344,16 +344,14 @@ spec: description: Length in bytes of master KEK type: integer hsmSlotId: - default: 1 description: HSM Slot ID that contains the token device to be used - type: integer + type: string hsmTokenLabel: description: Token label used to identify the token to be used. Required when token_serial_number is not specified. type: string hsmTokenSerialNumber: - default: "12345678" description: Token serial number used to identify the token to be used. Required when the device has multiple tokens with the same label. @@ -362,6 +360,13 @@ spec: description: 'A string containing the HSM type (currently supported: "trustway", "luna", "ncipher").' type: string + required: + - hsmHMACLabel + - hsmIpAddress + - hsmLibraryPath + - hsmLoginSecret + - hsmMKEKLabel + - hsmType type: object rabbitMqClusterName: default: rabbitmq 
diff --git a/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml b/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml index 483d8863..2dfd99e9 100644 --- a/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml +++ b/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml @@ -122,13 +122,13 @@ spec: pkcs11: description: BarbicanPKCS11Template - Includes all common HSM properties properties: - hsmCertificates: - additionalProperties: - type: string - description: 'The HSM certificates. The map''s key is the OpenShift - secret storing the certificate, and the value is the mounting - point (e.g., "luna-certificates": "/usr/local/luna/config/certs").' - type: object + hsmCertificatesMountPoint: + description: The mounting point where the certificates will be + copied to (e.g., /usr/local/luna/config/certs). + type: string + hsmCertificatesSecret: + description: The OpenShift secret that stores the HSM certificates. + type: string hsmClientAddress: description: The IP address of the client connecting to the HSM (X.Y.Z.K) @@ -153,9 +153,9 @@ spec: maximum: 7 minimum: 0 type: integer - hsmLogin: - description: OpenShift secret storing the password to login to - PKCS11 session + hsmLoginSecret: + description: OpenShift secret that stores the password to login + to the PKCS11 session type: string hsmMKEKLabel: description: Label to identify master KEK in the HSM (must not @@ -166,16 +166,14 @@ spec: description: Length in bytes of master KEK type: integer hsmSlotId: - default: 1 description: HSM Slot ID that contains the token device to be used - type: integer + type: string hsmTokenLabel: description: Token label used to identify the token to be used. Required when token_serial_number is not specified. type: string hsmTokenSerialNumber: - default: "12345678" description: Token serial number used to identify the token to be used. Required when the device has multiple tokens with the same label. 
@@ -184,6 +182,13 @@ spec: description: 'A string containing the HSM type (currently supported: "trustway", "luna", "ncipher").' type: string + required: + - hsmHMACLabel + - hsmIpAddress + - hsmLibraryPath + - hsmLoginSecret + - hsmMKEKLabel + - hsmType type: object rabbitMqClusterName: default: rabbitmq diff --git a/api/bases/barbican.openstack.org_barbicans.yaml b/api/bases/barbican.openstack.org_barbicans.yaml index 03416230..7ffbaf7a 100644 --- a/api/bases/barbican.openstack.org_barbicans.yaml +++ b/api/bases/barbican.openstack.org_barbicans.yaml @@ -72,6 +72,20 @@ spec: description: EnableSecureRBAC - Enable Consistent and Secure RBAC policies type: boolean + enabledSecretStores: + items: + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string + maxItems: 2 + minItems: 1 + type: array + globalDefaultSecretStore: + default: simple_crypto + type: string networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network 
@@ -267,6 +281,78 @@ spec: type (public, internal) type: object type: object + pkcs11: + description: BarbicanPKCS11Template - Includes all common HSM + properties + properties: + hsmCertificatesMountPoint: + description: The mounting point where the certificates will + be copied to (e.g., /usr/local/luna/config/certs). + type: string + hsmCertificatesSecret: + description: The OpenShift secret that stores the HSM certificates. + type: string + hsmClientAddress: + description: The IP address of the client connecting to the + HSM (X.Y.Z.K) + type: string + hsmEnabled: + default: false + type: boolean + hsmHMACLabel: + description: Label to identify HMAC key in the HSM (must not + be the same as MKEK label) + type: string + hsmIpAddress: + description: The HSM's IPv4 address (X.Y.Z.K) + type: string + hsmLibraryPath: + description: Path to vendor's PKCS11 library + type: string + hsmLoggingLevel: + default: 4 + description: Level of logging, where 0 means "no logging" + and 7 means "debug". + maximum: 7 + minimum: 0 + type: integer + hsmLoginSecret: + description: OpenShift secret that stores the password to + login to the PKCS11 session + type: string + hsmMKEKLabel: + description: Label to identify master KEK in the HSM (must + not be the same as HMAC label) + type: string + hsmMKEKLength: + default: 32 + description: Length in bytes of master KEK + type: integer + hsmSlotId: + description: HSM Slot ID that contains the token device to + be used + type: string + hsmTokenLabel: + description: Token label used to identify the token to be + used. Required when token_serial_number is not specified. + type: string + hsmTokenSerialNumber: + description: Token serial number used to identify the token + to be used. Required when the device has multiple tokens + with the same label. + type: string + hsmType: + description: 'A string containing the HSM type (currently + supported: "trustway", "luna", "ncipher").' 
+ type: string + required: + - hsmHMACLabel + - hsmIpAddress + - hsmLibraryPath + - hsmLoginSecret + - hsmMKEKLabel + - hsmType + type: object replicas: default: 1 description: Replicas of Barbican API to run @@ -494,6 +580,20 @@ spec: add additional files. Those get added to the service config dir in /etc/ . TODO: -> implement' type: object + enabledSecretStores: + items: + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string + maxItems: 2 + minItems: 1 + type: array + globalDefaultSecretStore: + default: simple_crypto + type: string networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network 
@@ -507,6 +607,78 @@ spec: this component. Setting here overrides any global NodeSelector settings within the Barbican CR. type: object + pkcs11: + description: BarbicanPKCS11Template - Includes all common HSM + properties + properties: + hsmCertificatesMountPoint: + description: The mounting point where the certificates will + be copied to (e.g., /usr/local/luna/config/certs). + type: string + hsmCertificatesSecret: + description: The OpenShift secret that stores the HSM certificates. + type: string + hsmClientAddress: + description: The IP address of the client connecting to the + HSM (X.Y.Z.K) + type: string + hsmEnabled: + default: false + type: boolean + hsmHMACLabel: + description: Label to identify HMAC key in the HSM (must not + be the same as MKEK label) + type: string + hsmIpAddress: + description: The HSM's IPv4 address (X.Y.Z.K) + type: string + hsmLibraryPath: + description: Path to vendor's PKCS11 library + type: string + hsmLoggingLevel: + default: 4 + description: Level of logging, where 0 means "no logging" + and 7 means "debug". + maximum: 7 + minimum: 0 + type: integer + hsmLoginSecret: + description: OpenShift secret that stores the password to + login to the PKCS11 session + type: string + hsmMKEKLabel: + description: Label to identify master KEK in the HSM (must + not be the same as HMAC label) + type: string + hsmMKEKLength: + default: 32 + description: Length in bytes of master KEK + type: integer + hsmSlotId: + description: HSM Slot ID that contains the token device to + be used + type: string + hsmTokenLabel: + description: Token label used to identify the token to be + used. Required when token_serial_number is not specified. + type: string + hsmTokenSerialNumber: + description: Token serial number used to identify the token + to be used. Required when the device has multiple tokens + with the same label. + type: string + hsmType: + description: 'A string containing the HSM type (currently + supported: "trustway", "luna", "ncipher").' 
+ type: string + required: + - hsmHMACLabel + - hsmIpAddress + - hsmLibraryPath + - hsmLoginSecret + - hsmMKEKLabel + - hsmType + type: object replicas: default: 1 description: Replicas of Barbican API to run @@ -592,20 +764,6 @@ spec: to add additional files. Those get added to the service config dir in /etc/ . TODO(dmendiza): -> implement' type: object - enabledSecretStores: - items: - description: This SecretStore type is used by the EnabledSecretStores - variable inside the specification. - enum: - - simple_crypto - - pkcs11 - type: string - maxItems: 2 - minItems: 1 - type: array - globalDefaultSecretStore: - default: simple_crypto - type: string nodeSelector: additionalProperties: type: string 
@@ -629,72 +787,6 @@ spec: default: SimpleCryptoKEK type: string type: object - pkcs11: - description: BarbicanPKCS11Template - Includes all common HSM properties - properties: - hsmCertificates: - additionalProperties: - type: string - description: 'The HSM certificates. The map''s key is the OpenShift - secret storing the certificate, and the value is the mounting - point (e.g., "luna-certificates": "/usr/local/luna/config/certs").' - type: object - hsmClientAddress: - description: The IP address of the client connecting to the HSM - (X.Y.Z.K) - type: string - hsmEnabled: - default: false - type: boolean - hsmHMACLabel: - description: Label to identify HMAC key in the HSM (must not be - the same as MKEK label) - type: string - hsmIpAddress: - description: The HSM's IPv4 address (X.Y.Z.K) - type: string - hsmLibraryPath: - description: Path to vendor's PKCS11 library - type: string - hsmLoggingLevel: - default: 4 - description: Level of logging, where 0 means "no logging" and - 7 means "debug". - maximum: 7 - minimum: 0 - type: integer - hsmLogin: - description: OpenShift secret storing the password to login to - PKCS11 session - type: string - hsmMKEKLabel: - description: Label to identify master KEK in the HSM (must not - be the same as HMAC label) - type: string - hsmMKEKLength: - default: 32 - description: Length in bytes of master KEK - type: integer - hsmSlotId: - default: 1 - description: HSM Slot ID that contains the token device to be - used - type: integer - hsmTokenLabel: - description: Token label used to identify the token to be used. - Required when token_serial_number is not specified. - type: string - hsmTokenSerialNumber: - default: "12345678" - description: Token serial number used to identify the token to - be used. Required when the device has multiple tokens with the - same label. - type: string - hsmType: - description: 'A string containing the HSM type (currently supported: - "trustway", "luna", "ncipher").' 
- type: string - type: object preserveJobs: default: false description: PreserveJobs - do not delete jobs after they finished diff --git a/api/bases/barbican.openstack.org_barbicanworkers.yaml b/api/bases/barbican.openstack.org_barbicanworkers.yaml index 1c34bc87..d8190e2f 100644 --- a/api/bases/barbican.openstack.org_barbicanworkers.yaml +++ b/api/bases/barbican.openstack.org_barbicanworkers.yaml @@ -120,13 +120,13 @@ spec: pkcs11: description: BarbicanPKCS11Template - Includes all common HSM properties properties: - hsmCertificates: - additionalProperties: - type: string - description: 'The HSM certificates. The map''s key is the OpenShift - secret storing the certificate, and the value is the mounting - point (e.g., "luna-certificates": "/usr/local/luna/config/certs").' - type: object + hsmCertificatesMountPoint: + description: The mounting point where the certificates will be + copied to (e.g., /usr/local/luna/config/certs). + type: string + hsmCertificatesSecret: + description: The OpenShift secret that stores the HSM certificates. + type: string hsmClientAddress: description: The IP address of the client connecting to the HSM (X.Y.Z.K) @@ -151,9 +151,9 @@ spec: maximum: 7 minimum: 0 type: integer - hsmLogin: - description: OpenShift secret storing the password to login to - PKCS11 session + hsmLoginSecret: + description: OpenShift secret that stores the password to login + to the PKCS11 session type: string hsmMKEKLabel: description: Label to identify master KEK in the HSM (must not 
@@ -164,16 +164,14 @@ spec: description: Length in bytes of master KEK type: integer hsmSlotId: - default: 1 description: HSM Slot ID that contains the token device to be used - type: integer + type: string hsmTokenLabel: description: Token label used to identify the token to be used. Required when token_serial_number is not specified. type: string hsmTokenSerialNumber: - default: "12345678" description: Token serial number used to identify the token to be used. Required when the device has multiple tokens with the same label.
@@ -182,6 +180,13 @@ spec: description: 'A string containing the HSM type (currently supported: "trustway", "luna", "ncipher").' type: string + required: + - hsmHMACLabel + - hsmIpAddress + - hsmLibraryPath + - hsmLoginSecret + - hsmMKEKLabel + - hsmType type: object rabbitMqClusterName: default: rabbitmq
diff --git a/api/v1beta1/barbican_types.go b/api/v1beta1/barbican_types.go
index eda79495..3064aee1 100644
--- a/api/v1beta1/barbican_types.go
+++ b/api/v1beta1/barbican_types.go
@@ -49,16 +49,16 @@ type BarbicanSpec struct {
  BarbicanKeystoneListener BarbicanKeystoneListenerTemplate `json:"barbicanKeystoneListener"`
 
  // +kubebuilder:validation:Optional
- PKCS11 BarbicanPKCS11Template `json:"pkcs11,omitempty"`
+ // PKCS11 BarbicanPKCS11Template `json:"pkcs11,omitempty"`
 
  // +kubebuilder:validation:Optional
  // +kubebuilder:validation:MinItems=1
  // +kubebuilder:validation:MaxItems=2
- EnabledSecretStores []SecretStore `json:"enabledSecretStores,omitempty"`
+ // EnabledSecretStores []SecretStore `json:"enabledSecretStores,omitempty"`
 
  // +kubebuilder:validation:Optional
  // +kubebuilder:default="simple_crypto"
- GlobalDefaultSecretStore string `json:"globalDefaultSecretStore"`
+ // GlobalDefaultSecretStore string `json:"globalDefaultSecretStore"`
 }
 
 // BarbicanSpecCore defines the desired state of Barbican, for use with the OpenStackControlplane CR (no containerImages)
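Review bot: The three fields removed from `BarbicanSpec` are left behind as commented-out code (`// PKCS11 BarbicanPKCS11Template ...` and the two lines below it) instead of being deleted, and the `BarbicanWorkerSpec` hunk in barbicanworker_types.go does the same with a `/* ... */` block; the deepcopy hunk for `BarbicanSpec` already drops their copy logic, so nothing references them and the lines should simply go. Removing top-level `pkcs11`, `enabledSecretStores` and `globalDefaultSecretStore` from the Barbican CRD also means an existing Barbican CR that still sets them would, under a structural schema that does not preserve unknown fields, have them pruned silently rather than rejected, so an HSM configuration could quietly revert to the `simple_crypto` default on upgrade. Unless a migration exists elsewhere in the patch (not visible here), the commit message should call out this API break and how existing CRs are expected to move the settings under the per-component templates.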
diff --git a/api/v1beta1/barbicanapi_types.go b/api/v1beta1/barbicanapi_types.go index 27e3f419..1eb0a8b3 100644 --- a/api/v1beta1/barbicanapi_types.go +++ b/api/v1beta1/barbicanapi_types.go @@ -49,6 +49,18 @@ type BarbicanAPITemplateCore struct { // +operator-sdk:csv:customresourcedefinitions:type=spec // TLS - Parameters related to the TLS TLS tls.API `json:"tls,omitempty"` + + // +kubebuilder:validation:Optional + PKCS11 BarbicanPKCS11Template `json:"pkcs11,omitempty"` + + // +kubebuilder:validation:Optional + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=2 + EnabledSecretStores []SecretStore `json:"enabledSecretStores,omitempty"` + + // +kubebuilder:validation:Optional + // +kubebuilder:default="simple_crypto" + GlobalDefaultSecretStore string `json:"globalDefaultSecretStore" yaml:"globalDefaultSecretStore"` } // APIOverrideSpec to override the generated manifest of several child resources. @@ -58,27 +70,12 @@ type APIOverrideSpec struct { Service map[service.Endpoint]service.RoutedOverrideSpec `json:"service,omitempty"` } -// +kubebuilder:validation:Enum=simple_crypto;pkcs11 -type SecretStore string - // BarbicanAPISpec defines the desired state of BarbicanAPI type BarbicanAPISpec struct { BarbicanTemplate `json:",inline"` BarbicanAPITemplate `json:",inline"` - // +kubebuilder:validation:Optional - PKCS11 BarbicanPKCS11Template `json:"pkcs11,omitempty"` - - // +kubebuilder:validation:Optional - // +kubebuilder:validation:MinItems=1 - // +kubebuilder:validation:MaxItems=2 - EnabledSecretStores []SecretStore `json:"enabledSecretStores,omitempty"` - - // +kubebuilder:validation:Optional - // +kubebuilder:default="simple_crypto" - GlobalDefaultSecretStore string `json:"globalDefaultSecretStore"` - // +kubebuilder:validation:Required // DatabaseHostname - Barbican Database Hostname DatabaseHostname string `json:"databaseHostname"` 
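Review bot: `GlobalDefaultSecretStore` in `BarbicanAPITemplateCore` carries a `yaml:"globalDefaultSecretStore"` tag that the otherwise identical field added to `BarbicanWorkerTemplateCore` (barbicanworker_types.go hunk) does not, and neither tag has `omitempty` even though the field is Optional with a `simple_crypto` default. If the operator builds the BarbicanAPI CR from these Go types, as the deepcopy hunks suggest, an unset field is marshalled as `""`, and CRD defaulting only fills absent fields, so an empty store name rather than `simple_crypto` can reach the rendered config; the tag `json:"globalDefaultSecretStore,omitempty"` in both templates would let the default apply. The same PKCS11/EnabledSecretStores/GlobalDefaultSecretStore trio now lives in `BarbicanAPITemplateCore`, `BarbicanWorkerTemplateCore` and (per the deepcopy hunks) `BarbicanKeystoneListenerSpec`; a shared embedded struct would keep their markers and tags from drifting the way they already have here.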
diff --git a/api/v1beta1/barbicanworker_types.go b/api/v1beta1/barbicanworker_types.go index ac9d270e..e918d094 100644 --- a/api/v1beta1/barbicanworker_types.go +++ b/api/v1beta1/barbicanworker_types.go @@ -35,6 +35,18 @@ type BarbicanWorkerTemplate struct { type BarbicanWorkerTemplateCore struct { BarbicanComponentTemplate `json:",inline"` + // +kubebuilder:validation:Optional + PKCS11 BarbicanPKCS11Template `json:"pkcs11,omitempty"` + + // +kubebuilder:validation:Optional + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=2 + EnabledSecretStores []SecretStore `json:"enabledSecretStores,omitempty"` + + // +kubebuilder:validation:Optional + // +kubebuilder:default="simple_crypto" + GlobalDefaultSecretStore string `json:"globalDefaultSecretStore"` + // TODO(dmendiza): Do we need a setting for number of worker processes // or is replica scaling good enough? } @@ -45,17 +57,17 @@ type BarbicanWorkerSpec struct { BarbicanWorkerTemplate `json:",inline"` - // +kubebuilder:validation:Optional + /*// +kubebuilder:validation:Optional PKCS11 BarbicanPKCS11Template `json:"pkcs11,omitempty"` // +kubebuilder:validation:Optional // +kubebuilder:validation:MinItems=1 // +kubebuilder:validation:MaxItems=2 - EnabledSecretStores []SecretStore `json:"enabledSecretStores"` + EnabledSecretStores []SecretStore `json:"enabledSecretStores,omitempty"` // +kubebuilder:validation:Optional // +kubebuilder:default="simple_crypto" - GlobalDefaultSecretStore string `json:"globalDefaultSecretStore"` + GlobalDefaultSecretStore string `json:"globalDefaultSecretStore"`*/ DatabaseHostname string `json:"databaseHostname"` diff --git a/api/v1beta1/common_types.go b/api/v1beta1/common_types.go index 23b509b2..82ece836 100644 --- a/api/v1beta1/common_types.go +++ b/api/v1beta1/common_types.go 
@@ -111,43 +111,42 @@ type BarbicanPKCS11Template struct {
  // +kubebuilder:default=false
  HSMEnabled bool `json:"hsmEnabled"`
 
- // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:Items:Enum=trustway;luna;ncipher
+ // A string containing the HSM type (currently supported: "trustway", "luna", "ncipher").
+ HSMType string `json:"hsmType"`
+
+ // +kubebuilder:validation:Required
  // Path to vendor's PKCS11 library
  HSMLibraryPath string `json:"hsmLibraryPath"`
 
  // +kubebuilder:validation:Optional
- // +kubebuilder:default="12345678"
  // Token serial number used to identify the token to be used. Required
  // when the device has multiple tokens with the same label.
- HSMTokenSerialNumber string `json:"hsmTokenSerialNumber"`
+ HSMTokenSerialNumber string `json:"hsmTokenSerialNumber,omitempty"`
 
  // +kubebuilder:validation:Optional
  // Token label used to identify the token to be used. Required when
  // token_serial_number is not specified.
- HSMTokenLabel string `json:"hsmTokenLabel"`
+ HSMTokenLabel string `json:"hsmTokenLabel,omitempty,omitempty"`
 
  // +kubebuilder:validation:Optional
- // OpenShift secret storing the password to login to PKCS11 session
- HSMLogin string `json:"hsmLogin"`
+ // HSM Slot ID that contains the token device to be used
+ HSMSlotId string `json:"hsmSlotId,omitempty"`
 
- // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:Required
  // Label to identify master KEK in the HSM (must not be the same as HMAC label)
  HSMMKEKLabel string `json:"hsmMKEKLabel"`
 
+ // +kubebuilder:validation:Required
+ // Label to identify HMAC key in the HSM (must not be the same as MKEK label)
+ HSMHMACLabel string `json:"hsmHMACLabel"`
+
  // +kubebuilder:validation:Optional
  // +kubebuilder:default=32
  // Length in bytes of master KEK
  HSMMKEKLength int `json:"hsmMKEKLength"`
 
- // +kubebuilder:validation:Optional
- // Label to identify HMAC key in the HSM (must not be the same as MKEK label)
- HSMHMACLabel string `json:"hsmHMACLabel"`
-
- // +kubebuilder:validation:Optional
- // +kubebuilder:default=1
- // HSM Slot ID that contains the token device to be used
- HSMSlotId int `json:"hsmSlotId"`
-
  // +kubebuilder:validation:Optional
  // +kubebuilder:default=4
  // +kubebuilder:validation:Maximum=7
@@ -155,23 +154,25 @@ type BarbicanPKCS11Template struct {
  // Level of logging, where 0 means "no logging" and 7 means "debug".
  HSMLoggingLevel int `json:"hsmLoggingLevel"`
 
- // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:Required
  // The HSM's IPv4 address (X.Y.Z.K)
  HSMIPAddress string `json:"hsmIpAddress"`
 
  // +kubebuilder:validation:Optional
  // The IP address of the client connecting to the HSM (X.Y.Z.K)
- HSMClientAddress string `json:"hsmClientAddress"`
+ HSMClientAddress string `json:"hsmClientAddress,omitempty"`
+
+ // +kubebuilder:validation:Required
+ // OpenShift secret that stores the password to login to the PKCS11 session
+ HSMLoginSecret string `json:"hsmLoginSecret"`
 
  // +kubebuilder:validation:Optional
- // The HSM certificates. The map's key is the OpenShift secret storing the certificate, and
- // the value is the mounting point (e.g., "luna-certificates": "/usr/local/luna/config/certs").
- HSMCertificates map[string]string `json:"hsmCertificates"`
+ // The OpenShift secret that stores the HSM certificates.
+ HSMCertificatesSecret string `json:"hsmCertificatesSecret,omitempty"`
 
  // +kubebuilder:validation:Optional
- // +kubebuilder:validation:Items:Enum=trustway;luna;ncipher
- // A string containing the HSM type (currently supported: "trustway", "luna", "ncipher").
- HSMType string `json:"hsmType"`
+ // The mounting point where the certificates will be copied to (e.g., /usr/local/luna/config/certs).
+ HSMCertificatesMountPoint string `json:"hsmCertificatesMountPoint,omitempty"`
 }
 
 // PasswordSelector to identify the DB and AdminUser password from the Secret
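Review bot: The marker carried over onto the now-Required `HSMType` field, `// +kubebuilder:validation:Items:Enum=trustway;luna;ncipher`, constrains array items and has no effect on a plain string, which is why every regenerated CRD in this patch renders `hsmType` as a bare `type: string` with no `enum`; it should read `// +kubebuilder:validation:Enum=trustway;luna;ncipher` so an unsupported backend name is rejected at admission instead of reaching the config template. The `HSMTokenLabel` tag `json:"hsmTokenLabel,omitempty,omitempty"` repeats the option and should be `json:"hsmTokenLabel,omitempty"`. `HSMSlotId` changes from `int` to an unconstrained string (the CRDs lose their `default: 1` and `type: integer`), so if the controller passes it through to the PKCS11 backend unchanged, a `// +kubebuilder:validation:Pattern=` marker (for instance `^[0-9]+$`, a constructed example) would keep the old numeric contract. The struct definition starts before this hunk.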
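Review bot: The new `Required` markers on `HSMLoginSecret` and `HSMIPAddress` are weaker than they look, because the template hunks in this patch embed `PKCS11 BarbicanPKCS11Template` by value: `omitempty` does not omit a struct, so a Go client always emits the `pkcs11` object with `""` for unset strings, which satisfies the CRD `required` list even when no HSM is configured (and would fail the enum once that marker is fixed). Making the field `PKCS11 *BarbicanPKCS11Template` with `omitempty`, so the object is absent unless an HSM is actually configured, is the usual way to give these Required markers their intended meaning; the `out.PKCS11 = in.PKCS11` lines in the deepcopy hunks would then need regenerating. `HSMCertificatesSecret` and `HSMCertificatesMountPoint` are independently optional but only make sense together; at minimum the comments should say so, e.g. `// The OpenShift secret that stores the HSM certificates. Must be set together with hsmCertificatesMountPoint.`, or a `// +kubebuilder:validation:XValidation` rule on the struct could enforce it. The key inside the login and certificate Secrets that the controller reads is not documented on either field; naming it here would spare users reading the controller code.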
diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go index 3ef3e199..0c11a475 100644 --- a/api/v1beta1/zz_generated.deepcopy.go +++ b/api/v1beta1/zz_generated.deepcopy.go @@ -140,12 +140,6 @@ func (in *BarbicanAPISpec) DeepCopyInto(out *BarbicanAPISpec) { *out = *in out.BarbicanTemplate = in.BarbicanTemplate in.BarbicanAPITemplate.DeepCopyInto(&out.BarbicanAPITemplate) - in.PKCS11.DeepCopyInto(&out.PKCS11) - if in.EnabledSecretStores != nil { - in, out := &in.EnabledSecretStores, &out.EnabledSecretStores - *out = make([]SecretStore, len(*in)) - copy(*out, *in) - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BarbicanAPISpec. @@ -231,6 +225,12 @@ func (in *BarbicanAPITemplateCore) DeepCopyInto(out *BarbicanAPITemplateCore) { in.BarbicanComponentTemplate.DeepCopyInto(&out.BarbicanComponentTemplate) in.Override.DeepCopyInto(&out.Override) in.TLS.DeepCopyInto(&out.TLS) + out.PKCS11 = in.PKCS11 + if in.EnabledSecretStores != nil { + in, out := &in.EnabledSecretStores, &out.EnabledSecretStores + *out = make([]SecretStore, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BarbicanAPITemplateCore. @@ -366,7 +366,7 @@ func (in *BarbicanKeystoneListenerList) DeepCopyObject() runtime.Object { func (in *BarbicanKeystoneListenerSpec) DeepCopyInto(out *BarbicanKeystoneListenerSpec) { *out = *in out.BarbicanTemplate = in.BarbicanTemplate - in.PKCS11.DeepCopyInto(&out.PKCS11) + out.PKCS11 = in.PKCS11 if in.EnabledSecretStores != nil { in, out := &in.EnabledSecretStores, &out.EnabledSecretStores *out = make([]SecretStore, len(*in)) 
@@ -497,13 +497,6 @@ func (in *BarbicanList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BarbicanPKCS11Template) DeepCopyInto(out *BarbicanPKCS11Template) { *out = *in - if in.HSMCertificates != nil { - in, out := &in.HSMCertificates, &out.HSMCertificates - *out = make(map[string]string, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BarbicanPKCS11Template. @@ -523,12 +516,6 @@ func (in *BarbicanSpec) DeepCopyInto(out *BarbicanSpec) { in.BarbicanAPI.DeepCopyInto(&out.BarbicanAPI) in.BarbicanWorker.DeepCopyInto(&out.BarbicanWorker) in.BarbicanKeystoneListener.DeepCopyInto(&out.BarbicanKeystoneListener) - in.PKCS11.DeepCopyInto(&out.PKCS11) - if in.EnabledSecretStores != nil { - in, out := &in.EnabledSecretStores, &out.EnabledSecretStores - *out = make([]SecretStore, len(*in)) - copy(*out, *in) - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BarbicanSpec. @@ -699,12 +686,6 @@ func (in *BarbicanWorkerSpec) DeepCopyInto(out *BarbicanWorkerSpec) { *out = *in out.BarbicanTemplate = in.BarbicanTemplate in.BarbicanWorkerTemplate.DeepCopyInto(&out.BarbicanWorkerTemplate) - in.PKCS11.DeepCopyInto(&out.PKCS11) - if in.EnabledSecretStores != nil { - in, out := &in.EnabledSecretStores, &out.EnabledSecretStores - *out = make([]SecretStore, len(*in)) - copy(*out, *in) - } out.TLS = in.TLS } 
@@ -782,6 +763,12 @@ func (in *BarbicanWorkerTemplate) DeepCopy() *BarbicanWorkerTemplate { func (in *BarbicanWorkerTemplateCore) DeepCopyInto(out *BarbicanWorkerTemplateCore) { *out = *in in.BarbicanComponentTemplate.DeepCopyInto(&out.BarbicanComponentTemplate) + out.PKCS11 = in.PKCS11 + if in.EnabledSecretStores != nil { + in, out := &in.EnabledSecretStores, &out.EnabledSecretStores + *out = make([]SecretStore, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BarbicanWorkerTemplateCore. diff --git a/config/crd/bases/barbican.openstack.org_barbicanapis.yaml b/config/crd/bases/barbican.openstack.org_barbicanapis.yaml index 6d4e6d05..3280a040 100644 --- a/config/crd/bases/barbican.openstack.org_barbicanapis.yaml +++ b/config/crd/bases/barbican.openstack.org_barbicanapis.yaml @@ -300,13 +300,13 @@ spec: pkcs11: description: BarbicanPKCS11Template - Includes all common HSM properties properties: - hsmCertificates: - additionalProperties: - type: string - description: 'The HSM certificates. The map''s key is the OpenShift - secret storing the certificate, and the value is the mounting - point (e.g., "luna-certificates": "/usr/local/luna/config/certs").' - type: object + hsmCertificatesMountPoint: + description: The mounting point where the certificates will be + copied to (e.g., /usr/local/luna/config/certs). + type: string + hsmCertificatesSecret: + description: The OpenShift secret that stores the HSM certificates. + type: string hsmClientAddress: description: The IP address of the client connecting to the HSM (X.Y.Z.K) @@ -331,9 +331,9 @@ spec: maximum: 7 minimum: 0 type: integer - hsmLogin: - description: OpenShift secret storing the password to login to - PKCS11 session + hsmLoginSecret: + description: OpenShift secret that stores the password to login + to the PKCS11 session type: string hsmMKEKLabel: description: Label to identify master KEK in the HSM (must not 
@@ -344,16 +344,14 @@ spec: description: Length in bytes of master KEK type: integer hsmSlotId: - default: 1 description: HSM Slot ID that contains the token device to be used - type: integer + type: string hsmTokenLabel: description: Token label used to identify the token to be used. Required when token_serial_number is not specified. type: string hsmTokenSerialNumber: - default: "12345678" description: Token serial number used to identify the token to be used. Required when the device has multiple tokens with the same label. @@ -362,6 +360,13 @@ spec: description: 'A string containing the HSM type (currently supported: "trustway", "luna", "ncipher").' type: string + required: + - hsmHMACLabel + - hsmIpAddress + - hsmLibraryPath + - hsmLoginSecret + - hsmMKEKLabel + - hsmType type: object rabbitMqClusterName: default: rabbitmq diff --git a/config/crd/bases/barbican.openstack.org_barbicankeystonelisteners.yaml b/config/crd/bases/barbican.openstack.org_barbicankeystonelisteners.yaml index 483d8863..2dfd99e9 100644 --- a/config/crd/bases/barbican.openstack.org_barbicankeystonelisteners.yaml +++ b/config/crd/bases/barbican.openstack.org_barbicankeystonelisteners.yaml @@ -122,13 +122,13 @@ spec: pkcs11: description: BarbicanPKCS11Template - Includes all common HSM properties properties: - hsmCertificates: - additionalProperties: - type: string - description: 'The HSM certificates. The map''s key is the OpenShift - secret storing the certificate, and the value is the mounting - point (e.g., "luna-certificates": "/usr/local/luna/config/certs").' - type: object + hsmCertificatesMountPoint: + description: The mounting point where the certificates will be + copied to (e.g., /usr/local/luna/config/certs). + type: string + hsmCertificatesSecret: + description: The OpenShift secret that stores the HSM certificates. + type: string hsmClientAddress: description: The IP address of the client connecting to the HSM (X.Y.Z.K) 
@@ -153,9 +153,9 @@ spec: maximum: 7 minimum: 0 type: integer - hsmLogin: - description: OpenShift secret storing the password to login to - PKCS11 session + hsmLoginSecret: + description: OpenShift secret that stores the password to login + to the PKCS11 session type: string hsmMKEKLabel: description: Label to identify master KEK in the HSM (must not @@ -166,16 +166,14 @@ spec: description: Length in bytes of master KEK type: integer hsmSlotId: - default: 1 description: HSM Slot ID that contains the token device to be used - type: integer + type: string hsmTokenLabel: description: Token label used to identify the token to be used. Required when token_serial_number is not specified. type: string hsmTokenSerialNumber: - default: "12345678" description: Token serial number used to identify the token to be used. Required when the device has multiple tokens with the same label. @@ -184,6 +182,13 @@ spec: description: 'A string containing the HSM type (currently supported: "trustway", "luna", "ncipher").' type: string + required: + - hsmHMACLabel + - hsmIpAddress + - hsmLibraryPath + - hsmLoginSecret + - hsmMKEKLabel + - hsmType type: object rabbitMqClusterName: default: rabbitmq diff --git a/config/crd/bases/barbican.openstack.org_barbicans.yaml b/config/crd/bases/barbican.openstack.org_barbicans.yaml index 03416230..7ffbaf7a 100644 --- a/config/crd/bases/barbican.openstack.org_barbicans.yaml +++ b/config/crd/bases/barbican.openstack.org_barbicans.yaml 
@@ -72,6 +72,20 @@ spec: description: EnableSecureRBAC - Enable Consistent and Secure RBAC policies type: boolean + enabledSecretStores: + items: + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string + maxItems: 2 + minItems: 1 + type: array + globalDefaultSecretStore: + default: simple_crypto + type: string networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network 
@@ -267,6 +281,78 @@ spec: type (public, internal) type: object type: object + pkcs11: + description: BarbicanPKCS11Template - Includes all common HSM + properties + properties: + hsmCertificatesMountPoint: + description: The mounting point where the certificates will + be copied to (e.g., /usr/local/luna/config/certs). + type: string + hsmCertificatesSecret: + description: The OpenShift secret that stores the HSM certificates. + type: string + hsmClientAddress: + description: The IP address of the client connecting to the + HSM (X.Y.Z.K) + type: string + hsmEnabled: + default: false + type: boolean + hsmHMACLabel: + description: Label to identify HMAC key in the HSM (must not + be the same as MKEK label) + type: string + hsmIpAddress: + description: The HSM's IPv4 address (X.Y.Z.K) + type: string + hsmLibraryPath: + description: Path to vendor's PKCS11 library + type: string + hsmLoggingLevel: + default: 4 + description: Level of logging, where 0 means "no logging" + and 7 means "debug". + maximum: 7 + minimum: 0 + type: integer + hsmLoginSecret: + description: OpenShift secret that stores the password to + login to the PKCS11 session + type: string + hsmMKEKLabel: + description: Label to identify master KEK in the HSM (must + not be the same as HMAC label) + type: string + hsmMKEKLength: + default: 32 + description: Length in bytes of master KEK + type: integer + hsmSlotId: + description: HSM Slot ID that contains the token device to + be used + type: string + hsmTokenLabel: + description: Token label used to identify the token to be + used. Required when token_serial_number is not specified. + type: string + hsmTokenSerialNumber: + description: Token serial number used to identify the token + to be used. Required when the device has multiple tokens + with the same label. + type: string + hsmType: + description: 'A string containing the HSM type (currently + supported: "trustway", "luna", "ncipher").' 
+ type: string + required: + - hsmHMACLabel + - hsmIpAddress + - hsmLibraryPath + - hsmLoginSecret + - hsmMKEKLabel + - hsmType + type: object replicas: default: 1 description: Replicas of Barbican API to run @@ -494,6 +580,20 @@ spec: add additional files. Those get added to the service config dir in /etc/ . TODO: -> implement' type: object + enabledSecretStores: + items: + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string + maxItems: 2 + minItems: 1 + type: array + globalDefaultSecretStore: + default: simple_crypto + type: string networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network 
@@ -507,6 +607,78 @@ spec: this component. Setting here overrides any global NodeSelector settings within the Barbican CR. type: object + pkcs11: + description: BarbicanPKCS11Template - Includes all common HSM + properties + properties: + hsmCertificatesMountPoint: + description: The mounting point where the certificates will + be copied to (e.g., /usr/local/luna/config/certs). + type: string + hsmCertificatesSecret: + description: The OpenShift secret that stores the HSM certificates. + type: string + hsmClientAddress: + description: The IP address of the client connecting to the + HSM (X.Y.Z.K) + type: string + hsmEnabled: + default: false + type: boolean + hsmHMACLabel: + description: Label to identify HMAC key in the HSM (must not + be the same as MKEK label) + type: string + hsmIpAddress: + description: The HSM's IPv4 address (X.Y.Z.K) + type: string + hsmLibraryPath: + description: Path to vendor's PKCS11 library + type: string + hsmLoggingLevel: + default: 4 + description: Level of logging, where 0 means "no logging" + and 7 means "debug". + maximum: 7 + minimum: 0 + type: integer + hsmLoginSecret: + description: OpenShift secret that stores the password to + login to the PKCS11 session + type: string + hsmMKEKLabel: + description: Label to identify master KEK in the HSM (must + not be the same as HMAC label) + type: string + hsmMKEKLength: + default: 32 + description: Length in bytes of master KEK + type: integer + hsmSlotId: + description: HSM Slot ID that contains the token device to + be used + type: string + hsmTokenLabel: + description: Token label used to identify the token to be + used. Required when token_serial_number is not specified. + type: string + hsmTokenSerialNumber: + description: Token serial number used to identify the token + to be used. Required when the device has multiple tokens + with the same label. + type: string + hsmType: + description: 'A string containing the HSM type (currently + supported: "trustway", "luna", "ncipher").' 
+ type: string + required: + - hsmHMACLabel + - hsmIpAddress + - hsmLibraryPath + - hsmLoginSecret + - hsmMKEKLabel + - hsmType + type: object replicas: default: 1 description: Replicas of Barbican API to run @@ -592,20 +764,6 @@ spec: to add additional files. Those get added to the service config dir in /etc/ . TODO(dmendiza): -> implement' type: object - enabledSecretStores: - items: - description: This SecretStore type is used by the EnabledSecretStores - variable inside the specification. - enum: - - simple_crypto - - pkcs11 - type: string - maxItems: 2 - minItems: 1 - type: array - globalDefaultSecretStore: - default: simple_crypto - type: string nodeSelector: additionalProperties: type: string 
@@ -629,72 +787,6 @@ spec: default: SimpleCryptoKEK type: string type: object - pkcs11: - description: BarbicanPKCS11Template - Includes all common HSM properties - properties: - hsmCertificates: - additionalProperties: - type: string - description: 'The HSM certificates. The map''s key is the OpenShift - secret storing the certificate, and the value is the mounting - point (e.g., "luna-certificates": "/usr/local/luna/config/certs").' - type: object - hsmClientAddress: - description: The IP address of the client connecting to the HSM - (X.Y.Z.K) - type: string - hsmEnabled: - default: false - type: boolean - hsmHMACLabel: - description: Label to identify HMAC key in the HSM (must not be - the same as MKEK label) - type: string - hsmIpAddress: - description: The HSM's IPv4 address (X.Y.Z.K) - type: string - hsmLibraryPath: - description: Path to vendor's PKCS11 library - type: string - hsmLoggingLevel: - default: 4 - description: Level of logging, where 0 means "no logging" and - 7 means "debug". - maximum: 7 - minimum: 0 - type: integer - hsmLogin: - description: OpenShift secret storing the password to login to - PKCS11 session - type: string - hsmMKEKLabel: - description: Label to identify master KEK in the HSM (must not - be the same as HMAC label) - type: string - hsmMKEKLength: - default: 32 - description: Length in bytes of master KEK - type: integer - hsmSlotId: - default: 1 - description: HSM Slot ID that contains the token device to be - used - type: integer - hsmTokenLabel: - description: Token label used to identify the token to be used. - Required when token_serial_number is not specified. - type: string - hsmTokenSerialNumber: - default: "12345678" - description: Token serial number used to identify the token to - be used. Required when the device has multiple tokens with the - same label. - type: string - hsmType: - description: 'A string containing the HSM type (currently supported: - "trustway", "luna", "ncipher").' 
- type: string - type: object preserveJobs: default: false description: PreserveJobs - do not delete jobs after they finished diff --git a/config/crd/bases/barbican.openstack.org_barbicanworkers.yaml b/config/crd/bases/barbican.openstack.org_barbicanworkers.yaml index 1c34bc87..d8190e2f 100644 --- a/config/crd/bases/barbican.openstack.org_barbicanworkers.yaml +++ b/config/crd/bases/barbican.openstack.org_barbicanworkers.yaml @@ -120,13 +120,13 @@ spec: pkcs11: description: BarbicanPKCS11Template - Includes all common HSM properties properties: - hsmCertificates: - additionalProperties: - type: string - description: 'The HSM certificates. The map''s key is the OpenShift - secret storing the certificate, and the value is the mounting - point (e.g., "luna-certificates": "/usr/local/luna/config/certs").' - type: object + hsmCertificatesMountPoint: + description: The mounting point where the certificates will be + copied to (e.g., /usr/local/luna/config/certs). + type: string + hsmCertificatesSecret: + description: The OpenShift secret that stores the HSM certificates. + type: string hsmClientAddress: description: The IP address of the client connecting to the HSM (X.Y.Z.K) @@ -151,9 +151,9 @@ spec: maximum: 7 minimum: 0 type: integer - hsmLogin: - description: OpenShift secret storing the password to login to - PKCS11 session + hsmLoginSecret: + description: OpenShift secret that stores the password to login + to the PKCS11 session type: string hsmMKEKLabel: description: Label to identify master KEK in the HSM (must not 
@@ -164,16 +164,14 @@ spec: description: Length in bytes of master KEK type: integer hsmSlotId: - default: 1 description: HSM Slot ID that contains the token device to be used - type: integer + type: string hsmTokenLabel: description: Token label used to identify the token to be used. Required when token_serial_number is not specified. type: string hsmTokenSerialNumber: - default: "12345678" description: Token serial number used to identify the token to be used. Required when the device has multiple tokens with the same label. @@ -182,6 +180,13 @@ spec: description: 'A string containing the HSM type (currently supported: "trustway", "luna", "ncipher").' type: string + required: + - hsmHMACLabel + - hsmIpAddress + - hsmLibraryPath + - hsmLoginSecret + - hsmMKEKLabel + - hsmType type: object rabbitMqClusterName: default: rabbitmq diff --git a/config/samples/pods_with_pkcs11-luna.yaml b/config/samples/pods_with_pkcs11-luna.yaml new file mode 100644 index 00000000..8ef485c8 --- /dev/null +++ b/config/samples/pods_with_pkcs11-luna.yaml 
@@ -0,0 +1,66 @@ +apiVersion: barbican.openstack.org/v1beta1 +kind: Barbican +metadata: + labels: + app.kubernetes.io/name: barbican + app.kubernetes.io/instance: barbican + app.kubernetes.io/part-of: barbican-operator + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/created-by: barbican-operator + name: barbican +spec: + serviceAccount: barbican + serviceUser: barbican + databaseInstance: openstack + databaseAccount: barbican + rabbitMqCusterName: barbican_rabbit + secret: osp-secret + passwordSelectors: + database: BarbicanDatabasePassword + service: BarbicanPassword + simplecryptokek: BarbicanSimpleCryptoKEK + preserveJobs: true + customServiceConfig: | + [DEFAULT] + debug = True + barbicanAPI: + globalDefaultSecretStore: pkcs11 + enabledSecretStores: + - pkcs11 + pkcs11: + hsmType: luna + hsmLibraryPath: /usr/local/luna/libs/64/libCryptoki2.so + hsmTokenSerialNumber: "12345" + hsmMKEKLabel: my_mkek_label + hsmHMACLabel: my_hmac_label + hsmIpAddress: 10.1.184.213 + hsmClientAddress: 10.0.108.117 + hsmLoginSecret: luna-login + hsmCertificatesSecret: luna-certs + hsmCertificatesMountPoint: /usr/local/luna/config/certs + #containerImage: quay.io/podified-antelope-centos9/openstack-barbican-api@sha256:61a372007883bb868554b04d998edf6958e7ab49fc32bdafd4717fe498f5f60e + containerImage: quay.io/dmendiza/openstack-barbican-api:luna-client + passwordSelectors: + database: BarbicanDatabasePassword + service: BarbicanPassword + replicas: 1 + barbicanWorker: + globalDefaultSecretStore: pkcs11 + enabledSecretStores: + - pkcs11 + pkcs11: + hsmType: luna + hsmLibraryPath: /usr/local/luna/libs/64/libCryptoki2.so + hsmTokenSerialNumber: "12345" + hsmMKEKLabel: my_mkek_label + hsmHMACLabel: my_hmac_label + hsmIpAddress: 10.1.184.213 + hsmClientAddress: 10.0.108.117 + hsmLoginSecret: luna-login + hsmCertificatesSecret: luna-certs + hsmCertificatesMountPoint: /usr/local/luna/config/certs + containerImage: 
quay.io/podified-antelope-centos9/openstack-barbican-worker@sha256:50960022b059e52805eb5dd0204f7867c0ce71ec8cff672f4e965afdae23bf93 + replicas: 1 + barbicanKeystoneListener: + containerImage: quay.io/podified-antelope-centos9/openstack-barbican-keystone-listener@sha256:9a5deaf4a7db671dab48aface9d426b8fc1ae7cb20d3be64c9c7bf90241fb65c + replicas: 1 diff --git a/controllers/barbican_controller.go b/controllers/barbican_controller.go index e8e4a291..23c70ae3 100644 --- a/controllers/barbican_controller.go +++ b/controllers/barbican_controller.go @@ -628,18 +628,18 @@ func (r *BarbicanReconciler) generateServiceConfig( databaseSecret := db.GetSecret() enabledSecretStores := []string{} - if len(instance.Spec.EnabledSecretStores) == 0 { + if len(instance.Spec.BarbicanAPI.EnabledSecretStores) == 0 { enabledSecretStores = []string{"simple_crypto"} } else { - for _, value := range instance.Spec.EnabledSecretStores { + for _, value := range instance.Spec.BarbicanAPI.EnabledSecretStores { enabledSecretStores = append(enabledSecretStores, string(value)) } } globalDefaultSecretStore := "" - if len(instance.Spec.GlobalDefaultSecretStore) == 0 { + if len(instance.Spec.BarbicanAPI.GlobalDefaultSecretStore) == 0 { globalDefaultSecretStore = "simple_crypto" } else { - globalDefaultSecretStore = instance.Spec.GlobalDefaultSecretStore + globalDefaultSecretStore = instance.Spec.BarbicanAPI.GlobalDefaultSecretStore } templateParameters := map[string]interface{}{ 
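Review bot: `rabbitMqCusterName: barbican_rabbit` in the new sample misspells the field — the CRD schemas in this patch spell it `rabbitMqClusterName` — so the API server prunes or rejects it and the default `rabbitmq` is used instead; change it to `rabbitMqClusterName: barbican_rabbit`. The sample also ships a personal image override (`containerImage: quay.io/dmendiza/openstack-barbican-api:luna-client`, with the project image left commented out) and concrete HSM/client addresses; a committed sample reads better with the project image restored and obviously-placeholder addresses so a copy-paste deployment does not pull a non-release image.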
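Review bot: generateServiceConfig now derives `enabledSecretStores` and `globalDefaultSecretStore` only from `instance.Spec.BarbicanAPI`, while the barbicans.yaml hunks add the same two fields to a second component template as well (the new sample sets them under both `barbicanAPI` and `barbicanWorker`). If the two templates disagree, the config rendered here silently follows the API template; either document on the type that the API template is authoritative for the shared config, or compare the two and surface a condition when they differ. generateServiceConfig starts and ends outside the hunk.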
@@ -664,20 +664,30 @@ func (r *BarbicanReconciler) generateServiceConfig( // Checking if there's an HSM. if slices.Contains(enabledSecretStores, "pkcs11") { - pkcs11 := instance.Spec.PKCS11 - hsmLoginSecret, _, err := oko_secret.GetSecret(ctx, h, pkcs11.HSMLogin, instance.Namespace) + pkcs11 := instance.Spec.BarbicanAPI.PKCS11 + hsmLoginSecret, _, err := oko_secret.GetSecret(ctx, h, pkcs11.HSMLoginSecret, instance.Namespace) if err != nil { return err } + if len(pkcs11.HSMTokenSerialNumber) == 0 && len(pkcs11.HSMTokenLabel) == 0 && len(pkcs11.HSMSlotId) == 0 { + Log.Info("Fail to deploy! At least one of the following parameters must be specified:") + Log.Info("Token Serial Number, Token Label, Slot ID") + return nil + } + if len(pkcs11.HSMTokenSerialNumber) > 0 { + templateParameters["HSMTokenSerialNumber"] = pkcs11.HSMTokenSerialNumber + } else if len(pkcs11.HSMTokenLabel) > 0 { + templateParameters["HSMTokenLabel"] = pkcs11.HSMTokenLabel + } else if len(pkcs11.HSMSlotId) > 0 { + templateParameters["HSMSlotId"] = pkcs11.HSMSlotId + } + instance.Spec.BarbicanAPI.PKCS11.HSMEnabled = true templateParameters["HSMEnabled"] = true templateParameters["HSMLibraryPath"] = pkcs11.HSMLibraryPath - templateParameters["HSMTokenSerialNumber"] = pkcs11.HSMTokenSerialNumber - templateParameters["HSMTokenLabel"] = pkcs11.HSMTokenLabel templateParameters["HSMLogin"] = string(hsmLoginSecret.Data["hsmLogin"]) templateParameters["HSMMKEKLabel"] = pkcs11.HSMMKEKLabel templateParameters["HSMMKEKLength"] = pkcs11.HSMMKEKLength templateParameters["HSMHMACLabel"] = pkcs11.HSMHMACLabel - templateParameters["HSMSlotId"] = pkcs11.HSMSlotId templateParameters["HSMLoggingLevel"] = pkcs11.HSMLoggingLevel templateParameters["HSMIPAddress"] = pkcs11.HSMIPAddress templateParameters["HSMClientAddress"] = pkcs11.HSMClientAddress diff --git a/controllers/barbicanapi_controller.go b/controllers/barbicanapi_controller.go index 89b3617e..742e515e 100644 --- a/controllers/barbicanapi_controller.go 
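Review bot: The new guard requiring one of token serial number, token label or slot id logs two `Log.Info` lines and then `return nil`, so a misconfigured HSM is reported as success — reconcile proceeds, `HSMEnabled` never reaches the template parameters, and a config with `pkcs11` in `stores_lookup_suffix` but no `[secretstore:pkcs11]` section is written. Return an error carrying the three field names (a `fmt.Errorf` if `fmt` is imported here) so the caller can set a condition, or enforce the rule in the CRD with an `x-kubernetes-validations` rule, since the generated `required` lists in this patch do not cover these fields. Only one of the three keys is now placed in `templateParameters`, but 00-default.conf still renders `token_serial_number = {{ .HSMTokenSerialNumber }}` unconditionally, and a missing key in a `map[string]interface{}` renders as `<no value>` under Go's default template options, so the template needs matching `{{- if (index . "HSMTokenSerialNumber") }}` guards. `instance.Spec.BarbicanAPI.PKCS11.HSMEnabled = true` mutates the spec in memory from inside config generation and pkg/barbicanapi/deployment.go keys the certificate mount on that field; add a comment such as `// Set in-memory only: Deployment() reads HSMEnabled to decide whether to mount the HSM certificate secret.` so the coupling is explicit. The same pattern repeats in barbicanapi_controller.go, barbicankeystonelistener_controller.go and barbicanworker_controller.go.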
+++ b/controllers/barbicanapi_controller.go @@ -349,19 +349,29 @@ func (r *BarbicanAPIReconciler) generateServiceConfigs( // Checking if there's an HSM. if slices.Contains(enabledSecretStores, "pkcs11") { pkcs11 := instance.Spec.PKCS11 - hsmLoginSecret, _, err := secret.GetSecret(ctx, h, pkcs11.HSMLogin, instance.Namespace) + hsmLoginSecret, _, err := secret.GetSecret(ctx, h, pkcs11.HSMLoginSecret, instance.Namespace) if err != nil { return err } + if len(pkcs11.HSMTokenSerialNumber) == 0 && len(pkcs11.HSMTokenLabel) == 0 && len(pkcs11.HSMSlotId) == 0 { + Log.Info("Fail to deploy! At least one of the following parameters must be specified:") + Log.Info("Token Serial Number, Token Label, Slot ID") + return nil + } + if len(pkcs11.HSMTokenSerialNumber) > 0 { + templateParameters["HSMTokenSerialNumber"] = pkcs11.HSMTokenSerialNumber + } else if len(pkcs11.HSMTokenLabel) > 0 { + templateParameters["HSMTokenLabel"] = pkcs11.HSMTokenLabel + } else if len(pkcs11.HSMSlotId) > 0 { + templateParameters["HSMSlotId"] = pkcs11.HSMSlotId + } + instance.Spec.PKCS11.HSMEnabled = true templateParameters["HSMEnabled"] = true templateParameters["HSMLibraryPath"] = pkcs11.HSMLibraryPath - templateParameters["HSMTokenSerialNumber"] = pkcs11.HSMTokenSerialNumber - templateParameters["HSMTokenLabel"] = pkcs11.HSMTokenLabel templateParameters["HSMLogin"] = string(hsmLoginSecret.Data["hsmLogin"]) templateParameters["HSMMKEKLabel"] = pkcs11.HSMMKEKLabel templateParameters["HSMMKEKLength"] = pkcs11.HSMMKEKLength templateParameters["HSMHMACLabel"] = pkcs11.HSMHMACLabel - templateParameters["HSMSlotId"] = pkcs11.HSMSlotId templateParameters["HSMLoggingLevel"] = pkcs11.HSMLoggingLevel templateParameters["HSMIPAddress"] = pkcs11.HSMIPAddress templateParameters["HSMClientAddress"] = pkcs11.HSMClientAddress diff --git a/controllers/barbicankeystonelistener_controller.go b/controllers/barbicankeystonelistener_controller.go index 2bbaff3a..164913fa 100644 
--- a/controllers/barbicankeystonelistener_controller.go +++ b/controllers/barbicankeystonelistener_controller.go @@ -319,19 +319,29 @@ func (r *BarbicanKeystoneListenerReconciler) generateServiceConfigs( // Checking if there's an HSM. if slices.Contains(enabledSecretStores, "pkcs11") { pkcs11 := instance.Spec.PKCS11 - hsmLoginSecret, _, err := secret.GetSecret(ctx, h, pkcs11.HSMLogin, instance.Namespace) + hsmLoginSecret, _, err := secret.GetSecret(ctx, h, pkcs11.HSMLoginSecret, instance.Namespace) if err != nil { return err } + if len(pkcs11.HSMTokenSerialNumber) == 0 && len(pkcs11.HSMTokenLabel) == 0 && len(pkcs11.HSMSlotId) == 0 { + Log.Info("Fail to deploy! At least one of the following parameters must be specified:") + Log.Info("Token Serial Number, Token Label, Slot ID") + return nil + } + if len(pkcs11.HSMTokenSerialNumber) > 0 { + templateParameters["HSMTokenSerialNumber"] = pkcs11.HSMTokenSerialNumber + } else if len(pkcs11.HSMTokenLabel) > 0 { + templateParameters["HSMTokenLabel"] = pkcs11.HSMTokenLabel + } else if len(pkcs11.HSMSlotId) > 0 { + templateParameters["HSMSlotId"] = pkcs11.HSMSlotId + } + instance.Spec.PKCS11.HSMEnabled = true templateParameters["HSMEnabled"] = true templateParameters["HSMLibraryPath"] = pkcs11.HSMLibraryPath - templateParameters["HSMTokenSerialNumber"] = pkcs11.HSMTokenSerialNumber - templateParameters["HSMTokenLabel"] = pkcs11.HSMTokenLabel templateParameters["HSMLogin"] = string(hsmLoginSecret.Data["hsmLogin"]) templateParameters["HSMMKEKLabel"] = pkcs11.HSMMKEKLabel templateParameters["HSMMKEKLength"] = pkcs11.HSMMKEKLength templateParameters["HSMHMACLabel"] = pkcs11.HSMHMACLabel - templateParameters["HSMSlotId"] = pkcs11.HSMSlotId templateParameters["HSMLoggingLevel"] = pkcs11.HSMLoggingLevel templateParameters["HSMIPAddress"] = pkcs11.HSMIPAddress templateParameters["HSMClientAddress"] = pkcs11.HSMClientAddress 
diff --git a/controllers/barbicanworker_controller.go b/controllers/barbicanworker_controller.go index 266a095c..a30a04e7 100644 --- a/controllers/barbicanworker_controller.go +++ b/controllers/barbicanworker_controller.go @@ -301,19 +301,29 @@ func (r *BarbicanWorkerReconciler) generateServiceConfigs( // Checking if there's an HSM. if slices.Contains(enabledSecretStores, "pkcs11") { pkcs11 := instance.Spec.PKCS11 - hsmLoginSecret, _, err := secret.GetSecret(ctx, h, pkcs11.HSMLogin, instance.Namespace) + hsmLoginSecret, _, err := secret.GetSecret(ctx, h, pkcs11.HSMLoginSecret, instance.Namespace) if err != nil { return err } + if len(pkcs11.HSMTokenSerialNumber) == 0 && len(pkcs11.HSMTokenLabel) == 0 && len(pkcs11.HSMSlotId) == 0 { + Log.Info("Fail to deploy! At least one of the following parameters must be specified:") + Log.Info("Token Serial Number, Token Label, Slot ID") + return nil + } + if len(pkcs11.HSMTokenSerialNumber) > 0 { + templateParameters["HSMTokenSerialNumber"] = pkcs11.HSMTokenSerialNumber + } else if len(pkcs11.HSMTokenLabel) > 0 { + templateParameters["HSMTokenLabel"] = pkcs11.HSMTokenLabel + } else if len(pkcs11.HSMSlotId) > 0 { + templateParameters["HSMSlotId"] = pkcs11.HSMSlotId + } + instance.Spec.PKCS11.HSMEnabled = true templateParameters["HSMEnabled"] = true templateParameters["HSMLibraryPath"] = pkcs11.HSMLibraryPath - templateParameters["HSMTokenSerialNumber"] = pkcs11.HSMTokenSerialNumber - templateParameters["HSMTokenLabel"] = pkcs11.HSMTokenLabel templateParameters["HSMLogin"] = string(hsmLoginSecret.Data["hsmLogin"]) templateParameters["HSMMKEKLabel"] = pkcs11.HSMMKEKLabel templateParameters["HSMMKEKLength"] = pkcs11.HSMMKEKLength templateParameters["HSMHMACLabel"] = pkcs11.HSMHMACLabel - templateParameters["HSMSlotId"] = pkcs11.HSMSlotId templateParameters["HSMLoggingLevel"] = pkcs11.HSMLoggingLevel templateParameters["HSMIPAddress"] = pkcs11.HSMIPAddress templateParameters["HSMClientAddress"] = pkcs11.HSMClientAddress 
diff --git a/pkg/barbicanapi/deployment.go b/pkg/barbicanapi/deployment.go index 5ca4f070..29227873 100644 --- a/pkg/barbicanapi/deployment.go +++ b/pkg/barbicanapi/deployment.go @@ -2,11 +2,11 @@ package barbicanapi import ( "fmt" + "strings" "github.com/openstack-k8s-operators/lib-common/modules/common/env" "github.com/openstack-k8s-operators/lib-common/modules/common/service" "github.com/openstack-k8s-operators/lib-common/modules/common/tls" - maps "golang.org/x/exp/maps" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -113,18 +113,18 @@ func Deployment( // Considering the existence of an HSM. if instance.Spec.PKCS11.HSMEnabled { - if instance.Spec.PKCS11.HSMType == "luna" { + if strings.ToLower(instance.Spec.PKCS11.HSMType) == "luna" { hsmVolume := corev1.Volume{ Name: "hsm-luna-certificates", VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ DefaultMode: &config0644AccessMode, - SecretName: maps.Keys(instance.Spec.PKCS11.HSMCertificates)[0], + SecretName: instance.Spec.PKCS11.HSMCertificatesSecret, }, }, } apiVolumes = append(apiVolumes, hsmVolume) - hsmMountPath := maps.Values(instance.Spec.PKCS11.HSMCertificates)[0] + hsmMountPath := instance.Spec.PKCS11.HSMCertificatesMountPoint if string(hsmMountPath[len(hsmMountPath)-1]) != "/" { hsmMountPath = hsmMountPath + "/" } diff --git a/pkg/barbicanworker/deployment.go b/pkg/barbicanworker/deployment.go index ce14edc6..50f34bb2 100644 --- a/pkg/barbicanworker/deployment.go +++ b/pkg/barbicanworker/deployment.go @@ -2,9 +2,9 @@ package barbicanworker import ( "fmt" + "strings" "github.com/openstack-k8s-operators/lib-common/modules/common/env" - maps "golang.org/x/exp/maps" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
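Review bot: `hsmMountPath[len(hsmMountPath)-1]` panics with an index out of range when `HSMCertificatesMountPoint` is empty, and the CRD hunks in this patch list neither `hsmCertificatesMountPoint` nor `hsmCertificatesSecret` as required, so a `luna` spec that omits them crashes the reconciler instead of failing the CR. Since `strings` is now imported, replace the byte test with `if !strings.HasSuffix(hsmMountPath, "/") { hsmMountPath += "/" }`, and skip or reject the mount when either field is empty rather than building a volume with an empty `SecretName`. The same indexing survives in pkg/barbicanworker/deployment.go. Deployment starts and ends outside the hunk.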
@@ -89,18 +89,18 @@ func Deployment( // Considering the existence of an HSM. if instance.Spec.PKCS11.HSMEnabled { - if instance.Spec.PKCS11.HSMType == "luna" { + if strings.ToLower(instance.Spec.PKCS11.HSMType) == "luna" { hsmVolume := corev1.Volume{ Name: "hsm-luna-certificates", VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ DefaultMode: &config0644AccessMode, - SecretName: maps.Keys(instance.Spec.PKCS11.HSMCertificates)[0], + SecretName: instance.Spec.PKCS11.HSMCertificatesSecret, }, }, } workerVolumes = append(workerVolumes, hsmVolume) - hsmMountPath := maps.Values(instance.Spec.PKCS11.HSMCertificates)[0] + hsmMountPath := instance.Spec.PKCS11.HSMCertificatesMountPoint if string(hsmMountPath[len(hsmMountPath)-1]) != "/" { hsmMountPath = hsmMountPath + "/" } diff --git a/templates/barbican/config/00-default.conf b/templates/barbican/config/00-default.conf index f7e02e43..ec56c21c 100644 --- a/templates/barbican/config/00-default.conf +++ b/templates/barbican/config/00-default.conf @@ -1,9 +1,9 @@ [DEFAULT] # keep this for backward compatibility sql_connection = {{ .DatabaseConnection }} -{{ if (index . "ServiceURL") }} +{{- if (index . "ServiceURL") }} host_href = {{ .ServiceURL }} -{{ end }} +{{- end }} debug = true transport_url = {{ .TransportURL }} log_file = {{ .LogFile }} @@ -13,7 +13,7 @@ max_retries=-1 db_max_retries=-1 connection={{ .DatabaseConnection }} -{{ if (index . "KeystoneAuthURL") }} +{{- if (index . "KeystoneAuthURL") }} [keystone_authtoken] auth_version = v3 auth_url={{ .KeystoneAuthURL }} @@ -24,7 +24,7 @@ password = {{ .ServicePassword }} project_name=service project_domain_name=Default interface = internal -{{ end }} +{{- end }} [keystone_notifications] enable = true 
@@ -33,11 +33,11 @@ topic = barbican_notifications [oslo_messaging_notifications] driver=messagingv2 -{{ if (index . "EnableSecureRBAC") }} +{{- if (index . "EnableSecureRBAC") }} [oslo_policy] enforce_scope = {{ .EnableSecureRBAC }} enforce_new_defaults = {{ .EnableSecureRBAC }} -{{ end }} +{{- end }} [queue] enable = true @@ -45,28 +45,31 @@ enable = true [secretstore] enable_multiple_secret_stores = true stores_lookup_suffix = {{ .EnabledSecretStores }} - {{ if .SimpleCryptoEnabled }} -[secretstore:software] +[secretstore:simple_crypto] secret_store_plugin = store_crypto crypto_plugin = simple_crypto -{{ end }} -{{ if eq .GlobalDefaultSecretStore "simple_crypto" }} global_default = true {{ end }} +{{ if eq .GlobalDefaultSecretStore "simple_crypto" }} +global_default = true +{{- end }} +test_entry = blah -{{ if .SimpleCryptoEnabled }} [simple_crypto_plugin] plugin_name = Software Only Crypto -{{ end }} -{{ if (index . "SimpleCryptoKEK") }} kek = {{ .SimpleCryptoKEK }} {{ end }} +{{- if (index . "SimpleCryptoKEK") }} +kek = {{ .SimpleCryptoKEK }} +{{- end }} +{{- end }} {{ if and (index . "HSMEnabled") .HSMEnabled }} [secretstore:pkcs11] +plugin_name = PKCS11 secret_store_plugin = store_crypto crypto_plugin = p11_crypto +{{- if eq .GlobalDefaultSecretStore "pkcs11" }} +global_default = true {{ end }} -{{ if eq .GlobalDefaultSecretStore "pkcs11" }} global_default = true {{ end }} -{{ if and (index . "HSMEnabled") .HSMEnabled }} [p11_crypto_plugin] library_path = {{ .HSMLibraryPath }} token_serial_number = {{ .HSMTokenSerialNumber }}