
Barbican support for Thales Luna HSM
Signed-off-by: Mauricio Harley <[email protected]>
Co-authored-by: Ade Lee <[email protected]>
Mauricio Harley and vakwetu committed Nov 5, 2024
1 parent e1b6b7c commit 3cab58f
Showing 22 changed files with 1,221 additions and 14 deletions.
90 changes: 90 additions & 0 deletions api/bases/barbican.openstack.org_barbicanapis.yaml
Expand Up @@ -80,6 +80,25 @@ spec:
description: EnableSecureRBAC - Enable Consistent and Secure RBAC
policies
type: boolean
enabledSecretStores:
items:
description: This SecretStore type is used by the EnabledSecretStores
variable inside the specification.
enum:
- simple_crypto
- pkcs11
type: string
maxItems: 2
minItems: 1
type: array
globalDefaultSecretStore:
default: simple_crypto
description: This SecretStore type is used by the EnabledSecretStores
variable inside the specification.
enum:
- simple_crypto
- pkcs11
type: string
networkAttachments:
description: NetworkAttachments is a list of NetworkAttachment resource
names to expose the services to the given network
Expand Down Expand Up @@ -283,6 +302,77 @@ spec:
default: SimpleCryptoKEK
type: string
type: object
pkcs11:
description: BarbicanPKCS11Template - Includes all common HSM properties
properties:
hsmCertificatesMountPoint:
description: The mounting point where the certificates will be
copied to (e.g., /usr/local/luna/config/certs).
type: string
hsmCertificatesSecret:
description: The OpenShift secret that stores the HSM certificates.
type: string
hsmClientAddress:
description: The IP address of the client connecting to the HSM
(X.Y.Z.K)
type: string
hsmEnabled:
default: false
type: boolean
hsmHMACLabel:
description: Label to identify HMAC key in the HSM (must not be
the same as MKEK label)
type: string
hsmIpAddress:
description: The HSM's IPv4 address (X.Y.Z.K)
type: string
hsmLibraryPath:
description: Path to vendor's PKCS11 library
type: string
hsmLoggingLevel:
default: 4
description: Level of logging, where 0 means "no logging" and
7 means "debug".
maximum: 7
minimum: 0
type: integer
hsmLoginSecret:
description: OpenShift secret that stores the password to login
to the PKCS11 session
type: string
hsmMKEKLabel:
description: Label to identify master KEK in the HSM (must not
be the same as HMAC label)
type: string
hsmMKEKLength:
default: 32
description: Length in bytes of master KEK
type: integer
hsmSlotId:
description: HSM Slot ID that contains the token device to be
used
type: string
hsmTokenLabel:
description: Token label used to identify the token to be used.
Required when token_serial_number is not specified.
type: string
hsmTokenSerialNumber:
description: Token serial number used to identify the token to
be used. Required when the device has multiple tokens with the
same label.
type: string
hsmType:
description: 'A string containing the HSM type (currently supported:
"trustway", "luna", "ncipher").'
type: string
required:
- hsmHMACLabel
- hsmIpAddress
- hsmLibraryPath
- hsmLoginSecret
- hsmMKEKLabel
- hsmType
type: object
rabbitMqClusterName:
default: rabbitmq
description: RabbitMQ instance name Needed to request a transportURL
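Review bot: The pkcs11 schema states constraints in prose that nothing in the generated CRD enforces: hsmHMACLabel and hsmMKEKLabel each say they "must not be the same" as the other, hsmTokenLabel says it is required when hsmTokenSerialNumber is absent, and hsmMKEKLength has a default of 32 but no minimum, so a master KEK length of 0 or 1 byte passes schema validation. Since api/bases looks like controller-gen output, the fix belongs on the Go type rather than in this file, e.g. `// +kubebuilder:validation:XValidation:rule="self.hsmHMACLabel != self.hsmMKEKLabel",message="hsmHMACLabel and hsmMKEKLabel must differ"` and `// +kubebuilder:validation:XValidation:rule="has(self.hsmTokenLabel) || has(self.hsmTokenSerialNumber)",message="one of hsmTokenLabel or hsmTokenSerialNumber is required"` on the PKCS11 template struct, plus a `// +kubebuilder:validation:Minimum=<plugin's lower bound>` marker on hsmMKEKLength (confirm the accepted range against the barbican pkcs11 plugin). The same schema is repeated verbatim in the barbicankeystonelisteners and barbicans sections below and inherits the same gaps. Separately, globalDefaultSecretStore reuses the enabledSecretStores item description, which reads as the SecretStore type's doc comment rather than a description of what the default controls; a field-level comment such as `GlobalDefaultSecretStore - the secret store used when a request does not name one; must also appear in EnabledSecretStores` would be clearer.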
90 changes: 90 additions & 0 deletions api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml
Expand Up @@ -76,6 +76,25 @@ spec:
files. Those get added to the service config dir in /etc/<service>
. TODO: -> implement'
type: object
enabledSecretStores:
items:
description: This SecretStore type is used by the EnabledSecretStores
variable inside the specification.
enum:
- simple_crypto
- pkcs11
type: string
maxItems: 2
minItems: 1
type: array
globalDefaultSecretStore:
default: simple_crypto
description: This SecretStore type is used by the EnabledSecretStores
variable inside the specification.
enum:
- simple_crypto
- pkcs11
type: string
networkAttachments:
description: NetworkAttachments is a list of NetworkAttachment resource
names to expose the services to the given network
Expand Down Expand Up @@ -105,6 +124,77 @@ spec:
default: SimpleCryptoKEK
type: string
type: object
pkcs11:
description: BarbicanPKCS11Template - Includes all common HSM properties
properties:
hsmCertificatesMountPoint:
description: The mounting point where the certificates will be
copied to (e.g., /usr/local/luna/config/certs).
type: string
hsmCertificatesSecret:
description: The OpenShift secret that stores the HSM certificates.
type: string
hsmClientAddress:
description: The IP address of the client connecting to the HSM
(X.Y.Z.K)
type: string
hsmEnabled:
default: false
type: boolean
hsmHMACLabel:
description: Label to identify HMAC key in the HSM (must not be
the same as MKEK label)
type: string
hsmIpAddress:
description: The HSM's IPv4 address (X.Y.Z.K)
type: string
hsmLibraryPath:
description: Path to vendor's PKCS11 library
type: string
hsmLoggingLevel:
default: 4
description: Level of logging, where 0 means "no logging" and
7 means "debug".
maximum: 7
minimum: 0
type: integer
hsmLoginSecret:
description: OpenShift secret that stores the password to login
to the PKCS11 session
type: string
hsmMKEKLabel:
description: Label to identify master KEK in the HSM (must not
be the same as HMAC label)
type: string
hsmMKEKLength:
default: 32
description: Length in bytes of master KEK
type: integer
hsmSlotId:
description: HSM Slot ID that contains the token device to be
used
type: string
hsmTokenLabel:
description: Token label used to identify the token to be used.
Required when token_serial_number is not specified.
type: string
hsmTokenSerialNumber:
description: Token serial number used to identify the token to
be used. Required when the device has multiple tokens with the
same label.
type: string
hsmType:
description: 'A string containing the HSM type (currently supported:
"trustway", "luna", "ncipher").'
type: string
required:
- hsmHMACLabel
- hsmIpAddress
- hsmLibraryPath
- hsmLoginSecret
- hsmMKEKLabel
- hsmType
type: object
rabbitMqClusterName:
default: rabbitmq
description: RabbitMQ instance name Needed to request a transportURL
90 changes: 90 additions & 0 deletions api/bases/barbican.openstack.org_barbicans.yaml
Expand Up @@ -592,6 +592,25 @@ spec:
to add additional files. Those get added to the service config dir
in /etc/<service> . TODO(dmendiza): -> implement'
type: object
enabledSecretStores:
items:
description: This SecretStore type is used by the EnabledSecretStores
variable inside the specification.
enum:
- simple_crypto
- pkcs11
type: string
maxItems: 2
minItems: 1
type: array
globalDefaultSecretStore:
default: simple_crypto
description: This SecretStore type is used by the EnabledSecretStores
variable inside the specification.
enum:
- simple_crypto
- pkcs11
type: string
nodeSelector:
additionalProperties:
type: string
Expand All @@ -615,6 +634,77 @@ spec:
default: SimpleCryptoKEK
type: string
type: object
pkcs11:
description: BarbicanPKCS11Template - Includes all common HSM properties
properties:
hsmCertificatesMountPoint:
description: The mounting point where the certificates will be
copied to (e.g., /usr/local/luna/config/certs).
type: string
hsmCertificatesSecret:
description: The OpenShift secret that stores the HSM certificates.
type: string
hsmClientAddress:
description: The IP address of the client connecting to the HSM
(X.Y.Z.K)
type: string
hsmEnabled:
default: false
type: boolean
hsmHMACLabel:
description: Label to identify HMAC key in the HSM (must not be
the same as MKEK label)
type: string
hsmIpAddress:
description: The HSM's IPv4 address (X.Y.Z.K)
type: string
hsmLibraryPath:
description: Path to vendor's PKCS11 library
type: string
hsmLoggingLevel:
default: 4
description: Level of logging, where 0 means "no logging" and
7 means "debug".
maximum: 7
minimum: 0
type: integer
hsmLoginSecret:
description: OpenShift secret that stores the password to login
to the PKCS11 session
type: string
hsmMKEKLabel:
description: Label to identify master KEK in the HSM (must not
be the same as HMAC label)
type: string
hsmMKEKLength:
default: 32
description: Length in bytes of master KEK
type: integer
hsmSlotId:
description: HSM Slot ID that contains the token device to be
used
type: string
hsmTokenLabel:
description: Token label used to identify the token to be used.
Required when token_serial_number is not specified.
type: string
hsmTokenSerialNumber:
description: Token serial number used to identify the token to
be used. Required when the device has multiple tokens with the
same label.
type: string
hsmType:
description: 'A string containing the HSM type (currently supported:
"trustway", "luna", "ncipher").'
type: string
required:
- hsmHMACLabel
- hsmIpAddress
- hsmLibraryPath
- hsmLoginSecret
- hsmMKEKLabel
- hsmType
type: object
preserveJobs:
default: false
description: PreserveJobs - do not delete jobs after they finished