From d84132c88f982edaf15e1f8fa6ce6d4d603c2013 Mon Sep 17 00:00:00 2001 From: Mauricio Harley Date: Wed, 9 Oct 2024 19:50:11 +0000 Subject: [PATCH] Barbican support for Thales Luna HSM hold-the-node Signed-off-by: Mauricio Harley Co-authored-by: Ade Lee Co-authored-by: Grzegorz Grasza --- .../barbican.openstack.org_barbicanapis.yaml | 127 +++++++++++++++++ ...enstack.org_barbicankeystonelisteners.yaml | 127 +++++++++++++++++ .../barbican.openstack.org_barbicans.yaml | 127 +++++++++++++++++ ...arbican.openstack.org_barbicanworkers.yaml | 127 +++++++++++++++++ api/v1beta1/barbican_types.go | 6 + api/v1beta1/barbican_webhook.go | 18 +++ api/v1beta1/barbicankeystonelistener_types.go | 1 + api/v1beta1/barbicanworker_types.go | 3 +- api/v1beta1/common_types.go | 133 ++++++++++++++++++ api/v1beta1/zz_generated.deepcopy.go | 33 ++++- .../barbican.openstack.org_barbicanapis.yaml | 127 +++++++++++++++++ ...enstack.org_barbicankeystonelisteners.yaml | 127 +++++++++++++++++ .../barbican.openstack.org_barbicans.yaml | 127 +++++++++++++++++ ...arbican.openstack.org_barbicanworkers.yaml | 127 +++++++++++++++++ config/samples/pods_with_pkcs11-luna.yaml | 53 +++++++ controllers/barbican_common.go | 94 ++++++++++++- controllers/barbican_controller.go | 83 ++++++++++- controllers/barbicanapi_controller.go | 21 +++ controllers/barbicanworker_controller.go | 21 +++ hack/crd-schema-checker.sh | 1 + pkg/barbican/const.go | 9 +- pkg/barbican/p11_prep.go | 91 ++++++++++++ pkg/barbican/volumes.go | 103 +++++++++++--- pkg/barbicanapi/deployment.go | 22 +-- pkg/barbicankeystonelistener/deployment.go | 15 +- pkg/barbicanworker/deployment.go | 22 +-- templates/barbican/bin/generate_p11_keys.sh | 24 ++++ templates/barbican/config/00-default.conf | 57 +++++++- templates/barbican/config/Chrystoki.conf | 41 ++++++ .../barbican/config/barbican-api-config.json | 8 ++ .../config/barbican-p11-prep-config.json | 25 ++++ .../config/barbican-worker-config.json | 8 ++ 32 files changed, 1834 insertions(+), 74 deletions(-) create mode 100644 config/samples/pods_with_pkcs11-luna.yaml create mode 100644 pkg/barbican/p11_prep.go create mode 100755 templates/barbican/bin/generate_p11_keys.sh create mode 100644 templates/barbican/config/Chrystoki.conf create mode 100644 templates/barbican/config/barbican-p11-prep-config.json diff --git a/api/bases/barbican.openstack.org_barbicanapis.yaml b/api/bases/barbican.openstack.org_barbicanapis.yaml index 71010bfd..a6c1f5b0 100644 --- a/api/bases/barbican.openstack.org_barbicanapis.yaml +++ b/api/bases/barbican.openstack.org_barbicanapis.yaml @@ -89,6 +89,26 @@ spec: description: EnableSecureRBAC - Enable Consistent and Secure RBAC policies type: boolean + enabledSecretStores: + items: + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: set + globalDefaultSecretStore: + default: simple_crypto + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network @@ -292,6 +312,113 @@ spec: default: SimpleCryptoKEK type: string type: object + pkcs11: + description: BarbicanPKCS11Template - Includes all common HSM properties + properties: + AESGCMGenerateIV: + default: true + description: Generate IVs for CKM_AES_GCM mechanism + type: boolean + HMACKeyType: + default: CKK_GENERIC_SECRET + description: HMAC Key Type + type: string + HMACKeygenMechanism: + default: CKM_GENERIC_SECRET_KEY_GEN + description: HMAC Keygen Mechanism + type: string + HMACLabel: + description: Label to identify HMAC key in the HSM (must not be + the same as MKEK label) + type: string + HMACMechanism: + default: CKM_SHA256_HMAC + description: HMAC Mechanism. This replaces hsm_keywrap_mechanism + type: string + MKEKLabel: + description: Label to identify master KEK in the HSM (must not + be the same as HMAC label) + type: string + MKEKLength: + default: 32 + description: Length in bytes of master KEK + type: integer + OSLockingOK: + default: false + description: Set os_locking_ok + type: boolean + alwaysSetCKASensitive: + default: true + description: Always set cka_sensitive + type: boolean + certificatesMountPoint: + description: The mounting point where the certificates will be + copied to (e.g., /usr/local/luna/config/certs). + type: string + certificatesSecret: + description: The OpenShift secret that stores the HSM certificates. + type: string + clientAddress: + description: The IP address of the client connecting to the HSM + (X.Y.Z.K) + type: string + encryptionMechanism: + default: CKM_AES_GCM + description: Secret encryption mechanism + type: string + keyWrapGenerateIV: + default: true + description: Generate IVs for the key wrap mechanism + type: boolean + keyWrapMechanism: + default: CKM_AES_KEY_WRAP_KWP + description: Key wrap mechanism + type: string + libraryPath: + description: Path to vendor's PKCS11 library + type: string + loggingLevel: + default: 4 + description: Level of logging, where 0 means "no logging" and + 7 means "debug". + maximum: 7 + minimum: 0 + type: integer + loginSecret: + description: OpenShift secret that stores the password to login + to the PKCS11 session + type: string + serverAddress: + description: The HSM's IPv4 address (X.Y.Z.K) + type: string + slotId: + description: One of TokenSerialNumber, TokenLabels or SlotId must + be defined. SlotId is used if none of the others is defined + type: string + tokenLabels: + description: Token labels used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must be specified. + TokenLabels takes priority over SlotId. This can be a comma + separated string of labels + type: string + tokenSerialNumber: + description: Token serial number used to identify the token to + be used. One of TokenSerialNumber, TokenLabels or SlotId must + be defined. TokenSerialNumber takes priority over TokenLabels + and SlotId + type: string + type: + description: 'A string containing the HSM type (currently supported: + "luna").' + type: string + required: + - HMACLabel + - MKEKLabel + - libraryPath + - loginSecret + - serverAddress + - type + type: object rabbitMqClusterName: default: rabbitmq description: RabbitMQ instance name Needed to request a transportURL diff --git a/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml b/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml index bdea1d33..83665308 100644 --- a/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml +++ b/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml @@ -85,6 +85,26 @@ spec: files. Those get added to the service config dir in /etc/ . TODO: -> implement' type: object + enabledSecretStores: + items: + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: set + globalDefaultSecretStore: + default: simple_crypto + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network @@ -114,6 +134,113 @@ spec: default: SimpleCryptoKEK type: string type: object + pkcs11: + description: BarbicanPKCS11Template - Includes all common HSM properties + properties: + AESGCMGenerateIV: + default: true + description: Generate IVs for CKM_AES_GCM mechanism + type: boolean + HMACKeyType: + default: CKK_GENERIC_SECRET + description: HMAC Key Type + type: string + HMACKeygenMechanism: + default: CKM_GENERIC_SECRET_KEY_GEN + description: HMAC Keygen Mechanism + type: string + HMACLabel: + description: Label to identify HMAC key in the HSM (must not be + the same as MKEK label) + type: string + HMACMechanism: + default: CKM_SHA256_HMAC + description: HMAC Mechanism. This replaces hsm_keywrap_mechanism + type: string + MKEKLabel: + description: Label to identify master KEK in the HSM (must not + be the same as HMAC label) + type: string + MKEKLength: + default: 32 + description: Length in bytes of master KEK + type: integer + OSLockingOK: + default: false + description: Set os_locking_ok + type: boolean + alwaysSetCKASensitive: + default: true + description: Always set cka_sensitive + type: boolean + certificatesMountPoint: + description: The mounting point where the certificates will be + copied to (e.g., /usr/local/luna/config/certs). + type: string + certificatesSecret: + description: The OpenShift secret that stores the HSM certificates. + type: string + clientAddress: + description: The IP address of the client connecting to the HSM + (X.Y.Z.K) + type: string + encryptionMechanism: + default: CKM_AES_GCM + description: Secret encryption mechanism + type: string + keyWrapGenerateIV: + default: true + description: Generate IVs for the key wrap mechanism + type: boolean + keyWrapMechanism: + default: CKM_AES_KEY_WRAP_KWP + description: Key wrap mechanism + type: string + libraryPath: + description: Path to vendor's PKCS11 library + type: string + loggingLevel: + default: 4 + description: Level of logging, where 0 means "no logging" and + 7 means "debug". + maximum: 7 + minimum: 0 + type: integer + loginSecret: + description: OpenShift secret that stores the password to login + to the PKCS11 session + type: string + serverAddress: + description: The HSM's IPv4 address (X.Y.Z.K) + type: string + slotId: + description: One of TokenSerialNumber, TokenLabels or SlotId must + be defined. SlotId is used if none of the others is defined + type: string + tokenLabels: + description: Token labels used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must be specified. + TokenLabels takes priority over SlotId. This can be a comma + separated string of labels + type: string + tokenSerialNumber: + description: Token serial number used to identify the token to + be used. One of TokenSerialNumber, TokenLabels or SlotId must + be defined. TokenSerialNumber takes priority over TokenLabels + and SlotId + type: string + type: + description: 'A string containing the HSM type (currently supported: + "luna").' + type: string + required: + - HMACLabel + - MKEKLabel + - libraryPath + - loginSecret + - serverAddress + - type + type: object rabbitMqClusterName: default: rabbitmq description: RabbitMQ instance name Needed to request a transportURL diff --git a/api/bases/barbican.openstack.org_barbicans.yaml b/api/bases/barbican.openstack.org_barbicans.yaml index cf99e64f..bf9d770c 100644 --- a/api/bases/barbican.openstack.org_barbicans.yaml +++ b/api/bases/barbican.openstack.org_barbicans.yaml @@ -601,6 +601,26 @@ spec: to add additional files. Those get added to the service config dir in /etc/ . TODO(dmendiza): -> implement' type: object + enabledSecretStores: + items: + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: set + globalDefaultSecretStore: + default: simple_crypto + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string nodeSelector: additionalProperties: type: string @@ -624,6 +644,113 @@ spec: default: SimpleCryptoKEK type: string type: object + pkcs11: + description: BarbicanPKCS11Template - Includes all common HSM properties + properties: + AESGCMGenerateIV: + default: true + description: Generate IVs for CKM_AES_GCM mechanism + type: boolean + HMACKeyType: + default: CKK_GENERIC_SECRET + description: HMAC Key Type + type: string + HMACKeygenMechanism: + default: CKM_GENERIC_SECRET_KEY_GEN + description: HMAC Keygen Mechanism + type: string + HMACLabel: + description: Label to identify HMAC key in the HSM (must not be + the same as MKEK label) + type: string + HMACMechanism: + default: CKM_SHA256_HMAC + description: HMAC Mechanism. This replaces hsm_keywrap_mechanism + type: string + MKEKLabel: + description: Label to identify master KEK in the HSM (must not + be the same as HMAC label) + type: string + MKEKLength: + default: 32 + description: Length in bytes of master KEK + type: integer + OSLockingOK: + default: false + description: Set os_locking_ok + type: boolean + alwaysSetCKASensitive: + default: true + description: Always set cka_sensitive + type: boolean + certificatesMountPoint: + description: The mounting point where the certificates will be + copied to (e.g., /usr/local/luna/config/certs). + type: string + certificatesSecret: + description: The OpenShift secret that stores the HSM certificates. + type: string + clientAddress: + description: The IP address of the client connecting to the HSM + (X.Y.Z.K) + type: string + encryptionMechanism: + default: CKM_AES_GCM + description: Secret encryption mechanism + type: string + keyWrapGenerateIV: + default: true + description: Generate IVs for the key wrap mechanism + type: boolean + keyWrapMechanism: + default: CKM_AES_KEY_WRAP_KWP + description: Key wrap mechanism + type: string + libraryPath: + description: Path to vendor's PKCS11 library + type: string + loggingLevel: + default: 4 + description: Level of logging, where 0 means "no logging" and + 7 means "debug". + maximum: 7 + minimum: 0 + type: integer + loginSecret: + description: OpenShift secret that stores the password to login + to the PKCS11 session + type: string + serverAddress: + description: The HSM's IPv4 address (X.Y.Z.K) + type: string + slotId: + description: One of TokenSerialNumber, TokenLabels or SlotId must + be defined. SlotId is used if none of the others is defined + type: string + tokenLabels: + description: Token labels used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must be specified. + TokenLabels takes priority over SlotId. This can be a comma + separated string of labels + type: string + tokenSerialNumber: + description: Token serial number used to identify the token to + be used. One of TokenSerialNumber, TokenLabels or SlotId must + be defined. TokenSerialNumber takes priority over TokenLabels + and SlotId + type: string + type: + description: 'A string containing the HSM type (currently supported: + "luna").' + type: string + required: + - HMACLabel + - MKEKLabel + - libraryPath + - loginSecret + - serverAddress + - type + type: object preserveJobs: default: false description: PreserveJobs - do not delete jobs after they finished diff --git a/api/bases/barbican.openstack.org_barbicanworkers.yaml b/api/bases/barbican.openstack.org_barbicanworkers.yaml index 41dadbc2..584c4df4 100644 --- a/api/bases/barbican.openstack.org_barbicanworkers.yaml +++ b/api/bases/barbican.openstack.org_barbicanworkers.yaml @@ -83,6 +83,26 @@ spec: files. Those get added to the service config dir in /etc/ . TODO: -> implement' type: object + enabledSecretStores: + items: + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: set + globalDefaultSecretStore: + default: simple_crypto + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network @@ -112,6 +132,113 @@ spec: default: SimpleCryptoKEK type: string type: object + pkcs11: + description: BarbicanPKCS11Template - Includes all common HSM properties + properties: + AESGCMGenerateIV: + default: true + description: Generate IVs for CKM_AES_GCM mechanism + type: boolean + HMACKeyType: + default: CKK_GENERIC_SECRET + description: HMAC Key Type + type: string + HMACKeygenMechanism: + default: CKM_GENERIC_SECRET_KEY_GEN + description: HMAC Keygen Mechanism + type: string + HMACLabel: + description: Label to identify HMAC key in the HSM (must not be + the same as MKEK label) + type: string + HMACMechanism: + default: CKM_SHA256_HMAC + description: HMAC Mechanism. This replaces hsm_keywrap_mechanism + type: string + MKEKLabel: + description: Label to identify master KEK in the HSM (must not + be the same as HMAC label) + type: string + MKEKLength: + default: 32 + description: Length in bytes of master KEK + type: integer + OSLockingOK: + default: false + description: Set os_locking_ok + type: boolean + alwaysSetCKASensitive: + default: true + description: Always set cka_sensitive + type: boolean + certificatesMountPoint: + description: The mounting point where the certificates will be + copied to (e.g., /usr/local/luna/config/certs). + type: string + certificatesSecret: + description: The OpenShift secret that stores the HSM certificates. + type: string + clientAddress: + description: The IP address of the client connecting to the HSM + (X.Y.Z.K) + type: string + encryptionMechanism: + default: CKM_AES_GCM + description: Secret encryption mechanism + type: string + keyWrapGenerateIV: + default: true + description: Generate IVs for the key wrap mechanism + type: boolean + keyWrapMechanism: + default: CKM_AES_KEY_WRAP_KWP + description: Key wrap mechanism + type: string + libraryPath: + description: Path to vendor's PKCS11 library + type: string + loggingLevel: + default: 4 + description: Level of logging, where 0 means "no logging" and + 7 means "debug". + maximum: 7 + minimum: 0 + type: integer + loginSecret: + description: OpenShift secret that stores the password to login + to the PKCS11 session + type: string + serverAddress: + description: The HSM's IPv4 address (X.Y.Z.K) + type: string + slotId: + description: One of TokenSerialNumber, TokenLabels or SlotId must + be defined. SlotId is used if none of the others is defined + type: string + tokenLabels: + description: Token labels used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must be specified. + TokenLabels takes priority over SlotId. This can be a comma + separated string of labels + type: string + tokenSerialNumber: + description: Token serial number used to identify the token to + be used. One of TokenSerialNumber, TokenLabels or SlotId must + be defined. TokenSerialNumber takes priority over TokenLabels + and SlotId + type: string + type: + description: 'A string containing the HSM type (currently supported: + "luna").' + type: string + required: + - HMACLabel + - MKEKLabel + - libraryPath + - loginSecret + - serverAddress + - type + type: object rabbitMqClusterName: default: rabbitmq description: RabbitMQ instance name Needed to request a transportURL diff --git a/api/v1beta1/barbican_types.go b/api/v1beta1/barbican_types.go index 80d41a01..39acdc4f 100644 --- a/api/v1beta1/barbican_types.go +++ b/api/v1beta1/barbican_types.go @@ -22,10 +22,16 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// Supported HSM models +var HSMTypes = []string{"luna"} + const ( // DbSyncHash hash DbSyncHash = "dbsync" + // P11PrepHash hash + P11PrepHash = "p11prep" + // Container image fall-back defaults // BarbicanAPIContainerImage is the fall-back container image for BarbicanAPI diff --git a/api/v1beta1/barbican_webhook.go b/api/v1beta1/barbican_webhook.go index ab235c3d..fa9051a8 100644 --- a/api/v1beta1/barbican_webhook.go +++ b/api/v1beta1/barbican_webhook.go @@ -24,6 +24,7 @@ package v1beta1 import ( "fmt" + "slices" "github.com/openstack-k8s-operators/lib-common/modules/common/service" apierrors "k8s.io/apimachinery/pkg/api/errors" @@ -133,6 +134,23 @@ func (r *BarbicanSpec) ValidateCreate(basePath *field.Path) field.ErrorList { basePath.Child("barbicanAPI").Child("override").Child("service"), r.BarbicanAPI.Override.Service)...) + // pkcs11 verifications + if slices.Contains(r.EnabledSecretStores, "pkcs11") { + if r.PKCS11 == nil { + allErrs = append(allErrs, field.Required(basePath.Child("PKCS11"), + "PKCS11 specification is missing, PKCS11 is required when pkcs11 is an enabled SecretStore"), + ) + } else { + // Checking that at least one of the following parameters has been provided. + if len(r.PKCS11.TokenSerialNumber) == 0 && len(r.PKCS11.TokenLabels) == 0 && len(r.PKCS11.SlotId) == 0 { + allErrs = append(allErrs, field.Required(basePath.Child("PKCS11"), + "No token identifier provided. One of TokenSerialNumber, TokenLabels or SlotId needed"), + ) + } + } + } + + return allErrs } diff --git a/api/v1beta1/barbicankeystonelistener_types.go b/api/v1beta1/barbicankeystonelistener_types.go index 9e393dff..97bf3d9a 100644 --- a/api/v1beta1/barbicankeystonelistener_types.go +++ b/api/v1beta1/barbicankeystonelistener_types.go @@ -44,6 +44,7 @@ type BarbicanKeystoneListenerSpec struct { BarbicanTemplate `json:",inline"` BarbicanKeystoneListenerTemplate `json:",inline"` + DatabaseHostname string `json:"databaseHostname"` TransportURLSecret string `json:"transportURLSecret,omitempty"` diff --git a/api/v1beta1/barbicanworker_types.go b/api/v1beta1/barbicanworker_types.go index 67ddf196..ffaab1eb 100644 --- a/api/v1beta1/barbicanworker_types.go +++ b/api/v1beta1/barbicanworker_types.go @@ -44,7 +44,8 @@ type BarbicanWorkerSpec struct { BarbicanTemplate `json:",inline"` BarbicanWorkerTemplate `json:",inline"` - DatabaseHostname string `json:"databaseHostname"` + + DatabaseHostname string `json:"databaseHostname"` TransportURLSecret string `json:"transportURLSecret,omitempty"` diff --git a/api/v1beta1/common_types.go b/api/v1beta1/common_types.go index 383178f0..95af613d 100644 --- a/api/v1beta1/common_types.go +++ b/api/v1beta1/common_types.go @@ -49,6 +49,19 @@ type BarbicanTemplate struct { // +kubebuilder:validation:Required // ServiceAccount - service account name used internally to provide Barbican services the default SA name ServiceAccount string `json:"serviceAccount"` + + // +kubebuilder:validation:Optional + PKCS11 *BarbicanPKCS11Template `json:"pkcs11,omitempty"` + + // +kubebuilder:validation:Optional + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=2 + // +listType:=set + EnabledSecretStores []SecretStore `json:"enabledSecretStores,omitempty"` + + // +kubebuilder:validation:Optional + // +kubebuilder:default="simple_crypto" + GlobalDefaultSecretStore SecretStore `json:"globalDefaultSecretStore" yaml:"globalDefaultSecretStore"` } // BarbicanComponentTemplate - Variables used by every sub-component of Barbican @@ -95,6 +108,126 @@ type BarbicanComponentTemplate struct { NetworkAttachments []string `json:"networkAttachments,omitempty"` } +// +kubebuilder:validation:Enum=simple_crypto;pkcs11 +// This SecretStore type is used by the EnabledSecretStores variable inside the specification. +type SecretStore string + +// BarbicanPKCS11Template - Includes all common HSM properties +type BarbicanPKCS11Template struct { + // +kubebuilder:validation:Required + // +kubebuilder:validation:Items:Enum=luna + // A string containing the HSM type (currently supported: "luna"). + Type string `json:"type"` + + // +kubebuilder:validation:Required + // Path to vendor's PKCS11 library + LibraryPath string `json:"libraryPath"` + + // +kubebuilder:validation:Optional + // Token serial number used to identify the token to be used. + // One of TokenSerialNumber, TokenLabels or SlotId must + // be defined. TokenSerialNumber takes priority over + // TokenLabels and SlotId + TokenSerialNumber string `json:"tokenSerialNumber,omitempty"` + + // +kubebuilder:validation:Optional + // Token labels used to identify the token to be used. + // One of TokenSerialNumber, TokenLabels or SlotId must + // be specified. TokenLabels takes priority over SlotId. + // This can be a comma separated string of labels + TokenLabels string `json:"tokenLabels,omitempty"` + + // +kubebuilder:validation:Optional + // One of TokenSerialNumber, TokenLabels or SlotId must + // be defined. SlotId is used if none of the others is defined + SlotId string `json:"slotId,omitempty"` + + // +kubebuilder:validation:Required + // Label to identify master KEK in the HSM (must not be the same as HMAC label) + MKEKLabel string `json:"MKEKLabel"` + + // +kubebuilder:validation:Optional + // +kubebuilder:default=32 + // Length in bytes of master KEK + MKEKLength int `json:"MKEKLength"` + + // +kubebuilder:validation:Required + // Label to identify HMAC key in the HSM (must not be the same as MKEK label) + HMACLabel string `json:"HMACLabel"` + + // +kubebuilder:validation:Optional + // +kubebuilder:default=CKK_GENERIC_SECRET + // HMAC Key Type + HMACKeyType string `json:"HMACKeyType"` + + // +kubebuilder:validation:Optional + // +kubebuilder:default=CKM_GENERIC_SECRET_KEY_GEN + // HMAC Keygen Mechanism + HMACKeygenMechanism string `json:"HMACKeygenMechanism"` + + // +kubebuilder:validation:Optional + // +kubebuilder:default=CKM_SHA256_HMAC + // HMAC Mechanism. This replaces hsm_keywrap_mechanism + HMACMechanism string `json:"HMACMechanism"` + + // +kubebuilder:validation:Optional + // +kubebuilder:default=4 + // +kubebuilder:validation:Maximum=7 + // +kubebuilder:validation:Minimum=0 + // Level of logging, where 0 means "no logging" and 7 means "debug". + LoggingLevel int `json:"loggingLevel"` + + // +kubebuilder:validation:Required + // The HSM's IPv4 address (X.Y.Z.K) + ServerAddress string `json:"serverAddress"` + + // +kubebuilder:validation:Optional + // The IP address of the client connecting to the HSM (X.Y.Z.K) + ClientAddress string `json:"clientAddress,omitempty"` + + // +kubebuilder:validation:Required + // OpenShift secret that stores the password to login to the PKCS11 session + LoginSecret string `json:"loginSecret"` + + // +kubebuilder:validation:Optional + // The OpenShift secret that stores the HSM certificates. + CertificatesSecret string `json:"certificatesSecret,omitempty"` + + // +kubebuilder:validation:Optional + // The mounting point where the certificates will be copied to (e.g., /usr/local/luna/config/certs). + CertificatesMountPoint string `json:"certificatesMountPoint,omitempty"` + + // +kubebuilder:validation:Optional + // +kubebuilder:default=CKM_AES_GCM + // Secret encryption mechanism + EncryptionMechanism string `json:"encryptionMechanism"` + + // +kubebuilder:validation:Optional + // +kubebuilder:default=CKM_AES_KEY_WRAP_KWP + // Key wrap mechanism + KeyWrapMechanism string `json:"keyWrapMechanism"` + + // +kubebuilder:validation:Optional + // +kubebuilder:default=true + // Generate IVs for the key wrap mechanism + KeyWrapGenerateIV bool `json:"keyWrapGenerateIV"` + + // +kubebuilder:validation:Optional + // +kubebuilder:default=true + // Generate IVs for CKM_AES_GCM mechanism + AESGCMGenerateIV bool `json:"AESGCMGenerateIV"` + + // +kubebuilder:validation:Optional + // +kubebuilder:default=true + // Always set cka_sensitive + AlwaysSetCKASensitive bool `json:"alwaysSetCKASensitive"` + + // +kubebuilder:validation:Optional + // +kubebuilder:default=false + // Set os_locking_ok + OSLockingOK bool `json:"OSLockingOK"` +} + // PasswordSelector to identify the DB and AdminUser password from the Secret type PasswordSelector struct { // +kubebuilder:validation:Optional diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go index 05d8a54c..f61b4995 100644 --- a/api/v1beta1/zz_generated.deepcopy.go +++ b/api/v1beta1/zz_generated.deepcopy.go @@ -138,7 +138,7 @@ func (in *BarbicanAPIList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BarbicanAPISpec) DeepCopyInto(out *BarbicanAPISpec) { *out = *in - out.BarbicanTemplate = in.BarbicanTemplate + in.BarbicanTemplate.DeepCopyInto(&out.BarbicanTemplate) in.BarbicanAPITemplate.DeepCopyInto(&out.BarbicanAPITemplate) } @@ -363,7 +363,7 @@ func (in *BarbicanKeystoneListenerList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BarbicanKeystoneListenerSpec) DeepCopyInto(out *BarbicanKeystoneListenerSpec) { *out = *in - out.BarbicanTemplate = in.BarbicanTemplate + in.BarbicanTemplate.DeepCopyInto(&out.BarbicanTemplate) in.BarbicanKeystoneListenerTemplate.DeepCopyInto(&out.BarbicanKeystoneListenerTemplate) out.TLS = in.TLS } @@ -486,6 +486,21 @@ func (in *BarbicanList) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *BarbicanPKCS11Template) DeepCopyInto(out *BarbicanPKCS11Template) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BarbicanPKCS11Template. +func (in *BarbicanPKCS11Template) DeepCopy() *BarbicanPKCS11Template { + if in == nil { + return nil + } + out := new(BarbicanPKCS11Template) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BarbicanSpec) DeepCopyInto(out *BarbicanSpec) { *out = *in @@ -508,7 +523,7 @@ func (in *BarbicanSpec) DeepCopy() *BarbicanSpec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BarbicanSpecBase) DeepCopyInto(out *BarbicanSpecBase) { *out = *in - out.BarbicanTemplate = in.BarbicanTemplate + in.BarbicanTemplate.DeepCopyInto(&out.BarbicanTemplate) if in.NodeSelector != nil { in, out := &in.NodeSelector, &out.NodeSelector *out = new(map[string]string) @@ -591,6 +606,16 @@ func (in *BarbicanStatus) DeepCopy() *BarbicanStatus { func (in *BarbicanTemplate) DeepCopyInto(out *BarbicanTemplate) { *out = *in out.PasswordSelectors = in.PasswordSelectors + if in.PKCS11 != nil { + in, out := &in.PKCS11, &out.PKCS11 + *out = new(BarbicanPKCS11Template) + **out = **in + } + if in.EnabledSecretStores != nil { + in, out := &in.EnabledSecretStores, &out.EnabledSecretStores + *out = make([]SecretStore, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BarbicanTemplate. @@ -665,7 +690,7 @@ func (in *BarbicanWorkerList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BarbicanWorkerSpec) DeepCopyInto(out *BarbicanWorkerSpec) { *out = *in - out.BarbicanTemplate = in.BarbicanTemplate + in.BarbicanTemplate.DeepCopyInto(&out.BarbicanTemplate) in.BarbicanWorkerTemplate.DeepCopyInto(&out.BarbicanWorkerTemplate) out.TLS = in.TLS } diff --git a/config/crd/bases/barbican.openstack.org_barbicanapis.yaml b/config/crd/bases/barbican.openstack.org_barbicanapis.yaml index 71010bfd..a6c1f5b0 100644 --- a/config/crd/bases/barbican.openstack.org_barbicanapis.yaml +++ b/config/crd/bases/barbican.openstack.org_barbicanapis.yaml @@ -89,6 +89,26 @@ spec: description: EnableSecureRBAC - Enable Consistent and Secure RBAC policies type: boolean + enabledSecretStores: + items: + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: set + globalDefaultSecretStore: + default: simple_crypto + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network @@ -292,6 +312,113 @@ spec: default: SimpleCryptoKEK type: string type: object + pkcs11: + description: BarbicanPKCS11Template - Includes all common HSM properties + properties: + AESGCMGenerateIV: + default: true + description: Generate IVs for CKM_AES_GCM mechanism + type: boolean + HMACKeyType: + default: CKK_GENERIC_SECRET + description: HMAC Key Type + type: string + HMACKeygenMechanism: + default: CKM_GENERIC_SECRET_KEY_GEN + description: HMAC Keygen Mechanism + type: string + HMACLabel: + description: Label to identify HMAC key in the HSM (must not be + the same as MKEK label) + type: string + HMACMechanism: + default: CKM_SHA256_HMAC + description: HMAC Mechanism. This replaces hsm_keywrap_mechanism + type: string + MKEKLabel: + description: Label to identify master KEK in the HSM (must not + be the same as HMAC label) + type: string + MKEKLength: + default: 32 + description: Length in bytes of master KEK + type: integer + OSLockingOK: + default: false + description: Set os_locking_ok + type: boolean + alwaysSetCKASensitive: + default: true + description: Always set cka_sensitive + type: boolean + certificatesMountPoint: + description: The mounting point where the certificates will be + copied to (e.g., /usr/local/luna/config/certs). + type: string + certificatesSecret: + description: The OpenShift secret that stores the HSM certificates. + type: string + clientAddress: + description: The IP address of the client connecting to the HSM + (X.Y.Z.K) + type: string + encryptionMechanism: + default: CKM_AES_GCM + description: Secret encryption mechanism + type: string + keyWrapGenerateIV: + default: true + description: Generate IVs for the key wrap mechanism + type: boolean + keyWrapMechanism: + default: CKM_AES_KEY_WRAP_KWP + description: Key wrap mechanism + type: string + libraryPath: + description: Path to vendor's PKCS11 library + type: string + loggingLevel: + default: 4 + description: Level of logging, where 0 means "no logging" and + 7 means "debug". + maximum: 7 + minimum: 0 + type: integer + loginSecret: + description: OpenShift secret that stores the password to login + to the PKCS11 session + type: string + serverAddress: + description: The HSM's IPv4 address (X.Y.Z.K) + type: string + slotId: + description: One of TokenSerialNumber, TokenLabels or SlotId must + be defined. SlotId is used if none of the others is defined + type: string + tokenLabels: + description: Token labels used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must be specified. + TokenLabels takes priority over SlotId. This can be a comma + separated string of labels + type: string + tokenSerialNumber: + description: Token serial number used to identify the token to + be used. One of TokenSerialNumber, TokenLabels or SlotId must + be defined. TokenSerialNumber takes priority over TokenLabels + and SlotId + type: string + type: + description: 'A string containing the HSM type (currently supported: + "luna").' + type: string + required: + - HMACLabel + - MKEKLabel + - libraryPath + - loginSecret + - serverAddress + - type + type: object rabbitMqClusterName: default: rabbitmq description: RabbitMQ instance name Needed to request a transportURL diff --git a/config/crd/bases/barbican.openstack.org_barbicankeystonelisteners.yaml b/config/crd/bases/barbican.openstack.org_barbicankeystonelisteners.yaml index bdea1d33..83665308 100644 --- a/config/crd/bases/barbican.openstack.org_barbicankeystonelisteners.yaml +++ b/config/crd/bases/barbican.openstack.org_barbicankeystonelisteners.yaml @@ -85,6 +85,26 @@ spec: files. Those get added to the service config dir in /etc/ . TODO: -> implement' type: object + enabledSecretStores: + items: + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: set + globalDefaultSecretStore: + default: simple_crypto + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network @@ -114,6 +134,113 @@ spec: default: SimpleCryptoKEK type: string type: object + pkcs11: + description: BarbicanPKCS11Template - Includes all common HSM properties + properties: + AESGCMGenerateIV: + default: true + description: Generate IVs for CKM_AES_GCM mechanism + type: boolean + HMACKeyType: + default: CKK_GENERIC_SECRET + description: HMAC Key Type + type: string + HMACKeygenMechanism: + default: CKM_GENERIC_SECRET_KEY_GEN + description: HMAC Keygen Mechanism + type: string + HMACLabel: + description: Label to identify HMAC key in the HSM (must not be + the same as MKEK label) + type: string + HMACMechanism: + default: CKM_SHA256_HMAC + description: HMAC Mechanism. This replaces hsm_keywrap_mechanism + type: string + MKEKLabel: + description: Label to identify master KEK in the HSM (must not + be the same as HMAC label) + type: string + MKEKLength: + default: 32 + description: Length in bytes of master KEK + type: integer + OSLockingOK: + default: false + description: Set os_locking_ok + type: boolean + alwaysSetCKASensitive: + default: true + description: Always set cka_sensitive + type: boolean + certificatesMountPoint: + description: The mounting point where the certificates will be + copied to (e.g., /usr/local/luna/config/certs). + type: string + certificatesSecret: + description: The OpenShift secret that stores the HSM certificates. + type: string + clientAddress: + description: The IP address of the client connecting to the HSM + (X.Y.Z.K) + type: string + encryptionMechanism: + default: CKM_AES_GCM + description: Secret encryption mechanism + type: string + keyWrapGenerateIV: + default: true + description: Generate IVs for the key wrap mechanism + type: boolean + keyWrapMechanism: + default: CKM_AES_KEY_WRAP_KWP + description: Key wrap mechanism + type: string + libraryPath: + description: Path to vendor's PKCS11 library + type: string + loggingLevel: + default: 4 + description: Level of logging, where 0 means "no logging" and + 7 means "debug". + maximum: 7 + minimum: 0 + type: integer + loginSecret: + description: OpenShift secret that stores the password to login + to the PKCS11 session + type: string + serverAddress: + description: The HSM's IPv4 address (X.Y.Z.K) + type: string + slotId: + description: One of TokenSerialNumber, TokenLabels or SlotId must + be defined. SlotId is used if none of the others is defined + type: string + tokenLabels: + description: Token labels used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must be specified. + TokenLabels takes priority over SlotId. This can be a comma + separated string of labels + type: string + tokenSerialNumber: + description: Token serial number used to identify the token to + be used. One of TokenSerialNumber, TokenLabels or SlotId must + be defined. TokenSerialNumber takes priority over TokenLabels + and SlotId + type: string + type: + description: 'A string containing the HSM type (currently supported: + "luna").' + type: string + required: + - HMACLabel + - MKEKLabel + - libraryPath + - loginSecret + - serverAddress + - type + type: object rabbitMqClusterName: default: rabbitmq description: RabbitMQ instance name Needed to request a transportURL diff --git a/config/crd/bases/barbican.openstack.org_barbicans.yaml b/config/crd/bases/barbican.openstack.org_barbicans.yaml index cf99e64f..bf9d770c 100644 --- a/config/crd/bases/barbican.openstack.org_barbicans.yaml +++ b/config/crd/bases/barbican.openstack.org_barbicans.yaml @@ -601,6 +601,26 @@ spec: to add additional files. Those get added to the service config dir in /etc/ . TODO(dmendiza): -> implement' type: object + enabledSecretStores: + items: + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: set + globalDefaultSecretStore: + default: simple_crypto + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string nodeSelector: additionalProperties: type: string @@ -624,6 +644,113 @@ spec: default: SimpleCryptoKEK type: string type: object + pkcs11: + description: BarbicanPKCS11Template - Includes all common HSM properties + properties: + AESGCMGenerateIV: + default: true + description: Generate IVs for CKM_AES_GCM mechanism + type: boolean + HMACKeyType: + default: CKK_GENERIC_SECRET + description: HMAC Key Type + type: string + HMACKeygenMechanism: + default: CKM_GENERIC_SECRET_KEY_GEN + description: HMAC Keygen Mechanism + type: string + HMACLabel: + description: Label to identify HMAC key in the HSM (must not be + the same as MKEK label) + type: string + HMACMechanism: + default: CKM_SHA256_HMAC + description: HMAC Mechanism. This replaces hsm_keywrap_mechanism + type: string + MKEKLabel: + description: Label to identify master KEK in the HSM (must not + be the same as HMAC label) + type: string + MKEKLength: + default: 32 + description: Length in bytes of master KEK + type: integer + OSLockingOK: + default: false + description: Set os_locking_ok + type: boolean + alwaysSetCKASensitive: + default: true + description: Always set cka_sensitive + type: boolean + certificatesMountPoint: + description: The mounting point where the certificates will be + copied to (e.g., /usr/local/luna/config/certs). + type: string + certificatesSecret: + description: The OpenShift secret that stores the HSM certificates. + type: string + clientAddress: + description: The IP address of the client connecting to the HSM + (X.Y.Z.K) + type: string + encryptionMechanism: + default: CKM_AES_GCM + description: Secret encryption mechanism + type: string + keyWrapGenerateIV: + default: true + description: Generate IVs for the key wrap mechanism + type: boolean + keyWrapMechanism: + default: CKM_AES_KEY_WRAP_KWP + description: Key wrap mechanism + type: string + libraryPath: + description: Path to vendor's PKCS11 library + type: string + loggingLevel: + default: 4 + description: Level of logging, where 0 means "no logging" and + 7 means "debug". + maximum: 7 + minimum: 0 + type: integer + loginSecret: + description: OpenShift secret that stores the password to login + to the PKCS11 session + type: string + serverAddress: + description: The HSM's IPv4 address (X.Y.Z.K) + type: string + slotId: + description: One of TokenSerialNumber, TokenLabels or SlotId must + be defined. SlotId is used if none of the others is defined + type: string + tokenLabels: + description: Token labels used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must be specified. + TokenLabels takes priority over SlotId. This can be a comma + separated string of labels + type: string + tokenSerialNumber: + description: Token serial number used to identify the token to + be used. One of TokenSerialNumber, TokenLabels or SlotId must + be defined. TokenSerialNumber takes priority over TokenLabels + and SlotId + type: string + type: + description: 'A string containing the HSM type (currently supported: + "luna").' + type: string + required: + - HMACLabel + - MKEKLabel + - libraryPath + - loginSecret + - serverAddress + - type + type: object preserveJobs: default: false description: PreserveJobs - do not delete jobs after they finished diff --git a/config/crd/bases/barbican.openstack.org_barbicanworkers.yaml b/config/crd/bases/barbican.openstack.org_barbicanworkers.yaml index 41dadbc2..584c4df4 100644 --- a/config/crd/bases/barbican.openstack.org_barbicanworkers.yaml +++ b/config/crd/bases/barbican.openstack.org_barbicanworkers.yaml @@ -83,6 +83,26 @@ spec: files. Those get added to the service config dir in /etc/ . TODO: -> implement' type: object + enabledSecretStores: + items: + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: set + globalDefaultSecretStore: + default: simple_crypto + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network @@ -112,6 +132,113 @@ spec: default: SimpleCryptoKEK type: string type: object + pkcs11: + description: BarbicanPKCS11Template - Includes all common HSM properties + properties: + AESGCMGenerateIV: + default: true + description: Generate IVs for CKM_AES_GCM mechanism + type: boolean + HMACKeyType: + default: CKK_GENERIC_SECRET + description: HMAC Key Type + type: string + HMACKeygenMechanism: + default: CKM_GENERIC_SECRET_KEY_GEN + description: HMAC Keygen Mechanism + type: string + HMACLabel: + description: Label to identify HMAC key in the HSM (must not be + the same as MKEK label) + type: string + HMACMechanism: + default: CKM_SHA256_HMAC + description: HMAC Mechanism. This replaces hsm_keywrap_mechanism + type: string + MKEKLabel: + description: Label to identify master KEK in the HSM (must not + be the same as HMAC label) + type: string + MKEKLength: + default: 32 + description: Length in bytes of master KEK + type: integer + OSLockingOK: + default: false + description: Set os_locking_ok + type: boolean + alwaysSetCKASensitive: + default: true + description: Always set cka_sensitive + type: boolean + certificatesMountPoint: + description: The mounting point where the certificates will be + copied to (e.g., /usr/local/luna/config/certs). + type: string + certificatesSecret: + description: The OpenShift secret that stores the HSM certificates. + type: string + clientAddress: + description: The IP address of the client connecting to the HSM + (X.Y.Z.K) + type: string + encryptionMechanism: + default: CKM_AES_GCM + description: Secret encryption mechanism + type: string + keyWrapGenerateIV: + default: true + description: Generate IVs for the key wrap mechanism + type: boolean + keyWrapMechanism: + default: CKM_AES_KEY_WRAP_KWP + description: Key wrap mechanism + type: string + libraryPath: + description: Path to vendor's PKCS11 library + type: string + loggingLevel: + default: 4 + description: Level of logging, where 0 means "no logging" and + 7 means "debug". + maximum: 7 + minimum: 0 + type: integer + loginSecret: + description: OpenShift secret that stores the password to login + to the PKCS11 session + type: string + serverAddress: + description: The HSM's IPv4 address (X.Y.Z.K) + type: string + slotId: + description: One of TokenSerialNumber, TokenLabels or SlotId must + be defined. SlotId is used if none of the others is defined + type: string + tokenLabels: + description: Token labels used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must be specified. + TokenLabels takes priority over SlotId. This can be a comma + separated string of labels + type: string + tokenSerialNumber: + description: Token serial number used to identify the token to + be used. One of TokenSerialNumber, TokenLabels or SlotId must + be defined. TokenSerialNumber takes priority over TokenLabels + and SlotId + type: string + type: + description: 'A string containing the HSM type (currently supported: + "luna").' + type: string + required: + - HMACLabel + - MKEKLabel + - libraryPath + - loginSecret + - serverAddress + - type + type: object rabbitMqClusterName: default: rabbitmq description: RabbitMQ instance name Needed to request a transportURL diff --git a/config/samples/pods_with_pkcs11-luna.yaml b/config/samples/pods_with_pkcs11-luna.yaml new file mode 100644 index 00000000..45416f99 --- /dev/null +++ b/config/samples/pods_with_pkcs11-luna.yaml @@ -0,0 +1,53 @@ +apiVersion: barbican.openstack.org/v1beta1 +kind: Barbican +metadata: + labels: + app.kubernetes.io/name: barbican + app.kubernetes.io/instance: barbican + app.kubernetes.io/part-of: barbican-operator + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/created-by: barbican-operator + name: barbican +spec: + serviceAccount: barbican + serviceUser: barbican + databaseInstance: openstack + databaseAccount: barbican + rabbitMqCusterName: barbican_rabbit + secret: osp-secret + passwordSelectors: + database: BarbicanDatabasePassword + service: BarbicanPassword + simplecryptokek: BarbicanSimpleCryptoKEK + preserveJobs: true + customServiceConfig: | + [DEFAULT] + debug = True + globalDefaultSecretStore: pkcs11 + enabledSecretStores: + - simple_crypto + - pkcs11 + pkcs11: + hsmType: luna + hsmLibraryPath: /usr/local/luna/libs/64/libCryptoki2.so + hsmTokenLabels: my_hsm_partition_label + hsmMKEKLabel: my_mkek_label + hsmHMACLabel: my_hmac_label + hsmIpAddress: my_hsm_server_ip_address + hsmClientAddress: my_hsm_client_ip_address + hsmLoginSecret: my_luna_login_secret + hsmCertificatesSecret: my_luna_certs_secret + hsmCertificatesMountPoint: /usr/local/luna/config/certs + hsmKeyWrapMechanism: CKM_AES_CBC_PAD + barbicanAPI: + containerImage: my_custom_barbican_api_image + passwordSelectors: + database: BarbicanDatabasePassword + service: BarbicanPassword + replicas: 1 + barbicanWorker: + containerImage: my_custom_barbican_worker_image + replicas: 1 + barbicanKeystoneListener: + containerImage: quay.io/podified-antelope-centos9/openstack-barbican-keystone-listener@sha256:9a5deaf4a7db671dab48aface9d426b8fc1ae7cb20d3be64c9c7bf90241fb65c + replicas: 1 diff --git a/controllers/barbican_common.go b/controllers/barbican_common.go index 4f99f3d6..417e55d1 100644 --- a/controllers/barbican_common.go +++ b/controllers/barbican_common.go @@ -18,11 +18,16 @@ package controllers import ( "context" + "errors" "fmt" + "slices" + "strings" + barbicanv1beta1 "github.com/openstack-k8s-operators/barbican-operator/api/v1beta1" "github.com/openstack-k8s-operators/lib-common/modules/common/env" "github.com/openstack-k8s-operators/lib-common/modules/common/helper" "github.com/openstack-k8s-operators/lib-common/modules/common/secret" + oko_secret "github.com/openstack-k8s-operators/lib-common/modules/common/secret" "github.com/openstack-k8s-operators/lib-common/modules/common/util" "sigs.k8s.io/controller-runtime/pkg/client" ) @@ -52,12 +57,91 @@ func GenerateConfigsGeneric( } if scripts { cms = append(cms, util.Template{ - Name: fmt.Sprintf("%s-scripts", instance.GetName()), - Namespace: instance.GetNamespace(), - Type: util.TemplateTypeScripts, - InstanceType: instance.GetObjectKind().GroupVersionKind().Kind, - Labels: cmLabels, + Name: fmt.Sprintf("%s-scripts", instance.GetName()), + Namespace: instance.GetNamespace(), + Type: util.TemplateTypeScripts, + InstanceType: instance.GetObjectKind().GroupVersionKind().Kind, + ConfigOptions: templateParameters, + Labels: cmLabels, }) } return secret.EnsureSecrets(ctx, h, instance, cms, envVars) } + +func GenerateSecretStoreTemplateMap( + enabledSecretStores []barbicanv1beta1.SecretStore, + globalDefaultSecretStore barbicanv1beta1.SecretStore, +) (map[string]interface{}, error) { + // Log := r.GetLogger(ctx) + stores := []string{} + if len(enabledSecretStores) == 0 { + stores = []string{"simple_crypto"} + } else { + for _, value := range enabledSecretStores { + stores = append(stores, string(value)) + } + } + + if len(globalDefaultSecretStore) == 0 { + globalDefaultSecretStore = "simple_crypto" + } + + tempMap := map[string]interface{}{ + "EnabledSecretStores": strings.Join(stores, ","), + "GlobalDefaultSecretStore": globalDefaultSecretStore, + "SimpleCryptoEnabled": slices.Contains(stores, "simple_crypto"), + "PKCS11CryptoEnabled": slices.Contains(stores, "pkcs11"), + } + return tempMap, nil +} + +func GeneratePKCS11TemplateMap( + ctx context.Context, + h *helper.Helper, + pkcs11 barbicanv1beta1.BarbicanPKCS11Template, + namespace string, +) (map[string]interface{}, error) { + tempMap := map[string]interface{}{} + hsmLoginSecret, _, err := oko_secret.GetSecret(ctx, h, pkcs11.LoginSecret, namespace) + if err != nil { + return nil, err + } + + if len(pkcs11.TokenSerialNumber) > 0 { + tempMap["P11TokenSerialNumber"] = pkcs11.TokenSerialNumber + } + if len(pkcs11.TokenLabels) > 0 { + tempMap["P11TokenLabels"] = pkcs11.TokenLabels + } + if len(pkcs11.SlotId) > 0 { + tempMap["P11SlotId"] = pkcs11.SlotId + } + + // Checking if a supported HSM type has been provided. + if !slices.Contains(barbicanv1beta1.HSMTypes, strings.ToLower(pkcs11.Type)) { + return nil, errors.New("no valid HSM type provided!map[string]interface{}") + } + + tempMap["P11Enabled"] = true + tempMap["P11LibraryPath"] = pkcs11.LibraryPath + tempMap["P11CertificatesMountPoint"] = pkcs11.CertificatesMountPoint + tempMap["P11Login"] = string(hsmLoginSecret.Data["hsmLogin"]) + tempMap["P11MKEKLabel"] = pkcs11.MKEKLabel + tempMap["P11MKEKLength"] = pkcs11.MKEKLength + tempMap["P11HMACLabel"] = pkcs11.HMACLabel + tempMap["P11HMACKeyType"] = pkcs11.HMACKeyType + tempMap["P11HMACKeygenMechanism"] = pkcs11.HMACKeygenMechanism + tempMap["P11HMACMechanism"] = pkcs11.HMACMechanism + tempMap["P11LoggingLevel"] = pkcs11.LoggingLevel + tempMap["P11ServerAddress"] = pkcs11.ServerAddress + tempMap["P11ClientAddress"] = pkcs11.ClientAddress + tempMap["P11Type"] = strings.ToLower(pkcs11.Type) + tempMap["P11EncryptionMechanism"] = pkcs11.EncryptionMechanism + tempMap["P11KeyWrapMechanism"] = pkcs11.KeyWrapMechanism + tempMap["P11AESGCMGenerateIV"] = pkcs11.AESGCMGenerateIV + tempMap["P11KeyWrapGenerateIV"] = pkcs11.KeyWrapGenerateIV + tempMap["P11AlwaysSetCKASensitive"] = pkcs11.AlwaysSetCKASensitive + tempMap["P11OSLockingOK"] = pkcs11.OSLockingOK + + return tempMap, nil +} diff --git a/controllers/barbican_controller.go b/controllers/barbican_controller.go index f677ea90..164ee48e 100644 --- a/controllers/barbican_controller.go +++ b/controllers/barbican_controller.go @@ -19,6 +19,7 @@ package controllers import ( "context" "fmt" + "slices" "time" "k8s.io/apimachinery/pkg/runtime" @@ -48,6 +49,7 @@ import ( "github.com/openstack-k8s-operators/lib-common/modules/common/tls" "github.com/openstack-k8s-operators/lib-common/modules/common/util" mariadbv1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1" + "golang.org/x/exp/maps" batchv1 "k8s.io/api/batch/v1" corev1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" @@ -55,6 +57,15 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +const ( + P11PrepReadyCondition = "P11PrepReady" + P11PrepReadyInitMessage = "P11 Prep job not started" + P11PrepReadyMessage = "P11 Prep job completed" + P11PrepReadyErrorMessage = "P11 Prep job error occurred %s" + P11PrepReadyRunningMessage = "P11 Prep job is still running" + P11PrepReadyNotRunMessage = "P11 Prep job not run" +) + // BarbicanReconciler reconciles a Barbican object type BarbicanReconciler struct { client.Client @@ -136,7 +147,7 @@ func (r *BarbicanReconciler) Reconcile(ctx context.Context, req ctrl.Request) (r instance.Status.Conditions = condition.Conditions{} } - // Save a copy of the condtions so that we can restore the LastTransitionTime + // Save a copy of the conditions so that we can restore the LastTransitionTime // when a condition's state doesn't change. savedConditions := instance.Status.Conditions.DeepCopy() @@ -163,6 +174,7 @@ func (r *BarbicanReconciler) Reconcile(ctx context.Context, req ctrl.Request) (r // failure/in-progress operation condition.UnknownCondition(condition.ReadyCondition, condition.InitReason, condition.ReadyInitMessage), condition.UnknownCondition(condition.DBReadyCondition, condition.InitReason, condition.DBReadyInitMessage), + condition.UnknownCondition(P11PrepReadyCondition, condition.InitReason, P11PrepReadyInitMessage), condition.UnknownCondition(condition.DBSyncReadyCondition, condition.InitReason, condition.DBSyncReadyInitMessage), condition.UnknownCondition(condition.InputReadyCondition, condition.InitReason, condition.InputReadyInitMessage), condition.UnknownCondition(condition.ServiceConfigReadyCondition, condition.InitReason, condition.ServiceConfigReadyInitMessage), @@ -647,7 +659,26 @@ func (r *BarbicanReconciler) generateServiceConfig( "EnableSecureRBAC": instance.Spec.BarbicanAPI.EnableSecureRBAC, } - return GenerateConfigsGeneric(ctx, h, instance, envVars, templateParameters, customData, labels, false) + // Set secret store parameters + secretStoreTemplateMap, err := GenerateSecretStoreTemplateMap( + instance.Spec.EnabledSecretStores, + instance.Spec.GlobalDefaultSecretStore) + if err != nil { + return err + } + maps.Copy(templateParameters, secretStoreTemplateMap) + + // Set pkcs11 parameters + if slices.Contains(instance.Spec.EnabledSecretStores, "pkcs11") { + pkcs11TemplateMap, err := GeneratePKCS11TemplateMap( + ctx, h, *instance.Spec.PKCS11, instance.Namespace) + if err != nil { + return err + } + maps.Copy(templateParameters, pkcs11TemplateMap) + } + + return GenerateConfigsGeneric(ctx, h, instance, envVars, templateParameters, customData, labels, true) } func (r *BarbicanReconciler) transportURLCreateOrUpdate( @@ -919,11 +950,55 @@ func (r *BarbicanReconciler) reconcileInit( } instance.Status.Conditions.MarkTrue(condition.DBSyncReadyCondition, condition.DBSyncReadyMessage) + // + // run Barbican p11-prep if needed + // + if slices.Contains(instance.Spec.EnabledSecretStores, "pkcs11") { + p11Hash := instance.Status.Hash[barbicanv1beta1.P11PrepHash] + jobDef := barbican.P11PrepJob(instance, serviceLabels, serviceAnnotations) + + p11job := job.NewJob( + jobDef, + barbicanv1beta1.P11PrepHash, + instance.Spec.PreserveJobs, + time.Duration(5)*time.Second, + p11Hash, + ) + ctrlResult, err = p11job.DoJob( + ctx, + helper, + ) + if (ctrlResult != ctrl.Result{}) { + instance.Status.Conditions.Set(condition.FalseCondition( + P11PrepReadyCondition, + condition.RequestedReason, + condition.SeverityInfo, + P11PrepReadyRunningMessage)) + return ctrlResult, nil + } + if err != nil { + instance.Status.Conditions.Set(condition.FalseCondition( + P11PrepReadyCondition, + condition.ErrorReason, + condition.SeverityWarning, + P11PrepReadyErrorMessage, + err.Error())) + return ctrl.Result{}, err + } + if p11job.HasChanged() { + instance.Status.Hash[barbicanv1beta1.P11PrepHash] = p11job.GetHash() + Log.Info(fmt.Sprintf("Service '%s' - Job %s hash added - %s", instance.Name, jobDef.Name, instance.Status.Hash[barbicanv1beta1.P11PrepHash])) + } + instance.Status.Conditions.MarkTrue(P11PrepReadyCondition, P11PrepReadyMessage) + } else { + instance.Status.Conditions.MarkTrue(P11PrepReadyCondition, P11PrepReadyNotRunMessage) + } + + // run Barbican p11 prep - end + // when job passed, mark NetworkAttachmentsReadyCondition ready instance.Status.Conditions.MarkTrue(condition.NetworkAttachmentsReadyCondition, condition.NetworkAttachmentsReadyMessage) - // run Barbican db sync - end - Log.Info(fmt.Sprintf("Reconciled Service '%s' init successfully", instance.Name)) return ctrl.Result{}, nil } diff --git a/controllers/barbicanapi_controller.go b/controllers/barbicanapi_controller.go index 9d96d5e8..6c2ecf48 100644 --- a/controllers/barbicanapi_controller.go +++ b/controllers/barbicanapi_controller.go @@ -19,6 +19,8 @@ package controllers import ( "context" "fmt" + "maps" + "slices" "time" "github.com/go-logr/logr" @@ -327,6 +329,25 @@ func (r *BarbicanAPIReconciler) generateServiceConfigs( "EnableSecureRBAC": instance.Spec.EnableSecureRBAC, } + // Set secret store parameters + secretStoreTemplateMap, err := GenerateSecretStoreTemplateMap( + instance.Spec.EnabledSecretStores, + instance.Spec.GlobalDefaultSecretStore) + if err != nil { + return err + } + maps.Copy(templateParameters, secretStoreTemplateMap) + + // Set pkcs11 parameters + if slices.Contains(instance.Spec.EnabledSecretStores, "pkcs11") { + pkcs11TemplateMap, err := GeneratePKCS11TemplateMap( + ctx, h, *instance.Spec.PKCS11, instance.Namespace) + if err != nil { + return err + } + maps.Copy(templateParameters, pkcs11TemplateMap) + } + // create httpd vhost template parameters httpdVhostConfig := map[string]interface{}{} for _, endpt := range []service.Endpoint{service.EndpointInternal, service.EndpointPublic} { diff --git a/controllers/barbicanworker_controller.go b/controllers/barbicanworker_controller.go index bffdf5bf..ef850914 100644 --- a/controllers/barbicanworker_controller.go +++ b/controllers/barbicanworker_controller.go @@ -19,6 +19,8 @@ package controllers import ( "context" "fmt" + "maps" + "slices" "time" "github.com/go-logr/logr" @@ -279,6 +281,25 @@ func (r *BarbicanWorkerReconciler) generateServiceConfigs( "SimpleCryptoKEK": string(simpleCryptoSecret.Data[instance.Spec.PasswordSelectors.SimpleCryptoKEK]), } + // Set secret store parameters + secretStoreTemplateMap, err := GenerateSecretStoreTemplateMap( + instance.Spec.EnabledSecretStores, + instance.Spec.GlobalDefaultSecretStore) + if err != nil { + return err + } + maps.Copy(templateParameters, secretStoreTemplateMap) + + // Set pkcs11 parameters + if slices.Contains(instance.Spec.EnabledSecretStores, "pkcs11") { + pkcs11TemplateMap, err := GeneratePKCS11TemplateMap( + ctx, h, *instance.Spec.PKCS11, instance.Namespace) + if err != nil { + return err + } + maps.Copy(templateParameters, pkcs11TemplateMap) + } + return GenerateConfigsGeneric(ctx, h, instance, envVars, templateParameters, customData, labels, false) } diff --git a/hack/crd-schema-checker.sh b/hack/crd-schema-checker.sh index c431ae50..245ac0d5 100755 --- a/hack/crd-schema-checker.sh +++ b/hack/crd-schema-checker.sh @@ -16,6 +16,7 @@ for crd in config/crd/bases/*.yaml; do mkdir -p "$(dirname "$TMP_DIR/$crd")" git show "$BASE_REF:$crd" > "$TMP_DIR/$crd" $CHECKER check-manifests \ + --disabled-validators=NoBools,NoNewRequiredFields \ --existing-crd-filename="$TMP_DIR/$crd" \ --new-crd-filename="$crd" done diff --git a/pkg/barbican/const.go b/pkg/barbican/const.go index 992d5497..b5ef16ac 100644 --- a/pkg/barbican/const.go +++ b/pkg/barbican/const.go @@ -47,7 +47,12 @@ const ( Barbican storage.PropagationType = "Barbican" // BarbicanLogPath is the path used by BarbicanAPI to stream/store its logs BarbicanLogPath = "/var/log/barbican/" - // LogVolume is the default logVolume name used to mount logs on both - // BarbicanAPI and the sidecar container + // LogVolume is the default volume name used to mount logs LogVolume = "logs" + // ConfigVolume is the default volume name used to mount service config + ConfigVolume = "config-data" + // ScriptVolume is the default volume name used to mount scripts + ScriptVolume = "scripts" + // LunaVolume is the volume used to mount Luna certificates + LunaVolume = "hsm-luna-certificates" ) diff --git a/pkg/barbican/p11_prep.go b/pkg/barbican/p11_prep.go new file mode 100644 index 00000000..0e3cee99 --- /dev/null +++ b/pkg/barbican/p11_prep.go @@ -0,0 +1,91 @@ +package barbican + +import ( + barbicanv1beta1 "github.com/openstack-k8s-operators/barbican-operator/api/v1beta1" + + "github.com/openstack-k8s-operators/lib-common/modules/common/env" + batchv1 "k8s.io/api/batch/v1" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +const ( + // P11PrepCommand - + P11PrepCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start" + P11PrepConfig = "p11-prep-config-data" +) + +// P11PrepJob func +func P11PrepJob(instance *barbicanv1beta1.Barbican, labels map[string]string, annotations map[string]string) *batchv1.Job { + secretNames := []string{} + + // The P11 Prep job just needs the main barbican config files, and the files + // needed to communicate with the relevant HSM. + p11Volumes := []corev1.Volume{ + GetScriptVolume(instance.Name + "-scripts"), + } + p11Volumes = append(p11Volumes, GetVolumes(instance.Name, secretNames)...) + + p11Mounts := []corev1.VolumeMount{ + GetKollaConfigVolumeMount(instance.Name + "-p11-prep"), + GetScriptVolumeMount(), + } + p11Mounts = append(p11Mounts, GetVolumeMounts(secretNames)...) + + // add CA cert if defined + if instance.Spec.BarbicanAPI.TLS.CaBundleSecretName != "" { + p11Volumes = append(p11Volumes, instance.Spec.BarbicanAPI.TLS.CreateVolume()) + p11Mounts = append(p11Mounts, instance.Spec.BarbicanAPI.TLS.CreateVolumeMounts(nil)...) + } + + // add any HSM volumes + p11Volumes = append(p11Volumes, GetHSMVolumes(*instance.Spec.PKCS11)...) + p11Mounts = append(p11Mounts, GetHSMVolumeMounts(*instance.Spec.PKCS11)...) + + // add luna specific config files + + args := []string{"-c", P11PrepCommand} + + runAsUser := int64(0) + envVars := map[string]env.Setter{} + envVars["KOLLA_CONFIG_STRATEGY"] = env.SetValue("COPY_ALWAYS") + envVars["KOLLA_BOOTSTRAP"] = env.SetValue("TRUE") + + job := &batchv1.Job{ + ObjectMeta: metav1.ObjectMeta{ + Name: instance.Name + "-p11-prep", + Namespace: instance.Namespace, + Labels: labels, + }, + Spec: batchv1.JobSpec{ + Template: corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: annotations, + }, + Spec: corev1.PodSpec{ + RestartPolicy: corev1.RestartPolicyOnFailure, + ServiceAccountName: instance.RbacResourceName(), + Containers: []corev1.Container{ + { + Name: instance.Name + "-p11-prep", + Command: []string{ + "/bin/bash", + }, + Args: args, + Image: instance.Spec.BarbicanAPI.ContainerImage, + SecurityContext: &corev1.SecurityContext{ + RunAsUser: &runAsUser, + }, + Env: env.MergeEnvs([]corev1.EnvVar{}, envVars), + VolumeMounts: p11Mounts, + }, + }, + }, + }, + }, + } + + job.Spec.Template.Spec.Volumes = p11Volumes + + return job +} diff --git a/pkg/barbican/volumes.go b/pkg/barbican/volumes.go index 12714651..08c09b97 100644 --- a/pkg/barbican/volumes.go +++ b/pkg/barbican/volumes.go @@ -2,17 +2,24 @@ package barbican import ( "strconv" + "strings" + barbicanv1beta1 "github.com/openstack-k8s-operators/barbican-operator/api/v1beta1" corev1 "k8s.io/api/core/v1" ) +var ( + configMode int32 = 0640 + scriptMode int32 = 0740 +) + // GetVolumes - service volumes func GetVolumes(name string, secretNames []string) []corev1.Volume { var config0644AccessMode int32 = 0644 vm := []corev1.Volume{ { - Name: "config-data", + Name: ConfigVolume, VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ DefaultMode: &config0644AccessMode, @@ -32,12 +39,12 @@ func GetVolumeMounts(secretNames []string) []corev1.VolumeMount { vm := []corev1.VolumeMount{ { - Name: "config-data", + Name: ConfigVolume, MountPath: "/var/lib/config-data/default", ReadOnly: true, }, { - Name: "config-data", + Name: ConfigVolume, MountPath: "/etc/my.cnf", SubPath: "my.cnf", ReadOnly: true, @@ -51,7 +58,6 @@ func GetVolumeMounts(secretNames []string) []corev1.VolumeMount { // GetConfigSecretVolumes - Returns a list of volumes associated with a list of Secret names func GetConfigSecretVolumes(secretNames []string) ([]corev1.Volume, []corev1.VolumeMount) { - var config0640AccessMode int32 = 0640 secretVolumes := []corev1.Volume{} secretMounts := []corev1.VolumeMount{} @@ -61,7 +67,7 @@ func GetConfigSecretVolumes(secretNames []string) ([]corev1.Volume, []corev1.Vol VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ SecretName: secretName, - DefaultMode: &config0640AccessMode, + DefaultMode: &configMode, }, }, } @@ -79,24 +85,85 @@ func GetConfigSecretVolumes(secretNames []string) ([]corev1.Volume, []corev1.Vol } // GetLogVolumeMount - Returns the VolumeMount used for logging purposes -func GetLogVolumeMount() []corev1.VolumeMount { - return []corev1.VolumeMount{ - { - Name: LogVolume, - MountPath: "/var/log/barbican", - ReadOnly: false, - }, +func GetLogVolumeMount() corev1.VolumeMount { + return corev1.VolumeMount{ + Name: LogVolume, + MountPath: "/var/log/barbican", + ReadOnly: false, } } // GetLogVolume - Returns the Volume used for logging purposes -func GetLogVolume() []corev1.Volume { - return []corev1.Volume{ - { - Name: LogVolume, - VolumeSource: corev1.VolumeSource{ - EmptyDir: &corev1.EmptyDirVolumeSource{Medium: ""}, +func GetLogVolume() corev1.Volume { + return corev1.Volume{ + Name: LogVolume, + VolumeSource: corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{Medium: ""}, + }, + } +} + +// GetScriptVolumeMount - Returns the VolumeMount for scripts +func GetScriptVolumeMount() corev1.VolumeMount { + return corev1.VolumeMount{ + Name: ScriptVolume, + MountPath: "/var/lib/openstack/bin", + ReadOnly: true, + } +} + +// GetScriptVolume - Return the Volume for scripts +func GetScriptVolume(secretName string) corev1.Volume { + return corev1.Volume{ + Name: ScriptVolume, + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + DefaultMode: &scriptMode, + SecretName: secretName, }, }, } } + +// GetKollaConfigVolumeMount - Returns the VolumeMount for the kolla config file +func GetKollaConfigVolumeMount(serviceName string) corev1.VolumeMount { + return corev1.VolumeMount{ + Name: ConfigVolume, + MountPath: "/var/lib/kolla/config_files/config.json", + SubPath: serviceName + "-config.json", + ReadOnly: true, + } +} + +// GetHSMVolume - Returns Volumes for HSM secrets +func GetHSMVolumes(pkcs11 barbicanv1beta1.BarbicanPKCS11Template) []corev1.Volume { + var config0644AccessMode int32 = 0644 + if strings.ToLower(pkcs11.Type) == "luna" { + return []corev1.Volume{ + { + Name: LunaVolume, + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + DefaultMode: &config0644AccessMode, + SecretName: pkcs11.CertificatesSecret, + }, + }, + }, + } + } + return nil +} + +// GetHSMVolumeMount - Returns Volume Mounts for HSM secrets +func GetHSMVolumeMounts(pkcs11 barbicanv1beta1.BarbicanPKCS11Template) []corev1.VolumeMount { + if strings.ToLower(pkcs11.Type) == "luna" { + return []corev1.VolumeMount{ + { + Name: LunaVolume, + MountPath: pkcs11.CertificatesMountPoint, + ReadOnly: true, + }, + } + } + return nil +} diff --git a/pkg/barbicanapi/deployment.go b/pkg/barbicanapi/deployment.go index 19eb286c..aad85e8d 100644 --- a/pkg/barbicanapi/deployment.go +++ b/pkg/barbicanapi/deployment.go @@ -2,6 +2,7 @@ package barbicanapi import ( "fmt" + "slices" "github.com/openstack-k8s-operators/lib-common/modules/common/env" "github.com/openstack-k8s-operators/lib-common/modules/common/service" @@ -70,20 +71,13 @@ func Deployment( }, }, }, + barbican.GetLogVolume(), } - apiVolumes = append(apiVolumes, barbican.GetLogVolume()...) apiVolumeMounts := []corev1.VolumeMount{ - { - Name: "config-data", - MountPath: "/var/lib/kolla/config_files/config.json", - SubPath: "barbican-api-config.json", - ReadOnly: true, - }, + barbican.GetKollaConfigVolumeMount(instance.Name), + barbican.GetLogVolumeMount(), } - // Append LogVolume to the apiVolumes: this will be used to stream - // logging - apiVolumeMounts = append(apiVolumeMounts, barbican.GetLogVolumeMount()...) // add CA cert if defined if instance.Spec.TLS.CaBundleSecretName != "" { @@ -110,6 +104,12 @@ func Deployment( } } + // Add PKCS11 volumes + if slices.Contains(instance.Spec.EnabledSecretStores, "pkcs11") { + apiVolumes = append(apiVolumes, barbican.GetHSMVolumes(*instance.Spec.PKCS11)...) + apiVolumeMounts = append(apiVolumeMounts, barbican.GetHSMVolumeMounts(*instance.Spec.PKCS11)...) + } + deployment := &appsv1.Deployment{ ObjectMeta: metav1.ObjectMeta{ Name: fmt.Sprintf("%s-api", instance.Name), @@ -147,7 +147,7 @@ func Deployment( RunAsUser: &runAsUser, }, Env: env.MergeEnvs([]corev1.EnvVar{}, envVars), - VolumeMounts: barbican.GetLogVolumeMount(), + VolumeMounts: []corev1.VolumeMount{barbican.GetLogVolumeMount()}, Resources: instance.Spec.Resources, ReadinessProbe: readinessProbe, LivenessProbe: livenessProbe, diff --git a/pkg/barbicankeystonelistener/deployment.go b/pkg/barbicankeystonelistener/deployment.go index 85562dbc..a4945b46 100644 --- a/pkg/barbicankeystonelistener/deployment.go +++ b/pkg/barbicankeystonelistener/deployment.go @@ -41,20 +41,13 @@ func Deployment( }, }, }, + barbican.GetLogVolume(), } - keystoneListenerVolumes = append(keystoneListenerVolumes, barbican.GetLogVolume()...) keystoneListenerVolumeMounts := []corev1.VolumeMount{ - { - Name: "config-data", - MountPath: "/var/lib/kolla/config_files/config.json", - SubPath: "barbican-keystone-listener-config.json", - ReadOnly: true, - }, + barbican.GetKollaConfigVolumeMount(instance.Name), + barbican.GetLogVolumeMount(), } - // Append LogVolume to the apiVolumes: this will be used to stream - // logging - keystoneListenerVolumeMounts = append(keystoneListenerVolumeMounts, barbican.GetLogVolumeMount()...) // Add the CA bundle if instance.Spec.TLS.CaBundleSecretName != "" { @@ -99,7 +92,7 @@ func Deployment( RunAsUser: &runAsUser, }, Env: env.MergeEnvs([]corev1.EnvVar{}, envVars), - VolumeMounts: barbican.GetLogVolumeMount(), + VolumeMounts: []corev1.VolumeMount{barbican.GetLogVolumeMount()}, Resources: instance.Spec.Resources, }, { diff --git a/pkg/barbicanworker/deployment.go b/pkg/barbicanworker/deployment.go index d7406de8..4bd8a12a 100644 --- a/pkg/barbicanworker/deployment.go +++ b/pkg/barbicanworker/deployment.go @@ -2,6 +2,7 @@ package barbicanworker import ( "fmt" + "slices" "github.com/openstack-k8s-operators/lib-common/modules/common/env" appsv1 "k8s.io/api/apps/v1" @@ -65,20 +66,13 @@ func Deployment( }, }, }, + barbican.GetLogVolume(), } - workerVolumes = append(workerVolumes, barbican.GetLogVolume()...) workerVolumeMounts := []corev1.VolumeMount{ - { - Name: "config-data", - MountPath: "/var/lib/kolla/config_files/config.json", - SubPath: "barbican-worker-config.json", - ReadOnly: true, - }, + barbican.GetKollaConfigVolumeMount(instance.Name), + barbican.GetLogVolumeMount(), } - // Append LogVolume to the apiVolumes: this will be used to stream - // logging - workerVolumeMounts = append(workerVolumeMounts, barbican.GetLogVolumeMount()...) // Add the CA bundle if instance.Spec.TLS.CaBundleSecretName != "" { @@ -86,6 +80,12 @@ func Deployment( workerVolumeMounts = append(workerVolumeMounts, instance.Spec.TLS.CreateVolumeMounts(nil)...) } + // Add PKCS11 volumes + if slices.Contains(instance.Spec.EnabledSecretStores, "pkcs11") { + workerVolumes = append(workerVolumes, barbican.GetHSMVolumes(*instance.Spec.PKCS11)...) + workerVolumeMounts = append(workerVolumeMounts, barbican.GetHSMVolumeMounts(*instance.Spec.PKCS11)...) + } + deployment := &appsv1.Deployment{ ObjectMeta: metav1.ObjectMeta{ Name: fmt.Sprintf("%s-worker", instance.Name), @@ -123,7 +123,7 @@ func Deployment( RunAsUser: &runAsUser, }, Env: env.MergeEnvs([]corev1.EnvVar{}, envVars), - VolumeMounts: barbican.GetLogVolumeMount(), + VolumeMounts: []corev1.VolumeMount{barbican.GetLogVolumeMount()}, Resources: instance.Spec.Resources, //ReadinessProbe: readinessProbe, //LivenessProbe: livenessProbe, diff --git a/templates/barbican/bin/generate_p11_keys.sh b/templates/barbican/bin/generate_p11_keys.sh new file mode 100755 index 00000000..fed31bc8 --- /dev/null +++ b/templates/barbican/bin/generate_p11_keys.sh @@ -0,0 +1,24 @@ +#!/bin/bash +# Copyright 2024. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +set -xe + +{{- if and (index . "P11Enabled") .P11Enabled }} +echo "Creating MKEK label {{ .P11MKEKLabel }}" +barbican-manage hsm check_mkek --label {{ .P11MKEKLabel }} || barbican-manage hsm gen_mkek --label {{ .P11MKEKLabel }} + +echo "Creating HMAC label {{ .P11HMACLabel }}" +barbican-manage hsm check_hmac --label {{ .P11HMACLabel }} || barbican-manage hsm gen_hmac --label {{ .P11HMACLabel }} +{{- end }} diff --git a/templates/barbican/config/00-default.conf b/templates/barbican/config/00-default.conf index 9583f72d..2149ad73 100644 --- a/templates/barbican/config/00-default.conf +++ b/templates/barbican/config/00-default.conf @@ -1,9 +1,9 @@ [DEFAULT] # keep this for backward compatibility sql_connection = {{ .DatabaseConnection }} -{{ if (index . "ServiceURL") }} +{{- if (index . "ServiceURL") }} host_href = {{ .ServiceURL }} -{{ end }} +{{- end }} debug = true transport_url = {{ .TransportURL }} log_file = {{ .LogFile }} @@ -24,7 +24,7 @@ password = {{ .ServicePassword }} project_name=service project_domain_name=Default interface = internal -{{ end }} +{{- end }} [keystone_notifications] enable = true @@ -33,26 +33,69 @@ topic = barbican_notifications [oslo_messaging_notifications] driver=messagingv2 -{{ if (index . "EnableSecureRBAC") }} +{{- if (index . "EnableSecureRBAC") }} [oslo_policy] enforce_scope = {{ .EnableSecureRBAC }} enforce_new_defaults = {{ .EnableSecureRBAC }} -{{ end }} +{{- end }} [queue] enable = true +{{- if (index . "EnabledSecretStores") }} + [secretstore] enable_multiple_secret_stores = true -stores_lookup_suffix = simple_crypto +stores_lookup_suffix = {{ .EnabledSecretStores }} +{{- end }} + +{{- if and (index . "SimpleCryptoEnabled") .SimpleCryptoEnabled }} [secretstore:simple_crypto] secret_store_plugin = store_crypto crypto_plugin = simple_crypto +{{- if eq .GlobalDefaultSecretStore "simple_crypto" }} global_default = true +{{- end }} [simple_crypto_plugin] plugin_name = Software Only Crypto -{{ if (index . "SimpleCryptoKEK") }} +{{- if (index . "SimpleCryptoKEK") }} kek = {{ .SimpleCryptoKEK }} +{{- end }} {{ end }} + +{{- if and (index . "P11Enabled") .P11Enabled }} +[secretstore:pkcs11] +secret_store_plugin = store_crypto +crypto_plugin = p11_crypto +{{- if eq .GlobalDefaultSecretStore "pkcs11" }} +global_default = true +{{- end }} + +[p11_crypto_plugin] +plugin_name = PKCS11 +library_path = {{ .P11LibraryPath }} +{{- if (index . "P11TokenSerialNumber") }} +token_serial_number = {{ .P11TokenSerialNumber }} +{{- end }} +{{- if (index . "P11TokenLabels") }} +token_labels = {{ .P11TokenLabels }} +{{- end -}} +{{- if (index . "P11SlotId") }} +slot_id = {{ .P11SlotId }} +{{- end }} +mkek_label = {{ .P11MKEKLabel }} +mkek_length = {{ .P11MKEKLength }} +hmac_label = {{ .P11HMACLabel }} +encryption_mechanism = {{ .P11EncryptionMechanism }} +aes_gcm_generate_iv = {{ .P11AESGCMGenerateIV }} +hmac_key_type = {{ .P11HMACKeyType }} +hmac_keygen_mechanism = {{ .P11HMACKeygenMechanism }} +hmac_keywrap_mechanism = {{ .P11HMACMechanism }} +key_wrap_mechanism = {{ .P11KeyWrapMechanism }} +key_wrap_generate_iv = {{ .P11KeyWrapGenerateIV }} +always_set_cka_sensitive = {{ .P11AlwaysSetCKASensitive }} +os_locking_ok = {{ .P11OSLockingOK }} +login = {{ .P11Login }} +{{- end }} diff --git a/templates/barbican/config/Chrystoki.conf b/templates/barbican/config/Chrystoki.conf new file mode 100644 index 00000000..92f5e23c --- /dev/null +++ b/templates/barbican/config/Chrystoki.conf @@ -0,0 +1,41 @@ +{{- if and (index . "P11Enabled") .P11Enabled }} +{{- if eq .P11Type "luna" }} +Chrystoki2 = { + LibUNIX = {{ .P11LibraryPath }}; + LibUNIX64 = {{ .P11LibraryPath }}; +} + +Luna = { + DefaultTimeOut = 500000; + PEDTimeout1 = 100000; + PEDTimeout2 = 200000; + PEDTimeout3 = 10000; + KeypairGenTimeOut = 2700000; + CloningCommandTimeOut = 300000; + CommandTimeOutPedSet = 720000; +} + +CardReader = { + RemoteCommand = 1; +} + +Misc = { + PE1746Enabled = 0; + ProtectedAuthenticationPathFlagStatus = 0; +} + +LunaSA Client = { + ReceiveTimeout = 20000; + SSLConfigFile = /usr/local/luna/openssl.cnf; + ClientPrivKeyFile = {{ .P11CertificatesMountPoint }}/{{ .P11ClientAddress }}Key.pem; + ClientCertFile = {{ .P11CertificatesMountPoint }}/{{ .P11ClientAddress }}.pem; + ServerCAFile = {{ .P11CertificatesMountPoint }}/{{ .P11ServerAddress }}Cert.pem; + NetClient = 1; + TCPKeepAlive = 1; + EnableTLS1_2 = 1; + ServerName00 = {{ .P11ServerAddress }}; + ServerPort00 = 1792; + ServerHtl00 = 0; +} +{{ end -}} +{{ end -}} diff --git a/templates/barbican/config/barbican-api-config.json b/templates/barbican/config/barbican-api-config.json index d5fe8f04..1d24f3f8 100644 --- a/templates/barbican/config/barbican-api-config.json +++ b/templates/barbican/config/barbican-api-config.json @@ -77,6 +77,14 @@ "perm": "0600", "optional": true, "merge": true + }, + { + "source": "/var/lib/config-data/default/Chrystoki.conf", + "dest": "/usr/local/luna/Chrystoki.conf", + "owner": "barbican", + "perm": "0600", + "optional": true, + "merge": true } ], "permissions": [ diff --git a/templates/barbican/config/barbican-p11-prep-config.json b/templates/barbican/config/barbican-p11-prep-config.json new file mode 100644 index 00000000..d811bb2e --- /dev/null +++ b/templates/barbican/config/barbican-p11-prep-config.json @@ -0,0 +1,25 @@ +{ + "command": "generate_p11_keys.sh", + "config_files": [ + { + "source": "/var/lib/openstack/bin/generate_p11_keys.sh", + "dest": "/bin/", + "owner": "barbican", + "perm": "0700" + }, + { + "source": "/var/lib/config-data/default/00-default.conf", + "dest": "/etc/barbican/barbican.conf.d/00-default.conf", + "owner": "barbican", + "perm": "0600" + }, + { + "source": "/var/lib/config-data/default/Chrystoki.conf", + "dest": "//usr/local/luna/Chrystoki.conf", + "owner": "barbican", + "perm": "0600", + "optional": true, + "merge": true + } + ] +} diff --git a/templates/barbican/config/barbican-worker-config.json b/templates/barbican/config/barbican-worker-config.json index 18d91f3f..860be3c6 100644 --- a/templates/barbican/config/barbican-worker-config.json +++ b/templates/barbican/config/barbican-worker-config.json @@ -27,6 +27,14 @@ "owner": "barbican", "perm": "0755", "optional": true + }, + { + "source": "/var/lib/config-data/default/Chrystoki.conf", + "dest": "/usr/local/luna/Chrystoki.conf", + "owner": "barbican", + "perm": "0600", + "optional": true, + "merge": true } ], "permissions": [