

Barbican support for Thales Luna HSM
Signed-off-by: Mauricio Harley <[email protected]>
Co-authored-by: Ade Lee <[email protected]>
Mauricio Harley and vakwetu committed Nov 14, 2024
1 parent b7a77ac commit ef4921e
Showing 30 changed files with 1,806 additions and 75 deletions.
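--- a/api/bases/barbican.openstack.org_barbicanapis.yaml
+++ b/api/bases/barbican.openstack.org_barbicanapis.yaml
@@ -89,6 +89,25 @@ spec:
 description: EnableSecureRBAC - Enable Consistent and Secure RBAC
 policies
 type: boolean
+enabledSecretStores:
+items:
+description: This SecretStore type is used by the EnabledSecretStores
+variable inside the specification.
+enum:
+- simple_crypto
+- pkcs11
+type: string
+maxItems: 2
+minItems: 1
+type: array
+globalDefaultSecretStore:
+default: simple_crypto
+description: This SecretStore type is used by the EnabledSecretStores
+variable inside the specification.
+enum:
+- simple_crypto
+- pkcs11
+type: string
 networkAttachments:
 description: NetworkAttachments is a list of NetworkAttachment resource
 names to expose the services to the given network
@@ -292,6 +311,113 @@ spec:
 default: SimpleCryptoKEK
 type: string
 type: object
+pkcs11:
+description: BarbicanPKCS11Template - Includes all common HSM properties
+properties:
+AESGCMGenerateIV:
+default: true
+description: Generate IVs for CKM_AES_GCM mechanism
+type: boolean
+HMACKeyType:
+default: CKK_GENERIC_SECRET
+description: HMAC Key Type
+type: string
+HMACKeygenMechanism:
+default: CKM_GENERIC_SECRET_KEY_GEN
+description: HMAC Keygen Mechanism
+type: string
+HMACLabel:
+description: Label to identify HMAC key in the HSM (must not be
+the same as MKEK label)
+type: string
+HMACMechanism:
+default: CKM_SHA256_HMAC
+description: HMAC Mechanism. This replaces hsm_keywrap_mechanism
+type: string
+MKEKLabel:
+description: Label to identify master KEK in the HSM (must not
+be the same as HMAC label)
+type: string
+MKEKLength:
+default: 32
+description: Length in bytes of master KEK
+type: integer
+OSLockingOK:
+default: false
+description: Set os_locking_ok
+type: boolean
+alwaysSetCKASensitive:
+default: true
+description: Always set cka_sentivie
+type: boolean
+certificatesMountPoint:
+description: The mounting point where the certificates will be
+copied to (e.g., /usr/local/luna/config/certs).
+type: string
+certificatesSecret:
+description: The OpenShift secret that stores the HSM certificates.
+type: string
+clientAddress:
+description: The IP address of the client connecting to the HSM
+(X.Y.Z.K)
+type: string
+encryptionMechanism:
+default: CKM_AES_GCM
+description: Secret encryption mechanism
+type: string
+keyWrapGenerateIV:
+default: true
+description: Generate IVs for the key wrap mechanism
+type: boolean
+keyWrapMechanism:
+default: CKM_AES_KEY_WRAP_KWP
+description: Key wrap mechanism
+type: string
+libraryPath:
+description: Path to vendor's PKCS11 library
+type: string
+loggingLevel:
+default: 4
+description: Level of logging, where 0 means "no logging" and
+7 means "debug".
+maximum: 7
+minimum: 0
+type: integer
+loginSecret:
+description: OpenShift secret that stores the password to login
+to the PKCS11 session
+type: string
+serverAddress:
+description: The HSM's IPv4 address (X.Y.Z.K)
+type: string
+slotId:
+description: One of TokenSerialNumber, TokenLabels or SlotId must
+be defined. SlotId is used if none of the others is defined
+type: string
+tokenLabels:
+description: Token labels used to identify the token to be used.
+One of TokenSerialNumber, TokenLabels or SlotId must be specified.
+TokenLabels takes priority over SlotId. This can be a comma
+separated string of labels
+type: string
+tokenSerialNumber:
+description: Token serial number used to identify the token to
+be used. One of TokenSerialNumber, TokenLabels or SlotId must
+be defined. TokenSerialNumber takes priority over TokenLabels
+and SlotId
+type: string
+type:
+description: 'A string containing the HSM type (currently supported:
+"luna").'
+type: string
+required:
+- HMACLabel
+- MKEKLabel
+- libraryPath
+- loginSecret
+- serverAddress
+- type
+type: object
 rabbitMqClusterName:
 default: rabbitmq
 description: RabbitMQ instance name Needed to request a transportURL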
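Review bot: The `pkcs11` schema in the second hunk documents two constraints it does not enforce: `HMACLabel` and `MKEKLabel` "must not be the same", and at least one of `tokenSerialNumber`, `tokenLabels` or `slotId` "must be defined", yet `required` only demands that both labels exist and names none of the three token selectors, so a CR that reuses one label for the HMAC key and the master KEK, or that selects no token at all, is accepted by the API server and can only fail later in the operator or against the HSM. Since `api/bases` looks controller-gen generated, the check belongs on the Go type as `+kubebuilder:validation:XValidation` markers, which render here as `x-kubernetes-validations` entries such as `- rule: self.HMACLabel != self.MKEKLabel` and `- rule: has(self.slotId) || has(self.tokenLabels) || has(self.tokenSerialNumber)`. While there, the `alwaysSetCKASensitive` description reads "cka_sentivie" and should be "cka_sensitive", and `MKEKLength` could carry a `minimum` so a zero-length master KEK cannot be requested. The enclosing `spec` schema starts and ends outside the hunk.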
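--- a/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml
+++ b/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml
@@ -85,6 +85,25 @@ spec:
 files. Those get added to the service config dir in /etc/<service>
 . TODO: -> implement'
 type: object
+enabledSecretStores:
+items:
+description: This SecretStore type is used by the EnabledSecretStores
+variable inside the specification.
+enum:
+- simple_crypto
+- pkcs11
+type: string
+maxItems: 2
+minItems: 1
+type: array
+globalDefaultSecretStore:
+default: simple_crypto
+description: This SecretStore type is used by the EnabledSecretStores
+variable inside the specification.
+enum:
+- simple_crypto
+- pkcs11
+type: string
 networkAttachments:
 description: NetworkAttachments is a list of NetworkAttachment resource
 names to expose the services to the given network
@@ -114,6 +133,113 @@ spec:
 default: SimpleCryptoKEK
 type: string
 type: object
+pkcs11:
+description: BarbicanPKCS11Template - Includes all common HSM properties
+properties:
+AESGCMGenerateIV:
+default: true
+description: Generate IVs for CKM_AES_GCM mechanism
+type: boolean
+HMACKeyType:
+default: CKK_GENERIC_SECRET
+description: HMAC Key Type
+type: string
+HMACKeygenMechanism:
+default: CKM_GENERIC_SECRET_KEY_GEN
+description: HMAC Keygen Mechanism
+type: string
+HMACLabel:
+description: Label to identify HMAC key in the HSM (must not be
+the same as MKEK label)
+type: string
+HMACMechanism:
+default: CKM_SHA256_HMAC
+description: HMAC Mechanism. This replaces hsm_keywrap_mechanism
+type: string
+MKEKLabel:
+description: Label to identify master KEK in the HSM (must not
+be the same as HMAC label)
+type: string
+MKEKLength:
+default: 32
+description: Length in bytes of master KEK
+type: integer
+OSLockingOK:
+default: false
+description: Set os_locking_ok
+type: boolean
+alwaysSetCKASensitive:
+default: true
+description: Always set cka_sentivie
+type: boolean
+certificatesMountPoint:
+description: The mounting point where the certificates will be
+copied to (e.g., /usr/local/luna/config/certs).
+type: string
+certificatesSecret:
+description: The OpenShift secret that stores the HSM certificates.
+type: string
+clientAddress:
+description: The IP address of the client connecting to the HSM
+(X.Y.Z.K)
+type: string
+encryptionMechanism:
+default: CKM_AES_GCM
+description: Secret encryption mechanism
+type: string
+keyWrapGenerateIV:
+default: true
+description: Generate IVs for the key wrap mechanism
+type: boolean
+keyWrapMechanism:
+default: CKM_AES_KEY_WRAP_KWP
+description: Key wrap mechanism
+type: string
+libraryPath:
+description: Path to vendor's PKCS11 library
+type: string
+loggingLevel:
+default: 4
+description: Level of logging, where 0 means "no logging" and
+7 means "debug".
+maximum: 7
+minimum: 0
+type: integer
+loginSecret:
+description: OpenShift secret that stores the password to login
+to the PKCS11 session
+type: string
+serverAddress:
+description: The HSM's IPv4 address (X.Y.Z.K)
+type: string
+slotId:
+description: One of TokenSerialNumber, TokenLabels or SlotId must
+be defined. SlotId is used if none of the others is defined
+type: string
+tokenLabels:
+description: Token labels used to identify the token to be used.
+One of TokenSerialNumber, TokenLabels or SlotId must be specified.
+TokenLabels takes priority over SlotId. This can be a comma
+separated string of labels
+type: string
+tokenSerialNumber:
+description: Token serial number used to identify the token to
+be used. One of TokenSerialNumber, TokenLabels or SlotId must
+be defined. TokenSerialNumber takes priority over TokenLabels
+and SlotId
+type: string
+type:
+description: 'A string containing the HSM type (currently supported:
+"luna").'
+type: string
+required:
+- HMACLabel
+- MKEKLabel
+- libraryPath
+- loginSecret
+- serverAddress
+- type
+type: object
 rabbitMqClusterName:
 default: rabbitmq
 description: RabbitMQ instance name Needed to request a transportURL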
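Review bot: `globalDefaultSecretStore` in the first hunk defaults to `simple_crypto` while `enabledSecretStores` is an unconstrained list with only `minItems: 1` and `maxItems: 2`, so nothing ties the two together: a CR with `enabledSecretStores: [pkcs11]` and the defaulted global store is schema-valid even though its default store is not enabled, and `[simple_crypto, simple_crypto]` also passes because the array has no uniqueness constraint. A CEL rule on the parent object, `- rule: '!has(self.enabledSecretStores) || self.globalDefaultSecretStore in self.enabledSecretStores'`, together with `x-kubernetes-list-type: set` on `enabledSecretStores` (a `+listType=set` marker on the Go field, since this file appears generated), would reject both at admission instead of at reconcile time. The `pkcs11` block in the second hunk duplicates the one in barbicanapis.yaml and shares its documented-but-unenforced "labels must differ" and "one token selector required" constraints, which could be expressed as `x-kubernetes-validations` in the same way. The enclosing `spec` schema starts and ends outside the hunk.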
