openstack-k8s-operators · mauricioharley · Sep 20, 2024 · Sep 20, 2024 · Sep 20, 2024 · Sep 27, 2024
diff --git a/api/bases/barbican.openstack.org_barbicanapis.yaml b/api/bases/barbican.openstack.org_barbicanapis.yaml
@@ -35,6 +35,10 @@ spec:
           spec:
             description: BarbicanAPISpec defines the desired state of BarbicanAPI
             properties:
+              clientCertificate:
+                description: The OpenShift secret storing the client certificate plus
+                  its key
+                type: string
               containerImage:
                 description: ContainerImage - Barbican Container Image URL (will be
                   set to environmental default if empty)
@@ -80,6 +84,31 @@ spec:
                 description: EnableSecureRBAC - Enable Consistent and Secure RBAC
                   policies
                 type: boolean
+              hsmCertificates:
+                additionalProperties:
+                  type: string
+                description: The HSM certificates. The map's key is the HSM's IP address
+                  and the value is the OpenShift secret storing the certificate.
+                type: object
+              ipAddress:
+                description: IP address(es) of the HSM(s)
+                items:
+                  type: string
+                type: array
+              loggingLevel:
+                default: 4
+                description: Level of logging, where 0 means "no logging" and 7 means
+                  "debug".
+                maximum: 7
+                minimum: 0
+                type: integer
+              mode:
+                default: 0
+                description: Working mode for the HSM
+                enum:
+                - 0
+                - 2
+                type: integer
               networkAttachments:
                 description: NetworkAttachments is a list of NetworkAttachment resource
                   names to expose the services to the given network
@@ -283,6 +312,9 @@ spec:
                     default: SimpleCryptoKEK
                     type: string
                 type: object
+              pin:
+                description: The OpenShift secret storing the PKCS#11 HSM's password
+                type: string
               rabbitMqClusterName:
                 default: rabbitmq
                 description: RabbitMQ instance name Needed to request a transportURL

diff --git a/api/bases/barbican.openstack.org_barbicanworkers.yaml b/api/bases/barbican.openstack.org_barbicanworkers.yaml
@@ -35,6 +35,10 @@ spec:
           spec:
             description: BarbicanWorkerSpec defines the desired state of BarbicanWorker
             properties:
+              clientCertificate:
+                description: The OpenShift secret storing the client certificate plus
+                  its key
+                type: string
               containerImage:
                 description: ContainerImage - Barbican Container Image URL (will be
                   set to environmental default if empty)
@@ -74,6 +78,31 @@ spec:
                   files. Those get added to the service config dir in /etc/<service>
                   . TODO: -> implement'
                 type: object
+              hsmCertificates:
+                additionalProperties:
+                  type: string
+                description: The HSM certificates. The map's key is the HSM's IP address
+                  and the value is the OpenShift secret storing the certificate.
+                type: object
+              ipAddress:
+                description: IP address(es) of the HSM(s)
+                items:
+                  type: string
+                type: array
+              loggingLevel:
+                default: 4
+                description: Level of logging, where 0 means "no logging" and 7 means
+                  "debug".
+                maximum: 7
+                minimum: 0
+                type: integer
+              mode:
+                default: 0
+                description: Working mode for the HSM
+                enum:
+                - 0
+                - 2
+                type: integer
               networkAttachments:
                 description: NetworkAttachments is a list of NetworkAttachment resource
                   names to expose the services to the given network
@@ -103,6 +132,9 @@ spec:
                     default: SimpleCryptoKEK
                     type: string
                 type: object
+              pin:
+                description: The OpenShift secret storing the PKCS#11 HSM's password
+                type: string
               rabbitMqClusterName:
                 default: rabbitmq
                 description: RabbitMQ instance name Needed to request a transportURL

diff --git a/api/v1beta1/barbicanapi_types.go b/api/v1beta1/barbicanapi_types.go
@@ -64,6 +64,9 @@ type BarbicanAPISpec struct {
 
 	BarbicanAPITemplate `json:",inline"`
 
+	// BarbicanTrustwayTemplate - Representing the presence of an Eviden Trustway HSM
+	BarbicanTrustwayTemplate `json:",inline"`
+
 	// +kubebuilder:validation:Required
 	// DatabaseHostname - Barbican Database Hostname
 	DatabaseHostname string `json:"databaseHostname"`

diff --git a/api/v1beta1/barbicanworker_types.go b/api/v1beta1/barbicanworker_types.go
@@ -48,6 +48,9 @@ type BarbicanWorkerSpec struct {
 
 	TransportURLSecret string `json:"transportURLSecret,omitempty"`
 
+	// BarbicanTrustwayTemplate - Representing the presence of an Eviden Trustway HSM
+        BarbicanTrustwayTemplate `json:",inline"`
+
 	// +kubebuilder:validation:Optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// TLS - Parameters related to the TLS

diff --git a/api/v1beta1/common_types.go b/api/v1beta1/common_types.go
@@ -101,6 +101,44 @@ type BarbicanComponentTemplate struct {
 	NetworkAttachments []string `json:"networkAttachments,omitempty"`
 }
 
+// BarbicanHSMTemplate - Variables used by the operator to interact with an HSM
+type BarbicanHSMTemplate struct {
+        // +kubebuilder:validation:Optional
+        // IP address(es) of the HSM(s)
+        IPAddress []string `json:"ipAddress"`
+
+        // +kubebuilder:validation:Optional
+        // The OpenShift secret storing the PKCS#11 HSM's password
+        Pin string `json:"pin"`
+}
+
+// BarbicanTrustwayTemplate - Variables specific to Eviden's Trustway Proteccio HSMs
+type BarbicanTrustwayTemplate struct {
+        BarbicanHSMTemplate `json:",inline"`
+
+        // +kubebuilder:validation:Optional
+        // +kubebuilder:default=4
+        // +kubebuilder:validation:Maximum=7
+        // +kubebuilder:validation:Minimum=0
+        // Level of logging, where 0 means "no logging" and 7 means "debug".
+        LoggingLevel int `json:"loggingLevel"`
+
+        // +kubebuilder:validation:Optional
+        // The HSM certificates. The map's key is the HSM's IP address and
+        // the value is the OpenShift secret storing the certificate.
+        HSMCertificates map[string]string `json:"hsmCertificates"`
+
+        // +kubebuilder:validation:Optional
+        // The OpenShift secret storing the client certificate plus its key
+        ClientCertificate string `json:"clientCertificate"`
+
+        // +kubebuilder:validation:Optional
+        // +kubebuilder:default=0
+        // +kubebuilder:validation:Enum=0;2
+        // Working mode for the HSM
+        Mode int `json:"mode"`
+}
+
 // PasswordSelector to identify the DB and AdminUser password from the Secret
 type PasswordSelector struct {
 	// +kubebuilder:validation:Optional

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/barbican.openstack.org_barbicanapis.yaml b/config/crd/bases/barbican.openstack.org_barbicanapis.yaml
@@ -35,6 +35,10 @@ spec:
           spec:
             description: BarbicanAPISpec defines the desired state of BarbicanAPI
             properties:
+              clientCertificate:
+                description: The OpenShift secret storing the client certificate plus
+                  its key
+                type: string
               containerImage:
                 description: ContainerImage - Barbican Container Image URL (will be
                   set to environmental default if empty)
@@ -80,6 +84,31 @@ spec:
                 description: EnableSecureRBAC - Enable Consistent and Secure RBAC
                   policies
                 type: boolean
+              hsmCertificates:
+                additionalProperties:
+                  type: string
+                description: The HSM certificates. The map's key is the HSM's IP address
+                  and the value is the OpenShift secret storing the certificate.
+                type: object
+              ipAddress:
+                description: IP address(es) of the HSM(s)
+                items:
+                  type: string
+                type: array
+              loggingLevel:
+                default: 4
+                description: Level of logging, where 0 means "no logging" and 7 means
+                  "debug".
+                maximum: 7
+                minimum: 0
+                type: integer
+              mode:
+                default: 0
+                description: Working mode for the HSM
+                enum:
+                - 0
+                - 2
+                type: integer
               networkAttachments:
                 description: NetworkAttachments is a list of NetworkAttachment resource
                   names to expose the services to the given network
@@ -283,6 +312,9 @@ spec:
                     default: SimpleCryptoKEK
                     type: string
                 type: object
+              pin:
+                description: The OpenShift secret storing the PKCS#11 HSM's password
+                type: string
               rabbitMqClusterName:
                 default: rabbitmq
                 description: RabbitMQ instance name Needed to request a transportURL

diff --git a/config/crd/bases/barbican.openstack.org_barbicanworkers.yaml b/config/crd/bases/barbican.openstack.org_barbicanworkers.yaml
@@ -35,6 +35,10 @@ spec:
           spec:
             description: BarbicanWorkerSpec defines the desired state of BarbicanWorker
             properties:
+              clientCertificate:
+                description: The OpenShift secret storing the client certificate plus
+                  its key
+                type: string
               containerImage:
                 description: ContainerImage - Barbican Container Image URL (will be
                   set to environmental default if empty)
@@ -74,6 +78,31 @@ spec:
                   files. Those get added to the service config dir in /etc/<service>
                   . TODO: -> implement'
                 type: object
+              hsmCertificates:
+                additionalProperties:
+                  type: string
+                description: The HSM certificates. The map's key is the HSM's IP address
+                  and the value is the OpenShift secret storing the certificate.
+                type: object
+              ipAddress:
+                description: IP address(es) of the HSM(s)
+                items:
+                  type: string
+                type: array
+              loggingLevel:
+                default: 4
+                description: Level of logging, where 0 means "no logging" and 7 means
+                  "debug".
+                maximum: 7
+                minimum: 0
+                type: integer
+              mode:
+                default: 0
+                description: Working mode for the HSM
+                enum:
+                - 0
+                - 2
+                type: integer
               networkAttachments:
                 description: NetworkAttachments is a list of NetworkAttachment resource
                   names to expose the services to the given network
@@ -103,6 +132,9 @@ spec:
                     default: SimpleCryptoKEK
                     type: string
                 type: object
+              pin:
+                description: The OpenShift secret storing the PKCS#11 HSM's password
+                type: string
               rabbitMqClusterName:
                 default: rabbitmq
                 description: RabbitMQ instance name Needed to request a transportURL

diff --git a/hack/automation_scripts.md b/hack/automation_scripts.md
@@ -0,0 +1,45 @@
+# Automation Scripts
+
+## Build Custom Container Images
+
+This script is meant to be used when the environment where Barbican will work has an HSM (Hardware Security Module) in place.
+Since Barbican is able to store secrets when an HSM is present, it needs to be made aware of such presence. Two components
+are directly affected by the presence of an HSM:  Barbican API and Barbican Worker. The default container images do not have
+any HSM client software embedded in them since each manufacturer may have specifics on how their software can be distributed.
+
+Therefore, the container images need to be customized to include such client software. Depending on the vendor, the installation
+procedures might differ. You need to run the script corresponding to the vendor you use.
+
+### Eviden Trustway (previously, ATOS)
+
+For the Eviden (previously, ATOS) Trustway HSMs, you will use the `build_custom_image-eviden.sh` script. The usage is as follows:
+
+```bash
+$ bash build_custom_image-eviden.sh <source_registry_host> <namespace> <barbican-api_image_tag> <barbican-worker_image_tag> <eviden_iso_file> <destination_registry_host>
+```
+
+where:
+* `source_registry_host`:  corresponds to the FQDN (Fully Qualified Domain Name) of the registry that holds the default container images.
+Example:  quay.io.
+* `namespace`:  it's an internal repository organization that matches the OpenStack distribution with an operating system. Example: `podified-antelope-centos9`.
+* `barbican-api_image_tag`:  because OpenStack container images may not have the usual `latest` tag, you may need to manually obtain and provide the newest tag.  Example:  `75c508097e39a3423d9f2eef86648c4e`.
+* `barbican-worker_image_tag`:  something similar happens for the Barbican Worker image.  Example:  `71849c7583fa95ee18dcc0c73c93569d`.
+* `eviden_iso_file`:  this is the filename of the ISO file holding the Eviden HSM client software.  Example:  `Proteccio3.00.03.iso`.  **Please put it in the same directory as this script.**
+* `destination_registry_host`:  corresponds to the FQDN (Fully Qualified Domain Name) of the registry that will store the customized container images.
+Example:  hub.docker.com.
+
+>**Note 1**<br>
+**You need to edit the `build_custom_image-eviden.sh` script to include your username on the container registry. <br> This is necessary since one of the final steps the script takes is to push the new customized image to the registry.**
+
+>**Note 2**<br>
+**You must install both, `podman` and `buildah` for this script to successfully execute.**
+
+The script proceeds as follows:
+1. Pulls with `podman` the container images of Barbican API and Barbican Worker from the provided registry host.
+2. Creates a temporary directory and mounts the ISO client file on it.
+3. Creates two `Dockerfile`s (`Dockerfile.barbican-api` and `Dockerfile.barbican-worker`), for the two new container images. These files have instructions to copy and invoke the Eviden's installation script.
+4. Builds the new images with `buildah`.  At this stage, temporary containers will be created to execute the client software installation.
+5. Pushes the new image to the registry host you provided as parameter.  **For this sake, the script needs to be edited to have your username on this registry host.**
+6. Unmounts the ISO client software and deletes the temporary directory created on step 2.
+
+After this script successfully runs, you can start your Barbican operator deployment.