Barbican Support for Luna HSM #168
Conversation
There was a problem hiding this comment.
Next step of course is to take what you have here and add to the relevant specs.
Then you need to find where the config files are generated/templated and make the changes. See https://github.com/openstack-k8s-operators/keystone-operator/pull/479/files# as an example of what Dave is doing on the federation side.
mauricioharley
changed the title
api/v1beta1/common_types.go
Outdated
| // +kubebuilder:validation:Optional | ||
| // The HSM certificates. The map's key is the OpenShift secret storing the certificate, and | ||
| // the value is the mounting point (e.g., "luna-certificates": "/usr/local/luna/config/certs"). | ||
| HSMCertificates map[string]string `json:"hsmCertificates"` |
There was a problem hiding this comment.
can there be multiple hsm certificates involved? because if I read the PR correct, only one would be mounted . If if only one cert secret is used, can't we just mount them to a fixed patch, instead of making the path configurable?
If we need it to be configurable, why not have a list of a sub struct type with secretName and mountPath ?
There was a problem hiding this comment.
also what is the expected content of the secret? specific keys for referencing cert/key?
There was a problem hiding this comment.
This has been modified. We can have multiple certs but they will all be contained in a single secret - which will be mounted to a specific directory (mountpoint). The contents of the secret will be all the files that will be created in that directory.
mauricioharley
force-pushed
the
add_thales_luna_support
branch
from
ce15cd3 to
e57a4e2
Compare
mauricioharley
force-pushed
the
add_thales_luna_support
branch
2 times, most recently
from
7be00a5 to
3cab58f
Compare
mauricioharley
force-pushed
the
add_thales_luna_support
branch
3 times, most recently
from
ef4921e to
434b386
Compare
|
Looks like kuttl tests are passing. but the deploy-test there is failing while waiting on galera. |
|
/test barbican-operator-build-deploy-kuttl |
1 similar comment
|
/test barbican-operator-build-deploy-kuttl |
|
/test barbican-operator-build-deploy-kuttl |
|
/retest |
mauricioharley
force-pushed
the
add_thales_luna_support
branch
3 times, most recently
from
2723ff1 to
693987b
Compare
|
/test barbican-operator-build-deploy-kuttl |
hold-the-node Signed-off-by: Mauricio Harley <[email protected]> Co-authored-by: Ade Lee <[email protected]> Co-authored-by: Grzegorz Grasza <[email protected]>
xek
force-pushed
the
add_thales_luna_support
branch
from
693987b to
d84132c
Compare
| @@ -16,6 +16,7 @@ for crd in config/crd/bases/*.yaml; do | |||
| mkdir -p "$(dirname "$TMP_DIR/$crd")" | |||
| git show "$BASE_REF:$crd" > "$TMP_DIR/$crd" | |||
| $CHECKER check-manifests \ | |||
| --disabled-validators=NoBools,NoNewRequiredFields \ | |||
There was a problem hiding this comment.
OK - so this was just for testing. We want to remove this and then explicitly waive the test failures.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mauricioharley, xek The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-merge-bot
bot
merged commit cc2b30a
into
openstack-k8s-operators:main
|
Just to add a comment here about the CRD checker. This patch was accidentally merged without removing the changes to the crd-schema-checker. We will re-enable them in a follow-on commit. The checker flagged a bunch of bools that were added in the pkcs11 spec. These bools are in fact really bools that would be set as such in the barbican.conf file. So the errors here would have been waived. Further, the checker flagged a bunch of new required fields in the PKCS11 struct. This is OK because the PKCS11 struct itself is new and it is included into our existing structs as an optional pointer to a PKCS11 struct. Existing CRs will not have this field defined, and upon update, will instantiate that pointer as a nil value. Which won't trigger any issues with required fields in the struct. |
This patch is a Work in Progress to support Thales Luna HSMs on Barbican v18.
It templates the Luna HSM configuration into Barbican variables.