Barbican Support for Luna HSM #168

Merged
127 changes: 127 additions & 0 deletions api/bases/barbican.openstack.org_barbicanapis.yaml
Expand Up @@ -89,6 +89,26 @@ spec:
description: EnableSecureRBAC - Enable Consistent and Secure RBAC
policies
type: boolean
enabledSecretStores:
items:
description: This SecretStore type is used by the EnabledSecretStores
variable inside the specification.
enum:
- simple_crypto
- pkcs11
type: string
maxItems: 2
minItems: 1
type: array
x-kubernetes-list-type: set
globalDefaultSecretStore:
default: simple_crypto
description: This SecretStore type is used by the EnabledSecretStores
variable inside the specification.
enum:
- simple_crypto
- pkcs11
type: string
networkAttachments:
description: NetworkAttachments is a list of NetworkAttachment resource
names to expose the services to the given network
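Review bot: the `description` under `globalDefaultSecretStore` is copied from the `enabledSecretStores` item type ("This SecretStore type is used by the EnabledSecretStores variable inside the specification.") and does not describe the field; it should say that this is the store Barbican uses when a request does not name one, and that it must be one of the values listed in `enabledSecretStores`. Nothing in the schema enforces that relationship: `globalDefaultSecretStore` defaults to `simple_crypto` while `enabledSecretStores` has no default, so a spec with `enabledSecretStores: [pkcs11]` validates but selects a default store that is not enabled. An `x-kubernetes-validations` CEL rule on the spec object, along the lines of `!has(self.enabledSecretStores) || self.globalDefaultSecretStore in self.enabledSecretStores`, would reject this at admission instead of at reconcile time. Also, `maxItems: 2` hardcodes the current size of the enum and will need bumping whenever a store type is added; `x-kubernetes-list-type: set` already rejects duplicates, so the cap adds little.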
Expand Down Expand Up @@ -292,6 +312,113 @@ spec:
default: SimpleCryptoKEK
type: string
type: object
pkcs11:
description: BarbicanPKCS11Template - Includes all common HSM properties
properties:
AESGCMGenerateIV:
default: true
description: Generate IVs for CKM_AES_GCM mechanism
type: boolean
HMACKeyType:
default: CKK_GENERIC_SECRET
description: HMAC Key Type
type: string
HMACKeygenMechanism:
default: CKM_GENERIC_SECRET_KEY_GEN
description: HMAC Keygen Mechanism
type: string
HMACLabel:
description: Label to identify HMAC key in the HSM (must not be
the same as MKEK label)
type: string
HMACMechanism:
default: CKM_SHA256_HMAC
description: HMAC Mechanism. This replaces hsm_keywrap_mechanism
type: string
MKEKLabel:
description: Label to identify master KEK in the HSM (must not
be the same as HMAC label)
type: string
MKEKLength:
default: 32
description: Length in bytes of master KEK
type: integer
OSLockingOK:
default: false
description: Set os_locking_ok
type: boolean
alwaysSetCKASensitive:
default: true
description: Always set cka_sensitive
type: boolean
certificatesMountPoint:
description: The mounting point where the certificates will be
copied to (e.g., /usr/local/luna/config/certs).
type: string
certificatesSecret:
description: The OpenShift secret that stores the HSM certificates.
type: string
clientAddress:
description: The IP address of the client connecting to the HSM
(X.Y.Z.K)
type: string
encryptionMechanism:
default: CKM_AES_GCM
description: Secret encryption mechanism
type: string
keyWrapGenerateIV:
default: true
description: Generate IVs for the key wrap mechanism
type: boolean
keyWrapMechanism:
default: CKM_AES_KEY_WRAP_KWP
description: Key wrap mechanism
type: string
libraryPath:
description: Path to vendor's PKCS11 library
type: string
loggingLevel:
default: 4
description: Level of logging, where 0 means "no logging" and
7 means "debug".
maximum: 7
minimum: 0
type: integer
loginSecret:
description: OpenShift secret that stores the password to login
to the PKCS11 session
type: string
serverAddress:
description: The HSM's IPv4 address (X.Y.Z.K)
type: string
slotId:
description: One of TokenSerialNumber, TokenLabels or SlotId must
be defined. SlotId is used if none of the others is defined
type: string
tokenLabels:
description: Token labels used to identify the token to be used.
One of TokenSerialNumber, TokenLabels or SlotId must be specified.
TokenLabels takes priority over SlotId. This can be a comma
separated string of labels
type: string
tokenSerialNumber:
description: Token serial number used to identify the token to
be used. One of TokenSerialNumber, TokenLabels or SlotId must
be defined. TokenSerialNumber takes priority over TokenLabels
and SlotId
type: string
type:
description: 'A string containing the HSM type (currently supported:
"luna").'
type: string
required:
- HMACLabel
- MKEKLabel
- libraryPath
- loginSecret
- serverAddress
- type
type: object
rabbitMqClusterName:
default: rabbitmq
description: RabbitMQ instance name Needed to request a transportURL
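Review bot: `type` is documented as "currently supported: luna" but is an unconstrained string; an `enum` with the supported value would make the API server reject typos and unsupported HSM types at admission rather than leaving it to the reconciler. The three token selectors (`slotId`, `tokenLabels`, `tokenSerialNumber`) are each described as "one of ... must be defined", yet none is in `required` and nothing enforces the rule, so a CR carrying the whole `pkcs11` block with no selector validates; a CEL rule on the `pkcs11` object such as `has(self.slotId) || has(self.tokenLabels) || has(self.tokenSerialNumber)` closes that gap, and `serverAddress`/`clientAddress`, both documented as IPv4, could carry `format: ipv4`. `loginSecret` should state which key inside the Secret holds the password so operators know what to create. Finally, the field names mix `HMACLabel`, `MKEKLabel`, `AESGCMGenerateIV` and `OSLockingOK` with lowerCamelCase names like `keyWrapMechanism` and `loginSecret`; Kubernetes API convention is lowerCamelCase JSON tags, and mixed casing inside one object is an easy source of silently ignored fields when users hand-write CRs.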
127 changes: 127 additions & 0 deletions api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml
Expand Up @@ -85,6 +85,26 @@ spec:
files. Those get added to the service config dir in /etc/<service>
. TODO: -> implement'
type: object
enabledSecretStores:
items:
description: This SecretStore type is used by the EnabledSecretStores
variable inside the specification.
enum:
- simple_crypto
- pkcs11
type: string
maxItems: 2
minItems: 1
type: array
x-kubernetes-list-type: set
globalDefaultSecretStore:
default: simple_crypto
description: This SecretStore type is used by the EnabledSecretStores
variable inside the specification.
enum:
- simple_crypto
- pkcs11
type: string
networkAttachments:
description: NetworkAttachments is a list of NetworkAttachment resource
names to expose the services to the given network
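Review bot: `globalDefaultSecretStore` carries the same copy-pasted `description` as in the barbicanapis CRD ("This SecretStore type is used by the EnabledSecretStores variable inside the specification."), which describes the enum type rather than the field, and the schema again does not require the default store to be a member of `enabledSecretStores`. Since files under `api/bases` are normally regenerated by controller-gen from the Go types, the doc comment and any `+kubebuilder:validation` or CEL marker should be fixed on the shared Go type so both CRDs pick the change up together, rather than editing the generated YAML by hand.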
Expand Down Expand Up @@ -114,6 +134,113 @@ spec:
default: SimpleCryptoKEK
type: string
type: object
pkcs11:
description: BarbicanPKCS11Template - Includes all common HSM properties
properties:
AESGCMGenerateIV:
default: true
description: Generate IVs for CKM_AES_GCM mechanism
type: boolean
HMACKeyType:
default: CKK_GENERIC_SECRET
description: HMAC Key Type
type: string
HMACKeygenMechanism:
default: CKM_GENERIC_SECRET_KEY_GEN
description: HMAC Keygen Mechanism
type: string
HMACLabel:
description: Label to identify HMAC key in the HSM (must not be
the same as MKEK label)
type: string
HMACMechanism:
default: CKM_SHA256_HMAC
description: HMAC Mechanism. This replaces hsm_keywrap_mechanism
type: string
MKEKLabel:
description: Label to identify master KEK in the HSM (must not
be the same as HMAC label)
type: string
MKEKLength:
default: 32
description: Length in bytes of master KEK
type: integer
OSLockingOK:
default: false
description: Set os_locking_ok
type: boolean
alwaysSetCKASensitive:
default: true
description: Always set cka_sensitive
type: boolean
certificatesMountPoint:
description: The mounting point where the certificates will be
copied to (e.g., /usr/local/luna/config/certs).
type: string
certificatesSecret:
description: The OpenShift secret that stores the HSM certificates.
type: string
clientAddress:
description: The IP address of the client connecting to the HSM
(X.Y.Z.K)
type: string
encryptionMechanism:
default: CKM_AES_GCM
description: Secret encryption mechanism
type: string
keyWrapGenerateIV:
default: true
description: Generate IVs for the key wrap mechanism
type: boolean
keyWrapMechanism:
default: CKM_AES_KEY_WRAP_KWP
description: Key wrap mechanism
type: string
libraryPath:
description: Path to vendor's PKCS11 library
type: string
loggingLevel:
default: 4
description: Level of logging, where 0 means "no logging" and
7 means "debug".
maximum: 7
minimum: 0
type: integer
loginSecret:
description: OpenShift secret that stores the password to login
to the PKCS11 session
type: string
serverAddress:
description: The HSM's IPv4 address (X.Y.Z.K)
type: string
slotId:
description: One of TokenSerialNumber, TokenLabels or SlotId must
be defined. SlotId is used if none of the others is defined
type: string
tokenLabels:
description: Token labels used to identify the token to be used.
One of TokenSerialNumber, TokenLabels or SlotId must be specified.
TokenLabels takes priority over SlotId. This can be a comma
separated string of labels
type: string
tokenSerialNumber:
description: Token serial number used to identify the token to
be used. One of TokenSerialNumber, TokenLabels or SlotId must
be defined. TokenSerialNumber takes priority over TokenLabels
and SlotId
type: string
type:
description: 'A string containing the HSM type (currently supported:
"luna").'
type: string
required:
- HMACLabel
- MKEKLabel
- libraryPath
- loginSecret
- serverAddress
- type
type: object
rabbitMqClusterName:
default: rabbitmq
description: RabbitMQ instance name Needed to request a transportURL
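Review bot: this `pkcs11` block is a verbatim copy of the one added to barbicanapis, so the same issues apply here and should be fixed once on the shared template type: `type` is free-form although only "luna" is supported, the "one of TokenSerialNumber, TokenLabels or SlotId must be defined" rule is stated in descriptions but not enforced by `required` or a CEL rule, `loginSecret` does not name the key inside the Secret that holds the password, and field names mix `HMACLabel`/`MKEKLabel`-style casing with lowerCamelCase. It is also worth confirming that the keystone listener needs HSM connection settings at all; if that component never opens a PKCS#11 session, exposing `loginSecret`, `certificatesSecret` and the HSM addresses on this CRD only widens the set of objects that reference those secrets.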