Skip to content

Commit

Permalink
Initial change to simplify the config
Browse files Browse the repository at this point in the history
I have not fixed the functional tests yet, or tested whether this works,
but this is ready for initial review to see if it meets our
expectations.
  • Loading branch information
vakwetu committed Jan 15, 2025
1 parent 1482a31 commit 4f21104
Show file tree
Hide file tree
Showing 29 changed files with 361 additions and 1,188 deletions.
111 changes: 12 additions & 99 deletions api/bases/barbican.openstack.org_barbicanapis.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -296,6 +296,9 @@ spec:
description: PasswordSelectors - Selectors to identify the ServiceUser
password from the Secret
properties:
p11cryptologin:
default: P11CryptoLogin
type: string
service:
default: BarbicanPassword
description: Service - Selector to get the barbican service user
Expand All @@ -306,114 +309,24 @@ spec:
type: string
type: object
pkcs11:
description: BarbicanPKCS11Template - Includes all common HSM properties
description: BarbicanPKCS11Template - Includes common HSM properties
properties:
AESGCMGenerateIV:
default: true
description: Generate IVs for CKM_AES_GCM mechanism
type: boolean
HMACKeyType:
default: CKK_GENERIC_SECRET
description: HMAC Key Type
type: string
HMACKeygenMechanism:
default: CKM_GENERIC_SECRET_KEY_GEN
description: HMAC Keygen Mechanism
type: string
HMACLabel:
description: Label to identify HMAC key in the HSM (must not be
the same as MKEK label)
type: string
HMACMechanism:
default: CKM_SHA256_HMAC
description: HMAC Mechanism. This replaces hsm_keywrap_mechanism
type: string
MKEKLabel:
description: Label to identify master KEK in the HSM (must not
be the same as HMAC label)
type: string
MKEKLength:
default: 32
description: Length in bytes of master KEK
type: integer
OSLockingOK:
default: false
description: Set os_locking_ok
type: boolean
alwaysSetCKASensitive:
default: true
description: Always set cka_sensitive
type: boolean
certificatesMountPoint:
description: The mounting point where the certificates will be
copied to (e.g., /usr/local/luna/config/certs).
type: string
certificatesSecret:
description: The OpenShift secret that stores the HSM certificates.
type: string
clientAddress:
description: The IP address of the client connecting to the HSM
(X.Y.Z.K)
type: string
encryptionMechanism:
default: CKM_AES_GCM
description: Secret encryption mechanism
type: string
keyWrapGenerateIV:
default: true
description: Generate IVs for the key wrap mechanism
type: boolean
keyWrapMechanism:
default: CKM_AES_KEY_WRAP_KWP
description: Key wrap mechanism
clientDataPath:
default: /etc/hsm-client
description: Location to which kolla will copy the data in ClientDataSecret.
type: string
libraryPath:
description: Path to vendor's PKCS11 library
clientDataSecret:
description: |-
The OpenShift secret that stores the HSM client data.
These will be mounted to /var/lib/config-data/hsm
type: string
loggingLevel:
default: 4
description: Level of logging, where 0 means "no logging" and
7 means "debug".
maximum: 7
minimum: 0
type: integer
loginSecret:
description: OpenShift secret that stores the password to login
to the PKCS11 session
type: string
serverAddress:
description: The HSM's IPv4 address (X.Y.Z.K)
type: string
slotId:
description: |-
One of TokenSerialNumber, TokenLabels or SlotId must
be defined. SlotId is used if none of the others is defined
type: string
tokenLabels:
description: |-
Token labels used to identify the token to be used.
One of TokenSerialNumber, TokenLabels or SlotId must
be specified. TokenLabels takes priority over SlotId.
This can be a comma separated string of labels
type: string
tokenSerialNumber:
description: |-
Token serial number used to identify the token to be used.
One of TokenSerialNumber, TokenLabels or SlotId must
be defined. TokenSerialNumber takes priority over
TokenLabels and SlotId
type: string
type:
description: 'A string containing the HSM type (currently supported:
"luna").'
type: string
required:
- HMACLabel
- MKEKLabel
- libraryPath
- clientDataSecret
- loginSecret
- serverAddress
- type
type: object
rabbitMqClusterName:
default: rabbitmq
Expand Down
111 changes: 12 additions & 99 deletions api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -130,6 +130,9 @@ spec:
description: PasswordSelectors - Selectors to identify the ServiceUser
password from the Secret
properties:
p11cryptologin:
default: P11CryptoLogin
type: string
service:
default: BarbicanPassword
description: Service - Selector to get the barbican service user
Expand All @@ -140,114 +143,24 @@ spec:
type: string
type: object
pkcs11:
description: BarbicanPKCS11Template - Includes all common HSM properties
description: BarbicanPKCS11Template - Includes common HSM properties
properties:
AESGCMGenerateIV:
default: true
description: Generate IVs for CKM_AES_GCM mechanism
type: boolean
HMACKeyType:
default: CKK_GENERIC_SECRET
description: HMAC Key Type
type: string
HMACKeygenMechanism:
default: CKM_GENERIC_SECRET_KEY_GEN
description: HMAC Keygen Mechanism
type: string
HMACLabel:
description: Label to identify HMAC key in the HSM (must not be
the same as MKEK label)
type: string
HMACMechanism:
default: CKM_SHA256_HMAC
description: HMAC Mechanism. This replaces hsm_keywrap_mechanism
type: string
MKEKLabel:
description: Label to identify master KEK in the HSM (must not
be the same as HMAC label)
type: string
MKEKLength:
default: 32
description: Length in bytes of master KEK
type: integer
OSLockingOK:
default: false
description: Set os_locking_ok
type: boolean
alwaysSetCKASensitive:
default: true
description: Always set cka_sensitive
type: boolean
certificatesMountPoint:
description: The mounting point where the certificates will be
copied to (e.g., /usr/local/luna/config/certs).
type: string
certificatesSecret:
description: The OpenShift secret that stores the HSM certificates.
type: string
clientAddress:
description: The IP address of the client connecting to the HSM
(X.Y.Z.K)
type: string
encryptionMechanism:
default: CKM_AES_GCM
description: Secret encryption mechanism
type: string
keyWrapGenerateIV:
default: true
description: Generate IVs for the key wrap mechanism
type: boolean
keyWrapMechanism:
default: CKM_AES_KEY_WRAP_KWP
description: Key wrap mechanism
clientDataPath:
default: /etc/hsm-client
description: Location to which kolla will copy the data in ClientDataSecret.
type: string
libraryPath:
description: Path to vendor's PKCS11 library
clientDataSecret:
description: |-
The OpenShift secret that stores the HSM client data.
These will be mounted to /var/lib/config-data/hsm
type: string
loggingLevel:
default: 4
description: Level of logging, where 0 means "no logging" and
7 means "debug".
maximum: 7
minimum: 0
type: integer
loginSecret:
description: OpenShift secret that stores the password to login
to the PKCS11 session
type: string
serverAddress:
description: The HSM's IPv4 address (X.Y.Z.K)
type: string
slotId:
description: |-
One of TokenSerialNumber, TokenLabels or SlotId must
be defined. SlotId is used if none of the others is defined
type: string
tokenLabels:
description: |-
Token labels used to identify the token to be used.
One of TokenSerialNumber, TokenLabels or SlotId must
be specified. TokenLabels takes priority over SlotId.
This can be a comma separated string of labels
type: string
tokenSerialNumber:
description: |-
Token serial number used to identify the token to be used.
One of TokenSerialNumber, TokenLabels or SlotId must
be defined. TokenSerialNumber takes priority over
TokenLabels and SlotId
type: string
type:
description: 'A string containing the HSM type (currently supported:
"luna").'
type: string
required:
- HMACLabel
- MKEKLabel
- libraryPath
- clientDataSecret
- loginSecret
- serverAddress
- type
type: object
rabbitMqClusterName:
default: rabbitmq
Expand Down
Loading

0 comments on commit 4f21104

Please sign in to comment.