diff --git a/api/bases/barbican.openstack.org_barbicanapis.yaml b/api/bases/barbican.openstack.org_barbicanapis.yaml index 6e38ed9..ef44a64 100644 --- a/api/bases/barbican.openstack.org_barbicanapis.yaml +++ b/api/bases/barbican.openstack.org_barbicanapis.yaml @@ -296,6 +296,9 @@ spec: description: PasswordSelectors - Selectors to identify the ServiceUser password from the Secret properties: + p11cryptologin: + default: P11CryptoLogin + type: string service: default: BarbicanPassword description: Service - Selector to get the barbican service user 
@@ -306,114 +309,24 @@ spec: type: string type: object pkcs11: - description: BarbicanPKCS11Template - Includes all common HSM properties + description: BarbicanPKCS11Template - Includes common HSM properties properties: - AESGCMGenerateIV: - default: true - description: Generate IVs for CKM_AES_GCM mechanism - type: boolean - HMACKeyType: - default: CKK_GENERIC_SECRET - description: HMAC Key Type - type: string - HMACKeygenMechanism: - default: CKM_GENERIC_SECRET_KEY_GEN - description: HMAC Keygen Mechanism - type: string - HMACLabel: - description: Label to identify HMAC key in the HSM (must not be - the same as MKEK label) - type: string - HMACMechanism: - default: CKM_SHA256_HMAC - description: HMAC Mechanism. This replaces hsm_keywrap_mechanism - type: string - MKEKLabel: - description: Label to identify master KEK in the HSM (must not - be the same as HMAC label) - type: string - MKEKLength: - default: 32 - description: Length in bytes of master KEK - type: integer - OSLockingOK: - default: false - description: Set os_locking_ok - type: boolean - alwaysSetCKASensitive: - default: true - description: Always set cka_sensitive - type: boolean - certificatesMountPoint: - description: The mounting point where the certificates will be - copied to (e.g., /usr/local/luna/config/certs). - type: string - certificatesSecret: - description: The OpenShift secret that stores the HSM certificates. - type: string - clientAddress: - description: The IP address of the client connecting to the HSM - (X.Y.Z.K) - type: string - encryptionMechanism: - default: CKM_AES_GCM - description: Secret encryption mechanism - type: string - keyWrapGenerateIV: - default: true - description: Generate IVs for the key wrap mechanism - type: boolean - keyWrapMechanism: - default: CKM_AES_KEY_WRAP_KWP - description: Key wrap mechanism + clientDataPath: + description: Location to which kolla will copy the data in ClientDataSecret. 
type: string - libraryPath: - description: Path to vendor's PKCS11 library + clientDataSecret: + description: |- + The OpenShift secret that stores the HSM client data. + These will be mounted to /etc/hsm-client type: string - loggingLevel: - default: 4 - description: Level of logging, where 0 means "no logging" and - 7 means "debug". - maximum: 7 - minimum: 0 - type: integer loginSecret: description: OpenShift secret that stores the password to login to the PKCS11 session type: string - serverAddress: - description: The HSM's IPv4 address (X.Y.Z.K) - type: string - slotId: - description: |- - One of TokenSerialNumber, TokenLabels or SlotId must - be defined. SlotId is used if none of the others is defined - type: string - tokenLabels: - description: |- - Token labels used to identify the token to be used. - One of TokenSerialNumber, TokenLabels or SlotId must - be specified. TokenLabels takes priority over SlotId. - This can be a comma separated string of labels - type: string - tokenSerialNumber: - description: |- - Token serial number used to identify the token to be used. - One of TokenSerialNumber, TokenLabels or SlotId must - be defined. TokenSerialNumber takes priority over - TokenLabels and SlotId - type: string - type: - description: 'A string containing the HSM type (currently supported: - "luna").' - type: string required: - - HMACLabel - - MKEKLabel - - libraryPath + - clientDataPath + - clientDataSecret - loginSecret - - serverAddress - - type type: object rabbitMqClusterName: default: rabbitmq diff --git a/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml b/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml index 80e9920..3d2f64f 100644 --- a/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml +++ b/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml 
@@ -130,6 +130,9 @@ spec: description: PasswordSelectors - Selectors to identify the ServiceUser password from the Secret properties: + p11cryptologin: + default: P11CryptoLogin + type: string service: default: BarbicanPassword description: Service - Selector to get the barbican service user 
@@ -140,114 +143,24 @@ spec: type: string type: object pkcs11: - description: BarbicanPKCS11Template - Includes all common HSM properties + description: BarbicanPKCS11Template - Includes common HSM properties properties: - AESGCMGenerateIV: - default: true - description: Generate IVs for CKM_AES_GCM mechanism - type: boolean - HMACKeyType: - default: CKK_GENERIC_SECRET - description: HMAC Key Type - type: string - HMACKeygenMechanism: - default: CKM_GENERIC_SECRET_KEY_GEN - description: HMAC Keygen Mechanism - type: string - HMACLabel: - description: Label to identify HMAC key in the HSM (must not be - the same as MKEK label) - type: string - HMACMechanism: - default: CKM_SHA256_HMAC - description: HMAC Mechanism. This replaces hsm_keywrap_mechanism - type: string - MKEKLabel: - description: Label to identify master KEK in the HSM (must not - be the same as HMAC label) - type: string - MKEKLength: - default: 32 - description: Length in bytes of master KEK - type: integer - OSLockingOK: - default: false - description: Set os_locking_ok - type: boolean - alwaysSetCKASensitive: - default: true - description: Always set cka_sensitive - type: boolean - certificatesMountPoint: - description: The mounting point where the certificates will be - copied to (e.g., /usr/local/luna/config/certs). - type: string - certificatesSecret: - description: The OpenShift secret that stores the HSM certificates. - type: string - clientAddress: - description: The IP address of the client connecting to the HSM - (X.Y.Z.K) - type: string - encryptionMechanism: - default: CKM_AES_GCM - description: Secret encryption mechanism - type: string - keyWrapGenerateIV: - default: true - description: Generate IVs for the key wrap mechanism - type: boolean - keyWrapMechanism: - default: CKM_AES_KEY_WRAP_KWP - description: Key wrap mechanism + clientDataPath: + description: Location to which kolla will copy the data in ClientDataSecret. 
type: string - libraryPath: - description: Path to vendor's PKCS11 library + clientDataSecret: + description: |- + The OpenShift secret that stores the HSM client data. + These will be mounted to /etc/hsm-client type: string - loggingLevel: - default: 4 - description: Level of logging, where 0 means "no logging" and - 7 means "debug". - maximum: 7 - minimum: 0 - type: integer loginSecret: description: OpenShift secret that stores the password to login to the PKCS11 session type: string - serverAddress: - description: The HSM's IPv4 address (X.Y.Z.K) - type: string - slotId: - description: |- - One of TokenSerialNumber, TokenLabels or SlotId must - be defined. SlotId is used if none of the others is defined - type: string - tokenLabels: - description: |- - Token labels used to identify the token to be used. - One of TokenSerialNumber, TokenLabels or SlotId must - be specified. TokenLabels takes priority over SlotId. - This can be a comma separated string of labels - type: string - tokenSerialNumber: - description: |- - Token serial number used to identify the token to be used. - One of TokenSerialNumber, TokenLabels or SlotId must - be defined. TokenSerialNumber takes priority over - TokenLabels and SlotId - type: string - type: - description: 'A string containing the HSM type (currently supported: - "luna").' - type: string required: - - HMACLabel - - MKEKLabel - - libraryPath + - clientDataPath + - clientDataSecret - loginSecret - - serverAddress - - type type: object rabbitMqClusterName: default: rabbitmq diff --git a/api/bases/barbican.openstack.org_barbicans.yaml b/api/bases/barbican.openstack.org_barbicans.yaml index 3de834c..3e40fe8 100644 --- a/api/bases/barbican.openstack.org_barbicans.yaml +++ b/api/bases/barbican.openstack.org_barbicans.yaml 
@@ -639,6 +639,9 @@ spec: description: PasswordSelectors - Selectors to identify the ServiceUser password from the Secret properties: + p11cryptologin: + default: P11CryptoLogin + type: string service: default: BarbicanPassword description: Service - Selector to get the barbican service user 
@@ -649,114 +652,24 @@ spec: type: string type: object pkcs11: - description: BarbicanPKCS11Template - Includes all common HSM properties + description: BarbicanPKCS11Template - Includes common HSM properties properties: - AESGCMGenerateIV: - default: true - description: Generate IVs for CKM_AES_GCM mechanism - type: boolean - HMACKeyType: - default: CKK_GENERIC_SECRET - description: HMAC Key Type - type: string - HMACKeygenMechanism: - default: CKM_GENERIC_SECRET_KEY_GEN - description: HMAC Keygen Mechanism - type: string - HMACLabel: - description: Label to identify HMAC key in the HSM (must not be - the same as MKEK label) - type: string - HMACMechanism: - default: CKM_SHA256_HMAC - description: HMAC Mechanism. This replaces hsm_keywrap_mechanism - type: string - MKEKLabel: - description: Label to identify master KEK in the HSM (must not - be the same as HMAC label) - type: string - MKEKLength: - default: 32 - description: Length in bytes of master KEK - type: integer - OSLockingOK: - default: false - description: Set os_locking_ok - type: boolean - alwaysSetCKASensitive: - default: true - description: Always set cka_sensitive - type: boolean - certificatesMountPoint: - description: The mounting point where the certificates will be - copied to (e.g., /usr/local/luna/config/certs). - type: string - certificatesSecret: - description: The OpenShift secret that stores the HSM certificates. - type: string - clientAddress: - description: The IP address of the client connecting to the HSM - (X.Y.Z.K) - type: string - encryptionMechanism: - default: CKM_AES_GCM - description: Secret encryption mechanism + clientDataPath: + description: Location to which kolla will copy the data in ClientDataSecret. 
type: string - keyWrapGenerateIV: - default: true - description: Generate IVs for the key wrap mechanism - type: boolean - keyWrapMechanism: - default: CKM_AES_KEY_WRAP_KWP - description: Key wrap mechanism - type: string - libraryPath: - description: Path to vendor's PKCS11 library + clientDataSecret: + description: |- + The OpenShift secret that stores the HSM client data. + These will be mounted to /etc/hsm-client type: string - loggingLevel: - default: 4 - description: Level of logging, where 0 means "no logging" and - 7 means "debug". - maximum: 7 - minimum: 0 - type: integer loginSecret: description: OpenShift secret that stores the password to login to the PKCS11 session type: string - serverAddress: - description: The HSM's IPv4 address (X.Y.Z.K) - type: string - slotId: - description: |- - One of TokenSerialNumber, TokenLabels or SlotId must - be defined. SlotId is used if none of the others is defined - type: string - tokenLabels: - description: |- - Token labels used to identify the token to be used. - One of TokenSerialNumber, TokenLabels or SlotId must - be specified. TokenLabels takes priority over SlotId. - This can be a comma separated string of labels - type: string - tokenSerialNumber: - description: |- - Token serial number used to identify the token to be used. - One of TokenSerialNumber, TokenLabels or SlotId must - be defined. TokenSerialNumber takes priority over - TokenLabels and SlotId - type: string - type: - description: 'A string containing the HSM type (currently supported: - "luna").' - type: string required: - - HMACLabel - - MKEKLabel - - libraryPath + - clientDataPath + - clientDataSecret - loginSecret - - serverAddress - - type type: object preserveJobs: default: false diff --git a/api/bases/barbican.openstack.org_barbicanworkers.yaml b/api/bases/barbican.openstack.org_barbicanworkers.yaml index ad89946..3e8f783 100644 --- a/api/bases/barbican.openstack.org_barbicanworkers.yaml 
+++ b/api/bases/barbican.openstack.org_barbicanworkers.yaml @@ -128,6 +128,9 @@ spec: description: PasswordSelectors - Selectors to identify the ServiceUser password from the Secret properties: + p11cryptologin: + default: P11CryptoLogin + type: string service: default: BarbicanPassword description: Service - Selector to get the barbican service user 
@@ -138,114 +141,24 @@ spec: type: string type: object pkcs11: - description: BarbicanPKCS11Template - Includes all common HSM properties + description: BarbicanPKCS11Template - Includes common HSM properties properties: - AESGCMGenerateIV: - default: true - description: Generate IVs for CKM_AES_GCM mechanism - type: boolean - HMACKeyType: - default: CKK_GENERIC_SECRET - description: HMAC Key Type - type: string - HMACKeygenMechanism: - default: CKM_GENERIC_SECRET_KEY_GEN - description: HMAC Keygen Mechanism - type: string - HMACLabel: - description: Label to identify HMAC key in the HSM (must not be - the same as MKEK label) - type: string - HMACMechanism: - default: CKM_SHA256_HMAC - description: HMAC Mechanism. This replaces hsm_keywrap_mechanism - type: string - MKEKLabel: - description: Label to identify master KEK in the HSM (must not - be the same as HMAC label) - type: string - MKEKLength: - default: 32 - description: Length in bytes of master KEK - type: integer - OSLockingOK: - default: false - description: Set os_locking_ok - type: boolean - alwaysSetCKASensitive: - default: true - description: Always set cka_sensitive - type: boolean - certificatesMountPoint: - description: The mounting point where the certificates will be - copied to (e.g., /usr/local/luna/config/certs). - type: string - certificatesSecret: - description: The OpenShift secret that stores the HSM certificates. - type: string - clientAddress: - description: The IP address of the client connecting to the HSM - (X.Y.Z.K) - type: string - encryptionMechanism: - default: CKM_AES_GCM - description: Secret encryption mechanism - type: string - keyWrapGenerateIV: - default: true - description: Generate IVs for the key wrap mechanism - type: boolean - keyWrapMechanism: - default: CKM_AES_KEY_WRAP_KWP - description: Key wrap mechanism + clientDataPath: + description: Location to which kolla will copy the data in ClientDataSecret. 
type: string - libraryPath: - description: Path to vendor's PKCS11 library + clientDataSecret: + description: |- + The OpenShift secret that stores the HSM client data. + These will be mounted to /etc/hsm-client type: string - loggingLevel: - default: 4 - description: Level of logging, where 0 means "no logging" and - 7 means "debug". - maximum: 7 - minimum: 0 - type: integer loginSecret: description: OpenShift secret that stores the password to login to the PKCS11 session type: string - serverAddress: - description: The HSM's IPv4 address (X.Y.Z.K) - type: string - slotId: - description: |- - One of TokenSerialNumber, TokenLabels or SlotId must - be defined. SlotId is used if none of the others is defined - type: string - tokenLabels: - description: |- - Token labels used to identify the token to be used. - One of TokenSerialNumber, TokenLabels or SlotId must - be specified. TokenLabels takes priority over SlotId. - This can be a comma separated string of labels - type: string - tokenSerialNumber: - description: |- - Token serial number used to identify the token to be used. - One of TokenSerialNumber, TokenLabels or SlotId must - be defined. TokenSerialNumber takes priority over - TokenLabels and SlotId - type: string - type: - description: 'A string containing the HSM type (currently supported: - "luna").' - type: string required: - - HMACLabel - - MKEKLabel - - libraryPath + - clientDataPath + - clientDataSecret - loginSecret - - serverAddress - - type type: object rabbitMqClusterName: default: rabbitmq diff --git a/api/v1beta1/barbican_types.go b/api/v1beta1/barbican_types.go index 9e63f4c..90cddc1 100644 --- a/api/v1beta1/barbican_types.go +++ b/api/v1beta1/barbican_types.go @@ -22,9 +22,6 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) -// Supported HSM models -var HSMTypes = []string{"luna"} - const ( // DbSyncHash hash DbSyncHash = "dbsync" 
diff --git a/api/v1beta1/barbican_webhook.go b/api/v1beta1/barbican_webhook.go index 05ea5cb..d506972 100644 --- a/api/v1beta1/barbican_webhook.go +++ b/api/v1beta1/barbican_webhook.go @@ -141,13 +141,6 @@ func (r *BarbicanSpec) ValidateCreate(basePath *field.Path) field.ErrorList { allErrs = append(allErrs, field.Required(basePath.Child("PKCS11"), "PKCS11 specification is missing, PKCS11 is required when pkcs11 is an enabled SecretStore"), ) - } else { - // Checking that at least one of the following parameters has been provided. - if len(r.PKCS11.TokenSerialNumber) == 0 && len(r.PKCS11.TokenLabels) == 0 && len(r.PKCS11.SlotId) == 0 { - allErrs = append(allErrs, field.Required(basePath.Child("PKCS11"), - "No token identifier provided. One of TokenSerialNumber, TokenLabels or SlotId needed"), - ) - } } } diff --git a/api/v1beta1/common_types.go b/api/v1beta1/common_types.go index 95af613..a3a14dd 100644 --- a/api/v1beta1/common_types.go +++ b/api/v1beta1/common_types.go 
@@ -112,120 +112,20 @@ type BarbicanComponentTemplate struct { // This SecretStore type is used by the EnabledSecretStores variable inside the specification. type SecretStore string -// BarbicanPKCS11Template - Includes all common HSM properties +// BarbicanPKCS11Template - Includes common HSM properties type BarbicanPKCS11Template struct { - // +kubebuilder:validation:Required - // +kubebuilder:validation:Items:Enum=luna - // A string containing the HSM type (currently supported: "luna"). - Type string `json:"type"` - - // +kubebuilder:validation:Required - // Path to vendor's PKCS11 library - LibraryPath string `json:"libraryPath"` - - // +kubebuilder:validation:Optional - // Token serial number used to identify the token to be used. - // One of TokenSerialNumber, TokenLabels or SlotId must - // be defined. TokenSerialNumber takes priority over - // TokenLabels and SlotId - TokenSerialNumber string `json:"tokenSerialNumber,omitempty"` - - // +kubebuilder:validation:Optional - // Token labels used to identify the token to be used. - // One of TokenSerialNumber, TokenLabels or SlotId must - // be specified. TokenLabels takes priority over SlotId. - // This can be a comma separated string of labels - TokenLabels string `json:"tokenLabels,omitempty"` - - // +kubebuilder:validation:Optional - // One of TokenSerialNumber, TokenLabels or SlotId must - // be defined. 
SlotId is used if none of the others is defined - SlotId string `json:"slotId,omitempty"` - - // +kubebuilder:validation:Required - // Label to identify master KEK in the HSM (must not be the same as HMAC label) - MKEKLabel string `json:"MKEKLabel"` - - // +kubebuilder:validation:Optional - // +kubebuilder:default=32 - // Length in bytes of master KEK - MKEKLength int `json:"MKEKLength"` - - // +kubebuilder:validation:Required - // Label to identify HMAC key in the HSM (must not be the same as MKEK label) - HMACLabel string `json:"HMACLabel"` - - // +kubebuilder:validation:Optional - // +kubebuilder:default=CKK_GENERIC_SECRET - // HMAC Key Type - HMACKeyType string `json:"HMACKeyType"` - - // +kubebuilder:validation:Optional - // +kubebuilder:default=CKM_GENERIC_SECRET_KEY_GEN - // HMAC Keygen Mechanism - HMACKeygenMechanism string `json:"HMACKeygenMechanism"` - - // +kubebuilder:validation:Optional - // +kubebuilder:default=CKM_SHA256_HMAC - // HMAC Mechanism. This replaces hsm_keywrap_mechanism - HMACMechanism string `json:"HMACMechanism"` - - // +kubebuilder:validation:Optional - // +kubebuilder:default=4 - // +kubebuilder:validation:Maximum=7 - // +kubebuilder:validation:Minimum=0 - // Level of logging, where 0 means "no logging" and 7 means "debug". - LoggingLevel int `json:"loggingLevel"` - - // +kubebuilder:validation:Required - // The HSM's IPv4 address (X.Y.Z.K) - ServerAddress string `json:"serverAddress"` - - // +kubebuilder:validation:Optional - // The IP address of the client connecting to the HSM (X.Y.Z.K) - ClientAddress string `json:"clientAddress,omitempty"` - // +kubebuilder:validation:Required // OpenShift secret that stores the password to login to the PKCS11 session LoginSecret string `json:"loginSecret"` - // +kubebuilder:validation:Optional - // The OpenShift secret that stores the HSM certificates. 
- CertificatesSecret string `json:"certificatesSecret,omitempty"` - - // +kubebuilder:validation:Optional - // The mounting point where the certificates will be copied to (e.g., /usr/local/luna/config/certs). - CertificatesMountPoint string `json:"certificatesMountPoint,omitempty"` - - // +kubebuilder:validation:Optional - // +kubebuilder:default=CKM_AES_GCM - // Secret encryption mechanism - EncryptionMechanism string `json:"encryptionMechanism"` - - // +kubebuilder:validation:Optional - // +kubebuilder:default=CKM_AES_KEY_WRAP_KWP - // Key wrap mechanism - KeyWrapMechanism string `json:"keyWrapMechanism"` - - // +kubebuilder:validation:Optional - // +kubebuilder:default=true - // Generate IVs for the key wrap mechanism - KeyWrapGenerateIV bool `json:"keyWrapGenerateIV"` - - // +kubebuilder:validation:Optional - // +kubebuilder:default=true - // Generate IVs for CKM_AES_GCM mechanism - AESGCMGenerateIV bool `json:"AESGCMGenerateIV"` - - // +kubebuilder:validation:Optional - // +kubebuilder:default=true - // Always set cka_sensitive - AlwaysSetCKASensitive bool `json:"alwaysSetCKASensitive"` + // +kubebuilder:validation:Required + // The OpenShift secret that stores the HSM client data. + // These will be mounted to /etc/hsm-client + ClientDataSecret string `json:"clientDataSecret"` - // +kubebuilder:validation:Optional - // +kubebuilder:default=false - // Set os_locking_ok - OSLockingOK bool `json:"OSLockingOK"` + // +kubebuilder:validation:Required + // Location to which kolla will copy the data in ClientDataSecret. + ClientDataPath string `json:"clientDataPath"` } // PasswordSelector to identify the DB and AdminUser password from the Secret @@ -237,4 +137,7 @@ type PasswordSelector struct { // +kubebuilder:validation:Optional // +kubebuilder:default="SimpleCryptoKEK" SimpleCryptoKEK string `json:"simplecryptokek"` + // +kubebuilder:validation:Optional + // +kubebuilder:default="P11CryptoLogin" + P11CryptoLogin string `json:"p11cryptologin"` } 
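Review bot: `ClientDataSecret` and `ClientDataPath` are marked `+kubebuilder:validation:Required`, but `required` in the generated CRD schema only checks that the key is present, so `clientDataSecret: ""` or `clientDataPath: ""` passes admission and the failure surfaces later, when the secret is mounted or kolla copies into an empty path. Adding `// +kubebuilder:validation:MinLength=1` to both new fields (and to the surviving `LoginSecret`) rejects that at the API server. Since `ClientDataPath` is a filesystem location the CR author controls and kolla writes into, it also seems worth constraining it to an absolute path, e.g. `// +kubebuilder:validation:Pattern=^/`, or checking it in `ValidateCreate` now that the token-identifier check removed from barbican_webhook.go no longer guards this struct.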
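Review bot: The new `P11CryptoLogin` field in `PasswordSelector` carries only the `Optional` and `default` markers and no doc comment, and the generated CRDs in this diff show the consequence: `p11cryptologin` is emitted with just `default` and `type`, while the neighbouring `service` selector has a `description`. A comment above the markers, such as `// P11CryptoLogin - Selector to get the PKCS11 session login password from the Secret`, would be picked up by controller-gen into the schema; that the secret key holds the PKCS11 login password is inferred from the name and the `LoginSecret` description, so adjust the wording if the key holds something else. The `PasswordSelector` struct begins before this hunk, so I cannot see whether the sibling fields are documented above their markers.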
diff --git a/config/crd/bases/barbican.openstack.org_barbicanapis.yaml b/config/crd/bases/barbican.openstack.org_barbicanapis.yaml index 6e38ed9..ef44a64 100644 --- a/config/crd/bases/barbican.openstack.org_barbicanapis.yaml +++ b/config/crd/bases/barbican.openstack.org_barbicanapis.yaml @@ -296,6 +296,9 @@ spec: description: PasswordSelectors - Selectors to identify the ServiceUser password from the Secret properties: + p11cryptologin: + default: P11CryptoLogin + type: string service: default: BarbicanPassword description: Service - Selector to get the barbican service user 
@@ -306,114 +309,24 @@ spec: type: string type: object pkcs11: - description: BarbicanPKCS11Template - Includes all common HSM properties + description: BarbicanPKCS11Template - Includes common HSM properties properties: - AESGCMGenerateIV: - default: true - description: Generate IVs for CKM_AES_GCM mechanism - type: boolean - HMACKeyType: - default: CKK_GENERIC_SECRET - description: HMAC Key Type - type: string - HMACKeygenMechanism: - default: CKM_GENERIC_SECRET_KEY_GEN - description: HMAC Keygen Mechanism - type: string - HMACLabel: - description: Label to identify HMAC key in the HSM (must not be - the same as MKEK label) - type: string - HMACMechanism: - default: CKM_SHA256_HMAC - description: HMAC Mechanism. This replaces hsm_keywrap_mechanism - type: string - MKEKLabel: - description: Label to identify master KEK in the HSM (must not - be the same as HMAC label) - type: string - MKEKLength: - default: 32 - description: Length in bytes of master KEK - type: integer - OSLockingOK: - default: false - description: Set os_locking_ok - type: boolean - alwaysSetCKASensitive: - default: true - description: Always set cka_sensitive - type: boolean - certificatesMountPoint: - description: The mounting point where the certificates will be - copied to (e.g., /usr/local/luna/config/certs). - type: string - certificatesSecret: - description: The OpenShift secret that stores the HSM certificates. - type: string - clientAddress: - description: The IP address of the client connecting to the HSM - (X.Y.Z.K) - type: string - encryptionMechanism: - default: CKM_AES_GCM - description: Secret encryption mechanism - type: string - keyWrapGenerateIV: - default: true - description: Generate IVs for the key wrap mechanism - type: boolean - keyWrapMechanism: - default: CKM_AES_KEY_WRAP_KWP - description: Key wrap mechanism + clientDataPath: + description: Location to which kolla will copy the data in ClientDataSecret. 
type: string - libraryPath: - description: Path to vendor's PKCS11 library + clientDataSecret: + description: |- + The OpenShift secret that stores the HSM client data. + These will be mounted to /etc/hsm-client type: string - loggingLevel: - default: 4 - description: Level of logging, where 0 means "no logging" and - 7 means "debug". - maximum: 7 - minimum: 0 - type: integer loginSecret: description: OpenShift secret that stores the password to login to the PKCS11 session type: string - serverAddress: - description: The HSM's IPv4 address (X.Y.Z.K) - type: string - slotId: - description: |- - One of TokenSerialNumber, TokenLabels or SlotId must - be defined. SlotId is used if none of the others is defined - type: string - tokenLabels: - description: |- - Token labels used to identify the token to be used. - One of TokenSerialNumber, TokenLabels or SlotId must - be specified. TokenLabels takes priority over SlotId. - This can be a comma separated string of labels - type: string - tokenSerialNumber: - description: |- - Token serial number used to identify the token to be used. - One of TokenSerialNumber, TokenLabels or SlotId must - be defined. TokenSerialNumber takes priority over - TokenLabels and SlotId - type: string - type: - description: 'A string containing the HSM type (currently supported: - "luna").' - type: string required: - - HMACLabel - - MKEKLabel - - libraryPath + - clientDataPath + - clientDataSecret - loginSecret - - serverAddress - - type type: object rabbitMqClusterName: default: rabbitmq diff --git a/config/crd/bases/barbican.openstack.org_barbicankeystonelisteners.yaml b/config/crd/bases/barbican.openstack.org_barbicankeystonelisteners.yaml index 80e9920..3d2f64f 100644 --- a/config/crd/bases/barbican.openstack.org_barbicankeystonelisteners.yaml +++ b/config/crd/bases/barbican.openstack.org_barbicankeystonelisteners.yaml 
@@ -130,6 +130,9 @@ spec: description: PasswordSelectors - Selectors to identify the ServiceUser password from the Secret properties: + p11cryptologin: + default: P11CryptoLogin + type: string service: default: BarbicanPassword description: Service - Selector to get the barbican service user 
@@ -140,114 +143,24 @@ spec: type: string type: object pkcs11: - description: BarbicanPKCS11Template - Includes all common HSM properties + description: BarbicanPKCS11Template - Includes common HSM properties properties: - AESGCMGenerateIV: - default: true - description: Generate IVs for CKM_AES_GCM mechanism - type: boolean - HMACKeyType: - default: CKK_GENERIC_SECRET - description: HMAC Key Type - type: string - HMACKeygenMechanism: - default: CKM_GENERIC_SECRET_KEY_GEN - description: HMAC Keygen Mechanism - type: string - HMACLabel: - description: Label to identify HMAC key in the HSM (must not be - the same as MKEK label) - type: string - HMACMechanism: - default: CKM_SHA256_HMAC - description: HMAC Mechanism. This replaces hsm_keywrap_mechanism - type: string - MKEKLabel: - description: Label to identify master KEK in the HSM (must not - be the same as HMAC label) - type: string - MKEKLength: - default: 32 - description: Length in bytes of master KEK - type: integer - OSLockingOK: - default: false - description: Set os_locking_ok - type: boolean - alwaysSetCKASensitive: - default: true - description: Always set cka_sensitive - type: boolean - certificatesMountPoint: - description: The mounting point where the certificates will be - copied to (e.g., /usr/local/luna/config/certs). - type: string - certificatesSecret: - description: The OpenShift secret that stores the HSM certificates. - type: string - clientAddress: - description: The IP address of the client connecting to the HSM - (X.Y.Z.K) - type: string - encryptionMechanism: - default: CKM_AES_GCM - description: Secret encryption mechanism - type: string - keyWrapGenerateIV: - default: true - description: Generate IVs for the key wrap mechanism - type: boolean - keyWrapMechanism: - default: CKM_AES_KEY_WRAP_KWP - description: Key wrap mechanism + clientDataPath: + description: Location to which kolla will copy the data in ClientDataSecret. 
type: string - libraryPath: - description: Path to vendor's PKCS11 library + clientDataSecret: + description: |- + The OpenShift secret that stores the HSM client data. + These will be mounted to /etc/hsm-client type: string - loggingLevel: - default: 4 - description: Level of logging, where 0 means "no logging" and - 7 means "debug". - maximum: 7 - minimum: 0 - type: integer loginSecret: description: OpenShift secret that stores the password to login to the PKCS11 session type: string - serverAddress: - description: The HSM's IPv4 address (X.Y.Z.K) - type: string - slotId: - description: |- - One of TokenSerialNumber, TokenLabels or SlotId must - be defined. SlotId is used if none of the others is defined - type: string - tokenLabels: - description: |- - Token labels used to identify the token to be used. - One of TokenSerialNumber, TokenLabels or SlotId must - be specified. TokenLabels takes priority over SlotId. - This can be a comma separated string of labels - type: string - tokenSerialNumber: - description: |- - Token serial number used to identify the token to be used. - One of TokenSerialNumber, TokenLabels or SlotId must - be defined. TokenSerialNumber takes priority over - TokenLabels and SlotId - type: string - type: - description: 'A string containing the HSM type (currently supported: - "luna").' - type: string required: - - HMACLabel - - MKEKLabel - - libraryPath + - clientDataPath + - clientDataSecret - loginSecret - - serverAddress - - type type: object rabbitMqClusterName: default: rabbitmq diff --git a/config/crd/bases/barbican.openstack.org_barbicans.yaml b/config/crd/bases/barbican.openstack.org_barbicans.yaml index 3de834c..3e40fe8 100644 --- a/config/crd/bases/barbican.openstack.org_barbicans.yaml +++ b/config/crd/bases/barbican.openstack.org_barbicans.yaml 
@@ -639,6 +639,9 @@ spec: description: PasswordSelectors - Selectors to identify the ServiceUser password from the Secret properties: + p11cryptologin: + default: P11CryptoLogin + type: string service: default: BarbicanPassword description: Service - Selector to get the barbican service user 
@@ -649,114 +652,24 @@ spec: type: string type: object pkcs11: - description: BarbicanPKCS11Template - Includes all common HSM properties + description: BarbicanPKCS11Template - Includes common HSM properties properties: - AESGCMGenerateIV: - default: true - description: Generate IVs for CKM_AES_GCM mechanism - type: boolean - HMACKeyType: - default: CKK_GENERIC_SECRET - description: HMAC Key Type - type: string - HMACKeygenMechanism: - default: CKM_GENERIC_SECRET_KEY_GEN - description: HMAC Keygen Mechanism - type: string - HMACLabel: - description: Label to identify HMAC key in the HSM (must not be - the same as MKEK label) - type: string - HMACMechanism: - default: CKM_SHA256_HMAC - description: HMAC Mechanism. This replaces hsm_keywrap_mechanism - type: string - MKEKLabel: - description: Label to identify master KEK in the HSM (must not - be the same as HMAC label) - type: string - MKEKLength: - default: 32 - description: Length in bytes of master KEK - type: integer - OSLockingOK: - default: false - description: Set os_locking_ok - type: boolean - alwaysSetCKASensitive: - default: true - description: Always set cka_sensitive - type: boolean - certificatesMountPoint: - description: The mounting point where the certificates will be - copied to (e.g., /usr/local/luna/config/certs). - type: string - certificatesSecret: - description: The OpenShift secret that stores the HSM certificates. - type: string - clientAddress: - description: The IP address of the client connecting to the HSM - (X.Y.Z.K) - type: string - encryptionMechanism: - default: CKM_AES_GCM - description: Secret encryption mechanism + clientDataPath: + description: Location to which kolla will copy the data in ClientDataSecret. 
type: string - keyWrapGenerateIV: - default: true - description: Generate IVs for the key wrap mechanism - type: boolean - keyWrapMechanism: - default: CKM_AES_KEY_WRAP_KWP - description: Key wrap mechanism - type: string - libraryPath: - description: Path to vendor's PKCS11 library + clientDataSecret: + description: |- + The OpenShift secret that stores the HSM client data. + These will be mounted to /etc/hsm-client type: string - loggingLevel: - default: 4 - description: Level of logging, where 0 means "no logging" and - 7 means "debug". - maximum: 7 - minimum: 0 - type: integer loginSecret: description: OpenShift secret that stores the password to login to the PKCS11 session type: string - serverAddress: - description: The HSM's IPv4 address (X.Y.Z.K) - type: string - slotId: - description: |- - One of TokenSerialNumber, TokenLabels or SlotId must - be defined. SlotId is used if none of the others is defined - type: string - tokenLabels: - description: |- - Token labels used to identify the token to be used. - One of TokenSerialNumber, TokenLabels or SlotId must - be specified. TokenLabels takes priority over SlotId. - This can be a comma separated string of labels - type: string - tokenSerialNumber: - description: |- - Token serial number used to identify the token to be used. - One of TokenSerialNumber, TokenLabels or SlotId must - be defined. TokenSerialNumber takes priority over - TokenLabels and SlotId - type: string - type: - description: 'A string containing the HSM type (currently supported: - "luna").' - type: string required: - - HMACLabel - - MKEKLabel - - libraryPath + - clientDataPath + - clientDataSecret - loginSecret - - serverAddress - - type type: object preserveJobs: default: false diff --git a/config/crd/bases/barbican.openstack.org_barbicanworkers.yaml b/config/crd/bases/barbican.openstack.org_barbicanworkers.yaml index ad89946..3e8f783 100644 --- a/config/crd/bases/barbican.openstack.org_barbicanworkers.yaml 
+++ b/config/crd/bases/barbican.openstack.org_barbicanworkers.yaml @@ -128,6 +128,9 @@ spec: description: PasswordSelectors - Selectors to identify the ServiceUser password from the Secret properties: + p11cryptologin: + default: P11CryptoLogin + type: string service: default: BarbicanPassword description: Service - Selector to get the barbican service user 
@@ -138,114 +141,24 @@ spec: type: string type: object pkcs11: - description: BarbicanPKCS11Template - Includes all common HSM properties + description: BarbicanPKCS11Template - Includes common HSM properties properties: - AESGCMGenerateIV: - default: true - description: Generate IVs for CKM_AES_GCM mechanism - type: boolean - HMACKeyType: - default: CKK_GENERIC_SECRET - description: HMAC Key Type - type: string - HMACKeygenMechanism: - default: CKM_GENERIC_SECRET_KEY_GEN - description: HMAC Keygen Mechanism - type: string - HMACLabel: - description: Label to identify HMAC key in the HSM (must not be - the same as MKEK label) - type: string - HMACMechanism: - default: CKM_SHA256_HMAC - description: HMAC Mechanism. This replaces hsm_keywrap_mechanism - type: string - MKEKLabel: - description: Label to identify master KEK in the HSM (must not - be the same as HMAC label) - type: string - MKEKLength: - default: 32 - description: Length in bytes of master KEK - type: integer - OSLockingOK: - default: false - description: Set os_locking_ok - type: boolean - alwaysSetCKASensitive: - default: true - description: Always set cka_sensitive - type: boolean - certificatesMountPoint: - description: The mounting point where the certificates will be - copied to (e.g., /usr/local/luna/config/certs). - type: string - certificatesSecret: - description: The OpenShift secret that stores the HSM certificates. - type: string - clientAddress: - description: The IP address of the client connecting to the HSM - (X.Y.Z.K) - type: string - encryptionMechanism: - default: CKM_AES_GCM - description: Secret encryption mechanism - type: string - keyWrapGenerateIV: - default: true - description: Generate IVs for the key wrap mechanism - type: boolean - keyWrapMechanism: - default: CKM_AES_KEY_WRAP_KWP - description: Key wrap mechanism + clientDataPath: + description: Location to which kolla will copy the data in ClientDataSecret. 
type: string - libraryPath: - description: Path to vendor's PKCS11 library + clientDataSecret: + description: |- + The OpenShift secret that stores the HSM client data. + These will be mounted to /etc/hsm-client type: string - loggingLevel: - default: 4 - description: Level of logging, where 0 means "no logging" and - 7 means "debug". - maximum: 7 - minimum: 0 - type: integer loginSecret: description: OpenShift secret that stores the password to login to the PKCS11 session type: string - serverAddress: - description: The HSM's IPv4 address (X.Y.Z.K) - type: string - slotId: - description: |- - One of TokenSerialNumber, TokenLabels or SlotId must - be defined. SlotId is used if none of the others is defined - type: string - tokenLabels: - description: |- - Token labels used to identify the token to be used. - One of TokenSerialNumber, TokenLabels or SlotId must - be specified. TokenLabels takes priority over SlotId. - This can be a comma separated string of labels - type: string - tokenSerialNumber: - description: |- - Token serial number used to identify the token to be used. - One of TokenSerialNumber, TokenLabels or SlotId must - be defined. TokenSerialNumber takes priority over - TokenLabels and SlotId - type: string - type: - description: 'A string containing the HSM type (currently supported: - "luna").' - type: string required: - - HMACLabel - - MKEKLabel - - libraryPath + - clientDataPath + - clientDataSecret - loginSecret - - serverAddress - - type type: object rabbitMqClusterName: default: rabbitmq diff --git a/config/samples/pods_with_pkcs11-luna.yaml b/config/samples/pods_with_pkcs11-luna.yaml index 45416f9..5439e00 100644 --- a/config/samples/pods_with_pkcs11-luna.yaml +++ b/config/samples/pods_with_pkcs11-luna.yaml 
@@ -19,31 +19,44 @@ spec: database: BarbicanDatabasePassword service: BarbicanPassword simplecryptokek: BarbicanSimpleCryptoKEK + p11cryptologin: BarbicanP11Login preserveJobs: true customServiceConfig: | [DEFAULT] debug = True + + [secretstore:pkcs11] + secret_store_plugin = store_crypto + crypto_plugin = p11_crypto + + [p11_crypto_plugin] + plugin_name = PKCS11 + library_path = /usr/local/luna/libs/64/libCryptoki2.so + token_serial_number = 12345 + token_labels = some_token_label + slot_id = 123 + mkek_label = some_mkek_label + mkek_length = 123455 + hmac_label = some_hmac_label + encryption_mechanism = CKM_AES_GCM + aes_gcm_generate_iv = true + hmac_key_type = CKK_GENERIC_SECRET + hmac_keygen_mechanism = CKM_GENERIC_SECRET_KEY_GEN + hmac_keywrap_mechanism = CKM_AES_KEY_WRAP_KWP + key_wrap_mechanism = true + key_wrap_generate_iv = true + always_set_cka_sensitive = true + os_locking_ok = false globalDefaultSecretStore: pkcs11 enabledSecretStores: - simple_crypto - pkcs11 pkcs11: - hsmType: luna - hsmLibraryPath: /usr/local/luna/libs/64/libCryptoki2.so - hsmTokenLabels: my_hsm_partition_label - hsmMKEKLabel: my_mkek_label - hsmHMACLabel: my_hmac_label - hsmIpAddress: my_hsm_server_ip_address - hsmClientAddress: my_hsm_client_ip_address - hsmLoginSecret: my_luna_login_secret - hsmCertificatesSecret: my_luna_certs_secret - hsmCertificatesMountPoint: /usr/local/luna/config/certs - hsmKeyWrapMechanism: CKM_AES_CBC_PAD + loginSecret: my_luna_login_secret + clientDataSecret: my_luna_certs_secret + clientDataPatth: /usr/local/luna barbicanAPI: containerImage: my_custom_barbican_api_image - passwordSelectors: - database: BarbicanDatabasePassword - service: BarbicanPassword replicas: 1 barbicanWorker: containerImage: my_custom_barbican_worker_image diff --git a/controllers/barbican_common.go b/controllers/barbican_common.go index c424787..a6cd90a 100644 --- a/controllers/barbican_common.go +++ b/controllers/barbican_common.go 
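Review bot: The sample's `pkcs11:` block sets `clientDataPatth: /usr/local/luna`, but the field this commit adds to the CRD is `clientDataPath` and it is listed under `required`, so the sample will be rejected on apply (unknown field plus missing required field); the line should read `clientDataPath: /usr/local/luna`. Two `[p11_crypto_plugin]` values in the new `customServiceConfig` also look transposed: `key_wrap_mechanism = true` is a boolean where a mechanism name belongs, while `hmac_keywrap_mechanism = CKM_AES_KEY_WRAP_KWP` carries the value the removed CRD used as the `keyWrapMechanism` default (the removed `HMACMechanism` field, which fed `hmac_keywrap_mechanism` in the old template, defaulted to `CKM_SHA256_HMAC`). Since operators will copy this block verbatim now that the operator no longer validates these settings, `key_wrap_mechanism = CKM_AES_KEY_WRAP_KWP` / `hmac_keywrap_mechanism = CKM_SHA256_HMAC` and a realistic `mkek_length` (the removed default was 32) would avoid a confusing failure at first use.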
@@ -18,7 +18,6 @@ package controllers
 
 import (
  "context"
- "errors"
  "fmt"
  "slices"
  "strings"
@@ -27,7 +26,6 @@ import (
  "github.com/openstack-k8s-operators/lib-common/modules/common/env"
  "github.com/openstack-k8s-operators/lib-common/modules/common/helper"
  "github.com/openstack-k8s-operators/lib-common/modules/common/secret"
- oko_secret "github.com/openstack-k8s-operators/lib-common/modules/common/secret"
  "github.com/openstack-k8s-operators/lib-common/modules/common/util"
  "sigs.k8s.io/controller-runtime/pkg/client"
 )
@@ -94,54 +92,3 @@ func GenerateSecretStoreTemplateMap(
  }
  return tempMap, nil
 }
-
-func GeneratePKCS11TemplateMap(
- ctx context.Context,
- h *helper.Helper,
- pkcs11 barbicanv1beta1.BarbicanPKCS11Template,
- namespace string,
-) (map[string]interface{}, error) {
- tempMap := map[string]interface{}{}
- hsmLoginSecret, _, err := oko_secret.GetSecret(ctx, h, pkcs11.LoginSecret, namespace)
- if err != nil {
- return nil, err
- }
-
- if len(pkcs11.TokenSerialNumber) > 0 {
- tempMap["P11TokenSerialNumber"] = pkcs11.TokenSerialNumber
- }
- if len(pkcs11.TokenLabels) > 0 {
- tempMap["P11TokenLabels"] = pkcs11.TokenLabels
- }
- if len(pkcs11.SlotId) > 0 {
- tempMap["P11SlotId"] = pkcs11.SlotId
- }
-
- // Checking if a supported HSM type has been provided.
- if !slices.Contains(barbicanv1beta1.HSMTypes, strings.ToLower(pkcs11.Type)) {
- return nil, errors.New("no valid HSM type provided")
- }
-
- tempMap["P11Enabled"] = true
- tempMap["P11LibraryPath"] = pkcs11.LibraryPath
- tempMap["P11CertificatesMountPoint"] = pkcs11.CertificatesMountPoint
- tempMap["P11Login"] = string(hsmLoginSecret.Data["hsmLogin"])
- tempMap["P11MKEKLabel"] = pkcs11.MKEKLabel
- tempMap["P11MKEKLength"] = pkcs11.MKEKLength
- tempMap["P11HMACLabel"] = pkcs11.HMACLabel
- tempMap["P11HMACKeyType"] = pkcs11.HMACKeyType
- tempMap["P11HMACKeygenMechanism"] = pkcs11.HMACKeygenMechanism
- tempMap["P11HMACMechanism"] = pkcs11.HMACMechanism
- tempMap["P11LoggingLevel"] = pkcs11.LoggingLevel
- tempMap["P11ServerAddress"] = pkcs11.ServerAddress
- tempMap["P11ClientAddress"] = pkcs11.ClientAddress
- tempMap["P11Type"] = strings.ToLower(pkcs11.Type)
- tempMap["P11EncryptionMechanism"] = pkcs11.EncryptionMechanism
- tempMap["P11KeyWrapMechanism"] = pkcs11.KeyWrapMechanism
- tempMap["P11AESGCMGenerateIV"] = pkcs11.AESGCMGenerateIV
- tempMap["P11KeyWrapGenerateIV"] = pkcs11.KeyWrapGenerateIV
- tempMap["P11AlwaysSetCKASensitive"] = pkcs11.AlwaysSetCKASensitive
- tempMap["P11OSLockingOK"] = pkcs11.OSLockingOK
-
- return tempMap, nil
-}
diff --git a/controllers/barbican_controller.go b/controllers/barbican_controller.go
index afdbb1a..e6a0800 100644
--- a/controllers/barbican_controller.go
+++ b/controllers/barbican_controller.go
@@ -670,12 +670,13 @@ func (r *BarbicanReconciler) generateServiceConfig(
 
  // Set pkcs11 parameters
  if slices.Contains(instance.Spec.EnabledSecretStores, "pkcs11") {
- pkcs11TemplateMap, err := GeneratePKCS11TemplateMap(
- ctx, h, *instance.Spec.PKCS11, instance.Namespace)
+ hsmLoginSecret, _, err := oko_secret.GetSecret(ctx, h, instance.Spec.PKCS11.LoginSecret, instance.Namespace)
  if err != nil {
  return err
  }
- maps.Copy(templateParameters, pkcs11TemplateMap)
+ templateParameters["P11Login"] = string(hsmLoginSecret.Data[instance.Spec.PasswordSelectors.P11CryptoLogin])
+ templateParameters["P11Enabled"] = true
+ templateParameters["P11ClientDataPath"] = instance.Spec.PKCS11.ClientDataPath
  }
 
  return GenerateConfigsGeneric(ctx, h, instance, envVars, templateParameters, customData, labels, true)
diff --git a/controllers/barbicanapi_controller.go b/controllers/barbicanapi_controller.go
index 30b4be8..3ecba4e 100644
--- a/controllers/barbicanapi_controller.go
+++ b/controllers/barbicanapi_controller.go
@@ -340,12 +340,13 @@ func (r *BarbicanAPIReconciler) generateServiceConfigs(
 
  // Set pkcs11 parameters
  if slices.Contains(instance.Spec.EnabledSecretStores, "pkcs11") {
- pkcs11TemplateMap, err := GeneratePKCS11TemplateMap(
- ctx, h, *instance.Spec.PKCS11, instance.Namespace)
+ hsmLoginSecret, _, err := secret.GetSecret(ctx, h, instance.Spec.PKCS11.LoginSecret, instance.Namespace)
  if err != nil {
  return err
  }
- maps.Copy(templateParameters, pkcs11TemplateMap)
+ templateParameters["P11Login"] = string(hsmLoginSecret.Data[instance.Spec.PasswordSelectors.P11CryptoLogin])
+ templateParameters["P11Enabled"] = true
+ templateParameters["P11ClientDataPath"] = instance.Spec.PKCS11.ClientDataPath
  }
 
  // create httpd vhost template parameters
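Review bot: The new `templateParameters["P11Login"]` line indexes `hsmLoginSecret.Data[instance.Spec.PasswordSelectors.P11CryptoLogin]` without checking that the key exists, so a login secret still keyed `hsmLogin` (the key the removed `GeneratePKCS11TemplateMap` read) renders `login =` as an empty string and the PKCS#11 session presumably fails much later with a far less obvious error; the barbicanapi_controller.go hunk below and the barbicanworker_controller.go hunk have the same pattern. Before the assignment add a presence check such as `login, ok := hsmLoginSecret.Data[instance.Spec.PasswordSelectors.P11CryptoLogin]` / `if !ok { return fmt.Errorf("secret %s has no key %s", instance.Spec.PKCS11.LoginSecret, instance.Spec.PasswordSelectors.P11CryptoLogin) }` (assuming `fmt` is already imported in each file). `instance.Spec.PKCS11` is a pointer (the removed call dereferenced it), so enabling `pkcs11` without a `pkcs11:` block still panics here; returning an error on nil would be friendlier than a reconciler crash. Style-wise this file calls `oko_secret.GetSecret` while the api and worker controllers call `secret.GetSecret` for the same package; one alias across the three would be cleaner. The enclosing `generateServiceConfig`/`generateServiceConfigs` functions start and end outside the hunks.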
diff --git a/controllers/barbicanworker_controller.go b/controllers/barbicanworker_controller.go
index ef85091..473fb4e 100644
--- a/controllers/barbicanworker_controller.go
+++ b/controllers/barbicanworker_controller.go
@@ -292,12 +292,13 @@ func (r *BarbicanWorkerReconciler) generateServiceConfigs(
 
  // Set pkcs11 parameters
  if slices.Contains(instance.Spec.EnabledSecretStores, "pkcs11") {
- pkcs11TemplateMap, err := GeneratePKCS11TemplateMap(
- ctx, h, *instance.Spec.PKCS11, instance.Namespace)
+ hsmLoginSecret, _, err := secret.GetSecret(ctx, h, instance.Spec.PKCS11.LoginSecret, instance.Namespace)
  if err != nil {
  return err
  }
- maps.Copy(templateParameters, pkcs11TemplateMap)
+ templateParameters["P11Login"] = string(hsmLoginSecret.Data[instance.Spec.PasswordSelectors.P11CryptoLogin])
+ templateParameters["P11Enabled"] = true
+ templateParameters["P11ClientDataPath"] = instance.Spec.PKCS11.ClientDataPath
  }
 
  return GenerateConfigsGeneric(ctx, h, instance, envVars, templateParameters, customData, labels, false)
diff --git a/pkg/barbican/const.go b/pkg/barbican/const.go
index b5ef16a..3c9e1eb 100644
--- a/pkg/barbican/const.go
+++ b/pkg/barbican/const.go
@@ -53,6 +53,8 @@ const (
  ConfigVolume = "config-data"
  // ScriptVolume is the default volume name used to mount scripts
  ScriptVolume = "scripts"
- // LunaVolume is the volume used to mount Luna certificates
- LunaVolume = "hsm-luna-certificates"
+ // P11DataVolume is the volume used to mount PKCS11 client Data
+ P11ClientDataVolume = "p11-client-data"
+ // P11DataVolume is the mount point used for PKCS11 client Data
+ P11ClientDataMountPoint = "/var/lib/config-data/hsm"
 )
diff --git a/pkg/barbican/p11_prep.go b/pkg/barbican/p11_prep.go
index b51ff1a..952c4d7 100644
--- a/pkg/barbican/p11_prep.go
+++ b/pkg/barbican/p11_prep.go
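Review bot: Both new doc comments in the const.go hunk start with `P11DataVolume`, which is the name of neither constant; Go doc comments begin with the declared name, i.e. `// P11ClientDataVolume is the volume used to mount PKCS11 client data` and `// P11ClientDataMountPoint is the mount point used for PKCS11 client data`. More importantly, `P11ClientDataMountPoint = "/var/lib/config-data/hsm"` disagrees with the kolla config entries added in this commit, which copy from `/etc/p11-client/*`, and with the new CRD description, which says the secret is mounted at `/etc/hsm-client`; because those kolla entries are marked `optional`, a path mismatch silently leaves the HSM client data uncopied rather than failing the container. Pass the mount point into the templates as a parameter next to `P11ClientDataPath` (or otherwise derive all three from this constant) so there is one source of truth.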
@@ -40,7 +40,7 @@ func P11PrepJob(instance *barbicanv1beta1.Barbican, labels map[string]string, an // add any HSM volumes p11Volumes = append(p11Volumes, GetHSMVolumes(*instance.Spec.PKCS11)...) - p11Mounts = append(p11Mounts, GetHSMVolumeMounts(*instance.Spec.PKCS11)...) + p11Mounts = append(p11Mounts, GetHSMVolumeMounts()...) // add luna specific config files diff --git a/pkg/barbican/volumes.go b/pkg/barbican/volumes.go index ef69a15..0f5345d 100644 --- a/pkg/barbican/volumes.go +++ b/pkg/barbican/volumes.go @@ -2,7 +2,6 @@ package barbican import ( "strconv" - "strings" barbicanv1beta1 "github.com/openstack-k8s-operators/barbican-operator/api/v1beta1" corev1 "k8s.io/api/core/v1" @@ -138,32 +137,26 @@ func GetKollaConfigVolumeMount(serviceName string) corev1.VolumeMount { // GetHSMVolume - Returns Volumes for HSM secrets func GetHSMVolumes(pkcs11 barbicanv1beta1.BarbicanPKCS11Template) []corev1.Volume { var config0644AccessMode int32 = 0644 - if strings.ToLower(pkcs11.Type) == "luna" { - return []corev1.Volume{ - { - Name: LunaVolume, - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - DefaultMode: &config0644AccessMode, - SecretName: pkcs11.CertificatesSecret, - }, + return []corev1.Volume{ + { + Name: P11ClientDataVolume, + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + DefaultMode: &config0644AccessMode, + SecretName: pkcs11.ClientDataSecret, }, }, - } + }, } - return nil } // GetHSMVolumeMount - Returns Volume Mounts for HSM secrets -func GetHSMVolumeMounts(pkcs11 barbicanv1beta1.BarbicanPKCS11Template) []corev1.VolumeMount { - if strings.ToLower(pkcs11.Type) == "luna" { - return []corev1.VolumeMount{ - { - Name: LunaVolume, - MountPath: pkcs11.CertificatesMountPoint, - ReadOnly: true, - }, - } +func GetHSMVolumeMounts() []corev1.VolumeMount { + return []corev1.VolumeMount{ + { + Name: P11ClientDataVolume, + MountPath: P11ClientDataMountPoint, + ReadOnly: true, + }, } - return nil } 
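Review bot: `GetHSMVolumes` now mounts `ClientDataSecret` with `DefaultMode: &config0644AccessMode`, i.e. readable by every UID in the pod, while the deleted Chrystoki.conf shows this data previously included the client's private key (`ClientPrivKeyFile`); the kolla copy applies `0600` at the destination, but the files stay readable at `P11ClientDataMountPoint` under the mode set here. Consider a dedicated `var config0600AccessMode int32 = 0600` (or `0400`, since the mount is `ReadOnly`) for this volume. The context comments `// GetHSMVolume - Returns Volumes for HSM secrets` and `// GetHSMVolumeMount - Returns Volume Mounts for HSM secrets` still do not match the function names `GetHSMVolumes`/`GetHSMVolumeMounts`; worth fixing while the signatures change. `GetHSMVolumes` also no longer returns nil for unrecognised types, so every caller now gets a volume unconditionally — presumably intended now that `Type` is gone, but worth a line in the doc comment.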
diff --git a/pkg/barbicanapi/deployment.go b/pkg/barbicanapi/deployment.go
index aad85e8..2f34ae4 100644
--- a/pkg/barbicanapi/deployment.go
+++ b/pkg/barbicanapi/deployment.go
@@ -107,7 +107,7 @@ func Deployment(
  // Add PKCS11 volumes
  if slices.Contains(instance.Spec.EnabledSecretStores, "pkcs11") {
  apiVolumes = append(apiVolumes, barbican.GetHSMVolumes(*instance.Spec.PKCS11)...)
- apiVolumeMounts = append(apiVolumeMounts, barbican.GetHSMVolumeMounts(*instance.Spec.PKCS11)...)
+ apiVolumeMounts = append(apiVolumeMounts, barbican.GetHSMVolumeMounts()...)
  }
 
  deployment := &appsv1.Deployment{
diff --git a/pkg/barbicanworker/deployment.go b/pkg/barbicanworker/deployment.go
index 4bd8a12..ac2e2c8 100644
--- a/pkg/barbicanworker/deployment.go
+++ b/pkg/barbicanworker/deployment.go
@@ -83,7 +83,7 @@ func Deployment(
  // Add PKCS11 volumes
  if slices.Contains(instance.Spec.EnabledSecretStores, "pkcs11") {
  workerVolumes = append(workerVolumes, barbican.GetHSMVolumes(*instance.Spec.PKCS11)...)
- workerVolumeMounts = append(workerVolumeMounts, barbican.GetHSMVolumeMounts(*instance.Spec.PKCS11)...)
+ workerVolumeMounts = append(workerVolumeMounts, barbican.GetHSMVolumeMounts()...)
  }
 
  deployment := &appsv1.Deployment{
diff --git a/templates/barbican/bin/generate_p11_keys.sh b/templates/barbican/bin/generate_p11_keys.sh
index fed31bc..124bebe 100755
--- a/templates/barbican/bin/generate_p11_keys.sh
+++ b/templates/barbican/bin/generate_p11_keys.sh
@@ -16,9 +16,12 @@ set -xe {{- if and (index . "P11Enabled") .P11Enabled }} + +# TODO(alee) We need to read the MKEKLabel from the config file here first echo "Creating MKEK label {{ .P11MKEKLabel }}" barbican-manage hsm check_mkek --label {{ .P11MKEKLabel }} || barbican-manage hsm gen_mkek --label {{ .P11MKEKLabel }} +# TODO(alee) We need to read the HMACLabel from the config file here first echo "Creating HMAC label {{ .P11HMACLabel }}" barbican-manage hsm check_hmac --label {{ .P11HMACLabel }} || barbican-manage hsm gen_hmac --label {{ .P11HMACLabel }} {{- end }} diff --git a/templates/barbican/config/00-default.conf b/templates/barbican/config/00-default.conf index 2149ad7..bdf420d 100644 --- a/templates/barbican/config/00-default.conf +++ b/templates/barbican/config/00-default.conf @@ -74,28 +74,5 @@ global_default = true {{- end }} [p11_crypto_plugin] -plugin_name = PKCS11 -library_path = {{ .P11LibraryPath }} -{{- if (index . "P11TokenSerialNumber") }} -token_serial_number = {{ .P11TokenSerialNumber }} -{{- end }} -{{- if (index . "P11TokenLabels") }} -token_labels = {{ .P11TokenLabels }} -{{- end -}} -{{- if (index . "P11SlotId") }} -slot_id = {{ .P11SlotId }} -{{- end }} -mkek_label = {{ .P11MKEKLabel }} -mkek_length = {{ .P11MKEKLength }} -hmac_label = {{ .P11HMACLabel }} -encryption_mechanism = {{ .P11EncryptionMechanism }} -aes_gcm_generate_iv = {{ .P11AESGCMGenerateIV }} -hmac_key_type = {{ .P11HMACKeyType }} -hmac_keygen_mechanism = {{ .P11HMACKeygenMechanism }} -hmac_keywrap_mechanism = {{ .P11HMACMechanism }} -key_wrap_mechanism = {{ .P11KeyWrapMechanism }} -key_wrap_generate_iv = {{ .P11KeyWrapGenerateIV }} -always_set_cka_sensitive = {{ .P11AlwaysSetCKASensitive }} -os_locking_ok = {{ .P11OSLockingOK }} login = {{ .P11Login }} {{- end }} diff --git a/templates/barbican/config/Chrystoki.conf b/templates/barbican/config/Chrystoki.conf deleted file mode 100644 index 1b580e4..0000000 --- a/templates/barbican/config/Chrystoki.conf +++ /dev/null 
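Review bot: The script still expands `{{ .P11MKEKLabel }}` and `{{ .P11HMACLabel }}`, but after this commit nothing sets those keys — the removed `GeneratePKCS11TemplateMap` was their only producer and the controllers now set just `P11Login`, `P11Enabled` and `P11ClientDataPath` — so unless the template engine is configured to error on missing keys, the `barbican-manage hsm check_mkek --label` and `gen_hmac --label` lines run under `set -xe` with `<no value>` or an empty label. The two new `TODO(alee)` comments acknowledge this, but the p11-prep job ships broken in the meantime; at minimum guard each pair with `{{- if (index . "P11MKEKLabel") }}` … `{{- end }}` (the `index` pattern already used for `P11Enabled`), or read `mkek_label`/`hmac_label` from the rendered barbican config at runtime as the TODO proposes. The same shift applies to the 00-default.conf hunk, whose `[p11_crypto_plugin]` section now sets only `login`; that everything else must come from `customServiceConfig` should be stated in the CRD field description.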
@@ -1,41 +0,0 @@ -{{- if and (index . "P11Enabled") .P11Enabled }} -{{- if eq .P11Type "luna" }} -Chrystoki2 = { - LibUNIX = {{ .P11LibraryPath }}; - LibUNIX64 = {{ .P11LibraryPath }}; -} - -Luna = { - DefaultTimeOut = 500000; - PEDTimeout1 = 100000; - PEDTimeout2 = 200000; - PEDTimeout3 = 10000; - KeypairGenTimeOut = 2700000; - CloningCommandTimeOut = 300000; - CommandTimeOutPedSet = 720000; -} - -CardReader = { - RemoteCommand = 1; -} - -Misc = { - PE1746Enabled = 0; - ProtectedAuthenticationPathFlagStatus = 0; -} - -LunaSA Client = { - ReceiveTimeout = 20000; - SSLConfigFile = /usr/local/luna/openssl.cnf; - ClientPrivKeyFile = {{ .P11CertificatesMountPoint }}/{{ .P11ClientAddress }}Key.pem; - ClientCertFile = {{ .P11CertificatesMountPoint }}/{{ .P11ClientAddress }}.pem; - ServerCAFile = {{ .P11CertificatesMountPoint }}/CACert.pem; - NetClient = 1; - TCPKeepAlive = 1; - EnableTLS1_2 = 1; - ServerName00 = {{ .P11ServerAddress }}; - ServerPort00 = 1792; - ServerHtl00 = 0; -} -{{ end -}} -{{ end -}} diff --git a/templates/barbican/config/barbican-api-config.json b/templates/barbican/config/barbican-api-config.json index 1d24f3f..cea30cc 100644 --- a/templates/barbican/config/barbican-api-config.json +++ b/templates/barbican/config/barbican-api-config.json @@ -78,14 +78,16 @@ "optional": true, "merge": true }, + {{- if (index . "P11ClientDataPath") }} { - "source": "/var/lib/config-data/default/Chrystoki.conf", - "dest": "/usr/local/luna/Chrystoki.conf", + "source": "/etc/p11-client/*", + "dest": "{{ .P11ClientDataPath }}", "owner": "barbican", "perm": "0600", "optional": true, "merge": true } + {{- end }} ], "permissions": [ { diff --git a/templates/barbican/config/barbican-p11-prep-config.json b/templates/barbican/config/barbican-p11-prep-config.json index 3152baa..3b765f6 100644 --- a/templates/barbican/config/barbican-p11-prep-config.json +++ b/templates/barbican/config/barbican-p11-prep-config.json 
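Review bot: The new `{{- if (index . "P11ClientDataPath") }}` guard wraps the last element of the `config_files` array while the preceding element's closing `},` (a context line) keeps its comma, so when PKCS#11 is not enabled — the common case for the api config — the rendered JSON ends the array with `},` directly followed by `]`, which a strict JSON parser rejects as a trailing comma. The barbican-worker-config.json hunk has the same shape; barbican-p11-prep-config.json is only rendered when `P11ClientDataPath` is set, so it is affected only if that changes. Move the comma inside the conditional: end the previous entry with `}`, then `{{- if (index . "P11ClientDataPath") }},` followed by the new object and `{{- end }}`. If the kolla config loader is known to tolerate trailing commas this is harmless, but I could not confirm that from the change.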
@@ -13,14 +13,16 @@ "owner": "barbican", "perm": "0600" }, + {{- if (index . "P11ClientDataPath") }} { - "source": "/var/lib/config-data/default/Chrystoki.conf", - "dest": "/usr/local/luna/Chrystoki.conf", + "source": "/etc/p11-client/*", + "dest": "{{ .P11ClientDataPath }}", "owner": "barbican", "perm": "0600", "optional": true, "merge": true } + {{- end }} ], "permissions": [ { diff --git a/templates/barbican/config/barbican-worker-config.json b/templates/barbican/config/barbican-worker-config.json index 860be3c..1cd6167 100644 --- a/templates/barbican/config/barbican-worker-config.json +++ b/templates/barbican/config/barbican-worker-config.json @@ -28,14 +28,16 @@ "perm": "0755", "optional": true }, + {{- if (index . "P11ClientDataPath") }} { - "source": "/var/lib/config-data/default/Chrystoki.conf", - "dest": "/usr/local/luna/Chrystoki.conf", - "owner": "barbican", - "perm": "0600", - "optional": true, - "merge": true + "source": "/etc/p11-client/*", + "dest": "{{ .P11ClientDataPath }}", + "owner": "barbican", + "perm": "0600", + "optional": true, + "merge": true } + {{- end }} ], "permissions": [ { diff --git a/tests/functional/barbican_controller_test.go b/tests/functional/barbican_controller_test.go index 333a62b..afa2e74 100644 --- a/tests/functional/barbican_controller_test.go +++ b/tests/functional/barbican_controller_test.go @@ -488,14 +488,14 @@ var _ = Describe("Barbican controller", func() { foundMount := false indexMount := 0 for index, volumeMount := range container.VolumeMounts { - if volumeMount.Name == barbican.LunaVolume { + if volumeMount.Name == barbican.P11ClientDataVolume { foundMount = true indexMount = index break } } Expect(foundMount).To(BeTrue()) - Expect(container.VolumeMounts[indexMount].MountPath).To(Equal(HSMCertificatesMountPoint)) + Expect(container.VolumeMounts[indexMount].MountPath).To(Equal(barbican.P11ClientDataMountPoint)) }) It("Verifies the PKCS11 struct is in good shape", func() { 
@@ -504,16 +504,7 @@ var _ = Describe("Barbican controller", func() { Expect(Barbican.Spec.GlobalDefaultSecretStore).Should(Equal(barbicanv1beta1.SecretStore("pkcs11"))) pkcs11 := Barbican.Spec.PKCS11 - Expect(pkcs11.SlotId).Should(Equal(HSMSlotID)) - Expect(pkcs11.LibraryPath).Should(Equal(HSMLibraryPath)) - Expect(pkcs11.CertificatesMountPoint).Should(Equal(HSMCertificatesMountPoint)) Expect(pkcs11.LoginSecret).Should(Equal(HSMLoginSecret)) - Expect(pkcs11.CertificatesSecret).Should(Equal(HSMCertsSecret)) - Expect(pkcs11.MKEKLabel).Should(Equal(HSMMKEKLabel)) - Expect(pkcs11.HMACLabel).Should(Equal(HSMHMACLabel)) - Expect(pkcs11.ServerAddress).Should(Equal(HSMServerAddress)) - Expect(pkcs11.ClientAddress).Should(Equal(HSMClientAddress)) - Expect(pkcs11.Type).Should(Equal(HSMType)) }) It("Checks if the two relevant secrets have the right contents", func() { @@ -586,7 +577,7 @@ var _ = Describe("Barbican controller", func() { // Checking if both, the volume mount name and its mount path match the specified values. var elemLuna, elemScript = 0, 0 for index, mount := range th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts { - if mount.Name == barbican.LunaVolume { + if mount.Name == barbican.P11ClientDataVolume { elemLuna = index } else if mount.Name == barbican.ScriptVolume { elemScript = index @@ -597,8 +588,8 @@ var _ = Describe("Barbican controller", func() { mountPath := th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts[elemLuna].MountPath Eventually(func(g Gomega) { - g.Expect(volume).To(Equal(barbican.LunaVolume)) - g.Expect(mountPath).To(Equal(HSMCertificatesMountPoint)) + g.Expect(volume).To(Equal(barbican.P11ClientDataVolume)) + g.Expect(mountPath).To(Equal(barbican.P11ClientDataMountPoint)) }, timeout, interval).Should(Succeed()) volume = th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts[elemScript].Name