-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Barbican Support for Luna HSM #168
Barbican Support for Luna HSM #168
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Next step of course is to take what you have here and add to the relevant specs.
Then you need to find where the config files are generated/templated and make the changes. See https://github.com/openstack-k8s-operators/keystone-operator/pull/479/files# as an example of what Dave is doing on the federation side.
api/v1beta1/common_types.go
Outdated
// +kubebuilder:validation:Optional | ||
// The HSM certificates. The map's key is the OpenShift secret storing the certificate, and | ||
// the value is the mounting point (e.g., "luna-certificates": "/usr/local/luna/config/certs"). | ||
HSMCertificates map[string]string `json:"hsmCertificates"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can there be multiple hsm certificates involved? because if I read the PR correct, only one would be mounted . If if only one cert secret is used, can't we just mount them to a fixed patch, instead of making the path configurable?
If we need it to be configurable, why not have a list of a sub struct type with secretName
and mountPath
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
also what is the expected content of the secret? specific keys for referencing cert/key?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This has been modified. We can have multiple certs but they will all be contained in a single secret - which will be mounted to a specific directory (mountpoint). The contents of the secret will be all the files that will be created in that directory.
ce15cd3
to
e57a4e2
Compare
7be00a5
to
3cab58f
Compare
ef4921e
to
434b386
Compare
Looks like kuttl tests are passing. but the deploy-test there is failing while waiting on galera. |
/test barbican-operator-build-deploy-kuttl |
1 similar comment
/test barbican-operator-build-deploy-kuttl |
/test barbican-operator-build-deploy-kuttl |
/retest |
2723ff1
to
693987b
Compare
/test barbican-operator-build-deploy-kuttl |
hold-the-node Signed-off-by: Mauricio Harley <[email protected]> Co-authored-by: Ade Lee <[email protected]> Co-authored-by: Grzegorz Grasza <[email protected]>
693987b
to
d84132c
Compare
@@ -16,6 +16,7 @@ for crd in config/crd/bases/*.yaml; do | |||
mkdir -p "$(dirname "$TMP_DIR/$crd")" | |||
git show "$BASE_REF:$crd" > "$TMP_DIR/$crd" | |||
$CHECKER check-manifests \ | |||
--disabled-validators=NoBools,NoNewRequiredFields \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK - so this was just for testing. We want to remove this and then explicitly waive the test failures.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mauricioharley, xek The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
cc2b30a
into
openstack-k8s-operators:main
Just to add a comment here about the CRD checker. This patch was accidentally merged without removing the changes to the crd-schema-checker. We will re-enable them in a follow-on commit. The checker flagged a bunch of bools that were added in the pkcs11 spec. These bools are in fact really bools that would be set as such in the barbican.conf file. So the errors here would have been waived. Further, the checker flagged a bunch of new required fields in the PKCS11 struct. This is OK because the PKCS11 struct itself is new and it is included into our existing structs as an optional pointer to a PKCS11 struct. Existing CRs will not have this field defined, and upon update, will instantiate that pointer as a nil value. Which won't trigger any issues with required fields in the struct. |
This patch is a Work in Progress to support Thales Luna HSMs on Barbican v18.
It templates the Luna HSM configuration into Barbican variables.