From ec397323b65e3e0ca4fd7f67f67182b8fe35d906 Mon Sep 17 00:00:00 2001
From: Mauricio Harley
Date: Thu, 25 Dec 2025 15:10:33 +0000
Subject: [PATCH] Separate the kustomization from the image creation This commit separates the Barbican Proteccio playbook into two parts to support adoption scenarios where image creation and kustomization need to happen at different times: - barbican-prepare-proteccio.yml: Creates custom Barbican images with HSM client and sets up OpenShift secrets - barbican-enable-proteccio.yml: Applies kustomization to configure Barbican to use Proteccio HSM Additionally, this adds support for loading the HSM password from a Zuul secret file (/var/tmp/qe-secrets/proteccio_pin.yaml) when the cifmw_hsm_password variable is not already defined. This file is created by the qe-creds-crc.yaml pre-run playbook in the components-integration-config repository. This change is based on PR #3543 by Ade Lee, with the addition of the HSM password file loading logic. Jira: OSPRH-20112 Signed-off-by: Mauricio Harley
---
 hooks/playbooks/barbican-enable-proteccio.yml | 45 ------------- .../playbooks/barbican-prepare-proteccio.yml | 67 +++++++++++++++++++ 2 files changed, 67 insertions(+), 45 deletions(-) create mode 100644 hooks/playbooks/barbican-prepare-proteccio.yml
diff --git a/hooks/playbooks/barbican-enable-proteccio.yml b/hooks/playbooks/barbican-enable-proteccio.yml
index 5bd6ff4fcb..3f5f27abdc 100644
--- a/hooks/playbooks/barbican-enable-proteccio.yml
+++ b/hooks/playbooks/barbican-enable-proteccio.yml
@@ -1,49 +1,4 @@ --- -- name: Create modified barbican image and get secrets - hosts: "{{ cifmw_target_hook_host | default('localhost') }}" - tasks: - - name: Check out the role Git repository - ansible.builtin.git: - dest: "./rhoso_proteccio_hsm" - repo: "{{ cifmw_hsm_proteccio_ansible_role_repo | default('https://github.com/openstack-k8s-operators/ansible-role-rhoso-proteccio-hsm.git', true) }}" - version: "{{ cifmw_hsm_proteccio_ansible_role_version| default('main', true) }}" - - - name: Create and upload the new Barbican images - ansible.builtin.include_role: - name: rhoso_proteccio_hsm - tasks_from: create_image - vars: - barbican_src_api_image_name: "{{ cifmw_barbican_src_api_image_name }}" - barbican_src_worker_image_name: "{{ cifmw_barbican_src_worker_image_name }}" - barbican_src_image_registry: "{{ content_provider_registry_ip }}:5001" - barbican_src_image_namespace: "{{ cifmw_update_containers_org | default('podified-antelope-centos9') }}" - barbican_src_image_tag: "{{ cifmw_update_containers_tag | default('component-ci-testing') }}" - barbican_dest_api_image_name: "{{ cifmw_barbican_dest_api_image_name }}" - barbican_dest_worker_image_name: "{{ cifmw_barbican_dest_worker_image_name }}" - barbican_dest_image_registry: "{{ content_provider_registry_ip }}:5001" - barbican_dest_image_namespace: "{{ cifmw_update_containers_org | default('podified-antelope-centos9') }}" - barbican_dest_image_tag: "{{ cifmw_update_containers_barbican_custom_tag }}" - image_registry_verify_tls: "{{ cifmw_image_registry_verify_tls | default('false', true) }}" - proteccio_client_src: "{{ cifmw_hsm_proteccio_client_src }}" - proteccio_client_iso: "{{ cifmw_hsm_proteccio_client_iso | default('Proteccio3.06.05.iso') }}" - - - name: Create secrets with the HSM certificates and hsm-login credentials - ansible.builtin.include_role: - name: rhoso_proteccio_hsm - tasks_from: create_secrets - vars: - proteccio_conf_src: "{{ cifmw_hsm_proteccio_conf_src }}" - proteccio_client_crt_src: "{{ 
cifmw_hsm_proteccio_client_crt_src }}" - proteccio_client_key_src: "{{ cifmw_hsm_proteccio_client_key_src }}" - proteccio_server_crt_src: "{{ cifmw_hsm_proteccio_server_crt_src }}" - proteccio_password: "{{ cifmw_hsm_password }}" - kubeconfig_path: "{{ cifmw_openshift_kubeconfig }}" - oc_dir: "{{ cifmw_path }}" - proteccio_data_secret: "{{ cifmw_hsm_proteccio_client_data_secret | default('barbican-proteccio-client-data', true) }}" - proteccio_data_secret_namespace: "{{ cifmw_hsm_proteccio_client_data_secret_namespace }}" - login_secret: "{{ cifmw_hsm_login_secret | default('barbican-proteccio-login', true) }}" - login_secret_field: "{{ cifmw_hsm_login_secret_field | default('PKCS11Pin') }}" - - name: Create kustomization to update Barbican to use proteccio hosts: "{{ cifmw_target_hook_host | default('localhost') }}" tasks:
diff --git a/hooks/playbooks/barbican-prepare-proteccio.yml b/hooks/playbooks/barbican-prepare-proteccio.yml
new file mode 100644
index 0000000000..34776311ef
--- /dev/null
+++ b/hooks/playbooks/barbican-prepare-proteccio.yml
@@ -0,0 +1,67 @@
+---
+- name: Create modified barbican image and get secrets
+ hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
+ tasks:
+ # Load HSM password from Zuul secret file if not already defined.
+ # The file is created by the qe-creds-crc.yaml pre-run playbook
+ # in the components-integration-config repository.
+ - name: Load HSM password from secrets file if not defined
+ when: cifmw_hsm_password is not defined
+ block:
+ - name: Check if Proteccio PIN file exists
+ ansible.builtin.stat:
+ path: /var/tmp/qe-secrets/proteccio_pin.yaml
+ register: _proteccio_pin_file
+
+ - name: Read Proteccio PIN from file
+ when: _proteccio_pin_file.stat.exists
+ ansible.builtin.include_vars:
+ file: /var/tmp/qe-secrets/proteccio_pin.yaml
+ name: _proteccio_pin_data
+
+ - name: Set cifmw_hsm_password from file
+ when: _proteccio_pin_file.stat.exists
+ ansible.builtin.set_fact:
+ cifmw_hsm_password: "{{ _proteccio_pin_data.rdu2Pin }}"
+
+ - name: Check out the role Git repository
+ ansible.builtin.git:
+ dest: "./rhoso_proteccio_hsm"
+ repo: "{{ cifmw_hsm_proteccio_ansible_role_repo | default('https://github.com/openstack-k8s-operators/ansible-role-rhoso-proteccio-hsm.git', true) }}"
+ version: "{{ cifmw_hsm_proteccio_ansible_role_version| default('main', true) }}"
+
+ - name: Create and upload the new Barbican images
+ ansible.builtin.include_role:
+ name: rhoso_proteccio_hsm
+ tasks_from: create_image
+ vars:
+ barbican_src_api_image_name: "{{ cifmw_barbican_src_api_image_name }}"
+ barbican_src_worker_image_name: "{{ cifmw_barbican_src_worker_image_name }}"
+ barbican_src_image_registry: "{{ content_provider_registry_ip }}:5001"
+ barbican_src_image_namespace: "{{ cifmw_update_containers_org | default('podified-antelope-centos9') }}"
+ barbican_src_image_tag: "{{ cifmw_update_containers_tag | default('component-ci-testing') }}"
+ barbican_dest_api_image_name: "{{ cifmw_barbican_dest_api_image_name }}"
+ barbican_dest_worker_image_name: "{{ cifmw_barbican_dest_worker_image_name }}"
+ barbican_dest_image_registry: "{{ content_provider_registry_ip }}:5001"
+ barbican_dest_image_namespace: "{{ cifmw_update_containers_org | default('podified-antelope-centos9') }}"
+ barbican_dest_image_tag: "{{ cifmw_update_containers_barbican_custom_tag }}"
+ image_registry_verify_tls: "{{ cifmw_image_registry_verify_tls | default('false', true) }}"
+ proteccio_client_src: "{{ cifmw_hsm_proteccio_client_src }}"
+ proteccio_client_iso: "{{ cifmw_hsm_proteccio_client_iso | default('Proteccio3.06.05.iso') }}"
+
+ - name: Create secrets with the HSM certificates and hsm-login credentials
+ ansible.builtin.include_role:
+ name: rhoso_proteccio_hsm
+ tasks_from: create_secrets
+ vars:
+ proteccio_conf_src: "{{ cifmw_hsm_proteccio_conf_src }}"
+ proteccio_client_crt_src: "{{ cifmw_hsm_proteccio_client_crt_src }}"
+ proteccio_client_key_src: "{{ cifmw_hsm_proteccio_client_key_src }}"
+ proteccio_server_crt_src: "{{ cifmw_hsm_proteccio_server_crt_src }}"
+ proteccio_password: "{{ cifmw_hsm_password }}"
+ kubeconfig_path: "{{ cifmw_openshift_kubeconfig }}"
+ oc_dir: "{{ cifmw_path }}"
+ proteccio_data_secret: "{{ cifmw_hsm_proteccio_client_data_secret | default('barbican-proteccio-client-data', true) }}"
+ proteccio_data_secret_namespace: "{{ cifmw_hsm_proteccio_client_data_secret_namespace }}"
+ login_secret: "{{ cifmw_hsm_login_secret | default('barbican-proteccio-login', true) }}"
+ login_secret_field: "{{ cifmw_hsm_login_secret_field | default('PKCS11Pin') }}"
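Review bot: The `Read Proteccio PIN from file` and `Set cifmw_hsm_password from file` tasks carry no `no_log: true`, so the HSM PIN loaded into `_proteccio_pin_data` and copied into `cifmw_hsm_password` is echoed in each task's result (include_vars returns the loaded values as `ansible_facts`, set_fact likewise) whenever the play runs with `-v` or under a callback that records task results, which is the normal situation in a CI job. Adding `no_log: true` to both tasks keeps the credential out of the job log while leaving `proteccio_password` for the `create_secrets` include unchanged. The block also falls through silently when the file is absent and `cifmw_hsm_password` is unset, so the failure only surfaces later as an undefined variable at `proteccio_password`; an `ansible.builtin.assert` that `cifmw_hsm_password is defined` placed right after the block reports the actual cause. As a smaller point, `/var/tmp/qe-secrets/proteccio_pin.yaml` is spelled out twice (stat and include_vars) and would be easier to keep in step as a single variable with that default.
```yaml
      - name: Read Proteccio PIN from file
        when: _proteccio_pin_file.stat.exists
        no_log: true  # task result carries the loaded PIN; keep it out of -v/CI logs
        ansible.builtin.include_vars:
          # … unchanged: file / name …

      - name: Set cifmw_hsm_password from file
        when: _proteccio_pin_file.stat.exists
        no_log: true
        ansible.builtin.set_fact:
          # … unchanged: cifmw_hsm_password …

    - name: Fail early when no HSM password source is available
      ansible.builtin.assert:
        that: cifmw_hsm_password is defined
        fail_msg: "Set cifmw_hsm_password or provide /var/tmp/qe-secrets/proteccio_pin.yaml"

    # … unchanged: git checkout, create_image and create_secrets role calls …
```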