Add Barbican adoption with Proteccio HSM integration documentation #1058
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
mauricioharley
force-pushed
the
adopt_proteccio_doc
branch
3 times, most recently
from
c8a1a0b to
523d445
Compare
docs_user/modules/proc_adopting-key-manager-service-with-proteccio-hsm.adoc
Outdated
Show resolved
Hide resolved
mauricioharley
force-pushed
the
adopt_proteccio_doc
branch
7 times, most recently
from
ed1b655 to
1c4f6b4
Compare
|
@mauricioharley Do you consider this PR to be a work in progress? |
mauricioharley
force-pushed
the
adopt_proteccio_doc
branch
from
1c4f6b4 to
5a5d7b0
Compare
|
Build failed (check pipeline). Post https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/e8aac29c00b7476eb3b1c91d6e1b0d10 ✔️ noop SUCCESS in 0s |
mauricioharley
force-pushed
the
adopt_proteccio_doc
branch
from
5a5d7b0 to
3f68299
Compare
|
Build failed (check pipeline). Post https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/a3ab0f81b626426781e3db7f4a4fdb51 ✔️ noop SUCCESS in 0s |
mauricioharley
force-pushed
the
adopt_proteccio_doc
branch
from
3f68299 to
a748b92
Compare
Hi, @klgill. This PR is a bit dependent of what is being done on #1059. I'm adding @vakwetu as reviewer so he can provide his PoV on what is being proposed here. |
mauricioharley
force-pushed
the
adopt_proteccio_doc
branch
from
a748b92 to
551f4a6
Compare
|
This PR is stale because it has been for over 15 days with no activity. |
mauricioharley
force-pushed
the
adopt_proteccio_doc
branch
from
551f4a6 to
43c97e0
Compare
|
Note: Will plan to start reviewing this before Dec. 24th. Might need to finish it after I return from recharge (Jan. 5th). |
Hello, @klgill. This PR is ready to be reviewed by your team. |
klgill
left a comment
klgill
left a comment
There was a problem hiding this comment.
@mauricioharley I'm not finished with my review yet. I submitted my comments so they would not get lost while I'm out for recharge. I'll finish my review when I return on Jan. 5th. Enjoy your break!
| @@ -0,0 +1,19 @@ | |||
| :_mod-docs-content-type: ASSEMBLY | |||
| [id="adopting-key-manager-service-with-hsm"] | |||
There was a problem hiding this comment.
| [id="adopting-key-manager-service-with-hsm"] | |
| [id="adopting-key-manager-service-with-hsm_{context}"] | |
| :context: hsm-integration |
| @@ -0,0 +1,19 @@ | |||
| :_mod-docs-content-type: ASSEMBLY | |||
| [id="adopting-key-manager-service-with-hsm"] | |||
| = Adopting the {key_manager} with Hardware Security Module integration | |||
There was a problem hiding this comment.
| = Adopting the {key_manager} with Hardware Security Module integration | |
| = Adopting the {key_manager} with HSM integration |
| [id="adopting-key-manager-service-with-hsm"] | ||
| = Adopting the {key_manager} with Hardware Security Module integration | ||
|
|
||
| This assembly describes how to adopt the {key_manager_first_ref} from {OpenStackPreviousInstaller} to {rhos_long} when your source environment includes Hardware Security Module (HSM) integration. |
There was a problem hiding this comment.
| This assembly describes how to adopt the {key_manager_first_ref} from {OpenStackPreviousInstaller} to {rhos_long} when your source environment includes Hardware Security Module (HSM) integration. | |
| [role="_abstract"] | |
| Adopt the {key_manager_first_ref} from {OpenStackPreviousInstaller} to {rhos_long} when your source environment includes hardware security module (HSM) integration to preserve HSM functionality and maintain access to HSM-backed secrets. HSM provides enhanced security for cryptographic operations by storing encryption keys in dedicated hardware devices. |
|
|
||
| This assembly describes how to adopt the {key_manager_first_ref} from {OpenStackPreviousInstaller} to {rhos_long} when your source environment includes Hardware Security Module (HSM) integration. | ||
|
|
||
| Hardware Security Modules provide enhanced security for cryptographic operations by storing encryption keys in dedicated hardware devices. When migrating from {OpenStackPreviousInstaller} to {rhos_acro}, it is essential to preserve HSM functionality and maintain access to HSM-backed secrets. |
There was a problem hiding this comment.
| Hardware Security Modules provide enhanced security for cryptographic operations by storing encryption keys in dedicated hardware devices. When migrating from {OpenStackPreviousInstaller} to {rhos_acro}, it is essential to preserve HSM functionality and maintain access to HSM-backed secrets. |
| include::../modules/proc_configuring-ldap-with-domain-specific-drivers.adoc[leveloffset=+1] | ||
|
|
||
| include::../modules/proc_adopting-key-manager-service.adoc[leveloffset=+1] | ||
|
|
There was a problem hiding this comment.
@mauricioharley Did you intend for the following assembly to be placed here as well?assembly_adopting-key-manager-service-with-hsm.adoc
It's currently not included in the guide.
There was a problem hiding this comment.
@klgill, thank you for catching this! The assembly_adopting-key-manager-service-with-hsm.adoc
was designed to be a standalone assembly that could be published separately for users who
specifically need HSM integration guidance.
The individual modules (proc_adopting-key-manager-service-with-proteccio-hsm.adoc and
ref_troubleshooting-key-manager-proteccio-adoption.adoc) are already included directly
in the main control plane services assembly (lines 19 and 21) to provide the HSM procedures
within the main adoption workflow.
Would you prefer that I:
A) Keep the current structure (modules included directly), or
B) Replace the direct module includes with the assembly include for better organization?
| * Compliance with security requirements for production environments | ||
| * Preservation of existing HSM-protected secrets during adoption | ||
|
|
||
| HSM integration is configured through a simple boolean flag (`barbican_hsm_enabled`) during the adoption process. |
There was a problem hiding this comment.
| HSM integration is configured through a simple boolean flag (`barbican_hsm_enabled`) during the adoption process. | |
| HSM integration is configured through a simple boolean flag (`barbican_hsm_enabled`) during the adoption process. For environments that require HSM integration during adoption, see xref:adopting-key-manager-service-with-proteccio-hsm_{context}[Adopting the {key_manager} with Proteccio HSM integration]. |
| //*TODO: Talk about Ceph Storage and Swift Storage nodes, HCI deployments, | ||
| //etc.* | ||
|
|
||
| For environments that require HSM integration during adoption, see xref:adopting-key-manager-service-with-proteccio-hsm_{context}[Adopting the {key_manager} with Proteccio HSM integration]. |
There was a problem hiding this comment.
| For environments that require HSM integration during adoption, see xref:adopting-key-manager-service-with-proteccio-hsm_{context}[Adopting the {key_manager} with Proteccio HSM integration]. |
Note: I moved this line to line 30.
|
|
||
| == HSM Integration | ||
|
|
||
| The Key Manager service supports Hardware Security Module (HSM) integration through the PKCS#11 plugin. This enables: |
There was a problem hiding this comment.
| The Key Manager service supports Hardware Security Module (HSM) integration through the PKCS#11 plugin. This enables: | |
| The {key_manager} supports HSM integration through the PKCS#11 plugin. This enables: |
| == HSM Integration | ||
|
|
There was a problem hiding this comment.
| == HSM Integration |
|
|
||
| [NOTE] | ||
| This procedure configures the {key_manager} to use the `simple_crypto` back end. Additional back ends, such as PKCS11 and DogTag, are currently not supported in {rhos_long}. | ||
| This procedure configures the {key_manager} to use the `simple_crypto` back end. For Hardware Security Module (HSM) integration with Proteccio HSM, see xref:adopting-key-manager-service-with-proteccio-hsm_{context}[Adopting the {key_manager} with Proteccio HSM integration]. |
There was a problem hiding this comment.
| This procedure configures the {key_manager} to use the `simple_crypto` back end. For Hardware Security Module (HSM) integration with Proteccio HSM, see xref:adopting-key-manager-service-with-proteccio-hsm_{context}[Adopting the {key_manager} with Proteccio HSM integration]. | |
| This procedure configures the {key_manager} to use the `simple_crypto` back end. To configure hardware security module (HSM) integration with Proteccio HSM, see xref:adopting-key-manager-service-with-proteccio-hsm_{context}[Adopting the {key_manager} with Proteccio HSM integration]. |
Thank you for your review, @klgill. I'll address your suggestions real soon. |
Add comprehensive documentation for Barbican service adoption from OpenStack 17.1 to RHOSO 18 with Proteccio HSM integration. This PR introduces documentation for extending the Barbican adoption approach that preserves Proteccio Hardware Security Module (HSM) integration during the migration from TripleO-based OpenStack 17.1 to RHOSO 18. Fixes: OSPRH-20143 Signed-off-by: Mauricio Harley <mharley@redhat.com>
Addresses feedback from PR 1058 review Fixes: OSPRH-20143 Signed-off-by: Mauricio Harley <mharley@redhat.com>
This commit implements all suggestions from klgill's review on PR openstack-k8s-operators#1058: assembly_adopting-key-manager-service-with-hsm.adoc: - Add context preservation with ifdef/ifndef directives - Add {context} suffix to module ID - Shorten title to use "HSM integration" instead of full text - Consolidate abstract into single paragraph with [role="_abstract"] - Change ".Additional resources" to proper heading format con_key-manager-service-hsm-adoption-approaches.adoc: - Use {key_manager} variable in title - Restructure abstract with bullet points for clarity - Convert section headings to definition list format (::) - Consolidate HSM vendor support info into HSM-enabled approach - Fix terminology: "backend" -> "back end", "etc." -> "and so on" - Simplify table header and remove redundant sections con_key-manager-service-support-for-crypto-plugins.adoc: - Use {key_manager_first_ref} in abstract - Remove redundant "== Supported crypto plug-ins" heading - Move xref to end of content section con_adoption-limitations.adoc: - Remove Key Manager plug-in line (not a limitation) proc_adopting-key-manager-service.adoc: - Update phrasing to "To configure hardware security module" Signed-off-by: Mauricio Harley <mharley@redhat.com>
mauricioharley
force-pushed
the
adopt_proteccio_doc
branch
from
43c97e0 to
b749ff0
Compare
3 participants
Add comprehensive documentation for Barbican service adoption from OpenStack 17.1 to RHOSO 18 with Proteccio HSM integration.
This PR introduces documentation for a specialized Barbican adoption approach that preserves Proteccio Hardware Security Module (HSM) integration during the migration from TripleO-based OpenStack 17.1 to RHOSO 18.
Fixes: OSPRH-20143