Add Barbican adoption support with Proteccio HSM integration

Mauricio Harley · Mauricio Harley · commit f510dd48a69b · 2025-10-03T15:57:51.000Z
Implements comprehensive Barbican service adoption from OSP 17.1 to RHOSO 18
with optional Proteccio Hardware Security Module (HSM) integration.

Features:
- Base scenario for Barbican adoption without HSM (barbican.yaml)
- Extended scenario with Proteccio HSM support (barbican-proteccio.yaml)
- OSP 17.1 HSM configuration hook (barbican-osp17-proteccio-setup.yml)
- Conditional HSM environment file inclusion in adoption workflow

Implements: OSPRH-18874

Signed-off-by: Mauricio Harley &lt;mharley@redhat.com&gt;
diff --git a/hooks/playbooks/barbican-osp17-proteccio-setup.yml b/hooks/playbooks/barbican-osp17-proteccio-setup.yml
@@ -0,0 +1,57 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Configure OSP 17.1 Barbican with Proteccio HSM
+  hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
+  tasks:
+    - name: Gather ansible_user_dir from undercloud
+      delegate_to: "osp-undercloud-0"
+      ansible.builtin.setup:
+        gather_subset:
+          - user_dir
+
+    - name: Generate Barbican Proteccio Heat environment file
+      delegate_to: "osp-undercloud-0"
+      ansible.builtin.copy:
+        mode: '0644'
+        dest: "{{ ansible_user_dir }}/enable-barbican-proteccio.yaml"
+        content: |-
+          parameter_defaults:
+            # Enable PKCS11 backend for Barbican
+            BarbicanPkcs11CryptoEnabled: true
+            BarbicanPkcs11CryptoGlobalDefault: true
+            BarbicanSimpleCryptoGlobalDefault: false
+
+            # Proteccio HSM configuration
+            BarbicanPkcs11CryptoLibraryPath: {{ cifmw_barbican_proteccio_library_path | default('/usr/lib64/libnethsm.so') }}
+            BarbicanPkcs11CryptoTokenLabels: {{ cifmw_barbican_proteccio_partition }}
+            BarbicanPkcs11CryptoMKEKLabel: {{ cifmw_barbican_proteccio_mkek_label }}
+            BarbicanPkcs11CryptoHMACLabel: {{ cifmw_barbican_proteccio_hmac_label }}
+            BarbicanPkcs11CryptoLogin: {{ cifmw_hsm_password }}
+            BarbicanPkcs11CryptoSlotId: {{ cifmw_barbican_proteccio_slot_id | default('1') }}
+
+            # Encryption mechanisms
+            BarbicanPkcs11CryptoEncryptionMechanism: CKM_AES_CBC
+            BarbicanPkcs11CryptoHMACKeyType: CKK_GENERIC_SECRET
+            BarbicanPkcs11CryptoHMACKeygenMechanism: CKM_GENERIC_SECRET_KEY_GEN
+            BarbicanPkcs11CryptoMKEKLength: 32
+            BarbicanPkcs11AlwaysSetCkaSensitive: false
+            BarbicanPkcs11CryptoOsLockingOk: true
+            BarbicanPkcs11CryptoATOSEnabled: true
+
+    - name: Display generated file location
+      ansible.builtin.debug:
+        msg: "Generated Barbican Proteccio HSM configuration at: {{ ansible_user_dir }}/enable-barbican-proteccio.yaml"
diff --git a/roles/adoption_osp_deploy/tasks/deploy_overcloud.yml b/roles/adoption_osp_deploy/tasks/deploy_overcloud.yml
@@ -62,6 +62,17 @@
         dest: "{{ _private_overcloud_conf_file }}"
         mode: "0644"
 
+    - name: Check if Barbican Proteccio HSM env file exists
+      delegate_to: "osp-undercloud-0"
+      ansible.builtin.stat:
+        path: "{{ ansible_user_dir }}/enable-barbican-proteccio.yaml"
+      register: _barbican_proteccio_env_file
+
+    - name: Include Barbican Proteccio HSM environment file if exists
+      when: _barbican_proteccio_env_file.stat.exists
+      ansible.builtin.set_fact:
+        _overcloud_args: "{{ _overcloud_args }} -e {{ ansible_user_dir }}/enable-barbican-proteccio.yaml"
+
     - name: Run overcloud deploy
       delegate_to: "osp-undercloud-0"
       vars:
diff --git a/scenarios/adoption/barbican-proteccio.yaml b/scenarios/adoption/barbican-proteccio.yaml
@@ -0,0 +1,13 @@
+---
+# OSP 17.1 deployment scenario for Barbican with Proteccio HSM
+# Extends the base Barbican scenario with HSM configuration
+
+undercloud:
+  config: []
+
+stacks:
+  - stackname: overcloud
+    pre_oc_run:
+      - name: Configure Barbican with Proteccio HSM on OSP 17.1
+        type: playbook
+        source: barbican-osp17-proteccio-setup.yml
diff --git a/scenarios/adoption/barbican.yaml b/scenarios/adoption/barbican.yaml
@@ -0,0 +1,12 @@
+---
+# Base OSP 17.1 deployment scenario for Barbican adoption
+# This deploys Barbican with simple_crypto backend (no HSM)
+# Can be extended with HSM-specific scenarios
+
+undercloud:
+  config: []
+
+stacks:
+  - stackname: overcloud
+    # No pre_oc_run hooks needed for basic Barbican
+    # It will use the default simple_crypto backend
