Skip to content

Add Barbican adoption support with Proteccio HSM integration #3351

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Add Barbican adoption support with Proteccio HSM integration #3351

wants to merge 2 commits into from

Conversation

@mauricioharley
Copy link

@mauricioharley mauricioharley commented Sep 29, 2025
edited by openshift-ci bot
Loading

Implements comprehensive Barbican service adoption from OSP 17.1 to RHOSO 18 while preserving Proteccio Hardware Security Module (HSM) integration. This extends the existing ci-framework adoption infrastructure rather than creating separate components.

Implements: OSPRH-18874

@mauricioharley mauricioharley requested a review from a team as a code owner September 29, 2025 14:45
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Sep 29, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@mauricioharley mauricioharley marked this pull request as draft September 29, 2025 14:49
@mauricioharley mauricioharley force-pushed the proteccio_ci branch 2 times, most recently from 18d1c05 to fc89b9d Compare September 29, 2025 16:10
@softwarefactory-project-zuul
Copy link

softwarefactory-project-zuul bot commented Sep 29, 2025

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/81e9957f54724f2289b84ba87dfc1d5c

✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 46m 11s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 15m 27s
✔️ cifmw-crc-podified-edpm-baremetal SUCCESS in 1h 12m 49s
✔️ noop SUCCESS in 0s
✔️ cifmw-pod-ansible-test SUCCESS in 8m 26s
cifmw-pod-pre-commit FAILURE in 7m 50s
✔️ build-push-container-cifmw-client SUCCESS in 21m 06s

@mauricioharley mauricioharley force-pushed the proteccio_ci branch 3 times, most recently from 2c3efaf to 67f4fe0 Compare September 30, 2025 22:36
@mauricioharley mauricioharley requested review from vakwetu and xek October 2, 2025 10:50
vakwetu
vakwetu reviewed Oct 6, 2025
View reviewed changes
hooks/playbooks/barbican-osp17-proteccio-setup.yml
delegate_to: "osp-undercloud-0"
ansible.builtin.copy:
mode: '0644'
dest: "{{ ansible_user_dir }}/enable-barbican-proteccio.yaml"
Copy link
Contributor

@vakwetu vakwetu Oct 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How does the framework know to use the file in doing the 17.1 deployment?

I see in your rdo-jobs patch, you key off of file name - though actually you appear to be looking for something called proteccio-heat-vars.yaml in that patch.

I think ultimately you are probably going to want to set some generic parameter extra_tripleo_template or somesuch - and set that to the filename here.

Or you could create a directory {{ansible_user_dir}}/extra-heat-templates or some such and include the file there - and modify the rdo-jobs to read all files in that directory and add to the THT deploy command.

vakwetu
vakwetu requested changes Oct 6, 2025
View reviewed changes
Copy link
Contributor

@vakwetu vakwetu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unclear yet as to which of these changes will be needed. The playbook will definitely be needed, but not sure about the rest.

@github-actions
Copy link

github-actions bot commented Oct 22, 2025

This PR is stale because it has been for over 15 days with no activity.
Remove stale label or comment or this will be closed in 7 days.

@github-actions github-actions bot added the Stale label Oct 22, 2025
Mauricio Harley added 2 commits October 29, 2025 14:11
Add Barbican adoption support with Proteccio HSM integration
2295d97 
Implements comprehensive Barbican service adoption from OSP 17.1 to RHOSO 18
with optional Proteccio Hardware Security Module (HSM) integration.

Features:
- Base scenario for Barbican adoption without HSM (barbican.yaml)
- Extended scenario with Proteccio HSM support (barbican-proteccio.yaml)
- OSP 17.1 HSM configuration hook (barbican-osp17-proteccio-setup.yml)
- Conditional HSM environment file inclusion in adoption workflow

Implements: OSPRH-18874

Signed-off-by: Mauricio Harley <[email protected]>
Fix delegate_to target for adoption undercloud
da90ca5 
Change delegate_to from 'undercloud-0' to 'standalone' to match
the actual hostname used in adoption scenarios.

Signed-off-by: Mauricio Harley <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vakwetu vakwetu vakwetu requested changes

@xek xek Awaiting requested review from xek

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

do-not-merge/work-in-progress

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mauricioharley @vakwetu