Add Barbican HSM custom image support

Mauricio Harley · Mauricio Harley · commit 930ce8c11fb3 · 2025-08-28T10:28:11.000Z
- Add new Makefile variables for HSM-enabled Barbican deployments:
  BARBICAN_API_IMAGE, BARBICAN_WORKER_IMAGE, BARBICAN_HSM_ENABLED
- Add conditional logic to use custom images when HSM is enabled
- Update barbican_deploy_prep target to handle custom image deployment
- Add HSM backend selection in standalone openstack.sh script
- Support PKCS#11 backend when BARBICAN_HSM_ENABLED=true

Signed-off-by: Mauricio Harley &lt;mharley@redhat.com&gt;
diff --git a/Makefile b/Makefile
@@ -174,6 +174,10 @@ BARBICAN_DEPL_IMG        ?= unused
 BARBICAN_KUTTL_CONF      ?= ${OPERATOR_BASE_DIR}/barbican-operator/kuttl-test.yaml
 BARBICAN_KUTTL_DIR       ?= ${OPERATOR_BASE_DIR}/barbican-operator/tests/kuttl/tests
 BARBICAN_KUTTL_NAMESPACE ?= barbican-kuttl-tests
+# HSM-enabled Barbican image overrides
+BARBICAN_API_IMAGE       ?=
+BARBICAN_WORKER_IMAGE    ?=
+BARBICAN_HSM_ENABLED     ?= false
 
 # Mariadb
 MARIADB_IMG             ?= quay.io/openstack-k8s-operators/mariadb-operator-index:${OPENSTACK_K8S_TAG}
@@ -583,6 +587,15 @@ ${1}: export OPERATOR_SOURCE=$(OPERATOR_SOURCE)
 ${1}: export OPERATOR_SOURCE_NAMESPACE=$(OPERATOR_SOURCE_NAMESPACE)
 endef
 
+ifeq ($(BARBICAN_HSM_ENABLED),true)
+    ifneq ($(BARBICAN_API_IMAGE),)
+        BARBICAN_API_IMG := $(BARBICAN_API_IMAGE)
+    endif
+    ifneq ($(BARBICAN_WORKER_IMAGE),)
+        BARBICAN_WORKER_IMG := $(BARBICAN_WORKER_IMAGE)
+    endif
+endif
+
 .PHONY: all
 all: operator_namespace keystone mariadb placement neutron
 
@@ -771,6 +784,9 @@ openstack_wait: ## waits openstack CSV to succeed.
 
 # creates the new initialization resource for our operators
 .PHONY: openstack_init
+openstack_init: export BARBICAN_API_IMAGE:=$(BARBICAN_API_IMAGE)
+openstack_init: export BARBICAN_WORKER_IMAGE:=$(BARBICAN_WORKER_IMAGE)
+openstack_init: export BARBICAN_HSM_ENABLED:=$(BARBICAN_HSM_ENABLED)
 openstack_init: openstack_wait
 	bash -c 'test -f ${OPERATOR_BASE_DIR}/openstack-operator/config/samples/operator_v1beta1_openstack.yaml || make openstack_repo'
 	oc apply -f ${OPERATOR_BASE_DIR}/openstack-operator/config/samples/operator_v1beta1_openstack.yaml
@@ -1250,6 +1266,8 @@ barbican_cleanup: ## deletes the operator, but does not cleanup the service reso
 
 .PHONY: barbican_deploy_prep
 barbican_deploy_prep: export KIND=Barbican
+barbican_deploy_prep: export IMAGE=${BARBICAN_API_IMG:-unused},${BARBICAN_WORKER_IMG:-unused}
+barbican_deploy_prep: export IMAGE_PATH=barbicanAPI/containerImage,barbicanWorker/containerImage
 barbican_deploy_prep: export REPO=${BARBICAN_REPO}
 barbican_deploy_prep: export BRANCH=${BARBICAN_BRANCH}
 barbican_deploy_prep: export HASH=${BARBICAN_COMMIT_HASH}
diff --git a/devsetup/standalone/openstack.sh b/devsetup/standalone/openstack.sh
@@ -118,7 +118,11 @@ EOF
 fi
 if [ "$BARBICAN_ENABLED" = "true" ]; then
     ENV_ARGS+=" -e /usr/share/openstack-tripleo-heat-templates/environments/services/barbican.yaml"
-    ENV_ARGS+=" -e /usr/share/openstack-tripleo-heat-templates/environments/barbican-backend-simple-crypto.yaml"
+    if [ "$BARBICAN_HSM_ENABLED" = "true" ]; then
+        ENV_ARGS+=" -e /usr/share/openstack-tripleo-heat-templates/environments/barbican-backend-pkcs11.yaml"
+    else
+        ENV_ARGS+=" -e /usr/share/openstack-tripleo-heat-templates/environments/barbican-backend-simple-crypto.yaml"
+    fi
 fi
 if [ "$MANILA_ENABLED" = "true" ]; then
     ENV_ARGS+=" -e /usr/share/openstack-tripleo-heat-templates/environments/manila-cephfsnative-config.yaml"
