@mauricioharley

This PR introduces support for deploying Barbican with Hardware Security Module (HSM) capabilities using custom container images.

Changes

Makefile Updates

  • New Variables: Added BARBICAN_API_IMAGE, BARBICAN_WORKER_IMAGE, and BARBICAN_HSM_ENABLED to control HSM deployments
  • Conditional Image Logic: When BARBICAN_HSM_ENABLED=true, custom images are used if provided via the new variables
  • Deploy Preparation: Updated barbican_deploy_prep target to properly handle custom image deployment with correct image paths
  • Environment Export: Added HSM-related variables to openstack_init target exports

Standalone Script Updates

  • Backend Selection: Modified devsetup/standalone/openstack.sh to conditionally select between:
    • barbican-backend-pkcs11.yaml when HSM is enabled
    • barbican-backend-simple-crypto.yaml for standard deployments

Usage

To deploy Barbican with HSM support:

make openstack BARBICAN_HSM_ENABLED=true \
    BARBICAN_API_IMAGE=<your-hsm-api-image> \
    BARBICAN_WORKER_IMAGE=<your-hsm-worker-image>
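
The selection rules described above, as an added pre-flight sketch that is not part of this PR or of the project's code: it reports which backend file and images a given set of variables would yield, and returns non-zero when the operator probably intended HSM but would get the simple-crypto backend or default images. The function name, exit codes, exact match on `true`, and the `registry.example` image names are assumptions.

```shell
#!/bin/sh
# Added example, not the project's code. The three BARBICAN_* names and the
# two YAML file names come from the PR description; the function name, the
# exit codes and the exact match on "true" are assumptions of this sketch.

barbican_hsm_plan() (
    hsm="${BARBICAN_HSM_ENABLED:-false}"
    api="${BARBICAN_API_IMAGE:-}"
    worker="${BARBICAN_WORKER_IMAGE:-}"
    status=0

    if [ "$hsm" = "true" ]; then
        backend="barbican-backend-pkcs11.yaml"
        # Per the description, custom images are used only "if provided".
        if [ -z "$api" ] || [ -z "$worker" ]; then
            echo "warning: HSM enabled but API and/or worker image not set" >&2
            status=2
        fi
    else
        backend="barbican-backend-simple-crypto.yaml"
        if [ "$hsm" != "false" ]; then
            # e.g. True, 1, yes: the operator probably meant to enable HSM.
            echo "warning: BARBICAN_HSM_ENABLED='$hsm' is not 'true'" >&2
            status=3
        elif [ -n "$api" ] || [ -n "$worker" ]; then
            echo "warning: custom images set while HSM is disabled" >&2
            status=3
        fi
        # Assumed reading of the PR: images are honoured only with HSM on.
        api=""
        worker=""
    fi

    printf 'backend=%s api=%s worker=%s\n' \
        "$backend" "${api:-default}" "${worker:-default}"
    exit "$status"
)

# Constructed demo values (registry.example is a placeholder registry).
(
    BARBICAN_HSM_ENABLED=True
    BARBICAN_API_IMAGE=registry.example/barbican-api:hsm
    BARBICAN_WORKER_IMAGE=registry.example/barbican-worker:hsm
    barbican_hsm_plan
) || echo "pre-flight failed with status $?"
```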

@openshift-ci openshift-ci bot requested review from raukadah and slagle August 28, 2025 10:36
@openshift-ci

openshift-ci bot commented Aug 28, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mauricioharley
Once this PR has been reviewed and has the lgtm label, please assign fmount for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@mauricioharley mauricioharley requested a review from abays August 28, 2025 10:36
@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/1b53de6c9a2849c79dc4aa80b085abf9

openstack-k8s-operators-content-provider TIMED_OUT in 30m 50s
⚠️ install-yamls-crc-podified-edpm-baremetal SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ podified-multinode-edpm-deployment-crc SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ adoption-standalone-to-crc-ceph-provider SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ adoption-standalone-to-crc-no-ceph-provider SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider

@mauricioharley mauricioharley marked this pull request as draft August 28, 2025 11:11
@mauricioharley mauricioharley force-pushed the add_barbican_hsm_custom_images branch from 930ce8c to 5cab4b9 Compare November 19, 2025 13:45
@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/878e4bc064754b5b9c13143ccbaeb73c

✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 52m 49s
install-yamls-crc-podified-edpm-baremetal FAILURE in 45m 18s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 38m 24s
adoption-standalone-to-crc-ceph-provider FAILURE in 55m 49s
adoption-standalone-to-crc-no-ceph-provider FAILURE in 1h 15m 24s

@mauricioharley mauricioharley force-pushed the add_barbican_hsm_custom_images branch from 5cab4b9 to 6bdd302 Compare November 19, 2025 17:17
@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/2ddd43e605d04fafb4837dc118d6190b

✔️ openstack-k8s-operators-content-provider SUCCESS in 3h 40m 48s
install-yamls-crc-podified-edpm-baremetal RETRY_LIMIT in 11m 24s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 21m 37s
✔️ adoption-standalone-to-crc-ceph-provider SUCCESS in 3h 10m 36s
✔️ adoption-standalone-to-crc-no-ceph-provider SUCCESS in 3h 19m 54s

Mauricio Harley added 2 commits November 20, 2025 10:23
Introduces additional parameter support for both TripleO and
Standalone deployments to enable users to provide custom environment
configurations without modifying deployment scripts.

Changes:
- Export TRIPLEO_ADDITIONAL_ENV and STANDALONE_ADDITIONAL_ENV variables
  in respective deployment scripts
- Copy additional environment files to target systems when specified
- Conditionally include additional environment files in openstack-tripleo
  deployment commands using -e flag

Signed-off-by: Mauricio Harley <[email protected]>

- Add new Makefile variables for HSM-enabled Barbican deployments:
  BARBICAN_API_IMAGE, BARBICAN_WORKER_IMAGE, BARBICAN_HSM_ENABLED
- Add conditional logic to use custom images when HSM is enabled
- Update barbican_deploy_prep target to handle custom image deployment
- Add HSM backend selection in standalone openstack.sh script
- Support PKCS#11 backend when BARBICAN_HSM_ENABLED=true

Signed-off-by: Mauricio Harley <[email protected]>
@mauricioharley mauricioharley force-pushed the add_barbican_hsm_custom_images branch from 6bdd302 to 8966724 Compare November 20, 2025 10:30
@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/8cecff0901ab4f7ab66cda2593291936

✔️ openstack-k8s-operators-content-provider SUCCESS in 3h 39m 34s
install-yamls-crc-podified-edpm-baremetal RETRY_LIMIT in 17m 51s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 32m 04s
✔️ adoption-standalone-to-crc-ceph-provider SUCCESS in 3h 20m 51s
✔️ adoption-standalone-to-crc-no-ceph-provider SUCCESS in 3h 12m 10s
