From 693987bc49336cc029e1c4446fd13a898eaab498 Mon Sep 17 00:00:00 2001 From: Mauricio Harley Date: Wed, 9 Oct 2024 19:50:11 +0000 Subject: [PATCH 01/14] Barbican support for Thales Luna HSM hold-the-node 
Signed-off-by: Mauricio Harley Co-authored-by: Ade Lee --- .../barbican.openstack.org_barbicanapis.yaml | 127 +++++++++++++++++ ...enstack.org_barbicankeystonelisteners.yaml | 127 +++++++++++++++++ .../barbican.openstack.org_barbicans.yaml | 127 +++++++++++++++++ ...arbican.openstack.org_barbicanworkers.yaml | 127 +++++++++++++++++ api/v1beta1/barbican_types.go | 6 + api/v1beta1/barbican_webhook.go | 18 +++ api/v1beta1/barbicankeystonelistener_types.go | 1 + api/v1beta1/barbicanworker_types.go | 3 +- api/v1beta1/common_types.go | 133 ++++++++++++++++++ api/v1beta1/zz_generated.deepcopy.go | 33 ++++- .../barbican.openstack.org_barbicanapis.yaml | 127 +++++++++++++++++ ...enstack.org_barbicankeystonelisteners.yaml | 127 +++++++++++++++++ .../barbican.openstack.org_barbicans.yaml | 127 +++++++++++++++++ ...arbican.openstack.org_barbicanworkers.yaml | 127 +++++++++++++++++ config/samples/pods_with_pkcs11-luna.yaml | 53 +++++++ controllers/barbican_common.go | 94 ++++++++++++- controllers/barbican_controller.go | 80 ++++++++++- controllers/barbicanapi_controller.go | 21 +++ controllers/barbicanworker_controller.go | 21 +++ hack/crd-schema-checker.sh | 1 + pkg/barbican/const.go | 9 +- pkg/barbican/p11_prep.go | 91 ++++++++++++ pkg/barbican/volumes.go | 103 +++++++++++--- pkg/barbicanapi/deployment.go | 22 +-- pkg/barbicankeystonelistener/deployment.go | 15 +- pkg/barbicanworker/deployment.go | 22 +-- templates/barbican/bin/generate_p11_keys.sh | 24 ++++ templates/barbican/config/00-default.conf | 57 +++++++- templates/barbican/config/Chrystoki.conf | 41 ++++++ .../barbican/config/barbican-api-config.json | 8 ++ .../config/barbican-p11-prep-config.json | 25 ++++ .../config/barbican-worker-config.json | 8 ++ 32 files changed, 1831 insertions(+), 74 deletions(-) create mode 100644 config/samples/pods_with_pkcs11-luna.yaml create mode 100644 pkg/barbican/p11_prep.go create mode 100755 templates/barbican/bin/generate_p11_keys.sh create mode 100644 
templates/barbican/config/Chrystoki.conf create mode 100644 templates/barbican/config/barbican-p11-prep-config.json diff --git a/api/bases/barbican.openstack.org_barbicanapis.yaml b/api/bases/barbican.openstack.org_barbicanapis.yaml index 71010bf..a6c1f5b 100644 --- a/api/bases/barbican.openstack.org_barbicanapis.yaml +++ b/api/bases/barbican.openstack.org_barbicanapis.yaml @@ -89,6 +89,26 @@ spec: description: EnableSecureRBAC - Enable Consistent and Secure RBAC policies type: boolean + enabledSecretStores: + items: + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: set + globalDefaultSecretStore: + default: simple_crypto + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network 
@@ -292,6 +312,113 @@ spec: default: SimpleCryptoKEK type: string type: object + pkcs11: + description: BarbicanPKCS11Template - Includes all common HSM properties + properties: + AESGCMGenerateIV: + default: true + description: Generate IVs for CKM_AES_GCM mechanism + type: boolean + HMACKeyType: + default: CKK_GENERIC_SECRET + description: HMAC Key Type + type: string + HMACKeygenMechanism: + default: CKM_GENERIC_SECRET_KEY_GEN + description: HMAC Keygen Mechanism + type: string + HMACLabel: + description: Label to identify HMAC key in the HSM (must not be + the same as MKEK label) + type: string + HMACMechanism: + default: CKM_SHA256_HMAC + description: HMAC Mechanism. This replaces hsm_keywrap_mechanism + type: string + MKEKLabel: + description: Label to identify master KEK in the HSM (must not + be the same as HMAC label) + type: string + MKEKLength: + default: 32 + description: Length in bytes of master KEK + type: integer + OSLockingOK: + default: false + description: Set os_locking_ok + type: boolean + alwaysSetCKASensitive: + default: true + description: Always set cka_sensitive + type: boolean + certificatesMountPoint: + description: The mounting point where the certificates will be + copied to (e.g., /usr/local/luna/config/certs). + type: string + certificatesSecret: + description: The OpenShift secret that stores the HSM certificates. + type: string + clientAddress: + description: The IP address of the client connecting to the HSM + (X.Y.Z.K) + type: string + encryptionMechanism: + default: CKM_AES_GCM + description: Secret encryption mechanism + type: string + keyWrapGenerateIV: + default: true + description: Generate IVs for the key wrap mechanism + type: boolean + keyWrapMechanism: + default: CKM_AES_KEY_WRAP_KWP + description: Key wrap mechanism + type: string + libraryPath: + description: Path to vendor's PKCS11 library + type: string + loggingLevel: + default: 4 + description: Level of logging, where 0 means "no logging" and + 7 means "debug". 
+ maximum: 7 + minimum: 0 + type: integer + loginSecret: + description: OpenShift secret that stores the password to login + to the PKCS11 session + type: string + serverAddress: + description: The HSM's IPv4 address (X.Y.Z.K) + type: string + slotId: + description: One of TokenSerialNumber, TokenLabels or SlotId must + be defined. SlotId is used if none of the others is defined + type: string + tokenLabels: + description: Token labels used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must be specified. + TokenLabels takes priority over SlotId. This can be a comma + separated string of labels + type: string + tokenSerialNumber: + description: Token serial number used to identify the token to + be used. One of TokenSerialNumber, TokenLabels or SlotId must + be defined. TokenSerialNumber takes priority over TokenLabels + and SlotId + type: string + type: + description: 'A string containing the HSM type (currently supported: + "luna").' + type: string + required: + - HMACLabel + - MKEKLabel + - libraryPath + - loginSecret + - serverAddress + - type + type: object rabbitMqClusterName: default: rabbitmq description: RabbitMQ instance name Needed to request a transportURL diff --git a/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml b/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml index bdea1d3..8366530 100644 --- a/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml +++ b/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml 
@@ -85,6 +85,26 @@ spec: files. Those get added to the service config dir in /etc/ . TODO: -> implement' type: object + enabledSecretStores: + items: + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: set + globalDefaultSecretStore: + default: simple_crypto + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network 
@@ -114,6 +134,113 @@ spec: default: SimpleCryptoKEK type: string type: object + pkcs11: + description: BarbicanPKCS11Template - Includes all common HSM properties + properties: + AESGCMGenerateIV: + default: true + description: Generate IVs for CKM_AES_GCM mechanism + type: boolean + HMACKeyType: + default: CKK_GENERIC_SECRET + description: HMAC Key Type + type: string + HMACKeygenMechanism: + default: CKM_GENERIC_SECRET_KEY_GEN + description: HMAC Keygen Mechanism + type: string + HMACLabel: + description: Label to identify HMAC key in the HSM (must not be + the same as MKEK label) + type: string + HMACMechanism: + default: CKM_SHA256_HMAC + description: HMAC Mechanism. This replaces hsm_keywrap_mechanism + type: string + MKEKLabel: + description: Label to identify master KEK in the HSM (must not + be the same as HMAC label) + type: string + MKEKLength: + default: 32 + description: Length in bytes of master KEK + type: integer + OSLockingOK: + default: false + description: Set os_locking_ok + type: boolean + alwaysSetCKASensitive: + default: true + description: Always set cka_sensitive + type: boolean + certificatesMountPoint: + description: The mounting point where the certificates will be + copied to (e.g., /usr/local/luna/config/certs). + type: string + certificatesSecret: + description: The OpenShift secret that stores the HSM certificates. + type: string + clientAddress: + description: The IP address of the client connecting to the HSM + (X.Y.Z.K) + type: string + encryptionMechanism: + default: CKM_AES_GCM + description: Secret encryption mechanism + type: string + keyWrapGenerateIV: + default: true + description: Generate IVs for the key wrap mechanism + type: boolean + keyWrapMechanism: + default: CKM_AES_KEY_WRAP_KWP + description: Key wrap mechanism + type: string + libraryPath: + description: Path to vendor's PKCS11 library + type: string + loggingLevel: + default: 4 + description: Level of logging, where 0 means "no logging" and + 7 means "debug". 
+ maximum: 7 + minimum: 0 + type: integer + loginSecret: + description: OpenShift secret that stores the password to login + to the PKCS11 session + type: string + serverAddress: + description: The HSM's IPv4 address (X.Y.Z.K) + type: string + slotId: + description: One of TokenSerialNumber, TokenLabels or SlotId must + be defined. SlotId is used if none of the others is defined + type: string + tokenLabels: + description: Token labels used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must be specified. + TokenLabels takes priority over SlotId. This can be a comma + separated string of labels + type: string + tokenSerialNumber: + description: Token serial number used to identify the token to + be used. One of TokenSerialNumber, TokenLabels or SlotId must + be defined. TokenSerialNumber takes priority over TokenLabels + and SlotId + type: string + type: + description: 'A string containing the HSM type (currently supported: + "luna").' + type: string + required: + - HMACLabel + - MKEKLabel + - libraryPath + - loginSecret + - serverAddress + - type + type: object rabbitMqClusterName: default: rabbitmq description: RabbitMQ instance name Needed to request a transportURL diff --git a/api/bases/barbican.openstack.org_barbicans.yaml b/api/bases/barbican.openstack.org_barbicans.yaml index cf99e64..bf9d770 100644 --- a/api/bases/barbican.openstack.org_barbicans.yaml +++ b/api/bases/barbican.openstack.org_barbicans.yaml 
@@ -601,6 +601,26 @@ spec: to add additional files. Those get added to the service config dir in /etc/ . TODO(dmendiza): -> implement' type: object + enabledSecretStores: + items: + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: set + globalDefaultSecretStore: + default: simple_crypto + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string nodeSelector: additionalProperties: type: string 
@@ -624,6 +644,113 @@ spec: default: SimpleCryptoKEK type: string type: object + pkcs11: + description: BarbicanPKCS11Template - Includes all common HSM properties + properties: + AESGCMGenerateIV: + default: true + description: Generate IVs for CKM_AES_GCM mechanism + type: boolean + HMACKeyType: + default: CKK_GENERIC_SECRET + description: HMAC Key Type + type: string + HMACKeygenMechanism: + default: CKM_GENERIC_SECRET_KEY_GEN + description: HMAC Keygen Mechanism + type: string + HMACLabel: + description: Label to identify HMAC key in the HSM (must not be + the same as MKEK label) + type: string + HMACMechanism: + default: CKM_SHA256_HMAC + description: HMAC Mechanism. This replaces hsm_keywrap_mechanism + type: string + MKEKLabel: + description: Label to identify master KEK in the HSM (must not + be the same as HMAC label) + type: string + MKEKLength: + default: 32 + description: Length in bytes of master KEK + type: integer + OSLockingOK: + default: false + description: Set os_locking_ok + type: boolean + alwaysSetCKASensitive: + default: true + description: Always set cka_sensitive + type: boolean + certificatesMountPoint: + description: The mounting point where the certificates will be + copied to (e.g., /usr/local/luna/config/certs). + type: string + certificatesSecret: + description: The OpenShift secret that stores the HSM certificates. + type: string + clientAddress: + description: The IP address of the client connecting to the HSM + (X.Y.Z.K) + type: string + encryptionMechanism: + default: CKM_AES_GCM + description: Secret encryption mechanism + type: string + keyWrapGenerateIV: + default: true + description: Generate IVs for the key wrap mechanism + type: boolean + keyWrapMechanism: + default: CKM_AES_KEY_WRAP_KWP + description: Key wrap mechanism + type: string + libraryPath: + description: Path to vendor's PKCS11 library + type: string + loggingLevel: + default: 4 + description: Level of logging, where 0 means "no logging" and + 7 means "debug". 
+ maximum: 7 + minimum: 0 + type: integer + loginSecret: + description: OpenShift secret that stores the password to login + to the PKCS11 session + type: string + serverAddress: + description: The HSM's IPv4 address (X.Y.Z.K) + type: string + slotId: + description: One of TokenSerialNumber, TokenLabels or SlotId must + be defined. SlotId is used if none of the others is defined + type: string + tokenLabels: + description: Token labels used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must be specified. + TokenLabels takes priority over SlotId. This can be a comma + separated string of labels + type: string + tokenSerialNumber: + description: Token serial number used to identify the token to + be used. One of TokenSerialNumber, TokenLabels or SlotId must + be defined. TokenSerialNumber takes priority over TokenLabels + and SlotId + type: string + type: + description: 'A string containing the HSM type (currently supported: + "luna").' + type: string + required: + - HMACLabel + - MKEKLabel + - libraryPath + - loginSecret + - serverAddress + - type + type: object preserveJobs: default: false description: PreserveJobs - do not delete jobs after they finished diff --git a/api/bases/barbican.openstack.org_barbicanworkers.yaml b/api/bases/barbican.openstack.org_barbicanworkers.yaml index 41dadbc..584c4df 100644 --- a/api/bases/barbican.openstack.org_barbicanworkers.yaml +++ b/api/bases/barbican.openstack.org_barbicanworkers.yaml 
@@ -83,6 +83,26 @@ spec: files. Those get added to the service config dir in /etc/ . TODO: -> implement' type: object + enabledSecretStores: + items: + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: set + globalDefaultSecretStore: + default: simple_crypto + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network 
@@ -112,6 +132,113 @@ spec: default: SimpleCryptoKEK type: string type: object + pkcs11: + description: BarbicanPKCS11Template - Includes all common HSM properties + properties: + AESGCMGenerateIV: + default: true + description: Generate IVs for CKM_AES_GCM mechanism + type: boolean + HMACKeyType: + default: CKK_GENERIC_SECRET + description: HMAC Key Type + type: string + HMACKeygenMechanism: + default: CKM_GENERIC_SECRET_KEY_GEN + description: HMAC Keygen Mechanism + type: string + HMACLabel: + description: Label to identify HMAC key in the HSM (must not be + the same as MKEK label) + type: string + HMACMechanism: + default: CKM_SHA256_HMAC + description: HMAC Mechanism. This replaces hsm_keywrap_mechanism + type: string + MKEKLabel: + description: Label to identify master KEK in the HSM (must not + be the same as HMAC label) + type: string + MKEKLength: + default: 32 + description: Length in bytes of master KEK + type: integer + OSLockingOK: + default: false + description: Set os_locking_ok + type: boolean + alwaysSetCKASensitive: + default: true + description: Always set cka_sensitive + type: boolean + certificatesMountPoint: + description: The mounting point where the certificates will be + copied to (e.g., /usr/local/luna/config/certs). + type: string + certificatesSecret: + description: The OpenShift secret that stores the HSM certificates. + type: string + clientAddress: + description: The IP address of the client connecting to the HSM + (X.Y.Z.K) + type: string + encryptionMechanism: + default: CKM_AES_GCM + description: Secret encryption mechanism + type: string + keyWrapGenerateIV: + default: true + description: Generate IVs for the key wrap mechanism + type: boolean + keyWrapMechanism: + default: CKM_AES_KEY_WRAP_KWP + description: Key wrap mechanism + type: string + libraryPath: + description: Path to vendor's PKCS11 library + type: string + loggingLevel: + default: 4 + description: Level of logging, where 0 means "no logging" and + 7 means "debug". 
+ maximum: 7 + minimum: 0 + type: integer + loginSecret: + description: OpenShift secret that stores the password to login + to the PKCS11 session + type: string + serverAddress: + description: The HSM's IPv4 address (X.Y.Z.K) + type: string + slotId: + description: One of TokenSerialNumber, TokenLabels or SlotId must + be defined. SlotId is used if none of the others is defined + type: string + tokenLabels: + description: Token labels used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must be specified. + TokenLabels takes priority over SlotId. This can be a comma + separated string of labels + type: string + tokenSerialNumber: + description: Token serial number used to identify the token to + be used. One of TokenSerialNumber, TokenLabels or SlotId must + be defined. TokenSerialNumber takes priority over TokenLabels + and SlotId + type: string + type: + description: 'A string containing the HSM type (currently supported: + "luna").' + type: string + required: + - HMACLabel + - MKEKLabel + - libraryPath + - loginSecret + - serverAddress + - type + type: object rabbitMqClusterName: default: rabbitmq description: RabbitMQ instance name Needed to request a transportURL diff --git a/api/v1beta1/barbican_types.go b/api/v1beta1/barbican_types.go index 80d41a0..39acdc4 100644 --- a/api/v1beta1/barbican_types.go +++ b/api/v1beta1/barbican_types.go @@ -22,10 +22,16 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// Supported HSM models +var HSMTypes = []string{"luna"} + const ( // DbSyncHash hash DbSyncHash = "dbsync" + // P11PrepHash hash + P11PrepHash = "p11prep" + // Container image fall-back defaults // BarbicanAPIContainerImage is the fall-back container image for BarbicanAPI diff --git a/api/v1beta1/barbican_webhook.go b/api/v1beta1/barbican_webhook.go index ab235c3..fa9051a 100644 --- a/api/v1beta1/barbican_webhook.go +++ b/api/v1beta1/barbican_webhook.go 
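Review bot: `HSMTypes` is introduced as an exported, mutable package-level slice, so any importer can append to or reorder the supported-model list at runtime, and its comment `// Supported HSM models` does not start with the identifier, so godoc will not attach it. If it only needs to be read, an unexported slice or a comment that states the contract would be safer: `// HSMTypes lists the HSM models the operator can configure; treat as read-only.` The new `// P11PrepHash hash` comment follows the existing `DbSyncHash` style but says nothing about what the hash keys; it presumably names the status-hash entry for the PKCS11 preparation step added in pkg/barbican/p11_prep.go, so something like `// P11PrepHash is the status hash key for the PKCS11 key-preparation step.` would help the next reader (confirm against the controller).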
@@ -24,6 +24,7 @@ package v1beta1 import ( "fmt" + "slices" "github.com/openstack-k8s-operators/lib-common/modules/common/service" apierrors "k8s.io/apimachinery/pkg/api/errors" @@ -133,6 +134,23 @@ func (r *BarbicanSpec) ValidateCreate(basePath *field.Path) field.ErrorList { basePath.Child("barbicanAPI").Child("override").Child("service"), r.BarbicanAPI.Override.Service)...) + // pkcs11 verifications + if slices.Contains(r.EnabledSecretStores, "pkcs11") { + if r.PKCS11 == nil { + allErrs = append(allErrs, field.Required(basePath.Child("PKCS11"), + "PKCS11 specification is missing, PKCS11 is required when pkcs11 is an enabled SecretStore"), + ) + } else { + // Checking that at least one of the following parameters has been provided. + if len(r.PKCS11.TokenSerialNumber) == 0 && len(r.PKCS11.TokenLabels) == 0 && len(r.PKCS11.SlotId) == 0 { + allErrs = append(allErrs, field.Required(basePath.Child("PKCS11"), + "No token identifier provided. One of TokenSerialNumber, TokenLabels or SlotId needed"), + ) + } + } + } + + return allErrs } diff --git a/api/v1beta1/barbicankeystonelistener_types.go b/api/v1beta1/barbicankeystonelistener_types.go index 9e393df..97bf3d9 100644 --- a/api/v1beta1/barbicankeystonelistener_types.go +++ b/api/v1beta1/barbicankeystonelistener_types.go @@ -44,6 +44,7 @@ type BarbicanKeystoneListenerSpec struct { BarbicanTemplate `json:",inline"` BarbicanKeystoneListenerTemplate `json:",inline"` + DatabaseHostname string `json:"databaseHostname"` TransportURLSecret string `json:"transportURLSecret,omitempty"` diff --git a/api/v1beta1/barbicanworker_types.go b/api/v1beta1/barbicanworker_types.go index 67ddf19..ffaab1e 100644 --- a/api/v1beta1/barbicanworker_types.go +++ b/api/v1beta1/barbicanworker_types.go 
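Review bot: The new pkcs11 block in ValidateCreate checks that a token identifier exists but does not enforce the invariant the type's own field comments state, that `MKEKLabel` and `HMACLabel` must differ, nor that `r.PKCS11.Type` is one of `HSMTypes`; since the generated CRDs in this patch emit `type:` as a bare `type: string` with no enum, this webhook is the only place an unsupported HSM type can be rejected at admission. The error paths also use `basePath.Child("PKCS11")` while the JSON field is `pkcs11`, so the reported path does not match what the user wrote. Inside the `else` branch, `if r.PKCS11.MKEKLabel == r.PKCS11.HMACLabel { allErrs = append(allErrs, field.Invalid(basePath.Child("pkcs11").Child("HMACLabel"), r.PKCS11.HMACLabel, "HMACLabel must differ from MKEKLabel")) }` and `if !slices.Contains(HSMTypes, r.PKCS11.Type) { allErrs = append(allErrs, field.NotSupported(basePath.Child("pkcs11").Child("type"), r.PKCS11.Type, HSMTypes)) }` would close both gaps. The body of ValidateCreate starts before this hunk, and whether ValidateUpdate applies the same checks is not visible here.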
@@ -44,7 +44,8 @@ type BarbicanWorkerSpec struct { BarbicanTemplate `json:",inline"` BarbicanWorkerTemplate `json:",inline"` - DatabaseHostname string `json:"databaseHostname"` + + DatabaseHostname string `json:"databaseHostname"` TransportURLSecret string `json:"transportURLSecret,omitempty"` diff --git a/api/v1beta1/common_types.go b/api/v1beta1/common_types.go index 383178f..95af613 100644 --- a/api/v1beta1/common_types.go +++ b/api/v1beta1/common_types.go @@ -49,6 +49,19 @@ type BarbicanTemplate struct { // +kubebuilder:validation:Required // ServiceAccount - service account name used internally to provide Barbican services the default SA name ServiceAccount string `json:"serviceAccount"` + + // +kubebuilder:validation:Optional + PKCS11 *BarbicanPKCS11Template `json:"pkcs11,omitempty"` + + // +kubebuilder:validation:Optional + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=2 + // +listType:=set + EnabledSecretStores []SecretStore `json:"enabledSecretStores,omitempty"` + + // +kubebuilder:validation:Optional + // +kubebuilder:default="simple_crypto" + GlobalDefaultSecretStore SecretStore `json:"globalDefaultSecretStore" yaml:"globalDefaultSecretStore"` } // BarbicanComponentTemplate - Variables used by every sub-component of Barbican 
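Review bot: The three fields added to BarbicanTemplate carry kubebuilder markers but no doc comment, so the regenerated CRD descriptions earlier in this patch fall back to the SecretStore type's comment and tell the user nothing about what happens when `enabledSecretStores` is omitted or how `globalDefaultSecretStore` relates to it. `GlobalDefaultSecretStore` is also the only field in the struct with a `yaml:` tag, which the surrounding fields do not use and which apimachinery does not consult. Suggested comments: `// PKCS11 - HSM connection and key settings; required when "pkcs11" is listed in EnabledSecretStores`, `// EnabledSecretStores - secret store backends Barbican may use (simple_crypto, pkcs11)`, and `// GlobalDefaultSecretStore - store used when a request names none; presumably must be one of EnabledSecretStores (confirm and validate in the webhook)`.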
@@ -95,6 +108,126 @@ type BarbicanComponentTemplate struct { NetworkAttachments []string `json:"networkAttachments,omitempty"` } +// +kubebuilder:validation:Enum=simple_crypto;pkcs11 +// This SecretStore type is used by the EnabledSecretStores variable inside the specification. +type SecretStore string + +// BarbicanPKCS11Template - Includes all common HSM properties +type BarbicanPKCS11Template struct { + // +kubebuilder:validation:Required + // +kubebuilder:validation:Items:Enum=luna + // A string containing the HSM type (currently supported: "luna"). + Type string `json:"type"` + + // +kubebuilder:validation:Required + // Path to vendor's PKCS11 library + LibraryPath string `json:"libraryPath"` + + // +kubebuilder:validation:Optional + // Token serial number used to identify the token to be used. + // One of TokenSerialNumber, TokenLabels or SlotId must + // be defined. TokenSerialNumber takes priority over + // TokenLabels and SlotId + TokenSerialNumber string `json:"tokenSerialNumber,omitempty"` + + // +kubebuilder:validation:Optional + // Token labels used to identify the token to be used. + // One of TokenSerialNumber, TokenLabels or SlotId must + // be specified. TokenLabels takes priority over SlotId. + // This can be a comma separated string of labels + TokenLabels string `json:"tokenLabels,omitempty"` + + // +kubebuilder:validation:Optional + // One of TokenSerialNumber, TokenLabels or SlotId must + // be defined. 
SlotId is used if none of the others is defined + SlotId string `json:"slotId,omitempty"` + + // +kubebuilder:validation:Required + // Label to identify master KEK in the HSM (must not be the same as HMAC label) + MKEKLabel string `json:"MKEKLabel"` + + // +kubebuilder:validation:Optional + // +kubebuilder:default=32 + // Length in bytes of master KEK + MKEKLength int `json:"MKEKLength"` + + // +kubebuilder:validation:Required + // Label to identify HMAC key in the HSM (must not be the same as MKEK label) + HMACLabel string `json:"HMACLabel"` + + // +kubebuilder:validation:Optional + // +kubebuilder:default=CKK_GENERIC_SECRET + // HMAC Key Type + HMACKeyType string `json:"HMACKeyType"` + + // +kubebuilder:validation:Optional + // +kubebuilder:default=CKM_GENERIC_SECRET_KEY_GEN + // HMAC Keygen Mechanism + HMACKeygenMechanism string `json:"HMACKeygenMechanism"` + + // +kubebuilder:validation:Optional + // +kubebuilder:default=CKM_SHA256_HMAC + // HMAC Mechanism. This replaces hsm_keywrap_mechanism + HMACMechanism string `json:"HMACMechanism"` + + // +kubebuilder:validation:Optional + // +kubebuilder:default=4 + // +kubebuilder:validation:Maximum=7 + // +kubebuilder:validation:Minimum=0 + // Level of logging, where 0 means "no logging" and 7 means "debug". + LoggingLevel int `json:"loggingLevel"` + + // +kubebuilder:validation:Required + // The HSM's IPv4 address (X.Y.Z.K) + ServerAddress string `json:"serverAddress"` + + // +kubebuilder:validation:Optional + // The IP address of the client connecting to the HSM (X.Y.Z.K) + ClientAddress string `json:"clientAddress,omitempty"` + + // +kubebuilder:validation:Required + // OpenShift secret that stores the password to login to the PKCS11 session + LoginSecret string `json:"loginSecret"` + + // +kubebuilder:validation:Optional + // The OpenShift secret that stores the HSM certificates. 
+ CertificatesSecret string `json:"certificatesSecret,omitempty"` + + // +kubebuilder:validation:Optional + // The mounting point where the certificates will be copied to (e.g., /usr/local/luna/config/certs). + CertificatesMountPoint string `json:"certificatesMountPoint,omitempty"` + + // +kubebuilder:validation:Optional + // +kubebuilder:default=CKM_AES_GCM + // Secret encryption mechanism + EncryptionMechanism string `json:"encryptionMechanism"` + + // +kubebuilder:validation:Optional + // +kubebuilder:default=CKM_AES_KEY_WRAP_KWP + // Key wrap mechanism + KeyWrapMechanism string `json:"keyWrapMechanism"` + + // +kubebuilder:validation:Optional + // +kubebuilder:default=true + // Generate IVs for the key wrap mechanism + KeyWrapGenerateIV bool `json:"keyWrapGenerateIV"` + + // +kubebuilder:validation:Optional + // +kubebuilder:default=true + // Generate IVs for CKM_AES_GCM mechanism + AESGCMGenerateIV bool `json:"AESGCMGenerateIV"` + + // +kubebuilder:validation:Optional + // +kubebuilder:default=true + // Always set cka_sensitive + AlwaysSetCKASensitive bool `json:"alwaysSetCKASensitive"` + + // +kubebuilder:validation:Optional + // +kubebuilder:default=false + // Set os_locking_ok + OSLockingOK bool `json:"OSLockingOK"` +} + // PasswordSelector to identify the DB and AdminUser password from the Secret type PasswordSelector struct { // +kubebuilder:validation:Optional diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go index 05d8a54..f61b499 100644 --- a/api/v1beta1/zz_generated.deepcopy.go +++ b/api/v1beta1/zz_generated.deepcopy.go 
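Review bot: `// +kubebuilder:validation:Items:Enum=luna` on the scalar `Type` field is a no-op, because `Items:` scopes a marker to array elements; the regenerated CRDs in this patch confirm it, emitting `type:` as a plain `type: string` with no enum, so an unsupported HSM type passes admission and is only discovered once the component tries to use it. Change it to `// +kubebuilder:validation:Enum=luna` and keep it in sync with `HSMTypes`. `LoggingLevel` gets Minimum/Maximum bounds but `MKEKLength` has none, so a zero or negative master-KEK length is accepted by the schema; a positive lower bound via `// +kubebuilder:validation:Minimum` would be worth adding. As a point of style, `SlotId` would be `SlotID` under Go initialism conventions while keeping the `slotId` JSON tag, and the comments on `MKEKLabel`/`HMACLabel` state a must-differ rule that nothing in the schema enforces, which is worth saying explicitly in the comment so readers know it is checked elsewhere (or not).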
@@ -138,7 +138,7 @@ func (in *BarbicanAPIList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BarbicanAPISpec) DeepCopyInto(out *BarbicanAPISpec) { *out = *in - out.BarbicanTemplate = in.BarbicanTemplate + in.BarbicanTemplate.DeepCopyInto(&out.BarbicanTemplate) in.BarbicanAPITemplate.DeepCopyInto(&out.BarbicanAPITemplate) } @@ -363,7 +363,7 @@ func (in *BarbicanKeystoneListenerList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BarbicanKeystoneListenerSpec) DeepCopyInto(out *BarbicanKeystoneListenerSpec) { *out = *in - out.BarbicanTemplate = in.BarbicanTemplate + in.BarbicanTemplate.DeepCopyInto(&out.BarbicanTemplate) in.BarbicanKeystoneListenerTemplate.DeepCopyInto(&out.BarbicanKeystoneListenerTemplate) out.TLS = in.TLS } @@ -486,6 +486,21 @@ func (in *BarbicanList) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *BarbicanPKCS11Template) DeepCopyInto(out *BarbicanPKCS11Template) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BarbicanPKCS11Template. +func (in *BarbicanPKCS11Template) DeepCopy() *BarbicanPKCS11Template { + if in == nil { + return nil + } + out := new(BarbicanPKCS11Template) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BarbicanSpec) DeepCopyInto(out *BarbicanSpec) { *out = *in 
@@ -508,7 +523,7 @@ func (in *BarbicanSpec) DeepCopy() *BarbicanSpec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BarbicanSpecBase) DeepCopyInto(out *BarbicanSpecBase) { *out = *in - out.BarbicanTemplate = in.BarbicanTemplate + in.BarbicanTemplate.DeepCopyInto(&out.BarbicanTemplate) if in.NodeSelector != nil { in, out := &in.NodeSelector, &out.NodeSelector *out = new(map[string]string) @@ -591,6 +606,16 @@ func (in *BarbicanStatus) DeepCopy() *BarbicanStatus { func (in *BarbicanTemplate) DeepCopyInto(out *BarbicanTemplate) { *out = *in out.PasswordSelectors = in.PasswordSelectors + if in.PKCS11 != nil { + in, out := &in.PKCS11, &out.PKCS11 + *out = new(BarbicanPKCS11Template) + **out = **in + } + if in.EnabledSecretStores != nil { + in, out := &in.EnabledSecretStores, &out.EnabledSecretStores + *out = make([]SecretStore, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BarbicanTemplate. @@ -665,7 +690,7 @@ func (in *BarbicanWorkerList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BarbicanWorkerSpec) DeepCopyInto(out *BarbicanWorkerSpec) { *out = *in - out.BarbicanTemplate = in.BarbicanTemplate + in.BarbicanTemplate.DeepCopyInto(&out.BarbicanTemplate) in.BarbicanWorkerTemplate.DeepCopyInto(&out.BarbicanWorkerTemplate) out.TLS = in.TLS } diff --git a/config/crd/bases/barbican.openstack.org_barbicanapis.yaml b/config/crd/bases/barbican.openstack.org_barbicanapis.yaml index 71010bf..a6c1f5b 100644 --- a/config/crd/bases/barbican.openstack.org_barbicanapis.yaml +++ b/config/crd/bases/barbican.openstack.org_barbicanapis.yaml 
@@ -89,6 +89,26 @@ spec: description: EnableSecureRBAC - Enable Consistent and Secure RBAC policies type: boolean + enabledSecretStores: + items: + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: set + globalDefaultSecretStore: + default: simple_crypto + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network 
@@ -292,6 +312,113 @@ spec: default: SimpleCryptoKEK type: string type: object + pkcs11: + description: BarbicanPKCS11Template - Includes all common HSM properties + properties: + AESGCMGenerateIV: + default: true + description: Generate IVs for CKM_AES_GCM mechanism + type: boolean + HMACKeyType: + default: CKK_GENERIC_SECRET + description: HMAC Key Type + type: string + HMACKeygenMechanism: + default: CKM_GENERIC_SECRET_KEY_GEN + description: HMAC Keygen Mechanism + type: string + HMACLabel: + description: Label to identify HMAC key in the HSM (must not be + the same as MKEK label) + type: string + HMACMechanism: + default: CKM_SHA256_HMAC + description: HMAC Mechanism. This replaces hsm_keywrap_mechanism + type: string + MKEKLabel: + description: Label to identify master KEK in the HSM (must not + be the same as HMAC label) + type: string + MKEKLength: + default: 32 + description: Length in bytes of master KEK + type: integer + OSLockingOK: + default: false + description: Set os_locking_ok + type: boolean + alwaysSetCKASensitive: + default: true + description: Always set cka_sensitive + type: boolean + certificatesMountPoint: + description: The mounting point where the certificates will be + copied to (e.g., /usr/local/luna/config/certs). + type: string + certificatesSecret: + description: The OpenShift secret that stores the HSM certificates. + type: string + clientAddress: + description: The IP address of the client connecting to the HSM + (X.Y.Z.K) + type: string + encryptionMechanism: + default: CKM_AES_GCM + description: Secret encryption mechanism + type: string + keyWrapGenerateIV: + default: true + description: Generate IVs for the key wrap mechanism + type: boolean + keyWrapMechanism: + default: CKM_AES_KEY_WRAP_KWP + description: Key wrap mechanism + type: string + libraryPath: + description: Path to vendor's PKCS11 library + type: string + loggingLevel: + default: 4 + description: Level of logging, where 0 means "no logging" and + 7 means "debug". 
+ maximum: 7 + minimum: 0 + type: integer + loginSecret: + description: OpenShift secret that stores the password to login + to the PKCS11 session + type: string + serverAddress: + description: The HSM's IPv4 address (X.Y.Z.K) + type: string + slotId: + description: One of TokenSerialNumber, TokenLabels or SlotId must + be defined. SlotId is used if none of the others is defined + type: string + tokenLabels: + description: Token labels used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must be specified. + TokenLabels takes priority over SlotId. This can be a comma + separated string of labels + type: string + tokenSerialNumber: + description: Token serial number used to identify the token to + be used. One of TokenSerialNumber, TokenLabels or SlotId must + be defined. TokenSerialNumber takes priority over TokenLabels + and SlotId + type: string + type: + description: 'A string containing the HSM type (currently supported: + "luna").' + type: string + required: + - HMACLabel + - MKEKLabel + - libraryPath + - loginSecret + - serverAddress + - type + type: object rabbitMqClusterName: default: rabbitmq description: RabbitMQ instance name Needed to request a transportURL diff --git a/config/crd/bases/barbican.openstack.org_barbicankeystonelisteners.yaml b/config/crd/bases/barbican.openstack.org_barbicankeystonelisteners.yaml index bdea1d3..8366530 100644 --- a/config/crd/bases/barbican.openstack.org_barbicankeystonelisteners.yaml +++ b/config/crd/bases/barbican.openstack.org_barbicankeystonelisteners.yaml 
@@ -85,6 +85,26 @@ spec: files. Those get added to the service config dir in /etc/ . TODO: -> implement' type: object + enabledSecretStores: + items: + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: set + globalDefaultSecretStore: + default: simple_crypto + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network 
@@ -114,6 +134,113 @@ spec: default: SimpleCryptoKEK type: string type: object + pkcs11: + description: BarbicanPKCS11Template - Includes all common HSM properties + properties: + AESGCMGenerateIV: + default: true + description: Generate IVs for CKM_AES_GCM mechanism + type: boolean + HMACKeyType: + default: CKK_GENERIC_SECRET + description: HMAC Key Type + type: string + HMACKeygenMechanism: + default: CKM_GENERIC_SECRET_KEY_GEN + description: HMAC Keygen Mechanism + type: string + HMACLabel: + description: Label to identify HMAC key in the HSM (must not be + the same as MKEK label) + type: string + HMACMechanism: + default: CKM_SHA256_HMAC + description: HMAC Mechanism. This replaces hsm_keywrap_mechanism + type: string + MKEKLabel: + description: Label to identify master KEK in the HSM (must not + be the same as HMAC label) + type: string + MKEKLength: + default: 32 + description: Length in bytes of master KEK + type: integer + OSLockingOK: + default: false + description: Set os_locking_ok + type: boolean + alwaysSetCKASensitive: + default: true + description: Always set cka_sensitive + type: boolean + certificatesMountPoint: + description: The mounting point where the certificates will be + copied to (e.g., /usr/local/luna/config/certs). + type: string + certificatesSecret: + description: The OpenShift secret that stores the HSM certificates. + type: string + clientAddress: + description: The IP address of the client connecting to the HSM + (X.Y.Z.K) + type: string + encryptionMechanism: + default: CKM_AES_GCM + description: Secret encryption mechanism + type: string + keyWrapGenerateIV: + default: true + description: Generate IVs for the key wrap mechanism + type: boolean + keyWrapMechanism: + default: CKM_AES_KEY_WRAP_KWP + description: Key wrap mechanism + type: string + libraryPath: + description: Path to vendor's PKCS11 library + type: string + loggingLevel: + default: 4 + description: Level of logging, where 0 means "no logging" and + 7 means "debug". 
+ maximum: 7 + minimum: 0 + type: integer + loginSecret: + description: OpenShift secret that stores the password to login + to the PKCS11 session + type: string + serverAddress: + description: The HSM's IPv4 address (X.Y.Z.K) + type: string + slotId: + description: One of TokenSerialNumber, TokenLabels or SlotId must + be defined. SlotId is used if none of the others is defined + type: string + tokenLabels: + description: Token labels used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must be specified. + TokenLabels takes priority over SlotId. This can be a comma + separated string of labels + type: string + tokenSerialNumber: + description: Token serial number used to identify the token to + be used. One of TokenSerialNumber, TokenLabels or SlotId must + be defined. TokenSerialNumber takes priority over TokenLabels + and SlotId + type: string + type: + description: 'A string containing the HSM type (currently supported: + "luna").' + type: string + required: + - HMACLabel + - MKEKLabel + - libraryPath + - loginSecret + - serverAddress + - type + type: object rabbitMqClusterName: default: rabbitmq description: RabbitMQ instance name Needed to request a transportURL diff --git a/config/crd/bases/barbican.openstack.org_barbicans.yaml b/config/crd/bases/barbican.openstack.org_barbicans.yaml index cf99e64..bf9d770 100644 --- a/config/crd/bases/barbican.openstack.org_barbicans.yaml +++ b/config/crd/bases/barbican.openstack.org_barbicans.yaml 
@@ -601,6 +601,26 @@ spec: to add additional files. Those get added to the service config dir in /etc/ . TODO(dmendiza): -> implement' type: object + enabledSecretStores: + items: + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: set + globalDefaultSecretStore: + default: simple_crypto + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string nodeSelector: additionalProperties: type: string 
@@ -624,6 +644,113 @@ spec: default: SimpleCryptoKEK type: string type: object + pkcs11: + description: BarbicanPKCS11Template - Includes all common HSM properties + properties: + AESGCMGenerateIV: + default: true + description: Generate IVs for CKM_AES_GCM mechanism + type: boolean + HMACKeyType: + default: CKK_GENERIC_SECRET + description: HMAC Key Type + type: string + HMACKeygenMechanism: + default: CKM_GENERIC_SECRET_KEY_GEN + description: HMAC Keygen Mechanism + type: string + HMACLabel: + description: Label to identify HMAC key in the HSM (must not be + the same as MKEK label) + type: string + HMACMechanism: + default: CKM_SHA256_HMAC + description: HMAC Mechanism. This replaces hsm_keywrap_mechanism + type: string + MKEKLabel: + description: Label to identify master KEK in the HSM (must not + be the same as HMAC label) + type: string + MKEKLength: + default: 32 + description: Length in bytes of master KEK + type: integer + OSLockingOK: + default: false + description: Set os_locking_ok + type: boolean + alwaysSetCKASensitive: + default: true + description: Always set cka_sensitive + type: boolean + certificatesMountPoint: + description: The mounting point where the certificates will be + copied to (e.g., /usr/local/luna/config/certs). + type: string + certificatesSecret: + description: The OpenShift secret that stores the HSM certificates. + type: string + clientAddress: + description: The IP address of the client connecting to the HSM + (X.Y.Z.K) + type: string + encryptionMechanism: + default: CKM_AES_GCM + description: Secret encryption mechanism + type: string + keyWrapGenerateIV: + default: true + description: Generate IVs for the key wrap mechanism + type: boolean + keyWrapMechanism: + default: CKM_AES_KEY_WRAP_KWP + description: Key wrap mechanism + type: string + libraryPath: + description: Path to vendor's PKCS11 library + type: string + loggingLevel: + default: 4 + description: Level of logging, where 0 means "no logging" and + 7 means "debug". 
+ maximum: 7 + minimum: 0 + type: integer + loginSecret: + description: OpenShift secret that stores the password to login + to the PKCS11 session + type: string + serverAddress: + description: The HSM's IPv4 address (X.Y.Z.K) + type: string + slotId: + description: One of TokenSerialNumber, TokenLabels or SlotId must + be defined. SlotId is used if none of the others is defined + type: string + tokenLabels: + description: Token labels used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must be specified. + TokenLabels takes priority over SlotId. This can be a comma + separated string of labels + type: string + tokenSerialNumber: + description: Token serial number used to identify the token to + be used. One of TokenSerialNumber, TokenLabels or SlotId must + be defined. TokenSerialNumber takes priority over TokenLabels + and SlotId + type: string + type: + description: 'A string containing the HSM type (currently supported: + "luna").' + type: string + required: + - HMACLabel + - MKEKLabel + - libraryPath + - loginSecret + - serverAddress + - type + type: object preserveJobs: default: false description: PreserveJobs - do not delete jobs after they finished diff --git a/config/crd/bases/barbican.openstack.org_barbicanworkers.yaml b/config/crd/bases/barbican.openstack.org_barbicanworkers.yaml index 41dadbc..584c4df 100644 --- a/config/crd/bases/barbican.openstack.org_barbicanworkers.yaml +++ b/config/crd/bases/barbican.openstack.org_barbicanworkers.yaml 
@@ -83,6 +83,26 @@ spec: files. Those get added to the service config dir in /etc/ . TODO: -> implement' type: object + enabledSecretStores: + items: + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: set + globalDefaultSecretStore: + default: simple_crypto + description: This SecretStore type is used by the EnabledSecretStores + variable inside the specification. + enum: + - simple_crypto + - pkcs11 + type: string networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network 
@@ -112,6 +132,113 @@ spec: default: SimpleCryptoKEK type: string type: object + pkcs11: + description: BarbicanPKCS11Template - Includes all common HSM properties + properties: + AESGCMGenerateIV: + default: true + description: Generate IVs for CKM_AES_GCM mechanism + type: boolean + HMACKeyType: + default: CKK_GENERIC_SECRET + description: HMAC Key Type + type: string + HMACKeygenMechanism: + default: CKM_GENERIC_SECRET_KEY_GEN + description: HMAC Keygen Mechanism + type: string + HMACLabel: + description: Label to identify HMAC key in the HSM (must not be + the same as MKEK label) + type: string + HMACMechanism: + default: CKM_SHA256_HMAC + description: HMAC Mechanism. This replaces hsm_keywrap_mechanism + type: string + MKEKLabel: + description: Label to identify master KEK in the HSM (must not + be the same as HMAC label) + type: string + MKEKLength: + default: 32 + description: Length in bytes of master KEK + type: integer + OSLockingOK: + default: false + description: Set os_locking_ok + type: boolean + alwaysSetCKASensitive: + default: true + description: Always set cka_sensitive + type: boolean + certificatesMountPoint: + description: The mounting point where the certificates will be + copied to (e.g., /usr/local/luna/config/certs). + type: string + certificatesSecret: + description: The OpenShift secret that stores the HSM certificates. + type: string + clientAddress: + description: The IP address of the client connecting to the HSM + (X.Y.Z.K) + type: string + encryptionMechanism: + default: CKM_AES_GCM + description: Secret encryption mechanism + type: string + keyWrapGenerateIV: + default: true + description: Generate IVs for the key wrap mechanism + type: boolean + keyWrapMechanism: + default: CKM_AES_KEY_WRAP_KWP + description: Key wrap mechanism + type: string + libraryPath: + description: Path to vendor's PKCS11 library + type: string + loggingLevel: + default: 4 + description: Level of logging, where 0 means "no logging" and + 7 means "debug". 
+ maximum: 7 + minimum: 0 + type: integer + loginSecret: + description: OpenShift secret that stores the password to login + to the PKCS11 session + type: string + serverAddress: + description: The HSM's IPv4 address (X.Y.Z.K) + type: string + slotId: + description: One of TokenSerialNumber, TokenLabels or SlotId must + be defined. SlotId is used if none of the others is defined + type: string + tokenLabels: + description: Token labels used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must be specified. + TokenLabels takes priority over SlotId. This can be a comma + separated string of labels + type: string + tokenSerialNumber: + description: Token serial number used to identify the token to + be used. One of TokenSerialNumber, TokenLabels or SlotId must + be defined. TokenSerialNumber takes priority over TokenLabels + and SlotId + type: string + type: + description: 'A string containing the HSM type (currently supported: + "luna").' + type: string + required: + - HMACLabel + - MKEKLabel + - libraryPath + - loginSecret + - serverAddress + - type + type: object rabbitMqClusterName: default: rabbitmq description: RabbitMQ instance name Needed to request a transportURL diff --git a/config/samples/pods_with_pkcs11-luna.yaml b/config/samples/pods_with_pkcs11-luna.yaml new file mode 100644 index 0000000..45416f9 --- /dev/null +++ b/config/samples/pods_with_pkcs11-luna.yaml 
@@ -0,0 +1,53 @@ +apiVersion: barbican.openstack.org/v1beta1 +kind: Barbican +metadata: + labels: + app.kubernetes.io/name: barbican + app.kubernetes.io/instance: barbican + app.kubernetes.io/part-of: barbican-operator + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/created-by: barbican-operator + name: barbican +spec: + serviceAccount: barbican + serviceUser: barbican + databaseInstance: openstack + databaseAccount: barbican + rabbitMqCusterName: barbican_rabbit + secret: osp-secret + passwordSelectors: + database: BarbicanDatabasePassword + service: BarbicanPassword + simplecryptokek: BarbicanSimpleCryptoKEK + preserveJobs: true + customServiceConfig: | + [DEFAULT] + debug = True + globalDefaultSecretStore: pkcs11 + enabledSecretStores: + - simple_crypto + - pkcs11 + pkcs11: + hsmType: luna + hsmLibraryPath: /usr/local/luna/libs/64/libCryptoki2.so + hsmTokenLabels: my_hsm_partition_label + hsmMKEKLabel: my_mkek_label + hsmHMACLabel: my_hmac_label + hsmIpAddress: my_hsm_server_ip_address + hsmClientAddress: my_hsm_client_ip_address + hsmLoginSecret: my_luna_login_secret + hsmCertificatesSecret: my_luna_certs_secret + hsmCertificatesMountPoint: /usr/local/luna/config/certs + hsmKeyWrapMechanism: CKM_AES_CBC_PAD + barbicanAPI: + containerImage: my_custom_barbican_api_image + passwordSelectors: + database: BarbicanDatabasePassword + service: BarbicanPassword + replicas: 1 + barbicanWorker: + containerImage: my_custom_barbican_worker_image + replicas: 1 + barbicanKeystoneListener: + containerImage: quay.io/podified-antelope-centos9/openstack-barbican-keystone-listener@sha256:9a5deaf4a7db671dab48aface9d426b8fc1ae7cb20d3be64c9c7bf90241fb65c + replicas: 1 diff --git a/controllers/barbican_common.go b/controllers/barbican_common.go index 4f99f3d..417e55d 100644 --- a/controllers/barbican_common.go +++ b/controllers/barbican_common.go 
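Review bot: The `pkcs11` keys in this sample do not match the schema this commit adds to the CRDs, so the sample will not validate as written: it uses `hsmType`, `hsmLibraryPath`, `hsmTokenLabels`, `hsmMKEKLabel`, `hsmHMACLabel`, `hsmIpAddress`, `hsmClientAddress`, `hsmLoginSecret`, `hsmCertificatesSecret`, `hsmCertificatesMountPoint` and `hsmKeyWrapMechanism`, while the CRD properties are `type`, `libraryPath`, `tokenLabels`, `MKEKLabel`, `HMACLabel`, `serverAddress`, `clientAddress`, `loginSecret`, `certificatesSecret`, `certificatesMountPoint` and `keyWrapMechanism` (with `HMACLabel`, `MKEKLabel`, `libraryPath`, `loginSecret`, `serverAddress` and `type` required). `rabbitMqCusterName` is also a typo for the `rabbitMqClusterName` property visible in the CRD. The placeholder values are fine; only the keys need the schema's spelling, e.g. `type: luna`, `libraryPath: /usr/local/luna/libs/64/libCryptoki2.so`, `serverAddress: my_hsm_server_ip_address`.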
@@ -18,11 +18,16 @@ package controllers import ( "context" + "errors" "fmt" + "slices" + "strings" + barbicanv1beta1 "github.com/openstack-k8s-operators/barbican-operator/api/v1beta1" "github.com/openstack-k8s-operators/lib-common/modules/common/env" "github.com/openstack-k8s-operators/lib-common/modules/common/helper" "github.com/openstack-k8s-operators/lib-common/modules/common/secret" + oko_secret "github.com/openstack-k8s-operators/lib-common/modules/common/secret" "github.com/openstack-k8s-operators/lib-common/modules/common/util" "sigs.k8s.io/controller-runtime/pkg/client" ) 
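Review bot: The import block now brings in `github.com/openstack-k8s-operators/lib-common/modules/common/secret` twice, once as `secret` and once aliased as `oko_secret`; the alias adds nothing and reads as if two different packages were involved. Drop the `oko_secret` line and call `secret.GetSecret(ctx, h, pkcs11.LoginSecret, namespace)` in GeneratePKCS11TemplateMap instead of `oko_secret.GetSecret(...)`.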
@@ -52,12 +57,91 @@ func GenerateConfigsGeneric( } if scripts { cms = append(cms, util.Template{ - Name: fmt.Sprintf("%s-scripts", instance.GetName()), - Namespace: instance.GetNamespace(), - Type: util.TemplateTypeScripts, - InstanceType: instance.GetObjectKind().GroupVersionKind().Kind, - Labels: cmLabels, + Name: fmt.Sprintf("%s-scripts", instance.GetName()), + Namespace: instance.GetNamespace(), + Type: util.TemplateTypeScripts, + InstanceType: instance.GetObjectKind().GroupVersionKind().Kind, + ConfigOptions: templateParameters, + Labels: cmLabels, }) } return secret.EnsureSecrets(ctx, h, instance, cms, envVars) } + +func GenerateSecretStoreTemplateMap( + enabledSecretStores []barbicanv1beta1.SecretStore, + globalDefaultSecretStore barbicanv1beta1.SecretStore, +) (map[string]interface{}, error) { + // Log := r.GetLogger(ctx) + stores := []string{} + if len(enabledSecretStores) == 0 { + stores = []string{"simple_crypto"} + } else { + for _, value := range enabledSecretStores { + stores = append(stores, string(value)) + } + } + + if len(globalDefaultSecretStore) == 0 { + globalDefaultSecretStore = "simple_crypto" + } + + tempMap := map[string]interface{}{ + "EnabledSecretStores": strings.Join(stores, ","), + "GlobalDefaultSecretStore": globalDefaultSecretStore, + "SimpleCryptoEnabled": slices.Contains(stores, "simple_crypto"), + "PKCS11CryptoEnabled": slices.Contains(stores, "pkcs11"), + } + return tempMap, nil +} + +func GeneratePKCS11TemplateMap( + ctx context.Context, + h *helper.Helper, + pkcs11 barbicanv1beta1.BarbicanPKCS11Template, + namespace string, +) (map[string]interface{}, error) { + tempMap := map[string]interface{}{} + hsmLoginSecret, _, err := oko_secret.GetSecret(ctx, h, pkcs11.LoginSecret, namespace) + if err != nil { + return nil, err + } + + if len(pkcs11.TokenSerialNumber) > 0 { + tempMap["P11TokenSerialNumber"] = pkcs11.TokenSerialNumber + } + if len(pkcs11.TokenLabels) > 0 { + tempMap["P11TokenLabels"] = pkcs11.TokenLabels + } + if 
len(pkcs11.SlotId) > 0 { + tempMap["P11SlotId"] = pkcs11.SlotId + } + + // Checking if a supported HSM type has been provided. + if !slices.Contains(barbicanv1beta1.HSMTypes, strings.ToLower(pkcs11.Type)) { + return nil, errors.New("no valid HSM type provided!map[string]interface{}") + } + + tempMap["P11Enabled"] = true + tempMap["P11LibraryPath"] = pkcs11.LibraryPath + tempMap["P11CertificatesMountPoint"] = pkcs11.CertificatesMountPoint + tempMap["P11Login"] = string(hsmLoginSecret.Data["hsmLogin"]) + tempMap["P11MKEKLabel"] = pkcs11.MKEKLabel + tempMap["P11MKEKLength"] = pkcs11.MKEKLength + tempMap["P11HMACLabel"] = pkcs11.HMACLabel + tempMap["P11HMACKeyType"] = pkcs11.HMACKeyType + tempMap["P11HMACKeygenMechanism"] = pkcs11.HMACKeygenMechanism + tempMap["P11HMACMechanism"] = pkcs11.HMACMechanism + tempMap["P11LoggingLevel"] = pkcs11.LoggingLevel + tempMap["P11ServerAddress"] = pkcs11.ServerAddress + tempMap["P11ClientAddress"] = pkcs11.ClientAddress + tempMap["P11Type"] = strings.ToLower(pkcs11.Type) + tempMap["P11EncryptionMechanism"] = pkcs11.EncryptionMechanism + tempMap["P11KeyWrapMechanism"] = pkcs11.KeyWrapMechanism + tempMap["P11AESGCMGenerateIV"] = pkcs11.AESGCMGenerateIV + tempMap["P11KeyWrapGenerateIV"] = pkcs11.KeyWrapGenerateIV + tempMap["P11AlwaysSetCKASensitive"] = pkcs11.AlwaysSetCKASensitive + tempMap["P11OSLockingOK"] = pkcs11.OSLockingOK + + return tempMap, nil +} diff --git a/controllers/barbican_controller.go b/controllers/barbican_controller.go index f677ea9..9500b30 100644 --- a/controllers/barbican_controller.go +++ b/controllers/barbican_controller.go @@ -19,6 +19,7 @@ package controllers import ( "context" "fmt" + "slices" "time" "k8s.io/apimachinery/pkg/runtime" 
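Review bot: GeneratePKCS11TemplateMap reads `hsmLoginSecret.Data["hsmLogin"]` without checking that the key exists, so a login Secret that is present but mis-keyed yields an empty `P11Login` and the failure only surfaces later as an HSM login error rather than a clear reconcile error. Add the check before populating the map: `login, ok := hsmLoginSecret.Data["hsmLogin"]` / `if !ok { return nil, fmt.Errorf("secret %s has no 'hsmLogin' key", pkcs11.LoginSecret) }`. The HSM-type error string `"no valid HSM type provided!map[string]interface{}"` has a stray type name pasted into it and should read `"no valid HSM type provided"`. Note also that the returned map carries the HSM password as a plain template parameter, and earlier in this hunk GenerateConfigsGeneric now passes the same parameters to the scripts template (`ConfigOptions: templateParameters`), so the rendered scripts Secret has to be handled as sensitively as the config Secret.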
@@ -48,6 +49,7 @@ import ( "github.com/openstack-k8s-operators/lib-common/modules/common/tls" "github.com/openstack-k8s-operators/lib-common/modules/common/util" mariadbv1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1" + "golang.org/x/exp/maps" batchv1 "k8s.io/api/batch/v1" corev1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" @@ -55,6 +57,14 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +const ( + P11PrepReadyCondition = "P11PrepReady" + P11PrepReadyInitMessage = "P11 Prep job not started" + P11PrepReadyMessage = "P11 Prep job completed" + P11PrepReadyErrorMessage = "P11 Prep job error occurred %s" + P11PrepReadyRunningMessage = "P11 Prep job is still running" +) + // BarbicanReconciler reconciles a Barbican object type BarbicanReconciler struct { client.Client @@ -136,7 +146,7 @@ func (r *BarbicanReconciler) Reconcile(ctx context.Context, req ctrl.Request) (r instance.Status.Conditions = condition.Conditions{} } - // Save a copy of the condtions so that we can restore the LastTransitionTime + // Save a copy of the conditions so that we can restore the LastTransitionTime // when a condition's state doesn't change. savedConditions := instance.Status.Conditions.DeepCopy() 
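Review bot: barbican_controller.go imports `golang.org/x/exp/maps` for `maps.Copy`, while the same commit uses the standard-library `maps` package for the identical call in barbicanapi_controller.go and barbicanworker_controller.go; since this file already depends on the Go 1.21 `slices` package, the stdlib `maps` works here too and avoids the extra x/exp dependency. Replace `"golang.org/x/exp/maps"` with `"maps"` in the stdlib import group. The new exported `P11Prep*` constants also lack doc comments; a one-line comment on the block such as `// P11Prep* are the condition type and messages for the pkcs11 preparation job run from reconcileInit.` would cover them.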
@@ -163,6 +173,7 @@ func (r *BarbicanReconciler) Reconcile(ctx context.Context, req ctrl.Request) (r // failure/in-progress operation condition.UnknownCondition(condition.ReadyCondition, condition.InitReason, condition.ReadyInitMessage), condition.UnknownCondition(condition.DBReadyCondition, condition.InitReason, condition.DBReadyInitMessage), + condition.UnknownCondition(P11PrepReadyCondition, condition.InitReason, P11PrepReadyInitMessage), condition.UnknownCondition(condition.DBSyncReadyCondition, condition.InitReason, condition.DBSyncReadyInitMessage), condition.UnknownCondition(condition.InputReadyCondition, condition.InitReason, condition.InputReadyInitMessage), condition.UnknownCondition(condition.ServiceConfigReadyCondition, condition.InitReason, condition.ServiceConfigReadyInitMessage), @@ -647,7 +658,26 @@ func (r *BarbicanReconciler) generateServiceConfig( "EnableSecureRBAC": instance.Spec.BarbicanAPI.EnableSecureRBAC, } - return GenerateConfigsGeneric(ctx, h, instance, envVars, templateParameters, customData, labels, false) + // Set secret store parameters + secretStoreTemplateMap, err := GenerateSecretStoreTemplateMap( + instance.Spec.EnabledSecretStores, + instance.Spec.GlobalDefaultSecretStore) + if err != nil { + return err + } + maps.Copy(templateParameters, secretStoreTemplateMap) + + // Set pkcs11 parameters + if slices.Contains(instance.Spec.EnabledSecretStores, "pkcs11") { + pkcs11TemplateMap, err := GeneratePKCS11TemplateMap( + ctx, h, *instance.Spec.PKCS11, instance.Namespace) + if err != nil { + return err + } + maps.Copy(templateParameters, pkcs11TemplateMap) + } + + return GenerateConfigsGeneric(ctx, h, instance, envVars, templateParameters, customData, labels, true) } func (r *BarbicanReconciler) transportURLCreateOrUpdate( 
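Review bot: `*instance.Spec.PKCS11` is dereferenced whenever `pkcs11` appears in `EnabledSecretStores`, but the field is a pointer (the deepcopy hunk allocates it only when non-nil), so a CR that enables the pkcs11 store without a `pkcs11` section would panic the reconciler instead of reporting a condition error; the same pattern appears in the generateServiceConfigs hunks of barbicanapi_controller.go and barbicanworker_controller.go. Even if the webhook in this series rejects that combination, the controller should not depend on it: `if instance.Spec.PKCS11 == nil { return fmt.Errorf("pkcs11 secret store is enabled but spec.pkcs11 is not set") }` before the GeneratePKCS11TemplateMap call. generateServiceConfig starts outside this hunk.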
@@ -919,11 +949,53 @@ func (r *BarbicanReconciler) reconcileInit( } instance.Status.Conditions.MarkTrue(condition.DBSyncReadyCondition, condition.DBSyncReadyMessage) + // + // run Barbican p11-prep if needed + // + if slices.Contains(instance.Spec.EnabledSecretStores, "pkcs11") { + p11Hash := instance.Status.Hash[barbicanv1beta1.P11PrepHash] + jobDef := barbican.P11PrepJob(instance, serviceLabels, serviceAnnotations) + + p11job := job.NewJob( + jobDef, + barbicanv1beta1.P11PrepHash, + instance.Spec.PreserveJobs, + time.Duration(5)*time.Second, + p11Hash, + ) + ctrlResult, err = p11job.DoJob( + ctx, + helper, + ) + if (ctrlResult != ctrl.Result{}) { + instance.Status.Conditions.Set(condition.FalseCondition( + P11PrepReadyCondition, + condition.RequestedReason, + condition.SeverityInfo, + P11PrepReadyRunningMessage)) + return ctrlResult, nil + } + if err != nil { + instance.Status.Conditions.Set(condition.FalseCondition( + P11PrepReadyCondition, + condition.ErrorReason, + condition.SeverityWarning, + P11PrepReadyErrorMessage, + err.Error())) + return ctrl.Result{}, err + } + if p11job.HasChanged() { + instance.Status.Hash[barbicanv1beta1.P11PrepHash] = p11job.GetHash() + Log.Info(fmt.Sprintf("Service '%s' - Job %s hash added - %s", instance.Name, jobDef.Name, instance.Status.Hash[barbicanv1beta1.P11PrepHash])) + } + instance.Status.Conditions.MarkTrue(P11PrepReadyCondition, P11PrepReadyMessage) + } + + // run Barbican p11 prep - end + // when job passed, mark NetworkAttachmentsReadyCondition ready instance.Status.Conditions.MarkTrue(condition.NetworkAttachmentsReadyCondition, condition.NetworkAttachmentsReadyMessage) - // run Barbican db sync - end - Log.Info(fmt.Sprintf("Reconciled Service '%s' init successfully", instance.Name)) return ctrl.Result{}, nil } diff --git a/controllers/barbicanapi_controller.go b/controllers/barbicanapi_controller.go index 9d96d5e..6c2ecf4 100644 --- a/controllers/barbicanapi_controller.go +++ b/controllers/barbicanapi_controller.go 
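Review bot: P11PrepReadyCondition is initialised to Unknown in the condition list (previous hunk) but only marked True inside the `pkcs11` branch, so for a deployment that does not enable pkcs11 the condition appears to stay Unknown for the life of the object; if the Ready condition is mirrored from the sub-conditions, that would keep Barbican from ever reporting Ready. Either mark it in an `else` branch, e.g. `} else { instance.Status.Conditions.MarkTrue(P11PrepReadyCondition, P11PrepReadyMessage) }` (a dedicated "job skipped" message would be clearer), or drop the condition from the init list and only add it when pkcs11 is enabled. The `// run Barbican p11 prep - end` marker also sits outside the `if`, after the closing brace, which reads oddly next to the removed db-sync marker. reconcileInit starts outside this hunk.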
@@ -19,6 +19,8 @@ package controllers import ( "context" "fmt" + "maps" + "slices" "time" "github.com/go-logr/logr" @@ -327,6 +329,25 @@ func (r *BarbicanAPIReconciler) generateServiceConfigs( "EnableSecureRBAC": instance.Spec.EnableSecureRBAC, } + // Set secret store parameters + secretStoreTemplateMap, err := GenerateSecretStoreTemplateMap( + instance.Spec.EnabledSecretStores, + instance.Spec.GlobalDefaultSecretStore) + if err != nil { + return err + } + maps.Copy(templateParameters, secretStoreTemplateMap) + + // Set pkcs11 parameters + if slices.Contains(instance.Spec.EnabledSecretStores, "pkcs11") { + pkcs11TemplateMap, err := GeneratePKCS11TemplateMap( + ctx, h, *instance.Spec.PKCS11, instance.Namespace) + if err != nil { + return err + } + maps.Copy(templateParameters, pkcs11TemplateMap) + } + // create httpd vhost template parameters httpdVhostConfig := map[string]interface{}{} for _, endpt := range []service.Endpoint{service.EndpointInternal, service.EndpointPublic} { diff --git a/controllers/barbicanworker_controller.go b/controllers/barbicanworker_controller.go index bffdf5b..ef85091 100644 --- a/controllers/barbicanworker_controller.go +++ b/controllers/barbicanworker_controller.go @@ -19,6 +19,8 @@ package controllers import ( "context" "fmt" + "maps" + "slices" "time" "github.com/go-logr/logr" 
@@ -279,6 +281,25 @@ func (r *BarbicanWorkerReconciler) generateServiceConfigs( "SimpleCryptoKEK": string(simpleCryptoSecret.Data[instance.Spec.PasswordSelectors.SimpleCryptoKEK]), } + // Set secret store parameters + secretStoreTemplateMap, err := GenerateSecretStoreTemplateMap( + instance.Spec.EnabledSecretStores, + instance.Spec.GlobalDefaultSecretStore) + if err != nil { + return err + } + maps.Copy(templateParameters, secretStoreTemplateMap) + + // Set pkcs11 parameters + if slices.Contains(instance.Spec.EnabledSecretStores, "pkcs11") { + pkcs11TemplateMap, err := GeneratePKCS11TemplateMap( + ctx, h, *instance.Spec.PKCS11, instance.Namespace) + if err != nil { + return err + } + maps.Copy(templateParameters, pkcs11TemplateMap) + } + return GenerateConfigsGeneric(ctx, h, instance, envVars, templateParameters, customData, labels, false) } diff --git a/hack/crd-schema-checker.sh b/hack/crd-schema-checker.sh index c431ae5..245ac0d 100755 --- a/hack/crd-schema-checker.sh +++ b/hack/crd-schema-checker.sh @@ -16,6 +16,7 @@ for crd in config/crd/bases/*.yaml; do mkdir -p "$(dirname "$TMP_DIR/$crd")" git show "$BASE_REF:$crd" > "$TMP_DIR/$crd" $CHECKER check-manifests \ + --disabled-validators=NoBools,NoNewRequiredFields \ --existing-crd-filename="$TMP_DIR/$crd" \ --new-crd-filename="$crd" done diff --git a/pkg/barbican/const.go b/pkg/barbican/const.go index 992d549..b5ef16a 100644 --- a/pkg/barbican/const.go +++ b/pkg/barbican/const.go 
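Review bot: The `--disabled-validators=NoBools,NoNewRequiredFields` flag is added unconditionally, so the checker will no longer flag new required fields or boolean properties for any future CRD change in this repository, not only for this one. The new required fields here are nested under the optional `pkcs11` object, so existing CRs stay valid, but nothing records that reasoning; a comment above the call, e.g. `# NoNewRequiredFields/NoBools: the pkcs11 required fields are nested under an optional object, so existing CRs remain valid`, would explain the exception, and the flag is worth revisiting once this series merges.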
@@ -47,7 +47,12 @@ const ( Barbican storage.PropagationType = "Barbican" // BarbicanLogPath is the path used by BarbicanAPI to stream/store its logs BarbicanLogPath = "/var/log/barbican/" - // LogVolume is the default logVolume name used to mount logs on both - // BarbicanAPI and the sidecar container + // LogVolume is the default volume name used to mount logs LogVolume = "logs" + // ConfigVolume is the default volume name used to mount service config + ConfigVolume = "config-data" + // ScriptVolume is the default volume name used to mount scripts + ScriptVolume = "scripts" + // LunaVolume is the volume used to mount Luna certificates + LunaVolume = "hsm-luna-certificates" ) diff --git a/pkg/barbican/p11_prep.go b/pkg/barbican/p11_prep.go new file mode 100644 index 0000000..0e3cee9 --- /dev/null +++ b/pkg/barbican/p11_prep.go 
@@ -0,0 +1,91 @@
+package barbican
+
+import (
+ barbicanv1beta1 "github.com/openstack-k8s-operators/barbican-operator/api/v1beta1"
+
+ "github.com/openstack-k8s-operators/lib-common/modules/common/env"
+ batchv1 "k8s.io/api/batch/v1"
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+ // P11PrepCommand -
+ P11PrepCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
+ P11PrepConfig = "p11-prep-config-data"
+)
+
+// P11PrepJob func
+func P11PrepJob(instance *barbicanv1beta1.Barbican, labels map[string]string, annotations map[string]string) *batchv1.Job {
+ secretNames := []string{}
+
+ // The P11 Prep job just needs the main barbican config files, and the files
+ // needed to communicate with the relevant HSM.
+ p11Volumes := []corev1.Volume{
+ GetScriptVolume(instance.Name + "-scripts"),
+ }
+ p11Volumes = append(p11Volumes, GetVolumes(instance.Name, secretNames)...)
+
+ p11Mounts := []corev1.VolumeMount{
+ GetKollaConfigVolumeMount(instance.Name + "-p11-prep"),
+ GetScriptVolumeMount(),
+ }
+ p11Mounts = append(p11Mounts, GetVolumeMounts(secretNames)...)
+
+ // add CA cert if defined
+ if instance.Spec.BarbicanAPI.TLS.CaBundleSecretName != "" {
+ p11Volumes = append(p11Volumes, instance.Spec.BarbicanAPI.TLS.CreateVolume())
+ p11Mounts = append(p11Mounts, instance.Spec.BarbicanAPI.TLS.CreateVolumeMounts(nil)...)
+ }
+
+ // add any HSM volumes
+ p11Volumes = append(p11Volumes, GetHSMVolumes(*instance.Spec.PKCS11)...)
+ p11Mounts = append(p11Mounts, GetHSMVolumeMounts(*instance.Spec.PKCS11)...)
+ + // add luna specific config files + + args := []string{"-c", P11PrepCommand} + + runAsUser := int64(0) + envVars := map[string]env.Setter{} + envVars["KOLLA_CONFIG_STRATEGY"] = env.SetValue("COPY_ALWAYS") + envVars["KOLLA_BOOTSTRAP"] = env.SetValue("TRUE") + + job := &batchv1.Job{ + ObjectMeta: metav1.ObjectMeta{ + Name: instance.Name + "-p11-prep", + Namespace: instance.Namespace, + Labels: labels, + }, + Spec: batchv1.JobSpec{ + Template: corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: annotations, + }, + Spec: corev1.PodSpec{ + RestartPolicy: corev1.RestartPolicyOnFailure, + ServiceAccountName: instance.RbacResourceName(), + Containers: []corev1.Container{ + { + Name: instance.Name + "-p11-prep", + Command: []string{ + "/bin/bash", + }, + Args: args, + Image: instance.Spec.BarbicanAPI.ContainerImage, + SecurityContext: &corev1.SecurityContext{ + RunAsUser: &runAsUser, + }, + Env: env.MergeEnvs([]corev1.EnvVar{}, envVars), + VolumeMounts: p11Mounts, + }, + }, + }, + }, + }, + } + + job.Spec.Template.Spec.Volumes = p11Volumes + + return job +} diff --git a/pkg/barbican/volumes.go b/pkg/barbican/volumes.go index 1271465..08c09b9 100644 --- a/pkg/barbican/volumes.go +++ b/pkg/barbican/volumes.go @@ -2,17 +2,24 @@ package barbican import ( "strconv" + "strings" + barbicanv1beta1 "github.com/openstack-k8s-operators/barbican-operator/api/v1beta1" corev1 "k8s.io/api/core/v1" ) +var ( + configMode int32 = 0640 + scriptMode int32 = 0740 +) + // GetVolumes - service volumes func GetVolumes(name string, secretNames []string) []corev1.Volume { var config0644AccessMode int32 = 0644 vm := []corev1.Volume{ { - Name: "config-data", + Name: ConfigVolume, VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ DefaultMode: &config0644AccessMode, 
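Review bot: The doc comments `// P11PrepCommand -` and `// P11PrepJob func` are placeholders that document nothing; suggest `// P11PrepCommand is the entrypoint of the p11-prep Job container: kolla copies the rendered config files, then runs the command named in the kolla config file.` and `// P11PrepJob returns the Job that runs the p11 key preparation script against the configured HSM using the Barbican config and HSM volumes, so the MKEK/HMAC keys exist before the API and worker start.` `secretNames` is always empty and the `// add luna specific config files` comment has no code under it; drop both. The Job also sets no `BackoffLimit`, so the default retry policy applies; if repeated key-generation attempts against the HSM are not wanted, set it explicitly and say why in a comment.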
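Review bot: `configMode` (0640) is introduced directly above GetVolumes, which still uses its own local `config0644AccessMode` for the config-data secret — the secret that carries the database credentials, the simple-crypto KEK and, with the `login = {{ .P11Login }}` line added to 00-default.conf in this series, the HSM login. Unless the 0644 mode is required by another container in the pod, use the shared `configMode` here as well so the rendered config is not world-readable inside the pod, and if the modes must differ, add a comment on the local variable explaining why.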
@@ -32,12 +39,12 @@ func GetVolumeMounts(secretNames []string) []corev1.VolumeMount { vm := []corev1.VolumeMount{ { - Name: "config-data", + Name: ConfigVolume, MountPath: "/var/lib/config-data/default", ReadOnly: true, }, { - Name: "config-data", + Name: ConfigVolume, MountPath: "/etc/my.cnf", SubPath: "my.cnf", ReadOnly: true, @@ -51,7 +58,6 @@ func GetVolumeMounts(secretNames []string) []corev1.VolumeMount { // GetConfigSecretVolumes - Returns a list of volumes associated with a list of Secret names func GetConfigSecretVolumes(secretNames []string) ([]corev1.Volume, []corev1.VolumeMount) { - var config0640AccessMode int32 = 0640 secretVolumes := []corev1.Volume{} secretMounts := []corev1.VolumeMount{} @@ -61,7 +67,7 @@ func GetConfigSecretVolumes(secretNames []string) ([]corev1.Volume, []corev1.Vol VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ SecretName: secretName, - DefaultMode: &config0640AccessMode, + DefaultMode: &configMode, }, }, } 
@@ -79,24 +85,85 @@ func GetConfigSecretVolumes(secretNames []string) ([]corev1.Volume, []corev1.Vol } // GetLogVolumeMount - Returns the VolumeMount used for logging purposes -func GetLogVolumeMount() []corev1.VolumeMount { - return []corev1.VolumeMount{ - { - Name: LogVolume, - MountPath: "/var/log/barbican", - ReadOnly: false, - }, +func GetLogVolumeMount() corev1.VolumeMount { + return corev1.VolumeMount{ + Name: LogVolume, + MountPath: "/var/log/barbican", + ReadOnly: false, } } // GetLogVolume - Returns the Volume used for logging purposes -func GetLogVolume() []corev1.Volume { - return []corev1.Volume{ - { - Name: LogVolume, - VolumeSource: corev1.VolumeSource{ - EmptyDir: &corev1.EmptyDirVolumeSource{Medium: ""}, +func GetLogVolume() corev1.Volume { + return corev1.Volume{ + Name: LogVolume, + VolumeSource: corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{Medium: ""}, + }, + } +} + +// GetScriptVolumeMount - Returns the VolumeMount for scripts +func GetScriptVolumeMount() corev1.VolumeMount { + return corev1.VolumeMount{ + Name: ScriptVolume, + MountPath: "/var/lib/openstack/bin", + ReadOnly: true, + } +} + +// GetScriptVolume - Return the Volume for scripts +func GetScriptVolume(secretName string) corev1.Volume { + return corev1.Volume{ + Name: ScriptVolume, + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + DefaultMode: &scriptMode, + SecretName: secretName, }, }, } } + +// GetKollaConfigVolumeMount - Returns the VolumeMount for the kolla config file +func GetKollaConfigVolumeMount(serviceName string) corev1.VolumeMount { + return corev1.VolumeMount{ + Name: ConfigVolume, + MountPath: "/var/lib/kolla/config_files/config.json", + SubPath: serviceName + "-config.json", + ReadOnly: true, + } +} + +// GetHSMVolume - Returns Volumes for HSM secrets +func GetHSMVolumes(pkcs11 barbicanv1beta1.BarbicanPKCS11Template) []corev1.Volume { + var config0644AccessMode int32 = 0644 + if strings.ToLower(pkcs11.Type) == "luna" { + 
return []corev1.Volume{ + { + Name: LunaVolume, + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + DefaultMode: &config0644AccessMode, + SecretName: pkcs11.CertificatesSecret, + }, + }, + }, + } + } + return nil +} + +// GetHSMVolumeMount - Returns Volume Mounts for HSM secrets +func GetHSMVolumeMounts(pkcs11 barbicanv1beta1.BarbicanPKCS11Template) []corev1.VolumeMount { + if strings.ToLower(pkcs11.Type) == "luna" { + return []corev1.VolumeMount{ + { + Name: LunaVolume, + MountPath: pkcs11.CertificatesMountPoint, + ReadOnly: true, + }, + } + } + return nil +} diff --git a/pkg/barbicanapi/deployment.go b/pkg/barbicanapi/deployment.go index 19eb286..aad85e8 100644 --- a/pkg/barbicanapi/deployment.go +++ b/pkg/barbicanapi/deployment.go @@ -2,6 +2,7 @@ package barbicanapi import ( "fmt" + "slices" "github.com/openstack-k8s-operators/lib-common/modules/common/env" "github.com/openstack-k8s-operators/lib-common/modules/common/service" @@ -70,20 +71,13 @@ func Deployment( }, }, }, + barbican.GetLogVolume(), } - apiVolumes = append(apiVolumes, barbican.GetLogVolume()...) apiVolumeMounts := []corev1.VolumeMount{ - { - Name: "config-data", - MountPath: "/var/lib/kolla/config_files/config.json", - SubPath: "barbican-api-config.json", - ReadOnly: true, - }, + barbican.GetKollaConfigVolumeMount(instance.Name), + barbican.GetLogVolumeMount(), } - // Append LogVolume to the apiVolumes: this will be used to stream - // logging - apiVolumeMounts = append(apiVolumeMounts, barbican.GetLogVolumeMount()...) // add CA cert if defined if instance.Spec.TLS.CaBundleSecretName != "" { 
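Review bot: GetHSMVolumes mounts `pkcs11.CertificatesSecret` with a local 0644 mode, and the Chrystoki.conf template in this series points `ClientPrivKeyFile` into that mount, so the Luna client private key is readable by every user in the container; prefer the package-level `configMode` (0640) unless the barbican user cannot read it at that mode, and add a comment either way. The doc comments are also out of sync with the names — `// GetHSMVolume` documents `GetHSMVolumes` and `// GetHSMVolumeMount` documents `GetHSMVolumeMounts` — which golint/revive flag. Finally, when `pkcs11.CertificatesSecret` is empty the function still returns a volume with an empty `SecretName`, which only fails at pod creation; either guard it (`if pkcs11.CertificatesSecret == "" { return nil }`) or make sure validation rejects a luna type without a certificates secret.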
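Review bot: `barbican.GetKollaConfigVolumeMount(instance.Name)` replaces the literal subPath `barbican-api-config.json` with `<instance name>-config.json`; if the config secret keys are still the template file names, the mount only resolves when the BarbicanAPI instance is named `barbican-api`, and the pod fails at startup for any other name. The same replacement is made in pkg/barbicankeystonelistener/deployment.go and pkg/barbicanworker/deployment.go. If the secret keys are indeed derived from the instance name, a comment on the call such as `// config secret keys are <instance name>-config.json` would save the next reader the check. Deployment starts outside the hunk.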
@@ -110,6 +104,12 @@ func Deployment( } } + // Add PKCS11 volumes + if slices.Contains(instance.Spec.EnabledSecretStores, "pkcs11") { + apiVolumes = append(apiVolumes, barbican.GetHSMVolumes(*instance.Spec.PKCS11)...) + apiVolumeMounts = append(apiVolumeMounts, barbican.GetHSMVolumeMounts(*instance.Spec.PKCS11)...) + } + deployment := &appsv1.Deployment{ ObjectMeta: metav1.ObjectMeta{ Name: fmt.Sprintf("%s-api", instance.Name), @@ -147,7 +147,7 @@ func Deployment( RunAsUser: &runAsUser, }, Env: env.MergeEnvs([]corev1.EnvVar{}, envVars), - VolumeMounts: barbican.GetLogVolumeMount(), + VolumeMounts: []corev1.VolumeMount{barbican.GetLogVolumeMount()}, Resources: instance.Spec.Resources, ReadinessProbe: readinessProbe, LivenessProbe: livenessProbe, diff --git a/pkg/barbicankeystonelistener/deployment.go b/pkg/barbicankeystonelistener/deployment.go index 85562db..a4945b4 100644 --- a/pkg/barbicankeystonelistener/deployment.go +++ b/pkg/barbicankeystonelistener/deployment.go @@ -41,20 +41,13 @@ func Deployment( }, }, }, + barbican.GetLogVolume(), } - keystoneListenerVolumes = append(keystoneListenerVolumes, barbican.GetLogVolume()...) keystoneListenerVolumeMounts := []corev1.VolumeMount{ - { - Name: "config-data", - MountPath: "/var/lib/kolla/config_files/config.json", - SubPath: "barbican-keystone-listener-config.json", - ReadOnly: true, - }, + barbican.GetKollaConfigVolumeMount(instance.Name), + barbican.GetLogVolumeMount(), } - // Append LogVolume to the apiVolumes: this will be used to stream - // logging - keystoneListenerVolumeMounts = append(keystoneListenerVolumeMounts, barbican.GetLogVolumeMount()...) // Add the CA bundle if instance.Spec.TLS.CaBundleSecretName != "" { @@ -99,7 +92,7 @@ func Deployment( RunAsUser: &runAsUser, }, Env: env.MergeEnvs([]corev1.EnvVar{}, envVars), - VolumeMounts: barbican.GetLogVolumeMount(), + VolumeMounts: []corev1.VolumeMount{barbican.GetLogVolumeMount()}, Resources: instance.Spec.Resources, }, { 
diff --git a/pkg/barbicanworker/deployment.go b/pkg/barbicanworker/deployment.go index d7406de..4bd8a12 100644 --- a/pkg/barbicanworker/deployment.go +++ b/pkg/barbicanworker/deployment.go @@ -2,6 +2,7 @@ package barbicanworker import ( "fmt" + "slices" "github.com/openstack-k8s-operators/lib-common/modules/common/env" appsv1 "k8s.io/api/apps/v1" @@ -65,20 +66,13 @@ func Deployment( }, }, }, + barbican.GetLogVolume(), } - workerVolumes = append(workerVolumes, barbican.GetLogVolume()...) workerVolumeMounts := []corev1.VolumeMount{ - { - Name: "config-data", - MountPath: "/var/lib/kolla/config_files/config.json", - SubPath: "barbican-worker-config.json", - ReadOnly: true, - }, + barbican.GetKollaConfigVolumeMount(instance.Name), + barbican.GetLogVolumeMount(), } - // Append LogVolume to the apiVolumes: this will be used to stream - // logging - workerVolumeMounts = append(workerVolumeMounts, barbican.GetLogVolumeMount()...) // Add the CA bundle if instance.Spec.TLS.CaBundleSecretName != "" { @@ -86,6 +80,12 @@ func Deployment( workerVolumeMounts = append(workerVolumeMounts, instance.Spec.TLS.CreateVolumeMounts(nil)...) } + // Add PKCS11 volumes + if slices.Contains(instance.Spec.EnabledSecretStores, "pkcs11") { + workerVolumes = append(workerVolumes, barbican.GetHSMVolumes(*instance.Spec.PKCS11)...) + workerVolumeMounts = append(workerVolumeMounts, barbican.GetHSMVolumeMounts(*instance.Spec.PKCS11)...) + } + deployment := &appsv1.Deployment{ ObjectMeta: metav1.ObjectMeta{ Name: fmt.Sprintf("%s-worker", instance.Name), @@ -123,7 +123,7 @@ func Deployment( RunAsUser: &runAsUser, }, Env: env.MergeEnvs([]corev1.EnvVar{}, envVars), - VolumeMounts: barbican.GetLogVolumeMount(), + VolumeMounts: []corev1.VolumeMount{barbican.GetLogVolumeMount()}, Resources: instance.Spec.Resources, //ReadinessProbe: readinessProbe, //LivenessProbe: livenessProbe, 
diff --git a/templates/barbican/bin/generate_p11_keys.sh b/templates/barbican/bin/generate_p11_keys.sh new file mode 100755 index 0000000..fed31bc --- /dev/null +++ b/templates/barbican/bin/generate_p11_keys.sh @@ -0,0 +1,24 @@ +#!/bin/bash +# Copyright 2024. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +set -xe + +{{- if and (index . "P11Enabled") .P11Enabled }} +echo "Creating MKEK label {{ .P11MKEKLabel }}" +barbican-manage hsm check_mkek --label {{ .P11MKEKLabel }} || barbican-manage hsm gen_mkek --label {{ .P11MKEKLabel }} + +echo "Creating HMAC label {{ .P11HMACLabel }}" +barbican-manage hsm check_hmac --label {{ .P11HMACLabel }} || barbican-manage hsm gen_hmac --label {{ .P11HMACLabel }} +{{- end }} diff --git a/templates/barbican/config/00-default.conf b/templates/barbican/config/00-default.conf index 9583f72..2149ad7 100644 --- a/templates/barbican/config/00-default.conf +++ b/templates/barbican/config/00-default.conf @@ -1,9 +1,9 @@ [DEFAULT] # keep this for backward compatibility sql_connection = {{ .DatabaseConnection }} -{{ if (index . "ServiceURL") }} +{{- if (index . "ServiceURL") }} host_href = {{ .ServiceURL }} -{{ end }} +{{- end }} debug = true transport_url = {{ .TransportURL }} log_file = {{ .LogFile }} @@ -24,7 +24,7 @@ password = {{ .ServicePassword }} project_name=service project_domain_name=Default interface = internal -{{ end }} +{{- end }} [keystone_notifications] enable = true 
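Review bot: The label values are expanded unquoted into the shell command (`--label {{ .P11MKEKLabel }}`), so a label containing whitespace or shell metacharacters splits into extra arguments or alters the command; quote them, e.g. `barbican-manage hsm check_mkek --label "{{ .P11MKEKLabel }}" || barbican-manage hsm gen_mkek --label "{{ .P11MKEKLabel }}"`, and the same for the HMAC line. With `set -e` the `||` fallback also runs gen_mkek whenever check_mkek fails for any reason, including an unreachable HSM, which is only safe if gen_mkek refuses to create a second key under an existing label; a comment stating that assumption would help. `set -x` also echoes each command to the Job log, which is fine while only labels are on the command line but should be reconsidered if a secret is ever passed as an argument.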
@@ -33,26 +33,69 @@ topic = barbican_notifications [oslo_messaging_notifications] driver=messagingv2 -{{ if (index . "EnableSecureRBAC") }} +{{- if (index . "EnableSecureRBAC") }} [oslo_policy] enforce_scope = {{ .EnableSecureRBAC }} enforce_new_defaults = {{ .EnableSecureRBAC }} -{{ end }} +{{- end }} [queue] enable = true +{{- if (index . "EnabledSecretStores") }} + [secretstore] enable_multiple_secret_stores = true -stores_lookup_suffix = simple_crypto +stores_lookup_suffix = {{ .EnabledSecretStores }} +{{- end }} + +{{- if and (index . "SimpleCryptoEnabled") .SimpleCryptoEnabled }} [secretstore:simple_crypto] secret_store_plugin = store_crypto crypto_plugin = simple_crypto +{{- if eq .GlobalDefaultSecretStore "simple_crypto" }} global_default = true +{{- end }} [simple_crypto_plugin] plugin_name = Software Only Crypto -{{ if (index . "SimpleCryptoKEK") }} +{{- if (index . "SimpleCryptoKEK") }} kek = {{ .SimpleCryptoKEK }} +{{- end }} {{ end }} + +{{- if and (index . "P11Enabled") .P11Enabled }} +[secretstore:pkcs11] +secret_store_plugin = store_crypto +crypto_plugin = p11_crypto +{{- if eq .GlobalDefaultSecretStore "pkcs11" }} +global_default = true +{{- end }} + +[p11_crypto_plugin] +plugin_name = PKCS11 +library_path = {{ .P11LibraryPath }} +{{- if (index . "P11TokenSerialNumber") }} +token_serial_number = {{ .P11TokenSerialNumber }} +{{- end }} +{{- if (index . "P11TokenLabels") }} +token_labels = {{ .P11TokenLabels }} +{{- end -}} +{{- if (index . 
"P11SlotId") }} +slot_id = {{ .P11SlotId }} +{{- end }} +mkek_label = {{ .P11MKEKLabel }} +mkek_length = {{ .P11MKEKLength }} +hmac_label = {{ .P11HMACLabel }} +encryption_mechanism = {{ .P11EncryptionMechanism }} +aes_gcm_generate_iv = {{ .P11AESGCMGenerateIV }} +hmac_key_type = {{ .P11HMACKeyType }} +hmac_keygen_mechanism = {{ .P11HMACKeygenMechanism }} +hmac_keywrap_mechanism = {{ .P11HMACMechanism }} +key_wrap_mechanism = {{ .P11KeyWrapMechanism }} +key_wrap_generate_iv = {{ .P11KeyWrapGenerateIV }} +always_set_cka_sensitive = {{ .P11AlwaysSetCKASensitive }} +os_locking_ok = {{ .P11OSLockingOK }} +login = {{ .P11Login }} +{{- end }} diff --git a/templates/barbican/config/Chrystoki.conf b/templates/barbican/config/Chrystoki.conf new file mode 100644 index 0000000..92f5e23 --- /dev/null +++ b/templates/barbican/config/Chrystoki.conf @@ -0,0 +1,41 @@ +{{- if and (index . "P11Enabled") .P11Enabled }} +{{- if eq .P11Type "luna" }} +Chrystoki2 = { + LibUNIX = {{ .P11LibraryPath }}; + LibUNIX64 = {{ .P11LibraryPath }}; +} + +Luna = { + DefaultTimeOut = 500000; + PEDTimeout1 = 100000; + PEDTimeout2 = 200000; + PEDTimeout3 = 10000; + KeypairGenTimeOut = 2700000; + CloningCommandTimeOut = 300000; + CommandTimeOutPedSet = 720000; +} + +CardReader = { + RemoteCommand = 1; +} + +Misc = { + PE1746Enabled = 0; + ProtectedAuthenticationPathFlagStatus = 0; +} + +LunaSA Client = { + ReceiveTimeout = 20000; + SSLConfigFile = /usr/local/luna/openssl.cnf; + ClientPrivKeyFile = {{ .P11CertificatesMountPoint }}/{{ .P11ClientAddress }}Key.pem; + ClientCertFile = {{ .P11CertificatesMountPoint }}/{{ .P11ClientAddress }}.pem; + ServerCAFile = {{ .P11CertificatesMountPoint }}/{{ .P11ServerAddress }}Cert.pem; + NetClient = 1; + TCPKeepAlive = 1; + EnableTLS1_2 = 1; + ServerName00 = {{ .P11ServerAddress }}; + ServerPort00 = 1792; + ServerHtl00 = 0; +} +{{ end -}} +{{ end -}} 
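Review bot: `{{- if eq .P11Type "luna" }}` is a case-sensitive comparison, whereas GetHSMVolumes/GetHSMVolumeMounts in pkg/barbican/volumes.go use `strings.ToLower(pkcs11.Type) == "luna"`; assuming P11Type is passed through from the spec unchanged, a spec with `type: Luna` gets the certificate volume mounted but no Chrystoki.conf rendered. Normalise the type once in Go where the template map is built and compare against the normalised value in both places, and add a comment to the template noting the expected lower-case value. The hard-coded `ServerPort00 = 1792` and `SSLConfigFile` path also deserve a comment saying they are the Luna client defaults, since they are not derived from the spec.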
diff --git a/templates/barbican/config/barbican-api-config.json b/templates/barbican/config/barbican-api-config.json index d5fe8f0..1d24f3f 100644 --- a/templates/barbican/config/barbican-api-config.json +++ b/templates/barbican/config/barbican-api-config.json @@ -77,6 +77,14 @@ "perm": "0600", "optional": true, "merge": true + }, + { + "source": "/var/lib/config-data/default/Chrystoki.conf", + "dest": "/usr/local/luna/Chrystoki.conf", + "owner": "barbican", + "perm": "0600", + "optional": true, + "merge": true } ], "permissions": [ diff --git a/templates/barbican/config/barbican-p11-prep-config.json b/templates/barbican/config/barbican-p11-prep-config.json new file mode 100644 index 0000000..d811bb2 --- /dev/null +++ b/templates/barbican/config/barbican-p11-prep-config.json @@ -0,0 +1,25 @@ +{ + "command": "generate_p11_keys.sh", + "config_files": [ + { + "source": "/var/lib/openstack/bin/generate_p11_keys.sh", + "dest": "/bin/", + "owner": "barbican", + "perm": "0700" + }, + { + "source": "/var/lib/config-data/default/00-default.conf", + "dest": "/etc/barbican/barbican.conf.d/00-default.conf", + "owner": "barbican", + "perm": "0600" + }, + { + "source": "/var/lib/config-data/default/Chrystoki.conf", + "dest": "//usr/local/luna/Chrystoki.conf", + "owner": "barbican", + "perm": "0600", + "optional": true, + "merge": true + } + ] +} diff --git a/templates/barbican/config/barbican-worker-config.json b/templates/barbican/config/barbican-worker-config.json index 18d91f3..860be3c 100644 --- a/templates/barbican/config/barbican-worker-config.json +++ b/templates/barbican/config/barbican-worker-config.json @@ -27,6 +27,14 @@ "owner": "barbican", "perm": "0755", "optional": true + }, + { + "source": "/var/lib/config-data/default/Chrystoki.conf", + "dest": "/usr/local/luna/Chrystoki.conf", + "owner": "barbican", + "perm": "0600", + "optional": true, + "merge": true } ], "permissions": [ From 16fd862a5214aac6c25185737ba6b69edc7ffbc1 Mon Sep 17 00:00:00 2001 
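Review bot: `"dest": "//usr/local/luna/Chrystoki.conf"` in barbican-p11-prep-config.json has a doubled leading slash, while the api and worker config files in the same series use `/usr/local/luna/Chrystoki.conf`; make it `"dest": "/usr/local/luna/Chrystoki.conf"` for consistency even if kolla tolerates the duplicate separator.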
From: Mauricio Harley Date: Thu, 28 Nov 2024 16:21:26 +0000 Subject: [PATCH 02/14] Functional tests for HSM Support Signed-off-by: Mauricio Harley --- tests/functional/barbican_controller_test.go | 71 ++++++++++++++++++++ tests/functional/base_test.go | 35 +++++++++- 2 files changed, 105 insertions(+), 1 deletion(-) diff --git a/tests/functional/barbican_controller_test.go b/tests/functional/barbican_controller_test.go index d6b4b3c..0879fa9 100644 --- a/tests/functional/barbican_controller_test.go +++ b/tests/functional/barbican_controller_test.go 
@@ -422,6 +422,77 @@ var _ = Describe("Barbican controller", func() { }) }) + When("A Barbican with HSM is created", func() { + BeforeEach(func() { + DeferCleanup(th.DeleteInstance, CreateBarbican(barbicanTest.Instance, GetHSMBarbicanSpec())) + DeferCleanup(k8sClient.Delete, ctx, CreateBarbicanMessageBusSecret(barbicanTest.Instance.Namespace, barbicanTest.RabbitmqSecretName)) + DeferCleanup(th.DeleteInstance, CreateBarbicanAPI(barbicanTest.Instance, GetHSMBarbicanAPISpec())) + DeferCleanup(k8sClient.Delete, ctx, CreateKeystoneAPISecret(barbicanTest.Instance.Namespace, SecretName)) + DeferCleanup( + mariadb.DeleteDBService, + mariadb.CreateDBService( + barbicanTest.Instance.Namespace, + GetBarbican(barbicanTest.Instance).Spec.DatabaseInstance, + corev1.ServiceSpec{ + Ports: []corev1.ServicePort{{Port: 3306}}, + }, + ), + ) + infra.SimulateTransportURLReady(barbicanTest.BarbicanTransportURL) + DeferCleanup(keystone.DeleteKeystoneAPI, keystone.CreateKeystoneAPI(barbicanTest.Instance.Namespace)) + mariadb.SimulateMariaDBAccountCompleted(barbicanTest.BarbicanDatabaseAccount) + //mariadb.SimulateMariaDBTLSDatabaseCompleted(barbicanTest.BarbicanDatabaseName) + th.SimulateJobSuccess(barbicanTest.BarbicanDBSync) + }) + + It("Creates BarbicanAPI", func() { + /*DeferCleanup(k8sClient.Delete, ctx, th.CreateCABundleSecret(barbicanTest.CABundleSecret)) + DeferCleanup(k8sClient.Delete, ctx, th.CreateCertSecret(barbicanTest.InternalCertSecret)) + DeferCleanup(k8sClient.Delete, ctx, th.CreateCertSecret(barbicanTest.PublicCertSecret))*/ + keystone.SimulateKeystoneEndpointReady(barbicanTest.BarbicanKeystoneEndpoint) + + th.ExpectCondition( + barbicanTest.Instance, + ConditionGetterFunc(BarbicanAPIConditionGetter), + condition.TLSInputReadyCondition, + corev1.ConditionTrue, + ) + + BarbicanAPIExists(barbicanTest.Instance) + + d := th.GetDeployment(barbicanTest.BarbicanAPI) + // Check the resulting deployment fields + Expect(int(*d.Spec.Replicas)).To(Equal(1)) + + 
Expect(d.Spec.Template.Spec.Volumes).To(HaveLen(6)) + Expect(d.Spec.Template.Spec.Containers).To(HaveLen(2)) + + // cert deployment volumes + /*th.AssertVolumeExists(barbicanTest.CABundleSecret.Name, d.Spec.Template.Spec.Volumes) + th.AssertVolumeExists(barbicanTest.InternalCertSecret.Name, d.Spec.Template.Spec.Volumes) + th.AssertVolumeExists(barbicanTest.PublicCertSecret.Name, d.Spec.Template.Spec.Volumes) + + // cert volumeMounts + container := d.Spec.Template.Spec.Containers[1] + th.AssertVolumeMountExists(barbicanTest.InternalCertSecret.Name, "tls.key", container.VolumeMounts) + th.AssertVolumeMountExists(barbicanTest.InternalCertSecret.Name, "tls.crt", container.VolumeMounts) + th.AssertVolumeMountExists(barbicanTest.PublicCertSecret.Name, "tls.key", container.VolumeMounts) + th.AssertVolumeMountExists(barbicanTest.PublicCertSecret.Name, "tls.crt", container.VolumeMounts) + th.AssertVolumeMountExists(barbicanTest.CABundleSecret.Name, "tls-ca-bundle.pem", container.VolumeMounts) + + Expect(container.ReadinessProbe.HTTPGet.Scheme).To(Equal(corev1.URISchemeHTTPS)) + Expect(container.LivenessProbe.HTTPGet.Scheme).To(Equal(corev1.URISchemeHTTPS))*/ + }) + + It("should create config-data and scripts ConfigMaps", func() { + cf := th.GetSecret(barbicanTest.BarbicanConfigSecret) + Expect(cf).ShouldNot(BeNil()) + conf := cf.Data["my.cnf"] + Expect(conf).To( + ContainSubstring("[client]\nssl-ca=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem\nssl=1")) + }) + }) + // Run MariaDBAccount suite tests. these are pre-packaged ginkgo tests // that exercise standard account create / update patterns that should be // common to all controllers that ensure MariaDBAccount CRs. diff --git a/tests/functional/base_test.go b/tests/functional/base_test.go index 40de094..a69ea49 100644 --- a/tests/functional/base_test.go +++ b/tests/functional/base_test.go 
@@ -123,7 +123,6 @@ func BarbicanKeystoneListenerNotExists(name types.NamespacedName) { }, timeout, interval).Should(Succeed()) } -// ========== TLS Stuff ============== func BarbicanAPIConditionGetter(name types.NamespacedName) condition.Conditions { instance := GetBarbicanAPI(name) return instance.Status.Conditions @@ -145,6 +144,7 @@ func GetBarbicanAPI(name types.NamespacedName) *barbicanv1.BarbicanAPI { return instance } +// ========== TLS Stuff ============== func GetTLSBarbicanSpec() map[string]interface{} { return map[string]interface{}{ "databaseInstance": "openstack", @@ -172,6 +172,39 @@ func GetTLSBarbicanAPISpec() map[string]interface{} { return spec } +// ========== End of TLS Stuff ============ + +// ========== HSM Stuff ============ +func GetHSMBarbicanSpec() map[string]interface{} { + return map[string]interface{}{ + "databaseInstance": "openstack", + "secret": SecretName, + "simpleCryptoBackendSecret": SecretName, + "barbicanAPI": GetHSMBarbicanAPISpec(), + } +} + +func GetHSMBarbicanAPISpec() map[string]interface{} { + spec := GetDefaultBarbicanAPISpec() + maps.Copy(spec, map[string]interface{}{ + "enabledSecretStores": []string{"pkcs11"}, + "globalDefaultSecretStore": "pkcs11", + "pkcs11": map[string]interface{}{ + "type": "luna", // Using them Luna model without any specific selection criteria. + "libraryPath": "/usr/local/luna/libs/64/libCryptoki2.so", + "slotId": "1", + "MKEKLabel": "MKEKLabel", + "HMACLabel": "HMACLabel", + "serverAddress": "192.168.0.1", + "clientAddress": "192.168.0.2", + "loginSecret": "dummy-secret", + }, + }) + return spec +} + +// ========== End of HSM Stuff ============ + func GetDefaultBarbicanAPISpec() map[string]interface{} { return map[string]interface{}{ "secret": SecretName, From dca4e9bd6938dcfa79edc8ded6010bbed803ef9e Mon Sep 17 00:00:00 2001 From: Grzegorz Grasza Date: Mon, 2 Dec 2024 09:27:12 +0100 Subject: [PATCH 03/14] HSM Functional Tests 
Signed-off-by: Mauricio Harley --- tests/functional/barbican_controller_test.go | 33 +++++++------------- 1 file changed, 11 insertions(+), 22 deletions(-) diff --git a/tests/functional/barbican_controller_test.go b/tests/functional/barbican_controller_test.go index 0879fa9..f2da82f 100644 --- a/tests/functional/barbican_controller_test.go +++ b/tests/functional/barbican_controller_test.go @@ -441,14 +441,11 @@ var _ = Describe("Barbican controller", func() { infra.SimulateTransportURLReady(barbicanTest.BarbicanTransportURL) DeferCleanup(keystone.DeleteKeystoneAPI, keystone.CreateKeystoneAPI(barbicanTest.Instance.Namespace)) mariadb.SimulateMariaDBAccountCompleted(barbicanTest.BarbicanDatabaseAccount) - //mariadb.SimulateMariaDBTLSDatabaseCompleted(barbicanTest.BarbicanDatabaseName) + mariadb.SimulateMariaDBDatabaseCompleted(barbicanTest.BarbicanDatabaseName) th.SimulateJobSuccess(barbicanTest.BarbicanDBSync) }) It("Creates BarbicanAPI", func() { - /*DeferCleanup(k8sClient.Delete, ctx, th.CreateCABundleSecret(barbicanTest.CABundleSecret)) - DeferCleanup(k8sClient.Delete, ctx, th.CreateCertSecret(barbicanTest.InternalCertSecret)) - DeferCleanup(k8sClient.Delete, ctx, th.CreateCertSecret(barbicanTest.PublicCertSecret))*/ keystone.SimulateKeystoneEndpointReady(barbicanTest.BarbicanKeystoneEndpoint) th.ExpectCondition( 
@@ -464,32 +461,24 @@ var _ = Describe("Barbican controller", func() { // Check the resulting deployment fields Expect(int(*d.Spec.Replicas)).To(Equal(1)) - Expect(d.Spec.Template.Spec.Volumes).To(HaveLen(6)) + Expect(d.Spec.Template.Spec.Volumes).To(HaveLen(3)) Expect(d.Spec.Template.Spec.Containers).To(HaveLen(2)) - // cert deployment volumes - /*th.AssertVolumeExists(barbicanTest.CABundleSecret.Name, d.Spec.Template.Spec.Volumes) - th.AssertVolumeExists(barbicanTest.InternalCertSecret.Name, d.Spec.Template.Spec.Volumes) - th.AssertVolumeExists(barbicanTest.PublicCertSecret.Name, d.Spec.Template.Spec.Volumes) - - // cert volumeMounts container := d.Spec.Template.Spec.Containers[1] - th.AssertVolumeMountExists(barbicanTest.InternalCertSecret.Name, "tls.key", container.VolumeMounts) - th.AssertVolumeMountExists(barbicanTest.InternalCertSecret.Name, "tls.crt", container.VolumeMounts) - th.AssertVolumeMountExists(barbicanTest.PublicCertSecret.Name, "tls.key", container.VolumeMounts) - th.AssertVolumeMountExists(barbicanTest.PublicCertSecret.Name, "tls.crt", container.VolumeMounts) - th.AssertVolumeMountExists(barbicanTest.CABundleSecret.Name, "tls-ca-bundle.pem", container.VolumeMounts) - Expect(container.ReadinessProbe.HTTPGet.Scheme).To(Equal(corev1.URISchemeHTTPS)) - Expect(container.LivenessProbe.HTTPGet.Scheme).To(Equal(corev1.URISchemeHTTPS))*/ + Expect(container.ReadinessProbe.HTTPGet.Scheme).To(Equal(corev1.URISchemeHTTP)) + Expect(container.LivenessProbe.HTTPGet.Scheme).To(Equal(corev1.URISchemeHTTP)) }) - It("should create config-data and scripts ConfigMaps", func() { + It("should have the right configuration contents", func() { cf := th.GetSecret(barbicanTest.BarbicanConfigSecret) Expect(cf).ShouldNot(BeNil()) - conf := cf.Data["my.cnf"] - Expect(conf).To( - ContainSubstring("[client]\nssl-ca=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem\nssl=1")) + confChrystoki := cf.Data["Chrystoki.conf"] + Expect(confChrystoki).To( + ContainSubstring("Luna = {\n 
DefaultTimeOut = 500000;\n PEDTimeout1 = 100000;\n PEDTimeout2 = 200000;")) + confDefault := cf.Data["00-default.conf"] + Expect(confDefault).To( + ContainSubstring("[secretstore:pkcs11]")) }) }) From 5bacbf7b34fdb031708492ee92a8ec6c1d980498 Mon Sep 17 00:00:00 2001 From: Grzegorz Grasza Date: Mon, 2 Dec 2024 09:27:12 +0100 Subject: [PATCH 04/14] HSM Functional Tests Signed-off-by: Mauricio Harley --- tests/functional/barbican_controller_test.go | 18 ++++++++++++- tests/functional/base_test.go | 27 ++++++++++++++------ tests/functional/suite_test.go | 11 ++++++++ 3 files changed, 47 insertions(+), 9 deletions(-) diff --git a/tests/functional/barbican_controller_test.go b/tests/functional/barbican_controller_test.go index f2da82f..c7215bd 100644 --- a/tests/functional/barbican_controller_test.go +++ b/tests/functional/barbican_controller_test.go @@ -12,6 +12,7 @@ import ( . "github.com/openstack-k8s-operators/lib-common/modules/common/test/helpers" barbicanv1beta1 "github.com/openstack-k8s-operators/barbican-operator/api/v1beta1" + "github.com/openstack-k8s-operators/barbican-operator/controllers" "github.com/openstack-k8s-operators/barbican-operator/pkg/barbican" condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition" mariadb_test "github.com/openstack-k8s-operators/mariadb-operator/api/test/helpers" @@ -428,6 +429,7 @@ var _ = Describe("Barbican controller", func() { DeferCleanup(k8sClient.Delete, ctx, CreateBarbicanMessageBusSecret(barbicanTest.Instance.Namespace, barbicanTest.RabbitmqSecretName)) DeferCleanup(th.DeleteInstance, CreateBarbicanAPI(barbicanTest.Instance, GetHSMBarbicanAPISpec())) DeferCleanup(k8sClient.Delete, ctx, CreateKeystoneAPISecret(barbicanTest.Instance.Namespace, SecretName)) + // keystoneAPI := keystone.CreateKeystoneAPI(barbicanTest.Instance.Namespace) DeferCleanup( mariadb.DeleteDBService, mariadb.CreateDBService( 
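Review bot: `HaveLen(3)` on the volumes is the only check that the pkcs11 volume is wired into the API deployment; any unrelated volume added or removed later changes the count without pointing at the HSM path. Assert the mount explicitly alongside the length check, e.g. `th.AssertVolumeExists(barbican.LunaVolume, d.Spec.Template.Spec.Volumes)`, which the test file already has the helpers and the `barbican` import for.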
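Review bot: The added `// keystoneAPI := keystone.CreateKeystoneAPI(...)` is commented-out code, and its `// DeferCleanup(keystone.DeleteKeystoneAPI, keystoneAPI)` counterpart in the next hunk is the same; a live `DeferCleanup(keystone.DeleteKeystoneAPI, keystone.CreateKeystoneAPI(barbicanTest.Instance.Namespace))` already exists in this BeforeEach, so delete both commented lines rather than leaving them in.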
@@ -443,6 +445,7 @@ var _ = Describe("Barbican controller", func() { mariadb.SimulateMariaDBAccountCompleted(barbicanTest.BarbicanDatabaseAccount) mariadb.SimulateMariaDBDatabaseCompleted(barbicanTest.BarbicanDatabaseName) th.SimulateJobSuccess(barbicanTest.BarbicanDBSync) + // DeferCleanup(keystone.DeleteKeystoneAPI, keystoneAPI) }) It("Creates BarbicanAPI", func() { @@ -470,7 +473,11 @@ var _ = Describe("Barbican controller", func() { Expect(container.LivenessProbe.HTTPGet.Scheme).To(Equal(corev1.URISchemeHTTP)) }) - It("should have the right configuration contents", func() { + It("Should have the right configuration contents", func() { + keystone.SimulateKeystoneEndpointReady(barbicanTest.BarbicanKeystoneEndpoint) + mariadb.SimulateMariaDBAccountCompleted(barbicanTest.BarbicanDatabaseAccount) + mariadb.SimulateMariaDBDatabaseCompleted(barbicanTest.BarbicanDatabaseName) + cf := th.GetSecret(barbicanTest.BarbicanConfigSecret) Expect(cf).ShouldNot(BeNil()) confChrystoki := cf.Data["Chrystoki.conf"] @@ -480,6 +487,15 @@ var _ = Describe("Barbican controller", func() { Expect(confDefault).To( ContainSubstring("[secretstore:pkcs11]")) }) + + It("Should have the relevant conditions in the right state", func() { + th.ExpectCondition( + barbicanTest.Instance, + ConditionGetterFunc(BarbicanConditionGetter), + controllers.P11PrepReadyCondition, + corev1.ConditionTrue, + ) + }) }) // Run MariaDBAccount suite tests. these are pre-packaged ginkgo tests diff --git a/tests/functional/base_test.go b/tests/functional/base_test.go index a69ea49..7200cb5 100644 --- a/tests/functional/base_test.go +++ b/tests/functional/base_test.go 
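Review bot: The new It expects `controllers.P11PrepReadyCondition` to be True, but the BeforeEach only simulates the db-sync Job (`th.SimulateJobSuccess(barbicanTest.BarbicanDBSync)`); under envtest no Job actually completes, so unless the condition is set without waiting for the p11-prep Job, this expectation needs a `th.SimulateJobSuccess(<p11-prep job NamespacedName>)` first. Adding that also exercises the P11PrepJob path introduced by this series rather than only the condition bookkeeping.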
@@ -43,6 +43,17 @@ func CreateKeystoneAPISecret(namespace string, name string) *corev1.Secret { ) } +func CreateHSMSecret(namespace string, name string) *corev1.Secret { + return th.CreateSecret( + types.NamespacedName{Namespace: namespace, Name: name}, + map[string][]byte{ + "AdminPassword": []byte("12345678"), + "BarbicanPassword": []byte("12345678"), + "KeystoneDatabasePassword": []byte("12345678"), + }, + ) +} + func GetDefaultBarbicanSpec() map[string]interface{} { return map[string]interface{}{ "databaseInstance": "openstack", @@ -190,14 +201,14 @@ func GetHSMBarbicanAPISpec() map[string]interface{} { "enabledSecretStores": []string{"pkcs11"}, "globalDefaultSecretStore": "pkcs11", "pkcs11": map[string]interface{}{ - "type": "luna", // Using them Luna model without any specific selection criteria. - "libraryPath": "/usr/local/luna/libs/64/libCryptoki2.so", - "slotId": "1", - "MKEKLabel": "MKEKLabel", - "HMACLabel": "HMACLabel", - "serverAddress": "192.168.0.1", - "clientAddress": "192.168.0.2", - "loginSecret": "dummy-secret", + "type": HSMType, + "libraryPath": HSMLibraryPath, + "slotId": HSMSlotId, + "MKEKLabel": HSMMKEKLabel, + "HMACLabel": HSMHMACLabel, + "serverAddress": HSMServerAddress, + "clientAddress": HSMClientAddress, + "loginSecret": HSMLoginSecret, }, }) return spec diff --git a/tests/functional/suite_test.go b/tests/functional/suite_test.go index 9db6eca..6b55df8 100644 --- a/tests/functional/suite_test.go +++ b/tests/functional/suite_test.go @@ -69,6 +69,17 @@ const ( SecretName = "test-osp-secret" interval = time.Millisecond * 200 + + // HSM Constants + HSMSecret = "hsm-secret" + HSMType = "luna" // Using them Luna model without any specific selection criteria. + HSMLibraryPath = "/usr/local/luna/libs/64/libCryptoki2.so" + HSMSlotId = "1" + HSMMKEKLabel = "MKEKLabel" + HSMHMACLabel = "HMACLabel" + HSMServerAddress = "192.168.0.1" + HSMClientAddress = "192.168.0.2" + HSMLoginSecret = "dummy-secret" ) func TestAPIs(t *testing.T) { 
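Review bot: `CreateHSMSecret`, added in the base_test.go hunk, fills the HSM secret with keystone-style keys (`AdminPassword`, `BarbicanPassword`, `KeystoneDatabasePassword`) that look copied from `CreateKeystoneAPISecret` rather than anything a PKCS#11 login would consume, and none of the hunks visible in this patch call the helper or the new `HSMSecret` constant. If it is meant to stand in for the secret named by `loginSecret` in `GetHSMBarbicanAPISpec`, it should carry the single key the operator reads for the HSM PIN; until that is settled, a `// TODO: align key names with what the controller reads from loginSecret` comment would mark it as a placeholder. Note also that the spec helper points `loginSecret` at `HSMLoginSecret` (`"dummy-secret"`) while the constant block defines a separate `HSMSecret` (`"hsm-secret"`), so even once wired up the two names would not meet.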
From 6cbb57cae43019ccdf7c05003026e8cc917710e7 Mon Sep 17 00:00:00 2001 From: Grzegorz Grasza Date: Mon, 2 Dec 2024 09:27:12 +0100 Subject: [PATCH 05/14] HSM Functional Tests Signed-off-by: Mauricio Harley --- tests/functional/barbican_controller_test.go | 4 ++-- tests/functional/base_test.go | 11 ++++++++++- tests/functional/suite_test.go | 17 ++++++++--------- 3 files changed, 20 insertions(+), 12 deletions(-) diff --git a/tests/functional/barbican_controller_test.go b/tests/functional/barbican_controller_test.go index c7215bd..dc0f5cd 100644 --- a/tests/functional/barbican_controller_test.go +++ b/tests/functional/barbican_controller_test.go @@ -474,9 +474,9 @@ var _ = Describe("Barbican controller", func() { }) It("Should have the right configuration contents", func() { - keystone.SimulateKeystoneEndpointReady(barbicanTest.BarbicanKeystoneEndpoint) + /*keystone.SimulateKeystoneEndpointReady(barbicanTest.BarbicanKeystoneEndpoint) mariadb.SimulateMariaDBAccountCompleted(barbicanTest.BarbicanDatabaseAccount) - mariadb.SimulateMariaDBDatabaseCompleted(barbicanTest.BarbicanDatabaseName) + mariadb.SimulateMariaDBDatabaseCompleted(barbicanTest.BarbicanDatabaseName)*/ cf := th.GetSecret(barbicanTest.BarbicanConfigSecret) Expect(cf).ShouldNot(BeNil()) diff --git a/tests/functional/base_test.go b/tests/functional/base_test.go index 7200cb5..fff85fb 100644 --- a/tests/functional/base_test.go +++ b/tests/functional/base_test.go @@ -203,7 +203,7 @@ func GetHSMBarbicanAPISpec() map[string]interface{} { "pkcs11": map[string]interface{}{ "type": HSMType, "libraryPath": HSMLibraryPath, - "slotId": HSMSlotId, + "slotId": HSMSlotID, "MKEKLabel": HSMMKEKLabel, "HMACLabel": HSMHMACLabel, "serverAddress": HSMServerAddress, 
@@ -214,6 +214,15 @@ func GetHSMBarbicanAPISpec() map[string]interface{} { return spec } +func CreateHSMLoginSecret(namespace string, name string) *corev1.Secret { + return th.CreateSecret( + types.NamespacedName{Namespace: namespace, Name: name}, + map[string][]byte{ + "hsmLogin": []byte("12345678"), + }, + ) +} + // ========== End of HSM Stuff ============ func GetDefaultBarbicanAPISpec() map[string]interface{} { diff --git a/tests/functional/suite_test.go b/tests/functional/suite_test.go index 6b55df8..073b828 100644 --- a/tests/functional/suite_test.go +++ b/tests/functional/suite_test.go @@ -71,15 +71,14 @@ const ( interval = time.Millisecond * 200 // HSM Constants - HSMSecret = "hsm-secret" - HSMType = "luna" // Using them Luna model without any specific selection criteria. - HSMLibraryPath = "/usr/local/luna/libs/64/libCryptoki2.so" - HSMSlotId = "1" - HSMMKEKLabel = "MKEKLabel" - HSMHMACLabel = "HMACLabel" - HSMServerAddress = "192.168.0.1" - HSMClientAddress = "192.168.0.2" - HSMLoginSecret = "dummy-secret" + HSMType = "luna" // Using them Luna model without any specific selection criteria. + HSMLibraryPath = "/usr/local/luna/libs/64/libCryptoki2.so" + HSMSlotID = "1" + HSMMKEKLabel = "MKEKLabel" + HSMHMACLabel = "HMACLabel" + HSMServerAddress = "192.168.0.1" + HSMClientAddress = "192.168.0.2" + HSMLoginSecret = "hsm-secret" ) func TestAPIs(t *testing.T) { From 8c4c86f9539af68bd8f4a78899a96b0757d73f58 Mon Sep 17 00:00:00 2001 From: Grzegorz Grasza Date: Mon, 2 Dec 2024 09:27:12 +0100 Subject: [PATCH 06/14] HSM Functional Tests Signed-off-by: Mauricio Harley --- tests/functional/barbican_controller_test.go | 107 +++++++++++++++---- tests/functional/barbican_test_data.go | 17 +++ tests/functional/base_test.go | 64 ++++++----- tests/functional/suite_test.go | 18 ++-- 4 files changed, 150 insertions(+), 56 deletions(-) diff --git a/tests/functional/barbican_controller_test.go b/tests/functional/barbican_controller_test.go index dc0f5cd..f5c496a 100644 
--- a/tests/functional/barbican_controller_test.go +++ b/tests/functional/barbican_controller_test.go @@ -12,7 +12,7 @@ import ( . "github.com/openstack-k8s-operators/lib-common/modules/common/test/helpers" barbicanv1beta1 "github.com/openstack-k8s-operators/barbican-operator/api/v1beta1" - "github.com/openstack-k8s-operators/barbican-operator/controllers" + controllers "github.com/openstack-k8s-operators/barbican-operator/controllers" "github.com/openstack-k8s-operators/barbican-operator/pkg/barbican" condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition" mariadb_test "github.com/openstack-k8s-operators/mariadb-operator/api/test/helpers" @@ -425,11 +425,13 @@ var _ = Describe("Barbican controller", func() { When("A Barbican with HSM is created", func() { BeforeEach(func() { + DeferCleanup(k8sClient.Delete, ctx, CreateHSMLoginSecret(barbicanTest.Instance.Namespace, HSMLoginSecret)) + DeferCleanup(k8sClient.Delete, ctx, CreateHSMCertsSecret(barbicanTest.Instance.Namespace, HSMCertsSecret)) + DeferCleanup(th.DeleteInstance, CreateBarbican(barbicanTest.Instance, GetHSMBarbicanSpec())) DeferCleanup(k8sClient.Delete, ctx, CreateBarbicanMessageBusSecret(barbicanTest.Instance.Namespace, barbicanTest.RabbitmqSecretName)) - DeferCleanup(th.DeleteInstance, CreateBarbicanAPI(barbicanTest.Instance, GetHSMBarbicanAPISpec())) + infra.SimulateTransportURLReady(barbicanTest.BarbicanTransportURL) DeferCleanup(k8sClient.Delete, ctx, CreateKeystoneAPISecret(barbicanTest.Instance.Namespace, SecretName)) - // keystoneAPI := keystone.CreateKeystoneAPI(barbicanTest.Instance.Namespace) DeferCleanup( mariadb.DeleteDBService, mariadb.CreateDBService( 
@@ -440,12 +442,12 @@ var _ = Describe("Barbican controller", func() { }, ), ) - infra.SimulateTransportURLReady(barbicanTest.BarbicanTransportURL) - DeferCleanup(keystone.DeleteKeystoneAPI, keystone.CreateKeystoneAPI(barbicanTest.Instance.Namespace)) mariadb.SimulateMariaDBAccountCompleted(barbicanTest.BarbicanDatabaseAccount) mariadb.SimulateMariaDBDatabaseCompleted(barbicanTest.BarbicanDatabaseName) + DeferCleanup(keystone.DeleteKeystoneAPI, keystone.CreateKeystoneAPI(barbicanTest.Instance.Namespace)) th.SimulateJobSuccess(barbicanTest.BarbicanDBSync) - // DeferCleanup(keystone.DeleteKeystoneAPI, keystoneAPI) + DeferCleanup(th.DeleteInstance, CreateBarbicanAPI(barbicanTest.Instance, GetHSMBarbicanAPISpec())) + th.SimulateJobSuccess(barbicanTest.BarbicanP11Prep) }) It("Creates BarbicanAPI", func() { @@ -464,7 +466,7 @@ var _ = Describe("Barbican controller", func() { // Check the resulting deployment fields Expect(int(*d.Spec.Replicas)).To(Equal(1)) - Expect(d.Spec.Template.Spec.Volumes).To(HaveLen(3)) + Expect(d.Spec.Template.Spec.Volumes).To(HaveLen(4)) Expect(d.Spec.Template.Spec.Containers).To(HaveLen(2)) container := d.Spec.Template.Spec.Containers[1] 
@@ -473,28 +475,95 @@ var _ = Describe("Barbican controller", func() { Expect(container.LivenessProbe.HTTPGet.Scheme).To(Equal(corev1.URISchemeHTTP)) }) - It("Should have the right configuration contents", func() { - /*keystone.SimulateKeystoneEndpointReady(barbicanTest.BarbicanKeystoneEndpoint) - mariadb.SimulateMariaDBAccountCompleted(barbicanTest.BarbicanDatabaseAccount) - mariadb.SimulateMariaDBDatabaseCompleted(barbicanTest.BarbicanDatabaseName)*/ + It("Verifies the PKCS11 struct is in good shape", func() { + Barbican := GetBarbican(barbicanTest.Instance) + Expect(Barbican.Spec.EnabledSecretStores).Should(Equal([]barbicanv1beta1.SecretStore{"pkcs11"})) + Expect(Barbican.Spec.GlobalDefaultSecretStore).Should(Equal(barbicanv1beta1.SecretStore("pkcs11"))) + + pkcs11 := Barbican.Spec.PKCS11 + Expect(pkcs11.SlotId).Should(Equal(HSMSlotID)) + Expect(pkcs11.LibraryPath).Should(Equal(HSMLibraryPath)) + Expect(pkcs11.CertificatesMountPoint).Should(Equal(HSMCertificatesMountPoint)) + Expect(pkcs11.LoginSecret).Should(Equal(HSMLoginSecret)) + Expect(pkcs11.CertificatesSecret).Should(Equal(HSMCertsSecret)) + Expect(pkcs11.MKEKLabel).Should(Equal(HSMMKEKLabel)) + Expect(pkcs11.HMACLabel).Should(Equal(HSMHMACLabel)) + Expect(pkcs11.ServerAddress).Should(Equal(HSMServerAddress)) + Expect(pkcs11.ClientAddress).Should(Equal(HSMClientAddress)) + Expect(pkcs11.Type).Should(Equal(HSMType)) + }) - cf := th.GetSecret(barbicanTest.BarbicanConfigSecret) - Expect(cf).ShouldNot(BeNil()) - confChrystoki := cf.Data["Chrystoki.conf"] - Expect(confChrystoki).To( - ContainSubstring("Luna = {\n DefaultTimeOut = 500000;\n PEDTimeout1 = 100000;\n PEDTimeout2 = 200000;")) - confDefault := cf.Data["00-default.conf"] - Expect(confDefault).To( + It("Checks if the two relevant secrets have the right contents", func() { + hsmSecret := th.GetSecret(barbicanTest.BarbicanHSMLoginSecret) + Expect(hsmSecret).ShouldNot(BeNil()) + confHSM := hsmSecret.Data["hsmLogin"] + Expect(confHSM).To( + 
ContainSubstring("12345678")) + + certsSecret := th.GetSecret(barbicanTest.BarbicanHSMCertsSecret) + Expect(certsSecret).ShouldNot(BeNil()) + confCA := certsSecret.Data["CACert.pem"] + Expect(confCA).To( + ContainSubstring("dummy-data")) + confServer := certsSecret.Data[HSMServerAddress+"Server.pem"] + Expect(confServer).To( + ContainSubstring("dummy-data")) + confClient := certsSecret.Data[HSMClientAddress+"Client.pem"] + Expect(confClient).To( + ContainSubstring("dummy-data")) + confKey := certsSecret.Data[HSMClientAddress+"Client.key"] + Expect(confKey).To( + ContainSubstring("dummy-data")) + }) + + It("Verifies if Chrystoki.conf and 00-default.conf have the right contents.", func() { + confSecret := th.GetSecret(barbicanTest.BarbicanConfigSecret) + Expect(confSecret).ShouldNot(BeNil()) + + conf := confSecret.Data["Chrystoki.conf"] + Expect(conf).To( + ContainSubstring("Chrystoki2")) + Expect(conf).To( + ContainSubstring("LunaSA Client")) + Expect(conf).To( + ContainSubstring("ProtectedAuthenticationPathFlagStatus = 0")) + + conf = confSecret.Data["00-default.conf"] + Expect(conf).To( ContainSubstring("[secretstore:pkcs11]")) + Expect(conf).To( + ContainSubstring("plugin_name = PKCS11")) + Expect(conf).To( + ContainSubstring("slot_id = " + HSMSlotID)) }) - It("Should have the relevant conditions in the right state", func() { + It("Checks if the P11PreJob successfully executed", func() { + BarbicanExists(barbicanTest.Instance) + th.ExpectCondition( barbicanTest.Instance, ConditionGetterFunc(BarbicanConditionGetter), controllers.P11PrepReadyCondition, corev1.ConditionTrue, ) + + // Checking if both, the volume mount name and its mount path match the specified values. 
+ volumeMounts := th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts + elemNum := 0 + for index, mount := range volumeMounts { + if mount.Name == barbican.LunaVolume { + elemNum = index + break + } + } + + volume := th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts[elemNum].Name + mountPath := th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts[elemNum].MountPath + + Eventually(func(g Gomega) { + g.Expect(volume).To(Equal(barbican.LunaVolume)) + g.Expect(mountPath).To(Equal(HSMCertificatesMountPoint)) + }, timeout, interval).Should(Succeed()) }) }) diff --git a/tests/functional/barbican_test_data.go b/tests/functional/barbican_test_data.go index c8dfea8..15b9e6e 100644 --- a/tests/functional/barbican_test_data.go +++ b/tests/functional/barbican_test_data.go @@ -54,6 +54,7 @@ type BarbicanTestData struct { BarbicanDatabaseName types.NamespacedName BarbicanDatabaseAccount types.NamespacedName BarbicanDBSync types.NamespacedName + BarbicanP11Prep types.NamespacedName BarbicanAPI types.NamespacedName BarbicanRole types.NamespacedName BarbicanRoleBinding types.NamespacedName @@ -64,6 +65,8 @@ type BarbicanTestData struct { BarbicanServicePublic types.NamespacedName BarbicanServiceInternal types.NamespacedName BarbicanConfigSecret types.NamespacedName + BarbicanHSMLoginSecret types.NamespacedName + BarbicanHSMCertsSecret types.NamespacedName BarbicanConfigScripts types.NamespacedName BarbicanConfigMapData types.NamespacedName BarbicanScheduler types.NamespacedName 
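Review bot: In the "Checks if the P11PreJob successfully executed" block, `elemNum` stays 0 when no mount named `barbican.LunaVolume` exists, so the assertions then run against whatever mount happens to be first and fail with a misleading name mismatch instead of "mount not found"; the surrounding `Eventually` also retries nothing, because `volume` and `mountPath` are captured before it runs, and `th.GetJob` is fetched three times for one object. Locate the mount once, assert it was found, and compare directly, as below. Separately, the "two relevant secrets" test reads back only the `12345678` and `dummy-data` values that `CreateHSMLoginSecret`/`CreateHSMCertsSecret` wrote in BeforeEach, so it exercises the test helpers rather than the operator; checking that the p11-prep Job projects those secrets (or that the rendered config references them) would test controller behaviour. The title "P11PreJob" also looks like a typo for "P11PrepJob".
```go
// … unchanged: P11PrepReadyCondition check …
volumeMounts := th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts
var lunaMount *corev1.VolumeMount
for i := range volumeMounts {
	if volumeMounts[i].Name == barbican.LunaVolume {
		lunaMount = &volumeMounts[i]
		break
	}
}
Expect(lunaMount).ToNot(BeNil(), "no volume mount named %q on the p11-prep job", barbican.LunaVolume)
Expect(lunaMount.MountPath).To(Equal(HSMCertificatesMountPoint))
```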
@@ -96,6 +99,10 @@ func GetBarbicanTestData(barbicanName types.NamespacedName) BarbicanTestData { Namespace: barbicanName.Namespace, Name: fmt.Sprintf("%s-db-sync", barbicanName.Name), }, + BarbicanP11Prep: types.NamespacedName{ + Namespace: barbicanName.Namespace, + Name: fmt.Sprintf("%s-p11-prep", barbicanName.Name), + }, BarbicanAPI: types.NamespacedName{ Namespace: barbicanName.Namespace, Name: fmt.Sprintf("%s-api-api", barbicanName.Name), @@ -137,6 +144,16 @@ func GetBarbicanTestData(barbicanName types.NamespacedName) BarbicanTestData { Namespace: barbicanName.Namespace, Name: fmt.Sprintf("%s-%s", barbicanName.Name, "config-data"), }, + // This secret stores the password to connect to the HSM. + BarbicanHSMLoginSecret: types.NamespacedName{ + Namespace: barbicanName.Namespace, + Name: "hsm-login", + }, + // This secret stores the certificates used to interact with the HSM. + BarbicanHSMCertsSecret: types.NamespacedName{ + Namespace: barbicanName.Namespace, + Name: "hsm-certs", + }, BarbicanConfigScripts: types.NamespacedName{ Namespace: barbicanName.Namespace, Name: fmt.Sprintf("%s-%s", barbicanName.Name, "scripts"), diff --git a/tests/functional/base_test.go b/tests/functional/base_test.go index fff85fb..c0930f8 100644 --- a/tests/functional/base_test.go +++ b/tests/functional/base_test.go @@ -43,17 +43,6 @@ func CreateKeystoneAPISecret(namespace string, name string) *corev1.Secret { ) } -func CreateHSMSecret(namespace string, name string) *corev1.Secret { - return th.CreateSecret( - types.NamespacedName{Namespace: namespace, Name: name}, - map[string][]byte{ - "AdminPassword": []byte("12345678"), - "BarbicanPassword": []byte("12345678"), - "KeystoneDatabasePassword": []byte("12345678"), - }, - ) -} - func GetDefaultBarbicanSpec() map[string]interface{} { return map[string]interface{}{ "databaseInstance": "openstack", 
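Review bot: The `BarbicanHSMLoginSecret`/`BarbicanHSMCertsSecret` entries in the second barbican_test_data.go hunk hard-code `"hsm-login"` and `"hsm-certs"`, which the suite_test.go hunk later in this patch defines again as `HSMLoginSecret` and `HSMCertsSecret`; BeforeEach creates the secrets from the constants while the assertions read them through the test data, so the two copies can drift without any test noticing. Use the constants in both places: `Name: HSMLoginSecret,` and `Name: HSMCertsSecret,`. Unlike the other entries here these names are not derived from `barbicanName.Name`, which seems deliberate since the CR's `loginSecret`/`certificatesSecret` fields appear to name user-supplied secrets; a comment saying so would stop the next reader from "fixing" it.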
@@ -134,6 +123,14 @@ func BarbicanKeystoneListenerNotExists(name types.NamespacedName) { }, timeout, interval).Should(Succeed()) } +func BarbicanExists(name types.NamespacedName) { + Consistently(func(g Gomega) { + instance := &barbicanv1.Barbican{} + err := k8sClient.Get(ctx, name, instance) + g.Expect(k8s_errors.IsNotFound(err)).To(BeFalse()) + }, timeout, interval).Should(Succeed()) +} + func BarbicanAPIConditionGetter(name types.NamespacedName) condition.Conditions { instance := GetBarbicanAPI(name) return instance.Status.Conditions 
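Review bot: `BarbicanExists` asserts only that the error is not NotFound, so any other failure from `k8sClient.Get` (timeout, RBAC denial, conversion error) satisfies the check and the helper reports the instance as present; assert success instead, `g.Expect(err).ToNot(HaveOccurred())`. `Consistently` is also an odd fit for a positive existence check: it polls for the whole `timeout` window on every call and can only make the suite slower, whereas `Eventually` returns as soon as the object is visible; keep `Consistently` only if the intent is to verify the CR is not deleted during the window, and say so in a comment on the helper.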
@@ -187,33 +184,30 @@ func GetTLSBarbicanAPISpec() map[string]interface{} { // ========== HSM Stuff ============ func GetHSMBarbicanSpec() map[string]interface{} { - return map[string]interface{}{ - "databaseInstance": "openstack", - "secret": SecretName, - "simpleCryptoBackendSecret": SecretName, - "barbicanAPI": GetHSMBarbicanAPISpec(), - } -} - -func GetHSMBarbicanAPISpec() map[string]interface{} { - spec := GetDefaultBarbicanAPISpec() + spec := GetDefaultBarbicanSpec() maps.Copy(spec, map[string]interface{}{ "enabledSecretStores": []string{"pkcs11"}, "globalDefaultSecretStore": "pkcs11", "pkcs11": map[string]interface{}{ - "type": HSMType, - "libraryPath": HSMLibraryPath, - "slotId": HSMSlotID, - "MKEKLabel": HSMMKEKLabel, - "HMACLabel": HSMHMACLabel, - "serverAddress": HSMServerAddress, - "clientAddress": HSMClientAddress, - "loginSecret": HSMLoginSecret, + "slotId": HSMSlotID, + "libraryPath": HSMLibraryPath, + "certificatesMountPoint": HSMCertificatesMountPoint, + "loginSecret": HSMLoginSecret, + "certificatesSecret": HSMCertsSecret, + "MKEKLabel": HSMMKEKLabel, + "HMACLabel": HSMHMACLabel, + "serverAddress": HSMServerAddress, + "clientAddress": HSMClientAddress, + "type": HSMType, }, }) return spec } +func GetHSMBarbicanAPISpec() map[string]interface{} { + return GetDefaultBarbicanAPISpec() +} + func CreateHSMLoginSecret(namespace string, name string) *corev1.Secret { return th.CreateSecret( types.NamespacedName{Namespace: namespace, Name: name}, 
@@ -223,6 +217,18 @@ func CreateHSMLoginSecret(namespace string, name string) *corev1.Secret { ) } +func CreateHSMCertsSecret(namespace string, name string) *corev1.Secret { + return th.CreateSecret( + types.NamespacedName{Namespace: namespace, Name: name}, + map[string][]byte{ + "CACert.pem": []byte("dummy-data"), + HSMServerAddress + "Server.pem": []byte("dummy-data"), + HSMClientAddress + "Client.pem": []byte("dummy-data"), + HSMClientAddress + "Client.key": []byte("dummy-data"), + }, + ) +} + // ========== End of HSM Stuff ============ func GetDefaultBarbicanAPISpec() map[string]interface{} { diff --git a/tests/functional/suite_test.go b/tests/functional/suite_test.go index 073b828..7f5d38a 100644 --- a/tests/functional/suite_test.go +++ b/tests/functional/suite_test.go @@ -71,14 +71,16 @@ const ( interval = time.Millisecond * 200 // HSM Constants - HSMType = "luna" // Using them Luna model without any specific selection criteria. - HSMLibraryPath = "/usr/local/luna/libs/64/libCryptoki2.so" - HSMSlotID = "1" - HSMMKEKLabel = "MKEKLabel" - HSMHMACLabel = "HMACLabel" - HSMServerAddress = "192.168.0.1" - HSMClientAddress = "192.168.0.2" - HSMLoginSecret = "hsm-secret" + HSMType = "luna" // Using them Luna model without any specific selection criteria. + HSMLibraryPath = "/usr/local/luna/libs/64/libCryptoki2.so" + HSMCertificatesMountPoint = "/usr/local/luna/config/certs" + HSMSlotID = "1" + HSMMKEKLabel = "MKEKLabel" + HSMHMACLabel = "HMACLabel" + HSMServerAddress = "192.168.0.1" + HSMClientAddress = "192.168.0.2" + HSMLoginSecret = "hsm-login" + HSMCertsSecret = "hsm-certs" ) func TestAPIs(t *testing.T) { From 2f4088e3805ea32c1862eacceb1c1cf8ab09a0a2 Mon Sep 17 00:00:00 2001 From: Mauricio Harley Date: Fri, 6 Dec 2024 13:06:04 +0000 Subject: [PATCH 07/14] Reenabling CRD Schema Validator Signed-off-by: Mauricio Harley --- hack/crd-schema-checker.sh | 1 - 1 file changed, 1 deletion(-) 
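Review bot: The comment on `HSMType` in the suite_test.go hunk reads "Using them Luna model without any specific selection criteria."; it should be `// Using the Luna model without any specific selection criteria.`. In `CreateHSMCertsSecret` the data keys are built as `<address>Server.pem`, `<address>Client.pem` and `<address>Client.key`; if the operator derives the same file names from `serverAddress`/`clientAddress` (not visible in this hunk), sharing the suffix constants between the test and the controller would keep the two from drifting, since a mismatch here would only surface as a missing file at runtime. The client private key is also stored in the same Secret as the certificates, which is fine for dummy data but is worth stating in the helper's comment so the real-deployment expectation is clear.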
diff --git a/hack/crd-schema-checker.sh b/hack/crd-schema-checker.sh index 245ac0d..c431ae5 100755 --- a/hack/crd-schema-checker.sh +++ b/hack/crd-schema-checker.sh @@ -16,7 +16,6 @@ for crd in config/crd/bases/*.yaml; do mkdir -p "$(dirname "$TMP_DIR/$crd")" git show "$BASE_REF:$crd" > "$TMP_DIR/$crd" $CHECKER check-manifests \ - --disabled-validators=NoBools,NoNewRequiredFields \ --existing-crd-filename="$TMP_DIR/$crd" \ --new-crd-filename="$crd" done From 56bbfaaa887151e74d9bb999b526f4051094b6d0 Mon Sep 17 00:00:00 2001 From: Mauricio Harley Date: Fri, 6 Dec 2024 13:06:04 +0000 Subject: [PATCH 08/14] Reenabling CRD Schema Validator Signed-off-by: Mauricio Harley --- controllers/barbican_common.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controllers/barbican_common.go b/controllers/barbican_common.go index 417e55d..c4166b6 100644 --- a/controllers/barbican_common.go +++ b/controllers/barbican_common.go @@ -119,7 +119,7 @@ func GeneratePKCS11TemplateMap( // Checking if a supported HSM type has been provided. if !slices.Contains(barbicanv1beta1.HSMTypes, strings.ToLower(pkcs11.Type)) { - return nil, errors.New("no valid HSM type provided!map[string]interface{}") + return nil, errors.New("No valid HSM type provided!") } tempMap["P11Enabled"] = true From 2b014c83a17235a80e969064a98dadb0a7ac0db5 Mon Sep 17 00:00:00 2001 From: Mauricio Harley Date: Fri, 6 Dec 2024 13:06:04 +0000 Subject: [PATCH 09/14] Reenabling CRD Schema Validator Signed-off-by: Mauricio Harley --- controllers/barbican_common.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controllers/barbican_common.go b/controllers/barbican_common.go index c4166b6..c424787 100644 --- a/controllers/barbican_common.go +++ b/controllers/barbican_common.go 
@@ -119,7 +119,7 @@ func GeneratePKCS11TemplateMap( // Checking if a supported HSM type has been provided. if !slices.Contains(barbicanv1beta1.HSMTypes, strings.ToLower(pkcs11.Type)) { - return nil, errors.New("No valid HSM type provided!") + return nil, errors.New("no valid HSM type provided") } tempMap["P11Enabled"] = true From f3adfbf7b68c3ff5cd27fe0423052aae0eb6e125 Mon Sep 17 00:00:00 2001 From: Martin Schuppert Date: Fri, 6 Dec 2024 16:57:56 +0100 Subject: [PATCH 10/14] Bump CONTROLLER_TOOLS_VERSION to 0.14.0 bump controller tools to the version which bumps k8s deps to v0.29.0, which aligns with the version in the operators. Signed-off-by: Martin Schuppert --- Makefile | 2 +- .../barbican.openstack.org_barbicanapis.yaml | 364 ++++++------ ...enstack.org_barbicankeystonelisteners.yaml | 157 ++--- .../barbican.openstack.org_barbicans.yaml | 555 +++++++++--------- ...arbican.openstack.org_barbicanworkers.yaml | 157 ++--- api/v1beta1/zz_generated.deepcopy.go | 10 +- .../barbican.openstack.org_barbicanapis.yaml | 364 ++++++------ ...enstack.org_barbicankeystonelisteners.yaml | 157 ++--- .../barbican.openstack.org_barbicans.yaml | 555 +++++++++--------- ...arbican.openstack.org_barbicanworkers.yaml | 157 ++--- config/rbac/role.yaml | 1 - config/webhook/manifests.yaml | 2 - 12 files changed, 1273 insertions(+), 1208 deletions(-) diff --git a/Makefile b/Makefile index f04ad33..cab3209 100644 --- a/Makefile +++ b/Makefile @@ -204,7 +204,7 @@ GINKGO ?= $(LOCALBIN)/ginkgo ## Tool Versions KUSTOMIZE_VERSION ?= v3.8.7 -CONTROLLER_TOOLS_VERSION ?= v0.11.1 +CONTROLLER_TOOLS_VERSION ?= v0.14.0 GOTOOLCHAIN_VERSION ?= go1.21.0 KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" diff --git a/api/bases/barbican.openstack.org_barbicanapis.yaml b/api/bases/barbican.openstack.org_barbicanapis.yaml index a6c1f5b..a634fe3 100644 --- a/api/bases/barbican.openstack.org_barbicanapis.yaml 
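Review bot: The rejected value is dropped from the error, so someone reading `no valid HSM type provided` in the CR status cannot tell whether `spec.pkcs11.type` was empty, misspelled or merely unsupported; `return nil, fmt.Errorf("unsupported HSM type %q, supported types: %v", pkcs11.Type, barbicanv1beta1.HSMTypes)` says what was wrong (assuming `fmt` is already imported in barbican_common.go, which this hunk does not show). Because the check lowercases `pkcs11.Type` before the lookup, a comment such as `// HSM type is matched case-insensitively against HSMTypes.` would document the accepted spellings. GeneratePKCS11TemplateMap starts and ends outside the hunk.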
+++ b/api/bases/barbican.openstack.org_barbicanapis.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: barbicanapis.barbican.openstack.org spec: group: barbican.openstack.org @@ -30,14 +29,19 @@ spec: description: BarbicanAPI is the Schema for the barbicanapis API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -49,17 +53,16 @@ spec: set to environmental default if empty) type: string customServiceConfig: - description: CustomServiceConfig - customize the service config using - this parameter to change service defaults, or overwrite rendered - information using raw OpenStack config format. The content gets - added to to /etc//.conf.d directory as a custom - config file. + description: |- + CustomServiceConfig - customize the service config using this parameter to change service defaults, + or overwrite rendered information using raw OpenStack config format. The content gets added to + to /etc//.conf.d directory as a custom config file. type: string customServiceConfigSecrets: - description: CustomServiceConfigSecrets - customize the service config - using this parameter to specify Secrets that contain sensitive service - config data. The content of each Secret gets added to the /etc//.conf.d - directory as a custom config file. + description: |- + CustomServiceConfigSecrets - customize the service config using this parameter to specify Secrets + that contain sensitive service config data. The content of each Secret gets added to the + /etc//.conf.d directory as a custom config file. items: type: string type: array 
@@ -72,17 +75,19 @@ spec: description: DatabaseHostname - Barbican Database Hostname type: string databaseInstance: - description: 'MariaDB instance name TODO(dmendiza): Is this comment - right? Right now required by the maridb-operator to get the credentials - from the instance to create the DB Might not be required in future' + description: |- + MariaDB instance name + TODO(dmendiza): Is this comment right? + Right now required by the maridb-operator to get the credentials from the instance to create the DB + Might not be required in future type: string defaultConfigOverwrite: additionalProperties: type: string - description: 'ConfigOverwrite - interface to overwrite default config - files like e.g. policy.json. But can also be used to add additional - files. Those get added to the service config dir in /etc/ - . TODO: -> implement' + description: |- + ConfigOverwrite - interface to overwrite default config files like e.g. policy.json. + But can also be used to add additional files. Those get added to the service config dir in /etc/ . + TODO: -> implement type: object enableSecureRBAC: default: true @@ -118,9 +123,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector to target subset of worker nodes running - this component. Setting here overrides any global NodeSelector settings - within the Barbican CR. + description: |- + NodeSelector to target subset of worker nodes running this component. Setting here overrides + any global NodeSelector settings within the Barbican CR. type: object override: description: Override, provides the ability to override the generated 
@@ -128,128 +133,114 @@ spec: properties: service: additionalProperties: - description: RoutedOverrideSpec - a routed service override - configuration for the Service created to serve traffic to - the cluster. Allows for the manifest of the created Service - to be overwritten with custom configuration. + description: |- + RoutedOverrideSpec - a routed service override configuration for the Service created to serve traffic + to the cluster. Allows for the manifest of the created Service to be overwritten with custom configuration. properties: endpointURL: type: string metadata: - description: EmbeddedLabelsAnnotations is an embedded subset - of the fields included in k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta. + description: |- + EmbeddedLabelsAnnotations is an embedded subset of the fields included in k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta. Only labels and annotations are included. properties: annotations: additionalProperties: type: string - description: 'Annotations is an unstructured key value - map stored with a resource that may be set by external - tools to store and retrieve arbitrary metadata. They - are not queryable and should be preserved when modifying - objects. More info: http://kubernetes.io/docs/user-guide/annotations' + description: |- + Annotations is an unstructured key value map stored with a resource that may be + set by external tools to store and retrieve arbitrary metadata. They are not + queryable and should be preserved when modifying objects. + More info: http://kubernetes.io/docs/user-guide/annotations type: object labels: additionalProperties: type: string - description: 'Map of string keys and values that can - be used to organize and categorize (scope and select) - objects. May match selectors of replication controllers - and services. More info: http://kubernetes.io/docs/user-guide/labels' + description: |- + Map of string keys and values that can be used to organize and categorize + (scope and select) objects. 
May match selectors of replication controllers + and services. + More info: http://kubernetes.io/docs/user-guide/labels type: object type: object spec: - description: OverrideServiceSpec is a subset of the fields - included in https://pkg.go.dev/k8s.io/api@v0.26.6/core/v1#ServiceSpec - Limited to Type, SessionAffinity, LoadBalancerSourceRanges, - ExternalName, ExternalTrafficPolicy, SessionAffinityConfig, + description: |- + OverrideServiceSpec is a subset of the fields included in https://pkg.go.dev/k8s.io/api@v0.26.6/core/v1#ServiceSpec + Limited to Type, SessionAffinity, LoadBalancerSourceRanges, ExternalName, ExternalTrafficPolicy, SessionAffinityConfig, IPFamilyPolicy, LoadBalancerClass and InternalTrafficPolicy properties: externalName: - description: externalName is the external reference - that discovery mechanisms will return as an alias - for this service (e.g. a DNS CNAME record). No proxying - will be involved. Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires - `type` to be "ExternalName". + description: |- + externalName is the external reference that discovery mechanisms will + return as an alias for this service (e.g. a DNS CNAME record). No + proxying will be involved. Must be a lowercase RFC-1123 hostname + (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". type: string externalTrafficPolicy: - description: externalTrafficPolicy describes how nodes - distribute service traffic they receive on one of - the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", - the proxy will configure the service in a way that - assumes that external load balancers will take care - of balancing the service traffic between nodes, and - so each node will deliver traffic only to the node-local - endpoints of the service, without masquerading the - client source IP. (Traffic mistakenly sent to a node - with no endpoints will be dropped.) 
The default value, - "Cluster", uses the standard behavior of routing to - all endpoints evenly (possibly modified by topology - and other features). Note that traffic sent to an - External IP or LoadBalancer IP from within the cluster - will always get "Cluster" semantics, but clients sending - to a NodePort from within the cluster may need to - take traffic policy into account when picking a node. + description: |- + externalTrafficPolicy describes how nodes distribute service traffic they + receive on one of the Service's "externally-facing" addresses (NodePorts, + ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure + the service in a way that assumes that external load balancers will take care + of balancing the service traffic between nodes, and so each node will deliver + traffic only to the node-local endpoints of the service, without masquerading + the client source IP. (Traffic mistakenly sent to a node with no endpoints will + be dropped.) The default value, "Cluster", uses the standard behavior of + routing to all endpoints evenly (possibly modified by topology and other + features). Note that traffic sent to an External IP or LoadBalancer IP from + within the cluster will always get "Cluster" semantics, but clients sending to + a NodePort from within the cluster may need to take traffic policy into account + when picking a node. type: string internalTrafficPolicy: - description: InternalTrafficPolicy describes how nodes - distribute service traffic they receive on the ClusterIP. - If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the - same node as the pod, dropping the traffic if there - are no local endpoints. The default value, "Cluster", - uses the standard behavior of routing to all endpoints - evenly (possibly modified by topology and other features). 
+ description: |- + InternalTrafficPolicy describes how nodes distribute service traffic they + receive on the ClusterIP. If set to "Local", the proxy will assume that pods + only want to talk to endpoints of the service on the same node as the pod, + dropping the traffic if there are no local endpoints. The default value, + "Cluster", uses the standard behavior of routing to all endpoints evenly + (possibly modified by topology and other features). type: string ipFamilyPolicy: - description: IPFamilyPolicy represents the dual-stack-ness - requested or required by this Service. If there is - no value provided, then this field will be set to - SingleStack. Services can be "SingleStack" (a single - IP family), "PreferDualStack" (two IP families on - dual-stack configured clusters or a single IP family - on single-stack clusters), or "RequireDualStack" (two - IP families on dual-stack configured clusters, otherwise - fail). The ipFamilies and clusterIPs fields depend - on the value of this field. This field will be wiped - when updating a service to type ExternalName. + description: |- + IPFamilyPolicy represents the dual-stack-ness requested or required by + this Service. If there is no value provided, then this field will be set + to SingleStack. Services can be "SingleStack" (a single IP family), + "PreferDualStack" (two IP families on dual-stack configured clusters or + a single IP family on single-stack clusters), or "RequireDualStack" + (two IP families on dual-stack configured clusters, otherwise fail). The + ipFamilies and clusterIPs fields depend on the value of this field. This + field will be wiped when updating a service to type ExternalName. type: string loadBalancerClass: - description: loadBalancerClass is the class of the load - balancer implementation this Service belongs to. If - specified, the value of this field must be a label-style - identifier, with an optional prefix, e.g. "internal-vip" - or "example.com/internal-vip". 
Unprefixed names are - reserved for end-users. This field can only be set - when the Service type is 'LoadBalancer'. If not set, - the default load balancer implementation is used, - today this is typically done through the cloud provider - integration, but should apply for any default implementation. - If set, it is assumed that a load balancer implementation - is watching for Services with a matching class. Any - default load balancer implementation (e.g. cloud providers) - should ignore Services that set this field. This field - can only be set when creating or updating a Service - to type 'LoadBalancer'. Once set, it can not be changed. - This field will be wiped when a service is updated - to a non 'LoadBalancer' type. + description: |- + loadBalancerClass is the class of the load balancer implementation this Service belongs to. + If specified, the value of this field must be a label-style identifier, with an optional prefix, + e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. + This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load + balancer implementation is used, today this is typically done through the cloud provider integration, + but should apply for any default implementation. If set, it is assumed that a load balancer + implementation is watching for Services with a matching class. Any default load balancer + implementation (e.g. cloud providers) should ignore Services that set this field. + This field can only be set when creating or updating a Service to type 'LoadBalancer'. + Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. type: string loadBalancerSourceRanges: - description: 'If specified and supported by the platform, - this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified - client IPs. 
This field will be ignored if the cloud-provider - does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/' + description: |- + If specified and supported by the platform, this will restrict traffic through the cloud-provider + load-balancer will be restricted to the specified client IPs. This field will be ignored if the + cloud-provider does not support the feature." + More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ items: type: string type: array sessionAffinity: - description: 'Supports "ClientIP" and "None". Used to - maintain session affinity. Enable client IP based - session affinity. Must be ClientIP or None. Defaults - to None. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' + description: |- + Supports "ClientIP" and "None". Used to maintain session affinity. + Enable client IP based session affinity. + Must be ClientIP or None. + Defaults to None. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies type: string sessionAffinityConfig: description: sessionAffinityConfig contains the configurations 
@@ -260,40 +251,38 @@ spec: of Client IP based session affinity. properties: timeoutSeconds: - description: timeoutSeconds specifies the seconds - of ClientIP type session sticky time. The - value must be >0 && <=86400(for 1 day) if - ServiceAffinity == "ClientIP". Default value - is 10800(for 3 hours). + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). format: int32 type: integer type: object type: object type: - description: 'type determines how the Service is exposed. - Defaults to ClusterIP. Valid options are ExternalName, - ClusterIP, NodePort, and LoadBalancer. "ClusterIP" - allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector - or if that is not specified, by manual construction - of an Endpoints object or EndpointSlice objects. If - clusterIP is "None", no virtual IP is allocated and - the endpoints are published as a set of endpoints - rather than a virtual IP. "NodePort" builds on ClusterIP - and allocates a port on every node which routes to - the same endpoints as the clusterIP. "LoadBalancer" - builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to - the same endpoints as the clusterIP. "ExternalName" - aliases this service to the specified externalName. - Several other fields do not apply to ExternalName - services. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' + description: |- + type determines how the Service is exposed. Defaults to ClusterIP. Valid + options are ExternalName, ClusterIP, NodePort, and LoadBalancer. + "ClusterIP" allocates a cluster-internal IP address for load-balancing + to endpoints. 
Endpoints are determined by the selector or if that is not + specified, by manual construction of an Endpoints object or + EndpointSlice objects. If clusterIP is "None", no virtual IP is + allocated and the endpoints are published as a set of endpoints rather + than a virtual IP. + "NodePort" builds on ClusterIP and allocates a port on every node which + routes to the same endpoints as the clusterIP. + "LoadBalancer" builds on NodePort and creates an external load-balancer + (if supported in the current cloud) which routes to the same endpoints + as the clusterIP. + "ExternalName" aliases this service to the specified externalName. + Several other fields do not apply to ExternalName services. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types type: string type: object type: object - description: Override configuration for the Service created to - serve traffic to the cluster. The key must be the endpoint type - (public, internal) + description: |- + Override configuration for the Service created to serve traffic to the cluster. + The key must be the endpoint type (public, internal) type: object type: object passwordSelectors: 
@@ -392,20 +381,23 @@ spec: description: The HSM's IPv4 address (X.Y.Z.K) type: string slotId: - description: One of TokenSerialNumber, TokenLabels or SlotId must + description: |- + One of TokenSerialNumber, TokenLabels or SlotId must be defined. SlotId is used if none of the others is defined type: string tokenLabels: - description: Token labels used to identify the token to be used. - One of TokenSerialNumber, TokenLabels or SlotId must be specified. - TokenLabels takes priority over SlotId. This can be a comma - separated string of labels + description: |- + Token labels used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must + be specified. TokenLabels takes priority over SlotId. + This can be a comma separated string of labels type: string tokenSerialNumber: - description: Token serial number used to identify the token to - be used. One of TokenSerialNumber, TokenLabels or SlotId must - be defined. TokenSerialNumber takes priority over TokenLabels - and SlotId + description: |- + Token serial number used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must + be defined. TokenSerialNumber takes priority over + TokenLabels and SlotId type: string type: description: 'A string containing the HSM type (currently supported: @@ -421,8 +413,9 @@ spec: type: object rabbitMqClusterName: default: rabbitmq - description: RabbitMQ instance name Needed to request a transportURL - that is created and used in Barbican + description: |- + RabbitMQ instance name + Needed to request a transportURL that is created and used in Barbican type: string replicas: default: 1 
@@ -432,22 +425,29 @@ spec: minimum: 0 type: integer resources: - description: Resources - Compute Resources required by this service - (Limits/Requests). https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + description: |- + Resources - Compute Resources required by this service (Limits/Requests). + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ properties: claims: - description: "Claims lists the names of resources, defined in - spec.resourceClaims, that are used by this container. \n This - is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be set - for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in pod.spec.resourceClaims - of the Pod where this field is used. It makes that resource - available inside a container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name 
@@ -463,8 +463,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute resources - allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: @@ -473,11 +474,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object secret: 
@@ -553,10 +554,10 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: @@ -568,14 +569,13 @@ spec: in CamelCase. type: string severity: - description: Severity provides a classification of Reason code, - so the current situation is immediately understandable and - could act accordingly. It is meant for situations where Status=False - and it should be indicated if it is just informational, warning - (next reconciliation might fix it) or an error (e.g. DB create - issue and no actions to automatically resolve the issue can/should - be done). For conditions where Status=Unknown or Status=True - the Severity should be SeverityNone. + description: |- + Severity provides a classification of Reason code, so the current situation is immediately + understandable and could act accordingly. + It is meant for situations where Status=False and it should be indicated if it is just + informational, warning (next reconciliation might fix it) or an error (e.g. DB create issue + and no actions to automatically resolve the issue can/should be done). + For conditions where Status=Unknown or Status=True the Severity should be SeverityNone. type: string status: description: Status of the condition, one of True, False, Unknown. diff --git a/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml b/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml index 8366530..80e9920 100644 --- a/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml 
+++ b/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: barbicankeystonelisteners.barbican.openstack.org spec: group: barbican.openstack.org @@ -31,14 +30,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -51,17 +55,16 @@ spec: set to environmental default if empty) type: string customServiceConfig: - description: CustomServiceConfig - customize the service config using - this parameter to change service defaults, or overwrite rendered - information using raw OpenStack config format. The content gets - added to to /etc//.conf.d directory as a custom - config file. + description: |- + CustomServiceConfig - customize the service config using this parameter to change service defaults, + or overwrite rendered information using raw OpenStack config format. The content gets added to + to /etc//.conf.d directory as a custom config file. type: string customServiceConfigSecrets: - description: CustomServiceConfigSecrets - customize the service config - using this parameter to specify Secrets that contain sensitive service - config data. The content of each Secret gets added to the /etc//.conf.d - directory as a custom config file. + description: |- + CustomServiceConfigSecrets - customize the service config using this parameter to specify Secrets + that contain sensitive service config data. The content of each Secret gets added to the + /etc//.conf.d directory as a custom config file. items: type: string type: array 
@@ -73,17 +76,19 @@ spec: databaseHostname: type: string databaseInstance: - description: 'MariaDB instance name TODO(dmendiza): Is this comment - right? Right now required by the maridb-operator to get the credentials - from the instance to create the DB Might not be required in future' + description: |- + MariaDB instance name + TODO(dmendiza): Is this comment right? + Right now required by the maridb-operator to get the credentials from the instance to create the DB + Might not be required in future type: string defaultConfigOverwrite: additionalProperties: type: string - description: 'ConfigOverwrite - interface to overwrite default config - files like e.g. policy.json. But can also be used to add additional - files. Those get added to the service config dir in /etc/ - . TODO: -> implement' + description: |- + ConfigOverwrite - interface to overwrite default config files like e.g. policy.json. + But can also be used to add additional files. Those get added to the service config dir in /etc/ . + TODO: -> implement type: object enabledSecretStores: items: @@ -114,9 +119,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector to target subset of worker nodes running - this component. Setting here overrides any global NodeSelector settings - within the Barbican CR. + description: |- + NodeSelector to target subset of worker nodes running this component. Setting here overrides + any global NodeSelector settings within the Barbican CR. type: object passwordSelectors: default: 
@@ -214,20 +219,23 @@ spec: description: The HSM's IPv4 address (X.Y.Z.K) type: string slotId: - description: One of TokenSerialNumber, TokenLabels or SlotId must + description: |- + One of TokenSerialNumber, TokenLabels or SlotId must be defined. SlotId is used if none of the others is defined type: string tokenLabels: - description: Token labels used to identify the token to be used. - One of TokenSerialNumber, TokenLabels or SlotId must be specified. - TokenLabels takes priority over SlotId. This can be a comma - separated string of labels + description: |- + Token labels used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must + be specified. TokenLabels takes priority over SlotId. + This can be a comma separated string of labels type: string tokenSerialNumber: - description: Token serial number used to identify the token to - be used. One of TokenSerialNumber, TokenLabels or SlotId must - be defined. TokenSerialNumber takes priority over TokenLabels - and SlotId + description: |- + Token serial number used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must + be defined. TokenSerialNumber takes priority over + TokenLabels and SlotId type: string type: description: 'A string containing the HSM type (currently supported: @@ -243,8 +251,9 @@ spec: type: object rabbitMqClusterName: default: rabbitmq - description: RabbitMQ instance name Needed to request a transportURL - that is created and used in Barbican + description: |- + RabbitMQ instance name + Needed to request a transportURL that is created and used in Barbican type: string replicas: default: 1 
@@ -254,22 +263,29 @@ spec: minimum: 0 type: integer resources: - description: Resources - Compute Resources required by this service - (Limits/Requests). https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + description: |- + Resources - Compute Resources required by this service (Limits/Requests). + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ properties: claims: - description: "Claims lists the names of resources, defined in - spec.resourceClaims, that are used by this container. \n This - is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be set - for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in pod.spec.resourceClaims - of the Pod where this field is used. It makes that resource - available inside a container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name 
@@ -285,8 +301,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute resources - allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: @@ -295,11 +312,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object secret: 
@@ -348,10 +365,10 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: @@ -363,14 +380,13 @@ spec: in CamelCase. type: string severity: - description: Severity provides a classification of Reason code, - so the current situation is immediately understandable and - could act accordingly. It is meant for situations where Status=False - and it should be indicated if it is just informational, warning - (next reconciliation might fix it) or an error (e.g. DB create - issue and no actions to automatically resolve the issue can/should - be done). For conditions where Status=Unknown or Status=True - the Severity should be SeverityNone. + description: |- + Severity provides a classification of Reason code, so the current situation is immediately + understandable and could act accordingly. + It is meant for situations where Status=False and it should be indicated if it is just + informational, warning (next reconciliation might fix it) or an error (e.g. DB create issue + and no actions to automatically resolve the issue can/should be done). + For conditions where Status=Unknown or Status=True the Severity should be SeverityNone. type: string status: description: Status of the condition, one of True, False, Unknown. 
@@ -400,9 +416,10 @@ spec: description: NetworkAttachments status of the deployment pods type: object readyCount: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state - of cluster Important: Run "make" to regenerate code after modifying - this file ReadyCount of barbican API instances' + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file + ReadyCount of barbican API instances format: int32 type: integer type: object diff --git a/api/bases/barbican.openstack.org_barbicans.yaml b/api/bases/barbican.openstack.org_barbicans.yaml index bf9d770..2a5a5e7 100644 --- a/api/bases/barbican.openstack.org_barbicans.yaml +++ b/api/bases/barbican.openstack.org_barbicans.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: barbicans.barbican.openstack.org spec: group: barbican.openstack.org 
@@ -30,14 +29,19 @@ spec: description: Barbican is the Schema for the barbicans API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -53,28 +57,26 @@ spec: be set to environmental default if empty) type: string customServiceConfig: - description: CustomServiceConfig - customize the service config - using this parameter to change service defaults, or overwrite - rendered information using raw OpenStack config format. The - content gets added to to /etc//.conf.d directory - as a custom config file. + description: |- + CustomServiceConfig - customize the service config using this parameter to change service defaults, + or overwrite rendered information using raw OpenStack config format. The content gets added to + to /etc//.conf.d directory as a custom config file. type: string customServiceConfigSecrets: - description: CustomServiceConfigSecrets - customize the service - config using this parameter to specify Secrets that contain - sensitive service config data. The content of each Secret gets - added to the /etc//.conf.d directory as a - custom config file. + description: |- + CustomServiceConfigSecrets - customize the service config using this parameter to specify Secrets + that contain sensitive service config data. The content of each Secret gets added to the + /etc//.conf.d directory as a custom config file. items: type: string type: array defaultConfigOverwrite: additionalProperties: type: string - description: 'ConfigOverwrite - interface to overwrite default - config files like e.g. policy.json. But can also be used to - add additional files. Those get added to the service config - dir in /etc/ . TODO: -> implement' + description: |- + ConfigOverwrite - interface to overwrite default config files like e.g. policy.json. + But can also be used to add additional files. Those get added to the service config dir in /etc/ . + TODO: -> implement type: object enableSecureRBAC: default: true 
@@ -90,9 +92,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector to target subset of worker nodes running - this component. Setting here overrides any global NodeSelector - settings within the Barbican CR. + description: |- + NodeSelector to target subset of worker nodes running this component. Setting here overrides + any global NodeSelector settings within the Barbican CR. type: object override: description: Override, provides the ability to override the generated 
@@ -100,135 +102,114 @@ spec: properties: service: additionalProperties: - description: RoutedOverrideSpec - a routed service override - configuration for the Service created to serve traffic - to the cluster. Allows for the manifest of the created - Service to be overwritten with custom configuration. + description: |- + RoutedOverrideSpec - a routed service override configuration for the Service created to serve traffic + to the cluster. Allows for the manifest of the created Service to be overwritten with custom configuration. properties: endpointURL: type: string metadata: - description: EmbeddedLabelsAnnotations is an embedded - subset of the fields included in k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta. + description: |- + EmbeddedLabelsAnnotations is an embedded subset of the fields included in k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta. Only labels and annotations are included. properties: annotations: additionalProperties: type: string - description: 'Annotations is an unstructured key - value map stored with a resource that may be set - by external tools to store and retrieve arbitrary - metadata. They are not queryable and should be - preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations' + description: |- + Annotations is an unstructured key value map stored with a resource that may be + set by external tools to store and retrieve arbitrary metadata. They are not + queryable and should be preserved when modifying objects. + More info: http://kubernetes.io/docs/user-guide/annotations type: object labels: additionalProperties: type: string - description: 'Map of string keys and values that - can be used to organize and categorize (scope - and select) objects. May match selectors of replication - controllers and services. More info: http://kubernetes.io/docs/user-guide/labels' + description: |- + Map of string keys and values that can be used to organize and categorize + (scope and select) objects. 
May match selectors of replication controllers + and services. + More info: http://kubernetes.io/docs/user-guide/labels type: object type: object spec: - description: OverrideServiceSpec is a subset of the - fields included in https://pkg.go.dev/k8s.io/api@v0.26.6/core/v1#ServiceSpec - Limited to Type, SessionAffinity, LoadBalancerSourceRanges, - ExternalName, ExternalTrafficPolicy, SessionAffinityConfig, + description: |- + OverrideServiceSpec is a subset of the fields included in https://pkg.go.dev/k8s.io/api@v0.26.6/core/v1#ServiceSpec + Limited to Type, SessionAffinity, LoadBalancerSourceRanges, ExternalName, ExternalTrafficPolicy, SessionAffinityConfig, IPFamilyPolicy, LoadBalancerClass and InternalTrafficPolicy properties: externalName: - description: externalName is the external reference - that discovery mechanisms will return as an alias - for this service (e.g. a DNS CNAME record). No - proxying will be involved. Must be a lowercase - RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) - and requires `type` to be "ExternalName". + description: |- + externalName is the external reference that discovery mechanisms will + return as an alias for this service (e.g. a DNS CNAME record). No + proxying will be involved. Must be a lowercase RFC-1123 hostname + (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". type: string externalTrafficPolicy: - description: externalTrafficPolicy describes how - nodes distribute service traffic they receive - on one of the Service's "externally-facing" addresses - (NodePorts, ExternalIPs, and LoadBalancer IPs). - If set to "Local", the proxy will configure the - service in a way that assumes that external load - balancers will take care of balancing the service - traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the - service, without masquerading the client source - IP. (Traffic mistakenly sent to a node with no - endpoints will be dropped.) 
The default value, - "Cluster", uses the standard behavior of routing - to all endpoints evenly (possibly modified by - topology and other features). Note that traffic - sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, - but clients sending to a NodePort from within - the cluster may need to take traffic policy into - account when picking a node. + description: |- + externalTrafficPolicy describes how nodes distribute service traffic they + receive on one of the Service's "externally-facing" addresses (NodePorts, + ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure + the service in a way that assumes that external load balancers will take care + of balancing the service traffic between nodes, and so each node will deliver + traffic only to the node-local endpoints of the service, without masquerading + the client source IP. (Traffic mistakenly sent to a node with no endpoints will + be dropped.) The default value, "Cluster", uses the standard behavior of + routing to all endpoints evenly (possibly modified by topology and other + features). Note that traffic sent to an External IP or LoadBalancer IP from + within the cluster will always get "Cluster" semantics, but clients sending to + a NodePort from within the cluster may need to take traffic policy into account + when picking a node. type: string internalTrafficPolicy: - description: InternalTrafficPolicy describes how - nodes distribute service traffic they receive - on the ClusterIP. If set to "Local", the proxy - will assume that pods only want to talk to endpoints - of the service on the same node as the pod, dropping - the traffic if there are no local endpoints. The - default value, "Cluster", uses the standard behavior - of routing to all endpoints evenly (possibly modified - by topology and other features). 
+ description: |- + InternalTrafficPolicy describes how nodes distribute service traffic they + receive on the ClusterIP. If set to "Local", the proxy will assume that pods + only want to talk to endpoints of the service on the same node as the pod, + dropping the traffic if there are no local endpoints. The default value, + "Cluster", uses the standard behavior of routing to all endpoints evenly + (possibly modified by topology and other features). type: string ipFamilyPolicy: - description: IPFamilyPolicy represents the dual-stack-ness - requested or required by this Service. If there - is no value provided, then this field will be - set to SingleStack. Services can be "SingleStack" - (a single IP family), "PreferDualStack" (two IP - families on dual-stack configured clusters or - a single IP family on single-stack clusters), - or "RequireDualStack" (two IP families on dual-stack - configured clusters, otherwise fail). The ipFamilies - and clusterIPs fields depend on the value of this - field. This field will be wiped when updating - a service to type ExternalName. + description: |- + IPFamilyPolicy represents the dual-stack-ness requested or required by + this Service. If there is no value provided, then this field will be set + to SingleStack. Services can be "SingleStack" (a single IP family), + "PreferDualStack" (two IP families on dual-stack configured clusters or + a single IP family on single-stack clusters), or "RequireDualStack" + (two IP families on dual-stack configured clusters, otherwise fail). The + ipFamilies and clusterIPs fields depend on the value of this field. This + field will be wiped when updating a service to type ExternalName. type: string loadBalancerClass: - description: loadBalancerClass is the class of the - load balancer implementation this Service belongs - to. If specified, the value of this field must - be a label-style identifier, with an optional - prefix, e.g. "internal-vip" or "example.com/internal-vip". 
- Unprefixed names are reserved for end-users. This - field can only be set when the Service type is - 'LoadBalancer'. If not set, the default load balancer - implementation is used, today this is typically - done through the cloud provider integration, but - should apply for any default implementation. If - set, it is assumed that a load balancer implementation - is watching for Services with a matching class. - Any default load balancer implementation (e.g. - cloud providers) should ignore Services that set - this field. This field can only be set when creating - or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will - be wiped when a service is updated to a non 'LoadBalancer' - type. + description: |- + loadBalancerClass is the class of the load balancer implementation this Service belongs to. + If specified, the value of this field must be a label-style identifier, with an optional prefix, + e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. + This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load + balancer implementation is used, today this is typically done through the cloud provider integration, + but should apply for any default implementation. If set, it is assumed that a load balancer + implementation is watching for Services with a matching class. Any default load balancer + implementation (e.g. cloud providers) should ignore Services that set this field. + This field can only be set when creating or updating a Service to type 'LoadBalancer'. + Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. type: string loadBalancerSourceRanges: - description: 'If specified and supported by the - platform, this will restrict traffic through the - cloud-provider load-balancer will be restricted - to the specified client IPs. 
This field will be - ignored if the cloud-provider does not support - the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/' + description: |- + If specified and supported by the platform, this will restrict traffic through the cloud-provider + load-balancer will be restricted to the specified client IPs. This field will be ignored if the + cloud-provider does not support the feature." + More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ items: type: string type: array sessionAffinity: - description: 'Supports "ClientIP" and "None". Used - to maintain session affinity. Enable client IP - based session affinity. Must be ClientIP or None. - Defaults to None. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' + description: |- + Supports "ClientIP" and "None". Used to maintain session affinity. + Enable client IP based session affinity. + Must be ClientIP or None. + Defaults to None. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies type: string sessionAffinityConfig: description: sessionAffinityConfig contains the 
@@ -239,41 +220,38 @@ spec: of Client IP based session affinity. properties: timeoutSeconds: - description: timeoutSeconds specifies the - seconds of ClientIP type session sticky - time. The value must be >0 && <=86400(for - 1 day) if ServiceAffinity == "ClientIP". + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". Default value is 10800(for 3 hours). format: int32 type: integer type: object type: object type: - description: 'type determines how the Service is - exposed. Defaults to ClusterIP. Valid options - are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address - for load-balancing to endpoints. Endpoints are - determined by the selector or if that is not specified, - by manual construction of an Endpoints object - or EndpointSlice objects. If clusterIP is "None", - no virtual IP is allocated and the endpoints are - published as a set of endpoints rather than a - virtual IP. "NodePort" builds on ClusterIP and - allocates a port on every node which routes to - the same endpoints as the clusterIP. "LoadBalancer" - builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes - to the same endpoints as the clusterIP. "ExternalName" - aliases this service to the specified externalName. - Several other fields do not apply to ExternalName - services. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' + description: |- + type determines how the Service is exposed. Defaults to ClusterIP. Valid + options are ExternalName, ClusterIP, NodePort, and LoadBalancer. + "ClusterIP" allocates a cluster-internal IP address for load-balancing + to endpoints. Endpoints are determined by the selector or if that is not + specified, by manual construction of an Endpoints object or + EndpointSlice objects. 
If clusterIP is "None", no virtual IP is + allocated and the endpoints are published as a set of endpoints rather + than a virtual IP. + "NodePort" builds on ClusterIP and allocates a port on every node which + routes to the same endpoints as the clusterIP. + "LoadBalancer" builds on NodePort and creates an external load-balancer + (if supported in the current cloud) which routes to the same endpoints + as the clusterIP. + "ExternalName" aliases this service to the specified externalName. + Several other fields do not apply to ExternalName services. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types type: string type: object type: object - description: Override configuration for the Service created - to serve traffic to the cluster. The key must be the endpoint - type (public, internal) + description: |- + Override configuration for the Service created to serve traffic to the cluster. + The key must be the endpoint type (public, internal) type: object type: object replicas: 
@@ -284,23 +262,29 @@ spec: minimum: 0 type: integer resources: - description: Resources - Compute Resources required by this service - (Limits/Requests). https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + description: |- + Resources - Compute Resources required by this service (Limits/Requests). + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be - set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a - container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name 
@@ -316,8 +300,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: @@ -326,11 +311,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed - Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object tls: 
@@ -375,28 +360,26 @@ spec: be set to environmental default if empty) type: string customServiceConfig: - description: CustomServiceConfig - customize the service config - using this parameter to change service defaults, or overwrite - rendered information using raw OpenStack config format. The - content gets added to to /etc//.conf.d directory - as a custom config file. + description: |- + CustomServiceConfig - customize the service config using this parameter to change service defaults, + or overwrite rendered information using raw OpenStack config format. The content gets added to + to /etc//.conf.d directory as a custom config file. type: string customServiceConfigSecrets: - description: CustomServiceConfigSecrets - customize the service - config using this parameter to specify Secrets that contain - sensitive service config data. The content of each Secret gets - added to the /etc//.conf.d directory as a - custom config file. + description: |- + CustomServiceConfigSecrets - customize the service config using this parameter to specify Secrets + that contain sensitive service config data. The content of each Secret gets added to the + /etc//.conf.d directory as a custom config file. items: type: string type: array defaultConfigOverwrite: additionalProperties: type: string - description: 'ConfigOverwrite - interface to overwrite default - config files like e.g. policy.json. But can also be used to - add additional files. Those get added to the service config - dir in /etc/ . TODO: -> implement' + description: |- + ConfigOverwrite - interface to overwrite default config files like e.g. policy.json. + But can also be used to add additional files. Those get added to the service config dir in /etc/ . + TODO: -> implement type: object networkAttachments: description: NetworkAttachments is a list of NetworkAttachment 
@@ -407,9 +390,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector to target subset of worker nodes running - this component. Setting here overrides any global NodeSelector - settings within the Barbican CR. + description: |- + NodeSelector to target subset of worker nodes running this component. Setting here overrides + any global NodeSelector settings within the Barbican CR. type: object replicas: default: 1 @@ -419,23 +402,29 @@ spec: minimum: 0 type: integer resources: - description: Resources - Compute Resources required by this service - (Limits/Requests). https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + description: |- + Resources - Compute Resources required by this service (Limits/Requests). + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be - set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a - container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name 
@@ -451,8 +440,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: @@ -461,11 +451,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed - Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object required: 
@@ -480,28 +470,26 @@ spec: be set to environmental default if empty) type: string customServiceConfig: - description: CustomServiceConfig - customize the service config - using this parameter to change service defaults, or overwrite - rendered information using raw OpenStack config format. The - content gets added to to /etc//.conf.d directory - as a custom config file. + description: |- + CustomServiceConfig - customize the service config using this parameter to change service defaults, + or overwrite rendered information using raw OpenStack config format. The content gets added to + to /etc//.conf.d directory as a custom config file. type: string customServiceConfigSecrets: - description: CustomServiceConfigSecrets - customize the service - config using this parameter to specify Secrets that contain - sensitive service config data. The content of each Secret gets - added to the /etc//.conf.d directory as a - custom config file. + description: |- + CustomServiceConfigSecrets - customize the service config using this parameter to specify Secrets + that contain sensitive service config data. The content of each Secret gets added to the + /etc//.conf.d directory as a custom config file. items: type: string type: array defaultConfigOverwrite: additionalProperties: type: string - description: 'ConfigOverwrite - interface to overwrite default - config files like e.g. policy.json. But can also be used to - add additional files. Those get added to the service config - dir in /etc/ . TODO: -> implement' + description: |- + ConfigOverwrite - interface to overwrite default config files like e.g. policy.json. + But can also be used to add additional files. Those get added to the service config dir in /etc/ . + TODO: -> implement type: object networkAttachments: description: NetworkAttachments is a list of NetworkAttachment 
@@ -512,9 +500,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector to target subset of worker nodes running - this component. Setting here overrides any global NodeSelector - settings within the Barbican CR. + description: |- + NodeSelector to target subset of worker nodes running this component. Setting here overrides + any global NodeSelector settings within the Barbican CR. type: object replicas: default: 1 @@ -524,23 +512,29 @@ spec: minimum: 0 type: integer resources: - description: Resources - Compute Resources required by this service - (Limits/Requests). https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + description: |- + Resources - Compute Resources required by this service (Limits/Requests). + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be - set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a - container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name 
@@ -556,8 +550,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -566,22 +561,21 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed - Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object required: - containerImage type: object customServiceConfig: - description: CustomServiceConfig - customize the service config using - this parameter to change service defaults, or overwrite rendered - information using raw OpenStack config format. The content gets - added to to /etc//.conf.d directory as custom.conf - file. + description: |- + CustomServiceConfig - customize the service config using this parameter to change service defaults, + or overwrite rendered information using raw OpenStack config format. The content gets added to + to /etc//.conf.d directory as custom.conf file. type: string databaseAccount: default: barbican 
@@ -589,17 +583,19 @@ spec: for barbican DB, defaults to barbican type: string databaseInstance: - description: 'MariaDB instance name TODO(dmendiza): Is this comment - right? Right now required by the maridb-operator to get the credentials - from the instance to create the DB Might not be required in future' + description: |- + MariaDB instance name + TODO(dmendiza): Is this comment right? + Right now required by the maridb-operator to get the credentials from the instance to create the DB + Might not be required in future type: string defaultConfigOverwrite: additionalProperties: type: string - description: 'ConfigOverwrite - interface to overwrite default config - files like e.g. logging.conf or policy.json. But can also be used - to add additional files. Those get added to the service config dir - in /etc/ . TODO(dmendiza): -> implement' + description: |- + ConfigOverwrite - interface to overwrite default config files like e.g. logging.conf or policy.json. + But can also be used to add additional files. Those get added to the service config dir in /etc/ . + TODO(dmendiza): -> implement type: object enabledSecretStores: items: @@ -624,9 +620,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector to target subset of worker nodes running - this component. Setting here overrides any global NodeSelector settings - within the Barbican CR. + description: |- + NodeSelector to target subset of worker nodes running this component. Setting here overrides + any global NodeSelector settings within the Barbican CR. type: object passwordSelectors: default: 
@@ -724,20 +720,23 @@ spec: description: The HSM's IPv4 address (X.Y.Z.K) type: string slotId: - description: One of TokenSerialNumber, TokenLabels or SlotId must + description: |- + One of TokenSerialNumber, TokenLabels or SlotId must be defined. SlotId is used if none of the others is defined type: string tokenLabels: - description: Token labels used to identify the token to be used. - One of TokenSerialNumber, TokenLabels or SlotId must be specified. - TokenLabels takes priority over SlotId. This can be a comma - separated string of labels + description: |- + Token labels used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must + be specified. TokenLabels takes priority over SlotId. + This can be a comma separated string of labels type: string tokenSerialNumber: - description: Token serial number used to identify the token to - be used. One of TokenSerialNumber, TokenLabels or SlotId must - be defined. TokenSerialNumber takes priority over TokenLabels - and SlotId + description: |- + Token serial number used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must + be defined. TokenSerialNumber takes priority over + TokenLabels and SlotId type: string type: description: 'A string containing the HSM type (currently supported: @@ -758,8 +757,9 @@ spec: type: boolean rabbitMqClusterName: default: rabbitmq - description: RabbitMQ instance name Needed to request a transportURL - that is created and used in Barbican + description: |- + RabbitMQ instance name + Needed to request a transportURL that is created and used in Barbican type: string secret: default: osp-secret 
@@ -809,10 +809,10 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: @@ -824,14 +824,13 @@ spec: in CamelCase. type: string severity: - description: Severity provides a classification of Reason code, - so the current situation is immediately understandable and - could act accordingly. It is meant for situations where Status=False - and it should be indicated if it is just informational, warning - (next reconciliation might fix it) or an error (e.g. DB create - issue and no actions to automatically resolve the issue can/should - be done). For conditions where Status=Unknown or Status=True - the Severity should be SeverityNone. + description: |- + Severity provides a classification of Reason code, so the current situation is immediately + understandable and could act accordingly. + It is meant for situations where Status=False and it should be indicated if it is just + informational, warning (next reconciliation might fix it) or an error (e.g. DB create issue + and no actions to automatically resolve the issue can/should be done). + For conditions where Status=Unknown or Status=True the Severity should be SeverityNone. type: string status: description: Status of the condition, one of True, False, Unknown. 
@@ -854,11 +853,11 @@ spec: description: Map of hashes to track e.g. job status type: object observedGeneration: - description: ObservedGeneration - the most recent generation observed - for this service. If the observed generation is less than the spec - generation, then the controller has not processed the latest changes - injected by the opentack-operator in the top-level CR (e.g. the - ContainerImage) + description: |- + ObservedGeneration - the most recent generation observed for this + service. If the observed generation is less than the spec generation, + then the controller has not processed the latest changes injected by + the opentack-operator in the top-level CR (e.g. the ContainerImage) format: int64 type: integer serviceID: diff --git a/api/bases/barbican.openstack.org_barbicanworkers.yaml b/api/bases/barbican.openstack.org_barbicanworkers.yaml index 584c4df..ad89946 100644 --- a/api/bases/barbican.openstack.org_barbicanworkers.yaml +++ b/api/bases/barbican.openstack.org_barbicanworkers.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: barbicanworkers.barbican.openstack.org spec: group: barbican.openstack.org 
@@ -30,14 +29,19 @@ spec: description: BarbicanWorker is the Schema for the barbicanworkers API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -49,17 +53,16 @@ spec: set to environmental default if empty) type: string customServiceConfig: - description: CustomServiceConfig - customize the service config using - this parameter to change service defaults, or overwrite rendered - information using raw OpenStack config format. The content gets - added to to /etc//.conf.d directory as a custom - config file. + description: |- + CustomServiceConfig - customize the service config using this parameter to change service defaults, + or overwrite rendered information using raw OpenStack config format. The content gets added to + to /etc//.conf.d directory as a custom config file. type: string customServiceConfigSecrets: - description: CustomServiceConfigSecrets - customize the service config - using this parameter to specify Secrets that contain sensitive service - config data. The content of each Secret gets added to the /etc//.conf.d - directory as a custom config file. + description: |- + CustomServiceConfigSecrets - customize the service config using this parameter to specify Secrets + that contain sensitive service config data. The content of each Secret gets added to the + /etc//.conf.d directory as a custom config file. items: type: string type: array 
@@ -71,17 +74,19 @@ spec: databaseHostname: type: string databaseInstance: - description: 'MariaDB instance name TODO(dmendiza): Is this comment - right? Right now required by the maridb-operator to get the credentials - from the instance to create the DB Might not be required in future' + description: |- + MariaDB instance name + TODO(dmendiza): Is this comment right? + Right now required by the maridb-operator to get the credentials from the instance to create the DB + Might not be required in future type: string defaultConfigOverwrite: additionalProperties: type: string - description: 'ConfigOverwrite - interface to overwrite default config - files like e.g. policy.json. But can also be used to add additional - files. Those get added to the service config dir in /etc/ - . TODO: -> implement' + description: |- + ConfigOverwrite - interface to overwrite default config files like e.g. policy.json. + But can also be used to add additional files. Those get added to the service config dir in /etc/ . + TODO: -> implement type: object enabledSecretStores: items: @@ -112,9 +117,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector to target subset of worker nodes running - this component. Setting here overrides any global NodeSelector settings - within the Barbican CR. + description: |- + NodeSelector to target subset of worker nodes running this component. Setting here overrides + any global NodeSelector settings within the Barbican CR. type: object passwordSelectors: default: 
@@ -212,20 +217,23 @@ spec: description: The HSM's IPv4 address (X.Y.Z.K) type: string slotId: - description: One of TokenSerialNumber, TokenLabels or SlotId must + description: |- + One of TokenSerialNumber, TokenLabels or SlotId must be defined. SlotId is used if none of the others is defined type: string tokenLabels: - description: Token labels used to identify the token to be used. - One of TokenSerialNumber, TokenLabels or SlotId must be specified. - TokenLabels takes priority over SlotId. This can be a comma - separated string of labels + description: |- + Token labels used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must + be specified. TokenLabels takes priority over SlotId. + This can be a comma separated string of labels type: string tokenSerialNumber: - description: Token serial number used to identify the token to - be used. One of TokenSerialNumber, TokenLabels or SlotId must - be defined. TokenSerialNumber takes priority over TokenLabels - and SlotId + description: |- + Token serial number used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must + be defined. TokenSerialNumber takes priority over + TokenLabels and SlotId type: string type: description: 'A string containing the HSM type (currently supported: @@ -241,8 +249,9 @@ spec: type: object rabbitMqClusterName: default: rabbitmq - description: RabbitMQ instance name Needed to request a transportURL - that is created and used in Barbican + description: |- + RabbitMQ instance name + Needed to request a transportURL that is created and used in Barbican type: string replicas: default: 1 
@@ -252,22 +261,29 @@ spec: minimum: 0 type: integer resources: - description: Resources - Compute Resources required by this service - (Limits/Requests). https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + description: |- + Resources - Compute Resources required by this service (Limits/Requests). + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ properties: claims: - description: "Claims lists the names of resources, defined in - spec.resourceClaims, that are used by this container. \n This - is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be set - for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in pod.spec.resourceClaims - of the Pod where this field is used. It makes that resource - available inside a container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name 
@@ -283,8 +299,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute resources - allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: @@ -293,11 +310,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object secret: 
@@ -345,10 +362,10 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: @@ -360,14 +377,13 @@ spec: in CamelCase. type: string severity: - description: Severity provides a classification of Reason code, - so the current situation is immediately understandable and - could act accordingly. It is meant for situations where Status=False - and it should be indicated if it is just informational, warning - (next reconciliation might fix it) or an error (e.g. DB create - issue and no actions to automatically resolve the issue can/should - be done). For conditions where Status=Unknown or Status=True - the Severity should be SeverityNone. + description: |- + Severity provides a classification of Reason code, so the current situation is immediately + understandable and could act accordingly. + It is meant for situations where Status=False and it should be indicated if it is just + informational, warning (next reconciliation might fix it) or an error (e.g. DB create issue + and no actions to automatically resolve the issue can/should be done). + For conditions where Status=Unknown or Status=True the Severity should be SeverityNone. type: string status: description: Status of the condition, one of True, False, Unknown. 
@@ -397,9 +413,10 @@ spec: description: NetworkAttachments status of the deployment pods type: object readyCount: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state - of cluster Important: Run "make" to regenerate code after modifying - this file ReadyCount of barbican API instances' + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file + ReadyCount of barbican API instances format: int32 type: integer type: object diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go index f61b499..60e7571 100644 --- a/api/v1beta1/zz_generated.deepcopy.go +++ b/api/v1beta1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2023. @@ -184,7 +183,8 @@ func (in *BarbicanAPIStatus) DeepCopyInto(out *BarbicanAPIStatus) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = make([]string, len(*in)) copy(*out, *in) } @@ -403,7 +403,8 @@ func (in *BarbicanKeystoneListenerStatus) DeepCopyInto(out *BarbicanKeystoneList if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = make([]string, len(*in)) copy(*out, *in) } @@ -730,7 +731,8 @@ func (in *BarbicanWorkerStatus) DeepCopyInto(out *BarbicanWorkerStatus) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = make([]string, len(*in)) copy(*out, *in) } diff --git a/config/crd/bases/barbican.openstack.org_barbicanapis.yaml b/config/crd/bases/barbican.openstack.org_barbicanapis.yaml index a6c1f5b..a634fe3 100644 --- a/config/crd/bases/barbican.openstack.org_barbicanapis.yaml +++ b/config/crd/bases/barbican.openstack.org_barbicanapis.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: barbicanapis.barbican.openstack.org spec: group: barbican.openstack.org @@ -30,14 +29,19 @@ spec: description: BarbicanAPI is the Schema for the barbicanapis API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -49,17 +53,16 @@ spec: set to environmental default if empty) type: string customServiceConfig: - description: CustomServiceConfig - customize the service config using - this parameter to change service defaults, or overwrite rendered - information using raw OpenStack config format. The content gets - added to to /etc//.conf.d directory as a custom - config file. + description: |- + CustomServiceConfig - customize the service config using this parameter to change service defaults, + or overwrite rendered information using raw OpenStack config format. The content gets added to + to /etc//.conf.d directory as a custom config file. type: string customServiceConfigSecrets: - description: CustomServiceConfigSecrets - customize the service config - using this parameter to specify Secrets that contain sensitive service - config data. The content of each Secret gets added to the /etc//.conf.d - directory as a custom config file. + description: |- + CustomServiceConfigSecrets - customize the service config using this parameter to specify Secrets + that contain sensitive service config data. The content of each Secret gets added to the + /etc//.conf.d directory as a custom config file. items: type: string type: array 
@@ -72,17 +75,19 @@ spec: description: DatabaseHostname - Barbican Database Hostname type: string databaseInstance: - description: 'MariaDB instance name TODO(dmendiza): Is this comment - right? Right now required by the maridb-operator to get the credentials - from the instance to create the DB Might not be required in future' + description: |- + MariaDB instance name + TODO(dmendiza): Is this comment right? + Right now required by the maridb-operator to get the credentials from the instance to create the DB + Might not be required in future type: string defaultConfigOverwrite: additionalProperties: type: string - description: 'ConfigOverwrite - interface to overwrite default config - files like e.g. policy.json. But can also be used to add additional - files. Those get added to the service config dir in /etc/ - . TODO: -> implement' + description: |- + ConfigOverwrite - interface to overwrite default config files like e.g. policy.json. + But can also be used to add additional files. Those get added to the service config dir in /etc/ . + TODO: -> implement type: object enableSecureRBAC: default: true @@ -118,9 +123,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector to target subset of worker nodes running - this component. Setting here overrides any global NodeSelector settings - within the Barbican CR. + description: |- + NodeSelector to target subset of worker nodes running this component. Setting here overrides + any global NodeSelector settings within the Barbican CR. type: object override: description: Override, provides the ability to override the generated 
@@ -128,128 +133,114 @@ spec: properties: service: additionalProperties: - description: RoutedOverrideSpec - a routed service override - configuration for the Service created to serve traffic to - the cluster. Allows for the manifest of the created Service - to be overwritten with custom configuration. + description: |- + RoutedOverrideSpec - a routed service override configuration for the Service created to serve traffic + to the cluster. Allows for the manifest of the created Service to be overwritten with custom configuration. properties: endpointURL: type: string metadata: - description: EmbeddedLabelsAnnotations is an embedded subset - of the fields included in k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta. + description: |- + EmbeddedLabelsAnnotations is an embedded subset of the fields included in k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta. Only labels and annotations are included. properties: annotations: additionalProperties: type: string - description: 'Annotations is an unstructured key value - map stored with a resource that may be set by external - tools to store and retrieve arbitrary metadata. They - are not queryable and should be preserved when modifying - objects. More info: http://kubernetes.io/docs/user-guide/annotations' + description: |- + Annotations is an unstructured key value map stored with a resource that may be + set by external tools to store and retrieve arbitrary metadata. They are not + queryable and should be preserved when modifying objects. + More info: http://kubernetes.io/docs/user-guide/annotations type: object labels: additionalProperties: type: string - description: 'Map of string keys and values that can - be used to organize and categorize (scope and select) - objects. May match selectors of replication controllers - and services. More info: http://kubernetes.io/docs/user-guide/labels' + description: |- + Map of string keys and values that can be used to organize and categorize + (scope and select) objects. 
May match selectors of replication controllers + and services. + More info: http://kubernetes.io/docs/user-guide/labels type: object type: object spec: - description: OverrideServiceSpec is a subset of the fields - included in https://pkg.go.dev/k8s.io/api@v0.26.6/core/v1#ServiceSpec - Limited to Type, SessionAffinity, LoadBalancerSourceRanges, - ExternalName, ExternalTrafficPolicy, SessionAffinityConfig, + description: |- + OverrideServiceSpec is a subset of the fields included in https://pkg.go.dev/k8s.io/api@v0.26.6/core/v1#ServiceSpec + Limited to Type, SessionAffinity, LoadBalancerSourceRanges, ExternalName, ExternalTrafficPolicy, SessionAffinityConfig, IPFamilyPolicy, LoadBalancerClass and InternalTrafficPolicy properties: externalName: - description: externalName is the external reference - that discovery mechanisms will return as an alias - for this service (e.g. a DNS CNAME record). No proxying - will be involved. Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires - `type` to be "ExternalName". + description: |- + externalName is the external reference that discovery mechanisms will + return as an alias for this service (e.g. a DNS CNAME record). No + proxying will be involved. Must be a lowercase RFC-1123 hostname + (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". type: string externalTrafficPolicy: - description: externalTrafficPolicy describes how nodes - distribute service traffic they receive on one of - the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", - the proxy will configure the service in a way that - assumes that external load balancers will take care - of balancing the service traffic between nodes, and - so each node will deliver traffic only to the node-local - endpoints of the service, without masquerading the - client source IP. (Traffic mistakenly sent to a node - with no endpoints will be dropped.) 
The default value, - "Cluster", uses the standard behavior of routing to - all endpoints evenly (possibly modified by topology - and other features). Note that traffic sent to an - External IP or LoadBalancer IP from within the cluster - will always get "Cluster" semantics, but clients sending - to a NodePort from within the cluster may need to - take traffic policy into account when picking a node. + description: |- + externalTrafficPolicy describes how nodes distribute service traffic they + receive on one of the Service's "externally-facing" addresses (NodePorts, + ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure + the service in a way that assumes that external load balancers will take care + of balancing the service traffic between nodes, and so each node will deliver + traffic only to the node-local endpoints of the service, without masquerading + the client source IP. (Traffic mistakenly sent to a node with no endpoints will + be dropped.) The default value, "Cluster", uses the standard behavior of + routing to all endpoints evenly (possibly modified by topology and other + features). Note that traffic sent to an External IP or LoadBalancer IP from + within the cluster will always get "Cluster" semantics, but clients sending to + a NodePort from within the cluster may need to take traffic policy into account + when picking a node. type: string internalTrafficPolicy: - description: InternalTrafficPolicy describes how nodes - distribute service traffic they receive on the ClusterIP. - If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the - same node as the pod, dropping the traffic if there - are no local endpoints. The default value, "Cluster", - uses the standard behavior of routing to all endpoints - evenly (possibly modified by topology and other features). 
+ description: |- + InternalTrafficPolicy describes how nodes distribute service traffic they + receive on the ClusterIP. If set to "Local", the proxy will assume that pods + only want to talk to endpoints of the service on the same node as the pod, + dropping the traffic if there are no local endpoints. The default value, + "Cluster", uses the standard behavior of routing to all endpoints evenly + (possibly modified by topology and other features). type: string ipFamilyPolicy: - description: IPFamilyPolicy represents the dual-stack-ness - requested or required by this Service. If there is - no value provided, then this field will be set to - SingleStack. Services can be "SingleStack" (a single - IP family), "PreferDualStack" (two IP families on - dual-stack configured clusters or a single IP family - on single-stack clusters), or "RequireDualStack" (two - IP families on dual-stack configured clusters, otherwise - fail). The ipFamilies and clusterIPs fields depend - on the value of this field. This field will be wiped - when updating a service to type ExternalName. + description: |- + IPFamilyPolicy represents the dual-stack-ness requested or required by + this Service. If there is no value provided, then this field will be set + to SingleStack. Services can be "SingleStack" (a single IP family), + "PreferDualStack" (two IP families on dual-stack configured clusters or + a single IP family on single-stack clusters), or "RequireDualStack" + (two IP families on dual-stack configured clusters, otherwise fail). The + ipFamilies and clusterIPs fields depend on the value of this field. This + field will be wiped when updating a service to type ExternalName. type: string loadBalancerClass: - description: loadBalancerClass is the class of the load - balancer implementation this Service belongs to. If - specified, the value of this field must be a label-style - identifier, with an optional prefix, e.g. "internal-vip" - or "example.com/internal-vip". 
Unprefixed names are - reserved for end-users. This field can only be set - when the Service type is 'LoadBalancer'. If not set, - the default load balancer implementation is used, - today this is typically done through the cloud provider - integration, but should apply for any default implementation. - If set, it is assumed that a load balancer implementation - is watching for Services with a matching class. Any - default load balancer implementation (e.g. cloud providers) - should ignore Services that set this field. This field - can only be set when creating or updating a Service - to type 'LoadBalancer'. Once set, it can not be changed. - This field will be wiped when a service is updated - to a non 'LoadBalancer' type. + description: |- + loadBalancerClass is the class of the load balancer implementation this Service belongs to. + If specified, the value of this field must be a label-style identifier, with an optional prefix, + e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. + This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load + balancer implementation is used, today this is typically done through the cloud provider integration, + but should apply for any default implementation. If set, it is assumed that a load balancer + implementation is watching for Services with a matching class. Any default load balancer + implementation (e.g. cloud providers) should ignore Services that set this field. + This field can only be set when creating or updating a Service to type 'LoadBalancer'. + Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. type: string loadBalancerSourceRanges: - description: 'If specified and supported by the platform, - this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified - client IPs. 
This field will be ignored if the cloud-provider - does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/' + description: |- + If specified and supported by the platform, this will restrict traffic through the cloud-provider + load-balancer will be restricted to the specified client IPs. This field will be ignored if the + cloud-provider does not support the feature." + More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ items: type: string type: array sessionAffinity: - description: 'Supports "ClientIP" and "None". Used to - maintain session affinity. Enable client IP based - session affinity. Must be ClientIP or None. Defaults - to None. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' + description: |- + Supports "ClientIP" and "None". Used to maintain session affinity. + Enable client IP based session affinity. + Must be ClientIP or None. + Defaults to None. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies type: string sessionAffinityConfig: description: sessionAffinityConfig contains the configurations 
@@ -260,40 +251,38 @@ spec: of Client IP based session affinity. properties: timeoutSeconds: - description: timeoutSeconds specifies the seconds - of ClientIP type session sticky time. The - value must be >0 && <=86400(for 1 day) if - ServiceAffinity == "ClientIP". Default value - is 10800(for 3 hours). + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). format: int32 type: integer type: object type: object type: - description: 'type determines how the Service is exposed. - Defaults to ClusterIP. Valid options are ExternalName, - ClusterIP, NodePort, and LoadBalancer. "ClusterIP" - allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector - or if that is not specified, by manual construction - of an Endpoints object or EndpointSlice objects. If - clusterIP is "None", no virtual IP is allocated and - the endpoints are published as a set of endpoints - rather than a virtual IP. "NodePort" builds on ClusterIP - and allocates a port on every node which routes to - the same endpoints as the clusterIP. "LoadBalancer" - builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to - the same endpoints as the clusterIP. "ExternalName" - aliases this service to the specified externalName. - Several other fields do not apply to ExternalName - services. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' + description: |- + type determines how the Service is exposed. Defaults to ClusterIP. Valid + options are ExternalName, ClusterIP, NodePort, and LoadBalancer. + "ClusterIP" allocates a cluster-internal IP address for load-balancing + to endpoints. 
Endpoints are determined by the selector or if that is not + specified, by manual construction of an Endpoints object or + EndpointSlice objects. If clusterIP is "None", no virtual IP is + allocated and the endpoints are published as a set of endpoints rather + than a virtual IP. + "NodePort" builds on ClusterIP and allocates a port on every node which + routes to the same endpoints as the clusterIP. + "LoadBalancer" builds on NodePort and creates an external load-balancer + (if supported in the current cloud) which routes to the same endpoints + as the clusterIP. + "ExternalName" aliases this service to the specified externalName. + Several other fields do not apply to ExternalName services. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types type: string type: object type: object - description: Override configuration for the Service created to - serve traffic to the cluster. The key must be the endpoint type - (public, internal) + description: |- + Override configuration for the Service created to serve traffic to the cluster. + The key must be the endpoint type (public, internal) type: object type: object passwordSelectors: 
@@ -392,20 +381,23 @@ spec: description: The HSM's IPv4 address (X.Y.Z.K) type: string slotId: - description: One of TokenSerialNumber, TokenLabels or SlotId must + description: |- + One of TokenSerialNumber, TokenLabels or SlotId must be defined. SlotId is used if none of the others is defined type: string tokenLabels: - description: Token labels used to identify the token to be used. - One of TokenSerialNumber, TokenLabels or SlotId must be specified. - TokenLabels takes priority over SlotId. This can be a comma - separated string of labels + description: |- + Token labels used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must + be specified. TokenLabels takes priority over SlotId. + This can be a comma separated string of labels type: string tokenSerialNumber: - description: Token serial number used to identify the token to - be used. One of TokenSerialNumber, TokenLabels or SlotId must - be defined. TokenSerialNumber takes priority over TokenLabels - and SlotId + description: |- + Token serial number used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must + be defined. TokenSerialNumber takes priority over + TokenLabels and SlotId type: string type: description: 'A string containing the HSM type (currently supported: @@ -421,8 +413,9 @@ spec: type: object rabbitMqClusterName: default: rabbitmq - description: RabbitMQ instance name Needed to request a transportURL - that is created and used in Barbican + description: |- + RabbitMQ instance name + Needed to request a transportURL that is created and used in Barbican type: string replicas: default: 1 
@@ -432,22 +425,29 @@ spec: minimum: 0 type: integer resources: - description: Resources - Compute Resources required by this service - (Limits/Requests). https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + description: |- + Resources - Compute Resources required by this service (Limits/Requests). + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ properties: claims: - description: "Claims lists the names of resources, defined in - spec.resourceClaims, that are used by this container. \n This - is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be set - for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in pod.spec.resourceClaims - of the Pod where this field is used. It makes that resource - available inside a container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name 
@@ -463,8 +463,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute resources - allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: @@ -473,11 +474,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object secret: 
@@ -553,10 +554,10 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: @@ -568,14 +569,13 @@ spec: in CamelCase. type: string severity: - description: Severity provides a classification of Reason code, - so the current situation is immediately understandable and - could act accordingly. It is meant for situations where Status=False - and it should be indicated if it is just informational, warning - (next reconciliation might fix it) or an error (e.g. DB create - issue and no actions to automatically resolve the issue can/should - be done). For conditions where Status=Unknown or Status=True - the Severity should be SeverityNone. + description: |- + Severity provides a classification of Reason code, so the current situation is immediately + understandable and could act accordingly. + It is meant for situations where Status=False and it should be indicated if it is just + informational, warning (next reconciliation might fix it) or an error (e.g. DB create issue + and no actions to automatically resolve the issue can/should be done). + For conditions where Status=Unknown or Status=True the Severity should be SeverityNone. type: string status: description: Status of the condition, one of True, False, Unknown. diff --git a/config/crd/bases/barbican.openstack.org_barbicankeystonelisteners.yaml b/config/crd/bases/barbican.openstack.org_barbicankeystonelisteners.yaml index 8366530..80e9920 100644 --- a/config/crd/bases/barbican.openstack.org_barbicankeystonelisteners.yaml 
+++ b/config/crd/bases/barbican.openstack.org_barbicankeystonelisteners.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: barbicankeystonelisteners.barbican.openstack.org spec: group: barbican.openstack.org @@ -31,14 +30,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -51,17 +55,16 @@ spec: set to environmental default if empty) type: string customServiceConfig: - description: CustomServiceConfig - customize the service config using - this parameter to change service defaults, or overwrite rendered - information using raw OpenStack config format. The content gets - added to to /etc//.conf.d directory as a custom - config file. + description: |- + CustomServiceConfig - customize the service config using this parameter to change service defaults, + or overwrite rendered information using raw OpenStack config format. The content gets added to + to /etc//.conf.d directory as a custom config file. type: string customServiceConfigSecrets: - description: CustomServiceConfigSecrets - customize the service config - using this parameter to specify Secrets that contain sensitive service - config data. The content of each Secret gets added to the /etc//.conf.d - directory as a custom config file. + description: |- + CustomServiceConfigSecrets - customize the service config using this parameter to specify Secrets + that contain sensitive service config data. The content of each Secret gets added to the + /etc//.conf.d directory as a custom config file. items: type: string type: array 
@@ -73,17 +76,19 @@ spec: databaseHostname: type: string databaseInstance: - description: 'MariaDB instance name TODO(dmendiza): Is this comment - right? Right now required by the maridb-operator to get the credentials - from the instance to create the DB Might not be required in future' + description: |- + MariaDB instance name + TODO(dmendiza): Is this comment right? + Right now required by the maridb-operator to get the credentials from the instance to create the DB + Might not be required in future type: string defaultConfigOverwrite: additionalProperties: type: string - description: 'ConfigOverwrite - interface to overwrite default config - files like e.g. policy.json. But can also be used to add additional - files. Those get added to the service config dir in /etc/ - . TODO: -> implement' + description: |- + ConfigOverwrite - interface to overwrite default config files like e.g. policy.json. + But can also be used to add additional files. Those get added to the service config dir in /etc/ . + TODO: -> implement type: object enabledSecretStores: items: @@ -114,9 +119,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector to target subset of worker nodes running - this component. Setting here overrides any global NodeSelector settings - within the Barbican CR. + description: |- + NodeSelector to target subset of worker nodes running this component. Setting here overrides + any global NodeSelector settings within the Barbican CR. type: object passwordSelectors: default: 
@@ -214,20 +219,23 @@ spec: description: The HSM's IPv4 address (X.Y.Z.K) type: string slotId: - description: One of TokenSerialNumber, TokenLabels or SlotId must + description: |- + One of TokenSerialNumber, TokenLabels or SlotId must be defined. SlotId is used if none of the others is defined type: string tokenLabels: - description: Token labels used to identify the token to be used. - One of TokenSerialNumber, TokenLabels or SlotId must be specified. - TokenLabels takes priority over SlotId. This can be a comma - separated string of labels + description: |- + Token labels used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must + be specified. TokenLabels takes priority over SlotId. + This can be a comma separated string of labels type: string tokenSerialNumber: - description: Token serial number used to identify the token to - be used. One of TokenSerialNumber, TokenLabels or SlotId must - be defined. TokenSerialNumber takes priority over TokenLabels - and SlotId + description: |- + Token serial number used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must + be defined. TokenSerialNumber takes priority over + TokenLabels and SlotId type: string type: description: 'A string containing the HSM type (currently supported: @@ -243,8 +251,9 @@ spec: type: object rabbitMqClusterName: default: rabbitmq - description: RabbitMQ instance name Needed to request a transportURL - that is created and used in Barbican + description: |- + RabbitMQ instance name + Needed to request a transportURL that is created and used in Barbican type: string replicas: default: 1 
@@ -254,22 +263,29 @@ spec: minimum: 0 type: integer resources: - description: Resources - Compute Resources required by this service - (Limits/Requests). https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + description: |- + Resources - Compute Resources required by this service (Limits/Requests). + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ properties: claims: - description: "Claims lists the names of resources, defined in - spec.resourceClaims, that are used by this container. \n This - is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be set - for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in pod.spec.resourceClaims - of the Pod where this field is used. It makes that resource - available inside a container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name 
@@ -285,8 +301,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute resources - allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: @@ -295,11 +312,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object secret: 
@@ -348,10 +365,10 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: @@ -363,14 +380,13 @@ spec: in CamelCase. type: string severity: - description: Severity provides a classification of Reason code, - so the current situation is immediately understandable and - could act accordingly. It is meant for situations where Status=False - and it should be indicated if it is just informational, warning - (next reconciliation might fix it) or an error (e.g. DB create - issue and no actions to automatically resolve the issue can/should - be done). For conditions where Status=Unknown or Status=True - the Severity should be SeverityNone. + description: |- + Severity provides a classification of Reason code, so the current situation is immediately + understandable and could act accordingly. + It is meant for situations where Status=False and it should be indicated if it is just + informational, warning (next reconciliation might fix it) or an error (e.g. DB create issue + and no actions to automatically resolve the issue can/should be done). + For conditions where Status=Unknown or Status=True the Severity should be SeverityNone. type: string status: description: Status of the condition, one of True, False, Unknown. 
@@ -400,9 +416,10 @@ spec: description: NetworkAttachments status of the deployment pods type: object readyCount: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state - of cluster Important: Run "make" to regenerate code after modifying - this file ReadyCount of barbican API instances' + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file + ReadyCount of barbican API instances format: int32 type: integer type: object diff --git a/config/crd/bases/barbican.openstack.org_barbicans.yaml b/config/crd/bases/barbican.openstack.org_barbicans.yaml index bf9d770..2a5a5e7 100644 --- a/config/crd/bases/barbican.openstack.org_barbicans.yaml +++ b/config/crd/bases/barbican.openstack.org_barbicans.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: barbicans.barbican.openstack.org spec: group: barbican.openstack.org 
@@ -30,14 +29,19 @@ spec: description: Barbican is the Schema for the barbicans API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -53,28 +57,26 @@ spec: be set to environmental default if empty) type: string customServiceConfig: - description: CustomServiceConfig - customize the service config - using this parameter to change service defaults, or overwrite - rendered information using raw OpenStack config format. The - content gets added to to /etc//.conf.d directory - as a custom config file. + description: |- + CustomServiceConfig - customize the service config using this parameter to change service defaults, + or overwrite rendered information using raw OpenStack config format. The content gets added to + to /etc//.conf.d directory as a custom config file. type: string customServiceConfigSecrets: - description: CustomServiceConfigSecrets - customize the service - config using this parameter to specify Secrets that contain - sensitive service config data. The content of each Secret gets - added to the /etc//.conf.d directory as a - custom config file. + description: |- + CustomServiceConfigSecrets - customize the service config using this parameter to specify Secrets + that contain sensitive service config data. The content of each Secret gets added to the + /etc//.conf.d directory as a custom config file. items: type: string type: array defaultConfigOverwrite: additionalProperties: type: string - description: 'ConfigOverwrite - interface to overwrite default - config files like e.g. policy.json. But can also be used to - add additional files. Those get added to the service config - dir in /etc/ . TODO: -> implement' + description: |- + ConfigOverwrite - interface to overwrite default config files like e.g. policy.json. + But can also be used to add additional files. Those get added to the service config dir in /etc/ . + TODO: -> implement type: object enableSecureRBAC: default: true 
@@ -90,9 +92,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector to target subset of worker nodes running - this component. Setting here overrides any global NodeSelector - settings within the Barbican CR. + description: |- + NodeSelector to target subset of worker nodes running this component. Setting here overrides + any global NodeSelector settings within the Barbican CR. type: object override: description: Override, provides the ability to override the generated 
@@ -100,135 +102,114 @@ spec: properties: service: additionalProperties: - description: RoutedOverrideSpec - a routed service override - configuration for the Service created to serve traffic - to the cluster. Allows for the manifest of the created - Service to be overwritten with custom configuration. + description: |- + RoutedOverrideSpec - a routed service override configuration for the Service created to serve traffic + to the cluster. Allows for the manifest of the created Service to be overwritten with custom configuration. properties: endpointURL: type: string metadata: - description: EmbeddedLabelsAnnotations is an embedded - subset of the fields included in k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta. + description: |- + EmbeddedLabelsAnnotations is an embedded subset of the fields included in k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta. Only labels and annotations are included. properties: annotations: additionalProperties: type: string - description: 'Annotations is an unstructured key - value map stored with a resource that may be set - by external tools to store and retrieve arbitrary - metadata. They are not queryable and should be - preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations' + description: |- + Annotations is an unstructured key value map stored with a resource that may be + set by external tools to store and retrieve arbitrary metadata. They are not + queryable and should be preserved when modifying objects. + More info: http://kubernetes.io/docs/user-guide/annotations type: object labels: additionalProperties: type: string - description: 'Map of string keys and values that - can be used to organize and categorize (scope - and select) objects. May match selectors of replication - controllers and services. More info: http://kubernetes.io/docs/user-guide/labels' + description: |- + Map of string keys and values that can be used to organize and categorize + (scope and select) objects. 
May match selectors of replication controllers + and services. + More info: http://kubernetes.io/docs/user-guide/labels type: object type: object spec: - description: OverrideServiceSpec is a subset of the - fields included in https://pkg.go.dev/k8s.io/api@v0.26.6/core/v1#ServiceSpec - Limited to Type, SessionAffinity, LoadBalancerSourceRanges, - ExternalName, ExternalTrafficPolicy, SessionAffinityConfig, + description: |- + OverrideServiceSpec is a subset of the fields included in https://pkg.go.dev/k8s.io/api@v0.26.6/core/v1#ServiceSpec + Limited to Type, SessionAffinity, LoadBalancerSourceRanges, ExternalName, ExternalTrafficPolicy, SessionAffinityConfig, IPFamilyPolicy, LoadBalancerClass and InternalTrafficPolicy properties: externalName: - description: externalName is the external reference - that discovery mechanisms will return as an alias - for this service (e.g. a DNS CNAME record). No - proxying will be involved. Must be a lowercase - RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) - and requires `type` to be "ExternalName". + description: |- + externalName is the external reference that discovery mechanisms will + return as an alias for this service (e.g. a DNS CNAME record). No + proxying will be involved. Must be a lowercase RFC-1123 hostname + (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". type: string externalTrafficPolicy: - description: externalTrafficPolicy describes how - nodes distribute service traffic they receive - on one of the Service's "externally-facing" addresses - (NodePorts, ExternalIPs, and LoadBalancer IPs). - If set to "Local", the proxy will configure the - service in a way that assumes that external load - balancers will take care of balancing the service - traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the - service, without masquerading the client source - IP. (Traffic mistakenly sent to a node with no - endpoints will be dropped.) 
The default value, - "Cluster", uses the standard behavior of routing - to all endpoints evenly (possibly modified by - topology and other features). Note that traffic - sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, - but clients sending to a NodePort from within - the cluster may need to take traffic policy into - account when picking a node. + description: |- + externalTrafficPolicy describes how nodes distribute service traffic they + receive on one of the Service's "externally-facing" addresses (NodePorts, + ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure + the service in a way that assumes that external load balancers will take care + of balancing the service traffic between nodes, and so each node will deliver + traffic only to the node-local endpoints of the service, without masquerading + the client source IP. (Traffic mistakenly sent to a node with no endpoints will + be dropped.) The default value, "Cluster", uses the standard behavior of + routing to all endpoints evenly (possibly modified by topology and other + features). Note that traffic sent to an External IP or LoadBalancer IP from + within the cluster will always get "Cluster" semantics, but clients sending to + a NodePort from within the cluster may need to take traffic policy into account + when picking a node. type: string internalTrafficPolicy: - description: InternalTrafficPolicy describes how - nodes distribute service traffic they receive - on the ClusterIP. If set to "Local", the proxy - will assume that pods only want to talk to endpoints - of the service on the same node as the pod, dropping - the traffic if there are no local endpoints. The - default value, "Cluster", uses the standard behavior - of routing to all endpoints evenly (possibly modified - by topology and other features). 
+ description: |- + InternalTrafficPolicy describes how nodes distribute service traffic they + receive on the ClusterIP. If set to "Local", the proxy will assume that pods + only want to talk to endpoints of the service on the same node as the pod, + dropping the traffic if there are no local endpoints. The default value, + "Cluster", uses the standard behavior of routing to all endpoints evenly + (possibly modified by topology and other features). type: string ipFamilyPolicy: - description: IPFamilyPolicy represents the dual-stack-ness - requested or required by this Service. If there - is no value provided, then this field will be - set to SingleStack. Services can be "SingleStack" - (a single IP family), "PreferDualStack" (two IP - families on dual-stack configured clusters or - a single IP family on single-stack clusters), - or "RequireDualStack" (two IP families on dual-stack - configured clusters, otherwise fail). The ipFamilies - and clusterIPs fields depend on the value of this - field. This field will be wiped when updating - a service to type ExternalName. + description: |- + IPFamilyPolicy represents the dual-stack-ness requested or required by + this Service. If there is no value provided, then this field will be set + to SingleStack. Services can be "SingleStack" (a single IP family), + "PreferDualStack" (two IP families on dual-stack configured clusters or + a single IP family on single-stack clusters), or "RequireDualStack" + (two IP families on dual-stack configured clusters, otherwise fail). The + ipFamilies and clusterIPs fields depend on the value of this field. This + field will be wiped when updating a service to type ExternalName. type: string loadBalancerClass: - description: loadBalancerClass is the class of the - load balancer implementation this Service belongs - to. If specified, the value of this field must - be a label-style identifier, with an optional - prefix, e.g. "internal-vip" or "example.com/internal-vip". 
- Unprefixed names are reserved for end-users. This - field can only be set when the Service type is - 'LoadBalancer'. If not set, the default load balancer - implementation is used, today this is typically - done through the cloud provider integration, but - should apply for any default implementation. If - set, it is assumed that a load balancer implementation - is watching for Services with a matching class. - Any default load balancer implementation (e.g. - cloud providers) should ignore Services that set - this field. This field can only be set when creating - or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will - be wiped when a service is updated to a non 'LoadBalancer' - type. + description: |- + loadBalancerClass is the class of the load balancer implementation this Service belongs to. + If specified, the value of this field must be a label-style identifier, with an optional prefix, + e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. + This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load + balancer implementation is used, today this is typically done through the cloud provider integration, + but should apply for any default implementation. If set, it is assumed that a load balancer + implementation is watching for Services with a matching class. Any default load balancer + implementation (e.g. cloud providers) should ignore Services that set this field. + This field can only be set when creating or updating a Service to type 'LoadBalancer'. + Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. type: string loadBalancerSourceRanges: - description: 'If specified and supported by the - platform, this will restrict traffic through the - cloud-provider load-balancer will be restricted - to the specified client IPs. 
This field will be - ignored if the cloud-provider does not support - the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/' + description: |- + If specified and supported by the platform, this will restrict traffic through the cloud-provider + load-balancer will be restricted to the specified client IPs. This field will be ignored if the + cloud-provider does not support the feature." + More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ items: type: string type: array sessionAffinity: - description: 'Supports "ClientIP" and "None". Used - to maintain session affinity. Enable client IP - based session affinity. Must be ClientIP or None. - Defaults to None. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' + description: |- + Supports "ClientIP" and "None". Used to maintain session affinity. + Enable client IP based session affinity. + Must be ClientIP or None. + Defaults to None. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies type: string sessionAffinityConfig: description: sessionAffinityConfig contains the 
@@ -239,41 +220,38 @@ spec: of Client IP based session affinity. properties: timeoutSeconds: - description: timeoutSeconds specifies the - seconds of ClientIP type session sticky - time. The value must be >0 && <=86400(for - 1 day) if ServiceAffinity == "ClientIP". + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". Default value is 10800(for 3 hours). format: int32 type: integer type: object type: object type: - description: 'type determines how the Service is - exposed. Defaults to ClusterIP. Valid options - are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address - for load-balancing to endpoints. Endpoints are - determined by the selector or if that is not specified, - by manual construction of an Endpoints object - or EndpointSlice objects. If clusterIP is "None", - no virtual IP is allocated and the endpoints are - published as a set of endpoints rather than a - virtual IP. "NodePort" builds on ClusterIP and - allocates a port on every node which routes to - the same endpoints as the clusterIP. "LoadBalancer" - builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes - to the same endpoints as the clusterIP. "ExternalName" - aliases this service to the specified externalName. - Several other fields do not apply to ExternalName - services. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' + description: |- + type determines how the Service is exposed. Defaults to ClusterIP. Valid + options are ExternalName, ClusterIP, NodePort, and LoadBalancer. + "ClusterIP" allocates a cluster-internal IP address for load-balancing + to endpoints. Endpoints are determined by the selector or if that is not + specified, by manual construction of an Endpoints object or + EndpointSlice objects. 
If clusterIP is "None", no virtual IP is + allocated and the endpoints are published as a set of endpoints rather + than a virtual IP. + "NodePort" builds on ClusterIP and allocates a port on every node which + routes to the same endpoints as the clusterIP. + "LoadBalancer" builds on NodePort and creates an external load-balancer + (if supported in the current cloud) which routes to the same endpoints + as the clusterIP. + "ExternalName" aliases this service to the specified externalName. + Several other fields do not apply to ExternalName services. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types type: string type: object type: object - description: Override configuration for the Service created - to serve traffic to the cluster. The key must be the endpoint - type (public, internal) + description: |- + Override configuration for the Service created to serve traffic to the cluster. + The key must be the endpoint type (public, internal) type: object type: object replicas: 
@@ -284,23 +262,29 @@ spec: minimum: 0 type: integer resources: - description: Resources - Compute Resources required by this service - (Limits/Requests). https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + description: |- + Resources - Compute Resources required by this service (Limits/Requests). + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be - set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a - container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name 
@@ -316,8 +300,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: @@ -326,11 +311,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed - Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object tls: 
@@ -375,28 +360,26 @@ spec: be set to environmental default if empty) type: string customServiceConfig: - description: CustomServiceConfig - customize the service config - using this parameter to change service defaults, or overwrite - rendered information using raw OpenStack config format. The - content gets added to to /etc//.conf.d directory - as a custom config file. + description: |- + CustomServiceConfig - customize the service config using this parameter to change service defaults, + or overwrite rendered information using raw OpenStack config format. The content gets added to + to /etc//.conf.d directory as a custom config file. type: string customServiceConfigSecrets: - description: CustomServiceConfigSecrets - customize the service - config using this parameter to specify Secrets that contain - sensitive service config data. The content of each Secret gets - added to the /etc//.conf.d directory as a - custom config file. + description: |- + CustomServiceConfigSecrets - customize the service config using this parameter to specify Secrets + that contain sensitive service config data. The content of each Secret gets added to the + /etc//.conf.d directory as a custom config file. items: type: string type: array defaultConfigOverwrite: additionalProperties: type: string - description: 'ConfigOverwrite - interface to overwrite default - config files like e.g. policy.json. But can also be used to - add additional files. Those get added to the service config - dir in /etc/ . TODO: -> implement' + description: |- + ConfigOverwrite - interface to overwrite default config files like e.g. policy.json. + But can also be used to add additional files. Those get added to the service config dir in /etc/ . + TODO: -> implement type: object networkAttachments: description: NetworkAttachments is a list of NetworkAttachment 
@@ -407,9 +390,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector to target subset of worker nodes running - this component. Setting here overrides any global NodeSelector - settings within the Barbican CR. + description: |- + NodeSelector to target subset of worker nodes running this component. Setting here overrides + any global NodeSelector settings within the Barbican CR. type: object replicas: default: 1 @@ -419,23 +402,29 @@ spec: minimum: 0 type: integer resources: - description: Resources - Compute Resources required by this service - (Limits/Requests). https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + description: |- + Resources - Compute Resources required by this service (Limits/Requests). + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be - set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a - container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name 
@@ -451,8 +440,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: @@ -461,11 +451,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed - Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object required: 
@@ -480,28 +470,26 @@ spec: be set to environmental default if empty) type: string customServiceConfig: - description: CustomServiceConfig - customize the service config - using this parameter to change service defaults, or overwrite - rendered information using raw OpenStack config format. The - content gets added to to /etc//.conf.d directory - as a custom config file. + description: |- + CustomServiceConfig - customize the service config using this parameter to change service defaults, + or overwrite rendered information using raw OpenStack config format. The content gets added to + to /etc//.conf.d directory as a custom config file. type: string customServiceConfigSecrets: - description: CustomServiceConfigSecrets - customize the service - config using this parameter to specify Secrets that contain - sensitive service config data. The content of each Secret gets - added to the /etc//.conf.d directory as a - custom config file. + description: |- + CustomServiceConfigSecrets - customize the service config using this parameter to specify Secrets + that contain sensitive service config data. The content of each Secret gets added to the + /etc//.conf.d directory as a custom config file. items: type: string type: array defaultConfigOverwrite: additionalProperties: type: string - description: 'ConfigOverwrite - interface to overwrite default - config files like e.g. policy.json. But can also be used to - add additional files. Those get added to the service config - dir in /etc/ . TODO: -> implement' + description: |- + ConfigOverwrite - interface to overwrite default config files like e.g. policy.json. + But can also be used to add additional files. Those get added to the service config dir in /etc/ . + TODO: -> implement type: object networkAttachments: description: NetworkAttachments is a list of NetworkAttachment 
@@ -512,9 +500,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector to target subset of worker nodes running - this component. Setting here overrides any global NodeSelector - settings within the Barbican CR. + description: |- + NodeSelector to target subset of worker nodes running this component. Setting here overrides + any global NodeSelector settings within the Barbican CR. type: object replicas: default: 1 @@ -524,23 +512,29 @@ spec: minimum: 0 type: integer resources: - description: Resources - Compute Resources required by this service - (Limits/Requests). https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + description: |- + Resources - Compute Resources required by this service (Limits/Requests). + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be - set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a - container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name 
@@ -556,8 +550,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -566,22 +561,21 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed - Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object required: - containerImage type: object customServiceConfig: - description: CustomServiceConfig - customize the service config using - this parameter to change service defaults, or overwrite rendered - information using raw OpenStack config format. The content gets - added to to /etc//.conf.d directory as custom.conf - file. + description: |- + CustomServiceConfig - customize the service config using this parameter to change service defaults, + or overwrite rendered information using raw OpenStack config format. The content gets added to + to /etc//.conf.d directory as custom.conf file. type: string databaseAccount: default: barbican 
@@ -589,17 +583,19 @@ spec: for barbican DB, defaults to barbican type: string databaseInstance: - description: 'MariaDB instance name TODO(dmendiza): Is this comment - right? Right now required by the maridb-operator to get the credentials - from the instance to create the DB Might not be required in future' + description: |- + MariaDB instance name + TODO(dmendiza): Is this comment right? + Right now required by the maridb-operator to get the credentials from the instance to create the DB + Might not be required in future type: string defaultConfigOverwrite: additionalProperties: type: string - description: 'ConfigOverwrite - interface to overwrite default config - files like e.g. logging.conf or policy.json. But can also be used - to add additional files. Those get added to the service config dir - in /etc/ . TODO(dmendiza): -> implement' + description: |- + ConfigOverwrite - interface to overwrite default config files like e.g. logging.conf or policy.json. + But can also be used to add additional files. Those get added to the service config dir in /etc/ . + TODO(dmendiza): -> implement type: object enabledSecretStores: items: @@ -624,9 +620,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector to target subset of worker nodes running - this component. Setting here overrides any global NodeSelector settings - within the Barbican CR. + description: |- + NodeSelector to target subset of worker nodes running this component. Setting here overrides + any global NodeSelector settings within the Barbican CR. type: object passwordSelectors: default: 
@@ -724,20 +720,23 @@ spec: description: The HSM's IPv4 address (X.Y.Z.K) type: string slotId: - description: One of TokenSerialNumber, TokenLabels or SlotId must + description: |- + One of TokenSerialNumber, TokenLabels or SlotId must be defined. SlotId is used if none of the others is defined type: string tokenLabels: - description: Token labels used to identify the token to be used. - One of TokenSerialNumber, TokenLabels or SlotId must be specified. - TokenLabels takes priority over SlotId. This can be a comma - separated string of labels + description: |- + Token labels used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must + be specified. TokenLabels takes priority over SlotId. + This can be a comma separated string of labels type: string tokenSerialNumber: - description: Token serial number used to identify the token to - be used. One of TokenSerialNumber, TokenLabels or SlotId must - be defined. TokenSerialNumber takes priority over TokenLabels - and SlotId + description: |- + Token serial number used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must + be defined. TokenSerialNumber takes priority over + TokenLabels and SlotId type: string type: description: 'A string containing the HSM type (currently supported: @@ -758,8 +757,9 @@ spec: type: boolean rabbitMqClusterName: default: rabbitmq - description: RabbitMQ instance name Needed to request a transportURL - that is created and used in Barbican + description: |- + RabbitMQ instance name + Needed to request a transportURL that is created and used in Barbican type: string secret: default: osp-secret 
@@ -809,10 +809,10 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: @@ -824,14 +824,13 @@ spec: in CamelCase. type: string severity: - description: Severity provides a classification of Reason code, - so the current situation is immediately understandable and - could act accordingly. It is meant for situations where Status=False - and it should be indicated if it is just informational, warning - (next reconciliation might fix it) or an error (e.g. DB create - issue and no actions to automatically resolve the issue can/should - be done). For conditions where Status=Unknown or Status=True - the Severity should be SeverityNone. + description: |- + Severity provides a classification of Reason code, so the current situation is immediately + understandable and could act accordingly. + It is meant for situations where Status=False and it should be indicated if it is just + informational, warning (next reconciliation might fix it) or an error (e.g. DB create issue + and no actions to automatically resolve the issue can/should be done). + For conditions where Status=Unknown or Status=True the Severity should be SeverityNone. type: string status: description: Status of the condition, one of True, False, Unknown. 
@@ -854,11 +853,11 @@ spec: description: Map of hashes to track e.g. job status type: object observedGeneration: - description: ObservedGeneration - the most recent generation observed - for this service. If the observed generation is less than the spec - generation, then the controller has not processed the latest changes - injected by the opentack-operator in the top-level CR (e.g. the - ContainerImage) + description: |- + ObservedGeneration - the most recent generation observed for this + service. If the observed generation is less than the spec generation, + then the controller has not processed the latest changes injected by + the opentack-operator in the top-level CR (e.g. the ContainerImage) format: int64 type: integer serviceID: diff --git a/config/crd/bases/barbican.openstack.org_barbicanworkers.yaml b/config/crd/bases/barbican.openstack.org_barbicanworkers.yaml index 584c4df..ad89946 100644 --- a/config/crd/bases/barbican.openstack.org_barbicanworkers.yaml +++ b/config/crd/bases/barbican.openstack.org_barbicanworkers.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: barbicanworkers.barbican.openstack.org spec: group: barbican.openstack.org 
@@ -30,14 +29,19 @@ spec: description: BarbicanWorker is the Schema for the barbicanworkers API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -49,17 +53,16 @@ spec: set to environmental default if empty) type: string customServiceConfig: - description: CustomServiceConfig - customize the service config using - this parameter to change service defaults, or overwrite rendered - information using raw OpenStack config format. The content gets - added to to /etc//.conf.d directory as a custom - config file. + description: |- + CustomServiceConfig - customize the service config using this parameter to change service defaults, + or overwrite rendered information using raw OpenStack config format. The content gets added to + to /etc//.conf.d directory as a custom config file. type: string customServiceConfigSecrets: - description: CustomServiceConfigSecrets - customize the service config - using this parameter to specify Secrets that contain sensitive service - config data. The content of each Secret gets added to the /etc//.conf.d - directory as a custom config file. + description: |- + CustomServiceConfigSecrets - customize the service config using this parameter to specify Secrets + that contain sensitive service config data. The content of each Secret gets added to the + /etc//.conf.d directory as a custom config file. items: type: string type: array 
@@ -71,17 +74,19 @@ spec: databaseHostname: type: string databaseInstance: - description: 'MariaDB instance name TODO(dmendiza): Is this comment - right? Right now required by the maridb-operator to get the credentials - from the instance to create the DB Might not be required in future' + description: |- + MariaDB instance name + TODO(dmendiza): Is this comment right? + Right now required by the maridb-operator to get the credentials from the instance to create the DB + Might not be required in future type: string defaultConfigOverwrite: additionalProperties: type: string - description: 'ConfigOverwrite - interface to overwrite default config - files like e.g. policy.json. But can also be used to add additional - files. Those get added to the service config dir in /etc/ - . TODO: -> implement' + description: |- + ConfigOverwrite - interface to overwrite default config files like e.g. policy.json. + But can also be used to add additional files. Those get added to the service config dir in /etc/ . + TODO: -> implement type: object enabledSecretStores: items: @@ -112,9 +117,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector to target subset of worker nodes running - this component. Setting here overrides any global NodeSelector settings - within the Barbican CR. + description: |- + NodeSelector to target subset of worker nodes running this component. Setting here overrides + any global NodeSelector settings within the Barbican CR. type: object passwordSelectors: default: 
@@ -212,20 +217,23 @@ spec: description: The HSM's IPv4 address (X.Y.Z.K) type: string slotId: - description: One of TokenSerialNumber, TokenLabels or SlotId must + description: |- + One of TokenSerialNumber, TokenLabels or SlotId must be defined. SlotId is used if none of the others is defined type: string tokenLabels: - description: Token labels used to identify the token to be used. - One of TokenSerialNumber, TokenLabels or SlotId must be specified. - TokenLabels takes priority over SlotId. This can be a comma - separated string of labels + description: |- + Token labels used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must + be specified. TokenLabels takes priority over SlotId. + This can be a comma separated string of labels type: string tokenSerialNumber: - description: Token serial number used to identify the token to - be used. One of TokenSerialNumber, TokenLabels or SlotId must - be defined. TokenSerialNumber takes priority over TokenLabels - and SlotId + description: |- + Token serial number used to identify the token to be used. + One of TokenSerialNumber, TokenLabels or SlotId must + be defined. TokenSerialNumber takes priority over + TokenLabels and SlotId type: string type: description: 'A string containing the HSM type (currently supported: @@ -241,8 +249,9 @@ spec: type: object rabbitMqClusterName: default: rabbitmq - description: RabbitMQ instance name Needed to request a transportURL - that is created and used in Barbican + description: |- + RabbitMQ instance name + Needed to request a transportURL that is created and used in Barbican type: string replicas: default: 1 
@@ -252,22 +261,29 @@ spec: minimum: 0 type: integer resources: - description: Resources - Compute Resources required by this service - (Limits/Requests). https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + description: |- + Resources - Compute Resources required by this service (Limits/Requests). + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ properties: claims: - description: "Claims lists the names of resources, defined in - spec.resourceClaims, that are used by this container. \n This - is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be set - for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in pod.spec.resourceClaims - of the Pod where this field is used. It makes that resource - available inside a container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name 
@@ -283,8 +299,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute resources - allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: @@ -293,11 +310,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object secret: 
@@ -345,10 +362,10 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: @@ -360,14 +377,13 @@ spec: in CamelCase. type: string severity: - description: Severity provides a classification of Reason code, - so the current situation is immediately understandable and - could act accordingly. It is meant for situations where Status=False - and it should be indicated if it is just informational, warning - (next reconciliation might fix it) or an error (e.g. DB create - issue and no actions to automatically resolve the issue can/should - be done). For conditions where Status=Unknown or Status=True - the Severity should be SeverityNone. + description: |- + Severity provides a classification of Reason code, so the current situation is immediately + understandable and could act accordingly. + It is meant for situations where Status=False and it should be indicated if it is just + informational, warning (next reconciliation might fix it) or an error (e.g. DB create issue + and no actions to automatically resolve the issue can/should be done). + For conditions where Status=Unknown or Status=True the Severity should be SeverityNone. type: string status: description: Status of the condition, one of True, False, Unknown. 
@@ -397,9 +413,10 @@ spec: description: NetworkAttachments status of the deployment pods type: object readyCount: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state - of cluster Important: Run "make" to regenerate code after modifying - this file ReadyCount of barbican API instances' + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file + ReadyCount of barbican API instances format: int32 type: integer type: object diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 09b13bc..bc7684c 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - creationTimestamp: null name: manager-role rules: - apiGroups: diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml index 657de81..40246fd 100644 --- a/config/webhook/manifests.yaml +++ b/config/webhook/manifests.yaml @@ -2,7 +2,6 @@ apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: - creationTimestamp: null name: mutating-webhook-configuration webhooks: - admissionReviewVersions: @@ -29,7 +28,6 @@ webhooks: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: - creationTimestamp: null name: validating-webhook-configuration webhooks: - admissionReviewVersions: From 11ed7fa07e841baf851292ada34c45460739dd56 Mon Sep 17 00:00:00 2001 From: Martin Schuppert Date: Thu, 12 Dec 2024 12:03:19 +0100 Subject: [PATCH 11/14] crd-schema-check: allow new CRDs If the 'git show BASE_REF' fails assume it is a net new CRD and should be fine. Signed-off-by: Martin Schuppert --- hack/crd-schema-checker.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/hack/crd-schema-checker.sh b/hack/crd-schema-checker.sh index c431ae5..3a252ac 100755 --- a/hack/crd-schema-checker.sh +++ b/hack/crd-schema-checker.sh 
@@ -14,8 +14,9 @@ trap cleanup EXIT for crd in config/crd/bases/*.yaml; do mkdir -p "$(dirname "$TMP_DIR/$crd")" - git show "$BASE_REF:$crd" > "$TMP_DIR/$crd" - $CHECKER check-manifests \ - --existing-crd-filename="$TMP_DIR/$crd" \ - --new-crd-filename="$crd" + if git show "$BASE_REF:$crd" > "$TMP_DIR/$crd"; then + $CHECKER check-manifests \ + --existing-crd-filename="$TMP_DIR/$crd" \ + --new-crd-filename="$crd" + fi done From a5fce3ca6666f3dfdddb7f170412be020c1ac4e8 Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Mon, 9 Dec 2024 13:07:34 -0500 Subject: [PATCH 12/14] Fix permissions for barbican-p11-prep job --- pkg/barbican/p11_prep.go | 3 +-- pkg/barbican/volumes.go | 2 +- templates/barbican/config/Chrystoki.conf | 2 +- .../config/barbican-p11-prep-config.json | 17 ++++++++++++----- 4 files changed, 15 insertions(+), 9 deletions(-) diff --git a/pkg/barbican/p11_prep.go b/pkg/barbican/p11_prep.go index 0e3cee9..b51ff1a 100644 --- a/pkg/barbican/p11_prep.go +++ b/pkg/barbican/p11_prep.go @@ -11,7 +11,7 @@ import ( const ( // P11PrepCommand - - P11PrepCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start" + P11PrepCommand = "/usr/local/bin/kolla_start" P11PrepConfig = "p11-prep-config-data" ) @@ -49,7 +49,6 @@ func P11PrepJob(instance *barbicanv1beta1.Barbican, labels map[string]string, an runAsUser := int64(0) envVars := map[string]env.Setter{} envVars["KOLLA_CONFIG_STRATEGY"] = env.SetValue("COPY_ALWAYS") - envVars["KOLLA_BOOTSTRAP"] = env.SetValue("TRUE") job := &batchv1.Job{ ObjectMeta: metav1.ObjectMeta{ diff --git a/pkg/barbican/volumes.go b/pkg/barbican/volumes.go index 08c09b9..ef69a15 100644 --- a/pkg/barbican/volumes.go +++ b/pkg/barbican/volumes.go @@ -107,7 +107,7 @@ func GetLogVolume() corev1.Volume { func GetScriptVolumeMount() corev1.VolumeMount { return corev1.VolumeMount{ Name: ScriptVolume, - MountPath: "/var/lib/openstack/bin", + MountPath: "/usr/local/bin/container-scripts", ReadOnly: true, } } 
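Review bot: The new `if` around `git show` skips the compatibility check on any non-zero exit, not only the "path does not exist in BASE_REF" case the commit message describes — an unset or unfetched `$BASE_REF`, or a shallow clone, would also let the job pass with no schema check run at all and nothing in the log. Keeping the guard but adding an `else` branch that reports the skip, e.g. `else echo "skipping schema check for $crd: not found in $BASE_REF (new CRD?)" >&2`, preserves the intent while leaving a visible trace when the check did not run. If the script runs under `set -e` (not visible in this hunk) it is worth a comment that a failing command inside an `if` condition does not abort, since that is what the pattern relies on.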
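Review bot: The doc comment on the exported constant is still empty after this change (`// P11PrepCommand -`), and the change itself — dropping the explicit `kolla_set_configs &&` from the command, with `KOLLA_BOOTSTRAP` removed in the next hunk — is exactly what a later reader will want explained. Suggest `// P11PrepCommand is the entrypoint of the barbican-p11-prep job container; the script to run and the file ownership it needs are taken from the kolla config (barbican-p11-prep-config.json), so kolla_set_configs is not invoked explicitly here.` and, for the sibling constant, `// P11PrepConfig names the config data volume holding that kolla config` (hedged: the hunk shows only the string "p11-prep-config-data", not where it is consumed).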
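Review bot: `runAsUser := int64(0)` still pins the p11-prep job container to uid 0 after this commit removes `KOLLA_BOOTSTRAP`, and nothing in the hunk says why root is required. Since the same series adds a `permissions` stanza for `/var/log/barbican` to barbican-p11-prep-config.json, root is presumably needed so kolla_start can apply that chown before the script runs as `barbican`; a comment stating that, e.g. `// uid 0: kolla_start must be able to apply the "permissions" entries of the config before running the script as barbican`, would stop the next reader from "fixing" it. If that assumption does not hold, the job should run as the barbican uid like the service pods rather than as root. P11PrepJob continues outside the hunk.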
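Review bot: The new mount path `/usr/local/bin/container-scripts` in GetScriptVolumeMount is also spelled out literally as the `source` of generate_p11_keys.sh in templates/barbican/config/barbican-p11-prep-config.json; the two must stay in sync and nothing ties them together. A constant next to `ScriptVolume`, e.g. `ScriptMountPath = "/usr/local/bin/container-scripts"`, referenced here and noted in the template, would make the coupling explicit, and the function deserves a doc comment such as `// GetScriptVolumeMount mounts the scripts volume read-only at the path the kolla config files reference.` Keeping `ReadOnly: true` is right for a volume that holds executables.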
diff --git a/templates/barbican/config/Chrystoki.conf b/templates/barbican/config/Chrystoki.conf index 92f5e23..1b580e4 100644 --- a/templates/barbican/config/Chrystoki.conf +++ b/templates/barbican/config/Chrystoki.conf @@ -29,7 +29,7 @@ LunaSA Client = { SSLConfigFile = /usr/local/luna/openssl.cnf; ClientPrivKeyFile = {{ .P11CertificatesMountPoint }}/{{ .P11ClientAddress }}Key.pem; ClientCertFile = {{ .P11CertificatesMountPoint }}/{{ .P11ClientAddress }}.pem; - ServerCAFile = {{ .P11CertificatesMountPoint }}/{{ .P11ServerAddress }}Cert.pem; + ServerCAFile = {{ .P11CertificatesMountPoint }}/CACert.pem; NetClient = 1; TCPKeepAlive = 1; EnableTLS1_2 = 1; diff --git a/templates/barbican/config/barbican-p11-prep-config.json b/templates/barbican/config/barbican-p11-prep-config.json index d811bb2..3152baa 100644 --- a/templates/barbican/config/barbican-p11-prep-config.json +++ b/templates/barbican/config/barbican-p11-prep-config.json @@ -1,11 +1,11 @@ { - "command": "generate_p11_keys.sh", + "command": "/bin/generate_p11_keys.sh", "config_files": [ { - "source": "/var/lib/openstack/bin/generate_p11_keys.sh", - "dest": "/bin/", + "source": "/usr/local/bin/container-scripts/generate_p11_keys.sh", + "dest": "/bin/generate_p11_keys.sh", "owner": "barbican", - "perm": "0700" + "perm": "0755" }, { "source": "/var/lib/config-data/default/00-default.conf", @@ -15,11 +15,18 @@ }, { "source": "/var/lib/config-data/default/Chrystoki.conf", - "dest": "//usr/local/luna/Chrystoki.conf", + "dest": "/usr/local/luna/Chrystoki.conf", "owner": "barbican", "perm": "0600", "optional": true, "merge": true } + ], + "permissions": [ + { + "path": "/var/log/barbican", + "owner": "barbican:barbican", + "recurse": true + } ] } From 3b28a6c848e326b5d631de491e977b8460dc9d06 Mon Sep 17 00:00:00 2001 
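Review bot: `ServerCAFile` now points at a fixed name, `CACert.pem`, under `{{ .P11CertificatesMountPoint }}`, while the client key and certificate still derive their file names from `{{ .P11ClientAddress }}`. That file is the trust anchor the Luna client uses to authenticate the HSM over NTLS, so a certificates secret that lacks a key named exactly `CACert.pem` will presumably fail to connect with an error that is hard to trace back to the CR; the operator should check for that key when it reads the P11 certificates secret, and the CRD description for that secret should state that the CA must be provided as `CACert.pem`. The rename also silently changes the contract for anyone who populated the secret against the previous `{{ .P11ServerAddress }}Cert.pem` name, which is worth a line in the commit message.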
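Review bot: `perm` for generate_p11_keys.sh changes from `0700` to `0755`, i.e. from owner-only to readable and executable by everyone in the container, and the commit message says only that permissions were fixed. The owner stays `barbican` and the job's `command` is that same script, so if kolla_start runs it as the owner then `0700` (or `0750`) would continue to work; if the widening is needed because the script is launched under a different uid (P11PrepJob sets `runAsUser` to 0), that reason belongs in the commit message or in a comment on P11PrepJob, since this JSON cannot carry one. The script presumably drives PKCS#11 key generation (going by its name), so being deliberate about its mode is worthwhile even though it contains no secrets itself.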
From: OpenStack K8s CI
Date: Mon, 16 Dec 2024 12:01:19 +0000
Subject: [PATCH 13/14] Update openstack-k8s-operators
---
 api/go.mod | 25 +++++++++---------
 api/go.sum | 55 +++++++++++++++++++--------------------
 go.mod | 34 ++++++++++++-------------
 go.sum | 75 +++++++++++++++++++++++++++---------------------------
 4 files changed, 96 insertions(+), 93 deletions(-)
diff --git a/api/go.mod b/api/go.mod
index c0208a1..37a1238 100644
--- a/api/go.mod
+++ b/api/go.mod
@@ -5,7 +5,7 @@ go 1.21
 require (
 	github.com/onsi/ginkgo/v2 v2.20.1
 	github.com/onsi/gomega v1.34.1
-	github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241113144931-ff1fd2dcd04a
+	github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241216113837-d172b3ac0f4e
 	k8s.io/api v0.29.10
 	k8s.io/apimachinery v0.29.10
 	k8s.io/client-go v0.29.10
@@ -15,15 +15,16 @@ require (
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/emicklei/go-restful/v3 v3.11.2 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/emicklei/go-restful/v3 v3.12.0 // indirect
+	github.com/evanphx/json-patch v5.7.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
-	github.com/go-openapi/jsonpointer v0.20.2 // indirect
-	github.com/go-openapi/jsonreference v0.20.4 // indirect
-	github.com/go-openapi/swag v0.22.9 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
@@ -41,16 +42,16 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/prometheus/client_golang v1.18.0 // indirect
-	github.com/prometheus/client_model v0.5.0 // indirect
-	github.com/prometheus/common v0.46.0 // indirect
-	github.com/prometheus/procfs v0.12.0 // indirect
+	github.com/prometheus/client_golang v1.19.0 // indirect
+	github.com/prometheus/client_model v0.6.0 // indirect
+	github.com/prometheus/common v0.51.1 // indirect
+	github.com/prometheus/procfs v0.13.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/net v0.28.0 // indirect
-	golang.org/x/oauth2 v0.16.0 // indirect
+	golang.org/x/oauth2 v0.18.0 // indirect
 	golang.org/x/sys v0.23.0 // indirect
 	golang.org/x/term v0.23.0 // indirect
 	golang.org/x/text v0.17.0 // indirect
@@ -65,7 +66,7 @@ require (
 	k8s.io/apiextensions-apiserver v0.29.10 // indirect
 	k8s.io/component-base v0.29.10 // indirect
 	k8s.io/klog/v2 v2.120.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
+	k8s.io/kube-openapi v0.0.0-20240322212309-b815d8309940 // indirect
 	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
diff --git a/api/go.sum b/api/go.sum
index f100ef2..530b786 100644
--- a/api/go.sum
+++ b/api/go.sum
@@ -3,12 +3,13 @@ github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6r
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/emicklei/go-restful/v3 v3.11.2 h1:1onLa9DcsMYO9P+CXaL0dStDqQ2EHHXLiz+BtnqkLAU=
-github.com/emicklei/go-restful/v3 v3.11.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U=
-github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/emicklei/go-restful/v3 v3.12.0 h1:y2DdzBAURM29NFF94q6RaY4vjIH1rtwDapwQtU84iWk=
+github.com/emicklei/go-restful/v3 v3.12.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI=
+github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg=
 github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
@@ -17,12 +18,12 @@ github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
 github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
-github.com/go-openapi/jsonpointer v0.20.2 h1:mQc3nmndL8ZBzStEo3JYF8wzmeWffDH4VbXz58sAx6Q=
-github.com/go-openapi/jsonpointer v0.20.2/go.mod h1:bHen+N0u1KEO3YlmqOjTT9Adn1RfD91Ar825/PuiRVs=
-github.com/go-openapi/jsonreference v0.20.4 h1:bKlDxQxQJgwpUSgOENiMPzCTBVuc7vTdXSSgNeAhojU=
-github.com/go-openapi/jsonreference v0.20.4/go.mod h1:5pZJyJP2MnYCpoeoMAql78cCHauHj0V9Lhc506VOpw4=
-github.com/go-openapi/swag v0.22.9 h1:XX2DssF+mQKM2DHsbgZK74y/zj4mo9I99+89xUmuZCE=
-github.com/go-openapi/swag v0.22.9/go.mod h1:3/OXnFfnMAwBD099SwYRk7GD3xOrr1iL7d/XNLXVVwE=
+github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
+github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
+github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ=
+github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4=
+github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
+github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
@@ -71,28 +72,28 @@ github.com/onsi/ginkgo/v2 v2.20.1 h1:YlVIbqct+ZmnEph770q9Q7NVAz4wwIiVNahee6JyUzo
 github.com/onsi/ginkgo/v2 v2.20.1/go.mod h1:lG9ey2Z29hR41WMVthyJBGUBcBhGOtoPF2VFMvBXFCI=
 github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k=
 github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=
-github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241113144931-ff1fd2dcd04a h1:izLb1IVe6pXuQ6Y49CIAkN7yS9qe2fDptRlhxMHSYv4=
-github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241113144931-ff1fd2dcd04a/go.mod h1:YpNTuJhDWhbXM50O3qBkhO7M+OOyRmWkNVmJ4y3cyFs=
+github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241216113837-d172b3ac0f4e h1:hf4kVQBkyG79WcHBxdQ25QrDBbGFdarebS1Tc0Xclq4=
+github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241216113837-d172b3ac0f4e/go.mod h1:YpNTuJhDWhbXM50O3qBkhO7M+OOyRmWkNVmJ4y3cyFs=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk=
-github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA=
-github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=
-github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI=
-github.com/prometheus/common v0.46.0 h1:doXzt5ybi1HBKpsZOL0sSkaNHJJqkyfEWZGGqqScV0Y=
-github.com/prometheus/common v0.46.0/go.mod h1:Tp0qkxpb9Jsg54QMe+EAmqXkSV7Evdy1BTn+g2pa/hQ=
-github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
-github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
+github.com/prometheus/client_golang v1.19.0 h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU=
+github.com/prometheus/client_golang v1.19.0/go.mod h1:ZRM9uEAypZakd+q/x7+gmsvXdURP+DABIEIjnmDdp+k=
+github.com/prometheus/client_model v0.6.0 h1:k1v3CzpSRUTrKMppY35TLwPvxHqBu0bYgxZzqGIgaos=
+github.com/prometheus/client_model v0.6.0/go.mod h1:NTQHnmxFpouOD0DpvP4XujX3CdOAGQPoaGhyTchlyt8=
+github.com/prometheus/common v0.51.1 h1:eIjN50Bwglz6a/c3hAgSMcofL3nD+nFQkV6Dd4DsQCw=
+github.com/prometheus/common v0.51.1/go.mod h1:lrWtQx+iDfn2mbH5GUzlH9TSHyfZpHkSiG1W7y3sF2Q=
+github.com/prometheus/procfs v0.13.0 h1:GqzLlQyfsPbaEHaQkO7tbDlriv/4o5Hudv6OXHGKX7o=
+github.com/prometheus/procfs v0.13.0/go.mod h1:cd4PFCR54QLnGKPaKGA6l+cfuNXtht43ZKY6tow0Y1g=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
@@ -119,8 +120,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE=
 golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=
-golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ=
-golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o=
+golang.org/x/oauth2 v0.18.0 h1:09qnuIAgzdx1XplqJvW6CQqMCtGZykZWcXzPMPUusvI=
+golang.org/x/oauth2 v0.18.0/go.mod h1:Wf7knwG0MPoWIMMBgFlEaSUDaKskp0dCfrlJRJXbBi8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -187,8 +188,8 @@ k8s.io/component-base v0.29.10 h1:YQrQ/bpzGPGqIPEPaBzxjH0/1DJOI+yZPZNbbz7ZCBY=
 k8s.io/component-base v0.29.10/go.mod h1:IbwsBob2DnYiAONsSHIuYenchqcDycbHSLHrXshuLgM=
 k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
 k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag=
-k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98=
+k8s.io/kube-openapi v0.0.0-20240322212309-b815d8309940 h1:qVoMaQV5t62UUvHe16Q3eb2c5HPzLHYzsi0Tu/xLndo=
+k8s.io/kube-openapi v0.0.0-20240322212309-b815d8309940/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98=
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A=
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/controller-runtime v0.17.6 h1:12IXsozEsIXWAMRpgRlYS1jjAHQXHtWEOMdULh3DbEw=
diff --git a/go.mod b/go.mod
index 5a84d93..b556a46 100644
--- a/go.mod
+++ b/go.mod
@@ -9,11 +9,11 @@ require (
 	github.com/onsi/ginkgo/v2 v2.20.1
 	github.com/onsi/gomega v1.34.1
 	github.com/openstack-k8s-operators/barbican-operator/api v0.0.0-00010101000000-000000000000
-	github.com/openstack-k8s-operators/infra-operator/apis v0.5.1-0.20241024081600-3e23dc62002c
-	github.com/openstack-k8s-operators/keystone-operator/api v0.5.1-0.20241023160107-bd8e671350e1
-	github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241113144931-ff1fd2dcd04a
-	github.com/openstack-k8s-operators/lib-common/modules/storage v0.5.1-0.20241025164019-30baa23bf6f1
-	github.com/openstack-k8s-operators/lib-common/modules/test v0.5.1-0.20241025164019-30baa23bf6f1
+	github.com/openstack-k8s-operators/infra-operator/apis v0.5.1-0.20241213080025-18e54a028c8b
+	github.com/openstack-k8s-operators/keystone-operator/api v0.5.1-0.20241212135809-dc78e7221d12
+	github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241216113837-d172b3ac0f4e
+	github.com/openstack-k8s-operators/lib-common/modules/storage v0.5.1-0.20241216113837-d172b3ac0f4e
+	github.com/openstack-k8s-operators/lib-common/modules/test v0.5.1-0.20241216113837-d172b3ac0f4e
 	github.com/openstack-k8s-operators/mariadb-operator/api v0.5.0
 	go.uber.org/zap v1.27.0
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
@@ -27,14 +27,14 @@ require (
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/emicklei/go-restful/v3 v3.11.2 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/emicklei/go-restful/v3 v3.12.0 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
-	github.com/go-openapi/jsonpointer v0.20.2 // indirect
-	github.com/go-openapi/jsonreference v0.20.4 // indirect
-	github.com/go-openapi/swag v0.22.9 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
@@ -52,17 +52,17 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/openshift/api v3.9.0+incompatible // indirect
-	github.com/openstack-k8s-operators/lib-common/modules/openstack v0.5.1-0.20241025164019-30baa23bf6f1 // indirect
+	github.com/openstack-k8s-operators/lib-common/modules/openstack v0.5.1-0.20241216113837-d172b3ac0f4e // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/prometheus/client_golang v1.18.0 // indirect
-	github.com/prometheus/client_model v0.5.0 // indirect
-	github.com/prometheus/common v0.46.0 // indirect
-	github.com/prometheus/procfs v0.12.0 // indirect
+	github.com/prometheus/client_golang v1.19.0 // indirect
+	github.com/prometheus/client_model v0.6.0 // indirect
+	github.com/prometheus/common v0.51.1 // indirect
+	github.com/prometheus/procfs v0.13.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/mod v0.20.0 // indirect
 	golang.org/x/net v0.28.0 // indirect
-	golang.org/x/oauth2 v0.16.0 // indirect
+	golang.org/x/oauth2 v0.18.0 // indirect
 	golang.org/x/sys v0.23.0 // indirect
 	golang.org/x/term v0.23.0 // indirect
 	golang.org/x/text v0.17.0 // indirect
@@ -77,7 +77,7 @@ require (
 	k8s.io/apiextensions-apiserver v0.29.10 // indirect
 	k8s.io/component-base v0.29.10 // indirect
 	k8s.io/klog/v2 v2.120.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
+	k8s.io/kube-openapi v0.0.0-20240322212309-b815d8309940 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
diff --git a/go.sum b/go.sum
index ce07bcc..8a86450 100644
--- a/go.sum
+++ b/go.sum
@@ -3,12 +3,13 @@ github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6r
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/emicklei/go-restful/v3 v3.11.2 h1:1onLa9DcsMYO9P+CXaL0dStDqQ2EHHXLiz+BtnqkLAU=
-github.com/emicklei/go-restful/v3 v3.11.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U=
-github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/emicklei/go-restful/v3 v3.12.0 h1:y2DdzBAURM29NFF94q6RaY4vjIH1rtwDapwQtU84iWk=
+github.com/emicklei/go-restful/v3 v3.12.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI=
+github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg=
 github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
@@ -17,12 +18,12 @@ github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
 github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
-github.com/go-openapi/jsonpointer v0.20.2 h1:mQc3nmndL8ZBzStEo3JYF8wzmeWffDH4VbXz58sAx6Q=
-github.com/go-openapi/jsonpointer v0.20.2/go.mod h1:bHen+N0u1KEO3YlmqOjTT9Adn1RfD91Ar825/PuiRVs=
-github.com/go-openapi/jsonreference v0.20.4 h1:bKlDxQxQJgwpUSgOENiMPzCTBVuc7vTdXSSgNeAhojU=
-github.com/go-openapi/jsonreference v0.20.4/go.mod h1:5pZJyJP2MnYCpoeoMAql78cCHauHj0V9Lhc506VOpw4=
-github.com/go-openapi/swag v0.22.9 h1:XX2DssF+mQKM2DHsbgZK74y/zj4mo9I99+89xUmuZCE=
-github.com/go-openapi/swag v0.22.9/go.mod h1:3/OXnFfnMAwBD099SwYRk7GD3xOrr1iL7d/XNLXVVwE=
+github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
+github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
+github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ=
+github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4=
+github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
+github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
@@ -77,40 +78,40 @@ github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k= github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY= github.com/openshift/api v0.0.0-20240830023148-b7d0481c9094 h1:J1wuGhVxpsHykZBa6Beb1gQ96Ptej9AE/BvwCBiRj1E= github.com/openshift/api v0.0.0-20240830023148-b7d0481c9094/go.mod h1:CxgbWAlvu2iQB0UmKTtRu1YfepRg1/vJ64n2DlIEVz4= -github.com/openstack-k8s-operators/infra-operator/apis v0.5.1-0.20241024081600-3e23dc62002c h1:/TXY/Hux6hfDEx5KIWQIMx7IKs2no4Pa/TsTVKDuLkw= -github.com/openstack-k8s-operators/infra-operator/apis v0.5.1-0.20241024081600-3e23dc62002c/go.mod h1:J9oUh3eGBvAFfyUMiPxPRBSxAcO8rnwITN4RTh/It+8= -github.com/openstack-k8s-operators/keystone-operator/api v0.5.1-0.20241023160107-bd8e671350e1 h1:he0/o7mLKhXa16QlwajRHtAOjot84Emvgl4jdl3esgU= -github.com/openstack-k8s-operators/keystone-operator/api v0.5.1-0.20241023160107-bd8e671350e1/go.mod h1:saoorrsPo3DzDPGM6PJ8sQJBNuNRGCHjRHChRQmkoQ0= -github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241113144931-ff1fd2dcd04a h1:izLb1IVe6pXuQ6Y49CIAkN7yS9qe2fDptRlhxMHSYv4= -github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241113144931-ff1fd2dcd04a/go.mod h1:YpNTuJhDWhbXM50O3qBkhO7M+OOyRmWkNVmJ4y3cyFs= -github.com/openstack-k8s-operators/lib-common/modules/openstack v0.5.1-0.20241025164019-30baa23bf6f1 h1:k5aZEt+xNGZXvEYs02FC2nL0I6QLgsWOsDOGwgiQh2E= -github.com/openstack-k8s-operators/lib-common/modules/openstack v0.5.1-0.20241025164019-30baa23bf6f1/go.mod h1:djfljx3jfHqywhY3oDvPg/GLKwiFVkds6v7P7/Yg+8g= -github.com/openstack-k8s-operators/lib-common/modules/storage v0.5.1-0.20241025164019-30baa23bf6f1 h1:3ga7BSlbuXypDeuV6mpG1AvgxWLeYTKYzCb9J/UyU5c= -github.com/openstack-k8s-operators/lib-common/modules/storage v0.5.1-0.20241025164019-30baa23bf6f1/go.mod h1:cGynoLGY9NfyIeWXI3zZ+hgZdHF3SUi8ht5ygZ8CmhI= -github.com/openstack-k8s-operators/lib-common/modules/test v0.5.1-0.20241025164019-30baa23bf6f1 
h1:7tlv11dDu2fKxjhbEtrjNAPRE7q0FfmCNX0sxOKdMJs= -github.com/openstack-k8s-operators/lib-common/modules/test v0.5.1-0.20241025164019-30baa23bf6f1/go.mod h1:LV0jo5etIsGyINpmB37i4oWR8zU6ApIuh7fsqGGA41o= +github.com/openstack-k8s-operators/infra-operator/apis v0.5.1-0.20241213080025-18e54a028c8b h1:/BcTWsgk71mzFSIoRCJVBDujNMfEajmZ1L3VwXlJylI= +github.com/openstack-k8s-operators/infra-operator/apis v0.5.1-0.20241213080025-18e54a028c8b/go.mod h1:SSYBbFbgQbOwyY2cQNet7fSdQHHPb2rLo6GXE97Awp8= +github.com/openstack-k8s-operators/keystone-operator/api v0.5.1-0.20241212135809-dc78e7221d12 h1:37tN4oVifWqkerafFrx3DFDDTOOzn2H+c67WIQ1Vkss= +github.com/openstack-k8s-operators/keystone-operator/api v0.5.1-0.20241212135809-dc78e7221d12/go.mod h1:AZhHY6dZzGyG9iVOf1poD7pTS9c7ZG/f99Fg+GdFVEk= +github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241216113837-d172b3ac0f4e h1:hf4kVQBkyG79WcHBxdQ25QrDBbGFdarebS1Tc0Xclq4= +github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241216113837-d172b3ac0f4e/go.mod h1:YpNTuJhDWhbXM50O3qBkhO7M+OOyRmWkNVmJ4y3cyFs= +github.com/openstack-k8s-operators/lib-common/modules/openstack v0.5.1-0.20241216113837-d172b3ac0f4e h1:HFo4OqPY0x4ZQeaWI2YGonTXAGTQFt+rOEJlfZVhS7s= +github.com/openstack-k8s-operators/lib-common/modules/openstack v0.5.1-0.20241216113837-d172b3ac0f4e/go.mod h1:IASoGvp5QM/tBJUd/8i8uIjj4DBnI+64Ydh4r7pmnvA= +github.com/openstack-k8s-operators/lib-common/modules/storage v0.5.1-0.20241216113837-d172b3ac0f4e h1:Qz0JFEoRDUyjEWorNY3LggwxTsmpMtQkcpmZDQulGHQ= +github.com/openstack-k8s-operators/lib-common/modules/storage v0.5.1-0.20241216113837-d172b3ac0f4e/go.mod h1:tfgBeLRqmlH/NQkLPe7396rj+t0whv2wPuMb8Ttvh8w= +github.com/openstack-k8s-operators/lib-common/modules/test v0.5.1-0.20241216113837-d172b3ac0f4e h1:/iWDp3j+ET3gE5IjKHtdZaPd4SQyLHB/4L5jB16cV3I= +github.com/openstack-k8s-operators/lib-common/modules/test v0.5.1-0.20241216113837-d172b3ac0f4e/go.mod h1:LV0jo5etIsGyINpmB37i4oWR8zU6ApIuh7fsqGGA41o= 
github.com/openstack-k8s-operators/mariadb-operator/api v0.5.0 h1:XBx1TuyKhgtWAigYVcdqTUzIwWRYHN63pfa0zxHB12M= github.com/openstack-k8s-operators/mariadb-operator/api v0.5.0/go.mod h1:Uyc8m+72l3rVm6jKb8FRUrQbjMWyifc5m0K+Ge0QV80= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk= -github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA= -github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw= -github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= -github.com/prometheus/common v0.46.0 h1:doXzt5ybi1HBKpsZOL0sSkaNHJJqkyfEWZGGqqScV0Y= -github.com/prometheus/common v0.46.0/go.mod h1:Tp0qkxpb9Jsg54QMe+EAmqXkSV7Evdy1BTn+g2pa/hQ= -github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= -github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= +github.com/prometheus/client_golang v1.19.0 h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU= +github.com/prometheus/client_golang v1.19.0/go.mod h1:ZRM9uEAypZakd+q/x7+gmsvXdURP+DABIEIjnmDdp+k= +github.com/prometheus/client_model v0.6.0 h1:k1v3CzpSRUTrKMppY35TLwPvxHqBu0bYgxZzqGIgaos= +github.com/prometheus/client_model v0.6.0/go.mod h1:NTQHnmxFpouOD0DpvP4XujX3CdOAGQPoaGhyTchlyt8= +github.com/prometheus/common v0.51.1 h1:eIjN50Bwglz6a/c3hAgSMcofL3nD+nFQkV6Dd4DsQCw= +github.com/prometheus/common v0.51.1/go.mod h1:lrWtQx+iDfn2mbH5GUzlH9TSHyfZpHkSiG1W7y3sF2Q= +github.com/prometheus/procfs v0.13.0 h1:GqzLlQyfsPbaEHaQkO7tbDlriv/4o5Hudv6OXHGKX7o= +github.com/prometheus/procfs v0.13.0/go.mod 
h1:cd4PFCR54QLnGKPaKGA6l+cfuNXtht43ZKY6tow0Y1g= github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= -github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= 
@@ -141,8 +142,8 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= -golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ= -golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o= +golang.org/x/oauth2 v0.18.0 h1:09qnuIAgzdx1XplqJvW6CQqMCtGZykZWcXzPMPUusvI= +golang.org/x/oauth2 v0.18.0/go.mod h1:Wf7knwG0MPoWIMMBgFlEaSUDaKskp0dCfrlJRJXbBi8= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -211,8 +212,8 @@ k8s.io/component-base v0.29.10 h1:YQrQ/bpzGPGqIPEPaBzxjH0/1DJOI+yZPZNbbz7ZCBY= k8s.io/component-base v0.29.10/go.mod h1:IbwsBob2DnYiAONsSHIuYenchqcDycbHSLHrXshuLgM= k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag= -k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= +k8s.io/kube-openapi v0.0.0-20240322212309-b815d8309940 h1:qVoMaQV5t62UUvHe16Q3eb2c5HPzLHYzsi0Tu/xLndo= +k8s.io/kube-openapi v0.0.0-20240322212309-b815d8309940/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/controller-runtime v0.17.6 h1:12IXsozEsIXWAMRpgRlYS1jjAHQXHtWEOMdULh3DbEw= From e600c2df77b95d29cf187545c4475b76ead0759d Mon Sep 17 00:00:00 2001 From: Mauricio Harley Date: Mon, 23 Dec 2024 11:33:05 +0000 Subject: [PATCH 14/14] HSM Functional Tests Signed-off-by: Mauricio Harley --- tests/functional/barbican_controller_test.go | 51 +++++++++++++++++--- tests/functional/suite_test.go | 1 + 2 files changed, 44 insertions(+), 8 deletions(-) diff --git a/tests/functional/barbican_controller_test.go b/tests/functional/barbican_controller_test.go index f5c496a..8bdf665 100644 --- a/tests/functional/barbican_controller_test.go +++ b/tests/functional/barbican_controller_test.go 
@@ -473,6 +473,20 @@ var _ = Describe("Barbican controller", func() { Expect(container.ReadinessProbe.HTTPGet.Scheme).To(Equal(corev1.URISchemeHTTP)) Expect(container.LivenessProbe.HTTPGet.Scheme).To(Equal(corev1.URISchemeHTTP)) + + // Checking the HSM container + Expect(container.Name).To(Equal(barbican.ComponentAPI)) + foundMount := false + indexMount := 0 + for index, volumeMount := range container.VolumeMounts { + if volumeMount.Name == barbican.LunaVolume { + foundMount = true + indexMount = index + break + } + } + Expect(foundMount).To(BeTrue()) + Expect(container.VolumeMounts[indexMount].MountPath).To(Equal(HSMCertificatesMountPoint)) }) It("Verifies the PKCS11 struct is in good shape", func() { @@ -508,6 +522,7 @@ var _ = Describe("Barbican controller", func() { confServer := certsSecret.Data[HSMServerAddress+"Server.pem"] Expect(confServer).To( ContainSubstring("dummy-data")) + confClient := certsSecret.Data[HSMClientAddress+"Client.pem"] Expect(confClient).To( ContainSubstring("dummy-data")) @@ -516,7 +531,7 @@ var _ = Describe("Barbican controller", func() { ContainSubstring("dummy-data")) }) - It("Verifies if Chrystoki.conf and 00-default.conf have the right contents.", func() { + It("Verifies if 00-default.conf, barbican-api-config.json and Chrystoki.conf have the right contents.", func() { confSecret := th.GetSecret(barbicanTest.BarbicanConfigSecret) Expect(confSecret).ShouldNot(BeNil()) 
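Review bot: The new assertion pins only `MountPath` for the `barbican.LunaVolume` mount on the API container, although that volume carries the HSM client key material (a later hunk asserts `ClientPrivKeyFile` lives under `HSMCertificatesMountPoint`); if the deployment mounts it read-only, pin that here too with `Expect(container.VolumeMounts[indexMount].ReadOnly).To(BeTrue())`, since this is the one place a writable key mount would be caught. The comment `// Checking the HSM container` is misleading because `container` is asserted to be `barbican.ComponentAPI`; `// Checking the HSM volume mount on the API container` says what the block does. The found-flag plus index search is fine, but the P11 prep job test further down in this file locates the same mounts differently; the two should agree on one idiom. The enclosing It block starts before the hunk.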
@@ -527,6 +542,12 @@ var _ = Describe("Barbican controller", func() { ContainSubstring("LunaSA Client")) Expect(conf).To( ContainSubstring("ProtectedAuthenticationPathFlagStatus = 0")) + Expect(conf).To( + ContainSubstring("ClientPrivKeyFile = " + HSMCertificatesMountPoint + "/" + HSMClientAddress + "Key.pem")) + Expect(conf).To( + ContainSubstring("ClientCertFile = " + HSMCertificatesMountPoint + "/" + HSMClientAddress + ".pem")) + Expect(conf).To( + ContainSubstring("ServerCAFile = " + HSMCertificatesMountPoint + "/CACert.pem")) conf = confSecret.Data["00-default.conf"] Expect(conf).To( @@ -535,6 +556,12 @@ var _ = Describe("Barbican controller", func() { ContainSubstring("plugin_name = PKCS11")) Expect(conf).To( ContainSubstring("slot_id = " + HSMSlotID)) + + conf = confSecret.Data["barbican-api-config.json"] + Expect(conf).To( + ContainSubstring("/var/lib/config-data/default/Chrystoki.conf")) + Expect(conf).To( + ContainSubstring("/usr/local/luna/Chrystoki.conf")) }) It("Checks if the P11PreJob successfully executed", func() { 
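Review bot: The Chrystoki.conf assertions pin the client material to `HSMClientAddress + "Key.pem"` and `HSMClientAddress + ".pem"`, while the certs-secret assertions in the preceding hunk look up `HSMClientAddress + "Client.pem"`; if the P11 prep job renames the secret entries into the Luna file-naming scheme, a comment above these lines such as `// Chrystoki.conf uses the Luna naming (<client>.pem / <client>Key.pem), not the secret's key names` keeps the two conventions from reading as a typo, and if it does not, one of the two sets of names is wrong. The `ServerCAFile` line is checked as a path string only, which is consistent with the rest of this It block. The enclosing It block starts before the hunk.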
@@ -548,22 +575,30 @@ var _ = Describe("Barbican controller", func() { ) // Checking if both, the volume mount name and its mount path match the specified values. - volumeMounts := th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts - elemNum := 0 - for index, mount := range volumeMounts { + var elemLuna, elemScript = 0, 0 + for index, mount := range th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts { if mount.Name == barbican.LunaVolume { - elemNum = index - break + elemLuna = index + } else if mount.Name == barbican.ScriptVolume { + elemScript = index } } - volume := th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts[elemNum].Name - mountPath := th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts[elemNum].MountPath + volume := th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts[elemLuna].Name + mountPath := th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts[elemLuna].MountPath Eventually(func(g Gomega) { g.Expect(volume).To(Equal(barbican.LunaVolume)) g.Expect(mountPath).To(Equal(HSMCertificatesMountPoint)) }, timeout, interval).Should(Succeed()) + + volume = th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts[elemScript].Name + mountPath = th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts[elemScript].MountPath + + Eventually(func(g Gomega) { + g.Expect(volume).To(Equal(barbican.ScriptVolume)) + g.Expect(mountPath).To(Equal(P11PrepMountPoint)) + }, timeout, interval).Should(Succeed()) }) }) diff --git a/tests/functional/suite_test.go b/tests/functional/suite_test.go index 7f5d38a..7b111eb 100644 --- a/tests/functional/suite_test.go +++ b/tests/functional/suite_test.go 
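Review bot: The rewritten loop defaults `elemLuna` and `elemScript` to 0 with no found-flag, so a missing mount silently falls through to whatever sits at index 0 (and indexing panics if the container has no mounts), and the check only fails indirectly through the later name comparison; the earlier API-container test in this same file uses a `foundMount` flag, so the two tests disagree in style. `th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts` is now evaluated five times where the removed code fetched it once, and both `Eventually` blocks wrap values computed outside the closure, so retries cannot observe anything new. Fetching the mounts once, indexing them by name and asserting presence with `HaveKey` removes all three issues. The enclosing It block starts before the hunk.
```go
mounts := th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts
byName := make(map[string]corev1.VolumeMount, len(mounts))
for _, mount := range mounts {
	byName[mount.Name] = mount
}
Expect(byName).To(HaveKey(barbican.LunaVolume))
Expect(byName[barbican.LunaVolume].MountPath).To(Equal(HSMCertificatesMountPoint))
Expect(byName).To(HaveKey(barbican.ScriptVolume))
Expect(byName[barbican.ScriptVolume].MountPath).To(Equal(P11PrepMountPoint))
```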
@@ -81,6 +81,7 @@ const (
 HSMClientAddress = "192.168.0.2"
 HSMLoginSecret = "hsm-login"
 HSMCertsSecret = "hsm-certs"
+ P11PrepMountPoint = "/usr/local/bin/container-scripts"
 )
 
 func TestAPIs(t *testing.T) {