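---
# Hook: render a kustomize overlay that switches the control-plane Barbican to a
# Proteccio PKCS#11 HSM back end. This play only writes the overlay file; nothing
# is applied to the cluster here, and the HSM keys are not created here either.
#
# Inputs (Ansible vars):
#   cifmw_target_hook_host                  host to run on (default: localhost)
#   cifmw_manifests_dir                     root of the generated manifests tree
#   namespace                               namespace written into the overlay
#   cifmw_hsm_proteccio_partition           PKCS#11 token label(s) -> token_labels
#   cifmw_hsm_mkek_label                    label of the MKEK on the partition -> mkek_label
#   cifmw_hsm_hmac_label                    label of the HMAC key on the partition -> hmac_label
#   cifmw_hsm_key_wrap_mechanism            PKCS#11 mechanism -> key_wrap_mechanism
#   cifmw_hsm_login_secret                  Secret name -> pkcs11.loginSecret
#                                           (default: barbican-proteccio-login)
#   cifmw_hsm_proteccio_client_data_secret  Secret name -> pkcs11.clientDataSecret,
#                                           mounted at /etc/proteccio
#                                           (default: barbican-proteccio-client-data)
#   cifmw_hsm_proteccio_library_path        vendor PKCS#11 library path
#                                           (default: /usr/lib64/libnethsm.so)
#
# The labelled MKEK/HMAC keys must already exist on the partition (or be generated
# by a separate step); a wrong label or mechanism only surfaces when Barbican starts.
- name: Create kustomization to update Barbican to use proteccio
  hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
  tasks:
    - name: Create file to customize barbican resource deployed in the control plane
      vars:
        # Secret *names* only; the Secrets themselves are created elsewhere.
        client_data_secret: "{{ cifmw_hsm_proteccio_client_data_secret | default('barbican-proteccio-client-data', true) }}"
        login_secret: "{{ cifmw_hsm_login_secret | default('barbican-proteccio-login', true) }}"
      # The overlay carries no key material, only Secret references and
      # plugin settings, so world-readable (0644) is acceptable.
      #
      # p11_crypto_plugin settings written below:
      #   encryption_mechanism / hmac_* / key_wrap_*  fixed for this HSM; change
      #     only together with the vendor's supported-mechanism list.
      #   always_set_cka_sensitive = true  keep on so generated keys carry
      #     CKA_SENSITIVE (not extractable in the clear).
      #   os_locking_ok = false            driver-specific locking setting this
      #     hook expects for Proteccio; confirm with the vendor docs before flipping.
      # Templated scalars inside the overlay are quoted so that a name that
      # happens to look like a number/boolean is not retyped by the YAML parser.
      ansible.builtin.copy:
        mode: '0644'
        dest: "{{ cifmw_manifests_dir }}/kustomizations/controlplane/93-barbican-proteccio.yaml"
        content: |-
          apiVersion: kustomize.config.k8s.io/v1beta1
          kind: Kustomization
          resources:
          namespace: "{{ namespace }}"
          patches:
            - target:
                kind: OpenStackControlPlane
                name: .*
              patch: |-
                - op: add
                  path: /spec/barbican/template/globalDefaultSecretStore
                  value: pkcs11
                - op: add
                  path: /spec/barbican/template/enabledSecretStores
                  value:
                    - pkcs11
                - op: add
                  path: /spec/barbican/template/pkcs11
                  value:
                    loginSecret: "{{ login_secret }}"
                    clientDataSecret: "{{ client_data_secret }}"
                    clientDataPath: /etc/proteccio
                - op: add
                  path: /spec/barbican/template/customServiceConfig
                  value: |
                    [p11_crypto_plugin]
                    plugin_name = PKCS11
                    library_path = {{ cifmw_hsm_proteccio_library_path | default('/usr/lib64/libnethsm.so', true) }}
                    token_labels = {{ cifmw_hsm_proteccio_partition }}
                    mkek_label = {{ cifmw_hsm_mkek_label }}
                    hmac_label = {{ cifmw_hsm_hmac_label }}
                    encryption_mechanism = CKM_AES_CBC
                    hmac_key_type = CKK_GENERIC_SECRET
                    hmac_keygen_mechanism = CKM_GENERIC_SECRET_KEY_GEN
                    hmac_mechanism = CKM_SHA256_HMAC
                    key_wrap_mechanism = {{ cifmw_hsm_key_wrap_mechanism }}
                    key_wrap_generate_iv = true
                    always_set_cka_sensitive = true
                    os_locking_ok = false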