From 4cc698e75895de58b8209a2c4457d4f7f7dd85f5 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Tue, 3 Dec 2024 19:57:12 +0000
Subject: [PATCH] more changes

---
 hooks/playbooks/barbican-enable-luna.yml   |  5 +--
 roles/hsm_prep/defaults/main.yml           |  6 +++
 .../files/image_add_luna_minimal_client.sh | 11 +++--
 roles/hsm_prep/tasks/cleanup.yml           | 37 +++++++++++++++++++
 roles/hsm_prep/tasks/luna.yml              | 35 ------------------
 5 files changed, 49 insertions(+), 45 deletions(-)
 create mode 100644 roles/hsm_prep/tasks/cleanup.yml

diff --git a/hooks/playbooks/barbican-enable-luna.yml b/hooks/playbooks/barbican-enable-luna.yml
index 7a854dbc85..6a9fd40bca 100644
--- a/hooks/playbooks/barbican-enable-luna.yml
+++ b/hooks/playbooks/barbican-enable-luna.yml
@@ -14,15 +14,12 @@
     ansible_ssh_private_key_file: "{{ ansible_user_dir }}/.ssh/lunaclient"
     ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
 
-- name: Create cert secret and login secret
+- name: Create modified barbican image and get secrets
   hosts: "{{ cifmw_hsm_lunaclient_vm }}"
   tasks:
     - name: Include hsm_prep role
       ansible.builtin.include_role:
         name: hsm_prep
-        tags:
-          - cert_prep
-          - secret_prep
       vars:
         cifmw_hsm_client_ip: "{{ hostvars[ cifmw_hsm_client_machine ].ansible_host }}"
diff --git a/roles/hsm_prep/defaults/main.yml b/roles/hsm_prep/defaults/main.yml
index 6aecb225e1..ea5c6daad7 100644
--- a/roles/hsm_prep/defaults/main.yml
+++ b/roles/hsm_prep/defaults/main.yml
@@ -39,3 +39,9 @@ cifmw_hsm_luna_server_cert_src: "/usr/safenet/lunaclient/cert/server"
 cifmw_hsm_luna_client_cert_src: "/usr/safenet/lunaclient/cert/client"
 cifmw_hsm_luna_cert_secret: "barbican-luna-certs"
 cifmw_hsm_luna_cert_secret_namespace: "openstack"
+ ## Image details
+cifmv_hsm_barbican_image_registry: "quay.io"
+cifmv_hsm_barbican_image_namespace: "podified-antelope-centos9"
+cifmw_hsm_barbican_image_tag: "current-podified"
+cifmw_hsm_barbican_final_image_tag: "current-podified-luna"
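Review bot: Two of the four new defaults are misspelled with a `cifmv_` prefix (`cifmv_hsm_barbican_image_registry`, `cifmv_hsm_barbican_image_namespace`) while the other two and every existing key in this file use `cifmw_`, so a consumer referencing the conventional name will find it undefined and an override written under `cifmw_` will not replace this default. Rename them to `cifmw_hsm_barbican_image_registry: "quay.io"` and `cifmw_hsm_barbican_image_namespace: "podified-antelope-centos9"`, and check whatever maps them onto the script's `BARBICAM_IMAGE_REGISTRY`/`BARBICAN_IMAGE_NAMESPACE` environment, which is not part of this patch. Separately, both tag defaults (`current-podified`, `current-podified-luna`) are mutable tags, so the image the role rebuilds cannot be tied back to a fixed upstream digest; if the CI job needs reproducible inputs, consider accepting a digest override alongside the tag.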
diff --git a/roles/hsm_prep/files/image_add_luna_minimal_client.sh b/roles/hsm_prep/files/image_add_luna_minimal_client.sh
index a1415c9c9e..a73793799b 100755
--- a/roles/hsm_prep/files/image_add_luna_minimal_client.sh
+++ b/roles/hsm_prep/files/image_add_luna_minimal_client.sh
@@ -5,7 +5,7 @@
 # This script adds the Linux Minimal Client for Thales Luna Network HSM
 # to both the API and Worker images so that the HSM can be used as a PKCS#11
 # backend for Barbican.
-
+set -x
 set -o errexit
 set -o pipefail
 
@@ -14,10 +14,9 @@ BARBICAN_IMAGE_NAMESPACE=${BARBICAN_IMAGE_NAMESPACE:-"podified-antelope-centos9"
 BARBICAN_IMAGE_TAG=${BARBICAN_IMAGE_TAG:-"current-podified"}
 BARBICAN_API_IMAGE="$BARBICAM_IMAGE_REGISTRY/$BARBICAN_IMAGE_NAMESPACE/openstack-barbican-api:$BARBICAN_IMAGE_TAG"
 BARBICAN_WORKER_IMAGE="$BARBICAM_IMAGE_REGISTRY/$BARBICAN_IMAGE_NAMESPACE/openstack-barbican-worker:$BARBICAN_IMAGE_TAG"
-
-BARBICAM_FINAL_IMAGE_TAG=${BARBICAN_FINAL_IMAGE_TAG:-"current-podified-luna"}
-BARBICAN_API_FINAL_IMAGE="$BARBICAM_IMAGE_REGISTRY/$BARBICAN_IMAGE_NAMESPACE/openstack-barbican-api:$BARBICAN_FINAL_IMAGE_TAG"
-BARBICAN_WORKER_FINAL_IMAGE="$BARBICAM_IMAGE_REGISTRY/$BARBICAN_IMAGE_NAMESPACE/openstack-barbican-worker:$BARBICAN_FINAL_IMAGE_TAG"
+BARBICAM_FINAL_IMAGE_TAG_X=${BARBICAN_FINAL_IMAGE_TAG:-"current-podified-luna"}
+BARBICAN_API_FINAL_IMAGE="$BARBICAM_IMAGE_REGISTRY/$BARBICAN_IMAGE_NAMESPACE/openstack-barbican-api:${BARBICAM_FINAL_IMAGE_TAG_X}"
+BARBICAN_WORKER_FINAL_IMAGE="$BARBICAM_IMAGE_REGISTRY/$BARBICAN_IMAGE_NAMESPACE/openstack-barbican-worker:${BARBICAM_FINAL_IMAGE_TAG_X}"
 
 # LUNA_LINUX_MINIMAL_CLIENT_DIR - location of the "linux-minimal" directory
 # in your client media. This could be a path to a mounted ISO or a path to
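Review bot: `set -x` is enabled unconditionally, replacing the blank line that separated the header comment from `set -o errexit`, which turns on command tracing for every run rather than only while debugging. Trace output echoes each expanded argument into the job log, so every environment value the script consumes (`BARBICAN_IMAGE_TAG`, `BARBICAN_FINAL_IMAGE_TAG`, and whatever the calling role exports) is written out together with the `buildah` command lines; nothing in this hunk is secret, but the script is driven by a role whose other tasks handle an HSM admin password, so the exposure should be a deliberate choice. Gate it on an opt-in variable, for example `[ -n "${DEBUG:-}" ] && set -x` with `DEBUG` being a constructed name, or remove it before merge.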
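Review bot: The rewrite fixes the real bug in the removed lines — the final-image references expanded `$BARBICAN_FINAL_IMAGE_TAG`, which is empty unless the caller exports it, while the default landed in `BARBICAM_FINAL_IMAGE_TAG` — but it does so by introducing `BARBICAM_FINAL_IMAGE_TAG_X`, keeping the `BARBICAM` misspelling and adding an `_X` suffix that reads as a leftover experiment. Naming the variable after the environment key it mirrors is the direct fix: `BARBICAN_FINAL_IMAGE_TAG=${BARBICAN_FINAL_IMAGE_TAG:-"current-podified-luna"}` and `...openstack-barbican-api:${BARBICAN_FINAL_IMAGE_TAG}"` (likewise for the worker line). The unchanged context lines still build on `$BARBICAM_IMAGE_REGISTRY`, whose definition is outside this hunk, so whether that spelling matches what the Ansible role exports cannot be confirmed here. Because the script sets `set -o errexit` but not `set -o nounset`, a misspelled variable silently expands to an empty string and produces a malformed image reference instead of an error; adding `set -o nounset` next to the other `set -o` lines would have caught the original defect.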
@@ -45,7 +44,7 @@ function install_client() {
     buildah add --chown root:root $container $LUNA_CLIENT_BIN/multitoken /usr/local/bin/
     buildah add --chown root:root $container $LUNA_CLIENT_BIN/ckdemo /usr/local/bin/
 
-    buildah commit $container ${2}
+    buildah commit $container $2
     buildah rm $container
 }
 
diff --git a/roles/hsm_prep/tasks/cleanup.yml b/roles/hsm_prep/tasks/cleanup.yml
new file mode 100644
index 0000000000..94b173dfbe
--- /dev/null
+++ b/roles/hsm_prep/tasks/cleanup.yml
@@ -0,0 +1,37 @@
+---
+- name: Perform cleanup tasks
+  tags: cleanup
+  when:
+    - cifmw_hsm_cleanup | bool
+    - cifmw_hsm_hsmtype == "luna"
+  block:
+    - name: Log debug tasks
+      ansible.builtin.debug:
+        msg: "Running cleanup tasks here"
+
+    - name: Set fact for client_name
+      ansible.builtin.set_fact:
+        client_name: "{{ cifmw_hsm_client_ip }}"
+    - name: Check for existing HSM client
+      ansible.builtin.shell: >
+        sshpass -p '{{ cifmw_hsm_admin_password }}'
+        ssh -o StrictHostKeyChecking=false -c aes256-cbc
+        {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}
+        -C client list
+      register: client_list
+    - name: Delete existing client when rotating certs
+      ansible.builtin.shell: >
+        sshpass -p '{{ cifmw_hsm_admin_password }}'
+        ssh -c aes256-cbc {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}
+        -C "client delete -f -c {{ client_name }}"
+      when:
+        - client_name in client_list.stdout
+
+    - name: Remove the working directory
+      delegate_to: localhost
+      become: true
+      ansible.builtin.file:
+        path: "{{ cifmw_hsm_working_dir }}"
+        state: absent
diff --git a/roles/hsm_prep/tasks/luna.yml b/roles/hsm_prep/tasks/luna.yml
index 334be9d823..9df6c48116 100644
--- a/roles/hsm_prep/tasks/luna.yml
+++ b/roles/hsm_prep/tasks/luna.yml
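Review bot: Both `ansible.builtin.shell` tasks in the new cleanup.yml pass the appliance password on the command line via `sshpass -p '{{ cifmw_hsm_admin_password }}'` and neither sets `no_log: true`, so the rendered command — password included — is printed in the play output and kept in the registered result's `cmd` field, and is readable from the process list on the client host while `sshpass` runs. Add `no_log: true` to both tasks, and prefer giving sshpass the password through its environment (`sshpass -e` reads `SSHPASS`, which the task can supply with `environment:`) so it never appears in argv. The guard `client_name in client_list.stdout` is a substring test: a client named `10.0.0.1` also matches output that lists `10.0.0.10`, so the delete can fire or be skipped for the wrong client; testing against `client_list.stdout_lines` or a pattern anchored on the name field would be safer, though the `client list` output format is not shown here. The first ssh call disables host-key verification with `-o StrictHostKeyChecking=false` and the second relies on the key learned by the first; if the intent is a pinned appliance identity, a `known_hosts` entry for `cifmw_hsm_server_ip` is the verifiable alternative. The block-level `cifmw_hsm_hsmtype == "luna"` condition is new relative to the copy removed from luna.yml and fails with an undefined-variable error if `cifmw_hsm_hsmtype` has no default, which cannot be confirmed from this patch.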
@@ -150,38 +150,3 @@
         KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
         PATH: "{{ cifmw_path }}"
       ansible.builtin.command: "oc apply -f {{ cifmw_hsm_working_dir }}/login_secret.yml"
-
-- name: Perform cleanup tasks
-  tags: cleanup
-  when: cifmw_hsm_cleanup | bool
-  block:
-    - name: Log debug tasks
-      ansible.builtin.debug:
-        msg: "Running cleanup tasks here"
-
-    - name: Set fact for client_name
-      ansible.builtin.set_fact:
-        client_name: "{{ cifmw_hsm_client_ip }}"
-
-    - name: Check for existing HSM client
-      ansible.builtin.shell: >
-        sshpass -p '{{ cifmw_hsm_admin_password }}'
-        ssh -o StrictHostKeyChecking=false -c aes256-cbc
-        {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}
-        -C client list
-      register: client_list
-
-    - name: Delete existing client when rotating certs
-      ansible.builtin.shell: >
-        sshpass -p '{{ cifmw_hsm_admin_password }}'
-        ssh -c aes256-cbc {{ cifmw_hsm_admin_user }}@{{ cifmw_hsm_server_ip }}
-        -C "client delete -f -c {{ client_name }}"
-      when:
-        - client_name in client_list.stdout
-
-    - name: Remove the working directory
-      delegate_to: localhost
-      become: true
-      ansible.builtin.file:
-        path: "{{ cifmw_hsm_working_dir }}"
-        state: absent