
Add playbook to configure lunasa access for barbican #2630

Draft
wants to merge 1 commit into
base: main
Conversation


@vakwetu vakwetu commented Jan 3, 2025

This playbook will configure the barbican pods on the test system to use a luna HSM as a crypto backend to store and generate keys.

In particular, we need to:

  1. Create modified barbican-api and barbican-worker images that contain the HSM client software. The new images will be published locally on the crc node with a special tag ("cifmw_update_barbican_custom_tag") appended.
  2. Create a secret to store certificates to access the HSM (server and client certs).
  3. Create a secret to store the password needed to access the HSM partition.
  4. Use the update-containers role to modify openstackversion to use the updated barbican images. This PR makes a small modification to that role to account for the extra tag ("cifmw_update_barbican_custom_tag").
  5. Modify the control plane CR to add the needed config to Barbican to use the HSM as a backend.

Steps 1-3 are done by a separate ansible role (https://github.com/openstack-k8s-operators/ansible-role-rhoso-luna-hsm/). This is useful because we'll be able to modify and branch this role as appropriate as the HSM software changes.

Jira: https://issues.redhat.com/browse/OSPRH-11019
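As an added illustration of steps 2 through 5 above (not code from this PR or from the ci-framework project), the playbook below creates the two secrets, calls the update role with the custom tag, and patches the control plane CR. It assumes the kubernetes.core collection, a KUBECONFIG pointing at the CRC cluster, a role named update_containers that reads cifmw_update_barbican_custom_tag, and that the OpenStackControlPlane CR exposes spec.barbican.template.customServiceConfig; the certificate paths, library path and password source are placeholders.

```yaml
# Added example, not the PR's own playbook. Assumptions are noted inline.
- name: Configure barbican to use a Luna HSM as its crypto backend
  hosts: localhost
  gather_facts: false
  vars:
    namespace: openstack
    controlplane_name: openstack          # assumed CR name
    cifmw_update_barbican_custom_tag: luna
    # Placeholder paths; the real files come from the HSM client setup
    luna_server_cert: /path/to/server.pem
    luna_client_cert: /path/to/client.pem
    luna_client_key: /path/to/client.key
    # Placeholder source; in practice supply via ansible-vault or extra-vars
    luna_partition_password: "{{ lookup('env', 'LUNA_PARTITION_PASSWORD') }}"
  tasks:
    - name: Store the HSM server and client certificates in a secret (step 2)
      kubernetes.core.k8s:
        state: present
        definition:
          apiVersion: v1
          kind: Secret
          metadata:
            name: barbican-luna-certs
            namespace: "{{ namespace }}"
          type: Opaque
          stringData:
            server.pem: "{{ lookup('file', luna_server_cert) }}"
            client.pem: "{{ lookup('file', luna_client_cert) }}"
            client.key: "{{ lookup('file', luna_client_key) }}"

    - name: Store the HSM partition password in a secret (step 3)
      kubernetes.core.k8s:
        state: present
        definition:
          apiVersion: v1
          kind: Secret
          metadata:
            name: barbican-luna-login
            namespace: "{{ namespace }}"
          type: Opaque
          stringData:
            PKCS11Pin: "{{ luna_partition_password }}"
      no_log: true   # keep the partition password out of the job log

    - name: Point openstackversion at the rebuilt barbican images (step 4)
      ansible.builtin.include_role:
        name: update_containers   # assumed role name; reads the custom tag below
      vars:
        cifmw_update_barbican_custom_tag: "{{ cifmw_update_barbican_custom_tag }}"

    - name: Add the PKCS#11 backend config to the barbican section of the CR (step 5)
      kubernetes.core.k8s:
        state: patched
        api_version: core.openstack.org/v1beta1
        kind: OpenStackControlPlane
        name: "{{ controlplane_name }}"
        namespace: "{{ namespace }}"
        definition:
          spec:
            barbican:
              template:
                # customServiceConfig is assumed; the keys are standard
                # barbican p11_crypto_plugin options. The login PIN is not
                # placed here so it never lands in the CR; the operator or
                # role is expected to read it from barbican-luna-login.
                customServiceConfig: |
                  [secretstore]
                  enabled_secretstore_plugins = store_crypto
                  [crypto]
                  enabled_crypto_plugins = p11_crypto
                  [p11_crypto_plugin]
                  library_path = /usr/lib/libCryptoki2_64.so   # placeholder
                  mkek_label = barbican_mkek
                  hmac_label = barbican_hmac
```

Keeping the password out of the CR and out of task output (no_log) matters because both the CR and the CI job logs are readable far more widely than the secret object itself.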


openshift-ci bot commented Jan 3, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign viroel for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


github-actions bot commented Jan 3, 2025

Thanks for the PR! ❤️
I'm marking it as a draft; once you're happy with it merging and the PR is passing CI, click the "Ready for review" button below.

@github-actions github-actions bot marked this pull request as draft January 3, 2025 18:11

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/740cca6a43014e3e85924701c1903ead

✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 30m 35s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 18m 02s
cifmw-crc-podified-edpm-baremetal RETRY_LIMIT in 24m 47s
✔️ noop SUCCESS in 0s
✔️ cifmw-pod-ansible-test SUCCESS in 8m 03s
✔️ cifmw-pod-pre-commit SUCCESS in 7m 06s
✔️ build-push-container-cifmw-client SUCCESS in 36m 33s
✔️ cifmw-molecule-update_containers SUCCESS in 5m 09s

@vakwetu vakwetu force-pushed the add_luna_hsm_logic branch from 199a679 to f3d39d2 Compare January 3, 2025 21:25

lewisdenny commented Jan 5, 2025

Hi @vakwetu, do you have a Jira card tracking this work so I can fully understand the context of what you are implementing?

Also, if this is ready to review, please remove the draft status.

@vakwetu vakwetu mentioned this pull request Jan 6, 2025

vakwetu commented Jan 6, 2025

@lewisdenny Thanks. I added more details to the PR description and also a link to the Jira.

I've been testing this in testproject, and haven't gotten a completely successful run yet - but we're close. When that happens, I'll remove the draft status.

It's very close to final though, so please feel free to review.


vakwetu commented Jan 6, 2025

The testproject patch for this passed, i.e. the config was set correctly and we got all green for the barbican tests.

https://sf.apps.int.gpc.ocp-hub.prod.psi.redhat.com/logs/16/816/92fbf911ccd2bc7e334bf4e7fe0de8dcfb19de69/check-gitlab-cee/component-barbican-edpm-update-rhel9-rhoso18.0-crc/1a91dc3/controller/ci-framework-data/tests/test_operator/tempest-tests-tempest/stestr_results.html

The update test failed, but I suspect that I need to fix something in the test to account for the updated images. Will work on that separately.

Accordingly, going to remove the draft tag

This playbook will check out an ansible role that creates modified
barbican images and creates the relevant secrets needed.

In addition, the playbook modifies the control plane CR to include
the required config to barbican.

You need to call the update-containers role to be able to use the
updated barbican images.
@vakwetu vakwetu force-pushed the add_luna_hsm_logic branch from f3d39d2 to 8cabbea Compare January 7, 2025 22:47