From 73cdac6019ebd0363e14d05f2655b243519afeed Mon Sep 17 00:00:00 2001 From: ricolin Date: Wed, 19 Mar 2025 17:29:55 +0800 Subject: [PATCH] Allow multiple Barbican Key Encryption Key Barbican moved to support multiple keks instead of just one. OpenStack-helm is failing if run againist Barbican after commit [1]. This patch allows specify multiple and fix compatible issue. [1] cfba1c1ba8f3659e6de727c3f1c274052e9ccace Closes-Bug: 2103757 Change-Id: I438ee144b2a0a089dfffedf59961c155d9815889 --- barbican/templates/bin/_db-sync.sh.tpl | 2 +- .../bin/_simple_crypto_kek_rewrap.py.tpl | 27 +++++++++++++------ barbican/templates/configmap-etc.yaml | 2 +- barbican/templates/job-db-sync.yaml | 2 +- barbican/values.yaml | 13 ++++++--- 5 files changed, 32 insertions(+), 14 deletions(-) diff --git a/barbican/templates/bin/_db-sync.sh.tpl b/barbican/templates/bin/_db-sync.sh.tpl index 3fa5da53e3..c3e0bbcbb9 100644 --- a/barbican/templates/bin/_db-sync.sh.tpl +++ b/barbican/templates/bin/_db-sync.sh.tpl @@ -23,5 +23,5 @@ barbican-db-manage upgrade {{- if and (not (empty $old_kek)) (not (empty $kek)) }} set +x echo "Ensuring that project KEKs are wrapped with the target global KEK" -/tmp/simple_crypto_kek_rewrap.py --old-kek="$(cat /tmp/old_kek)" +/tmp/simple_crypto_kek_rewrap.py --old-keks="$(cat /tmp/old_keks)" {{- end }} diff --git a/barbican/templates/bin/_simple_crypto_kek_rewrap.py.tpl b/barbican/templates/bin/_simple_crypto_kek_rewrap.py.tpl index efc05fcc77..11ea3d01c0 100644 --- a/barbican/templates/bin/_simple_crypto_kek_rewrap.py.tpl +++ b/barbican/templates/bin/_simple_crypto_kek_rewrap.py.tpl @@ -31,7 +31,7 @@ CONF = simple_crypto.CONF class KekRewrap(object): - def __init__(self, conf, old_kek): + def __init__(self, conf, old_keks): self.dry_run = False self.db_engine = session.create_engine(conf.database.connection or conf.sql_connection) self._session_creator = scoping.scoped_session( 
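Review bot: The rewritten invocation `--old-keks="$(cat /tmp/old_keks)"` still hands every old KEK to the script as a command-line argument, so the keys are readable from `/proc/<pid>/cmdline` (and `ps`) by anything sharing the job pod's PID namespace or the node, and the preceding `set +x` only keeps them out of the shell trace. Since the file is already mounted read-only into the pod (see the job-db-sync hunk), the safer shape is to pass the path and let the script read it: `/tmp/simple_crypto_kek_rewrap.py --old-keks-file /tmp/old_keks`, with a matching `--old-keks-file` argparse option in the rewrap script that reads and strips the file contents. This exposure predates the patch rather than being introduced by it, but the patch now places several keys on that line at once, so it is a good moment to close it.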
@@ -42,8 +42,16 @@ class KekRewrap(object): ) self.crypto_plugin = simple_crypto.SimpleCryptoPlugin(conf) self.plugin_name = utils.generate_fullname_for(self.crypto_plugin) - self.decryptor = fernet.Fernet(old_kek.encode('utf-8')) - self.encryptor = fernet.Fernet(self.crypto_plugin.master_kek) + + if hasattr(self.crypto_plugin, 'master_kek'): + self.encryptor = fernet.Fernet(self.crypto_plugin.master_kek) + else: + self.encryptor = fernet.MultiFernet( + [fernet.Fernet(x) for x in self.crypto_plugin.master_keys] + ) + self.decryptor = fernet.MultiFernet( + [fernet.Fernet(x.encode('utf-8')) for x in old_keks] + ) def rewrap_kek(self, project, kek): with self.db_session.begin(): @@ -143,14 +151,17 @@ def main(): help='Displays changes that will be made (Non-destructive)' ) parser.add_argument( - '--old-kek', - default='dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=', - help='Old key encryption key previously used by Simple Crypto Plugin. ' - '(32 bytes, base64-encoded)' + '--old-keks', + default="dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=", + help='Old key encryption keys previously used by Simple Crypto Plugin. ' + 'A comma separated string of list contain keys ' + '( with formate 32 bytes and base64-encoded ). ' + 'First key in list is used for ecnrypting new data. ' + 'Additional keys used for decrypting existing data.' ) args = parser.parse_args() - rewrapper = KekRewrap(CONF, args.old_kek) + rewrapper = KekRewrap(CONF, args.old_keks.split(",")) rewrapper.execute(args.dry_run) diff --git a/barbican/templates/configmap-etc.yaml b/barbican/templates/configmap-etc.yaml index fba29565b5..2b9762e824 100644 --- a/barbican/templates/configmap-etc.yaml +++ b/barbican/templates/configmap-etc.yaml 
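Review bot: The new `MultiFernet` branches need a comment on key ordering, because the two lists have different semantics: `MultiFernet` encrypts only with the first key it is given and tries every key in order when decrypting, so the first entry of `master_keys` is the KEK every project KEK gets rewrapped with, while the order of `old_keks` only changes which key is tried first. I would add above the `hasattr` check `# Barbican with multi-KEK support exposes master_keys (list); older releases expose master_kek.` and above the decryptor `# MultiFernet encrypts with keys[0] only; every listed key is tried on decrypt.`. The old keks are `.encode('utf-8')`-ed while the `master_keys` entries are passed through as-is; `cryptography`'s `Fernet` base64-decodes either `str` or `bytes`, so this presumably works, but a one-line note would stop the asymmetry from reading as a bug. `__init__` begins in the previous hunk.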
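Review bot: The `--old-keks` help text says the first listed key is `used for ecnrypting new data`, but `KekRewrap.__init__` (previous hunk) only ever feeds these keys to `self.decryptor` and takes the wrapping key from the plugin's configured `kek`, so the sentence is wrong for this option and should read `All keys are tried, in order, to unwrap existing project KEKs; none is used for wrapping.`. Parsing should also tolerate the whitespace and trailing commas a hand-edited values file produces, since a stray space turns an entry into one that `fernet.Fernet` rejects: `rewrapper = KekRewrap(CONF, [k.strip() for k in args.old_keks.split(",") if k.strip()])`. Typos in the same help string: `formate` → `format`, `ecnrypting` → `encrypting`.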
@@ -98,5 +98,5 @@ data: api_audit_map.conf: {{ include "helm-toolkit.utils.to_ini" .Values.conf.audit_map | b64enc }} policy.yaml: {{ toYaml .Values.conf.policy | b64enc }} barbican-api-uwsgi.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.barbican_api_uwsgi | b64enc }} - old_kek: {{ index .Values.conf.simple_crypto_kek_rewrap "old_kek" | default "" | b64enc | quote }} + old_keks: {{ index .Values.conf.simple_crypto_kek_rewrap "old_kek" | default "" | b64enc | quote }} {{- end }} diff --git a/barbican/templates/job-db-sync.yaml b/barbican/templates/job-db-sync.yaml index 587be68ab0..bf964e8d0c 100644 --- a/barbican/templates/job-db-sync.yaml +++ b/barbican/templates/job-db-sync.yaml @@ -21,7 +21,7 @@ helm.sh/hook-weight: "-4" {{- $podVolMounts := .Values.pod.mounts.barbican_db_sync.barbican_db_sync.volumeMounts | default list }} {{- $podVolMounts = append $podVolMounts (dict "name" "db-sync-sh" "mountPath" "/tmp/simple_crypto_kek_rewrap.py" "subPath" "simple_crypto_kek_rewrap.py" "readOnly" true) }} -{{- $podVolMounts = append $podVolMounts (dict "name" "db-sync-conf" "mountPath" "/tmp/old_kek" "subPath" "old_kek" "readOnly" true) }} +{{- $podVolMounts = append $podVolMounts (dict "name" "db-sync-conf" "mountPath" "/tmp/old_keks" "subPath" "old_keks" "readOnly" true) }} {{- if .Values.manifests.job_db_sync }} {{- $dbSyncJob := dict "envAll" . "serviceName" "barbican" "podVolMounts" $podVolMounts "podVols" .Values.pod.mounts.barbican_db_sync.barbican_db_sync.volumes "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) -}} diff --git a/barbican/values.yaml b/barbican/values.yaml index 2547f50b7d..63ee8f3c2d 100644 --- a/barbican/values.yaml +++ b/barbican/values.yaml 
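Review bot: `old_keks:` still pipes `.Values.conf.simple_crypto_kek_rewrap.old_kek` straight into `b64enc`, which only accepts a string, so the YAML-list form that this patch's values.yaml hunk shows as an example would abort `helm upgrade` with a type error rather than rewrap anything. If the chart wants to accept either spelling, normalise before encoding: `{{- $oldKeks := index .Values.conf.simple_crypto_kek_rewrap "old_kek" | default "" }}` / `{{- if kindIs "slice" $oldKeks }}{{- $oldKeks = join "," $oldKeks }}{{- end }}` / `old_keks: {{ $oldKeks | b64enc | quote }}`. Otherwise document that the value must be a single comma-separated string and keep the values.yaml example consistent with that.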
@@ -413,7 +413,7 @@ conf: # When using the simple_crypto_plugin, a kek must be provided as: # .conf.barbican.simple_crypto_plugin.kek # If no kek is provided, barbican will use a well-known default. - # If upgrading the chart with a new kek, the old kek must be provided as: + # If upgrading the chart with a new kek, the old kek must be provided in: # .conf.simple_crypto_plugin_rewrap.old_kek # Please refer to the .conf.simple_crypto_key_rewrap section below. # The barbican defaults are included here as a reference: @@ -425,11 +425,13 @@ conf: # - simple_crypto # simple_crypto_plugin: # # The kek should be a 32-byte value which is base64 encoded. + # # First key is used for ecnrypting new data # kek: "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=" + # # Additional keys used for decrypting existing data + # kek: "xCDpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=" # KEK rotation for the simple_crypto plugin simple_crypto_kek_rewrap: - - # To allow for chart upgrades when modifying the Key Encryption Key, the + # To allow for chart upgrades when modifying the Key Encryption Keys, the # db-sync job can rewrap the existing project keys with the new kek, leaving # each secret’s encrypted data unchanged. @@ -447,6 +449,11 @@ conf: # The KEK value "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=" matches the # plugin default, and is retained here for convenience, in case the chart was # previously installed without explicitly specifying a kek. + # old_kek allows commna-separated string for keks + # old_kek: + # # First key is used for ecnrypting new data + # # Additional keys used for decrypting existing data + # - "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=,dDDpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=" old_kek: "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=" logging: loggers:
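Review bot: The example under `simple_crypto_plugin:` now lists `kek:` twice inside one YAML mapping; YAML mappings cannot carry duplicate keys, so an operator who copies it gets either a parse error or, with a lenient parser, only the last value — never two KEKs. Express it as a list, `kek:` / `  - "<wrapping key>"   # first entry wraps new data` / `  - "<older key>"      # later entries only decrypt`, which is presumably what the chart's oslo.conf renderer (helm-toolkit's `to_oslo_conf`) turns into repeated `kek =` lines — worth confirming against that helper. Two caveats belong in the comment as well: the first value shown is the plugin's well-known default KEK (as the `old_kek` section below states), so it must never occupy the first, wrapping slot in a real deployment, and `ecnrypting` should read `encrypting`.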
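Review bot: The new example `old_kek:` followed by `- "k1,k2"` is a YAML list containing one comma-joined string, which contradicts the sentence above it (`allows commna-separated string`) and would not survive the `b64enc` in configmap-etc.yaml that this patch leaves in place; make the example a plain string, `old_kek: "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=,dDDpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg="`. The copied note `First key is used for ecnrypting new data` is also wrong here: during rewrap every listed old key is only used to unwrap, and the wrapping key is whatever `simple_crypto_plugin.kek` is set to. Since every key in this string is rendered into the db-sync job's mount on each upgrade, I would add a sentence advising operators to remove keys from `old_kek` once the rewrap has run. `commna` → `comma`.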