# CustomResourceDefinition for the BarbicanWorker kind in the
# barbican.openstack.org API group, generated by controller-gen (see annotation).
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.18.0
  # NOTE(review): creationTimestamp, generation, resourceVersion and uid are
  # populated by the API server, so this document looks like an export of a
  # live object rather than a source manifest. Strip them, together with the
  # top-level status stanza at the end of the file, before applying it elsewhere.
  creationTimestamp: "2026-04-02T13:56:56Z"
  generation: 1
  name: barbicanworkers.barbican.openstack.org
  resourceVersion: "36881"
  uid: 7ab368e3-4a03-49ec-a1ff-0c4a98293740
spec:
  # Only one version (v1beta1) is listed under versions, and no conversion
  # webhook is configured.
  conversion:
    strategy: None
  group: barbican.openstack.org
  names:
    kind: BarbicanWorker
    listKind: BarbicanWorkerList
    plural: barbicanworkers
    singular: barbicanworker
  # Namespaced: BarbicanWorker objects live inside a namespace, so RBAC grants on
  # the "barbicanworkers" resource decide who can read or change the spec fields
  # defined below (several of which name Secrets or overwrite config files).
  scope: Namespaced
  versions:
  # Both printer columns read element 0 of .status.conditions, i.e. whichever
  # condition the controller stores first in that list.
  - additionalPrinterColumns:
    - description: Status
      jsonPath: .status.conditions[0].status
      name: Status
      type: string
    - description: Message
      jsonPath: .status.conditions[0].message
      name: Message
      type: string
    name: v1beta1
    schema:
      # Schema the API server validates every BarbicanWorker object against.
      # It is the only validation visible in this file; the descriptions further
      # down mention webhooks for some checks, which are not part of this CRD.
      openAPIV3Schema:
        description: BarbicanWorker is the Schema for the barbicanworkers API
        properties:
          # Standard object envelope fields (apiVersion, kind, metadata).
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          # Desired state. The required list at the end of this mapping names
          # containerImage, databaseHostname, databaseInstance and serviceAccount.
          spec:
            description: BarbicanWorkerSpec defines the desired state of BarbicanWorker
            properties:
              # Free-form string: no pattern is applied, so tag-based and
              # digest-pinned image references are both accepted.
              # NOTE(review): the description says an empty value falls back to an
              # environment default, yet the field is in the required list —
              # presumably a defaulting webhook fills it in; confirm.
              containerImage:
                description: ContainerImage - Barbican Container Image URL (will be
                  set to environmental default if empty)
                type: string
              # Held inline in the CR, so it is readable by anyone who can get/list
              # barbicanworkers. Settings that carry credentials belong in
              # customServiceConfigSecrets (next field), which references Secrets.
              # NOTE(review): the description contains a doubled "to to"; fix it in
              # the Go type comment and regenerate rather than editing this file.
              customServiceConfig:
                description: |-
                  CustomServiceConfig - customize the service config using this parameter to change service defaults,
                  or overwrite rendered information using raw OpenStack config format. The content gets added to
                  to /etc/<service>/<service>.conf.d directory as a custom config file.
                type: string
              # List of Secret names. The schema puts no pattern, length bound or
              # list-type on the items.
              customServiceConfigSecrets:
                description: |-
                  CustomServiceConfigSecrets - customize the service config using this parameter to specify Secrets
                  that contain sensitive service config data. The content of each Secret gets added to the
                  /etc/<service>/<service>.conf.d directory as a custom config file.
                items:
                  type: string
                type: array
              # Name of a MariaDBAccount CR; defaults to "barbican" when omitted.
              databaseAccount:
                default: barbican
                description: DatabaseAccount - optional MariaDBAccount CR name used
                  for barbican DB, defaults to barbican
                type: string
              # Required field with no description in the schema.
              databaseHostname:
                type: string
              # Required field. NOTE(review): "maridb-operator" in the description is
              # presumably a typo for mariadb-operator; fix it in the Go type comment.
              databaseInstance:
                description: |-
                  MariaDB instance name
                  Right now required by the maridb-operator to get the credentials from the instance to create the DB
                  Might not be required in future
                type: string
              # String-to-string map; per the description, entries replace or add
              # files under /etc/<service>, policy.json being the named example.
              # NOTE(review): since a policy file can be replaced through this field,
              # update/patch rights on barbicanworkers effectively include the right
              # to change that policy; scope RBAC on this resource with that in mind.
              defaultConfigOverwrite:
                additionalProperties:
                  type: string
                description: |-
                  ConfigOverwrite - interface to overwrite default config files like e.g. policy.json.
                  But can also be used to add additional files. Those get added to the service config dir in /etc/<service> .
                type: object
              # Set of one or two backends drawn from simple_crypto and pkcs11.
              # No default is declared for this field. Elsewhere in this schema,
              # simpleCryptoBackendSecret holds the simple_crypto KEK in a Secret and
              # the pkcs11 object carries the HSM settings.
              enabledSecretStores:
                items:
                  description: SecretStore type is used by the EnabledSecretStores
                    variable inside the specification.
                  enum:
                  - simple_crypto
                  - pkcs11
                  type: string
                maxItems: 2
                minItems: 1
                type: array
                x-kubernetes-list-type: set
              # Defaults to simple_crypto. The description is the shared SecretStore
              # type text, not a description of this field.
              # NOTE(review): the schema does not require this value to be a member
              # of enabledSecretStores — presumably enforced by the controller or a
              # webhook; confirm.
              globalDefaultSecretStore:
                default: simple_crypto
                description: SecretStore type is used by the EnabledSecretStores variable
                  inside the specification.
                enum:
                - simple_crypto
                - pkcs11
                type: string
              # RabbitMQ connection parameters. Only cluster is required (non-empty);
              # user and vhost are optional. No password field exists here.
              messagingBus:
                description: MessagingBus configuration (username, vhost, and cluster)
                properties:
                  cluster:
                    description: Name of the cluster
                    minLength: 1
                    type: string
                  user:
                    description: User - RabbitMQ username
                    type: string
                  vhost:
                    description: Vhost - RabbitMQ vhost name
                    type: string
                required:
                - cluster
                type: object
              # Names of NetworkAttachment resources; items are unconstrained strings.
              networkAttachments:
                description: NetworkAttachments is a list of NetworkAttachment resource
                  names to expose the services to the given network
                items:
                  type: string
                type: array
              # Label map for node placement; per the description it takes
              # precedence over the NodeSelector set on the Barbican CR.
              nodeSelector:
                additionalProperties:
                  type: string
                description: |-
                  NodeSelector to target subset of worker nodes running this component. Setting here overrides
                  any global NodeSelector settings within the Barbican CR.
                type: object
              # Same shape as messagingBus, used for the notifications bus.
              notificationsBus:
                description: NotificationsBus configuration (username, vhost, and
                  cluster) for notifications
                properties:
                  cluster:
                    description: Name of the cluster
                    minLength: 1
                    type: string
                  user:
                    description: User - RabbitMQ username
                    type: string
                  vhost:
                    description: Vhost - RabbitMQ vhost name
                    type: string
                required:
                - cluster
                type: object
              # Name of a Secret, not the URL itself.
              # NOTE(review): transport URLs commonly embed broker credentials, so
              # treat the referenced Secret as sensitive — confirm its contents.
              notificationsURLSecret:
                description: NotificationsURLSecret - Secret containing notifications
                  transport URL
                type: string
              # Per the description, these values select entries inside a Secret;
              # they are key names, not the passwords or keys themselves.
              # NOTE(review): the object-level default sets simplecryptokek to
              # BarbicanSimpleCryptoKEK, while the property-level default further
              # down is SimpleCryptoKEK. Omitting passwordSelectors entirely and
              # supplying it without simplecryptokek therefore resolve to different
              # Secret keys for the KEK. Confirm which name is intended and align
              # the kubebuilder markers in the Go types.
              passwordSelectors:
                default:
                  service: BarbicanPassword
                  simplecryptokek: BarbicanSimpleCryptoKEK
                description: PasswordSelectors - Selectors to identify the ServiceUser
                  password from the Secret
                properties:
                  # No description in the schema; defaults to PKCS11Pin.
                  pkcs11pin:
                    default: PKCS11Pin
                    type: string
                  service:
                    default: BarbicanPassword
                    description: Service - Selector to get the barbican service user
                      password from the Secret
                    type: string
                  # Set of further selector names for additional KEKs, expected to
                  # exist in the Secret named by simpleCryptoBackendSecret.
                  simplecryptoadditionalkeks:
                    description: |-
                      Fields containing additional Key Encryption Keys(KEK) used for the Simple Crypto backend
                      It is expected that these fields will exist in the secret referenced in SimpleCryptoBackendSecret
                    items:
                      type: string
                    type: array
                    x-kubernetes-list-type: set
                  # No description in the schema; see the default mismatch noted above.
                  simplecryptokek:
                    default: SimpleCryptoKEK
                    type: string
                type: object
              # HSM settings. The object is optional at spec level, but once present
              # both clientDataSecret and loginSecret must be given.
              # NOTE(review): nothing in this schema ties listing pkcs11 in
              # enabledSecretStores to this object being set — presumably validated
              # by the controller or a webhook; confirm.
              pkcs11:
                description: BarbicanPKCS11Template - Includes common HSM properties
                properties:
                  # Destination path for the client data; defaults to /etc/hsm-client.
                  clientDataPath:
                    default: /etc/hsm-client
                    description: Location to which kolla will copy the data in ClientDataSecret.
                    type: string
                  # Name of the Secret holding HSM client data.
                  clientDataSecret:
                    description: |-
                      The OpenShift secret that stores the HSM client data.
                      These will be mounted to /var/lib/config-data/hsm
                    type: string
                  # Name of the Secret holding the PKCS11 session login password;
                  # read access to that Secret is access to the HSM login.
                  loginSecret:
                    description: OpenShift secret that stores the password to login
                      to the PKCS11 session
                    type: string
                required:
                - clientDataSecret
                - loginSecret
                type: object
              # Deprecated per its description; messagingBus.cluster replaces it.
              rabbitMqClusterName:
                description: |-
                  RabbitMQ instance name
                  Needed to request a transportURL that is created and used in Barbican
                  Deprecated: Use MessagingBus.Cluster instead
                type: string
              # int32 in the range 0..32, default 1.
              # NOTE(review): the description says "Barbican API" although this CRD
              # is for BarbicanWorker — presumably copied from the API type.
              replicas:
                default: 1
                description: Replicas of Barbican API to run
                format: int32
                maximum: 32
                minimum: 0
                type: integer
              # Container resource requirements (claims, limits, requests).
              # No default is declared, so an omitted field leaves limits and
              # requests unset as far as this schema is concerned.
              resources:
                description: |-
                  Resources - Compute Resources required by this service (Limits/Requests).
                  https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
                properties:
                  # List keyed by name (x-kubernetes-list-type: map).
                  claims:
                    description: |-
                      Claims lists the names of resources, defined in spec.resourceClaims,
                      that are used by this container.

                      This is an alpha field and requires enabling the
                      DynamicResourceAllocation feature gate.

                      This field is immutable. It can only be set for containers.
                    items:
                      description: ResourceClaim references one entry in PodSpec.ResourceClaims.
                      properties:
                        name:
                          description: |-
                            Name must match the name of one entry in pod.spec.resourceClaims of
                            the Pod where this field is used. It makes that resource available
                            inside a container.
                          type: string
                        request:
                          description: |-
                            Request is the name chosen for a request in the referenced claim.
                            If empty, everything from the claim is made available, otherwise
                            only the result of this request.
                          type: string
                      required:
                      - name
                      type: object
                    type: array
                    x-kubernetes-list-map-keys:
                    - name
                    x-kubernetes-list-type: map
                  # Map of resource name to quantity. Each value is an integer or a
                  # string that must match the quantity pattern below.
                  limits:
                    additionalProperties:
                      anyOf:
                      - type: integer
                      - type: string
                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                      x-kubernetes-int-or-string: true
                    description: |-
                      Limits describes the maximum amount of compute resources allowed.
                      More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
                    type: object
                  # Same value shape and pattern as limits.
                  requests:
                    additionalProperties:
                      anyOf:
                      - type: integer
                      - type: string
                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                      x-kubernetes-int-or-string: true
                    description: |-
                      Requests describes the minimum amount of compute resources required.
                      If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
                      otherwise to an implementation-defined value. Requests cannot exceed Limits.
                      More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
                    type: object
                type: object
              # Name of the Secret with the service passwords/keys; defaults to
              # osp-secret.
              secret:
                default: osp-secret
                description: Secret containing all passwords / keys needed
                type: string
              # Required field.
              serviceAccount:
                description: ServiceAccount - service account name used internally
                  to provide Barbican services the default SA name
                type: string
              # Keystone username for the service; defaults to barbican.
              serviceUser:
                default: barbican
                description: ServiceUser - optional username used for this service
                  to register in keystone
                type: string
              # Name of the Secret holding the simple_crypto KEK.
              # NOTE(review): the default is osp-secret, the same default as the
              # "secret" field above, so out of the box the KEK and the service
              # passwords sit in one Secret under one RBAC scope. Consider a
              # dedicated Secret with narrower read access for the KEK.
              simpleCryptoBackendSecret:
                default: osp-secret
                description: Secret containing the Key Encryption Key (KEK) used for
                  the Simple Crypto backend
                type: string
              # TLS settings; the only property is the name of a Secret holding a
              # pre-built CA bundle. The object is optional.
              tls:
                description: TLS - Parameters related to the TLS
                properties:
                  caBundleSecretName:
                    description: CaBundleSecretName - holding the CA certs in a pre-created
                      bundle file
                    type: string
                type: object
              # Reference to a Topology CR by name and namespace.
              # NOTE(review): per the namespace description, keeping the reference in
              # the service's own namespace is enforced by webhooks, not by this
              # schema, which accepts any string. Confirm the validating webhook is
              # deployed wherever this CRD is installed.
              topologyRef:
                description: |-
                  TopologyRef to apply the Topology defined by the associated CR referenced
                  by name
                properties:
                  name:
                    description: Name - The Topology CR name that the Service references
                    type: string
                  namespace:
                    description: |-
                      Namespace - The Namespace to fetch the Topology CR referenced
                      NOTE: Namespace currently points by default to the same namespace where
                      the Service is deployed. Customizing the namespace is not supported and
                      webhooks prevent editing this field to a value different from the
                      current project
                    type: string
                type: object
              # No description in the schema.
              # NOTE(review): by analogy with notificationsURLSecret this presumably
              # names the Secret holding the messaging transport URL; confirm and
              # add a description in the Go type.
              transportURLSecret:
                type: string
            # Fields every BarbicanWorker spec must set.
            required:
            - containerImage
            - databaseHostname
            - databaseInstance
            - serviceAccount
            type: object
          # Observed state of a BarbicanWorker.
          status:
            description: BarbicanWorkerStatus defines the observed state of BarbicanWorker
            properties:
              # List of conditions; each entry requires lastTransitionTime, status
              # and type. The printer columns of this version read element 0.
              conditions:
                description: Conditions
                items:
                  description: Condition defines an observation of a API resource
                    operational state.
                  properties:
                    lastTransitionTime:
                      description: |-
                        Last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed. If that is not known, then using the time when
                        the API field changed is acceptable.
                      format: date-time
                      type: string
                    # Free-text fields: the schema sets no length limit on message
                    # or reason.
                    message:
                      description: A human readable message indicating details about
                        the transition.
                      type: string
                    reason:
                      description: The reason for the condition's last transition
                        in CamelCase.
                      type: string
                    severity:
                      description: |-
                        Severity provides a classification of Reason code, so the current situation is immediately
                        understandable and could act accordingly.
                        It is meant for situations where Status=False and it should be indicated if it is just
                        informational, warning (next reconciliation might fix it) or an error (e.g. DB create issue
                        and no actions to automatically resolve the issue can/should be done).
                        For conditions where Status=Unknown or Status=True the Severity should be SeverityNone.
                      type: string
                    # Documented as True/False/Unknown, but typed as a plain string
                    # with no enum.
                    status:
                      description: Status of the condition, one of True, False, Unknown.
                      type: string
                    type:
                      description: Type of condition in CamelCase.
                      type: string
                  required:
                  - lastTransitionTime
                  - status
                  - type
                  type: object
                type: array
              databaseHostname:
                description: Barbican Database Hostname
                type: string
              # String-to-string map of hashes.
              hash:
                additionalProperties:
                  type: string
                description: Map of hashes to track e.g. job status
                type: object
              # Same name/namespace shape as spec.topologyRef.
              lastAppliedTopology:
                description: LastAppliedTopology - the last applied Topology
                properties:
                  name:
                    description: Name - The Topology CR name that the Service references
                    type: string
                  namespace:
                    description: |-
                      Namespace - The Namespace to fetch the Topology CR referenced
                      NOTE: Namespace currently points by default to the same namespace where
                      the Service is deployed. Customizing the namespace is not supported and
                      webhooks prevent editing this field to a value different from the
                      current project
                    type: string
                type: object
              # Map from a string key to a list of strings.
              networkAttachments:
                additionalProperties:
                  items:
                    type: string
                  type: array
                description: NetworkAttachments status of the deployment pods
                type: object
              # NOTE(review): the description still carries scaffolding text
              # ("INSERT ADDITIONAL STATUS FIELD", "Run make ...") and says
              # "barbican API" in a worker CRD. Clean up the Go comment and
              # regenerate rather than editing this generated file.
              readyCount:
                description: |-
                  INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
                  Important: Run "make" to regenerate code after modifying this file
                  ReadyCount of barbican API instances
                format: int32
                type: integer
            type: object
        type: object
    # v1beta1 is both served by the API and used as the storage version.
    served: true
    storage: true
    # Enables the /status subresource: status is written through
    # barbicanworkers/status, which RBAC can grant separately from the main
    # resource, so spec and status write permissions can be kept apart.
    subresources:
      status: {}
# Status of the CRD object itself, written by the API server. It is part of the
# live-object export and is not input when the CRD is created.
status:
  acceptedNames:
    kind: BarbicanWorker
    listKind: BarbicanWorkerList
    plural: barbicanworkers
    singular: barbicanworker
  # NamesAccepted and Established are both "True" in this export, with the same
  # transition time as metadata.creationTimestamp.
  conditions:
  - lastTransitionTime: "2026-04-02T13:56:56Z"
    message: no conflicts found
    reason: NoConflicts
    status: "True"
    type: NamesAccepted
  - lastTransitionTime: "2026-04-02T13:56:56Z"
    message: the initial names have been accepted
    reason: InitialNamesAccepted
    status: "True"
    type: Established
  # Versions under which objects of this kind have been persisted.
  storedVersions:
  - v1beta1
