You can deploy and configure Barbican to work with the private Key Recovery Agent (KRA) Dogtag backend.
Before you proceed with the deployment, make sure that you have a running Dogtag backend. If you do not have a Dogtag backend yet, deploy it as described in Deploy Dogtag.
To deploy Barbican with the Dogtag backend:
Open the classes/cluster/<cluster_name>/
directory of your Git project
repository.
In infra/config/init.yml
, add the following class:
classes:
- system.keystone.client.service.barbican
In openstack/control.yml
, modify the classes
and
parameters
sections:
classes:
- system.apache.server.site.barbican
- system.galera.server.database.barbican
- system.barbican.server.cluster
- service.barbican.server.plugin.dogtag
...
parameters:
_param:
apache_barbican_api_address: ${_param:cluster_local_address}
apache_barbican_api_host: ${_param:single_address}
apache_barbican_ssl: ${_param:nginx_proxy_ssl}
barbican_dogtag_nss_password: workshop
barbican_dogtag_host: ${_param:cluster_vip_address}
...
barbican:
server:
enabled: true
dogtag_admin_cert:
engine: mine
minion: ${_param:dogtag_master_host}
ks_notifications_enable: True
store:
software:
store_plugin: dogtag_crypto
global_default: True
plugin:
dogtag:
port: ${_param:haproxy_dogtag_bind_port}
nova:
controller:
barbican:
enabled: ${_param:barbican_integration_enabled}
cinder:
controller:
barbican:
enabled: ${_param:barbican_integration_enabled}
glance:
server:
barbican:
enabled: ${_param:barbican_integration_enabled}
In openstack/init.yml
, modify the parameters
section. For example:
parameters:
_param:
...
barbican_service_protocol: ${_param:cluster_internal_protocol}
barbican_service_host: ${_param:openstack_control_address}
barbican_version: ${_param:openstack_version}
mysql_barbican_password: workshop
keystone_barbican_password: workshop
barbican_dogtag_host: "dogtag.example.com"
barbican_dogtag_nss_password: workshop
barbican_integration_enabled: true
In openstack/proxy.yml
, add the following class:
classes:
- system.nginx.server.proxy.openstack.barbican
Optional. Enable image verification:
In openstack/compute/init.yml
, add the following parameters:
parameters:
_param:
nova:
compute:
barbican:
enabled: ${_param:barbican_integration_enabled}
In openstack/control.yml
, add the following parameters:
parameters:
_param:
nova:
controller:
barbican:
enabled: ${_param:barbican_integration_enabled}
Note
This configuration changes the requirement to the Glance image upload procedure. All glance images will have to be updated with signature information. For details, see: OpenStack Nova and OpenStack Glance documentation.
Optional. In openstack/control.yml
, enable volume encryption supported
by the key manager:
parameters:
_param:
cinder:
volume:
barbican:
enabled: ${_param:barbican_integration_enabled}
Optional. In init.yml
, add the following parameters if you plan
to use a self-signed certificate managed by Salt:
parameters:
_param:
salt:
minion:
trusted_ca_minions:
- cfg01
Distribute the Dogtag KRA certificate from the Dogtag node to the Barbican nodes. Select from the following options (engines):
Define the KRA admin certificate manually in pillar by editing the
infra/openstack/control.yml
file:
barbican:
server:
dogtag_admin_cert:
engine: manual
key: |
<key_data>
Receive the Dogtag certificate from Salt Mine. The Dogtag formula
sends the KRA certificate to the dogtag_admin_cert
Mine function.
Add the following to infra/openstack/control.yml
:
barbican:
server:
dogtag_admin_cert:
engine: mine
minion: <dogtag_minion_node_name>
If some additional steps were applied to install the KRA certificate
and these steps are out of scope of the Barbican formula, the formula has
the noop
engine to perform no operations. If the noop
engine is
defined in infra/openstack/control.yml
, the Barbican formula does
nothing to install the KRA admin certificate.
barbican:
server:
dogtag_admin_cert:
engine: noop
In this case, manually populate the Dogtag KRA certificate
in /etc/barbican/kra_admin_cert.pem
on the Barbican nodes.
Commit and push the changes to the project Git repository.
Log in to the Salt Master node.
Update your Salt formulas at the system level:
/srv/salt/reclass
.If you enabled the usage of a self-signed certificate managed by Salt, apply the following state:
salt -C 'I@salt:minion' state.apply salt.minion
Apply the following states:
salt -C 'I@keystone:client' state.sls keystone.client
salt -C 'I@galera:master' state.sls galera.server
salt -C 'I@galera:slave' state.apply galera
salt -C 'I@nginx:server' state.sls nginx
salt -C 'I@barbican:server and *01*' state.sls barbican.server
salt -C 'I@barbican:server' state.sls barbican.server
salt -C 'I@barbican:client' state.sls barbican.client
If you enabled image verification by Nova, apply the following states:
salt -C 'I@nova:controller' state.sls nova -b 1
salt -C 'I@nova:compute' state.sls nova
If you enabled volume encryption supported by the key manager, apply the following state:
salt -C 'I@cinder:controller' state.sls cinder -b 1
If you have async workers enabled, restart the Barbican worker service:
salt -C 'I@barbican:server' service.restart barbican-worker
Restart the Barbican API server:
salt -C 'I@barbican:server' service.restart apache2
Verify that Barbican works correctly. For example:
openstack secret store --name mysecret --payload j4=]d21