Warning
The deployment of Barbican with the simple_crypto backend described in this section is intended for testing and evaluation purposes only. The simple_crypto plugin keeps its key encryption key (KEK) in the Barbican configuration file on the controller nodes, so anyone who can read that file together with the Barbican database can recover every stored secret. For production deployments, use the Dogtag backend. For details, see: Deploy Dogtag.
You can configure and deploy Barbican with the simple_crypto backend.
To deploy Barbican with the simple_crypto backend:
Open the classes/cluster/<cluster_name>/ directory of your Git project repository.
In openstack/database/init.yml, add the following class:
classes:
- system.mysql.client.database.barbican
In openstack/control/init.yml, add the following class:
classes:
- system.keystone.client.service.barbican
In infra/openstack/control.yml, modify the parameters section. For example:
classes:
- system.apache.server.site.barbican
- system.barbican.server.cluster
- service.barbican.server.plugin.simple_crypto
parameters:
  _param:
    barbican:
      server:
        store:
          software:
            crypto_plugin: simple_crypto
            store_plugin: store_crypto
            global_default: True
In infra/secret.yml, modify the parameters section. For example:
parameters:
  _param:
    barbican_version: ${_param:openstack_version}
    barbican_service_host: ${_param:openstack_control_address}
    mysql_barbican_password: password123
    keystone_barbican_password: password123
    barbican_simple_crypto_kek: "base64 encoded 32 bytes as secret key"
The values password123 and the quoted KEK description are placeholders, not usable values. Replace the passwords with unique, randomly generated ones, and set barbican_simple_crypto_kek to the base64 encoding of exactly 32 random bytes; the plugin rejects any other key length. Because infra/secret.yml is committed to the model repository, anyone with read access to that repository can decrypt every secret Barbican stores, so restrict access to the repository accordingly.
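The placeholder is easy to leave in place, and a KEK that does not decode to exactly 32 bytes leaves Barbican unable to encrypt anything. The script below is an added example, not code from the MCP documentation or the Barbican project: it generates a suitable KEK from the kernel CSPRNG, checks a candidate value, and renders the infra/secret.yml fragment. The function names and the --demo flag are the example's own; the parameter name barbican_simple_crypto_kek is the one used in this procedure.

```shell
#!/bin/sh
# Added example (not part of the MCP docs or Barbican): generate and validate
# a key encryption key (KEK) for Barbican's simple_crypto plugin. The value
# of barbican_simple_crypto_kek must be the base64 encoding of exactly
# 32 random bytes.

# Generate a fresh KEK from the kernel CSPRNG as a single base64 line.
gen_kek() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Check that a candidate KEK decodes to exactly 32 bytes. Prints "ok" on
# success; otherwise prints the reason and returns 1. This catches the
# usual mistakes: the documentation placeholder left in place, a 16-byte
# key pasted by accident, or a string that is not base64 at all.
check_kek() {
    kek=$1
    n=$(printf '%s' "$kek" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    if [ "$n" -ne 32 ]; then
        echo "bad: decodes to $n bytes, need 32"
        return 1
    fi
    echo ok
}

# Render the reclass fragment for infra/secret.yml with the given key.
render_kek_param() {
    printf 'parameters:\n  _param:\n    barbican_simple_crypto_kek: "%s"\n' "$1"
}

# Usage: sh kek.sh --demo  (generate, validate, print the fragment to paste)
if [ "${1:-}" = "--demo" ]; then
    kek=$(gen_kek)
    check_kek "$kek" >/dev/null && render_kek_param "$kek"
fi
```

Run check_kek against the value already in your model before applying the states; a rejected value means the controllers would come up with a KEK Barbican cannot use.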
In openstack/proxy.yml, add the following class:
classes:
- system.nginx.server.proxy.openstack.barbican
Optional. Enable image verification:
In openstack/compute/init.yml, add the following parameters:
parameters:
  _param:
    nova:
      compute:
        barbican:
          enabled: ${_param:barbican_integration_enabled}
In openstack/control.yml, add the following parameters:
parameters:
  _param:
    nova:
      controller:
        barbican:
          enabled: ${_param:barbican_integration_enabled}
Note
This configuration changes the requirements for the Glance image upload procedure: Nova verifies image signatures against certificates stored in Barbican, so every Glance image must carry the signature properties (img_signature, img_signature_hash_method, img_signature_key_type, and img_signature_certificate_uuid) before it can be used to boot an instance. For details, see: OpenStack Nova and OpenStack Glance documentation.
Optional. In openstack/control.yml, enable volume encryption supported by the key manager:
parameters:
  _param:
    cinder:
      volume:
        barbican:
          enabled: ${_param:barbican_integration_enabled}
Optional. In init.yml, add the following parameters if you plan to use a self-signed certificate managed by Salt:
parameters:
  _param:
    salt:
      minion:
        trusted_ca_minions:
        - cfg01
Commit and push the changes to the project Git repository.
Log in to the Salt Master node.
Update your Salt formulas at the system level in /srv/salt/reclass.
If you enabled the usage of a self-signed certificate managed by Salt, apply the following state:
salt -C 'I@salt:minion' state.apply salt.minion
If you enabled image verification by Nova, apply the following states:
salt -C 'I@nova:controller' state.sls nova -b 1
salt -C 'I@nova:compute' state.sls nova
If you enabled volume encryption supported by the key manager, apply the following state:
salt -C 'I@cinder:controller' state.sls cinder -b 1
Apply the following states:
salt -C 'I@keystone:client' state.apply keystone.client
salt -C 'I@galera:master' state.apply galera.server
salt -C 'I@galera:slave' state.apply galera
salt -C 'I@nginx:server' state.apply nginx
salt -C 'I@haproxy:proxy' state.apply haproxy.proxy
salt -C 'I@barbican:server and *01*' state.sls barbican.server
salt -C 'I@barbican:server' state.sls barbican.server
salt -C 'I@barbican:client' state.sls barbican.client
Keep this order: the Keystone and Galera states create the Barbican service user, endpoints and database that the Barbican states depend on, and the first controller node (*01*) is configured on its own before the rest so that the one-time database schema initialization does not run concurrently on several nodes. After the states complete, confirm the deployment by storing and reading back a test secret through the Barbican API, and check that the KEK in barbican.conf on the controllers is the value you set in infra/secret.yml rather than the placeholder.