Deploy Barbican with the simple_crypto back end¶

You can configure and deploy Barbican with the simple_crypto back end.

To deploy Barbican with the simple_crypto back end:

1. Open the classes/cluster/<cluster_name>/ directory of your Git project repository.

2. In openstack/database/init.yml, add the following class:

   classes:
   - system.mysql.client.database.barbican
   

3. In openstack/control/init.yml, add the following class:

   classes:
   - system.keystone.client.service.barbican
   

4. In infra/openstack/control.yml, modify the parameters section. For example:

   classes:
   - system.apache.server.site.barbican
   - system.barbican.server.cluster
   - service.barbican.server.plugin.simple_crypto
   
   parameters:
     _param:
       barbican:
         server:
           store:
             software:
               crypto_plugin: simple_crypto
               store_plugin: store_crypto
               global_default: True
   

5. In infra/secret.yml, modify the parameters section. For example:

   parameters:
     _param:
       barbican_version: ${_param:openstack_version}
       barbican_service_host: ${_param:openstack_control_address}
       mysql_barbican_password: password123
       keystone_barbican_password: password123
       barbican_simple_crypto_kek: "base64 encoded 32 bytes as secret key"
   

6. In openstack/proxy.yml, add the following class:

   classes:
   - system.nginx.server.proxy.openstack.barbican
   

7. Optional. Enable image verification:

   1. In openstack/compute/init.yml, add the following parameters:

      parameters:
        _param:
          nova:
            compute:
              barbican:
                enabled: ${_param:barbican_integration_enabled}
      

   2. In openstack/control.yml, add the following parameters:

      parameters:
        _param:
          nova:
            controller:
              barbican:
                enabled: ${_param:barbican_integration_enabled}
      

   Note

   This configuration changes the requirement for the Glance image upload procedure. All glance images will have to be updated with signature information. For details, see: OpenStack Nova and OpenStack Glance documentation.

8. Optional. In openstack/control.yml, enable volume encryption supported by the key manager:

   parameters:
     _param:
        cinder:
          volume:
            barbican:
              enabled: ${_param:barbican_integration_enabled}
   

9. Optional. In init.yml, add the following parameters if you plan to use a self-signed certificate managed by Salt:

   parameters:
     _param:
       salt:
         minion:
           trusted_ca_minions:
             - cfg01
   

10. Commit and push the changes to the project Git repository.

11. Log in to the Salt Master node.

12. Update your Salt formulas at the system level:

    1. Change the directory to /srv/salt/reclass.
    2. Run the git pull origin master command.
    3. Run the salt-call state.sls salt.master command.

13. If you enabled the usage of a self-signed certificate managed by Salt, apply the following state:

    salt -C 'I@salt:minion' state.apply salt.minion
    

14. If you enabled image verification by Nova, apply the following states:

    salt -C 'I@nova:controller' state.sls nova -b 1
    salt -C 'I@nova:compute' state.sls nova
    

15. If you enabled volume encryption supported by the key manager, apply the following state:

    salt -C 'I@cinder:controller' state.sls cinder -b 1
    

16. Apply the following states:

    salt -C 'I@keystone:client' state.apply keystone.client
    salt -C 'I@galera:master' state.apply galera.server
    salt -C 'I@galera:slave' state.apply galera
    salt -C 'I@nginx:server' state.apply nginx
    salt -C 'I@haproxy:proxy' state.apply haproxy.proxy
    salt -C 'I@barbican:server and *01*' state.sls barbican.server
    salt -C 'I@barbican:server' state.sls barbican.server
    salt -C 'I@barbican:client' state.sls barbican.client