Deploy Barbican with the simple_crypto backend


Warning

The deployment of Barbican with the simple_crypto backend described in this section is intended for testing and evaluation purposes only. For production deployments, use the Dogtag backend. For details, see: Deploy Dogtag.

You can configure and deploy Barbican with the simple_crypto backend.

To deploy Barbican with the simple_crypto backend:

  1. Open the classes/cluster/<cluster_name>/ directory of your Git project repository.

  2. In openstack/database/init.yml, add the following class:

    classes:
    - system.mysql.client.database.barbican
    
  3. In openstack/control/init.yml, add the following class:

    classes:
    - system.keystone.client.service.barbican
    
  4. In infra/openstack/control.yml, modify the parameters section. For example:

    classes:
    - system.apache.server.site.barbican
    - system.barbican.server.cluster
    - service.barbican.server.plugin.simple_crypto
    
    parameters:
      _param:
        barbican:
          server:
            store:
              software:
                crypto_plugin: simple_crypto
                store_plugin: store_crypto
                global_default: True
    
  5. In infra/secret.yml, modify the parameters section. For example:

    parameters:
      _param:
        barbican_version: ${_param:openstack_version}
        barbican_service_host: ${_param:openstack_control_address}
        mysql_barbican_password: password123
        keystone_barbican_password: password123
        barbican_simple_crypto_kek: "base64 encoded 32 bytes as secret key"
    
  6. In openstack/proxy.yml, add the following class:

    classes:
    - system.nginx.server.proxy.openstack.barbican
    
  7. Optional. Enable image verification:

    1. In openstack/compute/init.yml, add the following parameters:

      parameters:
        _param:
          nova:
            compute:
              barbican:
                enabled: ${_param:barbican_integration_enabled}
      
    2. In openstack/control.yml, add the following parameters:

      parameters:
        _param:
          nova:
            controller:
              barbican:
                enabled: ${_param:barbican_integration_enabled}
      

    Note

    This configuration changes the requirements for the Glance image upload procedure: every Glance image must be uploaded with signature information, or Nova will refuse to boot from it. For details, see the OpenStack Nova and OpenStack Glance documentation.

  8. Optional. In openstack/control.yml, enable volume encryption supported by the key manager:

    parameters:
      _param:
        cinder:
          volume:
            barbican:
              enabled: ${_param:barbican_integration_enabled}
    
  9. Optional. In init.yml, add the following parameters if you plan to use a self-signed certificate managed by Salt:

    parameters:
      _param:
        salt:
          minion:
            trusted_ca_minions:
              - cfg01
    
  10. Commit and push the changes to the project Git repository.

  11. Log in to the Salt Master node.

  12. Update your Salt formulas at the system level:

    1. Change the directory to /srv/salt/reclass.
    2. Run the git pull origin master command.
    3. Run the salt-call state.sls salt.master command.

  13. If you enabled the usage of a self-signed certificate managed by Salt, apply the following state:

    salt -C 'I@salt:minion' state.apply salt.minion
    
  14. If you enabled image verification by Nova, apply the following states:

    salt -C 'I@nova:controller' state.sls nova -b 1
    salt -C 'I@nova:compute' state.sls nova
    
  15. If you enabled volume encryption supported by the key manager, apply the following state:

    salt -C 'I@cinder:controller' state.sls cinder -b 1
    
  16. Apply the following states:

    salt -C 'I@keystone:client' state.apply keystone.client
    salt -C 'I@galera:master' state.apply galera.server
    salt -C 'I@galera:slave' state.apply galera
    salt -C 'I@nginx:server' state.apply nginx
    salt -C 'I@haproxy:proxy' state.apply haproxy.proxy
    salt -C 'I@barbican:server and *01*' state.sls barbican.server
    salt -C 'I@barbican:server' state.sls barbican.server
    salt -C 'I@barbican:client' state.sls barbican.client
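The `barbican_simple_crypto_kek` value in step 5 is a placeholder: the simple_crypto plugin expects the base64 encoding of exactly 32 random bytes, and a short or malformed value only surfaces later as a failed secret store or retrieve. The POSIX shell helpers below are an added example, not part of this documentation or of the MCP Salt formulas; the function names are assumed. They generate a key from the kernel CSPRNG and check that a candidate value decodes to 32 bytes before it is written into infra/secret.yml.

```shell
#!/bin/sh
# Added example: generate and validate a Barbican simple_crypto KEK.
# Not part of the MCP documentation or formulas; function names are assumed.
# simple_crypto expects the KEK to be base64 of exactly 32 random bytes.

# Print a fresh KEK: 32 bytes from /dev/urandom, base64-encoded on one line.
barbican_gen_kek() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Return 0 if $1 is base64 that decodes to exactly 32 bytes, 1 otherwise.
# Invalid base64 yields a short (or empty) decode, so it fails the length test.
barbican_check_kek() {
    decoded_len=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c)
    [ "$((decoded_len))" -eq 32 ]
}

# Print the infra/secret.yml pillar line for a validated KEK; refuse bad input.
barbican_kek_pillar_line() {
    barbican_check_kek "$1" || { echo "error: KEK must be base64 of 32 bytes" >&2; return 1; }
    printf '        barbican_simple_crypto_kek: "%s"\n' "$1"
}

# Usage when run directly: generate a key and print the pillar line to paste into step 5.
if [ "${0##*/}" = "gen_barbican_kek.sh" ]; then
    kek=$(barbican_gen_kek)
    barbican_kek_pillar_line "$kek"
fi
```

Run the checker against any value you intend to commit; the literal placeholder text on this page decodes to far fewer than 32 bytes and is rejected, as is a 16-byte key. The generated KEK is the root of trust for every secret stored through simple_crypto, so treat infra/secret.yml with the same access controls as the rest of the reclass secrets and rotate the key if the repository is ever exposed.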