Key Manager service

MOSK Key Manager service (OpenStack Barbican) provides secure storage, provisioning, and management of cloud application secret data, such as Symmetric Keys, Asymmetric Keys, Certificates, and raw binary data.

Configuring the Vault back end

Parameter

features:barbican:backends:vault

Usage

Specifies the object containing the parameters that Barbican uses to connect to Vault.

The list of supported options includes:

  • enabled - boolean parameter indicating that the Vault back end is enabled

  • approle_role_id [1] - Vault AppRole role ID

  • approle_secret_id [1] - secret ID created for the AppRole

  • vault_url - URL of the Vault server

  • use_ssl - enables SSL encryption for the connection to Vault. Since MOSK does not currently support SSL encryption for Vault, set the use_ssl parameter to false

  • kv_mountpoint (TechPreview) - optional, specifies the mount point of the Key-Value store in Vault to use

  • namespace (TechPreview) - optional, specifies the Vault namespace to use with all requests to Vault

    Note

    The Vault namespaces feature is available only in Vault Enterprise.

    Note

    Vault namespaces are supported only starting from the OpenStack Victoria release.

If the Vault back end is used, configure it properly using the following parameters:

spec:
  features:
    barbican:
      backends:
        vault:
          enabled: true
          approle_role_id: <APPROLE_ROLE_ID>
          approle_secret_id: <APPROLE_SECRET_ID>
          vault_url: <VAULT_SERVER_URL>
          use_ssl: false

Note

Since MOSK does not currently support the Vault SSL encryption, set the use_ssl parameter to false.

[1] (approle_role_id, approle_secret_id)

Setting this field in the OpenStackDeployment custom resource has been deprecated. Use the OpenStackDeploymentSecret custom resource to define the cloud's secret parameters.

For the deprecation details, refer to OpenStackDeployment CR fields containing cloud secret parameters.
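The following script is an added example (not MOSK documentation or Mirantis code) that lints the features:barbican:backends:vault block of an OpenStackDeployment manifest against the options described above: it rejects leftover <...> placeholders and use_ssl: true, warns when approle_role_id or approle_secret_id are still set in OpenStackDeployment instead of OpenStackDeploymentSecret, and reminds the operator of the Vault Enterprise requirement when namespace is set. The OpenStackDeploymentSecret schema is not described on this page, so the caller states through the credentials_in_secret flag whether the AppRole credentials live there. The tiny YAML parser handles only the nested key: value subset used in the manifest (an assumption that avoids a PyYAML dependency); the sample manifests are constructed.

```python
"""Lint the Barbican Vault back-end block of an OpenStackDeployment resource.
Added example, not MOSK documentation or Mirantis code. The YAML parser below
covers only the nested 'key: value' subset used on the page (no lists, no quoting).
"""
from urllib.parse import urlparse

SUPPORTED = {"enabled", "approle_role_id", "approle_secret_id", "vault_url",
             "use_ssl", "kv_mountpoint", "namespace"}
SECRET_FIELDS = {"approle_role_id", "approle_secret_id"}  # deprecated in OpenStackDeployment
VAULT_PATH = ("spec", "features", "barbican", "backends", "vault")


def parse_simple_yaml(text):
    """Parse nested 'key: value' mappings indented with spaces into dicts of strings."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) of the enclosing blocks
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, sep, value = raw.strip().partition(":")
        if not sep:
            raise ValueError(f"expected 'key: value', got {raw!r}")
        while stack[-1][0] >= indent:  # leave blocks indented at or deeper than this line
            stack.pop()
        value = value.strip()
        if value:
            stack[-1][1][key] = value
        else:  # 'key:' with nothing after it opens a nested mapping
            child = {}
            stack[-1][1][key] = child
            stack.append((indent, child))
    return root


def _as_bool(value):
    """Map the YAML spellings true/false to bool; None if the value is not a boolean."""
    return {"true": True, "false": False}.get(str(value).strip().lower())


def _is_placeholder(value):
    return isinstance(value, str) and value.startswith("<") and value.endswith(">")


def lint_vault_backend(doc, credentials_in_secret=False):
    """Return (severity, message) findings for the vault block of a parsed manifest."""
    # credentials_in_secret: the operator placed the AppRole credentials in
    # OpenStackDeploymentSecret (its schema is assumed, not shown on the page).
    vault = doc
    for part in VAULT_PATH:
        vault = vault.get(part) if isinstance(vault, dict) else None
    if not isinstance(vault, dict):
        return [("info", "no features:barbican:backends:vault block; Vault back end not configured")]

    findings = [("warning", f"unsupported option {k!r}") for k in sorted(set(vault) - SUPPORTED)]
    enabled = _as_bool(vault.get("enabled", "false"))
    if enabled is None:
        return findings + [("error", "enabled must be true or false")]
    if not enabled:
        return findings

    # Placeholders copied verbatim from the docs are a common deployment mistake.
    findings += [("error", f"{k} still holds the placeholder {v}") for k, v in vault.items() if _is_placeholder(v)]

    url = vault.get("vault_url")
    if not url:
        findings.append(("error", "vault_url is required when the Vault back end is enabled"))
    elif not _is_placeholder(url):
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            findings.append(("error", f"vault_url {url!r} is not an http(s) URL"))

    use_ssl = _as_bool(vault.get("use_ssl", "false"))
    if use_ssl is None:
        findings.append(("error", "use_ssl must be true or false"))
    elif use_ssl:
        findings.append(("error", "use_ssl must be false: MOSK does not support Vault SSL encryption"))

    present = SECRET_FIELDS & set(vault)
    findings += [("warning", f"{k} in OpenStackDeployment is deprecated; move it to OpenStackDeploymentSecret")
                 for k in sorted(present)]
    if not credentials_in_secret:
        findings += [("error", f"{k} missing and not provided via OpenStackDeploymentSecret")
                     for k in sorted(SECRET_FIELDS - present)]
    if "namespace" in vault:
        findings.append(("info", "namespace requires Vault Enterprise and OpenStack Victoria or later (TechPreview)"))
    return findings


# Constructed sample manifests (hypothetical hostname, credentials kept out of the CR).
SAMPLE_GOOD = """\
spec:
  features:
    barbican:
      backends:
        vault:
          enabled: true
          vault_url: http://vault.example.internal:8200
          use_ssl: false
"""
SAMPLE_BAD = """\
spec:
  features:
    barbican:
      backends:
        vault:
          enabled: true
          approle_role_id: <APPROLE_ROLE_ID>
          approle_secret_id: <APPROLE_SECRET_ID>
          vault_url: <VAULT_SERVER_URL>
          use_ssl: true
          namespace: tenant-a
"""

if __name__ == "__main__":
    for name, text, in_secret in (("good", SAMPLE_GOOD, True), ("bad", SAMPLE_BAD, False)):
        print(f"== {name} ==")
        for severity, message in lint_vault_backend(parse_simple_yaml(text), in_secret):
            print(f"{severity}: {message}")
```

Run it before applying a manifest: the good sample produces no findings once the credentials are confirmed to be in OpenStackDeploymentSecret, while the bad sample reports the unreplaced placeholders, the unsupported use_ssl: true, the deprecated credential fields and the namespace caveat.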