Key Manager service¶

MOSK Key Manager service (OpenStack Barbican) provides secure storage, provisioning, and management of cloud application secret data, such as Symmetric Keys, Asymmetric Keys, Certificates, and raw binary data.

Configuring the Vault back end¶

Parameter	`features:barbican:backends:vault`
Usage	Specifies the object containing the Vault parameters to connect to Barbican. The list of supported options includes: `enabled` - boolean parameter indicating that the Vault back end is enabled `approle_role_id` 0 - Vault app role ID `approle_secret_id` 0 - secret ID created for the app role `vault_url` - URL of the Vault server `use_ssl` - enables the SSL encryption. Since MOSK does not currently support the Vault SSL encryption, the `use_ssl` parameter should be set to `false` `kv_mountpoint` ^TechPreview - optional, specifies the mountpoint of a Key-Value store in Vault to use `namespace` ^TechPreview - optional, specifies the Vault namespace to use with all requests to Vault Note The Vault namespaces feature is available only in Vault Enterprise. Note Vault namespaces are supported only starting from the OpenStack Victoria release. If the Vault back end is used, configure it properly using the following parameters: spec: features: barbican: backends: vault: enabled: true approle_role_id: <APPROLE_ROLE_ID> approle_secret_id: <APPROLE_SECRET_ID> vault_url: <VAULT_SERVER_URL> use_ssl: false Note Since MOSK does not currently support the Vault SSL encryption, set the `use_ssl` parameter to `false`.

Parameter

features:barbican:backends:vault

Usage

Specifies the object containing the Vault parameters to connect to Barbican.

The list of supported options includes:

enabled - boolean parameter indicating that the Vault back end is enabled
approle_role_id 0 - Vault app role ID
approle_secret_id 0 - secret ID created for the app role
vault_url - URL of the Vault server
use_ssl - enables the SSL encryption. Since MOSK does not currently support the Vault SSL encryption, the use_ssl parameter should be set to false
kv_mountpoint ^TechPreview - optional, specifies the mountpoint of a Key-Value store in Vault to use
namespace ^TechPreview - optional, specifies the Vault namespace to use with all requests to Vault

Note

The Vault namespaces feature is available only in Vault Enterprise.

Note

Vault namespaces are supported only starting from the OpenStack Victoria release.

If the Vault back end is used, configure it properly using the following parameters:

spec:
  features:
    barbican:
      backends:
        vault:
          enabled: true
          approle_role_id: <APPROLE_ROLE_ID>
          approle_secret_id: <APPROLE_SECRET_ID>
          vault_url: <VAULT_SERVER_URL>
          use_ssl: false

Note

Since MOSK does not currently support the Vault SSL encryption, set the use_ssl parameter to false.

0(1,2)

Setting this field in the OpenStackDeployment custom resource has been deprecated. Use OpenStackDeploymentSecret custom resource to define the cloud’s secret parameters.

For the deprecation details, refer to OpenStackDeployment CR fields containing cloud secret parameters.