[openstack-dev] [tripleo] [barbican] [tc] key store in base services

Ade Lee alee at redhat.com
Wed May 30 19:58:14 UTC 2018

On Thu, 2018-05-17 at 09:58 +0200, Thierry Carrez wrote:
> Jeremy Stanley wrote:
> > [...]
> > As a community, we're likely to continue to make imbalanced
> > trade-offs against relevant security features if we don't move
> > forward and declare that some sort of standardized key storage
> > solution is a fundamental component on which OpenStack services can
> > rely. Being able to just assume that you can encrypt volumes in
> > Swift, even as a means to further secure a TripleO undercloud, would
> > be a step in the right direction for security-minded deployments.
> > 
> > Unfortunately, I'm unable to find any follow-up summary on the
> > mailing list from the aforementioned session, but recollection from
> > those who were present (I had a schedule conflict at that time) was
> > that a Castellan-compatible key store would at least be a candidate
> > for inclusion in our base services list:
> > 
> > https://governance.openstack.org/tc/reference/base-services.html
> Yes, last time this was discussed, there was lazy consensus that adding
> "a Castellan-compatible secret store" would be a good addition to the
> base services list if we wanted to avoid proliferation of half-baked
> keystore implementations in various components.
> The two blockers were:
> 1/ castellan had to be made less Barbican-specific, offer at least one
> other secrets store (Vault), and move under Oslo (done)
> 2/ some projects (was it Designate? Octavia?) were relying on advanced
> functions of Barbican not generally found in other secrets store, like
> certificate generation, and so would prefer to depend on Barbican
> itself, which confuses the messaging around the base service addition a
> bit ("any Castellan-supported secret store as long as it's Barbican")

As far as I know, Octavia no longer depends on Barbican-specific
functions. Rather, they use castellan now.

And the current oslo-config work provides secrets through a castellan

So it seems that the two blockers above have been resolved. So is it
time to add a castellan-compatible secret store to the base services?
