Looks like I missed this so I'm late to the party, but:<div><br></div><div>Ade is technically correct, Octavia doesn't explicitly depend on Barbican, as we do support castellan generically.</div><div><br></div><div>*HOWEVER*: we don't just store and retrieve our own secrets -- we rely on loading up user created secrets. This means that for Octavia to work, even if we use castellan, we still need some way for users to interact with the secret store via an API, and what that means in openstack is still Barbican. So I would still say that Barbican is a dependency for us logistically, if not technically.</div><div><br></div><div>For example, internally at GoDaddy we were investigating deploying Vault with a custom user-facing API/UI for allowing users to store secrets that could be consumed by Octavia with castellan (don't get me started on how dumb that is, but it's what we were investigating).</div><div>The correct way to do this in an openstack environment is the openstack secret store API, which is Barbican. So, while I am personally dealing with an example of very painfully avoiding Barbican (which may have been a non-issue if Barbican were a base service), I have a tough time reconciling not including Barbican itself as a requirement.</div><div><br></div><div> --Adam (rm_work)<br><br><div class="gmail_quote"><div dir="ltr">On Wed, Jun 20, 2018, 11:37 Jeremy Stanley <<a href="mailto:fungi@yuggoth.org">fungi@yuggoth.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 2018-06-06 01:29:49 +0000 (+0000), Jeremy Stanley wrote:<br>
[...]<br>
> Seeing no further objections, I give you<br>
> <a href="https://review.openstack.org/572656" rel="noreferrer" target="_blank">https://review.openstack.org/572656</a> for the next step.<br>
<br>
That change merged just a few minutes ago, and<br>
<a href="https://governance.openstack.org/tc/reference/base-services.html#current-list-of-base-services" rel="noreferrer" target="_blank">https://governance.openstack.org/tc/reference/base-services.html#current-list-of-base-services</a><br>
now includes:<br>
<br>
A Castellan-compatible key store<br>
<br>
OpenStack components may keep secrets in a key store, using<br>
Oslo’s Castellan library as an indirection layer. While<br>
OpenStack provides a Castellan-compatible key store service,<br>
Barbican, other key store backends are also available for<br>
Castellan. Note that in the context of the base services set<br>
Castellan is intended only to provide an interface for services<br>
to interact with a key store, and it should not be treated as a<br>
means to proxy API calls from users to that key store. In order<br>
to reduce unnecessary exposure risks, any user interaction with<br>
secret material should be left to a dedicated API instead<br>
(preferably as provided by Barbican).<br>
<br>
Thanks to everyone who helped brainstorming/polishing, and here's<br>
looking forward to a ubiquity of default security features and<br>
functionality in future OpenStack releases!<br>
-- <br>
Jeremy Stanley<br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</blockquote></div></div>