We jubilantly announce the release of:

barbican 20.0.0

This release is part of the epoxy release series.

The source is available from:

    https://opendev.org/openstack/barbican

Download the package from:

    https://tarballs.openstack.org/barbican/

Please report issues through:

    https://bugs.launchpad.net/barbican/+bugs

For more details, please see below.

20.0.0
^^^^^^

New Features

* Key-encryption-key rotation has been implemented for the Simple
  Crypto plugin backend. A new symmetric Fernet key can be created and
  added to the configuration file at any time. The *kek* option in the
  *[simple_crypto_plugin]* section can now be specified multiple times.
  When more than one KEK is configured, the first key is used to encrypt
  new project-specific keys (pKEKs) and the rest of the keys are only
  used to decrypt existing data.

  A new sub-command has been added to *barbican-manage* to re-encrypt
  existing pKEKs using the first *kek* in the config file. This command
  can be executed to ensure that all pKEKs in the database are
  re-encrypted with a specific key.

  To fully rotate an existing KEK, you can now generate a new KEK to
  replace an existing key. You can add the new key as the first *kek* in
  the configuration file, and keep the existing key as the second *kek*.
  Then you can execute *barbican-manage simple_crypto rewrap_pkek* to
  re-encrypt all existing pKEKs with the new key. After the command
  executes, you can remove any previous keys from the config file.
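The rotation order described above, as an added illustration that is not Barbican's own code: it uses the `cryptography` library's `MultiFernet` (named in change cfba1c1b) directly. The in-memory dict standing in for the pKEK table, the project names, and the helper names `kek_ring`, `rewrap_all` and `all_unwrap` are assumptions made for this example.

```python
from cryptography.fernet import Fernet, InvalidToken, MultiFernet


def kek_ring(keks):
    """Config order matters: keks[0] encrypts, every entry may decrypt."""
    return MultiFernet([Fernet(k) for k in keks])


def rewrap_all(store, keks):
    """Re-encrypt each stored pKEK token under keks[0] (the rewrap step)."""
    ring = kek_ring(keks)
    return {project: ring.rotate(token) for project, token in store.items()}


def all_unwrap(store, keks, expected):
    """True if every stored token decrypts to its expected pKEK with keks."""
    ring = kek_ring(keks)
    try:
        return all(ring.decrypt(tok) == expected[p] for p, tok in store.items())
    except InvalidToken:
        return False


def rotation_walkthrough():
    # Constructed sample data: two KEKs and two project pKEKs, generated here.
    old_kek, new_kek = Fernet.generate_key(), Fernet.generate_key()
    pkeks = {p: Fernet.generate_key() for p in ("project-a", "project-b")}
    store = {p: Fernet(old_kek).encrypt(k) for p, k in pkeks.items()}

    result = {}
    # New KEK listed first, old KEK kept second: existing rows still decrypt.
    result["both_before_rewrap"] = all_unwrap(store, [new_kek, old_kek], pkeks)
    # Dropping the old KEK before the rewrap would strand every pKEK.
    result["new_only_before_rewrap"] = all_unwrap(store, [new_kek], pkeks)

    store = rewrap_all(store, [new_kek, old_kek])

    # After the rewrap the old KEK can be removed from the config...
    result["new_only_after_rewrap"] = all_unwrap(store, [new_kek], pkeks)
    # ...and it no longer opens anything in the store.
    result["old_only_after_rewrap"] = all_unwrap(store, [old_kek], pkeks)
    return result


if __name__ == "__main__":
    for check, ok in rotation_walkthrough().items():
        print(f"{check}: {ok}")
```

The second check is the failure mode to watch for in a real rotation: removing the old *kek* before the rewrap has run leaves every existing pKEK undecryptable.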
Changes in barbican 19.0.0..20.0.0
----------------------------------

4500d9f4 Enable pKEK rewrap with SimpleCrypto
cfba1c1b Use MultiFernet to enable more than one KEK
bf788731 Imported Translations from Zanata
acd76fba Updating tox runtimes for 2025.1
16685c9e Enable new default
16ff9bc2 reno: Update master for unmaintained/2023.1
bae6737c Increase unit testing coverage for PKCS#11
ccaa1039 Update gate jobs as per the 2025.1 cycle testing runtime
7b36764c Fix typo in wrap_key function
0d4101fa Configure mechanism for wrapping pKEKs
b365afcd Replace deprecated datetime.utcnow()
4110cd8a Remove default override for config options policy_file
52f4d5ca Add note about requirements lower bounds
72b2d693 Remove Python 3.8 support
e1f7b30e Imported Translations from Zanata
45b01d35 Drop SQLALCHEMY_WARN_20
1321a2ab Update master for stable/2024.2
1046886f Imported Translations from Zanata
3d961ae1 Remove unused versionbuild script

Diffstat (except docs and test files)
-------------------------------------

.zuul.yaml | 1 +
barbican/cmd/barbican_manage.py | 31 ++++-
barbican/cmd/kek_rewrap.py | 77 +++++++++++
barbican/cmd/pkcs11_kek_rewrap.py | 58 +-------
barbican/cmd/simple_crypto_kek_rewrap.py | 46 +++++++
barbican/common/config.py | 11 --
barbican/common/policy.py | 4 -
barbican/locale/en_GB/LC_MESSAGES/barbican.po | 24 ++--
barbican/locale/zh_CN/LC_MESSAGES/barbican.po | 5 +-
barbican/plugin/crypto/p11_crypto.py | 98 ++++++++-----
barbican/plugin/crypto/pkcs11.py | 151 +++++++++++++--------
barbican/plugin/crypto/simple_crypto.py | 21 ++-
barbican/queue/retry_scheduler.py | 4 +-
barbican/queue/server.py | 3 +-
.../test_repositories_certificate_authorities.py | 14 +-
.../test_repositories_order_retry_tasks.py | 6 +-
.../repositories/test_repositories_secrets.py | 3 +-
bin/versionbuild.py | 85 ------------
bindep.txt | 1 +
.../notes/fix-bug-2036506-bf171b5949495457.yaml | 22 +++
.../notes/remove-py38-ecd3b5c9b6799e75.yaml | 5 +
...imple-crypto-kek-rotation-b8fe76b32aa76190.yaml | 22 +++ ...imple-crypto-multiple-kek-939d7fae5657ca8e.yaml | 18 +++ releasenotes/source/2023.1.rst | 2 +- releasenotes/source/2024.2.rst | 6 + releasenotes/source/index.rst | 1 + .../locale/en_GB/LC_MESSAGES/releasenotes.po | 120 +++++++++++++++- requirements.txt | 8 +- setup.cfg | 4 +- tox.ini | 4 +- 41 files changed, 739 insertions(+), 373 deletions(-) Requirements updates -------------------- diff --git a/requirements.txt b/requirements.txt index 945e81f3..44d7be0d 100644 --- a/requirements.txt +++ b/requirements.txt @@ -0,0 +1,4 @@ +# Requirements lower bounds listed here are our best effort to keep them up to +# date but we do not test them so no guarantee of having them all correct. If +# you find any incorrect lower bounds, let us know or propose a fix. + @@ -13 +17 @@ oslo.log>=4.3.0 # Apache-2.0 -oslo.policy>=3.11.0 # Apache-2.0 +oslo.policy>=4.5.0 # Apache-2.0 @@ -17 +21 @@ oslo.upgradecheck>=1.3.0 # Apache-2.0 -oslo.utils>=3.33.0 # Apache-2.0 +oslo.utils>=7.0.0 # Apache-2.0
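Review bot: The header comment added in the first hunk of requirements.txt asks readers to "let us know" about wrong lower bounds but gives no pointer for doing so. Since the bounds are stated to be untested, name the bug tracker in the comment so a packager who hits a bad floor knows where to report it.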
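Review bot: The oslo.policy floor in the second hunk moves from 3.11.0 to 4.5.0, a major-version jump, and nothing on the changed line or in the release notes for 20.0.0 says which change requires it. Deployments pinned to an older oslo.policy will only find out at install time, so add an upgrade note naming the new minimum and the reason; the same applies to oslo.utils>=7.0.0 in the following hunk.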