Bug 1852851

Summary: [RFE] DCN - Support for barbican at the edge
Product: Red Hat OpenStack Reporter: Gregory Charot <gcharot>
Component: openstack-tripleo-heat-templatesAssignee: Alan Bishop <abishop>
Status: CLOSED ERRATA QA Contact: Tzach Shefi <tshefi>
Severity: high Docs Contact:
Priority: medium    
Version: 16.1 (Train)CC: abishop, alee, gcharot, gregraka, hrybacki, jamsmith, johfulto, ltoscano, mburns, nwolf, spower, tvignaud
Target Milestone: z2Keywords: FutureFeature, Triaged
Target Release: 16.1 (Train on RHEL 8.2)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-tripleo-heat-templates-11.3.2-1.20200905153422.e621f61 Doc Type: Enhancement
Doc Text:
This update adds support for encrypted volumes and images on distributed compute nodes (DCN). + DCN nodes can now access the Key Manager service (barbican) running in the central control plane. + NOTE: This feature adds a new Key Manager client service to all DCN roles. To implement the feature, regenerate the `roles.yaml` file used for the DCN site's deployment. + For example: + ---- $ openstack overcloud roles generate DistributedComputeHCI DistributedComputeHCIScaleOut -o ~/dcn0/roles_data.yaml ---- + Use the appropriate path to the roles data file.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-10-28 15:38:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1802774, 1879666    

Description Gregory Charot 2020-07-01 12:48:15 UTC 
Description of problem:

As a user, I would like to have DCN edge nodes able to use Barbican (hosted in central site).

Support for Barbican in a DCN / Multi stacks context. Currently the central stack is correctly configured (controllers and computes) but the edge stacks are not. 
We need to apply barbican configuration on the edge stacks for nova, cinder and glance services.

Version-Release number of selected component (if applicable):
16.1.0

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Alan Bishop 2020-07-01 13:45:35 UTC 
I want to refine the problem description to avoid potential misunderstanding. The goal is not to deploy barbican at the edge, but to allow edge nodes to access the barbican service in the control plane (i.e. running in the central site). The edge services that need access to barbican are cinder-volume, glance-api and nova-compute, and this entails configuring a few parameters the services use to access their Key Manager (e.g. barbican). In the control plane, the barbican THT configures the services at [1],[2],[3].

[1] https://opendev.org/openstack/tripleo-heat-templates/src/branch/stable/train/deployment/barbican/barbican-api-container-puppet.yaml#L281
[2] https://opendev.org/openstack/tripleo-heat-templates/src/branch/stable/train/deployment/barbican/barbican-api-container-puppet.yaml#L288
[3] https://opendev.org/openstack/tripleo-heat-templates/src/branch/stable/train/deployment/barbican/barbican-api-container-puppet.yaml#L274

Unfortunately, the control plane's Key Manager hiera data is not exported to the edge sites. The solution I have in mind is to create a new, lightweight "barbican-api-edge" service that provides the relevant data. This new THT will not actually run the barbican service, it will simply generate the same Key Manager settings so that the edge services will access barbican in the control plane.
Comment 2 Alan Bishop 2020-08-04 12:39:38 UTC 
The patch has merged on upstream stable/train, and will be included in the next import for z2.
Comment 12 Luigi Toscano 2020-10-16 12:09:38 UTC 
Tested on DCN environment with the latest 16.1.2 candidate, with barbican deployed centrally.

Verified using:
barbican_tempest_plugin.tests.scenario.test_volume_encryption.VolumeEncryptionTest.test_encrypted_cinder_volumes_luks
configured to create volumes using the az-dcn2 availability zone (and the associated dcn2) by changing tempest.conf:
compute.compute_volume_common_az = az-dcn2

openstack-tempest-23.0.0-0.20200609093435.d432237
barbican-tempest-plugin from commit a4523f3572082e6a9eb2611d0f21798bf3c132d5 (basically 1.1.0).
Comment 18 errata-xmlrpc 2020-10-28 15:38:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.1 bug fix and enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:4284