Bug 1852851 - [RFE] DCN - Support for barbican at the edge
Summary: [RFE] DCN - Support for barbican at the edge
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 16.1 (Train)
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: high
Target Milestone: z2
Target Release: 16.1 (Train on RHEL 8.2)
Assignee: Alan Bishop
QA Contact: Tzach Shefi
URL:
Whiteboard:
Depends On:
Blocks: 1802774 1879666
 
Reported: 2020-07-01 12:48 UTC by Gregory Charot
Modified: 2020-11-12 15:18 UTC
CC List: 12 users

Fixed In Version: openstack-tripleo-heat-templates-11.3.2-1.20200905153422.e621f61
Doc Type: Enhancement
Doc Text:
This update adds support for encrypted volumes and images on distributed compute nodes (DCN).

DCN nodes can now access the Key Manager service (barbican) running in the central control plane.

NOTE: This feature adds a new Key Manager client service to all DCN roles. To implement the feature, regenerate the `roles.yaml` file used for the DCN site's deployment.

For example:

----
$ openstack overcloud roles generate DistributedComputeHCI DistributedComputeHCIScaleOut -o ~/dcn0/roles_data.yaml
----

Use the appropriate path to the roles data file.
Clone Of:
Environment:
Last Closed: 2020-10-28 15:38:12 UTC
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Launchpad 1886070 0 None None None 2020-07-02 16:40:10 UTC
OpenStack gerrit 743213 0 None MERGED Add BarbicanClient service for configuring edge sites 2021-02-11 15:22:58 UTC
Red Hat Product Errata RHEA-2020:4284 0 None None None 2020-10-28 15:38:33 UTC

Description Gregory Charot 2020-07-01 12:48:15 UTC
Description of problem:

As a user, I would like to have DCN edge nodes able to use Barbican (hosted in central site).

Support for Barbican in a DCN / Multi stacks context. Currently the central stack is correctly configured (controllers and computes) but the edge stacks are not. 
We need to apply barbican configuration on the edge stacks for nova, cinder and glance services.

Version-Release number of selected component (if applicable):
16.1.0

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Alan Bishop 2020-07-01 13:45:35 UTC
I want to refine the problem description to avoid potential misunderstanding. The goal is not to deploy barbican at the edge, but to allow edge nodes to access the barbican service in the control plane (i.e. running in the central site). The edge services that need access to barbican are cinder-volume, glance-api and nova-compute, and this entails configuring a few parameters the services use to access their Key Manager (e.g. barbican). In the control plane, the barbican THT configures the services at [1],[2],[3].

[1] https://opendev.org/openstack/tripleo-heat-templates/src/branch/stable/train/deployment/barbican/barbican-api-container-puppet.yaml#L281
[2] https://opendev.org/openstack/tripleo-heat-templates/src/branch/stable/train/deployment/barbican/barbican-api-container-puppet.yaml#L288
[3] https://opendev.org/openstack/tripleo-heat-templates/src/branch/stable/train/deployment/barbican/barbican-api-container-puppet.yaml#L274

Unfortunately, the control plane's Key Manager hiera data is not exported to the edge sites. The solution I have in mind is to create a new, lightweight "barbican-api-edge" service that provides the relevant data. This new THT will not actually run the barbican service, it will simply generate the same Key Manager settings so that the edge services will access barbican in the control plane.
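The settings comment 1 refers to are the castellan `[key_manager]` and `[barbican]` options in nova.conf, cinder.conf and glance-api.conf on the edge node. The checker below is an added example (not code from this bug, from tripleo-heat-templates, or from Alan Bishop) that parses those files and confirms each edge service is pointed at the central barbican over TLS. The option names are the standard castellan ones (`backend`, `barbican_endpoint`, `auth_endpoint`, `verify_ssl`); the hostnames, ports and the three sample config snippets are constructed placeholders, not values from any real deployment.

```python
"""Sanity-check Key Manager (barbican) client settings on a DCN edge node.

Added example, not part of the bug report or of tripleo-heat-templates.
The three edge services named in comment 1 (nova-compute, cinder-volume,
glance-api) all use castellan, so the same [key_manager]/[barbican]
sections apply to each of their .conf files.
"""
import configparser
from urllib.parse import urlparse

# Full class path castellan expects when the backend is spelled out; the
# short alias "barbican" is also accepted.
CASTELLAN_BARBICAN = "castellan.key_manager.barbican_key_manager.BarbicanKeyManager"

# Constructed sample: an edge service config after the fix (placeholder
# host/ports; the central internal-API VIP is assumed to be TLS-terminated).
EDGE_OK = """
[DEFAULT]
host = dcn2-computehci-0
[key_manager]
backend = barbican
[barbican]
barbican_endpoint = https://central.internalapi.example.com:9311
auth_endpoint = https://central.internalapi.example.com:5000/v3
verify_ssl = true
"""

# Constructed sample: the pre-fix state, where the control plane's Key
# Manager hiera data never reached the edge stack, so nothing is set.
EDGE_UNCONFIGURED = """
[DEFAULT]
host = dcn2-computehci-0
"""

# Constructed sample: configured, but over plain HTTP with TLS verification
# off. Functionally it works; the LUKS keys cross the edge WAN in clear text.
EDGE_PLAIN_HTTP = """
[key_manager]
backend = castellan.key_manager.barbican_key_manager.BarbicanKeyManager
[barbican]
barbican_endpoint = http://central.internalapi.example.com:9311
auth_endpoint = http://central.internalapi.example.com:5000/v3
verify_ssl = false
"""


def check_key_manager(conf_text, service, central_host=None):
    """Return a list of findings for one service's config text.

    An empty list means the service is correctly pointed at the central
    barbican. If central_host is given, both barbican endpoints must use
    that hostname (catches an edge site pointed at a stale or local VIP).
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(conf_text)
    findings = []

    backend = cp.get("key_manager", "backend", fallback=None)
    if backend not in ("barbican", CASTELLAN_BARBICAN):
        findings.append(f"{service}: [key_manager] backend={backend!r}, "
                        f"expected 'barbican' or {CASTELLAN_BARBICAN}")

    for opt in ("barbican_endpoint", "auth_endpoint"):
        url = cp.get("barbican", opt, fallback=None)
        if not url:
            findings.append(f"{service}: [barbican] {opt} is not set")
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append(f"{service}: [barbican] {opt}={url} is not https; "
                            "secrets and tokens would cross the WAN in clear text")
        if central_host and parsed.hostname != central_host:
            findings.append(f"{service}: [barbican] {opt} points at "
                            f"{parsed.hostname!r}, not central {central_host!r}")

    verify = cp.get("barbican", "verify_ssl", fallback="true") or "true"
    if verify.strip().lower() in ("false", "0", "no", "off"):
        findings.append(f"{service}: [barbican] verify_ssl is disabled")
    return findings


def audit_edge_node(confs, central_host):
    """confs maps service name -> config text. Returns {service: findings}
    containing only the services that have at least one finding."""
    report = {}
    for service, text in confs.items():
        findings = check_key_manager(text, service, central_host)
        if findings:
            report[service] = findings
    return report


if __name__ == "__main__":
    # On a real edge node, read /var/lib/config-data/puppet-generated/<svc>/etc/<svc>/<svc>.conf
    # for each of the three services instead of the constructed samples.
    sample = {"nova-compute": EDGE_OK, "cinder-volume": EDGE_UNCONFIGURED,
              "glance-api": EDGE_PLAIN_HTTP}
    for svc, findings in audit_edge_node(sample, "central.internalapi.example.com").items():
        for line in findings:
            print(line)
```

The check is deliberately strict about the scheme and `verify_ssl`: on a DCN deployment the edge sites reach barbican across a WAN rather than the control plane's internal API network, so a plaintext or unverified endpoint exposes every volume encryption key the edge fetches.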

Comment 2 Alan Bishop 2020-08-04 12:39:38 UTC
The patch has merged on upstream stable/train, and will be included in the next import for z2.

Comment 12 Luigi Toscano 2020-10-16 12:09:38 UTC
Tested on DCN environment with the latest 16.1.2 candidate, with barbican deployed centrally.

Verified using:
barbican_tempest_plugin.tests.scenario.test_volume_encryption.VolumeEncryptionTest.test_encrypted_cinder_volumes_luks
configured to create volumes using the az-dcn2 availability zone (and the associated dcn2) by changing tempest.conf:
compute.compute_volume_common_az = az-dcn2

openstack-tempest-23.0.0-0.20200609093435.d432237
barbican-tempest-plugin from commit a4523f3572082e6a9eb2611d0f21798bf3c132d5 (basically 1.1.0).

Comment 18 errata-xmlrpc 2020-10-28 15:38:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.1 bug fix and enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:4284