| Nick | Message | Time |
|---|---|---|
| *** | mhen_ is now known as mhen | 02:36 |
| opendevreview | Robert Jansen proposed openstack/barbican master: add cka_token https://review.opendev.org/c/openstack/barbican/+/967704 | 15:27 |
| AbiPerinparasa[m] | Hi folks, just bringing this PR up again: https://review.opendev.org/c/openstack/castellan/+/962726 | 15:35 |
| AbiPerinparasa[m] | Could maybe one of the maintainers provide some insight on when these kinds of changes would be merged? Reason I ask is because afaict, using the barbican backend with castellan should be broken currently for anyone that tries it without the fix proposed above. | 15:35 |
| tkajinam | from my view there is no real blocker (except for review bandwidth), though I still don't know how it can be really useful to support barbican backend | 15:53 |
| tkajinam | especially because I guess you may need barbican to launch barbican | 15:53 |
| tkajinam | or do you attempt to use it in an external software? | 15:54 |
| tkajinam | which is ON OpenStack | 15:54 |
| AbiPerinparasa[m] | The scenario I was testing was first to deploy openstack with barbican. After initial deployment, I am storing certain secrets in barbican which are normally stored in plaintext in the service config files (e.g. netapp-password in cinder.conf). After creating the secret in barbican we are using castellan to resolve certain config options. This will always fail when using castellan with the barbican backend because there is no valid context which can be used to authenticate with keystone. The issue is described in more detail here: https://bugs.launchpad.net/castellan/+bug/2126436 | 16:05 |
| tkajinam | AbiPerinparasa[m], what's the secret you aim to store there? Do you want any secret for barbican configuration? Then how do you store it "in barbican"? | 16:07 |
| tkajinam | for example if you want to store password of barbican keystone user, which is usually set in [keystone_authtoken] password, it's not possible to use barbican backend unless you have external barbican | 16:08 |
| tkajinam | (I'm not against fixing it. I'm just trying to understand its real usage) | 16:09 |
| tkajinam | also if you want to offload any secret in keystone.conf then again it's not possible unless your barbican is external or standalone | 16:09 |
| tkajinam | maybe rolling restart can help though you can't stop and start the whole cluster with that circular dependencies | 16:11 |
| tkajinam | s/that/these/ | 16:11 |
| AbiPerinparasa[m] | The use case I am talking about is storing secrets which are external to any credentials in openstack. Take for example when you integrate cinder with netapp. In the cinder.conf, you will need to have the netapp credentials in plaintext. What I am trying to do is instead store the netapp credentials in barbican and do the necessary castellan config updates to cinder.conf so that when cinder starts, it will resolve the netapp credentials from barbican instead of having it in plain text. | 17:21 |
| AbiPerinparasa[m] | This is definitely not an ideal solution for the above problem, but it will avoid just having the netapp credentials in plaintext and provides some obfuscation. | 17:21 |