openstack
/
charm-specs
Code Issues Proposed changes
charm-specs/specs/newton/approved/barbican.rst

4.5 KiB
Raw Blame History

Barbican Charm

Provide a charm for deploying Barbican with support for associated HSM modules/devices.

Problem Description

OpenStack services and users often need a repository to store sensitive information like passwords, cryptographic keys etc. The Barbican service provides an interface on top of an HSM for doing that.

Proposed Change

Barbican will need to undergo MIR review for main inclusion; this process should include stripping of all debconf/dbconfig related code from the packaging.

One new charm - Barbican; Charm needs to take into account potential use of backed hardware security modules (HSM) - this might be nicely done using the cinder-backend approach as a subordinate charm to avoid polluting the main charm with details of every HSM possible.

The new charm, as a minimum, should include the following features:

  • Deployable in a highly available configuration
  • Allow clients and services to interact using SSL encryption
  • Charm progress displayed via workload status

Alternatives

Secrets stored via other means outside of OpenStack.

Implementation

Assignee(s)

Primary assignee:

ajkavanagh gnuoy

Gerrit Topic

Use Gerrit topic "barbican" for all patches related to this spec.

git-review -t barbican

Work Items

Provide fully supported packages for Ubuntu

  • Package updates for Barbican to strip all debconf/dbconfig related code from the packaging.
  • MIR review for Barbican - Evaluate package and source according to https://wiki.ubuntu.com/MainInclusionProcess, open corresponding bug, work with Ubuntu MIR team and make any other necessary package changes to get package into main.

Provide base and interface layers required for OpenStack charms

  • Provide rabbitmq interface layer
  • Provide mysql-shared interface layer
  • Provide pgsql interface layer
  • Provide keystone interface layer
  • Provide hacluster interface layer
  • Provide nrpe-external-master interface layer
  • Provide OpenStack base layer with all common hook code that is not already covered by an interface layer.
  • Provide OpenStack base layer with support for HA deployments
  • Provide OpenStack base layer with support for SSL communication
  • Provide OpenStack base layer with support for workload status

Provide Barbican charm

  • Create skeleton charm layer based on OpenStack base layer and available interface layers to deploy Barbican.
  • Add support for upgrading Barbican
  • Add config option and accompanying support to enable barbicans use of configurable storage backends: ie. HSM (hardware security module) NOTE: configuration without HSM is not secure and is for testing purposes only.
  • Add config option and accompanying support for upgrades via action-managed-upgrade.
  • Add support for deploying Barbican in a highly available configuration
  • Add support for the Barbican to display workload status
  • Add support SSL endpoints
  • Charm should have unit and functional tests.

Mojo specification deploying and testing Barbican

  • Write Mojo spec for deploying Mojo in an HA configuration and testing storage and retrieval of secrets.

Repositories

A new git repository will be required for the Barbican charm:

git://git.openstack.org/openstack/charm-barbican

Documentation

The Barbican charm should contain a README with instructions on deploying the charm. A blog post is optional but would be a useful addition.

Security

Given the purpose of Barbican is to store and manage secrets a review of the charm by the security team may be appropriate.

Testing

Code changes will be covered by unit tests; functional testing will be done using a combination of Amulet, Bundle tester and Mojo specification.

Dependencies

None