Barbican Charm

Provide a charm for deploying Barbican with support for associated HSM modules/devices.

Problem Description

OpenStack services and users often need a repository to store sensitive information like passwords, cryptographic keys etc. The Barbican service provides an interface on top of an HSM for doing that.

Proposed Change

One new charm - Barbican; Charm needs to take into account potential use of backed hardware security modules (HSM) - this might be nicely done using the cinder-backend approach as a subordinate charm to avoid polluting the main charm with details of every HSM possible.

The new charm, as a minimum, should include the following features:

  • Deployable in a highly available configuration

  • Allow clients and services to interact using SSL encryption

  • Charm progress displayed via workload status

Alternatives

Secrets stored via other means outside of OpenStack.

Implementation

Assignee(s)

Primary assignee:

ajkavanagh gnuoy

Gerrit Topic

Use Gerrit topic “barbican” for all patches related to this spec.

git-review -t barbican

Work Items

Provide base and interface layers required for OpenStack charms

  • Provide rabbitmq interface layer

  • Provide mysql-shared interface layer

  • Provide pgsql interface layer

  • Provide keystone interface layer

  • Provide hacluster interface layer

  • Provide nrpe-external-master interface layer

  • Provide OpenStack base layer with all common hook code that is not already covered by an interface layer.

  • Provide OpenStack base layer with support for HA deployments

  • Provide OpenStack base layer with support for SSL communication

  • Provide OpenStack base layer with support for workload status

Provide Barbican charm

  • Create skeleton charm layer based on OpenStack base layer and available interface layers to deploy Barbican.

  • Add support for upgrading Barbican

  • Add config option and accompanying support to enable barbicans use of configurable storage backends: ie. HSM (hardware security module) NOTE: configuration without HSM is not secure and is for testing purposes only.

  • Add config option and accompanying support for upgrades via action-managed-upgrade.

  • Add support for deploying Barbican in a highly available configuration

  • Add support for the Barbican to display workload status

  • Add support SSL endpoints

  • Charm should have unit and functional tests.

Mojo specification deploying and testing Barbican

  • Write Mojo spec for deploying Mojo in an HA configuration and testing storage and retrieval of secrets.

Repositories

A new git repository will be required for the Barbican charm:

https://git.openstack.org/openstack/charm-barbican

Documentation

The Barbican charm should contain a README with instructions on deploying the charm. A blog post is optional but would be a useful addition.

Security

Given the purpose of Barbican is to store and manage secrets a review of the charm by the security team may be appropriate.

Testing

Code changes will be covered by unit tests; functional testing will be done using a combination of Amulet, Bundle tester and Mojo specification.

Dependencies

None