Barbican Charm
Provide a charm for deploying Barbican with support for associated HSM modules/devices.
Problem Description
OpenStack services and users often need a repository in which to store sensitive information such as passwords and cryptographic keys. The Barbican service provides a REST interface for storing and managing such secrets, with the key material protected by an HSM.
Proposed Change
One new charm: Barbican. The charm needs to take into account the potential use of backing hardware security modules (HSMs). This might be nicely done using the cinder-backend approach, with each HSM supported by a subordinate charm, to avoid polluting the main charm with the details of every possible HSM.
The new charm, as a minimum, should include the following features:
Deployable in a highly available configuration
Allow clients and services to interact using SSL encryption
Charm progress displayed via workload status
Alternatives
Secrets stored via other means outside of OpenStack.
Implementation
Assignee(s)
- Primary assignees: ajkavanagh, gnuoy
Gerrit Topic
Use Gerrit topic “barbican” for all patches related to this spec.
git-review -t barbican
Work Items
Provide base and interface layers required for OpenStack charms
Provide rabbitmq interface layer
Provide mysql-shared interface layer
Provide pgsql interface layer
Provide keystone interface layer
Provide hacluster interface layer
Provide nrpe-external-master interface layer
Provide OpenStack base layer with all common hook code that is not already covered by an interface layer.
Provide OpenStack base layer with support for HA deployments
Provide OpenStack base layer with support for SSL communication
Provide OpenStack base layer with support for workload status
Provide Barbican charm
Create skeleton charm layer based on OpenStack base layer and available interface layers to deploy Barbican.
Add support for upgrading Barbican
Add a config option, and the accompanying support, to enable Barbican's use of configurable storage backends, i.e. an HSM (hardware security module). NOTE: a configuration without an HSM is not secure and is for testing purposes only.
Add config option and accompanying support for upgrades via action-managed-upgrade.
Add support for deploying Barbican in a highly available configuration
Add support for Barbican to display workload status
Add support for SSL endpoints
Charm should have unit and functional tests.
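The work item above on configurable storage backends carries the caveat that a Barbican deployment without an HSM is for testing only. The reason is visible in barbican.conf: the software-only simple_crypto plugin keeps its key-encryption key (KEK) in the config file itself, whereas the p11_crypto plugin wraps keys inside a PKCS#11 HSM. The following is an added example, not code from the charm or from Barbican: a small check, of the kind a charm unit or functional test could run against a rendered barbican.conf, that reports whether only software-only crypto plugins are enabled. The section and option names are Barbican's own; the two config fragments are constructed samples, and the library path, login, labels and slot id in them are placeholder values.

```python
"""Added example: flag a rendered barbican.conf that has no HSM-backed
crypto plugin enabled.  Not part of the Barbican charm or of Barbican."""
import configparser

# Constructed sample: the insecure, test-only configuration.
# The KEK sits in plain text on disk, so anyone who can read this file can
# decrypt every secret Barbican holds.  The kek value is a placeholder.
INSECURE_CONF = """
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto

[crypto]
namespace = barbican.crypto.plugin
enabled_crypto_plugins = simple_crypto

[simple_crypto_plugin]
kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndneHl6MTIzNDU2'
"""

# Constructed sample: secrets wrapped by a PKCS#11 HSM instead.
# library_path, login, the labels and slot_id are placeholders for whatever
# the HSM vendor's PKCS#11 library and partition require.
HSM_CONF = """
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto

[crypto]
namespace = barbican.crypto.plugin
enabled_crypto_plugins = p11_crypto

[p11_crypto_plugin]
library_path = '/usr/lib/libCryptoki2_64.so'
login = 'hsm-partition-password'
mkek_label = 'barbican_mkek'
mkek_length = 32
hmac_label = 'barbican_hmac'
slot_id = 1
"""

# Plugins that keep key material in software only (assumption for this
# example: treat anything not in this set as HSM-backed).
SOFTWARE_ONLY_PLUGINS = {"simple_crypto"}


def _parse(conf_text):
    # Barbican reads its config with oslo.config; configparser is close
    # enough for the sections used here.  strict=False tolerates a repeated
    # key (oslo.config treats enabled_crypto_plugins as a multi-valued
    # option; configparser keeps only the last occurrence, a simplification).
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    return parser


def enabled_crypto_plugins(conf_text):
    """Return the set of plugin names under [crypto]/enabled_crypto_plugins."""
    raw = _parse(conf_text).get("crypto", "enabled_crypto_plugins", fallback="")
    return {p.strip() for p in raw.split(",") if p.strip()}


def check_backend(conf_text):
    """Return (ok, message); ok is False unless an HSM-backed plugin is
    enabled and, for p11_crypto, its PKCS#11 library path is configured."""
    parser = _parse(conf_text)
    plugins = enabled_crypto_plugins(conf_text)
    if not plugins:
        return False, "no crypto plugin enabled under [crypto]"
    insecure = plugins & SOFTWARE_ONLY_PLUGINS
    if insecure:
        return False, ("software-only plugin(s) enabled, test use only: "
                       + ", ".join(sorted(insecure)))
    if "p11_crypto" in plugins and not parser.get(
            "p11_crypto_plugin", "library_path", fallback="").strip():
        return False, "p11_crypto enabled but [p11_crypto_plugin] library_path is unset"
    return True, "HSM-backed plugin(s) enabled: " + ", ".join(sorted(plugins))


if __name__ == "__main__":
    for name, conf in (("insecure", INSECURE_CONF), ("hsm", HSM_CONF)):
        ok, msg = check_backend(conf)
        print("%s: %s (%s)" % (name, "OK" if ok else "FAIL", msg))
```

In a functional test the same check would be run over the barbican.conf actually rendered on the unit, with the HSM-backed configuration expected once the backend config option (or subordinate charm) is related, and the software-only result accepted only in the explicitly test-only deployment.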
Mojo specification deploying and testing Barbican
Write a Mojo spec for deploying Barbican in an HA configuration and testing storage and retrieval of secrets.
Repositories
A new git repository will be required for the Barbican charm:
https://git.openstack.org/openstack/charm-barbican
Documentation
The Barbican charm should contain a README with instructions on deploying the charm. A blog post is optional but would be a useful addition.
Security
Given the purpose of Barbican is to store and manage secrets a review of the charm by the security team may be appropriate.
Testing
Code changes will be covered by unit tests; functional testing will be done using a combination of Amulet, bundletester and a Mojo specification.
Dependencies
None