
11-barbican.md


Barbican install

Barbican logo

1. CONTROLLER NODE

Database setup

  1. Access database as root:
mysql
  1. Create barbican database:
CREATE DATABASE barbican;
  1. Grant proper access to barbican user:
-- 'password123' is this guide's lab placeholder; substitute a unique generated
-- password and use the same value in sql_connection in barbican.conf.
GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'localhost' identified by 'password123';
-- The '%' host pattern accepts the barbican account from any client address;
-- narrow it to the controller/management addresses where the topology allows.
GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'%' identified by 'password123';
exit

Create Openstack objects

  1. Source .adminrc
source .adminrc
  1. Create service and creds
  • Create barbican user and add role:
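# --password-prompt reads the service password interactively, so it is not
# recorded in shell history or exposed in the process list. Enter the same
# value that barbican.conf uses under [keystone_authtoken].
openstack user create --domain default --password-prompt barbican

# Give the barbican service account the admin role on the "service" project.
openstack role add --project service --user barbican admin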
  • Create creator role and add to user:
openstack role create creator

openstack role add --project service --user barbican creator
  • Create barbican service:
openstack service create --name barbican \
  --description "Key  Manager" key-manager
  1. Create service API endpoints:
# Register the same URL for the public, internal and admin interfaces.
# NOTE(review): the URL is plain http, so secret payloads and Keystone tokens
# cross the network unencrypted; outside an isolated lab, serve the API over TLS.
for iface in public internal admin; do
  openstack endpoint create --region RegionOne key-manager "$iface" http://controller:9311
done

Install and configure components

  1. Install packages:
apt install barbican-api barbican-keystone-listener barbican-worker python3-barbicanclient -y
  1. Back up and sanitize /etc/barbican/barbican.conf:
# Keep the packaged file as a reference copy; -p preserves mode, ownership and
# timestamps on the backup.
cp -p /etc/barbican/barbican.conf /etc/barbican/barbican.conf.bak
# Drop comment and empty lines, insert a spacer line before every [section]
# header, then discard the first output line (normally the spacer ahead of the
# first section). The redirect rewrites the existing barbican.conf in place.
# NOTE(review): barbican.conf later holds the database, RabbitMQ and Keystone
# passwords plus the kek, so check that it and the .bak copy are not
# world-readable.
grep -Ev '^(#|$)' /etc/barbican/barbican.conf.bak|sed '/^\[.*]/i \ '|tail -n +2 > /etc/barbican/barbican.conf
  1. Create the KEK (key-encryption key) value:
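# Draw 32 bytes from the kernel CSPRNG and base64-encode them for the kek
# setting. A digest of the current date is guessable by anyone who knows
# roughly when the install ran, and sha256sum prints hex, so 32 of its
# characters span only 16 bytes of digest.
head -c 32 /dev/urandom | base64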
  1. Edit /etc/barbican/barbican.conf sections:
[DEFAULT]
# ...
# 'password123' in both URLs is this guide's lab placeholder for the database
# and RabbitMQ accounts; substitute the real, per-service passwords.
sql_connection = mysql+pymysql://barbican:password123@controller/barbican
transport_url = rabbit://openstack:password123@controller

[keystone_authtoken]
#...
# NOTE(review): both Keystone URLs are plain http, so the service password and
# tokens travel unencrypted; use https endpoints outside an isolated lab.
www_authenticate_uri = http://controller:5000
auth_url = http://controller:5000
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = barbican
# Keystone password of the barbican service user created earlier in this guide.
password = password123

[secretstore]
#...
enabled_secretstore_plugins = store_crypto

[crypto]
#...
# NOTE(review): with simple_crypto the kek is kept in plaintext in this file,
# so read access to barbican.conf presumably equals access to every stored
# secret; confirm against the Barbican documentation whether this backend is
# acceptable for the deployment.
enabled_crypto_plugins = simple_crypto

[simple_crypto_plugin]
# the kek should be a 32-byte value which is base64 encoded
# The value below is a sample: it decodes to the ASCII string
# "abcdefghijklmnopqrstuvwxyz123456". Replace it with the value produced in
# the "Create kek value" step, and keep the real value out of version control.
kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='

populate database

su -s /bin/sh -c "barbican-manage db upgrade" barbican

finalize install

# Enable the two Barbican daemons at boot.
for unit in barbican-keystone-listener barbican-worker; do
  systemctl enable "$unit"
done

# Restart the daemons and Apache so the edited barbican.conf is loaded.
for svc in barbican-keystone-listener barbican-worker apache2; do
  service "$svc" restart
done

verify ops

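# Store a throwaway test secret. The payload is passed on the command line, so
# it ends up in shell history and the process list; do this with test data only.
openstack secret store --name mysecret --payload 'j4=]d21'

# Assign first and export second, so a failed lookup is not hidden behind
# export's own exit status.
SECRET_HREF=$(openstack secret list --name mysecret -c 'Secret href' -f value)
export SECRET_HREF

# The reference is quoted so that an empty result, or several secrets sharing
# the name, reaches the client as one argument and fails visibly.
openstack secret get "$SECRET_HREF"

openstack secret get "$SECRET_HREF" --payload

# Remove the test secret and the helper variable.
openstack secret delete "$SECRET_HREF"

unset SECRET_HREF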