
How to install and configure Barbican on your OpenMetal Cloud

What is Barbican?

Barbican is the OpenStack Key Manager service. It provides secure storage, provisioning and management of secret data. This includes keying material such as Symmetric Keys, Asymmetric Keys, Certificates and raw binary data.

What can I do with a Secret Store?

With Barbican configured, the service can be used for a number of use cases:

  • Image signature verification
  • Disk and volume encryption
  • SSL/TLS keypair storage
  • Secure password storage

See the OpenStack Security Guide for additional information.

Prerequisites

Step 1 - Modify your kolla-ansible config

The kolla-ansible config file lives in /etc/kolla/globals.yml. Modify that file and add the following on new lines within the config.

enable_barbican: 'yes'

## NOTE: The options below are optional. Remove the '# ' in front to use them.
# Valid options are [ simple_crypto, p11_crypto ]
# barbican_crypto_plugin: "simple_crypto"
# barbican_library_path: "/usr/lib/libCryptoki2_64.so"

Step 2 - Reconfigure kolla-ansible

Whenever you call kolla-ansible, note these two important files:

  • Kolla Ansible Inventory: /etc/fm-deploy/kolla-ansible-inventory
  • Kolla Ansible Main Configuration: /etc/kolla/globals.yml

Once you have confirmed that your configuration and inventory are in place, run the following command to install and configure Barbican on your cloud.

kolla-ansible -i /etc/fm-deploy/kolla-ansible-inventory reconfigure

Step 3 - Verify that the Barbican endpoints are there

(.venv) [root@fierce-possum kolla]# openstack endpoint list --service barbican
+----------------------------------+--------+--------------+--------------+---------+-----------+---------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+--------+--------------+--------------+---------+-----------+---------------------------+
| bbebfdc0f6ce4f9895d536785fa3cfea | iad3 | barbican | key-manager | True | public | http://200.225.44.4:9311 |
| c7c9861c34ed44de8a3f65b9d74f80fa | iad3 | barbican | key-manager | True | admin | http://192.168.2.254:9311 |
| da1d9afd031f470d80866256884ef242 | iad3 | barbican | key-manager | True | internal | http://192.168.2.254:9311 |
+----------------------------------+--------+--------------+--------------+---------+-----------+---------------------------+
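As an added check for this step (example code written for this page, not part of the original guide or of kolla-ansible), the script below reads the JSON form of `openstack endpoint list --service barbican -f json`, confirms that enabled public, admin and internal key-manager endpoints are all registered, and flags a public endpoint that is not served over TLS. The embedded sample is constructed from the table above; when run directly it calls the openstack CLI itself.

```python
"""Check the key-manager endpoints kolla-ansible registered for Barbican."""
import json
import subprocess
import sys
from urllib.parse import urlparse

EXPECTED_INTERFACES = {"public", "admin", "internal"}

# Constructed sample: the Step 3 table above, as the CLI's `-f json` output.
SAMPLE_OUTPUT = json.dumps([
    {"ID": "bbebfdc0f6ce4f9895d536785fa3cfea", "Region": "iad3", "Service Name": "barbican",
     "Service Type": "key-manager", "Enabled": True, "Interface": "public",
     "URL": "http://200.225.44.4:9311"},
    {"ID": "c7c9861c34ed44de8a3f65b9d74f80fa", "Region": "iad3", "Service Name": "barbican",
     "Service Type": "key-manager", "Enabled": True, "Interface": "admin",
     "URL": "http://192.168.2.254:9311"},
    {"ID": "da1d9afd031f470d80866256884ef242", "Region": "iad3", "Service Name": "barbican",
     "Service Type": "key-manager", "Enabled": True, "Interface": "internal",
     "URL": "http://192.168.2.254:9311"},
])


def check_endpoints(json_text):
    """Return a list of findings; an empty list means the endpoints look right."""
    findings = []
    seen = {}  # interface -> URL
    for row in json.loads(json_text):
        if row.get("Service Type") != "key-manager":
            findings.append(f"{row['ID']}: unexpected service type {row.get('Service Type')!r}")
            continue
        if not row.get("Enabled"):
            findings.append(f"{row['ID']}: {row['Interface']} endpoint is disabled")
        seen[row["Interface"]] = row["URL"]
    for missing in sorted(EXPECTED_INTERFACES - seen.keys()):
        findings.append(f"no {missing} key-manager endpoint registered")
    # Clients send secret payloads to the public endpoint; anything but https is clear text.
    public = seen.get("public")
    if public and urlparse(public).scheme != "https":
        findings.append(f"public endpoint {public} is not served over TLS")
    return findings


if __name__ == "__main__":
    cli = ["openstack", "endpoint", "list", "--service", "barbican", "-f", "json"]
    out = subprocess.run(cli, check=True, capture_output=True, text=True).stdout
    problems = check_endpoints(out)
    print("\n".join(problems) if problems else "barbican endpoints OK")
    sys.exit(1 if problems else 0)
```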

Step 4 - Install the Barbican OpenStack CLI

While in your virtual environment, install the OpenStack CLI library for secret storage.

(.venv) [root@fierce-possum kolla]# pip install python-barbicanclient

Step 5 - Create a test secret

To validate that it is working, run the following command to create your first test secret.

(.venv) [root@fierce-possum kolla]# openstack secret store --name my_secret --payload 'This is a secure statement'
+---------------+--------------------------------------------------------------------------+
| Field | Value |
+---------------+--------------------------------------------------------------------------+
| Secret href | http://200.225.44.4:9311/v1/secrets/973cffdb-d4b1-418c-befa-9f67d77a982b |
| Name | my_secret |
| Created | None |
| Status | None |
| Content types | None |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+--------------------------------------------------------------------------+