Barbican key manager settings not applied to DCN/Edge nodes
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
tripleo | Fix Released | High | Alan Bishop | | |
Bug Description
Consider a split stack deployment, with barbican deployed in the control plane. When cinder, glance or nova services are deployed in secondary stacks (e.g. at edge sites), their Key Manager settings are not being configured at all, and so those services are unable to reach the barbican service running in the control plane.
Here is an example of the consequence to cinder. When an encrypted volume is created, the original encryption key is created by the cinder-api service running in the control plane. But when the volume is created at an edge site, attempts to clone the volume will fail. That's because the cinder-volume service running at the edge site needs to be able to clone the volume's encryption key, but that fails because the barbican Key Manager settings are missing from the edge site's cinder.conf file.
The problem is due to how the barbican THT controls the Key Manager parameters in its service_
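The missing-settings condition described above can be checked on a deployed node by auditing the service's config file. This is an added example, not code from the bug report or from TripleO. The function name, the sample files and the choice of `[key_manager] backend` plus `[barbican] auth_endpoint` / `barbican_endpoint` as the required options are assumptions.

```python
import configparser

# Assumed required set for this example; adjust to the deployment.
REQUIRED_BARBICAN_OPTS = ("auth_endpoint", "barbican_endpoint")
BARBICAN_CLASS = "castellan.key_manager.barbican_key_manager.BarbicanKeyManager"

def audit_key_manager(conf_text):
    """Return findings for one service config file; an empty list means OK."""
    cp = configparser.ConfigParser(
        interpolation=None,            # oslo.config values may contain '%'
        strict=False,                  # tolerate repeated options/sections
        default_section="__unused__",  # stop [DEFAULT] leaking into other sections
    )
    cp.read_string(conf_text)
    findings = []
    backend = cp.get("key_manager", "backend", fallback="").strip()
    if not backend:
        findings.append("[key_manager] backend is not set")
    elif backend not in ("barbican", BARBICAN_CLASS):
        findings.append(f"[key_manager] backend is {backend!r}, not barbican")
    for opt in REQUIRED_BARBICAN_OPTS:
        if not cp.get("barbican", opt, fallback="").strip():
            findings.append(f"[barbican] {opt} is not set")
    return findings

# Constructed samples: hostnames, ports and backend names are placeholders.
CONTROL_PLANE_CONF = """\
[DEFAULT]
enabled_backends = tripleo_ceph
[key_manager]
backend = barbican
[barbican]
auth_endpoint = http://keystone.ctlplane.example.test:5000/v3
barbican_endpoint = http://barbican.ctlplane.example.test:9311
"""

# Edge node as described in the bug: the settings exist only as comments.
EDGE_CONF = """\
[DEFAULT]
enabled_backends = tripleo_ceph
[key_manager]
#backend = barbican
"""

if __name__ == "__main__":
    for name, text in (("control plane", CONTROL_PLANE_CONF), ("edge", EDGE_CONF)):
        print(name, audit_key_manager(text) or "OK")
```

Run it against `cinder.conf` (and the glance and nova equivalents) on each edge node after deployment; any finding means encrypted-volume operations that need the key manager will fail there.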
tags: added: ussuri-backport-potential
Fix proposed to branch: master
Review: https://review.opendev.org/739098