no way to specify bind_host and host_href

Bug #1642769 reported by james beedy
This bug affects 1 person
Affects: OpenStack Barbican Charm
Status: Fix Released
Importance: Wishlist
Assigned to: Tiago Pasqualini da Silva

Bug Description

Barbican creates the secret and container URLs based on the values of 'bind_host' and 'host_ref'. These default to grabbing the internal IP of the instance, blocking communication with Barbican outside of the private address space. Can we have the option to grab the public IP of the instance here?

Changed in charm-barbican:
importance: Undecided → Wishlist
status: New → Incomplete
Alex Kavanagh (ajkavanagh) wrote :

Please could you expand a bit on this:

 - Which HSM will you be wanting to use? At the moment, the only HSM supported (by the charm) is the SoftHSM, which, due to a missing OpenSSL feature, isn't usable yet. However, Barbican on its own can be used for testing, etc.
 - How do you see the option being set (i.e. please can you provide an example of the config options that would be most useful to you and what they would configure in Barbican).

Thanks very much!

Tiago Pasqualini da Silva (tiago.pasqualini) wrote :

Barbican charm currently sets the host_href config option to the barbican admin endpoint. It would be good to make this configurable to select between public and admin:

$ openstack endpoint list --service barbican
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+
| 94927250b89448b3a6bd6986515df729 | RegionOne | barbican | key-manager | True | internal | https://10.5.0.73:9311 |
| dafcbb5468054e5a9476ebc01f1c4a02 | RegionOne | barbican | key-manager | True | public | https://testdomain.public:9311 |
| e9e11ff75ce44950bd77e54c481dc659 | RegionOne | barbican | key-manager | True | admin | https://testdomain.admin:9312 |
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+

tags: added: sts
Changed in charm-barbican:
assignee: nobody → Tiago Pasqualini da Silva (tiago.pasqualini)
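
A check for the behaviour described in the comment above, as an added example that is not part of the bug thread or the charm's code: it reads host_href from a barbican.conf fragment and reports which catalog interface the generated secret and container references will point at. The config fragment, the placement of host_href in [DEFAULT], the function names and the secret id are assumptions; the endpoint URLs are the ones listed above.

```python
import configparser
from urllib.parse import urlsplit

# Endpoint URLs as listed in the comment above (openstack endpoint list).
ENDPOINTS = {
    "internal": "https://10.5.0.73:9311",
    "public": "https://testdomain.public:9311",
    "admin": "https://testdomain.admin:9312",
}

# Constructed barbican.conf fragment; assumes host_href lives in [DEFAULT]
# and holds the admin endpoint, as the comment describes.
SAMPLE_CONF = """
[DEFAULT]
host_href = https://testdomain.admin:9312
"""

def _origin(url):
    """Reduce a URL to (scheme, host, port), filling in the default port."""
    parts = urlsplit(url)
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    return parts.scheme, (parts.hostname or "").lower(), port

def classify(url, endpoints=ENDPOINTS):
    """Return the catalog interface whose origin matches url, or None."""
    if not url:
        return None
    for interface, endpoint in endpoints.items():
        if _origin(endpoint) == _origin(url):
            return interface
    return None

def audit_host_href(conf_text, wanted="public", endpoints=ENDPOINTS):
    """Report which interface host_href (and so every generated ref) uses."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    href = cfg.defaults().get("host_href", "").strip()
    interface = classify(href, endpoints)
    return {"host_href": href, "interface": interface, "ok": interface == wanted}

if __name__ == "__main__":
    print(audit_host_href(SAMPLE_CONF))
    # A reference as a client would receive it (constructed secret id).
    print(classify("https://testdomain.admin:9312/v1/secrets/00000000-0000-0000-0000-000000000000"))
```
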
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-barbican (master)
Changed in charm-barbican:
status: Incomplete → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-barbican (master)

Reviewed: https://review.opendev.org/c/openstack/charm-barbican/+/828907
Committed: https://opendev.org/openstack/charm-barbican/commit/c3bb1bb650cc090c24a65b10dab59338a3b7b1bb
Submitter: "Zuul (22348)"
Branch: master

commit c3bb1bb650cc090c24a65b10dab59338a3b7b1bb
Author: tpsilva <email address hidden>
Date: Fri Feb 11 14:20:32 2022 -0300

    Add use-public-endpoint config option

    Currently, this charm sets the host_href config option with the
    admin endpoint. This patch adds a config option to allow it to be
    configured to use the public endpoint, so that the secrets could
    be accessible through this endpoint.

    Closes-bug: #1642769
    Change-Id: Ice7131459753f15e1184c687a24301689df338e2

Changed in charm-barbican:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-barbican (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/charm-barbican/+/836155

Changed in charm-barbican:
milestone: none → 22.04
Changed in charm-barbican:
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-barbican (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/charm-barbican/+/836155
Committed: https://opendev.org/openstack/charm-barbican/commit/f688b83a7ceab55aa2e32912809a1da4285de778
Submitter: "Zuul (22348)"
Branch: stable/xena

commit f688b83a7ceab55aa2e32912809a1da4285de778
Author: tpsilva <email address hidden>
Date: Fri Feb 11 14:20:32 2022 -0300

    Add use-public-endpoint config option

    Currently, this charm sets the host_href config option with the
    admin endpoint. This patch adds a config option to allow it to be
    configured to use the public endpoint, so that the secrets could
    be accessible through this endpoint.

    Closes-bug: #1642769
    Change-Id: Ice7131459753f15e1184c687a24301689df338e2
    (cherry picked from commit c3bb1bb650cc090c24a65b10dab59338a3b7b1bb)

tags: added: in-stable-xena
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-barbican (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/charm-barbican/+/848367

OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-barbican (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/charm-barbican/+/848368

OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-barbican (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/charm-barbican/+/848369

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-barbican (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/charm-barbican/+/848367
Committed: https://opendev.org/openstack/charm-barbican/commit/97fa818412a6bb89c83a465db9ecd88132fe6df7
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 97fa818412a6bb89c83a465db9ecd88132fe6df7
Author: tpsilva <email address hidden>
Date: Fri Feb 11 14:20:32 2022 -0300

    Add use-public-endpoint config option

    Currently, this charm sets the host_href config option with the
    admin endpoint. This patch adds a config option to allow it to be
    configured to use the public endpoint, so that the secrets could
    be accessible through this endpoint.

    Closes-bug: #1642769
    Change-Id: Ice7131459753f15e1184c687a24301689df338e2
    (cherry picked from commit c3bb1bb650cc090c24a65b10dab59338a3b7b1bb)

tags: added: in-stable-wallaby
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-barbican (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/charm-barbican/+/848368
Committed: https://opendev.org/openstack/charm-barbican/commit/08e05ad355d081814f0808ff96cf4e04a80206da
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit 08e05ad355d081814f0808ff96cf4e04a80206da
Author: tpsilva <email address hidden>
Date: Fri Feb 11 14:20:32 2022 -0300

    Add use-public-endpoint config option

    Currently, this charm sets the host_href config option with the
    admin endpoint. This patch adds a config option to allow it to be
    configured to use the public endpoint, so that the secrets could
    be accessible through this endpoint.

    Closes-bug: #1642769
    Change-Id: Ice7131459753f15e1184c687a24301689df338e2
    (cherry picked from commit c3bb1bb650cc090c24a65b10dab59338a3b7b1bb)

tags: added: in-stable-victoria
tags: added: in-stable-ussuri
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-barbican (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/charm-barbican/+/848369
Committed: https://opendev.org/openstack/charm-barbican/commit/c3460f0b4ea948ffba1d17c070246c821e050aa4
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit c3460f0b4ea948ffba1d17c070246c821e050aa4
Author: tpsilva <email address hidden>
Date: Fri Feb 11 14:20:32 2022 -0300

    Add use-public-endpoint config option

    Currently, this charm sets the host_href config option with the
    admin endpoint. This patch adds a config option to allow it to be
    configured to use the public endpoint, so that the secrets could
    be accessible through this endpoint.

    Closes-bug: #1642769
    Change-Id: Ice7131459753f15e1184c687a24301689df338e2
    (cherry picked from commit c3bb1bb650cc090c24a65b10dab59338a3b7b1bb)
