glance/releasenotes/notes/bp-barbican-secret-deletion-support-40cffa5ffa33447e.yaml
Cyril Roelandt defc01042f Add release notes for secret key deletion
Change-Id: Ie7961ed0fab4af0208a9add0bf06a08cc12d0b4d
Implements: blueprint barbican-secret-deletion-support
2019-09-11 18:40:57 -04:00

41 lines
2.2 KiB
YAML

---
features:
- |
To support the Block Storage service (Cinder) upload-volume-to-image action
when the volume is an encrypted volume type, when such an image is deleted,
Glance will now contact the OpenStack Key Management service (Barbican) and
request it to delete the associated encryption key. Two extra properties
must be set on the image for this to work: ``cinder_encryption_key_id``
(whose value is the identifier in the OpenStack Key Management service for
the encryption key used to encrypt the volume) and
``cinder_encryption_key_deletion_policy`` (whose value may be either
``on_image_deletion`` or ``do_not_delete``). Please note the following:
* An image created by the Block Storage service will have these properties
set automatically, with the deletion policy set to ``on_image_deletion``.
* The Block Storage service *always* creates a new secret in Barbican when
it uploads a volume as an image, keeping a 1-1 relation between each
secret stored in the Key Management Service and each image of an
encrypted volume stored in Glance. Thus, deleting the Barbican secret
*at the time when the image is deleted* will not cause data loss *as long
as the secret is not being used for any other purpose*.
* The Block Storage service will not use the secret associated with an
image for any other purpose.
* If you choose to use the Barbican secret identified by the value of
``cinder_encryption_key_id`` for any other purpose, you risk data loss.
* Manual use of the ``cinder_encryption_key_*`` properties is *not*
recommended.
* If the ``cinder_encryption_key_deletion_policy`` image property is
missing or has any value other than ``on_image_deletion``, Glance will
**not** attempt to delete the key whose identifier is the value of
``cinder_encryption_key_id``.
upgrade:
- |
The properties ``cinder_encryption_key_id`` and
``cinder_encryption_key_deletion_policy`` have been added to the *common
image properties* and appear in the image schema. See the "New Features"
section of these notes for information about these image properties.