From 90da23c7d232ba443b0814fd71c39f4585d30e4c Mon Sep 17 00:00:00 2001
From: Thomas Goirand
Date: Thu, 13 Jun 2024 11:27:55 +0200
Subject: [PATCH] kms_keymaster: allow specifying barbican_endpoint

Under a multi-region deployment with a single Keystone server, specifying the Keystone auth credentials isn't enough. Indeed, Castellan succeeds when logging-in, but may use the wrong Barbican endpoint (if there are 2 Barbican deployed). This is what happened to us, when deploying our 2nd region. They way to fix it would be to tell Castellan what region to use, unfortunately, there's no such option in Castellan. Though we may specify the barbican_endpoint, which is what this patch allows.

Change-Id: Ib7f4219ef5fdef65e9cfd5701e28b5288741783e
---
 etc/keymaster.conf-sample | 6 ++++++
 swift/common/middleware/crypto/kms_keymaster.py | 3 ++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/etc/keymaster.conf-sample b/etc/keymaster.conf-sample
index c413df7792..85f5e0e926 100644
--- a/etc/keymaster.conf-sample
+++ b/etc/keymaster.conf-sample
@@ -93,6 +93,12 @@
 # domain_id = changeme
 # domain_name = changeme
+# If running on a multi-region cluster, Castellan may select the wrong
+# endpoint for Barbican. To avoid this, set this to the URL of the
+# correct barbican endpoint. If there is only a single Barbican service
+# in your deployment, it is fine to leave this unconfigured.
+# barbican_endpoint =

 [kmip_keymaster]
 # The kmip_keymaster section is used to configure a keymaster that fetches an
 # encryption root secret from a KMIP service.
diff --git a/swift/common/middleware/crypto/kms_keymaster.py b/swift/common/middleware/crypto/kms_keymaster.py
index f9a542e1a4..408e420f84 100644
--- a/swift/common/middleware/crypto/kms_keymaster.py
+++ b/swift/common/middleware/crypto/kms_keymaster.py
@@ -34,7 +34,7 @@ class KmsKeyMaster(BaseKeyMaster):
 'domain_id', 'domain_name', 'project_id',
 'project_domain_id', 'reauthenticate',
 'auth_endpoint', 'api_class', 'key_id*',
- 'active_root_secret_id')
+ 'barbican_endpoint', 'active_root_secret_id')
 keymaster_conf_section = 'kms_keymaster'

 def _get_root_secret(self, conf):
@@ -67,6 +67,7 @@ class KmsKeyMaster(BaseKeyMaster):
 oslo_conf = cfg.ConfigOpts()
 options.set_defaults(
 oslo_conf, auth_endpoint=conf.get('auth_endpoint'),
+ barbican_endpoint=conf.get('barbican_endpoint'),
 api_class=conf.get('api_class')
 )
 options.enable_logging()
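Review bot: The value forwarded on the new `barbican_endpoint=conf.get('barbican_endpoint')` line is the URL the root encryption secret will be fetched from, yet it is passed to Castellan with no validation — an `http://` value or a mistyped host would send the Keystone-authenticated secret lookup to the wrong place with nothing in this code flagging it. Consider reading it into a local first and rejecting, or at minimum logging a warning for, a configured value that is not an `https://` URL, e.g. `endpoint = conf.get('barbican_endpoint')` / `if endpoint and not endpoint.startswith('https://'):` / `raise ValueError('barbican_endpoint must be an https:// URL')`, and stating in the sample-config comment that TLS is expected; whether Castellan's own TLS verification options are surfaced by this middleware cannot be seen from this hunk. If the installed Castellan release exposes a region-name option for the Barbican endpoint (newer releases appear to), pinning the region would be a narrower fix than overriding the whole endpoint — worth confirming before settling on this approach. The enclosing `_get_root_secret` continues outside the hunk.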