Deploy Barbican
OpenStack Barbican is the dedicated security service within the OpenStack ecosystem, focused on the secure storage, management, and provisioning of sensitive data such as encryption keys, certificates, and passwords. Barbican plays a crucial role in enhancing the security posture of cloud environments by providing a centralized and controlled repository for cryptographic secrets, ensuring that sensitive information is protected and accessible only to authorized services and users. It integrates seamlessly with other OpenStack services to offer encryption and secure key management capabilities, which are essential for maintaining data confidentiality and integrity. In this document, we will explore the deployment of OpenStack Barbican using Genestack. With Genestack, the deployment of Barbican is optimized, ensuring that cloud infrastructures are equipped with strong and scalable security measures for managing critical secrets.
Create secrets
Information about the secretes used
Manual secret generation is only required if you haven't run the create-secrets.sh script located in /opt/genestack/bin.
Example secret generation
kubectl --namespace openstack \
create secret generic barbican-rabbitmq-password \
--type Opaque \
--from-literal=username="barbican" \
--from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)"
kubectl --namespace openstack \
create secret generic barbican-db-password \
--type Opaque \
--from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
kubectl --namespace openstack \
create secret generic barbican-admin \
--type Opaque \
--from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
Run the package deployment
Run the Barbican deployment Script bin/install-barbican.sh
#!/bin/bash
pushd /opt/genestack/submodules/openstack-helm || exit
helm upgrade --install barbican ./barbican \
--namespace=openstack \
--timeout 120m \
-f /opt/genestack/base-helm-configs/barbican/barbican-helm-overrides.yaml \
-f /etc/genestack/helm-configs/barbican/barbican-helm-overrides.yaml \
--set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \
--set endpoints.identity.auth.barbican.password="$(kubectl --namespace openstack get secret barbican-admin -o jsonpath='{.data.password}' | base64 -d)" \
--set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
--set endpoints.oslo_db.auth.barbican.password="$(kubectl --namespace openstack get secret barbican-db-password -o jsonpath='{.data.password}' | base64 -d)" \
--set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \
--set endpoints.oslo_messaging.auth.barbican.password="$(kubectl --namespace openstack get secret barbican-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \
--set endpoints.oslo_cache.auth.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \
--set conf.barbican.keystone_authtoken.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \
--post-renderer /etc/genestack/kustomize/kustomize.sh \
--post-renderer-args barbican/overlay "$@"
popd || exit
Tip
You may need to provide custom values to configure your openstack services, for a simple single region or lab deployment you can supply an additional overrides flag using the example found at base-helm-configs/aio-example-openstack-overrides.yaml.
In other cases such as a multi-region deployment you may want to view the Multi-Region Support guide to for a workflow solution.
Custom Listeners
This step is not needed if all listeners were applied when the Gateway API was deployed
Example listener patch file found in /opt/genestack/etc/gateway-api/listeners
[
{
"op": "add",
"path": "/spec/listeners/-",
"value": {
"name": "barbican-https",
"port": 443,
"protocol": "HTTPS",
"hostname": "barbican.your.domain.tld",
"allowedRoutes": {
"namespaces": {
"from": "All"
}
},
"tls": {
"certificateRefs": [
{
"group": "",
"kind": "Secret",
"name": "barbican-gw-tls-secret"
}
],
"mode": "Terminate"
}
}
}
]
Modify the Listener Patch
This example changes the placeholder domain to <YOUR_DOMAIN>. Review the gateway documentation
for more information on listener types.
mkdir -p /etc/genestack/gateway-api/listeners
sed 's/your.domain.tld/<YOUR_DOMAIN>/g' \
/opt/genestack/etc/gateway-api/listeners/barbican-https.json \
> /etc/genestack/gateway-api/listeners/barbican-https.json
Apply the Listener Patch
kubectl patch -n nginx-gateway gateway flex-gateway \
--type='json' \
--patch-file /etc/genestack/gateway-api/listeners/barbican-https.json
Custom Routes
This step is not needed if all routes were applied when the Gateway API was deployed
A custom gateway route can be used when setting up the service. The custom route make it possible to for a domain like your.domain.tld to be used for the service.
Example routes file found in /opt/genestack/etc/gateway-api/routes
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: custom-barbican-gateway-route
namespace: openstack
spec:
parentRefs:
- name: flex-gateway
sectionName: barbican-https
namespace: nginx-gateway
hostnames:
- "barbican.your.domain.tld"
rules:
- backendRefs:
- name: barbican-api
port: 9311
Modify the Route
This example changes the placeholder domain to <YOUR_DOMAIN>. Review the gateway route documentation
for more information on route types.
mkdir -p /etc/genestack/gateway-api/routes
sed 's/your.domain.tld/<YOUR_DOMAIN>/g' \
/opt/genestack/etc/gateway-api/routes/custom-barbican-gateway-route.yaml \
> /etc/genestack/gateway-api/routes/custom-barbican-gateway-route.yaml