Closed edtubillara closed 7 years ago
Can one of the admins verify this patch?
Barbican support in RHOSP is Technology Preview and is not recommended for production. https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/product_guide/ch-rhosp-software Do we still want to add this in and test it?
After talking with Niraj, I'm going to go ahead and put support in for RHOSP because it will be easier to do so now than later.
Need to do:
ok to test
Thanks for the review @nirajdp76 @chengtcli . I'll move this back to WIP.
After talking to Niraj, I've updated the PR to keep fixed_key and move it into cinder.encryption...
We should use |bool to protect against someone accidentally entering a string that is not True or False, which with var.enabled will result in True. With var.enabled|bool any string will result in false.
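The difference described in the comment above, as an added example that is not part of this PR or the project's code: a bare test on a string value versus the same value passed through `|bool`, plus a small check that flags template conditionals on `.enabled` that lack the filter. `ansible_bool` is a stand-alone model of the classic Ansible `bool` filter (an assumption about the Ansible version in use), and the variable name `cinder.encryption.enabled` and the sample template are constructed for illustration.

```python
import re

# Strings the classic Ansible `bool` filter maps to True (assumption: this
# models the filter's behaviour; it is not imported from Ansible).
_TRUE_WORDS = ("yes", "on", "1", "true")

def jinja_truthy(value):
    """How a bare `{% if value %}` sees a value: plain Python truthiness."""
    return bool(value)

def ansible_bool(value):
    """Model of `value|bool`: only a few well-known spellings are true."""
    if value is None or isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.lower() in _TRUE_WORDS
    return value == 1

# Conditions inside {% if ... %} / {% elif ... %} tags.
_IF_RE = re.compile(r"{%-?\s*(?:if|elif)\s+(.*?)\s*-?%}")
# A dotted name ending in .enabled that is NOT followed by `|bool`.
_UNGUARDED_RE = re.compile(r"[\w.]+\.enabled\b(?!\s*\|\s*bool\b)")

def find_unguarded(template_text):
    """Return (line_number, expression) for `.enabled` tests lacking |bool."""
    hits = []
    for number, line in enumerate(template_text.splitlines(), 1):
        for condition in _IF_RE.findall(line):
            for match in _UNGUARDED_RE.finditer(condition):
                hits.append((number, match.group(0)))
    return hits

# Constructed sample template; the variable name is hypothetical.
SAMPLE = """\
{% if cinder.encryption.enabled %}
# ... key manager settings ...
{% endif %}
{% if cinder.encryption.enabled | bool %}
# ... key manager settings ...
{% endif %}
"""

if __name__ == "__main__":
    for raw in (True, False, "True", "False", "Flase", "no", ""):
        print(f"{raw!r:8} bare={jinja_truthy(raw)!s:5} |bool={ansible_bool(raw)}")
    for number, expr in find_unguarded(SAMPLE):
        print(f"line {number}: '{expr}' is tested without |bool")
```
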
We may not need the encryption config on the cinder-data node; let me test it out on tardis. Will let you know the test result.
@chengtcli installing cinder-data would only be for fixed key. I tried testing out fixed key and it seems to not really work, but @nirajdp76 told me to leave fixed key in. @nirajdp76 what do you think?
@chengtcli will wait for your +1 before I merge this.
I have run the tests on tardis using VMs: all of the cinder-control, cinder-data and compute nodes need encryption configuration (either barbican or fixed_key). cinder-data nodes need it to create a volume from an image, and compute nodes need it so that we can attach a volume on a VM. So I think we can set up the encryption configuration in the cinder-common role instead of in both the cinder-control and cinder-data roles, just like other cinder configuration files.
Thanks @chengtli, I'll update the PR to move the configuration to cinder-common.
retest
Thanks @chengtli for the review. I've updated the PR.
Looks good to me, Thanks @edtubillara
This sets Barbican to be the key manager for nova-compute and cinder-api. This moves the fixed_key variable into cinder.encryption. The REQUESTS_CA_BUNDLE is set for cinder-api and nova-compute because Castellan has an issue with verifying a Keystone with a self-signed certificate.