90da23c7d2
Under a multi-region deployment with a single Keystone server, specifying the Keystone auth credentials isn't enough. Indeed, Castellan succeeds when logging-in, but may use the wrong Barbican endpoint (if there are 2 Barbican deployed). This is what happened to us, when deploying our 2nd region. They way to fix it would be to tell Castellan what region to use, unfortunately, there's no such option in Castellan. Though we may specify the barbican_endpoint, which is what this patch allows. Change-Id: Ib7f4219ef5fdef65e9cfd5701e28b5288741783e
130 lines
6.4 KiB
Plaintext
130 lines
6.4 KiB
Plaintext
[keymaster]
|
|
# Over time, the format of crypto metadata on disk may change slightly to resolve
|
|
# ambiguities. In general, you want to be writing the newest version, but to
|
|
# ensure that all writes can still be read during rolling upgrades, there's the
|
|
# option to write older formats as well.
|
|
# Before upgrading from Swift 2.20.0 or earlier, ensure this is set to 1
|
|
# Before upgrading from Swift 2.25.0 or earlier, ensure this is set to at most 2
|
|
# After upgrading all proxy servers, set this to 3 (currently the highest version)
|
|
# meta_version_to_write = 3
|
|
|
|
# Sets the root secret from which encryption keys are derived. This must be set
|
|
# before first use to a value that is a base64 encoding of at least 32 bytes.
|
|
# The security of all encrypted data critically depends on this key, therefore
|
|
# it should be set to a high-entropy value. For example, a suitable value may
|
|
# be obtained by base-64 encoding a 32 byte (or longer) value generated by a
|
|
# cryptographically secure random number generator. Changing the root secret is
|
|
# likely to result in data loss. If this option is set, the root secret MUST
|
|
# NOT be set in proxy-server.conf.
|
|
# encryption_root_secret = changeme
|
|
|
|
[kms_keymaster]
|
|
# The kms_keymaster section is used for configuring a keymaster that retrieves
|
|
# the encryption root secret from an external key management system (kms),
|
|
# using the Castellan abstraction layer. Castellan can support various kms
|
|
# backends that use Keystone for authentication. Currently, the only
|
|
# implemented backend is for Barbican.
|
|
|
|
# Over time, the format of crypto metadata on disk may change slightly to resolve
|
|
# ambiguities. In general, you want to be writing the newest version, but to
|
|
# ensure that all writes can still be read during rolling upgrades, there's the
|
|
# option to write older formats as well.
|
|
# Before upgrading from Swift 2.20.0 or earlier, ensure this is set to 1
|
|
# Before upgrading from Swift 2.25.0 or earlier, ensure this is set to at most 2
|
|
# After upgrading all proxy servers, set this to 3 (currently the highest version)
|
|
# meta_version_to_write = 3
|
|
|
|
# The api_class tells Castellan which key manager to use to access the external
|
|
# key management system. The default value that accesses Barbican is
|
|
# castellan.key_manager.barbican_key_manager.BarbicanKeyManager.
|
|
# api_class = castellan.key_manager.barbican_key_manager.BarbicanKeyManager
|
|
|
|
# The configuration options below apply to a Barbican KMS being accessed using
|
|
# Castellan. If another KMS type is used (by specifying another value for
|
|
# api_class), then other configuration options may be required.
|
|
|
|
# The key_id is the identifier of the root secret stored in the KMS. For
|
|
# details of how to store an existing root secret in Barbican, or how to
|
|
# generate a new root secret in Barbican, see the 'overview_encryption'
|
|
# documentation.
|
|
# The key_id is the final part of the secret href returned in the
|
|
# output of an 'openstack secret order get' command after an order to store or
|
|
# create a key has been successfully completed. See the 'overview_encryption'
|
|
# documentation for more information on this command.
|
|
# key_id = changeme
|
|
|
|
# The Keystone username of the user used to access the key from the KMS. The
|
|
# username shall be set to match an existing user.
|
|
# username = changeme
|
|
|
|
# The password to go with the Keystone username above.
|
|
# password = changeme
|
|
|
|
# The Keystone project name. For security reasons, it is recommended to set
|
|
# the project_name to a project separate from the service project used by
|
|
# other OpenStack services. Thereby, if another service is compromised, it will
|
|
# not have access to the Swift root encryption secret. It is recommended that
|
|
# the swift user is the only one that has a role in this project.
|
|
# project_name = changeme
|
|
# Instead of the project name, the project id may also be used.
|
|
# project_id = changeme
|
|
|
|
# The Keystone URL to authenticate to. The value of auth_endpoint may be
|
|
# set according to the value of www_authenticate_uri in [filter:authtoken] in
|
|
# proxy-server.conf.
|
|
# auth_endpoint = http://keystonehost/identity
|
|
|
|
# The project and user domain names may optionally be specified. If they are
|
|
# not specified, the default values of 'Default' (for *_domain_name) and
|
|
# 'default' (for *_domain_id) are used (note the capitalization).
|
|
# project_domain_name = Default
|
|
# user_domain_name = Default
|
|
# Instead of the project domain name and user domain name, the project domain
|
|
# id and user domain id may also be specified.
|
|
# project_domain_id = default
|
|
# user_domain_id = default
|
|
|
|
# The following configuration options may also be used in addition to/instead
|
|
# of the above options. Refer to the Keystone documentation for more details
|
|
# on the usage of the options: https://docs.openstack.org/keystone/
|
|
# user_id = changeme
|
|
# trust_id = changeme
|
|
# reauthenticate = changeme
|
|
# domain_id = changeme
|
|
# domain_name = changeme
|
|
|
|
# If running on a multi-region cluster, Castellan may select the wrong
|
|
# endpoint for Barbican. To avoid this, set this to the URL of the
|
|
# correct barbican endpoint. If there is only a single Barbican service
|
|
# in your deployment, it is fine to leave this unconfigured.
|
|
# barbican_endpoint =
|
|
|
|
[kmip_keymaster]
|
|
# The kmip_keymaster section is used to configure a keymaster that fetches an
|
|
# encryption root secret from a KMIP service.
|
|
|
|
# Over time, the format of crypto metadata on disk may change slightly to resolve
|
|
# ambiguities. In general, you want to be writing the newest version, but to
|
|
# ensure that all writes can still be read during rolling upgrades, there's the
|
|
# option to write older formats as well.
|
|
# Before upgrading from Swift 2.20.0 or earlier, ensure this is set to 1
|
|
# Before upgrading from Swift 2.25.0 or earlier, ensure this is set to at most 2
|
|
# After upgrading all proxy servers, set this to 3 (currently the highest version)
|
|
# meta_version_to_write = 3
|
|
|
|
# The value of the ``key_id`` option should be the unique identifier for a
|
|
# secret that will be retrieved from the KMIP service. The secret should be an
|
|
# AES-256 symmetric key.
|
|
# key_id = <unique id of secret to be fetched from the KMIP service>
|
|
|
|
# The remaining options are used to configure a PyKMIP client and are shown
|
|
# below for information. The authoritative definition of these options can be
|
|
# found at: https://pykmip.readthedocs.io/en/latest/client.html.
|
|
# host = <KMIP server host>
|
|
# port = <KMIP server port>
|
|
# certfile = /path/to/client/cert.pem
|
|
# keyfile = /path/to/client/key.pem
|
|
# ca_certs = /path/to/server/cert.pem
|
|
# username = <KMIP username>
|
|
# password = <KMIP password>
|