Uploaded image for project: 'Red Hat OpenStack Services on OpenShift'
  1. Red Hat OpenStack Services on OpenShift
  2. OSPRH-2251

[Dev] Add secret consumers support to castellan - vault implementation

XMLWordPrintable

    • OSPPlanningCycle3

      As a developer of an openstack service, I want to be able to use castellan to add or delete a consumer to a secret. I would expect the list of consumers for a secret to be returned as part of the secret's metadata.

      Summary

      Castellan is used by the other services to interact with a key manager (barbican or vault). We need to add consumers to castellan to take advantage of the the consumers API that has been added to barbican, so that features like image encryption can move forward.

      As castellan is an interface with two different implementations, we will need to implement consumers in both the barbican and vault implementations. This particular story is concerned with making changes to the vault implementation.

      Definition of Ready

      There is already a set of patches for adding secret consumers to castellan. These need to merge so that the key_manager interface changes are available. (https://review.opendev.org/q/topic:add-consumers)

      There has been a longstanding need to update the vault implementation with something that uses the vault HVAC library. This should be done first, so that the consumers work can be done using this mechanism instead. That work is tracked in a separate story – <<link needed >>.
      This work is ultimately also needed for the secret management feature.

      When all the above is complete, the work for this story can be started.

      Acceptance Criteria

      • Functionality added to the vault key_manager implementation to add a list of consumers to each secret. This should be returned as part of the metadata
        for the secret.
      • Functionality added to the vault key_manager implementation to add/remove consumers
      • Functional and unit tests modified and pass (tests add/remove/list consumers). With the above castellan patches, the behavior of
        the implementations (barbican and vault) differs and so separate tests were needed. The tests should be unified again.
      • Castellan documentation updated.
      • Castellan released

      Definition of Done

      Acceptance criteria completed.

            Unassigned Unassigned
            rhn-gps-alee Ade Lee
            rhos-dfg-security
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated: