Enable Barbican Secrets Support for Glance in OpenStack Compute

Glance was not being configured to use Barbican for secret management when Barbican support was enabled. This patch ensures that Glance is efficiently configured to interact with Barbican, allowing proper handling of secrets (such as image encryption keys) in OpenStack compute environments.

Related-Bug: #2118763

Co-authored-by: Jobin Jospeh <jobinathirampuzha@gmail.com>
Change-Id: I205386b6f8394f86b84d753682b1259fe5db102a
Signed-off-by: Nilesh Chandekar <nilesh.c85@gmail.com>
nileshchandekar
2025-07-25 17:23:52 +05:30
parent c51c845231
commit 6e3053489e
3 changed files with 22 additions and 0 deletions

@@ -205,6 +205,9 @@ glance_service_adminurl: "{{ glance_service_adminuri }}"
## load balancer.
glance_proxy_headers_parsing: true
# Enable/Disable barbican configurations
glance_barbican_enabled: "{{ (groups['barbican_all'] is defined) and (groups['barbican_all'] | length > 0) }}"
## Swift Options
glance_swift_store_auth_address: "{{ keystone_service_internalurl }}"
glance_swift_store_auth_insecure: "{{ keystone_service_internaluri_insecure }}"
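Review bot: The default for `glance_barbican_enabled` is derived from the `barbican_all` inventory group, so any deployment that already has Barbican hosts gets a changed Glance configuration on the next run without the operator setting anything; the comment above it ("Enable/Disable barbican configurations") should say that the value is auto-detected from the inventory and how to override it. The comment also uses a single `#` where the neighbouring section comments in this hunk ("## load balancer.", "## Swift Options") use `##`.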

@@ -0,0 +1,6 @@
---
features:
- |
Enable Barbican Secrets Support for Glance in OpenStack-Ansible.
Glance was not being configured to use Barbican for secret management when Barbican support was enabled.
This patch ensures that Glance is efficiently configured to interact with Barbican and allowing proper handling of secrets (such as image encryption keys) in OpenStack environments.
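Review bot: The release note never names the variable an operator would set, `glance_barbican_enabled`, or says that it defaults to enabled whenever the `barbican_all` group has hosts; add both so the behaviour change is discoverable from the note alone. In the last sentence "and allowing" should read "and allows", and "efficiently" can be dropped since nothing in the change concerns efficiency.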

@@ -47,6 +47,19 @@ max_pool_size = {{ glance_db_max_pool_size }}
pool_timeout = {{ glance_db_pool_timeout }}
connection_recycle_time = {{ glance_db_connection_recycle_time }}
{% if glance_barbican_enabled %}
[barbican]
auth_endpoint = {{ keystone_service_internaluri }}/v3
barbican_endpoint_type = internal
send_service_user_token = {{ glance_service_token_roles_required | bool }}
[barbican_service_user]
auth_section = keystone_authtoken
[key_manager]
backend = barbican
{% endif %}
[keystone_authtoken]
insecure = {{ keystone_service_internaluri_insecure | bool }}
auth_type = {{ glance_keystone_auth_plugin }}
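Review bot: The guard `{% if glance_barbican_enabled %}` tests the variable without `| bool`, unlike the other boolean uses in this hunk (`glance_service_token_roles_required | bool`, `keystone_service_internaluri_insecure | bool`), so a string override such as "false" would be truthy in Jinja and still render the `[barbican]`, `[barbican_service_user]` and `[key_manager]` sections; suggest `{% if glance_barbican_enabled | bool %}`. Separately, `send_service_user_token` is driven by `glance_service_token_roles_required`, whose name refers to a different setting; a dedicated variable, or a comment explaining the coupling, would make it clear when the Glance service credentials referenced through `auth_section = keystone_authtoken` are sent to Barbican.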