From 6e3053489e265c2398d02e7215ec620030a7338d Mon Sep 17 00:00:00 2001
From: nileshchandekar
Date: Fri, 25 Jul 2025 17:23:52 +0530
Subject: [PATCH] Enable Barbican Secrets Support for Glance in OpenStack Compute Glance was not being configured to use Barbican for secret management when Barbican support was enabled. This patch ensures that Glance is efficiently configured to interact with Barbican, allowing proper handling of secrets (such as image encryption keys) in OpenStack compute environments.
Related-Bug: #2118763
Co-authored-by: Jobin Jospeh
Change-Id: I205386b6f8394f86b84d753682b1259fe5db102a
Signed-off-by: Nilesh Chandekar
---
 defaults/main.yml | 3 +++
 ...lance_barbican_integration-f493d11d6343e3c0.yaml | 6 ++++++
 templates/glance-api.conf.j2 | 13 +++++++++++++
 3 files changed, 22 insertions(+)
 create mode 100644 releasenotes/notes/glance_barbican_integration-f493d11d6343e3c0.yaml
diff --git a/defaults/main.yml b/defaults/main.yml
index 8c242074..0a2a5b53 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -205,6 +205,9 @@ glance_service_adminurl: "{{ glance_service_adminuri }}"
 ## load balancer.
 glance_proxy_headers_parsing: true
 
+# Enable/Disable barbican configurations
+glance_barbican_enabled: "{{ (groups['barbican_all'] is defined) and (groups['barbican_all'] | length > 0) }}"
+
 ## Swift Options
 glance_swift_store_auth_address: "{{ keystone_service_internalurl }}"
 glance_swift_store_auth_insecure: "{{ keystone_service_internaluri_insecure }}"
diff --git a/releasenotes/notes/glance_barbican_integration-f493d11d6343e3c0.yaml b/releasenotes/notes/glance_barbican_integration-f493d11d6343e3c0.yaml
new file mode 100644
index 00000000..e0006a6d
--- /dev/null
+++ b/releasenotes/notes/glance_barbican_integration-f493d11d6343e3c0.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Enable Barbican Secrets Support for Glance in OpenStack-Ansible.
+ Glance was not being configured to use Barbican for secret management when Barbican support was enabled.
+ This patch ensures that Glance is efficiently configured to interact with Barbican and allowing proper handling of secrets (such as image encryption keys) in OpenStack environments.
diff --git a/templates/glance-api.conf.j2 b/templates/glance-api.conf.j2
index 09fdcdfe..6292e22c 100644
--- a/templates/glance-api.conf.j2
+++ b/templates/glance-api.conf.j2
@@ -47,6 +47,19 @@ max_pool_size = {{ glance_db_max_pool_size }}
 pool_timeout = {{ glance_db_pool_timeout }}
 connection_recycle_time = {{ glance_db_connection_recycle_time }}
 
+{% if glance_barbican_enabled %}
+[barbican]
+auth_endpoint = {{ keystone_service_internaluri }}/v3
+barbican_endpoint_type = internal
+send_service_user_token = {{ glance_service_token_roles_required | bool }}
+
+[barbican_service_user]
+auth_section = keystone_authtoken
+
+[key_manager]
+backend = barbican
+{% endif %}
+
 [keystone_authtoken]
 insecure = {{ keystone_service_internaluri_insecure | bool }}
 auth_type = {{ glance_keystone_auth_plugin }}
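Review bot: In the new `[barbican]` section of templates/glance-api.conf.j2, `send_service_user_token` is driven by `glance_service_token_roles_required`, whose name suggests it governs role checks on incoming service tokens, not what Glance sends to Barbican. Coupling the two means an operator who changes that setting also silently changes whether secret requests carry the service token, which matters for Barbican policy decisions and audit trails on image encryption keys. I would give it its own default in defaults/main.yml, for example `glance_barbican_send_service_user_token: true` (the name is only a suggestion), and render `send_service_user_token = {{ glance_barbican_send_service_user_token | bool }}`. The block also sets no `verify_ssl` option, so Barbican calls presumably keep the library default even where `keystone_service_internaluri_insecure` is set for `[keystone_authtoken]` just below. A one-line template comment saying that certificate verification is intentionally left on would save the next reader from "fixing" it.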