Secrets

Overview

SysEleven Stack uses the OpenStack component Barbican for secret storage. We introduced Barbican secret storage primarily to provide a safe way to store SSL certificates and private keys for Octavia Load Balancer as a Service.

Barbican is part of the Octavia public beta phase. This means we invite you to test the Barbican secret storage, but we do not recommend using it for production workloads yet.

The Barbican secret storage is part of our global region. This means that, similar to Keystone (Identity and Access) and Designate (DNSaaS), there is one API for all regions.

Barbican feature               Supported
Secret storage and metadata    Yes
Containers                     Yes
Consumers                      Yes
Access control lists           Yes
Certificate orders             No

Secret storage and metadata

All secrets are transferred and stored fully encrypted at all times. Metadata, by contrast, is not guaranteed to be stored encrypted, so it should not contain sensitive values.

Containers

A container groups a set of secrets for a particular purpose.

Containers can be of type generic, RSA, or Certificate.

Type         Accompanied secret names
Generic      No restrictions
RSA          public_key, private_key, and private_key_passphrase
Certificate  certificate and optionally private_key, private_key_passphrase, and intermediates

Consumers

Barbican can be used to persist a list of consumers for any given container. A consumer consists of a consumer name, a URL and a reference to the container.

Access control lists

By default, secrets and containers are accessible to all users of a project (see the Identity and Access reference guide for more information about users, groups and projects).

Using access control lists, you can restrict access to certain users or groups.

Currently, the access control list (ACL) settings defined for a container are not propagated down to its associated secrets; a secret that must be restricted needs its own ACL.
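As an added example (not SysEleven's or Barbican's own code), the following Python builds the Barbican v1 REST request for a certificate container, checking the secret names against the table above, and then sets a read ACL on the container and on every secret it references, because the container ACL is not inherited. The API URL, secret references and user IDs are constructed placeholders.

```python
"""Build Barbican v1 API requests for a typed container and fan its read ACL
out to every referenced secret, since container ACLs are not propagated."""

# Secret names each container type accepts (from the reference table above).
ALLOWED_SECRET_NAMES = {
    "generic": None,  # no restrictions
    "rsa": {"public_key", "private_key", "private_key_passphrase"},
    "certificate": {"certificate", "private_key",
                    "private_key_passphrase", "intermediates"},
}
# Names a container type must contain ("optionally" in the table means not required).
REQUIRED_SECRET_NAMES = {"certificate": {"certificate"}}


def validate_container(ctype, secret_refs):
    """Raise ValueError if the secret names do not fit the container type."""
    names = {name for name, _ in secret_refs}
    allowed = ALLOWED_SECRET_NAMES[ctype]
    if allowed is not None and not names <= allowed:
        raise ValueError(f"{ctype} container cannot hold {sorted(names - allowed)}")
    missing = REQUIRED_SECRET_NAMES.get(ctype, set()) - names
    if missing:
        raise ValueError(f"{ctype} container is missing {sorted(missing)}")


def container_request(api, ctype, name, secret_refs):
    """Return (method, url, json_body) creating a container.
    secret_refs is a list of (secret name, secret_ref URL) tuples."""
    validate_container(ctype, secret_refs)
    body = {"type": ctype, "name": name,
            "secret_refs": [{"name": n, "secret_ref": r} for n, r in secret_refs]}
    return ("POST", f"{api}/v1/containers", body)


def acl_requests(container_ref, secret_refs, user_ids):
    """Return one PUT .../acl request for the container AND for each secret.
    'project-access': False limits reads to the listed users only; without the
    per-secret entries, every project user could still read the secrets."""
    acl = {"read": {"users": list(user_ids), "project-access": False}}
    targets = [container_ref] + [ref for _, ref in secret_refs]
    return [("PUT", f"{target}/acl", acl) for target in targets]


if __name__ == "__main__":
    # Constructed placeholder values; real secret_ref URLs come from Barbican.
    api = "https://api.example.invalid"
    refs = [("certificate", f"{api}/v1/secrets/CERT-ID"),
            ("private_key", f"{api}/v1/secrets/KEY-ID")]
    print(container_request(api, "certificate", "lb-cert", refs))
    for req in acl_requests(f"{api}/v1/containers/CONTAINER-ID", refs, ["USER-ID"]):
        print(req)
```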

Known issues