Description: kms_keymaster: allow specifying barbican_endpoint
 Under a multi-region deployment with a single Keystone server,
 specifying the Keystone auth credentials isn't enough. Indeed,
 Castellan succeeds when logging in, but may use the wrong
 Barbican endpoint (if there are 2 Barbican deployed). This is
 what happened to us, when deploying our 2nd region.
 .
 The way to fix it would be to tell Castellan what region to use,
 unfortunately, there's no such option in Castellan. Though we may
 specify the barbican_endpoint, which is what this patch allows.
Author: Thomas Goirand <zigo@debian.org>
Date: Thu, 13 Jun 2024 11:27:55 +0200
Change-Id: Ib7f4219ef5fdef65e9cfd5701e28b5288741783e
Forwarded: https://review.opendev.org/c/openstack/swift/+/921927
Last-Update: 2024-06-13

diff --git a/swift/common/middleware/crypto/kms_keymaster.py b/swift/common/middleware/crypto/kms_keymaster.py
index f9a542e..4c0b250 100644
--- a/swift/common/middleware/crypto/kms_keymaster.py
+++ b/swift/common/middleware/crypto/kms_keymaster.py
@@ -34,7 +34,7 @@
                       'domain_id', 'domain_name', 'project_id',
                       'project_domain_id', 'reauthenticate',
                       'auth_endpoint', 'api_class', 'key_id*',
-                      'active_root_secret_id')
+                      'barbican_endpoint', 'active_root_secret_id')
     keymaster_conf_section = 'kms_keymaster'
 
     def _get_root_secret(self, conf):
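Review bot: 'barbican_endpoint' is added to the option tuple with no documentation in this patch, which touches only kms_keymaster.py. Since _get_root_secret() will read the root encryption secret from whatever URL is configured here, the option should be described in the keymaster sample configuration and documentation: when it is needed (more than one Barbican endpoint behind a single Keystone) and that it must point at the Barbican of the intended region.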
@@ -65,10 +65,17 @@
             project_domain_id=conf.get('project_domain_id'),
             reauthenticate=conf.get('reauthenticate'))
         oslo_conf = cfg.ConfigOpts()
-        options.set_defaults(
-            oslo_conf, auth_endpoint=conf.get('auth_endpoint'),
-            api_class=conf.get('api_class')
-        )
+        if conf.get('barbican_endpoint'):
+            options.set_defaults(
+                oslo_conf, auth_endpoint=conf.get('auth_endpoint'),
+                barbican_endpoint=conf.get('barbican_endpoint'),
+                api_class=conf.get('api_class')
+            )
+        else:
+            options.set_defaults(
+                oslo_conf, auth_endpoint=conf.get('auth_endpoint'),
+                api_class=conf.get('api_class')
+            )
         options.enable_logging()
         manager = key_manager.API(oslo_conf)
 
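Review bot: The if/else around options.set_defaults() repeats the auth_endpoint and api_class arguments in both branches, so a later change to one call can silently miss the other. Build the keyword arguments once, add barbican_endpoint only when conf.get('barbican_endpoint') is set, and make a single set_defaults() call. The value is also passed through unchecked; since it decides which server key_manager.API() fetches the root secret from, a unit test covering both the set and unset cases would be worth adding with this change.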
