Barbican secret deletion support

Registered by Brian Rosmaita

The Block Storage Service (Cinder) offers end users the ability to create images from encrypted volume types. When it does this, Cinder stores a secret in Barbican in a 1-1 relation to the image and puts the Barbican ID of the secret as an image property, `cinder_encryption_key_id`. When a user deletes such an image, the Barbican secret is no longer applicable to any resource, but it persists in Barbican. As a result, deployers have a situation where useless secrets are piling up in Barbican. This would be mitigated if Glance deleted the unique Barbican secret of an image at the time of image deletion.
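The cleanup the blueprint asks for, as an added illustration that is not Glance's or the linked Gerrit changes' code: on image deletion, read the `cinder_encryption_key_id` property and delete the matching secret, treating an unencrypted image (no property) and an already-deleted secret (Barbican 404 analogue) as non-fatal so the image deletion itself still completes. The in-memory key manager and image store, the `SecretNotFound` exception and all sample ids are constructed stand-ins for Barbican and the Glance database; a real service would call the key manager API instead.

```python
"""Constructed example: delete an image's Barbican secret when the image is deleted.

FakeKeyManager and ImageStore are in-memory stand-ins (assumptions for this
example) for Barbican and the Glance image database. The property name
``cinder_encryption_key_id`` is the one described in the blueprint.
"""
from dataclasses import dataclass, field

SECRET_PROPERTY = "cinder_encryption_key_id"


class SecretNotFound(KeyError):
    """Analogue of Barbican answering 404 for an unknown secret id."""


class FakeKeyManager:
    """In-memory stand-in for Barbican; stores secret payloads by id."""

    def __init__(self):
        self._secrets = {}

    def store(self, secret_id, payload):
        self._secrets[secret_id] = payload

    def delete(self, secret_id):
        if secret_id not in self._secrets:
            raise SecretNotFound(secret_id)
        del self._secrets[secret_id]

    def exists(self, secret_id):
        return secret_id in self._secrets


@dataclass
class Image:
    """Minimal image record: an id plus free-form properties."""
    image_id: str
    properties: dict = field(default_factory=dict)


class ImageStore:
    """Stand-in for the image database, wired to a key manager for cleanup."""

    def __init__(self, key_manager):
        self._images = {}
        self._km = key_manager
        self.warnings = []  # records secrets that were already gone

    def add(self, image):
        self._images[image.image_id] = image

    def exists(self, image_id):
        return image_id in self._images

    def delete(self, image_id):
        """Delete the image, then its 1-1 secret if the property is present.

        Returns True if a secret was deleted, None if the image carried no
        secret property, False if the secret was already absent (logged, not
        fatal: the image is removed either way).
        """
        image = self._images.pop(image_id)
        secret_id = image.properties.get(SECRET_PROPERTY)
        if secret_id is None:
            return None  # unencrypted image: nothing to clean up
        try:
            self._km.delete(secret_id)
        except SecretNotFound:
            self.warnings.append(
                f"image {image_id}: secret {secret_id} not found, skipping")
            return False
        return True


if __name__ == "__main__":
    km = FakeKeyManager()
    km.store("sec-1", b"constructed-key-material")
    store = ImageStore(km)
    store.add(Image("img-1", {SECRET_PROPERTY: "sec-1"}))
    print(store.delete("img-1"), km.exists("sec-1"))
```

The important ordering point is that the secret is only deleted after the image record is gone; a secret that Barbican no longer holds is recorded as a warning rather than raised, so a stale property cannot leave an undeletable image behind.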

Blueprint information

Status:
Started
Approver:
None
Priority:
Undefined
Drafter:
Brian Rosmaita
Direction:
Needs approval
Assignee:
Cyril Roelandt
Definition:
Pending Approval
Series goal:
Accepted for train
Implementation:
Good progress
Milestone target:
None
Started by
Brian Rosmaita

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.opendev.org/#/q/topic:bp/barbican-secret-deletion-support

Addressed by: https://review.opendev.org/671503
    Delete secret key on image deletion

Addressed by: https://review.opendev.org/680786
    Add release notes for secret key deletion


Work Items

