Barbican secret deletion support

Registered by Brian Rosmaita on 2019-08-16

The Block Storage Service (Cinder) offers end users the ability to create images from encrypted volume types. When it does this, Cinder stores a secret in Barbican in a 1-1 relation to the image and puts the Barbican ID of the secret as an image property,
 `cinder_encryption_key_id``. When a user deletes such an image, the Barbican secret is no longer applicable to any resource, but it persists in Barbican. As a result, deployers have a situation where useless secrets are piling up in Barbican. This would be mitigated if Glance deleted the unique Barbican secret of an image at the time of image deletion.

Blueprint information

Status:
Started
Approver:
None
Priority:
Undefined
Drafter:
Brian Rosmaita
Direction:
Needs approval
Assignee:
Cyril Roelandt
Definition:
Pending Approval
Series goal:
Accepted for train
Implementation:
Good progress
Milestone target:
None
Started by
Brian Rosmaita on 2019-08-16

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.opendev.org/#/q/topic:bp/barbican-secret-deletion-support

Addressed by: https://review.opendev.org/671503
    Delete secret key on image deletion

Addressed by: https://review.opendev.org/680786
    dd release notes for secret key deletion

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.

Subscribers

No subscribers.