Allow multiple Barbican Key Encryption Key

Barbican moved to support multiple KEKs instead of just one.
OpenStack-helm fails when run against Barbican after commit [1].
This patch allows specifying multiple KEKs and fixes the compatibility issue.

[1] cfba1c1ba8f3659e6de727c3f1c274052e9ccace

Closes-Bug: 2103757

Change-Id: I438ee144b2a0a089dfffedf59961c155d9815889
This commit is contained in:
ricolin 2025-03-19 17:29:55 +08:00 committed by Rico Lin
parent b6fa5ad3dc
commit 73cdac6019
5 changed files with 32 additions and 14 deletions


@ -23,5 +23,5 @@ barbican-db-manage upgrade
{{- if and (not (empty $old_kek)) (not (empty $kek)) }}
set +x
echo "Ensuring that project KEKs are wrapped with the target global KEK"
/tmp/simple_crypto_kek_rewrap.py --old-kek="$(cat /tmp/old_kek)"
/tmp/simple_crypto_kek_rewrap.py --old-keks="$(cat /tmp/old_keks)"
{{- end }}
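Review bot: The new invocation still hands every old KEK to the rewrap script on its command line via `--old-keks="$(cat /tmp/old_keks)"`, so the key material is readable from `/proc/<pid>/cmdline` (`ps`) by anything sharing the job pod's PID namespace for as long as the script runs; `set +x` on the line above only keeps it out of the shell trace. This is carried over from the replaced `--old-kek` line, but since the script's argument is being changed anyway it would be a good moment to pass the path instead, e.g. `/tmp/simple_crypto_kek_rewrap.py --old-keks-file=/tmp/old_keks`, and let the script read and split the file itself. The surrounding guard `{{- if and (not (empty $old_kek)) (not (empty $kek)) }}` relies on `$old_kek` and `$kek` being set before the hunk, so I cannot confirm here that the guard and the mounted `/tmp/old_keks` file are derived from the same values key.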


@ -31,7 +31,7 @@ CONF = simple_crypto.CONF
class KekRewrap(object):
def __init__(self, conf, old_kek):
def __init__(self, conf, old_keks):
self.dry_run = False
self.db_engine = session.create_engine(conf.database.connection or conf.sql_connection)
self._session_creator = scoping.scoped_session(
@ -42,8 +42,16 @@ class KekRewrap(object):
)
self.crypto_plugin = simple_crypto.SimpleCryptoPlugin(conf)
self.plugin_name = utils.generate_fullname_for(self.crypto_plugin)
self.decryptor = fernet.Fernet(old_kek.encode('utf-8'))
self.encryptor = fernet.Fernet(self.crypto_plugin.master_kek)
if hasattr(self.crypto_plugin, 'master_kek'):
self.encryptor = fernet.Fernet(self.crypto_plugin.master_kek)
else:
self.encryptor = fernet.MultiFernet(
[fernet.Fernet(x) for x in self.crypto_plugin.master_keys]
)
self.decryptor = fernet.MultiFernet(
[fernet.Fernet(x.encode('utf-8')) for x in old_keks]
)
def rewrap_kek(self, project, kek):
with self.db_session.begin():
@ -143,14 +151,17 @@ def main():
help='Displays changes that will be made (Non-destructive)'
)
parser.add_argument(
'--old-kek',
default='dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=',
help='Old key encryption key previously used by Simple Crypto Plugin. '
'(32 bytes, base64-encoded)'
'--old-keks',
default="dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=",
help='Old key encryption keys previously used by Simple Crypto Plugin. '
'A comma separated string of list contain keys '
'( with formate 32 bytes and base64-encoded ). '
'First key in list is used for ecnrypting new data. '
'Additional keys used for decrypting existing data.'
)
args = parser.parse_args()
rewrapper = KekRewrap(CONF, args.old_kek)
rewrapper = KekRewrap(CONF, args.old_keks.split(","))
rewrapper.execute(args.dry_run)
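Review bot: `args.old_keks.split(",")` on the last changed line passes the raw comma-split through to `KekRewrap`, so a stray space or a trailing comma becomes `fernet.Fernet(" ")` / `fernet.Fernet("")` whose `ValueError` surfaces from the `MultiFernet` construction in `__init__` rather than as an argument error; I would normalize first with `old_keks = [k.strip() for k in args.old_keks.split(",") if k.strip()]` and call `parser.error("--old-keks needs at least one key")` when the list is empty. The new `--old-keks` help text also states that the first key is used for encrypting new data, but in this tool the list only feeds the decryptor; wrapping uses the plugin's `master_kek` / `master_keys` chosen in the `hasattr` branch, so the help should read something like `'Comma-separated list of old KEKs (each 32 bytes, base64-encoded); every entry is tried when unwrapping existing project KEKs, and rewrapping always uses the KEK configured for the Simple Crypto Plugin.'`, which also removes the "formate"/"ecnrypting" typos. The `hasattr(self.crypto_plugin, 'master_kek')` fallback is a reasonable compatibility shim, but it silently keys off an attribute name that differs between Barbican releases; a one-line comment naming the Barbican change that introduced `master_keys` would help the next maintainer. `main()` continues past the end of the hunk.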


@ -98,5 +98,5 @@ data:
api_audit_map.conf: {{ include "helm-toolkit.utils.to_ini" .Values.conf.audit_map | b64enc }}
policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
barbican-api-uwsgi.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.barbican_api_uwsgi | b64enc }}
old_kek: {{ index .Values.conf.simple_crypto_kek_rewrap "old_kek" | default "" | b64enc | quote }}
old_keks: {{ index .Values.conf.simple_crypto_kek_rewrap "old_kek" | default "" | b64enc | quote }}
{{- end }}


@ -21,7 +21,7 @@ helm.sh/hook-weight: "-4"
{{- $podVolMounts := .Values.pod.mounts.barbican_db_sync.barbican_db_sync.volumeMounts | default list }}
{{- $podVolMounts = append $podVolMounts (dict "name" "db-sync-sh" "mountPath" "/tmp/simple_crypto_kek_rewrap.py" "subPath" "simple_crypto_kek_rewrap.py" "readOnly" true) }}
{{- $podVolMounts = append $podVolMounts (dict "name" "db-sync-conf" "mountPath" "/tmp/old_kek" "subPath" "old_kek" "readOnly" true) }}
{{- $podVolMounts = append $podVolMounts (dict "name" "db-sync-conf" "mountPath" "/tmp/old_keks" "subPath" "old_keks" "readOnly" true) }}
{{- if .Values.manifests.job_db_sync }}
{{- $dbSyncJob := dict "envAll" . "serviceName" "barbican" "podVolMounts" $podVolMounts "podVols" .Values.pod.mounts.barbican_db_sync.barbican_db_sync.volumes "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) -}}


@ -413,7 +413,7 @@ conf:
# When using the simple_crypto_plugin, a kek must be provided as:
# .conf.barbican.simple_crypto_plugin.kek
# If no kek is provided, barbican will use a well-known default.
# If upgrading the chart with a new kek, the old kek must be provided as:
# If upgrading the chart with a new kek, the old kek must be provided in:
# .conf.simple_crypto_plugin_rewrap.old_kek
# Please refer to the .conf.simple_crypto_key_rewrap section below.
# The barbican defaults are included here as a reference:
@ -425,11 +425,13 @@ conf:
# - simple_crypto
# simple_crypto_plugin:
# # The kek should be a 32-byte value which is base64 encoded.
# # First key is used for ecnrypting new data
# kek: "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg="
# # Additional keys used for decrypting existing data
# kek: "xCDpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg="
# KEK rotation for the simple_crypto plugin
simple_crypto_kek_rewrap:
# To allow for chart upgrades when modifying the Key Encryption Key, the
# To allow for chart upgrades when modifying the Key Encryption Keys, the
# db-sync job can rewrap the existing project keys with the new kek, leaving
# each secrets encrypted data unchanged.
@ -447,6 +449,11 @@ conf:
# The KEK value "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=" matches the
# plugin default, and is retained here for convenience, in case the chart was
# previously installed without explicitly specifying a kek.
# old_kek allows commna-separated string for keks
# old_kek:
# # First key is used for ecnrypting new data
# # Additional keys used for decrypting existing data
# - "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=,dDDpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg="
old_kek: "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg="
logging:
loggers:
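Review bot: The new commented example for `old_kek` (the five added lines above the live `old_kek:` value) shows a YAML list containing one comma-joined string, but the live value directly below is a plain string and the secret template pipes `.Values.conf.simple_crypto_kek_rewrap.old_kek` straight into `b64enc`, which will not accept a list; the example should follow the comment's own wording and be a plain string, `old_kek: "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=,dDDpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg="`. The `simple_crypto_plugin` example further up now lists `kek:` twice in one mapping; YAML keeps only the last duplicate, so if the intent is several keys the example needs whatever form the chart's oslo.conf renderer accepts for a multi-valued option (presumably a YAML list) plus a sentence saying the first entry is the one new project KEKs get wrapped with. Typos worth fixing in the added comments: "ecnrypting" (twice) and "commna-separated". The unchanged context line `.conf.simple_crypto_plugin_rewrap.old_kek` also points at a section that does not exist here; the section below is `simple_crypto_kek_rewrap`.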