@yaguangtang
Member

Add configuration options to allow Nova and admin users to access Barbican secrets for vTPM operations:

  • Add barbican_policy_nova_secret_access option to allow the Nova service account to access Barbican secrets for vTPM operations
  • Add barbican_policy_admin_secret_access option to allow admin users to access all Barbican secrets
  • Both options are disabled by default for security
  • Add documentation with security warnings to the emulated-tpm admin guide
  • Add release note documenting the feature and security implications

This enables automatic vTPM VM restart after compute node reboots.

Resolves: A8E-82

yaguangtang marked this pull request as draft on January 13, 2026 01:32
Add configuration options to allow Nova and admin users to access
Barbican secrets for vTPM operations:

- Add barbican_policy_nova_secret_access option to allow the Nova service
  account to access Barbican secrets for vTPM operations
- Add barbican_policy_admin_secret_access option to allow admin users
  to access all Barbican secrets
- Both options are disabled by default for security
- Add documentation with security warnings to the emulated-tpm admin guide
- Add release note documenting the feature and security implications

This enables automatic vTPM VM restart after compute node reboots.

Resolves: A8E-82

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: yaguang tang <yaguang.tang@vexxhost.com>
yaguangtang force-pushed the feat/vtpm-nova-barbican-access branch 2 times, most recently from 97e6ac2 to 5a449df on January 15, 2026 13:50
Signed-off-by: yaguang tang <yaguang.tang@vexxhost.com>
yaguangtang force-pushed the feat/vtpm-nova-barbican-access branch from 03686e9 to d420bf4 on January 15, 2026 15:28