kms_keymaster: allow specifying barbican_endpoint

Under a multi-region deployment with a single Keystone server,
specifying the Keystone auth credentials isn't enough. Indeed,
Castellan succeeds when logging-in, but may use the wrong
Barbican endpoint (if there are 2 Barbican deployed). This is
what happened to us, when deploying our 2nd region.

They way to fix it would be to tell Castellan what region to use,
unfortunately, there's no such option in Castellan. Though we may
specify the barbican_endpoint, which is what this patch allows.

Change-Id: Ib7f4219ef5fdef65e9cfd5701e28b5288741783e

Author: thomasgoirand

etc/keymaster.conf-sample

@@ -93,6 +93,12 @@
 # domain_id = changeme
 # domain_name = changeme
 
+# If running on a multi-region cluster, Castellan may select the wrong
+# endpoint for Barbican. To avoid this, set this to the URL of the
+# correct barbican endpoint. If there is only a single Barbican service
+# in your deployment, it is fine to leave this unconfigured.
+# barbican_endpoint =
+
 [kmip_keymaster]
 # The kmip_keymaster section is used to configure a keymaster that fetches an
 # encryption root secret from a KMIP service.

swift/common/middleware/crypto/kms_keymaster.py

@@ -34,7 +34,7 @@ class KmsKeyMaster(BaseKeyMaster):
                       'domain_id', 'domain_name', 'project_id',
                       'project_domain_id', 'reauthenticate',
                       'auth_endpoint', 'api_class', 'key_id*',
-                      'active_root_secret_id')
+                      'barbican_endpoint', 'active_root_secret_id')
     keymaster_conf_section = 'kms_keymaster'
 
     def _get_root_secret(self, conf):
@@ -67,6 +67,7 @@ def _get_root_secret(self, conf):
         oslo_conf = cfg.ConfigOpts()
         options.set_defaults(
             oslo_conf, auth_endpoint=conf.get('auth_endpoint'),
+            barbican_endpoint=conf.get('barbican_endpoint'),
             api_class=conf.get('api_class')
         )
         options.enable_logging()