:_mod-docs-content-type: PROCEDURE [id="adopting-the-key-manager-service_{context}"] = Adopting the {key_manager} [role="_abstract"] To adopt the {key_manager_first_ref}, you patch an existing `OpenStackControlPlane` custom resource (CR) where {key_manager} is disabled. The patch starts the service with the configuration parameters that are provided by the {rhos_prev_long} ({OpenStackShort}) environment. The {key_manager} adoption is complete if you see the following results: * The `BarbicanAPI`, `BarbicanWorker`, and `BarbicanKeystoneListener` services are up and running. * Keystone endpoints are updated, and the same crypto plugin of the source cloud is available. [NOTE] This procedure configures the {key_manager} to use the `simple_crypto` back end. Additional back ends, such as PKCS11 and DogTag, are currently not supported in {rhos_long}. .Procedure . Add the kek secret: + ---- $ oc set data secret/osp-secret "BarbicanSimpleCryptoKEK=$($CONTROLLER1_SSH "python3 -c \"import configparser; c = configparser.ConfigParser(); c.read('/var/lib/config-data/puppet-generated/barbican/etc/barbican/barbican.conf'); print(c['simple_crypto_plugin']['kek'])\"")" ---- . Patch the `OpenStackControlPlane` CR to deploy the {key_manager}: + ---- $ oc patch openstackcontrolplane openstack --type=merge --patch ' spec: barbican: enabled: true apiOverride: route: {} template: databaseInstance: openstack databaseAccount: barbican rabbitMqClusterName: rabbitmq secret: osp-secret simpleCryptoBackendSecret: osp-secret serviceAccount: barbican serviceUser: barbican passwordSelectors: service: BarbicanPassword simplecryptokek: BarbicanSimpleCryptoKEK barbicanAPI: replicas: 1 override: service: internal: metadata: annotations: metallb.universe.tf/address-pool: internalapi metallb.universe.tf/allow-shared-ip: internalapi metallb.universe.tf/loadBalancerIPs: 172.17.0.80 <1> spec: type: LoadBalancer barbicanWorker: replicas: 1 barbicanKeystoneListener: replicas: 1 ' ---- + <1> If you use IPv6, change the load balancer IP to the load balancer IP in your environment, for example, `metallb.universe.tf/loadBalancerIPs: fd00:bbbb::80`. .Verification * Ensure that the {identity_service_first_ref} endpoints are defined and are pointing to the control plane FQDNs: + ---- $ openstack endpoint list | grep key-manager ---- * Ensure that Barbican API service is registered in the {identity_service}: + ---- $ openstack service list | grep key-manager ---- + ---- $ openstack endpoint list | grep key-manager ---- * List the secrets: + ---- $ openstack secret list ---- //**TODO: Once different crypto plugins are supported, additional lines test those should be added.