Enable fernet keys generation

This change enables Fernet key generation and stores and consumes the
generated keys through a Kubernetes secret. The legacy approach, in
which a single pre-generated Fernet key is shipped in the configuration,
is removed.

Change-Id: Ibdf0a0eafb48930d5536f35511be78c1e5df9921
Partial-Bug: #1651392
Partial-Bug: #1651394
Depends-On: Iaaede4ccb94c99d70f3ecad040d5ab6c41428c5e
Depends-On: I577b3f36a12d14b4b5d546d9633d4629eb5d8a37
Dmitry Klenov 2017-01-27 07:08:58 +00:00
parent 80c1725a2f
commit cef1b979ba
4 changed files with 25 additions and 10 deletions


@ -1 +1 @@
%microservices ALL=(root) NOPASSWD: /bin/chown keystone\:keystone /var/log/ccp/keystone
%microservices ALL=(root) NOPASSWD: /bin/chown keystone\:keystone /var/log/ccp/keystone, /bin/chown keystone\:keystone /etc/keystone/fernet-keys
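Review bot: The added NOPASSWD rule lets any member of %microservices run `chown keystone:keystone /etc/keystone/fernet-keys` as root, and chown dereferences a symlink at that path by default, so if the unprivileged user can ever replace `fernet-keys` with a symlink before the pre-step runs, the rule re-owns an arbitrary file to keystone. In the intended flow the path is a mounted secret volume, which cannot be swapped, so the exposure is likely small, but the parent directory's ownership is not visible here. Using `/bin/chown -h keystone\:keystone /etc/keystone/fernet-keys` in both the sudoers entry and the matching pre-step command removes the symlink case at no cost. The same consideration applies to the pre-existing log-directory entry on this line.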


@ -17,8 +17,8 @@ configs:
processes: 6
threads: 1
fernet_secret_name: keystone-fernet-keys
# 100% random default
fernet_key: "ZAabsQIXsSW7Ez52UZRqUXDz87y9+R+mbxVZ38gRmjg="
credential_key: "2jjLrgOLvI-wj7g-8058SSCw0-ZnL4Ghg5cLuBirxL8="
notifications:
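Review bot: `credential_key` keeps a static default that ships in the repository while the equivalent `fernet_key` default is removed, so any deployment that does not override it encrypts stored credentials with a publicly known key. The surviving `# 100% random default` comment now sits above `credential_key` and reads as reassurance rather than a warning. The Partial-Bug trailers suggest credential keys may be handled in a follow-up; until then replace the comment with `# Static default: must be overridden per deployment (credential keys are not yet generated like the fernet keys)` so the remaining risk is visible to operators.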


@ -1 +0,0 @@
{{ keystone.fernet_key }}


@ -1,4 +1,4 @@
dsl_version: 0.4.0
dsl_version: 0.6.0
service:
name: keystone
ports:
@ -24,6 +24,16 @@ service:
pre:
- name: chown-logs-dir
command: "sudo /bin/chown keystone:keystone /var/log/ccp/keystone"
- name: chown-fernet-dir
command: "sudo /bin/chown keystone:keystone /etc/keystone/fernet-keys"
- name: remove-fernet-dir-sticky-bit
command: /bin/chmod -t /etc/keystone/fernet-keys
- name: generate-fernet-keys
command: "/usr/bin/python /opt/ccp/bin/fernet-manage.py fernet_setup"
image: keystone
type: single
files:
- fernet-manage
- name: keystone-db-create
dependencies:
- {{ service.database }}
@ -63,8 +73,9 @@ service:
files:
- keystone-conf
- wsgi-keystone-conf
- fernet-key
- credential-key
secrets:
- keystone-fernet
command: daemon.sh
post:
- name: keystone-create-project
@ -78,13 +89,18 @@ files:
wsgi-keystone-conf:
path: /etc/apache2/conf-enabled/wsgi-keystone.conf
content: wsgi-keystone.conf.j2
fernet-key:
path: /etc/keystone/fernet-keys/1
content: fernet-key.j2
perm: "0600"
user: keystone
credential-key:
path: /etc/keystone/credential-keys/1
content: credential-key.j2
perm: "0600"
user: keystone
fernet-manage:
path: /opt/ccp/bin/fernet-manage.py
content: fernet-manage.py
perm: "0400"
user: keystone
secrets:
keystone-fernet:
path: "/etc/keystone/fernet-keys"
secret:
secretName: {{ keystone.fernet_secret_name }}
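Review bot: The `keystone-fernet` secret mount replaces a file entry that was declared with `perm: "0600"` and `user: keystone`, but the mount declares no file mode, and Kubernetes projects secret volumes with world-readable (0644) entries by default, so the generated Fernet keys may be readable by every user inside the container. Whether this DSL version exposes a mode for `secrets:` is not visible here; if it does, add `perm: "0600"` next to `path`, and if it does not, tighten the directory in the pre-steps after `remove-fernet-dir-sticky-bit`, e.g. `- name: restrict-fernet-dir` / `command: "/bin/chmod 0700 /etc/keystone/fernet-keys"`. The `chmod -t` command and the `secretName` template are the only unquoted values in the section; `"/bin/chmod -t /etc/keystone/fernet-keys"` and `"{{ keystone.fernet_secret_name }}"` match the surrounding style and guard the template against an empty expansion parsing as null. The `files:`/`secrets:` mapping may continue past the end of the hunk.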