Merge "Enable fernet keys generation"

2017-02-14 10:17:29 +00:00 · 2017-02-14 10:17:29 +00:00 · efb0046354
parent ec570f0dc5 cef1b979ba
commit efb0046354
4 changed files with 25 additions and 10 deletions
--- a/docker/keystone/keystone_sudoers
+++ b/docker/keystone/keystone_sudoers
@ -1 +1 @@
-%microservices ALL=(root) NOPASSWD: /bin/chown keystone\:keystone /var/log/ccp/keystone
+%microservices ALL=(root) NOPASSWD: /bin/chown keystone\:keystone /var/log/ccp/keystone, /bin/chown keystone\:keystone /etc/keystone/fernet-keys
--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@ -17,8 +17,8 @@ configs:
      processes: 6
      threads: 1

+    fernet_secret_name: keystone-fernet-keys
    # 100% random default
-    fernet_key: "ZAabsQIXsSW7Ez52UZRqUXDz87y9+R+mbxVZ38gRmjg="
    credential_key: "2jjLrgOLvI-wj7g-8058SSCw0-ZnL4Ghg5cLuBirxL8="

    notifications:
--- a/service/files/fernet-key.j2
+++ b/service/files/fernet-key.j2
@ -1 +0,0 @@
-{{ keystone.fernet_key }}
--- a/service/keystone.yaml
+++ b/service/keystone.yaml
@ -1,4 +1,4 @@
-dsl_version: 0.4.0
+dsl_version: 0.6.0
 service:
  name: keystone
  ports:
@ -24,6 +24,16 @@ service:
      pre:
        - name: chown-logs-dir
          command: "sudo /bin/chown keystone:keystone /var/log/ccp/keystone"
+        - name: chown-fernet-dir
+          command: "sudo /bin/chown keystone:keystone /etc/keystone/fernet-keys"
+        - name: remove-fernet-dir-sticky-bit
+          command: /bin/chmod -t /etc/keystone/fernet-keys
+        - name: generate-fernet-keys
+          command: "/usr/bin/python /opt/ccp/bin/fernet-manage.py fernet_setup"
+          image: keystone
+          type: single
+          files:
+            - fernet-manage
        - name: keystone-db-create
          dependencies:
            - {{ service.database }}
@ -63,8 +73,9 @@ service:
        files:
          - keystone-conf
          - wsgi-keystone-conf
-          - fernet-key
          - credential-key
+        secrets:
+          - keystone-fernet
        command: daemon.sh
      post:
        - name: keystone-create-project
@ -78,13 +89,18 @@ files:
  wsgi-keystone-conf:
    path: /etc/apache2/conf-enabled/wsgi-keystone.conf
    content: wsgi-keystone.conf.j2
-  fernet-key:
-    path: /etc/keystone/fernet-keys/1
-    content: fernet-key.j2
-    perm: "0600"
-    user: keystone
  credential-key:
    path: /etc/keystone/credential-keys/1
    content: credential-key.j2
    perm: "0600"
    user: keystone
+  fernet-manage:
+    path: /opt/ccp/bin/fernet-manage.py
+    content: fernet-manage.py
+    perm: "0400"
+    user: keystone
+secrets:
+  keystone-fernet:
+    path: "/etc/keystone/fernet-keys"
+    secret:
+      secretName: {{ keystone.fernet_secret_name }}