Previously in configs the "default" value was used as domain_id, but now we
use the domain name and as a result the value should be changed to "Default".
Change-Id: Iee433f968b96f1c3b023bf984b9c886efe52da88
Leaving access to fernet dir for owner only. This improves security
and resolves 'fernet dir is world-readable' warning.
Change-Id: I463a56d41697b8c4c1454758267e906665187b15
Kubernetes client merges old and new values. To erase
old keys, it is needed to clean all the data first.
Change-Id: I0b65cb00260114c1260ef89a8768fed055bbfb0e
- Add files for certificates
- Add config file for nginx service
- Update service definition by adding new container for nginx
- Update wsgi to use localhost
This patch requires patches in other repos:
- fuel-ccp
- fuel-ccp-entrypoint
- fuel-ccp-nginx
Co-Authored-By: Artur Zarzycki <azarzycki@mirantis.com>
Depends-On: I65002b7ff9cfa2faf9d5bce470334aae95334d00
Depends-On: I88bc21571589dcd4c31bb5ce5015a75676ed2d85
Depends-On: I0660cc3ca2723bc06871b61f859adfed42c0d807
Change-Id: If796ea145c0a6b1bcb711496a4ad97a0a4ac2fb2
This change effectively enables fernet keys generation and their
usage via the mechanism of k8s secrets. Legacy approach with
pre-generated fernet key is removed.
Change-Id: Ibdf0a0eafb48930d5536f35511be78c1e5df9921
Partial-Bug: #1651392
Partial-Bug: #1651394
Depends-On: Iaaede4ccb94c99d70f3ecad040d5ab6c41428c5e
Depends-On: I577b3f36a12d14b4b5d546d9633d4629eb5d8a37
Mechanism to rotate fernet keys is added. CCP operator can use one
of two ways to rotate keys:
1. Manual rotation.
Pre-generate keys manually and distribute them to keystone pod(s).
To do it, operator needs to put generated keys to the ccp config file
in the following format:
    configs:
      keystone:
        fernet_keys:
          "0": <key-0>
          "2": <key-2>
          "3": <key-3>
Then, execute custom action 'fernet-rotate'. The keys will be placed
to the k8s secret.
2. Automatic rotation.
Do not put keys to config, just execute 'fernet-rotate'. Keys will be
automatically rotated and put to proper secret.
Partial-Bug: #1651392
Partial-Bug: #1651394
Change-Id: I577b3f36a12d14b4b5d546d9633d4629eb5d8a37
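
Added example, not part of the commit or of the fuel-ccp code base: a pre-flight check an operator could run on the fernet_keys mapping from the manual-rotation config before executing 'fernet-rotate'. The function names are hypothetical, the sample keys are constructed, and the staged/primary rule is Keystone's key repository convention, assumed to apply here.

```python
import base64
import binascii
import os


def make_key():
    """Constructed sample key: 32 random bytes, URL-safe base64 (Fernet format)."""
    return base64.urlsafe_b64encode(os.urandom(32)).decode("ascii")


def check_fernet_keys(fernet_keys):
    """Validate a configs.keystone.fernet_keys mapping.

    Returns (problems, primary_index). Key material is never echoed.
    """
    problems, seen, indices = [], set(), []
    for name, value in fernet_keys.items():
        if not (isinstance(name, str) and name.isascii() and name.isdigit()
                and str(int(name)) == name):
            problems.append(f"key name {name!r}: expected a decimal index such as '0'")
            continue
        indices.append(int(name))
        try:
            raw = base64.urlsafe_b64decode(value.encode("ascii"))
            well_formed = (len(raw) == 32 and
                           base64.urlsafe_b64encode(raw).decode("ascii") == value)
        except (binascii.Error, ValueError, AttributeError):
            well_formed = False
        if not well_formed:
            problems.append(f"key {name}: not URL-safe base64 of 32 bytes")
        elif raw in seen:
            problems.append(f"key {name}: same key material as another index")
        else:
            seen.add(raw)
    # Keystone convention (assumed here): "0" is the staged key and the
    # highest index is the primary key used to encrypt new tokens.
    if 0 not in indices:
        problems.append('staged key "0" is missing')
    if len(indices) < 2:
        problems.append("need a staged key and at least one primary key")
    primary = max(indices) if indices else None
    return problems, primary


if __name__ == "__main__":
    sample = {"0": make_key(), "2": make_key(), "3": make_key()}  # constructed
    print(check_fernet_keys(sample))
```
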
In venv, --upgrade does nothing good since the venv has constraints-bound
versions of everything installed. It does a bad thing though: it tries to
upgrade setuptools (they are not mentioned in upstream constraints.txt)
and breaks further building.
Change-Id: I93607580fbf74f1570909bc51daacee67ea8ebeb
The change does not enable notifications, it just configures the right
transport URL for them via the oslo_messaging template.
Change-Id: I466404295a34fd7f4232e728469280b188ccf9af
By this option (disabled by default), user can enable notifications in keystone
and configure their format (basic or CADF: Cloud Auditing Data Federation
standard).
Change-Id: I8dd5c2a24851d71db18399a709794d6c514e02b6
Also remove liveness one as it does nothing
Depends-On: I8b74906ba3b5cc358f51831d1f87a8a7f0335f02
Depends-On: I2e8aaeeabcb0c2ddfcf605008763a7a938a578b4
Change-Id: I6a59b65966369f2e08e1b3ff3de9ceda703cd26e