From cef1b979ba6ca4dba34e815e860d28cc7f6440c6 Mon Sep 17 00:00:00 2001
From: Dmitry Klenov
Date: Fri, 27 Jan 2017 07:08:58 +0000
Subject: [PATCH] Enable fernet keys generation

This change effectively enables fernet keys generation and their usage via the mechanism of k8s secrets. Legacy approach with pre-generated fernet key is removed.

Change-Id: Ibdf0a0eafb48930d5536f35511be78c1e5df9921
Partial-Bug: #1651392
Partial-Bug: #1651394
Depends-On: Iaaede4ccb94c99d70f3ecad040d5ab6c41428c5e
Depends-On: I577b3f36a12d14b4b5d546d9633d4629eb5d8a37
---
 docker/keystone/keystone_sudoers | 2 +-
 service/files/defaults.yaml | 2 +-
 service/files/fernet-key.j2 | 1 -
 service/keystone.yaml | 30 +++++++++++++++++++++++-------
 4 files changed, 25 insertions(+), 10 deletions(-)
 delete mode 100644 service/files/fernet-key.j2

diff --git a/docker/keystone/keystone_sudoers b/docker/keystone/keystone_sudoers
index aab9325..fa9e0c8 100644
--- a/docker/keystone/keystone_sudoers
+++ b/docker/keystone/keystone_sudoers
@@ -1 +1 @@
-%microservices ALL=(root) NOPASSWD: /bin/chown keystone\:keystone /var/log/ccp/keystone
+%microservices ALL=(root) NOPASSWD: /bin/chown keystone\:keystone /var/log/ccp/keystone, /bin/chown keystone\:keystone /etc/keystone/fernet-keys
diff --git a/service/files/defaults.yaml b/service/files/defaults.yaml
index dbfb2bc..94f718e 100644
--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@@ -17,8 +17,8 @@ configs:
 processes: 6
 threads: 1
+ fernet_secret_name: keystone-fernet-keys
 # 100% random default
- fernet_key: "ZAabsQIXsSW7Ez52UZRqUXDz87y9+R+mbxVZ38gRmjg="
 credential_key: "2jjLrgOLvI-wj7g-8058SSCw0-ZnL4Ghg5cLuBirxL8="
 notifications:
diff --git a/service/files/fernet-key.j2 b/service/files/fernet-key.j2
deleted file mode 100644
index 7570c6d..0000000
--- a/service/files/fernet-key.j2
+++ /dev/null
@@ -1 +0,0 @@
-{{ keystone.fernet_key }}
diff --git a/service/keystone.yaml b/service/keystone.yaml
index e96451a..3ed22da 100644
--- a/service/keystone.yaml
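Review bot: The second grant on the new `+` line is exact-argument like the first (no wildcard, no `-R`), so it cannot be redirected at another path, but nothing in the file says why an unprivileged keystone process needs to re-own a directory that service/keystone.yaml mounts as a Kubernetes secret; presumably the mount is not owned by keystone as delivered. Sudoers accepts `#` comments, so add one above the rule, e.g. `# chown of /etc/keystone/fernet-keys: the fernet-keys secret mount is re-owned for keystone in the chown-fernet-dir pre step of service/keystone.yaml`. The companion `chmod -t` step in keystone.yaml is not granted here and so runs as keystone after the chown, which keeps this grant minimal; worth stating in the same comment so the next edit does not widen it.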
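Review bot: `credential_key` keeps a committed default, now sitting directly under the `# 100% random default` comment that the removed `fernet_key` line used to share, so any deployment that does not override it runs with a key that is public in the repository; this change moves fernet keys into a generated Kubernetes secret but leaves the credential key on the old path. If the companion change referenced in the commit message covers it, say so in the comment; otherwise extend it to `# 100% random default -- placeholder only, override per deployment` so the intent is not lost. The new `fernet_secret_name` would also benefit from a comment stating what it names, e.g. `# name of the Kubernetes Secret mounted at /etc/keystone/fernet-keys by service/keystone.yaml`, which the keystone.yaml hunk in this patch establishes.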
+++ b/service/keystone.yaml
@@ -1,4 +1,4 @@
-dsl_version: 0.4.0
+dsl_version: 0.6.0
 service:
 name: keystone
 ports:
@@ -24,6 +24,16 @@ service:
 pre:
 - name: chown-logs-dir
 command: "sudo /bin/chown keystone:keystone /var/log/ccp/keystone"
+ - name: chown-fernet-dir
+ command: "sudo /bin/chown keystone:keystone /etc/keystone/fernet-keys"
+ - name: remove-fernet-dir-sticky-bit
+ command: /bin/chmod -t /etc/keystone/fernet-keys
+ - name: generate-fernet-keys
+ command: "/usr/bin/python /opt/ccp/bin/fernet-manage.py fernet_setup"
+ image: keystone
+ type: single
+ files:
+ - fernet-manage
 - name: keystone-db-create
 dependencies:
 - {{ service.database }}
@@ -63,8 +73,9 @@ service:
 files:
 - keystone-conf
 - wsgi-keystone-conf
- - fernet-key
 - credential-key
+ secrets:
+ - keystone-fernet
 command: daemon.sh
 post:
 - name: keystone-create-project
@@ -78,13 +89,18 @@ files:
 wsgi-keystone-conf:
 path: /etc/apache2/conf-enabled/wsgi-keystone.conf
 content: wsgi-keystone.conf.j2
- fernet-key:
- path: /etc/keystone/fernet-keys/1
- content: fernet-key.j2
- perm: "0600"
- user: keystone
 credential-key:
 path: /etc/keystone/credential-keys/1
 content: credential-key.j2
 perm: "0600"
 user: keystone
+ fernet-manage:
+ path: /opt/ccp/bin/fernet-manage.py
+ content: fernet-manage.py
+ perm: "0400"
+ user: keystone
+secrets:
+ keystone-fernet:
+ path: "/etc/keystone/fernet-keys"
+ secret:
+ secretName: {{ keystone.fernet_secret_name }}
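Review bot: `command: /bin/chmod -t /etc/keystone/fernet-keys` is the only unquoted command in this `pre:` list, and neither it nor `chown-fernet-dir` records why a directory that arrives as a secret mount needs its owner changed and its sticky bit cleared. Quote it like its neighbours and put a comment above `chown-fernet-dir`, e.g. `# the fernet-keys secret mount is not usable by keystone as mounted: re-own it and clear the sticky bit before the daemon starts -- TODO confirm the mount's default owner and mode`. The chmod runs without sudo, so it only succeeds because the chown step precedes it; that ordering is implicit and belongs in the same comment. `generate-fernet-keys` lists `fernet-manage` under `files:` but no `secrets:`, so `fernet_setup` presumably creates or fills the secret through the API rather than through the mount; a one-line comment saying which would save the next reader the guess. The `pre:` list continues past this hunk.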
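Review bot: The removed `fernet-key` entry pinned the key file to `perm: "0600"` and `user: keystone`, while the `keystone-fernet` secret mount that replaces it (`secretName: {{ keystone.fernet_secret_name }}`) states no mode, so the key files inside the container get whatever the secret volume defaults to. If the 0.6.0 DSL exposes a mode for secret volumes, set it here; if not, record the expectation, e.g. `# key files carry the secret volume's default mode; the chown-fernet-dir pre step re-owns the directory for keystone`. `path: "/etc/keystone/fernet-keys"` is the only quoted path in this hunk (`path: /opt/ccp/bin/fernet-manage.py` just above is plain), so drop the quotes for consistency. The `files:` mapping begins before this hunk.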