This change effectively enables generation of fernet keys and their
usage via the mechanism of k8s secrets. The legacy approach with a
pre-generated fernet key is removed.
Change-Id: Ibdf0a0eafb48930d5536f35511be78c1e5df9921
Partial-Bug: #1651392
Partial-Bug: #1651394
Depends-On: Iaaede4ccb94c99d70f3ecad040d5ab6c41428c5e
Depends-On: I577b3f36a12d14b4b5d546d9633d4629eb5d8a37
A mechanism to rotate fernet keys is added. The CCP operator can use one
of two ways to rotate keys:

1. Manual rotation.
   Pre-generate keys manually and distribute them to the keystone pod(s).
   To do so, the operator needs to put the generated keys into the ccp
   config file in the following format:

       configs:
         keystone:
           fernet_keys:
             "0": <key-0>
             "2": <key-2>
             "3": <key-3>

   Then execute the custom action 'fernet-rotate'. The keys will be placed
   into the k8s secret.

2. Automatic rotation.
   Do not put keys in the config, just execute 'fernet-rotate'. Keys will be
   automatically rotated and put into the proper secret.
Partial-Bug: #1651392
Partial-Bug: #1651394
Change-Id: I577b3f36a12d14b4b5d546d9633d4629eb5d8a37
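
Added example, not part of the commit above or of the fuel-ccp code: a sketch of what one rotation does to a `fernet_keys` mapping in the format shown, which can also be used to check manually generated keys before they go into the config. It assumes upstream keystone's repository convention (index 0 is the staged key, the highest index is the primary) and a `max_active_keys` of 3; all function names are hypothetical.

```python
import base64
import os

MAX_ACTIVE_KEYS = 3  # assumption: keystone's default for [fernet_tokens] max_active_keys


def new_key():
    """A Fernet key: 32 random bytes, URL-safe base64 encoded."""
    return base64.urlsafe_b64encode(os.urandom(32)).decode()


def validate(keys):
    """Reject a fernet_keys mapping that keystone could not use."""
    if "0" not in keys:
        raise ValueError("staged key '0' is missing")
    for index, key in keys.items():
        if not (index.isascii() and index.isdigit()):
            raise ValueError(f"index {index!r} is not a non-negative integer")
        try:
            raw = base64.urlsafe_b64decode(key)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"key {index} is not URL-safe base64") from exc
        if len(raw) != 32:
            raise ValueError(f"key {index} decodes to {len(raw)} bytes, not 32")


def rotate(keys, max_active_keys=MAX_ACTIVE_KEYS):
    """Return the key set after one rotation; the input is not modified."""
    validate(keys)
    rotated = dict(keys)
    primary = max(int(i) for i in rotated) + 1
    rotated[str(primary)] = rotated.pop("0")  # staged key becomes the primary
    rotated["0"] = new_key()                  # fresh staged key for the next rotation
    # Drop the oldest secondary keys until the limit is met; tokens
    # encrypted with a dropped key stop validating.
    secondaries = sorted(int(i) for i in rotated if i not in ("0", str(primary)))
    while len(rotated) > max_active_keys and secondaries:
        del rotated[str(secondaries.pop(0))]
    return rotated


if __name__ == "__main__":
    # Constructed sample keys, generated on the fly.
    before = {"0": new_key(), "2": new_key(), "3": new_key()}
    print(sorted(before), "->", sorted(rotate(before)))
```
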
In a venv, --upgrade does nothing good since the venv has constraints-bound
versions of everything installed. It does a bad thing though: it tries to
upgrade setuptools (it is not mentioned in upstream constraints.txt)
and breaks further building.
Change-Id: I93607580fbf74f1570909bc51daacee67ea8ebeb
--no-cache-dir is now the default for the microservices venv and there's no
need to pass requirements.txt to pip directly, especially as a constraints
file.
Change-Id: I17ee4acfb19586a323510ecb675355e026ddd271
Tokens are propagated from config for now, with no additional security.
Rotation is not supported at all.
Change-Id: Ifa67cc3f98f1316dd61c132c0b1d662ee6ea9b0a
Images will be built with sources from the master branch of the
https://github.com/openstack/keystone.git repository by default.
Change-Id: I97c2a309f2025aebcff90ea1326c2a2eb1c848ee
Depends-On: I4d91aa8632fcd55735d791300fde475696b435b5