From 09e29d0db9b895b97470c9c8a60442b980a3eb3c Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Fri, 21 Jun 2019 16:52:18 +0100
Subject: [PATCH] Don't rotate keystone fernet keys during deploy
When running deploy or reconfigure for Keystone, ansible/roles/keystone/tasks/deploy.yml calls init_fernet.yml, which runs /usr/bin/fernet-rotate.sh, which calls keystone-manage fernet_rotate. This means that a token can become invalid if the operator runs deploy or reconfigure too often.
This change splits out fernet-push.sh from the fernet-rotate.sh script, then calls fernet-push.sh after the fernet bootstrap performed in deploy.
Change-Id: I824857ddfb1dd026f93994a4ac8db8f80e64072e
Closes-Bug: #1833729
---
 ansible/roles/keystone/tasks/config.yml | 1 +
 ansible/roles/keystone/tasks/init_fernet.yml | 2 +-
 ansible/roles/keystone/templates/fernet-push.sh.j2 | 7 +++++++
 ansible/roles/keystone/templates/fernet-rotate.sh.j2 | 6 +-----
 ansible/roles/keystone/templates/keystone-fernet.json.j2 | 6 ++++++
 5 files changed, 16 insertions(+), 6 deletions(-)
 create mode 100644 ansible/roles/keystone/templates/fernet-push.sh.j2
diff --git a/ansible/roles/keystone/tasks/config.yml b/ansible/roles/keystone/tasks/config.yml
index 49bfe6bec8..395c97af3c 100644
--- a/ansible/roles/keystone/tasks/config.yml
+++ b/ansible/roles/keystone/tasks/config.yml
@@ -200,6 +200,7 @@
 - { src: "crontab.j2", dest: "crontab" }
 - { src: "fernet-rotate.sh.j2", dest: "fernet-rotate.sh" }
 - { src: "fernet-node-sync.sh.j2", dest: "fernet-node-sync.sh" }
+ - { src: "fernet-push.sh.j2", dest: "fernet-push.sh" }
 - { src: "id_rsa", dest: "id_rsa" }
 - { src: "ssh_config.j2", dest: "ssh_config" }
 when:
diff --git a/ansible/roles/keystone/tasks/init_fernet.yml b/ansible/roles/keystone/tasks/init_fernet.yml
index 09602a6bbf..9fa0769468 100644
--- a/ansible/roles/keystone/tasks/init_fernet.yml
+++ b/ansible/roles/keystone/tasks/init_fernet.yml
@@ -22,6 +22,6 @@
 - name: Run key distribution
 become: true
- command: docker exec -t keystone_fernet /usr/bin/fernet-rotate.sh
+ command: docker exec -t keystone_fernet /usr/bin/fernet-push.sh
 run_once: True
 delegate_to: "{{ groups['keystone'][0] }}"
diff --git a/ansible/roles/keystone/templates/fernet-push.sh.j2 b/ansible/roles/keystone/templates/fernet-push.sh.j2
new file mode 100644
index 0000000000..cd77375812
--- /dev/null
+++ b/ansible/roles/keystone/templates/fernet-push.sh.j2
@@ -0,0 +1,7 @@
+#!/bin/bash
+ {% for host in groups['keystone'] %} {% if inventory_hostname != host %} /usr/bin/rsync -az -e 'ssh -i /var/lib/keystone/.ssh/id_rsa -p {{ hostvars[host]['keystone_ssh_port'] }} -F /var/lib/keystone/.ssh/config' --delete /etc/keystone/fernet-keys/ keystone@{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:/etc/keystone/fernet-keys {% endif %} {% endfor %}
diff --git a/ansible/roles/keystone/templates/fernet-rotate.sh.j2 b/ansible/roles/keystone/templates/fernet-rotate.sh.j2
index 9f6cf8c955..3ef7a0e63c 100644
--- a/ansible/roles/keystone/templates/fernet-rotate.sh.j2
+++ b/ansible/roles/keystone/templates/fernet-rotate.sh.j2
@@ -2,8 +2,4 @@
 keystone-manage --config-file /etc/keystone/keystone.conf fernet_rotate --keystone-user {{ keystone_username }} --keystone-group {{ keystone_groupname }}
-{% for host in groups['keystone'] %}
-{% if inventory_hostname != host %}
-/usr/bin/rsync -az -e 'ssh -i /var/lib/keystone/.ssh/id_rsa -p {{ hostvars[host]['keystone_ssh_port'] }} -F /var/lib/keystone/.ssh/config' --delete /etc/keystone/fernet-keys/ keystone@{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:/etc/keystone/fernet-keys
-{% endif %}
-{% endfor %}
+/usr/bin/fernet-push.sh
diff --git a/ansible/roles/keystone/templates/keystone-fernet.json.j2 b/ansible/roles/keystone/templates/keystone-fernet.json.j2
index b0695c25e9..05fa9cda53 100644
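Review bot: Nothing on the changed `command:` line or around it records that the host chosen by `delegate_to: "{{ groups['keystone'][0] }}"` is now the authoritative source of fernet keys on every deploy and reconfigure, and that fernet-push.sh (added in this commit) mirrors its key directory onto the other keystone hosts with rsync `--delete`, discarding whatever they hold. A comment on the task would make that assumption visible to the next operator: `# The first keystone host's /etc/keystone/fernet-keys is authoritative; fernet-push.sh mirrors it (rsync --delete) to every other keystone host.` The existing `run_once: True` would also read more consistently as `run_once: true`, matching the `become: true` two lines above. The enclosing task list starts and ends outside the hunk.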
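Review bot: fernet-push.sh.j2 sets no `set -e`, so a failed rsync to any host other than the last one in `groups['keystone']` is masked: the script exits with the status of the final rsync only, and the `command: docker exec -t keystone_fernet /usr/bin/fernet-push.sh` task in init_fernet.yml would report success while some keystone hosts keep stale or missing fernet keys. Adding `set -e` directly after the `#!/bin/bash` line makes the task fail on the first host that cannot be updated, which is the behaviour an operator needs when token validity depends on every node holding the same key set. The same gap applies to fernet-rotate.sh.j2 in this commit, where the new `/usr/bin/fernet-push.sh` call runs even if the preceding `keystone-manage ... fernet_rotate` failed, unless line 1 of that script, which is outside the hunk, already enables `-e`.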
--- a/ansible/roles/keystone/templates/keystone-fernet.json.j2
+++ b/ansible/roles/keystone/templates/keystone-fernet.json.j2
@@ -26,6 +26,12 @@
 "owner": "root",
 "perm": "0755"
 },
+ {
+ "source": "{{ container_config_directory }}/fernet-push.sh",
+ "dest": "/usr/bin/fernet-push.sh",
+ "owner": "root",
+ "perm": "0755"
+ },
 {
 "source": "{{ container_config_directory }}/ssh_config",
 "dest": "/var/lib/keystone/.ssh/config",