Don't rotate keystone fernet keys during deploy
When running deploy or reconfigure for Keystone, ansible/roles/keystone/tasks/deploy.yml calls init_fernet.yml, which runs /usr/bin/fernet-rotate.sh, which calls keystone-manage fernet_rotate. This means that a token can become invalid if the operator runs deploy or reconfigure too often. This change splits out fernet-push.sh from the fernet-rotate.sh script, then calls fernet-push.sh after the fernet bootstrap performed in deploy. Change-Id: I824857ddfb1dd026f93994a4ac8db8f80e64072e Closes-Bug: #1833729
This commit is contained in:
parent
bc7dea58c2
commit
09e29d0db9
@ -200,6 +200,7 @@
|
||||
- { src: "crontab.j2", dest: "crontab" }
|
||||
- { src: "fernet-rotate.sh.j2", dest: "fernet-rotate.sh" }
|
||||
- { src: "fernet-node-sync.sh.j2", dest: "fernet-node-sync.sh" }
|
||||
- { src: "fernet-push.sh.j2", dest: "fernet-push.sh" }
|
||||
- { src: "id_rsa", dest: "id_rsa" }
|
||||
- { src: "ssh_config.j2", dest: "ssh_config" }
|
||||
when:
|
||||
|
@ -22,6 +22,6 @@
|
||||
|
||||
- name: Run key distribution
|
||||
become: true
|
||||
command: docker exec -t keystone_fernet /usr/bin/fernet-rotate.sh
|
||||
command: docker exec -t keystone_fernet /usr/bin/fernet-push.sh
|
||||
run_once: True
|
||||
delegate_to: "{{ groups['keystone'][0] }}"
|
||||
|
7
ansible/roles/keystone/templates/fernet-push.sh.j2
Normal file
7
ansible/roles/keystone/templates/fernet-push.sh.j2
Normal file
@ -0,0 +1,7 @@
|
||||
#!/bin/bash
|
||||
|
||||
{% for host in groups['keystone'] %}
|
||||
{% if inventory_hostname != host %}
|
||||
/usr/bin/rsync -az -e 'ssh -i /var/lib/keystone/.ssh/id_rsa -p {{ hostvars[host]['keystone_ssh_port'] }} -F /var/lib/keystone/.ssh/config' --delete /etc/keystone/fernet-keys/ keystone@{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:/etc/keystone/fernet-keys
|
||||
{% endif %}
|
||||
{% endfor %}
|
@ -2,8 +2,4 @@
|
||||
|
||||
keystone-manage --config-file /etc/keystone/keystone.conf fernet_rotate --keystone-user {{ keystone_username }} --keystone-group {{ keystone_groupname }}
|
||||
|
||||
{% for host in groups['keystone'] %}
|
||||
{% if inventory_hostname != host %}
|
||||
/usr/bin/rsync -az -e 'ssh -i /var/lib/keystone/.ssh/id_rsa -p {{ hostvars[host]['keystone_ssh_port'] }} -F /var/lib/keystone/.ssh/config' --delete /etc/keystone/fernet-keys/ keystone@{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:/etc/keystone/fernet-keys
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
/usr/bin/fernet-push.sh
|
||||
|
@ -26,6 +26,12 @@
|
||||
"owner": "root",
|
||||
"perm": "0755"
|
||||
},
|
||||
{
|
||||
"source": "{{ container_config_directory }}/fernet-push.sh",
|
||||
"dest": "/usr/bin/fernet-push.sh",
|
||||
"owner": "root",
|
||||
"perm": "0755"
|
||||
},
|
||||
{
|
||||
"source": "{{ container_config_directory }}/ssh_config",
|
||||
"dest": "/var/lib/keystone/.ssh/config",
|
||||
|
Loading…
x
Reference in New Issue
Block a user