1c68ae389b
This addresses the ansible aspects of fernet key bootstrapping as well as distributed key rotation. - Bootstrapping is handled in the same way as keystone bootstrap. - A new keystone-fernet and keystone-ssh container is created to allow the nodes to communicate with each other (taken from nova-ssh). - The keystone-fernet is a keystone container with crontab installed. This will handle key rotations through keystone-manage and trigger an rsync to push new tokens to other nodes. - Key rotation is set up to be balanced across the keystone nodes using a round-robin style. This ensures that any node failures will not stop the keys from rotating. This is configured by a desired token expiration time which then determines the cron scheduling for each node as well as the number of fernet tokens in rotation. - Ability for a recovered node to resync with the cluster. When a node starts it will run sanity checks to ensure that its fernet tokens are not stale. If they are it will rsync with other nodes to ensure its tokens are up to date. The Docker component is implemented in: https://review.openstack.org/#/c/349366 Change-Id: I15052c25a1d1149d364236f10ced2e2346119738 Implements: blueprint keystone-fernet-token
---
# You can use this file to override _any_ variable throughout Kolla.
# Additional options can be found in the 'kolla/ansible/group_vars/all.yml' file.
# The default values of all the commented parameters are shown here. To override
# a default, uncomment the parameter and change its value.

###################
# Kolla options
###################
# Valid options are [ COPY_ONCE, COPY_ALWAYS ]
#config_strategy: "COPY_ALWAYS"

# Valid options are [ centos, fedora, oraclelinux, ubuntu ]
#kolla_base_distro: "centos"

# Valid options are [ binary, source ]
#kolla_install_type: "binary"

# Valid option is a Docker repository tag
#openstack_release: "3.0.0"

# This should be a VIP, an unused IP on your network that will float between
# the hosts running keepalived for high-availability. When running an All-In-One
# without haproxy and keepalived, this should be the first IP on your
# 'network_interface' as set in the Networking section below.
kolla_internal_vip_address: "10.10.10.254"

# This is the DNS name that maps to the kolla_internal_vip_address VIP. By
# default it is the same as kolla_internal_vip_address.
#kolla_internal_fqdn: "{{ kolla_internal_vip_address }}"

# This should be a VIP, an unused IP on your network that will float between
# the hosts running keepalived for high-availability. It defaults to the
# kolla_internal_vip_address, allowing internal and external communication to
# share the same address. Specify a kolla_external_vip_address to separate
# internal and external requests between two VIPs.
#kolla_external_vip_address: "{{ kolla_internal_vip_address }}"

# The public address used to communicate with OpenStack as set in the public_url
# for the endpoints that will be created. This DNS name should map to
# kolla_external_vip_address.
#kolla_external_fqdn: "{{ kolla_external_vip_address }}"

####################
# Docker options
####################
### Example: Private repository with authentication
# The values below are placeholders. The registry password is a credential:
# keep the real value out of any copy of this file that is committed to
# version control.

#docker_registry: "172.16.0.10:4000"
#docker_namespace: "companyname"
#docker_registry_username: "sam"
#docker_registry_password: "correcthorsebatterystaple"


####################
# Networking options
####################
# This interface is what all your api services will be bound to by default.
# Additionally, all vxlan/tunnel and storage network traffic will go over this
# interface by default. This interface must contain an IPv4 address.
network_interface: "eth0"

# These can be adjusted for even more customization. The default is the same as
# the 'network_interface'. These interfaces must contain an IPv4 address.
#kolla_external_vip_interface: "{{ network_interface }}"
#api_interface: "{{ network_interface }}"
#storage_interface: "{{ network_interface }}"
#cluster_interface: "{{ network_interface }}"
#tunnel_interface: "{{ network_interface }}"

# This is the raw interface given to neutron as its external network port. Even
# though an IP address can exist on this interface, it will be unusable in most
# configurations. It is recommended this interface not be configured with any IP
# addresses for that reason.
neutron_external_interface: "eth1"

# Valid options are [ openvswitch, linuxbridge ]
#neutron_plugin_agent: "openvswitch"


####################
# keepalived options
####################
# Arbitrary unique number from 0..255
#keepalived_virtual_router_id: "51"


####################
# TLS options
####################
# To provide encryption and authentication on the kolla_external_vip_interface,
# TLS can be enabled. When TLS is enabled, certificates must be provided to
# allow clients to perform authentication. TLS is off by default, so external
# API traffic is unencrypted until this is set to "yes".
#kolla_enable_tls_external: "no"
#kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/haproxy.pem"


####################
# OpenStack options
####################
# Use these options to set the various log levels across all OpenStack projects
# Valid options are [ True, False ]
#openstack_logging_debug: "False"

# Valid options are [ novnc, spice ]
#nova_console: "novnc"

# Valid options are [ uuid, fernet ]
#keystone_token_provider: "uuid"

# Relevant to the fernet token provider. This is the desired token expiry (in
# seconds); it is also used to derive the key-rotation cron schedule on each
# keystone node and the number of fernet keys kept in rotation, so a lower value
# means shorter-lived tokens and more frequent rotations. Rotation is spread
# round-robin across the keystone nodes so that a single node failure does not
# stop keys from rotating, and newly rotated keys are pushed to the other nodes
# with rsync via the keystone-ssh container, so the keystone hosts must be able
# to reach each other on that channel. A node that comes back after an outage
# checks its keys on start and resyncs them from the cluster if they are stale.
# Must be an interval of
# 60(1 min), 120(2 min), 180(3 min), 240(4 min), 300(5 min), 360(6 min),
# 600(10 min), 720(12 min), 900(15 min), 1200(20 min), 1800(30 min),
# 3600(1 hour), 7200(2 hour), 10800(3 hour), 14400(4 hour), 21600(6 hour),
# 28800(8 hour), 43200(12 hour), 86400(1 day), 604800(1 week).
#fernet_token_expiry: 86400

# OpenStack services can be enabled or disabled with these options
#enable_ceilometer: "no"
#enable_central_logging: "no"
#enable_ceph: "no"
#enable_ceph_rgw: "no"
#enable_cinder: "no"
#enable_cinder_backend_lvm: "no"
#enable_heat: "yes"
#enable_horizon: "yes"
#enable_ironic: "no"
#enable_magnum: "no"
#enable_manila: "no"
#enable_mistral: "no"
#enable_mongodb: "no"
#enable_murano: "no"
#enable_multipathd: "no"
#enable_neutron_lbaas: "no"
#enable_neutron_qos: "no"
#enable_swift: "no"
#enable_tempest: "no"
#enable_watcher: "no"


###################
# Ceph options
###################
# Ceph can be set up with a cache tier to improve performance. To use the cache
# you must provide separate disks from those used for the OSDs
#ceph_enable_cache: "no"
# Valid options are [ forward, none, writeback ]
#ceph_cache_mode: "writeback"

# A requirement for using the erasure-coded pools is you must set up a cache tier
# Valid options are [ erasure, replicated ]
#ceph_pool_type: "replicated"

#######################
# Glance options
#######################
# Configure image backend.
glance_backend_file: "yes"
#glance_backend_ceph: "no"


#######################
# Cinder options
#######################
# Enable / disable Cinder backends
#cinder_backend_ceph: "{{ enable_ceph }}"

# Cinder's iSCSI backend !!!REQUIRES!!! two parameters:
# 1 - IP address of the server hosting LVM Volume group
# 2 - The name of Volume group which Cinder will use.
#cinder_volume_group:


#######################
# Nova options
#######################
nova_backend_ceph: "{{ enable_ceph }}"


#######################################
# Manila - Shared File Systems Options
#######################################
#manila_enable_dhss: "yes"


##################################
# Swift - Object Storage Options
##################################
# Swift expects block devices to be available for storage. Two types of storage
# are supported: 1 - storage device with a special partition name and filesystem
# label, 2 - unpartitioned disk with a filesystem. The label of this filesystem
# is used to detect the disk which Swift will be using.

# Swift supports two matching modes, valid options are [ prefix, strict ]
#swift_devices_match_mode: "strict"

# This parameter defines the matching pattern: if "strict" mode was selected
# for swift_devices_match_mode then swift_devices_name should specify the name of
# the special swift partition, for example: "KOLLA_SWIFT_DATA"; if "prefix" mode was
# selected then swift_devices_name should specify a pattern which would match the
# filesystems' labels prepared for swift.
#swift_devices_name: "KOLLA_SWIFT_DATA"


################################################
# Tempest - The OpenStack Integration Test Suite
################################################
# The following values must be set when Tempest is enabled. They are left
# empty (null) here on purpose and have no usable default.
tempest_image_id:
tempest_flavor_ref_id:
tempest_public_network_id:
tempest_floating_network_name:

# tempest_image_alt_id: "{{ tempest_image_id }}"
# tempest_flavor_ref_alt_id: "{{ tempest_flavor_ref_id }}"