Use KeystoneFernetKeys instead of individual parameters

This uses the newly introduced dict with the keys and paths instead of
the individual keys, which has the advantage that rotation will be
possible on stack update, as we no longer have a limit on how many keys
we can pass (as we did with the individual parameters).

bp keystone-fernet-rotation
Change-Id: I7d224595b731d9f3390fce5a9d002282b2b4b8f2
Depends-On: I63ae158fa8cb33ac857dcf9434e9fbef07ecb68d
Juan Antonio Osorio Robles 2017-06-12 15:17:28 +03:00
parent 4c78689966
commit 490e237f09
2 changed files with 29 additions and 7 deletions
@ -113,10 +113,15 @@ parameters:
description: The second Keystone credential key. Must be a valid key. description: The second Keystone credential key. Must be a valid key.
KeystoneFernetKey0: KeystoneFernetKey0:
type: string type: string
description: The first Keystone fernet key. Must be a valid key. default: ''
description: (DEPRECATED) The first Keystone fernet key. Must be a valid key.
KeystoneFernetKey1: KeystoneFernetKey1:
type: string type: string
description: The second Keystone fernet key. Must be a valid key. default: ''
description: (DEPRECATED) The second Keystone fernet key. Must be a valid key.
KeystoneFernetKeys:
type: json
description: Mapping containing keystone's fernet keys and their paths.
KeystoneLoggingSource: KeystoneLoggingSource:
type: json type: json
default: default:
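Review bot: KeystoneFernetKeys carries secret key material but, unlike the `hidden: true` parameter a few lines below, is not marked `hidden: true`, so its value would be visible in stack parameter listings; add `hidden: true` to the new parameter. The description should also state the expected shape of the mapping (the path-keyed `content:` structure the old fernet_keys block used), since "in the right format" is otherwise undocumented, and note that with no `default:` the stack will fail if a deployer does not supply it.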
@ -187,6 +192,17 @@ parameters:
default: {} default: {}
hidden: true hidden: true
parameter_groups:
- label: deprecated
description: |
The following parameters are deprecated and will be removed. They should not
be relied on for new deployments. If you have concerns regarding deprecated
parameters, please contact the TripleO development team on IRC or the
OpenStack mailing list.
parameters:
- KeystoneFernetKey0
- KeystoneFernetKey1
resources: resources:
ApacheServiceBase: ApacheServiceBase:
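Review bot: the deprecated KeystoneFernetKey0/KeystoneFernetKey1 parameters are still accepted here but are no longer consumed anywhere in the template once the fernet_keys block is replaced, so a deployer who keeps them in an old environment file will have them silently ignored; the deprecation text should say that values passed through them have no effect and that keys must now be supplied via KeystoneFernetKeys.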
@ -241,11 +257,7 @@ outputs:
content: {get_param: KeystoneCredential0} content: {get_param: KeystoneCredential0}
'/etc/keystone/credential-keys/1': '/etc/keystone/credential-keys/1':
content: {get_param: KeystoneCredential1} content: {get_param: KeystoneCredential1}
keystone::fernet_keys: keystone::fernet_keys: {get_param: KeystoneFernetKeys}
'/etc/keystone/fernet-keys/0':
content: {get_param: KeystoneFernetKey0}
'/etc/keystone/fernet-keys/1':
content: {get_param: KeystoneFernetKey1}
keystone::fernet_replace_keys: false keystone::fernet_replace_keys: false
keystone::debug: keystone::debug:
if: if:
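Review bot: `keystone::fernet_replace_keys: false` is left unchanged while the commit message states that rotation on stack update is the goal; with replacement disabled, a key whose content changes under an already-present path (for example `/etc/keystone/fernet-keys/0`) may not be rewritten on disk, so confirm that rotation actually takes effect or make this setting configurable. Passing the whole mapping through also drops the explicit guarantee that keys 0 and 1 exist and that paths live under `/etc/keystone/fernet-keys/`; consider validating or documenting that.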
@ -0,0 +1,10 @@
---
features:
- The KeystoneFernetKeys parameter was introduced, which is able to take any
amount of keys as long as it's in the right format. It's generated by the
same mechanism as the rest of the passwords; so it's value is also
available via mistral's "password" environment variable. This will also
allow for rotations to be made via mistral and via stack updates.
deprecations:
- The individual keystone fernet key parameters (KeystoneFernetKey0 and
KeystoneFernetKey1) were deprecated in favor of KeystoneFernetKeys.
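Review bot: "so it's value is also available" should read "its value"; the note should also spell out what "the right format" is (a mapping of key file paths to their `content`) rather than leaving it implicit, and mention that the parameter holds secret material that deployers must protect in their environment files.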