Replace keystone db flush cron job with a Fernet key rotation job

Previously, we had a cron job to flush removed keystone tokens. Since [1] this is not required anymore, but we need to add a cron job to rotate Fernet keys. [1] - https://review.openstack.org/544547 Change-Id: I331788ea08322a6f982c87eb195a619bab1c4d2e
2018-03-20 15:33:49 +01:00 · 2018-03-20 15:33:49 +01:00 · 1b7a931fd1
commit 1b7a931fd1
parent 73e0b07200
4 changed files with 20 additions and 10 deletions
--- a/docs/packstack.rst
+++ b/docs/packstack.rst
@ -308,8 +308,8 @@ Keystone Config parameters
 **CONFIG_KEYSTONE_DB_PW**
    Password to use for the Identity service (keystone) to access the database.

-**CONFIG_KEYSTONE_DB_PURGE_ENABLE**
-    Enter y if cron job for removing soft deleted DB rows should be created.
+**CONFIG_KEYSTONE_FERNET_TOKEN_ROTATE_ENABLE**
+    Enter y if cron job to rotate Fernet tokens should be created.

 **CONFIG_KEYSTONE_REGION**
    Default region name to use when creating tenants in the Identity service.
--- a/packstack/plugins/keystone_100.py
+++ b/packstack/plugins/keystone_100.py
@ -47,10 +47,10 @@ def initConfig(controller):
             "NEED_CONFIRM": True,
             "CONDITION": False},

-            {"CMD_OPTION": 'keystone-db-purge-enable',
+            {"CMD_OPTION": 'keystone-fernet-token-rotate-enable',
             "PROMPT": (
-                 "Enter y if cron job for removing soft deleted DB rows "
-                 "should be created"
+                 "Enter y if cron job to rotate Fernet tokens should be "
+                 "created"
             ),
             "OPTION_LIST": ['y', 'n'],
             "VALIDATORS": [validators.validate_not_empty],
@ -58,7 +58,7 @@ def initConfig(controller):
             "DEFAULT_VALUE": 'y',
             "MASK_INPUT": False,
             "LOOSE_VALIDATION": False,
-             "CONF_NAME": 'CONFIG_KEYSTONE_DB_PURGE_ENABLE',
+             "CONF_NAME": 'CONFIG_KEYSTONE_FERNET_TOKEN_ROTATE_ENABLE',
             "USE_DEFAULT": False,
             "NEED_CONFIRM": True,
             "CONDITION": False},
--- a/packstack/puppet/modules/packstack/manifests/keystone.pp
+++ b/packstack/puppet/modules/packstack/manifests/keystone.pp
@ -17,11 +17,9 @@ class packstack::keystone ()

    class { '::keystone::client': }

-    if hiera('CONFIG_KEYSTONE_DB_PURGE_ENABLE',false) {
-      class { '::keystone::cron::token_flush':
-        minute      => '*/1',
+    if hiera('CONFIG_KEYSTONE_FERNET_TOKEN_ROTATE_ENABLE',false) {
+      class { '::keystone::cron::fernet_rotate':
        require     => Service['crond'],
-        destination => '/dev/null',
      }
      service { 'crond':
        ensure => 'running',
--- a/releasenotes/notes/Replace-keystone-token-flush-cron-job-with-fernet-rotation-5b1fccf2bc6add91.yaml
+++ b/releasenotes/notes/Replace-keystone-token-flush-cron-job-with-fernet-rotation-5b1fccf2bc6add91.yaml
@ -0,0 +1,12 @@
+---
+upgrade:
+  - |
+    A new CONFIG_KEYSTONE_FERNET_TOKEN_ROTATE_ENABLE option has been added to
+    the answer file. When enabled (default), it will create a cron job to
+    rotate Fernet keys.
+deprecations:
+  - |
+    Since Keystone has deprecated token formats requiring storage in the DB,
+    the CONFIG_KEYSTONE_DB_PURGE_ENABLE option has been removed. Instead, we
+    are implementing a cron job to rotate Fernet keys.
+