Keystone Fernet Token implementation

This patchset adds more Fernet token implementation: 1. Adds a cron job to rotate / sync keys to other units. 2. Adds additional tests around gating on config. 3. Adds rotation / syncing with more robust key handling. Change-Id: Ied021ad83c241f241dbb5f9acdede9045e43a8a3
2018-08-05 17:21:49 +01:00
parent 68d173ff82
commit b813360bf6
13 changed files with 505 additions and 101 deletions
--- a/hooks/keystone_hooks.py
+++ b/hooks/keystone_hooks.py
@@ -66,6 +66,8 @@ from charmhelpers.contrib.openstack.utils import (
    enable_memcache,
 )

+from keystone_context import fernet_enabled
+
 from keystone_utils import (
    add_service_to_keystone,
    add_credentials_to_keystone,
@@ -101,10 +103,9 @@ from keystone_utils import (
    ADMIN_PROJECT,
    create_or_show_domain,
    restart_keystone,
-    fernet_enabled,
-    fernet_leader_set,
-    fernet_setup,
-    fernet_write_keys,
+    key_leader_set,
+    key_setup,
+    key_write,
 )

 from charmhelpers.contrib.hahelpers.cluster import (
@@ -227,8 +228,8 @@ def config_changed_postupgrade():
        apt_install(filter_installed_packages(determine_packages()))

    if is_leader() and fernet_enabled():
-        fernet_setup()
-        fernet_leader_set()
+        key_setup()
+        key_leader_set()

    configure_https()
    open_port(config('service-port'))
@@ -502,7 +503,7 @@ def leader_settings_changed():
        CONFIGS.write(POLICY_JSON)

    if fernet_enabled():
-        fernet_write_keys()
+        key_write()

    update_all_identity_relation_units()