Fix token handling for keystone

In order to avoid errors when deploying multiple controller nodes, we need to deploy credential-tokens from data bags just like we already do for fernet-tokens. Otherwise each controller would use a different set of tokens generated locally. Drop the corresponding calls to keystone-manage, as they are a) not idempotent and b) generate files that are never used anyway. Depends-On: Icf0a8f644ddbfa61bfef124a772663e8af4e1f16 Change-Id: Idabc34d101d9fb145a205acedf8f652ebec3ad9f
2018-06-28 10:49:55 +00:00 · 2018-06-28 10:49:55 +00:00 · 7d8b8b5c27
parent 7e9d7c9966
commit 7d8b8b5c27
4 changed files with 65 additions and 22 deletions
--- a/attributes/default.rb
+++ b/attributes/default.rb
@ -132,11 +132,21 @@ default['openstack']['identity']['ssl']['ca_certs_path'] = "#{node['openstack'][
 # 'fernet_key0' and 'fernet_key1' will be read from the databag/vault
 # 'keystone).
 # For more information please read:
-# http://docs.openstack.org/admin-guide-cloud/keystone_fernet_token_faq.html
+# https://docs.openstack.org/keystone/queens/admin/identity-fernet-token-faq.html
 default['openstack']['identity']['fernet']['keys'] = [0, 1]
 default['openstack']['identity']['conf']['fernet_tokens']['key_repository'] =
  '/etc/keystone/fernet-tokens'

+# Credential keys to read from databags/vaults. This should be changed in the
+# environment when rotating keys (with the defaults below, the items
+# 'credential_key0' and 'credential_key1' will be read from the databag/vault
+# 'keystone).
+# For more information please read:
+# https://docs.openstack.org/keystone/queens/admin/identity-credential-encryption.html
+default['openstack']['identity']['credential']['keys'] = [0, 1]
+default['openstack']['identity']['conf']['credential']['key_repository'] =
+  '/etc/keystone/credential-tokens'
+
 # The external (REMOTE_USER) auth plugin module. (String value)
 default['openstack']['identity']['auth']['external'] = 'keystone.auth.plugins.external.DefaultDomain'
 # Default auth methods. (List value)
--- a/recipes/_credential_tokens.rb
+++ b/recipes/_credential_tokens.rb
@ -0,0 +1,46 @@
+# encoding: UTF-8
+#
+# Cookbook Name:: openstack-identity
+# Recipe:: _credential_tokens
+#
+# Licensed under the Apache License, Version 2.0 (the 'License');
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an 'AS IS' BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This recipe is automatically included in openstack-identity::service-apache.
+# It will add the needed configuration options to the keystone.conf and create
+# the needed credential keys from predefined secrets (e.g. encrypted data
+# bags or vaults).
+
+class ::Chef::Recipe
+  include ::Openstack
+end
+
+key_repository =
+  node['openstack']['identity']['conf']['credential']['key_repository']
+
+directory key_repository do
+  owner node['openstack']['identity']['user']
+  group node['openstack']['identity']['group']
+  mode 0o0700
+end
+
+node['openstack']['identity']['credential']['keys'].each do |key_index|
+  key = secret(node['openstack']['secret']['secrets_data_bag'],
+               "credential_key#{key_index}")
+  file File.join(key_repository, key_index.to_s) do
+    content key
+    owner node['openstack']['identity']['user']
+    group node['openstack']['identity']['group']
+    mode 0o0400
+    sensitive true
+  end
+end
--- a/recipes/server-apache.rb
+++ b/recipes/server-apache.rb
@ -120,29 +120,10 @@ file '/var/lib/keystone/keystone.db' do
  not_if { node['openstack']['db']['identity']['service_type'] == 'sqlite' }
 end

-# include the recipe to setup fernet tokens
+# include the recipes to setup tokens
+include_recipe 'openstack-identity::_credential_tokens'
 include_recipe 'openstack-identity::_fernet_tokens'

-# initialize fernet tokens
-execute 'fernet setup' do
-  user 'root'
-  command <<-EOH.gsub(/\s+/, ' ').strip!
-        keystone-manage fernet_setup
-      --keystone-user #{keystone_user}
-      --keystone-group #{keystone_group}
-  EOH
-  notifies :run, 'execute[credential setup]', :immediately
-end
-
-execute 'credential setup' do
-  user 'root'
-  command <<-EOH.gsub(/\s+/, ' ').strip!
-        keystone-manage credential_setup
-      --keystone-user #{keystone_user}
-      --keystone-group #{keystone_group}
-  EOH
-end
-
 # define the address to bind the keystone apache public service to
 public_bind_service = node['openstack']['bind_service']['public']['identity']
 public_bind_address = bind_address public_bind_service
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@ -64,6 +64,12 @@ shared_context 'identity_stubs' do
    allow_any_instance_of(Chef::Recipe).to receive(:get_password)
      .with('user', 'admin')
      .and_return('admin')
+    allow_any_instance_of(Chef::Recipe).to receive(:secret)
+      .with('secrets', 'credential_key0')
+      .and_return('thisiscredentialkey0')
+    allow_any_instance_of(Chef::Recipe).to receive(:secret)
+      .with('secrets', 'credential_key1')
+      .and_return('thisiscredentialkey1')
    allow_any_instance_of(Chef::Recipe).to receive(:secret)
      .with('secrets', 'fernet_key0')
      .and_return('thisisfernetkey0')