From 7a803e4946b4eb7b9b6eced8848887cebda924ca Mon Sep 17 00:00:00 2001 From: "Kyle L. Henderson" Date: Thu, 23 Mar 2017 15:36:24 -0500 Subject: [PATCH] Add RPC encryption key support In the Ocata release, trove added support for encrypting the rpc communication between the guest instances and the control plane. These settings allow the user to specify installation specific keys versus using the default keys. This cherry pick includes: I4d34b7e68b69ce30ee1fb08e7495cd22fa157495 Change-Id: Ie42d754d58e983a15b553ad8a399813c9a700344 --- defaults/main.yml | 14 +++++++++++++- doc/source/index.rst | 17 ++++++++++++++++- extras/user_secrets.yml | 14 ++++++++------ .../notes/rpc-encryption-b75fb0d08579a7dd.yaml | 7 +++++++ tasks/main.yml | 8 ++++++++ templates/trove-conductor.conf.j2 | 2 ++ templates/trove-taskmanager.conf.j2 | 4 ++++ templates/trove.conf.j2 | 4 ++++ tests/os_trove-overrides.yml | 2 ++ 9 files changed, 64 insertions(+), 8 deletions(-) create mode 100644 releasenotes/notes/rpc-encryption-b75fb0d08579a7dd.yaml diff --git a/defaults/main.yml b/defaults/main.yml index acf8cb4..2738293 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -109,7 +109,6 @@ trove_ssl_self_signed_regen: false trove_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}" # Database vars - trove_galera_database_name: trove trove_galera_user: trove trove_galera_address: "{{ internal_lb_vip_address }}" 
@@ -126,6 +125,19 @@ trove_rabbitmq_use_ssl: False
 trove_rabbitmq_port: 5672
 trove_rabbitmq_servers: "{{ rabbitmq_servers }}"
 
+# RPC encryption keys
+# See the Trove documentation as to the significance of the rpc encryption keys
+# Trove supplies default values but we enforce they not be left to their default values
+trove_enable_secure_rpc_messaging: "True"
+trove_required_secrets:
+ - trove_galera_password
+ - trove_rabbitmq_password
+ - trove_service_password
+ - trove_admin_user_password
+ - trove_regular_user_password
+ - trove_taskmanager_rpc_encr_key
+ - trove_inst_rpc_key_encr_key
+
 # Keystone AuthToken/Middleware
 trove_keystone_auth_plugin: password
 trove_service_project_domain_name: Default
diff --git a/doc/source/index.rst b/doc/source/index.rst
index b22a8bb..7b0cccd 100644
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@@ -17,7 +17,22 @@ Default variables
 Required variables
 ~~~~~~~~~~~~~~~~~~
 
-None.
+This list is not exhaustive at present. See role internals for further
+details.
+
+.. code-block:: yaml
+
+ # Service and user passwords
+ trove_galera_password:
+ trove_rabbitmq_password:
+ trove_service_password:
+ trove_admin_user_password:
+ trove_regular_user_password:
+
+ # Trove RPC encryption keys.
+ trove_taskmanager_rpc_encr_key:
+ trove_inst_rpc_key_encr_key:
+
 
 Dependencies
 ~~~~~~~~~~~~
diff --git a/extras/user_secrets.yml b/extras/user_secrets.yml
index 816147c..5641043 100755
--- a/extras/user_secrets.yml
+++ b/extras/user_secrets.yml
@@ -1,6 +1,8 @@
----
-trove_galera_password:
-trove_rabbitmq_password:
-trove_service_password:
-trove_admin_user_password:
-trove_regular_user_password:
+---
+trove_galera_password:
+trove_rabbitmq_password:
+trove_service_password:
+trove_admin_user_password:
+trove_regular_user_password:
+trove_taskmanager_rpc_encr_key:
+trove_inst_rpc_key_encr_key:
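Review bot: The comment `# Trove supplies default values but we enforce they not be left to their default values` promises more than the role delivers: the only consumer of `trove_required_secrets` in this patch (the fail task in tasks/main.yml) tests whether each variable is set, not whether it differs from the keys Trove ships, so a deployer who pastes the upstream defaults passes the check and still has guessable RPC keys. Either reword it to `# The role fails early if these are unset; it does not verify they differ from Trove's shipped defaults`, or add that comparison to the task. Separately, `trove_enable_secure_rpc_messaging: "True"` is a quoted string where the role otherwise uses bare booleans (`trove_rabbitmq_use_ssl: False` just above); `true` here with `| bool` in the templates keeps the variable usable in `when:` conditions.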
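Review bot: Every existing line of this file is deleted and re-added unchanged instead of the two new keys simply being appended, which usually means a line-ending or trailing-whitespace change came along for the ride (the file also keeps an executable 100755 mode, unusual for a variables file); please confirm that is intentional, since any tooling that fills these empty values in is sensitive to exactly this kind of change. The two new entries also say nothing about what Trove expects in them, so a short comment such as `# RPC encryption keys rendered into trove.conf / trove-taskmanager.conf; see the Trove docs for the expected key format` would help whoever populates this file.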
diff --git a/releasenotes/notes/rpc-encryption-b75fb0d08579a7dd.yaml b/releasenotes/notes/rpc-encryption-b75fb0d08579a7dd.yaml
new file mode 100644
index 0000000..289323b
--- /dev/null
+++ b/releasenotes/notes/rpc-encryption-b75fb0d08579a7dd.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - In the Ocata release, Trove added support for encrypting the rpc
+ communication between the guest DBaaS instances and the control plane.
+ The default values for ``trove_taskmanager_rpc_encr_key`` and
+ ``trove_inst_rpc_key_encr_key`` should be overridden to specify
+ installation specific values.
diff --git a/tasks/main.yml b/tasks/main.yml
index 8e7610a..f07d1e7 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -27,6 +27,14 @@
 tags:
 - always
 
+- name: Fail if our required secrets are not present
+ fail:
+ msg: "Please set the {{ item }} variable prior to applying this role."
+ when: (item is undefined) or (item is none)
+ with_items: "{{ trove_required_secrets }}"
+ tags:
+ - always
+
 - include: trove_pre_install.yml
 tags:
 - trove-install
diff --git a/templates/trove-conductor.conf.j2 b/templates/trove-conductor.conf.j2
index c5e385e..0ff7745 100644
--- a/templates/trove-conductor.conf.j2
+++ b/templates/trove-conductor.conf.j2
@@ -10,6 +10,8 @@ transport_url = rabbit://{% for host in trove_rabbitmq_servers.split(',') %}{{ t
 
 {# There must be a blank line above or the following line will be appended to the previous. #}
 control_exchange = {{ trove_control_exchange }}
+enable_secure_rpc_messaging = {{ trove_enable_secure_rpc_messaging }}
+inst_rpc_key_encr_key = {{ trove_inst_rpc_key_encr_key }}
 
 [profiler]
 enabled = {{ trove_profiler_enabled }}
diff --git a/templates/trove-taskmanager.conf.j2 b/templates/trove-taskmanager.conf.j2
index 2a70726..8a41973 100644
--- a/templates/trove-taskmanager.conf.j2
+++ b/templates/trove-taskmanager.conf.j2
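Review bot: The condition `when: (item is undefined) or (item is none)` can never be true, because `item` is the element of `with_items: "{{ trove_required_secrets }}"` — the literal variable name such as `trove_galera_password` — not the variable's value, so a deployer who leaves an RPC key or password unset is not stopped by this task at all. Resolve the name before testing it: `when: (vars[item] is undefined) or (vars[item] is none)`; on Ansible versions without the `vars` lookup, `hostvars[inventory_hostname][item]` is the usual equivalent. It is also worth treating an empty string as missing (`or (vars[item] | string | length == 0)`), since `extras/user_secrets.yml` ships these as bare `key:` entries that load as null but easily become `""` once edited.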
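Review bot: This template receives only `inst_rpc_key_encr_key`, while trove-taskmanager.conf.j2 and trove.conf.j2 in the same patch also get `taskmanager_rpc_encr_key`; if the conductor really does not consume the taskmanager key that is fine, but the asymmetry reads as an omission, so say so once confirmed against the Trove option reference, e.g. `{# taskmanager_rpc_encr_key is intentionally not set here; only the taskmanager and API services use it #}`. The rendered file now holds raw key material next to the RabbitMQ credentials in `transport_url`; the task that writes it is outside this diff, so please confirm it applies a restrictive mode (0640, owned by the trove service user) and that the rendered content does not surface in task output or `--diff`.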
@@ -8,6 +8,10 @@ transport_url = rabbit://{% for host in trove_rabbitmq_servers.split(',') %}{{ t
 
 {# There must be a blank line above or the following line will be appended to the previous. #}
 control_exchange = {{ trove_control_exchange }}
+enable_secure_rpc_messaging = {{ trove_enable_secure_rpc_messaging }}
+taskmanager_rpc_encr_key = {{ trove_taskmanager_rpc_encr_key }}
+inst_rpc_key_encr_key = {{ trove_inst_rpc_key_encr_key }}
+
 db_api_implementation = trove.db.sqlalchemy.api
 trove_auth_url = {{ trove_auth_url }}
 nova_compute_url = {{ trove_nova_compute_url }}
diff --git a/templates/trove.conf.j2 b/templates/trove.conf.j2
index 334543b..f5a1d5b 100644
--- a/templates/trove.conf.j2
+++ b/templates/trove.conf.j2
@@ -9,6 +9,10 @@ transport_url = rabbit://{% for host in trove_rabbitmq_servers.split(',') %}{{ t
 
 {# There must be a blank line above or the following line will be appended to the previous. #}
 control_exchange = {{ trove_control_exchange }}
+enable_secure_rpc_messaging = {{ trove_enable_secure_rpc_messaging }}
+inst_rpc_key_encr_key = {{ trove_inst_rpc_key_encr_key }}
+taskmanager_rpc_encr_key = {{ trove_taskmanager_rpc_encr_key }}
+
 db_api_implementation = "trove.db.sqlalchemy.api"
 trove_auth_url = {{ trove_auth_url }}
 os_region_name = {{ trove_service_region }}
diff --git a/tests/os_trove-overrides.yml b/tests/os_trove-overrides.yml
index 833712a..bcc968d 100644
--- a/tests/os_trove-overrides.yml
+++ b/tests/os_trove-overrides.yml
@@ -31,6 +31,8 @@ trove_requirements_git_install_branch: master
 trove_service_password: "secrete"
 trove_regular_user_password: "secrete"
 trove_admin_user_password: "secrete"
+trove_taskmanager_rpc_encr_key: bzH6y0SGmjuoY0FNSTptrhgieGXNDX6PIhvz
+trove_inst_rpc_key_encr_key: emYjgHFqfXNB1NGehAFIUeoyw4V4XwWHEaKP
 trove_service_project_domain_id: default
 trove_service_project_name: service
 trove_service_region: RegionOne
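Review bot: Both key lines are rendered unconditionally, so a deployer who sets `trove_enable_secure_rpc_messaging` to false (for example while guest agents are being upgraded) still gets both secrets written to disk on every taskmanager host for no purpose. If Trove ignores the keys when the feature is off — worth confirming against the option reference — gate them: `{% if trove_enable_secure_rpc_messaging | bool %}` before `taskmanager_rpc_encr_key = …` and `{% endif %}` after `inst_rpc_key_encr_key = …`, which also keeps the `| bool` coercion in one place given the variable defaults to the string "True".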
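Review bot: The two keys are written here in the opposite order to trove-taskmanager.conf.j2 (`inst_rpc_key_encr_key` before `taskmanager_rpc_encr_key` rather than after), which is harmless to oslo.config but makes the two templates harder to compare side by side when a key is rotated or one of them drifts. Use the same order in both, i.e. `taskmanager_rpc_encr_key = {{ trove_taskmanager_rpc_encr_key }}` followed by `inst_rpc_key_encr_key = {{ trove_inst_rpc_key_encr_key }}`.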
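Review bot: The two new keys are committed as realistic-looking random strings while every other secret in this file is the obvious placeholder `"secrete"`; fixed keys in a public repository are acceptable for CI, but values that look real invite copy-paste into deployments and will trip secret scanners, so mark them, e.g. `# test-only RPC keys, never reuse outside CI` above the pair. If they are this long because Trove requires a particular key size — the matching 36-character lengths suggest that may be the case — record the requirement here and in defaults/main.yml, since nothing in the role currently validates key length or format.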