df3edca7a6
This change makes the use of fernet tokens production ready. The changes are
as follows:
* Ensures that the keys are rotated on every playbook execution
* Removes the need to sync keys back to a deployment host when distributing
them to other keystone hosts.
* Creates an autonomous key rotation process that can rotate on the following
intervals [reboot, yearly, annually, monthly, weekly, daily, hourly] to all
hosts from any keystone fernet host.
* Fixes the section in `keystone.conf` which was named "fernet_key" instead
of "fernet_token".
Change-Id: I50f6a852930728631f5c681a8aa0f1321d7424ac
Related-Bug: #1463569
Closes-Bug: #1468256
34 lines
1.1 KiB
YAML
34 lines
1.1 KiB
YAML
---
|
|
# Copyright 2015, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Retrieve authorized keys
|
|
memcached:
|
|
name: "{{ item.name }}"
|
|
file_path: "{{ item.src }}"
|
|
state: "retrieve"
|
|
file_mode: "{{ item.file_mode }}"
|
|
dir_mode: "{{ item.dir_mode }}"
|
|
server: "{{ memcached_servers }}"
|
|
encrypt_string: "{{ memcached_encryption_key }}"
|
|
with_items:
|
|
- { src: "{{ keystone_system_user_home }}/.ssh/authorized_keys", name: "authorized_keys", file_mode: "0640", dir_mode: "0750" }
|
|
register: memcache_keys
|
|
until: memcache_keys|success
|
|
retries: 5
|
|
delay: 2
|
|
tags:
|
|
- keystone-key
|
|
- keystone-key-distribute
|