03543a3d53
Keystone supports (and that's a default setting since Ocata) using non-persistent fernet tokens instead of UUID tokens written into the DB. This setting is in some cases better in terms of performance and manageability (no more tokens DB table cleanups). OpenStack-Helm should be able to support it. General issue with fernet tokens is that keys used to encrypt them need to be persistent and shared accross the cluster. Moreover "rotate" operation generates a new key, so key repository will change over time. This commit implements fernet tokens support by: * A 'keystone-fernet-keys' secret is created to serve as keys repository. * New fernet-setup Job will populate secret with initial keys. * New fernet-rotate CronJob will be run periodically (weekly by default) and perform key rotation operation and update the secret. * Secret is attached to keystone-api pods in /etc/keystone/fernet-tokens directory. Turns out k8s is updating secrets attached to pods automatically, so because of Keystone's fernet tokens implementation, we don't need to worry about synchronization of the key repository. Everything should be fine unless fernet-rotate job will run before all of the pods will notice the change in the secret. As in real-world scenario you would rotate your keys no more often than once an hour, this should be totally fine. Implements: blueprint keystone-fernet-tokens Change-Id: Ifc84b8c97e1a85d30eb46260582d9c58220fbf0a |
||
---|---|---|
.. | ||
etc | ||
opt | ||
usr | ||
kubeadm-aio |