openstack-helm/tools/kubeadm-aio/assets
Michał Dulko 03543a3d53 Add support for Keystone's fernet tokens
Keystone supports (and that's a default setting since Ocata) using
non-persistent fernet tokens instead of UUID tokens written into the DB.
This setting is in some cases better in terms of performance and
manageability (no more tokens DB table cleanups). OpenStack-Helm should
be able to support it.

General issue with fernet tokens is that keys used to encrypt them need
to be persistent and shared accross the cluster. Moreover "rotate"
operation generates a new key, so key repository will change over time.

This commit implements fernet tokens support by:
* A 'keystone-fernet-keys' secret is created to serve as keys repository.
* New fernet-setup Job will populate secret with initial keys.
* New fernet-rotate CronJob will be run periodically (weekly by default)
  and perform key rotation operation and update the secret.
* Secret is attached to keystone-api pods in /etc/keystone/fernet-tokens
  directory.

Turns out k8s is updating secrets attached to pods automatically, so
because of Keystone's fernet tokens implementation, we don't need to
worry about synchronization of the key repository. Everything should be
fine unless fernet-rotate job will run before all of the pods will
notice the change in the secret. As in real-world scenario you would
rotate your keys no more often than once an hour, this should be totally
fine.

Implements: blueprint keystone-fernet-tokens
Change-Id: Ifc84b8c97e1a85d30eb46260582d9c58220fbf0a
2017-08-02 13:22:05 +02:00
..
etc Add support for Keystone's fernet tokens 2017-08-02 13:22:05 +02:00
opt Update deployment for kubernetes 1.6 2017-06-02 08:45:08 -05:00
usr Add support for Keystone's fernet tokens 2017-08-02 13:22:05 +02:00
kubeadm-aio KubeADM-AIO: Update Image to support Multinode Operation Natively 2017-06-05 18:09:16 -05:00