Merge "Make replacing fernet keys if they already exist configurable"
This commit is contained in:
commit
40c3dca374
@ -438,6 +438,11 @@
# Otherwise Puppet will manage keys with File resource.
# Defaults to false
#
# [*fernet_replace_keys*]
# (Optional) Whether or not to replace the fernet keys if they are already in
# the filesystem
# Defaults to true
#
# [*enable_credential_setup*]
# (Optional) Setup keystone for credentials.
# In a cluster environment where multiple Keystone nodes are running, you might
@ -737,6 +742,7 @@ class keystone(
$fernet_key_repository = '/etc/keystone/fernet-keys',
$fernet_max_active_keys = $::os_service_default,
$fernet_keys = false,
$fernet_replace_keys = true,
$enable_credential_setup = false,
$credential_key_repository = '/etc/keystone/credential-keys',
$credential_keys = false,
@ -1159,6 +1165,7 @@ running as a standalone service, or httpd for being run by a httpd server")
'owner' => $keystone_user,
'group' => $keystone_group,
'mode' => '0600',
'replace' => $fernet_replace_keys,
'subscribe' => 'Anchor[keystone::install::end]',
}
)
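Review bot: `'replace' => $fernet_replace_keys` on the fernet key File resource stops Puppet from converging key content once the parameter is false, while the `owner`, `group` and `mode` attributes on the lines above are still enforced, so a later change to `fernet_keys` in the data source produces a clean run with the on-disk keys silently kept. The `[*fernet_replace_keys*]` doc in the first hunk should state that trade-off, e.g. `# When false, keys already present on disk are kept; a differing 'content' in fernet_keys is not reported as drift, but owner, group and mode are still enforced.`. If the class validates its other boolean parameters, the new `$fernet_replace_keys` parameter presumably needs the same check; that part of the body, like the start and end of `class keystone`, is outside these hunks.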
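--- /dev/null
+++ b/<release-note path not shown on page>
@@ -0,0 +1,6 @@
+---
+features:
+- The parameter 'fernet_replace_keys' was added; this tells the manifest to
+not replace the fernet keys if they have been added already. This is useful
+in cases where rotation happens outside of puppet, and running puppet again
+would replace the keys and result in an invalid setup.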
@ -1082,15 +1082,48 @@ describe 'keystone' do
it { is_expected.to contain_file('/etc/keystone/fernet-keys/0').with(
'content' => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=',
'owner' => 'keystone',
'owner' => 'keystone',
'mode' => '0600',
'replace' => true,
'subscribe' => 'Anchor[keystone::install::end]',
)}
it { is_expected.to contain_file('/etc/keystone/fernet-keys/1').with(
'content' => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=',
'owner' => 'keystone',
'mode' => '0600',
'replace' => true,
'subscribe' => 'Anchor[keystone::install::end]',
)}
end
describe 'when not replacing fernet_keys and setting fernet_keys parameter' do
let :params do
default_params.merge({
'enable_fernet_setup' => true,
'fernet_keys' => {
'/etc/keystone/fernet-keys/0' => {
'content' => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=',
},
'/etc/keystone/fernet-keys/1' => {
'content' => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=',
},
},
'fernet_replace_keys' => false,
})
end
it { is_expected.to_not contain_exec('keystone-manage fernet_setup') }
it { is_expected.to contain_file('/etc/keystone/fernet-keys/0').with(
'content' => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=',
'owner' => 'keystone',
'mode' => '0600',
'replace' => false,
'subscribe' => 'Anchor[keystone::install::end]',
)}
it { is_expected.to contain_file('/etc/keystone/fernet-keys/1').with(
'content' => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=',
'owner' => 'keystone',
'mode' => '0600',
'replace' => false,
'subscribe' => 'Anchor[keystone::install::end]',
)}
end
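Review bot: The first example's `with(` hash for `/etc/keystone/fernet-keys/0` lists `'owner' => 'keystone',` twice (the two lines after its `'content'` line), which Ruby accepts with a duplicated-key warning and which leaves the `group` that the manifest sets on these files unasserted; unless the page is showing an old/new pair of the same line, the second one should read `'group' => 'keystone',`. The new `when not replacing fernet_keys` block mirrors the same keys and could assert `'group' => 'keystone',` as well, so a regression in the group ownership of the key files would be caught alongside the `'replace' => false` check. The enclosing `describe 'keystone'` block starts and ends outside the hunk.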