Make replacing fernet keys if they already exist configurable

When setting up fernet keys, the file resource will replace the contents
of the keys (if they exist already) by default. This is not necessarily
what all deployments want, since some might do the key-rotation out of
band.

So this makes the replacing of these keys configurable, so it won't
affect already existing deployments if the keys were already set,
rotation happened at some point and one runs puppet again.

Change-Id: I8a56d1154dae1c7c53e3b9a997505156859b2826
Juan Antonio Osorio Robles 2017-03-15 15:54:50 +02:00
parent c92454d239
commit 8513563c39
3 changed files with 47 additions and 1 deletions


@ -438,6 +438,11 @@
# Otherwise Puppet will manage keys with File resource.
# Defaults to false
#
# [*fernet_replace_keys*]
# (Optional) Whether or not to replace the fernet keys if they are already in
# the filesystem
# Defaults to true
#
# [*enable_credential_setup*]
# (Optional) Setup keystone for credentials.
# In a cluster environment where multiple Keystone nodes are running, you might
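Review bot: The new `[*fernet_replace_keys*]` doc block should say that the setting only takes effect when `fernet_keys` is set, since the preceding context ("Otherwise Puppet will manage keys with File resource") shows the File resources are the only path this attribute reaches. Suggest adding `# Only applies when fernet_keys is set.` under the description, and spelling out the semantics of `false`: Puppet still creates a missing key file from the supplied content but never overwrites one that already exists, which is what preserves out-of-band rotation.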
@ -737,6 +742,7 @@ class keystone(
$fernet_key_repository = '/etc/keystone/fernet-keys',
$fernet_max_active_keys = $::os_service_default,
$fernet_keys = false,
$fernet_replace_keys = true,
$enable_credential_setup = false,
$credential_key_repository = '/etc/keystone/credential-keys',
$credential_keys = false,
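Review bot: The default of `true` keeps the current always-replace behaviour, so existing deployments are unaffected unless they opt in; that is the right choice. Because the value is handed straight to the File resource's `replace` attribute, a non-boolean value would only surface as a File resource error at apply time rather than as a clear parameter error, so a boolean check alongside the class's other parameter validation would be worth adding.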
@ -1159,6 +1165,7 @@ running as a standalone service, or httpd for being run by a httpd server")
'owner' => $keystone_user,
'group' => $keystone_group,
'mode' => '0600',
'replace' => $fernet_replace_keys,
'subscribe' => 'Anchor[keystone::install::end]',
}
)
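Review bot: `'replace' => $fernet_replace_keys` governs only the file content; `owner`, `group` and `mode` are still enforced on an existing key file, so keys rotated out of band keep their content while staying 0600 and owned by the keystone user, which is the intended outcome. One consequence worth an inline comment here: with `replace` set to false Puppet no longer reports or corrects content drift on these files, so a stale or wrong key left on disk will not be flagged by a run.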


@ -0,0 +1,6 @@
---
features:
- The parameter 'fernet_replace_keys' was added; this tells the manifest to
not replace the fernet keys if they have been added already. This is useful
in cases where rotation happens outside of puppet, and running puppet again
would replace the keys and result in an invalid setup.
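Review bot: The release note should state the default so readers know behaviour is unchanged unless they opt in, and that the parameter only matters when `fernet_keys` is supplied. Suggest appending: `The parameter defaults to true, which keeps the previous behaviour; it only has an effect when fernet_keys is set.`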


@ -1082,15 +1082,48 @@ describe 'keystone' do
it { is_expected.to contain_file('/etc/keystone/fernet-keys/0').with(
'content' => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=',
'owner' => 'keystone',
'owner' => 'keystone',
'mode' => '0600',
'replace' => true,
'subscribe' => 'Anchor[keystone::install::end]',
)}
it { is_expected.to contain_file('/etc/keystone/fernet-keys/1').with(
'content' => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=',
'owner' => 'keystone',
'mode' => '0600',
'replace' => true,
'subscribe' => 'Anchor[keystone::install::end]',
)}
end
describe 'when not replacing fernet_keys and setting fernet_keys parameter' do
let :params do
default_params.merge({
'enable_fernet_setup' => true,
'fernet_keys' => {
'/etc/keystone/fernet-keys/0' => {
'content' => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=',
},
'/etc/keystone/fernet-keys/1' => {
'content' => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=',
},
},
'fernet_replace_keys' => false,
})
end
it { is_expected.to_not contain_exec('keystone-manage fernet_setup') }
it { is_expected.to contain_file('/etc/keystone/fernet-keys/0').with(
'content' => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=',
'owner' => 'keystone',
'mode' => '0600',
'replace' => false,
'subscribe' => 'Anchor[keystone::install::end]',
)}
it { is_expected.to contain_file('/etc/keystone/fernet-keys/1').with(
'content' => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=',
'owner' => 'keystone',
'mode' => '0600',
'replace' => false,
'subscribe' => 'Anchor[keystone::install::end]',
)}
end
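Review bot: The first expectation for `/etc/keystone/fernet-keys/0` lists `'owner' => 'keystone'` twice, a duplicate hash key that Ruby warns about and resolves to the last value; the second line looks like it was meant to be `'group' => 'keystone'`, which the File resource sets but none of the four `.with(` blocks check. Suggest replacing the duplicate with `'group' => 'keystone'` and adding the same `group` line to the other three expectations. The new `when not replacing fernet_keys` example otherwise mirrors the existing one correctly, asserting `'replace' => false` and the absence of the `keystone-manage fernet_setup` exec.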