openstack/puppet-keystone
Code Issues Proposed changes

Implement crontab to perform Fernet keys rotations

Browse Source 
This crontab is useful to run keystone-manage fernet_rotate command in a
scheduled way.
It doesn't take care of the distribution of keys when deploying Keystone
on multinode environment but it's still useful to use it on single-node
keystone deployments or when we have an external system to distribute
the keys after running this command.

Change-Id: I125e81d8cd130fadb8271f1b7bcdcf9794c79f47
This commit is contained in:
Emilien Macchi
2017-03-21 21:13:24 -04:00
parent 92144af37f
commit c92454d239
3 changed files with 193 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

81
manifests/cron/fernet_rotate.pp Normal file
View File

@@ -0,0 +1,81 @@
# Copyright 2017 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: keystone::cron::fernet_rotate
#
# Installs a cron job that rotates fernet keys.
#
# === Parameters
#
# [*ensure*]
# (optional) Defaults to present.
# Valid values are present, absent.
#
# [*minute*]
# (optional) Defaults to '1'.
#
# [*hour*]
# (optional) Defaults to '0'.
#
# [*monthday*]
# (optional) Defaults to '*'.
#
# [*month*]
# (optional) Defaults to '*'.
#
# [*weekday*]
# (optional) Defaults to '*'.
#
# [*maxdelay*]
# (optional) Seconds. Defaults to 0. Should be a positive integer.
# Induces a random delay before running the cronjob to avoid running all
# cron jobs at the same time on all hosts this job is configured.
#
# [*user*]
# (optional) Defaults to 'keystone'.
# Allow to run the crontab on behalf any user.
#
class keystone::cron::fernet_rotate (
$ensure = present,
$minute = 1,
$hour = 0,
$monthday = '*',
$month = '*',
$weekday = '*',
$maxdelay = 0,
$user = 'keystone',
) {
include ::keystone::deps
if $maxdelay == 0 {
$sleep = ''
} else {
$sleep = "sleep `expr \${RANDOM} \\% ${maxdelay}`; "
}
cron { 'keystone-manage fernet_rotate':
ensure => $ensure,
command => "${sleep}keystone-manage fernet_rotate",
environment => 'PATH=/bin:/usr/bin:/usr/sbin SHELL=/bin/sh',
user => $user,
minute => $minute,
hour => $hour,
monthday => $monthday,
month => $month,
weekday => $weekday,
require => Anchor['keystone::service::end'],
}
}

7
releasenotes/notes/fernet_rotate_crontab-aad7ddda61d8ee31.yaml Normal file
View File

@@ -0,0 +1,7 @@
---
features:
- |
Implement a basic crontab that does fernet keys rotations with
keystone::cron::fernet_rotate class. This crontab won't take
care of the key distribution but just run `keystone-manage fernet_rotate`
command in a scheduled way.

105
spec/classes/keystone_cron_fernet_rotate_spec.rb Normal file
View File

@@ -0,0 +1,105 @@
require 'spec_helper'
describe 'keystone::cron::fernet_rotate' do
let :facts do
OSDefaults.get_facts({ :osfamily => 'Debian' })
end
let :params do
{ :ensure => 'present',
:minute => 1,
:hour => 0,
:monthday => '*',
:month => '*',
:weekday => '*',
:maxdelay => 0,
}
end
describe 'with default parameters' do
it 'configures a cron' do
is_expected.to contain_cron('keystone-manage fernet_rotate').with(
:ensure => params[:ensure],
:command => "keystone-manage fernet_rotate",
:environment => 'PATH=/bin:/usr/bin:/usr/sbin SHELL=/bin/sh',
:user => 'keystone',
:minute => params[:minute],
:hour => params[:hour],
:monthday => params[:monthday],
:month => params[:month],
:weekday => params[:weekday],
:require => 'Anchor[keystone::service::end]',
)
end
end
describe 'when specifying a maxdelay param' do
before :each do
params.merge!(
:maxdelay => 600
)
end
it 'configures a cron with delay' do
is_expected.to contain_cron('keystone-manage fernet_rotate').with(
:ensure => params[:ensure],
:command => "sleep `expr ${RANDOM} \\% #{params[:maxdelay]}`; keystone-manage fernet_rotate",
:environment => 'PATH=/bin:/usr/bin:/usr/sbin SHELL=/bin/sh',
:user => 'keystone',
:minute => params[:minute],
:hour => params[:hour],
:monthday => params[:monthday],
:month => params[:month],
:weekday => params[:weekday],
:require => 'Anchor[keystone::service::end]',
)
end
end
describe 'when specifying a user param' do
let :params do
{
:user => 'keystonecustom'
}
end
it 'configures a cron with delay' do
is_expected.to contain_cron('keystone-manage fernet_rotate').with(
:ensure => 'present',
:command => 'keystone-manage fernet_rotate',
:environment => 'PATH=/bin:/usr/bin:/usr/sbin SHELL=/bin/sh',
:user => 'keystonecustom',
:minute => 1,
:hour => 0,
:monthday => '*',
:month => '*',
:weekday => '*',
:require => 'Anchor[keystone::service::end]',
)
end
end
describe 'when disabling cron job' do
before :each do
params.merge!(
:ensure => 'absent'
)
end
it 'configures a cron with delay' do
is_expected.to contain_cron('keystone-manage fernet_rotate').with(
:ensure => params[:ensure],
:command => "keystone-manage fernet_rotate",
:environment => 'PATH=/bin:/usr/bin:/usr/sbin SHELL=/bin/sh',
:user => 'keystone',
:minute => params[:minute],
:hour => params[:hour],
:monthday => params[:monthday],
:month => params[:month],
:weekday => params[:weekday],
:require => 'Anchor[keystone::service::end]',
)
end
end
end