Add default VIM key for multi-master Tacker

This proposal adds support for a default VIM secret key to share across Tacker nodes in a multi-master cluster. Implements: blueprint vim-key-for-multi-master Change-Id: I2aa6e0d349d7fe3931cf95e0375aafa362a47bd4 Signed-off-by: Hitomi Koba <hi-koba@kddi.com>
2025-07-03 20:06:32 +09:00
parent 869bac7252
commit 5906ae2844
4 changed files with 302 additions and 0 deletions
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@@ -22,6 +22,7 @@ Specifications
   :glob:
   :maxdepth: 2
   specs/2025.2/index
   specs/2025.1/index
   specs/2024.2/index
   specs/2024.1/index
--- a/specs/2025.2/index.rst
+++ b/specs/2025.2/index.rst
@@ -0,0 +1,9 @@
 ============================
 Tacker 2025.2 Specifications
 ============================
 .. toctree::
   :glob:
   :maxdepth: 1
   *
--- a/specs/2025.2/placeholder.rst
+++ b/specs/2025.2/placeholder.rst
@@ -0,0 +1,124 @@
 ..
 This work is licensed under a Creative Commons Attribution 3.0 Unported
 License.
 http://creativecommons.org/licenses/by/3.0/legalcode
 ==================
 (Placeholder Spec)
 ==================
 This file is just a placeholder for the specs directory.
 It will be removed soon after some spec is merged.
 The latest spec template is found at ``specs/template.rst``
 in the ``tacker-specs`` repository.
 Problem description
 ===================
 Sphinx toctree complains if no file exists in a directory
 specified in toctree glob.
 Use Cases
 ---------
 None
 Proposed change
 ===============
 Add this file. Please remove later when the another spec is approved.
 Alternatives
 ------------
 None
 Data model impact
 -----------------
 None
 REST API impact
 ---------------
 None
 Security impact
 ---------------
 None
 Notifications impact
 --------------------
 None
 Other end user impact
 ---------------------
 None
 Performance Impact
 ------------------
 None
 Other deployer impact
 ---------------------
 None
 Developer impact
 ----------------
 None
 Upgrade impact
 --------------
 None
 Implementation
 ==============
 Assignee(s)
 -----------
 None
 Work Items
 ----------
 None
 Dependencies
 ============
 None
 Testing
 =======
 None
 Documentation Impact
 ====================
 None
 References
 ==========
 None
 History
 =======
 None
--- a/specs/2025.2/vim-key-for-multi-master.rst
+++ b/specs/2025.2/vim-key-for-multi-master.rst
@@ -0,0 +1,168 @@
 ..
 This work is licensed under a Creative Commons Attribution 3.0 Unported
 License.
 http://creativecommons.org/licenses/by/3.0/legalcode
 ================================================================
 Add support for a default VIM secret key for multi-master Tacker
 ================================================================
 https://blueprints.launchpad.net/tacker/+spec/vim-key-for-multi-master
 This specification proposes to support a default secret key as a simple feature
 to share the VIM secret key within a multi-master Tacker cluster.
 Problem description
 ===================
 When Tacker is deployed as a multi-master cluster for load balancing, it fails
 to perform VIM operations such as deleting or updating resources created by
 another Tacker node.
 For example, if tacker-0 creates a resource, trying to delete it from tacker-1
 will fail.
 This is because Tacker generates a new `fernet_key` for each VIM registration
 and does not have a way to share or sync keys between nodes.
 To avoid authentication failures, keys must be copied manually between nodes.
 Proposed change
 ===============
 Add an option to specify a common default VIM key across Tacker nodes.
 To enable this, a new `default_secret_key` parameter will be added under
 `[vim_keys]` in `tacker.conf`.
 Administrators will generate a default Fernet key file in advance
 (e.g., `default.key`), place it in the existing `openstack` directory
 (default: `/etc/tacker/vim/fernet_keys`) on each Tacker node, and specify
 the filename using the `default_secret_key` option.
 Example of `tacker.conf`:
 .. code-block:: ini
   [vim_keys]
   default_secret_key = default.key
 This setting allows the Tacker conductor to use the specified default key
 when registering a VIM. The value of `default_secret_key` is interpreted as
 a file located within the `openstack` directory. If the parameter is not set,
 the current behavior (auto-generating a key per VIM) remains unchanged.
 To set up the default key on each Tacker node, administrators generate
 a Fernet key using any method.
 For example:
 .. code-block:: bash
   python3 -c 'from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())' > /etc/tacker/vim/fernet_keys/default.key
 As part of this improvement, we also plan to provide an official utility
 (e.g., a new `tacker-db-manage` option or a script under `tools/`) that
 performs this key generation. While administrators can still generate the key
 manually as shown above, the recommended approach will be to use the provided
 tool to ensure consistency.
 The same key file ("default.key") is placed on each Tacker node.
 This approach is simpler than configuring continuous key synchronization
 (e.g., using rsync or NFS), and is suitable for environments where the key
 does not need to change frequently, such as closed or static deployments.
 Alternatives
 ------------
 Set up an additional method to synchronize VIM keys between Tacker nodes
 (e.g., using rsync or NFS).
 Data model impact
 -----------------
 None
 REST API impact
 ---------------
 None
 Security impact
 ---------------
 This feature has a minor security impact because the shared secret key must be
 securely generated, stored, and distributed between Tacker nodes.
 However, this is optional and generally safe if used in a closed network.
 Notifications impact
 --------------------
 None
 Other end user impact
 ---------------------
 None
 Performance Impact
 ------------------
 None
 Other deployer impact
 ---------------------
 None
 Developer impact
 ----------------
 None
 Upgrade impact
 --------------
 None
 Implementation
 ==============
 Assignee(s)
 -----------
 Primary assignee:
  Hitomi Koba <hi-koba@kddi.com>
 Work Items
 ----------
 * Update Docs (`Documentation Impact`_).
 * Update OpenStack Driver (`tacker/nfvo/drivers/vim/openstack_driver.py`) to
  check the `default_secret_key` config value and branch logic accordingly.
 * Modify other related parts as needed.
 Dependencies
 ============
 None
 Testing
 =======
 Add unit tests.
 Documentation Impact
 ====================
 * Configuration Options [#conf_options]_
 * Manual Installation [#manual_instrallation]_
 References
 ==========
 .. [#conf_options] https://docs.openstack.org/tacker/latest/configuration/config.html#vim-keys
 .. [#manual_instrallation] https://docs.openstack.org/tacker/latest/install/manual_installation.html