From c39915e729da88f82a625a97ac1eb17ba5cd8adf Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Tue, 20 Jun 2017 10:42:04 +0000
Subject: [PATCH] Add workbook to rotate fernet keys
This rotates the fernet keys by using an ansible playbook.
bp keystone-fernet-rotation
Change-Id: Ief09eb7432359391c07c12b1c352152990e22eaf
---
playbooks/rotate-keys.yaml | 19 ++++++++
workbooks/fernet-key-rotate.yaml | 82 ++++++++++++++++++++++++++++++++
2 files changed, 101 insertions(+)
create mode 100644 playbooks/rotate-keys.yaml
create mode 100644 workbooks/fernet-key-rotate.yaml
diff --git a/playbooks/rotate-keys.yaml b/playbooks/rotate-keys.yaml
new file mode 100644
index 000000000..c1d6231f0
--- /dev/null
+++ b/playbooks/rotate-keys.yaml
@@ -0,0 +1,19 @@
+---
+- hosts: keystone
+ tasks:
+ - name: Remove previous fernet keys
+ shell: rm -rf /etc/keystone/fernet-keys/*
+
+ - name: Persist fernet keys to repository
+ copy:
+ dest: "{{ item.key }}"
+ content: "{{ item.value.content }}"
+ mode: 0600
+ owner: keystone
+ group: keystone
+ with_dict: "{{ fernet_keys }}"
+
+ - name: Reload apache
+ service:
+ name: httpd
+ state: reloaded
diff --git a/workbooks/fernet-key-rotate.yaml b/workbooks/fernet-key-rotate.yaml
new file mode 100644
index 000000000..793791a8e
--- /dev/null
+++ b/workbooks/fernet-key-rotate.yaml
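Review bot: The `Remove previous fernet keys` task wipes `/etc/keystone/fernet-keys/*` before the new set is written, so if `fernet_keys` is undefined or empty, or the `copy` loop fails part-way, the `Reload apache` task at the end leaves keystone with no usable keys and token issuance and validation break until someone intervenes. Writing the new set first (`copy` overwrites in place) and then removing only the files that are not keys of `fernet_keys` keeps a valid key set on disk at every step, and lets the `shell: rm -rf` task be replaced by the `find` and `file` modules. While here, `mode: 0600` should be quoted as `mode: "0600"` so a YAML 1.2 loader does not read it as the decimal integer 600.

```yaml
- hosts: keystone
  tasks:
    - name: Persist fernet keys to repository
      copy:
        dest: "{{ item.key }}"
        content: "{{ item.value.content }}"
        mode: "0600"
        owner: keystone
        group: keystone
      with_dict: "{{ fernet_keys }}"

    - name: Find key files currently on the host
      find:
        paths: /etc/keystone/fernet-keys
      register: existing_keys

    - name: Remove fernet keys that are not in the new set
      file:
        path: "{{ item.path }}"
        state: absent
      with_items: "{{ existing_keys.files }}"
      when: item.path not in fernet_keys

    # … unchanged: Reload apache task …
```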
@@ -0,0 +1,82 @@
+---
+version: '2.0'
+name: tripleo.fernet_keys.v1
+description: TripleO fernet key rotation workflows
+
+workflows:
+
+ rotate_fernet_keys:
+
+ input:
+ - container
+ - queue_name: tripleo
+
+ tasks:
+
+ rotate_keys:
+ action: tripleo.parameters.rotate_fernet_keys container=<% $.container %>
+ on-success: deploy_ssh_key
+ on-error: rotate_keys_set_status_failed
+
+ rotate_keys_set_status_failed:
+ on-success: notify_zaqar
+ publish:
+ status: FAILED
+ message: <% task(rotate_keys).result %>
+
+ deploy_ssh_key:
+ workflow: tripleo.validations.v1.copy_ssh_key
+ on-success: get_privkey
+ on-error: deploy_ssh_key_failed
+
+ deploy_ssh_key_failed:
+ on-success: notify_zaqar
+ publish:
+ status: FAILED
+ message: <% task(deploy_ssh_key).result %>
+
+ get_privkey:
+ action: tripleo.validations.get_privkey
+ on-success: deploy_keys
+ on-error: get_privkey_failed
+
+ get_privkey_failed:
+ on-success: notify_zaqar
+ publish:
+ status: FAILED
+ message: <% task(get_privkey).result %>
+
+ deploy_keys:
+ action: tripleo.ansible-playbook
+ input:
+ hosts: keystone
+ inventory: /usr/bin/tripleo-ansible-inventory
+ ssh_private_key: <% task(get_privkey).result %>
+ ssh_extra_args: '-o StrictHostKeyChecking=no'
+ remote_user: heat-admin
+ become: true
+ extra_vars:
+ fernet_keys: <% task(rotate_keys).result %>
+ use_openstack_credentials: true
+ playbook: /usr/share/tripleo-common/playbooks/rotate-keys.yaml
+ on-success: rotate_keys_set_status_passed
+
+ rotate_keys_set_status_passed:
+ on-success: notify_zaqar
+ publish:
+ status: SUCCESS
+ message: <% task(deploy_keys).result %>
+
+ notify_zaqar:
+ action: zaqar.queue_post
+ input:
+ queue_name: <% $.queue_name %>
+ messages:
+ body:
+ type: tripleo.plan_management.v1.get_passwords
+ payload:
+ status: <% $.status %>
+ message: <% $.get('message', '') %>
+ execution: <% execution() %>
+ on-success:
+ - fail: <% $.get('status') = "FAILED" %>
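Review bot: `deploy_keys` has an `on-success` but no `on-error`, so when the playbook fails the workflow simply stops and `notify_zaqar` is never posted, unlike every other task in the chain, which routes through a `*_failed` task; by that point `rotate_keys` has already produced the new key set, so the caller gets no signal that the hosts and the plan may now disagree (inferred from the task order). Add `on-error: deploy_keys_failed` and a matching publish task, as below. The Zaqar message `type` is `tripleo.plan_management.v1.get_passwords`, which looks copied from another workbook; a consumer dispatching on `type` will misfile these results, so it should name this workflow, e.g. `type: tripleo.fernet_keys.v1.rotate_fernet_keys`. Note also that `ssh_extra_args: '-o StrictHostKeyChecking=no'` disables host-key verification on the very connection that carries the new keys in `extra_vars`; if the undercloud already holds host keys for the overcloud nodes, pointing ssh at that known_hosts file instead would keep the key material off an unverified peer.

```yaml
    deploy_keys:
      action: tripleo.ansible-playbook
      # … unchanged: input …
      on-success: rotate_keys_set_status_passed
      on-error: deploy_keys_failed

    deploy_keys_failed:
      on-success: notify_zaqar
      publish:
        status: FAILED
        message: <% task(deploy_keys).result %>
```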