From 490e237f09d2c685903b173d3fd94efc450a9cb2 Mon Sep 17 00:00:00 2001 From: Juan Antonio Osorio Robles Date: Mon, 12 Jun 2017 15:17:28 +0300 Subject: [PATCH] Use KeystoneFernetKeys instead of individual parameters This uses the newly introduced dict with the keys and paths instead of the individual keys. Having the advantage that rotation will be possible on stack update, as we no longer have a limit on how many keys we can pass (as we did with the individual parameters). bp keystone-fernet-rotation Change-Id: I7d224595b731d9f3390fce5a9d002282b2b4b8f2 Depends-On: I63ae158fa8cb33ac857dcf9434e9fbef07ecb68d --- puppet/services/keystone.yaml | 26 ++++++++++++++----- ...FernetKeys-parameter-bd635a106bb8e00f.yaml | 10 +++++++ 2 files changed, 29 insertions(+), 7 deletions(-) create mode 100644 releasenotes/notes/Use-KeystoneFernetKeys-parameter-bd635a106bb8e00f.yaml diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index f3a9cbc494..57e3286a6d 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -113,10 +113,15 @@ parameters: description: The second Keystone credential key. Must be a valid key. KeystoneFernetKey0: type: string - description: The first Keystone fernet key. Must be a valid key. + default: '' + description: (DEPRECATED) The first Keystone fernet key. Must be a valid key. KeystoneFernetKey1: type: string - description: The second Keystone fernet key. Must be a valid key. + default: '' + description: (DEPRECATED) The second Keystone fernet key. Must be a valid key. + KeystoneFernetKeys: + type: json + description: Mapping containing keystone's fernet keys and their paths. KeystoneLoggingSource: type: json default: @@ -187,6 +192,17 @@ parameters: default: {} hidden: true +parameter_groups: +- label: deprecated + description: | + The following parameters are deprecated and will be removed. They should not + be relied on for new deployments. If you have concerns regarding deprecated + parameters, please contact the TripleO development team on IRC or the + OpenStack mailing list. + parameters: + - KeystoneFernetKey0 + - KeystoneFernetKey1 + resources: ApacheServiceBase: @@ -241,11 +257,7 @@ outputs: content: {get_param: KeystoneCredential0} '/etc/keystone/credential-keys/1': content: {get_param: KeystoneCredential1} - keystone::fernet_keys: - '/etc/keystone/fernet-keys/0': - content: {get_param: KeystoneFernetKey0} - '/etc/keystone/fernet-keys/1': - content: {get_param: KeystoneFernetKey1} + keystone::fernet_keys: {get_param: KeystoneFernetKeys} keystone::fernet_replace_keys: false keystone::debug: if: diff --git a/releasenotes/notes/Use-KeystoneFernetKeys-parameter-bd635a106bb8e00f.yaml b/releasenotes/notes/Use-KeystoneFernetKeys-parameter-bd635a106bb8e00f.yaml new file mode 100644 index 0000000000..1e2673f188 --- /dev/null +++ b/releasenotes/notes/Use-KeystoneFernetKeys-parameter-bd635a106bb8e00f.yaml @@ -0,0 +1,10 @@ +--- +features: + - The KeystoneFernetKeys parameter was introduced, which is able to take any + amount of keys as long as it's in the right format. It's generated by the + same mechanism as the rest of the passwords; so it's value is also + available via mistral's "password" environment variable. This will also + allow for rotations to be made via mistral and via stack updates. +deprecations: + - The individual keystone fernet key parameters (KeystoneFernetKey0 and + KeystoneFernetKey1) were deprecated in favor of KeystoneFernetKeys.