Add new encryption middleware to swift proxy

Enabling data-at-rest encryption and integration
with barbican to swift proxy

Related-Change-Id: I78c6003f5f599a422193dc47422ee607ce05c715
Related-Change-Id: I1ceda973733acb081967ab04a5fd57eb1609c9a7
Change-Id: I26cf063fe410689530ee507cc2f79e93b5e71732
Signed-off-by: Thiago da Silva <thiago@redhat.com>
This commit is contained in:
Thiago da Silva 2017-12-04 16:30:06 -05:00
parent d05b39d149
commit ab1a421cc6
2 changed files with 123 additions and 3 deletions

View File

@ -36,6 +36,10 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
SwiftEncryptionEnabled:
description: Set to True to enable data-at-rest encryption in Swift
default: false
type: boolean
EnableInternalTLS:
type: boolean
default: false
@ -47,6 +51,7 @@ parameters:
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
swift_encryption_enabled: {equals : [{get_param: SwiftEncryptionEnabled}, true]}
resources:
@ -75,7 +80,7 @@ outputs:
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: swift
puppet_tags: swift_config,swift_proxy_config
puppet_tags: swift_config,swift_proxy_config,swift_keymaster_config
step_config:
get_attr: [SwiftProxyBase, role_data, step_config]
config_image: {get_param: DockerSwiftConfigImage}
@ -94,11 +99,100 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
docker_config_scripts:
create_swift_secret.sh:
mode: "0700"
content: |
#!/bin/bash
export OS_PROJECT_DOMAIN_ID=$(crudini --get /etc/swift/keymaster.conf kms_keymaster project_domain_id)
export OS_USER_DOMAIN_ID=$(crudini --get /etc/swift/keymaster.conf kms_keymaster user_domain_id)
export OS_PROJECT_NAME=$(crudini --get /etc/swift/keymaster.conf kms_keymaster project_name)
export OS_USERNAME=$(crudini --get /etc/swift/keymaster.conf kms_keymaster username)
export OS_PASSWORD=$(crudini --get /etc/swift/keymaster.conf kms_keymaster password)
export OS_AUTH_URL=$(crudini --get /etc/swift/keymaster.conf kms_keymaster auth_endpoint)
export OS_AUTH_TYPE=password
export OS_IDENTITY_API_VERSION=3
echo "Check if secret already exists"
secret_href=$(openstack secret list --name swift_root_secret_uuid)
rc=$?
if [[ $rc != 0 ]]; then
echo "Failed to check secrets, check if Barbican in enabled and responding properly"
exit $rc;
fi
if [ -z "$secret_href" ]; then
echo "Create new secret"
order_href=$(openstack secret order create --name swift_root_secret_uuid --payload-content-type="application/octet-stream" --algorithm aes --bit-length 256 --mode ctr key -f value -c "Order href")
fi
set_swift_keymaster_key_id.sh:
mode: "0700"
content: |
#!/bin/bash
export OS_PROJECT_DOMAIN_ID=$(crudini --get /etc/swift/keymaster.conf kms_keymaster project_domain_id)
export OS_USER_DOMAIN_ID=$(crudini --get /etc/swift/keymaster.conf kms_keymaster user_domain_id)
export OS_PROJECT_NAME=$(crudini --get /etc/swift/keymaster.conf kms_keymaster project_name)
export OS_USERNAME=$(crudini --get /etc/swift/keymaster.conf kms_keymaster username)
export OS_PASSWORD=$(crudini --get /etc/swift/keymaster.conf kms_keymaster password)
export OS_AUTH_URL=$(crudini --get /etc/swift/keymaster.conf kms_keymaster auth_endpoint)
export OS_AUTH_TYPE=password
export OS_IDENTITY_API_VERSION=3
echo "retrieve key_id"
loop_wait=2
for i in {0..5}; do
#TODO update uuid from mistral here too
secret_href=$(openstack secret list --name swift_root_secret_uuid)
if [ "$secret_href" ]; then
echo "set key_id in keymaster.conf"
secret_href=$(openstack secret list --name swift_root_secret_uuid -f value -c "Secret href")
crudini --set /etc/swift/keymaster.conf kms_keymaster key_id ${secret_href##*/}
exit 0
else
echo "no key, wait for $loop_wait and check again"
sleep $loop_wait
((loop_wait++))
fi
done
echo "Failed to set secret in keymaster.conf, check if Barbican is enabled and responding properly"
exit 1
docker_config:
step_4:
map_merge:
- if:
- swift_encryption_enabled
- create_swift_secret:
# NOTE: Barbican should be started before creating secrets
start_order: 0
image: &swift_proxy_image {get_param: DockerSwiftProxyImage}
net: host
detach: false
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/config-data/puppet-generated/swift/etc/swift:/etc/swift:ro
- /var/lib/docker-config-scripts/create_swift_secret.sh:/create_swift_secret.sh:ro
user: root
command: "/usr/bin/bootstrap_host_exec swift_proxy /create_swift_secret.sh"
- {}
- if:
- swift_encryption_enabled
- set_swift_secret:
start_order: 1
image: *swift_proxy_image
net: host
detach: false
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/config-data/puppet-generated/swift/etc/swift:/etc/swift:rw
- /var/lib/docker-config-scripts/set_swift_keymaster_key_id.sh:/set_swift_keymaster_key_id.sh:ro
user: root
command: "/set_swift_keymaster_key_id.sh"
- {}
- swift_proxy:
image: &swift_proxy_image {get_param: DockerSwiftProxyImage}
image: *swift_proxy_image
start_order: 2
net: host
user: swift
restart: always

View File

@ -69,6 +69,10 @@ parameters:
default: ['service']
description: Comma-seperated list of project names to ignore.
type: comma_delimited_list
SwiftEncryptionEnabled:
description: Set to True to enable data-at-rest encryption in Swift
default: false
type: boolean
RabbitClientPort:
default: 5672
description: Set rabbit subscriber port, change this if using SSL
@ -87,6 +91,7 @@ conditions:
ceilometer_pipeline_enabled: {equals : [{get_param: SwiftCeilometerPipelineEnabled}, true]}
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
swift_encryption_enabled: {equals : [{get_param: SwiftEncryptionEnabled}, true]}
resources:
SwiftBase:
@ -151,7 +156,18 @@ outputs:
- swiftoperator
- ResellerAdmin
swift::proxy::versioned_writes::allow_versioned_writes: true
swift::proxy::pipeline:
- if:
- swift_encryption_enabled
-
swift::keymaster::key_id: 'test_id'
swift::keymaster::username: 'swift'
swift::keymaster::password: {get_param: SwiftPassword}
swift::keymaster::project_name: 'service'
swift::keymaster::project_domain_id: 'default'
swift::keymaster::user_domain_id: 'default'
swift::keymaster::auth_endpoint: {get_param: [EndpointMap, KeystoneInternal, uri]}
- {}
- swift::proxy::pipeline:
yaql:
expression: $.data.pipeline.where($ != '')
data:
@ -178,6 +194,16 @@ outputs:
- ceilometer_pipeline_enabled
- 'ceilometer'
- ''
-
if:
- swift_encryption_enabled
- 'kms_keymaster'
- ''
-
if:
- swift_encryption_enabled
- 'encryption'
- ''
- 'proxy-logging'
- 'proxy-server'
swift::proxy::account_autocreate: true