
Replace keystone db flush cron job with a Fernet key rotation job

Previously, we had a cron job to flush removed keystone tokens. Since
[1] this is no longer required, but we do need to add a cron job to
rotate Fernet keys.

[1] - https://review.openstack.org/544547

Change-Id: I331788ea08322a6f982c87eb195a619bab1c4d2e
Javier Pena 1 year ago
parent
commit
1b7a931fd1

+ 2
- 2
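--- a/docs/packstack.rst
+++ b/docs/packstack.rst
@@ -308,8 +308,8 @@ Keystone Config parameters
 **CONFIG_KEYSTONE_DB_PW**
     Password to use for the Identity service (keystone) to access the database.
 
-**CONFIG_KEYSTONE_DB_PURGE_ENABLE**
-    Enter y if cron job for removing soft deleted DB rows should be created.
+**CONFIG_KEYSTONE_FERNET_TOKEN_ROTATE_ENABLE**
+    Enter y if cron job to rotate Fernet tokens should be created.
 
 **CONFIG_KEYSTONE_REGION**
     Default region name to use when creating tenants in the Identity service.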

+ 4
- 4
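--- a/packstack/plugins/keystone_100.py
+++ b/packstack/plugins/keystone_100.py
@@ -47,10 +47,10 @@ def initConfig(controller):
              "NEED_CONFIRM": True,
              "CONDITION": False},
 
-            {"CMD_OPTION": 'keystone-db-purge-enable',
+            {"CMD_OPTION": 'keystone-fernet-token-rotate-enable',
              "PROMPT": (
-                 "Enter y if cron job for removing soft deleted DB rows "
-                 "should be created"
+                 "Enter y if cron job to rotate Fernet tokens should be "
+                 "created"
              ),
              "OPTION_LIST": ['y', 'n'],
              "VALIDATORS": [validators.validate_not_empty],
@@ -58,7 +58,7 @@ def initConfig(controller):
              "DEFAULT_VALUE": 'y',
              "MASK_INPUT": False,
              "LOOSE_VALIDATION": False,
-             "CONF_NAME": 'CONFIG_KEYSTONE_DB_PURGE_ENABLE',
+             "CONF_NAME": 'CONFIG_KEYSTONE_FERNET_TOKEN_ROTATE_ENABLE',
              "USE_DEFAULT": False,
              "NEED_CONFIRM": True,
              "CONDITION": False},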
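Review bot: The new PROMPT text in the first hunk tells the operator the cron job will "rotate Fernet tokens", but what the job rotates is the Fernet signing keys, as the release note in this same commit states; tokens themselves are never rotated, they simply stop validating once the key that issued them drops out of the active set. The same wording is repeated in docs/packstack.rst. I would change the prompt to `"Enter y if cron job to rotate Fernet keys should be "` and, since the option name also carries the TOKEN_ROTATE misnomer, at least note in the docs entry that the option controls key rotation. initConfig starts before the hunk and continues after it.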

+ 2
- 4
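--- a/packstack/puppet/modules/packstack/manifests/keystone.pp
+++ b/packstack/puppet/modules/packstack/manifests/keystone.pp
@@ -17,11 +17,9 @@ class packstack::keystone ()
 
     class { '::keystone::client': }
 
-    if hiera('CONFIG_KEYSTONE_DB_PURGE_ENABLE',false) {
-      class { '::keystone::cron::token_flush':
-        minute      => '*/1',
+    if hiera('CONFIG_KEYSTONE_FERNET_TOKEN_ROTATE_ENABLE',false) {
+      class { '::keystone::cron::fernet_rotate':
         require     => Service['crond'],
-        destination => '/dev/null',
       }
       service { 'crond':
         ensure => 'running',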
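Review bot: The new `::keystone::cron::fernet_rotate` declaration passes only `require`, so the rotation schedule and the number of keys kept come entirely from the puppet-keystone module defaults, and nothing in the manifest records why that is acceptable here. Fernet rotation only keeps issued tokens valid if the interval between rotations multiplied by the number of active keys covers the configured token lifetime, and it must run on exactly one host when keys are shared; I cannot see either value from this hunk, so I would add a comment above the class declaration such as `# Rotation cadence and key count are the module defaults; they must cover keystone's token expiration and run on a single host.` The enclosing `packstack::keystone` class continues beyond the hunk.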

+ 12
- 0
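--- a/releasenotes/notes/Replace-keystone-token-flush-cron-job-with-fernet-rotation-5b1fccf2bc6add91.yaml
+++ b/releasenotes/notes/Replace-keystone-token-flush-cron-job-with-fernet-rotation-5b1fccf2bc6add91.yaml
@@ -0,0 +1,12 @@
+---
+upgrade:
+  - |
+    A new CONFIG_KEYSTONE_FERNET_TOKEN_ROTATE_ENABLE option has been added to
+    the answer file. When enabled (default), it will create a cron job to
+    rotate Fernet keys.
+deprecations:
+  - |
+    Since Keystone has deprecated token formats requiring storage in the DB,
+    the CONFIG_KEYSTONE_DB_PURGE_ENABLE option has been removed. Instead, we
+    are implementing a cron job to rotate Fernet keys.
+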
