Enable heat/puppet to manage the fernet keys and make it configurable
author Juan Antonio Osorio Robles <jaosorior@redhat.com>
Mon, 12 Jun 2017 12:24:32 +0000 (15:24 +0300)
committer Juan Antonio Osorio Robles <jaosorior@redhat.com>
Wed, 14 Jun 2017 07:04:06 +0000 (10:04 +0300)
With the addition of the KeystoneFernetKeys parameter, it's now possible
to do fernet key rotations using mistral, by modifying the
KeystoneFernetKeys variable in mistral; subsequently a rotation could
happen when doing a stack update.

So this re-enables the managing of the key files by puppet. However,
this is left configurable, as folks might want to manage those files
out-of-band.

bp keystone-fernet-rotation
Change-Id: Ic82fb8b8a76481a6e588047acf33a036cf444d7d

puppet/services/keystone.yaml
releasenotes/notes/Introduce-ManageKeystoneFernetKeys-parameter-2478cf5fc5e64256.yaml [new file with mode: 0644]

index 57e3286..af49401 100644 (file)
@@ -122,6 +122,14 @@ parameters:
   KeystoneFernetKeys:
     type: json
     description: Mapping containing keystone's fernet keys and their paths.
+  ManageKeystoneFernetKeys:
+    type: boolean
+    default: true
+    description: Whether TripleO should manage the keystone fernet keys or not.
+                 If set to true, the fernet keys will get the values from the
+                 saved keys repository in mistral (the KeystoneFernetKeys
+                 variable). If set to false, only the stack creation
+                 initializes the keys, but subsequent updates won't touch them.
   KeystoneLoggingSource:
     type: json
     default:
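Review bot: the description of ManageKeystoneFernetKeys should spell out the consequence of the default, since `default: true` combined with the change further down (the previously hard-coded `keystone::fernet_replace_keys: false`) means that the next stack update will overwrite whatever is in /etc/keystone/fernet-keys with the values stored in the KeystoneFernetKeys mapping. A deployer who has already rotated keys out-of-band and has not pushed those keys back into Mistral will have the on-disk keys silently rolled back to the older set on update, which invalidates every token issued under the newer keys. Suggest adding a sentence such as "Deployers who rotate keys out-of-band must set this to false before running a stack update, otherwise the on-disk keys are replaced with the set stored in Mistral." Also, the `If set to false, only the stack creation initializes the keys` wording describes what happens on the node, but nothing in this template enforces that on create versus update; it is worth stating that this relies on the key files not yet existing at creation time. Minor style point: the multi-line description is a plain scalar spanning several lines; the other long descriptions in this file use a `>` folded block, which avoids surprises with indentation.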
@@ -258,7 +266,7 @@ outputs:
               '/etc/keystone/credential-keys/1':
                 content: {get_param: KeystoneCredential1}
             keystone::fernet_keys: {get_param: KeystoneFernetKeys}
-            keystone::fernet_replace_keys: false
+            keystone::fernet_replace_keys: {get_param: ManageKeystoneFernetKeys}
             keystone::debug:
               if:
               - service_debug_unset
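Review bot: the new parameter only gates `keystone::fernet_replace_keys`; the credential keys in the same output (e.g. `/etc/keystone/credential-keys/1` with `content: {get_param: KeystoneCredential1}` just above) are still written unconditionally on every update. If the intent is to let deployers manage key material out-of-band, either the credential keys need the same treatment or the parameter name and description should make explicit that it covers the fernet keys only, so nobody assumes credential-key rotation done outside TripleO will survive a stack update.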
diff --git a/releasenotes/notes/Introduce-ManageKeystoneFernetKeys-parameter-2478cf5fc5e64256.yaml b/releasenotes/notes/Introduce-ManageKeystoneFernetKeys-parameter-2478cf5fc5e64256.yaml
new file mode 100644 (file)
index 0000000..64a4d7e
--- /dev/null
@@ -0,0 +1,6 @@
+---
+features:
+  - This introduces the ManageKeystoneFernetKeys parameter, which tells
+    heat/puppet if it should replace the existing fernet keys on a stack
+    deployment or not. This is useful if the deployer wants to do key rotations
+    out of band.
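Review bot: the note says the parameter controls replacement "on a stack deployment", but the behaviour that matters to operators is on stack update, and it should say so. It should also state the default (true) and that this is a behaviour change from the previous hard-coded `keystone::fernet_replace_keys: false`, since existing deployments that rotate keys out-of-band will have their on-disk fernet keys replaced by the set stored in Mistral on their next update unless they set `ManageKeystoneFernetKeys: false` first. That is an upgrade impact rather than a plain feature, so a matching `upgrade:` entry alongside the `features:` entry would be appropriate.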