From: Juan Antonio Osorio Robles Date: Mon, 12 Jun 2017 12:24:32 +0000 (+0300) Subject: Enable heat/puppet to manage the fernet keys and make it configurable X-Git-Tag: opnfv-6.0.0~541^2 X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=commitdiff_plain;h=350e1a81dd559581bcf643e5a87ad89d6a9c0e5d;p=apex-tripleo-heat-templates.git Enable heat/puppet to manage the fernet keys and make it configurable With the addition of the KeystoneFernetKeys parameter, it's now possible to do fernet key rotations using mistral, by modifying the KeystoneFernetKeys variable in mistral; subsequently a rotation could happen when doing a stack update. So this re-enables the managing of the key files by puppet. However, this is left configurable, as folks might want to manage those files out-of-band. bp keystone-fernet-rotation Change-Id: Ic82fb8b8a76481a6e588047acf33a036cf444d7d --- diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index 57e3286a..af494016 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -122,6 +122,14 @@ parameters: KeystoneFernetKeys: type: json description: Mapping containing keystone's fernet keys and their paths. + ManageKeystoneFernetKeys: + type: boolean + default: true + description: Whether TripleO should manage the keystone fernet keys or not. + If set to true, the fernet keys will get the values from the + saved keys repository in mistral (the KeystoneFernetKeys + variable). If set to false, only the stack creation + initializes the keys, but subsequent updates won't touch them. KeystoneLoggingSource: type: json default: @@ -258,7 +266,7 @@ outputs: '/etc/keystone/credential-keys/1': content: {get_param: KeystoneCredential1} keystone::fernet_keys: {get_param: KeystoneFernetKeys} - keystone::fernet_replace_keys: false + keystone::fernet_replace_keys: {get_param: ManageKeystoneFernetKeys} keystone::debug: if: - service_debug_unset diff --git a/releasenotes/notes/Introduce-ManageKeystoneFernetKeys-parameter-2478cf5fc5e64256.yaml b/releasenotes/notes/Introduce-ManageKeystoneFernetKeys-parameter-2478cf5fc5e64256.yaml new file mode 100644 index 00000000..64a4d7e7 --- /dev/null +++ b/releasenotes/notes/Introduce-ManageKeystoneFernetKeys-parameter-2478cf5fc5e64256.yaml @@ -0,0 +1,6 @@ +--- +features: + - This introduces the ManageKeystoneFernetKeys parameter, which tells + heat/puppet if it should replace the existing fernet keys on a stack + deployment or not. This is useful if the deployer wants to do key rotations + out of band.