Puppet Class: profile::openstack::base::keystone::fernet_keys

Defined in:
modules/profile/manifests/openstack/base/keystone/fernet_keys.pp

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • openstack_control_nodes (Array[OpenStack::ControlNode]) (defaults to: lookup('profile::openstack::base::openstack_control_nodes'))
  • cred_key_0 (String) (defaults to: lookup('profile::openstack::base::keystone::credential_key_0'))
  • cred_key_1 (String) (defaults to: lookup('profile::openstack::base::keystone::credential_key_1'))


# File 'modules/profile/manifests/openstack/base/keystone/fernet_keys.pp', line 2

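# Manages the Keystone fernet token keys and credential keys on an OpenStack
# control node.
#
# Fernet keys are rotated by each control node in turn (one hour slot per node)
# and pulled by the other control nodes over rsync on the half hour, so that
# every Keystone instance validates tokens against the same key set.
# Credential keys are static secrets from hiera; keystone-manage
# credential_migrate is run whenever they change.
#
# @param openstack_control_nodes  All control nodes; used both as the rsync
#   client allow-list and to assign each node its rotation hour. The order
#   must be identical on every node or the rotation/sync schedule will not
#   line up.
# @param cred_key_0  Contents of /etc/keystone/credential-keys/credential-key-0.
# @param cred_key_1  Contents of /etc/keystone/credential-keys/credential-key-1.
class profile::openstack::base::keystone::fernet_keys(
    Array[OpenStack::ControlNode] $openstack_control_nodes = lookup('profile::openstack::base::openstack_control_nodes'),
    String $cred_key_0 = lookup('profile::openstack::base::keystone::credential_key_0'),
    String $cred_key_1 = lookup('profile::openstack::base::keystone::credential_key_1'),
) {
    file { '/etc/keystone/fernet-keys':
        ensure => directory,
        owner  => 'keystone',
        group  => 'keystone',
        mode   => '0770',
    }

    # Export the key directory to the other control nodes. rsync:// is a
    # plaintext transport, so confidentiality of the keys in transit rests on
    # the cloud-private network and on hosts_allow limiting clients to the
    # control nodes themselves; the module is read-only so peers can only pull.
    rsync::server::module { 'keystonefernetkeys':
        path          => '/etc/keystone/fernet-keys',
        uid           => 'keystone',
        gid           => 'keystone',
        hosts_allow   => $openstack_control_nodes.map |$node| { $node['cloud_private_fqdn'] },
        auto_firewall => true,
        read_only     => 'yes',
    }

    # It's important to do these steps in the right order: a host should rotate its keys, and immediately
    #  after that each other host should rsync to pick up the changes.
    # Rotations happen on the hour, and syncing on the half.
    #
    # Note that if the order of hosts in $openstack_control_nodes is not consistent across all
    #  hosts this will cause chaos.
    #
    # $staggerhours is an integer division: with more than 24 control nodes it
    #  becomes 0 and every node would rotate in the same hour, and with zero
    #  nodes compilation fails on the division, which is the safer outcome.
    $hostcount = count($openstack_control_nodes)
    $staggerhours = 24/$hostcount

    $openstack_control_nodes.each |$index, OpenStack::ControlNode $node| {
        $activehour = $index * $staggerhours
        # A node does not sync from itself; it is the one rotating in this slot.
        $is_this_host = $::facts['networking']['fqdn'] == $node['host_fqdn']
        $fqdn = $node['cloud_private_fqdn']

        systemd::timer::job { "keystone_sync_keys_from_${fqdn}":
            ensure             => $is_this_host.bool2str('absent', 'present'),
            description        => "Sync keys for Keystone fernet tokens to ${fqdn}",
            command            => "/usr/bin/rsync -a --delete rsync://${fqdn}/keystonefernetkeys/ /etc/keystone/fernet-keys/",
            interval           => {
                'start'    => 'OnCalendar',
                'interval' => "*-*-* ${activehour}:30:00",
            },
            logging_enabled    => true,
            monitoring_enabled => false,
            user               => 'keystone',
        }

        if $is_this_host {
            systemd::timer::job { 'keystone_rotate_keys':
                description        => 'Rotate keys for Keystone fernet tokens',
                command            => '/usr/bin/keystone-manage fernet_rotate --keystone-user keystone --keystone-group keystone',
                interval           => {
                    'start'    => 'OnCalendar',
                    'interval' => "*-*-* ${activehour}:00:00",
                },
                logging_enabled    => true,
                user               => 'root',
                monitoring_enabled => false,
            }
        }
    }

    # Credential keys
    #
    #  These don't need to rotate but we do need to call credential_migrate
    #  any time they change.
    #
    #  See https://docs.openstack.org/keystone/zed/admin/credential-encryption.html
    file { '/etc/keystone/credential-keys':
        ensure => directory,
        owner  => 'keystone',
        group  => 'keystone',
        mode   => '0700',
    }

    # The key files must be `ensure => file`: `content` is only meaningful for
    # a file, and declaring them as directories left the secret unwritten.
    # show_diff is disabled so the key material never ends up in agent
    # reports or logs when it changes.
    file { '/etc/keystone/credential-keys/credential-key-0':
        ensure    => file,
        owner     => 'keystone',
        group     => 'keystone',
        mode      => '0400',
        content   => $cred_key_0,
        show_diff => false,
    }

    # Strictly speaking this key isn't needed but keystone-manage
    #  creates it so I'm installing it to avoid future confusion
    file { '/etc/keystone/credential-keys/credential-key-1':
        ensure    => file,
        owner     => 'keystone',
        group     => 'keystone',
        mode      => '0400',
        content   => $cred_key_1,
        show_diff => false,
    }

    # Re-encrypt stored credentials whenever either key file changes;
    # refreshonly keeps this from running on every agent run.
    exec { 'migrate_credential_keys':
        command     => '/usr/bin/keystone-manage credential_migrate --keystone-user keystone --keystone-group keystone',
        subscribe   => [File['/etc/keystone/credential-keys/credential-key-0'],
                        File['/etc/keystone/credential-keys/credential-key-1']],
        refreshonly => true,
    }
}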