There should be a way to rotate fernet keys

Bug #1651394 reported by Boris Bobrov
Affects: fuel-ccp
Status: Fix Committed
Importance: High
Assigned to: Dmitry Klenov
Milestone: (none)

Bug Description

Today a single Fernet key is generated for a deployment. Since the encrypted information is publicly accessible, the keys need to be rotated once in a while. Containers are considered immutable and we cannot rotate the keys the way we would do it in a usual unix environment. Some other way to rotate the keys needs to be implemented.

For example, kubernetes secrets are intended to hold sensitive information and could be used for that.

Changed in fuel-ccp:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Fuel CCP Bug Team (fuel-ccp-bugs)
Adam Heczko (aheczko-mirantis) wrote :

For a secure Fernet key rotation consider using HashiCorp Vault.
Use cases for configuration management tools are described here:
https://www.hashicorp.com/blog/using-hashicorp-vault-with-chef.html

Changed in fuel-ccp:
assignee: Fuel CCP Bug Team (fuel-ccp-bugs) → Dmitry Klenov (dklenov)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-ccp (master)

Fix proposed to branch: master
Review: https://review.openstack.org/423234

Changed in fuel-ccp:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/428055

OpenStack Infra (hudson-openstack) wrote : Change abandoned on fuel-ccp (master)

Change abandoned by Dmitry Klenov (<email address hidden>) on branch: master
Review: https://review.openstack.org/423234
Reason: Abandoning due to decision to change implementation approach.
New review: https://review.openstack.org/#/c/428055/

OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-ccp-keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/428074

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-ccp (master)

Reviewed: https://review.openstack.org/428055
Committed: https://git.openstack.org/cgit/openstack/fuel-ccp/commit/?id=80447e7411fb446f6265d60bdc4c9d772fe15e0b
Submitter: Jenkins
Branch: master

commit 80447e7411fb446f6265d60bdc4c9d772fe15e0b
Author: Dmitry Klenov <email address hidden>
Date: Fri Jan 20 09:42:08 2017 +0000

    Secret support

    Support for k8s secrets is introduced. To create a secret, put
    an additional 'secrets' section in the definition
    of the service:

    secrets:
      name-for-reference:
        type: "Opaque"
        data:
          "file1": "some content"
          "file2": "another one"
        secret:
            secretName: name-in-k8s
        path: /where/to/mount

    You can reference this secret from the container definition:

    daemon:
      secrets:
        - name-for-reference

    The referenced secret must be defined in the 'secrets' section.

    Change-Id: Iaaede4ccb94c99d70f3ecad040d5ab6c41428c5e
    Partial-Bug: #1651392
    Partial-Bug: #1651394

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-ccp-keystone (master)

Reviewed: https://review.openstack.org/426092
Committed: https://git.openstack.org/cgit/openstack/fuel-ccp-keystone/commit/?id=f6a75158c2dd32720ed178d91ef2b6df40c6984a
Submitter: Jenkins
Branch: master

commit f6a75158c2dd32720ed178d91ef2b6df40c6984a
Author: Dmitry Klenov <email address hidden>
Date: Tue Jan 17 09:05:11 2017 +0000

    Fernet keys rotation action

    A mechanism to rotate fernet keys is added. A CCP operator can use one
    of two ways to rotate keys:

    1. Manual rotation.
    Pre-generate keys manually and distribute them to the keystone pod(s).
    To do it, the operator needs to put the generated keys in the ccp config
    file in the following format:

    configs:
        keystone:
            fernet_keys:
                "0": <key-0>
                "2": <key-2>
                "3": <key-3>

    Then execute the custom action 'fernet-rotate'. The keys will be placed
    in the k8s secret.

    2. Automatic rotation.
    Do not put keys in the config, just execute 'fernet-rotate'. Keys will be
    automatically rotated and put in the proper secret.

    Partial-Bug: #1651392
    Partial-Bug: #1651394
    Change-Id: I577b3f36a12d14b4b5d546d9633d4629eb5d8a37

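The two pieces the report and the commit messages above describe (rotating a key set that is given in the manual-rotation format, and storing the result in a Kubernetes secret as the bug description suggests) can be shown end to end with the following added example. It is not fuel-ccp-keystone's code and does not reproduce the 'fernet-rotate' action; it follows Keystone's documented key-repository layout (index "0" is the staged key, the highest index is the primary used for encryption, the others are secondaries kept only for decryption) and assumes a secret name, namespace and max_active_keys value of its own. The sample key set is constructed inline.

```python
"""Rotate a Keystone-style Fernet key set and package it as a k8s Secret.

Added example, not fuel-ccp-keystone's own code. Assumes Keystone's
documented layout: index "0" is the staged key, the highest index is the
primary, the rest are secondaries. Secret name/namespace are assumptions.
"""
import base64
import os
from typing import Dict

KEY_BYTES = 32  # Fernet key = 16-byte signing key + 16-byte encryption key


def generate_fernet_key() -> str:
    """A fresh Fernet key: 32 random bytes, URL-safe base64 (44 chars)."""
    return base64.urlsafe_b64encode(os.urandom(KEY_BYTES)).decode("ascii")


def validate_fernet_key(key: str) -> bool:
    """True if the key is URL-safe base64 that decodes to exactly 32 bytes."""
    try:
        return len(base64.urlsafe_b64decode(key.encode("ascii"))) == KEY_BYTES
    except (ValueError, UnicodeEncodeError):
        return False


def rotate_fernet_keys(keys: Dict[str, str], max_active_keys: int = 3) -> Dict[str, str]:
    """Return the next key set.

    The old staged key "0" becomes the new primary (highest index + 1), a
    fresh staged key takes index "0", and the lowest-numbered secondaries are
    dropped until at most max_active_keys remain. Input uses the manual
    rotation format from the commit message: {"0": ..., "2": ..., "3": ...}.
    """
    if max_active_keys < 2:
        raise ValueError("max_active_keys must be >= 2 (staged + primary)")
    if "0" not in keys:
        raise ValueError("key set has no staged key (index 0) to promote")
    for idx, key in keys.items():
        if not idx.isdigit():
            raise ValueError(f"non-numeric key index {idx!r}")
        if not validate_fernet_key(key):
            raise ValueError(f"key {idx} is not a valid Fernet key")

    rotated = {idx: key for idx, key in keys.items() if idx != "0"}
    new_primary = max(int(i) for i in keys) + 1
    rotated[str(new_primary)] = keys["0"]   # promote staged -> primary
    rotated["0"] = generate_fernet_key()    # brand-new staged key
    while len(rotated) > max_active_keys:   # prune oldest secondaries first
        oldest = min(int(i) for i in rotated if i != "0")
        del rotated[str(oldest)]
    return rotated


def fernet_secret_manifest(keys: Dict[str, str], name: str = "keystone-fernet-keys",
                           namespace: str = "ccp") -> dict:
    """Opaque Secret whose data entries are the key files.

    Mounted as a volume, each entry becomes a file named after its index,
    which is the layout Keystone's [fernet_tokens] key_repository expects.
    """
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        # Secret.data values must be base64 of the file contents.
        "data": {idx: base64.b64encode(key.encode("ascii")).decode("ascii")
                 for idx, key in keys.items()},
    }


def keys_from_secret(manifest: dict) -> Dict[str, str]:
    """Inverse of fernet_secret_manifest: decode data entries back to keys."""
    return {idx: base64.b64decode(val).decode("ascii")
            for idx, val in manifest["data"].items()}


if __name__ == "__main__":
    import json
    # Constructed sample in the manual-rotation format from the commit message.
    current = {"0": generate_fernet_key(), "2": generate_fernet_key(),
               "3": generate_fernet_key()}
    nxt = rotate_fernet_keys(current, max_active_keys=3)
    print(sorted(nxt))  # ['0', '3', '4']
    print(json.dumps(fernet_secret_manifest(nxt), indent=2))
```

Rotating {"0", "2", "3"} promotes the old staged key to "4" and prunes "2", so a token encrypted under the old primary "3" stays decryptable for one more rotation. With max_active_keys set to N and a fixed rotation interval I, a token remains decryptable for at least (N-2)·I, so N has to be chosen from the token expiry and the rotation period rather than left at a small default, and rotation must only ever run from one place, otherwise two rotators racing on the same secret will each promote a different staged key.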
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/428074
Committed: https://git.openstack.org/cgit/openstack/fuel-ccp-keystone/commit/?id=cef1b979ba6ca4dba34e815e860d28cc7f6440c6
Submitter: Jenkins
Branch: master

commit cef1b979ba6ca4dba34e815e860d28cc7f6440c6
Author: Dmitry Klenov <email address hidden>
Date: Fri Jan 27 07:08:58 2017 +0000

    Enable fernet keys generation

    This change effectively enables fernet keys generation and their
    usage via the mechanism of k8s secrets. Legacy approach with
    pre-generated fernet key is removed.

    Change-Id: Ibdf0a0eafb48930d5536f35511be78c1e5df9921
    Partial-Bug: #1651392
    Partial-Bug: #1651394
    Depends-On: Iaaede4ccb94c99d70f3ecad040d5ab6c41428c5e
    Depends-On: I577b3f36a12d14b4b5d546d9633d4629eb5d8a37

Dmitry Klenov (dklenov)
Changed in fuel-ccp:
status: In Progress → Fix Committed