keystone fernet key issuance should be redesigned not to use swift tempurls
Bug #1870463 reported by Ade Lee
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| tripleo | New | Undecided | Unassigned | |
Bug Description
keystone fernet keys are uploaded to controllers in the initial deploy through swift tempurls.
If those keys are not rotated often, the swift tempurl could expire, resulting in bugs being reported like the following:
https:/
We should redesign this whole issuance process to avoid tempurls to begin with.
> keystone fernet keys are uploaded to controllers in the initial deploy through swift tempurls.
That's probably not correct.
Initial configuration of fernet_keys[1] is done with puppet and subsequently rotated using ansible playbooks[2] (earlier with a mistral workflow that used to call the ansible playbook[3])
In the bz you mentioned, the customer was using the DeployArtifactURLs[4] interface to replace fernet keys (that can pull content from any accessible url, not only a swift temp url[4]). I think that was one of the recommended ways to rotate fernet keys in earlier versions, before the playbooks were added, but not any more.
So, someone can use the new playbook on master or the mistral workflow in older releases to rotate keys. I don't think the DeployArtifactURLs interface should be used anymore, and I don't think there is anything to be fixed for this bug.
[1] https://github.com/openstack/puppet-keystone/blob/master/manifests/init.pp#L943-L966
[2] https://github.com/openstack/tripleo-ansible/blob/master/tripleo_ansible/playbooks/rotate-fernet-keys.yaml
[3] https://github.com/openstack/tripleo-common/blob/stable/queens/workbooks/fernet-key-rotate.yaml
[4] https://github.com/openstack/tripleo-heat-templates/blob/master/common/deploy-steps.j2#L146-L150
[5] https://github.com/openstack/tripleo-common/blob/master/scripts/upload-swift-artifacts
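The rotation that the playbook and workflow referenced above carry out follows keystone's fernet key repository layout: index 0 is the staged key, the highest index is the primary key that encrypts new tokens, and the indices in between are secondaries kept only to validate older tokens. The following is an added example modelling that scheme on an in-memory mapping; it is not code from this bug, from keystone or from tripleo-ansible, and `MAX_ACTIVE_KEYS`, `rotate` and `new_fernet_key` are names chosen here.

```python
import os
import base64

# keystone's default for [fernet_tokens] max_active_keys; the count includes the staged key.
MAX_ACTIVE_KEYS = 3


def new_fernet_key():
    """Return a fresh fernet key: 32 random bytes, URL-safe base64 encoded."""
    return base64.urlsafe_b64encode(os.urandom(32)).decode()


def is_valid_fernet_key(key):
    """A usable key must decode to exactly 32 bytes (16 signing + 16 encryption)."""
    try:
        return len(base64.urlsafe_b64decode(key)) == 32
    except (ValueError, TypeError):
        return False


def primary_index(keys):
    """The highest index in the repository is the key used for encryption."""
    return max(keys)


def rotate(keys, max_active_keys=MAX_ACTIVE_KEYS):
    """Rotate a keystone-style key mapping {index: key} and return a new mapping.

    Steps mirror the repository rotation: the staged key (0) is promoted to the
    new primary (old primary + 1), a new staged key is generated at index 0, and
    the lowest-numbered secondaries are dropped until at most max_active_keys
    keys remain. The input mapping is left untouched.
    """
    if 0 not in keys:
        raise ValueError("key repository has no staged key at index 0")
    rotated = dict(keys)
    rotated[primary_index(keys) + 1] = rotated.pop(0)  # promote staged -> primary
    rotated[0] = new_fernet_key()                       # new staged key
    while len(rotated) > max_active_keys:
        oldest = min(i for i in rotated if i != 0)      # never purge the staged key
        del rotated[oldest]
    return rotated


if __name__ == "__main__":
    repo = {0: new_fernet_key(), 1: new_fernet_key()}   # constructed initial repository
    for _ in range(3):
        repo = rotate(repo)
        print(sorted(repo), "primary =", primary_index(repo))
```

Tokens issued under a purged index can no longer be validated, which is why the rotation interval must be shorter than the token lifetime times the number of retained keys.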