The task for keystone is missing a 'per service' entry for its config
augments. This means, for example, that users could not add:
/etc/kolla/config/keystone/keystone-fernet.conf
or
/etc/kolla/config/keystone/keystone.conf
and have keystone.conf augmented for those services only.
Change-Id: I8d2570b4a52dc6c3552397b0a6fa7866133dc2f1
Closes-Bug: #1646898

Currently, policy.json is put in
"{{ node_config_directory }}/{{ service_name }}"
on target nodes.
Relocate policy.json to "{{ node_config_directory }}/{{ item }}",
where item is the corresponding service component config directory.
Currently, the policy.json is copied to all services, but it
should be reviewed and left only in the necessary services
(in many cases, only the API service needs it).
Redundant files will be removed in a follow-up patchset.
Change-Id: I0e997dccf4ec438c9c0436db71ec2fd06650f50d
Closes-Bug: #1639686

Allow operators to use their custom policy files.
Avoid maintaining policy files in kolla repos, only copying
the files when an operator adds their custom config.
Implements: blueprint custom-policies
Change-Id: Icf3c961b87cbc7a1f1dd2ffbfffcf271d151d862

* install openssh client in keystone-fernet container
* install rsync in keystone-ssh container
* fix syntax issue in ssh configuration
* copy ssh configuration into keystone-fernet container
* copy id_rsa.pub into keystone-ssh container
* copy id_rsa into keystone-fernet container
* use full path to ssh binary in used scripts
* add missing newlines at EOF
* when using type source set /var/lib/keystone as home
directory for the user keystone
Co-Authored-By: Jeffrey Zhang <jeffrey.zhang@99cloud.net>
Change-Id: Id6b41030056a69f6516a054beb2fc0e08226e876
Closes-bug: #1623013

The use of the admin_token_auth middleware presents a security risk
and was removed from [pipeline:api_v3], [pipeline:admin_api],
and [pipeline:public_api].
Change-Id: I3a3ca2e74c0ae341105d3481f97956c6da473046
Closes-bug: #1587747

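The admin_token_auth middleware accepts the static admin_token from keystone.conf as a full-admin credential, which is why the commit above drops it from the three pipelines. The check below is an added example (not kolla's or keystone's own code): it parses a keystone-paste.ini, reports every [pipeline:*] section still carrying the filter, and strips it from the pipeline lines without touching anything else. The paste.ini text is a constructed Mitaka-era fragment, not the file kolla ships.

```python
import re

# Constructed keystone-paste.ini fragment (not kolla's shipped file): the three
# pipelines named in the commit still carry admin_token_auth.
SAMPLE_PASTE_INI = """\
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory

[pipeline:public_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service

[pipeline:admin_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service

[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3

[pipeline:public_version_api]
pipeline = cors sizelimit url_normalize public_version_service
"""

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
PIPELINE_RE = re.compile(r"^(\s*pipeline\s*=\s*)(.*)$")


def pipelines_using(paste_ini_text, filter_name="admin_token_auth"):
    """Names of [pipeline:*] sections whose pipeline still lists filter_name."""
    found, section = [], None
    for line in paste_ini_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = PIPELINE_RE.match(line)
        if m and section and section.startswith("pipeline:"):
            # exact stage match: "token_auth" must not match "admin_token_auth"
            if filter_name in m.group(2).split():
                found.append(section)
    return found


def remove_filter(paste_ini_text, filter_name="admin_token_auth"):
    """Drop filter_name from every 'pipeline =' line; all other lines (including
    the [filter:...] definition itself) are returned unchanged."""
    out = []
    for line in paste_ini_text.splitlines(keepends=True):
        body = line.rstrip("\n")
        nl = line[len(body):]
        m = PIPELINE_RE.match(body)
        if m:
            stages = [s for s in m.group(2).split() if s != filter_name]
            body = m.group(1) + " ".join(stages)
        out.append(body + nl)
    return "".join(out)


if __name__ == "__main__":
    print("still using admin_token_auth:", pipelines_using(SAMPLE_PASTE_INI))
    print("after removal:", pipelines_using(remove_filter(SAMPLE_PASTE_INI)))
```

Run it against a deployed /etc/keystone/keystone-paste.ini: an empty list from pipelines_using() is the post-fix state; leaving the [filter:admin_token_auth] definition in place is harmless because an unreferenced filter is never loaded into a pipeline.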
This addresses the ansible aspects of fernet key bootstrapping as
well as distributed key rotation.
- Bootstrapping is handled in the same way as keystone bootstrap.
- A new keystone-fernet and keystone-ssh container is created to allow
the nodes to communicate with each other (taken from nova-ssh).
- The keystone-fernet is a keystone container with crontab installed.
This will handle key rotations through keystone-manage and trigger
an rsync to push new tokens to other nodes.
- Key rotation is setup to be balanced across the keystone nodes using
a round-robin style. This ensures that any node failures will not
stop the keys from rotating. This is configured by a desired token
expiration time which then determines the cron scheduling for each
node as well as the number of fernet tokens in rotation.
- Ability for recovered node to resync with the cluster. When a node
starts it will run sanity checks to ensure that its fernet tokens
are not stale. If they are it will rsync with other nodes to ensure
its tokens are up to date.
The Docker component is implemented in:
https://review.openstack.org/#/c/349366
Change-Id: I15052c25a1d1149d364236f10ced2e2346119738
Implements: blueprint keystone-fernet-token

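The scheduling arithmetic behind the round-robin rotation described above, as an added example that is not kolla's code: it assigns each daily rotation slot to exactly one keystone node, emits that node's crontab line, sizes max_active_keys from the token expiry and rotation interval using the rule from the Keystone fernet documentation (token_expiry / rotation_interval + 2), and implements a start-up staleness check of the kind the commit describes. The exact crontab command, the push script path /usr/bin/fernet-push.sh and the "two missed rotations" staleness threshold are assumptions for illustration.

```python
import math


def max_active_keys(token_expiry_s, rotation_interval_s):
    """Keystone's documented sizing rule: token_expiry / rotation_interval + 2.
    The +2 is the staging key (index 0) plus the current primary; the quotient
    (rounded up, the conservative direction) is how many retired secondaries
    must stay on disk so that no still-valid token was signed by a deleted key."""
    if token_expiry_s <= 0 or rotation_interval_s <= 0:
        raise ValueError("token expiry and rotation interval must be positive")
    return math.ceil(token_expiry_s / rotation_interval_s) + 2


def rotation_hours(rotation_interval_h, num_nodes):
    """Round-robin assignment of the day's rotation slots to keystone nodes.
    Returns {node_index: [hours]}. Every slot has exactly one owner, so one
    failed node only skips its own slots and the others keep the keys moving."""
    if rotation_interval_h <= 0 or 24 % rotation_interval_h:
        raise ValueError("rotation interval must divide 24 hours for a daily crontab")
    if num_nodes <= 0:
        raise ValueError("need at least one keystone node")
    slots = list(range(0, 24, rotation_interval_h))
    if len(slots) % num_nodes:
        # otherwise the ownership pattern would shift from one day to the next
        raise ValueError("%d slots per day is not a multiple of %d nodes" % (len(slots), num_nodes))
    return {n: [h for i, h in enumerate(slots) if i % num_nodes == n] for n in range(num_nodes)}


def crontab_line(hours, command):
    """Minute-0 crontab entry firing at the given hours."""
    return "0 %s * * * %s" % (",".join(str(h) for h in hours), command)


def keys_are_stale(newest_key_mtime, now, rotation_interval_s, missed_rotations=2):
    """Start-up sanity check. Every rotation is pushed to all nodes, so the newest
    key on a healthy node is never older than one interval; a node that has gone
    `missed_rotations` intervals without a new key missed pushes and must resync.
    (The threshold of two intervals is an assumption, not kolla's value.)"""
    return now - newest_key_mtime > missed_rotations * rotation_interval_s


# Hypothetical command: rotate locally, then push the key directory to peers.
ROTATE_CMD = "keystone-manage fernet_rotate && /usr/bin/fernet-push.sh"

if __name__ == "__main__":
    expiry_s, interval_h, nodes = 86400, 1, 3
    print("max_active_keys =", max_active_keys(expiry_s, interval_h * 3600))
    for node, hours in rotation_hours(interval_h, nodes).items():
        print("node %d: %s" % (node, crontab_line(hours, ROTATE_CMD)))
```

With a 24-hour token expiry and hourly rotation across three nodes, node 0 rotates at 0,3,...,21, node 1 at 1,4,...,22, node 2 at 2,5,...,23, and max_active_keys must be at least 26; setting it lower silently deletes secondaries that unexpired tokens still depend on.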
Ansible's template action supports replacing keystone's wsgi default
config with custom config; it only needs the with_first_found param
added to config.yml to support this.
Change-Id: Id66302802db9a57188067982ea697f16faa1d8eb
Closes-Bug: #1609655

Currently, it is not possible to make use of Keystone domain-specific
settings, such as different domains using different
LDAP servers or SQL.
To enable, for example, domain ACME, domain settings would be
put into:
{{ node_custom_config }}keystone/domains/keystone.ACME.conf
Change-Id: I23620978c618dd4a3598d7cb74c3e9cf8c2394ac
Closes-Bug: #1599868
Signed-off-by: Dave Walker (Daviey) <email@daviey.com>

An operator may want to specify the location of custom config
files so that kolla can detect their location and merge
them with the default configs generated.
Partially implements: blueprint multi-project-config
Change-Id: Ibfb38d07a36dfa7fe25381adc34cc1d3cbe7d1e1

This type of per node configuration is required to support things like
availability zones for nova. As always, if this file doesn't exist it
doesn't get used, so this change is safe.
TrivialFix
Change-Id: Iff8172af522c2c96e5f2c173b24a5dfd4d522ed2

Convert config creation from a playbook to an action_plugin. This
reduces the complexity and confusion while retaining the same augment
structure and flexibility.
This allows us to remove the 0-byte files as requirements. They will
still be used if they are present (this means we require additional
documentation around them).
DocImpact
Closes-Bug: #1528430
Change-Id: I2c789f6be9f195c7771ca093a6d59499564b4740

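The augment structure referred to in the action-plugin commit above, the custom-config and per-node commits before it, and the per-service augment described at the top of this log all rely on the same INI merge: a generated default is overlaid, in order, by whichever operator files exist, with later files overriding individual keys and missing files simply skipped. The code below is an added example of that merge, not kolla's merge_configs plugin. The candidate path list (global.conf, <project>.conf, <project>/<service>.conf, <project>/<hostname>/<project>.conf under /etc/kolla/config) follows the order those commit messages describe but is an assumption, and the keystone.conf fragments are constructed sample inputs with the database password redacted.

```python
import configparser
import os

# Rename the magic section so "[DEFAULT]" (which keystone.conf uses heavily)
# is merged like any other section instead of leaking into every section.
_NO_DEFAULT = "__kolla_no_default__"


def _parser():
    p = configparser.ConfigParser(interpolation=None, strict=False,
                                  default_section=_NO_DEFAULT)
    p.optionxform = str  # keep option names exactly as written
    return p


def augment_paths(custom_config, project, service, hostname):
    """Candidate augment files, least to most specific (assumed order)."""
    return [
        os.path.join(custom_config, "global.conf"),
        os.path.join(custom_config, project + ".conf"),
        os.path.join(custom_config, project, service + ".conf"),
        os.path.join(custom_config, project, hostname, project + ".conf"),
    ]


def merge_ini(sources):
    """sources: iterable of (label, ini_text) in augment order. Sections are
    unioned; a later source overrides a key but leaves the rest of the section."""
    merged = _parser()
    for label, text in sources:
        overlay = _parser()
        overlay.read_string(text, source=label)
        for section in overlay.sections():
            if not merged.has_section(section):
                merged.add_section(section)
            for key, value in overlay.items(section):
                merged.set(section, key, value)
    return merged


def merge_files(base_text, paths):
    """On-disk variant: files that do not exist are skipped, as in kolla."""
    sources = [("defaults", base_text)]
    for p in paths:
        if os.path.isfile(p):
            with open(p) as fh:
                sources.append((p, fh.read()))
    return merge_ini(sources)


def as_dict(cfg):
    return {s: dict(cfg.items(s)) for s in cfg.sections()}


# Constructed sample inputs (not kolla's templates); password redacted.
KOLLA_DEFAULT = """\
[DEFAULT]
debug = False
log_dir = /var/log/kolla/keystone

[database]
connection = mysql+pymysql://keystone:REDACTED@db/keystone

[token]
provider = fernet
"""

# In-memory stand-in for the operator's files under /etc/kolla/config.
CUSTOM = {
    "/etc/kolla/config/global.conf": "[DEFAULT]\ndebug = True\n",
    "/etc/kolla/config/keystone.conf": "[token]\nexpiration = 7200\n",
    "/etc/kolla/config/keystone/keystone-fernet.conf": "[fernet_tokens]\nmax_active_keys = 26\n",
    "/etc/kolla/config/keystone/node1/keystone.conf": "[DEFAULT]\nlog_dir = /var/log/kolla/keystone-node1\n",
}


def merge_for(service, hostname, custom=CUSTOM):
    """Merge KOLLA_DEFAULT with whichever candidate augments exist in `custom`."""
    paths = augment_paths("/etc/kolla/config", "keystone", service, hostname)
    return merge_ini([("defaults", KOLLA_DEFAULT)] + [(p, custom[p]) for p in paths if p in custom])


if __name__ == "__main__":
    print(as_dict(merge_for("keystone-fernet", "node1")))
    print(as_dict(merge_for("keystone", "node2")))
```

The security-relevant property to verify in a real deployment is the precedence: a per-node file wins over a per-service file, which wins over the project-wide file, so a debug = True dropped into global.conf reaches every service unless a more specific file resets it.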
This will switch config-external to using wsgi vs eventlet for keystone.
Partially Implements: blueprint ansible-service
Change-Id: I85a88c813ed36d827916796199dad735b2d44b40

Add set_configs function that implements the flow from the proposed
ansible-multi spec. Move start.sh to config-internal.sh to preserve existing
behaviour.
config-external.sh copies the appropriate configs in from the bind-mounted
location and sets permissions and ownership appropriately.
Partially Implements: blueprint ansible-multi
Change-Id: I53fca0660451087f273fefc3c63e0d8cf1a2c096