03543a3d53
Keystone supports (and that's a default setting since Ocata) using non-persistent fernet tokens instead of UUID tokens written into the DB. This setting is in some cases better in terms of performance and manageability (no more tokens DB table cleanups). OpenStack-Helm should be able to support it. General issue with fernet tokens is that keys used to encrypt them need to be persistent and shared accross the cluster. Moreover "rotate" operation generates a new key, so key repository will change over time. This commit implements fernet tokens support by: * A 'keystone-fernet-keys' secret is created to serve as keys repository. * New fernet-setup Job will populate secret with initial keys. * New fernet-rotate CronJob will be run periodically (weekly by default) and perform key rotation operation and update the secret. * Secret is attached to keystone-api pods in /etc/keystone/fernet-tokens directory. Turns out k8s is updating secrets attached to pods automatically, so because of Keystone's fernet tokens implementation, we don't need to worry about synchronization of the key repository. Everything should be fine unless fernet-rotate job will run before all of the pods will notice the change in the secret. As in real-world scenario you would rotate your keys no more often than once an hour, this should be totally fine. Implements: blueprint keystone-fernet-tokens Change-Id: Ifc84b8c97e1a85d30eb46260582d9c58220fbf0a
OpenStack-Helm
Mission
The goal of OpenStack-Helm is to enable deployment, maintenance, and upgrading of loosely coupled OpenStack services and their dependencies individually or as part of complex environments.
Communication
- Join us on Slack - #openstack-helm
- Join us on IRC: #openstack-helm on freenode
- Community IRC Meetings: [Every Tuesday @ 3PM UTC], #openstack-meeting-5 on freenode
- Meeting Agenda Items: Agenda
Launchpad
Bugs and blueprints are tracked via OpenStack-Helm's Launchpad.
Installation and Development
Please review our documentation at Read the Docs. For quick installation, evaluation, and convenience, we have a kubeadm based all-in-one solution that runs in a Docker container. The Kubeadm-AIO set up can be found here, and the gate scripts, use are supported on any fresh Ubuntu, CentOS or Fedora machine.
This project is under active development. We encourage anyone interested in OpenStack-Helm to review our Installation documentation. Feel free to ask questions or check out our current Issues and Bugs.
To evaluate a multinode installation, follow the Bare Metal install guide.