Keystone fernet key rotation without gluster
In order to get rid of the keystone fernet key directory being
managed by a shared filesystem, this patch contains salt orchestrate states
to create the needed directories, generate ssh keys and put the public keys
on the respective nodes PRIOR to keystone installation. An rsync script
is used to copy fernet keys from the primary control node to all the rest of the
control nodes.
Change-Id: I6a11870a59301902cf1bc12624c1fd86d8e816b8
Related-PROD: PROD-19972
diff --git a/README.rst b/README.rst
index bc98bf2..a171ab2 100644
--- a/README.rst
+++ b/README.rst
@@ -811,6 +811,40 @@
#. Apply the :command:`keystone.client` state.
+Fernet-keys rotation without gluster
+------------------------------------
+
+In the future fernet keys supposed to be rotated with rsync+ssh instead of using glusterfs. By default it is assumed
+that the script will run on primary control node (ctl01) and will rotate and transfer fernet keys to secondary
+controller nodes (ctl02, ctl03). Following parameter should be set on cluster level:
+
+keystone_node_role
+
+and fernet_rotation_driver should be set to 'rsync'
+
+By default this parameter is set to "secondary" on system level along with other parameters:
+.. code-block:: yaml
+
+ keystone:
+ server:
+ role: ${_param:keystone_node_role}
+ tokens:
+ fernet_sync_nodes_list:
+ control02:
+ name: ctl02
+ enabled: True
+ control03:
+ name: ctl03
+ enabled: True
+ fernet_rotation_driver: rsync
+
+Prior to running keystone salt states ssh key should be generated and its public part should be placed on secondary controllers.
+It can be accomplished by running following orchestration state before keystone states:
+
+salt-run state.orchestrate keystone.orchestrate.deploy
+
+Currently the default fernet rotation driver is a shared filesystem
+
Documentation and Bugs
======================
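Review bot: the `.. code-block:: yaml` directive directly after the line "By default this parameter is set to "secondary" on system level along with other parameters:" has no blank line before it, so reStructuredText will parse it as a continuation of that paragraph rather than as a directive and the YAML example will not render as a code block; add an empty `+` line between them, as is already done before `keystone:`. The text also says `keystone_node_role` "should be set on cluster level" but never says to which value; since the system-level default is `secondary`, it should state explicitly which value ctl01 needs so that it acts as the primary node that rotates and transfers the keys, and it would help to say under which account the ssh key is generated and where its private part is kept, since that key gives access to the fernet key directory on the secondary controllers. The bare line `salt-run state.orchestrate keystone.orchestrate.deploy` would be clearer inside a `.. code-block:: bash` like the YAML above it rather than as paragraph text. Minor wording: "fernet keys supposed to be rotated" should read "fernet keys are supposed to be rotated", "Following parameter" should be "The following parameter", and the closing sentence "Currently the default fernet rotation driver is a shared filesystem" is missing a period and would read better as the opening sentence of the section, before the description of the rsync alternative.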