Add credential keys rsync rotation

This commit adds the ability to rotate
credential keys along with fernet keys via rsync

Change-Id: I15145556c88f5e1fd15452491ce41d1b3eec9d8e
Related-PROD: PROD-22304
diff --git a/keystone/files/fernet_keys_rotate.sh b/keystone/files/fernet_keys_rotate.sh
deleted file mode 100644
index 636e315..0000000
--- a/keystone/files/fernet_keys_rotate.sh
+++ /dev/null
@@ -1,100 +0,0 @@
-{%- from "keystone/map.jinja" import server with context -%}
-#!/bin/bash
-usage() {
-cat <<EOF
-Script for Fernet key rotation and sync
-    For additional help please use: $0 -h or --help
-    example: $0 -s
-EOF
-}
-
-if [ $# -lt "1" ]; then
-        usage
-        exit 1
-fi
-
-help_usage() {
-cat <<EOF
-Following options are supported:
-    -s  Perform sync to secondary controller nodes only
-    -r  Perform Fernet key rotation on primary controller only
-    -rs  Perform Fernet key rotation on primary controller and sync to secondary controller nodes
-EOF
-}
-
-if [ $# -lt "1" ]; then
-        usage
-        exit 1
-fi
-
-POSITIONAL=()
-while [[ $# -gt 0 ]]
-do
-key="$1"
-
-case $key in
-    -h|--help)
-    help_usage
-    shift # past argument
-    ;;
-    -s)
-    MODE="SYNC"
-    shift # past argument
-    ;;
-    -r)
-    MODE="ROTATE"
-    shift
-    ;;
-    -rs)
-    MODE="ROTATE_AND_SYNC"
-    shift
-    ;;
-    *)    # unknown option
-    echo "Unknown option. Please refer to help section by passing -h or --help option"
-    shift # past argument
-    ;;
-esac
-done
-set -- "${POSITIONAL[@]}" # restore positional parameters
-
-#Setting variables
-KEYSTONE_MANAGE_CMD="/usr/bin/keystone-manage"
-{%- if server.tokens.fernet_sync_nodes_list is defined %}
-        {%- set _nodes = [] %}
-          {%- for node_name, fernet_sync_nodes_list in server.tokens.get('fernet_sync_nodes_list', {}).iteritems() %}
-            {%- if fernet_sync_nodes_list.get('enabled', False) %}
-              {%- do _nodes.append(fernet_sync_nodes_list.name) %}
-            {%- endif %}
-          {%- endfor %}
-NODES="{{ ' '.join(_nodes) }}"
-{%- else %}
-NODES=""
-{%- endif %}
-
-if [[ ${MODE} == 'SYNC' ]]; then
-  echo "Running in SYNC mode"
-    if [[ ${NODES} != '' ]]; then
-      for NODE in ${NODES}; do
-        echo "${NODE}"
-        rsync -e 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' -avz --delete {{ server.tokens.location }}/ keystone@${NODE}:{{ server.tokens.location }}/
-      done
-    else
-      echo "List of nodes is not specified, no need for sync, exiting"
-      exit 0
-    fi
-elif [[ ${MODE} == 'ROTATE' ]]; then
-  echo "Running in ROTATE mode"
-  /usr/bin/keystone-manage --log-file /var/log/keystone/keystone-rotate.log fernet_rotate  --keystone-user keystone --keystone-group keystone
-elif [[ ${MODE} == 'ROTATE_AND_SYNC' ]]; then
-  echo "Running in ROTATE_AND_SYNC mode"
-  /usr/bin/keystone-manage --log-file /var/log/keystone/keystone-rotate.log fernet_rotate  --keystone-user keystone --keystone-group keystone
-  if [[ ${NODES} != '' ]]; then
-    for NODE in ${NODES}; do
-      echo "${NODE}"
-      rsync -e 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' -avz --delete {{ server.tokens.location }}/ keystone@${NODE}:{{ server.tokens.location }}/
-    done
-  else
-    echo "List of nodes is not specified, no need for sync, exiting"
-    exit 0
-  fi
-fi
diff --git a/keystone/files/keystone_keys_rotate.sh b/keystone/files/keystone_keys_rotate.sh
new file mode 100644
index 0000000..d71eaff
--- /dev/null
+++ b/keystone/files/keystone_keys_rotate.sh
@@ -0,0 +1,141 @@
+{%- from "keystone/map.jinja" import server with context -%}
+#!/bin/bash
+usage() {
+cat <<EOF
+Script for fernet and credential key rotation and sync
+  For additional help please use: $0 -h or --help
+  example: $0 -s -t fernet
+  exit 1
+EOF
+}
+
+if [ $# -lt "2" ]; then
+  usage
+  exit 1
+fi
+
+help_usage() {
+cat <<EOF
+Following options are supported:
+  -s|--sync  Perform keys sync to secondary controller nodes only
+  -r|--rotate  Perform keys rotation on primary controller only
+  -t|--type Possible values are "fernet" or "credential"
+EOF
+exit 0
+}
+
+POSITIONAL=()
+while [[ $# -gt 0 ]]
+do
+key="$1"
+
+case $key in
+    -h|--help)
+    help_usage
+    shift # pass argument
+    ;;
+    -s|--sync)
+    SYNC=true
+    shift # pass argument
+    ;;
+    -r|--rotate)
+    ROTATE=true
+    shift
+    ;;
+    -t|--type)
+    TYPE="$2"
+    shift
+    shift
+    ;;
+    *)    # unknown option
+    echo "Unknown option. Please refer to help section by passing -h or --help option"
+    exit 1
+    shift # pass argument
+    ;;
+esac
+done
+set -- "${POSITIONAL[@]}" # restore positional parameters
+
+#Setting variables
+START_DATE=`date +%d_%m_%Y-%H_%M`
+KEYSTONE_MANAGE_CMD="/usr/bin/keystone-manage"
+{%- if server.tokens.fernet_sync_nodes_list is defined %}
+        {%- set _nodes = [] %}
+          {%- for node_name, fernet_sync_nodes_list in server.tokens.get('fernet_sync_nodes_list', {}).iteritems() %}
+            {%- if fernet_sync_nodes_list.get('enabled', False) %}
+              {%- do _nodes.append(fernet_sync_nodes_list.name) %}
+            {%- endif %}
+          {%- endfor %}
+NODES="{{ ' '.join(_nodes) }}"
+{%- else %}
+NODES=""
+{%- endif %}
+{%- if server.credential.credential_sync_nodes_list is defined %}
+        {%- set _nodes = [] %}
+          {%- for node_name, credential_sync_nodes_list in server.credential.get('credential_sync_nodes_list', {}).iteritems() %}
+            {%- if credential_sync_nodes_list.get('enabled', False) %}
+              {%- do _nodes.append(credential_sync_nodes_list.name) %}
+            {%- endif %}
+          {%- endfor %}
+CRED_NODES="{{ ' '.join(_nodes) }}"
+{%- else %}
+CRED_NODES=""
+{%- endif %}
+FERNET_DIR="{{ server.get('tokens', {}).get('location', {}) }}/"
+CRED_DIR="{{ server.get('credential', {}).get('location', {}) }}/"
+
+run_rsync () {
+  local sync_dir=$1
+  local sync_node=$2
+  rsync -e 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' -avz --delete ${sync_dir} keystone@${sync_node}:${sync_dir}
+}
+
+run_keystone () {
+  local keystone_cmd=$1
+  ${KEYSTONE_MANAGE_CMD} --log-file /var/log/keystone/keystone-rotate.log ${keystone_cmd} --keystone-user keystone --keystone-group keystone
+}
+if !([[ ${TYPE} == "fernet" ]] || [[ ${TYPE} == "credential" ]]) ; then
+  echo "Given type is not valid - exiting"
+  exit 1
+fi
+echo "Script started at: ${START_DATE}"
+
+if [[ "${ROTATE}" = true ]] ; then
+  if [[ ${TYPE} == "fernet" ]] ; then
+    echo "Running in Fernet ROTATE mode"
+    run_keystone "fernet_rotate"
+  else
+    echo "Running in Credential ROTATE mode"
+    if !(run_keystone "credential_rotate") ; then
+      echo "Credential rotate exited with fail status, calling credential_migrate and then credential_rotate again"
+      run_keystone "credential_migrate"
+      sleep 5
+      run_keystone "credential_rotate"
+    fi
+  fi
+fi
+if [[ "${SYNC}" = true ]] ; then
+  if [[ ${TYPE} == "fernet" ]] ; then
+    echo "Running in Fernet SYNC mode"
+    if [[ ${NODES} != '' ]]; then
+      for NODE in ${NODES}; do
+        echo "${NODE}"
+        run_rsync "${FERNET_DIR}" "${NODE}"
+      done
+    else
+      echo "List of nodes is not specified, no need for sync, exiting"
+      exit 0
+    fi
+  else
+    echo "Running in Credential SYNC mode"
+    if [[ ${CRED_NODES} != '' ]]; then
+      for NODE in ${CRED_NODES}; do
+        echo "${NODE}"
+        run_rsync "${CRED_DIR}" "${NODE}"
+      done
+    else
+      echo "List of nodes is not specified, no need for sync, exiting"
+      exit 0
+    fi
+  fi
+fi
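Review bot: `run_rsync` pushes the fernet and credential key material to other hosts with `ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no`, so the primary never verifies which host is receiving the keys; the ssh options should instead point at a populated known_hosts file and keep strict checking on, e.g. `rsync -e 'ssh -o StrictHostKeyChecking=yes' -avz --delete "${sync_dir}" "keystone@${sync_node}:${sync_dir}"` (presumably the same mine mechanism that already distributes the primary's public key could publish the secondaries' host keys). `FERNET_DIR` and `CRED_DIR` default to the Jinja literal `{}` when the `location` key is missing, which renders as the relative path `{}/` and is then handed to `rsync --delete`; either keep the strict `server.tokens.location` lookup of the old script so rendering fails loudly, or check the variable is a real directory before calling `run_rsync`. Minor: the `usage` heredoc prints a literal `exit 1` line, and the `shift` after `exit 1` in the unknown-option branch is unreachable.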
diff --git a/keystone/orchestrate/get_keystone_public_key.sls b/keystone/orchestrate/get_keystone_public_key.sls
index 3904702..ecd66c8 100644
--- a/keystone/orchestrate/get_keystone_public_key.sls
+++ b/keystone/orchestrate/get_keystone_public_key.sls
@@ -4,13 +4,20 @@
 {% if server.tokens.get('fernet_rotation_driver', 'shared_filesystem') == 'rsync' %}
 {%- set authorized_keys = salt['mine.get']('I@keystone:server:role:primary', 'keystone_public_key', 'compound') %}
 
-keystone_fernet_keys:
+keystone_fernet_keys_dir:
   file.directory:
   - name: {{ server.tokens.location }}
   - mode: 750
   - user: keystone
   - group: keystone
 
+keystone_credential_keys_dir:
+  file.directory:
+  - name: {{ server.credential.location }}
+  - mode: 750
+  - user: keystone
+  - group: keystone
+
 /var/lib/keystone/.ssh:
   file.directory:
     - user: keystone
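Review bot: The new `keystone_credential_keys_dir` state sits inside the `fernet_rotation_driver == 'rsync'` condition on the first context line, so a pillar that enables rsync only for `credential_rotation_driver` (which server.sls in this same change now accepts) would presumably get neither the credential keys directory nor the rest of this block; the guard should mirror server.sls, `{% if server.get('tokens', {}).get('fernet_rotation_driver', 'shared_filesystem') == 'rsync' or server.get('credential', {}).get('credential_rotation_driver', 'shared_filesystem') == 'rsync' %}`. The new state also dereferences `server.credential.location` directly, which fails to render on pillars without a `credential` section, whereas server.sls uses `server.get('credential', {})`; the two files should use the same access pattern. The enclosing `{% if %}` closes outside this hunk.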
diff --git a/keystone/server.sls b/keystone/server.sls
index 6e236c4..4c3e17c 100644
--- a/keystone/server.sls
+++ b/keystone/server.sls
@@ -331,34 +331,35 @@
   - onlyif: /bin/false
     {%- endif %}
 
-  {% if server.tokens.get('fernet_rotation_driver', 'shared_filesystem') == 'rsync' %}
+  {% if server.get('tokens', {}).get('fernet_rotation_driver', 'shared_filesystem') == 'rsync' or server.get('credential', {}).get('credential_rotation_driver', 'shared_filesystem') == 'rsync' %}
     {% if server.get('role', 'secondary') == 'primary' %}
-/var/lib/keystone/fernet_keys_rotate.sh:
+/var/lib/keystone/keystone_keys_rotate.sh:
   file.managed:
-  - source: salt://keystone/files/fernet_keys_rotate.sh
+  - source: salt://keystone/files/keystone_keys_rotate.sh
   - template: jinja
   - user: keystone
   - group: keystone
   - mode: 744
   - require:
     - pkg: keystone_packages
-    - file: keystone_fernet_keys
-    - cmd: keystone_fernet_setup
+    {%- endif %}
+  {%- endif %}
 
-run_fernet_rotation_script_in_sync_mode:
+  {% if server.get('tokens', {}).get('fernet_rotation_driver', 'shared_filesystem') == 'rsync' %}
+    {% if server.get('role', 'secondary') == 'primary' %}
+run_fernet_rotation_sync_only:
   cmd.run:
-    - name: /var/lib/keystone/fernet_keys_rotate.sh -s
+    - name: /var/lib/keystone/keystone_keys_rotate.sh -s -t fernet
     - runas: keystone
     - require:
-      - pkg: keystone_packages
-      - file: /var/lib/keystone/fernet_keys_rotate.sh
-
+      - cmd: keystone_fernet_setup
+      - file: /var/lib/keystone/keystone_keys_rotate.sh
     {%- endif %}
   {%- endif %}
 
 {% endif %}
 
-{%- if server.version in ['newton', 'ocata', 'pike'] %}
+{%- if server.version not in ['mitaka'] %}
 keystone_credential_keys:
   file.directory:
   - name: {{ server.credential.location }}
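Review bot: `run_fernet_rotation_sync_only` is a plain `cmd.run` that only `require`s its dependencies, so every highstate of the primary re-runs `keystone_keys_rotate.sh -s -t fernet`, which rsyncs with `--delete` over the secondaries' key directory; the same applies to `run_credential_rotation_sync_only` in the next hunk. Unless an unconditional push on every run is intended, `onchanges: - cmd: keystone_fernet_setup` (and `onchanges: - cmd: keystone_credential_setup` for the credential state) would limit the sync to runs where the keys were actually (re)initialised. The `file.managed` for the script also dropped its `require` on the fernet keys directory and setup; that looks deliberate now that the script is rendered whenever either driver is rsync, but the Jinja block enclosing the first state starts outside this hunk, so the resulting ordering is worth confirming.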
@@ -378,6 +379,18 @@
   - onlyif: /bin/false
     {%- endif %}
 
+  {% if server.get('credential', {}).get('credential_rotation_driver', 'shared_filesystem') == 'rsync' %}
+    {% if server.get('role', 'secondary') == 'primary' %}
+run_credential_rotation_sync_only:
+  cmd.run:
+    - name: /var/lib/keystone/keystone_keys_rotate.sh -s -t credential
+    - runas: keystone
+    - require:
+      - cmd: keystone_credential_setup
+      - file: /var/lib/keystone/keystone_keys_rotate.sh
+    {%- endif %}
+  {%- endif %}
+
 {%- endif %}
 
 {%- if server.version not in ['mitaka', 'newton', 'ocata', 'pike'] %}