1.3. Rotating the Fernet keys by using the Workflow service
By default, director manages the overcloud Fernet keys. This setting is managed in an environment file using ManageKeystoneFernetKeys. As a result, the Fernet keys are stored in the Workflow service (mistral), in the KeystoneFernetKeys section. This approach means that you can rotate the Fernet keys with the Workflow service and the keys persist after stack updates.
Procedure
1. Review the existing Fernet keys:

    a. Identify the Fernet key location. Log in to a Controller node as the heat-admin user and use the crudini command to query the Fernet key repository path:

        [stack@<undercloud_host> ~]$ ssh heat-admin@overcloud-controller-0
        [heat-admin@overcloud-controller-0 ~]$ sudo crudini --get /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf fernet_tokens key_repository
        /etc/keystone/fernet-keys

    Note: The /etc/keystone/ directory refers to the container file system path.

    b. Inspect the current Fernet key directories:

        [heat-admin@overcloud-controller-0 ~]$ sudo ls /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys
        0  1  2
    0 - Contains the staged key, which becomes the next primary key and is always numbered 0.
    1 - Contains the secondary key.
    2 - Contains the primary key. This number increments each time that the keys rotate. The highest number always serves as the primary key.

    Note:
    - The maximum number of keys is set with the max_active_keys property. The default is 5 keys.
    - The keys propagate across all Controller nodes.
2. Rotate the Fernet keys by using the workflow command:

        [stack@director ~]$ source ~/stackrc
        [stack@director ~]$ openstack workflow execution create tripleo.fernet_keys.v1.rotate_fernet_keys '{"container": "overcloud"}'
        +-------------------+-------------------------------------------+
        | Field             | Value                                     |
        +-------------------+-------------------------------------------+
        | ID                | 58c9c664-b966-4f82-b368-af5ed8de5b47      |
        | Workflow ID       | 78f0990a-3d34-4bf2-a127-10c149bb275c      |
        | Workflow name     | tripleo.fernet_keys.v1.rotate_fernet_keys |
        | Description       |                                           |
        | Task Execution ID | <none>                                    |
        | State             | RUNNING                                   |
        | State info        | None                                      |
        | Created at        | 2017-12-20 11:13:50                       |
        | Updated at        | 2017-12-20 11:13:50                       |
        +-------------------+-------------------------------------------+
Verification

1. Use the execution ID from the previous step to confirm that the workflow completed successfully (the State field must read SUCCESS):

        [stack@director ~]$ openstack workflow execution show 58c9c664-b966-4f82-b368-af5ed8de5b47
        +-------------------+-------------------------------------------+
        | Field             | Value                                     |
        +-------------------+-------------------------------------------+
        | ID                | 58c9c664-b966-4f82-b368-af5ed8de5b47      |
        | Workflow ID       | 78f0990a-3d34-4bf2-a127-10c149bb275c      |
        | Workflow name     | tripleo.fernet_keys.v1.rotate_fernet_keys |
        | Description       |                                           |
        | Task Execution ID | <none>                                    |
        | State             | SUCCESS                                   |
        | State info        | None                                      |
        | Created at        | 2017-12-20 11:13:50                       |
        | Updated at        | 2017-12-20 11:15:00                       |
        +-------------------+-------------------------------------------+

2. On the Controller node, review the number of Fernet keys and compare it with the previous result:

        [heat-admin@overcloud-controller-0 ~]$ sudo ls /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys
        0  1  2  3
    0 - Contains the staged key and is always numbered 0. This key becomes the primary key during the next rotation.
    1 & 2 - Contain the secondary keys.
    3 - Contains the primary key. This number increments each time the keys rotate. The highest number always serves as the primary key.

    Note:
    - The maximum number of keys is set with the max_active_keys property. The default is 5 keys.
    - The keys propagate across all Controller nodes.
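The following shell script is an added illustration; it is not part of the Red Hat documentation or of the TripleO workflow code. It reproduces the key repository layout shown in the listings above and simulates the rotation that the workflow performs on each Controller: the staged key 0 is promoted to the new primary, a fresh staged key 0 is written, and the lowest-numbered secondary keys are pruned once the repository holds more than max_active_keys keys. It also provides an audit function for checking a repository after a rotation and a polling helper for the workflow state. The temporary directories and random key contents are constructed for the demonstration; the polling helper assumes the openstack CLI with a sourced stackrc and is not exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not from the documentation): model the Fernet key repository,
# simulate a rotation, and audit the result. Random 32-byte base64 strings
# stand in for the real keys; directories are temporary and constructed here.
set -eu

# Primary key number: the highest-numbered file in the repository.
fernet_primary() {
    ls "$1" | sort -n | tail -n 1
}

# Secondary key numbers: every key except 0 (staged) and the primary.
fernet_secondaries() {
    local primary
    primary=$(fernet_primary "$1")
    ls "$1" | sort -n | awk -v p="$primary" '$1 != 0 && $1 != p' | tr '\n' ' ' | sed 's/ $//'
}

# Total number of keys (staged + secondaries + primary).
fernet_key_count() {
    ls "$1" | wc -l | tr -d ' '
}

# Build a constructed repository holding keys 0..N.
make_repo() {  # make_repo <dir> <highest_key_number>
    local dir=$1 n=$2 i
    mkdir -p "$dir"
    for i in $(seq 0 "$n"); do
        head -c 32 /dev/urandom | base64 > "$dir/$i"
    done
}

# Simulate one rotation, following keystone's documented fernet_rotate model:
#   1. staged key 0 becomes the new primary (old primary + 1)
#   2. a new staged key 0 is generated
#   3. while more than max_active_keys remain, drop the lowest-numbered secondary
rotate_repo() {  # rotate_repo <dir> <max_active_keys>
    local dir=$1 max=$2 primary new_primary oldest
    primary=$(fernet_primary "$dir")
    new_primary=$((primary + 1))
    mv "$dir/0" "$dir/$new_primary"
    head -c 32 /dev/urandom | base64 > "$dir/0"
    while [ "$(fernet_key_count "$dir")" -gt "$max" ]; do
        oldest=$(ls "$dir" | sort -n | awk '$1 != 0' | head -n 1)
        rm "$dir/$oldest"
    done
}

# Health check a defender runs after a rotation: staged key present, key count
# within max_active_keys, and a primary key (number >= 1) available.
audit_repo() {  # audit_repo <dir> <max_active_keys>  -> exit 0 if healthy
    local dir=$1 max=$2 count
    [ -f "$dir/0" ] || { echo "FAIL: no staged key 0 in $dir"; return 1; }
    count=$(fernet_key_count "$dir")
    [ "$count" -le "$max" ] || { echo "FAIL: $count keys exceed max_active_keys=$max"; return 1; }
    [ "$(fernet_primary "$dir")" -ge 1 ] || { echo "FAIL: no primary key in $dir"; return 1; }
    echo "OK: primary=$(fernet_primary "$dir") secondaries=[$(fernet_secondaries "$dir")] count=$count"
}

# Poll a Mistral workflow execution until it leaves RUNNING and print the final
# state. Assumes the openstack CLI and a sourced stackrc (hypothetical usage,
# not run in the offline demo).
wait_for_workflow() {  # wait_for_workflow <execution_id> [interval_seconds]
    local state
    while :; do
        state=$(openstack workflow execution show "$1" -f value -c State)
        [ "$state" = "RUNNING" ] || { echo "$state"; break; }
        sleep "${2:-10}"
    done
}

# Offline demonstration mirroring the listings in the procedure.
demo() {
    local repo
    repo=$(mktemp -d)
    make_repo "$repo" 2               # "0 1 2": the layout before rotation
    audit_repo "$repo" 5
    rotate_repo "$repo" 5             # "0 1 2 3": the layout in the Verification step
    audit_repo "$repo" 5
    rotate_repo "$repo" 5; rotate_repo "$repo" 5; rotate_repo "$repo" 5
    audit_repo "$repo" 5              # "0 3 4 5 6": max_active_keys=5 has pruned 1 and 2
    rm -rf "$repo"
}
demo
```

On a Controller, running `audit_repo /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys 5` as root checks the live repository against the default max_active_keys; the simulation shows why the listing grows from `0 1 2` to `0 1 2 3` after one rotation and then settles at five keys as the oldest secondaries are purged.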