Keystone Fernet keys rotation
This blueprint aims to make Keystone Fernet key rotation work in a TripleO multinode environment in a way that scales, is secure, and is friendly to operators.
Blueprint information
- Status: Complete
- Approver: Emilien Macchi
- Priority: High
- Drafter: Emilien Macchi
- Direction: Approved
- Assignee: Juan Antonio Osorio Robles
- Definition: Approved
- Series goal: Accepted for pike
- Implementation: Implemented
- Milestone target: pike-3
- Started by: Emilien Macchi
- Completed by: Emilien Macchi
Whiteboard
Add fernet as default provider:
Add support for fernet in containerized keystone:
Address key rotation:
Gerrit topic: https:/
Undercloud work:
Addressed by: https:/
Configure Keystone Fernet Keys rotations in a secure way
Overcloud work:
WIP, currently being designed on https:/
https:/
Gerrit topic: https:/
Addressed by: https:/
Create mistral action to rotate fernet keys from passwords variable
Addressed by: https:/
Add KeystoneFernetKeys to generated passwords
Addressed by: https:/
Use KeystoneFernetKeys instead of individual parameters
Addressed by: https:/
Enable heat/puppet to manage the fernet keys and make it configurable
Addressed by: https:/
Make fernet max active keys configurable
Addressed by: https:/
Add fernet keys purging based on t-h-t parameter
Addressed by: https:/
Enable key rotation action and add release note
Addressed by: https:/
Add workbook to rotate fernet keys
Gerrit topic: https:/
Addressed by: https:/
Create ansible config file and disable retry files
(emilien) We are missing documentation on how to enable this feature. Juan, can we work on it before end of Pike?
Addressed by: https:/
Add documentation for fernet key rotation