Red Hat OpenStack Services on OpenShift / OSPRH-2020

[Dev] keystone fernet token configuration - implementation


    • Story
    • Resolution: Done
    • 13
    • OSPRH-811 - Red Hat OpenStack 18.0 Greenfield Deployment
    • DFG Security: UC Sprint 86
    • 2023Q4

      Jira Description

      As a PCP user, I want to configure fernet tokens so that I can distribute them across the cluster.

       

      Summary

      Fernet token configuration has been identified as one of the missing configuration options in the keystone operator (part of PCP) https://docs.google.com/document/d/12v3bN3o54YkkmgAKv5oooeMr-U_mWnJrLcX-gdh29J4/edit

      During the implementation it should be determined if there is a need to use extra volumes support https://docs.google.com/document/d/136x5Pq2EpwfuzBSXM-T0fdJzHc3Of57gu6XfAJZdU1U/edit

      Definition of Ready

      When can we consider the User Story to be Ready?

      1. Defined clearly enough that all members of the team understand what needs to be done
        1. Understanding keystone fernet keys, Go, K8s concepts and PCP is a prerequisite
      2. Includes any required enabling specs, wireframes, etc.
        1. This should follow the general K8s and PCP configuration methodology
      3. Fully meet INVEST criteria for User Stories
        1. This might need to be divided into 2 sprints, the initial work being to determine if we want to use extra volumes support. The extra volumes support has merged into lib-common.
      4. Dependencies are identified and there is a clear strategy for how they will be managed
        1. There are no dependencies; the steps needed to set up an environment are easy to follow

       

      Prerequisites:

      1. Have a testing environment for the Podified Control Plane with keystone and the meta operator https://issues.redhat.com/browse/OSP-19146

      Acceptance Criteria

      1. A method to distribute the key repository in the cluster for keystone containers to consume https://docs.openstack.org/keystone/queens/admin/identity-fernet-token-faq.html#where-do-i-put-my-key-repository
      2. The above should take into account the later goal of rotation, using keystone-provided tools (keystone-manage)
      3. The user should be able to configure fernet keys using both the keystone operator and the meta operator

      Definition of Done

      When can we consider the User Story to be Done?

      1. Tests created
      2. Documentation updated
      3. Merged to master
      4. Ready for the next step - fernet key rotation https://issues.redhat.com/browse/OSP-19147

              ggrasza@redhat.com Grzegorz Grasza
              hrybacki@redhat.com Harry Rybacki (Inactive)
              rhos-dfg-security