Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add fernet key rotation #478

Merged
merged 1 commit into from
Oct 18, 2024
Merged

Add fernet key rotation #478

merged 1 commit into from
Oct 18, 2024
+271 −30

Conversation

xek
Copy link
Contributor

@xek xek commented Oct 4, 2024
edited
Loading

As part of this work, we needed to implement more than 2 keys, since rotating 2 would expire sessions on every rotation. There are new settings and the defaults are the same as in "old-gen" Tripelo.

jira: OSPRH-9309

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Oct 4, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@xek
Copy link
Contributor Author

xek commented Oct 4, 2024

/test all

@xek
Copy link
Contributor Author

xek commented Oct 4, 2024

I'm keeping it as draft, since there is a mismatch of the names of mounted keys [1]. This will likely change, since
keystone-operator currently supports only 2 keys and there is ongoing work to support a variable number of keys #477

[1] https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openstack-k8s-operators_keystone-operator/478/pull-ci-openstack-k8s-operators-keystone-operator-main-keystone-operator-build-deploy-kuttl/1842180087600910336/artifacts/keystone-operator-build-deploy-kuttl/openstack-k8s-operators-gather/artifacts/must-gather/quay-io-openstack-k8s-operators-openstack-must-gather-sha256-3d1f620ae3617fbd6371f55aa948b34e9daf31a461d3c557cf1a7c2db38d0385/namespaces/openstack/cronjobs/keystone-fernet-cronjob.yaml

@xek
Copy link
Contributor Author

xek commented Oct 15, 2024

/test all

@xek
Copy link
Contributor Author

xek commented Oct 15, 2024

/test all

@xek xek force-pushed the fernet-rotation branch 2 times, most recently from 54fc55a to de882bc Compare October 17, 2024 09:20
@xek xek marked this pull request as ready for review October 17, 2024 09:21
@openshift-ci openshift-ci bot requested review from stuggi and viroel October 17, 2024 09:21
@xek
Copy link
Contributor Author

xek commented Oct 17, 2024

This pull request now also contains all changes needed in the keystone-operator to support variable number of keys

@xek xek force-pushed the fernet-rotation branch 2 times, most recently from 9444571 to 871490d Compare October 17, 2024 10:27
@dprince
Copy link
Collaborator

dprince commented Oct 17, 2024

If we land this PR please add the associated RELATED_IMAGE into the openstack-operator here: https://github.com/openstack-k8s-operators/openstack-operator/blob/main/config/default/manager_default_images.yaml

olliewalsh
olliewalsh reviewed Oct 18, 2024
View reviewed changes
controllers/keystoneapi_controller.go
}
rotatedAt, err := time.Parse(time.RFC3339, secret.Annotations[fernetAnnotation])

var duration int
Copy link
Contributor

@olliewalsh olliewalsh Oct 18, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: would move this (L1392-L1397) up so that err is checked right after setting

@afaranha @xek
Support rotation and variable number of Fernet keys
c05fc7b 
Add configuration for specifying the number of
fernet keys stored in the keystone secret.
More than 2 keys are needed, since rotating 2
keys would expire sessions on every rotation.

After configuration change, keys need to be
added/removed and rotated in the proper order,
to ensure that the sessions don't expire
prematurely.

Fernet key rotation is triggered in the reconcile
loop. The "rotated at" timestamp is set in the
secret annotation.

Co-Authored-By: Grzegorz Grasza <[email protected]>
olliewalsh
olliewalsh approved these changes Oct 18, 2024
View reviewed changes
Copy link
Contributor

@olliewalsh olliewalsh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Oct 18, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Oct 18, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: olliewalsh, xek

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit 61e711f into openstack-k8s-operators:main Oct 18, 2024
6 checks passed
@xek xek mentioned this pull request Oct 18, 2024
Draft
@xek xek changed the title Add fernet key rotation cronjob Add fernet key rotation Oct 18, 2024
@olliewalsh olliewalsh mentioned this pull request Oct 18, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stuggi stuggi stuggi left review comments

@olliewalsh olliewalsh olliewalsh approved these changes

@viroel viroel Awaiting requested review from viroel

Assignees

@olliewalsh olliewalsh

Labels
approved lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@xek @dprince @olliewalsh @stuggi @openshift-merge-robot @afaranha