diff --git a/defaults/main.yml b/defaults/main.yml
index e8aa4dc..5178fa8 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -109,7 +109,6 @@ trove_ssl_self_signed_regen: false
 trove_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
 # Database vars
-
 trove_galera_database_name: trove
 trove_galera_user: trove
 trove_galera_address: "{{ internal_lb_vip_address }}"
@@ -126,6 +125,19 @@ trove_rabbitmq_use_ssl: False
 trove_rabbitmq_port: 5672
 trove_rabbitmq_servers: "{{ rabbitmq_servers }}"
+# RPC encryption keys
+# See the Trove documentation as to the significance of the rpc encryption keys
+# Trove supplies default values but we enforce they not be left to their default values
+trove_enable_secure_rpc_messaging: "True"
+trove_required_secrets:
+ - trove_galera_password
+ - trove_rabbitmq_password
+ - trove_service_password
+ - trove_admin_user_password
+ - trove_regular_user_password
+ - trove_taskmanager_rpc_encr_key
+ - trove_inst_rpc_key_encr_key
+
 # Keystone AuthToken/Middleware
 trove_keystone_auth_plugin: "{{ trove_keystone_auth_type }}"
 trove_keystone_auth_type: password
diff --git a/doc/source/index.rst b/doc/source/index.rst
index b22a8bb..7b0cccd 100644
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@@ -17,7 +17,22 @@ Default variables
 Required variables
 ~~~~~~~~~~~~~~~~~~
-None.
+This list is not exhaustive at present. See role internals for further
+details.
+
+.. code-block:: yaml
+
+ # Service and user passwords
+ trove_galera_password:
+ trove_rabbitmq_password:
+ trove_service_password:
+ trove_admin_user_password:
+ trove_regular_user_password:
+
+ # Trove RPC encryption keys.
+ trove_taskmanager_rpc_encr_key:
+ trove_inst_rpc_key_encr_key:
+
 Dependencies
 ~~~~~~~~~~~~
diff --git a/extras/user_secrets.yml b/extras/user_secrets.yml
index 816147c..5641043 100755
--- a/extras/user_secrets.yml
+++ b/extras/user_secrets.yml
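Review bot: `trove_enable_secure_rpc_messaging: "True"` in the second defaults/main.yml hunk stores a quoted string where the surrounding file uses YAML booleans (`trove_ssl_self_signed_regen: false` in the first hunk, `trove_rabbitmq_use_ssl: False` in this one); `trove_enable_secure_rpc_messaging: true` renders the same `True` into the three templates and keeps the file's types consistent. The third new comment line says the role enforces that the keys are not left at their Trove defaults, but the check this commit adds in tasks/main.yml only tests whether each name listed in `trove_required_secrets` is set, so `# Trove ships defaults for these keys; this role requires the operator to supply their own` describes what is actually enforced.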
@@ -1,6 +1,8 @@
----
-trove_galera_password:
-trove_rabbitmq_password:
-trove_service_password:
-trove_admin_user_password:
-trove_regular_user_password:
+---
+trove_galera_password:
+trove_rabbitmq_password:
+trove_service_password:
+trove_admin_user_password:
+trove_regular_user_password:
+trove_taskmanager_rpc_encr_key:
+trove_inst_rpc_key_encr_key:
diff --git a/releasenotes/notes/rpc-encryption-b75fb0d08579a7dd.yaml b/releasenotes/notes/rpc-encryption-b75fb0d08579a7dd.yaml
new file mode 100644
index 0000000..289323b
--- /dev/null
+++ b/releasenotes/notes/rpc-encryption-b75fb0d08579a7dd.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - In the Ocata release, Trove added support for encrypting the rpc
+ communication between the guest DBaaS instances and the control plane.
+ The default values for ``trove_taskmanager_rpc_encr_key`` and
+ ``trove_inst_rpc_key_encr_key`` should be overridden to specify
+ installation specific values.
diff --git a/tasks/main.yml b/tasks/main.yml
index 8e7610a..f07d1e7 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -27,6 +27,14 @@
 tags:
 - always
+- name: Fail if our required secrets are not present
+ fail:
+ msg: "Please set the {{ item }} variable prior to applying this role."
+ when: (item is undefined) or (item is none)
+ with_items: "{{ trove_required_secrets }}"
+ tags:
+ - always
+
 - include: trove_pre_install.yml
 tags:
 - trove-install
diff --git a/templates/trove-conductor.conf.j2 b/templates/trove-conductor.conf.j2
index c5e385e..0ff7745 100644
--- a/templates/trove-conductor.conf.j2
+++ b/templates/trove-conductor.conf.j2
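Review bot: In the extras/user_secrets.yml hunk every pre-existing line from `---` to `trove_regular_user_password:` is removed and re-added with identical text while only the two `*_encr_key` entries are new, which usually means a line-ending or trailing-whitespace change came along with the edit; worth checking that the new file has plain LF endings so the secrets template stays byte-clean for operators who copy it. The `100755` mode on a variables file predates this commit, but a YAML file does not need the executable bit and this change is a natural place to drop it.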
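Review bot: The `when: (item is undefined) or (item is none)` condition in the tasks/main.yml hunk tests the loop variable itself, and with `with_items: "{{ trove_required_secrets }}"` `item` is always a defined, non-null string such as `trove_galera_password`, so the task can never fail and the new required-secret check is a no-op. The variable has to be looked up by name: `when: (vars[item] is undefined) or (vars[item] is none)`. That still lets an empty string through; if that matters, add a third clause comparing `vars[item] | string | trim` with `""` after the first two have excluded undefined and null.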
@@ -10,6 +10,8 @@ transport_url = rabbit://{% for host in trove_rabbitmq_servers.split(',') %}{{ t
 {# There must be a blank line above or the following line will be appended to the previous. #}
 control_exchange = {{ trove_control_exchange }}
+enable_secure_rpc_messaging = {{ trove_enable_secure_rpc_messaging }}
+inst_rpc_key_encr_key = {{ trove_inst_rpc_key_encr_key }}
 [profiler]
 enabled = {{ trove_profiler_enabled }}
diff --git a/templates/trove-taskmanager.conf.j2 b/templates/trove-taskmanager.conf.j2
index 2a70726..8a41973 100644
--- a/templates/trove-taskmanager.conf.j2
+++ b/templates/trove-taskmanager.conf.j2
@@ -8,6 +8,10 @@ transport_url = rabbit://{% for host in trove_rabbitmq_servers.split(',') %}{{ t
 {# There must be a blank line above or the following line will be appended to the previous. #}
 control_exchange = {{ trove_control_exchange }}
+enable_secure_rpc_messaging = {{ trove_enable_secure_rpc_messaging }}
+taskmanager_rpc_encr_key = {{ trove_taskmanager_rpc_encr_key }}
+inst_rpc_key_encr_key = {{ trove_inst_rpc_key_encr_key }}
+
 db_api_implementation = trove.db.sqlalchemy.api
 trove_auth_url = {{ trove_auth_url }}
 nova_compute_url = {{ trove_nova_compute_url }}
diff --git a/templates/trove.conf.j2 b/templates/trove.conf.j2
index f4bc351..f1552b2 100644
--- a/templates/trove.conf.j2
+++ b/templates/trove.conf.j2
@@ -9,6 +9,9 @@ transport_url = rabbit://{% for host in trove_rabbitmq_servers.split(',') %}{{ t
 {# There must be a blank line above or the following line will be appended to the previous. #}
 control_exchange = {{ trove_control_exchange }}
+enable_secure_rpc_messaging = {{ trove_enable_secure_rpc_messaging }}
+inst_rpc_key_encr_key = {{ trove_inst_rpc_key_encr_key }}
+
 db_api_implementation = "trove.db.sqlalchemy.api"
 trove_auth_url = {{ trove_auth_url }}
 os_region_name = {{ trove_service_region }}
diff --git a/tests/os_trove-overrides.yml b/tests/os_trove-overrides.yml
index 833712a..bcc968d 100644
--- a/tests/os_trove-overrides.yml
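Review bot: In the trove-conductor.conf.j2 hunk, and likewise in trove-taskmanager.conf.j2 and trove.conf.j2, `inst_rpc_key_encr_key` (plus `taskmanager_rpc_encr_key` in the taskmanager file) is rendered in clear into the service configuration, so these three files now hold key material alongside the database and RabbitMQ credentials already in them; the tasks that write them are outside this diff, so confirm they keep the files owned by the service user with a non-world-readable mode. A comment such as `{# RPC encryption keys: this file must stay readable by the trove service user only #}` above the new lines would record that expectation for the next editor. The config section these lines belong to starts outside all three hunks.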
+++ b/tests/os_trove-overrides.yml
@@ -31,6 +31,8 @@ trove_requirements_git_install_branch: master
 trove_service_password: "secrete"
 trove_regular_user_password: "secrete"
 trove_admin_user_password: "secrete"
+trove_taskmanager_rpc_encr_key: bzH6y0SGmjuoY0FNSTptrhgieGXNDX6PIhvz
+trove_inst_rpc_key_encr_key: emYjgHFqfXNB1NGehAFIUeoyw4V4XwWHEaKP
 trove_service_project_domain_id: default
 trove_service_project_name: service
 trove_service_region: RegionOne
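Review bot: The two values added in tests/os_trove-overrides.yml, `bzH6y0SGmjuoY0FNSTptrhgieGXNDX6PIhvz` and `emYjgHFqfXNB1NGehAFIUeoyw4V4XwWHEaKP`, appear to be the upstream Trove defaults that this commit's release note says should be overridden, and the presence check added in tasks/main.yml accepts them. In a test fixture that is functionally harmless, but the role's own test run then never exercises a non-default key and the file invites copy-paste into real deployments; an obviously constructed value of the same length per key would make the intent clear. Whichever values are used, quote them as strings (`trove_taskmanager_rpc_encr_key: "<constructed-test-key>"`) so a future key made only of digits is not retyped by the YAML parser.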