From b948402c76d6188caa7be376098354cdb850d638 Mon Sep 17 00:00:00 2001
From: "Kyle L. Henderson"
Date: Thu, 23 Mar 2017 15:36:24 -0500
Subject: [PATCH] Add RPC encryption key support
In the Ocata release, trove added support for encrypting the rpc communication between the guest instances and the control plane. These settings allow the user to specify installation specific keys versus using the default keys.
Change-Id: Ie42d754d58e983a15b553ad8a399813c9a700344
---
 defaults/main.yml | 14 +++++++++++++-
 doc/source/index.rst | 17 ++++++++++++++++-
 extras/user_secrets.yml | 14 ++++++++------
 .../notes/rpc-encryption-b75fb0d08579a7dd.yaml | 7 +++++++
 tasks/main.yml | 8 ++++++++
 templates/trove-conductor.conf.j2 | 2 ++
 templates/trove-taskmanager.conf.j2 | 4 ++++
 templates/trove.conf.j2 | 3 +++
 tests/os_trove-overrides.yml | 2 ++
 9 files changed, 63 insertions(+), 8 deletions(-)
 create mode 100644 releasenotes/notes/rpc-encryption-b75fb0d08579a7dd.yaml
diff --git a/defaults/main.yml b/defaults/main.yml
index e8aa4dc..5178fa8 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -109,7 +109,6 @@ trove_ssl_self_signed_regen: false
 trove_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
 # Database vars
-
 trove_galera_database_name: trove
 trove_galera_user: trove
 trove_galera_address: "{{ internal_lb_vip_address }}"
@@ -126,6 +125,19 @@ trove_rabbitmq_use_ssl: False
 trove_rabbitmq_port: 5672
 trove_rabbitmq_servers: "{{ rabbitmq_servers }}"
+# RPC encryption keys
+# See the Trove documentation as to the significance of the rpc encryption keys
+# Trove supplies default values but we enforce they not be left to their default values
+trove_enable_secure_rpc_messaging: "True"
+trove_required_secrets:
+ - trove_galera_password
+ - trove_rabbitmq_password
+ - trove_service_password
+ - trove_admin_user_password
+ - trove_regular_user_password
+ - trove_taskmanager_rpc_encr_key
+ - trove_inst_rpc_key_encr_key
+
 # Keystone AuthToken/Middleware
 trove_keystone_auth_plugin: "{{ trove_keystone_auth_type }}"
 trove_keystone_auth_type: password
diff --git a/doc/source/index.rst b/doc/source/index.rst
index b22a8bb..7b0cccd 100644
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@@ -17,7 +17,22 @@ Default variables
 Required variables
 ~~~~~~~~~~~~~~~~~~
-None.
+This list is not exhaustive at present. See role internals for further
+details.
+
+.. code-block:: yaml
+
+ # Service and user passwords
+ trove_galera_password:
+ trove_rabbitmq_password:
+ trove_service_password:
+ trove_admin_user_password:
+ trove_regular_user_password:
+
+ # Trove RPC encryption keys.
+ trove_taskmanager_rpc_encr_key:
+ trove_inst_rpc_key_encr_key:
+
 Dependencies
 ~~~~~~~~~~~~
diff --git a/extras/user_secrets.yml b/extras/user_secrets.yml
index 816147c..5641043 100755
--- a/extras/user_secrets.yml
+++ b/extras/user_secrets.yml
@@ -1,6 +1,8 @@
----
-trove_galera_password:
-trove_rabbitmq_password:
-trove_service_password:
-trove_admin_user_password:
-trove_regular_user_password:
+---
+trove_galera_password:
+trove_rabbitmq_password:
+trove_service_password:
+trove_admin_user_password:
+trove_regular_user_password:
+trove_taskmanager_rpc_encr_key:
+trove_inst_rpc_key_encr_key:
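Review bot: The comment added above `trove_enable_secure_rpc_messaging` states that the role enforces the keys are not left at their default values, but nothing in this patch compares the supplied values against Trove's defaults; the only guard (the fail task in tasks/main.yml) tests for unset/null, so the comment overstates what is checked. Suggest `# Trove supplies default values; this role requires these variables to be set but does not verify they differ from the upstream defaults`. Separately, `trove_enable_secure_rpc_messaging: "True"` is a quoted string rather than a YAML boolean; it renders correctly into the oslo.config ini files, but a bare `true` follows the file's convention (cf. `trove_ssl_self_signed_regen: false`) and avoids a truthy-string surprise if anyone later conditions on it in Ansible.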
diff --git a/releasenotes/notes/rpc-encryption-b75fb0d08579a7dd.yaml b/releasenotes/notes/rpc-encryption-b75fb0d08579a7dd.yaml
new file mode 100644
index 0000000..289323b
--- /dev/null
+++ b/releasenotes/notes/rpc-encryption-b75fb0d08579a7dd.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - In the Ocata release, Trove added support for encrypting the rpc
+ communication between the guest DBaaS instances and the control plane.
+ The default values for ``trove_taskmanager_rpc_encr_key`` and
+ ``trove_inst_rpc_key_encr_key`` should be overridden to specify
+ installation specific values.
diff --git a/tasks/main.yml b/tasks/main.yml
index 8e7610a..f07d1e7 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -27,6 +27,14 @@
 tags:
 - always
+- name: Fail if our required secrets are not present
+ fail:
+ msg: "Please set the {{ item }} variable prior to applying this role."
+ when: (item is undefined) or (item is none)
+ with_items: "{{ trove_required_secrets }}"
+ tags:
+ - always
+
 - include: trove_pre_install.yml
 tags:
 - trove-install
diff --git a/templates/trove-conductor.conf.j2 b/templates/trove-conductor.conf.j2
index c5e385e..0ff7745 100644
--- a/templates/trove-conductor.conf.j2
+++ b/templates/trove-conductor.conf.j2
@@ -10,6 +10,8 @@ transport_url = rabbit://{% for host in trove_rabbitmq_servers.split(',') %}{{ t
 {# There must be a blank line above or the following line will be appended to the previous. #}
 control_exchange = {{ trove_control_exchange }}
+enable_secure_rpc_messaging = {{ trove_enable_secure_rpc_messaging }}
+inst_rpc_key_encr_key = {{ trove_inst_rpc_key_encr_key }}
 [profiler]
 enabled = {{ trove_profiler_enabled }}
diff --git a/templates/trove-taskmanager.conf.j2 b/templates/trove-taskmanager.conf.j2
index 2a70726..8a41973 100644
--- a/templates/trove-taskmanager.conf.j2
+++ b/templates/trove-taskmanager.conf.j2
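Review bot: The `when` on the new "Fail if our required secrets are not present" task tests `item` itself, and `item` is always a defined, non-null string taken from `trove_required_secrets` (the literal name `trove_galera_password`, and so on), so the condition is never true and an unset key silently reaches the templates as an empty value. The condition has to dereference the variable named by the string, e.g. `when: (vars[item] is undefined) or (vars[item] is none)`. An empty string would still pass both tests; extras/user_secrets.yml ships the keys with no value (null, which `is none` catches), but an operator who fills in `""` is not caught, so a length check may be worth adding once the dereference is fixed. The task list this hunk sits in continues outside the hunk.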
@@ -8,6 +8,10 @@ transport_url = rabbit://{% for host in trove_rabbitmq_servers.split(',') %}{{ t
 {# There must be a blank line above or the following line will be appended to the previous. #}
 control_exchange = {{ trove_control_exchange }}
+enable_secure_rpc_messaging = {{ trove_enable_secure_rpc_messaging }}
+taskmanager_rpc_encr_key = {{ trove_taskmanager_rpc_encr_key }}
+inst_rpc_key_encr_key = {{ trove_inst_rpc_key_encr_key }}
+
 db_api_implementation = trove.db.sqlalchemy.api
 trove_auth_url = {{ trove_auth_url }}
 nova_compute_url = {{ trove_nova_compute_url }}
diff --git a/templates/trove.conf.j2 b/templates/trove.conf.j2
index f4bc351..f1552b2 100644
--- a/templates/trove.conf.j2
+++ b/templates/trove.conf.j2
@@ -9,6 +9,9 @@ transport_url = rabbit://{% for host in trove_rabbitmq_servers.split(',') %}{{ t
 {# There must be a blank line above or the following line will be appended to the previous. #}
 control_exchange = {{ trove_control_exchange }}
+enable_secure_rpc_messaging = {{ trove_enable_secure_rpc_messaging }}
+inst_rpc_key_encr_key = {{ trove_inst_rpc_key_encr_key }}
+
 db_api_implementation = "trove.db.sqlalchemy.api"
 trove_auth_url = {{ trove_auth_url }}
 os_region_name = {{ trove_service_region }}
diff --git a/tests/os_trove-overrides.yml b/tests/os_trove-overrides.yml
index 833712a..bcc968d 100644
--- a/tests/os_trove-overrides.yml
+++ b/tests/os_trove-overrides.yml
@@ -31,6 +31,8 @@ trove_requirements_git_install_branch: master
 trove_service_password: "secrete"
 trove_regular_user_password: "secrete"
 trove_admin_user_password: "secrete"
+trove_taskmanager_rpc_encr_key: bzH6y0SGmjuoY0FNSTptrhgieGXNDX6PIhvz
+trove_inst_rpc_key_encr_key: emYjgHFqfXNB1NGehAFIUeoyw4V4XwWHEaKP
 trove_service_project_domain_id: default
 trove_service_project_name: service
 trove_service_region: RegionOne
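Review bot: The two fixture keys added to tests/os_trove-overrides.yml are unquoted plain scalars while the sibling secrets on the lines above are quoted (`"secrete"`); they are alphanumeric and start with a letter so YAML reads them as strings today, but quoting them keeps the file's convention and protects against a future all-digit or leading-zero value being retyped. They also appear to be Trove's own shipped default key values rather than test-specific ones, which is exactly what the release note in this patch tells operators not to use; that is harmless in a test fixture, but a visibly test-only value (for example a constructed `"test-only-taskmanager-key"`, subject to whatever length Trove requires) would make the fixture self-documenting and keep the defaults from being copied into deployments by example.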