Add RPC encryption key support
In the Ocata release, trove added support for encrypting the rpc communication between the guest instances and the control plane. These settings allow the user to specify installation specific keys versus using the default keys. Change-Id: Ie42d754d58e983a15b553ad8a399813c9a700344
parent
83adc96f1b
commit
b948402c76
@ -109,7 +109,6 @@ trove_ssl_self_signed_regen: false
|
|||||||
trove_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
|
trove_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
|
||||||
|
|
||||||
# Database vars
|
# Database vars
|
||||||
|
|
||||||
trove_galera_database_name: trove
|
trove_galera_database_name: trove
|
||||||
trove_galera_user: trove
|
trove_galera_user: trove
|
||||||
trove_galera_address: "{{ internal_lb_vip_address }}"
|
trove_galera_address: "{{ internal_lb_vip_address }}"
|
||||||
@ -126,6 +125,19 @@ trove_rabbitmq_use_ssl: False
|
|||||||
trove_rabbitmq_port: 5672
|
trove_rabbitmq_port: 5672
|
||||||
trove_rabbitmq_servers: "{{ rabbitmq_servers }}"
|
trove_rabbitmq_servers: "{{ rabbitmq_servers }}"
|
||||||
|
|
||||||
|
# RPC encryption keys
|
||||||
|
# See the Trove documentation as to the significance of the rpc encryption keys
|
||||||
|
# Trove supplies default values but we enforce they not be left to their default values
|
||||||
|
trove_enable_secure_rpc_messaging: "True"
|
||||||
|
trove_required_secrets:
|
||||||
|
- trove_galera_password
|
||||||
|
- trove_rabbitmq_password
|
||||||
|
- trove_service_password
|
||||||
|
- trove_admin_user_password
|
||||||
|
- trove_regular_user_password
|
||||||
|
- trove_taskmanager_rpc_encr_key
|
||||||
|
- trove_inst_rpc_key_encr_key
|
||||||
|
|
||||||
# Keystone AuthToken/Middleware
|
# Keystone AuthToken/Middleware
|
||||||
trove_keystone_auth_plugin: "{{ trove_keystone_auth_type }}"
|
trove_keystone_auth_plugin: "{{ trove_keystone_auth_type }}"
|
||||||
trove_keystone_auth_type: password
|
trove_keystone_auth_type: password
|
||||||
|
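Review bot: `trove_enable_secure_rpc_messaging: "True"` is a quoted string, while the neighbouring switch in this hunk's context, `trove_rabbitmq_use_ssl: False`, is a YAML boolean; the string renders fine into the `.conf` templates, but a deployer overriding it with `"False"` would still be truthy to any `when: trove_enable_secure_rpc_messaging` gate, so `trove_enable_secure_rpc_messaging: True` keeps the file consistent and safe to test directly. The comment above `trove_required_secrets` says the role enforces that the keys are not left at Trove's built-in defaults, yet this file never assigns either key, so that enforcement rests entirely on the required-secrets task added in this commit; a comment on the two `*_encr_key` entries such as `# Deliberately undefined here: the required-secrets task fails the run unless the deployer supplies a value` would make that dependency explicit to the next maintainer.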
@ -17,7 +17,22 @@ Default variables
|
|||||||
Required variables
|
Required variables
|
||||||
~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
None.
|
This list is not exhaustive at present. See role internals for further
|
||||||
|
details.
|
||||||
|
|
||||||
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
# Service and user passwords
|
||||||
|
trove_galera_password:
|
||||||
|
trove_rabbitmq_password:
|
||||||
|
trove_service_password:
|
||||||
|
trove_admin_user_password:
|
||||||
|
trove_regular_user_password:
|
||||||
|
|
||||||
|
# Trove RPC encryption keys.
|
||||||
|
trove_taskmanager_rpc_encr_key:
|
||||||
|
trove_inst_rpc_key_encr_key:
|
||||||
|
|
||||||
|
|
||||||
Dependencies
|
Dependencies
|
||||||
~~~~~~~~~~~~
|
~~~~~~~~~~~~
|
||||||
|
@ -4,3 +4,5 @@ trove_rabbitmq_password:
|
|||||||
trove_service_password:
|
trove_service_password:
|
||||||
trove_admin_user_password:
|
trove_admin_user_password:
|
||||||
trove_regular_user_password:
|
trove_regular_user_password:
|
||||||
|
trove_taskmanager_rpc_encr_key:
|
||||||
|
trove_inst_rpc_key_encr_key:
|
||||||
|
7
releasenotes/notes/rpc-encryption-b75fb0d08579a7dd.yaml
Normal file
7
releasenotes/notes/rpc-encryption-b75fb0d08579a7dd.yaml
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- In the Ocata release, Trove added support for encrypting the rpc
|
||||||
|
communication between the guest DBaaS instances and the control plane.
|
||||||
|
The default values for ``trove_taskmanager_rpc_encr_key`` and
|
||||||
|
``trove_inst_rpc_key_encr_key`` should be overridden to specify
|
||||||
|
installation specific values.
|
@ -27,6 +27,14 @@
|
|||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
|
- name: Fail if our required secrets are not present
|
||||||
|
fail:
|
||||||
|
msg: "Please set the {{ item }} variable prior to applying this role."
|
||||||
|
when: (item is undefined) or (item is none)
|
||||||
|
with_items: "{{ trove_required_secrets }}"
|
||||||
|
tags:
|
||||||
|
- always
|
||||||
|
|
||||||
- include: trove_pre_install.yml
|
- include: trove_pre_install.yml
|
||||||
tags:
|
tags:
|
||||||
- trove-install
|
- trove-install
|
||||||
|
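Review bot: The guard `when: (item is undefined) or (item is none)` never fires, because `item` is the string taken from `trove_required_secrets` (e.g. `trove_galera_password`), which is always defined and non-null; the variable that string names is never inspected, so a deployment with the rpc keys unset passes this task and silently falls back to Trove's built-in keys, the exact case the defaults comment says is enforced against. Resolve the name before testing it, e.g. `when: (vars[item] is undefined) or (vars[item] is none)`, with `hostvars[inventory_hostname][item]` as the alternative if `vars` does not expose role defaults on the Ansible version in use, which is worth confirming. The valueless sample entries `trove_taskmanager_rpc_encr_key:` and `trove_inst_rpc_key_encr_key:` added in the secrets file hunk load as null, which the `is none` clause does cover once the lookup is fixed, but an empty string would still pass unless a `| length > 0` style clause is added.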
@ -10,6 +10,8 @@ transport_url = rabbit://{% for host in trove_rabbitmq_servers.split(',') %}{{ t
|
|||||||
|
|
||||||
{# There must be a blank line above or the following line will be appended to the previous. #}
|
{# There must be a blank line above or the following line will be appended to the previous. #}
|
||||||
control_exchange = {{ trove_control_exchange }}
|
control_exchange = {{ trove_control_exchange }}
|
||||||
|
enable_secure_rpc_messaging = {{ trove_enable_secure_rpc_messaging }}
|
||||||
|
inst_rpc_key_encr_key = {{ trove_inst_rpc_key_encr_key }}
|
||||||
|
|
||||||
[profiler]
|
[profiler]
|
||||||
enabled = {{ trove_profiler_enabled }}
|
enabled = {{ trove_profiler_enabled }}
|
||||||
|
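Review bot: `inst_rpc_key_encr_key = {{ trove_inst_rpc_key_encr_key }}` writes a shared symmetric secret in clear text into the rendered config, and the same applies to the two template hunks that follow (the taskmanager one also writes `taskmanager_rpc_encr_key`); the task that renders these templates is not in this change, so it is worth confirming it restricts the file to the trove user with a mode no wider than `0640` and that the rendered content is not echoed into job output, since the commit description states these keys protect the guest-to-control-plane RPC channel. The template file names are not shown on this page, so which service each hunk belongs to is inferred from the surrounding options.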
@ -8,6 +8,10 @@ transport_url = rabbit://{% for host in trove_rabbitmq_servers.split(',') %}{{ t
|
|||||||
|
|
||||||
{# There must be a blank line above or the following line will be appended to the previous. #}
|
{# There must be a blank line above or the following line will be appended to the previous. #}
|
||||||
control_exchange = {{ trove_control_exchange }}
|
control_exchange = {{ trove_control_exchange }}
|
||||||
|
enable_secure_rpc_messaging = {{ trove_enable_secure_rpc_messaging }}
|
||||||
|
taskmanager_rpc_encr_key = {{ trove_taskmanager_rpc_encr_key }}
|
||||||
|
inst_rpc_key_encr_key = {{ trove_inst_rpc_key_encr_key }}
|
||||||
|
|
||||||
db_api_implementation = trove.db.sqlalchemy.api
|
db_api_implementation = trove.db.sqlalchemy.api
|
||||||
trove_auth_url = {{ trove_auth_url }}
|
trove_auth_url = {{ trove_auth_url }}
|
||||||
nova_compute_url = {{ trove_nova_compute_url }}
|
nova_compute_url = {{ trove_nova_compute_url }}
|
||||||
|
@ -9,6 +9,9 @@ transport_url = rabbit://{% for host in trove_rabbitmq_servers.split(',') %}{{ t
|
|||||||
|
|
||||||
{# There must be a blank line above or the following line will be appended to the previous. #}
|
{# There must be a blank line above or the following line will be appended to the previous. #}
|
||||||
control_exchange = {{ trove_control_exchange }}
|
control_exchange = {{ trove_control_exchange }}
|
||||||
|
enable_secure_rpc_messaging = {{ trove_enable_secure_rpc_messaging }}
|
||||||
|
inst_rpc_key_encr_key = {{ trove_inst_rpc_key_encr_key }}
|
||||||
|
|
||||||
db_api_implementation = "trove.db.sqlalchemy.api"
|
db_api_implementation = "trove.db.sqlalchemy.api"
|
||||||
trove_auth_url = {{ trove_auth_url }}
|
trove_auth_url = {{ trove_auth_url }}
|
||||||
os_region_name = {{ trove_service_region }}
|
os_region_name = {{ trove_service_region }}
|
||||||
|
@ -31,6 +31,8 @@ trove_requirements_git_install_branch: master
|
|||||||
trove_service_password: "secrete"
|
trove_service_password: "secrete"
|
||||||
trove_regular_user_password: "secrete"
|
trove_regular_user_password: "secrete"
|
||||||
trove_admin_user_password: "secrete"
|
trove_admin_user_password: "secrete"
|
||||||
|
trove_taskmanager_rpc_encr_key: bzH6y0SGmjuoY0FNSTptrhgieGXNDX6PIhvz
|
||||||
|
trove_inst_rpc_key_encr_key: emYjgHFqfXNB1NGehAFIUeoyw4V4XwWHEaKP
|
||||||
trove_service_project_domain_id: default
|
trove_service_project_domain_id: default
|
||||||
trove_service_project_name: service
|
trove_service_project_name: service
|
||||||
trove_service_region: RegionOne
|
trove_service_region: RegionOne
|
||||||
|