Deploying Fernet on the Overcloud

Here is a proof of concept of deploying an OpenStack Tripleo Overcloud using the Fernet token provider.

I'm going to take the shortcut of using the Keystone setup on the undercloud to generate the keys. Since the undercloud still uses the UUID provider, this key repo will not be used by the undercloud itself.

This uses Heat swift artifacts, which put a copy of the Fernet key repo on every overcloud node, not just the Keystone/controller node. That may or may not be acceptable for your deployment.

On the undercloud

. ~/stackrc
sudo keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
sudo tar -zcf keystone-fernet-keys.tar.gz /etc/keystone/fernet-keys
upload-swift-artifacts -f keystone-fernet-keys.tar.gz

To push an extra value into the overcloud Hiera data, use an additional deploy.yaml environment file and point the deploy at it:

export DEPLOY_ENV_YAML=$PWD/deploy.yaml

Here is what this file looks like:

parameter_defaults:
  controllerExtraConfig:
    keystone::token_provider: 'fernet'

Deploy with:

openstack overcloud deploy --templates -e $DEPLOY_ENV_YAML

Wait for completion.

Then check the state on the controller:

$ openstack server list
+--------------------------------------+-------------------------+--------+---------------------+
| ID                                   | Name                    | Status | Networks            |
+--------------------------------------+-------------------------+--------+---------------------+
| 756fbd73-e47b-46e6-959c-e24d7fb71328 | overcloud-controller-0  | ACTIVE | ctlplane=192.0.2.16 |
| 62b869df-1203-4d58-8e45-fac6cd4cfbee | overcloud-novacompute-0 | ACTIVE | ctlplane=192.0.2.8  |
+--------------------------------------+-------------------------+--------+---------------------+
[stack@undercloud ~]$ ssh heat-admin@192.0.2.16 
Last login: Tue Sep  6 00:09:59 2016 from 192.0.2.1
[heat-admin@overcloud-controller-0 ~]$ sudo crudini --get /etc/keystone/keystone.conf token driver
sql
[heat-admin@overcloud-controller-0 ~]$ sudo crudini --get /etc/keystone/keystone.conf token provider
fernet
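Beyond the two config values, it is worth confirming that the key repo delivered by the swift artifact is intact and private on the controller, since those files are the token-signing secrets. The following check is an added example, not code from the original post or from TripleO; it assumes Linux-style `ls -l` output (mode in the first field, owner in the third) and the Keystone repo layout, where key 0 is the staged key, the highest-numbered key is the primary key, and each key is 32 random bytes urlsafe-base64 encoded (44 characters ending in `=`).

```shell
#!/bin/sh
# Added check (not from the original post): verify a Keystone Fernet key repo.
# Usage on a controller: sudo sh fernet-check.sh /etc/keystone/fernet-keys keystone
# A Fernet key is 32 random bytes, urlsafe-base64 encoded: 44 chars ending in '='.
# Key 0 is the staged key; the highest-numbered key is the primary (signing) key.
# Assumes Linux-style 'ls -l' output (mode in field 1, owner in field 3).

# Print the index of the primary key: the highest-numbered file in DIR.
fernet_primary_key() {
  ls "$1" | grep -E '^[0-9]+$' | sort -n | tail -n 1
}

# check_fernet_repo DIR [OWNER]: return 0 if the repo is sane, 1 with a reason otherwise.
check_fernet_repo() {
  dir=$1 owner=${2:-} n=0
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
  # The repo holds token-signing secrets, so it must be drwx------ (owner only).
  set -- $(ls -ld "$dir")
  mode=${1%[.+@]}                      # strip a trailing SELinux/ACL marker
  [ "$mode" = "drwx------" ] || { echo "bad mode on $dir: $mode" >&2; return 1; }
  [ -z "$owner" ] || [ "$3" = "$owner" ] || { echo "bad owner on $dir: $3" >&2; return 1; }
  for f in "$dir"/*; do
    [ -e "$f" ] || break               # empty repo: the glob did not expand
    name=${f##*/}
    case $name in
      *[!0-9]*) echo "unexpected file in repo: $f" >&2; return 1 ;;
    esac
    set -- $(ls -l "$f")
    mode=${1%[.+@]}
    [ "$mode" = "-rw-------" ] || { echo "bad mode on $f: $mode" >&2; return 1; }
    [ -z "$owner" ] || [ "$3" = "$owner" ] || { echo "bad owner on $f: $3" >&2; return 1; }
    key=$(tr -d '\n' < "$f")
    printf '%s' "$key" | grep -Eq '^[A-Za-z0-9_-]{43}=$' ||
      { echo "$f does not hold a 44-char urlsafe-base64 Fernet key" >&2; return 1; }
    n=$((n + 1))
  done
  [ -f "$dir/0" ] || { echo "no staged key (file 0) in $dir" >&2; return 1; }
  [ "$n" -ge 2 ] || { echo "need the staged key plus at least one primary key" >&2; return 1; }
  echo "ok: $n keys in $dir, primary key is $(fernet_primary_key "$dir")"
}

# Stand-alone use: fernet-check.sh DIR [OWNER]
if [ $# -gt 0 ]; then
  check_fernet_repo "$1" "${2:-}"
fi
```

Running it on every overcloud node, not only the controller, shows where the artifact left copies of the keys.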

Look in the database on the controller (with the Fernet provider, nothing should be persisted in the token table):

$ sudo su
[root@overcloud-controller-0 heat-admin]# mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 415
Server version: 10.1.12-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use keystone
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [keystone]> select * from token;
Empty set (0.00 sec)

MariaDB [keystone]> 


Test the provider:


$ openstack token issue
WARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2016-09-20 05:26:17+00:00 |
| id | gAAAAABX4LppE8vaiFZ992eah2i3edpO1aDFxlKZq6a_RJzxUx56QVKORrmW0-oZK3-Xuu2wcnpYq_eek2SGLz250eLpZOzxKBR0GsoMfxJU8mEFF8NzfLNcbuS-iz7SV-N1re3XEywSDG90JcgwjQfXW-8jtCm-n3LL5IaZexAYIw059T_-cd8 |
| project_id | 26156621d0d54fc39bf3adb98e63b63d |
| user_id | 397daf32cadd490a8f3ac23a626ac06c |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

That long id, although not as long as a PKI token, is a Fernet token.

Note that the keys used to sign tokens are now available via the undercloud’s swift. I would recommend deleting them immediately after deployment with:


swift delete overcloud-artifacts keystone-fernet-keys.tar.gz
