Fernet tokens support for Keystone

Registered by Michal Dulko

Non-persistent Fernet tokens perform considerably better than UUID tokens, which
have to be written to the database on every issuance [1]. OpenStack-Helm should
support them, and this specification explains how to achieve that.

The general issue with Fernet tokens and Keystone deployed on Kubernetes is that
the keys used to encrypt and decrypt tokens must be shared by every keystone-api
instance. On top of that there is the "rotate" operation, which generates a new
key. In a classic bare-metal deployment rotation is performed on one node and
the key repository is then replicated to the other keystone-api nodes. Fernet is
designed so that a single rotation does not break keystone-api instances that
are one rotation behind: the repository always holds a staged key (index 0)
next to the primary key, and rotation promotes the staged key to primary, so a
node that has not yet received the update already holds the key the updated
nodes now issue tokens with. The update can therefore be rolled out one node at
a time [2, 3].

We should achieve the same with OpenStack deployed on Kubernetes. kolla-kubernetes
(kolla-k8s) solved it with Secrets:

1. An initial fernet job initializes the Secret.
2. The Secret is mounted into every keystone-api pod.
3. The rotate job rotates the keys and updates the Secret with a PUT request to
   the Kubernetes API.
4. The Secret is reloaded into the pods once the kubelets notice that it has
   changed.

The obvious disadvantage is that the reload time in step 4 is not deterministic:
it depends on the kubelet's sync period (and a Secret mounted via subPath is
never refreshed at all). If another rotate job is triggered before the updated
Secret has reached a node, that node ends up two rotations behind: it lacks the
key that has just become primary, so it cannot validate tokens issued by the
other nodes.

The simplest and safest solution seems to be a PersistentVolume in
ReadWriteMany mode holding the key repository. This rests on a few
assumptions:

* Production OpenStack-Helm deployments are advised to deploy with Ceph anyway,
  so a shared filesystem is available.
* The rotate operation is the only thing that writes to the Fernet key
  repository, and it should be possible to ensure that two rotate jobs never
  run concurrently (for example a CronJob with concurrencyPolicy: Forbid).
* The rotate operation is implemented atomically, so keystone-api instances can
  keep reading a key repository while it is being rotated.
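As an added example (not code from Keystone, OpenStack-Helm or kolla-kubernetes), the following Python script models the key repository and the rotation rule described above and replays the failure mode of the Secrets-based flow: a pod whose key files are one rotation behind still validates tokens issued by up-to-date pods, a pod two rotations behind does not. It also shows the two properties the shared-volume approach relies on, a single writer (an flock-based lock that is this example's own stand-in for "never run two rotate jobs at once") and atomic key writes via temp file plus rename. Token encryption is replaced by a plain HMAC over a nonce so the script runs with the standard library only; the directory layout, the key roles and the max_active_keys default of 3 are those of Keystone.

```python
"""Fernet-style key repository, rotation, and stale-node validation.

Added example, not code from Keystone, OpenStack-Helm or kolla-kubernetes. Real
Fernet tokens are AES-CBC + HMAC payloads from the `cryptography` library; here a
token is only an HMAC over a nonce so this runs on the standard library alone.
The repository layout (files 0, 1, 2, ... in one directory), the staged/primary/
secondary key roles, the rotation rule and "try every key" validation are modelled.
"""
import fcntl
import hashlib
import hmac
import os
import secrets
import shutil
import tempfile

MAX_ACTIVE_KEYS = 3  # keystone's default [fernet_tokens]/max_active_keys

def _write_key_atomically(path, material):
    # Temp file in the same directory, then rename: a reader on a shared
    # ReadWriteMany volume sees either the old file or the complete new one.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".key-")
    with os.fdopen(fd, "w") as fh:
        fh.write(material)
    os.replace(tmp, path)

def key_indexes(repo):
    return sorted(int(n) for n in os.listdir(repo) if n.isdigit())

def load_keys(repo):
    """{index: material}; index 0 is the staged key, the highest index is primary."""
    keys = {}
    for i in key_indexes(repo):
        with open(os.path.join(repo, str(i))) as fh:
            keys[i] = fh.read()
    return keys

def setup_repo(repo):
    """Equivalent of `keystone-manage fernet_setup`: staged key 0 and primary key 1."""
    os.makedirs(repo, exist_ok=True)
    _write_key_atomically(os.path.join(repo, "0"), secrets.token_urlsafe(32))
    _write_key_atomically(os.path.join(repo, "1"), secrets.token_urlsafe(32))

def rotate(repo, max_active_keys=MAX_ACTIVE_KEYS):
    """Equivalent of `keystone-manage fernet_rotate`. The flock (Unix only) is this
    example's stand-in for "only one rotate job runs at a time"."""
    with open(os.path.join(repo, ".rotate.lock"), "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)
        new_primary = max(key_indexes(repo)) + 1
        # 1. the staged key is promoted to primary (an atomic rename) ...
        os.replace(os.path.join(repo, "0"), os.path.join(repo, str(new_primary)))
        # 2. ... and a fresh staged key takes its place
        _write_key_atomically(os.path.join(repo, "0"), secrets.token_urlsafe(32))
        # 3. drop the oldest secondaries beyond max_active_keys (never 0 or primary)
        idx = key_indexes(repo)
        while len(idx) > max_active_keys:
            oldest = min(i for i in idx if i not in (0, new_primary))
            os.remove(os.path.join(repo, str(oldest)))
            idx = key_indexes(repo)
    return new_primary

def issue_token(keys):
    """Tokens are always produced with the primary (highest-index) key."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(keys[max(keys)].encode(), nonce.encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def validate_token(keys, token):
    """Like MultiFernet: accept if any key this node holds verifies the token."""
    nonce, mac = token.split(".")
    return any(
        hmac.compare_digest(hmac.new(k.encode(), nonce.encode(), hashlib.sha256).hexdigest(), mac)
        for k in keys.values()
    )

def _scenario(rotations_behind):
    """Snapshot a pod's keys, then rotate the shared repository N more times."""
    repo = tempfile.mkdtemp(prefix="fernet-")
    try:
        setup_repo(repo)
        stale = load_keys(repo)  # what a pod holds before its Secret/volume is refreshed
        for _ in range(rotations_behind):
            rotate(repo)
        return stale, load_keys(repo)
    finally:
        shutil.rmtree(repo)

def cross_validation(rotations_behind):
    """(stale pod validates a fresh pod's token, fresh pod validates a stale pod's token)."""
    stale, fresh = _scenario(rotations_behind)
    return (validate_token(stale, issue_token(fresh)),
            validate_token(fresh, issue_token(stale)))

if __name__ == "__main__":
    for behind in (0, 1, 2):
        print(f"{behind} rotation(s) behind: (stale->fresh, fresh->stale) =",
              cross_validation(behind))
```

Running the script prints one line per scenario. At one rotation behind both directions succeed, because the stale pod's staged key is exactly the key the fresh pods now issue with, and its old primary is still kept as a secondary. At two rotations behind both directions fail with the default max_active_keys of 3: the stale pod never received the key that is now primary, and its own primary has been pruned from the shared repository.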

[1] http://blog.dolphm.com/benchmarking-openstack-keystone-token-formats/
[2] http://lbragstad.com/fernet-tokens-and-key-distribution/
[3] http://lbragstad.com/fernet-tokens-and-key-distribution-part-2/

Blueprint information

Status:
Complete
Approver:
Brandon B. Jozsa
Priority:
Undefined
Drafter:
Michal Dulko
Direction:
Approved
Assignee:
Michal Dulko
Definition:
Approved
Series goal:
None
Implementation:
Implemented
Milestone target:
None
Started by
Steve Wilkerson
Completed by
Steve Wilkerson
