Fernet tokens support for Keystone
Non-persistent fernet tokens perform better than UUID tokens, which have to be
persisted to the database [1]. We should make it possible to use them with
OpenStack-Helm, and this specification explains how to achieve that.
The general issue with using fernet tokens with Keystone deployed on Kubernetes
is that the keys used to encrypt and decrypt tokens need to be shared among all
of the keystone-api services. Besides that, there is an operation called
"rotate" that generates a new key. In a classic bare-metal deployment the
rotate operation is run on one of the nodes, and the key repository content is
then replicated to all of the other keystone-api nodes. Fernet is designed so
that a single rotate operation will not break keystone-api instances that are
one rotate behind, so the whole update can be done in a rolling manner [2, 3].
We should achieve the same with OpenStack deployed on k8s. kolla-k8s solved
this with Kubernetes secrets:
1. An initial fernet job initializes the secret.
2. The secret is attached to every keystone-api pod.
3. The rotate job performs the rotation and updates the secret through a PUT
request to the k8s API.
4. The secret gets reloaded into the pods once the kubelets notice that it has
changed.
An obvious disadvantage here is that the reload time in point 4 is undefined
(it depends on the kubelet configuration). If another rotate job is triggered
before the secret has been reloaded on one of the nodes, that node will be
unable to validate new tokens.
The simplest and safest solution seems to be to store the keys on a Persistent
Volume in ReadWriteMany mode. This relies on a few assumptions:
* Production OpenStack-Helm deployments are advised to deploy with Ceph anyway.
* The rotate operation is the only operation that writes to the fernet key
repository, and it should be possible to ensure that we never start two rotate
jobs independently.
* The rotate operation is implemented to be atomic and safe in an environment
that is using the key repository while it is being rotated.
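The rotation safety argument above (a node one rotate behind keeps validating new tokens, a node two rotates behind does not) as an added example, not code from this blueprint, OpenStack-Helm or Keystone: it models the keystone-manage fernet_rotate bookkeeping (key 0 is the staged key, the highest id is the primary, the rest are secondaries) and, as an assumption, uses HMAC-SHA256 as a stand-in for fernet's authenticated encryption.

```python
import hashlib
import hmac
import secrets

MAX_ACTIVE_KEYS = 3  # mirrors keystone's [fernet_tokens] max_active_keys

def new_key() -> bytes:
    return secrets.token_bytes(32)

def init_repository() -> dict:
    # fernet_setup: key 0 is the staged key, key 1 the first primary
    return {0: new_key(), 1: new_key()}

def rotate(repo: dict) -> dict:
    """One fernet_rotate: staged key -> new primary, fresh staged key, prune."""
    rotated = dict(repo)
    rotated[max(repo) + 1] = rotated.pop(0)  # promote staged key to primary
    rotated[0] = new_key()                   # stage a fresh key for the next rotate
    while len(rotated) > MAX_ACTIVE_KEYS:    # drop the oldest secondaries
        del rotated[min(k for k in rotated if k != 0)]
    return rotated

def _mac(key: bytes, payload: bytes) -> bytes:
    # assumption: HMAC-SHA256 stands in for fernet's AES-CBC + HMAC construction
    return hmac.new(key, payload, hashlib.sha256).hexdigest().encode()

def issue_token(repo: dict, payload: bytes) -> bytes:
    """Tokens are always produced with the primary (highest-numbered) key."""
    return payload + b"." + _mac(repo[max(repo)], payload)

def validate_token(repo: dict, token: bytes) -> bool:
    """Validation tries every key in the repository, like MultiFernet does."""
    payload, _, mac = token.rpartition(b".")
    return any(hmac.compare_digest(mac, _mac(k, payload)) for k in repo.values())

def behind_node_still_validates() -> bool:
    """Spec scenario: one node rotated once, another still holds the old repo."""
    shared = rotate(rotate(init_repository()))  # steady state: keys {0, 2, 3}
    current = rotate(shared)                    # node that rotated: keys {0, 3, 4}
    token = issue_token(current, b"fresh")      # key 4 was 'shared' staged key 0
    old_token = issue_token(shared, b"old")     # key 3 is now a secondary on 'current'
    return validate_token(shared, token) and validate_token(current, old_token)

def two_rotates_behind_fails() -> bool:
    """Failure mode from point 4: a second rotate before the first propagated."""
    shared = rotate(rotate(init_repository()))
    current = rotate(rotate(shared))            # keys {0, 4, 5}; 5 never reached 'shared'
    return not validate_token(shared, issue_token(current, b"fresh"))
```

This is why the ReadWriteMany volume matters: every keystone-api pod reads the same repository, so no pod can fall more than one rotate behind the staged key it already holds.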
[1] http://
[2] http://
[3] http://
Blueprint information
- Status: Complete
- Approver: Brandon B. Jozsa
- Priority: Undefined
- Drafter: Michal Dulko
- Direction: Approved
- Assignee: Michal Dulko
- Definition: Approved
- Series goal: None
- Implementation: Implemented
- Milestone target: None
- Started by: Steve Wilkerson
- Completed by: Steve Wilkerson
Related branches
Related bugs
Sprints
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
Add support for Keystone's fernet tokens