Channel: Adam Young's Web Log

Deploying Fernet on the Overcloud

Here is a proof of concept of deploying an OpenStack TripleO overcloud using the Fernet token provider.

I’m going to take the shortcut of using the Keystone setup on the undercloud to generate the keys. Since the undercloud is still using UUID tokens, this key repository will not be used by the undercloud itself.

This approach makes use of Heat Swift artifacts, which put a copy of the Fernet key repository on every node, not just the Keystone/Controller node. Anyone who can read those keys can mint valid Keystone tokens, so that may or may not be acceptable for your deployment.

On the undercloud:

sudo keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
sudo tar -zcf keystone-fernet-keys.tar.gz /etc/keystone/fernet-keys
curl -O https://raw.githubusercontent.com/openstack/tripleo-common/master/scripts/upload-swift-artifacts
chmod +x upload-swift-artifacts
./upload-swift-artifacts -f keystone-fernet-keys.tar.gz

 

To check your work so far:

sudo ls /etc/keystone/fernet-keys
0 1
swift list -l overcloud
265 2016-09-05 20:25:56 application/x-tar keystone-fernet-keys.tar.gz
265

To add an additional value to the overcloud Hiera data, use an additional deploy.yaml file:

export DEPLOY_ENV_YAML=$PWD/deploy.yaml

Here is what this file looks like:

parameter_defaults:
  controllerExtraConfig:
    keystone::token_provider: 'fernet'

Then run the deployment and request a token from the overcloud:

./overcloud-deploy.sh

[stack@undercloud ~]$ . ./overcloudrc 
[stack@undercloud ~]$ openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2016-09-06T01:03:08Z                                                                                                                                                                    |
| id         | gAAAAABXzge8OFCW0xtT94wKr3NObVBR1Ucy9eP9cONF4uZeAQtjA6qP9SPUv4fKUGixG3W2PEpqwsrEiudzOOzGG1zxwzkv8EK59XC2dYH9HB5uMFrOfSKTiFPXgpzN2EOJ3uc7uKzx0wOjJhGvqDVHu4s_kiWnQUdAgEfK6WwQOcTvmWkE8DM |
| project_id | e470032dce904ea2a4699815ee4e7697                                                                                                                                                        |
| user_id    | d565cdc639de4834b5d50c6ab1dac344                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
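
An added example, not part of the original post: a key-free structural check that the id returned above is a Fernet token rather than a UUID one, reading the unencrypted version byte and issue timestamp from the Fernet envelope. The name `inspect_token` is hypothetical, and the check confirms the format only; it does not verify the HMAC, which requires the key repository.

```python
import base64
import binascii
import struct
from datetime import datetime, timezone

FERNET_VERSION = 0x80      # first byte of every Fernet token
HEADER_LEN = 1 + 8 + 16    # version byte + 64-bit timestamp + 128-bit IV
HMAC_LEN = 32              # trailing HMAC-SHA256
AES_BLOCK = 16             # ciphertext is AES-CBC, so a multiple of 16 bytes

# Token id copied from the `openstack token issue` output above.
PAGE_TOKEN = (
    "gAAAAABXzge8OFCW0xtT94wKr3NObVBR1Ucy9eP9cONF4uZeAQtjA6qP9SPUv4fKUGixG3W2"
    "PEpqwsrEiudzOOzGG1zxwzkv8EK59XC2dYH9HB5uMFrOfSKTiFPXgpzN2EOJ3uc7uKzx0wOj"
    "JhGvqDVHu4s_kiWnQUdAgEfK6WwQOcTvmWkE8DM"
)


def inspect_token(token_id):
    """Classify a token id as 'uuid', 'fernet' or 'unknown' without any key."""
    if len(token_id) == 32 and all(c in "0123456789abcdef" for c in token_id):
        return {"format": "uuid"}
    # The id above carries no '=' padding; restore it before decoding.
    padded = token_id + "=" * (-len(token_id) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded.encode("ascii"))
    except (binascii.Error, UnicodeEncodeError):
        return {"format": "unknown"}
    body_len = len(raw) - HEADER_LEN - HMAC_LEN
    if not raw or raw[0] != FERNET_VERSION or body_len <= 0 or body_len % AES_BLOCK:
        return {"format": "unknown"}
    # The timestamp is authenticated but not encrypted: big-endian seconds.
    (issued,) = struct.unpack(">Q", raw[1:9])
    try:
        issued_at = datetime.fromtimestamp(issued, tz=timezone.utc)
    except (OverflowError, OSError, ValueError):
        return {"format": "unknown"}
    return {"format": "fernet", "issued_at": issued_at, "ciphertext_len": body_len}


if __name__ == "__main__":
    print(inspect_token(PAGE_TOKEN))
```

For the token above it reports an issue time of 2016-09-06T00:03:08Z, one hour before the `expires` field in the table.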

Check the state on the controller.

$ openstack server list
+--------------------------------------+-------------------------+--------+---------------------+
| ID                                   | Name                    | Status | Networks            |
+--------------------------------------+-------------------------+--------+---------------------+
| 756fbd73-e47b-46e6-959c-e24d7fb71328 | overcloud-controller-0  | ACTIVE | ctlplane=192.0.2.16 |
| 62b869df-1203-4d58-8e45-fac6cd4cfbee | overcloud-novacompute-0 | ACTIVE | ctlplane=192.0.2.8  |
+--------------------------------------+-------------------------+--------+---------------------+
[stack@undercloud ~]$ ssh heat-admin@192.0.2.16 
Last login: Tue Sep  6 00:09:59 2016 from 192.0.2.1
[heat-admin@overcloud-controller-0 ~]$ sudo crudini --get /etc/keystone/keystone.conf token driver
sql
[heat-admin@overcloud-controller-0 ~]$ sudo crudini --get /etc/keystone/keystone.conf token provider
fernet

Look in the database on the controller:

$ sudo su
[root@overcloud-controller-0 heat-admin]# mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 415
Server version: 10.1.12-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use keystone
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [keystone]> select * from token;
Empty set (0.00 sec)

MariaDB [keystone]> 

