From 3b800110148b0fac3212e7719165090d6404292f Mon Sep 17 00:00:00 2001
From: "Oleksandr K."
Date: Tue, 12 Nov 2024 06:44:15 +0100
Subject: [PATCH] [ATMOSPHERE-584] Fix the number of max active fernet keys in Keystone (#2109)

https://review.opendev.org/c/openstack/openstack-helm/+/934703/
---
 .charts.yml | 3 +-
 charts/keystone/Chart.yaml | 2 +-
 .../keystone/templates/bin/_cred-clean.py.tpl | 3 +-
 .../templates/bin/_endpoint-update.py.tpl | 35 ++++++++++---------
 charts/keystone/values.yaml | 8 +++--
 5 files changed, 28 insertions(+), 23 deletions(-)

diff --git a/.charts.yml b/.charts.yml
index 3cc5376cd..a1da60f60 100644
--- a/.charts.yml
+++ b/.charts.yml
@@ -98,13 +98,14 @@ charts:
 repository:
 url: https://charts.bitnami.com/bitnami
 - name: keystone
- version: 0.3.15
+ version: 0.3.17
 repository: *openstack_helm_repository
 dependencies: *openstack_helm_dependencies
 patches:
 gerrit:
 review.opendev.org:
 - 899867
+ - 934703
 - name: kube-prometheus-stack
 version: 60.2.0
 repository:
diff --git a/charts/keystone/Chart.yaml b/charts/keystone/Chart.yaml
index 9205b40fe..ff2849409 100644
--- a/charts/keystone/Chart.yaml
+++ b/charts/keystone/Chart.yaml
@@ -9,4 +9,4 @@ name: keystone
 sources:
 - https://opendev.org/openstack/keystone
 - https://opendev.org/openstack/openstack-helm
-version: 0.3.15
+version: 0.3.17
diff --git a/charts/keystone/templates/bin/_cred-clean.py.tpl b/charts/keystone/templates/bin/_cred-clean.py.tpl
index d95ed2737..a7cbe6ba4 100644
--- a/charts/keystone/templates/bin/_cred-clean.py.tpl
+++ b/charts/keystone/templates/bin/_cred-clean.py.tpl
@@ -30,6 +30,7 @@ except ImportError:
 PARSER_OPTS = {"strict": False}
 import logging
 from sqlalchemy import create_engine
+from sqlalchemy import text
 # Create logger, console handler and formatter
 logger = logging.getLogger('OpenStack-Helm DB Drop')
@@ -127,7 +128,7 @@ except:
 # Delete all entries from credential table
 try:
- cmd = "DELETE FROM credential"
+ cmd = text("DELETE FROM credential")
 with user_engine.connect() as connection:
 connection.execute(cmd)
 try:
diff --git a/charts/keystone/templates/bin/_endpoint-update.py.tpl b/charts/keystone/templates/bin/_endpoint-update.py.tpl
index 1433af21a..a3e64e934 100644
--- a/charts/keystone/templates/bin/_endpoint-update.py.tpl
+++ b/charts/keystone/templates/bin/_endpoint-update.py.tpl
@@ -4,6 +4,7 @@
 import logging
 import sys
 from sqlalchemy import create_engine
+from sqlalchemy import text
 try:
 import ConfigParser
@@ -69,12 +70,12 @@ except:
 try:
 endpoint_url = os.environ['OS_BOOTSTRAP_INTERNAL_URL']
 region_id = os.environ['OS_REGION_NAME']
- cmd = ("update endpoint set url = %s where interface ='internal' and "
- "service_id = (select id from service where "
- "service.type = 'identity') and "
- "region_id = %s")
+ cmd = text("update endpoint set url = :endpoint_url where interface ='internal' and "
+ "service_id = (select id from service where "
+ "service.type = 'identity') and "
+ "region_id = :region_id")
 with user_engine.connect() as connection:
- connection.execute(cmd, (endpoint_url,region_id))
+ connection.execute(cmd, {"endpoint_url": endpoint_url, "region_id": region_id})
 try:
 connection.commit()
 except AttributeError:
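Review bot: The `update endpoint` block in this hunk and the two that follow at `@@ -87` and `@@ -105` are now identical except for the interface literal (`'internal'`, `'admin'`, `'public'`), so the statement text and the bind-parameter dict are maintained in three places and a later edit to one can silently drift from the others. Moving the statement into one helper that binds `interface` as well keeps the parameterisation this commit introduces in a single spot; switching from inline `%s` to `text()` with named binds is the right direction, the helper only removes the duplication. The `try:` that opens the block and the `except AttributeError:` that closes the hunk belong to try/except constructs that continue outside the hunk, so the helper would be defined above them, near the other module-level setup.
```python
def update_identity_endpoint(connection, interface, endpoint_url, region_id):
    """Repoint the identity service endpoint of one interface at endpoint_url.

    interface, endpoint_url and region_id are all passed as bind parameters,
    never interpolated into the statement text.
    """
    cmd = text("update endpoint set url = :endpoint_url where interface = :interface and "
               "service_id = (select id from service where "
               "service.type = 'identity') and "
               "region_id = :region_id")
    connection.execute(cmd, {"endpoint_url": endpoint_url,
                             "interface": interface,
                             "region_id": region_id})

# … unchanged: try / os.environ reads for the internal endpoint …
        with user_engine.connect() as connection:
            update_identity_endpoint(connection, 'internal', endpoint_url, region_id)
# … unchanged: connection.commit() / except AttributeError …
```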
@@ -87,12 +88,12 @@ except:
 try:
 endpoint_url = os.environ['OS_BOOTSTRAP_ADMIN_URL']
 region_id = os.environ['OS_REGION_NAME']
- cmd = ("update endpoint set url = %s where interface ='admin' "
- "and service_id = (select id from service where "
- "service.type = 'identity') "
- "and region_id = %s")
+ cmd = text("update endpoint set url = :endpoint_url where interface ='admin' "
+ "and service_id = (select id from service where "
+ "service.type = 'identity') "
+ "and region_id = :region_id")
 with user_engine.connect() as connection:
- connection.execute(cmd, (endpoint_url,region_id))
+ connection.execute(cmd, {"endpoint_url": endpoint_url, "region_id": region_id})
 try:
 connection.commit()
 except AttributeError:
@@ -105,12 +106,12 @@ except:
 try:
 endpoint_url = os.environ['OS_BOOTSTRAP_PUBLIC_URL']
 region_id = os.environ['OS_REGION_NAME']
- cmd = ("update endpoint set url = %s where interface ='public' "
- "and service_id = (select id from service where "
- "service.type = 'identity') "
- "and region_id = %s")
+ cmd = text("update endpoint set url = :endpoint_url where interface ='public' "
+ "and service_id = (select id from service where "
+ "service.type = 'identity') "
+ "and region_id = :region_id")
 with user_engine.connect() as connection:
- connection.execute(cmd, (endpoint_url,region_id))
+ connection.execute(cmd, {"endpoint_url": endpoint_url, "region_id": region_id})
 try:
 connection.commit()
 except AttributeError:
@@ -123,8 +124,8 @@ except:
 try:
 with user_engine.connect() as connection:
 endpoints = connection.execute(
- ("select interface, url from endpoint where service_id = "
- "(select id from service where service.type = 'identity')")
+ text("select interface, url from endpoint where service_id = "
+ "(select id from service where service.type = 'identity')")
 ).fetchall()
 for row in endpoints:
 logger.info("endpoint ({0}): {1}".format(row[0], row[1]))
diff --git a/charts/keystone/values.yaml b/charts/keystone/values.yaml
index ab2e1ed0d..27e767cfa 100644
--- a/charts/keystone/values.yaml
+++ b/charts/keystone/values.yaml
@@ -419,9 +419,10 @@ jobs:
 user: keystone
 group: keystone
 fernet_rotate:
- # NOTE(rk760n): key rotation frequency, token expiration, active keys should statisfy the formula
- # max_active_keys = (token_expiration / rotation_frequency) + 2
- # as expiration is 12h, and max_active_keys set to 3 by default, rotation_frequency need to be adjusted
+ # NOTE(rk760n): key rotation frequency, token expiration, active keys, and allow_expired_window should statisfy the formula
+ # max_active_keys = ((token_expiration + allow_expired_window) / rotation_frequency) + 2
+ # As expiration is 12h, max_active_keys is 7 and allow_expired_window is 48h by default,
+ # rotation_frequency need to be adjusted
 # 12 hours
 cron: "0 */12 * * *"
 user: keystone
@@ -540,6 +541,7 @@ conf:
 domain_config_dir: /etc/keystone/domains
 fernet_tokens:
 key_repository: /etc/keystone/fernet-keys/
+ max_active_keys: 7
 credential:
 key_repository: /etc/keystone/credential-keys/
 database:
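Review bot: The rewritten NOTE in the `@@ -419` hunk still carries the `statisfy` typo from the line it replaces, and the new last line `rotation_frequency need to be adjusted` should read `needs`; since this hunk exists to correct the comment, the wording is worth fixing in the same change. Suggested first line: `# NOTE(rk760n): key rotation frequency, token expiration, active keys, and allow_expired_window should satisfy the formula`, and last line: `# rotation_frequency needs to be adjusted`. The arithmetic is consistent with the defaults the comment states: (12h + 48h) / 12h + 2 = 7, matching the `max_active_keys: 7` added further down in this file.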
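Review bot: `max_active_keys: 7` in the `@@ -540` hunk is only correct together with the 12h `cron` under `jobs.fernet_rotate` and the 48h `allow_expired_window` default the NOTE there cites, but nothing next to this line records that coupling, and the two settings sit more than a hundred lines apart. An operator who shortens the rotation interval or lengthens `allow_expired_window` without raising this value will have the rotate job drop keys that outstanding tokens were issued under, and those tokens can then no longer be validated. A one-line comment at the place the value is set keeps the dependency visible: `# must be >= (token expiration + allow_expired_window) / rotation interval + 2; see jobs.fernet_rotate.cron`.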