I suggest using a pacemaker multistate clone resource to rotate and rsync fernet
tokens from local directories across cluster nodes. The resource prototype is
described here https://etherpad.openstack.org/p/fernet_tokens_pacemaker
Pros: Pacemaker will take care of the CAP/split-brain stuff for us; we just design
the rotate and rsync logic. Also, no shared FS/DB is involved, only the Corosync CIB,
which stores a few internal resource-state parameters, not tokens.
Cons: Keystone nodes hosting fernet token directories must be members of the
pacemaker cluster. Also, a custom OCF script has to be created to implement this.
--
Regards,
Bogdan Dobrelya.
IRC: bogdando
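To make the proposal above concrete, here is an added sketch of what such a custom OCF agent could look like. It is example code written for this thread, not the prototype from the etherpad and not anything shipped by keystone or pacemaker. It assumes the key repository lives in FERNET_DIR, that peers to rsync to are listed space-separated in FERNET_PEERS (reachable over ssh+rsync), and that the promoted node rotates whenever the primary key is older than FERNET_ROTATE_MINUTES; the rotation itself is a shell reimplementation of the rotation keystone documents (staged key 0 becomes the new primary, a fresh key 0 is staged, old secondaries beyond max_active_keys are dropped) so that the example can run offline, where a real agent would simply call keystone-manage fernet_rotate.

```shell
#!/bin/sh
# Added example (not the etherpad prototype): a cut-down OCF-style agent for a
# pacemaker multistate fernet key resource. Assumed parameters below.
FERNET_DIR="${FERNET_DIR:-/etc/keystone/fernet-keys}"
FERNET_PEERS="${FERNET_PEERS:-}"                      # assumption: "host1 host2 ..."
FERNET_MAX_ACTIVE_KEYS="${FERNET_MAX_ACTIVE_KEYS:-3}"
FERNET_ROTATE_MINUTES="${FERNET_ROTATE_MINUTES:-1440}"
STATE_FILE="${STATE_FILE:-/var/run/fernet-keys.role}"   # "master" or "slave"

# OCF return codes used by pacemaker to interpret the agent's result.
OCF_SUCCESS=0; OCF_ERR_GENERIC=1; OCF_NOT_RUNNING=7; OCF_RUNNING_MASTER=8

# Highest numeric key name in the repository, i.e. the primary key; -1 if none.
fernet_primary_index() {
  max=-1
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    n=${f##*/}
    case "$n" in ''|*[!0-9]*) continue ;; esac
    if [ "$n" -gt "$max" ]; then max=$n; fi
  done
  echo "$max"
}

# Shell reimplementation of the documented keystone rotation (assumption, for an
# offline demo): staged key 0 -> new primary (max+1), fresh key 0 staged, and
# secondaries beyond FERNET_MAX_ACTIVE_KEYS removed.
fernet_rotate() {
  dir="$1"
  [ -f "$dir/0" ] || return 1            # nothing staged: repository not initialised
  max=$(fernet_primary_index "$dir")
  new=$((max + 1))
  mv "$dir/0" "$dir/$new"
  # New staged key: 32 random bytes, urlsafe base64, created mode 0600.
  (umask 077; head -c 32 /dev/urandom | base64 | tr -d '\n' | tr '+/' '-_' > "$dir/0")
  cutoff=$((new - FERNET_MAX_ACTIVE_KEYS + 1))
  for f in "$dir"/*; do
    n=${f##*/}
    case "$n" in ''|*[!0-9]*|0) continue ;; esac
    if [ "$n" -le "$cutoff" ]; then rm -f "$f"; fi
  done
  return 0
}

# Push the repository to every peer; only the master ever writes keys, so a
# one-way mirror with --delete keeps all nodes identical (assumption: ssh+rsync).
fernet_sync() {
  dir="$1"
  for peer in $FERNET_PEERS; do
    rsync -a --delete "$dir/" "$peer:$dir/" || return 1
  done
  return 0
}

# True when the primary key is older than the rotation interval.
fernet_rotation_due() {
  dir="$1"
  max=$(fernet_primary_index "$dir")
  [ "$max" -ge 0 ] || return 1
  [ -n "$(find "$dir" -maxdepth 1 -name "$max" -mmin +"$FERNET_ROTATE_MINUTES")" ]
}

# OCF actions. Pacemaker runs monitor on every node; only the promoted node
# rotates and pushes keys, so there is never more than one writer.
fernet_action() {
  case "$1" in
    start)   [ -f "$FERNET_DIR/0" ] || return $OCF_ERR_GENERIC; echo slave > "$STATE_FILE" ;;
    stop)    rm -f "$STATE_FILE" ;;
    promote) echo master > "$STATE_FILE"; fernet_sync "$FERNET_DIR" || return $OCF_ERR_GENERIC ;;
    demote)  echo slave > "$STATE_FILE" ;;
    monitor)
      [ -f "$STATE_FILE" ] || return $OCF_NOT_RUNNING
      if [ "$(cat "$STATE_FILE")" = master ]; then
        if fernet_rotation_due "$FERNET_DIR"; then
          fernet_rotate "$FERNET_DIR" || return $OCF_ERR_GENERIC
          fernet_sync "$FERNET_DIR" || return $OCF_ERR_GENERIC
        fi
        return $OCF_RUNNING_MASTER
      fi
      ;;
    *) return $OCF_ERR_GENERIC ;;
  esac
  return $OCF_SUCCESS
}

if [ $# -gt 0 ]; then fernet_action "$1"; fi
```

The role file stands in for whatever the real agent would keep in the CIB; the point of the sketch is the split of responsibilities: pacemaker decides who is master, the master alone rotates and mirrors, and slaves only report that their repository is present.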
Matt Fischer also discusses key rotation here:
http://www.mattfischer.com/blog/?p=648
And here:
http://www.mattfischer.com/blog/?p=665
On Mon, Jul 27, 2015 at 2:30 PM, Dolph Mathews <dolph.mathews at gmail.com>
wrote:
…
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)