From 2323fd3b7e6ff9232932f3ebda7ab20a25754b1a Mon Sep 17 00:00:00 2001
From: Michele Baldessari
Date: Thu, 4 Jun 2020 09:39:32 +0200
Subject: [PATCH] [queens-only] Increase auth_ttl for ec2token expiry

The recently added default of 15 mins for CVE-2020-12692 in keystone may not work with undercloud where deployments can run for long time. Let's keep it large enough to avoid it's expiration during a overcloud deployment before the stack action times out.

Change-Id: I217192b8563e615dffc590f9d548883e0f1b38de
Related-Bug: #1872737
---
 .../puppet-stack-config/puppet-stack-config.yaml.template | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/elements/puppet-stack-config/puppet-stack-config.yaml.template b/elements/puppet-stack-config/puppet-stack-config.yaml.template
index 64996fe94..87b62d28a 100644
--- a/elements/puppet-stack-config/puppet-stack-config.yaml.template
+++ b/elements/puppet-stack-config/puppet-stack-config.yaml.template
@@ -239,6 +239,10 @@
 keystone::enable_credential_setup: true
 keystone::fernet_max_active_keys: 2
 keystone::cache_memcache_servers: "%{hiera('memcached::listen_ip')}:11211"
 keystone::cache_backend: "dogpile.cache.memcached"
+# CVE-2020-12692 set the default of 15 mins for ttl in keystone, we need that to be a lot higher
+keystone::config::keystone_config:
+  credential/auth_ttl:
+    value: 240
 # MySQL
 admin_password: {{UNDERCLOUD_ADMIN_PASSWORD}}
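Review bot: The added `credential/auth_ttl` entry states neither the unit of `240` nor why that number was chosen beyond "a lot higher"; keystone's `auth_ttl` is expressed in minutes, so this is a four-hour validity window for signed EC2 token requests, which is precisely the exposure the CVE-2020-12692 default of 15 shortened. The comment above the key should record the unit and the trade-off so a later reader does not tighten or loosen it blindly, e.g. `# CVE-2020-12692 made credential/auth_ttl default to 15 (minutes); raised to 240 so ec2 tokens outlive a long undercloud-driven overcloud deploy, at the cost of a longer replay window on the undercloud only`. If the template already defines `keystone::config::keystone_config` somewhere outside this hunk (not visible here), YAML last-key-wins would silently discard one of the two mappings, so that is worth checking before merge. The surrounding hiera mapping starts and ends outside the hunk.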