Merge "Fix keystone-startup.sh - remove Fernet key age check"

ansible/roles/keystone/templates/keystone-startup.sh.j2

@@ -4,32 +4,21 @@
 set -o errexit
 set -o pipefail
 
-TOKEN_DIR="/etc/keystone/fernet-keys"
+FERNET_KEY_DIR="/etc/keystone/fernet-keys"
 
-# Ensure tokens are populated, check for 0 (staging) key
+# Ensure Fernet keys are populated, check for 0 (staging) key
 n=0
-while [ ! -f "${TOKEN_DIR}/0" ]; do
+while [ ! -f "${FERNET_KEY_DIR}/0" ]; do
     if [ $n -lt 36 ]; then
         n=$(( n + 1 ))
-        echo "ERROR: Fernet tokens have not been populated, rechecking in 5 seconds"
-        echo "DEBUG: ${TOKEN_DIR} contents:"
-        ls -l ${TOKEN_DIR}
+        echo "ERROR: Fernet keys have not been populated, rechecking in 5 seconds"
+        echo "DEBUG: ${FERNET_KEY_DIR} contents:"
+        ls -l ${FERNET_KEY_DIR}
         sleep 5
     else
-        echo "CRITICAL: Waited for 10 minutes - failing"
+        echo "CRITICAL: Waited for 3 minutes - failing"
         exit 1
     fi
 done
 
-# Ensure tokens are not stale
-# Get primary token (file with highest number)
-TOKEN_PRIMARY=$(ls -1 ${TOKEN_DIR} | sort -hr | head -n 1)
-# Check it's age in seconds
-TOKEN_AGE=$(($(date +%s) - $(date +%s -r "${TOKEN_DIR}/${TOKEN_PRIMARY}")))
-# Compare if it's older than fernet_key_rotation_interval and fail if it's stale
-if [ "${TOKEN_AGE}" -gt "{{ fernet_key_rotation_interval }}" ]; then
-    echo "ERROR: Primary token ${TOKEN_PRIMARY} is stale."
-    exit 1
-fi
-
 exec /usr/sbin/{{ keystone_cmd }} $@

releasenotes/notes/fix-keystone-startup-66c5aa11a464a562.yaml

@@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    Fixes an issue with Keystone startup when Fernet key rotation does not
+    occur within the configured interval. This may happen due to one of the
+    Keystone hosts being down at the scheduled time of rotation, or due to
+    uneven intervals between cron jobs. `LP#1895723
+    <https://bugs.launchpad.net/kolla-ansible/+bug/1895723>`__