Update fernet keys rotation and expiration

Keystone token expiration, rotation frequency and active keys values should follow the formula: max_active_keys = (token_expiration / rotation_frequency) + 2 max_active_keys by default is 3 token expiration set to 43200 (12h) rotation frequency set to 12 hours Change-Id: Ia04daec9b2905ef2d3f2d4fbb43557dda220dc70 Signed-off-by: Ruslan Khanbikov <rk760n@att.com>
2018-06-27 12:50:00 -07:00 · 2018-06-27 12:50:00 -07:00 · c3b2c944f8
commit c3b2c944f8
parent 25e50a34c6
1 changed files with 7 additions and 2 deletions
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@ -314,8 +314,11 @@ jobs:
    user: keystone
    group: keystone
  fernet_rotate:
-    # weekly
-    cron: "0 0 * * 0"
+    # NOTE(rk760n): key rotation frequency, token expiration, active keys should statisfy the formula
+    # max_active_keys = (token_expiration / rotation_frequency) + 2
+    # as expiration is 12h, and max_active_keys set to 3 by default, rotation_frequency need to be adjusted
+    # 12 hours
+    cron: "0 */12 * * *"
    user: keystone
    group: keystone
    history:
@ -341,6 +344,8 @@ conf:
      max_token_size: 255
    token:
      provider: fernet
+      # 12 hours
+      expiration: 43200
    identity:
      domain_specific_drivers_enabled: True
      domain_config_dir: /etc/keystonedomains