From c3b2c944f8597633de0fe0ee6a479a2386f6361c Mon Sep 17 00:00:00 2001 From: Ruslan Khanbikov Date: Wed, 27 Jun 2018 12:50:00 -0700 Subject: [PATCH] Update fernet keys rotation and expiration Keystone token expiration, rotation frequency and active keys values should follow the formula: max_active_keys = (token_expiration / rotation_frequency) + 2 max_active_keys by default is 3 token expiration set to 43200 (12h) rotation frequency set to 12 hours Change-Id: Ia04daec9b2905ef2d3f2d4fbb43557dda220dc70 Signed-off-by: Ruslan Khanbikov --- keystone/values.yaml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/keystone/values.yaml b/keystone/values.yaml index 0316b0e7e6..6ebd8ad9be 100644 --- a/keystone/values.yaml +++ b/keystone/values.yaml @@ -314,8 +314,11 @@ jobs: user: keystone group: keystone fernet_rotate: - # weekly - cron: "0 0 * * 0" + # NOTE(rk760n): key rotation frequency, token expiration, active keys should statisfy the formula + # max_active_keys = (token_expiration / rotation_frequency) + 2 + # as expiration is 12h, and max_active_keys set to 3 by default, rotation_frequency need to be adjusted + # 12 hours + cron: "0 */12 * * *" user: keystone group: keystone history: @@ -341,6 +344,8 @@ conf: max_token_size: 255 token: provider: fernet + # 12 hours + expiration: 43200 identity: domain_specific_drivers_enabled: True domain_config_dir: /etc/keystonedomains
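Review bot: The invariant the new comment states depends on `max_active_keys` staying at Keystone's default of 3, yet nothing visible in this file pins that value, so an operator who later overrides only the cron (or only the token `expiration`) silently breaks the formula and tokens encrypted with an already-pruned key start being rejected. Consider setting `max_active_keys: 3` explicitly in the `fernet_tokens` section of `conf` next to the token expiration and pointing this note at it, so the three coupled values travel together. If `fernet_rotate` renders to a Kubernetes CronJob, as the `cron:` key suggests, a skipped or late run only lengthens key lifetime (safe), whereas any out-of-band rotation — a manual job run or a second release sharing the key secret — shortens it below what the formula allows; a sentence to that effect is worth adding. Minor: `statisfy` → `satisfy`. The enclosing `jobs:` mapping begins outside the hunk.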
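Review bot: `expiration: 43200` raises the fernet token lifetime to twelve times Keystone's default of 3600 seconds, which widens the window in which a leaked or replayed bearer token stays usable, and the commit message gives no reason for it beyond fitting the rotation formula. The same invariant holds with the default lifetime by rotating hourly (`cron: "0 * * * *"`, since 3600 / 3600 + 2 = 3) or by raising `max_active_keys` instead of the token lifetime, either of which avoids lengthening tokens. If twelve hours is a deliberate operational choice, record it in the comment, e.g. `# 12h token lifetime, chosen to match the fernet_rotate cron; shortening this without touching the cron or max_active_keys is safe, lengthening it is not`. The `conf:` block continues outside the hunk.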