cf5a131cd7
When keystone uses Fernet tokens in a multi-node environment, each of the nodes needs to have a copy of the keys used by other nodes. While the upstream suggestion is to run the command on one node and then copy the keys to the others, deployments using a central configuration server do not usually follow workflows like this. Instead the keys are generated off-server, and managed in a central data store. This change follows the pattern set for credentials key management.

Change-Id: Ibd2a7692c247d0367c5fd331bb88790f882c2c91
13 lines
605 B
YAML
---
features:
  - keystone-manage can be used to set up Keystone Fernet keys. Disabled by default
    as long as the proper version of keystone is not in UCA.
    Upstream Keystone is moving to Fernet token support as the default provider.
    With recent issues with PKI, Fernet is the only viable token format for
    multisite.

    Note, if the fernet_keys parameter is set to a valid hash, keystone-manage won't
    be used to generate Fernet keys but Puppet will manage file resources for each
    key in the hash. This ensures that the keys are synchronized in a
    multinode environment.
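The release note above describes the off-server workflow: keys are generated on the configuration server and handed to Puppet as a hash so every node ends up with identical key files. The following is an added example, not code from this commit or from puppet-keystone, showing how such a hash can be produced and sanity-checked before it goes into Hiera. It assumes the hash is keyed by the full path of each key file under the keystone default repository /etc/keystone/fernet-keys, that each value carries a content attribute (the File-resource shape the note describes), and that the Hiera key is keystone::fernet_keys; those names are assumptions for the example. Key material follows what keystone-manage fernet_setup writes: 32 random bytes, urlsafe-base64 encoded, in files named 0 (the staged key), 1 .. N-1 (secondary keys) and N (the primary key).

```python
"""Generate Keystone Fernet keys off-server and render them as a fernet_keys hash.

Added example, not puppet-keystone code. Assumed names: KEY_REPOSITORY,
the path-keyed hash with a 'content' attribute, and the Hiera key
keystone::fernet_keys.
"""
import base64
import binascii
import os
import re

KEY_REPOSITORY = "/etc/keystone/fernet-keys"  # keystone default; assumed for this example
KEY_BYTES = 32  # a Fernet key is 32 random bytes, urlsafe-base64 encoded (44 chars)


def generate_fernet_key(rand=os.urandom):
    """Return one Fernet key in the encoding keystone-manage fernet_setup writes."""
    return base64.urlsafe_b64encode(rand(KEY_BYTES)).decode("ascii")


def build_fernet_keys_hash(count, rand=os.urandom):
    """Build the hash Puppet turns into one File resource per key.

    Index 0 is the staged key, the highest index is the primary key used to
    sign new tokens, everything in between is a secondary key kept for
    validating tokens issued before rotation.
    """
    if count < 2:
        raise ValueError("keystone needs at least a staged key (0) and a primary key")
    return {
        f"{KEY_REPOSITORY}/{idx}": {"content": generate_fernet_key(rand)}
        for idx in range(count)
    }


def validate_fernet_keys_hash(keys):
    """Return a list of problems that would make keystone reject the repository.

    Checks that every file name is an integer index, that the indices are
    contiguous from 0 (a gap or a missing staged key breaks rotation), and
    that every content value decodes to exactly 32 bytes.
    """
    problems = []
    indices = []
    for path, attrs in keys.items():
        name = os.path.basename(path)
        if not re.fullmatch(r"\d+", name):
            problems.append(f"{path}: key file name is not an integer index")
            continue
        indices.append(int(name))
        try:
            raw = base64.urlsafe_b64decode(attrs.get("content", ""))
        except (binascii.Error, ValueError):
            raw = b""
        if len(raw) != KEY_BYTES:
            problems.append(f"{path}: content is not a {KEY_BYTES}-byte urlsafe-base64 key")
    if 0 not in indices:
        problems.append("no staged key (file 0) in the hash")
    if indices and sorted(indices) != list(range(max(indices) + 1)):
        problems.append("key indices must be contiguous starting at 0")
    return problems


def render_hiera(keys, hiera_key="keystone::fernet_keys"):
    """Render the hash as a Hiera YAML fragment (assumed Hiera key name).

    Plaintext Hiera is shown for illustration; in a real deployment the key
    contents belong in an encrypted backend such as hiera-eyaml.
    """
    lines = [f"{hiera_key}:"]
    for path in sorted(keys, key=lambda p: int(os.path.basename(p))):
        lines.append(f"  '{path}':")
        lines.append(f"    content: '{keys[path]['content']}'")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    fernet_keys = build_fernet_keys_hash(3)
    assert not validate_fernet_keys_hash(fernet_keys)
    print(render_hiera(fernet_keys))
```

Running the script prints a fragment that can be dropped into the node or common Hiera data; the validator is the check to run before committing it, since a hash that Puppet accepts (any path, any string) is not necessarily one keystone can load.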