Make fernet max active keys configurable

This will set the max_active_keys setting in keystone.conf, and furtherly we'll read this value from tripleo-common to do purging of keys if necessary. bp keystone-fernet-rotation Change-Id: I9c6b0708c2c03ad9918222599f8b6aad397d8089
2017-06-15 13:10:15 +03:00 · 2017-06-15 13:10:15 +03:00 · 4ec13cc91b
commit 4ec13cc91b
parent 24d552ae33
2 changed files with 10 additions and 0 deletions
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@ -122,6 +122,10 @@ parameters:
  KeystoneFernetKeys:
    type: json
    description: Mapping containing keystone's fernet keys and their paths.
+  KeystoneFernetMaxActiveKeys:
+    type: number
+    description: The maximum active keys in the keystone fernet key repository.
+    default: 5
  ManageKeystoneFernetKeys:
    type: boolean
    default: true
@ -258,6 +262,7 @@ outputs:
            keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
            keystone::token_provider: {get_param: KeystoneTokenProvider}
            keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
+            keystone::fernet_max_active_keys: {get_param: KeystoneFernetMaxActiveKeys}
            keystone::enable_proxy_headers_parsing: true
            keystone::enable_credential_setup: true
            keystone::credential_keys:
--- a/releasenotes/notes/max-active-fernet-keys-f960f08838a75eee.yaml
+++ b/releasenotes/notes/max-active-fernet-keys-f960f08838a75eee.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - KeystoneFernetMaxActiveKeys was introduced as a parameter to the keystone
+    profile. It sets the max_active_keys value of the keystone.conf file and
+    will subsequently be used by mistral to purge the keys in a mistral task.