From 4ec13cc91bd9003b3baf7af140c80d517c88f868 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Thu, 15 Jun 2017 13:10:15 +0300
Subject: [PATCH] Make fernet max active keys configurable

This will set the max_active_keys setting in keystone.conf, and furtherly we'll read this value from tripleo-common to do purging of keys if necessary.

bp keystone-fernet-rotation

Change-Id: I9c6b0708c2c03ad9918222599f8b6aad397d8089
---
 puppet/services/keystone.yaml | 5 +++++
 .../notes/max-active-fernet-keys-f960f08838a75eee.yaml | 5 +++++
 2 files changed, 10 insertions(+)
 create mode 100644 releasenotes/notes/max-active-fernet-keys-f960f08838a75eee.yaml

diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index af494016da..60d194bcf2 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -122,6 +122,10 @@ parameters:
 KeystoneFernetKeys:
 type: json
 description: Mapping containing keystone's fernet keys and their paths.
+ KeystoneFernetMaxActiveKeys:
+ type: number
+ description: The maximum active keys in the keystone fernet key repository.
+ default: 5
 ManageKeystoneFernetKeys:
 type: boolean
 default: true
@@ -258,6 +262,7 @@ outputs:
 keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
 keystone::token_provider: {get_param: KeystoneTokenProvider}
 keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
+ keystone::fernet_max_active_keys: {get_param: KeystoneFernetMaxActiveKeys}
 keystone::enable_proxy_headers_parsing: true
 keystone::enable_credential_setup: true
 keystone::credential_keys:
diff --git a/releasenotes/notes/max-active-fernet-keys-f960f08838a75eee.yaml b/releasenotes/notes/max-active-fernet-keys-f960f08838a75eee.yaml
new file mode 100644
index 0000000000..4c10753aea
--- /dev/null
+++ b/releasenotes/notes/max-active-fernet-keys-f960f08838a75eee.yaml
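Review bot: The new `KeystoneFernetMaxActiveKeys` parameter in the first hunk is a bare `type: number` with no `constraints`, so a deployer can pass 0, a negative value or `2.5` and Heat will accept it; the bad value only surfaces, if at all, when keystone reads `max_active_keys` from keystone.conf, and the commit message says a tripleo-common purge task will also consume it, so a nonsensical value would reach the key-deletion path as well. Adding `constraints:` / `  - range: {min: 1}` under `default: 5` rejects those at stack validation time (integer-ness still cannot be expressed for a Heat `number`, so that limit belongs in the description). The `description:` also tells an operator nothing about how to choose the value; something like `description: Number of fernet keys keystone keeps after each rotation. With the rotation interval this bounds how long tokens signed by a retired key stay valid, so it should cover the configured token lifetime; lowering it on a running deployment presumably lets the purge drop keys that still-valid tokens were signed with.` would make the security trade-off visible at the parameter. The `parameters` mapping this hunk edits starts and ends outside the hunk.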
@@ -0,0 +1,5 @@
+---
+features:
+ - KeystoneFernetMaxActiveKeys was introduced as a parameter to the keystone
+ profile. It sets the max_active_keys value of the keystone.conf file and
+ will subsequently be used by mistral to purge the keys in a mistral task.