Disabling replacing fernet keys from puppet

Once puppet has written the initial fernet keys, if a deployer wants to rotate them, the keys will be overwritten when another overcloud deploy is executed (for instance, for updates or upgrades). This disables replacing this keys via puppet, so now the operator can rotate the keys out of band. Change-Id: I01fd46ba7c5e0db12524095dc9fe29e90cb0de57
2017-05-11 10:45:45 +03:00 · 2017-05-11 10:45:45 +03:00 · eb923b0fae
commit eb923b0fae
parent 6c43d5b4ff
1 changed files with 1 additions and 0 deletions
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@ -231,6 +231,7 @@ outputs:
                content: {get_param: KeystoneFernetKey0}
              '/etc/keystone/fernet-keys/1':
                content: {get_param: KeystoneFernetKey1}
+            keystone::fernet_replace_keys: false
            keystone::debug: {get_param: Debug}
            keystone::rabbit_userid: {get_param: RabbitUserName}
            keystone::rabbit_password: {get_param: RabbitPassword}