keystone/containers: Add support for fernet keys

Since the 'file' resource is included in the tags that puppet takes into
account, we already generate the fernet keys if it's enabled as a token
provider.

This merely adds the keys to the container. However, if fernet is not
the provider, we make this file addition optional.

Change-Id: Id92039b3bad9ecda169323e01de7bebae70f2ba0

docker/services/keystone.yaml

@@ -30,6 +30,12 @@ parameters:
     description: The password for the keystone admin account, used for monitoring, querying neutron etc.
     type: string
     hidden: true
+  KeystoneTokenProvider:
+    description: The keystone token format
+    type: string
+    default: 'uuid'
+    constraints:
+      - allowed_values: ['uuid', 'fernet']
 
 resources:
 
@@ -40,6 +46,9 @@ resources:
       ServiceNetMap: {get_param: ServiceNetMap}
       DefaultPasswords: {get_param: DefaultPasswords}
 
+conditions:
+  keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
+
 outputs:
   role_data:
     description: Role data for the Keystone API role.
@@ -80,6 +89,16 @@ outputs:
              owner: keystone
              perm: '0600'
              source: /var/lib/kolla/config_files/src/etc/keystone/credential-keys/1
+           - dest: /etc/keystone/fernet-keys/0
+             owner: keystone
+             perm: '0600'
+             source: /var/lib/kolla/config_files/src/etc/keystone/fernet-keys/0
+             optional: {if: [keystone_fernet_tokens, false, true]}
+           - dest: /etc/keystone/fernet-keys/1
+             owner: keystone
+             perm: '0600'
+             source: /var/lib/kolla/config_files/src/etc/keystone/fernet-keys/1
+             optional: {if: [keystone_fernet_tokens, false, true]}
            - dest: /etc/httpd/conf.d/10-keystone_wsgi_admin.conf
              owner: root
              perm: '0644'