author | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-06-15 13:10:15 +0300 |
---|---|---|
committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-06-16 07:26:34 +0000 |
commit | 4ec13cc91bd9003b3baf7af140c80d517c88f868 (patch) | |
tree | d6dc801d2f73cd4ddb4562cd5b9fd1974a883050 | |
parent | 24d552ae33adfbbbeb7a1b51b2fe09263c8e9a95 (diff) |
Make fernet max active keys configurable
This will set the max_active_keys setting in keystone.conf, and
furtherly we'll read this value from tripleo-common to do purging of
keys if necessary.
bp keystone-fernet-rotation
Change-Id: I9c6b0708c2c03ad9918222599f8b6aad397d8089
-rw-r--r-- | puppet/services/keystone.yaml | 5 |
-rw-r--r-- | releasenotes/notes/max-active-fernet-keys-f960f08838a75eee.yaml | 5 |
2 files changed, 10 insertions, 0 deletions
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index af494016..60d194bc 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -122,6 +122,10 @@ parameters: KeystoneFernetKeys: type: json description: Mapping containing keystone's fernet keys and their paths. + KeystoneFernetMaxActiveKeys: + type: number + description: The maximum active keys in the keystone fernet key repository. + default: 5 ManageKeystoneFernetKeys: type: boolean default: true @@ -258,6 +262,7 @@ outputs: keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey} keystone::token_provider: {get_param: KeystoneTokenProvider} keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]} + keystone::fernet_max_active_keys: {get_param: KeystoneFernetMaxActiveKeys} keystone::enable_proxy_headers_parsing: true keystone::enable_credential_setup: true keystone::credential_keys: diff --git a/releasenotes/notes/max-active-fernet-keys-f960f08838a75eee.yaml b/releasenotes/notes/max-active-fernet-keys-f960f08838a75eee.yaml new file mode 100644 index 00000000..4c10753a --- /dev/null +++ b/releasenotes/notes/max-active-fernet-keys-f960f08838a75eee.yaml @@ -0,0 +1,5 @@ +--- +features: + - KeystoneFernetMaxActiveKeys was introduced as a parameter to the keystone + profile. It sets the max_active_keys value of the keystone.conf file and + will subsequently be used by mistral to purge the keys in a mistral task. |
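Review bot: in the parameters hunk of puppet/services/keystone.yaml, KeystoneFernetMaxActiveKeys is declared as `type: number` with only a `default: 5`, so a fractional, zero or negative value passes template validation and is handed on unchanged. The description calls this a count of keys, so add a `constraints:` entry with a `range` that has a `min` matching the smallest value the rotation scheme can work with, and state that lower bound in the description so operators know what is safe to set.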
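Review bot: in the outputs hunk, `keystone::fernet_max_active_keys` is set from the new parameter with no relation to the KeystoneFernetKeys mapping declared just above it in the parameters section, so a mapping with more entries than the configured maximum is accepted silently. Either validate the two against each other or document which one takes effect when they disagree. The neighbouring `keystone::enable_fernet_setup` is conditional on `keystone_fernet_tokens` while this key is not; a short comment saying that is intentional would help the next reader.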
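Review bot: the release note in releasenotes/notes/max-active-fernet-keys-f960f08838a75eee.yaml leaves out the default of 5 that the parameter hunk sets, and its last line describes purging by a mistral task that this change does not add. Mention the default, and word the purge as future behaviour so an operator who lowers the value does not assume that surplus keys are already being removed.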