authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-03-16 13:26:25 +0200
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-03-27 07:23:28 +0000
commit656828530f331e095ea986cc102d359d6d7f429b (patch)
treec31ac52369721743c8e1a1d990ea4c5cfec82a91
parent82db6ab608b29e455fb2036aeb36537148b97cf9 (diff)
docker/keystone: Bind mount entire fernet keys repository
Previously only the first two initial fernet keys were mounted into the container. This is not practical, however, as doing key rotation will generate more entries in this repository. So instead we mount the whole directory, which allows us to do rotation on the base host and have it seamlessly affect the container as well. Change-Id: I7763a09e57fe6a7867ffd079ab0b9222374c38c8
-rw-r--r--docker/services/keystone.yaml15
1 files changed, 5 insertions, 10 deletions
diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml
index b7da3cb8..e50315ba 100644
--- a/docker/services/keystone.yaml
+++ b/docker/services/keystone.yaml
@@ -89,16 +89,6 @@ outputs:
owner: keystone
perm: '0600'
source: /var/lib/kolla/config_files/src/etc/keystone/credential-keys/1
- - dest: /etc/keystone/fernet-keys/0
- owner: keystone
- perm: '0600'
- source: /var/lib/kolla/config_files/src/etc/keystone/fernet-keys/0
- optional: {if: [keystone_fernet_tokens, false, true]}
- - dest: /etc/keystone/fernet-keys/1
- owner: keystone
- perm: '0600'
- source: /var/lib/kolla/config_files/src/etc/keystone/fernet-keys/1
- optional: {if: [keystone_fernet_tokens, false, true]}
- dest: /etc/httpd/conf.d/10-keystone_wsgi_admin.conf
owner: root
perm: '0644'
@@ -145,6 +135,11 @@ outputs:
- /etc/hosts:/etc/hosts:ro
- /etc/localtime:/etc/localtime:ro
- logs:/var/log
+ -
+ if:
+ - keystone_fernet_tokens
+ - /var/lib/config-data/keystone/etc/keystone/fernet-keys:/etc/keystone/fernet-keys:ro
+ - ''
environment:
- KOLLA_BOOTSTRAP=True
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
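Review bot: The bind mount `/var/lib/config-data/keystone/etc/keystone/fernet-keys:/etc/keystone/fernet-keys:ro` no longer gets the `owner: keystone` / `perm: '0600'` that the removed kolla config_files entries applied on copy. Who can read the keys, on the host and inside the container, now depends entirely on the ownership and mode of the host directory, which nothing in this hunk sets. I would document that requirement next to the mount, e.g. `# host fernet-keys dir must be owned by the uid keystone runs as in the container; key files 0600, directory not world-accessible`, and confirm that whatever creates and rotates the keys on the host enforces it. Separately, when `keystone_fernet_tokens` is false the `if` yields `''`, leaving an empty string in the volumes list; presumably the consumer drops empty entries, but that is not visible here and is worth verifying. The volumes list begins outside the hunk.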