Make fernet max active keys configurable

This will set the max_active_keys setting in keystone.conf, and
furtherly we'll read this value from tripleo-common to do purging of
keys if necessary.

bp keystone-fernet-rotation

Change-Id: I9c6b0708c2c03ad9918222599f8b6aad397d8089

1 files changed, 5 insertions, 0 deletions

diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index af494016..60d194bc 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -122,6 +122,10 @@ parameters:
   KeystoneFernetKeys:
     type: json
     description: Mapping containing keystone's fernet keys and their paths.
+  KeystoneFernetMaxActiveKeys:
+    type: number
+    description: The maximum active keys in the keystone fernet key repository.
+    default: 5
   ManageKeystoneFernetKeys:
     type: boolean
     default: true
@@ -258,6 +262,7 @@ outputs:
             keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
             keystone::token_provider: {get_param: KeystoneTokenProvider}
             keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
+            keystone::fernet_max_active_keys: {get_param: KeystoneFernetMaxActiveKeys}
             keystone::enable_proxy_headers_parsing: true
             keystone::enable_credential_setup: true
             keystone::credential_keys: