authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-06-12 15:24:32 +0300
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-06-14 10:04:06 +0300
commit350e1a81dd559581bcf643e5a87ad89d6a9c0e5d (patch)
tree7d28c6dc8848da3563f0f447bf25252583cdd829 /puppet
parent490e237f09d2c685903b173d3fd94efc450a9cb2 (diff)
Enable heat/puppet to manage the fernet keys and make it configurable
With the addition of the KeystoneFernetKeys parameter, it's now possible to do fernet key rotations using mistral, by modifying the KeystoneFernetKeys variable in mistral; subsequently a rotation could happen when doing a stack update. So this re-enables the managing of the key files by puppet. However, this is left configurable, as folks might want to manage those files out-of-band. bp keystone-fernet-rotation Change-Id: Ic82fb8b8a76481a6e588047acf33a036cf444d7d
Diffstat (limited to 'puppet')
-rw-r--r--puppet/services/keystone.yaml10
1 files changed, 9 insertions, 1 deletions
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index 57e3286a..af494016 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -122,6 +122,14 @@ parameters:
KeystoneFernetKeys:
type: json
description: Mapping containing keystone's fernet keys and their paths.
+ ManageKeystoneFernetKeys:
+ type: boolean
+ default: true
+ description: Whether TripleO should manage the keystone fernet keys or not.
+ If set to true, the fernet keys will get the values from the
+ saved keys repository in mistral (the KeystoneFernetKeys
+ variable). If set to false, only the stack creation
+ initializes the keys, but subsequent updates won't touch them.
KeystoneLoggingSource:
type: json
default:
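Review bot: The description of `ManageKeystoneFernetKeys` does not say what the `default: true` means for deployments that previously relied on the hard-coded `false` removed in the second hunk: on their next stack update puppet will presumably start replacing the on-disk fernet keys with whatever `KeystoneFernetKeys` holds, so anyone rotating keys out-of-band has to opt out before updating. I would append to the description `Deployments that rotate the keys out-of-band must set this to false before the next stack update, otherwise the on-disk keys are replaced by the stored values.` As a point of style, the eight-line description is a plain multi-line scalar; writing it as `description: >-` makes the folding explicit and avoids a later edit that introduces `: ` or ` #` mid-sentence breaking the parse. The `parameters` mapping continues outside the hunk.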
@@ -258,7 +266,7 @@ outputs:
'/etc/keystone/credential-keys/1':
content: {get_param: KeystoneCredential1}
keystone::fernet_keys: {get_param: KeystoneFernetKeys}
- keystone::fernet_replace_keys: false
+ keystone::fernet_replace_keys: {get_param: ManageKeystoneFernetKeys}
keystone::debug:
if:
- service_debug_unset