diff options
| author |   Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-06-12 15:17:28 +0300 |
|---|---|---|
| committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-06-14 10:03:54 +0300 |
| commit | 490e237f09d2c685903b173d3fd94efc450a9cb2 (patch) | |
| tree | bbe79fb4666eff4ff5f170a409cef190416b2959 /puppet | |
| parent | 4c78689966132b9a0b224e8e1ab5b789c72c0978 (diff) | |
Use KeystoneFernetKeys instead of individual parameters
This uses the newly introduced dict with the keys and paths instead of
the individual keys. Having the advantage that rotation will be
possible on stack update, as we no longer have a limit on how many keys
we can pass (as we did with the individual parameters).
bp keystone-fernet-rotation
Change-Id: I7d224595b731d9f3390fce5a9d002282b2b4b8f2
Depends-On: I63ae158fa8cb33ac857dcf9434e9fbef07ecb68d
Diffstat (limited to 'puppet')
| -rw-r--r-- | puppet/services/keystone.yaml | 26 |
1 files changed, 19 insertions, 7 deletions
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index f3a9cbc4..57e3286a 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -113,10 +113,15 @@ parameters: description: The second Keystone credential key. Must be a valid key. KeystoneFernetKey0: type: string - description: The first Keystone fernet key. Must be a valid key. + default: '' + description: (DEPRECATED) The first Keystone fernet key. Must be a valid key. KeystoneFernetKey1: type: string - description: The second Keystone fernet key. Must be a valid key. + default: '' + description: (DEPRECATED) The second Keystone fernet key. Must be a valid key. + KeystoneFernetKeys: + type: json + description: Mapping containing keystone's fernet keys and their paths. KeystoneLoggingSource: type: json default: @@ -187,6 +192,17 @@ parameters: default: {} hidden: true +parameter_groups: +- label: deprecated + description: | + The following parameters are deprecated and will be removed. They should not + be relied on for new deployments. If you have concerns regarding deprecated + parameters, please contact the TripleO development team on IRC or the + OpenStack mailing list. + parameters: + - KeystoneFernetKey0 + - KeystoneFernetKey1 + resources: ApacheServiceBase: @@ -241,11 +257,7 @@ outputs: content: {get_param: KeystoneCredential0} '/etc/keystone/credential-keys/1': content: {get_param: KeystoneCredential1} - keystone::fernet_keys: - '/etc/keystone/fernet-keys/0': - content: {get_param: KeystoneFernetKey0} - '/etc/keystone/fernet-keys/1': - content: {get_param: KeystoneFernetKey1} + keystone::fernet_keys: {get_param: KeystoneFernetKeys} keystone::fernet_replace_keys: false keystone::debug: if: |