authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-05-11 10:45:45 +0300
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-05-11 10:45:45 +0300
commiteb923b0fae8eef49b8b2abf19e3035c20c4138dc (patch)
tree30e6bcfb91eb81a16e173b5e9a40562361fdecbb /puppet
parent6c43d5b4ffc33b83f7f3bc2098b8a49b4c5c2364 (diff)
Disabling replacing fernet keys from puppet
Once puppet has written the initial fernet keys, if a deployer wants to rotate them, the keys will be overwritten when another overcloud deploy is executed (for instance, for updates or upgrades). This disables replacing these keys via puppet, so now the operator can rotate the keys out of band. Change-Id: I01fd46ba7c5e0db12524095dc9fe29e90cb0de57
Diffstat (limited to 'puppet')
-rw-r--r--puppet/services/keystone.yaml1
1 files changed, 1 insertions, 0 deletions
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index 58b2b7bf..c42b0530 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -231,6 +231,7 @@ outputs:
content: {get_param: KeystoneFernetKey0}
'/etc/keystone/fernet-keys/1':
content: {get_param: KeystoneFernetKey1}
+ keystone::fernet_replace_keys: false
keystone::debug: {get_param: Debug}
keystone::rabbit_userid: {get_param: RabbitUserName}
keystone::rabbit_password: {get_param: RabbitPassword}
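Review bot: The added `keystone::fernet_replace_keys: false` line has no comment, so a later reader cannot tell that `KeystoneFernetKey0`/`KeystoneFernetKey1` now only seed the key repository and stop governing its contents after the first deploy. I would add above it `# Puppet only seeds the fernet keys; rotation is done out of band and must be kept in sync across all keystone nodes.` Two consequences are worth confirming, since neither is visible in this hunk: a node added later would presumably be seeded with the original parameter values rather than the rotated keys, and changing the parameters would no longer replace a key suspected of being compromised, so the out-of-band rotation procedure has to cover both cases. The enclosing config map starts and ends outside the hunk.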