3 files changed, 26 insertions, 1 deletions

diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml
index bd3a010e..3f8baef7 100644
--- a/docker/services/keystone.yaml
+++ b/docker/services/keystone.yaml
@@ -30,6 +30,12 @@ parameters:
     description: The password for the keystone admin account, used for monitoring, querying neutron etc.
     type: string
     hidden: true
+  KeystoneTokenProvider:
+    description: The keystone token format
+    type: string
+    default: 'uuid'
+    constraints:
+      - allowed_values: ['uuid', 'fernet']
 
 resources:
 
@@ -40,6 +46,9 @@ resources:
       ServiceNetMap: {get_param: ServiceNetMap}
       DefaultPasswords: {get_param: DefaultPasswords}
 
+conditions:
+  keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
+
 outputs:
   role_data:
     description: Role data for the Keystone API role.
@@ -80,6 +89,16 @@ outputs:
              owner: keystone
              perm: '0600'
              source: /var/lib/kolla/config_files/src/etc/keystone/credential-keys/1
+           - dest: /etc/keystone/fernet-keys/0
+             owner: keystone
+             perm: '0600'
+             source: /var/lib/kolla/config_files/src/etc/keystone/fernet-keys/0
+             optional: {if: [keystone_fernet_tokens, false, true]}
+           - dest: /etc/keystone/fernet-keys/1
+             owner: keystone
+             perm: '0600'
+             source: /var/lib/kolla/config_files/src/etc/keystone/fernet-keys/1
+             optional: {if: [keystone_fernet_tokens, false, true]}
            - dest: /etc/httpd/conf.d/10-keystone_wsgi_admin.conf
              owner: root
              perm: '0644'
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index f9a15391..17616867 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -35,7 +35,7 @@ parameters:
   KeystoneTokenProvider:
     description: The keystone token format
     type: string
-    default: 'uuid'
+    default: 'fernet'
     constraints:
       - allowed_values: ['uuid', 'fernet']
   ServiceNetMap:
diff --git a/releasenotes/notes/Switch-keystone's-default-token-provider-to-fernet-2542fccb5a588852.yaml b/releasenotes/notes/Switch-keystone's-default-token-provider-to-fernet-2542fccb5a588852.yaml
new file mode 100644
index 00000000..50b8167e
--- /dev/null
+++ b/releasenotes/notes/Switch-keystone's-default-token-provider-to-fernet-2542fccb5a588852.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - Keystone's default token provider is now fernet instead of UUID
+upgrade:
+  - When upgrading, old tokens will not work anymore due to the provider
+    changing from UUID to fernet.