1 files changed, 9 insertions, 1 deletions

diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index 57e3286a..af494016 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -122,6 +122,14 @@ parameters:
   KeystoneFernetKeys:
     type: json
     description: Mapping containing keystone's fernet keys and their paths.
+  ManageKeystoneFernetKeys:
+    type: boolean
+    default: true
+    description: Whether TripleO should manage the keystone fernet keys or not.
+                 If set to true, the fernet keys will get the values from the
+                 saved keys repository in mistral (the KeystoneFernetKeys
+                 variable). If set to false, only the stack creation
+                 initializes the keys, but subsequent updates won't touch them.
   KeystoneLoggingSource:
     type: json
     default:
@@ -258,7 +266,7 @@ outputs:
               '/etc/keystone/credential-keys/1':
                 content: {get_param: KeystoneCredential1}
             keystone::fernet_keys: {get_param: KeystoneFernetKeys}
-            keystone::fernet_replace_keys: false
+            keystone::fernet_replace_keys: {get_param: ManageKeystoneFernetKeys}
             keystone::debug:
               if:
               - service_debug_unset