From 656828530f331e095ea986cc102d359d6d7f429b Mon Sep 17 00:00:00 2001 From: Juan Antonio Osorio Robles Date: Thu, 16 Mar 2017 13:26:25 +0200 Subject: docker/keystone: Bind mount entire fernet keys repository Previously only the first two intial fernet keys were mounted into the container. This is not practical, however, as doing key rotation will generate more entries in this repository. So instead we mount the whole directory, which would allow us to do rotation in the base host and seamlessly affect the container as well. Change-Id: I7763a09e57fe6a7867ffd079ab0b9222374c38c8 --- docker/services/keystone.yaml | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) (limited to 'docker') diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml index b7da3cb8..e50315ba 100644 --- a/docker/services/keystone.yaml +++ b/docker/services/keystone.yaml @@ -89,16 +89,6 @@ outputs: owner: keystone perm: '0600' source: /var/lib/kolla/config_files/src/etc/keystone/credential-keys/1 - - dest: /etc/keystone/fernet-keys/0 - owner: keystone - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/keystone/fernet-keys/0 - optional: {if: [keystone_fernet_tokens, false, true]} - - dest: /etc/keystone/fernet-keys/1 - owner: keystone - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/keystone/fernet-keys/1 - optional: {if: [keystone_fernet_tokens, false, true]} - dest: /etc/httpd/conf.d/10-keystone_wsgi_admin.conf owner: root perm: '0644' @@ -145,6 +135,11 @@ outputs: - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - logs:/var/log + - + if: + - keystone_fernet_tokens + - /var/lib/config-data/keystone/etc/keystone/fernet-keys:/etc/keystone/fernet-keys:ro + - '' environment: - KOLLA_BOOTSTRAP=True - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS -- cgit 1.2.3-korg