Allow configuring the credential repository.
Change-Id: I6301c401cfbd02590b770e7caac4155645bf866c
diff --git a/keystone/files/newton/keystone.conf.Debian b/keystone/files/newton/keystone.conf.Debian
index a464ac3..7c5960e 100644
--- a/keystone/files/newton/keystone.conf.Debian
+++ b/keystone/files/newton/keystone.conf.Debian
@@ -672,7 +672,7 @@
# of keys should be managed separately and require different rotation policies.
# Do not share this repository with the repository used to manage keys for
# Fernet tokens. (string value)
-#key_repository = /etc/keystone/credential-keys/
+key_repository = {{ server.credential.location }}
[database]
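Review bot: The new `key_repository` line dereferences `server.credential.location` with no fallback, so a pillar that predates this change and carries no `credential` mapping is likely to fail at template render time (Salt's Jinja renderer treats undefined attributes as errors by default) rather than keeping keystone's built-in default that the removed commented line documented. A guarded lookup, `key_repository = {{ server.get('credential', {}).get('location', '/etc/keystone/credential-keys/') }}`, keeps older pillars rendering while still honouring the new setting. The ocata keystone.conf.Debian hunk has the same shape and would take the same fix. Whatever value is rendered here must match the directory `keystone_credential_keys` in server.sls creates and chowns, since keystone reads the credential keys from this path at runtime.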
diff --git a/keystone/files/ocata/keystone.conf.Debian b/keystone/files/ocata/keystone.conf.Debian
index 5374c5d..9e9ff1c 100644
--- a/keystone/files/ocata/keystone.conf.Debian
+++ b/keystone/files/ocata/keystone.conf.Debian
@@ -745,7 +745,7 @@
# of keys should be managed separately and require different rotation policies.
# Do not share this repository with the repository used to manage keys for
# Fernet tokens. (string value)
-#key_repository = /etc/keystone/credential-keys/
+key_repository = {{ server.credential.location }}
[database]
diff --git a/keystone/server.sls b/keystone/server.sls
index c88db61..d6a54da 100644
--- a/keystone/server.sls
+++ b/keystone/server.sls
@@ -242,20 +242,30 @@
- require:
- service: {{ keystone_service }}
- file: keystone_fernet_keys
+{%- endif %}
-{%- if server.version == 'newton' %}
-keystone_fernet_setup_credentials:
+{% endif %}
+
+{%- if server.version in ['newton', 'ocata'] %}
+keystone_credential_keys:
+ file.directory:
+ - name: {{ server.credential.location }}
+ - mode: 750
+ - user: keystone
+ - group: keystone
+ - require:
+ - pkg: keystone_packages
+
+{%- if not grains.get('noservices', False) %}
+keystone_credential_setup:
cmd.run:
- name: keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
- require:
- service: {{ keystone_service }}
- - cmd: keystone_fernet_setup
- - file: keystone_fernet_keys
+ - file: keystone_credential_keys
{%- endif %}
{%- endif %}
-{% endif %}
-
{%- if not grains.get('noservices', False) %}
{%- if not salt['pillar.get']('linux:system:repo:mirantis_openstack', False) %}
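Review bot: `keystone_credential_setup` is a plain `cmd.run` with no `unless`/`creates` guard, so `keystone-manage credential_setup` is executed and reported as a change on every highstate even when the repository already holds a key; adding `- unless: test -f {{ server.credential.location }}/0` (keystone names the initial key file `0`) makes the state converge and keeps the key-rotation history untouched by routine runs. The rewritten state also drops the `cmd: keystone_fernet_setup` requisite that `keystone_fernet_setup_credentials` had, which is fine if the credential repository is independent of the fernet one, but worth confirming since the old ordering may have been deliberate. The `{%- endif %}` / `{% endif %}` pair at the top of the hunk closes blocks that open outside it, so the enclosing Jinja structure cannot be checked from here; the mixed `{%-`/`{%` whitespace control on those two lines looks intentional but a one-line comment saying so would save the next reader a diff hunt.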
diff --git a/metadata/service/server/cluster.yml b/metadata/service/server/cluster.yml
index 5038cf3..147bd34 100644
--- a/metadata/service/server/cluster.yml
+++ b/metadata/service/server/cluster.yml
@@ -30,6 +30,8 @@
engine: cache
expiration: 43200
location: /etc/keystone/fernet-keys/
+ credential:
+ location: /etc/keystone/credential-keys/
message_queue:
engine: rabbitmq
host: ${_param:cluster_vip_address}
diff --git a/metadata/service/server/single.yml b/metadata/service/server/single.yml
index 5269121..d131fd7 100644
--- a/metadata/service/server/single.yml
+++ b/metadata/service/server/single.yml
@@ -30,6 +30,8 @@
engine: cache
expiration: 43200
location: /etc/keystone/fernet-keys/
+ credential:
+ location: /etc/keystone/credential-keys/
message_queue:
engine: rabbitmq
host: ${_param:single_address}