Merge "definition for ceph-add-osd-upmap pipeline" into release/2019.2.0
diff --git a/defaults/openstack/init.yml b/defaults/openstack/init.yml
index 3c46a0d..e4f686b 100644
--- a/defaults/openstack/init.yml
+++ b/defaults/openstack/init.yml
@@ -99,6 +99,24 @@
     keystone_old_version: ${_param:openstack_old_version}
     keystone_version: ${_param:openstack_version}
     keystone_upgrade_enabled: ${_param:openstack_upgrade_enabled}
+    # (obryndzii) Rotating keys too frequently, or with ``[fernet_tokens] max_active_keys``
+    # set too low, will cause tokens to become invalid prior to their expiration.
+    # As tokens may be fetched beyond their initial expiration period (nova live migration,
+    # cider volume backup), keys should not be fully rotated within the period of
+    # ``[token] expiration``+``[token] allow_expired_window`` seconds to prevent the tokens
+    # becoming unavailable.
+    # The max_active_keys default value was adjusted according to the following defaults:
+    # [token]/allow_expired_window = 172800 (48 hours)
+    # [token]/expiration = 3600 (1 hour)
+    # rotation_frequency = 1 hour (keystone_fernet_rotate_rsync_minute/hour 0 *)
+    # max_active_keys = (allow_expired_window + expiration)/rotation_frequency + 2
+    # In case of changing those defaults the keystone_tokens_max_active_keys value should be
+    # calculated according to the definition above.
+    keystone_tokens_expiration: 3600
+    keystone_tokens_max_active_keys: 51
+    keystone_tokens_allow_expired_window: 172800
+    keystone_fernet_rotate_rsync_minute: 0
+    keystone_fernet_rotate_rsync_hour: '*'
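Review bot: The derivation in the comment block (lines 16-22) pins keystone_tokens_max_active_keys to 51 for an hourly rotation, but the rotation cadence is now a separate, independently overridable pair (keystone_fernet_rotate_rsync_minute/hour at lines 26-27); overriding the cron values to rotate more often than hourly without recomputing max_active_keys shortens the key lifetime below `expiration + allow_expired_window`, which is exactly the condition the comment says must be avoided. The coupling is only implied by the formula, so it is worth stating next to the cron parameters, e.g. `# Rotation cadence used in the max_active_keys derivation above; change these and keystone_tokens_max_active_keys together.`. Also, "cider volume backup" on line 13 is presumably meant to read "cinder volume backup".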
     # Manila
     manila_old_version: ${_param:openstack_old_version}
     manila_version: ${_param:openstack_version}
diff --git a/keystone/server/cluster.yml b/keystone/server/cluster.yml
index d64a6cb..7e9ea1b 100644
--- a/keystone/server/cluster.yml
+++ b/keystone/server/cluster.yml
@@ -11,7 +11,6 @@
 - system.keystone.client.os_client_config.admin_identity
 parameters:
   _param:
-    keystone_tokens_expiration: 3600
     openstack_node_role: primary
     keystone_service_protocol: ${_param:cluster_internal_protocol}
   linux:
@@ -58,7 +57,8 @@
       tokens:
         engine: fernet
         expiration: ${_param:keystone_tokens_expiration}
-        max_active_keys: 3
+        max_active_keys: ${_param:keystone_tokens_max_active_keys}
+        allow_expired_window: ${_param:keystone_tokens_allow_expired_window}
         location: /var/lib/keystone/fernet-keys
       credential:
         location: /var/lib/keystone/credential-keys
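Review bot: max_active_keys and the new allow_expired_window at lines 48-49 — together with keystone_tokens_expiration, whose local default is removed in the earlier hunk (line 39) — now resolve only through _param values that this diff defines in defaults/openstack/init.yml; a model that includes this class without that defaults class would end up with an unresolved `${_param:...}` where it previously got the hard-coded 3 and 3600. It would help to note the dependency in the class, e.g. `# keystone_tokens_* defaults come from defaults/openstack/init.yml`. Whether the keystone formula actually renders allow_expired_window under `[token]` in keystone.conf cannot be verified from this diff; if it does not, the 48-hour window assumed by the max_active_keys derivation is never applied, so that should be confirmed in the formula. The same applies to keystone/server/single.yml at lines 93-102.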
diff --git a/keystone/server/fernet_rotation/cluster.yml b/keystone/server/fernet_rotation/cluster.yml
index c34c4f8..cf7b328 100644
--- a/keystone/server/fernet_rotation/cluster.yml
+++ b/keystone/server/fernet_rotation/cluster.yml
@@ -36,7 +36,8 @@
           command: '/var/lib/keystone/keystone_keys_rotate.sh -r -s -t fernet >> /var/log/keystone/keystone-rotate.log 2>> /var/log/keystone/keystone-rotate.log'
           enabled: true
           user: keystone
-          minute: 0
+          minute: ${_param:keystone_fernet_rotate_rsync_minute}
+          hour: ${_param:keystone_fernet_rotate_rsync_hour}
         keystone_credential_rotate_rsync:
           command: '/var/lib/keystone/keystone_keys_rotate.sh -r -s -t credential >> /var/log/keystone/keystone-rotate.log 2>> /var/log/keystone/keystone-rotate.log'
           enabled: true
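Review bot: The fernet job now carries an explicit `hour:` at line 63, while the credential rotation job that starts at line 64 is left on whatever schedule it had (its schedule line is outside the hunk); if both key types are meant to rotate on the same cadence, the credential entry should receive the same minute/hour parameters or a documented pair of its own. The default `'*'` is quoted in defaults/openstack/init.yml, but any override must be quoted as well, since an unquoted `*` in YAML is an alias indicator and fails to parse; a comment above the job such as `# hour/minute must stay quoted if overridden ('*'), and changing the cadence requires recomputing keystone_tokens_max_active_keys` would make both points visible where the value is consumed. The same change is made in keystone/server/fernet_rotation/single.yml at lines 71-80.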
diff --git a/keystone/server/fernet_rotation/single.yml b/keystone/server/fernet_rotation/single.yml
index 8a3d6fb..7514086 100644
--- a/keystone/server/fernet_rotation/single.yml
+++ b/keystone/server/fernet_rotation/single.yml
@@ -22,7 +22,8 @@
           command: '/var/lib/keystone/keystone_keys_rotate.sh -r -t fernet >> /var/log/keystone/keystone-rotate.log 2>> /var/log/keystone/keystone-rotate.log'
           enabled: true
           user: keystone
-          minute: 0
+          minute: ${_param:keystone_fernet_rotate_rsync_minute}
+          hour: ${_param:keystone_fernet_rotate_rsync_hour}
         keystone_credential_rotate_rsync:
           command: '/var/lib/keystone/keystone_keys_rotate.sh -r -t credential >> /var/log/keystone/keystone-rotate.log 2>> /var/log/keystone/keystone-rotate.log'
           enabled: true
diff --git a/keystone/server/single.yml b/keystone/server/single.yml
index 6996968..9663488 100644
--- a/keystone/server/single.yml
+++ b/keystone/server/single.yml
@@ -13,7 +13,6 @@
     mysql_admin_user: root
     mysql_admin_password: password
     mysql_keystone_password: password
-    keystone_tokens_expiration: 3600
     openstack_node_role: primary
     keystone_service_protocol: ${_param:cluster_internal_protocol}
   linux:
@@ -57,7 +56,8 @@
       tokens:
         engine: fernet
         expiration: ${_param:keystone_tokens_expiration}
-        max_active_keys: 3
+        max_active_keys: ${_param:keystone_tokens_max_active_keys}
+        allow_expired_window: ${_param:keystone_tokens_allow_expired_window}
         location: /var/lib/keystone/fernet-keys
       credential:
         location: /var/lib/keystone/credential-keys