Update keystone default softparams
Moves _param:keystone_tokens_expiration: 3600 definition
into defaults/openstack/init.yml
Add default soft params for the keystone fernet rotation:
keystone_fernet_rotate_rsync_minute = 0
keystone_fernet_rotate_rsync_hour = '*'
Add default soft param for the keystone [token] allow_expired_window:
keystone_tokens_allow_expired_window = ''
Adjusted the max_active_keys default value according to the following defaults:
``[token] allow_expired_window`` = 172800 (48 hours)
``[token] expiration`` = 3600 (1 hour)
rotation_frequency = 1 hour (keystone_fernet_rotate_rsync_minute/hour = 0 *)
max_active_keys = (allow_expired_window + expiration)/rotation_frequency + 2
keystone_tokens_max_active_keys = 51
Change-Id: I7a2a252afb34de9f3c7c4a1549f67d534959ecf9
Related-Prod: PROD-27591
(cherry picked from commit 1558a8ee927fa4f952fa4fd5c4c0e4adbaa6d03e)
Set default keystone_tokens_allow_expired_window
Set keystone_tokens_allow_expired_window = 172800
Change-Id: I65595c09ed31c302d4cdec52e73bc52abc58d80d
Related-Prod: PROD-27591
(cherry picked from commit 8b98a638d7243f4eab10da8ca6a5e728a60c2deb)
diff --git a/keystone/server/fernet_rotation/cluster.yml b/keystone/server/fernet_rotation/cluster.yml
index c34c4f8..cf7b328 100644
--- a/keystone/server/fernet_rotation/cluster.yml
+++ b/keystone/server/fernet_rotation/cluster.yml
@@ -36,7 +36,8 @@
command: '/var/lib/keystone/keystone_keys_rotate.sh -r -s -t fernet >> /var/log/keystone/keystone-rotate.log 2>> /var/log/keystone/keystone-rotate.log'
enabled: true
user: keystone
- minute: 0
+ minute: ${_param:keystone_fernet_rotate_rsync_minute}
+ hour: ${_param:keystone_fernet_rotate_rsync_hour}
keystone_credential_rotate_rsync:
command: '/var/lib/keystone/keystone_keys_rotate.sh -r -s -t credential >> /var/log/keystone/keystone-rotate.log 2>> /var/log/keystone/keystone-rotate.log'
enabled: true
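Review bot: The `minute:` and `hour:` values of keystone_fernet_rotate_rsync become free parameters here, but the commit message computes keystone_tokens_max_active_keys = 51 on the assumption of a 1-hour rotation (minute 0, hour '*'), and nothing in this hunk ties the schedule to that value. An override that rotates more often without raising max_active_keys would drop keys before expiration + allow_expired_window has elapsed, so tokens that should still validate would be rejected; rotating less often keeps keys in the repository longer than the window requires. Suggest a comment beside these two lines, or beside the parameter defaults, stating max_active_keys = (allow_expired_window + expiration)/rotation_frequency + 2 so that anyone changing the schedule recomputes keystone_tokens_max_active_keys with it.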