Use KeystoneFernetKeys instead of individual parameters

This uses the newly introduced dict with the keys and paths instead of
the individual keys. Having the advantage that rotation will be
possible on stack update, as we no longer have a limit on how many keys
we can pass (as we did with the individual parameters).

bp keystone-fernet-rotation
Change-Id: I7d224595b731d9f3390fce5a9d002282b2b4b8f2
Depends-On: I63ae158fa8cb33ac857dcf9434e9fbef07ecb68d

diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index f3a9cbc..57e3286 100644 (file)
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -113,10 +113,15 @@ parameters:
     description: The second Keystone credential key. Must be a valid key.
   KeystoneFernetKey0:
     type: string
-    description: The first Keystone fernet key. Must be a valid key.
+    default: ''
+    description: (DEPRECATED) The first Keystone fernet key. Must be a valid key.
   KeystoneFernetKey1:
     type: string
-    description: The second Keystone fernet key. Must be a valid key.
+    default: ''
+    description: (DEPRECATED) The second Keystone fernet key. Must be a valid key.
+  KeystoneFernetKeys:
+    type: json
+    description: Mapping containing keystone's fernet keys and their paths.
   KeystoneLoggingSource:
     type: json
     default:
@@ -187,6 +192,17 @@ parameters:
     default: {}
     hidden: true
 
+parameter_groups:
+- label: deprecated
+  description: |
+   The following parameters are deprecated and will be removed. They should not
+   be relied on for new deployments. If you have concerns regarding deprecated
+   parameters, please contact the TripleO development team on IRC or the
+   OpenStack mailing list.
+  parameters:
+  - KeystoneFernetKey0
+  - KeystoneFernetKey1
+
 resources:
 
   ApacheServiceBase:
@@ -241,11 +257,7 @@ outputs:
                 content: {get_param: KeystoneCredential0}
               '/etc/keystone/credential-keys/1':
                 content: {get_param: KeystoneCredential1}
-            keystone::fernet_keys:
-              '/etc/keystone/fernet-keys/0':
-                content: {get_param: KeystoneFernetKey0}
-              '/etc/keystone/fernet-keys/1':
-                content: {get_param: KeystoneFernetKey1}
+            keystone::fernet_keys: {get_param: KeystoneFernetKeys}
             keystone::fernet_replace_keys: false
             keystone::debug:
               if:

diff --git a/releasenotes/notes/Use-KeystoneFernetKeys-parameter-bd635a106bb8e00f.yaml b/releasenotes/notes/Use-KeystoneFernetKeys-parameter-bd635a106bb8e00f.yaml
new file mode 100644 (file)
index 0000000..1e2673f
--- /dev/null
+++ b/releasenotes/notes/Use-KeystoneFernetKeys-parameter-bd635a106bb8e00f.yaml
@@ -0,0 +1,10 @@
+---
+features:
+  - The KeystoneFernetKeys parameter was introduced, which is able to take any
+    amount of keys as long as it's in the right format. It's generated by the
+    same mechanism as the rest of the passwords; so it's value is also
+    available via mistral's "password" environment variable. This will also
+    allow for rotations to be made via mistral and via stack updates.
+deprecations:
+  - The individual keystone fernet key parameters (KeystoneFernetKey0 and
+    KeystoneFernetKey1) were deprecated in favor of KeystoneFernetKeys.