docker/keystone: Bind mount entire fernet keys repository
authorJuan Antonio Osorio Robles <jaosorior@redhat.com>
Thu, 16 Mar 2017 11:26:25 +0000 (13:26 +0200)
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>
Mon, 27 Mar 2017 07:23:28 +0000 (07:23 +0000)
Previously only the first two initial fernet keys were mounted into the
container. This is not practical, however, as doing key rotation will
generate more entries in this repository. So instead we mount the whole
directory, which would allow us to do rotation in the base host and
seamlessly affect the container as well.

Change-Id: I7763a09e57fe6a7867ffd079ab0b9222374c38c8

docker/services/keystone.yaml

index b7da3cb..e50315b 100644 (file)
@@ -89,16 +89,6 @@ outputs:
              owner: keystone
              perm: '0600'
              source: /var/lib/kolla/config_files/src/etc/keystone/credential-keys/1
-           - dest: /etc/keystone/fernet-keys/0
-             owner: keystone
-             perm: '0600'
-             source: /var/lib/kolla/config_files/src/etc/keystone/fernet-keys/0
-             optional: {if: [keystone_fernet_tokens, false, true]}
-           - dest: /etc/keystone/fernet-keys/1
-             owner: keystone
-             perm: '0600'
-             source: /var/lib/kolla/config_files/src/etc/keystone/fernet-keys/1
-             optional: {if: [keystone_fernet_tokens, false, true]}
            - dest: /etc/httpd/conf.d/10-keystone_wsgi_admin.conf
              owner: root
              perm: '0644'
@@ -145,6 +135,11 @@ outputs:
               - /etc/hosts:/etc/hosts:ro
               - /etc/localtime:/etc/localtime:ro
               - logs:/var/log
+              -
+                if:
+                  - keystone_fernet_tokens
+                  - /var/lib/config-data/keystone/etc/keystone/fernet-keys:/etc/keystone/fernet-keys:ro
+                  - ''
             environment:
               - KOLLA_BOOTSTRAP=True
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
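Review bot: With the kolla config_files entries for fernet-keys/0 and /1 removed in the first hunk, nothing in the container now enforces `owner: keystone` / `perm: '0600'` on the key files; the new volume line bind-mounts the host directory as-is, so the key material is only as protected as the host's ownership and mode on /var/lib/config-data/keystone/etc/keystone/fernet-keys, and the container's keystone uid must be able to read it. A comment above the `if:` entry such as `# host dir must be owned/readable by the keystone uid used in the container; key files should remain 0600` would make that assumption explicit for whoever manages rotation on the host. The `''` fallback also leaves an empty string in the volumes list when keystone_fernet_tokens is false; this presumably relies on the consumer dropping empty entries, which is worth confirming. The enclosing volumes/docker_config mapping starts outside the hunk.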