Configure Keystone Fernet Keys
author Adam Young <ayoung@redhat.com>
Mon, 14 Nov 2016 19:54:25 +0000 (14:54 -0500)
committer Juan Antonio Osorio Robles <jaosorior@redhat.com>
Thu, 17 Nov 2016 14:22:53 +0000 (14:22 +0000)
Provision the Keystone Fernet Token provider
by installing 2 keys with dynamic content
generated by python-tripleoclient.

Note that this only sets up the necessary keys to use fernet as a token
provider; however, this does not intend to set it up as the default
provider. This will be discussed and will come as part of another
commit.

Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Depends-On: Ic070d160b519b8637997dbde165dbf15275e0dfe
Change-Id: Iaa5499614417000c1b9ba42a776a50cb22c1bb30

puppet/services/keystone.yaml

index d819e04..fe023a6 100644 (file)
@@ -99,6 +99,12 @@ parameters:
   KeystoneCredential1:
     type: string
     description: The second Keystone credential key. Must be a valid key.
+  KeystoneFernetKey0:
+    type: string
+    description: The first Keystone fernet key. Must be a valid key.
+  KeystoneFernetKey1:
+    type: string
+    description: The second Keystone fernet key. Must be a valid key.
   KeystoneLoggingSource:
     type: json
     default:
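Review bot: KeystoneFernetKey0 and KeystoneFernetKey1 are declared with only a type and a description, so nothing marks them as secrets. These keys encrypt and sign tokens; adding `hidden: true` to both parameters would keep their values out of stack parameter listings. The description "Must be a valid key" also does not say what valid means. It would help to state the expected format (a Fernet key is 32 bytes, URL-safe base64 encoded) and to note that, with no default, the stack cannot be created unless the client supplies both values.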
@@ -156,6 +162,11 @@ outputs:
                 content: {get_param: KeystoneCredential0}
               '/etc/keystone/credential-keys/1':
                 content: {get_param: KeystoneCredential1}
+            keystone::fernet_keys:
+              '/etc/keystone/fernet-keys/0':
+                content: {get_param: KeystoneFernetKey0}
+              '/etc/keystone/fernet-keys/1':
+                content: {get_param: KeystoneFernetKey1}
             keystone::debug: {get_param: Debug}
             keystone::rabbit_userid: {get_param: RabbitUserName}
             keystone::rabbit_password: {get_param: RabbitPassword}
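Review bot: the keystone::fernet_keys entries carry only `content`, taken straight from stack parameters, and the hunk sets nothing else for these files. Two things to confirm before merging: that the consuming Puppet class creates /etc/keystone/fernet-keys/0 and /etc/keystone/fernet-keys/1 with ownership and mode restricted to the keystone user, and what happens on a stack update after keys have been rotated on the node, since reapplying this data would write the original parameter values back over the rotated keys. A short comment that key 0 is the staged key and the highest index is the primary would also help readers of this mapping, because "first" and "second" in the parameter descriptions do not convey those roles.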