From: Juan Antonio Osorio Robles Date: Thu, 16 Mar 2017 11:26:25 +0000 (+0200) Subject: docker/keystone: Bind mount entire fernet keys repository X-Git-Tag: opnfv-6.0.0~870^2 X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=commitdiff_plain;h=656828530f331e095ea986cc102d359d6d7f429b;p=apex-tripleo-heat-templates.git docker/keystone: Bind mount entire fernet keys repository Previously only the first two intial fernet keys were mounted into the container. This is not practical, however, as doing key rotation will generate more entries in this repository. So instead we mount the whole directory, which would allow us to do rotation in the base host and seamlessly affect the container as well. Change-Id: I7763a09e57fe6a7867ffd079ab0b9222374c38c8
---
diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml
index b7da3cb8..e50315ba 100644
--- a/docker/services/keystone.yaml
+++ b/docker/services/keystone.yaml
@@ -89,16 +89,6 @@ outputs:
 owner: keystone
 perm: '0600'
 source: /var/lib/kolla/config_files/src/etc/keystone/credential-keys/1
- - dest: /etc/keystone/fernet-keys/0
- owner: keystone
- perm: '0600'
- source: /var/lib/kolla/config_files/src/etc/keystone/fernet-keys/0
- optional: {if: [keystone_fernet_tokens, false, true]}
- - dest: /etc/keystone/fernet-keys/1
- owner: keystone
- perm: '0600'
- source: /var/lib/kolla/config_files/src/etc/keystone/fernet-keys/1
- optional: {if: [keystone_fernet_tokens, false, true]}
 - dest: /etc/httpd/conf.d/10-keystone_wsgi_admin.conf
 owner: root
 perm: '0644'
@@ -145,6 +135,11 @@ outputs:
 - /etc/hosts:/etc/hosts:ro
 - /etc/localtime:/etc/localtime:ro
 - logs:/var/log
+ -
+ if:
+ - keystone_fernet_tokens
+ - /var/lib/config-data/keystone/etc/keystone/fernet-keys:/etc/keystone/fernet-keys:ro
+ - ''
 environment:
 - KOLLA_BOOTSTRAP=True
 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
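Review bot: The bind mount added to the volumes list drops the ownership and mode enforcement that the removed config entries carried (`owner: keystone`, `perm: '0600'`), so the container now sees whatever uid and mode the key files have under /var/lib/config-data/keystone/etc/keystone/fernet-keys on the host. If nothing else in the deployment sets those, the keys may be unreadable to keystone inside the container or readable more widely on the host than intended; a comment above the entry would record the requirement, e.g. `# host-side fernet keys must be 0600 and owned by the uid keystone runs as in the container`. Separately, the else branch of the `if` leaves an empty string `''` in the volumes list when keystone_fernet_tokens is false, which presumably relies on the container runner ignoring empty entries and is worth confirming. The volumes list starts outside the hunk.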