From: Juan Antonio Osorio Robles
Date: Thu, 11 May 2017 07:45:45 +0000 (+0300)
Subject: Disabling replacing fernet keys from puppet
X-Git-Tag: opnfv-6.0.0~677^2
X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=commitdiff_plain;h=eb923b0fae8eef49b8b2abf19e3035c20c4138dc;p=apex-tripleo-heat-templates.git

Disabling replacing fernet keys from puppet

Once puppet has written the initial fernet keys, if a deployer wants to rotate them, the keys will be overwritten when another overcloud deploy is executed (for instance, for updates or upgrades). This disables replacing these keys via puppet, so now the operator can rotate the keys out of band.

Change-Id: I01fd46ba7c5e0db12524095dc9fe29e90cb0de57
---
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index 58b2b7bf..c42b0530 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -231,6 +231,7 @@ outputs: content: {get_param: KeystoneFernetKey0} '/etc/keystone/fernet-keys/1': content: {get_param: KeystoneFernetKey1} + keystone::fernet_replace_keys: false keystone::debug: {get_param: Debug} keystone::rabbit_userid: {get_param: RabbitUserName} keystone::rabbit_password: {get_param: RabbitPassword}
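
Review bot: The added `keystone::fernet_replace_keys: false` in puppet/services/keystone.yaml is hardcoded and undocumented, while the entries directly above it still populate `/etc/keystone/fernet-keys/0` and `/etc/keystone/fernet-keys/1` from `KeystoneFernetKey0` and `KeystoneFernetKey1`. With replacement disabled as the commit message describes, a later change to those two parameters would no longer reach nodes that already have keys, and nothing in the template tells the operator so. That matters most when a key has to be replaced after a suspected compromise, since a redeploy with new parameter values would leave the old keys in place. Please add a comment beside the new line, or a release note, stating that the two parameters only seed the initial keys and that rotation is now an out-of-band operator task. Also consider taking the value from a template parameter that defaults to false, in line with the neighbouring `{get_param: ...}` entries, so a deployer who does want puppet to manage the keys can opt back in.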