From 656828530f331e095ea986cc102d359d6d7f429b Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Thu, 16 Mar 2017 13:26:25 +0200
Subject: [PATCH] docker/keystone: Bind mount entire fernet keys repository

Previously only the first two initial fernet keys were mounted into the
container. This is not practical, however, as doing key rotation will
generate more entries in this repository. So instead we mount the whole
directory, which would allow us to do rotation in the base host and
seamlessly affect the container as well.

Change-Id: I7763a09e57fe6a7867ffd079ab0b9222374c38c8
---
 docker/services/keystone.yaml | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml
index b7da3cb8..e50315ba 100644
--- a/docker/services/keystone.yaml
+++ b/docker/services/keystone.yaml
@@ -89,16 +89,6 @@ outputs:
              owner: keystone
              perm: '0600'
              source: /var/lib/kolla/config_files/src/etc/keystone/credential-keys/1
-           - dest: /etc/keystone/fernet-keys/0
-             owner: keystone
-             perm: '0600'
-             source: /var/lib/kolla/config_files/src/etc/keystone/fernet-keys/0
-             optional: {if: [keystone_fernet_tokens, false, true]}
-           - dest: /etc/keystone/fernet-keys/1
-             owner: keystone
-             perm: '0600'
-             source: /var/lib/kolla/config_files/src/etc/keystone/fernet-keys/1
-             optional: {if: [keystone_fernet_tokens, false, true]}
            - dest: /etc/httpd/conf.d/10-keystone_wsgi_admin.conf
              owner: root
              perm: '0644'
@@ -145,6 +135,11 @@ outputs:
               - /etc/hosts:/etc/hosts:ro
               - /etc/localtime:/etc/localtime:ro
               - logs:/var/log
+              -
+                if:
+                  - keystone_fernet_tokens
+                  - /var/lib/config-data/keystone/etc/keystone/fernet-keys:/etc/keystone/fernet-keys:ro
+                  - ''
             environment:
               - KOLLA_BOOTSTRAP=True
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
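Review bot: The bind mount added in the `if:` entry no longer gets the `owner: keystone` / `perm: '0600'` treatment that the removed `fernet-keys/0` and `fernet-keys/1` config_files entries applied. Because the mount is `:ro`, ownership and mode cannot be corrected inside the container, so access to the key repository now depends entirely on how `/var/lib/config-data/keystone/etc/keystone/fernet-keys` is created and rotated on the host. I would document that next to the mount, for example `# host dir must be readable only by the uid keystone runs as in the container (dir 0700, keys 0600); rotation on the host must preserve this`, and confirm that whatever writes the directory enforces it. Separately, when `keystone_fernet_tokens` is false the else branch leaves `''` as an element of the volumes list; it is worth checking that the consumer of this list drops empty entries rather than passing an empty volume spec to docker. The volumes list itself starts outside this hunk.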
-- 
2.16.6