When setting up Fernet key rotation with a maximum number of active keys set to 25, it turned out that 'keystone-manage fernet_rotate' started deleting two keys once it reached 13 existing keys. It would waver between 12 and 13 keys every time it was rotated. It looks like this might be related to the range of keys to remove being negative:
excess_keys = ( keys[:len(key_files) - CONF.fernet_tokens.max_active_keys + 1])
.. ends up being excess_keys = ( keys[:-11] )
.. which seems to be dipping back into the range of keys that should still be good and removing those.
Adding something like: "if len(key_files) - CONF.fernet_tokens.max_active_keys + 1 >= 0" for the purge excess keys section seemed to allow us to generate all 25 keys, then rotate as normal. Once we hit the full 25 keys, this additional line was no longer needed.
Attaching some log information showing the available keys going from 12, 13, 12, 13.
Hi Chris,
Thanks for the report. I am able to confirm. For me, the first key (/etc/keystone/fernet-keys/1) is being pruned when I perform a rotate after there are 12 keys in the repository. So, once the 13th key is added, the first key is prematurely removed. Sounds like what you were experiencing.
I'll take a look into the code, thanks!