commit 8e56a1a7975d7030241cfb8476ae54c9550498a0
Author: Mark Goddard <email address hidden>
Date: Thu Oct 22 09:18:32 2020 +0100
Fix keystone-startup.sh - remove Fernet key age check

Currently we check the age of the primary Fernet key on Keystone
startup, and fail if it is older than the rotation interval. While this
may seem sensible, there are various reasons why the key may be older
than this:

* if the rotation interval is not a factor of the number of seconds in a
  week, the rotation schedule will be lumpy, with the last rotation
  being up to twice the nominal rotation interval
* if a keystone host is unavailable at its scheduled rotation time,
  rotation will not happen. This may happen multiple times

We could do several things to avoid this issue:

1. remove the check on the age of the key
2. multiply the rotation interval by some factor to determine the
   allowed key age

This change goes for the more simple option 1. It also cleans up some
terminology in the keystone-startup.sh script.

Closes-Bug: #1895723
Change-Id: I2c35f59ae9449cb1646e402e0a9f28ad61f918a8
(cherry picked from commit ba8c27f554682e1f2720fad1bff5cfa1b35017f2)
Reviewed: https://review.opendev.org/759560
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=8e56a1a7975d7030241cfb8476ae54c9550498a0
Submitter: Zuul
Branch: stable/ussuri
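
Option 2 from the commit message above (allowing the primary key to be up to some multiple of the rotation interval old), sketched as an added example; this is not kolla-ansible's code and not what the change merged. It assumes the primary key is the highest-numbered file in the key directory and that its mtime marks the last rotation; the function names and the factor argument are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: tolerant age check for the primary Fernet key.
# Assumptions (not from the commit): keys are files named by integer index,
# the highest index is the primary key, and its mtime is the rotation time.

# Print a file's mtime in epoch seconds (GNU stat first, BSD stat fallback).
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Print the path of the primary key (highest numeric file name); 1 if none.
primary_key() {
    local dir="$1" f name best=-1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name="${f##*/}"
        case "$name" in ''|*[!0-9]*) continue ;; esac   # skip non-numeric names
        if [ "$name" -gt "$best" ]; then best="$name"; fi
    done
    [ "$best" -ge 0 ] || return 1
    printf '%s/%s\n' "$dir" "$best"
}

# check_key_age DIR INTERVAL_SECONDS FACTOR [NOW_EPOCH]
# Returns 0 if the primary key is at most INTERVAL*FACTOR seconds old,
# 1 if it is older, 2 if the directory holds no key at all.
# FACTOR=1 is the strict check; FACTOR=2 tolerates the "up to twice the
# nominal rotation interval" case described in the commit message.
check_key_age() {
    local dir="$1" interval="$2" factor="$3" now="${4:-$(date +%s)}"
    local key age
    key="$(primary_key "$dir")" || return 2
    age=$(( now - $(file_mtime "$key") ))
    [ "$age" -le $(( interval * factor )) ]
}
```

A key missed by several consecutive rotations (the second bullet in the commit message) still fails this check for any fixed factor, which is the case option 1 avoids.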