From d78673e77fc376274192a8f7b547ce90d6bdc151 Mon Sep 17 00:00:00 2001
From: Michal Nasiadka <mnasiadka@gmail.com>
Date: Thu, 24 Sep 2020 15:16:55 +0200
Subject: [PATCH] Fix keystone-startup.sh

keystone-startup.sh is using fernet_token_expiry instead of
fernet_key_rotation_interval - which results in a restart loop of keystone
containers - when restarted after 2-3 days.

Closes-Bug: #1895723

Change-Id: Ifff77af3d25d9dc659fff34f2ae3c6f2670df0f4
---
 ansible/roles/keystone/templates/keystone-startup.sh.j2 | 4 ++--
 releasenotes/notes/bug-1895723-910de90908de260a.yaml    | 6 ++++++
 2 files changed, 8 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/bug-1895723-910de90908de260a.yaml

diff --git a/ansible/roles/keystone/templates/keystone-startup.sh.j2 b/ansible/roles/keystone/templates/keystone-startup.sh.j2
index f5769b9488..2304df1ab2 100644
--- a/ansible/roles/keystone/templates/keystone-startup.sh.j2
+++ b/ansible/roles/keystone/templates/keystone-startup.sh.j2
@@ -26,8 +26,8 @@ done
 TOKEN_PRIMARY=$(ls -1 ${TOKEN_DIR} | sort -hr | head -n 1)
 # Check it's age in seconds
 TOKEN_AGE=$(($(date +%s) - $(date +%s -r "${TOKEN_DIR}/${TOKEN_PRIMARY}")))
-# Compare if it's older than fernet_token_expiry and run key rotation if needed
-if [ "${TOKEN_AGE}" -gt "{{ fernet_token_expiry }}" ]; then
+# Compare if it's older than fernet_key_rotation_interval and fail if it's stale
+if [ "${TOKEN_AGE}" -gt "{{ fernet_key_rotation_interval }}" ]; then
     echo "ERROR: Primary token ${TOKEN_PRIMARY} is stale."
     exit 1
 fi
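Review bot: The added `if [ "${TOKEN_AGE}" -gt "{{ fernet_key_rotation_interval }}" ]` check leaves no tolerance. Just before a scheduled rotation the primary key is expected to be almost exactly one interval old, so a late or slow rotation or key-distribution run (presumably scheduled elsewhere, not visible here) would still hit `exit 1` and restart-loop the container. Consider comparing against the interval plus a grace margin, e.g. `STALE_AFTER=$(( {{ fernet_key_rotation_interval }} + GRACE_SECONDS ))`, where GRACE_SECONDS is a placeholder for a value the project chooses. The error would also be easier to triage on stderr with the numbers included: `echo "ERROR: Primary key ${TOKEN_PRIMARY} is stale (age ${TOKEN_AGE}s, limit {{ fernet_key_rotation_interval }}s)." >&2`. The loop closed by `done` and the definition of TOKEN_DIR lie outside this hunk.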
diff --git a/releasenotes/notes/bug-1895723-910de90908de260a.yaml b/releasenotes/notes/bug-1895723-910de90908de260a.yaml
new file mode 100644
index 0000000000..959285bf60
--- /dev/null
+++ b/releasenotes/notes/bug-1895723-910de90908de260a.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    An issue has been fixed when ``keystone`` container would be stuck in
+    restart loop with a message that fernet key is stale.
+    `LP#1895723 <https://launchpad.net/bugs/1895723>`__