
Following up on the post-merge comments in [0]. [0]: https://review.opendev.org/#/c/698710 Change-Id: I92b3de7fb792f1fffe298ffaf6bbafab8e640742
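#!/bin/bash -x
# Keystone container start hook (Jinja template, rendered before use).
# Waits for the Fernet key directory to be populated, refuses to start when
# the primary key is older than fernet_token_expiry, then hands off to the
# web server.  The -x in the shebang traces every command to stderr; note it
# only applies when the rendered script is invoked directly, not via
# `bash <script>`.
{% set keystone_cmd = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}

set -o errexit
set -o nounset
set -o pipefail

readonly TOKEN_DIR="/etc/keystone/fernet-keys"
# Retry budget for the key-population wait: MAX_RETRIES * RETRY_INTERVAL seconds.
readonly RETRY_INTERVAL=5
readonly MAX_RETRIES=36

# Ensure tokens are populated, check for 0 (staging) key
n=0
while [ ! -f "${TOKEN_DIR}/0" ]; do
  if [ "$n" -lt "${MAX_RETRIES}" ]; then
    n=$(( n + 1 ))
    echo "ERROR: Fernet tokens have not been populated, rechecking in ${RETRY_INTERVAL} seconds"
    echo "DEBUG: ${TOKEN_DIR} contents:"
    # The directory may not exist yet (that is one of the states we wait on);
    # a failed listing must not trip errexit and abort the wait.  Only file
    # metadata is printed, never key material.
    ls -l "${TOKEN_DIR}" || true
    sleep "${RETRY_INTERVAL}"
  else
    # NOTE(review): the previous message claimed "10 minutes" while the loop
    # bound is 36 * 5 s = 180 s; report the bound actually waited.  Whether
    # the intended timeout is 3 or 10 minutes should be confirmed by the
    # maintainers and MAX_RETRIES adjusted accordingly.
    echo "CRITICAL: Waited for $(( MAX_RETRIES * RETRY_INTERVAL )) seconds - failing"
    exit 1
  fi
done

# Ensure tokens are not stale
# Get primary token (file with highest number).  Key files are named by
# integer, so walk the directory instead of parsing ls: non-key entries are
# skipped and no pipeline can trip pipefail.  The wait above guarantees "0"
# exists, so at least one candidate is always found.
TOKEN_PRIMARY=""
for key_path in "${TOKEN_DIR}"/*; do
  key_name="${key_path##*/}"
  [[ "${key_name}" =~ ^[0-9]+$ ]] || continue
  if [ -z "${TOKEN_PRIMARY}" ] || [ "${key_name}" -gt "${TOKEN_PRIMARY}" ]; then
    TOKEN_PRIMARY="${key_name}"
  fi
done
: "${TOKEN_PRIMARY:?no numeric key file found in ${TOKEN_DIR}}"

# Check its age in seconds, from the key file's mtime
TOKEN_AGE=$(( $(date +%s) - $(date +%s -r "${TOKEN_DIR}/${TOKEN_PRIMARY}") ))

# Refuse to start if the primary key is older than fernet_token_expiry
# (both sides are in seconds); rotation is not performed here.
if [ "${TOKEN_AGE}" -gt "{{ fernet_token_expiry }}" ]; then
  echo "ERROR: Primary token ${TOKEN_PRIMARY} is stale."
  exit 1
fi

# Hand off to the web server.  "$@" keeps each container argument intact;
# an unquoted $@ would re-split arguments containing whitespace.
exec /usr/sbin/{{ keystone_cmd }} "$@"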