Merge "keystone: fix the number of max active fernet keys"

2025-01-24 21:51:29 +00:00 · 2025-01-24 21:51:29 +00:00 · bb64b3a938
commit bb64b3a938
parent 910170504e 3114c8996a
2 changed files with 8 additions and 3 deletions
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@ -419,9 +419,10 @@ jobs:
    user: keystone
    group: keystone
  fernet_rotate:
-    # NOTE(rk760n): key rotation frequency, token expiration, active keys should statisfy the formula
-    # max_active_keys = (token_expiration / rotation_frequency) + 2
-    # as expiration is 12h, and max_active_keys set to 3 by default, rotation_frequency need to be adjusted
+    # NOTE(rk760n): key rotation frequency, token expiration, active keys, and allow_expired_window should statisfy the formula
+    # max_active_keys = ((token_expiration + allow_expired_window) / rotation_frequency) + 2
+    # As expiration is 12h, max_active_keys is 7 and allow_expired_window is 48h by default,
+    # rotation_frequency need to be adjusted
    # 12 hours
    cron: "0 */12 * * *"
    user: keystone
@ -540,6 +541,7 @@ conf:
      domain_config_dir: /etc/keystone/domains
    fernet_tokens:
      key_repository: /etc/keystone/fernet-keys/
+      max_active_keys: 7
    credential:
      key_repository: /etc/keystone/credential-keys/
    database:
--- a/releasenotes/notes/keystone-9bca09a40cc3dc68.yaml
+++ b/releasenotes/notes/keystone-9bca09a40cc3dc68.yaml
@ -0,0 +1,3 @@
+---
+fixes:
+  - Fix the number of max active fernet keys