From 3114c8996a6b139552ea2527471780afd3d550b1 Mon Sep 17 00:00:00 2001
From: okozachenko
Date: Tue, 12 Nov 2024 12:51:18 +1100
Subject: [PATCH] keystone: fix the number of max active fernet keys

As services are configured to use ServiceToken auth, the formula to calculate the max_active_keys is max_active_keys = ((token_expiration + allow_expired_window) / rotation_frequency) + 2

Change-Id: I4794e11fe307b16f3a1dca65ec2feb619661142f
---
 keystone/values.yaml | 8 +++++---
 releasenotes/notes/keystone-9bca09a40cc3dc68.yaml | 3 +++
 2 files changed, 8 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/keystone-9bca09a40cc3dc68.yaml

diff --git a/keystone/values.yaml b/keystone/values.yaml
index ab2e1ed0d1..27e767cfa2 100644
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@@ -419,9 +419,10 @@ jobs:
 user: keystone
 group: keystone
 fernet_rotate:
- # NOTE(rk760n): key rotation frequency, token expiration, active keys should statisfy the formula
- # max_active_keys = (token_expiration / rotation_frequency) + 2
- # as expiration is 12h, and max_active_keys set to 3 by default, rotation_frequency need to be adjusted
+ # NOTE(rk760n): key rotation frequency, token expiration, active keys, and allow_expired_window should statisfy the formula
+ # max_active_keys = ((token_expiration + allow_expired_window) / rotation_frequency) + 2
+ # As expiration is 12h, max_active_keys is 7 and allow_expired_window is 48h by default,
+ # rotation_frequency need to be adjusted
 # 12 hours
 cron: "0 */12 * * *"
 user: keystone
@@ -540,6 +541,7 @@ conf:
 domain_config_dir: /etc/keystone/domains
 fernet_tokens:
 key_repository: /etc/keystone/fernet-keys/
+ max_active_keys: 7
 credential:
 key_repository: /etc/keystone/credential-keys/
 database:
diff --git a/releasenotes/notes/keystone-9bca09a40cc3dc68.yaml b/releasenotes/notes/keystone-9bca09a40cc3dc68.yaml
new file mode 100644
index 0000000000..bb40e46229
--- /dev/null
+++ b/releasenotes/notes/keystone-9bca09a40cc3dc68.yaml
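Review bot: The new `max_active_keys: 7` under `fernet_tokens:` in the second hunk is only correct for the one combination the comment in the first hunk assumes (12h token expiration, 48h allow_expired_window, the 12h rotation cron), and none of those inputs is stated next to the value itself, so an operator who overrides the keystone `[token] expiration` / `[token] allow_expired_window` settings or `jobs.fernet_rotate.cron` without touching this key will either have keys pruned while tokens are still inside the allow-expired window (tokens rejected early) or keep more keys active than needed. A comment beside the value would keep the two places in sync, e.g. `# keep in sync with jobs.fernet_rotate: ((token.expiration + token.allow_expired_window) / rotation_frequency) + 2` (rounded up when the rotation interval does not divide evenly). The rewritten note in the first hunk also carries over the typo `statisfy` and says "expiration" without naming the option; `satisfy` and `[token] expiration` / `[token] allow_expired_window` would make it unambiguous. Whether `fernet_tokens:` sits under `conf.keystone` cannot be confirmed from the hunk, since the key between `conf:` and `fernet_tokens:` is outside it.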
@@ -0,0 +1,3 @@
+---
+fixes:
+ - Fix the number of max active fernet keys