Merge "keystone: fix the number of max active fernet keys"

keystone/values.yaml

@@ -419,9 +419,10 @@ jobs:
     user: keystone
     group: keystone
   fernet_rotate:
-    # NOTE(rk760n): key rotation frequency, token expiration, active keys should statisfy the formula
+    # NOTE(rk760n): key rotation frequency, token expiration, active keys, and allow_expired_window should statisfy the formula
-    # max_active_keys = (token_expiration / rotation_frequency) + 2
+    # max_active_keys = ((token_expiration + allow_expired_window) / rotation_frequency) + 2
-    # as expiration is 12h, and max_active_keys set to 3 by default, rotation_frequency need to be adjusted
+    # As expiration is 12h, max_active_keys is 7 and allow_expired_window is 48h by default,
+    # rotation_frequency need to be adjusted
     # 12 hours
     cron: "0 */12 * * *"
     user: keystone
@@ -540,6 +541,7 @@ conf:
       domain_config_dir: /etc/keystone/domains
     fernet_tokens:
       key_repository: /etc/keystone/fernet-keys/
+      max_active_keys: 7
     credential:
       key_repository: /etc/keystone/credential-keys/
     database:

releasenotes/notes/keystone-9bca09a40cc3dc68.yaml

@@ -0,0 +1,3 @@
+---
+fixes:
+  - Fix the number of max active fernet keys