kolla-ansible/ansible/roles/keystone/templates/keystone-startup.sh.j2
Mark Goddard ba8c27f554 Fix keystone-startup.sh - remove Fernet key age check
Currently we check the age of the primary Fernet key on Keystone
startup, and fail if it is older than the rotation interval. While this
may seem sensible, there are various reasons why the key may be older
than this:

* if the rotation interval is not a factor of the number of seconds in a
  week, the rotation schedule will be lumpy, with the last rotation
  being up to twice the nominal rotation interval
* if a keystone host is unavailable at its scheduled rotation time,
  rotation will not happen. This may happen multiple times

We could do several things to avoid this issue:

1. remove the check on the age of the key
2. multiply the rotation interval by some factor to determine the
   allowed key age

This change goes for the more simple option 1. It also cleans up some
terminology in the keystone-startup.sh script.

Closes-Bug: #1895723

Change-Id: I2c35f59ae9449cb1646e402e0a9f28ad61f918a8
2020-10-22 09:20:02 +01:00

25 lines
653 B
Django/Jinja

#!/bin/bash -x
{% set keystone_cmd = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
set -o errexit
set -o pipefail
FERNET_KEY_DIR="/etc/keystone/fernet-keys"
# Ensure Fernet keys are populated, check for 0 (staging) key
n=0
while [ ! -f "${FERNET_KEY_DIR}/0" ]; do
if [ $n -lt 36 ]; then
n=$(( n + 1 ))
echo "ERROR: Fernet keys have not been populated, rechecking in 5 seconds"
echo "DEBUG: ${FERNET_KEY_DIR} contents:"
ls -l ${FERNET_KEY_DIR}
sleep 5
else
echo "CRITICAL: Waited for 3 minutes - failing"
exit 1
fi
done
exec /usr/sbin/{{ keystone_cmd }} $@