[ATMOSPHERE-584] Fix the number of max active fernet keys in Keystone (#2109)

https://review.opendev.org/c/openstack/openstack-helm/+/934703/
diff --git a/.charts.yml b/.charts.yml
index 3cc5376..a1da60f 100644
--- a/.charts.yml
+++ b/.charts.yml
@@ -98,13 +98,14 @@
     repository:
       url: https://charts.bitnami.com/bitnami
   - name: keystone
-    version: 0.3.15
+    version: 0.3.17
     repository: *openstack_helm_repository
     dependencies: *openstack_helm_dependencies
     patches:
       gerrit:
         review.opendev.org:
           - 899867
+          - 934703
   - name: kube-prometheus-stack
     version: 60.2.0
     repository:
diff --git a/charts/keystone/Chart.yaml b/charts/keystone/Chart.yaml
index 9205b40..ff28494 100644
--- a/charts/keystone/Chart.yaml
+++ b/charts/keystone/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/keystone
 - https://opendev.org/openstack/openstack-helm
-version: 0.3.15
+version: 0.3.17
diff --git a/charts/keystone/templates/bin/_cred-clean.py.tpl b/charts/keystone/templates/bin/_cred-clean.py.tpl
index d95ed27..a7cbe6b 100644
--- a/charts/keystone/templates/bin/_cred-clean.py.tpl
+++ b/charts/keystone/templates/bin/_cred-clean.py.tpl
@@ -30,6 +30,7 @@
     PARSER_OPTS = {"strict": False}
 import logging
 from sqlalchemy import create_engine
+from sqlalchemy import text
 
 # Create logger, console handler and formatter
 logger = logging.getLogger('OpenStack-Helm DB Drop')
@@ -127,7 +128,7 @@
 # Delete all entries from credential table
 
 try:
-    cmd = "DELETE FROM credential"
+    cmd = text("DELETE FROM credential")
     with user_engine.connect() as connection:
         connection.execute(cmd)
         try:
diff --git a/charts/keystone/templates/bin/_endpoint-update.py.tpl b/charts/keystone/templates/bin/_endpoint-update.py.tpl
index 1433af2..a3e64e9 100644
--- a/charts/keystone/templates/bin/_endpoint-update.py.tpl
+++ b/charts/keystone/templates/bin/_endpoint-update.py.tpl
@@ -4,6 +4,7 @@
 import sys
 
 from sqlalchemy import create_engine
+from sqlalchemy import text
 
 try:
     import ConfigParser
@@ -69,12 +70,12 @@
 try:
     endpoint_url = os.environ['OS_BOOTSTRAP_INTERNAL_URL']
     region_id = os.environ['OS_REGION_NAME']
-    cmd = ("update endpoint set url = %s where interface ='internal' and "
-           "service_id = (select id from service where "
-           "service.type = 'identity') and "
-           "region_id = %s")
+    cmd = text("update endpoint set url = :endpoint_url where interface ='internal' and "
+               "service_id = (select id from service where "
+               "service.type = 'identity') and "
+               "region_id = :region_id")
     with user_engine.connect() as connection:
-        connection.execute(cmd, (endpoint_url,region_id))
+        connection.execute(cmd, {"endpoint_url": endpoint_url, "region_id": region_id})
         try:
             connection.commit()
         except AttributeError:
@@ -87,12 +88,12 @@
 try:
     endpoint_url = os.environ['OS_BOOTSTRAP_ADMIN_URL']
     region_id = os.environ['OS_REGION_NAME']
-    cmd = ("update endpoint set url = %s where interface ='admin' "
-           "and service_id = (select id from service where "
-           "service.type = 'identity') "
-           "and region_id = %s")
+    cmd = text("update endpoint set url = :endpoint_url where interface ='admin' "
+               "and service_id = (select id from service where "
+               "service.type = 'identity') "
+               "and region_id = :region_id")
     with user_engine.connect() as connection:
-        connection.execute(cmd, (endpoint_url,region_id))
+        connection.execute(cmd, {"endpoint_url": endpoint_url, "region_id": region_id})
         try:
             connection.commit()
         except AttributeError:
@@ -105,12 +106,12 @@
 try:
     endpoint_url = os.environ['OS_BOOTSTRAP_PUBLIC_URL']
     region_id = os.environ['OS_REGION_NAME']
-    cmd = ("update endpoint set url = %s where interface ='public' "
-           "and service_id = (select id from service where "
-           "service.type = 'identity') "
-           "and region_id = %s")
+    cmd = text("update endpoint set url = :endpoint_url where interface ='public' "
+               "and service_id = (select id from service where "
+               "service.type = 'identity') "
+               "and region_id = :region_id")
     with user_engine.connect() as connection:
-        connection.execute(cmd, (endpoint_url,region_id))
+        connection.execute(cmd, {"endpoint_url": endpoint_url, "region_id": region_id})
         try:
             connection.commit()
         except AttributeError:
@@ -123,8 +124,8 @@
 try:
     with user_engine.connect() as connection:
         endpoints = connection.execute(
-            ("select interface, url from endpoint where service_id = "
-            "(select id from service where service.type = 'identity')")
+            text("select interface, url from endpoint where service_id = "
+                 "(select id from service where service.type = 'identity')")
         ).fetchall()
     for row in endpoints:
         logger.info("endpoint ({0}): {1}".format(row[0], row[1]))
diff --git a/charts/keystone/values.yaml b/charts/keystone/values.yaml
index ab2e1ed..27e767c 100644
--- a/charts/keystone/values.yaml
+++ b/charts/keystone/values.yaml
@@ -419,9 +419,10 @@
     user: keystone
     group: keystone
   fernet_rotate:
-    # NOTE(rk760n): key rotation frequency, token expiration, active keys should statisfy the formula
-    # max_active_keys = (token_expiration / rotation_frequency) + 2
-    # as expiration is 12h, and max_active_keys set to 3 by default, rotation_frequency need to be adjusted
+    # NOTE(rk760n): key rotation frequency, token expiration, active keys, and allow_expired_window should statisfy the formula
+    # max_active_keys = ((token_expiration + allow_expired_window) / rotation_frequency) + 2
+    # As expiration is 12h, max_active_keys is 7 and allow_expired_window is 48h by default,
+    # rotation_frequency need to be adjusted
     # 12 hours
     cron: "0 */12 * * *"
     user: keystone
@@ -540,6 +541,7 @@
       domain_config_dir: /etc/keystone/domains
     fernet_tokens:
       key_repository: /etc/keystone/fernet-keys/
+      max_active_keys: 7
     credential:
       key_repository: /etc/keystone/credential-keys/
     database: