[ATMOSPHERE-584] Fix the number of max active fernet keys in Keystone (#2109)
https://review.opendev.org/c/openstack/openstack-helm/+/934703/
diff --git a/.charts.yml b/.charts.yml
index 3cc5376..a1da60f 100644
--- a/.charts.yml
+++ b/.charts.yml
@@ -98,13 +98,14 @@
repository:
url: https://charts.bitnami.com/bitnami
- name: keystone
- version: 0.3.15
+ version: 0.3.17
repository: *openstack_helm_repository
dependencies: *openstack_helm_dependencies
patches:
gerrit:
review.opendev.org:
- 899867
+ - 934703
- name: kube-prometheus-stack
version: 60.2.0
repository:
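Review bot: The gerrit patch list swaps 899867 for 934703 rather than appending, so whatever 899867 carried is no longer applied on top of keystone 0.3.17 unless it has since merged upstream; that is not stated in the change. A one-line comment next to the new entry would make the supply-chain reasoning auditable, e.g. `# 899867 merged upstream in 0.3.17; 934703 raises fernet max_active_keys`, adjusted to whatever is actually true. If 899867 is not contained in 0.3.17, it needs to stay in the list.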
diff --git a/charts/keystone/Chart.yaml b/charts/keystone/Chart.yaml
index 9205b40..ff28494 100644
--- a/charts/keystone/Chart.yaml
+++ b/charts/keystone/Chart.yaml
@@ -9,4 +9,4 @@
sources:
- https://opendev.org/openstack/keystone
- https://opendev.org/openstack/openstack-helm
-version: 0.3.15
+version: 0.3.17
diff --git a/charts/keystone/templates/bin/_cred-clean.py.tpl b/charts/keystone/templates/bin/_cred-clean.py.tpl
index d95ed27..a7cbe6b 100644
--- a/charts/keystone/templates/bin/_cred-clean.py.tpl
+++ b/charts/keystone/templates/bin/_cred-clean.py.tpl
@@ -30,6 +30,7 @@
PARSER_OPTS = {"strict": False}
import logging
from sqlalchemy import create_engine
+from sqlalchemy import text
# Create logger, console handler and formatter
logger = logging.getLogger('OpenStack-Helm DB Drop')
@@ -127,7 +128,7 @@
# Delete all entries from credential table
try:
- cmd = "DELETE FROM credential"
+ cmd = text("DELETE FROM credential")
with user_engine.connect() as connection:
connection.execute(cmd)
try:
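Review bot: The `DELETE FROM credential` now runs through `text()`, but nothing inside the hunk commits the transaction; under SQLAlchemy 2.x a statement issued on a bare `engine.connect()` is rolled back when the `with` block exits, so the table would silently stay populated. The `try:` on the last line of the hunk is presumably the `connection.commit()` / `except AttributeError:` fallback used in `_endpoint-update.py.tpl` — confirm that it is, since the enclosing function continues past the hunk and the rest is not visible here. A brief comment such as `# commit explicitly: SQLAlchemy 2.x no longer autocommits DML on a plain connection` above the `with` would document why the fallback pattern exists.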
diff --git a/charts/keystone/templates/bin/_endpoint-update.py.tpl b/charts/keystone/templates/bin/_endpoint-update.py.tpl
index 1433af2..a3e64e9 100644
--- a/charts/keystone/templates/bin/_endpoint-update.py.tpl
+++ b/charts/keystone/templates/bin/_endpoint-update.py.tpl
@@ -4,6 +4,7 @@
import sys
from sqlalchemy import create_engine
+from sqlalchemy import text
try:
import ConfigParser
@@ -69,12 +70,12 @@
try:
endpoint_url = os.environ['OS_BOOTSTRAP_INTERNAL_URL']
region_id = os.environ['OS_REGION_NAME']
- cmd = ("update endpoint set url = %s where interface ='internal' and "
- "service_id = (select id from service where "
- "service.type = 'identity') and "
- "region_id = %s")
+ cmd = text("update endpoint set url = :endpoint_url where interface ='internal' and "
+ "service_id = (select id from service where "
+ "service.type = 'identity') and "
+ "region_id = :region_id")
with user_engine.connect() as connection:
- connection.execute(cmd, (endpoint_url,region_id))
+ connection.execute(cmd, {"endpoint_url": endpoint_url, "region_id": region_id})
try:
connection.commit()
except AttributeError:
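Review bot: The same UPDATE statement is now spelled out three times (this hunk and the two that follow), differing only in the `interface` literal and the environment variable the URL is read from; since the statement is already parameterised, the interface can be a bound parameter too and the three copies collapse into one helper. The rewrite below keeps the module-level `user_engine` and the existing commit/`AttributeError` fallback, which lies just outside the hunk; the enclosing `try:` blocks start and end outside the hunk as well, so the callers would become `_update_endpoint('internal', 'OS_BOOTSTRAP_INTERNAL_URL')` and so on. Binding the URL and region as parameters rather than interpolating them is the right call, as both come from the environment.
```python
_ENDPOINT_UPDATE = text(
    "update endpoint set url = :endpoint_url where interface = :interface and "
    "service_id = (select id from service where service.type = 'identity') and "
    "region_id = :region_id")


def _update_endpoint(interface, url_var):
    """Point the identity endpoint of the given interface at the URL in url_var."""
    endpoint_url = os.environ[url_var]
    region_id = os.environ['OS_REGION_NAME']
    with user_engine.connect() as connection:
        connection.execute(_ENDPOINT_UPDATE, {"interface": interface,
                                              "endpoint_url": endpoint_url,
                                              "region_id": region_id})
        # … unchanged: connection.commit() / except AttributeError fallback …
```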
@@ -87,12 +88,12 @@
try:
endpoint_url = os.environ['OS_BOOTSTRAP_ADMIN_URL']
region_id = os.environ['OS_REGION_NAME']
- cmd = ("update endpoint set url = %s where interface ='admin' "
- "and service_id = (select id from service where "
- "service.type = 'identity') "
- "and region_id = %s")
+ cmd = text("update endpoint set url = :endpoint_url where interface ='admin' "
+ "and service_id = (select id from service where "
+ "service.type = 'identity') "
+ "and region_id = :region_id")
with user_engine.connect() as connection:
- connection.execute(cmd, (endpoint_url,region_id))
+ connection.execute(cmd, {"endpoint_url": endpoint_url, "region_id": region_id})
try:
connection.commit()
except AttributeError:
@@ -105,12 +106,12 @@
try:
endpoint_url = os.environ['OS_BOOTSTRAP_PUBLIC_URL']
region_id = os.environ['OS_REGION_NAME']
- cmd = ("update endpoint set url = %s where interface ='public' "
- "and service_id = (select id from service where "
- "service.type = 'identity') "
- "and region_id = %s")
+ cmd = text("update endpoint set url = :endpoint_url where interface ='public' "
+ "and service_id = (select id from service where "
+ "service.type = 'identity') "
+ "and region_id = :region_id")
with user_engine.connect() as connection:
- connection.execute(cmd, (endpoint_url,region_id))
+ connection.execute(cmd, {"endpoint_url": endpoint_url, "region_id": region_id})
try:
connection.commit()
except AttributeError:
@@ -123,8 +124,8 @@
try:
with user_engine.connect() as connection:
endpoints = connection.execute(
- ("select interface, url from endpoint where service_id = "
- "(select id from service where service.type = 'identity')")
+ text("select interface, url from endpoint where service_id = "
+ "(select id from service where service.type = 'identity')")
).fetchall()
for row in endpoints:
logger.info("endpoint ({0}): {1}".format(row[0], row[1]))
diff --git a/charts/keystone/values.yaml b/charts/keystone/values.yaml
index ab2e1ed..27e767c 100644
--- a/charts/keystone/values.yaml
+++ b/charts/keystone/values.yaml
@@ -419,9 +419,10 @@
user: keystone
group: keystone
fernet_rotate:
- # NOTE(rk760n): key rotation frequency, token expiration, active keys should statisfy the formula
- # max_active_keys = (token_expiration / rotation_frequency) + 2
- # as expiration is 12h, and max_active_keys set to 3 by default, rotation_frequency need to be adjusted
+ # NOTE(rk760n): key rotation frequency, token expiration, active keys, and allow_expired_window should statisfy the formula
+ # max_active_keys = ((token_expiration + allow_expired_window) / rotation_frequency) + 2
+ # As expiration is 12h, max_active_keys is 7 and allow_expired_window is 48h by default,
+ # rotation_frequency need to be adjusted
# 12 hours
cron: "0 */12 * * *"
user: keystone
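Review bot: The rewritten NOTE still ends with "rotation_frequency need to be adjusted", but with the 12h cron directly below, a 12h token expiration and the 48h allow_expired_window default the new formula gives (12 + 48) / 12 + 2 = 7 exactly, which is the value the commit sets — no adjustment is needed, and the sentence now reads as a stale instruction. The typo "statisfy" is also carried over onto the new line. Suggested wording for the last two comment lines: `# With the 12h cron below, a 12h token expiration and the default 48h allow_expired_window this yields 7;` followed by `# raise max_active_keys before lengthening the rotation interval, otherwise tokens inside allow_expired_window fail validation once their key is rotated out.`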
@@ -540,6 +541,7 @@
domain_config_dir: /etc/keystone/domains
fernet_tokens:
key_repository: /etc/keystone/fernet-keys/
+ max_active_keys: 7
credential:
key_repository: /etc/keystone/credential-keys/
database:
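Review bot: `max_active_keys: 7` is only correct in combination with the 12h rotation cron and the token-expiration / allow_expired_window values commented on under `fernet_rotate` some 120 lines earlier, and nothing at this site says so; an operator overriding one without the other either breaks validation of recently expired tokens (too few keys) or keeps retired keys decryptable for longer than intended (too many). A short comment would tie the two together: `# Must be >= (token_expiration + allow_expired_window) / rotation_frequency + 2; see jobs.fernet_rotate.cron`. It also presumably matters that the fernet_rotate job runs `keystone-manage` against this same keystone.conf so it sees the same value — the job definition is not in the diff, so that is worth confirming.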