[ATMOSPHERE-586] support SQLAlchemy 2.0 and fix the number of max active fernet keys in Keystone (#2122)
Depends-On: #2134
diff --git a/charts/keystone/values.yaml b/charts/keystone/values.yaml
index 2b5caaf..27e767c 100644
--- a/charts/keystone/values.yaml
+++ b/charts/keystone/values.yaml
@@ -35,21 +35,21 @@
images:
tags:
- bootstrap: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ bootstrap: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
test: docker.io/xrally/xrally-openstack:2.0.0
- db_init: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
- keystone_db_sync: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
- db_drop: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
- ks_user: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
- rabbit_init: docker.io/rabbitmq:3.7-management
- keystone_fernet_setup: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
- keystone_fernet_rotate: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
- keystone_credential_setup: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
- keystone_credential_rotate: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
- keystone_credential_cleanup: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
- keystone_api: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
- keystone_domain_manage: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
- dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ db_init: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
+ keystone_db_sync: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
+ db_drop: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
+ ks_user: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
+ rabbit_init: docker.io/rabbitmq:3.13-management
+ keystone_fernet_setup: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
+ keystone_fernet_rotate: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
+ keystone_credential_setup: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
+ keystone_credential_rotate: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
+ keystone_credential_cleanup: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
+ keystone_api: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
+ keystone_domain_manage: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal
image_repo_sync: docker.io/docker:17.07.0
pull_policy: "IfNotPresent"
local_registry:
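Review bot: `dep_check` moves from the pinned `v1.0.0` to the floating tag `latest-ubuntu_focal`, so the dependency-check image that runs is whatever that tag points at when a node first pulls it. With `pull_policy: "IfNotPresent"` two lines below, nodes can end up holding different builds under the same tag, and a republished tag is picked up with no change to this chart to review. Pin it to a release tag or, preferably, a digest, e.g. `dep_check: quay.io/airshipit/kubernetes-entrypoint@sha256:<digest>`. The `2024.1-ubuntu_jammy` and `3.13-management` tags in this hunk are also mutable, so digest pinning would help there too if reproducible deployments matter.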
@@ -419,9 +419,10 @@
user: keystone
group: keystone
fernet_rotate:
- # NOTE(rk760n): key rotation frequency, token expiration, active keys should statisfy the formula
- # max_active_keys = (token_expiration / rotation_frequency) + 2
- # as expiration is 12h, and max_active_keys set to 3 by default, rotation_frequency need to be adjusted
+ # NOTE(rk760n): key rotation frequency, token expiration, active keys, and allow_expired_window should statisfy the formula
+ # max_active_keys = ((token_expiration + allow_expired_window) / rotation_frequency) + 2
+ # As expiration is 12h, max_active_keys is 7 and allow_expired_window is 48h by default,
+ # rotation_frequency need to be adjusted
# 12 hours
cron: "0 */12 * * *"
user: keystone
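Review bot: The closing words of the rewritten NOTE, "rotation_frequency need to be adjusted", are carried over from the old text and now suggest that the defaults are inconsistent, when the numbers in the comment do satisfy the formula with the 12-hour cron below: (12h + 48h) / 12h + 2 = 7. I would end the comment with `# Defaults: (12h + 48h) / 12h + 2 = 7, matching max_active_keys under fernet_tokens.` and `# Recompute max_active_keys whenever the cron, token expiration or allow_expired_window changes.`, and fix the spelling of `statisfy`. The reason is worth stating: if the count is too low, a key can be rotated out while tokens encrypted with it are still inside their validity window. The same one-line pointer would help next to `max_active_keys: 7` in the third hunk, since an operator overriding that value will not see a comment about 120 lines earlier. The token expiration and `allow_expired_window` settings themselves are not visible in this diff, so confirm that the 12h and 48h figures are what the chart actually deploys.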
@@ -540,6 +541,7 @@
domain_config_dir: /etc/keystone/domains
fernet_tokens:
key_repository: /etc/keystone/fernet-keys/
+ max_active_keys: 7
credential:
key_repository: /etc/keystone/credential-keys/
database: