# File 'modules/profile/manifests/openstack/base/keystone/fernet_keys.pp', line 1
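# @summary Rotates Keystone fernet keys on this node and mirrors the key repository from peers.
#
# Declares four things: a timer running `keystone-manage fernet_rotate`, the key directory,
# a read-only rsync module exporting that directory, and one pull job per other controller.
#
# The fernet key repository holds the secret key material for Keystone fernet tokens, so every
# resource below that touches /etc/keystone/fernet-keys is security-relevant.
#
# @param keystone_hosts
#   FQDNs passed to the rsync module as hosts_allow. Every entry except this node's own FQDN
#   also gets a pull job on this node.
# @param rotate_time
#   Time-of-day part of the OnCalendar expression for the rotation timer.
# @param sync_time
#   Time-of-day part of the OnCalendar expression; shared by all pull jobs on this node.
class profile::openstack::base::keystone::fernet_keys(
    Array[Stdlib::Fqdn] $keystone_hosts = lookup('profile::openstack::base::openstack_controllers'),
    String              $rotate_time    = lookup('profile::openstack::base::rotate_time'),
    String              $sync_time      = lookup('profile::openstack::base::sync_time'),
) {
    # Runs as root; keystone-manage is told to use keystone:keystone for the key files.
    # NOTE(review): this job is declared on every node that includes the class. Whether
    # rotate_time differs per node is not visible here -- confirm that rotations on different
    # controllers cannot race with the pull jobs below.
    systemd::timer::job { 'keystone_rotate_keys':
        description               => 'Rotate keys for Keystone fernet tokens',
        command                   => '/usr/bin/keystone-manage fernet_rotate --keystone-user keystone --keystone-group keystone',
        interval                  => {
            'start'    => 'OnCalendar',
            'interval' => "*-*-* ${rotate_time}",
        },
        logging_enabled           => true,
        user                      => 'root',
        monitoring_contact_groups => 'wmcs-team',
    }

    # NOTE(review): 0770 gives the keystone group write access. Every consumer declared in this
    # class runs as root or keystone, so 0700 may be enough -- confirm nothing else relies on
    # group access before tightening.
    file { '/etc/keystone/fernet-keys':
        ensure => directory,
        owner  => 'keystone',
        group  => 'keystone',
        mode   => '0770',
    }

    # Exports the key directory read-only to the hosts in $keystone_hosts.
    # NOTE(review): the clients below use a plain rsync:// URL, and no auth_users or
    # secrets-file setting is passed here, so access control appears to rest on hosts_allow
    # (plus whatever auto_ferm configures in the firewall). rsync:// is not encrypted by rsync
    # itself; confirm the controllers share a trusted network or wrap the transport.
    rsync::server::module { 'keystonefernetkeys':
        path        => '/etc/keystone/fernet-keys',
        uid         => 'keystone',
        gid         => 'keystone',
        hosts_allow => $keystone_hosts,
        auto_ferm   => true,
        read_only   => true,
    }

    # All controllers except this node.
    $other_hosts = $keystone_hosts - $::fqdn

    $other_hosts.each |String $thishost| {
        # The rsync source is the remote module and the destination is the local directory,
        # so this job pulls keys FROM $thishost. The description says so; the resource title
        # keeps its historical "_to_" so the existing timer unit is not renamed.
        #
        # NOTE(review): every pull job on this node fires at the same $sync_time and uses
        # --delete, so the local key set ends up matching whichever peer was mirrored last.
        # monitoring_enabled is false, so a failed pull is only visible in the job's log.
        systemd::timer::job { "keystone_sync_keys_to_${thishost}":
            description               => "Sync keys for Keystone fernet tokens from ${thishost}",
            command                   => "/usr/bin/rsync -a --delete rsync://${thishost}/keystonefernetkeys/ /etc/keystone/fernet-keys/",
            interval                  => {
                'start'    => 'OnCalendar',
                'interval' => "*-*-* ${sync_time}",
            },
            logging_enabled           => true,
            monitoring_enabled        => false,
            monitoring_contact_groups => 'wmcs-team',
            user                      => 'keystone',
        }
    }
}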