[ATMOSPHERE-584] Fix the number of max active fernet keys in Keystone (…

…#2109)

https://review.opendev.org/c/openstack/openstack-helm/+/934703/

.charts.yml

@@ -98,13 +98,14 @@ charts:
     repository:
       url: https://charts.bitnami.com/bitnami
   - name: keystone
-    version: 0.3.15
+    version: 0.3.17
     repository: *openstack_helm_repository
     dependencies: *openstack_helm_dependencies
     patches:
       gerrit:
         review.opendev.org:
           - 899867
+          - 934703
   - name: kube-prometheus-stack
     version: 60.2.0
     repository:

charts/keystone/Chart.yaml

@@ -9,4 +9,4 @@ name: keystone
 sources:
 - https://opendev.org/openstack/keystone
 - https://opendev.org/openstack/openstack-helm
-version: 0.3.15
+version: 0.3.17

charts/keystone/templates/bin/_cred-clean.py.tpl

@@ -30,6 +30,7 @@ except ImportError:
     PARSER_OPTS = {"strict": False}
 import logging
 from sqlalchemy import create_engine
+from sqlalchemy import text
 
 # Create logger, console handler and formatter
 logger = logging.getLogger('OpenStack-Helm DB Drop')
@@ -127,7 +128,7 @@ except:
 # Delete all entries from credential table
 
 try:
-    cmd = "DELETE FROM credential"
+    cmd = text("DELETE FROM credential")
     with user_engine.connect() as connection:
         connection.execute(cmd)
         try:

charts/keystone/templates/bin/_endpoint-update.py.tpl

@@ -4,6 +4,7 @@ import logging
 import sys
 
 from sqlalchemy import create_engine
+from sqlalchemy import text
 
 try:
     import ConfigParser
@@ -69,12 +70,12 @@ except:
 try:
     endpoint_url = os.environ['OS_BOOTSTRAP_INTERNAL_URL']
     region_id = os.environ['OS_REGION_NAME']
-    cmd = ("update endpoint set url = %s where interface ='internal' and "
-           "service_id = (select id from service where "
-           "service.type = 'identity') and "
-           "region_id = %s")
+    cmd = text("update endpoint set url = :endpoint_url where interface ='internal' and "
+               "service_id = (select id from service where "
+               "service.type = 'identity') and "
+               "region_id = :region_id")
     with user_engine.connect() as connection:
-        connection.execute(cmd, (endpoint_url,region_id))
+        connection.execute(cmd, {"endpoint_url": endpoint_url, "region_id": region_id})
         try:
             connection.commit()
         except AttributeError:
@@ -87,12 +88,12 @@ except:
 try:
     endpoint_url = os.environ['OS_BOOTSTRAP_ADMIN_URL']
     region_id = os.environ['OS_REGION_NAME']
-    cmd = ("update endpoint set url = %s where interface ='admin' "
-           "and service_id = (select id from service where "
-           "service.type = 'identity') "
-           "and region_id = %s")
+    cmd = text("update endpoint set url = :endpoint_url where interface ='admin' "
+               "and service_id = (select id from service where "
+               "service.type = 'identity') "
+               "and region_id = :region_id")
     with user_engine.connect() as connection:
-        connection.execute(cmd, (endpoint_url,region_id))
+        connection.execute(cmd, {"endpoint_url": endpoint_url, "region_id": region_id})
         try:
             connection.commit()
         except AttributeError:
@@ -105,12 +106,12 @@ except:
 try:
     endpoint_url = os.environ['OS_BOOTSTRAP_PUBLIC_URL']
     region_id = os.environ['OS_REGION_NAME']
-    cmd = ("update endpoint set url = %s where interface ='public' "
-           "and service_id = (select id from service where "
-           "service.type = 'identity') "
-           "and region_id = %s")
+    cmd = text("update endpoint set url = :endpoint_url where interface ='public' "
+               "and service_id = (select id from service where "
+               "service.type = 'identity') "
+               "and region_id = :region_id")
     with user_engine.connect() as connection:
-        connection.execute(cmd, (endpoint_url,region_id))
+        connection.execute(cmd, {"endpoint_url": endpoint_url, "region_id": region_id})
         try:
             connection.commit()
         except AttributeError:
@@ -123,8 +124,8 @@ except:
 try:
     with user_engine.connect() as connection:
         endpoints = connection.execute(
-            ("select interface, url from endpoint where service_id = "
-            "(select id from service where service.type = 'identity')")
+            text("select interface, url from endpoint where service_id = "
+                 "(select id from service where service.type = 'identity')")
         ).fetchall()
     for row in endpoints:
         logger.info("endpoint ({0}): {1}".format(row[0], row[1]))

charts/keystone/values.yaml

@@ -419,9 +419,10 @@ jobs:
     user: keystone
     group: keystone
   fernet_rotate:
-    # NOTE(rk760n): key rotation frequency, token expiration, active keys should statisfy the formula
-    # max_active_keys = (token_expiration / rotation_frequency) + 2
-    # as expiration is 12h, and max_active_keys set to 3 by default, rotation_frequency need to be adjusted
+    # NOTE(rk760n): key rotation frequency, token expiration, active keys, and allow_expired_window should statisfy the formula
+    # max_active_keys = ((token_expiration + allow_expired_window) / rotation_frequency) + 2
+    # As expiration is 12h, max_active_keys is 7 and allow_expired_window is 48h by default,
+    # rotation_frequency need to be adjusted
     # 12 hours
     cron: "0 */12 * * *"
     user: keystone
@@ -540,6 +541,7 @@ conf:
       domain_config_dir: /etc/keystone/domains
     fernet_tokens:
       key_repository: /etc/keystone/fernet-keys/
+      max_active_keys: 7
     credential:
       key_repository: /etc/keystone/credential-keys/
     database: