Do the keys all need to be changed at once in a cluster? If so, that makes it difficult for Puppet, at least with how we do Puppet deployments.
Also, David can you share your ansible script for this?

On Fri, Mar 27, 2015 at 9:48 AM, David Stanek <dsta...@dstanek.com> wrote:

> On Fri, Mar 27, 2015 at 10:14 AM, Boris Bobrov <bbob...@mirantis.com> wrote:
>
>> As you know, keystone introduced non-persistent tokens in kilo -- Fernet
>> tokens. These tokens use Fernet keys, that are rotated from time to time. A
>> great description of key rotation and replication can be found on [0] and [1]
>> (thanks, lbragstad). In HA setup there are multiple nodes with Keystone and
>> that requires key replication. How do we do that with new Fernet tokens?
>>
>> Please keep in mind that the solution should be HA -- there should not be any
>> "master" server, pushing keys to slave servers, because master server might go
>> down.
>
> In my test environment I was using ansible to sync the keys across
> multiple nodes. Keystone should probably provide some guidance around this
> process, but I don't think it should deal with the actual syncing. I think
> that's better left to an installation's existing configuration management
> tools.
>
> --
> David
> blog: http://www.traceback.org
> twitter: http://twitter.com/dstanek
> www: http://dstanek.com
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev