On Tue, Mar 7, 2017 at 2:09 AM, Matt Fischer wrote:
> I don't think it would cause an issue if every controller rotated all at
> once. The issues are more along the lines of rotating to key C when there
> are tokens out there that are encrypted with keys A and B. In other words
> over-rotation. A
On Mon, Mar 6, 2017 at 6:05 PM, Paul Bourke wrote:
> Two initial ideas:
>
> We could create a specific ansible task to rotate the keys, and document
> that the operator should set up a cron job on the deployment node to run this
> periodically.
>
> We could also look at making use of VRRP (keepalived
I don't think it would cause an issue if every controller rotated all at
once. The issues are more along the lines of rotating to key C when there
are tokens out there that are encrypted with keys A and B. In other words
over-rotation. As long as your keys are properly staged, do the rotation
all a
Two initial ideas:
We could create a specific ansible task to rotate the keys, and document
that the operator should set up a cron job on the deployment node to run
this periodically.
We could also look at making use of VRRP (keepalived). Potentially the
cron job could run on every controller, b
fix subject typo
On Mon, Mar 6, 2017 at 12:28 PM, Jeffrey Zhang wrote:
> Kolla has support for keystone fernet keys. But there are still some
> topics worth talking about.
>
> The key issue is key distribution. Kolla's solution is like
>
> * there is a task run frequently by cronjob to check whether
>