Keystone fernet key rotation

    • Epic
    • Major
    • Resolution: Unresolved
    • To Do
    • rhos-18.0.5
    • internal
    • OSPRH-4833 - Keystone Improvement
    • Committed
    • 0% To Do, 18% In Progress, 82% Done
    • 2024Q1

      Jira Description

      As a PCP user I want to set up a periodic job to rotate fernet keys so that my keys are securely rotated and distributed across keystone instances.


      Summary

      Keystone fernet keys should be periodically rotated using keystone-manage, following the recommended procedure in https://docs.openstack.org/keystone/queens/admin/identity-fernet-token-faq.html#what-is-the-recommended-way-to-rotate-and-distribute-keys

      OpenShift uses periodic jobs rather than cron to achieve the same goal. We should use the keystone container to run keystone-manage, updating the volume that contains the fernet keys.
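      The staged/primary/secondary scheme that `keystone-manage fernet_rotate` applies to the key repository, modelled here in stdlib Python as an added illustration (this is not keystone's or keystone-operator's own code). It assumes the repository is a plain directory whose key files are named by integer index, with 0 the staged key and the highest index the primary; `demo_rotation` and the other function names are this example's own.

```python
import base64
import os
import tempfile

MAX_ACTIVE_KEYS = 3  # keystone default: one primary, one secondary, one staged

def _new_key() -> bytes:
    # A fernet key is 32 random bytes, urlsafe-base64 encoded.
    return base64.urlsafe_b64encode(os.urandom(32))

def _write_key(repo: str, index: int, key: bytes) -> None:
    path = os.path.join(repo, str(index))
    with open(path, "wb") as fh:
        fh.write(key)
    os.chmod(path, 0o600)  # key files must not be world-readable

def list_keys(repo: str) -> list:
    """Key indices present in the repository, ascending (0 = staged, max = primary)."""
    return sorted(int(name) for name in os.listdir(repo) if name.isdigit())

def init_repository(repo: str) -> None:
    """Create the initial staged (0) and primary (1) keys, like fernet_setup."""
    os.makedirs(repo, mode=0o700, exist_ok=True)
    for index in (0, 1):
        _write_key(repo, index, _new_key())

def rotate_keys(repo: str, max_active_keys: int = MAX_ACTIVE_KEYS) -> dict:
    """One rotation: staged -> primary, old primary -> secondary, fresh staged key.
    Old secondaries are pruned only once more than max_active_keys files exist,
    so tokens signed by the previous primary keep validating until the next run."""
    indices = list_keys(repo)
    if 0 not in indices or len(indices) < 2:
        raise RuntimeError("repository needs a staged key (0) and a primary key")
    old_primary = indices[-1]
    os.rename(os.path.join(repo, "0"), os.path.join(repo, str(old_primary + 1)))
    _write_key(repo, 0, _new_key())  # new staged key: distributed before it signs
    while len(indices := list_keys(repo)) > max_active_keys:
        oldest = min(i for i in indices if i != 0)  # the staged key is never pruned
        os.remove(os.path.join(repo, str(oldest)))
    return {"staged": 0, "primary": indices[-1],
            "secondary": [i for i in indices if i not in (0, indices[-1])]}

def demo_rotation(rounds: int = 3) -> list:
    """Run `rounds` rotations in a temporary repository and return each layout."""
    repo = tempfile.mkdtemp(prefix="fernet-keys-")
    init_repository(repo)
    return [rotate_keys(repo) for _ in range(rounds)]
```

      Each periodic run promotes the previously distributed staged key, which is why the job schedule and the token expiry must be kept consistent across all keystone instances sharing the repository.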


      Definition of Ready

      When can we consider the User Story to be Ready?

      1. Defined clearly enough that all members of the team understand what needs to be done
      2. Includes any required enabling specs, wireframes, etc.
      3. Fully meets the INVEST criteria for User Stories
      4. Dependencies identified, with a clear strategy for how they will be managed


      Prerequisites:

      1. Ability to configure the fernet keys
      2. Ability to configure the duration and time-frames of the rotations


      Acceptance Criteria

      1. Job created that runs the rotation with keystone-manage, using the keystone image, and updates the fernet keys
      2. Periodic job added to the cluster by keystone-operator
      3. Ability to configure the rotation timeframes from both keystone-operator and the meta operator (openstack-operator)
      4. This configuration will synchronize both the keystone configuration settings and the k8s periodic job schedule settings

      Definition of Done

      When can we consider the User Story to be Done:

      1. Tests created - the rotation should be triggered in the CI
      2. Documentation on how to configure rotation
      3. Created pull request and merged to master
      4. Ready for next step: https://issues.redhat.com/browse/OSP-19148

              ggrasza@redhat.com Grzegorz Grasza
              hrybacki@redhat.com Harry Rybacki (Inactive)
              rhos-dfg-security