Fernet key rotation is easy.

1) You don't need a maintenance window
2) You can do one node at a time even with a long delay between
3) You don't need to restart anything

We rotate approximately weekly.

On Wed, Mar 16, 2016 at 3:44 PM, Ajay Kalambur (akalambu) <akalambu at cisco.com> wrote:

> Hi
> In a multi node HA deployment for production does key rotate need a
> keystone process reboot or should we just run the fernet rotate on one node
> and distribute it without restarting any process
> I presume keystone can handle the rotation without a restart?
>
> I also assume this key rotation can happen without a maintenance window
>
> What do folks typically do in production and how often do you rotate keys
>
> Ajay
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
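Why rotating on one node and distributing later works, and where it stops working, as an added example that is not from this thread or from keystone's source: it models keystone's key repository convention (key 0 is staged, the highest index is primary, max_active_keys of 3) and uses an HMAC-SHA256 tag as a stand-in for real Fernet encryption. The function names are hypothetical.

```python
import hashlib
import hmac
import os

MAX_ACTIVE_KEYS = 3  # assumption: keystone's default [fernet_tokens] max_active_keys


def new_repo():
    # State after initial setup: key 0 is staged, key 1 is primary.
    return {0: os.urandom(32), 1: os.urandom(32)}


def rotate(repo):
    """Model of a rotation: staged key becomes the new primary, a fresh
    staged key is created, and the oldest secondary keys are pruned."""
    out = dict(repo)
    out[max(out) + 1] = out.pop(0)   # promote staged key to highest index
    out[0] = os.urandom(32)          # create the next staged key
    while len(out) > MAX_ACTIVE_KEYS:
        del out[min(i for i in out if i != 0)]
    return out


def issue(repo, payload):
    # Tokens are always produced with the primary (highest-index) key.
    tag = hmac.new(repo[max(repo)], payload, hashlib.sha256).digest()
    return payload, tag


def validate(repo, token):
    # Validation tries every key in the repository, staged key included.
    payload, tag = token
    return any(
        hmac.compare_digest(hmac.new(k, payload, hashlib.sha256).digest(), tag)
        for k in repo.values()
    )


def scenario():
    node_a = new_repo()
    node_b = dict(node_a)                 # both nodes start in sync
    node_a = rotate(node_a)               # rotate on A; B not yet updated
    one_behind = (validate(node_b, issue(node_a, b"t1")),
                  validate(node_a, issue(node_b, b"t2")))
    node_a = rotate(node_a)               # second rotation before B synced
    two_behind = validate(node_b, issue(node_a, b"t3"))
    node_b = dict(node_a)                 # distribute A's repository to B
    resynced = validate(node_b, issue(node_a, b"t4"))
    return one_behind, two_behind, resynced
```

A node one rotation behind still interoperates because the new primary is the key it already holds as staged. A node two rotations behind does not, so every node should receive the current keys before the next rotation runs.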