Rotation Scripts
The Fernet and credential rotation scripts (fernet_rotate.sh, credential_rotate.sh) are embedded in the operator binary via go:embed and mounted into CronJob pods as immutable, content-hash-named ConfigMaps.
For full reference documentation — including the go:embed pattern, ConfigMap mounting, content-hash naming, CronJob volume layout, error handling, and idempotency guarantees — see the sub-reconciler sections in Keystone Reconciler Architecture:
- reconcileFernetKeys: Fernet key rotation script lifecycle
- reconcileCredentialKeys: Credential key rotation script lifecycle
Script Locations
```text
operators/keystone/internal/controller/
├── scripts/
│   ├── fernet_rotate.sh        # Fernet key rotation
│   └── credential_rotate.sh    # Credential key rotation
├── reconcile_fernet.go         # go:embed + ConfigMap creation
└── reconcile_credential.go     # go:embed + ConfigMap creation
```
Script Contract
Both scripts follow the same contract:
- Run `keystone-manage {type}_rotate` (and `credential_migrate` for credentials)
- Read the rotated keys from the local filesystem
- Base64-encode the key data and PATCH the Kubernetes Secret via the in-cluster API
- Exit non-zero on HTTP error (status >= 300)
Environment variables required by both scripts:
| Variable | Description |
|---|---|
| SECRET_NAMESPACE | Namespace of the target keys Secret |
| SECRET_NAME | Name of the target keys Secret |
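The following is an added example of a script that satisfies this contract end to end; it is not the project's fernet_rotate.sh or credential_rotate.sh. It takes the rotation type (`fernet` or `credential`) as its argument, runs the matching `keystone-manage` subcommands, builds a JSON merge patch from every key file in the repository, and PATCHes the Secret named by SECRET_NAMESPACE and SECRET_NAME. Everything beyond the contract is an assumption: curl is present in the CronJob image, the default in-cluster API address and service-account mount are used, and the key repository is Keystone's default `/etc/keystone/<type>-keys` (overridable with KEY_DIR).

```shell
#!/bin/sh
# Added example, not the project's fernet_rotate.sh/credential_rotate.sh.
# Implements the contract above: rotate with keystone-manage, read the key
# repository, base64-encode every key, PATCH the Secret, fail on HTTP >= 300.
#
# Assumptions (not from the page): curl is in the image, the default
# service-account mount and in-cluster API address are used, and the key
# repository is Keystone's default /etc/keystone/<type>-keys.
set -eu

API="${KUBE_API:-https://kubernetes.default.svc}"
SA="/var/run/secrets/kubernetes.io/serviceaccount"

# Base64 without line wrapping; GNU 'base64 -w0' is not portable.
b64() { base64 | tr -d '\n'; }

# build_patch DIR: emit a JSON merge patch replacing Secret .data with one
# entry per key file. Keystone names keys by integer index (0 is the staged
# key), so the glob's lexical order is fine. Fails if DIR holds no keys, so
# an empty repository can never wipe the Secret.
build_patch() {
  dir="$1"
  out='{"data":{'
  sep=''
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    out="$out$sep\"$(basename "$f")\":\"$(b64 < "$f")\""
    sep=','
  done
  if [ -z "$sep" ]; then
    echo "no key files found in $dir" >&2
    return 1
  fi
  printf '%s}}' "$out"
}

# status_ok CODE: the contract treats >= 300 as failure. Codes below 200 are
# rejected too: curl reports 000 when it never reached the API server.
status_ok() {
  [ "$1" -ge 200 ] && [ "$1" -lt 300 ]
}

# patch_secret PATCH: merge-patch the target Secret using the pod's
# service-account token; the response body goes to stderr for the pod log.
patch_secret() {
  code=$(curl -sS -o /dev/stderr -w '%{http_code}' \
    --cacert "$SA/ca.crt" \
    -H "Authorization: Bearer $(cat "$SA/token")" \
    -H 'Content-Type: application/merge-patch+json' \
    -X PATCH --data-binary "$1" \
    "$API/api/v1/namespaces/$SECRET_NAMESPACE/secrets/$SECRET_NAME")
  if ! status_ok "$code"; then
    echo "PATCH $SECRET_NAMESPACE/$SECRET_NAME failed: HTTP $code" >&2
    return 1
  fi
}

# main TYPE: TYPE is "fernet" or "credential", matching the keystone-manage
# {type}_rotate subcommands named in the contract.
main() {
  type="$1"
  : "${SECRET_NAMESPACE:?must be set}" "${SECRET_NAME:?must be set}"
  key_dir="${KEY_DIR:-/etc/keystone/${type}-keys}"
  keystone-manage "${type}_rotate"
  if [ "$type" = credential ]; then
    keystone-manage credential_migrate
  fi
  patch_secret "$(build_patch "$key_dir")"
}

# Only run when invoked with a rotation type, e.g.:
#   SECRET_NAMESPACE=openstack SECRET_NAME=keystone-fernet-keys ./rotate.sh fernet
if [ "$#" -gt 0 ]; then
  main "$1"
fi
```

Because the script only ever issues a PATCH against one Secret, the Role bound to the CronJob's ServiceAccount needs nothing more than the `patch` verb on `secrets`, and can be narrowed further with `resourceNames` to that Secret alone.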