---
upgrade:
  - |
    The Keystone fernet key rotation scheduling algorithm has been modified to
    avoid issues with over-rotation of keys.

    The variables ``fernet_token_expiry``,
    ``fernet_token_allow_expired_window`` and ``fernet_key_rotation_interval``
    may be set to configure the token expiry and key rotation schedule.

    By default, ``fernet_token_expiry`` is 86400,
    ``fernet_token_allow_expired_window`` is 172800, and
    ``fernet_key_rotation_interval`` is the sum of these two variables. This
    allows for the minimum number of active keys - 3.

    See `bug 1809469 <https://launchpad.net/bugs/1809469>`__ for details.