It looks like at least one cause of this issue is when adding a new controller, it does not have a copy of the fernet key repository. If this node becomes the first node in the keystone group, then the task "Initialise fernet key authentication" will create a new key, but presumably fail in some unexpected way.
I think what is required is:
* check if any of the keystone nodes has a fernet key repository
* if yes, sync to other keystone hosts
* if no, initialise on any keystone host and sync to other keystone hosts
The check could be something like:
docker exec -t keystone_fernet ls /etc/keystone/fernet-keys/
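
The decision described in the comment above, as an added example that is not part of the original comment or of the project's code. It assumes the hosts are reachable over ssh, and it adds one choice the comment does not make: when several hosts hold a repository, it syncs from the one with the highest key index, since keystone names key files by integer and the highest index is the most recent primary key. `list_keys` and `fernet_plan` are hypothetical names.

```shell
#!/bin/sh
# Added example: decide whether to sync or initialise the fernet key
# repository across the keystone hosts.

# list_keys HOST prints the key file names found on HOST, one per line.
# Assumption: HOST is reachable over ssh and runs the keystone_fernet container.
list_keys() {
    # No -t here: a pseudo-TTY would append a carriage return to every name.
    ssh "$1" docker exec keystone_fernet ls /etc/keystone/fernet-keys/ 2>/dev/null
}

# fernet_plan HOST... prints "sync <host>" when at least one host holds keys,
# otherwise "init <host>" for the first host given.
fernet_plan() {
    first=$1
    best=
    best_max=-1
    for host in "$@"; do
        # Key files are named by integer index; ignore anything else.
        # An empty directory or an unreachable host yields no index at all,
        # which a bare "ls" exit status would not reveal.
        max=$(list_keys "$host" | grep -E '^[0-9]+$' | sort -n | tail -n 1)
        [ -n "$max" ] || continue
        if [ "$max" -gt "$best_max" ]; then
            best=$host
            best_max=$max
        fi
    done
    if [ -n "$best" ]; then
        echo "sync $best"
    else
        echo "init $first"
    fi
}

# Usage: fernet_plan <keystone host> [<keystone host> ...]
```

Ties go to the earliest listed host, so a repository that has never been rotated cannot be told apart from a freshly initialised one by index alone.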