Prevent overwriting existing Keystone Fernet keys

Steps to reproduce: * Deploy a cloud * Add another controller to the inventory * Deploy to the new controller using --limit: kolla-ansible deploy --limit new-controller Expected results: The new controller uses the cluster's existing fernet keys. Actual results: New fernet keys are generated on the new controller, and pushed out to the existing controllers. This invalidates tokens created from those keys. This change prevents the above scenario from happening, by failing the deployment if there are no hosts with existing Ferney keys to distribute, and not all Keystone hosts are in the target host list. Closes-Bug: #1891364 Change-Id: If0c0e038b77fc010a3a017f9841a674d53b16457
2020-08-13 09:57:00 +01:00 · 2020-08-13 09:57:00 +01:00 · 8389140f05
parent 516658f489
commit 8389140f05
2 changed files with 25 additions and 0 deletions
--- a/ansible/roles/keystone/tasks/bootstrap_service.yml
+++ b/ansible/roles/keystone/tasks/bootstrap_service.yml
@ -6,10 +6,28 @@
      - keystone_fernet
  register: container_facts

+# FIXME(mgoddard): This does not catch some cases we might consider
+# bootstrapped:
+# * the keystone_fernet container is created but not running
+# * the keystone_fernet volume exists but no container
+# Probably what we care about is the existence of Fernet key 0.
 - name: Group nodes where keystone_fernet is running
  group_by:
    key: keystone_fernet_{{ container_facts['keystone_fernet'].State | default('bootstrap') }}

+# NOTE(mgoddard): If we bootstrap Fernet keys on an existing cluster, this
+# would overwrite existing keys, and invalidate tokens created from them.
+- name: Fail if any hosts need bootstrapping and not all hosts targeted
+  fail:
+    msg: >
+      Some hosts ({{ groups['keystone_fernet_bootstrap'] | join(', ') }}) need
+      Fernet key bootstrapping, but not all Keystone hosts are in the target
+      list. Stopping as it may be unsafe to proceed. Please run without --limit
+      or --serial to bootstrap these hosts.
+  when:
+    - groups['keystone_fernet_running'] is not defined
+    - groups['keystone'] | difference(ansible_play_batch) | list | length > 0
+
 - name: Running Keystone bootstrap container
  vars:
    keystone: "{{ keystone_services.keystone }}"
--- a/releasenotes/notes/prevent-keystone-bootstrap-limit-f0250725633c16de.yaml
+++ b/releasenotes/notes/prevent-keystone-bootstrap-limit-f0250725633c16de.yaml
@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Prevents adding a new Keystone host to an existing cluster when not
+    targeting all Keystone hosts (e.g. due to ``--limit`` or ``--serial``
+    arguments), to avoid overwriting existing Fernet keys. `LP#1891364
+    <https://bugs.launchpad.net/kolla-ansible/+bug/1891364>`__