Prevent overwriting existing Keystone Fernet keys

Steps to reproduce:

* Deploy a cloud
* Add another controller to the inventory
* Deploy to the new controller using --limit:

kolla-ansible deploy --limit new-controller

Expected results:

The new controller uses the cluster's existing fernet keys.

Actual results:

New fernet keys are generated on the new controller, and pushed out to
the existing controllers. This invalidates tokens created from those
keys.

This change prevents the above scenario from happening, by failing the
deployment if there are no hosts with existing Ferney keys to
distribute, and not all Keystone hosts are in the target host list.

Closes-Bug: #1891364

Change-Id: If0c0e038b77fc010a3a017f9841a674d53b16457
This commit is contained in:
Mark Goddard 2020-08-13 09:57:00 +01:00
parent 516658f489
commit 8389140f05
2 changed files with 25 additions and 0 deletions

View File

@ -6,10 +6,28 @@
- keystone_fernet
register: container_facts
# FIXME(mgoddard): This does not catch some cases we might consider
# bootstrapped:
# * the keystone_fernet container is created but not running
# * the keystone_fernet volume exists but no container
# Probably what we care about is the existence of Fernet key 0.
- name: Group nodes where keystone_fernet is running
group_by:
key: keystone_fernet_{{ container_facts['keystone_fernet'].State | default('bootstrap') }}
# NOTE(mgoddard): If we bootstrap Fernet keys on an existing cluster, this
# would overwrite existing keys, and invalidate tokens created from them.
- name: Fail if any hosts need bootstrapping and not all hosts targeted
fail:
msg: >
Some hosts ({{ groups['keystone_fernet_bootstrap'] | join(', ') }}) need
Fernet key bootstrapping, but not all Keystone hosts are in the target
list. Stopping as it may be unsafe to proceed. Please run without --limit
or --serial to bootstrap these hosts.
when:
- groups['keystone_fernet_running'] is not defined
- groups['keystone'] | difference(ansible_play_batch) | list | length > 0
- name: Running Keystone bootstrap container
vars:
keystone: "{{ keystone_services.keystone }}"

View File

@ -0,0 +1,7 @@
---
fixes:
- |
Prevents adding a new Keystone host to an existing cluster when not
targeting all Keystone hosts (e.g. due to ``--limit`` or ``--serial``
arguments), to avoid overwriting existing Fernet keys. `LP#1891364
<https://bugs.launchpad.net/kolla-ansible/+bug/1891364>`__