openstack/kolla-ansible
Code Issues Proposed changes

Merge "Improve fernet_token_expiry precheck" into stable/stein

Browse Source
This commit is contained in:
Zuul 2020-05-18 13:08:26 +00:00 committed by Gerrit Code Review
commit ee45b16f68
2 changed files with 25 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
ansible/roles/keystone/tasks/precheck.yml
View File

@ -43,9 +43,23 @@
- keystone_ssh.enabled | bool - keystone_ssh.enabled | bool
- inventory_hostname in groups['keystone'] - inventory_hostname in groups['keystone']
- name: Checking fernet_token_expiry in globals.yml. Update fernet_token_expiry to allowed value if this task fails - name: Checking fernet_token_expiry
run_once: true run_once: true
local_action: command awk '/^fernet_token_expiry/ { print $2 }' "{{ node_config }}/globals.yml" assert:
register: result that:
changed_when: false - fernet_token_expiry is number
failed_when: result.stdout | regex_replace('(60|120|180|240|300|360|600|720|900|1200|1800|3600|7200|10800|14400|21600|28800|43200|86400|604800)', '') is search(".+") # Check that it is not a floating point number
- fernet_token_expiry | int == fernet_token_expiry
- fernet_token_expiry >= 0
# NOTE(wszumski): fernet_rotate_cron_generator.py doesn't support a span
# greater than a week.
- fernet_token_expiry <= 604800
msg: >-
fernet_token_expiry must be an integer up to and including 604800. You can
set this in `globals.yml`. The value represents the time period, in
seconds, at which to rotate the fernet keys. Suggested values are: 60,
120, 240, 480, 720, 1440, 3600, 7200, 10800, 14400, 21600, 43200, 60480,
120960, 151200, 201600, 302400, 604800. These values ensure an evenly-spaced
run schedule as they divide 7 days without remainder.
when:
- keystone_token_provider == 'fernet'

6
releasenotes/notes/fix-fernet-pre-check-5efbdfe43a2776e3.yaml Normal file
View File

@ -0,0 +1,6 @@
---
fixes:
- |
Fixes an issue where ``fernet_token_expiry`` would fail the pre-checks
despite being set to a valid value. Please see `bug 1856021
<https://bugs.launchpad.net/kolla-ansible/+bug/1856021>`_ for more details.