Update keystone service user passwords

Service user passwords will now be updated in keystone if services are reconfigured with new passwords set in config. This behaviour can be overridden. Closes-Bug: #2045990 Change-Id: I91671dda2242255e789b521d19348b0cccec266f
2023-12-08 15:28:27 +00:00 · 2023-12-08 15:28:27 +00:00 · ffd6e3bf32
commit ffd6e3bf32
parent 7a29abb590
5 changed files with 38 additions and 0 deletions
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@ -1019,6 +1019,10 @@ keystone_public_url: "{{ keystone_external_fqdn | kolla_url(public_protocol, key
 keystone_admin_user: "admin"
 keystone_admin_project: "admin"

+# Whether or not to apply changes to service user passwords when services are
+# reconfigured
+update_keystone_service_user_passwords: true
+
 default_project_domain_name: "Default"
 default_project_domain_id: "default"

--- a/ansible/roles/magnum/tasks/register.yml
+++ b/ansible/roles/magnum/tasks/register.yml
@ -30,6 +30,7 @@
      name: "{{ magnum_trustee_domain_admin }}"
      domain: "{{ magnum_trustee_domain }}"
      password: "{{ magnum_keystone_password }}"
+      update_password: "{{ 'always' if update_keystone_service_user_passwords | bool else 'on_create' }}"
      auth: "{{ openstack_magnum_auth }}"
      endpoint_type: "{{ openstack_interface }}"
      cacert: "{{ openstack_cacert }}"
--- a/ansible/roles/service-ks-register/tasks/main.yml
+++ b/ansible/roles/service-ks-register/tasks/main.yml
@ -70,6 +70,7 @@
          default_project: "{{ item.project }}"
          name: "{{ item.user }}"
          password: "{{ item.password }}"
+          update_password: "{{ 'always' if update_keystone_service_user_passwords | bool else 'on_create' }}"
          domain: "{{ service_ks_register_domain }}"
          region_name: "{{ service_ks_register_region_name }}"
          auth: "{{ service_ks_register_auth }}"
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@ -519,6 +519,9 @@ workaround_ansible_issue_8743: yes
 # 28800(8 hour), 43200(12 hour), 86400(1 day), 604800(1 week).
 #fernet_token_expiry: 86400

+# Whether or not to apply changes to service user passwords when services are
+# reconfigured
+#update_keystone_service_user_passwords: "true"

 ########################
 # Glance - Image Options
--- a/releasenotes/notes/update-keystone-passwords-7507119213391652.yaml
+++ b/releasenotes/notes/update-keystone-passwords-7507119213391652.yaml
@ -0,0 +1,29 @@
+---
+fixes:
+  - |
+    Changes to service user passwords in ``passwords.yml`` will now be applied
+    when reconfiguring services.
+
+    This behaviour can reverted by setting
+    ``update_keystone_service_user_passwords: false``.
+
+    Fixes `LP#2045990
+    <https://bugs.launchpad.net/kolla-ansible/+bug/2045990>`__
+upgrade:
+  - |
+    If credentials are updated in ``passwords.yml`` kolla-ansible is now able
+    to update these credentials in the keystone database and in the on disk
+    config files.
+
+    The changes to ``passwords.yml`` are applied once ``kolla-ansible -i
+    INVENTORY`` reconfigure has been run.
+
+    If you want to revert to the old behavior - credentials not automatically
+    updating during reconfigure if they changed in ``passwords.yml`` - you can
+    specify this by setting ``update_keystone_service_user_passwords: false``
+    in your globals.yml.
+
+    Notice that passwords are only changed if you change them in
+    ``passwords.yml``. This mechanism is not a complete solution for automatic
+    credential rollover. No passwords are changed if you do not change them
+    inside ``passwords.yml``.