From ffd6e3bf329f59318317fba624bc7b1a88f3f7bb Mon Sep 17 00:00:00 2001
From: Alex-Welsh
Date: Fri, 8 Dec 2023 15:28:27 +0000
Subject: [PATCH] Update keystone service user passwords

Service user passwords will now be updated in keystone if services are reconfigured with new passwords set in config. This behaviour can be overridden.

Closes-Bug: #2045990
Change-Id: I91671dda2242255e789b521d19348b0cccec266f
---
 ansible/group_vars/all.yml | 4 +++
 ansible/roles/magnum/tasks/register.yml | 1 +
 .../roles/service-ks-register/tasks/main.yml | 1 +
 etc/kolla/globals.yml | 3 ++
 ...e-keystone-passwords-7507119213391652.yaml | 29 +++++++++++++++++++
 5 files changed, 38 insertions(+)
 create mode 100644 releasenotes/notes/update-keystone-passwords-7507119213391652.yaml

diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index f512f5c03c..6147b08f92 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -1019,6 +1019,10 @@ keystone_public_url: "{{ keystone_external_fqdn | kolla_url(public_protocol, key
 keystone_admin_user: "admin"
 keystone_admin_project: "admin"
+# Whether or not to apply changes to service user passwords when services are
+# reconfigured
+update_keystone_service_user_passwords: true
+
 default_project_domain_name: "Default"
 default_project_domain_id: "default"
diff --git a/ansible/roles/magnum/tasks/register.yml b/ansible/roles/magnum/tasks/register.yml
index 9c64cb58b3..1d024041a4 100644
--- a/ansible/roles/magnum/tasks/register.yml
+++ b/ansible/roles/magnum/tasks/register.yml
@@ -30,6 +30,7 @@
 name: "{{ magnum_trustee_domain_admin }}"
 domain: "{{ magnum_trustee_domain }}"
 password: "{{ magnum_keystone_password }}"
+ update_password: "{{ 'always' if update_keystone_service_user_passwords | bool else 'on_create' }}"
 auth: "{{ openstack_magnum_auth }}"
 endpoint_type: "{{ openstack_interface }}"
 cacert: "{{ openstack_cacert }}"
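Review bot: The new comment on `update_keystone_service_user_passwords` in ansible/group_vars/all.yml says when changes are applied but not what happens when the flag is `false`, so an operator cannot tell whether the password is then left untouched or the user is skipped altogether. The two consuming tasks in this patch map the flag to the identity module's `update_password` choice, so the comment can state that mapping directly: `# When true, a service user password changed in passwords.yml is pushed to keystone on reconfigure (update_password: always); when false the password is only set when the user is first created (update_password: on_create).` It would also help to note that this only rewrites what is in keystone; the service's own config files are handled by the normal reconfigure path, so a run that fails between the two leaves them out of step until re-run — hedged, since that ordering is outside this hunk.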
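Review bot: With `update_password` resolved to `always`, the task in ansible/roles/magnum/tasks/register.yml will report `changed` on every reconfigure, not only when the value in passwords.yml actually differs, because the openstack.cloud identity user module cannot read the stored password back and treats any supplied password as an update (assuming this is that module — the task header is outside the hunk); the same applies to the identical line added in ansible/roles/service-ks-register/tasks/main.yml. That does not break the fix, but it makes task `changed` status useless for spotting real credential drift, and a comment above the new line should say so: `# 'always' re-sends the password on every run (task always reports changed); 'on_create' only sets it when the user is first created`. The `no_log` setting for this task is also outside the hunk, so I cannot confirm the password value is masked when the update path is taken; worth checking since the update branch now runs on every reconfigure. The same Jinja expression is duplicated verbatim in both roles; evaluating it once into a shared variable in group_vars and referencing that here would keep the two from drifting apart.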
diff --git a/ansible/roles/service-ks-register/tasks/main.yml b/ansible/roles/service-ks-register/tasks/main.yml
index 056a9fc707..813ea26ff1 100644
--- a/ansible/roles/service-ks-register/tasks/main.yml
+++ b/ansible/roles/service-ks-register/tasks/main.yml
@@ -70,6 +70,7 @@
 default_project: "{{ item.project }}"
 name: "{{ item.user }}"
 password: "{{ item.password }}"
+ update_password: "{{ 'always' if update_keystone_service_user_passwords | bool else 'on_create' }}"
 domain: "{{ service_ks_register_domain }}"
 region_name: "{{ service_ks_register_region_name }}"
 auth: "{{ service_ks_register_auth }}"
diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml
index 3429c2c0e4..f7e2285ce0 100644
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -519,6 +519,9 @@ workaround_ansible_issue_8743: yes
 # 28800(8 hour), 43200(12 hour), 86400(1 day), 604800(1 week).
 #fernet_token_expiry: 86400
+# Whether or not to apply changes to service user passwords when services are
+# reconfigured
+#update_keystone_service_user_passwords: "true"
 ########################
 # Glance - Image Options
diff --git a/releasenotes/notes/update-keystone-passwords-7507119213391652.yaml b/releasenotes/notes/update-keystone-passwords-7507119213391652.yaml
new file mode 100644
index 0000000000..8a4546e5d7
--- /dev/null
+++ b/releasenotes/notes/update-keystone-passwords-7507119213391652.yaml
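Review bot: The sample entry added to etc/kolla/globals.yml shows the value as a quoted string (`"true"`) while the default introduced in ansible/group_vars/all.yml is the bare boolean `true`; the `| bool` filter in the consuming tasks makes both work, but the operator-facing sample should match the type of the default so that uncommenting it does not silently switch the variable from a boolean to a string. Suggest `#update_keystone_service_user_passwords: true`. As with the all.yml comment, it would help to say what `false` does (the password is only set when the service user is first created), since that is the case an operator reaches for this knob to get.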
@@ -0,0 +1,29 @@
+---
+fixes:
+ - |
+ Changes to service user passwords in ``passwords.yml`` will now be applied
+ when reconfiguring services.
+
+ This behaviour can reverted by setting
+ ``update_keystone_service_user_passwords: false``.
+
+ Fixes `LP#2045990
+ `__
+upgrade:
+ - |
+ If credentials are updated in ``passwords.yml`` kolla-ansible is now able
+ to update these credentials in the keystone database and in the on disk
+ config files.
+
+ The changes to ``passwords.yml`` are applied once ``kolla-ansible -i
+ INVENTORY`` reconfigure has been run.
+
+ If you want to revert to the old behavior - credentials not automatically
+ updating during reconfigure if they changed in ``passwords.yml`` - you can
+ specify this by setting ``update_keystone_service_user_passwords: false``
+ in your globals.yml.
+
+ Notice that passwords are only changed if you change them in
+ ``passwords.yml``. This mechanism is not a complete solution for automatic
+ credential rollover. No passwords are changed if you do not change them
+ inside ``passwords.yml``.