Update keystone service user passwords

Service user passwords will now be updated in keystone if services are
reconfigured with new passwords set in config. This behaviour can be
overridden.

Closes-Bug: #2045990
Change-Id: I91671dda2242255e789b521d19348b0cccec266f
Alex-Welsh 2023-12-08 15:28:27 +00:00
parent 7a29abb590
commit ffd6e3bf32
5 changed files with 38 additions and 0 deletions


@ -1019,6 +1019,10 @@ keystone_public_url: "{{ keystone_external_fqdn | kolla_url(public_protocol, key
keystone_admin_user: "admin" keystone_admin_user: "admin"
keystone_admin_project: "admin" keystone_admin_project: "admin"
# Whether or not to apply changes to service user passwords when services are
# reconfigured
update_keystone_service_user_passwords: true
default_project_domain_name: "Default" default_project_domain_name: "Default"
default_project_domain_id: "default" default_project_domain_id: "default"
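Review bot: The comment above `update_keystone_service_user_passwords` does not say what each value does, and the default of `true` changes behaviour for existing deployments on their next reconfigure. Suggest spelling out the mapping used by the task hunks in this commit, e.g. `# true: service user passwords are always pushed to keystone ('always'); false: only set when the user is first created ('on_create')`. If the old behaviour could leave the on-disk service configs and keystone disagreeing after a change in passwords.yml, as the linked bug seems to imply, one more comment line saying so would help operators who set this to false.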


@ -30,6 +30,7 @@
name: "{{ magnum_trustee_domain_admin }}" name: "{{ magnum_trustee_domain_admin }}"
domain: "{{ magnum_trustee_domain }}" domain: "{{ magnum_trustee_domain }}"
password: "{{ magnum_keystone_password }}" password: "{{ magnum_keystone_password }}"
update_password: "{{ 'always' if update_keystone_service_user_passwords | bool else 'on_create' }}"
auth: "{{ openstack_magnum_auth }}" auth: "{{ openstack_magnum_auth }}"
endpoint_type: "{{ openstack_interface }}" endpoint_type: "{{ openstack_interface }}"
cacert: "{{ openstack_cacert }}" cacert: "{{ openstack_cacert }}"
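Review bot: With `update_password` resolving to `always` by default, this user task will probably report `changed` on every deploy and reconfigure, since keystone never returns a stored password for the module to compare against. The same line is added in the later hunk that sets `password: "{{ item.password }}"`. The changed status then no longer distinguishes a real rotation from a no-op run, and it is worth confirming whether keystone treats a same-value update as a password change (audit events, token invalidation for the service user). The task header is outside the hunk, so I cannot see whether `no_log` is set on a task that carries `password`; if it is not, consider adding `no_log: true`. A short comment such as `# 'always' re-sends the password on every run; 'on_create' only when the user is created` would document the choice.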


@ -70,6 +70,7 @@
default_project: "{{ item.project }}" default_project: "{{ item.project }}"
name: "{{ item.user }}" name: "{{ item.user }}"
password: "{{ item.password }}" password: "{{ item.password }}"
update_password: "{{ 'always' if update_keystone_service_user_passwords | bool else 'on_create' }}"
domain: "{{ service_ks_register_domain }}" domain: "{{ service_ks_register_domain }}"
region_name: "{{ service_ks_register_region_name }}" region_name: "{{ service_ks_register_region_name }}"
auth: "{{ service_ks_register_auth }}" auth: "{{ service_ks_register_auth }}"


@ -519,6 +519,9 @@ workaround_ansible_issue_8743: yes
# 28800(8 hour), 43200(12 hour), 86400(1 day), 604800(1 week). # 28800(8 hour), 43200(12 hour), 86400(1 day), 604800(1 week).
#fernet_token_expiry: 86400 #fernet_token_expiry: 86400
# Whether or not to apply changes to service user passwords when services are
# reconfigured
#update_keystone_service_user_passwords: "true"
######################## ########################
# Glance - Image Options # Glance - Image Options
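Review bot: The commented example `#update_keystone_service_user_passwords: "true"` shows a quoted string, while the default added in the first hunk is the boolean `true` and the release note tells operators to set `false` unquoted. Both forms work because the tasks apply `| bool`, but the sample would be clearer and consistent with the default as `#update_keystone_service_user_passwords: true`.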


@ -0,0 +1,29 @@
---
fixes:
- |
Changes to service user passwords in ``passwords.yml`` will now be applied
when reconfiguring services.
This behaviour can reverted by setting
``update_keystone_service_user_passwords: false``.
Fixes `LP#2045990
<https://bugs.launchpad.net/kolla-ansible/+bug/2045990>`__
upgrade:
- |
If credentials are updated in ``passwords.yml`` kolla-ansible is now able
to update these credentials in the keystone database and in the on disk
config files.
The changes to ``passwords.yml`` are applied once ``kolla-ansible -i
INVENTORY`` reconfigure has been run.
If you want to revert to the old behavior - credentials not automatically
updating during reconfigure if they changed in ``passwords.yml`` - you can
specify this by setting ``update_keystone_service_user_passwords: false``
in your globals.yml.
Notice that passwords are only changed if you change them in
``passwords.yml``. This mechanism is not a complete solution for automatic
credential rollover. No passwords are changed if you do not change them
inside ``passwords.yml``.