Ensure the user_secrets file is updated

We shouldn't allow an arbitrary secret file to be updated in the
leap process; instead we should ensure that the file present in
J/K/L is properly updated by the end of the process.

If you had set the variable in those playbooks, you would
naturally CREATE a new file, alongside the existing user_secrets,
with the risks of:

- Having different values
- Having precedence issues depending on the file name

Change-Id: I2873318e2f1fd34673e95f8eb77a0001d649df1e
This commit is contained in:
Jean-Philippe Evrard 2017-08-31 09:16:07 +00:00
parent aca60fd187
commit 50f3fd6df7
2 changed files with 7 additions and 11 deletions


@ -24,11 +24,9 @@
register: secrets register: secrets
- name: Add missing secret - name: Add missing secret
shell: | shell: |
if ! grep '^{{ item }}' /etc/openstack_deploy/{{ _osa_secrets_file_name }}; then if ! grep '^{{ item }}' /etc/openstack_deploy/user_secrets.yml; then
echo {{ item }} | tee -a /etc/openstack_deploy/{{ _osa_secrets_file_name }} echo {{ item }} | tee -a /etc/openstack_deploy/user_secrets.yml
fi fi
with_items: secrets.stdout_lines with_items: secrets.stdout_lines
- name: Generate new secrets - name: Generate new secrets
shell: "{{ osa_playbook_dir }}/scripts/pw-token-gen.py --file /etc/openstack_deploy/{{ _osa_secrets_file_name }}" shell: "{{ osa_playbook_dir }}/scripts/pw-token-gen.py --file /etc/openstack_deploy/user_secrets.yml"
vars:
_osa_secrets_file_name: "{{ osa_secrets_file_name | default('user_secrets.yml') }}"
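Review bot: In the new `Add missing secret` shell block, `grep '^{{ item }}' /etc/openstack_deploy/user_secrets.yml` runs without `-q`, so whenever the key already exists the whole matching line — key and secret value — goes to the task's stdout, which Ansible keeps in the registered result and shows under `-v` or writes to `log_path`. Use `if ! grep -q '^{{ item }}' /etc/openstack_deploy/user_secrets.yml; then` and add `no_log: true` to the task so neither the probe nor the `tee -a` echo leaks file contents. The `echo {{ item }}` expansion is also unquoted, so an item containing shell metacharacters would be interpreted by the shell; the task that registers `secrets` is outside this hunk, so how each item is produced cannot be confirmed here. A `changed_when` tied to whether the append actually ran would also stop the task from reporting changed on every run.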


@ -24,22 +24,20 @@
register: secrets register: secrets
- name: Rename changed secrets - name: Rename changed secrets
lineinfile: lineinfile:
dest: "/etc/openstack_deploy/{{ _osa_secrets_file_name }}" dest: "/etc/openstack_deploy/user_secrets.yml"
regexp: "^{{ item.old_name }}: (.*)$" regexp: "^{{ item.old_name }}: (.*)$"
line: "{{ item.new_name }}: \\1" line: "{{ item.new_name }}: \\1"
backrefs: yes backrefs: yes
with_items: with_items:
- { old_name: "ironic_galera_password", new_name: "ironic_container_mysql_password" } - { old_name: "ironic_galera_password", new_name: "ironic_container_mysql_password" }
- name: Read user secrets file - name: Read user secrets file
shell: "grep '^[a-zA-Z]' /etc/openstack_deploy/{{ _osa_secrets_file_name }}" shell: "grep '^[a-zA-Z]' /etc/openstack_deploy/user_secrets.yml"
register: user_secrets register: user_secrets
- name: Add missing secrets - name: Add missing secrets
lineinfile: lineinfile:
dest: "/etc/openstack_deploy/{{ _osa_secrets_file_name }}" dest: "/etc/openstack_deploy/user_secrets.yml"
line: "{{ item }}" line: "{{ item }}"
with_items: "{{ secrets.stdout_lines }}" with_items: "{{ secrets.stdout_lines }}"
when: user_secrets.stdout.find("{{ item }}") == -1 when: user_secrets.stdout.find("{{ item }}") == -1
- name: Generate new secrets - name: Generate new secrets
shell: "{{ osa_playbook_dir }}/scripts/pw-token-gen.py --file /etc/openstack_deploy/{{ _osa_secrets_file_name }}" shell: "{{ osa_playbook_dir }}/scripts/pw-token-gen.py --file /etc/openstack_deploy/user_secrets.yml"
vars:
_osa_secrets_file_name: "{{ osa_secrets_file_name | default('user_secrets.yml') }}"
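Review bot: The new `Read user secrets file` task registers the full output of `grep '^[a-zA-Z]' /etc/openstack_deploy/user_secrets.yml` — every key together with its secret value — into `user_secrets`, which Ansible prints under `-v` and persists through `log_path`; add `no_log: true` to that task. The `Add missing secrets` condition `when: user_secrets.stdout.find("{{ item }}") == -1` also embeds `{{ }}` inside a `when`, which is already a Jinja expression and triggers Ansible's nested-templating warning; `when: item not in user_secrets.stdout` expresses the same check. Note that this is a substring test, so a key whose name is a suffix of another key already in the file would be treated as present and silently skipped — whether that can occur depends on the task that registers `secrets`, which lies outside this hunk.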