Ensure the user_secrets file is updated
We shouldn't allow an arbitrary secrets file to be updated in the leap process; instead we should ensure that the file already present in J/K/L is properly updated through to the end of the process. If you had set the variable in those playbooks, you would naturally CREATE a new file alongside the existing user_secrets, with the risks of: - Having different values - Having precedence issues depending on the file name Change-Id: I2873318e2f1fd34673e95f8eb77a0001d649df1e
This commit is contained in:
parent
aca60fd187
commit
50f3fd6df7
@ -24,11 +24,9 @@
register: secrets
register: secrets
- name: Add missing secret
- name: Add missing secret
shell: |
shell: |
if ! grep '^{{ item }}' /etc/openstack_deploy/{{ _osa_secrets_file_name }}; then
if ! grep '^{{ item }}' /etc/openstack_deploy/user_secrets.yml; then
echo {{ item }} | tee -a /etc/openstack_deploy/{{ _osa_secrets_file_name }}
echo {{ item }} | tee -a /etc/openstack_deploy/user_secrets.yml
fi
fi
with_items: secrets.stdout_lines
with_items: secrets.stdout_lines
- name: Generate new secrets
- name: Generate new secrets
shell: "{{ osa_playbook_dir }}/scripts/pw-token-gen.py --file /etc/openstack_deploy/{{ _osa_secrets_file_name }}"
shell: "{{ osa_playbook_dir }}/scripts/pw-token-gen.py --file /etc/openstack_deploy/user_secrets.yml"
vars:
_osa_secrets_file_name: "{{ osa_secrets_file_name | default('user_secrets.yml') }}"
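Review bot: `Add missing secret` still expands `{{ item }}` unquoted inside a shell command (the grep pattern and the `echo`), so any line from `secrets.stdout_lines` that carries a shell metacharacter, a quote, or a leading `-` is interpreted by the shell or by `echo` instead of being appended verbatim; the items presumably come from the project's own secrets template, so the practical risk is low, but `echo {{ item | quote }} >> /etc/openstack_deploy/user_secrets.yml` (and `grep -q -- '^{{ item }}' …` for the check) costs nothing and removes it. The task also never reports a meaningful change, since `shell` always returns changed and `tee -a` hides whether anything was written; a `changed_when` on the grep result, or the `lineinfile` approach the sibling playbook in this commit already uses, would fix that. `with_items: secrets.stdout_lines` is the deprecated bare-variable loop form and should be `with_items: "{{ secrets.stdout_lines }}"` to match the other playbook. The task that registers `secrets` begins above this hunk.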
@ -24,22 +24,20 @@
register: secrets
register: secrets
- name: Rename changed secrets
- name: Rename changed secrets
lineinfile:
lineinfile:
dest: "/etc/openstack_deploy/{{ _osa_secrets_file_name }}"
dest: "/etc/openstack_deploy/user_secrets.yml"
regexp: "^{{ item.old_name }}: (.*)$"
regexp: "^{{ item.old_name }}: (.*)$"
line: "{{ item.new_name }}: \\1"
line: "{{ item.new_name }}: \\1"
backrefs: yes
backrefs: yes
with_items:
with_items:
- { old_name: "ironic_galera_password", new_name: "ironic_container_mysql_password" }
- { old_name: "ironic_galera_password", new_name: "ironic_container_mysql_password" }
- name: Read user secrets file
- name: Read user secrets file
shell: "grep '^[a-zA-Z]' /etc/openstack_deploy/{{ _osa_secrets_file_name }}"
shell: "grep '^[a-zA-Z]' /etc/openstack_deploy/user_secrets.yml"
register: user_secrets
register: user_secrets
- name: Add missing secrets
- name: Add missing secrets
lineinfile:
lineinfile:
dest: "/etc/openstack_deploy/{{ _osa_secrets_file_name }}"
dest: "/etc/openstack_deploy/user_secrets.yml"
line: "{{ item }}"
line: "{{ item }}"
with_items: "{{ secrets.stdout_lines }}"
with_items: "{{ secrets.stdout_lines }}"
when: user_secrets.stdout.find("{{ item }}") == -1
when: user_secrets.stdout.find("{{ item }}") == -1
- name: Generate new secrets
- name: Generate new secrets
shell: "{{ osa_playbook_dir }}/scripts/pw-token-gen.py --file /etc/openstack_deploy/{{ _osa_secrets_file_name }}"
shell: "{{ osa_playbook_dir }}/scripts/pw-token-gen.py --file /etc/openstack_deploy/user_secrets.yml"
vars:
_osa_secrets_file_name: "{{ osa_secrets_file_name | default('user_secrets.yml') }}"
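Review bot: `Read user secrets file` greps the whole of user_secrets.yml, values included, into the registered `user_secrets` result, and neither it nor `Add missing secrets` sets `no_log`, so a verbose run or any logging callback prints every deployment password and token in the task output; add `no_log: true` to both tasks (the per-item result of `Add missing secrets` also echoes each `item`). Separately, `when: user_secrets.stdout.find("{{ item }}") == -1` nests a Jinja template inside a `when` expression, which Ansible warns about, and it is a plain substring test, so a key whose name is a suffix of another's (for example `root_password` when `galera_root_password` exists) is reported as present and never added; `when: item not in user_secrets.stdout` removes the nested template, but only a key-level comparison closes the suffix case. `backrefs: yes` would be `backrefs: true` under yamllint's truthy rule. The task that registers `secrets` sits above this hunk.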