Ensure correct order for credential rotate/migrate
Accroding to the note in keystone-manage code the proper order to
execute credetial rotation is to perform rotation first and migrate to
the new private key afterwars.
Our current code was doing vice versa for now. While it should not lead
to any issues as our autorotate script would fix that later on, let's
still improve task ordering and try to catch credential rotation issues
in ansible code as well, not only in autorotate cron job.
[1] f45921840c/keystone/cmd/cli.py (L803-L830)
Related-Bug: #2074196
Change-Id: I231cd6ddbfe837ed590c16c806023075102cc23d
This commit is contained in:
parent
95641cbd26
commit
ce4c6dfe8e
@ -80,22 +80,42 @@
|
||||
register: create_credential_keys
|
||||
when:
|
||||
- not _credential_keys.stat.exists
|
||||
- not drop_existing_credential_keys is changed
|
||||
- not drop_existing_credential_keys is changed
|
||||
|
||||
- name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when
|
||||
command: >
|
||||
{{ keystone_bin }}/keystone-manage credential_migrate
|
||||
--keystone-user "{{ keystone_system_user_name }}"
|
||||
--keystone-group "{{ keystone_system_group_name }}"
|
||||
become: yes
|
||||
become_user: "{{ keystone_system_user_name }}"
|
||||
- name: Perform rotation and migration of credential keys
|
||||
when: create_credential_keys is skipped
|
||||
block:
|
||||
- name: Rotate credential keys for Keystone # noqa: no-changed-when
|
||||
command: >
|
||||
{{ keystone_bin }}/keystone-manage credential_rotate
|
||||
--keystone-user "{{ keystone_system_user_name }}"
|
||||
--keystone-group "{{ keystone_system_group_name }}"
|
||||
become: yes
|
||||
become_user: "{{ keystone_system_user_name }}"
|
||||
# credential_rotate might fail in case any credential is not using current private key
|
||||
# so in case it fails, we need to try perform the migraton and attempt rotation after that
|
||||
rescue:
|
||||
- name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when
|
||||
command: >
|
||||
{{ keystone_bin }}/keystone-manage credential_migrate
|
||||
--keystone-user "{{ keystone_system_user_name }}"
|
||||
--keystone-group "{{ keystone_system_group_name }}"
|
||||
become: yes
|
||||
become_user: "{{ keystone_system_user_name }}"
|
||||
|
||||
- name: Rotate credential keys for Keystone # noqa: no-changed-when
|
||||
command: >
|
||||
{{ keystone_bin }}/keystone-manage credential_rotate
|
||||
--keystone-user "{{ keystone_system_user_name }}"
|
||||
--keystone-group "{{ keystone_system_group_name }}"
|
||||
become: yes
|
||||
become_user: "{{ keystone_system_user_name }}"
|
||||
when: create_credential_keys is skipped
|
||||
- name: Rotate credential keys for Keystone # noqa: no-changed-when
|
||||
command: >
|
||||
{{ keystone_bin }}/keystone-manage credential_rotate
|
||||
--keystone-user "{{ keystone_system_user_name }}"
|
||||
--keystone-group "{{ keystone_system_group_name }}"
|
||||
become: yes
|
||||
become_user: "{{ keystone_system_user_name }}"
|
||||
always:
|
||||
# Let's run migration at the end anyway, as we need it after successfull rotation.
|
||||
- name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when
|
||||
command: >
|
||||
{{ keystone_bin }}/keystone-manage credential_migrate
|
||||
--keystone-user "{{ keystone_system_user_name }}"
|
||||
--keystone-group "{{ keystone_system_group_name }}"
|
||||
become: yes
|
||||
become_user: "{{ keystone_system_user_name }}"
|
||||
|
Loading…
Reference in New Issue
Block a user