From ce4c6dfe8e2a554df5a0432076e89f8f0839a8eb Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Mon, 5 Aug 2024 11:13:02 +0200
Subject: [PATCH] Ensure correct order for credential rotate/migrate Accroding to the note in keystone-manage code the proper order to execute credetial rotation is to perform rotation first and migrate to the new private key afterwars. Our current code was doing vice versa for now. While it should not lead to any issues as our autorotate script would fix that later on, let's still improve task ordering and try to catch credential rotation issues in ansible code as well, not only in autorotate cron job. [1] https://opendev.org/openstack/keystone/src/commit/f45921840c17e3b967a136de594f0c7eade82488/keystone/cmd/cli.py#L803-L830 Related-Bug: #2074196 Change-Id: I231cd6ddbfe837ed590c16c806023075102cc23d
---
tasks/keystone_credential_create.yml | 52 +++++++++++++++++++---------
1 file changed, 36 insertions(+), 16 deletions(-)
diff --git a/tasks/keystone_credential_create.yml b/tasks/keystone_credential_create.yml
index f0fce59b..475f364b 100644
--- a/tasks/keystone_credential_create.yml
+++ b/tasks/keystone_credential_create.yml
@@ -80,22 +80,42 @@
 register: create_credential_keys
 when:
 - not _credential_keys.stat.exists
- - not drop_existing_credential_keys is changed
+ - not drop_existing_credential_keys is changed

-- name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when
- command: >
- {{ keystone_bin }}/keystone-manage credential_migrate
- --keystone-user "{{ keystone_system_user_name }}"
- --keystone-group "{{ keystone_system_group_name }}"
- become: yes
- become_user: "{{ keystone_system_user_name }}"
+- name: Perform rotation and migration of credential keys
 when: create_credential_keys is skipped
+ block:
+ - name: Rotate credential keys for Keystone # noqa: no-changed-when
+ command: >
+ {{ keystone_bin }}/keystone-manage credential_rotate
+ --keystone-user "{{ keystone_system_user_name }}"
+ --keystone-group "{{ keystone_system_group_name }}"
+ become: yes
+ become_user: "{{ keystone_system_user_name }}"
+ # credential_rotate might fail in case any credential is not using current private key
+ # so in case it fails, we need to try perform the migraton and attempt rotation after that
+ rescue:
+ - name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when
+ command: >
+ {{ keystone_bin }}/keystone-manage credential_migrate
+ --keystone-user "{{ keystone_system_user_name }}"
+ --keystone-group "{{ keystone_system_group_name }}"
+ become: yes
+ become_user: "{{ keystone_system_user_name }}"

-- name: Rotate credential keys for Keystone # noqa: no-changed-when
- command: >
- {{ keystone_bin }}/keystone-manage credential_rotate
- --keystone-user "{{ keystone_system_user_name }}"
- --keystone-group "{{ keystone_system_group_name }}"
- become: yes
- become_user: "{{ keystone_system_user_name }}"
- when: create_credential_keys is skipped
+ - name: Rotate credential keys for Keystone # noqa: no-changed-when
+ command: >
+ {{ keystone_bin }}/keystone-manage credential_rotate
+ --keystone-user "{{ keystone_system_user_name }}"
+ --keystone-group "{{ keystone_system_group_name }}"
+ become: yes
+ become_user: "{{ keystone_system_user_name }}"
+ always:
+ # Let's run migration at the end anyway, as we need it after successfull rotation.
+ - name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when
+ command: >
+ {{ keystone_bin }}/keystone-manage credential_migrate
+ --keystone-user "{{ keystone_system_user_name }}"
+ --keystone-group "{{ keystone_system_group_name }}"
+ become: yes
+ become_user: "{{ keystone_system_user_name }}"
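Review bot: The new `rescue:` section treats every failure of the first `credential_rotate` task as the "some credential is still on an old key" case that the comment above it describes, so an unrelated failure (for example an unreadable key repository or a database error) is retried through migrate and a second rotate, and the error that finally surfaces is the retry's, not the original one. Consider opening the rescue with a task that preserves the first failure for the operator, e.g. `- name: Show why the initial credential rotation failed` / `ansible.builtin.debug:` / `var: ansible_failed_result`, so the two situations can be told apart in the play output. As a point of style, `become: yes` on the added tasks is a YAML 1.1 truthy spelling carried over from the removed lines; `become: true` is the canonical form and what yamllint's `truthy` rule expects. The two added comments also contain typos: "migraton" should read "migration" and "successfull" should read "successful".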