Ensure correct order for credential rotate/migrate

Accroding to the note in keystone-manage code the proper order to execute credetial rotation is to perform rotation first and migrate to the new private key afterwars. Our current code was doing vice versa for now. While it should not lead to any issues as our autorotate script would fix that later on, let's still improve task ordering and try to catch credential rotation issues in ansible code as well, not only in autorotate cron job. [1] f45921840c/keystone/cmd/cli.py (L803-L830) Related-Bug: #2074196 Change-Id: I231cd6ddbfe837ed590c16c806023075102cc23d
2024-08-05 11:13:02 +02:00 · 2024-08-05 11:13:02 +02:00 · ce4c6dfe8e
commit ce4c6dfe8e
parent 95641cbd26
1 changed files with 36 additions and 16 deletions
--- a/tasks/keystone_credential_create.yml
+++ b/tasks/keystone_credential_create.yml
@ -80,22 +80,42 @@
  register: create_credential_keys
  when:
    - not _credential_keys.stat.exists
-    - not drop_existing_credential_keys  is changed
+    - not drop_existing_credential_keys is changed
- name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when
+- name: Perform rotation and migration of credential keys
  command: >
    {{ keystone_bin }}/keystone-manage credential_migrate
                                       --keystone-user "{{ keystone_system_user_name }}"
                                       --keystone-group "{{ keystone_system_group_name }}"
  become: yes
  become_user: "{{ keystone_system_user_name }}"
  when: create_credential_keys is skipped
  block:
    - name: Rotate credential keys for Keystone # noqa: no-changed-when
      command: >
        {{ keystone_bin }}/keystone-manage credential_rotate
                                          --keystone-user "{{ keystone_system_user_name }}"
                                          --keystone-group "{{ keystone_system_group_name }}"
      become: yes
      become_user: "{{ keystone_system_user_name }}"
  # credential_rotate might fail in case any credential is not using current private key
  # so in case it fails, we need to try perform the migraton and attempt rotation after that
  rescue:
    - name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when
      command: >
        {{ keystone_bin }}/keystone-manage credential_migrate
                                          --keystone-user "{{ keystone_system_user_name }}"
                                          --keystone-group "{{ keystone_system_group_name }}"
      become: yes
      become_user: "{{ keystone_system_user_name }}"
- name: Rotate credential keys for Keystone # noqa: no-changed-when
+    - name: Rotate credential keys for Keystone # noqa: no-changed-when
-  command: >
+      command: >
-    {{ keystone_bin }}/keystone-manage credential_rotate
+        {{ keystone_bin }}/keystone-manage credential_rotate
-                                       --keystone-user "{{ keystone_system_user_name }}"
+                                          --keystone-user "{{ keystone_system_user_name }}"
-                                       --keystone-group "{{ keystone_system_group_name }}"
+                                          --keystone-group "{{ keystone_system_group_name }}"
-  become: yes
+      become: yes
-  become_user: "{{ keystone_system_user_name }}"
+      become_user: "{{ keystone_system_user_name }}"
-  when: create_credential_keys is skipped
+  always:
    # Let's run migration at the end anyway, as we need it after successfull rotation.
    - name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when
      command: >
        {{ keystone_bin }}/keystone-manage credential_migrate
                                          --keystone-user "{{ keystone_system_user_name }}"
                                          --keystone-group "{{ keystone_system_group_name }}"
      become: yes
      become_user: "{{ keystone_system_user_name }}"