Ensure correct order for credential rotate/migrate

Accroding to the note in keystone-manage code the proper order to
execute credetial rotation is to perform rotation first and migrate to
the new private key afterwars.
Our current code was doing vice versa for now. While it should not lead
to any issues as our autorotate script would fix that later on, let's
still improve task ordering and try to catch credential rotation issues
in ansible code as well, not only in autorotate cron job.

[1] f45921840c/keystone/cmd/cli.py (L803-L830)

Related-Bug: #2074196
Change-Id: I231cd6ddbfe837ed590c16c806023075102cc23d
This commit is contained in:
Dmitriy Rabotyagov 2024-08-05 11:13:02 +02:00
parent 95641cbd26
commit ce4c6dfe8e

View File

@ -82,20 +82,40 @@
- not _credential_keys.stat.exists
- not drop_existing_credential_keys is changed
- name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when
command: >
{{ keystone_bin }}/keystone-manage credential_migrate
--keystone-user "{{ keystone_system_user_name }}"
--keystone-group "{{ keystone_system_group_name }}"
become: yes
become_user: "{{ keystone_system_user_name }}"
- name: Perform rotation and migration of credential keys
when: create_credential_keys is skipped
- name: Rotate credential keys for Keystone # noqa: no-changed-when
block:
- name: Rotate credential keys for Keystone # noqa: no-changed-when
command: >
{{ keystone_bin }}/keystone-manage credential_rotate
--keystone-user "{{ keystone_system_user_name }}"
--keystone-group "{{ keystone_system_group_name }}"
become: yes
become_user: "{{ keystone_system_user_name }}"
when: create_credential_keys is skipped
# credential_rotate might fail in case any credential is not using current private key
# so in case it fails, we need to try perform the migraton and attempt rotation after that
rescue:
- name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when
command: >
{{ keystone_bin }}/keystone-manage credential_migrate
--keystone-user "{{ keystone_system_user_name }}"
--keystone-group "{{ keystone_system_group_name }}"
become: yes
become_user: "{{ keystone_system_user_name }}"
- name: Rotate credential keys for Keystone # noqa: no-changed-when
command: >
{{ keystone_bin }}/keystone-manage credential_rotate
--keystone-user "{{ keystone_system_user_name }}"
--keystone-group "{{ keystone_system_group_name }}"
become: yes
become_user: "{{ keystone_system_user_name }}"
always:
# Let's run migration at the end anyway, as we need it after successfull rotation.
- name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when
command: >
{{ keystone_bin }}/keystone-manage credential_migrate
--keystone-user "{{ keystone_system_user_name }}"
--keystone-group "{{ keystone_system_group_name }}"
become: yes
become_user: "{{ keystone_system_user_name }}"