ce4c6dfe8e
Accroding to the note in keystone-manage code the proper order to
execute credetial rotation is to perform rotation first and migrate to
the new private key afterwars.
Our current code was doing vice versa for now. While it should not lead
to any issues as our autorotate script would fix that later on, let's
still improve task ordering and try to catch credential rotation issues
in ansible code as well, not only in autorotate cron job.
[1] f45921840c/keystone/cmd/cli.py (L803-L830)
Related-Bug: #2074196
Change-Id: I231cd6ddbfe837ed590c16c806023075102cc23d
122 lines
5.1 KiB
YAML
122 lines
5.1 KiB
YAML
---
|
|
# Copyright 2016, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Check if credential keys already exist
|
|
stat:
|
|
path: "{{ keystone_credential_key_repository }}/0"
|
|
register: _credential_keys
|
|
|
|
- name: Check for credential keys on all Keystone containers
|
|
find:
|
|
paths: "{{ keystone_credential_key_repository }}"
|
|
patterns: "^[0-9]+$"
|
|
use_regex: True
|
|
when: not _credential_keys.stat.exists
|
|
register: credential_key_list
|
|
delegate_to: "{{ item }}"
|
|
with_items: "{{ groups['keystone_all'] }}"
|
|
|
|
- name: Aggregate the collected file lists
|
|
set_fact:
|
|
existing_credential_keys: >-
|
|
{% set _var = [] -%}
|
|
{% for result in credential_key_list.results -%}
|
|
{% if result.files is defined -%}
|
|
{% for file in result.files -%}
|
|
{% if _var.append({'host': result.item, 'file': file.path}) -%}{% endif -%}
|
|
{% endfor -%}
|
|
{% endif -%}
|
|
{% endfor -%}
|
|
{{ _var }}
|
|
when: not credential_key_list is skipped
|
|
|
|
- name: Collect the existing keys from containers
|
|
slurp:
|
|
src: "{{ item.file }}"
|
|
delegate_to: "{{ item.host }}"
|
|
with_items: "{{ existing_credential_keys }}"
|
|
register: collected_existing_credential_keys
|
|
when: existing_credential_keys is defined
|
|
|
|
- name: Ensure the target directory exists on the master Keystone container
|
|
file:
|
|
path: "{{ keystone_credential_key_repository }}"
|
|
state: directory
|
|
owner: "{{ keystone_system_user_name }}"
|
|
group: "{{ keystone_system_group_name }}"
|
|
mode: "0700"
|
|
when: not collected_existing_credential_keys is skipped
|
|
|
|
- name: Drop the existing credential keys in the master Keystone container
|
|
copy:
|
|
content: "{{ item.1 | b64decode }}"
|
|
dest: "{{ keystone_credential_key_repository }}/{{ item.0 }}"
|
|
owner: "{{ keystone_system_user_name }}"
|
|
group: "{{ keystone_system_group_name }}"
|
|
mode: "0600"
|
|
when: not collected_existing_credential_keys is skipped
|
|
register: drop_existing_credential_keys
|
|
with_indexed_items: "{{ collected_existing_credential_keys.results | map(attribute='content') | list | unique }}"
|
|
|
|
- name: Create credential keys for Keystone # noqa: no-changed-when
|
|
command: >
|
|
{{ keystone_bin }}/keystone-manage credential_setup
|
|
--keystone-user "{{ keystone_system_user_name }}"
|
|
--keystone-group "{{ keystone_system_group_name }}"
|
|
become: yes
|
|
become_user: "{{ keystone_system_user_name }}"
|
|
register: create_credential_keys
|
|
when:
|
|
- not _credential_keys.stat.exists
|
|
- not drop_existing_credential_keys is changed
|
|
|
|
- name: Perform rotation and migration of credential keys
|
|
when: create_credential_keys is skipped
|
|
block:
|
|
- name: Rotate credential keys for Keystone # noqa: no-changed-when
|
|
command: >
|
|
{{ keystone_bin }}/keystone-manage credential_rotate
|
|
--keystone-user "{{ keystone_system_user_name }}"
|
|
--keystone-group "{{ keystone_system_group_name }}"
|
|
become: yes
|
|
become_user: "{{ keystone_system_user_name }}"
|
|
# credential_rotate might fail in case any credential is not using current private key
|
|
# so in case it fails, we need to try perform the migraton and attempt rotation after that
|
|
rescue:
|
|
- name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when
|
|
command: >
|
|
{{ keystone_bin }}/keystone-manage credential_migrate
|
|
--keystone-user "{{ keystone_system_user_name }}"
|
|
--keystone-group "{{ keystone_system_group_name }}"
|
|
become: yes
|
|
become_user: "{{ keystone_system_user_name }}"
|
|
|
|
- name: Rotate credential keys for Keystone # noqa: no-changed-when
|
|
command: >
|
|
{{ keystone_bin }}/keystone-manage credential_rotate
|
|
--keystone-user "{{ keystone_system_user_name }}"
|
|
--keystone-group "{{ keystone_system_group_name }}"
|
|
become: yes
|
|
become_user: "{{ keystone_system_user_name }}"
|
|
always:
|
|
# Let's run migration at the end anyway, as we need it after successfull rotation.
|
|
- name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when
|
|
command: >
|
|
{{ keystone_bin }}/keystone-manage credential_migrate
|
|
--keystone-user "{{ keystone_system_user_name }}"
|
|
--keystone-group "{{ keystone_system_group_name }}"
|
|
become: yes
|
|
become_user: "{{ keystone_system_user_name }}"
|