From 88a8bfcd62fe7bb027ca7a8636fbe943bfda88c1 Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Tue, 20 Jun 2023 13:44:18 +0200
Subject: [PATCH] Skip updating service password by default
At the moment we always do attempt to reset passwords for the keystone services, which in some cases leads to race conditions in services. Thus, running a role is not idempotent which we fix by introducing a `service_update_password` variable. So whenever password needs to be reseted/updated, the variable should be supplied for that.
Change-Id: I11b1046ea91cef7de0b2f6433baabbb144e07700
Closes-Bug: #2023370
(cherry picked from commit f35126af68e17d76be00f1cb70cd42fab15f2f4e)
---
 .../service_password_update-3bdd2bb5ed3a99b5.yaml | 14 ++++++++++++++
 roles/service_setup/tasks/main.yml | 2 +-
 2 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/service_password_update-3bdd2bb5ed3a99b5.yaml
diff --git a/releasenotes/notes/service_password_update-3bdd2bb5ed3a99b5.yaml b/releasenotes/notes/service_password_update-3bdd2bb5ed3a99b5.yaml
new file mode 100644
index 00000000..216d367a
--- /dev/null
+++ b/releasenotes/notes/service_password_update-3bdd2bb5ed3a99b5.yaml
@@ -0,0 +1,14 @@
+---
+features:
+ - |
+ Added variable ``service_update_password`` that will control whether
+ password should be updated, which defaults to `False`. This changes
+ previous behaviour when service passwords were always updated in
+ the keystone on role run.
+ Please use this variable whenever you need to update a password for
+ the service.
+fixes:
+ - |
+ Different race conditions in services are fixed when keystone password
+ is forcefully reseted.
+ Closes Bug: `#2023370 `_
diff --git a/roles/service_setup/tasks/main.yml b/roles/service_setup/tasks/main.yml
index cf3b879f..6eb0f737 100644
--- a/roles/service_setup/tasks/main.yml
+++ b/roles/service_setup/tasks/main.yml
@@ -77,7 +77,7 @@
 default_project: "{{ (default_project is truthy) | ternary(default_project, omit) }}"
 endpoint_type: admin
 validate_certs: "{{ not (_service_adminuri_insecure | default(True) | bool) }}"
- update_password: always
+ update_password: "{{ (service_update_password | default(False) | bool) | ternary('always', omit) }}"
 register: add_service
 when:
 - not (_service_in_ldap | default(False) | bool)
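Review bot: On the added `update_password` line, `ternary('always', omit)` leaves the non-update case to the called module's own default, so passwords are only skipped if that default is not `always`. The task's module name sits above the hunk, so this cannot be confirmed from here, and as this is a cherry-pick the installed collection version may differ from the one the change was written against. Assuming the module accepts `on_create` (as `openstack.cloud.identity_user` does), stating the intent removes that dependency: `update_password: "{{ (service_update_password | default(False) | bool) | ternary('always', 'on_create') }}"`. Separately, the diffstat shows no role defaults entry for `service_update_password`, and with it unset a rotated service secret is no longer pushed to keystone, so the previous password stays valid until the role is run with the variable set. A commented `service_update_password: false` in the role defaults, noting that credential rotation must set it to true, would make that visible to operators.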