Skip updating service password by default

At the moment we always do attempt to reset passwords for the
keystone services, which in some cases leads to race conditions in
services. Thus, running a role is not idempotent which we fix by
introducing a `service_update_password` variable. So whenever password
needs to be reseted/updated, the variable should be supplied for that.

Change-Id: I11b1046ea91cef7de0b2f6433baabbb144e07700
Closes-Bug: #2023370
(cherry picked from commit f35126af68)
This commit is contained in:
Dmitriy Rabotyagov 2023-06-20 13:44:18 +02:00 committed by Dmitriy Rabotyagov
parent e6ce7a42e1
commit 88a8bfcd62
2 changed files with 15 additions and 1 deletions

View File

@ -0,0 +1,14 @@
---
features:
- |
Added variable ``service_update_password`` that will control whether
password should be updated, which defaults to `False`. This changes
previous behaviour when service passwords were always updated in
the keystone on role run.
Please use this variable whenever you need to update a password for
the service.
fixes:
- |
Different race conditions in services are fixed when keystone password
is forcefully reseted.
Closes Bug: `#2023370 <https://bugs.launchpad.net/openstack-ansible/+bug/2023370>`_

View File

@ -77,7 +77,7 @@
default_project: "{{ (default_project is truthy) | ternary(default_project, omit) }}"
endpoint_type: admin
validate_certs: "{{ not (_service_adminuri_insecure | default(True) | bool) }}"
update_password: always
update_password: "{{ (service_update_password | default(False) | bool) | ternary('always', omit) }}"
register: add_service
when:
- not (_service_in_ldap | default(False) | bool)