Update Octavia keypair when public key changed

A change in the desired public key was not being reflected in the Overcloud on stack update/upgrade. TripleO should replace the keypair even when the desired public key changed, i.e. its fingerprint does not match the one (possibly) already existing in the overcloud. We should compare fingerprints and replace (delete and create, no keypair update option) when they mismatch. Closes-Bug: #1861031 Change-Id: I953c35c9ec24844598108bc173e84868393a98aa
3 years ago · bcc3efd650
1 changed files with 12 additions and 4 deletions
--- a/tripleo_ansible/roles/octavia_undercloud/tasks/main.yml
+++ b/tripleo_ansible/roles/octavia_undercloud/tasks/main.yml
@ -65,10 +65,18 @@
  when:
    - amp_ssh_key_path is not defined or ((amp_ssh_key_path | length) < 1)

- name: upload pub key to overcloud
-  shell: |-
-    openstack keypair show {{ amp_ssh_key_name }} || \
-      openstack keypair create --public-key {{ amp_ssh_key_path_final }} {{ amp_ssh_key_name }}
+- name: get the desired public key fingerprint
+  shell: |
+    set -o pipefail
+    ssh-keygen -E md5 -lf {{ amp_ssh_key_path_final }} | awk '{ print $2 }' | cut -c 5-
+  register: ssh_keygen_results
+
+- name: Create keypair
+  os_keypair:
+    state: present
+    name: "{{ amp_ssh_key_name }}"
+    public_key_file: "{{ amp_ssh_key_path_final }}"
+  register: keypair_fingerprint
  environment:
    OS_USERNAME: "{{ auth_username }}"
    OS_PASSWORD: "{{ auth_password }}"