93 lines
3.1 KiB
YAML
93 lines
3.1 KiB
YAML
---
|
|
# Copyright 2019 Red Hat, Inc.
|
|
# All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
- hosts: keystone
|
|
vars:
|
|
hide_sensitive_logs: true
|
|
tasks:
|
|
- name: Check for containerized keystone fernet repository
|
|
stat:
|
|
path: /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys/
|
|
register: containerized_keystone_dir
|
|
|
|
- name: populate service facts
|
|
service_facts:
|
|
|
|
- name: Set container facts
|
|
set_fact:
|
|
is_container: "{{ containerized_keystone_dir.stat.isdir is defined and containerized_keystone_dir.stat.isdir }}"
|
|
podman_enabled: "{{ 'tripleo_keystone.service' in ansible_facts.services }}"
|
|
|
|
- name: Rotate fernet keys for keystone container
|
|
block:
|
|
- name: Set keystone facts
|
|
set_fact:
|
|
keystone_base: /var/lib/config-data/puppet-generated/keystone
|
|
|
|
- name: Remove previous fernet keys
|
|
shell: rm -rf /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys/*
|
|
args:
|
|
warn: false
|
|
|
|
- name: Persist fernet keys to repository
|
|
copy:
|
|
dest: "{{ keystone_base }}{{ item.key }}"
|
|
content: "{{ item.value.content }}"
|
|
mode: 0600
|
|
with_dict: "{{ fernet_keys }}"
|
|
no_log: "{{ hide_sensitive_logs | bool }}"
|
|
|
|
- name: Set permissions to match container's user
|
|
shell: chown --reference={{ keystone_base }}/etc/keystone/fernet-keys {{ keystone_base }}{{ item.key }}
|
|
with_dict: "{{ fernet_keys }}"
|
|
no_log: "{{ not ((ansible_verbosity | int) >= 2) | bool }}"
|
|
|
|
- name: Restart keystone container with docker
|
|
shell: docker restart keystone
|
|
when: not podman_enabled
|
|
|
|
- name: Restart keystone container
|
|
service:
|
|
name: tripleo_keystone
|
|
state: restarted
|
|
when: podman_enabled
|
|
when:
|
|
- is_container | bool
|
|
|
|
- name: Rotate fernet keys for keystone (no container)
|
|
block:
|
|
- name: Remove previous fernet keys
|
|
shell: rm -rf /etc/keystone/fernet-keys/*
|
|
args:
|
|
warn: false
|
|
|
|
- name: Persist fernet keys to repository
|
|
copy:
|
|
dest: "{{ item.key }}"
|
|
content: "{{ item.value.content }}"
|
|
mode: 0600
|
|
owner: keystone
|
|
group: keystone
|
|
with_dict: "{{ fernet_keys }}"
|
|
no_log: "{{ hide_sensitive_logs | bool }}"
|
|
|
|
- name: Reload apache
|
|
service:
|
|
name: httpd
|
|
state: reloaded
|
|
when:
|
|
- not (is_container | bool)
|