tripleo-ansible/tripleo_ansible/playbooks/rotate-keys.yaml

---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

- hosts: keystone
  vars:
    hide_sensitive_logs: true
  tasks:
    - name: Check for containerized keystone fernet repository
      stat:
        path: /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys/
      register: containerized_keystone_dir

    - name: populate service facts
      service_facts:

    - name: Set container facts
      set_fact:
        is_container: "{{ containerized_keystone_dir.stat.isdir is defined and containerized_keystone_dir.stat.isdir }}"
        podman_enabled: "{{ 'tripleo_keystone.service' in ansible_facts.services }}"

    - name: Rotate fernet keys for keystone container
      block:
        - name: Set keystone facts
          set_fact:
            keystone_base: /var/lib/config-data/puppet-generated/keystone

        - name: Remove previous fernet keys
          shell: rm -rf /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys/*
          args:
            warn: false

        - name: Persist fernet keys to repository
          copy:
            dest: "{{ keystone_base }}{{ item.key }}"
            content: "{{ item.value.content }}"
            mode: 0600
          with_dict: "{{ fernet_keys }}"
          no_log: "{{ hide_sensitive_logs | bool }}"

        - name: Set permissions to match container's user
          shell: chown --reference={{ keystone_base }}/etc/keystone/fernet-keys {{ keystone_base }}{{ item.key }}
          with_dict: "{{ fernet_keys }}"
          no_log: "{{ not ((ansible_verbosity | int) >= 2) | bool }}"

        - name: Restart keystone container with docker
          shell: docker restart keystone
          when: not podman_enabled

        - name: Restart keystone container
          service:
            name: tripleo_keystone
            state: restarted
          when: podman_enabled
      when:
        - is_container | bool

    - name: Rotate fernet keys for keystone (no container)
      block:
        - name: Remove previous fernet keys
          shell: rm -rf /etc/keystone/fernet-keys/*
          args:
            warn: false

        - name: Persist fernet keys to repository
          copy:
            dest: "{{ item.key }}"
            content: "{{ item.value.content }}"
            mode: 0600
            owner: keystone
            group: keystone
          with_dict: "{{ fernet_keys }}"
          no_log: "{{ hide_sensitive_logs | bool }}"

        - name: Reload apache
          service:
            name: httpd
            state: reloaded
      when:
        - not (is_container | bool)