Support fernet key rotation with containers

The original playbook did not support the keystone container, this fixes that. Change-Id: I758390749961d0ca020e2d73f746d0c85c5286c8 Closes-Bug: #1713905
2017-08-30 08:32:02 +03:00 · 2017-08-30 08:32:02 +03:00 · 0b80b1b0b4
parent 923658a720
commit 0b80b1b0b4
1 changed files with 47 additions and 14 deletions
--- a/playbooks/rotate-keys.yaml
+++ b/playbooks/rotate-keys.yaml
@ -1,19 +1,52 @@
 ---
 - hosts: keystone
  tasks:
-  - name: Remove previous fernet keys
-    shell: rm -rf /etc/keystone/fernet-keys/*
+  - name: Check for containerized keystone fernet repository
+    stat:
+      path: /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys/
+    register: containerized_keystone_dir

-  - name: Persist fernet keys to repository
-    copy:
-      dest: "{{ item.key }}"
-      content: "{{ item.value.content }}"
-      mode: 0600
-      owner: keystone
-      group: keystone
-    with_dict: "{{ fernet_keys }}"
+  - set_fact:
+      is_container: containerized_keystone_dir.stat.isdir is defined and containerized_keystone_dir.stat.isdir

-  - name: Reload apache
-    service:
-      name: httpd
-      state: reloaded
+  - name: Rotate fernet keys for keystone container
+    block:
+      - name: Remove previous fernet keys
+        shell: rm -rf /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys/*
+        args:
+          warn: false
+
+      - name: Persist fernet keys to repository
+        copy:
+          dest: "/var/lib/config-data/puppet-generated/keystone{{ item.key }}"
+          content: "{{ item.value.content }}"
+          mode: 0600
+          owner: keystone
+          group: keystone
+        with_dict: "{{ fernet_keys }}"
+
+      - name: Restart keystone container
+        shell: docker restart keystone
+    when: is_container
+
+  - name: Rotate fernet keys for keystone (no container)
+    block:
+      - name: Remove previous fernet keys
+        shell: rm -rf /etc/keystone/fernet-keys/*
+        args:
+          warn: false
+
+      - name: Persist fernet keys to repository
+        copy:
+          dest: "{{ item.key }}"
+          content: "{{ item.value.content }}"
+          mode: 0600
+          owner: keystone
+          group: keystone
+        with_dict: "{{ fernet_keys }}"
+
+      - name: Reload apache
+        service:
+          name: httpd
+          state: reloaded
+    when: not is_container