28cd0e4bf5
The default verbosity ended up logging the values of the fernet keys. This is not desirable, so we set the least amount of verbosity to stop this. Change-Id: I38646729692231f305630fc36ef7591a99daff63 Closes-Bug: #1714198
55 lines
1.6 KiB
YAML
55 lines
1.6 KiB
YAML
---
|
|
- hosts: keystone
|
|
tasks:
|
|
- name: Check for containerized keystone fernet repository
|
|
stat:
|
|
path: /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys/
|
|
register: containerized_keystone_dir
|
|
|
|
- set_fact:
|
|
is_container: containerized_keystone_dir.stat.isdir is defined and containerized_keystone_dir.stat.isdir
|
|
|
|
- name: Rotate fernet keys for keystone container
|
|
block:
|
|
- name: Remove previous fernet keys
|
|
shell: rm -rf /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys/*
|
|
args:
|
|
warn: false
|
|
|
|
- name: Persist fernet keys to repository
|
|
copy:
|
|
dest: "/var/lib/config-data/puppet-generated/keystone{{ item.key }}"
|
|
content: "{{ item.value.content }}"
|
|
mode: 0600
|
|
owner: keystone
|
|
group: keystone
|
|
with_dict: "{{ fernet_keys }}"
|
|
no_log: true
|
|
|
|
- name: Restart keystone container
|
|
shell: docker restart keystone
|
|
when: is_container
|
|
|
|
- name: Rotate fernet keys for keystone (no container)
|
|
block:
|
|
- name: Remove previous fernet keys
|
|
shell: rm -rf /etc/keystone/fernet-keys/*
|
|
args:
|
|
warn: false
|
|
|
|
- name: Persist fernet keys to repository
|
|
copy:
|
|
dest: "{{ item.key }}"
|
|
content: "{{ item.value.content }}"
|
|
mode: 0600
|
|
owner: keystone
|
|
group: keystone
|
|
with_dict: "{{ fernet_keys }}"
|
|
no_log: true
|
|
|
|
- name: Reload apache
|
|
service:
|
|
name: httpd
|
|
state: reloaded
|
|
when: not is_container
|