Update registry credentials during rehoming

As we are switching to use 'sysinv' user instead of 'admin' user to
access the registries, this commit adds a task in the rehoming
playbook to update the registry credentials with the sysinv
credentials from the new system controllers which a subcloud is
migrating to.

Test steps:
1. Deploy an AIOSX subcloud in central cloud A, update the subcloud's
registries with its sysinv credentials.
2. Update the admin credentials from central cloud B in the subcloud.
3. Migrate the subcloud to central cloud B.
4. Lock/unlock the subcloud after its deploy status turns to
"complete" state.

Test result:
The subcloud turns online after unlocking and turns to "in-sync" after
being managed by central cloud B. The registries auth-secrets are all
updated to sysinv credentials from central cloud B. The central
registry can be accessed from the subcloud with the sysinv user and
its password.

Depends-On: https://review.opendev.org/c/starlingx/utilities/+/814645
Closes-Bug: 1947014
Signed-off-by: Yuxing Jiang <yuxing.jiang@windriver.com>
Change-Id: I384930d3842f8a4da03648af7153dea430c49baa
Yuxing Jiang 2021-10-13 18:07:14 -04:00 committed by Yuxing Jiang
parent d481ce9ffe
commit da276b2c7b
2 changed files with 12 additions and 2 deletions


@ -22,6 +22,13 @@
- name: Restart keystone service
command: "sm-restart service keystone"
- name: Wait until keystone is restarted
command: "sm-query service keystone"
register: keystone_service_status
until: keystone_service_status.stdout == "keystone is enabled-active-"
retries: 10
delay: 10
- name: Migrate keystone passwords
import_tasks: migrate_keystone_passwords.yml
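Review bot: The `until` condition in the "Wait until keystone is restarted" task compares `keystone_service_status.stdout` for exact equality with "keystone is enabled-active-", so trailing whitespace or any change in the `sm-query` output format makes all 10 retries fail even when keystone is up. A containment or regex match on the state would be more tolerant, and if the trailing dash in the literal is really part of the output, a short comment saying so would stop a later reader from "fixing" it. Since `sm-query` only reads state, `changed_when: false` on this task would also keep it from reporting a change on every run.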


@ -5,10 +5,13 @@
# SPDX-License-Identifier: Apache-2.0
#
# SUB-TASKS DESCRIPTION:
# These tasks update keystone passwords in keystone database, secure hieradata,
# relevant service config files as well as service passwords in keyring.
# These tasks update docker registry credentials, keystone passwords in keystone
# database, secure hieradata, relevant service config files as well as service
# passwords in keyring.
#
- name: Update docker registry credentials
command: "update_docker_registry_auth.sh 'sysinv' '{{ users['sysinv'] }}'"
- name: Get current time before update password
# TODO(yuxing) The 'openstack user set' may fail to update password in
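Review bot: The "Update docker registry credentials" task passes the sysinv password as a command-line argument, so it is visible in the process list while the script runs and is echoed in the task result when the command fails or when the playbook runs with higher verbosity. Add `no_log: true` to the task and, if `update_docker_registry_auth.sh` can accept it, supply the password through stdin or an environment variable instead. The hand-written single quotes around `{{ users['sysinv'] }}` also break argument splitting if the password contains a single quote; the `quote` filter or the `argv` form of `command` avoids that.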