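---
#
# Copyright (c) 2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# SUB-TASKS DESCRIPTION:
# These tasks update docker registry credentials, keystone passwords in keystone
# database, secure hieradata, relevant service config files as well as service
# passwords in keyring.
#
# Every task below renders a plaintext service password from 'users' into a
# command, a file line or a script, so each one sets no_log: true to keep the
# rendered arguments and task results out of Ansible output and log files.
#

# The sysinv password is passed to the script as a command-line argument.
# Without no_log, Ansible prints the rendered command (with the password) in
# verbose runs and in the result of a failed task.
- name: Update docker registry credentials
  command: "update_docker_registry_auth.sh 'sysinv' '{{ users['sysinv'] }}'"
  no_log: true

# Capture a timestamp that the validation script below uses to check that the
# keystone password change is newer than this point in time.
- name: Get current time before update password
  # TODO(yuxing) The 'openstack user set' may fail to update password in
  # keystone database. Further, if we move it in a shell script and invoke the
  # script remotely, the ansible will fail to access the remote keystone
  # endpoint for authentication. Need to remove this workaround if we can
  # address either of these two problems.
  shell: START_TIME=$(date +%s); echo $START_TIME
  register: current_time_result

# Sets each service user's keystone password and then runs the validation
# script; the task is retried (until rc == 0) because 'openstack user set'
# can return success without the database actually being updated (see TODO).
- name: Update keystone passwords
  # There's special characters in password, wrap the passwords with single quotes
  # NOTE(review): $'...' is bash ANSI-C quoting, so a backslash or a single
  # quote inside the password would be interpreted or terminate the argument;
  # confirm the password generator never produces those characters.
  shell: >-
    source /etc/platform/openrc;
    openstack user set {{ item.name }} --password $'{{ item.password }}';
    {{ validate_keystone_passwords_script }} {{ item.name }} {{ current_time_result.stdout }}
  with_items:
    - { name: 'sysinv', password: "{{ users['sysinv'] }}" }
    - { name: 'patching', password: "{{ users['patching'] }}" }
    - { name: 'smapi', password: "{{ users['smapi'] }}" }
    - { name: 'mtce', password: "{{ users['mtce'] }}" }
    - { name: 'dcmanager', password: "{{ users['dcmanager'] }}" }
    - { name: 'barbican', password: "{{ users['barbican'] }}" }
  register: migrate_keystone_password_result
  until: migrate_keystone_password_result.rc == 0
  retries: 3
  delay: 20
  no_log: true

# Rewrites the password lines in the release-specific secure hieradata. Each
# regexp is anchored only at the start of the line, so it also matches any key
# that merely begins with the same text; this assumes no such longer keys exist
# in secure_static.yaml. The !!python/unicode tag is reproduced verbatim to
# match the format already used in that file — do not drop it without checking
# its consumer. If a key is absent, lineinfile appends the line at end of file.
- name: Update services' passwords in hieradata
  lineinfile:
    path: "/opt/platform/puppet/{{ software_version }}/hieradata/secure_static.yaml"
    regexp: "{{ item.From }}"
    line: "{{ item.To }}"
  with_items:
    - { From: "^dcmanager::api::keystone_password",
        To: "dcmanager::api::keystone_password: !!python/unicode '{{ users['dcmanager'] }}'" }
    - { From: "^dcmanager::keystone::auth::password",
        To: "dcmanager::keystone::auth::password: !!python/unicode '{{ users['dcmanager'] }}'" }
    - { From: "^dcorch::api_proxy::dcmanager_keystone_password",
        To: "dcorch::api_proxy::dcmanager_keystone_password: !!python/unicode '{{ users['dcmanager'] }}'" }
    - { From: "^patching::api::keystone_password",
        To: "patching::api::keystone_password: !!python/unicode '{{ users['patching'] }}'" }
    - { From: "^patching::keystone::auth::password",
        To: "patching::keystone::auth::password: !!python/unicode '{{ users['patching'] }}'" }
    - { From: "^patching::keystone::authtoken::password",
        To: "patching::keystone::authtoken::password: !!python/unicode '{{ users['patching'] }}'" }
    - { From: "^platform::mtce::params::auth_pw",
        To: "platform::mtce::params::auth_pw: !!python/unicode '{{ users['mtce'] }}'" }
    - { From: "^platform::smapi::params::keystone_password",
        To: "platform::smapi::params::keystone_password: !!python/unicode '{{ users['smapi'] }}'" }
    - { From: "^smapi::auth::auth_password",
        To: "smapi::auth::auth_password: !!python/unicode '{{ users['smapi'] }}'" }
    - { From: "^smapi::keystone::auth::password",
        To: "smapi::keystone::auth::password: !!python/unicode '{{ users['smapi'] }}'" }
    - { From: "^smapi::keystone::authtoken::password",
        To: "smapi::keystone::authtoken::password: !!python/unicode '{{ users['smapi'] }}'" }
    - { From: "^sysinv::api::keystone_password",
        To: "sysinv::api::keystone_password: !!python/unicode '{{ users['sysinv'] }}'" }
    - { From: "^sysinv::certmon::local_keystone_password",
        To: "sysinv::certmon::local_keystone_password: !!python/unicode '{{ users['sysinv'] }}'" }
    - { From: "^sysinv::keystone::auth::password",
        To: "sysinv::keystone::auth::password: !!python/unicode '{{ users['sysinv'] }}'" }
    - { From: "^barbican::keystone::auth::password",
        To: "barbican::keystone::auth::password: !!python/unicode '{{ users['barbican'] }}'" }
    - { From: "^barbican::keystone::authtoken::password",
        To: "barbican::keystone::authtoken::password: !!python/unicode '{{ users['barbican'] }}'" }
  no_log: true

# Stores each service password in the release-specific keyring. script_content
# is rendered by Jinja before it runs, so the password ends up embedded as a
# Python string literal; a password containing a double quote or a backslash
# would break that literal — TODO confirm the generator excludes them.
# XDG_DATA_HOME is pointed at the per-release keyring directory for the call
# and restored afterwards.
- name: Store service passwords in keyring
  vars:
    script_content: |
      import keyring
      import os
      os.environ['XDG_DATA_HOME'] = "/opt/platform/.keyring/{{ software_version }}"
      keyring.set_password("{{ item.username }}", "services", "{{ item.password }}")
      del os.environ['XDG_DATA_HOME']
  shell: "{{ script_content }}"
  with_items:
    - { username: 'sysinv', password: "{{ users['sysinv'] }}" }
    - { username: 'patching', password: "{{ users['patching'] }}" }
    - { username: 'mtce', password: "{{ users['mtce'] }}" }
    - { username: 'smapi', password: "{{ users['smapi'] }}" }
    - { username: 'dcmanager', password: "{{ users['dcmanager'] }}" }
    - { username: 'barbican', password: "{{ users['barbican'] }}" }
  args:
    executable: /usr/bin/python
  no_log: true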