diff --git a/ansible/roles/keystone/tasks/precheck.yml b/ansible/roles/keystone/tasks/precheck.yml
index 633c3fc70a..1ca2f0a6f3 100644
--- a/ansible/roles/keystone/tasks/precheck.yml
+++ b/ansible/roles/keystone/tasks/precheck.yml
@@ -49,12 +49,23 @@
 - keystone_ssh.enabled | bool
 - inventory_hostname in groups['keystone']
-- name: Checking fernet_token_expiry in globals.yml. Update fernet_token_expiry to allowed value if this task fails
+- name: Checking fernet_token_expiry
 run_once: true
- command:
- cmd: awk '/^fernet_token_expiry/ { print $2 }' "{{ node_config }}/globals.yml"
- delegate_to: localhost
- register: result
- changed_when: false
- failed_when:
- - result.stdout | regex_replace('(60|120|180|240|300|360|600|720|900|1200|1800|3600|7200|10800|14400|21600|28800|43200|86400|604800)', '') is search(".+")
+ assert:
+ that:
+ - fernet_token_expiry is number
+ # Check that it is not a floating point number
+ - fernet_token_expiry | int == fernet_token_expiry
+ - fernet_token_expiry >= 0
+ # NOTE(wszumski): fernet_rotate_cron_generator.py doesn't support a span
+ # greater than a week.
+ - fernet_token_expiry <= 604800
+ msg: >-
+ fernet_token_expiry must be an integer up to and including 604800. You can
+ set this in `globals.yml`. The value represents the time period, in
+ seconds, at which to rotate the fernet keys. Suggested values are: 60,
+ 120, 240, 480, 720, 1440, 3600, 7200, 10800, 14400, 21600, 43200, 60480,
+ 120960, 151200, 201600, 302400, 604800. These values ensure an evenly-spaced
+ run schedule as they divide 7 days without remainder.
+ when:
+ - keystone_token_provider == 'fernet'
diff --git a/releasenotes/notes/fix-fernet-pre-check-5efbdfe43a2776e3.yaml b/releasenotes/notes/fix-fernet-pre-check-5efbdfe43a2776e3.yaml
new file mode 100644
index 0000000000..35c3066633
--- /dev/null
+++ b/releasenotes/notes/fix-fernet-pre-check-5efbdfe43a2776e3.yaml
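Review bot: The new `that:` list still lets a boolean through, because in Jinja2 `true is number` holds (bool is an int subclass) and `true | int == true` is also true, so a value such as `fernet_token_expiry: yes` in globals.yml satisfies all four assertions and reaches the cron generator as a boolean rather than a rotation period; a stricter type check like `- fernet_token_expiry | type_debug == 'int'` would close that gap and could replace the separate float comparison. The lower bound `- fernet_token_expiry >= 0` also admits 0, which looks unintended for a key-rotation interval — if the generator cannot handle a zero span this should read `- fernet_token_expiry > 0`, but the hunk does not show how the value is consumed, so that needs confirming. The task whose `when:` list supplies the two leading context lines starts outside the hunk.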
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ Fixes an issue where ``fernet_token_expiry`` would fail the pre-checks
+ despite being set to a valid value. Please see `bug 1856021
+ `_ for more details.