09e29d0db9
When running deploy or reconfigure for Keystone, ansible/roles/keystone/tasks/deploy.yml calls init_fernet.yml, which runs /usr/bin/fernet-rotate.sh, which calls keystone-manage fernet_rotate. This means that a token can become invalid if the operator runs deploy or reconfigure too often. This change splits out fernet-push.sh from the fernet-rotate.sh script, then calls fernet-push.sh after the fernet bootstrap performed in deploy. Change-Id: I824857ddfb1dd026f93994a4ac8db8f80e64072e Closes-Bug: #1833729
55 lines
1.9 KiB
Django/Jinja
55 lines
1.9 KiB
Django/Jinja
{% set cron_cmd = 'cron -f' if kolla_base_distro in ['ubuntu', 'debian'] else 'crond -s -n' %}
|
|
{% set cron_path = '/var/spool/cron/crontabs/root/fernet-cron' if kolla_base_distro in ['ubuntu', 'debian'] else '/var/spool/cron/root' %}
|
|
{
|
|
"command": "{{ cron_cmd }}",
|
|
"config_files": [{
|
|
"source": "{{ container_config_directory }}/keystone.conf",
|
|
"dest": "/etc/keystone/keystone.conf",
|
|
"owner": "keystone",
|
|
"perm": "0600"
|
|
},
|
|
{
|
|
"source": "{{ container_config_directory }}/crontab",
|
|
"dest": "{{ cron_path }}",
|
|
"owner": "root",
|
|
"perm": "0600"
|
|
},
|
|
{
|
|
"source": "{{ container_config_directory }}/fernet-rotate.sh",
|
|
"dest": "/usr/bin/fernet-rotate.sh",
|
|
"owner": "root",
|
|
"perm": "0755"
|
|
},
|
|
{
|
|
"source": "{{ container_config_directory }}/fernet-node-sync.sh",
|
|
"dest": "/usr/bin/fernet-node-sync.sh",
|
|
"owner": "root",
|
|
"perm": "0755"
|
|
},
|
|
{
|
|
"source": "{{ container_config_directory }}/fernet-push.sh",
|
|
"dest": "/usr/bin/fernet-push.sh",
|
|
"owner": "root",
|
|
"perm": "0755"
|
|
},
|
|
{
|
|
"source": "{{ container_config_directory }}/ssh_config",
|
|
"dest": "/var/lib/keystone/.ssh/config",
|
|
"owner": "keystone",
|
|
"perm": "0600"
|
|
},
|
|
{
|
|
"source": "{{ container_config_directory }}/id_rsa",
|
|
"dest": "/var/lib/keystone/.ssh/id_rsa",
|
|
"owner": "keystone",
|
|
"perm": "0600"
|
|
}{% if keystone_policy_file is defined %},
|
|
{
|
|
"source": "{{ container_config_directory }}/{{ keystone_policy_file }}",
|
|
"dest": "/etc/keystone/{{ keystone_policy_file }}",
|
|
"owner": "keystone",
|
|
"perm": "0600"
|
|
}{% endif %}
|
|
]
|
|
}
|