09e29d0db9
When running deploy or reconfigure for Keystone, ansible/roles/keystone/tasks/deploy.yml calls init_fernet.yml, which runs /usr/bin/fernet-rotate.sh, which calls keystone-manage fernet_rotate. This means that a token can become invalid if the operator runs deploy or reconfigure too often. This change splits out fernet-push.sh from the fernet-rotate.sh script, then calls fernet-push.sh after the fernet bootstrap performed in deploy. Change-Id: I824857ddfb1dd026f93994a4ac8db8f80e64072e Closes-Bug: #1833729
28 lines
1018 B
YAML
28 lines
1018 B
YAML
---
|
|
- name: Waiting for Keystone SSH port to be UP
|
|
wait_for:
|
|
host: "{{ api_interface_address }}"
|
|
port: "{{ keystone_ssh_port }}"
|
|
connect_timeout: 1
|
|
register: check_keystone_ssh_port
|
|
until: check_keystone_ssh_port is success
|
|
retries: 10
|
|
delay: 5
|
|
|
|
- name: Initialise fernet key authentication
|
|
become: true
|
|
command: "docker exec -t keystone_fernet kolla_keystone_bootstrap {{ keystone_username }} {{ keystone_groupname }}"
|
|
register: fernet_create
|
|
changed_when: fernet_create.stdout.find('localhost | SUCCESS => ') != -1 and (fernet_create.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed
|
|
until: fernet_create.stdout.split()[2] == 'SUCCESS' or fernet_create.stdout.find('Key repository is already initialized') != -1
|
|
retries: 10
|
|
delay: 5
|
|
run_once: True
|
|
delegate_to: "{{ groups['keystone'][0] }}"
|
|
|
|
- name: Run key distribution
|
|
become: true
|
|
command: docker exec -t keystone_fernet /usr/bin/fernet-push.sh
|
|
run_once: True
|
|
delegate_to: "{{ groups['keystone'][0] }}"
|