From a782b6157a8cef316a8bacef569ba3c390df1619 Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Thu, 4 Apr 2024 22:38:43 +0200
Subject: [PATCH] Fix permissions for SSH private key for Ubuntu distro installations
Due to weird postinst logic of keystone-common package permissions for SSH private key that is used for fernet rotation are reset to 0640 which prevents SSH from further functioning. We add post-package installation task that will ensure private key permissions for Ubuntu distro installations specifically.
Change-Id: I1ebee33e3cf52cc0a9c474423a4fd5fa7f1cbe81
---
 tasks/keystone_install.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/tasks/keystone_install.yml b/tasks/keystone_install.yml
index c3214119..18cae5d8 100644
--- a/tasks/keystone_install.yml
+++ b/tasks/keystone_install.yml
@@ -113,6 +113,17 @@
 value: "{{ keystone_venv_tag }}"
 mode: "0644"
 
+ # NOTE(noonedeadpunk): Ubuntu packages does recursively chmod all files
+ # for keystone user $HOME:
+ # https://bugs.launchpad.net/cloud-archive/+bug/2060235
+ - name: Ensure SSH keys has right permissions
+ file:
+ path: "{{ keystone_system_user_home }}/.ssh/id_rsa"
+ mode: "0600"
+ when:
+ - install_packages is changed
+ - ansible_facts['distribution'] | lower == 'ubuntu'
+
 - name: Initialise the upgrade facts
 ini_file:
 dest: "/etc/ansible/facts.d/openstack_ansible.fact"
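Review bot: The `when:` list on the new task gates the permission fix on `install_packages is changed`, so `id_rsa` is only corrected in the same run that installs or upgrades packages. If the package postinst runs outside this play (an unattended upgrade, a manual apt run), or the play stops before this task, the key stays at 0640, group-readable and unusable for SSH, until the next package change. The `file` task is idempotent, so dropping `- install_packages is changed` and keeping only the distribution check would enforce 0600 on every run. The task asserts only `mode`; setting `owner` and `group` to the keystone system user in the same task would be cheap extra hardening. Two things to confirm against the rest of the role, which is outside this hunk: the commit message scopes the fix to distro installations but the condition tests only `ansible_facts['distribution']`, and `file` without `state` presumably fails if the key has not been generated yet at this point.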