openstack-ansible-os_keystone/tasks/keystone_credential_create.yml
Kevin Carter 56eadbfa76 Set the user argument in the cron module
This change sets the user argument in the cron module which is
required in future versions of ansible when the cron_file argument
is also used.

Filter deprecations for skipped items have also been fixed.

Change-Id: I803cd3c62707880e873662ea86590274b2766d21
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2019-02-22 02:12:23 +00:00

102 lines
3.8 KiB
YAML

---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Check if credential keys already exist
stat:
path: "{{ keystone_credential_key_repository }}/0"
register: _credential_keys
- name: Check for credential keys on all Keystone containers
find:
paths: "{{ keystone_credential_key_repository }}"
patterns: "^[0-9]+$"
use_regex: True
when: not _credential_keys.stat.exists
register: credential_key_list
delegate_to: "{{ item }}"
with_items: "{{ groups['keystone_all'] }}"
- name: Aggregate the collected file lists
set_fact:
existing_credential_keys: >-
{% set _var = [] -%}
{% for result in credential_key_list.results -%}
{% if result.files is defined -%}
{% for file in result.files -%}
{% if _var.append({'host': result.item, 'file': file.path}) -%}{% endif -%}
{% endfor -%}
{% endif -%}
{% endfor -%}
{{ _var }}
when: not credential_key_list is skipped
- name: Collect the existing keys from containers
slurp:
src: "{{ item.file }}"
delegate_to: "{{ item.host }}"
with_items: "{{ existing_credential_keys }}"
register: collected_existing_credential_keys
when: existing_credential_keys is defined
- name: Ensure the target directory exists on the master Keystone container
file:
path: "{{ keystone_credential_key_repository }}"
state: directory
owner: "{{ keystone_system_user_name }}"
group: "{{ keystone_system_group_name }}"
mode: "0700"
when: not collected_existing_credential_keys is skipped
- name: Drop the existing credential keys in the master Keystone container
copy:
content: "{{ item.1 | b64decode }}"
dest: "{{ keystone_credential_key_repository }}/{{ item.0 }}"
owner: "{{ keystone_system_user_name }}"
group: "{{ keystone_system_group_name }}"
mode: "0600"
when: not collected_existing_credential_keys is skipped
register: drop_existing_credential_keys
with_indexed_items: "{{ collected_existing_credential_keys.results | map(attribute='content') | list | unique }}"
- name: Create credential keys for Keystone
command: >
{{ keystone_bin }}/keystone-manage credential_setup
--keystone-user "{{ keystone_system_user_name }}"
--keystone-group "{{ keystone_system_group_name }}"
become: yes
become_user: "{{ keystone_system_user_name }}"
register: create_credential_keys
when:
- not _credential_keys.stat.exists
- not drop_existing_credential_keys is changed
- name: Ensure newest key is used for credential in Keystone
command: >
{{ keystone_bin }}/keystone-manage credential_migrate
--keystone-user "{{ keystone_system_user_name }}"
--keystone-group "{{ keystone_system_group_name }}"
become: yes
become_user: "{{ keystone_system_user_name }}"
when: create_credential_keys is skipped
- name: Rotate credential keys for Keystone
command: >
{{ keystone_bin }}/keystone-manage credential_rotate
--keystone-user "{{ keystone_system_user_name }}"
--keystone-group "{{ keystone_system_group_name }}"
become: yes
become_user: "{{ keystone_system_user_name }}"
when: create_credential_keys is skipped