Skip cred-key setup when keys already exist

This change adds a conditional to the _fernet_setup to avoid
overwriting credential-keys when keystone-manage credential-setup
is run and there are already existing credential keys. This will
mitigate issues where encrypted credential blobs in keystone were
becoming un-decryptable when the credential keys were being
overridden or lost upon upgrading.

Change-Id: Iac2b080d5d44bdf07534126419a1d5dd86055d6b
Gage Hugo 2019-04-26 11:12:48 -05:00
parent 0f459ecfee
commit 3b14e77d2a

@ -155,6 +155,11 @@ def main():
FERNET_DIR) FERNET_DIR)
write_to_files(secret['data']) write_to_files(secret['data'])
if args.command == 'credential_setup':
if secret.get('data', False):
LOG.info('Credential keys already exist, skipping setup...')
sys.exit(0)
execute_command(args.command) execute_command(args.command)
LOG.info("Updating data for '%s' secret.", SECRET_NAME) LOG.info("Updating data for '%s' secret.", SECRET_NAME)
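
Review bot: The added `if secret.get('data', False):` check in the `credential_setup` branch treats any non-empty `data` as a valid set of credential keys and exits 0, so a secret that holds partial or empty-valued entries would skip setup and leave keystone without usable keys. Consider checking that the expected key entries are present and non-empty before skipping, and logging which secret (`SECRET_NAME`) was found so the skip is auditable. The line just above reads `secret['data']` by subscript while the new check uses `.get('data', False)`; use one form consistently so it is clear whether a missing `data` key is an expected state. The hunk calls `sys.exit(0)` but shows no import, so confirm `sys` is imported in this module. The commit message says the conditional is added to `_fernet_setup`, while the hunk header places it in `main()`; the message should name the function actually changed.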