Skip cred-key setup when keys already exist
This change adds a conditional to the _fernet_setup to avoid overwriting credential-keys when keystone-manage credential-setup is run and credential keys already exist. This will mitigate issues where encrypted credential blobs in keystone became un-decryptable because the credential keys were overridden or lost on upgrade. Change-Id: Iac2b080d5d44bdf07534126419a1d5dd86055d6b
parent
0f459ecfee
commit
3b14e77d2a
@ -155,6 +155,11 @@ def main():
|
|||||||
FERNET_DIR)
|
FERNET_DIR)
|
||||||
write_to_files(secret['data'])
|
write_to_files(secret['data'])
|
||||||
|
|
||||||
|
if args.command == 'credential_setup':
|
||||||
|
if secret.get('data', False):
|
||||||
|
LOG.info('Credential keys already exist, skipping setup...')
|
||||||
|
sys.exit(0)
|
||||||
|
|
||||||
execute_command(args.command)
|
execute_command(args.command)
|
||||||
|
|
||||||
LOG.info("Updating data for '%s' secret.", SECRET_NAME)
|
LOG.info("Updating data for '%s' secret.", SECRET_NAME)
|
||||||
|
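Review bot: The new guard `if secret.get('data', False):` treats any non-empty `data` as "credential keys already exist", so a secret that was only partially populated (for example, missing the primary key entry) would make every later `credential_setup` run exit 0 without repairing it. Consider checking for the expected key entries before skipping. The skip message should also name the secret for auditability, as the later "Updating data" message does: `LOG.info("Credential keys already exist in '%s' secret, skipping setup.", SECRET_NAME)`. The read of `secret` and the later update are separate steps as far as this hunk shows, so two setup jobs starting against an empty secret could presumably still both generate keys, with the last writer winning; whether the update path guards against that is not visible here. A comment above the guard would help, such as `# Never regenerate credential keys: existing encrypted credentials would become undecryptable.` The rest of `main()` lies outside the hunk.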