Merge "Prevent overwriting existing Keystone Fernet keys"
This commit is contained in:
commit
02ba8bb847
@ -6,10 +6,28 @@
|
|||||||
- keystone_fernet
|
- keystone_fernet
|
||||||
register: container_facts
|
register: container_facts
|
||||||
|
|
||||||
|
# FIXME(mgoddard): This does not catch some cases we might consider
|
||||||
|
# bootstrapped:
|
||||||
|
# * the keystone_fernet container is created but not running
|
||||||
|
# * the keystone_fernet volume exists but no container
|
||||||
|
# Probably what we care about is the existence of Fernet key 0.
|
||||||
- name: Group nodes where keystone_fernet is running
|
- name: Group nodes where keystone_fernet is running
|
||||||
group_by:
|
group_by:
|
||||||
key: keystone_fernet_{{ container_facts['keystone_fernet'].State | default('bootstrap') }}
|
key: keystone_fernet_{{ container_facts['keystone_fernet'].State | default('bootstrap') }}
|
||||||
|
|
||||||
|
# NOTE(mgoddard): If we bootstrap Fernet keys on an existing cluster, this
|
||||||
|
# would overwrite existing keys, and invalidate tokens created from them.
|
||||||
|
- name: Fail if any hosts need bootstrapping and not all hosts targeted
|
||||||
|
fail:
|
||||||
|
msg: >
|
||||||
|
Some hosts ({{ groups['keystone_fernet_bootstrap'] | join(', ') }}) need
|
||||||
|
Fernet key bootstrapping, but not all Keystone hosts are in the target
|
||||||
|
list. Stopping as it may be unsafe to proceed. Please run without --limit
|
||||||
|
or --serial to bootstrap these hosts.
|
||||||
|
when:
|
||||||
|
- groups['keystone_fernet_running'] is not defined
|
||||||
|
- groups['keystone'] | difference(ansible_play_batch) | list | length > 0
|
||||||
|
|
||||||
- name: Running Keystone bootstrap container
|
- name: Running Keystone bootstrap container
|
||||||
vars:
|
vars:
|
||||||
keystone: "{{ keystone_services.keystone }}"
|
keystone: "{{ keystone_services.keystone }}"
|
||||||
|
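Review bot: The fail message references `groups['keystone_fernet_bootstrap']` unconditionally, but the group_by key is `keystone_fernet_<State>`, so a host whose container exists but is not running (the exited/created cases the FIXME above already names) lands in a group such as keystone_fernet_exited and the bootstrap group may be undefined; the task would then still fail, but with a templating error on an undefined variable instead of the intended message. Guarding the lookup keeps the failure readable: `Some hosts ({{ groups['keystone_fernet_bootstrap'] | default([]) | join(', ') }}) need`. As a point of style, `msg: >` keeps a trailing newline; `msg: >-` gives the same single-line message without it. The task that registers container_facts (first lines of the hunk) starts outside the hunk.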
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
Prevents adding a new Keystone host to an existing cluster when not
|
||||||
|
targeting all Keystone hosts (e.g. due to ``--limit`` or ``--serial``
|
||||||
|
arguments), to avoid overwriting existing Fernet keys. `LP#1891364
|
||||||
|
<https://bugs.launchpad.net/kolla-ansible/+bug/1891364>`__
|