Execution
Date
14 Dec 2025 10:21:40 +0000
Duration
00:43:55.98
Controller
aio1.openstack.local
User
root
Versions
Ansible
2.18.6
ara
1.7.4 / 1.7.4
Python
3.13.5
Summary
13
Hosts
2438
Tasks
2413
Results
107
Plays
511
Files
0
Records
File: /home/zuul/src/opendev.org/openstack/openstack-ansible-os_keystone/tasks/keystone_credential_create.yml
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 | --- # Copyright 2016, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - name: Check if credential keys already exist ansible.builtin.stat: path: "{{ keystone_credential_key_repository }}/0" register: _credential_keys - name: Check for credential keys on all Keystone containers ansible.builtin.find: paths: "{{ keystone_credential_key_repository }}" patterns: "^[0-9]+$" use_regex: true when: not _credential_keys.stat.exists register: credential_key_list delegate_to: "{{ item }}" with_items: "{{ groups['keystone_all'] }}" - name: Aggregate the collected file lists ansible.builtin.set_fact: existing_credential_keys: >- {% set _var = [] -%} {% for result in credential_key_list.results -%} {% if result.files is defined -%} {% for file in result.files -%} {% if _var.append({'host': result.item, 'file': file.path}) -%}{% endif -%} {% endfor -%} {% endif -%} {% endfor -%} {{ _var }} when: not credential_key_list is skipped - name: Collect the existing keys from containers ansible.builtin.slurp: src: "{{ item.file }}" delegate_to: "{{ item.host }}" with_items: "{{ existing_credential_keys }}" register: collected_existing_credential_keys when: existing_credential_keys is defined - name: Ensure the target directory exists on the master Keystone container ansible.builtin.file: path: "{{ keystone_credential_key_repository }}" state: directory owner: "{{ keystone_system_user_name }}" group: "{{ keystone_system_group_name }}" mode: "0700" when: not collected_existing_credential_keys is skipped - name: Drop the existing credential keys in the master Keystone container ansible.builtin.copy: content: "{{ item.1 | b64decode }}" dest: "{{ keystone_credential_key_repository }}/{{ item.0 }}" owner: "{{ keystone_system_user_name }}" group: "{{ keystone_system_group_name }}" mode: "0600" when: not collected_existing_credential_keys is skipped register: drop_existing_credential_keys with_indexed_items: "{{ collected_existing_credential_keys.results | map(attribute='content') | list | unique }}" - name: Create credential keys for Keystone # noqa: no-changed-when ansible.builtin.command: > {{ keystone_bin }}/keystone-manage credential_setup --keystone-user "{{ keystone_system_user_name }}" --keystone-group "{{ keystone_system_group_name }}" become: true become_user: "{{ keystone_system_user_name }}" register: create_credential_keys when: - not _credential_keys.stat.exists - not drop_existing_credential_keys is changed - name: Perform rotation and migration of credential keys when: create_credential_keys is skipped block: - name: Rotate credential keys for Keystone # noqa: no-changed-when ansible.builtin.command: > {{ keystone_bin }}/keystone-manage credential_rotate --keystone-user "{{ keystone_system_user_name }}" --keystone-group "{{ keystone_system_group_name }}" become: true become_user: "{{ keystone_system_user_name }}" # credential_rotate might fail in case any credential is not using current private key # so in case it fails, we need to try perform the migraton and attempt rotation after that rescue: - name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when ansible.builtin.command: > {{ keystone_bin }}/keystone-manage credential_migrate --keystone-user "{{ keystone_system_user_name }}" --keystone-group "{{ keystone_system_group_name }}" become: true become_user: "{{ keystone_system_user_name }}" - name: Rotate credential keys for Keystone # noqa: no-changed-when ansible.builtin.command: > {{ keystone_bin }}/keystone-manage credential_rotate --keystone-user "{{ keystone_system_user_name }}" --keystone-group "{{ keystone_system_group_name }}" become: true become_user: "{{ keystone_system_user_name }}" always: # Let's run migration at the end anyway, as we need it after successfull rotation. - name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when ansible.builtin.command: > {{ keystone_bin }}/keystone-manage credential_migrate --keystone-user "{{ keystone_system_user_name }}" --keystone-group "{{ keystone_system_group_name }}" become: true become_user: "{{ keystone_system_user_name }}" |