{"id":851,"sha1":"ad9e711670bc160575c8ed23b7027e28da73731e","playbook":{"id":4,"items":{"plays":32,"tasks":1505,"results":1497,"hosts":12,"files":487,"records":0},"arguments":{"version":null,"verbosity":0,"private_key_file":null,"remote_user":null,"connection":"openstack.osa.ssh","timeout":null,"ssh_common_args":null,"sftp_extra_args":null,"scp_extra_args":null,"ssh_extra_args":null,"ask_pass":false,"connection_password_file":null,"force_handlers":true,"flush_cache":false,"become":false,"become_method":"sudo","become_user":null,"become_ask_pass":false,"become_password_file":null,"tags":["all"],"skip_tags":[],"check":false,"diff":false,"inventory":["/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/dynamic_inventory.py","/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/inventory.ini","/etc/openstack_deploy/inventory.ini"],"listhosts":false,"subset":null,"extra_vars":"Not saved by ARA as configured by 'ignored_arguments'","vault_ids":[],"ask_vault_pass":false,"vault_password_files":[],"forks":4,"module_path":null,"syntax":false,"listtasks":false,"listtags":false,"step":false,"start_at_task":null,"args":["setup-openstack.yml"]},"labels":[{"id":1,"name":"check:False"},{"id":2,"name":"tags:all"}],"started":"2025-12-08T13:57:07.871967Z","ended":"2025-12-08T14:21:54.049657Z","duration":"00:24:46.177690","name":null,"ansible_version":"2.18.6","client_version":"1.7.4","python_version":"3.12.11","server_version":"1.7.4","status":"failed","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-openstack.yml","controller":"aio1.openstack.local","user":"root"},"content":"---\n# Copyright 2016, Rackspace US, Inc.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n- name: Check if credential keys already exist\n  ansible.builtin.stat:\n    path: \"{{ keystone_credential_key_repository }}/0\"\n  register: _credential_keys\n\n- name: Check for credential keys on all Keystone containers\n  ansible.builtin.find:\n    paths: \"{{ keystone_credential_key_repository }}\"\n    patterns: \"^[0-9]+$\"\n    use_regex: true\n  when: not _credential_keys.stat.exists\n  register: credential_key_list\n  delegate_to: \"{{ item }}\"\n  with_items: \"{{ groups['keystone_all'] }}\"\n\n- name: Aggregate the collected file lists\n  ansible.builtin.set_fact:\n    existing_credential_keys: >-\n      {% set _var = [] -%}\n      {% for result in credential_key_list.results -%}\n      {%   if result.files is defined -%}\n      {%     for file in result.files -%}\n      {%       if _var.append({'host': result.item, 'file': file.path}) -%}{% endif -%}\n      {%     endfor -%}\n      {%   endif -%}\n      {% endfor -%}\n      {{ _var }}\n  when: not credential_key_list is skipped\n\n- name: Collect the existing keys from containers\n  ansible.builtin.slurp:\n    src: \"{{ item.file }}\"\n  delegate_to: \"{{ item.host }}\"\n  with_items: \"{{ existing_credential_keys }}\"\n  register: collected_existing_credential_keys\n  when: existing_credential_keys is defined\n\n- name: Ensure the target directory exists on the master Keystone container\n  ansible.builtin.file:\n    path: \"{{ keystone_credential_key_repository }}\"\n    state: directory\n    owner: \"{{ keystone_system_user_name }}\"\n    group: \"{{ keystone_system_group_name }}\"\n    mode: \"0700\"\n  when: not collected_existing_credential_keys is skipped\n\n- name: Drop the existing credential keys in the master Keystone container\n  ansible.builtin.copy:\n    content: \"{{ item.1 | b64decode }}\"\n    dest: \"{{ keystone_credential_key_repository }}/{{ item.0 }}\"\n    owner: \"{{ keystone_system_user_name }}\"\n    group: \"{{ keystone_system_group_name }}\"\n    mode: \"0600\"\n  when: not collected_existing_credential_keys is skipped\n  register: drop_existing_credential_keys\n  with_indexed_items: \"{{ collected_existing_credential_keys.results | map(attribute='content') | list | unique }}\"\n\n- name: Create credential keys for Keystone # noqa: no-changed-when\n  ansible.builtin.command: >\n    {{ keystone_bin }}/keystone-manage credential_setup\n                                       --keystone-user \"{{ keystone_system_user_name }}\"\n                                       --keystone-group \"{{ keystone_system_group_name }}\"\n  become: true\n  become_user: \"{{ keystone_system_user_name }}\"\n  register: create_credential_keys\n  when:\n    - not _credential_keys.stat.exists\n    - not drop_existing_credential_keys is changed\n\n- name: Perform rotation and migration of credential keys\n  when: create_credential_keys is skipped\n  block:\n    - name: Rotate credential keys for Keystone # noqa: no-changed-when\n      ansible.builtin.command: >\n        {{ keystone_bin }}/keystone-manage credential_rotate\n                                          --keystone-user \"{{ keystone_system_user_name }}\"\n                                          --keystone-group \"{{ keystone_system_group_name }}\"\n      become: true\n      become_user: \"{{ keystone_system_user_name }}\"\n  # credential_rotate might fail in case any credential is not using current private key\n  # so in case it fails, we need to try perform the migraton and attempt rotation after that\n  rescue:\n    - name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when\n      ansible.builtin.command: >\n        {{ keystone_bin }}/keystone-manage credential_migrate\n                                          --keystone-user \"{{ keystone_system_user_name }}\"\n                                          --keystone-group \"{{ keystone_system_group_name }}\"\n      become: true\n      become_user: \"{{ keystone_system_user_name }}\"\n\n    - name: Rotate credential keys for Keystone # noqa: no-changed-when\n      ansible.builtin.command: >\n        {{ keystone_bin }}/keystone-manage credential_rotate\n                                          --keystone-user \"{{ keystone_system_user_name }}\"\n                                          --keystone-group \"{{ keystone_system_group_name }}\"\n      become: true\n      become_user: \"{{ keystone_system_user_name }}\"\n  always:\n    # Let's run migration at the end anyway, as we need it after successfull rotation.\n    - name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when\n      ansible.builtin.command: >\n        {{ keystone_bin }}/keystone-manage credential_migrate\n                                          --keystone-user \"{{ keystone_system_user_name }}\"\n                                          --keystone-group \"{{ keystone_system_group_name }}\"\n      become: true\n      become_user: \"{{ keystone_system_user_name }}\"\n","created":"2025-12-08T14:00:03.821361Z","updated":"2025-12-08T14:00:03.821374Z","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible-os_keystone/tasks/keystone_credential_create.yml"}