Reviewed: https://review.opendev.org/667201
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_keystone/commit/?id=8fc9bbb88bf677ddbb5f2780e9ed2b7dcd668458
Submitter: Zuul
Branch: stable/stein
commit 8fc9bbb88bf677ddbb5f2780e9ed2b7dcd668458
Author: Jonathan Rosser <email address hidden>
Date: Wed Jun 19 20:17:02 2019 +0100
Fix loss of fernet and credential keys during Rocky to Stein upgrade
This applies only to source based installations.
The introduction of smart-sources in [1] created a code path
which deletes the /etc/keystone directory before symlinking it
into the keystone venv and creating the necessary config files.
Unfortunately this has the side effect of also deleting any fernet
and credential keys which pre-existed in the case of an upgrade from
Rocky. The original keys were deleted simultaneously across the whole
keystone_all group in a way which makes them unrecoverable in
the absence of a backup taken by the operator.
This change simplifies the smart-sources code to always keep the
keystone config files and fernet keys in the host /etc/keystone.
This ensures that the lifecycle of the fernet keys is not coupled
to the lifecycle of the keystone venvs.
In addition, a task is added to rescue any keys which have been
created in the keystone venv by installations from the Stein
release-candidate.
[1] https://review.opendev.org/#/c/588960/
Closes-Bug: 1833414
Change-Id: Ide611fd3d88e352367220f05dbcf4186ac20319f
(cherry picked from commit 8e1f7f4ad8918af9e467387144c7eede7f19f92a)