Comment 4 for bug 1833414

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-os_keystone (stable/stein)

Reviewed: https://review.opendev.org/667201
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_keystone/commit/?id=8fc9bbb88bf677ddbb5f2780e9ed2b7dcd668458
Submitter: Zuul
Branch: stable/stein

commit 8fc9bbb88bf677ddbb5f2780e9ed2b7dcd668458
Author: Jonathan Rosser <email address hidden>
Date: Wed Jun 19 20:17:02 2019 +0100

    Fix loss of fernet and credential keys during Rocky to Stein upgrade

    This applies only to source based installations.

    The introduction of smart-sources in [1] created a code path
    which deletes the /etc/keystone directory before symlinking it
    into the keystone venv and creating the necessary config files.

    Unfortunately this has the side effect of also deleting any fernet
    and credential keys which pre-existed in the case of an upgrade from
    Rocky. The original keys were deleted simultaneously across the whole
    keystone_all group in a way which makes them unrecoverable in
    the absence of a backup taken by the operator.

    This change simplifies the smart-sources code to always keep the
    keystone config files and fernet keys in the host /etc/keystone.
    This ensures that the lifecycle of the fernet keys is not coupled
    to the lifecycle of the keystone venvs.

    In addition, a task is added to rescue any keys which have been
    created in the keystone venv by installations from the Stein
    release-candidate.

    [1] https://review.opendev.org/#/c/588960/

    Closes-Bug: 1833414
    Change-Id: Ide611fd3d88e352367220f05dbcf4186ac20319f
    (cherry picked from commit 8e1f7f4ad8918af9e467387144c7eede7f19f92a)