Hi,
I finally got some time to work on this issue.
Looking at my sandbox right now, I think there're 2 different issues right now.
First one, which is obviously wrong, is regarding wrong permissions set for `openstack_dashboard/local/` folder. And this one I will fix right away.
The second part is regarding .secret_key_store specifically. This is actually a bit different. In a default template of user_secrets.yml we do have `horizon_secret_key` variable, which is expected to be populated during initial setup: https://opendev.org/openstack/openstack-ansible/src/branch/master/etc/openstack_deploy/user_secrets.yml#L136
This variable is then used to define the `SECRET_KEY` and ensures that such a key will be the same across all backends.
However, if the variable `horizon_secret_key` is not defined, the approach suggested by horizon will be used, which is to place .secret_key_store under LOCAL_PATH: https://docs.openstack.org/horizon/latest/configuration/settings.html#secret-key
Which is exactly what we are doing: https://opendev.org/openstack/openstack-ansible-os_horizon/src/commit/d4ef66fc028477709d6e4bd36a2bb39c957c3eae/templates/horizon_local_settings.py.j2#L140-L154
You should also be able to define any arbitrary path for the secret key by leveraging the `horizon_config_overrides` variable, for example:

    horizon_config_overrides:
      SECRET_KEY: secret_key.generate_or_read_from_file('/var/cache/.secret_key_store')

But for a multi-backend setup I'd suggest using `horizon_secret_key`, as the secret key should be the same across all workers.
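
The multi-backend point above, as an added example that is not part of the original comment or of the os_horizon role: a simplified HMAC-SHA256 signer stands in for Django's cookie signing to show a value signed on one backend being rejected on the others when each host holds its own key. The host names, the session value and the assumption that every backend generated its own `.secret_key_store` are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def sign(value: str, secret_key: str) -> str:
    """Return 'value:signature' (simplified stand-in for Django's signing)."""
    mac = hmac.new(secret_key.encode(), value.encode(), hashlib.sha256).hexdigest()
    return f"{value}:{mac}"


def verify(signed: str, secret_key: str) -> bool:
    """Constant-time signature check; False means the backend rejects the cookie."""
    value, _, mac = signed.rpartition(":")
    expected = hmac.new(secret_key.encode(), value.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def per_host_keys(hosts):
    # Assumed case: horizon_secret_key is undefined and every backend
    # generated its own .secret_key_store on first start.
    return {host: secrets.token_hex(32) for host in hosts}


def shared_key(hosts):
    # horizon_secret_key defined once and rendered onto every backend.
    key = secrets.token_hex(32)
    return {host: key for host in hosts}


def simulate(backend_keys, session_value="sessionid=constructed-example"):
    """Sign on the first backend, then verify on each backend a load
    balancer could route the next request to."""
    names = list(backend_keys)
    cookie = sign(session_value, backend_keys[names[0]])
    return {name: verify(cookie, backend_keys[name]) for name in names}


if __name__ == "__main__":
    hosts = ["horizon1", "horizon2", "horizon3"]  # constructed host names
    print("per-host keys:", simulate(per_host_keys(hosts)))
    print("shared key:   ", simulate(shared_key(hosts)))
```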