Keystone fernet token rotation only works with clouds named 'overcloud'

Bug #1742655 reported by Juan Antonio Osorio Robles
Bug heat: 6
This bug affects 1 person

Affects        Status         Importance  Assigned to
tripleo        Fix Released   High        Juan Antonio Osorio Robles
tripleo/pike   Fix Committed  High        Juan Antonio Osorio Robles

Bug Description

Originally filed by Ken Savich.

https://bugzilla.redhat.com/show_bug.cgi?id=1533271

Description of problem:

NOTE: my stack is named "sweatpants" here

Running the tripleo.fernet_keys.rotate_fernet_keys workflow from the undercloud as such:

openstack workflow execution create tripleo.fernet_keys.v1.rotate_fernet_keys '{"container": "sweatpants"}'

Will fail if your cloud is not named "overcloud"

Version-Release number of selected component (if applicable):

How reproducible:

100%

Steps to Reproduce:
1. Deploy a cloud named something other than "overcloud" (such as "sweatpants")
2. Try to rotate your fernet decrypt keys on the controllers with

openstack workflow execution create tripleo.fernet_keys.v1.rotate_fernet_keys '{"container": "sweatpants"}'

3. look at the output of the workflow after a minute or so

openstack workflow execution output show <workflow id>

Actual results:

Look at your fernet keys in the container from the controller node; notice that they haven't changed:

docker exec -ti keystone ls -l /etc/keystone/fernet-keys

Check the actual workflow output; you'll see something like the following:

{
    "status": "SUCCESS",
    "message": {
        "stderr": "\nPLAY [keystone] ****************************************************************\nskipping: no hosts matched\n\nPLAY RECAP *********************************************************************\n\n",
        "stdout": " [WARNING]: Could not match supplied host pattern, ignoring: keystone\n"
    }
}

The only way to get this working, is the following:

openstack workflow execution create tripleo.fernet_keys.v1.rotate_fernet_keys '{ "container": "sweatpants", "ansible_extra_env_variables": { "TRIPLEO_PLAN_NAME": "sweatpants", "ANSIBLE_HOST_KEY_CHECKING": "False" }}'

Note, additionally, that we have to pass the ANSIBLE_HOST_KEY_CHECKING variable because this gets overwritten by the workflow and isn't picked up if the plan name is the only variable passed into the workflow.

Expected results:

Expect to have rotated keys on all controller nodes
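Added example (my script, not code from the bug report or from tripleo-common): a POSIX shell wrapper that runs the rotation workflow with the plan name passed explicitly, as in the workaround above, and then checks that a rotation actually happened. It treats "no hosts matched" in the play output as a failure even when the workflow reports SUCCESS, and compares the highest fernet key index on each controller before and after, since keystone's fernet rotation always introduces a new, higher-numbered key. Assumed, not taken from the page: the controllers are reachable as heat-admin@<ip> from the undercloud with stackrc sourced, the container is named keystone as in the report, and the `-f value -c ID` / `-c State` output options of the mistral client commands.

```shell
#!/bin/sh
# Added example (not part of the bug report or of tripleo-common): drive the
# tripleo.fernet_keys.v1.rotate_fernet_keys workflow for a plan that is not
# called "overcloud" and verify that keys actually changed, rather than
# trusting the workflow's "status": "SUCCESS".
# Assumptions: run on the undercloud with stackrc sourced; controllers are
# reachable as "heat-admin@<ip>"; keystone runs in a container named
# "keystone" holding keys under /etc/keystone/fernet-keys.

# Build the workflow input JSON for a given plan/container name.  The
# TRIPLEO_PLAN_NAME and ANSIBLE_HOST_KEY_CHECKING extra variables are the
# workaround the report describes for tripleo-common releases before the fix.
build_workflow_input() {
    printf '{"container": "%s", "ansible_extra_env_variables": {"TRIPLEO_PLAN_NAME": "%s", "ANSIBLE_HOST_KEY_CHECKING": "False"}}' "$1" "$1"
}

# Return 0 only if the Ansible play in the workflow output reached hosts.
# The failing run reports "status": "SUCCESS" while stderr says
# "skipping: no hosts matched", so the status field alone is not evidence.
play_reached_hosts() {
    output="$1"
    if printf '%s' "$output" | grep -q 'no hosts matched'; then
        return 1
    fi
    if printf '%s' "$output" | grep -q 'Could not match supplied host pattern'; then
        return 1
    fi
    printf '%s' "$output" | grep -q '"status": "SUCCESS"'
}

# Highest numbered key file in a fernet key directory listing (one name per
# line).  Rotation always promotes the staging key to a new, higher index,
# so a listing whose maximum did not grow means no rotation happened.
highest_key_index() {
    printf '%s\n' "$1" | grep -E '^[0-9]+$' | sort -n | tail -n 1
}

# Fetch the key-file names from one controller (assumed ssh user/container).
list_controller_keys() {
    ssh -o StrictHostKeyChecking=no "heat-admin@$1" \
        sudo docker exec keystone ls /etc/keystone/fernet-keys
}

# Run the workflow for <plan> and verify every listed controller rotated.
rotate_and_verify() {
    plan="$1"; shift
    before=$(highest_key_index "$(list_controller_keys "$1")")
    exec_id=$(openstack workflow execution create -f value -c ID \
        tripleo.fernet_keys.v1.rotate_fernet_keys "$(build_workflow_input "$plan")")
    # Poll until the execution leaves RUNNING.
    while [ "$(openstack workflow execution show -f value -c State "$exec_id")" = "RUNNING" ]; do
        sleep 5
    done
    output=$(openstack workflow execution output show "$exec_id")
    if ! play_reached_hosts "$output"; then
        echo "rotation did not reach any keystone host:" >&2
        printf '%s\n' "$output" >&2
        return 1
    fi
    for ctl in "$@"; do
        after=$(highest_key_index "$(list_controller_keys "$ctl")")
        if [ "${after:-0}" -le "${before:-0}" ]; then
            echo "keys on $ctl unchanged (max index ${after:-none})" >&2
            return 1
        fi
    done
    echo "rotated: key index $before -> $after on $# controller(s)"
}

# Usage: ./rotate_fernet.sh <plan-name> <controller-ip> [<controller-ip> ...]
if [ $# -ge 2 ]; then
    rotate_and_verify "$@"
fi
```

The two checks are deliberately independent: the output check catches the symptom in this report (a "successful" run that matched no hosts), while the key-index comparison catches any other case where the play ran but left the key directory untouched.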

Changed in tripleo:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
milestone: none → queens-3
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-common (master)

Fix proposed to branch: master
Review: https://review.openstack.org/532808

Changed in tripleo:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-common (master)

Reviewed: https://review.openstack.org/532808
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=49cb3b2e052bda379d35c6141874a332e983fa8c
Submitter: Zuul
Branch: master

commit 49cb3b2e052bda379d35c6141874a332e983fa8c
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Jan 11 14:55:23 2018 +0200

    Always pass the plan name to fernet workbook

    It was using the default (overcloud) which is not necessarily the case
    for every deployment.

    This commit passes the TRIPLEO_PLAN_NAME environment file and derives
    the value from the passed container name.

    Change-Id: I2fc481336b945c88f8b6a017690773be3293a2b4
    Closes-Bug: #1742655

Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-common (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/533704

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-common (stable/pike)

Reviewed: https://review.openstack.org/533704
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=786f3d6f7ef7e2dc33e534cfc33600ec4dc35f23
Submitter: Zuul
Branch: stable/pike

commit 786f3d6f7ef7e2dc33e534cfc33600ec4dc35f23
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Jan 11 14:55:23 2018 +0200

    Always pass the plan name to fernet workbook

    It was using the default (overcloud) which is not necessarily the case
    for every deployment.

    This commit passes the TRIPLEO_PLAN_NAME environment file and derives
    the value from the passed container name.

    Change-Id: I2fc481336b945c88f8b6a017690773be3293a2b4
    Closes-Bug: #1742655
    (cherry picked from commit 49cb3b2e052bda379d35c6141874a332e983fa8c)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-common 8.4.0

This issue was fixed in the openstack/tripleo-common 8.4.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-common 7.6.9

This issue was fixed in the openstack/tripleo-common 7.6.9 release.
