From da276b2c7b320232f2a76aeee5e149583f748bdb Mon Sep 17 00:00:00 2001
From: Yuxing Jiang
Date: Wed, 13 Oct 2021 18:07:14 -0400
Subject: [PATCH] Update registry credentials during rehoming
As we are switching to use 'sysinv' user instead of 'admin' user to access the registries, this commit adds a task in the rehoming playbook to update the registry credentials with the sysinv credentials from the new system controllers which a subcloud is migrating to.
Test steps:
1. Deploy a AIOSX subcloud in central cloud A, update the subcloud's registries with its sysinv credentials.
2. Update the admin credentials from central cloud B in the subcloud.
3. Migrate the subcloud to central cloud B.
4. Lock/unlock the subcloud after its deploy status turns to "complete" state.
Test result: The subcloud turns online after unlocking and turns to "in-sync" after being managed by central cloud B. The registries auth-secrets are all updated to sysinv credentials from central cloud B. The central registry can be accessed from the subcloud with the sysinv user and its password.
Depends-On: https://review.opendev.org/c/starlingx/utilities/+/814645
Closes-Bug: 1947014
Signed-off-by: Yuxing Jiang
Change-Id: I384930d3842f8a4da03648af7153dea430c49baa
---
 .../rehome-subcloud/update-keystone-data/tasks/main.yml | 7 +++++++
 .../tasks/migrate_keystone_passwords.yml | 7 +++++--
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/playbookconfig/src/playbooks/roles/rehome-subcloud/update-keystone-data/tasks/main.yml b/playbookconfig/src/playbooks/roles/rehome-subcloud/update-keystone-data/tasks/main.yml
index d923672d8..118b7248d 100644
--- a/playbookconfig/src/playbooks/roles/rehome-subcloud/update-keystone-data/tasks/main.yml
+++ b/playbookconfig/src/playbooks/roles/rehome-subcloud/update-keystone-data/tasks/main.yml
@@ -22,6 +22,13 @@
 - name: Restart keystone service
 command: "sm-restart service keystone"
+- name: Wait until keystone is restarted
+ command: "sm-query service keystone"
+ register: keystone_service_status
+ until: keystone_service_status.stdout == "keystone is enabled-active-"
+ retries: 10
+ delay: 10
+
 - name: Migrate keystone passwords
 import_tasks: migrate_keystone_passwords.yml
diff --git a/playbookconfig/src/playbooks/roles/rehome-subcloud/update-keystone-data/tasks/migrate_keystone_passwords.yml b/playbookconfig/src/playbooks/roles/rehome-subcloud/update-keystone-data/tasks/migrate_keystone_passwords.yml
index 22d65f819..f5bae1b8c 100644
--- a/playbookconfig/src/playbooks/roles/rehome-subcloud/update-keystone-data/tasks/migrate_keystone_passwords.yml
+++ b/playbookconfig/src/playbooks/roles/rehome-subcloud/update-keystone-data/tasks/migrate_keystone_passwords.yml
@@ -5,10 +5,13 @@
 # SPDX-License-Identifier: Apache-2.0
 #
 # SUB-TASKS DESCRIPTION:
-# These tasks update keystone passwords in keystone database, secure hieradata,
-# relevant service config files as well as service passwords in keyring.
+# These tasks update docker registry credentials, keystone passwords in keystone
+# database, secure hieradata, relevant service config files as well as service
+# passwords in keyring.
 #
+- name: Update docker registry credentials
+ command: "update_docker_registry_auth.sh 'sysinv' '{{ users['sysinv'] }}'"
 - name: Get current time before update password
 # TODO(yuxing) The 'openstack user set' may fail to update password in
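Review bot: The `until` condition in the new wait task compares `keystone_service_status.stdout` for exact equality with `"keystone is enabled-active-"`, so any change in what `sm-query` prints would burn all 10 retries and fail the rehome even with keystone up; the trailing hyphen presumably mirrors the tool's output and deserves a one-line comment saying so. Because the task only queries state, `changed_when: false` would keep it from being reported as a change on every run. Separately, the `Update docker registry credentials` task added in migrate_keystone_passwords.yml (that hunk runs past the visible end of the page) puts the sysinv password on the script's command line, where other local processes can read it from the process list and where Ansible may echo it in task output. Adding `no_log: true` to that task keeps it out of the logs, and the quoting `'{{ users['sysinv'] }}'` should be checked against passwords containing a single quote.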