Skip updating service password by default

At the moment we always do attempt to reset passwords for the keystone services, which in some cases leads to race conditions in services. Thus, running a role is not idempotent which we fix by introducing a `service_update_password` variable. So whenever password needs to be reseted/updated, the variable should be supplied for that. Change-Id: I11b1046ea91cef7de0b2f6433baabbb144e07700 Closes-Bug: #2023370
2023-06-20 13:44:18 +02:00 · 2023-06-20 13:44:18 +02:00 · f35126af68
parent a4357fbb9a
commit f35126af68
2 changed files with 15 additions and 1 deletions
--- a/releasenotes/notes/service_password_update-3bdd2bb5ed3a99b5.yaml
+++ b/releasenotes/notes/service_password_update-3bdd2bb5ed3a99b5.yaml
@ -0,0 +1,14 @@
+---
+features:
+  - |
+    Added variable ``service_update_password`` that will control whether
+    password should be updated, which defaults to `False`. This changes
+    previous behaviour when service passwords were always updated in
+    the keystone on role run.
+    Please use this variable whenever you need to update a password for
+    the service.
+fixes:
+  - |
+    Different race conditions in services are fixed when keystone password
+    is forcefully reseted.
+    Closes Bug: `#2023370 <https://bugs.launchpad.net/openstack-ansible/+bug/2023370>`_
--- a/roles/service_setup/tasks/main.yml
+++ b/roles/service_setup/tasks/main.yml
@ -77,7 +77,7 @@
        default_project: "{{ (default_project is truthy) | ternary(default_project, omit) }}"
        endpoint_type: admin
        validate_certs: "{{ not (_service_adminuri_insecure | default(True) | bool) }}"
-        update_password: always
+        update_password: "{{ (service_update_password | default(False) | bool) | ternary('always', omit) }}"
      register: add_service
      when:
        - not (_service_in_ldap | default(False) | bool)