Description of problem: NOTE: my stack is named "sweatpants" here Running the tripleo.fernet_keys.rotate_fernet_keys workflow from the undercloud as such: openstack workflow execution create tripleo.fernet_keys.v1.rotate_fernet_keys '{"container": "sweatpants"}' Will fail if your cloud is not named "overcloud" Version-Release number of selected component (if applicable): How reproducible: 100% Steps to Reproduce: 1.Deploy a cloud named something other than "overcloud" (such as "sweatpants") 2.try rotate your fernet decrypt keys on the controllers with openstack workflow execution create tripleo.fernet_keys.v1.rotate_fernet_keys '{"container": "sweatpants"}' 3. look at the output of the workflow after a minute or so openstack workflow execution output show <workflow id> Actual results: Look at your ferent keys in the contain from the controller node, notice that they haven't changed: docker exec -ti keystone ls -l /etc/keystone/fernet-keys ' Check the actual workflow output, you'll see something like the following: { "status": "SUCCESS", "message": { "stderr": "\nPLAY [keystone] ****************************************************************\nskipping: no hosts matched\n\nPLAY RECAP *********************************************************************\n\n", "stdout": " [WARNING]: Could not match supplied host pattern, ignoring: keystone\n" } } The only way to get this working, is the following: openstack workflow execution create tripleo.fernet_keys.v1.rotate_fernet_keys '{ "container": "sweatpants", "ansible_extra_env_variables": { "TRIPLEO_PLAN_NAME": "sweatpants", "ANSIBLE_HOST_KEY_CHECKING": "False" }}' Note, additionally, that we have to pass the ANSIBLE_HOST_KEY_CHECKING variable because this gets overwritten by the workflow and isn't picked up if the plan name is the only variable passed into the workflow. Expected results: Expect to have rotated keys on all controller nodes Additional info:
This has merged upstream: https://review.openstack.org/#/c/532808/
Patch fixed-in: openstack-tripleo-common-7.6.9-4.el7ost by rebase.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:2331