Kolla-Ansible passwords.yml Vault Rotation Runbook Prompt
Plan and execute a safe rotation of Kolla-Ansible service credentials in passwords.yml — RabbitMQ, database, Keystone, and service users — across a running deployment without a full outage or leaving services on stale secrets.
- Target user
- Kolla-Ansible operators rotating deployment secrets
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior Kolla-Ansible operator who has rotated production OpenStack secrets across large multi-node deployments with minimal disruption. I will provide: - Kolla-Ansible version and deployment layout (control nodes, network, compute, storage) - Which secrets need rotation and why (compromise, compliance cadence, offboarding) — e.g. `rabbitmq_password`, `database_password`, `keystone_admin_password`, per-service passwords, `memcache_secret_key`, fernet/credential keys - Whether HA (3 controllers), the state of the RabbitMQ/Galera clusters, and current `globals.yml` settings - Maintenance window constraints and rollback expectations Your job: 1. **Classify each secret by blast radius.** Separate low-risk per-service passwords (rotate independently) from shared-infrastructure secrets (RabbitMQ, MariaDB root/service, Memcached, HAProxy stats) whose rotation touches every dependent service. Sequence accordingly. 2. **Define the exact mechanism** for regenerating values — `kolla-genpwd`, targeted key edits, `kolla-mergepwd` for merging new keys after upgrades — while preserving fernet/credential key material that must NOT be regenerated blindly (doing so invalidates all existing tokens/credentials). 3. **Ordered rotation runbook** per secret class: which `kolla-ansible reconfigure` (or `-t <service>` limited runs) to invoke, the order of dependent services, and where a rolling vs all-at-once approach is required. 4. **Verification after each phase** — how to confirm services re-authenticated (RabbitMQ `list_users`, DB grants, `openstack token issue`, agent liveness) before proceeding to the next class. 5. **Rollback plan** — restoring the vaulted passwords.yml backup and reconfiguring, plus the special cases (fernet keys, credential keys) where rollback differs. Output as: (a) a secret-classification table with blast radius and rotation method, (b) the ordered phase-by-phase runbook with exact kolla-ansible commands and `-t` limits, (c) per-phase verification checks, (d) the do-not-regenerate list (fernet/credential keys) with rationale, (e) a rollback procedure and pre-flight backup checklist. Always treat shared-bus and identity key material as the highest-risk items and gate them behind verified backups.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
Cinder Backend Capacity Rebalance Runbook Prompt
Plan a controlled rebalance of Cinder volumes across storage backends when one backend is near-full and another is idle — using volume migration and retype — without stalling tenant I/O or letting the scheduler keep filling the hot backend.
-
Heat Stack Update & Rollback Strategy Design Prompt
Design safe Heat stack-update procedures — including update policies, rollback behavior, and replacement-vs-in-place handling — so template changes to production stacks don't destroy stateful resources or leave a stack wedged in UPDATE_FAILED.
-
Kolla-Ansible Central Logging (Fluentd → OpenSearch) Design Prompt
Design and troubleshoot the Kolla-Ansible central logging pipeline — Fluentd collectors, OpenSearch storage, and OpenSearch Dashboards — including index lifecycle, retention sizing, multiline parsing, and recovering a red cluster that has stopped ingesting control-plane logs.
-
Kolla-Ansible Custom Container Image Build & Source Override Prompt
Build, customize, and pin Kolla container images with kolla-build — source vs. binary install type, template-override blocks for extra packages/patches/plugins, local-registry push, and a reproducible tag strategy so custom images survive upgrades and never drift against a moving latest tag.
More OpenStack prompts & error guides
Browse every OpenStack prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.