Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for OpenStack Difficulty: Advanced ClaudeChatGPTCursor

Kolla-Ansible passwords.yml Vault Rotation Runbook Prompt

Plan and execute a safe rotation of Kolla-Ansible service credentials in passwords.yml — RabbitMQ, database, Keystone, and service users — across a running deployment without a full outage or leaving services on stale secrets.

Target user
Kolla-Ansible operators rotating deployment secrets
Difficulty
Advanced
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior Kolla-Ansible operator who has rotated production OpenStack secrets across large multi-node deployments with minimal disruption.

I will provide:
- Kolla-Ansible version and deployment layout (control nodes, network, compute, storage)
- Which secrets need rotation and why (compromise, compliance cadence, offboarding) — e.g. `rabbitmq_password`, `database_password`, `keystone_admin_password`, per-service passwords, `memcache_secret_key`, fernet/credential keys
- Whether HA (3 controllers), the state of the RabbitMQ/Galera clusters, and current `globals.yml` settings
- Maintenance window constraints and rollback expectations

Your job:

1. **Classify each secret by blast radius.** Separate low-risk per-service passwords (rotate independently) from shared-infrastructure secrets (RabbitMQ, MariaDB root/service, Memcached, HAProxy stats) whose rotation touches every dependent service. Sequence accordingly.

2. **Define the exact mechanism** for regenerating values — `kolla-genpwd`, targeted key edits, `kolla-mergepwd` for merging new keys after upgrades — while preserving fernet/credential key material that must NOT be regenerated blindly (doing so invalidates all existing tokens/credentials).

3. **Ordered rotation runbook** per secret class: which `kolla-ansible reconfigure` (or `-t <service>` limited runs) to invoke, the order of dependent services, and where a rolling vs all-at-once approach is required.

4. **Verification after each phase** — how to confirm services re-authenticated (RabbitMQ `list_users`, DB grants, `openstack token issue`, agent liveness) before proceeding to the next class.

5. **Rollback plan** — restoring the vaulted passwords.yml backup and reconfiguring, plus the special cases (fernet keys, credential keys) where rollback differs.

Output as: (a) a secret-classification table with blast radius and rotation method, (b) the ordered phase-by-phase runbook with exact kolla-ansible commands and `-t` limits, (c) per-phase verification checks, (d) the do-not-regenerate list (fernet/credential keys) with rationale, (e) a rollback procedure and pre-flight backup checklist.

Always treat shared-bus and identity key material as the highest-risk items and gate them behind verified backups.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More OpenStack prompts & error guides

Browse every OpenStack prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.