Can someone comment on this please ?

---------- Forwarded message ---------
From: engineer2024 <engineerlinux2024@gmail.com>
Date: Wed, Jul 24, 2024 at 9:34 PM
Subject: keystone credentials
To: <openstack-discuss@lists.openstack.org>


Hi all,

We are receiving this message while executing keystone playbook to upgrade from yoga to zed through openstack ansible:

----
FAILED! => {"changed": true, "cmd": ["/openstack/venvs/keystone-26.3.0/bin/keystone-manage", "credential_migrate", "--keystone-user", "keystone", "--keystone-group", "keystone"], "msg": "non-zero return code", "rc": 1,}
---

Then I tried credential_setup to setup new fernet keys which succeeded, but when trying to do credential_migrate, it is still failing with the above message. The debug log  shows something like
"unable to decrypt;  use the same primary key used for encryption"  I even copied the newly setup keys to the other two containers. Stil it does not work.

As a last resort , I have destroyed the three keystone containers and recreated and ran the playbook. Then it worked. But in our scenario, this caused downtime for the apps using this keystone setup which attracted an RCA requirement. So, I want to know how to avoid downtime as in a normal upgrade , when creating/destroying containers and the reason for the above error and the workaround... 

Appreciate your time.

Thanks
elinux