kolla-ansible/ansible/roles/common/tasks/config.yml
James Kirsch f87814f794 Add support for encrypting Glance api
Add TLS support for Glance api using HAProxy to perform TLS termination.

Change-Id: I77051baaeb5d3f7dd9002262534e7d35f3926809
Partially-Implements: blueprint add-ssl-internal-network
2020-04-30 17:31:58 +01:00

393 lines
13 KiB
YAML

---
- name: Ensuring config directories exist
file:
path: "{{ node_config_directory }}/{{ item }}"
state: "directory"
owner: "{{ config_owner_user }}"
group: "{{ config_owner_group }}"
mode: "0770"
become: true
with_items:
- "kolla-toolbox"
- "cron"
- "cron/logrotate"
- name: Ensuring fluentd config directories exist
file:
path: "{{ node_config_directory }}/{{ item }}"
state: "directory"
mode: "0770"
become: true
with_items:
- "fluentd"
- "fluentd/input"
- "fluentd/output"
- "fluentd/format"
- "fluentd/filter"
when: enable_fluentd | bool
- name: Ensure fluentd image is present for label check
vars:
service_name: "fluentd"
service: "{{ common_services[service_name] }}"
become: true
kolla_docker:
action: "ensure_image"
common_options: "{{ docker_common_options }}"
image: "{{ service.image }}"
when: enable_fluentd | bool
- name: Fetch fluentd image labels
vars:
service_name: "fluentd"
service: "{{ common_services[service_name] }}"
become: true
docker_image_info:
name: "{{ service.image }}"
register: fluentd_labels
when: enable_fluentd | bool
- name: Set fluentd facts
set_fact:
fluentd_binary: "{{ fluentd_labels.images.0.ContainerConfig.Labels.fluentd_binary }}"
when: enable_fluentd | bool
- include_tasks: copy-certs.yml
when:
- kolla_copy_ca_into_containers | bool
- name: Copying over config.json files for services
template:
src: "{{ item.key }}.json.j2"
dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
mode: "0660"
become: true
when: item.value.enabled | bool
with_dict: "{{ common_services }}"
notify:
- "Restart {{ item.key }} container"
- name: Find custom fluentd input config files
find:
path: "{{ node_custom_config }}/fluentd/input"
pattern: "*.conf"
run_once: True
register: find_custom_fluentd_inputs
delegate_to: localhost
when:
- enable_fluentd | bool
- name: Copying over fluentd input config files
vars:
customised_input_files: "{{ find_custom_fluentd_inputs.files | map(attribute='path') | map('basename') | list }}"
template:
src: "conf/input/{{ item }}.conf.j2"
dest: "{{ node_config_directory }}/fluentd/input/{{ item }}.conf"
mode: "0660"
become: true
when:
- enable_fluentd | bool
- item ~ '.conf' not in customised_input_files
with_items:
- "00-global"
- "01-syslog"
- "02-mariadb"
- "03-rabbitmq"
- "04-openstack-wsgi"
- "05-libvirt"
- "06-zookeeper"
- "07-kafka"
- "09-monasca"
notify:
- Restart fluentd container
- name: Copying over custom fluentd input config files
template:
src: "{{ item.path }}"
dest: "{{ node_config_directory }}/fluentd/input/{{ item.path | basename }}"
mode: "0660"
when:
- enable_fluentd | bool
with_items: "{{ find_custom_fluentd_inputs.files }}"
notify:
- Restart fluentd container
- name: Determine whether logs should be forwarded directly to Elasticsearch
set_fact:
log_direct_to_elasticsearch: "{{ ( enable_elasticsearch | bool or
( elasticsearch_address != kolla_internal_vip_address )) and
not enable_monasca | bool }}"
- name: Find custom fluentd output config files
find:
path: "{{ node_custom_config }}/fluentd/output"
pattern: "*.conf"
run_once: True
register: find_custom_fluentd_outputs
delegate_to: localhost
when:
- enable_fluentd | bool
- name: Copying over fluentd output config files
vars:
customised_output_files: "{{ find_custom_fluentd_outputs.files | map(attribute='path') | map('basename') | list }}"
template:
src: "conf/output/{{ item.name }}.conf.j2"
dest: "{{ node_config_directory }}/fluentd/output/{{ item.name }}.conf"
mode: "0660"
become: true
when:
- enable_fluentd | bool
- item.enabled | bool
- item.name ~ '.conf' not in customised_output_files
with_items:
- name: "00-local"
enabled: true
- name: "01-es"
enabled: "{{ log_direct_to_elasticsearch }}"
- name: "02-monasca"
enabled: "{{ enable_monasca | bool }}"
notify:
- Restart fluentd container
- name: Removing stale output config files
file:
path: "{{ node_config_directory }}/fluentd/output/{{ item.name }}.conf"
state: "absent"
become: true
when:
- enable_fluentd | bool
- item.disable | bool
with_items:
- name: "02-monasca"
disable: "{{ not enable_monasca | bool }}"
- name: "01-es"
disable: "{{ not log_direct_to_elasticsearch }}"
notify:
- Restart fluentd container
- name: Copying over custom fluentd output config files
template:
src: "{{ item.path }}"
dest: "{{ node_config_directory }}/fluentd/output/{{ item.path | basename }}"
mode: "0660"
become: true
when:
- enable_fluentd | bool
with_items: "{{ find_custom_fluentd_outputs.files }}"
notify:
- Restart fluentd container
- name: Find custom fluentd format config files
find:
path: "{{ node_custom_config }}/fluentd/format"
pattern: "*.conf"
run_once: True
register: find_custom_fluentd_format
delegate_to: localhost
when:
- enable_fluentd | bool
- name: Copying over fluentd format config files
vars:
customised_format_files: "{{ find_custom_fluentd_format.files | map(attribute='path') | map('basename') | list }}"
template:
src: "conf/format/{{ item }}.conf.j2"
dest: "{{ node_config_directory }}/fluentd/format/{{ item }}.conf"
mode: "0660"
become: true
with_items:
- "apache_access"
- "wsgi_access"
when:
- enable_fluentd | bool
- item ~ '.conf' not in customised_format_files
notify:
- Restart fluentd container
- name: Copying over custom fluentd format config files
template:
src: "{{ item.path }}"
dest: "{{ node_config_directory }}/fluentd/format/{{ item.path | basename }}"
mode: "0660"
when:
- enable_fluentd | bool
with_items: "{{ find_custom_fluentd_format.files }}"
notify:
- Restart fluentd container
- name: Find custom fluentd filter config files
find:
path: "{{ node_custom_config }}/fluentd/filter"
pattern: "*.conf"
run_once: True
register: find_custom_fluentd_filters
delegate_to: localhost
when: enable_fluentd | bool
- name: Copying over fluentd filter config files
vars:
customised_filter_files: "{{ find_custom_fluentd_filters.files | map(attribute='path') | map('basename') | list }}"
fluentd_version: "{{ fluentd_labels.images.0.ContainerConfig.Labels.fluentd_version | default('0.12') }}"
template:
src: "conf/filter/{{ item.src }}.conf.j2"
dest: "{{ node_config_directory }}/fluentd/filter/{{ item.dest }}.conf"
mode: "0660"
become: true
with_items:
- src: 00-record_transformer
dest: 00-record_transformer
- src: "{{ '01-rewrite-0.14' if fluentd_version == '0.14' else '01-rewrite-0.12' }}"
dest: 01-rewrite
- src: 02-parser
dest: 02-parser
when:
- enable_fluentd | bool
- item.src ~ '.conf' not in customised_filter_files
notify:
- Restart fluentd container
- name: Copying over custom fluentd filter config files
template:
src: "{{ item.path }}"
dest: "{{ node_config_directory }}/fluentd/filter/{{ item.path | basename }}"
mode: "0660"
become: true
with_items: "{{ find_custom_fluentd_filters.files }}"
when: enable_fluentd | bool
notify:
- Restart fluentd container
- name: Copying over td-agent.conf
template:
src: "td-agent.conf.j2"
dest: "{{ node_config_directory }}/{{ item }}/td-agent.conf"
mode: "0660"
become: true
with_items:
- "fluentd"
when: enable_fluentd | bool
notify:
- Restart fluentd container
- name: Copying over cron logrotate config files
template:
src: "cron-logrotate-{{ item.name }}.conf.j2"
dest: "{{ node_config_directory }}/cron/logrotate/{{ item.name }}.conf"
mode: "0660"
become: true
when: item.enabled | bool
with_items:
- { name: "ansible", enabled: "yes" }
- { name: "aodh", enabled: "{{ enable_aodh }}" }
- { name: "barbican", enabled: "{{ enable_barbican }}" }
- { name: "blazar", enabled: "{{ enable_blazar }}" }
- { name: "ceilometer", enabled: "{{ enable_ceilometer }}" }
- { name: "chrony", enabled: "{{ enable_chrony }}" }
- { name: "cinder", enabled: "{{ enable_cinder }}" }
- { name: "cloudkitty", enabled: "{{ enable_cloudkitty }}" }
- { name: "collectd", enabled: "{{ enable_collectd }}" }
- { name: "congress", enabled: "{{ enable_congress }}" }
- { name: "cyborg", enabled: "{{ enable_cyborg }}" }
- { name: "designate", enabled: "{{ enable_designate }}" }
- { name: "elasticsearch", enabled: "{{ enable_elasticsearch }}" }
- { name: "etcd", enabled: "{{ enable_etcd }}" }
- { name: "freezer", enabled: "{{ enable_freezer }}" }
- { name: "glance", enabled: "{{ enable_glance }}" }
- { name: "glance-tls-proxy", enabled: "{{ enable_glance }}" }
- { name: "global", enabled: "yes" }
- { name: "gnocchi", enabled: "{{ enable_gnocchi }}" }
- { name: "grafana", enabled: "{{ enable_grafana }}" }
- { name: "haproxy", enabled: "{{ enable_haproxy }}" }
- { name: "heat", enabled: "{{ enable_heat }}" }
- { name: "horizon", enabled: "{{ enable_horizon }}" }
- { name: "influxdb", enabled: "{{ enable_influxdb }}" }
- { name: "ironic", enabled: "{{ enable_ironic }}" }
- { name: "ironic-inspector", enabled: "{{ enable_ironic }}" }
- { name: "iscsid", enabled: "{{ enable_iscsid }}" }
- { name: "kafka", enabled: "{{ enable_kafka }}" }
- { name: "karbor", enabled: "{{ enable_karbor }}" }
- { name: "keepalived", enabled: "{{ enable_haproxy }}" }
- { name: "keystone", enabled: "{{ enable_keystone }}" }
- { name: "kibana", enabled: "{{ enable_kibana }}" }
- { name: "kuryr", enabled: "{{ enable_kuryr }}" }
- { name: "magnum", enabled: "{{ enable_magnum }}" }
- { name: "manila", enabled: "{{ enable_manila }}" }
- { name: "mariadb", enabled: "{{ enable_mariadb }}" }
- { name: "masakari", enabled: "{{ enable_masakari }}" }
- { name: "mistral", enabled: "{{ enable_mistral }}" }
- { name: "monasca", enabled: "{{ enable_monasca }}" }
- { name: "mongodb", enabled: "{{ enable_mongodb }}" }
- { name: "murano", enabled: "{{ enable_murano }}" }
- { name: "neutron", enabled: "{{ enable_neutron }}" }
- { name: "nova", enabled: "{{ enable_nova }}" }
- { name: "octavia", enabled: "{{ enable_octavia }}" }
- { name: "outward-rabbitmq", enabled: "{{ enable_outward_rabbitmq }}" }
- { name: "panko", enabled: "{{ enable_panko }}" }
- { name: "qinling", enabled: "{{ enable_qinling }}" }
- { name: "rabbitmq", enabled: "{{ enable_rabbitmq }}" }
- { name: "rally", enabled: "{{ enable_rally }}" }
- { name: "sahara", enabled: "{{ enable_sahara }}" }
- { name: "searchlight", enabled: "{{ enable_searchlight }}" }
- { name: "senlin", enabled: "{{ enable_senlin }}" }
- { name: "skydive", enabled: "{{ enable_skydive }}" }
- { name: "solum", enabled: "{{ enable_solum }}" }
- { name: "storm", enabled: "{{ enable_storm }}" }
- { name: "swift", enabled: "{{ enable_swift }}" }
- { name: "tacker", enabled: "{{ enable_tacker }}" }
- { name: "tempest", enabled: "{{ enable_tempest }}" }
- { name: "trove", enabled: "{{ enable_trove }}" }
- { name: "vitrage", enabled: "{{ enable_vitrage }}" }
- { name: "watcher", enabled: "{{ enable_watcher }}" }
- { name: "zookeeper", enabled: "{{ enable_zookeeper }}" }
- { name: "zun", enabled: "{{ enable_zun }}" }
notify:
- Restart cron container
- name: Ensure RabbitMQ Erlang cookie exists
become: true
copy:
content: "{{ rabbitmq_cluster_cookie }}"
dest: "{{ node_config_directory }}/kolla-toolbox/rabbitmq-erlang.cookie"
mode: "0660"
when: enable_rabbitmq | bool
notify:
- Restart kolla-toolbox container
- name: Ensuring config directories have correct owner and permission
become: true
file:
path: "{{ node_config_directory }}/{{ item.key }}"
owner: "{{ config_owner_user }}"
group: "{{ config_owner_group }}"
mode: "0770"
ignore_errors: "{{ ansible_check_mode }}"
when:
- item.value.enabled | bool
- item.key != "kolla-toolbox"
with_dict: "{{ common_services }}"
- name: Copy rabbitmq-env.conf to kolla toolbox
copy:
content: |
RABBITMQ_CTL_ERL_ARGS="-proto_dist inet6_tcp"
export ERL_INETRC=/etc/rabbitmq/erl_inetrc
dest: "{{ node_config_directory }}/kolla-toolbox/rabbitmq-env.conf"
mode: "0600"
become: true
when:
api_address_family == "ipv6"
- name: Copy rabbitmq erl_intr to kolla toolbox
copy:
content: |
{inet6,true}.
dest: "{{ node_config_directory }}/kolla-toolbox/erl_inetrc"
mode: "0600"
become: true
when:
api_address_family == "ipv6"
- include_tasks: check-containers.yml
when: kolla_action != "config"