Merge "Make krb-service-principal metadata per-Role" into stable/rocky

2019-05-30 22:42:59 +00:00 · 2019-05-30 22:42:59 +00:00 · 113e1e71a0
parent 5c910e4ddc 218582c4cc
commit 113e1e71a0
9 changed files with 60 additions and 12 deletions
--- a/common/services/role.role.j2.yaml
+++ b/common/services/role.role.j2.yaml
@ -58,7 +58,7 @@ resources:
    type: OS::TripleO::LoggingConfiguration

  ServiceServerMetadataHook:
-    type: OS::TripleO::ServiceServerMetadataHook
+    type: OS::TripleO::{{role.name}}ServiceServerMetadataHook
    properties:
      RoleData: {get_attr: [ServiceChain, role_data]}

@ -70,7 +70,7 @@ resources:
        list_join:
          - "\n"
          - - str_replace:
-                template: {get_file: ../puppet/manifests/overcloud_common.pp}
+                template: {get_file: ../../puppet/manifests/overcloud_common.pp}
                params:
                  __ROLE__: {get_param: RoleName}
            - yaql:
--- a/environments/ssl/enable-internal-tls.j2.yaml
+++ b/environments/ssl/enable-internal-tls.j2.yaml
@ -34,8 +34,10 @@ parameter_defaults:
  # End static parameters
  # *********************
 resource_registry:
-  OS::TripleO::ServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals.yaml
  OS::TripleO::Services::CertmongerUser: ../../puppet/services/certmonger-user.yaml
  OS::TripleO::Services::HAProxyInternalTLS: ../../puppet/services/haproxy-internal-tls-certmonger.yaml
  OS::TripleO::Services::IpaClient: ../../extraconfig/services/ipaclient.yaml
  OS::TripleO::Services::TLSProxyBase: ../../puppet/services/apache.yaml
+{%- for role in roles %}
+  OS::TripleO::{{role.name}}ServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/{{role.name.lower()}}-role.yaml
+{%- endfor %}
--- a/extraconfig/nova_metadata/krb-service-principals/role.role.j2.yaml
+++ b/extraconfig/nova_metadata/krb-service-principals/role.role.j2.yaml
@ -1,11 +1,11 @@
 heat_template_version: rocky
-description: 'Generates the relevant service principals for a server'
+description: 'Generates the relevant service principals for a {{role.name}} server'

 parameters:
  RoleData:
     type: json
     description: the list containing the 'role_data' output for the ServiceChain
-{%- for network in networks if network.vip|default(false) %}
+{%- for network in networks if network.vip|default(false) and network.name in role.networks %}
 {%- if network.name == 'External' %}
  # Special case the External hostname param, which is CloudName
  CloudName:
@ -69,7 +69,7 @@ resources:
          data:
            metadata: {get_attr: [IncomingMetadataSettings, value]}
            fqdns:
-{%- for network in networks if network.vip|default(false) %}
+{%- for network in networks if network.vip|default(false) and network.name in role.networks %}
 {%- if network.name == 'External' %}
              external: {get_param: CloudName}
 {%- elif network.name == 'InternalApi' %}
@ -97,4 +97,3 @@ outputs:
      map_merge:
        - {get_attr: [IndividualServices, value]}
        - {get_attr: [CompactServices, value]}
-
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@ -33,7 +33,9 @@ resource_registry:
  # in the jinja loop
  OS::TripleO::Controller::Net::SoftwareConfig: net-config-bridge.yaml

-  OS::TripleO::ServiceServerMetadataHook: OS::Heat::None
+{% for role in roles %}
+  OS::TripleO::{{role.name}}ServiceServerMetadataHook: OS::Heat::None
+{%- endfor %}

  OS::TripleO::Server: OS::Nova::Server
 {% for role in roles %}
@ -106,7 +108,9 @@ resource_registry:
  OS::TripleO::WorkflowSteps: OS::Mistral::ExternalResource

  # services
-  OS::TripleO::Services: common/services.yaml
+{%- for role in roles %}
+  OS::TripleO::{{role.name}}Services: common/services/{{role.name.lower()}}-role.yaml
+{%- endfor %}
  OS::TripleO::Services::Aide: OS::Heat::None
  OS::TripleO::Services::Apache: puppet/services/apache.yaml
  OS::TripleO::Services::CACerts: puppet/services/ca-certs.yaml
--- a/overcloud.j2.yaml
+++ b/overcloud.j2.yaml
@ -416,7 +416,7 @@ resources:
 {% for role in roles %}
  # Resources generated for {{role.name}} Role
  {{role.name}}ServiceChain:
-    type: OS::TripleO::Services
+    type: OS::TripleO::{{role.name}}Services
    properties:
      Services:
        get_param: {{role.name}}Services
--- a/sample-env-generator/ssl.yaml
+++ b/sample-env-generator/ssl.yaml
@ -65,7 +65,11 @@ environments:
      OS::TripleO::Services::TLSProxyBase: ../../puppet/services/apache.yaml
      # Creates nova metadata that will create the extra service principals per
      # node.
-      OS::TripleO::ServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals.yaml
+      OS::TripleO::ControllerServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/controller-role.yaml
+      OS::TripleO::ComputeServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/compute-role.yaml
+      OS::TripleO::BlockStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/blockstorage-role.yaml
+      OS::TripleO::ObjectStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/objectstorage-role.yaml
+      OS::TripleO::CephStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/cephstorage-role.yaml
  - name: ssl/inject-trust-anchor
    title: Inject SSL Trust Anchor on Overcloud Nodes
    description: |
--- a/tools/check-up-to-date.sh
+++ b/tools/check-up-to-date.sh
@ -18,7 +18,7 @@ cd $tmpdir

 file_list=$(find environments -type f)
 for f in $file_list; do
-    if ! diff -q $f $base/$f; then
+    if ! $base/tools/yaml-diff.py $f $base/$f; then
        echo "ERROR: $base/$f is not up to date"
        diff $f $base/$f
        retval=1
--- a/tools/process-templates.py
+++ b/tools/process-templates.py
@ -320,9 +320,16 @@ def clean_templates(base_path, role_data_path, network_data_path):
        host_config_and_reboot_path = os.path.join(
            'extraconfig', 'pre_network',
            '%s-host_config_and_reboot.yaml' % role['name'].lower())
+        krb_service_principals_path = os.path.join(
+            'extraconfig', 'nova_metadata', 'krb-service-principals',
+            '%s-role.yaml' % role['name'].lower())
+        common_services_path = os.path.join(
+            'common', 'services', '%s-role.yaml' % role['name'].lower())

        delete(role_path)
        delete(host_config_and_reboot_path)
+        delete(krb_service_principals_path)
+        delete(common_services_path)

        nic_config_dir = os.path.join(base_path, 'network', 'config')
        for sample_nic_config_dir in os.listdir(nic_config_dir):
--- a/tools/yaml-diff.py
+++ b/tools/yaml-diff.py
@ -0,0 +1,32 @@
+#!/usr/bin/env python
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import sys
+import yaml
+
+if len(sys.argv) != 3:
+    raise RuntimeError('Not enough arguemnts')
+
+FILE_A = sys.argv[1]
+FILE_B = sys.argv[2]
+
+with open(FILE_A, 'r') as file_a:
+    a = yaml.safe_load(file_a)
+
+with open(FILE_B, 'r') as file_b:
+    b = yaml.safe_load(file_b)
+
+if a != b:
+    sys.exit("Files are different")
+
+sys.exit(0)