
Merge "Make krb-service-principal metadata per-Role"

Zuul 5 days ago
parent
commit
2add17b409

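--- a/common/services.yaml
+++ b/common/services/role.role.j2.yaml
@@ -58,7 +58,7 @@ resources:
     type: OS::TripleO::LoggingConfiguration
 
   ServiceServerMetadataHook:
-    type: OS::TripleO::ServiceServerMetadataHook
+    type: OS::TripleO::{{role.name}}ServiceServerMetadataHook
     properties:
       RoleData: {get_attr: [ServiceChain, role_data]}
 
@@ -70,7 +70,7 @@ resources:
         list_join:
           - "\n"
           - - str_replace:
-                template: {get_file: ../puppet/manifests/overcloud_common.pp}
+                template: {get_file: ../../puppet/manifests/overcloud_common.pp}
                 params:
                   __ROLE__: {get_param: RoleName}
             - yaql: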

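--- a/environments/ssl/enable-internal-tls.yaml
+++ b/environments/ssl/enable-internal-tls.j2.yaml
@@ -34,8 +34,10 @@ parameter_defaults:
   # End static parameters
   # *********************
 resource_registry:
-  OS::TripleO::ServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals.yaml
   OS::TripleO::Services::CertmongerUser: ../../puppet/services/certmonger-user.yaml
   OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml
   OS::TripleO::Services::IpaClient: ../../extraconfig/services/ipaclient.yaml
   OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml
+{%- for role in roles %}
+  OS::TripleO::{{role.name}}ServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/{{role.name.lower()}}-role.yaml
+{%- endfor %}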

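--- a/extraconfig/nova_metadata/krb-service-principals.j2.yaml
+++ b/extraconfig/nova_metadata/krb-service-principals/role.role.j2.yaml
@@ -1,11 +1,11 @@
 heat_template_version: rocky
-description: 'Generates the relevant service principals for a server'
+description: 'Generates the relevant service principals for a {{role.name}} server'
 
 parameters:
   RoleData:
      type: json
      description: the list containing the 'role_data' output for the ServiceChain
-{%- for network in networks if network.vip|default(false) %}
+{%- for network in networks if network.vip|default(false) and network.name in role.networks %}
 {%- if network.name == 'External' %}
   # Special case the External hostname param, which is CloudName
   CloudName:
@@ -69,7 +69,7 @@ resources:
           data:
             metadata: {get_attr: [IncomingMetadataSettings, value]}
             fqdns:
-{%- for network in networks if network.vip|default(false) %}
+{%- for network in networks if network.vip|default(false) and network.name in role.networks %}
 {%- if network.name == 'External' %}
               external: {get_param: CloudName}
 {%- elif network.name == 'InternalApi' %}
@@ -97,4 +97,3 @@ outputs:
       map_merge:
         - {get_attr: [IndividualServices, value]}
         - {get_attr: [CompactServices, value]}
-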
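Review bot: The new filter `network.name in role.networks`, used in both the parameters loop and the `fqdns` loop, assumes every role entry defines `networks`. If the templates are rendered with Jinja's default (non-strict) undefined handling, a role without that key would probably render no VIP parameters and an empty `fqdns` map instead of failing, so that role would get no service principals and nothing would flag it at render time. Making the fallback explicit, `network.name in role.networks|default([])`, and adding a template comment such as `# Only networks attached to this role get a service principal FQDN` would document the intent. Both loops continue outside the visible hunks, so any later reference to a parameter that is now conditionally omitted (for example `CloudName`) should be checked as well.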

+ 6
- 2
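--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -31,7 +31,9 @@ resource_registry:
   # in the jinja loop
   OS::TripleO::Controller::Net::SoftwareConfig: net-config-bridge.yaml
 
-  OS::TripleO::ServiceServerMetadataHook: OS::Heat::None
+{% for role in roles %}
+  OS::TripleO::{{role.name}}ServiceServerMetadataHook: OS::Heat::None
+{%- endfor %}
 
   OS::TripleO::Server: OS::Nova::Server
 {% for role in roles %}
@@ -100,7 +102,9 @@ resource_registry:
   OS::TripleO::WorkflowSteps: OS::Mistral::ExternalResource
 
   # services
-  OS::TripleO::Services: common/services.yaml
+{%- for role in roles %}
+  OS::TripleO::{{role.name}}Services: common/services/{{role.name.lower()}}-role.yaml
+{%- endfor %}
   OS::TripleO::Services::Aide: OS::Heat::None
   OS::TripleO::Services::Apache: deployment/apache/apache-baremetal-puppet.yaml
   OS::TripleO::Services::CACerts: puppet/services/ca-certs.yaml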
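Review bot: Removing the generic `OS::TripleO::ServiceServerMetadataHook` key in the first hunk means an operator environment that still maps the old name will, as far as these hunks show, no longer be referenced by any template. Every role then falls back to the `OS::Heat::None` default and no Kerberos service principals are registered, with no error at deploy time. A comment above the loop, for example `# Per-role hook; the generic OS::TripleO::ServiceServerMetadataHook mapping is no longer consumed`, plus an upgrade release note would make that failure mode discoverable. As a style point, the first loop opens with `{% for role in roles %}` while the second uses `{%- for role in roles %}`; using the same whitespace control in both keeps the rendered registry free of stray blank lines.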

+ 1
- 1
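--- a/overcloud.j2.yaml
+++ b/overcloud.j2.yaml
@@ -467,7 +467,7 @@ resources:
 {% for role in roles %}
   # Resources generated for {{role.name}} Role
   {{role.name}}ServiceChain:
-    type: OS::TripleO::Services
+    type: OS::TripleO::{{role.name}}Services
     properties:
       Services:
         get_param: {{role.name}}Services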

+ 5
- 1
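--- a/sample-env-generator/ssl.yaml
+++ b/sample-env-generator/ssl.yaml
@@ -65,7 +65,11 @@ environments:
       OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml
       # Creates nova metadata that will create the extra service principals per
       # node.
-      OS::TripleO::ServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals.yaml
+      OS::TripleO::ControllerServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/controller-role.yaml
+      OS::TripleO::ComputeServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/compute-role.yaml
+      OS::TripleO::BlockStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/blockstorage-role.yaml
+      OS::TripleO::ObjectStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/objectstorage-role.yaml
+      OS::TripleO::CephStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/cephstorage-role.yaml
   - name: ssl/inject-trust-anchor
     title: Inject SSL Trust Anchor on Overcloud Nodes
     description: |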
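Review bot: The five hard-coded `<Role>ServiceServerMetadataHook` entries cover only the default roles, whereas `environments/ssl/enable-internal-tls.j2.yaml` in this same commit loops over every entry in `roles`. A deployment that uses a custom role with an environment generated from this sample would leave that role on the `OS::Heat::None` default set in `overcloud-resource-registry-puppet.j2.yaml`, so its nodes would get no service principals and nothing would report the gap. Extending the existing comment would make the requirement visible, e.g. `# Add one OS::TripleO::<RoleName>ServiceServerMetadataHook entry per custom role; unmapped roles get no service principals.`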

+ 1
- 1
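--- a/tools/check-up-to-date.sh
+++ b/tools/check-up-to-date.sh
@@ -18,7 +18,7 @@ cd $tmpdir
 
 file_list=$(find environments -type f)
 for f in $file_list; do
-    if ! $base/tools/yaml-diff.py $f $base/$f; then
+    if ! $base/tools/yaml-diff.py $f $base/$f; then
         echo "ERROR: $base/$f is not up to date"
         diff $f $base/$f
         retval=1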
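Review bot: The new call passes `$base`, `$f` and `$base/$f` unquoted, so a checkout path or file name containing whitespace or glob characters is split before it reaches the script; `if ! "$base/tools/yaml-diff.py" "$f" "$base/$f"; then` avoids that. Because the comparison is now on parsed YAML, differences in comments are no longer detected. Any non-zero exit from the helper, including a parse error or a missing file, is reported as "not up to date", so a short comment above the call stating that the check is semantic and why would help the next maintainer. The `for` loop closes outside the visible hunk.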

+ 7
- 0
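--- a/tools/process-templates.py
+++ b/tools/process-templates.py
@@ -328,9 +328,16 @@ def clean_templates(base_path, role_data_path, network_data_path):
         host_config_and_reboot_path = os.path.join(
             'extraconfig', 'pre_network',
             '%s-host_config_and_reboot.yaml' % role['name'].lower())
+        krb_service_principals_path = os.path.join(
+            'extraconfig', 'nova_metadata', 'krb-service-principals',
+            '%s-role.yaml' % role['name'].lower())
+        common_services_path = os.path.join(
+            'common', 'services', '%s-role.yaml' % role['name'].lower())
 
         delete(role_path)
         delete(host_config_and_reboot_path)
+        delete(krb_service_principals_path)
+        delete(common_services_path)
 
         nic_config_dir = os.path.join(base_path, 'network', 'config')
         for sample_nic_config_dir in os.listdir(nic_config_dir):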
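Review bot: `krb_service_principals_path` and `common_services_path` are built relative to the current working directory, like `host_config_and_reboot_path` just above them, while `nic_config_dir` a few lines later is rooted at `base_path`. Unless `delete()` resolves the path itself (it is defined outside this hunk), a clean run started from another directory would leave the generated per-role files behind. Rooting them the same way, e.g. `os.path.join(base_path, 'common', 'services', '%s-role.yaml' % role['name'].lower())`, would make cleanup independent of the working directory. `clean_templates` begins and ends outside the visible hunk, so how `role_path` is built could not be checked.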

+ 32
- 0
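--- /dev/null
+++ b/tools/yaml-diff.py
@@ -0,0 +1,32 @@
+#!/usr/bin/env python
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import sys
+import yaml
+
+if len(sys.argv) != 3:
+    raise RuntimeError('Not enough arguemnts')
+
+FILE_A = sys.argv[1]
+FILE_B = sys.argv[2]
+
+with open(FILE_A, 'r') as file_a:
+    a = yaml.safe_load(file_a)
+
+with open(FILE_B, 'r') as file_b:
+    b = yaml.safe_load(file_b)
+
+if a != b:
+    sys.exit("Files are different")
+
+sys.exit(0)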
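Review bot: The argument check raises `RuntimeError('Not enough arguemnts')`, which misspells "arguments", is also raised when too many arguments are given, and prints a traceback instead of a usage line; `sys.exit('Usage: yaml-diff.py FILE_A FILE_B')` would be clearer. Using `yaml.safe_load` is the right choice for files the tool does not control. Comparing the loaded objects ignores comments, and PyYAML keeps only the last value of a duplicated mapping key, so two files that differ only by a duplicated `resource_registry` key compare as equal. A module docstring stating that the comparison is semantic, with those two limits, would keep callers from treating it as a byte-level check. The script also has no handling for an unreadable or unparsable file, so those cases surface as tracebacks.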
