openstack/tripleo-heat-templates
Code Issues Proposed changes

[train-only] Make principal realms configuratble in certs

Browse Source 
The certificates specs for certmonger are configured in hiera
as 'service/host_fqdn'. Certmonger automatically happen
a default realm to it to look like 'service/host_fqdn/REALM'.

This discrepancy makes puppet think certificate resources
differ each time puppet apply is run, so puppet-certmonger
resubmit the certificates and this causes unecessary service
restart, which can be costly (e.g. mariadb).

All the principal to be configured with a user-defined realm,
and use uppercased cloud-domain by default (i.e. what
certmongers automatically happens by default).

Change-Id: I0a217b4a457881367de27414faca347e50f2db72
Related-Bug: #1906505
Depends-On: https://review.opendev.org/c/openstack/puppet-tripleo/+/822244
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
This commit is contained in:
Damien Ciabrini
2021-01-14 12:39:43 +01:00
committed by Grzegorz Grasza
parent f24ae3eae6
commit 34fd20704a
21 changed files with 44 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
deployment/apache/apache-baremetal-puppet.j2.yaml
View File

@@ -125,7 +125,7 @@ outputs:
service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt'
service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key'
hostname: "%{hiera('fqdn_NETWORK')}"
principal: "HTTP/%{hiera('fqdn_NETWORK')}"
principal: "HTTP/%{hiera('fqdn_NETWORK')}@%{hiera('certmonger_krb_realm')}"
postsave_cmd: "pkill -USR1 httpd"
key_size:
if:

2
deployment/ceph-ansible/ceph-grafana.yaml
View File

@@ -158,7 +158,7 @@ outputs:
NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
principal:
str_replace:
template: "ceph_grafana/%{hiera('fqdn_NETWORK')}"
template: "ceph_grafana/%{hiera('fqdn_NETWORK')}@%{hiera('certmonger_krb_realm')}"
params:
NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
postsave_cmd: "/usr/bin/certmonger-grafana-refresh.sh"

2
deployment/ceph-ansible/ceph-mgr.yaml
View File

@@ -151,7 +151,7 @@ outputs:
NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
principal:
str_replace:
template: "ceph_dashboard/%{hiera('fqdn_NETWORK')}"
template: "ceph_dashboard/%{hiera('fqdn_NETWORK')}@%{hiera('certmonger_krb_realm')}"
params:
NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
postsave_cmd: "/usr/bin/certmonger-dashboard-refresh.sh"

2
deployment/ceph-ansible/ceph-rgw.yaml
View File

@@ -188,7 +188,7 @@ outputs:
NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
principal:
str_replace:
template: "ceph_rgw/%{hiera('fqdn_NETWORK')}"
template: "ceph_rgw/%{hiera('fqdn_NETWORK')}@%{hiera('certmonger_krb_realm')}"
params:
NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
postsave_cmd: "/usr/bin/certmonger-rgw-refresh.sh"

19
deployment/certs/certmonger-user-baremetal-puppet.yaml
View File

@@ -51,6 +51,18 @@ parameters:
CertmongerQemuCA:
type: string
default: 'IPA'
CloudDomain:
default: 'localdomain'
type: string
description: >
The DNS domain used for the hosts. This must match the
overcloud_domain_name configured on the undercloud.
CertmongerKerberosRealm:
description: When EnableInternalTLS is true, this defines the realm
part of the Kerberos principals used to request certificates.
When not defined, it realm is the uppercased CloudDomain
type: string
default: ''
conditions:
@@ -69,6 +81,13 @@ outputs:
- tripleo::certmonger::ca::crl::crl_source: {get_param: DefaultCRLURL}
certmonger_ca_vnc: {get_param: CertmongerVncCA}
certmonger_ca_qemu: {get_param: CertmongerQemuCA}
certmonger_krb_realm:
if:
- {not: {equals: [{get_param: CertmongerKerberosRealm},'']}}
- {get_param: CertmongerKerberosRealm}
- yaql:
expression: $.data.toUpper()
data: {get_param: CloudDomain}
- {}
step_config: |
include ::tripleo::profile::base::certmonger_user

2
deployment/database/mysql-base.yaml
View File

@@ -177,7 +177,7 @@ outputs:
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
principal:
str_replace:
template: "mysql/%{hiera('fqdn_NETWORK')}"
template: "mysql/%{hiera('fqdn_NETWORK')}@%{hiera('certmonger_krb_realm')}"
params:
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
key_size:

2
deployment/database/redis-container-puppet.yaml
View File

@@ -120,7 +120,7 @@ outputs:
NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
principal:
str_replace:
template: "redis/%{hiera('fqdn_NETWORK')}"
template: "redis/%{hiera('fqdn_NETWORK')}@%{hiera('certmonger_krb_realm')}"
params:
NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
postsave_cmd: "/usr/bin/certmonger-redis-refresh.sh"

2
deployment/etcd/etcd-container-puppet.yaml
View File

@@ -129,7 +129,7 @@ outputs:
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
principal:
str_replace:
template: "etcd/%{hiera('fqdn_NETWORK')}"
template: "etcd/%{hiera('fqdn_NETWORK')}@%{hiera('certmonger_krb_realm')}"
params:
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
dnsnames:

2
deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml
View File

@@ -104,7 +104,7 @@ outputs:
dnsnames:
- "%{hiera('cloud_name_NETWORK')}"
- "%{hiera('fqdn_NETWORK')}"
principal: "haproxy/%{hiera('fqdn_NETWORK')}"
principal: "haproxy/%{hiera('fqdn_NETWORK')}@%{hiera('certmonger_krb_realm')}"
postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload NETWORK"
key_size:
if:

2
deployment/haproxy/haproxy-public-tls-certmonger.yaml
View File

@@ -88,7 +88,7 @@ outputs:
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
principal:
str_replace:
template: "haproxy/%{hiera('cloud_name_NETWORK')}"
template: "haproxy/%{hiera('cloud_name_NETWORK')}@%{hiera('certmonger_krb_realm')}"
params:
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload external"

2
deployment/metrics/qdr-container-puppet.yaml
View File

@@ -251,7 +251,7 @@ outputs:
ROLENAME: {get_param: RoleName}
principal:
str_replace:
template: "metrics_qdr/%{hiera('fqdn_NETWORK')}"
template: "metrics_qdr/%{hiera('fqdn_NETWORK')}@%{hiera('certmonger_krb_realm')}"
params:
NETWORK:
get_param:

2
deployment/neutron/neutron-api-container-puppet.yaml
View File

@@ -408,7 +408,7 @@ outputs:
NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
principal:
str_replace:
template: "neutron_ovn/%{hiera('fqdn_NETWORK')}"
template: "neutron_ovn/%{hiera('fqdn_NETWORK')}@%{hiera('certmonger_krb_realm')}"
params:
NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
key_size:

2
deployment/neutron/neutron-dhcp-container-puppet.yaml
View File

@@ -265,7 +265,7 @@ outputs:
NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
principal:
str_replace:
template: "neutron/%{hiera('fqdn_NETWORK')}"
template: "neutron/%{hiera('fqdn_NETWORK')}@%{hiera('certmonger_krb_realm')}"
params:
NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
postsave_cmd: "/usr/bin/certmonger-neutron-dhcpd-refresh.sh"

10
deployment/nova/nova-libvirt-container-puppet.yaml
View File

@@ -482,7 +482,7 @@ outputs:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "libvirt/%{hiera('fqdn_NETWORK')}"
template: "libvirt/%{hiera('fqdn_NETWORK')}@%{hiera('certmonger_krb_realm')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
libvirt-client-cert:
@@ -495,7 +495,7 @@ outputs:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "libvirt/%{hiera('fqdn_NETWORK')}"
template: "libvirt/%{hiera('fqdn_NETWORK')}@%{hiera('certmonger_krb_realm')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
key_size:
@@ -529,7 +529,7 @@ outputs:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "qemu/%{hiera('fqdn_NETWORK')}"
template: "qemu/%{hiera('fqdn_NETWORK')}@%{hiera('certmonger_krb_realm')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
key_size:
@@ -547,7 +547,7 @@ outputs:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "qemu/%{hiera('fqdn_NETWORK')}"
template: "qemu/%{hiera('fqdn_NETWORK')}@%{hiera('certmonger_krb_realm')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
key_size:
@@ -591,7 +591,7 @@ outputs:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}@%{hiera('certmonger_krb_realm')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
key_size:

4
deployment/nova/nova-vnc-proxy-container-puppet.yaml
View File

@@ -218,7 +218,7 @@ outputs:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}@%{hiera('certmonger_krb_realm')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
key_size:
@@ -236,7 +236,7 @@ outputs:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "novnc-proxy/%{hiera('fqdn_NETWORK')}"
template: "novnc-proxy/%{hiera('fqdn_NETWORK')}@%{hiera('certmonger_krb_realm')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
key_size:

2
deployment/octavia/providers/ovn-provider-config.yaml
View File

@@ -94,7 +94,7 @@ outputs:
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
principal:
str_replace:
template: "ovn_octavia/%{hiera('fqdn_NETWORK')}"
template: "ovn_octavia/%{hiera('fqdn_NETWORK')}@%{hiera('certmonger_krb_realm')}"
params:
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:

2
deployment/ovn/ovn-dbs-pacemaker-puppet.yaml
View File

@@ -188,7 +188,7 @@ outputs:
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
principal:
str_replace:
template: "ovn_dbs/%{hiera('fqdn_NETWORK')}"
template: "ovn_dbs/%{hiera('fqdn_NETWORK')}@%{hiera('certmonger_krb_realm')}"
params:
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:

2
deployment/ovn/ovn-metadata-container-puppet.yaml
View File

@@ -209,7 +209,7 @@ outputs:
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
principal:
str_replace:
template: "ovn_metadata/%{hiera('fqdn_NETWORK')}"
template: "ovn_metadata/%{hiera('fqdn_NETWORK')}@%{hiera('certmonger_krb_realm')}"
params:
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:

2
deployment/rabbitmq/rabbitmq-container-puppet.yaml
View File

@@ -214,7 +214,7 @@ outputs:
NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
principal:
str_replace:
template: "rabbitmq/%{hiera('fqdn_NETWORK')}"
template: "rabbitmq/%{hiera('fqdn_NETWORK')}@%{hiera('certmonger_krb_realm')}"
params:
NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh"

2
deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml
View File

@@ -164,7 +164,7 @@ outputs:
NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
principal:
str_replace:
template: "rabbitmq/%{hiera('fqdn_NETWORK')}"
template: "rabbitmq/%{hiera('fqdn_NETWORK')}@%{hiera('certmonger_krb_realm')}"
params:
NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh"

2
deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
View File

@@ -164,7 +164,7 @@ outputs:
NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
principal:
str_replace:
template: "rabbitmq/%{hiera('fqdn_NETWORK')}"
template: "rabbitmq/%{hiera('fqdn_NETWORK')}@%{hiera('certmonger_krb_realm')}"
params:
NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh"