support tripleo_etcd ansible role

This patch removes the tripleo-heat-templates dependency on puppet
for etcd configuration (i.e, t-h-t-> puppet-tripleo-> puppet-etcd) and
ensures that t-h-t relies on the new ansible role tripleo_etcd.

puppet etcd hiera data generation code is removed and ansible vars are
passed to the role directly.

puppet_config section is no longer needed.

Depends-On: Ia3cf58512c35cd1c2501c606df6fc0f4e4438120
Change-Id: Ic12715f17e831cb5e1ac8993408f85adcd01a312
This commit is contained in:
katarimanoj 2022-08-09 15:28:10 +05:30
parent f9a4495c96
commit 3b110bb1db
8 changed files with 340 additions and 6 deletions

View File

@ -0,0 +1,334 @@
heat_template_version: wallaby
description: >
Containerized etcd services
parameters:
ContainerEtcdImage:
description: image
type: string
tags:
- role_specific
ContainerEtcdConfigImage:
description: The container image to use for the etcd config_volume
type: string
tags:
- role_specific
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EtcdInitialClusterToken:
description: Initial cluster token for the etcd cluster during bootstrap.
type: string
hidden: true
EtcdInitialClusterState:
description: Initial cluster state ("new" or "existing"). The default value "new"
needs to be overridden only when an overcloud node is replaced, at
which time the value should be set to "existing".
type: string
default: 'new'
constraints:
- allowed_values: ['new', 'existing']
MonitoringSubscriptionEtcd:
default: 'overcloud-etcd'
type: string
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
Debug:
default: false
description: Set to True to enable debugging on all services.
type: boolean
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
EtcdCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
internal_tls_enabled: {get_param: EnableInternalTLS}
key_size_override_set:
not: {equals: [{get_param: EtcdCertificateKeySize}, '']}
resources:
ContainersCommon:
type: ../containers-common.yaml
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- ContainerEtcdImage: ContainerEtcdImage
ContainerEtcdConfigImage: ContainerEtcdConfigImage
- values: {get_param: [RoleParameters]}
- values:
ContainerEtcdImage: {get_param: ContainerEtcdImage}
ContainerEtcdConfigImage: {get_param: ContainerEtcdConfigImage}
outputs:
role_data:
description: Role data for the etcd role.
value:
service_name: etcd
firewall_rules:
'141 etcd':
dport:
- 2379
- 2380
firewall_frontend_rules:
'100 ectd_haproxy_frontend':
dport:
- 2379
monitoring_subscription: {get_param: MonitoringSubscriptionEtcd}
ansible_group_vars:
map_merge:
- tripleo_etcd_client_port: '2379'
tripleo_etcd_peer_port: '2380'
tripleo_etcd_debug: {get_param: Debug}
tripleo_etcd_initial_cluster_token: {get_param: EtcdInitialClusterToken}
tripleo_etcd_initial_cluster_state: {get_param: EtcdInitialClusterState}
tripleo_etcd_proxy: 'off'
- if:
- internal_tls_enabled
- tripleo_etcd_certificate_specs_service_certificate: '/etc/pki/tls/certs/etcd.crt'
tripleo_etcd_certificate_specs_service_key: '/etc/pki/tls/private/etcd.key'
tripleo_etcd_trusted_ca_file: {get_param: InternalTLSCAFile}
tripleo_etcd_peer_trusted_ca_file: {get_param: InternalTLSCAFile}
tripleo_etcd_enable_internal_tls: true
# This data generated below is needed during backend_url creation in puppet-tripleo
config_settings:
map_merge:
- if:
- internal_tls_enabled
- tripleo::profile::base::etcd::certificate_specs:
service_certificate: '/etc/pki/tls/certs/etcd.crt'
service_key: '/etc/pki/tls/private/etcd.key'
# BEGIN DOCKER SETTINGS
kolla_config:
/var/lib/kolla/config_files/etcd.json:
command: /usr/bin/etcd --config-file /etc/etcd/etcd.yml
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/lib/etcd
owner: etcd:etcd
recurse: true
- path: /etc/etcd/
owner: etcd:etcd
recurse: true
- path: /etc/pki/tls/certs/etcd.crt
owner: etcd:etcd
- path: /etc/pki/tls/private/etcd.key
owner: etcd:etcd
container_config_scripts:
etcd_update_members.sh:
mode: "0700"
content:
str_replace:
template: |
#!/bin/bash
echo "####################################"
echo "### $(date -u) ###"
source /etc/etcd/etcd.conf
export ETCDCTL_API=3
ETCDCTL="etcdctl TLS_OPTS --endpoints=${ETCD_LISTEN_CLIENT_URLS}"
# Ask etcd for the current list of members
eval $ETCDCTL member list | tr -d "," > /tmp/etcd-members
# etcdctl doesn't generate reliable error status, so use presence of the
# node's own name to determine whether this node is capable of managing
# etcd membership.
if ! grep -q $ETCD_NAME /tmp/etcd-members; then
echo "This is a new node that is unable to manage etcd membership"
exit 0
fi
# Remove old members. These are nodes in the current list of members
# that are *not* in the ETCD_INITIAL_CLUSTER.
while read id status name peers clients; do \
if [[ "${ETCD_INITIAL_CLUSTER}" != *"${name}=${peers}"* ]]; then
echo "Removing old member ${name} (ID ${id}) from the cluster"
eval $ETCDCTL member remove ${id}
fi
done < /tmp/etcd-members
# Add new members. These are nodes in the ETCD_INITIAL_CLUSTER that are
# not in the list of current members. ETCD_INITIAL_CLUSTER is a comma
# delimited list of "name=peers" tuples, so iterate over the list.
IFS=, ETCD_MEMBERS=(${ETCD_INITIAL_CLUSTER})
for member in ${ETCD_MEMBERS[@]}; do \
# Split the tuple
IFS='=' read name peers <<< $member
if ! grep -q "${name} ${peers}" /tmp/etcd-members; then
echo "Adding new member ${name} to the cluster"
eval $ETCDCTL member add ${name} --peer-urls=${peers}
fi
done
params:
TLS_OPTS:
if:
- internal_tls_enabled
- str_replace:
template: "--cacert=TLS_CA --cert=/etc/pki/tls/certs/etcd.crt --key=/etc/pki/tls/private/etcd.key"
params:
TLS_CA: {get_param: InternalTLSCAFile}
- ""
docker_config:
step_2:
etcd:
image: {get_attr: [RoleParametersValue, value, ContainerEtcdImage]}
net: host
privileged: false
restart: always
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/etcd:/var/lib/etcd
- /var/lib/kolla/config_files/etcd.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/ansible-generated/etcd:/var/lib/kolla/config_files/src
- /var/lib/container-config-scripts/etcd_update_members.sh:/etcd_update_members.sh:ro
- if:
- internal_tls_enabled
- - /etc/pki/tls/certs/etcd.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/etcd.crt:ro
- /etc/pki/tls/private/etcd.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/etcd.key:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
deploy_steps_tasks:
- name: Generate etcd configuration
when: step|int == 1
import_role:
name: tripleo_etcd
- list_concat:
- - name: Manage etcd cluster membership
vars:
initial_cluster_state: {get_param: EtcdInitialClusterState}
shell: |
"{{ container_cli }}" exec -ti -u root etcd /etcd_update_members.sh 2>&1 | \
tee -a /var/log/containers/stdouts/etcd_update_members.log
become: true
failed_when: false
when:
- step|int == 3
- initial_cluster_state == "existing"
- if:
- internal_tls_enabled
- - name: Certificate generation
when: step|int == 1
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: etcd
dns:
- str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
- str_replace:
template: "{{cloud_names.cloud_name_NETWORK}}"
params:
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
# etcd3 expects to use IP addresses, so add a SAN IP to its cert
ip:
str_replace:
template: "{{NETWORK_ip}}"
params:
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
principal:
str_replace:
template: "etcd/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
run_after: |
# cinder uses etcd, so its containers also need to be refreshed
container_names=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -E 'cinder|etcd')
service_crt="/etc/pki/tls/certs/etcd.crt"
service_key="/etc/pki/tls/private/etcd.key"
kolla_dir="/var/lib/kolla/config_files/src-tls"
# For each container, check whether the cert file needs to be updated.
# The check is necessary because the original THT design directly bind mounted
# the files to their final location, and did not copy them in via $kolla_dir.
# Regardless of whether the container is directly using the files, or a copy,
# there's no need to trigger a reload because the cert is not cached.
for container_name in ${container_names[*]}; do
{{container_cli}} exec -u root "$container_name" bash -c "
[[ -f ${kolla_dir}/${service_crt} ]] && cp ${kolla_dir}/${service_crt} $service_crt;
[[ -f ${kolla_dir}/${service_key} ]] && cp ${kolla_dir}/${service_key} $service_key;
true
"
done
key_size:
if:
- key_size_override_set
- {get_param: EtcdCertificateKeySize}
- {get_param: CertificateKeySize}
ca: ipa
host_prep_tasks:
- name: Prep host for etcd
import_role:
name: tripleo_etcd
tasks_from: host_prep
external_deploy_tasks:
if:
- internal_tls_enabled
- - name: check if ipa server has required permissions
when: step|int == 1
import_role:
name: tls_everywhere
tasks_from: ipa-server-check
upgrade_tasks: []
metadata_settings:
if:
- internal_tls_enabled
- - service: etcd
network: {get_param: [ServiceNetMap, EtcdNetwork]}
type: vip
- service: etcd
network: {get_param: [ServiceNetMap, EtcdNetwork]}
type: node

View File

@ -2,7 +2,7 @@ resource_registry:
# For A/A mode, do not run the cinder-volume service under pacemaker.
OS::TripleO::Services::CinderVolume: ../deployment/cinder/cinder-volume-container-puppet.yaml
# Cinder requires etcd for use as its Distributed Lock Manager (DLM).
OS::TripleO::Services::Etcd: ../deployment/etcd/etcd-container-puppet.yaml
OS::TripleO::Services::Etcd: ../deployment/etcd/etcd-container-ansible.yaml
parameter_defaults:
CinderVolumeCluster: tripleo

View File

@ -45,7 +45,7 @@ parameter_defaults:
resource_registry:
OS::TripleO::Services::CinderVolumeEdge: ../deployment/cinder/cinder-volume-container-puppet.yaml
OS::TripleO::Services::Etcd: ../deployment/etcd/etcd-container-puppet.yaml
OS::TripleO::Services::Etcd: ../deployment/etcd/etcd-container-ansible.yaml
OS::TripleO::Services::GlanceApiEdge: ../deployment/glance/glance-api-edge-container-puppet.yaml
OS::TripleO::Services::HAproxyEdge: ../deployment/haproxy/haproxy-edge-container-puppet.yaml
OS::TripleO::Services::NovaAZConfig: ../deployment/nova/nova-az-config.yaml

View File

@ -4,7 +4,7 @@ resource_registry:
OS::TripleO::Services::NeutronOvsAgent: OS::Heat::None
OS::TripleO::Services::ComputeNeutronOvsAgent: OS::Heat::None
OS::TripleO::Services::NeutronVppAgent: ../deployment/deprecated/neutron/neutron-vpp-agent-baremetal-puppet.yaml
OS::TripleO::Services::Etcd: ../deployment/etcd/etcd-container-puppet.yaml
OS::TripleO::Services::Etcd: ../deployment/etcd/etcd-container-ansible.yaml
# FIXME(bogdando): switch it, once it is containerized
OS::TripleO::Services::Vpp: ../deployment/deprecated/vpp/vpp-baremetal-puppet.yaml

View File

@ -1,2 +1,2 @@
resource_registry:
OS::TripleO::Services::Etcd: ../../deployment/etcd/etcd-container-puppet.yaml
OS::TripleO::Services::Etcd: ../../deployment/etcd/etcd-container-ansible.yaml

View File

@ -1,2 +1,2 @@
resource_registry:
OS::TripleO::Services::Etcd: ../../deployment/etcd/etcd-container-puppet.yaml
OS::TripleO::Services::Etcd: ../../deployment/etcd/etcd-container-ansible.yaml

View File

@ -53,5 +53,5 @@ environments:
GlanceEnabledImportMethods: web-download,copy-image
resource_registry:
<<: *dcn_resource_registry
OS::TripleO::Services::Etcd: ../deployment/etcd/etcd-container-puppet.yaml
OS::TripleO::Services::Etcd: ../deployment/etcd/etcd-container-ansible.yaml
OS::TripleO::Services::CinderVolumeEdge: ../deployment/cinder/cinder-volume-container-puppet.yaml