Merge "Deprecate novajoin"

Zuul 2020-10-01 18:14:49 +00:00 committed by Gerrit Code Review
commit 5540877689
12 changed files with 111 additions and 9 deletions


@ -87,7 +87,7 @@ parameters:
resources:
ContainersCommon:
type: ../containers-common.yaml
type: ../../containers-common.yaml
outputs:
role_data:


@ -165,3 +165,13 @@ outputs:
tripleo_ipa_keytab: {get_param: IdMNovaKeytab}
tripleo_ipa_hosts_to_delete:
- "{{ fqdn_canonical }}"
external_upgrade_tasks:
- when: step|int == 1
block:
- name: check if ipa server has required permissions
import_role:
name: tls_everywhere
tasks_from: ipa-server-check
tags:
- opendev-validation
- opendev-validation-tls-everywhere
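Review bot: The new `external_upgrade_tasks` block guarded by `when: step|int == 1` has no comment saying why an IPA-server permission check belongs in an undercloud upgrade; the release note elsewhere on this page is the only place explaining that the required permissions and ACIs need IPA admin rights and cannot be granted from THT. I would add above the `when:` line: `# Pre-upgrade check: tripleo-ipa needs IPA permissions/ACIs that only an IPA admin can grant, so verify them before the upgrade continues.` Whether `ipa-server-check` fails the play or only reports is not visible in this hunk; if it merely reports, the upgrade proceeds into a tripleo-ipa TLS-Everywhere setup that cannot enrol hosts, so the task should be fatal. The enclosing `role_data` output starts outside the hunk.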


@ -0,0 +1,60 @@
heat_template_version: rocky
description: Deletes novajoin containers from undercloud
parameters:
RoleNetIpMap:
default: {}
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
outputs:
role_data:
description: Role data for deleting novajoin containers from undercloud.
value:
service_name: undercloud-remove-novajoin
deploy_steps_tasks: []
upgrade_tasks:
- name: perform upgrade tasks in step 0
when: step|int == 0
block:
- name: Stop novajoin containers
import_role:
name: tripleo_container_stop
vars:
tripleo_containers_to_stop:
- novajoin_server
- novajoin_notifier
- name: Remove novajoin containers
import_role:
name: tripleo_container_rm
vars:
containers_to_rm:
- novajoin_server
- novajoin_notifier
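Review bot: The upgrade block is named `perform upgrade tasks in step 0`, which says nothing about what it does even though the template exists solely to stop and delete two containers; rename it `Stop and remove deprecated novajoin containers`. The template also carries no comment that it is mapped to `OS::Heat::None` by default and only activated through the new environment file (both visible in later hunks on this page), so a reader of this file alone cannot tell when it runs; a one-line comment under `description:` would fix that. As far as this hunk shows, only the `novajoin_server` and `novajoin_notifier` containers are removed and any novajoin configuration or credentials left on the undercloud are untouched; if that is intentional, the `description:` should say so.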


@ -1,4 +1,5 @@
# A Heat environment file which can be used to enable
# Barbican with the default secret store backend.
# Novajoin to provide registration for TLS-E.
# As of Victoria, this service has been deprecated.
resource_registry:
OS::TripleO::Services::Novajoin: ../../deployment/nova/novajoin-container-puppet.yaml
OS::TripleO::Services::Novajoin: ../../deployment/deprecated/novajoin/novajoin-container-puppet.yaml
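Review bot: The rewritten header comment states the service is deprecated as of Victoria but does not name its replacement, so an operator who still references this environment has to search for the alternative. Extend the last comment line to `# As of Victoria, this service has been deprecated; use environments/ssl/enable-internal-tls.j2.yaml, which now maps IpaClient to deployment/ipa/ipaservices-baremetal-ansible.yaml (tripleo-ipa), instead.` The correction of the first two comment lines, which previously described Barbican, is right.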


@ -0,0 +1,4 @@
# A Heat environment file which can be used to enable
# ipa services with an OTP provided
resource_registry:
OS::TripleO::Services::UndercloudRemoveNovajoin: ../../deployment/tls/undercloud-remove-novajoin.yaml
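Review bot: The header comment `# A Heat environment file which can be used to enable` / `# ipa services with an OTP provided` describes a different environment file and does not match the single mapping below it, which enables the undercloud novajoin-removal service. Replace it with `# A Heat environment file which enables the undercloud service that stops and removes the deprecated novajoin containers during upgrade.`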


@ -36,9 +36,7 @@ parameter_defaults:
resource_registry:
OS::TripleO::Services::CertmongerUser: ../../deployment/certs/certmonger-user-baremetal-puppet.yaml
OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml
OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaclient-baremetal-ansible.yaml
# FIXME(xek): after removal of novajoin, switch to using this service instead
# OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml
OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml
OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml
{%- for role in roles %}
OS::TripleO::{{role.name}}ServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/{{role.name.lower()}}-role.yaml


@ -210,6 +210,7 @@ resource_registry:
OS::TripleO::Services::SwiftRingBuilder: deployment/swift/swift-ringbuilder-container-puppet.yaml
OS::TripleO::Services::Snmp: deployment/snmp/snmp-baremetal-puppet.yaml
OS::TripleO::Services::Timezone: deployment/time/timezone-baremetal-ansible.yaml
OS::TripleO::Services::UndercloudRemoveNovajoin: OS::Heat::None
OS::TripleO::Services::UndercloudTLS: OS::Heat::None
OS::TripleO::Services::CeilometerAgentCentral: OS::Heat::None
OS::TripleO::Services::CeilometerAgentIpmi: OS::Heat::None


@ -0,0 +1,28 @@
---
prelude: >
This change deprecates the novajoin and the composable service that
enables TLS-Everywhere using novajoin. Instead, TLS Everywhere will be
implemented using the tripleo-ipa ansible module.
upgrade:
- This change deprecates novajoin and the service that depends on novajoin
to enable TLS-Everywhere. From now on, TLS-Everywhere will be set up
using the tripleo-ansible ansible module instead.
- When the undercloud is upgraded, for TLS Everywhere systems, a new
composable service will run to remove the novajoin containers.
- A pre-upgrade validation has been written to ensure that some necessary
permissions and ACIs have been added to the IPA server. As these changes
require admin privileges, they cannot be automated in THT.
- The environments/ssl/enable-internal-tls.j2.yaml file has been modified
to automatically point to the new service that implements TLS-Everywhere
using tripleo-ansible. Assuming you are adding this environment file to
your templates (which is typically the case when setting up
TLS-Everywhere) no other changes are required.
deprecations:
- This change deprecates novajoin, the service that deploys it on the
undercloud, and the corresponding service that implements TLS-Everywhere
using novajoin. TLS everywhere will be implemented from now on using
the tripleo-ipa ansible module instead.
- These services are novajoin-container-puppet.yaml and
ipaclient-baremetal-ansible.yaml
- On undercloud upgrade, a new composable service will remove the novajoin
and novajoin-notifier containers from the undercloud.


@ -44,6 +44,7 @@
- OS::TripleO::Services::HeatApiCfn
- OS::TripleO::Services::HeatEngine
- OS::TripleO::Services::UndercloudTLS
- OS::TripleO::Services::UndercloudRemoveNovajoin
- OS::TripleO::Services::IronicApi
- OS::TripleO::Services::IronicConductor
- OS::TripleO::Services::IronicInspector


@ -47,6 +47,7 @@
- OS::TripleO::Services::HeatApiCfn
- OS::TripleO::Services::HeatEngine
- OS::TripleO::Services::UndercloudTLS
- OS::TripleO::Services::UndercloudRemoveNovajoin
- OS::TripleO::Services::IronicApi
- OS::TripleO::Services::IronicConductor
- OS::TripleO::Services::IronicInspector


@ -64,9 +64,7 @@ environments:
OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml
# We use apache as a TLS proxy
# FIXME(bogdando): switch it, once it is containerized
OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaclient-baremetal-ansible.yaml
# FIXME(xek): after removal of novajoin, switch to using this service instead
# OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml
OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml
OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml
# Creates nova metadata that will create the extra service principals per
# node.
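Review bot: The comment pair `# We use apache as a TLS proxy` / `# FIXME(bogdando): switch it, once it is containerized` now sits directly above the new `OS::TripleO::Services::IpaClient` mapping rather than the `OS::TripleO::Services::TLSProxyBase` line it describes, which reads as if the FIXME applied to the IpaClient switch. Move those two comment lines so they immediately precede the `TLSProxyBase` mapping. The same IpaClient switch is made in the earlier j2 environment hunk starting `@ -36,9 +36,7 @@ parameter_defaults:`, which has no such comment placement issue.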