diff --git a/deployment/ipa/ipaclient-baremetal-ansible.yaml b/deployment/deprecated/novajoin/ipaclient-baremetal-ansible.yaml similarity index 100% rename from deployment/ipa/ipaclient-baremetal-ansible.yaml rename to deployment/deprecated/novajoin/ipaclient-baremetal-ansible.yaml diff --git a/deployment/nova/novajoin-container-puppet.yaml b/deployment/deprecated/novajoin/novajoin-container-puppet.yaml similarity index 99% rename from deployment/nova/novajoin-container-puppet.yaml rename to deployment/deprecated/novajoin/novajoin-container-puppet.yaml index 8753c7ce03..3b867f6ac2 100644 --- a/deployment/nova/novajoin-container-puppet.yaml +++ b/deployment/deprecated/novajoin/novajoin-container-puppet.yaml @@ -87,7 +87,7 @@ parameters: resources: ContainersCommon: - type: ../containers-common.yaml + type: ../../containers-common.yaml outputs: role_data: diff --git a/deployment/ipa/ipaservices-baremetal-ansible.yaml b/deployment/ipa/ipaservices-baremetal-ansible.yaml index c159fa0e6a..11b51897df 100644 --- a/deployment/ipa/ipaservices-baremetal-ansible.yaml +++ b/deployment/ipa/ipaservices-baremetal-ansible.yaml @@ -165,3 +165,13 @@ outputs: tripleo_ipa_keytab: {get_param: IdMNovaKeytab} tripleo_ipa_hosts_to_delete: - "{{ fqdn_canonical }}" + external_upgrade_tasks: + - when: step|int == 1 + block: + - name: check if ipa server has required permissions + import_role: + name: tls_everywhere + tasks_from: ipa-server-check + tags: + - opendev-validation + - opendev-validation-tls-everywhere diff --git a/deployment/tls/undercloud-remove-novajoin.yaml b/deployment/tls/undercloud-remove-novajoin.yaml new file mode 100644 index 0000000000..6231b7bad2 --- /dev/null +++ b/deployment/tls/undercloud-remove-novajoin.yaml 
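Review bot: The new `external_upgrade_tasks` block in ipaservices-baremetal-ansible.yaml carries no comment saying what `ipa-server-check` verifies or why it is pinned to `step|int == 1`; the task name is the only hint. The release note in this same change describes it as a pre-upgrade validation that the IPA server already has the permissions and ACIs tripleo-ipa needs, which an IPA admin must grant by hand, so that rationale belongs next to the task, e.g. `# Pre-upgrade validation: fails early if the IPA server lacks the permissions/ACIs tripleo-ipa needs (admin-granted, cannot be automated here)`. Whether the imported tasks actually fail the run or merely report cannot be seen from this hunk; if they only report, the upgrade would proceed against a misconfigured IPA server, so confirm that in the tls_everywhere role. The task name `check if ipa server has required permissions` is also the only lowercase task name in this change; the new undercloud-remove-novajoin template capitalises its task names. The enclosing `outputs`/`role_data` mapping begins outside the hunk.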
@@ -0,0 +1,60 @@ +heat_template_version: rocky + +description: Deletes novajoin containers from undercloud + +parameters: + RoleNetIpMap: + default: {} + type: json + ServiceData: + default: {} + description: Dictionary packing service data + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for deleting novajoin containers from undercloud. + value: + service_name: undercloud-remove-novajoin + deploy_steps_tasks: [] + upgrade_tasks: + - name: perform upgrade tasks in step 0 + when: step|int == 0 + block: + - name: Stop novajoin containers + import_role: + name: tripleo_container_stop + vars: + tripleo_containers_to_stop: + - novajoin_server + - novajoin_notifier + + - name: Remove novajoin containers + import_role: + name: tripleo_container_rm + vars: + containers_to_rm: + - novajoin_server + - novajoin_notifier diff --git a/environments/services/novajoin.yaml b/environments/services/novajoin.yaml index 3359e32261..762e75b996 100644 --- a/environments/services/novajoin.yaml +++ b/environments/services/novajoin.yaml 
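Review bot: The stop and remove steps in `upgrade_tasks` hand their container lists to the two roles under differently shaped variables: `tripleo_containers_to_stop` for tripleo_container_stop but the unprefixed `containers_to_rm` for tripleo_container_rm. If the rm role reads only a prefixed variable, the two novajoin containers would be stopped but never removed and nothing in this block would notice; confirm the name against the role's defaults and, if both spellings are accepted, use the prefixed one so the two steps read alike. `RoleNetIpMap` is also the only parameter in the new template without a `description`; the other parameters here all have one, so copy the description the sibling service templates use for it. A one-line `#` comment above `upgrade_tasks` stating that this runs once, at step 0, only on underclouds that previously ran novajoin would save the next reader a trip to the release note.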
@@ -1,4 +1,5 @@ # A Heat environment file which can be used to enable -# Barbican with the default secret store backend. +# Novajoin to provide registration for TLS-E. +# As of Victoria, this service has been deprecated. resource_registry: - OS::TripleO::Services::Novajoin: ../../deployment/nova/novajoin-container-puppet.yaml + OS::TripleO::Services::Novajoin: ../../deployment/deprecated/novajoin/novajoin-container-puppet.yaml diff --git a/environments/services/undercloud-remove-novajoin.yaml b/environments/services/undercloud-remove-novajoin.yaml new file mode 100644 index 0000000000..bd0236a18a --- /dev/null +++ b/environments/services/undercloud-remove-novajoin.yaml @@ -0,0 +1,4 @@ +# A Heat environment file which can be used to enable +# ipa services with an OTP provided +resource_registry: + OS::TripleO::Services::UndercloudRemoveNovajoin: ../../deployment/tls/undercloud-remove-novajoin.yaml diff --git a/environments/ssl/enable-internal-tls.j2.yaml b/environments/ssl/enable-internal-tls.j2.yaml index 1bec0f14e2..473ccad436 100644 --- a/environments/ssl/enable-internal-tls.j2.yaml +++ b/environments/ssl/enable-internal-tls.j2.yaml 
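Review bot: The header comment of the new environments/services/undercloud-remove-novajoin.yaml does not describe the file: it says the environment enables `ipa services with an OTP provided`, which reads like a copy from another environment file, while the only thing it does is map `OS::TripleO::Services::UndercloudRemoveNovajoin` to the template that removes the novajoin containers from the undercloud. Replace the two comment lines with `# A Heat environment file which enables the composable service that` and `# removes the novajoin containers from the undercloud on upgrade.`. The preceding hunk on this line, in environments/services/novajoin.yaml, gets its new comment right and also records the deprecation; a pointer there to the replacement (`ipaservices-baremetal-ansible.yaml`) would help operators who still include the old file.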
@@ -36,9 +36,7 @@ parameter_defaults: resource_registry: OS::TripleO::Services::CertmongerUser: ../../deployment/certs/certmonger-user-baremetal-puppet.yaml OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml - OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaclient-baremetal-ansible.yaml - # FIXME(xek): after removal of novajoin, switch to using this service instead - # OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml + OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml {%- for role in roles %} OS::TripleO::{{role.name}}ServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/{{role.name.lower()}}-role.yaml diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index 94a57f3193..81b5be930c 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml @@ -210,6 +210,7 @@ resource_registry: OS::TripleO::Services::SwiftRingBuilder: deployment/swift/swift-ringbuilder-container-puppet.yaml OS::TripleO::Services::Snmp: deployment/snmp/snmp-baremetal-puppet.yaml OS::TripleO::Services::Timezone: deployment/time/timezone-baremetal-ansible.yaml + OS::TripleO::Services::UndercloudRemoveNovajoin: OS::Heat::None OS::TripleO::Services::UndercloudTLS: OS::Heat::None OS::TripleO::Services::CeilometerAgentCentral: OS::Heat::None OS::TripleO::Services::CeilometerAgentIpmi: OS::Heat::None diff --git a/releasenotes/notes/deprecate-novajoin-ef06b1ca33a2b80c.yaml b/releasenotes/notes/deprecate-novajoin-ef06b1ca33a2b80c.yaml new file mode 100644 index 0000000000..9bb5adeddb --- /dev/null +++ b/releasenotes/notes/deprecate-novajoin-ef06b1ca33a2b80c.yaml 
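Review bot: `OS::TripleO::Services::UndercloudRemoveNovajoin` defaults to `OS::Heat::None` in overcloud-resource-registry-puppet.j2.yaml while the role files add it unconditionally, so the container removal only happens when something includes environments/services/undercloud-remove-novajoin.yaml. The release note states the containers are removed automatically on undercloud upgrade for TLS-Everywhere systems, which this repository alone does not make happen; presumably the undercloud installer adds that environment when TLS-E is enabled, but that should be confirmed and recorded, e.g. `# Opt-in via environments/services/undercloud-remove-novajoin.yaml (needed on TLS-Everywhere underclouds to drop the novajoin containers on upgrade)`. Without that, a TLS-E undercloud upgraded with the default registry keeps the deprecated novajoin containers running alongside the new tripleo-ipa setup.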
@@ -0,0 +1,28 @@ +--- +prelude: > + This change deprecates the novajoin and the composable service that + enables TLS-Everywhere using novajoin. Instead, TLS Everywhere will be + implemented using the tripleo-ipa ansible module. +upgrade: + - This change deprecates novajoin and the service that depends on novajoin + to enable TLS-Everywhere. From now on, TLS-Everywhere will be set up + using the tripleo-ansible ansible module instead. + - When the undercloud is upgraded, for TLS Everywhere systems, a new + composable service will run to remove the novajoin containers. + - A pre-upgrade validation has been written to ensure that some necessary + permissions and ACIs have been added to the IPA server. As these changes + require admin privileges, they cannot be automated in THT. + - The environments/ssl/enable-internal-tls.j2.yaml file has been modified + to automatically point to the new service that implements TLS-Everywhere + using tripleo-ansible. Assuming you are adding this environment file to + your templates (which is typically the case when setting up + TLS-Everywhere) no other changes are required. +deprecations: + - This change deprecates novajoin, the service that deploys it on the + undercloud, and the corresponding service that implements TLS-Everywhere + using novajoin. TLS everywhere will be implemented from now on using + the tripleo-ipa ansible module instead. + - These services are novajoin-container-puppet.yaml and + ipaclient-baremetal-ansible.yaml + - On undercloud upgrade, a new composable service will remove the novajoin + and novajoin-notifier containers from the undercloud. diff --git a/roles/Undercloud.yaml b/roles/Undercloud.yaml index 24fc18f68d..66a0e74a6c 100644 --- a/roles/Undercloud.yaml +++ b/roles/Undercloud.yaml 
@@ -44,6 +44,7 @@ - OS::TripleO::Services::HeatApiCfn - OS::TripleO::Services::HeatEngine - OS::TripleO::Services::UndercloudTLS + - OS::TripleO::Services::UndercloudRemoveNovajoin - OS::TripleO::Services::IronicApi - OS::TripleO::Services::IronicConductor - OS::TripleO::Services::IronicInspector diff --git a/roles_data_undercloud.yaml b/roles_data_undercloud.yaml index 4fbeaa1d01..beb41b72ba 100644 --- a/roles_data_undercloud.yaml +++ b/roles_data_undercloud.yaml @@ -47,6 +47,7 @@ - OS::TripleO::Services::HeatApiCfn - OS::TripleO::Services::HeatEngine - OS::TripleO::Services::UndercloudTLS + - OS::TripleO::Services::UndercloudRemoveNovajoin - OS::TripleO::Services::IronicApi - OS::TripleO::Services::IronicConductor - OS::TripleO::Services::IronicInspector diff --git a/sample-env-generator/ssl.yaml b/sample-env-generator/ssl.yaml index dc55dc1218..5993a71cc0 100644 --- a/sample-env-generator/ssl.yaml +++ b/sample-env-generator/ssl.yaml @@ -64,9 +64,7 @@ environments: OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml # We use apache as a TLS proxy # FIXME(bogdando): switch it, once it is containerized - OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaclient-baremetal-ansible.yaml - # FIXME(xek): after removal of novajoin, switch to using this service instead - # OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml + OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml # Creates nova metadata that will create the extra service principals per # node.
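Review bot: In sample-env-generator/ssl.yaml, once the two FIXME(xek) lines are dropped, the `# We use apache as a TLS proxy` / `# FIXME(bogdando): switch it, once it is containerized` pair still sits directly above `OS::TripleO::Services::IpaClient`, although it describes `OS::TripleO::Services::TLSProxyBase` two lines below. Since the hunk already rewrites this stretch, move the two comment lines down so they immediately precede the TLSProxyBase entry; the generated environments/ssl/enable-internal-tls.j2.yaml (earlier hunk) shows the registry entries without them, so only the generator source needs the change. The roles/Undercloud.yaml and roles_data_undercloud.yaml hunks on this line agree with each other, which is what the generated roles_data file requires.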