Merge "Deprecate novajoin"

deployment/deprecated/novajoin/novajoin-container-puppet.yaml

@@ -87,7 +87,7 @@ parameters:
 resources:
 
   ContainersCommon:
-    type: ../containers-common.yaml
+    type: ../../containers-common.yaml
 
 outputs:
   role_data:

deployment/ipa/ipaservices-baremetal-ansible.yaml

@@ -165,3 +165,13 @@ outputs:
                 tripleo_ipa_keytab: {get_param: IdMNovaKeytab}
                 tripleo_ipa_hosts_to_delete:
                   - "{{ fqdn_canonical }}"
+      external_upgrade_tasks:
+        - when: step|int == 1
+          block:
+            - name: check if ipa server has required permissions
+              import_role:
+                name: tls_everywhere
+                tasks_from: ipa-server-check
+              tags:
+                - opendev-validation
+                - opendev-validation-tls-everywhere

deployment/tls/undercloud-remove-novajoin.yaml

@@ -0,0 +1,60 @@
+heat_template_version: rocky
+
+description: Deletes novajoin containers from undercloud
+
+parameters:
+  RoleNetIpMap:
+    default: {}
+    type: json
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+
+outputs:
+  role_data:
+    description: Role data for deleting novajoin containers from undercloud.
+    value:
+      service_name: undercloud-remove-novajoin
+      deploy_steps_tasks: []
+      upgrade_tasks:
+        - name: perform upgrade tasks in step 0
+          when: step|int == 0
+          block:
+            - name: Stop novajoin containers
+              import_role:
+                name: tripleo_container_stop
+              vars:
+                tripleo_containers_to_stop:
+                   - novajoin_server
+                   - novajoin_notifier
+
+            - name: Remove novajoin containers
+              import_role:
+                name: tripleo_container_rm
+              vars:
+                containers_to_rm:
+                  - novajoin_server
+                  - novajoin_notifier

environments/services/novajoin.yaml

@@ -1,4 +1,5 @@
 # A Heat environment file which can be used to enable
-# Barbican with the default secret store backend.
+# Novajoin to provide registration for TLS-E.
+# As of Victoria, this service has been deprecated.
 resource_registry:
-  OS::TripleO::Services::Novajoin: ../../deployment/nova/novajoin-container-puppet.yaml
+  OS::TripleO::Services::Novajoin: ../../deployment/deprecated/novajoin/novajoin-container-puppet.yaml

environments/services/undercloud-remove-novajoin.yaml

@@ -0,0 +1,4 @@
+# A Heat environment file which can be used to enable
+# ipa services with an OTP provided
+resource_registry:
+   OS::TripleO::Services::UndercloudRemoveNovajoin: ../../deployment/tls/undercloud-remove-novajoin.yaml

environments/ssl/enable-internal-tls.j2.yaml

@@ -36,9 +36,7 @@ parameter_defaults:
 resource_registry:
   OS::TripleO::Services::CertmongerUser: ../../deployment/certs/certmonger-user-baremetal-puppet.yaml
   OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml
-  OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaclient-baremetal-ansible.yaml
+  OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml
-  # FIXME(xek): after removal of novajoin, switch to using this service instead
-  # OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml
   OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml
 {%- for role in roles %}
   OS::TripleO::{{role.name}}ServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/{{role.name.lower()}}-role.yaml

overcloud-resource-registry-puppet.j2.yaml

@@ -210,6 +210,7 @@ resource_registry:
   OS::TripleO::Services::SwiftRingBuilder: deployment/swift/swift-ringbuilder-container-puppet.yaml
   OS::TripleO::Services::Snmp: deployment/snmp/snmp-baremetal-puppet.yaml
   OS::TripleO::Services::Timezone: deployment/time/timezone-baremetal-ansible.yaml
+  OS::TripleO::Services::UndercloudRemoveNovajoin: OS::Heat::None
   OS::TripleO::Services::UndercloudTLS: OS::Heat::None
   OS::TripleO::Services::CeilometerAgentCentral: OS::Heat::None
   OS::TripleO::Services::CeilometerAgentIpmi: OS::Heat::None

releasenotes/notes/deprecate-novajoin-ef06b1ca33a2b80c.yaml

@@ -0,0 +1,28 @@
+---
+prelude: >
+    This change deprecates the novajoin and the composable service that
+    enables TLS-Everywhere using novajoin.  Instead, TLS Everywhere will be
+    implemented using the tripleo-ipa ansible module.
+upgrade:
+  - This change deprecates novajoin and the service that depends on novajoin
+    to enable TLS-Everywhere.  From now on, TLS-Everywhere will be set up
+    using the tripleo-ansible ansible module instead.
+  - When the undercloud is upgraded, for TLS Everywhere systems, a new
+    composable service will run to remove the novajoin containers.
+  - A pre-upgrade validation has been written to ensure that some necessary
+    permissions and ACIs have been added to the IPA server.  As these changes
+    require admin privileges, they cannot be automated in THT.
+  - The environments/ssl/enable-internal-tls.j2.yaml file has been modified
+    to automatically point to the new service that implements TLS-Everywhere
+    using tripleo-ansible.  Assuming you are adding this environment file to
+    your templates (which is typically the case when setting up
+    TLS-Everywhere) no other changes are required.
+deprecations:
+  - This change deprecates novajoin, the service that deploys it on the
+    undercloud, and the corresponding service that implements TLS-Everywhere
+    using novajoin.  TLS everywhere will be implemented from now on using
+    the tripleo-ipa ansible module instead.
+  - These services are novajoin-container-puppet.yaml and
+    ipaclient-baremetal-ansible.yaml
+  - On undercloud upgrade, a new composable service will remove the novajoin
+    and novajoin-notifier containers from the undercloud.

roles/Undercloud.yaml

@@ -44,6 +44,7 @@
     - OS::TripleO::Services::HeatApiCfn
     - OS::TripleO::Services::HeatEngine
     - OS::TripleO::Services::UndercloudTLS
+    - OS::TripleO::Services::UndercloudRemoveNovajoin
     - OS::TripleO::Services::IronicApi
     - OS::TripleO::Services::IronicConductor
     - OS::TripleO::Services::IronicInspector

roles_data_undercloud.yaml

@@ -47,6 +47,7 @@
     - OS::TripleO::Services::HeatApiCfn
     - OS::TripleO::Services::HeatEngine
     - OS::TripleO::Services::UndercloudTLS
+    - OS::TripleO::Services::UndercloudRemoveNovajoin
     - OS::TripleO::Services::IronicApi
     - OS::TripleO::Services::IronicConductor
     - OS::TripleO::Services::IronicInspector

sample-env-generator/ssl.yaml

@@ -64,9 +64,7 @@ environments:
       OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml
       # We use apache as a TLS proxy
       # FIXME(bogdando): switch it, once it is containerized
-      OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaclient-baremetal-ansible.yaml
+      OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml
-      # FIXME(xek): after removal of novajoin, switch to using this service instead
-      # OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml
       OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml
       # Creates nova metadata that will create the extra service principals per
       # node.