Simplify internal_tls_enabled conditions

We do not need to wrap a number of ansible tasks in an if: internal_tls_enabled
condition. enable_internal_tls is already defined as an ansible
fact in common/deploy-steps.j2:
enable_internal_tls: {get_param: EnableInternalTLS}

So when the service uses the enable_internal_tls condition and it points
to the EnableInternalTLS param, we can just use the ansible fact
directly. Note that if the enable_internal_tls condition points to
something other than the mere EnableInternalTLS param, we may not do this
cleanup.

Change-Id: Idb07cbc8fc3a4d73ff52c54d869310fd6c49b502
Michele Baldessari 2021-03-17 10:19:54 +01:00
parent bb81090ef1
commit 5e4c17acfb
13 changed files with 520 additions and 547 deletions


@ -133,42 +133,40 @@ outputs:
- null
upgrade_tasks: []
deploy_steps_tasks:
if:
- internal_tls_enabled
-
- name: Certificate generation
when: step|int == 1
block:
- name: Create dirs for certificates and keys
file:
path: "{{ item }}"
state: directory
serole: object_r
setype: cert_t
seuser: system_u
with_items:
- '/etc/pki/tls/certs/httpd'
- '/etc/pki/tls/private/httpd'
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
repeat:
template:
name: httpd-NETWORK
dns: "{{fqdn_NETWORK}}"
principal: "HTTP/{{fqdn_NETWORK}}@{{idm_realm}}"
run_after: |
cp /etc/pki/tls/certs/httpd-NETWORK.crt /etc/pki/tls/certs/httpd/httpd-NETWORK.crt
cp /etc/pki/tls/private/httpd-NETWORK.key /etc/pki/tls/private/httpd/httpd-NETWORK.key
pkill -USR1 httpd
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: ApacheCertificateKeySize}
ca: ipa
for_each:
NETWORK: {get_attr: [ApacheNetworks, value]}
- null
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- name: Create dirs for certificates and keys
file:
path: "{{ item }}"
state: directory
serole: object_r
setype: cert_t
seuser: system_u
with_items:
- '/etc/pki/tls/certs/httpd'
- '/etc/pki/tls/private/httpd'
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
repeat:
template:
name: httpd-NETWORK
dns: "{{fqdn_NETWORK}}"
principal: "HTTP/{{fqdn_NETWORK}}@{{idm_realm}}"
run_after: |
cp /etc/pki/tls/certs/httpd-NETWORK.crt /etc/pki/tls/certs/httpd/httpd-NETWORK.crt
cp /etc/pki/tls/private/httpd-NETWORK.key /etc/pki/tls/private/httpd/httpd-NETWORK.key
pkill -USR1 httpd
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: ApacheCertificateKeySize}
ca: ipa
for_each:
NETWORK: {get_attr: [ApacheNetworks, value]}
{%- endraw %}
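Review bot: The new `- enable_internal_tls` entry in the `when` list makes the task depend on that Ansible variable being defined and boolean-typed on every host at run time, whereas the removed Heat `internal_tls_enabled` condition resolved this at template time. The commit message says the fact is rendered from the boolean EnableInternalTLS param in common/deploy-steps.j2, so this presumably holds, but an explicit `- enable_internal_tls | bool` would keep the check unambiguous if the rendered value ever arrives as a string, since Ansible versions differ in how they evaluate bare string-valued conditionals. A consequence worth a line in the commit message is that on non-TLS deployments these "Certificate generation" tasks now appear as skipped instead of being absent from the playbook. The same point applies to every other file section of this commit (ceph grafana, ceph rgw, mysql, redis, metrics qdr, neutron dhcp, ovn controller/dbs/metadata and the three rabbitmq sections).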


@ -161,38 +161,36 @@ outputs:
type: node
- null
deploy_steps_tasks:
if:
- internal_tls_enabled
-
- name: Certificate generation
when: step|int == 1
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ceph_grafana
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
principal:
str_replace:
template: "ceph_grafana/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
run_after: |
# Get grafana systemd unit
grafana_unit=$(systemctl list-unit-files | awk '/grafana/ {print $1}')
# Restart the grafana systemd unit
if [ -z "$grafana_unit" ]; then
systemctl restart "$grafana_unit"
fi
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: GrafanaCertificateKeySize}
ca: ipa
- null
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ceph_grafana
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
principal:
str_replace:
template: "ceph_grafana/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
run_after: |
# Get grafana systemd unit
grafana_unit=$(systemctl list-unit-files | awk '/grafana/ {print $1}')
# Restart the grafana systemd unit
if [ -z "$grafana_unit" ]; then
systemctl restart "$grafana_unit"
fi
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: GrafanaCertificateKeySize}
ca: ipa
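Review bot: The restart guard in `run_after` is inverted: `if [ -z "$grafana_unit" ]` restarts only when no unit name was found (running `systemctl restart ""`) and skips the restart when one was, so a running grafana keeps serving the previous certificate after renewal. The parallel ceph_rgw section uses `-n`; change the line to `if [ -n "$grafana_unit" ]; then`. The defect predates this commit, but since the whole block is moved here this is the natural place to fix it.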


@ -174,43 +174,41 @@ outputs:
type: node
- null
deploy_steps_tasks:
if:
- internal_tls_enabled
-
- name: Certificate generation
when: step|int == 1
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ceph_rgw
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
principal:
str_replace:
template: "ceph_rgw/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
run_after: |
# Create PEM file
pemfile=/etc/pki/tls/certs/ceph_rgw.pem
cat /etc/pki/tls/certs/ceph_rgw.crt /etc/ipa/ca.crt /etc/pki/tls/private/ceph_rgw.key > $pemfile
chmod 0640 $pemfile
chown 472:472 $pemfile
# Get ceph rgw systemd unit
rgw_unit=$(systemctl list-unit-files | awk '/radosgw/ {print $1}')
# Restart the rgw systemd unit
if [ -n "$rgw_unit" ]; then
systemctl restart "$rgw_unit"
fi
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: CephRgwCertificateKeySize}
ca: ipa
- null
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ceph_rgw
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
principal:
str_replace:
template: "ceph_rgw/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
run_after: |
# Create PEM file
pemfile=/etc/pki/tls/certs/ceph_rgw.pem
cat /etc/pki/tls/certs/ceph_rgw.crt /etc/ipa/ca.crt /etc/pki/tls/private/ceph_rgw.key > $pemfile
chmod 0640 $pemfile
chown 472:472 $pemfile
# Get ceph rgw systemd unit
rgw_unit=$(systemctl list-unit-files | awk '/radosgw/ {print $1}')
# Restart the rgw systemd unit
if [ -n "$rgw_unit" ]; then
systemctl restart "$rgw_unit"
fi
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: CephRgwCertificateKeySize}
ca: ipa
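Review bot: `cat ... > $pemfile` writes the concatenated certificate and private key with the current umask before the following `chmod 0640` runs, so the PEM file containing the key can briefly be readable by other local users (0644 under a 022 umask). Create the file with its final mode and owner before filling it, e.g. `install -m 0640 -o 472 -g 472 /dev/null "$pemfile"` ahead of the `cat` line, after which the separate `chmod` and `chown` lines become redundant; quoting `$pemfile` would also match the rest of the script. The numeric `472:472` owner is presumably the rgw container's uid/gid — a short comment stating that would help the next reader. This predates the commit, which only moves the block.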


@ -174,35 +174,33 @@ outputs:
type: node
- null
deploy_steps_tasks:
if:
- internal_tls_enabled
-
- name: Certificate generation
when: step|int == 1
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: mysql
dns:
- str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
- str_replace:
template: "{{cloud_names.cloud_name_NETWORK}}"
params:
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
principal:
str_replace:
template: "mysql/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: MysqlCertificateKeySize}
ca: ipa
- null
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: mysql
dns:
- str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
- str_replace:
template: "{{cloud_names.cloud_name_NETWORK}}"
params:
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
principal:
str_replace:
template: "mysql/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: MysqlCertificateKeySize}
ca: ipa


@ -196,51 +196,49 @@ outputs:
type: node
- null
deploy_steps_tasks:
if:
- internal_tls_enabled
-
- name: Certificate generation
when: step|int == 1
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: redis
dns:
- str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
- str_replace:
template: "{{cloud_names.cloud_name_NETWORK}}"
params:
NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
principal:
str_replace:
template: "redis/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
run_after: |
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep redis_tls_proxy)
service_crt="/etc/pki/tls/certs/redis.crt"
service_key="/etc/pki/tls/private/redis.key"
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
# Set appropriate permissions
{{container_cli}} exec "$container_name" chown memcached:memcached "$service_crt"
{{container_cli}} exec "$container_name" chown memcached:memcached "$service_key"
# Trigger a reload for stunnel to read the new certificate
{{container_cli}} exec pkill -o -HUP stunnel
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: RedisCertificateKeySize}
ca: ipa
- null
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: redis
dns:
- str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
- str_replace:
template: "{{cloud_names.cloud_name_NETWORK}}"
params:
NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
principal:
str_replace:
template: "redis/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
run_after: |
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep redis_tls_proxy)
service_crt="/etc/pki/tls/certs/redis.crt"
service_key="/etc/pki/tls/private/redis.key"
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
# Set appropriate permissions
{{container_cli}} exec "$container_name" chown memcached:memcached "$service_crt"
{{container_cli}} exec "$container_name" chown memcached:memcached "$service_key"
# Trigger a reload for stunnel to read the new certificate
{{container_cli}} exec pkill -o -HUP stunnel
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: RedisCertificateKeySize}
ca: ipa
host_prep_tasks:
- name: create persistent directories
file:
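Review bot: The reload step `{{container_cli}} exec pkill -o -HUP stunnel` in `run_after` passes `pkill` where `exec` expects the container name, so the command fails and the stunnel proxy keeps serving the old certificate until something else restarts it; the line should read `{{container_cli}} exec "$container_name" pkill -o -HUP stunnel`. The two `chown memcached:memcached` lines for the redis certificate and key look copied from a memcached block — presumably redis_tls_proxy runs stunnel as that user, but that is worth confirming. Both points predate this commit, which moves the block without touching it.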


@ -327,59 +327,57 @@ outputs:
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
deploy_steps_tasks:
if:
- internal_tls_enabled
-
- name: Certificate generation
when: step|int == 1
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: metrics_qdr
dns:
str_replace:
template: "{{fqdn_NETWORK}}"
params:
NETWORK:
get_param:
- ServiceNetMap
- str_replace:
template: "ROLENAMEMetricsQdrNetwork"
params:
ROLENAME: {get_param: RoleName}
principal:
str_replace:
template: "metrics_qdr/{{fqdn_NETWORK}}@{{idm_realm}}"
params:
NETWORK:
get_param:
- ServiceNetMap
- str_replace:
template: "ROLENAMEMetricsQdrNetwork"
params:
ROLENAME: {get_param: RoleName}
run_after: |
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep metrics_qdr)
service_crt="/etc/pki/tls/certs/metrics_qdr.crt"
service_key="/etc/pki/tls/private/metrics_qdr.key
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
# Copy the new key from the mount-point to the real path
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
# Set appropriate permissions
{{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_crt"
{{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_key"
# Trigger a container restart to read the new certificate
{{container_cli}} restart "$container_name"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: QdrCertificateKeySize}
ca: ipa
- null
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: metrics_qdr
dns:
str_replace:
template: "{{fqdn_NETWORK}}"
params:
NETWORK:
get_param:
- ServiceNetMap
- str_replace:
template: "ROLENAMEMetricsQdrNetwork"
params:
ROLENAME: {get_param: RoleName}
principal:
str_replace:
template: "metrics_qdr/{{fqdn_NETWORK}}@{{idm_realm}}"
params:
NETWORK:
get_param:
- ServiceNetMap
- str_replace:
template: "ROLENAMEMetricsQdrNetwork"
params:
ROLENAME: {get_param: RoleName}
run_after: |
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep metrics_qdr)
service_crt="/etc/pki/tls/certs/metrics_qdr.crt"
service_key="/etc/pki/tls/private/metrics_qdr.key
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
# Copy the new key from the mount-point to the real path
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
# Set appropriate permissions
{{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_crt"
{{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_key"
# Trigger a container restart to read the new certificate
{{container_cli}} restart "$container_name"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: QdrCertificateKeySize}
ca: ipa
host_prep_tasks:
- name: create persistent logs directory
file:
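Review bot: `service_key="/etc/pki/tls/private/metrics_qdr.key` in `run_after` has no closing quote, so the shell string runs on across the following comment and command lines until the next `"`, and the key copy and chown do not operate on the intended path. Add the missing quote: `service_key="/etc/pki/tls/private/metrics_qdr.key"`. The defect is present on the old side as well; this commit moves the block without fixing it.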


@ -382,47 +382,45 @@ outputs:
type: node
- null
deploy_steps_tasks:
if:
- internal_tls_enabled
-
- name: Certificate generation
when: step|int == 1
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: neutron
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
principal:
str_replace:
template: "neutron/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
run_after: |
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep neutron_dhcp)
# The certificate is also installed on the computes, but neutron_dhcp is only
# present on the controllers, so we exit if the container could not be found.
[[ -z $container_name ]] && exit 0
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: neutron
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
principal:
str_replace:
template: "neutron/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
run_after: |
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep neutron_dhcp)
# The certificate is also installed on the computes, but neutron_dhcp is only
# present on the controllers, so we exit if the container could not be found.
[[ -z $container_name ]] && exit 0
service_crt="/etc/pki/tls/certs/neutron.crt"
service_key="/etc/pki/tls/private/neutron.key"
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
# Copy the new key from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key "$service_key"
# No need to trigger a reload for neutron dhcpd since the cert is not cached
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: NeutronDhcpCertificateKeySize}
ca: ipa
- null
service_crt="/etc/pki/tls/certs/neutron.crt"
service_key="/etc/pki/tls/private/neutron.key"
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
# Copy the new key from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key "$service_key"
# No need to trigger a reload for neutron dhcpd since the cert is not cached
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: NeutronDhcpCertificateKeySize}
ca: ipa
host_prep_tasks:
list_concat:
- {get_attr: [NeutronLogging, host_prep_tasks]}
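Review bot: The key copy line `cp "/var/lib/kolla/config_files/src-tls$service_key "$service_key"` is missing the closing quote after `src-tls$service_key`, so the source and destination arguments the shell sees are not the two paths the comment above describes. It should read `{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"`, matching the certificate copy line just above it. This predates the commit, which only moves the block.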


@ -291,34 +291,32 @@ outputs:
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
deploy_steps_tasks:
if:
- internal_tls_enabled
-
- name: Certificate generation
when: step|int == 1
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ovn_controller
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
principal:
str_replace:
template: "ovn_controller/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: ContainerOvnCertificateKeySize}
ca: ipa
- null
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ovn_controller
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
principal:
str_replace:
template: "ovn_controller/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: ContainerOvnCertificateKeySize}
ca: ipa
host_prep_tasks:
- name: create persistent directories
file:


@ -228,57 +228,54 @@ outputs:
- { 'path': /var/log/containers/openvswitch, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/openvswitch/ovn, 'setype': container_file_t }
deploy_steps_tasks:
list_concat:
- - name: OVN DBS tag container image for pacemaker
when: step|int == 1
- name: OVN DBS tag container image for pacemaker
when: step|int == 1
import_role:
name: tripleo_container_tag
vars:
container_image: {get_param: ContainerOvnDbsImage}
container_image_latest: *ovn_dbs_image_pcmklatest
- name: OVNDbs HA Wrappers Step
when: step|int == 3
block: &ovn_dbs_puppet_bundle
- name: Ovn dbs puppet bundle
import_role:
name: tripleo_container_tag
name: tripleo_ha_wrapper
vars:
container_image: {get_param: ContainerOvnDbsImage}
container_image_latest: *ovn_dbs_image_pcmklatest
- name: OVNDbs HA Wrappers Step
when: step|int == 3
block: &ovn_dbs_puppet_bundle
- name: Ovn dbs puppet bundle
import_role:
name: tripleo_ha_wrapper
vars:
tripleo_ha_wrapper_service_name: ovn_dbs
tripleo_ha_wrapper_resource_name: ovndbs_servers
tripleo_ha_wrapper_bundle_name: ovn-dbs-bundle
tripleo_ha_wrapper_resource_state: Slave Master
tripleo_ha_wrapper_puppet_config_volume: ovn_dbs
tripleo_ha_wrapper_puppet_execute: 'include ::tripleo::profile::base::pacemaker; include ::tripleo::profile::pacemaker::ovn_dbs_bundle'
tripleo_ha_wrapper_puppet_tags: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
tripleo_ha_wrapper_puppet_debug: {get_param: ConfigDebug}
- if:
- internal_tls_enabled
-
- name: Certificate generation
when: step|int == 1
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ovn_dbs
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
principal:
str_replace:
template: "ovn_dbs/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: OvnDBSCertificateKeySize}
ca: ipa
- []
tripleo_ha_wrapper_service_name: ovn_dbs
tripleo_ha_wrapper_resource_name: ovndbs_servers
tripleo_ha_wrapper_bundle_name: ovn-dbs-bundle
tripleo_ha_wrapper_resource_state: Slave Master
tripleo_ha_wrapper_puppet_config_volume: ovn_dbs
tripleo_ha_wrapper_puppet_execute: 'include ::tripleo::profile::base::pacemaker; include ::tripleo::profile::pacemaker::ovn_dbs_bundle'
tripleo_ha_wrapper_puppet_tags: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
tripleo_ha_wrapper_puppet_debug: {get_param: ConfigDebug}
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ovn_dbs
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
principal:
str_replace:
template: "ovn_dbs/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: OvnDBSCertificateKeySize}
ca: ipa
update_tasks:
- name: Tear-down non-HA ovn-dbs containers
when:


@ -336,34 +336,32 @@ outputs:
type: node
- null
deploy_steps_tasks:
if:
- internal_tls_enabled
-
- name: Certificate generation
when: step|int == 1
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ovn_metadata
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
principal:
str_replace:
template: "ovn_metadata/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: OvnMetadataCertificateKeySize}
ca: ipa
- null
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ovn_metadata
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
principal:
str_replace:
template: "ovn_metadata/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: OvnMetadataCertificateKeySize}
ca: ipa
host_prep_tasks:
list_concat:
- {get_attr: [NeutronLogging, host_prep_tasks]}


@ -335,59 +335,57 @@ outputs:
type: node
- null
deploy_steps_tasks:
if:
- internal_tls_enabled
-
- name: Certificate generation
when: step|int == 1
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: rabbitmq
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
principal:
str_replace:
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
run_after: |
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
service_key="/etc/pki/tls/private/rabbitmq.key"
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
# lp#1917868: Do not use podman cp with HA containers as they get
# frozen temporarily and that can make pacemaker operation fail.
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
# no need to update the mount point, because pacemaker
# recreates the container when it's restarted
else
# Refresh the cert at the mount-point
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
# Refresh the key at the mount-point
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
# Copy the new key from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
fi
# Set appropriate permissions
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
# Trigger a pem cache clear in RabbitMQ to read the new certificates
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: RabbitmqCertificateKeySize}
ca: ipa
- null
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: rabbitmq
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
principal:
str_replace:
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
run_after: |
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
service_key="/etc/pki/tls/private/rabbitmq.key"
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
# lp#1917868: Do not use podman cp with HA containers as they get
# frozen temporarily and that can make pacemaker operation fail.
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
# no need to update the mount point, because pacemaker
# recreates the container when it's restarted
else
# Refresh the cert at the mount-point
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
# Refresh the key at the mount-point
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
# Copy the new key from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
fi
# Set appropriate permissions
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
# Trigger a pem cache clear in RabbitMQ to read the new certificates
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: RabbitmqCertificateKeySize}
ca: ipa
host_prep_tasks:
- name: create persistent directories
file:
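Review bot: In the non-bundle branch of `run_after`, `{{container_cli}} cp $service_crt "$container_name:..."` and the matching key line leave `$service_crt` and `$service_key` unquoted, unlike every other use of those variables in the script. `{{container_cli}} cp "$service_crt" "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"` (and likewise for the key) keeps the quoting consistent. The same two lines appear in the OsloMessagingNotify and OsloMessagingRpc rabbitmq sections below.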


@ -270,59 +270,57 @@ outputs:
type: node
- null
deploy_steps_tasks:
if:
- internal_tls_enabled
-
- name: Certificate generation
when: step|int == 1
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: rabbitmq
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
principal:
str_replace:
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
run_after: |
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
service_key="/etc/pki/tls/private/rabbitmq.key"
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
# lp#1917868: Do not use podman cp with HA containers as they get
# frozen temporarily and that can make pacemaker operation fail.
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
# no need to update the mount point, because pacemaker
# recreates the container when it's restarted
else
# Refresh the cert at the mount-point
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
# Refresh the key at the mount-point
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
# Copy the new key from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
fi
# Set appropriate permissions
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
# Trigger a pem cache clear in RabbitMQ to read the new certificates
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: RabbitmqMessageCertificateKeySize}
ca: ipa
- null
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: rabbitmq
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
principal:
str_replace:
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
run_after: |
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
service_key="/etc/pki/tls/private/rabbitmq.key"
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
# lp#1917868: Do not use podman cp with HA containers as they get
# frozen temporarily and that can make pacemaker operation fail.
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
# no need to update the mount point, because pacemaker
# recreates the container when it's restarted
else
# Refresh the cert at the mount-point
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
# Refresh the key at the mount-point
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
# Copy the new key from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
fi
# Set appropriate permissions
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
# Trigger a pem cache clear in RabbitMQ to read the new certificates
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: RabbitmqMessageCertificateKeySize}
ca: ipa
host_prep_tasks:
- name: create persistent directories
file:


@ -270,59 +270,57 @@ outputs:
type: node
- null
deploy_steps_tasks:
if:
- internal_tls_enabled
-
- name: Certificate generation
when: step|int == 1
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: rabbitmq
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
principal:
str_replace:
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
run_after: |
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
service_key="/etc/pki/tls/private/rabbitmq.key"
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
# lp#1917868: Do not use podman cp with HA containers as they get
# frozen temporarily and that can make pacemaker operation fail.
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
# no need to update the mount point, because pacemaker
# recreates the container when it's restarted
else
# Refresh the cert at the mount-point
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
# Refresh the key at the mount-point
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
# Copy the new key from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
fi
# Set appropriate permissions
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
# Trigger a pem cache clear in RabbitMQ to read the new certificates
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: RpcCertificateKeySize}
ca: ipa
- null
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: rabbitmq
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
principal:
str_replace:
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
run_after: |
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
service_key="/etc/pki/tls/private/rabbitmq.key"
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
# lp#1917868: Do not use podman cp with HA containers as they get
# frozen temporarily and that can make pacemaker operation fail.
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
# no need to update the mount point, because pacemaker
# recreates the container when it's restarted
else
# Refresh the cert at the mount-point
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
# Refresh the key at the mount-point
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
# Copy the new key from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
fi
# Set appropriate permissions
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
# Trigger a pem cache clear in RabbitMQ to read the new certificates
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: RpcCertificateKeySize}
ca: ipa
host_prep_tasks:
- name: create persistent directories
file: