cinder_api needs etcd certs inside the container

When doing A/A we need the etcd certs in the cinder_api container
otherwise we fail with:
[Mon Aug 16 15:28:58.945345 2021] [wsgi:error] [pid 12] [remote 172.30.1.1:48082] File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 416, in send
[Mon Aug 16 15:28:58.945347 2021] [wsgi:error] [pid 12] [remote 172.30.1.1:48082] self.cert_verify(conn, request.url, verify, cert)
[Mon Aug 16 15:28:58.945351 2021] [wsgi:error] [pid 12] [remote 172.30.1.1:48082] File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 250, in cert_verify
[Mon Aug 16 15:28:58.945354 2021] [wsgi:error] [pid 12] [remote 172.30.1.1:48082] "invalid path: {}".format(conn.cert_file))
[Mon Aug 16 15:28:58.945370 2021] [wsgi:error] [pid 12] [remote 172.30.1.1:48082] OSError: Could not find the TLS certificate file, invalid path: /etc/pki/tls/certs/etcd.crt

After this change I correctly see the certs in the containers:
[root@ctrl-1-0 ~]# podman exec -it cinder_api sh -c 'ls -lR /etc/pki/tls' |grep etcd
-rw-------. 1 cinder cinder 1907 Aug 16 19:47 etcd.crt
-rw-------. 1 cinder cinder 1708 Aug 16 19:47 etcd.key

And am able to create a cinder A/A volume.

We remove the following two bind mounts:
- /var/lib/config-data/puppet-generated/cinder:/var/lib/kolla/config_files/src:ro
- /var/log/containers/cinder:/var/log/cinder:z

Because they are contained in cinder_common_volumes, which will also
bind mount the etcd certs appropriately when needed. Since
cinder_common_volumes also contains ContainersCommon -> volumes
we are not removing any bind mount.

Likely removed by accident via I0e3d5748a50937880a55413b75fe6eca479c9160

Closes-Bug: #1940306

Change-Id: Ife89262675eefb645e61e6d029b4846f1a33a677
This commit is contained in:
Michele Baldessari 2021-08-16 19:03:31 +02:00
parent c73ecb196c
commit 72a12aa833

@ -317,10 +317,8 @@ outputs:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [CinderCommon, cinder_common_volumes]}
- - /var/lib/kolla/config_files/cinder_api.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/cinder:/var/lib/kolla/config_files/src:ro
- /var/log/containers/cinder:/var/log/cinder:z
- /var/log/containers/httpd/cinder-api:/var/log/httpd:z
- if:
- {get_param: EnableInternalTLS}
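Review bot: at the `- {get_attr: [CinderCommon, cinder_common_volumes]}` entry at the top of `list_concat`, nothing in the template records that this one list now supplies the ContainersCommon volumes, the puppet-generated config and /var/log/cinder mounts, and the etcd certs. A later cleanup could swap or drop it again, which the commit message says is likely how the regression happened. Suggest a short YAML comment above that line naming what cinder_common_volumes carries. Also confirm that the `/var/lib/kolla/config_files/src` mount it provides is still `:ro`, since the explicit `:ro` entry for it goes away in this hunk.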