From 72a12aa83317bab601747582aed4c1989cb9db48 Mon Sep 17 00:00:00 2001 
From: Michele Baldessari
Date: Mon, 16 Aug 2021 19:03:31 +0200
Subject: [PATCH] cinder_api needs etcd certs inside the container

When doing A/A we need the etcd certs in the cinder_api container
otherwise we fail with:

[Mon Aug 16 15:28:58.945345 2021] [wsgi:error] [pid 12] [remote 172.30.1.1:48082] File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 416, in send
[Mon Aug 16 15:28:58.945347 2021] [wsgi:error] [pid 12] [remote 172.30.1.1:48082] self.cert_verify(conn, request.url, verify, cert)
[Mon Aug 16 15:28:58.945351 2021] [wsgi:error] [pid 12] [remote 172.30.1.1:48082] File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 250, in cert_verify
[Mon Aug 16 15:28:58.945354 2021] [wsgi:error] [pid 12] [remote 172.30.1.1:48082] "invalid path: {}".format(conn.cert_file))
[Mon Aug 16 15:28:58.945370 2021] [wsgi:error] [pid 12] [remote 172.30.1.1:48082] OSError: Could not find the TLS certificate file, invalid path: /etc/pki/tls/certs/etcd.crt

After this change I correctly see the certs in the containers:

[root@ctrl-1-0 ~]# podman exec -it cinder_api sh -c 'ls -lR /etc/pki/tls' |grep etcd
-rw-------. 1 cinder cinder 1907 Aug 16 19:47 etcd.crt
-rw-------. 1 cinder cinder 1708 Aug 16 19:47 etcd.key

And am able to create a cinder A/A volume.

We remove the following two bind mounts:
- /var/lib/config-data/puppet-generated/cinder:/var/lib/kolla/config_files/src:ro
- /var/log/containers/cinder:/var/log/cinder:z

Because they are contained in cinder_common_volumes, which will also
bind mount the etcd certs appropriately when needed. Since
cinder_common_volumes also contains ContainersCommon -> volumes we are
not removing any bind mount.

Likely removed by accident via I0e3d5748a50937880a55413b75fe6eca479c9160

Closes-Bug: #1940306
Change-Id: Ife89262675eefb645e61e6d029b4846f1a33a677
---
 deployment/cinder/cinder-api-container-puppet.yaml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/deployment/cinder/cinder-api-container-puppet.yaml b/deployment/cinder/cinder-api-container-puppet.yaml index d09e9ebbb3..5bbca020f7 100644 --- a/deployment/cinder/cinder-api-container-puppet.yaml +++ b/deployment/cinder/cinder-api-container-puppet.yaml @@ -317,10 +317,8 @@ outputs: test: /openstack/healthcheck volumes: list_concat: - - {get_attr: [ContainersCommon, volumes]} + - {get_attr: [CinderCommon, cinder_common_volumes]} - - /var/lib/kolla/config_files/cinder_api.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/puppet-generated/cinder:/var/lib/kolla/config_files/src:ro - - /var/log/containers/cinder:/var/log/cinder:z - /var/log/containers/httpd/cinder-api:/var/log/httpd:z - if: - {get_param: EnableInternalTLS}
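
Review bot: The new first entry of `list_concat`, `{get_attr: [CinderCommon, cinder_common_volumes]}`, now has to supply three things this hunk used to state explicitly (the ContainersCommon volumes, the `puppet-generated/cinder` source mount with `:ro`, and the `/var/log/cinder` mount with `:z`), but the definition of `cinder_common_volumes` is not part of this diff, so the equivalence rests on the commit message alone. Please confirm against the CinderCommon template that both removed mounts appear there with the same modes, and that the etcd cert and key are bind mounted only "when needed" as the message says, since this change places the etcd client key inside the API container. Because the message notes the reference was likely removed by accident before, a short YAML comment above the `get_attr` line saying that it provides the etcd certs for A/A would help keep it from being dropped again.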