Revamp how etcd's cert and key are handled in containers
Use kolla_config to merge etcd's cert and key files into containers, and set the ownership so the corresponding service can read the files. Previously, etcd's cert and key files were directly bind mounted in the etcd and cinder containers that need the files. An ACL was added to ensure the corresponding services had read access to the files on the host, which are owned by root. The ACL was cumbersome, and required hardcoding the UID of each service. Change-Id: Ic606e751cb046c34d33a94a2acd4313f4043441f Depends-On: I0ea26253355a57b3721bfa6ceef3972eaabc5b1d
parent
f353a65f55
commit
7bcdd2448b
@ -263,10 +263,19 @@ outputs:
|
||||
dest: "/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
- source: "/var/lib/kolla/config_files/src-tls/*"
|
||||
dest: "/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
optional: true
|
||||
permissions:
|
||||
- path: /var/log/cinder
|
||||
owner: cinder:cinder
|
||||
recurse: true
|
||||
- path: /etc/pki/tls/certs/etcd.crt
|
||||
owner: cinder:cinder
|
||||
- path: /etc/pki/tls/private/etcd.key
|
||||
owner: cinder:cinder
|
||||
/var/lib/kolla/config_files/cinder_api_cron.json:
|
||||
command: /usr/sbin/crond -n
|
||||
config_files:
|
||||
|
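Review bot: The new permissions entry for `/etc/pki/tls/private/etcd.key` sets only `owner: cinder:cinder`, so the private key's mode inside the container is whatever `preserve_properties: true` carried over from the host file, and the host mode is not visible on this page. The ceph keyring entry added alongside the same change in the cinder-backup and cinder-volume hunks pins its mode with `perm: '0600'`; the key entry should do likewise, `perm: '0600'`, so a permissive host mode cannot turn into a group- or world-readable private key in the container. The same applies to the etcd.key entries in the cinder-backup, cinder-scheduler, cinder-volume and etcd hunks below. The enclosing kolla_config mapping starts above this hunk.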
@ -166,6 +166,11 @@ outputs:
|
||||
dest: "/etc/iscsi/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
- source: "/var/lib/kolla/config_files/src-tls/*"
|
||||
dest: "/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
optional: true
|
||||
permissions:
|
||||
- path: /var/lib/cinder
|
||||
owner: cinder:cinder
|
||||
@ -181,6 +186,10 @@ outputs:
|
||||
USER: {get_param: CephClientUserName}
|
||||
owner: cinder:cinder
|
||||
perm: '0600'
|
||||
- path: /etc/pki/tls/certs/etcd.crt
|
||||
owner: cinder:cinder
|
||||
- path: /etc/pki/tls/private/etcd.key
|
||||
owner: cinder:cinder
|
||||
docker_config:
|
||||
step_3:
|
||||
cinder_backup_init_logs:
|
||||
|
@ -163,6 +163,11 @@ outputs:
|
||||
dest: "/etc/iscsi/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
- source: "/var/lib/kolla/config_files/src-tls/*"
|
||||
dest: "/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
optional: true
|
||||
permissions:
|
||||
- path: /var/lib/cinder
|
||||
owner: cinder:cinder
|
||||
@ -170,6 +175,10 @@ outputs:
|
||||
- path: /var/log/cinder
|
||||
owner: cinder:cinder
|
||||
recurse: true
|
||||
- path: /etc/pki/tls/certs/etcd.crt
|
||||
owner: cinder:cinder
|
||||
- path: /etc/pki/tls/private/etcd.key
|
||||
owner: cinder:cinder
|
||||
container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
|
||||
docker_config:
|
||||
step_3:
|
||||
|
@ -114,8 +114,8 @@ outputs:
|
||||
if:
|
||||
- cvol_active_active_tls_enabled
|
||||
-
|
||||
- /etc/pki/tls/certs/etcd.crt:/etc/pki/tls/certs/etcd.crt:ro
|
||||
- /etc/pki/tls/private/etcd.key:/etc/pki/tls/private/etcd.key:ro
|
||||
- /etc/pki/tls/certs/etcd.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/etcd.crt:ro
|
||||
- /etc/pki/tls/private/etcd.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/etcd.key:ro
|
||||
- []
|
||||
|
||||
cinder_volume_host_prep_tasks:
|
||||
|
@ -101,10 +101,19 @@ outputs:
|
||||
dest: "/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
- source: "/var/lib/kolla/config_files/src-tls/*"
|
||||
dest: "/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
optional: true
|
||||
permissions:
|
||||
- path: /var/log/cinder
|
||||
owner: cinder:cinder
|
||||
recurse: true
|
||||
- path: /etc/pki/tls/certs/etcd.crt
|
||||
owner: cinder:cinder
|
||||
- path: /etc/pki/tls/private/etcd.key
|
||||
owner: cinder:cinder
|
||||
docker_config:
|
||||
step_2:
|
||||
cinder_scheduler_init_logs:
|
||||
|
@ -310,6 +310,11 @@ outputs:
|
||||
dest: "/etc/iscsi/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
- source: "/var/lib/kolla/config_files/src-tls/*"
|
||||
dest: "/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
optional: true
|
||||
permissions:
|
||||
- path: /var/log/cinder
|
||||
owner: cinder:cinder
|
||||
@ -322,6 +327,10 @@ outputs:
|
||||
USER: {get_param: CephClientUserName}
|
||||
owner: cinder:cinder
|
||||
perm: '0600'
|
||||
- path: /etc/pki/tls/certs/etcd.crt
|
||||
owner: cinder:cinder
|
||||
- path: /etc/pki/tls/private/etcd.key
|
||||
owner: cinder:cinder
|
||||
docker_config:
|
||||
step_3:
|
||||
cinder_volume_init_logs:
|
||||
@ -345,20 +354,3 @@ outputs:
|
||||
volumes: {get_attr: [CinderCommon, cinder_volume_volumes]}
|
||||
environment: {get_attr: [CinderCommon, cinder_volume_environment]}
|
||||
host_prep_tasks: {get_attr: [CinderCommon, cinder_volume_host_prep_tasks]}
|
||||
deploy_steps_tasks:
|
||||
- name: ensure cinder can access etcd's tls cert and key
|
||||
become: true
|
||||
acl:
|
||||
path: "{{ item }}"
|
||||
entity: "{{ 42407 | string }}"
|
||||
etype: user
|
||||
permissions: r
|
||||
state: present
|
||||
with_items:
|
||||
- /etc/pki/tls/certs/etcd.crt
|
||||
- /etc/pki/tls/private/etcd.key
|
||||
vars:
|
||||
cvol_active_active_tls_enabled: {if: [cvol_active_active_tls_enabled, true, false]}
|
||||
when:
|
||||
- cvol_active_active_tls_enabled|bool
|
||||
- step|int == 3
|
||||
|
@ -152,6 +152,10 @@ outputs:
|
||||
dest: "/etc/iscsi/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
# NOTE(abishop): no need to copy any src-tls/* files or set ownership
|
||||
# of etcd's TLS certificate and key. The etcd service is only used by
|
||||
# cinder-volume when it's running active/active, and *not* when it's
|
||||
# under pcmk control.
|
||||
permissions:
|
||||
- path: /var/log/cinder
|
||||
owner: cinder:cinder
|
||||
|
@ -131,6 +131,7 @@ outputs:
|
||||
"%{hiera('NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
|
||||
postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh'
|
||||
etcd::trusted_ca_file: {get_param: InternalTLSCAFile}
|
||||
etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile}
|
||||
-
|
||||
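Review bot: `etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile}` is a new hieradata setting that the commit description does not mention; it changes which CA peer connections are validated against, which is a different concern from how the cert and key reach the container. A sentence in the description, or a comment above the line such as `# peers are verified against the same internal CA used for client connections`, would record why it is introduced here. Whether peer certificates are actually required and checked depends on the peer client-cert-auth setting, which is outside this hunk, so it is worth confirming that is set consistently with this line. The enclosing hieradata mapping starts above the hunk.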
@ -154,10 +155,19 @@ outputs:
|
||||
dest: "/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
- source: "/var/lib/kolla/config_files/src-tls/*"
|
||||
dest: "/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
optional: true
|
||||
permissions:
|
||||
- path: /var/lib/etcd
|
||||
owner: etcd:etcd
|
||||
recurse: true
|
||||
- path: /etc/pki/tls/certs/etcd.crt
|
||||
owner: etcd:etcd
|
||||
- path: /etc/pki/tls/private/etcd.key
|
||||
owner: etcd:etcd
|
||||
docker_config:
|
||||
step_2:
|
||||
etcd:
|
||||
@ -178,8 +188,8 @@ outputs:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- /etc/pki/tls/certs/etcd.crt:/etc/pki/tls/certs/etcd.crt:ro
|
||||
- /etc/pki/tls/private/etcd.key:/etc/pki/tls/private/etcd.key:ro
|
||||
- /etc/pki/tls/certs/etcd.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/etcd.crt:ro
|
||||
- /etc/pki/tls/private/etcd.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/etcd.key:ro
|
||||
- null
|
||||
environment:
|
||||
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||
@ -200,23 +210,6 @@ outputs:
|
||||
path: /var/lib/etcd
|
||||
state: directory
|
||||
setype: container_file_t
|
||||
deploy_steps_tasks:
|
||||
- name: ensure etcd can access its tls cert and key
|
||||
become: true
|
||||
acl:
|
||||
path: "{{ item }}"
|
||||
entity: "{{ 42413 | string }}"
|
||||
etype: user
|
||||
permissions: r
|
||||
state: present
|
||||
with_items:
|
||||
- /etc/pki/tls/certs/etcd.crt
|
||||
- /etc/pki/tls/private/etcd.key
|
||||
vars:
|
||||
internal_tls_enabled: {if: [internal_tls_enabled, true, false]}
|
||||
when:
|
||||
- internal_tls_enabled|bool
|
||||
- step|int == 2
|
||||
upgrade_tasks: []
|
||||
metadata_settings:
|
||||
if:
|
||||
|