Browse Source

Revamp how etcd's cert and key are handled in containers

Use kolla_config to merge etcd's cert and key files into containers,
and set the ownership so the corresponding service can read the files.

Previously, etcd's cert and key files were directly bind mounted
in the etcd and cinder containers that need the files. An ACL was
added to ensure the corresponding services had read access to the
files on the host, which are owned by root. The ACL was cumbersome,
and required hardcoding the UID of each service.

Change-Id: Ic606e751cb046c34d33a94a2acd4313f4043441f
Depends-On: I0ea26253355a57b3721bfa6ceef3972eaabc5b1d
changes/66/742266/2
Alan Bishop 1 year ago
parent
commit
7bcdd2448b
  1. 9
      deployment/cinder/cinder-api-container-puppet.yaml
  2. 9
      deployment/cinder/cinder-backup-container-puppet.yaml
  3. 9
      deployment/cinder/cinder-backup-pacemaker-puppet.yaml
  4. 4
      deployment/cinder/cinder-common-container-puppet.yaml
  5. 9
      deployment/cinder/cinder-scheduler-container-puppet.yaml
  6. 26
      deployment/cinder/cinder-volume-container-puppet.yaml
  7. 4
      deployment/cinder/cinder-volume-pacemaker-puppet.yaml
  8. 31
      deployment/etcd/etcd-container-puppet.yaml

9
deployment/cinder/cinder-api-container-puppet.yaml

@ -263,10 +263,19 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/log/cinder
owner: cinder:cinder
recurse: true
- path: /etc/pki/tls/certs/etcd.crt
owner: cinder:cinder
- path: /etc/pki/tls/private/etcd.key
owner: cinder:cinder
/var/lib/kolla/config_files/cinder_api_cron.json:
command: /usr/sbin/crond -n
config_files:

9
deployment/cinder/cinder-backup-container-puppet.yaml

@ -166,6 +166,11 @@ outputs:
dest: "/etc/iscsi/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/lib/cinder
owner: cinder:cinder
@ -181,6 +186,10 @@ outputs:
USER: {get_param: CephClientUserName}
owner: cinder:cinder
perm: '0600'
- path: /etc/pki/tls/certs/etcd.crt
owner: cinder:cinder
- path: /etc/pki/tls/private/etcd.key
owner: cinder:cinder
docker_config:
step_3:
cinder_backup_init_logs:

9
deployment/cinder/cinder-backup-pacemaker-puppet.yaml

@ -163,6 +163,11 @@ outputs:
dest: "/etc/iscsi/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/lib/cinder
owner: cinder:cinder
@ -170,6 +175,10 @@ outputs:
- path: /var/log/cinder
owner: cinder:cinder
recurse: true
- path: /etc/pki/tls/certs/etcd.crt
owner: cinder:cinder
- path: /etc/pki/tls/private/etcd.key
owner: cinder:cinder
container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
docker_config:
step_3:

4
deployment/cinder/cinder-common-container-puppet.yaml

@ -114,8 +114,8 @@ outputs:
if:
- cvol_active_active_tls_enabled
-
- /etc/pki/tls/certs/etcd.crt:/etc/pki/tls/certs/etcd.crt:ro
- /etc/pki/tls/private/etcd.key:/etc/pki/tls/private/etcd.key:ro
- /etc/pki/tls/certs/etcd.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/etcd.crt:ro
- /etc/pki/tls/private/etcd.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/etcd.key:ro
- []
cinder_volume_host_prep_tasks:

9
deployment/cinder/cinder-scheduler-container-puppet.yaml

@ -101,10 +101,19 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/log/cinder
owner: cinder:cinder
recurse: true
- path: /etc/pki/tls/certs/etcd.crt
owner: cinder:cinder
- path: /etc/pki/tls/private/etcd.key
owner: cinder:cinder
docker_config:
step_2:
cinder_scheduler_init_logs:

26
deployment/cinder/cinder-volume-container-puppet.yaml

@ -310,6 +310,11 @@ outputs:
dest: "/etc/iscsi/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/log/cinder
owner: cinder:cinder
@ -322,6 +327,10 @@ outputs:
USER: {get_param: CephClientUserName}
owner: cinder:cinder
perm: '0600'
- path: /etc/pki/tls/certs/etcd.crt
owner: cinder:cinder
- path: /etc/pki/tls/private/etcd.key
owner: cinder:cinder
docker_config:
step_3:
cinder_volume_init_logs:
@ -345,20 +354,3 @@ outputs:
volumes: {get_attr: [CinderCommon, cinder_volume_volumes]}
environment: {get_attr: [CinderCommon, cinder_volume_environment]}
host_prep_tasks: {get_attr: [CinderCommon, cinder_volume_host_prep_tasks]}
deploy_steps_tasks:
- name: ensure cinder can access etcd's tls cert and key
become: true
acl:
path: "{{ item }}"
entity: "{{ 42407 | string }}"
etype: user
permissions: r
state: present
with_items:
- /etc/pki/tls/certs/etcd.crt
- /etc/pki/tls/private/etcd.key
vars:
cvol_active_active_tls_enabled: {if: [cvol_active_active_tls_enabled, true, false]}
when:
- cvol_active_active_tls_enabled|bool
- step|int == 3

4
deployment/cinder/cinder-volume-pacemaker-puppet.yaml

@ -152,6 +152,10 @@ outputs:
dest: "/etc/iscsi/"
merge: true
preserve_properties: true
# NOTE(abishop): no need to copy any src-tls/* files or set ownership
# of etcd's TLS certificate and key. The etcd service is only used by
# cinder-volume when it's running active/active, and *not* when it's
# under pcmk control.
permissions:
- path: /var/log/cinder
owner: cinder:cinder

31
deployment/etcd/etcd-container-puppet.yaml

@ -131,6 +131,7 @@ outputs:
"%{hiera('NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh'
etcd::trusted_ca_file: {get_param: InternalTLSCAFile}
etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile}
-
@ -154,10 +155,19 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/lib/etcd
owner: etcd:etcd
recurse: true
- path: /etc/pki/tls/certs/etcd.crt
owner: etcd:etcd
- path: /etc/pki/tls/private/etcd.key
owner: etcd:etcd
docker_config:
step_2:
etcd:
@ -178,8 +188,8 @@ outputs:
if:
- internal_tls_enabled
-
- /etc/pki/tls/certs/etcd.crt:/etc/pki/tls/certs/etcd.crt:ro
- /etc/pki/tls/private/etcd.key:/etc/pki/tls/private/etcd.key:ro
- /etc/pki/tls/certs/etcd.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/etcd.crt:ro
- /etc/pki/tls/private/etcd.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/etcd.key:ro
- null
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
@ -200,23 +210,6 @@ outputs:
path: /var/lib/etcd
state: directory
setype: container_file_t
deploy_steps_tasks:
- name: ensure etcd can access its tls cert and key
become: true
acl:
path: "{{ item }}"
entity: "{{ 42413 | string }}"
etype: user
permissions: r
state: present
with_items:
- /etc/pki/tls/certs/etcd.crt
- /etc/pki/tls/private/etcd.key
vars:
internal_tls_enabled: {if: [internal_tls_enabled, true, false]}
when:
- internal_tls_enabled|bool
- step|int == 2
upgrade_tasks: []
metadata_settings:
if:

Loading…
Cancel
Save