
Merge "Simplify internal_tls_enabled conditions"

changes/24/784724/1
Zuul 2 weeks ago
committed by Gerrit Code Review
parent
commit
824ec8b5ad
13 changed files with 520 additions and 547 deletions
  1. +36
    -38
      deployment/apache/apache-baremetal-puppet.j2.yaml
  2. +33
    -35
      deployment/ceph-ansible/ceph-grafana.yaml
  3. +38
    -40
      deployment/ceph-ansible/ceph-rgw.yaml
  4. +30
    -32
      deployment/database/mysql-base.yaml
  5. +43
    -45
      deployment/database/redis-container-puppet.yaml
  6. +51
    -53
      deployment/metrics/qdr-container-puppet.yaml
  7. +38
    -40
      deployment/neutron/neutron-dhcp-container-puppet.yaml
  8. +26
    -28
      deployment/ovn/ovn-controller-container-puppet.yaml
  9. +46
    -49
      deployment/ovn/ovn-dbs-pacemaker-puppet.yaml
  10. +26
    -28
      deployment/ovn/ovn-metadata-container-puppet.yaml
  11. +51
    -53
      deployment/rabbitmq/rabbitmq-container-puppet.yaml
  12. +51
    -53
      deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml
  13. +51
    -53
      deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml

+ 36
- 38
deployment/apache/apache-baremetal-puppet.j2.yaml

@ -133,42 +133,40 @@ outputs:
- null
upgrade_tasks: []
deploy_steps_tasks:
if:
- internal_tls_enabled
-
- name: Certificate generation
when: step|int == 1
block:
- name: Create dirs for certificates and keys
file:
path: "{{ item }}"
state: directory
serole: object_r
setype: cert_t
seuser: system_u
with_items:
- '/etc/pki/tls/certs/httpd'
- '/etc/pki/tls/private/httpd'
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
repeat:
template:
name: httpd-NETWORK
dns: "{{fqdn_NETWORK}}"
principal: "HTTP/{{fqdn_NETWORK}}@{{idm_realm}}"
run_after: |
cp /etc/pki/tls/certs/httpd-NETWORK.crt /etc/pki/tls/certs/httpd/httpd-NETWORK.crt
cp /etc/pki/tls/private/httpd-NETWORK.key /etc/pki/tls/private/httpd/httpd-NETWORK.key
pkill -USR1 httpd
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: ApacheCertificateKeySize}
ca: ipa
for_each:
NETWORK: {get_attr: [ApacheNetworks, value]}
- null
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- name: Create dirs for certificates and keys
file:
path: "{{ item }}"
state: directory
serole: object_r
setype: cert_t
seuser: system_u
with_items:
- '/etc/pki/tls/certs/httpd'
- '/etc/pki/tls/private/httpd'
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
repeat:
template:
name: httpd-NETWORK
dns: "{{fqdn_NETWORK}}"
principal: "HTTP/{{fqdn_NETWORK}}@{{idm_realm}}"
run_after: |
cp /etc/pki/tls/certs/httpd-NETWORK.crt /etc/pki/tls/certs/httpd/httpd-NETWORK.crt
cp /etc/pki/tls/private/httpd-NETWORK.key /etc/pki/tls/private/httpd/httpd-NETWORK.key
pkill -USR1 httpd
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: ApacheCertificateKeySize}
ca: ipa
for_each:
NETWORK: {get_attr: [ApacheNetworks, value]}
{%- endraw %}
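Review bot: The new `when` list on the `Certificate generation` task evaluates `enable_internal_tls` as a bare variable, so the task now depends on that name being present in the hostvars of every role this service is mapped to; if it is undefined Ansible fails the conditional rather than skipping the task, and if it ever arrives as a string a non-empty `"False"` is truthy. Writing the condition as `- enable_internal_tls | bool` keeps the fail-on-undefined behaviour while normalising the type. The same `when` list is introduced in the ceph-grafana, ceph-rgw, mysql-base, redis, qdr, neutron-dhcp, ovn-controller, ovn-dbs-pacemaker, ovn-metadata, rabbitmq and rabbitmq-messaging-notify sections of this commit, so the change applies to all of them. Note that with the Heat-level `if:` gone the task and its `include_role` are now rendered into every deployment's playbook and only skipped at run time, which is presumably the intent.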

+ 33
- 35
deployment/ceph-ansible/ceph-grafana.yaml

@ -161,38 +161,36 @@ outputs:
type: node
- null
deploy_steps_tasks:
if:
- internal_tls_enabled
-
- name: Certificate generation
when: step|int == 1
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ceph_grafana
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
principal:
str_replace:
template: "ceph_grafana/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
run_after: |
# Get grafana systemd unit
grafana_unit=$(systemctl list-unit-files | awk '/grafana/ {print $1}')
# Restart the grafana systemd unit
if [ -z "$grafana_unit" ]; then
systemctl restart "$grafana_unit"
fi
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: GrafanaCertificateKeySize}
ca: ipa
- null
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ceph_grafana
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
principal:
str_replace:
template: "ceph_grafana/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
run_after: |
# Get grafana systemd unit
grafana_unit=$(systemctl list-unit-files | awk '/grafana/ {print $1}')
# Restart the grafana systemd unit
if [ -z "$grafana_unit" ]; then
systemctl restart "$grafana_unit"
fi
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: GrafanaCertificateKeySize}
ca: ipa
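Review bot: The restart guard in `run_after` is inverted: `if [ -z "$grafana_unit" ]; then` restarts only when no unit name was found (and then with an empty argument), and skips the restart when grafana is present, so a renewed certificate is not loaded until something else restarts the service. The ceph-rgw template in this same commit uses the correct test; change the line to `if [ -n "$grafana_unit" ]; then`. This line is moved rather than introduced by the change, but it is the code on the new side.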

+ 38
- 40
deployment/ceph-ansible/ceph-rgw.yaml

@ -174,43 +174,41 @@ outputs:
type: node
- null
deploy_steps_tasks:
if:
- internal_tls_enabled
-
- name: Certificate generation
when: step|int == 1
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ceph_rgw
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
principal:
str_replace:
template: "ceph_rgw/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
run_after: |
# Create PEM file
pemfile=/etc/pki/tls/certs/ceph_rgw.pem
cat /etc/pki/tls/certs/ceph_rgw.crt /etc/ipa/ca.crt /etc/pki/tls/private/ceph_rgw.key > $pemfile
chmod 0640 $pemfile
chown 472:472 $pemfile
# Get ceph rgw systemd unit
rgw_unit=$(systemctl list-unit-files | awk '/radosgw/ {print $1}')
# Restart the rgw systemd unit
if [ -n "$rgw_unit" ]; then
systemctl restart "$rgw_unit"
fi
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: CephRgwCertificateKeySize}
ca: ipa
- null
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ceph_rgw
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
principal:
str_replace:
template: "ceph_rgw/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
run_after: |
# Create PEM file
pemfile=/etc/pki/tls/certs/ceph_rgw.pem
cat /etc/pki/tls/certs/ceph_rgw.crt /etc/ipa/ca.crt /etc/pki/tls/private/ceph_rgw.key > $pemfile
chmod 0640 $pemfile
chown 472:472 $pemfile
# Get ceph rgw systemd unit
rgw_unit=$(systemctl list-unit-files | awk '/radosgw/ {print $1}')
# Restart the rgw systemd unit
if [ -n "$rgw_unit" ]; then
systemctl restart "$rgw_unit"
fi
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: CephRgwCertificateKeySize}
ca: ipa
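Review bot: In `run_after` the PEM bundle that includes the private key is written with `cat ... > $pemfile` before `chmod 0640 $pemfile` runs, so between the two commands the file exists with the shell's default umask (typically 0644) and is readable by any local user. Create it with the restrictive mode first, e.g. `install -m 0640 -o 472 -g 472 /dev/null "$pemfile"` ahead of the `cat` line (the later `chmod`/`chown` then become redundant), or run the concatenation under `umask 077`. Quoting `"$pemfile"` in the `cat`, `chmod` and `chown` lines would also match the rest of the script. These lines are moved rather than new, but they are the code on the new side.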

+ 30
- 32
deployment/database/mysql-base.yaml

@ -174,35 +174,33 @@ outputs:
type: node
- null
deploy_steps_tasks:
if:
- internal_tls_enabled
-
- name: Certificate generation
when: step|int == 1
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: mysql
dns:
- str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
- str_replace:
template: "{{cloud_names.cloud_name_NETWORK}}"
params:
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
principal:
str_replace:
template: "mysql/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: MysqlCertificateKeySize}
ca: ipa
- null
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: mysql
dns:
- str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
- str_replace:
template: "{{cloud_names.cloud_name_NETWORK}}"
params:
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
principal:
str_replace:
template: "mysql/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: MysqlCertificateKeySize}
ca: ipa

+ 43
- 45
deployment/database/redis-container-puppet.yaml

@ -196,51 +196,49 @@ outputs:
type: node
- null
deploy_steps_tasks:
if:
- internal_tls_enabled
-
- name: Certificate generation
when: step|int == 1
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: redis
dns:
- str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
- str_replace:
template: "{{cloud_names.cloud_name_NETWORK}}"
params:
NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
principal:
str_replace:
template: "redis/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
run_after: |
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep redis_tls_proxy)
service_crt="/etc/pki/tls/certs/redis.crt"
service_key="/etc/pki/tls/private/redis.key"
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
# Set appropriate permissions
{{container_cli}} exec "$container_name" chown memcached:memcached "$service_crt"
{{container_cli}} exec "$container_name" chown memcached:memcached "$service_key"
# Trigger a reload for stunnel to read the new certificate
{{container_cli}} exec pkill -o -HUP stunnel
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: RedisCertificateKeySize}
ca: ipa
- null
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: redis
dns:
- str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
- str_replace:
template: "{{cloud_names.cloud_name_NETWORK}}"
params:
NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
principal:
str_replace:
template: "redis/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
run_after: |
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep redis_tls_proxy)
service_crt="/etc/pki/tls/certs/redis.crt"
service_key="/etc/pki/tls/private/redis.key"
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
# Set appropriate permissions
{{container_cli}} exec "$container_name" chown memcached:memcached "$service_crt"
{{container_cli}} exec "$container_name" chown memcached:memcached "$service_key"
# Trigger a reload for stunnel to read the new certificate
{{container_cli}} exec pkill -o -HUP stunnel
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: RedisCertificateKeySize}
ca: ipa
host_prep_tasks:
- name: create persistent directories
file:
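Review bot: The last `run_after` line, `{{container_cli}} exec pkill -o -HUP stunnel`, is missing the container argument: `exec` takes `pkill` as the container name, the command fails, and stunnel keeps serving the old certificate after renewal. Every other exec in this script targets `"$container_name"`; the line should read `{{container_cli}} exec "$container_name" pkill -o -HUP stunnel`. The `chown memcached:memcached` on the redis cert and key looks copied from another template — worth confirming that is the user stunnel runs as inside redis_tls_proxy, otherwise the key ownership is wrong. These lines are moved rather than new, but they are on the new side; `host_prep_tasks` after the hunk continues outside it.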


+ 51
- 53
deployment/metrics/qdr-container-puppet.yaml

@ -327,59 +327,57 @@ outputs:
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
deploy_steps_tasks:
if:
- internal_tls_enabled
-
- name: Certificate generation
when: step|int == 1
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: metrics_qdr
dns:
str_replace:
template: "{{fqdn_NETWORK}}"
params:
NETWORK:
get_param:
- ServiceNetMap
- str_replace:
template: "ROLENAMEMetricsQdrNetwork"
params:
ROLENAME: {get_param: RoleName}
principal:
str_replace:
template: "metrics_qdr/{{fqdn_NETWORK}}@{{idm_realm}}"
params:
NETWORK:
get_param:
- ServiceNetMap
- str_replace:
template: "ROLENAMEMetricsQdrNetwork"
params:
ROLENAME: {get_param: RoleName}
run_after: |
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep metrics_qdr)
service_crt="/etc/pki/tls/certs/metrics_qdr.crt"
service_key="/etc/pki/tls/private/metrics_qdr.key
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
# Copy the new key from the mount-point to the real path
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
# Set appropriate permissions
{{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_crt"
{{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_key"
# Trigger a container restart to read the new certificate
{{container_cli}} restart "$container_name"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: QdrCertificateKeySize}
ca: ipa
- null
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: metrics_qdr
dns:
str_replace:
template: "{{fqdn_NETWORK}}"
params:
NETWORK:
get_param:
- ServiceNetMap
- str_replace:
template: "ROLENAMEMetricsQdrNetwork"
params:
ROLENAME: {get_param: RoleName}
principal:
str_replace:
template: "metrics_qdr/{{fqdn_NETWORK}}@{{idm_realm}}"
params:
NETWORK:
get_param:
- ServiceNetMap
- str_replace:
template: "ROLENAMEMetricsQdrNetwork"
params:
ROLENAME: {get_param: RoleName}
run_after: |
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep metrics_qdr)
service_crt="/etc/pki/tls/certs/metrics_qdr.crt"
service_key="/etc/pki/tls/private/metrics_qdr.key
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
# Copy the new key from the mount-point to the real path
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
# Set appropriate permissions
{{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_crt"
{{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_key"
# Trigger a container restart to read the new certificate
{{container_cli}} restart "$container_name"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: QdrCertificateKeySize}
ca: ipa
host_prep_tasks:
- name: create persistent logs directory
file:
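Review bot: `service_key="/etc/pki/tls/private/metrics_qdr.key` in `run_after` is missing its closing quote, so bash continues the string onto the following lines and the copy/chown/restart sequence is not executed as written; the renewed key is never installed into the container. It should be `service_key="/etc/pki/tls/private/metrics_qdr.key"`. The line is moved rather than introduced here, but it is on the new side; `host_prep_tasks` after the hunk continues outside it.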


+ 38
- 40
deployment/neutron/neutron-dhcp-container-puppet.yaml

@ -376,47 +376,45 @@ outputs:
type: node
- null
deploy_steps_tasks:
if:
- internal_tls_enabled
-
- name: Certificate generation
when: step|int == 1
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: neutron
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
principal:
str_replace:
template: "neutron/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
run_after: |
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep neutron_dhcp)
# The certificate is also installed on the computes, but neutron_dhcp is only
# present on the controllers, so we exit if the container could not be found.
[[ -z $container_name ]] && exit 0
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: neutron
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
principal:
str_replace:
template: "neutron/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
run_after: |
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep neutron_dhcp)
# The certificate is also installed on the computes, but neutron_dhcp is only
# present on the controllers, so we exit if the container could not be found.
[[ -z $container_name ]] && exit 0
service_crt="/etc/pki/tls/certs/neutron.crt"
service_key="/etc/pki/tls/private/neutron.key"
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
# Copy the new key from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key "$service_key"
# No need to trigger a reload for neutron dhcpd since the cert is not cached
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: NeutronDhcpCertificateKeySize}
ca: ipa
- null
service_crt="/etc/pki/tls/certs/neutron.crt"
service_key="/etc/pki/tls/private/neutron.key"
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
# Copy the new key from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key "$service_key"
# No need to trigger a reload for neutron dhcpd since the cert is not cached
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: NeutronDhcpCertificateKeySize}
ca: ipa
host_prep_tasks:
list_concat:
- {get_attr: [NeutronLogging, host_prep_tasks]}
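Review bot: The key copy in `run_after`, `cp "/var/lib/kolla/config_files/src-tls$service_key "$service_key"`, has its quotes misplaced: the first string closes after the trailing space and the final `"` opens a new one that runs onto the next line, so the key is not copied into the container. It should be `cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"`, matching the cert copy two lines above. This line is moved rather than introduced by the change, but it is on the new side; `host_prep_tasks` after the hunk continues outside it.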


+ 26
- 28
deployment/ovn/ovn-controller-container-puppet.yaml

@ -303,34 +303,32 @@ outputs:
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
deploy_steps_tasks:
if:
- internal_tls_enabled
-
- name: Certificate generation
when: step|int == 1
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ovn_controller
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
principal:
str_replace:
template: "ovn_controller/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: ContainerOvnCertificateKeySize}
ca: ipa
- null
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ovn_controller
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
principal:
str_replace:
template: "ovn_controller/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: ContainerOvnCertificateKeySize}
ca: ipa
host_prep_tasks:
- name: create persistent directories
file:


+ 46
- 49
deployment/ovn/ovn-dbs-pacemaker-puppet.yaml

@ -228,57 +228,54 @@ outputs:
- { 'path': /var/log/containers/openvswitch, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/openvswitch/ovn, 'setype': container_file_t }
deploy_steps_tasks:
list_concat:
- - name: OVN DBS tag container image for pacemaker
when: step|int == 1
- name: OVN DBS tag container image for pacemaker
when: step|int == 1
import_role:
name: tripleo_container_tag
vars:
container_image: {get_param: ContainerOvnDbsImage}
container_image_latest: *ovn_dbs_image_pcmklatest
- name: OVNDbs HA Wrappers Step
when: step|int == 3
block: &ovn_dbs_puppet_bundle
- name: Ovn dbs puppet bundle
import_role:
name: tripleo_container_tag
name: tripleo_ha_wrapper
vars:
container_image: {get_param: ContainerOvnDbsImage}
container_image_latest: *ovn_dbs_image_pcmklatest
- name: OVNDbs HA Wrappers Step
when: step|int == 3
block: &ovn_dbs_puppet_bundle
- name: Ovn dbs puppet bundle
import_role:
name: tripleo_ha_wrapper
vars:
tripleo_ha_wrapper_service_name: ovn_dbs
tripleo_ha_wrapper_resource_name: ovndbs_servers
tripleo_ha_wrapper_bundle_name: ovn-dbs-bundle
tripleo_ha_wrapper_resource_state: Slave Master
tripleo_ha_wrapper_puppet_config_volume: ovn_dbs
tripleo_ha_wrapper_puppet_execute: 'include ::tripleo::profile::base::pacemaker; include ::tripleo::profile::pacemaker::ovn_dbs_bundle'
tripleo_ha_wrapper_puppet_tags: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
tripleo_ha_wrapper_puppet_debug: {get_param: ConfigDebug}
- if:
- internal_tls_enabled
-
- name: Certificate generation
when: step|int == 1
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ovn_dbs
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
principal:
str_replace:
template: "ovn_dbs/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: OvnDBSCertificateKeySize}
ca: ipa
- []
tripleo_ha_wrapper_service_name: ovn_dbs
tripleo_ha_wrapper_resource_name: ovndbs_servers
tripleo_ha_wrapper_bundle_name: ovn-dbs-bundle
tripleo_ha_wrapper_resource_state: Slave Master
tripleo_ha_wrapper_puppet_config_volume: ovn_dbs
tripleo_ha_wrapper_puppet_execute: 'include ::tripleo::profile::base::pacemaker; include ::tripleo::profile::pacemaker::ovn_dbs_bundle'
tripleo_ha_wrapper_puppet_tags: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
tripleo_ha_wrapper_puppet_debug: {get_param: ConfigDebug}
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ovn_dbs
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
principal:
str_replace:
template: "ovn_dbs/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: OvnDBSCertificateKeySize}
ca: ipa
update_tasks:
- name: Tear-down non-HA ovn-dbs containers
when:
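Review bot: With the certificate task folded into the first list and the old `- []` second argument removed, `deploy_steps_tasks: list_concat:` appears to be left with a single list, so the `list_concat` wrapper and the nested `- - name:` form are now redundant and a plain list under `deploy_steps_tasks:` would read the same. The rendered view drops indentation, so the nesting is inferred and should be checked in the file. `update_tasks` after the hunk continues outside it.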


+ 26
- 28
deployment/ovn/ovn-metadata-container-puppet.yaml

@ -329,34 +329,32 @@ outputs:
type: node
- null
deploy_steps_tasks:
if:
- internal_tls_enabled
-
- name: Certificate generation
when: step|int == 1
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ovn_metadata
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
principal:
str_replace:
template: "ovn_metadata/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: OvnMetadataCertificateKeySize}
ca: ipa
- null
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ovn_metadata
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
principal:
str_replace:
template: "ovn_metadata/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: OvnMetadataCertificateKeySize}
ca: ipa
host_prep_tasks:
list_concat:
- {get_attr: [NeutronLogging, host_prep_tasks]}


+ 51
- 53
deployment/rabbitmq/rabbitmq-container-puppet.yaml

@ -335,59 +335,57 @@ outputs:
type: node
- null
deploy_steps_tasks:
if:
- internal_tls_enabled
-
- name: Certificate generation
when: step|int == 1
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: rabbitmq
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
principal:
str_replace:
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
run_after: |
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
service_key="/etc/pki/tls/private/rabbitmq.key"
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
# lp#1917868: Do not use podman cp with HA containers as they get
# frozen temporarily and that can make pacemaker operation fail.
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
# no need to update the mount point, because pacemaker
# recreates the container when it's restarted
else
# Refresh the cert at the mount-point
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
# Refresh the key at the mount-point
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
# Copy the new key from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
fi
# Set appropriate permissions
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
# Trigger a pem cache clear in RabbitMQ to read the new certificates
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: RabbitmqCertificateKeySize}
ca: ipa
- null
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: rabbitmq
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
principal:
str_replace:
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
run_after: |
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
service_key="/etc/pki/tls/private/rabbitmq.key"
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
# lp#1917868: Do not use podman cp with HA containers as they get
# frozen temporarily and that can make pacemaker operation fail.
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
# no need to update the mount point, because pacemaker
# recreates the container when it's restarted
else
# Refresh the cert at the mount-point
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
# Refresh the key at the mount-point
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
# Copy the new key from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
fi
# Set appropriate permissions
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
# Trigger a pem cache clear in RabbitMQ to read the new certificates
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: RabbitmqCertificateKeySize}
ca: ipa
host_prep_tasks:
- name: create persistent directories
file:
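Review bot: In the non-bundle branch of `run_after`, `{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"` and the matching key line leave the source path unquoted, unlike every other use of the two variables in the script; quote them as `"$service_crt"` / `"$service_key"`. The `src-tls/$service_crt` form also joins a slash to an absolute path, yielding `src-tls//etc/...`, which works but differs from the `src-tls$service_crt` spelling used in the exec lines below. The same lines appear in the rabbitmq-messaging-notify section of this commit. These lines are moved rather than new; `host_prep_tasks` after the hunk continues outside it.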


+ 51
- 53
deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml

@ -270,59 +270,57 @@ outputs:
type: node
- null
deploy_steps_tasks:
if:
- internal_tls_enabled
-
- name: Certificate generation
when: step|int == 1
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: rabbitmq
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
principal:
str_replace:
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
run_after: |
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
service_key="/etc/pki/tls/private/rabbitmq.key"
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
# lp#1917868: Do not use podman cp with HA containers as they get
# frozen temporarily and that can make pacemaker operation fail.
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
# no need to update the mount point, because pacemaker
# recreates the container when it's restarted
else
# Refresh the cert at the mount-point
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
# Refresh the key at the mount-point
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
# Copy the new key from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
fi
# Set appropriate permissions
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
# Trigger a pem cache clear in RabbitMQ to read the new certificates
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: RabbitmqMessageCertificateKeySize}
ca: ipa
- null
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: rabbitmq
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
principal:
str_replace:
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
run_after: |
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
service_key="/etc/pki/tls/private/rabbitmq.key"
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
# lp#1917868: Do not use podman cp with HA containers as they get
# frozen temporarily and that can make pacemaker operation fail.
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
# no need to update the mount point, because pacemaker
# recreates the container when it's restarted
else
# Refresh the cert at the mount-point
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
# Refresh the key at the mount-point
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
# Copy the new key from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
fi
# Set appropriate permissions
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
# Trigger a pem cache clear in RabbitMQ to read the new certificates
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: RabbitmqMessageCertificateKeySize}
ca: ipa
host_prep_tasks:
- name: create persistent directories
file:


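--- a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
@@ -270,59 +270,57 @@ outputs:
 type: node
 - null
 deploy_steps_tasks:
-if:
-- internal_tls_enabled
--
-- name: Certificate generation
-when: step|int == 1
-block:
-- include_role:
-name: linux-system-roles.certificate
-vars:
-certificate_requests:
-- name: rabbitmq
-dns:
-str_replace:
-template: "{{fqdn_$NETWORK}}"
-params:
-$NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
-principal:
-str_replace:
-template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
-params:
-$NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
-run_after: |
-container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
-service_crt="/etc/pki/tls/certs/rabbitmq.crt"
-service_key="/etc/pki/tls/private/rabbitmq.key"
-if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
-# lp#1917868: Do not use podman cp with HA containers as they get
-# frozen temporarily and that can make pacemaker operation fail.
-tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
-# no need to update the mount point, because pacemaker
-# recreates the container when it's restarted
-else
-# Refresh the cert at the mount-point
-{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
-# Refresh the key at the mount-point
-{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
-# Copy the new cert from the mount-point to the real path
-{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
-# Copy the new key from the mount-point to the real path
-{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
-fi
-# Set appropriate permissions
-{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
-{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
-# Trigger a pem cache clear in RabbitMQ to read the new certificates
-{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
-key_size:
-if:
-- key_size_override_unset
-- {get_param: CertificateKeySize}
-- {get_param: RpcCertificateKeySize}
-ca: ipa
-- null
+- name: Certificate generation
+when:
+- step|int == 1
+- enable_internal_tls
+block:
+- include_role:
+name: linux-system-roles.certificate
+vars:
+certificate_requests:
+- name: rabbitmq
+dns:
+str_replace:
+template: "{{fqdn_$NETWORK}}"
+params:
+$NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
+principal:
+str_replace:
+template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
+params:
+$NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
+run_after: |
+container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
+service_crt="/etc/pki/tls/certs/rabbitmq.crt"
+service_key="/etc/pki/tls/private/rabbitmq.key"
+if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
+# lp#1917868: Do not use podman cp with HA containers as they get
+# frozen temporarily and that can make pacemaker operation fail.
+tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
+# no need to update the mount point, because pacemaker
+# recreates the container when it's restarted
+else
+# Refresh the cert at the mount-point
+{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
+# Refresh the key at the mount-point
+{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
+# Copy the new cert from the mount-point to the real path
+{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
+# Copy the new key from the mount-point to the real path
+{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
+fi
+# Set appropriate permissions
+{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
+{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
+# Trigger a pem cache clear in RabbitMQ to read the new certificates
+{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
+key_size:
+if:
+- key_size_override_unset
+- {get_param: CertificateKeySize}
+- {get_param: RpcCertificateKeySize}
+ca: ipa
 host_prep_tasks:
 - name: create persistent directories
 file: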
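Review bot: The new `when:` list on the "Certificate generation" task moves the TLS gate from Heat render time to Ansible run time, so `enable_internal_tls` must now be a defined Ansible variable on every host that runs deploy_steps_tasks; if it is undefined on a host, the conditional errors out rather than skipping the task, which the old Heat `if:` could not do. Presumably it is set alongside `step` by the deploy playbook, but that is not visible here and is worth confirming before merge. The `run_after` script on the new side also never checks that `container_name` is non-empty before the `cp`, `chown` and `rabbitmqctl` calls, so a failed match from `ps` produces misleading errors against an empty name; a guard such as `[ -n "$container_name" ] || { echo "no rabbitmq container found" >&2; exit 1; }` right after the assignment would make that failure explicit. The same two points apply to the rabbitmq-messaging-notify section above, whose start is outside this view.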

