From 5e4c17acfb12a050f03bf7e67147b2db05544e89 Mon Sep 17 00:00:00 2001
From: Michele Baldessari
Date: Wed, 17 Mar 2021 10:19:54 +0100
Subject: [PATCH] Simplify internal_tls_enabled conditions

We do not need to add an if: internal_tls_enabled in a number of ansible tasks. enabled_internal_tls is already defined as an ansible fact in common/deploy-steps.j2: enable_internal_tls: {get_param: EnableInternalTLS} So when the service uses the enable_internal_tls condition and it points to the EnableInternalTLS param, we can just use the ansible fact directly. Note that if the enable_internal_tls condition points to something else than the mere EnableInternalTLS we may not do this cleanup.

Change-Id: Idb07cbc8fc3a4d73ff52c54d869310fd6c49b502
---
.../apache/apache-baremetal-puppet.j2.yaml | 74 ++++++-------
deployment/ceph-ansible/ceph-grafana.yaml | 68 ++++++------
deployment/ceph-ansible/ceph-rgw.yaml | 78 +++++++------
deployment/database/mysql-base.yaml | 62 +++++------
.../database/redis-container-puppet.yaml | 88 ++++++++-------
deployment/metrics/qdr-container-puppet.yaml | 104 +++++++++---------
.../neutron-dhcp-container-puppet.yaml | 78 +++++++------
.../ovn/ovn-controller-container-puppet.yaml | 54 +++++----
deployment/ovn/ovn-dbs-pacemaker-puppet.yaml | 95 ++++++++--------
.../ovn/ovn-metadata-container-puppet.yaml | 54 +++++----
.../rabbitmq/rabbitmq-container-puppet.yaml | 104 +++++++++---------
...tmq-messaging-notify-container-puppet.yaml | 104 +++++++++---------
...bbitmq-messaging-rpc-container-puppet.yaml | 104 +++++++++---------
13 files changed, 520 insertions(+), 547 deletions(-)

diff --git a/deployment/apache/apache-baremetal-puppet.j2.yaml b/deployment/apache/apache-baremetal-puppet.j2.yaml
index 20257d6fee..afd446519d 100644
--- a/deployment/apache/apache-baremetal-puppet.j2.yaml
+++ b/deployment/apache/apache-baremetal-puppet.j2.yaml
@@ -133,42 +133,40 @@ outputs: - null upgrade_tasks: [] deploy_steps_tasks: - if: - - internal_tls_enabled - - - - name: Certificate generation - when: step|int == 1 - block: - - name: Create dirs for certificates and keys - file: - path: "{{ item }}" - state: directory - serole: object_r - setype: cert_t - seuser: system_u - with_items: - - '/etc/pki/tls/certs/httpd' - - '/etc/pki/tls/private/httpd' - - include_role: - name: linux-system-roles.certificate - vars: - certificate_requests: - repeat: - template: - name: httpd-NETWORK - dns: "{{fqdn_NETWORK}}" - principal: "HTTP/{{fqdn_NETWORK}}@{{idm_realm}}" - run_after: | - cp /etc/pki/tls/certs/httpd-NETWORK.crt /etc/pki/tls/certs/httpd/httpd-NETWORK.crt - cp /etc/pki/tls/private/httpd-NETWORK.key /etc/pki/tls/private/httpd/httpd-NETWORK.key - pkill -USR1 httpd - key_size: - if: - - key_size_override_unset - - {get_param: CertificateKeySize} - - {get_param: ApacheCertificateKeySize} - ca: ipa - for_each: - NETWORK: {get_attr: [ApacheNetworks, value]} - - null + - name: Certificate generation + when: + - step|int == 1 + - enable_internal_tls + block: + - name: Create dirs for certificates and keys + file: + path: "{{ item }}" + state: directory + serole: object_r + setype: cert_t + seuser: system_u + with_items: + - '/etc/pki/tls/certs/httpd' + - '/etc/pki/tls/private/httpd' + - include_role: + name: linux-system-roles.certificate + vars: + certificate_requests: + repeat: + template: + name: httpd-NETWORK + dns: "{{fqdn_NETWORK}}" + principal: "HTTP/{{fqdn_NETWORK}}@{{idm_realm}}" + run_after: | + cp /etc/pki/tls/certs/httpd-NETWORK.crt /etc/pki/tls/certs/httpd/httpd-NETWORK.crt + cp /etc/pki/tls/private/httpd-NETWORK.key /etc/pki/tls/private/httpd/httpd-NETWORK.key + pkill -USR1 httpd + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: ApacheCertificateKeySize} + ca: ipa + for_each: + NETWORK: {get_attr: [ApacheNetworks, value]} {%- endraw %} 
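Review bot: The new `when:` list on the `Certificate generation` task tests the bare fact `enable_internal_tls`; on any host where that fact is not set, Ansible aborts the task with an undefined-variable error, whereas the removed Heat-level `if: internal_tls_enabled` rendered no task at all. The same pattern is repeated in the ceph-grafana, ceph-rgw, mysql-base, redis, qdr, neutron-dhcp, ovn-controller, ovn-dbs-pacemaker, ovn-metadata and rabbitmq hunks. The description says the fact is defined in common/deploy-steps.j2, which is outside this patch, so that cannot be confirmed here. Writing the test explicitly, `- enable_internal_tls | default(false) | bool`, makes a missing fact skip the task instead of failing the step and keeps a string-valued fact from being treated as truthy. The `deploy_steps_tasks` output this list belongs to starts before the hunk.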
diff --git a/deployment/ceph-ansible/ceph-grafana.yaml b/deployment/ceph-ansible/ceph-grafana.yaml
index 4e36942d9f..dbd194bad3 100644
--- a/deployment/ceph-ansible/ceph-grafana.yaml
+++ b/deployment/ceph-ansible/ceph-grafana.yaml
@@ -161,38 +161,36 @@ outputs: type: node - null deploy_steps_tasks: - if: - - internal_tls_enabled - - - - name: Certificate generation - when: step|int == 1 - block: - - include_role: - name: linux-system-roles.certificate - vars: - certificate_requests: - - name: ceph_grafana - dns: - str_replace: - template: "{{fqdn_$NETWORK}}" - params: - $NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]} - principal: - str_replace: - template: "ceph_grafana/{{fqdn_$NETWORK}}@{{idm_realm}}" - params: - $NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]} - run_after: | - # Get grafana systemd unit - grafana_unit=$(systemctl list-unit-files | awk '/grafana/ {print $1}') - # Restart the grafana systemd unit - if [ -z "$grafana_unit" ]; then - systemctl restart "$grafana_unit" - fi - key_size: - if: - - key_size_override_unset - - {get_param: CertificateKeySize} - - {get_param: GrafanaCertificateKeySize} - ca: ipa - - null + - name: Certificate generation + when: + - step|int == 1 + - enable_internal_tls + block: + - include_role: + name: linux-system-roles.certificate + vars: + certificate_requests: + - name: ceph_grafana + dns: + str_replace: + template: "{{fqdn_$NETWORK}}" + params: + $NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]} + principal: + str_replace: + template: "ceph_grafana/{{fqdn_$NETWORK}}@{{idm_realm}}" + params: + $NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]} + run_after: | + # Get grafana systemd unit + grafana_unit=$(systemctl list-unit-files | awk '/grafana/ {print $1}') + # Restart the grafana systemd unit + if [ -z "$grafana_unit" ]; then + systemctl restart "$grafana_unit" + fi + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: GrafanaCertificateKeySize} + ca: ipa diff --git a/deployment/ceph-ansible/ceph-rgw.yaml b/deployment/ceph-ansible/ceph-rgw.yaml index 8d8848d707..5b79354d87 100644 --- a/deployment/ceph-ansible/ceph-rgw.yaml 
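Review bot: In the `run_after` script of the ceph_grafana certificate request, `if [ -z "$grafana_unit" ]` restarts grafana only when no unit name was found, so a running grafana never picks up a renewed certificate, and when the lookup is empty the script attempts `systemctl restart ""`. The sibling ceph-rgw hunk uses `-n` for the same pattern. The line should read `if [ -n "$grafana_unit" ]; then`. This text is carried over from the removed block, so the defect predates the patch but now ships on the added side.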
+++ b/deployment/ceph-ansible/ceph-rgw.yaml 
@@ -174,43 +174,41 @@ outputs: type: node - null deploy_steps_tasks: - if: - - internal_tls_enabled - - - - name: Certificate generation - when: step|int == 1 - block: - - include_role: - name: linux-system-roles.certificate - vars: - certificate_requests: - - name: ceph_rgw - dns: - str_replace: - template: "{{fqdn_$NETWORK}}" - params: - $NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]} - principal: - str_replace: - template: "ceph_rgw/{{fqdn_$NETWORK}}@{{idm_realm}}" - params: - $NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]} - run_after: | - # Create PEM file - pemfile=/etc/pki/tls/certs/ceph_rgw.pem - cat /etc/pki/tls/certs/ceph_rgw.crt /etc/ipa/ca.crt /etc/pki/tls/private/ceph_rgw.key > $pemfile - chmod 0640 $pemfile - chown 472:472 $pemfile - # Get ceph rgw systemd unit - rgw_unit=$(systemctl list-unit-files | awk '/radosgw/ {print $1}') - # Restart the rgw systemd unit - if [ -n "$rgw_unit" ]; then - systemctl restart "$rgw_unit" - fi - key_size: - if: - - key_size_override_unset - - {get_param: CertificateKeySize} - - {get_param: CephRgwCertificateKeySize} - ca: ipa - - null + - name: Certificate generation + when: + - step|int == 1 + - enable_internal_tls + block: + - include_role: + name: linux-system-roles.certificate + vars: + certificate_requests: + - name: ceph_rgw + dns: + str_replace: + template: "{{fqdn_$NETWORK}}" + params: + $NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]} + principal: + str_replace: + template: "ceph_rgw/{{fqdn_$NETWORK}}@{{idm_realm}}" + params: + $NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]} + run_after: | + # Create PEM file + pemfile=/etc/pki/tls/certs/ceph_rgw.pem + cat /etc/pki/tls/certs/ceph_rgw.crt /etc/ipa/ca.crt /etc/pki/tls/private/ceph_rgw.key > $pemfile + chmod 0640 $pemfile + chown 472:472 $pemfile + # Get ceph rgw systemd unit + rgw_unit=$(systemctl list-unit-files | awk '/radosgw/ {print $1}') + # Restart the rgw systemd unit + if [ -n "$rgw_unit" ]; then + systemctl restart 
"$rgw_unit" + fi + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: CephRgwCertificateKeySize} + ca: ipa diff --git a/deployment/database/mysql-base.yaml b/deployment/database/mysql-base.yaml index 0e70547256..728f98f120 100644 --- a/deployment/database/mysql-base.yaml +++ b/deployment/database/mysql-base.yaml @@ -174,35 +174,33 @@ outputs: type: node - null deploy_steps_tasks: - if: - - internal_tls_enabled - - - - name: Certificate generation - when: step|int == 1 - block: - - include_role: - name: linux-system-roles.certificate - vars: - certificate_requests: - - name: mysql - dns: - - str_replace: - template: "{{fqdn_$NETWORK}}" - params: - $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} - - str_replace: - template: "{{cloud_names.cloud_name_NETWORK}}" - params: - NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} - principal: - str_replace: - template: "mysql/{{fqdn_$NETWORK}}@{{idm_realm}}" - params: - $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} - key_size: - if: - - key_size_override_unset - - {get_param: CertificateKeySize} - - {get_param: MysqlCertificateKeySize} - ca: ipa - - null + - name: Certificate generation + when: + - step|int == 1 + - enable_internal_tls + block: + - include_role: + name: linux-system-roles.certificate + vars: + certificate_requests: + - name: mysql + dns: + - str_replace: + template: "{{fqdn_$NETWORK}}" + params: + $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} + - str_replace: + template: "{{cloud_names.cloud_name_NETWORK}}" + params: + NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} + principal: + str_replace: + template: "mysql/{{fqdn_$NETWORK}}@{{idm_realm}}" + params: + $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: MysqlCertificateKeySize} + ca: ipa 
diff --git a/deployment/database/redis-container-puppet.yaml b/deployment/database/redis-container-puppet.yaml
index 88c4f9a86e..e5ac515572 100644
--- a/deployment/database/redis-container-puppet.yaml
+++ b/deployment/database/redis-container-puppet.yaml
@@ -196,51 +196,49 @@ outputs: type: node - null deploy_steps_tasks: - if: - - internal_tls_enabled - - - - name: Certificate generation - when: step|int == 1 - block: - - include_role: - name: linux-system-roles.certificate - vars: - certificate_requests: - - name: redis - dns: - - str_replace: - template: "{{fqdn_$NETWORK}}" - params: - $NETWORK: {get_param: [ServiceNetMap, RedisNetwork]} - - str_replace: - template: "{{cloud_names.cloud_name_NETWORK}}" - params: - NETWORK: {get_param: [ServiceNetMap, RedisNetwork]} - principal: - str_replace: - template: "redis/{{fqdn_$NETWORK}}@{{idm_realm}}" - params: - $NETWORK: {get_param: [ServiceNetMap, RedisNetwork]} - run_after: | - container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep redis_tls_proxy) - service_crt="/etc/pki/tls/certs/redis.crt" - service_key="/etc/pki/tls/private/redis.key" - # Copy the new cert from the mount-point to the real path - {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt" - # Copy the new cert from the mount-point to the real path - {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key" - # Set appropriate permissions - {{container_cli}} exec "$container_name" chown memcached:memcached "$service_crt" - {{container_cli}} exec "$container_name" chown memcached:memcached "$service_key" - # Trigger a reload for stunnel to read the new certificate - {{container_cli}} exec pkill -o -HUP stunnel - key_size: - if: - - key_size_override_unset - - {get_param: CertificateKeySize} - - {get_param: RedisCertificateKeySize} - ca: ipa - - null + - name: Certificate generation + when: + - step|int == 1 + - enable_internal_tls + block: + - include_role: + name: linux-system-roles.certificate + vars: + certificate_requests: + - name: redis + dns: + - str_replace: + template: "{{fqdn_$NETWORK}}" + params: + $NETWORK: {get_param: [ServiceNetMap, RedisNetwork]} + - str_replace: + 
template: "{{cloud_names.cloud_name_NETWORK}}" + params: + NETWORK: {get_param: [ServiceNetMap, RedisNetwork]} + principal: + str_replace: + template: "redis/{{fqdn_$NETWORK}}@{{idm_realm}}" + params: + $NETWORK: {get_param: [ServiceNetMap, RedisNetwork]} + run_after: | + container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep redis_tls_proxy) + service_crt="/etc/pki/tls/certs/redis.crt" + service_key="/etc/pki/tls/private/redis.key" + # Copy the new cert from the mount-point to the real path + {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt" + # Copy the new cert from the mount-point to the real path + {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key" + # Set appropriate permissions + {{container_cli}} exec "$container_name" chown memcached:memcached "$service_crt" + {{container_cli}} exec "$container_name" chown memcached:memcached "$service_key" + # Trigger a reload for stunnel to read the new certificate + {{container_cli}} exec pkill -o -HUP stunnel + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: RedisCertificateKeySize} + ca: ipa host_prep_tasks: - name: create persistent directories file: diff --git a/deployment/metrics/qdr-container-puppet.yaml b/deployment/metrics/qdr-container-puppet.yaml index 06c2ee45fb..ab26e564e4 100644 --- a/deployment/metrics/qdr-container-puppet.yaml +++ b/deployment/metrics/qdr-container-puppet.yaml 
@@ -327,59 +327,57 @@ outputs: environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS deploy_steps_tasks: - if: - - internal_tls_enabled - - - - name: Certificate generation - when: step|int == 1 - block: - - include_role: - name: linux-system-roles.certificate - vars: - certificate_requests: - - name: metrics_qdr - dns: - str_replace: - template: "{{fqdn_NETWORK}}" - params: - NETWORK: - get_param: - - ServiceNetMap - - str_replace: - template: "ROLENAMEMetricsQdrNetwork" - params: - ROLENAME: {get_param: RoleName} - principal: - str_replace: - template: "metrics_qdr/{{fqdn_NETWORK}}@{{idm_realm}}" - params: - NETWORK: - get_param: - - ServiceNetMap - - str_replace: - template: "ROLENAMEMetricsQdrNetwork" - params: - ROLENAME: {get_param: RoleName} - run_after: | - container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep metrics_qdr) - service_crt="/etc/pki/tls/certs/metrics_qdr.crt" - service_key="/etc/pki/tls/private/metrics_qdr.key - # Copy the new cert from the mount-point to the real path - {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt" - # Copy the new key from the mount-point to the real path - {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key" - # Set appropriate permissions - {{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_crt" - {{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_key" - # Trigger a container restart to read the new certificate - {{container_cli}} restart "$container_name" - key_size: - if: - - key_size_override_unset - - {get_param: CertificateKeySize} - - {get_param: QdrCertificateKeySize} - ca: ipa - - null + - name: Certificate generation + when: + - step|int == 1 + - enable_internal_tls + block: + - include_role: + name: linux-system-roles.certificate + vars: + certificate_requests: + - name: metrics_qdr + dns: + str_replace: + template: "{{fqdn_NETWORK}}" + 
params: + NETWORK: + get_param: + - ServiceNetMap + - str_replace: + template: "ROLENAMEMetricsQdrNetwork" + params: + ROLENAME: {get_param: RoleName} + principal: + str_replace: + template: "metrics_qdr/{{fqdn_NETWORK}}@{{idm_realm}}" + params: + NETWORK: + get_param: + - ServiceNetMap + - str_replace: + template: "ROLENAMEMetricsQdrNetwork" + params: + ROLENAME: {get_param: RoleName} + run_after: | + container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep metrics_qdr) + service_crt="/etc/pki/tls/certs/metrics_qdr.crt" + service_key="/etc/pki/tls/private/metrics_qdr.key + # Copy the new cert from the mount-point to the real path + {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt" + # Copy the new key from the mount-point to the real path + {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key" + # Set appropriate permissions + {{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_crt" + {{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_key" + # Trigger a container restart to read the new certificate + {{container_cli}} restart "$container_name" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: QdrCertificateKeySize} + ca: ipa host_prep_tasks: - name: create persistent logs directory file: diff --git a/deployment/neutron/neutron-dhcp-container-puppet.yaml b/deployment/neutron/neutron-dhcp-container-puppet.yaml index 86878a7fdb..30395fb922 100644 --- a/deployment/neutron/neutron-dhcp-container-puppet.yaml +++ b/deployment/neutron/neutron-dhcp-container-puppet.yaml 
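Review bot: In the metrics_qdr `run_after` script the line `service_key="/etc/pki/tls/private/metrics_qdr.key` has no closing quote, so the assignment swallows the following lines and the remaining quotes pair up wrongly; the copy, chown and restart commands do not run as written and the renewed key is not installed into the container. The line should be `service_key="/etc/pki/tls/private/metrics_qdr.key"`. The same text existed before this patch, but it is now on the added side and is the copy that will ship.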
@@ -382,47 +382,45 @@ outputs: type: node - null deploy_steps_tasks: - if: - - internal_tls_enabled - - - - name: Certificate generation - when: step|int == 1 - block: - - include_role: - name: linux-system-roles.certificate - vars: - certificate_requests: - - name: neutron - dns: - str_replace: - template: "{{fqdn_$NETWORK}}" - params: - $NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]} - principal: - str_replace: - template: "neutron/{{fqdn_$NETWORK}}@{{idm_realm}}" - params: - $NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]} - run_after: | - container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep neutron_dhcp) - # The certificate is also installed on the computes, but neutron_dhcp is only - # present on the controllers, so we exit if the container could not be found. - [[ -z $container_name ]] && exit 0 + - name: Certificate generation + when: + - step|int == 1 + - enable_internal_tls + block: + - include_role: + name: linux-system-roles.certificate + vars: + certificate_requests: + - name: neutron + dns: + str_replace: + template: "{{fqdn_$NETWORK}}" + params: + $NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]} + principal: + str_replace: + template: "neutron/{{fqdn_$NETWORK}}@{{idm_realm}}" + params: + $NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]} + run_after: | + container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep neutron_dhcp) + # The certificate is also installed on the computes, but neutron_dhcp is only + # present on the controllers, so we exit if the container could not be found. 
+ [[ -z $container_name ]] && exit 0 - service_crt="/etc/pki/tls/certs/neutron.crt" - service_key="/etc/pki/tls/private/neutron.key" - # Copy the new cert from the mount-point to the real path - {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt" - # Copy the new key from the mount-point to the real path - {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key "$service_key" - # No need to trigger a reload for neutron dhcpd since the cert is not cached - key_size: - if: - - key_size_override_unset - - {get_param: CertificateKeySize} - - {get_param: NeutronDhcpCertificateKeySize} - ca: ipa - - null + service_crt="/etc/pki/tls/certs/neutron.crt" + service_key="/etc/pki/tls/private/neutron.key" + # Copy the new cert from the mount-point to the real path + {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt" + # Copy the new key from the mount-point to the real path + {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key "$service_key" + # No need to trigger a reload for neutron dhcpd since the cert is not cached + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: NeutronDhcpCertificateKeySize} + ca: ipa host_prep_tasks: list_concat: - {get_attr: [NeutronLogging, host_prep_tasks]} diff --git a/deployment/ovn/ovn-controller-container-puppet.yaml b/deployment/ovn/ovn-controller-container-puppet.yaml index 598fb833f4..f39ec6e6eb 100644 --- a/deployment/ovn/ovn-controller-container-puppet.yaml +++ b/deployment/ovn/ovn-controller-container-puppet.yaml 
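Review bot: In the neutron `run_after` script the key copy line `cp "/var/lib/kolla/config_files/src-tls$service_key "$service_key"` is mis-quoted: the first string closes after a trailing space and the next `"` opens a quote that is never closed, so bash reports an unmatched quote and the renewed key is not copied into the container. It should read `{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"`. The preceding `[[ -z $container_name ]] && exit 0` guard and the cert copy line above it are fine. The defect predates this patch but now lives on the added side.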
@@ -291,34 +291,32 @@ outputs: environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS deploy_steps_tasks: - if: - - internal_tls_enabled - - - - name: Certificate generation - when: step|int == 1 - block: - - include_role: - name: linux-system-roles.certificate - vars: - certificate_requests: - - name: ovn_controller - dns: - str_replace: - template: "{{fqdn_$NETWORK}}" - params: - $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} - principal: - str_replace: - template: "ovn_controller/{{fqdn_$NETWORK}}@{{idm_realm}}" - params: - $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} - key_size: - if: - - key_size_override_unset - - {get_param: CertificateKeySize} - - {get_param: ContainerOvnCertificateKeySize} - ca: ipa - - null + - name: Certificate generation + when: + - step|int == 1 + - enable_internal_tls + block: + - include_role: + name: linux-system-roles.certificate + vars: + certificate_requests: + - name: ovn_controller + dns: + str_replace: + template: "{{fqdn_$NETWORK}}" + params: + $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} + principal: + str_replace: + template: "ovn_controller/{{fqdn_$NETWORK}}@{{idm_realm}}" + params: + $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: ContainerOvnCertificateKeySize} + ca: ipa host_prep_tasks: - name: create persistent directories file: diff --git a/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml b/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml index c320fd9ad0..f7bc18c0ad 100644 --- a/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml +++ b/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml 
@@ -228,57 +228,54 @@ outputs: - { 'path': /var/log/containers/openvswitch, 'setype': container_file_t, 'mode': '0750' } - { 'path': /var/lib/openvswitch/ovn, 'setype': container_file_t } deploy_steps_tasks: - list_concat: - - - name: OVN DBS tag container image for pacemaker - when: step|int == 1 + - name: OVN DBS tag container image for pacemaker + when: step|int == 1 + import_role: + name: tripleo_container_tag + vars: + container_image: {get_param: ContainerOvnDbsImage} + container_image_latest: *ovn_dbs_image_pcmklatest + - name: OVNDbs HA Wrappers Step + when: step|int == 3 + block: &ovn_dbs_puppet_bundle + - name: Ovn dbs puppet bundle import_role: - name: tripleo_container_tag + name: tripleo_ha_wrapper vars: - container_image: {get_param: ContainerOvnDbsImage} - container_image_latest: *ovn_dbs_image_pcmklatest - - name: OVNDbs HA Wrappers Step - when: step|int == 3 - block: &ovn_dbs_puppet_bundle - - name: Ovn dbs puppet bundle - import_role: - name: tripleo_ha_wrapper - vars: - tripleo_ha_wrapper_service_name: ovn_dbs - tripleo_ha_wrapper_resource_name: ovndbs_servers - tripleo_ha_wrapper_bundle_name: ovn-dbs-bundle - tripleo_ha_wrapper_resource_state: Slave Master - tripleo_ha_wrapper_puppet_config_volume: ovn_dbs - tripleo_ha_wrapper_puppet_execute: 'include ::tripleo::profile::base::pacemaker; include ::tripleo::profile::pacemaker::ovn_dbs_bundle' - tripleo_ha_wrapper_puppet_tags: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation' - tripleo_ha_wrapper_puppet_debug: {get_param: ConfigDebug} - - if: - - internal_tls_enabled - - - - name: Certificate generation - when: step|int == 1 - block: - - include_role: - name: linux-system-roles.certificate - vars: - certificate_requests: - - name: ovn_dbs - dns: - str_replace: - template: "{{fqdn_$NETWORK}}" - params: - $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} - principal: - str_replace: - 
template: "ovn_dbs/{{fqdn_$NETWORK}}@{{idm_realm}}" - params: - $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} - key_size: - if: - - key_size_override_unset - - {get_param: CertificateKeySize} - - {get_param: OvnDBSCertificateKeySize} - ca: ipa - - [] + tripleo_ha_wrapper_service_name: ovn_dbs + tripleo_ha_wrapper_resource_name: ovndbs_servers + tripleo_ha_wrapper_bundle_name: ovn-dbs-bundle + tripleo_ha_wrapper_resource_state: Slave Master + tripleo_ha_wrapper_puppet_config_volume: ovn_dbs + tripleo_ha_wrapper_puppet_execute: 'include ::tripleo::profile::base::pacemaker; include ::tripleo::profile::pacemaker::ovn_dbs_bundle' + tripleo_ha_wrapper_puppet_tags: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation' + tripleo_ha_wrapper_puppet_debug: {get_param: ConfigDebug} + - name: Certificate generation + when: + - step|int == 1 + - enable_internal_tls + block: + - include_role: + name: linux-system-roles.certificate + vars: + certificate_requests: + - name: ovn_dbs + dns: + str_replace: + template: "{{fqdn_$NETWORK}}" + params: + $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} + principal: + str_replace: + template: "ovn_dbs/{{fqdn_$NETWORK}}@{{idm_realm}}" + params: + $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: OvnDBSCertificateKeySize} + ca: ipa update_tasks: - name: Tear-down non-HA ovn-dbs containers when: diff --git a/deployment/ovn/ovn-metadata-container-puppet.yaml b/deployment/ovn/ovn-metadata-container-puppet.yaml index 3f528ed8d1..1c4f45abce 100644 --- a/deployment/ovn/ovn-metadata-container-puppet.yaml +++ b/deployment/ovn/ovn-metadata-container-puppet.yaml 
@@ -336,34 +336,32 @@ outputs: type: node - null deploy_steps_tasks: - if: - - internal_tls_enabled - - - - name: Certificate generation - when: step|int == 1 - block: - - include_role: - name: linux-system-roles.certificate - vars: - certificate_requests: - - name: ovn_metadata - dns: - str_replace: - template: "{{fqdn_$NETWORK}}" - params: - $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} - principal: - str_replace: - template: "ovn_metadata/{{fqdn_$NETWORK}}@{{idm_realm}}" - params: - $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} - key_size: - if: - - key_size_override_unset - - {get_param: CertificateKeySize} - - {get_param: OvnMetadataCertificateKeySize} - ca: ipa - - null + - name: Certificate generation + when: + - step|int == 1 + - enable_internal_tls + block: + - include_role: + name: linux-system-roles.certificate + vars: + certificate_requests: + - name: ovn_metadata + dns: + str_replace: + template: "{{fqdn_$NETWORK}}" + params: + $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} + principal: + str_replace: + template: "ovn_metadata/{{fqdn_$NETWORK}}@{{idm_realm}}" + params: + $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: OvnMetadataCertificateKeySize} + ca: ipa host_prep_tasks: list_concat: - {get_attr: [NeutronLogging, host_prep_tasks]} diff --git a/deployment/rabbitmq/rabbitmq-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-container-puppet.yaml index 7949f26170..966f23abdb 100644 --- a/deployment/rabbitmq/rabbitmq-container-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-container-puppet.yaml 
@@ -335,59 +335,57 @@ outputs: type: node - null deploy_steps_tasks: - if: - - internal_tls_enabled - - - - name: Certificate generation - when: step|int == 1 - block: - - include_role: - name: linux-system-roles.certificate - vars: - certificate_requests: - - name: rabbitmq - dns: - str_replace: - template: "{{fqdn_$NETWORK}}" - params: - $NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} - principal: - str_replace: - template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}" - params: - $NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} - run_after: | - container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?') - service_crt="/etc/pki/tls/certs/rabbitmq.crt" - service_key="/etc/pki/tls/private/rabbitmq.key" - if echo "$container_name" | grep -q "^rabbitmq-bundle"; then - # lp#1917868: Do not use podman cp with HA containers as they get - # frozen temporarily and that can make pacemaker operation fail. - tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv - # no need to update the mount point, because pacemaker - # recreates the container when it's restarted - else - # Refresh the cert at the mount-point - {{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt" - # Refresh the key at the mount-point - {{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key" - # Copy the new cert from the mount-point to the real path - {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt" - # Copy the new key from the mount-point to the real path - {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key" - fi - # Set appropriate permissions - {{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt" - {{container_cli}} exec -u root "$container_name" 
chown rabbitmq:rabbitmq "$service_key" - # Trigger a pem cache clear in RabbitMQ to read the new certificates - {{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()." - key_size: - if: - - key_size_override_unset - - {get_param: CertificateKeySize} - - {get_param: RabbitmqCertificateKeySize} - ca: ipa - - null + - name: Certificate generation + when: + - step|int == 1 + - enable_internal_tls + block: + - include_role: + name: linux-system-roles.certificate + vars: + certificate_requests: + - name: rabbitmq + dns: + str_replace: + template: "{{fqdn_$NETWORK}}" + params: + $NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} + principal: + str_replace: + template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}" + params: + $NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} + run_after: | + container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?') + service_crt="/etc/pki/tls/certs/rabbitmq.crt" + service_key="/etc/pki/tls/private/rabbitmq.key" + if echo "$container_name" | grep -q "^rabbitmq-bundle"; then + # lp#1917868: Do not use podman cp with HA containers as they get + # frozen temporarily and that can make pacemaker operation fail. 
+ tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv + # no need to update the mount point, because pacemaker + # recreates the container when it's restarted + else + # Refresh the cert at the mount-point + {{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt" + # Refresh the key at the mount-point + {{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key" + # Copy the new cert from the mount-point to the real path + {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt" + # Copy the new key from the mount-point to the real path + {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key" + fi + # Set appropriate permissions + {{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt" + {{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key" + # Trigger a pem cache clear in RabbitMQ to read the new certificates + {{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()." + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: RabbitmqCertificateKeySize} + ca: ipa host_prep_tasks: - name: create persistent directories file: diff --git a/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml index cccce7a036..aff27d6b7a 100644 --- a/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml 
@@ -270,59 +270,57 @@ outputs: type: node - null deploy_steps_tasks: - if: - - internal_tls_enabled - - - - name: Certificate generation - when: step|int == 1 - block: - - include_role: - name: linux-system-roles.certificate - vars: - certificate_requests: - - name: rabbitmq - dns: - str_replace: - template: "{{fqdn_$NETWORK}}" - params: - $NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]} - principal: - str_replace: - template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}" - params: - $NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]} - run_after: | - container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?') - service_crt="/etc/pki/tls/certs/rabbitmq.crt" - service_key="/etc/pki/tls/private/rabbitmq.key" - if echo "$container_name" | grep -q "^rabbitmq-bundle"; then - # lp#1917868: Do not use podman cp with HA containers as they get - # frozen temporarily and that can make pacemaker operation fail. - tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv - # no need to update the mount point, because pacemaker - # recreates the container when it's restarted - else - # Refresh the cert at the mount-point - {{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt" - # Refresh the key at the mount-point - {{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key" - # Copy the new cert from the mount-point to the real path - {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt" - # Copy the new key from the mount-point to the real path - {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key" - fi - # Set appropriate permissions - {{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt" - {{container_cli}} exec -u 
root "$container_name" chown rabbitmq:rabbitmq "$service_key" - # Trigger a pem cache clear in RabbitMQ to read the new certificates - {{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()." - key_size: - if: - - key_size_override_unset - - {get_param: CertificateKeySize} - - {get_param: RabbitmqMessageCertificateKeySize} - ca: ipa - - null + - name: Certificate generation + when: + - step|int == 1 + - enable_internal_tls + block: + - include_role: + name: linux-system-roles.certificate + vars: + certificate_requests: + - name: rabbitmq + dns: + str_replace: + template: "{{fqdn_$NETWORK}}" + params: + $NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]} + principal: + str_replace: + template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}" + params: + $NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]} + run_after: | + container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?') + service_crt="/etc/pki/tls/certs/rabbitmq.crt" + service_key="/etc/pki/tls/private/rabbitmq.key" + if echo "$container_name" | grep -q "^rabbitmq-bundle"; then + # lp#1917868: Do not use podman cp with HA containers as they get + # frozen temporarily and that can make pacemaker operation fail. 
+ tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv + # no need to update the mount point, because pacemaker + # recreates the container when it's restarted + else + # Refresh the cert at the mount-point + {{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt" + # Refresh the key at the mount-point + {{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key" + # Copy the new cert from the mount-point to the real path + {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt" + # Copy the new key from the mount-point to the real path + {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key" + fi + # Set appropriate permissions + {{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt" + {{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key" + # Trigger a pem cache clear in RabbitMQ to read the new certificates + {{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()." + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: RabbitmqMessageCertificateKeySize} + ca: ipa host_prep_tasks: - name: create persistent directories file: diff --git a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml index b82d5de136..0586308dfa 100644 --- a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml 
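Review bot: In the non-bundle branch of `run_after`, the private key is refreshed with `podman cp` and a root `cp` inside the container, and the only follow-up is `chown rabbitmq:rabbitmq "$service_key"`; nothing sets its mode, so the key's permissions inside the container depend on the pre-existing file's mode or the container's umask rather than on anything explicit. Adding `{{container_cli}} exec -u root "$container_name" chmod 0600 "$service_key"` after the chown line would pin it (the `tar -C / -x` branch carries the host mode in the archive, so it presumably does not need this). The script also runs without `set -e`, so a failed `cp` is still followed by the chown lines and the `ssl:clear_pem_cache()` call on whatever file is already there; a `set -e` as the first line of `run_after` would surface the failure to the caller instead, assuming a non-zero exit is reported. This script body is carried over unchanged; the commit only replaces the outer Heat `if` wrapper with the `when` clause.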
@@ -270,59 +270,57 @@ outputs: type: node - null deploy_steps_tasks: - if: - - internal_tls_enabled - - - - name: Certificate generation - when: step|int == 1 - block: - - include_role: - name: linux-system-roles.certificate - vars: - certificate_requests: - - name: rabbitmq - dns: - str_replace: - template: "{{fqdn_$NETWORK}}" - params: - $NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]} - principal: - str_replace: - template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}" - params: - $NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]} - run_after: | - container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?') - service_crt="/etc/pki/tls/certs/rabbitmq.crt" - service_key="/etc/pki/tls/private/rabbitmq.key" - if echo "$container_name" | grep -q "^rabbitmq-bundle"; then - # lp#1917868: Do not use podman cp with HA containers as they get - # frozen temporarily and that can make pacemaker operation fail. - tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv - # no need to update the mount point, because pacemaker - # recreates the container when it's restarted - else - # Refresh the cert at the mount-point - {{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt" - # Refresh the key at the mount-point - {{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key" - # Copy the new cert from the mount-point to the real path - {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt" - # Copy the new key from the mount-point to the real path - {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key" - fi - # Set appropriate permissions - {{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt" - {{container_cli}} exec -u root 
"$container_name" chown rabbitmq:rabbitmq "$service_key" - # Trigger a pem cache clear in RabbitMQ to read the new certificates - {{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()." - key_size: - if: - - key_size_override_unset - - {get_param: CertificateKeySize} - - {get_param: RpcCertificateKeySize} - ca: ipa - - null + - name: Certificate generation + when: + - step|int == 1 + - enable_internal_tls + block: + - include_role: + name: linux-system-roles.certificate + vars: + certificate_requests: + - name: rabbitmq + dns: + str_replace: + template: "{{fqdn_$NETWORK}}" + params: + $NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]} + principal: + str_replace: + template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}" + params: + $NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]} + run_after: | + container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?') + service_crt="/etc/pki/tls/certs/rabbitmq.crt" + service_key="/etc/pki/tls/private/rabbitmq.key" + if echo "$container_name" | grep -q "^rabbitmq-bundle"; then + # lp#1917868: Do not use podman cp with HA containers as they get + # frozen temporarily and that can make pacemaker operation fail. 
+ tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv + # no need to update the mount point, because pacemaker + # recreates the container when it's restarted + else + # Refresh the cert at the mount-point + {{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt" + # Refresh the key at the mount-point + {{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key" + # Copy the new cert from the mount-point to the real path + {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt" + # Copy the new key from the mount-point to the real path + {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key" + fi + # Set appropriate permissions + {{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt" + {{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key" + # Trigger a pem cache clear in RabbitMQ to read the new certificates + {{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()." + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: RpcCertificateKeySize} + ca: ipa host_prep_tasks: - name: create persistent directories file:
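Review bot: The new `when:` clause depends on `enable_internal_tls` being defined as a fact on every host that runs this task, whereas the removed Heat-level `if: internal_tls_enabled` dropped the task from the rendered output entirely; if the fact is absent on some host, Ansible's usual behaviour is to fail the conditional rather than skip the task. A defensive form such as `- enable_internal_tls | default(false) | bool` keeps the fail-closed behaviour (no certificate request, no key copied into the container, when TLS is off) without depending on the fact's presence or on it being a real boolean. Separately, `container_name=$(... | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')` yields an empty string when nothing matches and several lines when more than one container does, and neither case is checked before the `exec`/`cp` calls; a guard such as `[ -n "$container_name" ] || exit 1` right after that line would make the failure mode explicit. The surrounding `deploy_steps_tasks` list starts before this hunk, so whether sibling tasks apply the same guard is not visible here.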