Merge "Simplify internal_tls_enabled conditions"
commit
824ec8b5ad
@ -133,42 +133,40 @@ outputs:
|
||||||
- null
|
- null
|
||||||
upgrade_tasks: []
|
upgrade_tasks: []
|
||||||
deploy_steps_tasks:
|
deploy_steps_tasks:
|
||||||
if:
|
- name: Certificate generation
|
||||||
- internal_tls_enabled
|
when:
|
||||||
-
|
- step|int == 1
|
||||||
- name: Certificate generation
|
- enable_internal_tls
|
||||||
when: step|int == 1
|
block:
|
||||||
block:
|
- name: Create dirs for certificates and keys
|
||||||
- name: Create dirs for certificates and keys
|
file:
|
||||||
file:
|
path: "{{ item }}"
|
||||||
path: "{{ item }}"
|
state: directory
|
||||||
state: directory
|
serole: object_r
|
||||||
serole: object_r
|
setype: cert_t
|
||||||
setype: cert_t
|
seuser: system_u
|
||||||
seuser: system_u
|
with_items:
|
||||||
with_items:
|
- '/etc/pki/tls/certs/httpd'
|
||||||
- '/etc/pki/tls/certs/httpd'
|
- '/etc/pki/tls/private/httpd'
|
||||||
- '/etc/pki/tls/private/httpd'
|
- include_role:
|
||||||
- include_role:
|
name: linux-system-roles.certificate
|
||||||
name: linux-system-roles.certificate
|
vars:
|
||||||
vars:
|
certificate_requests:
|
||||||
certificate_requests:
|
repeat:
|
||||||
repeat:
|
template:
|
||||||
template:
|
name: httpd-NETWORK
|
||||||
name: httpd-NETWORK
|
dns: "{{fqdn_NETWORK}}"
|
||||||
dns: "{{fqdn_NETWORK}}"
|
principal: "HTTP/{{fqdn_NETWORK}}@{{idm_realm}}"
|
||||||
principal: "HTTP/{{fqdn_NETWORK}}@{{idm_realm}}"
|
run_after: |
|
||||||
run_after: |
|
cp /etc/pki/tls/certs/httpd-NETWORK.crt /etc/pki/tls/certs/httpd/httpd-NETWORK.crt
|
||||||
cp /etc/pki/tls/certs/httpd-NETWORK.crt /etc/pki/tls/certs/httpd/httpd-NETWORK.crt
|
cp /etc/pki/tls/private/httpd-NETWORK.key /etc/pki/tls/private/httpd/httpd-NETWORK.key
|
||||||
cp /etc/pki/tls/private/httpd-NETWORK.key /etc/pki/tls/private/httpd/httpd-NETWORK.key
|
pkill -USR1 httpd
|
||||||
pkill -USR1 httpd
|
key_size:
|
||||||
key_size:
|
if:
|
||||||
if:
|
- key_size_override_unset
|
||||||
- key_size_override_unset
|
- {get_param: CertificateKeySize}
|
||||||
- {get_param: CertificateKeySize}
|
- {get_param: ApacheCertificateKeySize}
|
||||||
- {get_param: ApacheCertificateKeySize}
|
ca: ipa
|
||||||
ca: ipa
|
for_each:
|
||||||
for_each:
|
NETWORK: {get_attr: [ApacheNetworks, value]}
|
||||||
NETWORK: {get_attr: [ApacheNetworks, value]}
|
|
||||||
- null
|
|
||||||
{%- endraw %}
|
{%- endraw %}
|
||||||
|
|
|
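Review bot: The new `when:` list relies on a bare `enable_internal_tls` (the `- enable_internal_tls` line under "Certificate generation"), which Ansible evaluates as a Jinja expression, so on any host where that variable is not defined the step aborts with an undefined-variable error instead of skipping the task the way the removed Heat `if:` did. Where the variable is set is outside this diff, so this may already be guaranteed; if it is not, `- enable_internal_tls | default(false) | bool` keeps the old skip semantics and also normalises a string value such as `"false"`, which a bare variable would not. The same `when:` form is introduced in every other hunk of this commit (grafana, ceph_rgw, mysql, redis, metrics_qdr, neutron, ovn_controller, ovn_dbs, ovn_metadata, rabbitmq), so one decision applies to all of them.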
@ -161,38 +161,36 @@ outputs:
|
||||||
type: node
|
type: node
|
||||||
- null
|
- null
|
||||||
deploy_steps_tasks:
|
deploy_steps_tasks:
|
||||||
if:
|
- name: Certificate generation
|
||||||
- internal_tls_enabled
|
when:
|
||||||
-
|
- step|int == 1
|
||||||
- name: Certificate generation
|
- enable_internal_tls
|
||||||
when: step|int == 1
|
block:
|
||||||
block:
|
- include_role:
|
||||||
- include_role:
|
name: linux-system-roles.certificate
|
||||||
name: linux-system-roles.certificate
|
vars:
|
||||||
vars:
|
certificate_requests:
|
||||||
certificate_requests:
|
- name: ceph_grafana
|
||||||
- name: ceph_grafana
|
dns:
|
||||||
dns:
|
str_replace:
|
||||||
str_replace:
|
template: "{{fqdn_$NETWORK}}"
|
||||||
template: "{{fqdn_$NETWORK}}"
|
params:
|
||||||
params:
|
$NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
|
||||||
$NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
|
principal:
|
||||||
principal:
|
str_replace:
|
||||||
str_replace:
|
template: "ceph_grafana/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||||
template: "ceph_grafana/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
params:
|
||||||
params:
|
$NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
|
||||||
$NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
|
run_after: |
|
||||||
run_after: |
|
# Get grafana systemd unit
|
||||||
# Get grafana systemd unit
|
grafana_unit=$(systemctl list-unit-files | awk '/grafana/ {print $1}')
|
||||||
grafana_unit=$(systemctl list-unit-files | awk '/grafana/ {print $1}')
|
# Restart the grafana systemd unit
|
||||||
# Restart the grafana systemd unit
|
if [ -z "$grafana_unit" ]; then
|
||||||
if [ -z "$grafana_unit" ]; then
|
systemctl restart "$grafana_unit"
|
||||||
systemctl restart "$grafana_unit"
|
fi
|
||||||
fi
|
key_size:
|
||||||
key_size:
|
if:
|
||||||
if:
|
- key_size_override_unset
|
||||||
- key_size_override_unset
|
- {get_param: CertificateKeySize}
|
||||||
- {get_param: CertificateKeySize}
|
- {get_param: GrafanaCertificateKeySize}
|
||||||
- {get_param: GrafanaCertificateKeySize}
|
ca: ipa
|
||||||
ca: ipa
|
|
||||||
- null
|
|
||||||
|
|
|
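Review bot: The restart guard in the grafana `run_after` script is inverted: `if [ -z "$grafana_unit" ]; then` runs the restart only when `grafana_unit` is empty, so a unit that was found is never restarted and an empty name is passed to `systemctl restart`, leaving grafana serving the old certificate after renewal. The ceph_rgw script in this same commit uses the correct form, `if [ -n "$rgw_unit" ]; then`; this one should read `if [ -n "$grafana_unit" ]; then`. The line is context rather than one the commit touches, but it is the script the new `when:` condition now executes.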
@ -174,43 +174,41 @@ outputs:
|
||||||
type: node
|
type: node
|
||||||
- null
|
- null
|
||||||
deploy_steps_tasks:
|
deploy_steps_tasks:
|
||||||
if:
|
- name: Certificate generation
|
||||||
- internal_tls_enabled
|
when:
|
||||||
-
|
- step|int == 1
|
||||||
- name: Certificate generation
|
- enable_internal_tls
|
||||||
when: step|int == 1
|
block:
|
||||||
block:
|
- include_role:
|
||||||
- include_role:
|
name: linux-system-roles.certificate
|
||||||
name: linux-system-roles.certificate
|
vars:
|
||||||
vars:
|
certificate_requests:
|
||||||
certificate_requests:
|
- name: ceph_rgw
|
||||||
- name: ceph_rgw
|
dns:
|
||||||
dns:
|
str_replace:
|
||||||
str_replace:
|
template: "{{fqdn_$NETWORK}}"
|
||||||
template: "{{fqdn_$NETWORK}}"
|
params:
|
||||||
params:
|
$NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
|
||||||
$NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
|
principal:
|
||||||
principal:
|
str_replace:
|
||||||
str_replace:
|
template: "ceph_rgw/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||||
template: "ceph_rgw/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
params:
|
||||||
params:
|
$NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
|
||||||
$NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
|
run_after: |
|
||||||
run_after: |
|
# Create PEM file
|
||||||
# Create PEM file
|
pemfile=/etc/pki/tls/certs/ceph_rgw.pem
|
||||||
pemfile=/etc/pki/tls/certs/ceph_rgw.pem
|
cat /etc/pki/tls/certs/ceph_rgw.crt /etc/ipa/ca.crt /etc/pki/tls/private/ceph_rgw.key > $pemfile
|
||||||
cat /etc/pki/tls/certs/ceph_rgw.crt /etc/ipa/ca.crt /etc/pki/tls/private/ceph_rgw.key > $pemfile
|
chmod 0640 $pemfile
|
||||||
chmod 0640 $pemfile
|
chown 472:472 $pemfile
|
||||||
chown 472:472 $pemfile
|
# Get ceph rgw systemd unit
|
||||||
# Get ceph rgw systemd unit
|
rgw_unit=$(systemctl list-unit-files | awk '/radosgw/ {print $1}')
|
||||||
rgw_unit=$(systemctl list-unit-files | awk '/radosgw/ {print $1}')
|
# Restart the rgw systemd unit
|
||||||
# Restart the rgw systemd unit
|
if [ -n "$rgw_unit" ]; then
|
||||||
if [ -n "$rgw_unit" ]; then
|
systemctl restart "$rgw_unit"
|
||||||
systemctl restart "$rgw_unit"
|
fi
|
||||||
fi
|
key_size:
|
||||||
key_size:
|
if:
|
||||||
if:
|
- key_size_override_unset
|
||||||
- key_size_override_unset
|
- {get_param: CertificateKeySize}
|
||||||
- {get_param: CertificateKeySize}
|
- {get_param: CephRgwCertificateKeySize}
|
||||||
- {get_param: CephRgwCertificateKeySize}
|
ca: ipa
|
||||||
ca: ipa
|
|
||||||
- null
|
|
||||||
|
|
|
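Review bot: In the ceph_rgw `run_after` script, `cat /etc/pki/tls/certs/ceph_rgw.crt /etc/ipa/ca.crt /etc/pki/tls/private/ceph_rgw.key > $pemfile` creates the PEM, which contains the private key, with the shell's default umask, and only the following `chmod 0640 $pemfile` tightens it, so there is a window in which the key material is readable by other local users, and a pre-existing wider-mode file keeps its mode until the chmod runs. Creating the file with its final mode first closes that gap, e.g. `install -m 0640 -o 472 -g 472 /dev/null "$pemfile"` before the `cat`, or wrapping the redirect as `( umask 027; cat ... > "$pemfile" )`. A short comment naming which account `472:472` is would also help, since the literal uid/gid is not explained anywhere in the hunk.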
@ -174,35 +174,33 @@ outputs:
|
||||||
type: node
|
type: node
|
||||||
- null
|
- null
|
||||||
deploy_steps_tasks:
|
deploy_steps_tasks:
|
||||||
if:
|
- name: Certificate generation
|
||||||
- internal_tls_enabled
|
when:
|
||||||
-
|
- step|int == 1
|
||||||
- name: Certificate generation
|
- enable_internal_tls
|
||||||
when: step|int == 1
|
block:
|
||||||
block:
|
- include_role:
|
||||||
- include_role:
|
name: linux-system-roles.certificate
|
||||||
name: linux-system-roles.certificate
|
vars:
|
||||||
vars:
|
certificate_requests:
|
||||||
certificate_requests:
|
- name: mysql
|
||||||
- name: mysql
|
dns:
|
||||||
dns:
|
- str_replace:
|
||||||
- str_replace:
|
template: "{{fqdn_$NETWORK}}"
|
||||||
template: "{{fqdn_$NETWORK}}"
|
params:
|
||||||
params:
|
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||||
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
- str_replace:
|
||||||
- str_replace:
|
template: "{{cloud_names.cloud_name_NETWORK}}"
|
||||||
template: "{{cloud_names.cloud_name_NETWORK}}"
|
params:
|
||||||
params:
|
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||||
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
principal:
|
||||||
principal:
|
str_replace:
|
||||||
str_replace:
|
template: "mysql/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||||
template: "mysql/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
params:
|
||||||
params:
|
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||||
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
key_size:
|
||||||
key_size:
|
if:
|
||||||
if:
|
- key_size_override_unset
|
||||||
- key_size_override_unset
|
- {get_param: CertificateKeySize}
|
||||||
- {get_param: CertificateKeySize}
|
- {get_param: MysqlCertificateKeySize}
|
||||||
- {get_param: MysqlCertificateKeySize}
|
ca: ipa
|
||||||
ca: ipa
|
|
||||||
- null
|
|
||||||
|
|
|
@ -196,51 +196,49 @@ outputs:
|
||||||
type: node
|
type: node
|
||||||
- null
|
- null
|
||||||
deploy_steps_tasks:
|
deploy_steps_tasks:
|
||||||
if:
|
- name: Certificate generation
|
||||||
- internal_tls_enabled
|
when:
|
||||||
-
|
- step|int == 1
|
||||||
- name: Certificate generation
|
- enable_internal_tls
|
||||||
when: step|int == 1
|
block:
|
||||||
block:
|
- include_role:
|
||||||
- include_role:
|
name: linux-system-roles.certificate
|
||||||
name: linux-system-roles.certificate
|
vars:
|
||||||
vars:
|
certificate_requests:
|
||||||
certificate_requests:
|
- name: redis
|
||||||
- name: redis
|
dns:
|
||||||
dns:
|
- str_replace:
|
||||||
- str_replace:
|
template: "{{fqdn_$NETWORK}}"
|
||||||
template: "{{fqdn_$NETWORK}}"
|
params:
|
||||||
params:
|
$NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||||
$NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
- str_replace:
|
||||||
- str_replace:
|
template: "{{cloud_names.cloud_name_NETWORK}}"
|
||||||
template: "{{cloud_names.cloud_name_NETWORK}}"
|
params:
|
||||||
params:
|
NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||||
NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
principal:
|
||||||
principal:
|
str_replace:
|
||||||
str_replace:
|
template: "redis/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||||
template: "redis/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
params:
|
||||||
params:
|
$NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||||
$NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
run_after: |
|
||||||
run_after: |
|
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep redis_tls_proxy)
|
||||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep redis_tls_proxy)
|
service_crt="/etc/pki/tls/certs/redis.crt"
|
||||||
service_crt="/etc/pki/tls/certs/redis.crt"
|
service_key="/etc/pki/tls/private/redis.key"
|
||||||
service_key="/etc/pki/tls/private/redis.key"
|
# Copy the new cert from the mount-point to the real path
|
||||||
# Copy the new cert from the mount-point to the real path
|
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||||
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
# Copy the new cert from the mount-point to the real path
|
||||||
# Copy the new cert from the mount-point to the real path
|
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||||
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
# Set appropriate permissions
|
||||||
# Set appropriate permissions
|
{{container_cli}} exec "$container_name" chown memcached:memcached "$service_crt"
|
||||||
{{container_cli}} exec "$container_name" chown memcached:memcached "$service_crt"
|
{{container_cli}} exec "$container_name" chown memcached:memcached "$service_key"
|
||||||
{{container_cli}} exec "$container_name" chown memcached:memcached "$service_key"
|
# Trigger a reload for stunnel to read the new certificate
|
||||||
# Trigger a reload for stunnel to read the new certificate
|
{{container_cli}} exec pkill -o -HUP stunnel
|
||||||
{{container_cli}} exec pkill -o -HUP stunnel
|
key_size:
|
||||||
key_size:
|
if:
|
||||||
if:
|
- key_size_override_unset
|
||||||
- key_size_override_unset
|
- {get_param: CertificateKeySize}
|
||||||
- {get_param: CertificateKeySize}
|
- {get_param: RedisCertificateKeySize}
|
||||||
- {get_param: RedisCertificateKeySize}
|
ca: ipa
|
||||||
ca: ipa
|
|
||||||
- null
|
|
||||||
host_prep_tasks:
|
host_prep_tasks:
|
||||||
- name: create persistent directories
|
- name: create persistent directories
|
||||||
file:
|
file:
|
||||||
|
|
|
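Review bot: The reload at the end of the redis `run_after` script, `{{container_cli}} exec pkill -o -HUP stunnel`, has no container argument, so the CLI treats `pkill` as the container name and the command fails, and stunnel keeps serving the old certificate until the proxy is restarted some other way. Every other command in the script targets `"$container_name"`, and this one should too: `{{container_cli}} exec "$container_name" pkill -o -HUP stunnel`. The comment above the key copy, `# Copy the new cert from the mount-point to the real path`, is also a copy of the cert comment and should say key.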
@ -327,59 +327,57 @@ outputs:
|
||||||
environment:
|
environment:
|
||||||
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||||
deploy_steps_tasks:
|
deploy_steps_tasks:
|
||||||
if:
|
- name: Certificate generation
|
||||||
- internal_tls_enabled
|
when:
|
||||||
-
|
- step|int == 1
|
||||||
- name: Certificate generation
|
- enable_internal_tls
|
||||||
when: step|int == 1
|
block:
|
||||||
block:
|
- include_role:
|
||||||
- include_role:
|
name: linux-system-roles.certificate
|
||||||
name: linux-system-roles.certificate
|
vars:
|
||||||
vars:
|
certificate_requests:
|
||||||
certificate_requests:
|
- name: metrics_qdr
|
||||||
- name: metrics_qdr
|
dns:
|
||||||
dns:
|
str_replace:
|
||||||
str_replace:
|
template: "{{fqdn_NETWORK}}"
|
||||||
template: "{{fqdn_NETWORK}}"
|
params:
|
||||||
params:
|
NETWORK:
|
||||||
NETWORK:
|
get_param:
|
||||||
get_param:
|
- ServiceNetMap
|
||||||
- ServiceNetMap
|
- str_replace:
|
||||||
- str_replace:
|
template: "ROLENAMEMetricsQdrNetwork"
|
||||||
template: "ROLENAMEMetricsQdrNetwork"
|
params:
|
||||||
params:
|
ROLENAME: {get_param: RoleName}
|
||||||
ROLENAME: {get_param: RoleName}
|
principal:
|
||||||
principal:
|
str_replace:
|
||||||
str_replace:
|
template: "metrics_qdr/{{fqdn_NETWORK}}@{{idm_realm}}"
|
||||||
template: "metrics_qdr/{{fqdn_NETWORK}}@{{idm_realm}}"
|
params:
|
||||||
params:
|
NETWORK:
|
||||||
NETWORK:
|
get_param:
|
||||||
get_param:
|
- ServiceNetMap
|
||||||
- ServiceNetMap
|
- str_replace:
|
||||||
- str_replace:
|
template: "ROLENAMEMetricsQdrNetwork"
|
||||||
template: "ROLENAMEMetricsQdrNetwork"
|
params:
|
||||||
params:
|
ROLENAME: {get_param: RoleName}
|
||||||
ROLENAME: {get_param: RoleName}
|
run_after: |
|
||||||
run_after: |
|
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep metrics_qdr)
|
||||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep metrics_qdr)
|
service_crt="/etc/pki/tls/certs/metrics_qdr.crt"
|
||||||
service_crt="/etc/pki/tls/certs/metrics_qdr.crt"
|
service_key="/etc/pki/tls/private/metrics_qdr.key
|
||||||
service_key="/etc/pki/tls/private/metrics_qdr.key
|
# Copy the new cert from the mount-point to the real path
|
||||||
# Copy the new cert from the mount-point to the real path
|
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||||
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
# Copy the new key from the mount-point to the real path
|
||||||
# Copy the new key from the mount-point to the real path
|
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||||
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
# Set appropriate permissions
|
||||||
# Set appropriate permissions
|
{{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_crt"
|
||||||
{{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_crt"
|
{{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_key"
|
||||||
{{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_key"
|
# Trigger a container restart to read the new certificate
|
||||||
# Trigger a container restart to read the new certificate
|
{{container_cli}} restart "$container_name"
|
||||||
{{container_cli}} restart "$container_name"
|
key_size:
|
||||||
key_size:
|
if:
|
||||||
if:
|
- key_size_override_unset
|
||||||
- key_size_override_unset
|
- {get_param: CertificateKeySize}
|
||||||
- {get_param: CertificateKeySize}
|
- {get_param: QdrCertificateKeySize}
|
||||||
- {get_param: QdrCertificateKeySize}
|
ca: ipa
|
||||||
ca: ipa
|
|
||||||
- null
|
|
||||||
host_prep_tasks:
|
host_prep_tasks:
|
||||||
- name: create persistent logs directory
|
- name: create persistent logs directory
|
||||||
file:
|
file:
|
||||||
|
|
|
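Review bot: `service_key="/etc/pki/tls/private/metrics_qdr.key` in the metrics_qdr `run_after` script has no closing quote, so the string runs on across the following comment line and into the next `{{container_cli}} exec` line up to its first `"`; the result is a multi-line `service_key` value and a mangled cert-copy command, so neither the renewed cert nor the key is installed into the container and the restart at the end picks up stale material. The line should be `service_key="/etc/pki/tls/private/metrics_qdr.key"`, matching the `service_crt` line directly above it. This is context rather than a line the commit changes, but it is the script the new `when:` now runs.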
@ -376,47 +376,45 @@ outputs:
|
||||||
type: node
|
type: node
|
||||||
- null
|
- null
|
||||||
deploy_steps_tasks:
|
deploy_steps_tasks:
|
||||||
if:
|
- name: Certificate generation
|
||||||
- internal_tls_enabled
|
when:
|
||||||
-
|
- step|int == 1
|
||||||
- name: Certificate generation
|
- enable_internal_tls
|
||||||
when: step|int == 1
|
block:
|
||||||
block:
|
- include_role:
|
||||||
- include_role:
|
name: linux-system-roles.certificate
|
||||||
name: linux-system-roles.certificate
|
vars:
|
||||||
vars:
|
certificate_requests:
|
||||||
certificate_requests:
|
- name: neutron
|
||||||
- name: neutron
|
dns:
|
||||||
dns:
|
str_replace:
|
||||||
str_replace:
|
template: "{{fqdn_$NETWORK}}"
|
||||||
template: "{{fqdn_$NETWORK}}"
|
params:
|
||||||
params:
|
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
||||||
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
principal:
|
||||||
principal:
|
str_replace:
|
||||||
str_replace:
|
template: "neutron/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||||
template: "neutron/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
params:
|
||||||
params:
|
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
||||||
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
run_after: |
|
||||||
run_after: |
|
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep neutron_dhcp)
|
||||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep neutron_dhcp)
|
# The certificate is also installed on the computes, but neutron_dhcp is only
|
||||||
# The certificate is also installed on the computes, but neutron_dhcp is only
|
# present on the controllers, so we exit if the container could not be found.
|
||||||
# present on the controllers, so we exit if the container could not be found.
|
[[ -z $container_name ]] && exit 0
|
||||||
[[ -z $container_name ]] && exit 0
|
|
||||||
|
|
||||||
service_crt="/etc/pki/tls/certs/neutron.crt"
|
service_crt="/etc/pki/tls/certs/neutron.crt"
|
||||||
service_key="/etc/pki/tls/private/neutron.key"
|
service_key="/etc/pki/tls/private/neutron.key"
|
||||||
# Copy the new cert from the mount-point to the real path
|
# Copy the new cert from the mount-point to the real path
|
||||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||||
# Copy the new key from the mount-point to the real path
|
# Copy the new key from the mount-point to the real path
|
||||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key "$service_key"
|
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key "$service_key"
|
||||||
# No need to trigger a reload for neutron dhcpd since the cert is not cached
|
# No need to trigger a reload for neutron dhcpd since the cert is not cached
|
||||||
key_size:
|
key_size:
|
||||||
if:
|
if:
|
||||||
- key_size_override_unset
|
- key_size_override_unset
|
||||||
- {get_param: CertificateKeySize}
|
- {get_param: CertificateKeySize}
|
||||||
- {get_param: NeutronDhcpCertificateKeySize}
|
- {get_param: NeutronDhcpCertificateKeySize}
|
||||||
ca: ipa
|
ca: ipa
|
||||||
- null
|
|
||||||
host_prep_tasks:
|
host_prep_tasks:
|
||||||
list_concat:
|
list_concat:
|
||||||
- {get_attr: [NeutronLogging, host_prep_tasks]}
|
- {get_attr: [NeutronLogging, host_prep_tasks]}
|
||||||
|
|
|
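Review bot: The key copy in the neutron `run_after` script, `{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key "$service_key"`, is missing the closing quote after `$service_key` in the source path, which leaves a dangling `"` open to the end of the script, so the shell either rejects the script or passes a wrong path and the renewed key is never copied into neutron_dhcp. It should read `{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"`, exactly like the cert copy two lines above it.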
@ -303,34 +303,32 @@ outputs:
|
||||||
environment:
|
environment:
|
||||||
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||||
deploy_steps_tasks:
|
deploy_steps_tasks:
|
||||||
if:
|
- name: Certificate generation
|
||||||
- internal_tls_enabled
|
when:
|
||||||
-
|
- step|int == 1
|
||||||
- name: Certificate generation
|
- enable_internal_tls
|
||||||
when: step|int == 1
|
block:
|
||||||
block:
|
- include_role:
|
||||||
- include_role:
|
name: linux-system-roles.certificate
|
||||||
name: linux-system-roles.certificate
|
vars:
|
||||||
vars:
|
certificate_requests:
|
||||||
certificate_requests:
|
- name: ovn_controller
|
||||||
- name: ovn_controller
|
dns:
|
||||||
dns:
|
str_replace:
|
||||||
str_replace:
|
template: "{{fqdn_$NETWORK}}"
|
||||||
template: "{{fqdn_$NETWORK}}"
|
params:
|
||||||
params:
|
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
principal:
|
||||||
principal:
|
str_replace:
|
||||||
str_replace:
|
template: "ovn_controller/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||||
template: "ovn_controller/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
params:
|
||||||
params:
|
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
key_size:
|
||||||
key_size:
|
if:
|
||||||
if:
|
- key_size_override_unset
|
||||||
- key_size_override_unset
|
- {get_param: CertificateKeySize}
|
||||||
- {get_param: CertificateKeySize}
|
- {get_param: ContainerOvnCertificateKeySize}
|
||||||
- {get_param: ContainerOvnCertificateKeySize}
|
ca: ipa
|
||||||
ca: ipa
|
|
||||||
- null
|
|
||||||
host_prep_tasks:
|
host_prep_tasks:
|
||||||
- name: create persistent directories
|
- name: create persistent directories
|
||||||
file:
|
file:
|
||||||
|
|
|
@ -228,57 +228,54 @@ outputs:
|
||||||
- { 'path': /var/log/containers/openvswitch, 'setype': container_file_t, 'mode': '0750' }
|
- { 'path': /var/log/containers/openvswitch, 'setype': container_file_t, 'mode': '0750' }
|
||||||
- { 'path': /var/lib/openvswitch/ovn, 'setype': container_file_t }
|
- { 'path': /var/lib/openvswitch/ovn, 'setype': container_file_t }
|
||||||
deploy_steps_tasks:
|
deploy_steps_tasks:
|
||||||
list_concat:
|
- name: OVN DBS tag container image for pacemaker
|
||||||
- - name: OVN DBS tag container image for pacemaker
|
when: step|int == 1
|
||||||
when: step|int == 1
|
import_role:
|
||||||
|
name: tripleo_container_tag
|
||||||
|
vars:
|
||||||
|
container_image: {get_param: ContainerOvnDbsImage}
|
||||||
|
container_image_latest: *ovn_dbs_image_pcmklatest
|
||||||
|
- name: OVNDbs HA Wrappers Step
|
||||||
|
when: step|int == 3
|
||||||
|
block: &ovn_dbs_puppet_bundle
|
||||||
|
- name: Ovn dbs puppet bundle
|
||||||
import_role:
|
import_role:
|
||||||
name: tripleo_container_tag
|
name: tripleo_ha_wrapper
|
||||||
vars:
|
vars:
|
||||||
container_image: {get_param: ContainerOvnDbsImage}
|
tripleo_ha_wrapper_service_name: ovn_dbs
|
||||||
container_image_latest: *ovn_dbs_image_pcmklatest
|
tripleo_ha_wrapper_resource_name: ovndbs_servers
|
||||||
- name: OVNDbs HA Wrappers Step
|
tripleo_ha_wrapper_bundle_name: ovn-dbs-bundle
|
||||||
when: step|int == 3
|
tripleo_ha_wrapper_resource_state: Slave Master
|
||||||
block: &ovn_dbs_puppet_bundle
|
tripleo_ha_wrapper_puppet_config_volume: ovn_dbs
|
||||||
- name: Ovn dbs puppet bundle
|
tripleo_ha_wrapper_puppet_execute: 'include ::tripleo::profile::base::pacemaker; include ::tripleo::profile::pacemaker::ovn_dbs_bundle'
|
||||||
import_role:
|
tripleo_ha_wrapper_puppet_tags: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
|
||||||
name: tripleo_ha_wrapper
|
tripleo_ha_wrapper_puppet_debug: {get_param: ConfigDebug}
|
||||||
vars:
|
- name: Certificate generation
|
||||||
tripleo_ha_wrapper_service_name: ovn_dbs
|
when:
|
||||||
tripleo_ha_wrapper_resource_name: ovndbs_servers
|
- step|int == 1
|
||||||
tripleo_ha_wrapper_bundle_name: ovn-dbs-bundle
|
- enable_internal_tls
|
||||||
tripleo_ha_wrapper_resource_state: Slave Master
|
block:
|
||||||
tripleo_ha_wrapper_puppet_config_volume: ovn_dbs
|
- include_role:
|
||||||
tripleo_ha_wrapper_puppet_execute: 'include ::tripleo::profile::base::pacemaker; include ::tripleo::profile::pacemaker::ovn_dbs_bundle'
|
name: linux-system-roles.certificate
|
||||||
tripleo_ha_wrapper_puppet_tags: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
|
vars:
|
||||||
tripleo_ha_wrapper_puppet_debug: {get_param: ConfigDebug}
|
certificate_requests:
|
||||||
- if:
|
- name: ovn_dbs
|
||||||
- internal_tls_enabled
|
dns:
|
||||||
-
|
str_replace:
|
||||||
- name: Certificate generation
|
template: "{{fqdn_$NETWORK}}"
|
||||||
when: step|int == 1
|
params:
|
||||||
block:
|
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||||
- include_role:
|
principal:
|
||||||
name: linux-system-roles.certificate
|
str_replace:
|
||||||
vars:
|
template: "ovn_dbs/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||||
certificate_requests:
|
params:
|
||||||
- name: ovn_dbs
|
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||||
dns:
|
key_size:
|
||||||
str_replace:
|
if:
|
||||||
template: "{{fqdn_$NETWORK}}"
|
- key_size_override_unset
|
||||||
params:
|
- {get_param: CertificateKeySize}
|
||||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
- {get_param: OvnDBSCertificateKeySize}
|
||||||
principal:
|
ca: ipa
|
||||||
str_replace:
|
|
||||||
template: "ovn_dbs/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
|
||||||
params:
|
|
||||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
|
||||||
key_size:
|
|
||||||
if:
|
|
||||||
- key_size_override_unset
|
|
||||||
- {get_param: CertificateKeySize}
|
|
||||||
- {get_param: OvnDBSCertificateKeySize}
|
|
||||||
ca: ipa
|
|
||||||
- []
|
|
||||||
update_tasks:
|
update_tasks:
|
||||||
- name: Tear-down non-HA ovn-dbs containers
|
- name: Tear-down non-HA ovn-dbs containers
|
||||||
when:
|
when:
|
||||||
|
|
|
@ -329,34 +329,32 @@ outputs:
|
||||||
type: node
|
type: node
|
||||||
- null
|
- null
|
||||||
deploy_steps_tasks:
|
deploy_steps_tasks:
|
||||||
if:
|
- name: Certificate generation
|
||||||
- internal_tls_enabled
|
when:
|
||||||
-
|
- step|int == 1
|
||||||
- name: Certificate generation
|
- enable_internal_tls
|
||||||
when: step|int == 1
|
block:
|
||||||
block:
|
- include_role:
|
||||||
- include_role:
|
name: linux-system-roles.certificate
|
||||||
name: linux-system-roles.certificate
|
vars:
|
||||||
vars:
|
certificate_requests:
|
||||||
certificate_requests:
|
- name: ovn_metadata
|
||||||
- name: ovn_metadata
|
dns:
|
||||||
dns:
|
str_replace:
|
||||||
str_replace:
|
template: "{{fqdn_$NETWORK}}"
|
||||||
template: "{{fqdn_$NETWORK}}"
|
params:
|
||||||
params:
|
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
principal:
|
||||||
principal:
|
str_replace:
|
||||||
str_replace:
|
template: "ovn_metadata/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||||
template: "ovn_metadata/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
params:
|
||||||
params:
|
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
key_size:
|
||||||
key_size:
|
if:
|
||||||
if:
|
- key_size_override_unset
|
||||||
- key_size_override_unset
|
- {get_param: CertificateKeySize}
|
||||||
- {get_param: CertificateKeySize}
|
- {get_param: OvnMetadataCertificateKeySize}
|
||||||
- {get_param: OvnMetadataCertificateKeySize}
|
ca: ipa
|
||||||
ca: ipa
|
|
||||||
- null
|
|
||||||
host_prep_tasks:
|
host_prep_tasks:
|
||||||
list_concat:
|
list_concat:
|
||||||
- {get_attr: [NeutronLogging, host_prep_tasks]}
|
- {get_attr: [NeutronLogging, host_prep_tasks]}
|
||||||
|
|
|
@ -335,59 +335,57 @@ outputs:
|
||||||
type: node
|
type: node
|
||||||
- null
|
- null
|
||||||
deploy_steps_tasks:
|
deploy_steps_tasks:
|
||||||
if:
|
- name: Certificate generation
|
||||||
- internal_tls_enabled
|
when:
|
||||||
-
|
- step|int == 1
|
||||||
- name: Certificate generation
|
- enable_internal_tls
|
||||||
when: step|int == 1
|
block:
|
||||||
block:
|
- include_role:
|
||||||
- include_role:
|
name: linux-system-roles.certificate
|
||||||
name: linux-system-roles.certificate
|
vars:
|
||||||
vars:
|
certificate_requests:
|
||||||
certificate_requests:
|
- name: rabbitmq
|
||||||
- name: rabbitmq
|
dns:
|
||||||
dns:
|
str_replace:
|
||||||
str_replace:
|
template: "{{fqdn_$NETWORK}}"
|
||||||
template: "{{fqdn_$NETWORK}}"
|
params:
|
||||||
params:
|
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
||||||
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
principal:
|
||||||
principal:
|
str_replace:
|
||||||
str_replace:
|
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||||
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
params:
|
||||||
params:
|
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
||||||
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
run_after: |
|
||||||
run_after: |
|
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
|
||||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
|
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
|
||||||
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
|
service_key="/etc/pki/tls/private/rabbitmq.key"
|
||||||
service_key="/etc/pki/tls/private/rabbitmq.key"
|
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
|
||||||
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
|
# lp#1917868: Do not use podman cp with HA containers as they get
|
||||||
# lp#1917868: Do not use podman cp with HA containers as they get
|
# frozen temporarily and that can make pacemaker operation fail.
|
||||||
# frozen temporarily and that can make pacemaker operation fail.
|
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
|
||||||
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
|
# no need to update the mount point, because pacemaker
|
||||||
# no need to update the mount point, because pacemaker
|
# recreates the container when it's restarted
|
||||||
# recreates the container when it's restarted
|
else
|
||||||
else
|
# Refresh the cert at the mount-point
|
||||||
# Refresh the cert at the mount-point
|
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
|
||||||
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
|
# Refresh the key at the mount-point
|
||||||
# Refresh the key at the mount-point
|
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
|
||||||
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
|
# Copy the new cert from the mount-point to the real path
|
||||||
# Copy the new cert from the mount-point to the real path
|
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
# Copy the new key from the mount-point to the real path
|
||||||
# Copy the new key from the mount-point to the real path
|
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
fi
|
||||||
fi
|
# Set appropriate permissions
|
||||||
# Set appropriate permissions
|
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
|
||||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
|
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
|
||||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
|
# Trigger a pem cache clear in RabbitMQ to read the new certificates
|
||||||
# Trigger a pem cache clear in RabbitMQ to read the new certificates
|
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
|
||||||
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
|
key_size:
|
||||||
key_size:
|
if:
|
||||||
if:
|
- key_size_override_unset
|
||||||
- key_size_override_unset
|
- {get_param: CertificateKeySize}
|
||||||
- {get_param: CertificateKeySize}
|
- {get_param: RabbitmqCertificateKeySize}
|
||||||
- {get_param: RabbitmqCertificateKeySize}
|
ca: ipa
|
||||||
ca: ipa
|
|
||||||
- null
|
|
||||||
host_prep_tasks:
|
host_prep_tasks:
|
||||||
- name: create persistent directories
|
- name: create persistent directories
|
||||||
file:
|
file:
|
||||||
|
|
|
@ -270,59 +270,57 @@ outputs:
|
||||||
type: node
|
type: node
|
||||||
- null
|
- null
|
||||||
deploy_steps_tasks:
|
deploy_steps_tasks:
|
||||||
if:
|
- name: Certificate generation
|
||||||
- internal_tls_enabled
|
when:
|
||||||
-
|
- step|int == 1
|
||||||
- name: Certificate generation
|
- enable_internal_tls
|
||||||
when: step|int == 1
|
block:
|
||||||
block:
|
- include_role:
|
||||||
- include_role:
|
name: linux-system-roles.certificate
|
||||||
name: linux-system-roles.certificate
|
vars:
|
||||||
vars:
|
certificate_requests:
|
||||||
certificate_requests:
|
- name: rabbitmq
|
||||||
- name: rabbitmq
|
dns:
|
||||||
dns:
|
str_replace:
|
||||||
str_replace:
|
template: "{{fqdn_$NETWORK}}"
|
||||||
template: "{{fqdn_$NETWORK}}"
|
params:
|
||||||
params:
|
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
|
||||||
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
|
principal:
|
||||||
principal:
|
str_replace:
|
||||||
str_replace:
|
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||||
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
params:
|
||||||
params:
|
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
|
||||||
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
|
run_after: |
|
||||||
run_after: |
|
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
|
||||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
|
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
|
||||||
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
|
service_key="/etc/pki/tls/private/rabbitmq.key"
|
||||||
service_key="/etc/pki/tls/private/rabbitmq.key"
|
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
|
||||||
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
|
# lp#1917868: Do not use podman cp with HA containers as they get
|
||||||
# lp#1917868: Do not use podman cp with HA containers as they get
|
# frozen temporarily and that can make pacemaker operation fail.
|
||||||
# frozen temporarily and that can make pacemaker operation fail.
|
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
|
||||||
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
|
# no need to update the mount point, because pacemaker
|
||||||
# no need to update the mount point, because pacemaker
|
# recreates the container when it's restarted
|
||||||
# recreates the container when it's restarted
|
else
|
||||||
else
|
# Refresh the cert at the mount-point
|
||||||
# Refresh the cert at the mount-point
|
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
|
||||||
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
|
# Refresh the key at the mount-point
|
||||||
# Refresh the key at the mount-point
|
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
|
||||||
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
|
# Copy the new cert from the mount-point to the real path
|
||||||
# Copy the new cert from the mount-point to the real path
|
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
# Copy the new key from the mount-point to the real path
|
||||||
# Copy the new key from the mount-point to the real path
|
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
fi
|
||||||
fi
|
# Set appropriate permissions
|
||||||
# Set appropriate permissions
|
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
|
||||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
|
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
|
||||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
|
# Trigger a pem cache clear in RabbitMQ to read the new certificates
|
||||||
# Trigger a pem cache clear in RabbitMQ to read the new certificates
|
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
|
||||||
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
|
key_size:
|
||||||
key_size:
|
if:
|
||||||
if:
|
- key_size_override_unset
|
||||||
- key_size_override_unset
|
- {get_param: CertificateKeySize}
|
||||||
- {get_param: CertificateKeySize}
|
- {get_param: RabbitmqMessageCertificateKeySize}
|
||||||
- {get_param: RabbitmqMessageCertificateKeySize}
|
ca: ipa
|
||||||
ca: ipa
|
|
||||||
- null
|
|
||||||
host_prep_tasks:
|
host_prep_tasks:
|
||||||
- name: create persistent directories
|
- name: create persistent directories
|
||||||
file:
|
file:
|
||||||
|
|
|
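Review bot: `enable_internal_tls` is evaluated bare in the new `when:` list, so the "Certificate generation" block now depends on that Ansible variable being defined on every host the task runs on, whereas the old Heat `if: internal_tls_enabled` dropped the task at render time and never touched a runtime variable. If `enable_internal_tls` is not guaranteed by the global vars for all roles, Ansible fails the block with an undefined-variable error instead of skipping it; `- enable_internal_tls | default(false) | bool` keeps the skip semantics explicit and cheap to verify. The same applies to the second rabbitmq hunk that starts at the next `@ -270,59 +270,57 @@` header. The enclosing `outputs:` mapping begins before this hunk, and the `host_prep_tasks` list it ends on continues past it.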
@ -270,59 +270,57 @@ outputs:
|
||||||
type: node
|
type: node
|
||||||
- null
|
- null
|
||||||
deploy_steps_tasks:
|
deploy_steps_tasks:
|
||||||
if:
|
- name: Certificate generation
|
||||||
- internal_tls_enabled
|
when:
|
||||||
-
|
- step|int == 1
|
||||||
- name: Certificate generation
|
- enable_internal_tls
|
||||||
when: step|int == 1
|
block:
|
||||||
block:
|
- include_role:
|
||||||
- include_role:
|
name: linux-system-roles.certificate
|
||||||
name: linux-system-roles.certificate
|
vars:
|
||||||
vars:
|
certificate_requests:
|
||||||
certificate_requests:
|
- name: rabbitmq
|
||||||
- name: rabbitmq
|
dns:
|
||||||
dns:
|
str_replace:
|
||||||
str_replace:
|
template: "{{fqdn_$NETWORK}}"
|
||||||
template: "{{fqdn_$NETWORK}}"
|
params:
|
||||||
params:
|
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
|
||||||
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
|
principal:
|
||||||
principal:
|
str_replace:
|
||||||
str_replace:
|
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||||
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
params:
|
||||||
params:
|
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
|
||||||
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
|
run_after: |
|
||||||
run_after: |
|
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
|
||||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
|
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
|
||||||
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
|
service_key="/etc/pki/tls/private/rabbitmq.key"
|
||||||
service_key="/etc/pki/tls/private/rabbitmq.key"
|
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
|
||||||
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
|
# lp#1917868: Do not use podman cp with HA containers as they get
|
||||||
# lp#1917868: Do not use podman cp with HA containers as they get
|
# frozen temporarily and that can make pacemaker operation fail.
|
||||||
# frozen temporarily and that can make pacemaker operation fail.
|
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
|
||||||
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
|
# no need to update the mount point, because pacemaker
|
||||||
# no need to update the mount point, because pacemaker
|
# recreates the container when it's restarted
|
||||||
# recreates the container when it's restarted
|
else
|
||||||
else
|
# Refresh the cert at the mount-point
|
||||||
# Refresh the cert at the mount-point
|
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
|
||||||
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
|
# Refresh the key at the mount-point
|
||||||
# Refresh the key at the mount-point
|
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
|
||||||
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
|
# Copy the new cert from the mount-point to the real path
|
||||||
# Copy the new cert from the mount-point to the real path
|
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
# Copy the new key from the mount-point to the real path
|
||||||
# Copy the new key from the mount-point to the real path
|
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
fi
|
||||||
fi
|
# Set appropriate permissions
|
||||||
# Set appropriate permissions
|
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
|
||||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
|
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
|
||||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
|
# Trigger a pem cache clear in RabbitMQ to read the new certificates
|
||||||
# Trigger a pem cache clear in RabbitMQ to read the new certificates
|
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
|
||||||
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
|
key_size:
|
||||||
key_size:
|
if:
|
||||||
if:
|
- key_size_override_unset
|
||||||
- key_size_override_unset
|
- {get_param: CertificateKeySize}
|
||||||
- {get_param: CertificateKeySize}
|
- {get_param: RpcCertificateKeySize}
|
||||||
- {get_param: RpcCertificateKeySize}
|
ca: ipa
|
||||||
ca: ipa
|
|
||||||
- null
|
|
||||||
host_prep_tasks:
|
host_prep_tasks:
|
||||||
- name: create persistent directories
|
- name: create persistent directories
|
||||||
file:
|
file:
|
||||||
|
|