Merge "Simplify internal_tls_enabled conditions"

This commit is contained in:
Zuul 2021-04-03 13:20:28 +00:00 committed by Gerrit Code Review
commit 824ec8b5ad
13 changed files with 520 additions and 547 deletions


@ -133,42 +133,40 @@ outputs:
- null - null
upgrade_tasks: [] upgrade_tasks: []
deploy_steps_tasks: deploy_steps_tasks:
if: - name: Certificate generation
- internal_tls_enabled when:
- - step|int == 1
- name: Certificate generation - enable_internal_tls
when: step|int == 1 block:
block: - name: Create dirs for certificates and keys
- name: Create dirs for certificates and keys file:
file: path: "{{ item }}"
path: "{{ item }}" state: directory
state: directory serole: object_r
serole: object_r setype: cert_t
setype: cert_t seuser: system_u
seuser: system_u with_items:
with_items: - '/etc/pki/tls/certs/httpd'
- '/etc/pki/tls/certs/httpd' - '/etc/pki/tls/private/httpd'
- '/etc/pki/tls/private/httpd' - include_role:
- include_role: name: linux-system-roles.certificate
name: linux-system-roles.certificate vars:
vars: certificate_requests:
certificate_requests: repeat:
repeat: template:
template: name: httpd-NETWORK
name: httpd-NETWORK dns: "{{fqdn_NETWORK}}"
dns: "{{fqdn_NETWORK}}" principal: "HTTP/{{fqdn_NETWORK}}@{{idm_realm}}"
principal: "HTTP/{{fqdn_NETWORK}}@{{idm_realm}}" run_after: |
run_after: | cp /etc/pki/tls/certs/httpd-NETWORK.crt /etc/pki/tls/certs/httpd/httpd-NETWORK.crt
cp /etc/pki/tls/certs/httpd-NETWORK.crt /etc/pki/tls/certs/httpd/httpd-NETWORK.crt cp /etc/pki/tls/private/httpd-NETWORK.key /etc/pki/tls/private/httpd/httpd-NETWORK.key
cp /etc/pki/tls/private/httpd-NETWORK.key /etc/pki/tls/private/httpd/httpd-NETWORK.key pkill -USR1 httpd
pkill -USR1 httpd key_size:
key_size: if:
if: - key_size_override_unset
- key_size_override_unset - {get_param: CertificateKeySize}
- {get_param: CertificateKeySize} - {get_param: ApacheCertificateKeySize}
- {get_param: ApacheCertificateKeySize} ca: ipa
ca: ipa for_each:
for_each: NETWORK: {get_attr: [ApacheNetworks, value]}
NETWORK: {get_attr: [ApacheNetworks, value]}
- null
{%- endraw %} {%- endraw %}
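Review bot: The new `when` list tests `enable_internal_tls` as a bare Ansible variable, so on a host where that variable is not defined the task fails with an undefined-variable error instead of being skipped, and a string value such as `"false"` is not guaranteed to be coerced; the defensive form is `- enable_internal_tls | default(false) | bool`. The same bare test is repeated in every certificate task of this change, so it is worth settling once. Separately, the `file` task creates `/etc/pki/tls/private/httpd` with SELinux attributes only and no `mode` or `owner`, so the directory that receives the private keys gets umask-default permissions; an explicit `mode: '0700'` (or whatever httpd's key loading needs, to be confirmed) states the intent rather than relying on the default. The `deploy_steps_tasks` output this hunk belongs to starts before the hunk.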


@ -161,38 +161,36 @@ outputs:
type: node type: node
- null - null
deploy_steps_tasks: deploy_steps_tasks:
if: - name: Certificate generation
- internal_tls_enabled when:
- - step|int == 1
- name: Certificate generation - enable_internal_tls
when: step|int == 1 block:
block: - include_role:
- include_role: name: linux-system-roles.certificate
name: linux-system-roles.certificate vars:
vars: certificate_requests:
certificate_requests: - name: ceph_grafana
- name: ceph_grafana dns:
dns: str_replace:
str_replace: template: "{{fqdn_$NETWORK}}"
template: "{{fqdn_$NETWORK}}" params:
params: $NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
$NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]} principal:
principal: str_replace:
str_replace: template: "ceph_grafana/{{fqdn_$NETWORK}}@{{idm_realm}}"
template: "ceph_grafana/{{fqdn_$NETWORK}}@{{idm_realm}}" params:
params: $NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
$NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]} run_after: |
run_after: | # Get grafana systemd unit
# Get grafana systemd unit grafana_unit=$(systemctl list-unit-files | awk '/grafana/ {print $1}')
grafana_unit=$(systemctl list-unit-files | awk '/grafana/ {print $1}') # Restart the grafana systemd unit
# Restart the grafana systemd unit if [ -z "$grafana_unit" ]; then
if [ -z "$grafana_unit" ]; then systemctl restart "$grafana_unit"
systemctl restart "$grafana_unit" fi
fi key_size:
key_size: if:
if: - key_size_override_unset
- key_size_override_unset - {get_param: CertificateKeySize}
- {get_param: CertificateKeySize} - {get_param: GrafanaCertificateKeySize}
- {get_param: GrafanaCertificateKeySize} ca: ipa
ca: ipa
- null
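Review bot: The restart guard in `run_after` is inverted: `if [ -z "$grafana_unit" ]` only enters the branch when no unit was found, so a real grafana unit is never restarted after renewal and `systemctl restart ""` is attempted when nothing matched. The ceph_rgw template in this same change uses `-n`, which is the intended test; it should read `if [ -n "$grafana_unit" ]; then`. The commit only moves the `when` condition and does not touch this line, so the defect survives on the new side.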


@ -174,43 +174,41 @@ outputs:
type: node type: node
- null - null
deploy_steps_tasks: deploy_steps_tasks:
if: - name: Certificate generation
- internal_tls_enabled when:
- - step|int == 1
- name: Certificate generation - enable_internal_tls
when: step|int == 1 block:
block: - include_role:
- include_role: name: linux-system-roles.certificate
name: linux-system-roles.certificate vars:
vars: certificate_requests:
certificate_requests: - name: ceph_rgw
- name: ceph_rgw dns:
dns: str_replace:
str_replace: template: "{{fqdn_$NETWORK}}"
template: "{{fqdn_$NETWORK}}" params:
params: $NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
$NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]} principal:
principal: str_replace:
str_replace: template: "ceph_rgw/{{fqdn_$NETWORK}}@{{idm_realm}}"
template: "ceph_rgw/{{fqdn_$NETWORK}}@{{idm_realm}}" params:
params: $NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
$NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]} run_after: |
run_after: | # Create PEM file
# Create PEM file pemfile=/etc/pki/tls/certs/ceph_rgw.pem
pemfile=/etc/pki/tls/certs/ceph_rgw.pem cat /etc/pki/tls/certs/ceph_rgw.crt /etc/ipa/ca.crt /etc/pki/tls/private/ceph_rgw.key > $pemfile
cat /etc/pki/tls/certs/ceph_rgw.crt /etc/ipa/ca.crt /etc/pki/tls/private/ceph_rgw.key > $pemfile chmod 0640 $pemfile
chmod 0640 $pemfile chown 472:472 $pemfile
chown 472:472 $pemfile # Get ceph rgw systemd unit
# Get ceph rgw systemd unit rgw_unit=$(systemctl list-unit-files | awk '/radosgw/ {print $1}')
rgw_unit=$(systemctl list-unit-files | awk '/radosgw/ {print $1}') # Restart the rgw systemd unit
# Restart the rgw systemd unit if [ -n "$rgw_unit" ]; then
if [ -n "$rgw_unit" ]; then systemctl restart "$rgw_unit"
systemctl restart "$rgw_unit" fi
fi key_size:
key_size: if:
if: - key_size_override_unset
- key_size_override_unset - {get_param: CertificateKeySize}
- {get_param: CertificateKeySize} - {get_param: CephRgwCertificateKeySize}
- {get_param: CephRgwCertificateKeySize} ca: ipa
ca: ipa
- null
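Review bot: The shell redirect in `run_after` creates `ceph_rgw.pem`, which embeds the private key, with the process's umask-default mode before `chmod 0640` runs, so the key is briefly readable by anyone on the host; creating it under a restrictive umask closes that window, e.g. `( umask 077; cat /etc/pki/tls/certs/ceph_rgw.crt /etc/ipa/ca.crt /etc/pki/tls/private/ceph_rgw.key > "$pemfile" )` followed by the existing chmod/chown. Note also that the combined file lands in `/etc/pki/tls/certs/`, a directory conventionally holding public material, and is handed to a hard-coded `472:472`; a comment naming which in-container user that uid corresponds to would help the next maintainer. The hunk's `deploy_steps_tasks` output starts before the hunk.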


@ -174,35 +174,33 @@ outputs:
type: node type: node
- null - null
deploy_steps_tasks: deploy_steps_tasks:
if: - name: Certificate generation
- internal_tls_enabled when:
- - step|int == 1
- name: Certificate generation - enable_internal_tls
when: step|int == 1 block:
block: - include_role:
- include_role: name: linux-system-roles.certificate
name: linux-system-roles.certificate vars:
vars: certificate_requests:
certificate_requests: - name: mysql
- name: mysql dns:
dns: - str_replace:
- str_replace: template: "{{fqdn_$NETWORK}}"
template: "{{fqdn_$NETWORK}}" params:
params: $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} - str_replace:
- str_replace: template: "{{cloud_names.cloud_name_NETWORK}}"
template: "{{cloud_names.cloud_name_NETWORK}}" params:
params: NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} principal:
principal: str_replace:
str_replace: template: "mysql/{{fqdn_$NETWORK}}@{{idm_realm}}"
template: "mysql/{{fqdn_$NETWORK}}@{{idm_realm}}" params:
params: $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} key_size:
key_size: if:
if: - key_size_override_unset
- key_size_override_unset - {get_param: CertificateKeySize}
- {get_param: CertificateKeySize} - {get_param: MysqlCertificateKeySize}
- {get_param: MysqlCertificateKeySize} ca: ipa
ca: ipa
- null


@ -196,51 +196,49 @@ outputs:
type: node type: node
- null - null
deploy_steps_tasks: deploy_steps_tasks:
if: - name: Certificate generation
- internal_tls_enabled when:
- - step|int == 1
- name: Certificate generation - enable_internal_tls
when: step|int == 1 block:
block: - include_role:
- include_role: name: linux-system-roles.certificate
name: linux-system-roles.certificate vars:
vars: certificate_requests:
certificate_requests: - name: redis
- name: redis dns:
dns: - str_replace:
- str_replace: template: "{{fqdn_$NETWORK}}"
template: "{{fqdn_$NETWORK}}" params:
params: $NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
$NETWORK: {get_param: [ServiceNetMap, RedisNetwork]} - str_replace:
- str_replace: template: "{{cloud_names.cloud_name_NETWORK}}"
template: "{{cloud_names.cloud_name_NETWORK}}" params:
params: NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
NETWORK: {get_param: [ServiceNetMap, RedisNetwork]} principal:
principal: str_replace:
str_replace: template: "redis/{{fqdn_$NETWORK}}@{{idm_realm}}"
template: "redis/{{fqdn_$NETWORK}}@{{idm_realm}}" params:
params: $NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
$NETWORK: {get_param: [ServiceNetMap, RedisNetwork]} run_after: |
run_after: | container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep redis_tls_proxy)
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep redis_tls_proxy) service_crt="/etc/pki/tls/certs/redis.crt"
service_crt="/etc/pki/tls/certs/redis.crt" service_key="/etc/pki/tls/private/redis.key"
service_key="/etc/pki/tls/private/redis.key" # Copy the new cert from the mount-point to the real path
# Copy the new cert from the mount-point to the real path {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt" # Copy the new cert from the mount-point to the real path
# Copy the new cert from the mount-point to the real path {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key" # Set appropriate permissions
# Set appropriate permissions {{container_cli}} exec "$container_name" chown memcached:memcached "$service_crt"
{{container_cli}} exec "$container_name" chown memcached:memcached "$service_crt" {{container_cli}} exec "$container_name" chown memcached:memcached "$service_key"
{{container_cli}} exec "$container_name" chown memcached:memcached "$service_key" # Trigger a reload for stunnel to read the new certificate
# Trigger a reload for stunnel to read the new certificate {{container_cli}} exec pkill -o -HUP stunnel
{{container_cli}} exec pkill -o -HUP stunnel key_size:
key_size: if:
if: - key_size_override_unset
- key_size_override_unset - {get_param: CertificateKeySize}
- {get_param: CertificateKeySize} - {get_param: RedisCertificateKeySize}
- {get_param: RedisCertificateKeySize} ca: ipa
ca: ipa
- null
host_prep_tasks: host_prep_tasks:
- name: create persistent directories - name: create persistent directories
file: file:
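Review bot: The reload line at the end of `run_after`, `{{container_cli}} exec pkill -o -HUP stunnel`, is missing the container argument, so the CLI treats `pkill` as the container name and stunnel is never signalled after a renewal; it should be `{{container_cli}} exec "$container_name" pkill -o -HUP stunnel`, matching the other exec calls in the block. The `chown memcached:memcached` on the redis cert and key also looks carried over from the memcached template; confirm it matches the user stunnel runs as inside `redis_tls_proxy`. Neither line is changed by this commit, which only rewrites the `when` condition.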


@ -327,59 +327,57 @@ outputs:
environment: environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
deploy_steps_tasks: deploy_steps_tasks:
if: - name: Certificate generation
- internal_tls_enabled when:
- - step|int == 1
- name: Certificate generation - enable_internal_tls
when: step|int == 1 block:
block: - include_role:
- include_role: name: linux-system-roles.certificate
name: linux-system-roles.certificate vars:
vars: certificate_requests:
certificate_requests: - name: metrics_qdr
- name: metrics_qdr dns:
dns: str_replace:
str_replace: template: "{{fqdn_NETWORK}}"
template: "{{fqdn_NETWORK}}" params:
params: NETWORK:
NETWORK: get_param:
get_param: - ServiceNetMap
- ServiceNetMap - str_replace:
- str_replace: template: "ROLENAMEMetricsQdrNetwork"
template: "ROLENAMEMetricsQdrNetwork" params:
params: ROLENAME: {get_param: RoleName}
ROLENAME: {get_param: RoleName} principal:
principal: str_replace:
str_replace: template: "metrics_qdr/{{fqdn_NETWORK}}@{{idm_realm}}"
template: "metrics_qdr/{{fqdn_NETWORK}}@{{idm_realm}}" params:
params: NETWORK:
NETWORK: get_param:
get_param: - ServiceNetMap
- ServiceNetMap - str_replace:
- str_replace: template: "ROLENAMEMetricsQdrNetwork"
template: "ROLENAMEMetricsQdrNetwork" params:
params: ROLENAME: {get_param: RoleName}
ROLENAME: {get_param: RoleName} run_after: |
run_after: | container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep metrics_qdr)
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep metrics_qdr) service_crt="/etc/pki/tls/certs/metrics_qdr.crt"
service_crt="/etc/pki/tls/certs/metrics_qdr.crt" service_key="/etc/pki/tls/private/metrics_qdr.key
service_key="/etc/pki/tls/private/metrics_qdr.key # Copy the new cert from the mount-point to the real path
# Copy the new cert from the mount-point to the real path {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt" # Copy the new key from the mount-point to the real path
# Copy the new key from the mount-point to the real path {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key" # Set appropriate permissions
# Set appropriate permissions {{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_crt"
{{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_crt" {{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_key"
{{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_key" # Trigger a container restart to read the new certificate
# Trigger a container restart to read the new certificate {{container_cli}} restart "$container_name"
{{container_cli}} restart "$container_name" key_size:
key_size: if:
if: - key_size_override_unset
- key_size_override_unset - {get_param: CertificateKeySize}
- {get_param: CertificateKeySize} - {get_param: QdrCertificateKeySize}
- {get_param: QdrCertificateKeySize} ca: ipa
ca: ipa
- null
host_prep_tasks: host_prep_tasks:
- name: create persistent logs directory - name: create persistent logs directory
file: file:
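Review bot: `service_key="/etc/pki/tls/private/metrics_qdr.key` in `run_after` has no closing double quote, so the shell string runs on into the following comment and `exec` line and the remaining copy/chown/restart commands are mis-tokenised rather than executed as written. The fix is the one character: `service_key="/etc/pki/tls/private/metrics_qdr.key"`. This line is unchanged by the commit, so the breakage is present on both sides of the hunk.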


@ -376,47 +376,45 @@ outputs:
type: node type: node
- null - null
deploy_steps_tasks: deploy_steps_tasks:
if: - name: Certificate generation
- internal_tls_enabled when:
- - step|int == 1
- name: Certificate generation - enable_internal_tls
when: step|int == 1 block:
block: - include_role:
- include_role: name: linux-system-roles.certificate
name: linux-system-roles.certificate vars:
vars: certificate_requests:
certificate_requests: - name: neutron
- name: neutron dns:
dns: str_replace:
str_replace: template: "{{fqdn_$NETWORK}}"
template: "{{fqdn_$NETWORK}}" params:
params: $NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]} principal:
principal: str_replace:
str_replace: template: "neutron/{{fqdn_$NETWORK}}@{{idm_realm}}"
template: "neutron/{{fqdn_$NETWORK}}@{{idm_realm}}" params:
params: $NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]} run_after: |
run_after: | container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep neutron_dhcp)
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep neutron_dhcp) # The certificate is also installed on the computes, but neutron_dhcp is only
# The certificate is also installed on the computes, but neutron_dhcp is only # present on the controllers, so we exit if the container could not be found.
# present on the controllers, so we exit if the container could not be found. [[ -z $container_name ]] && exit 0
[[ -z $container_name ]] && exit 0
service_crt="/etc/pki/tls/certs/neutron.crt" service_crt="/etc/pki/tls/certs/neutron.crt"
service_key="/etc/pki/tls/private/neutron.key" service_key="/etc/pki/tls/private/neutron.key"
# Copy the new cert from the mount-point to the real path # Copy the new cert from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt" {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
# Copy the new key from the mount-point to the real path # Copy the new key from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key "$service_key" {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key "$service_key"
# No need to trigger a reload for neutron dhcpd since the cert is not cached # No need to trigger a reload for neutron dhcpd since the cert is not cached
key_size: key_size:
if: if:
- key_size_override_unset - key_size_override_unset
- {get_param: CertificateKeySize} - {get_param: CertificateKeySize}
- {get_param: NeutronDhcpCertificateKeySize} - {get_param: NeutronDhcpCertificateKeySize}
ca: ipa ca: ipa
- null
host_prep_tasks: host_prep_tasks:
list_concat: list_concat:
- {get_attr: [NeutronLogging, host_prep_tasks]} - {get_attr: [NeutronLogging, host_prep_tasks]}
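Review bot: The key-copy line in `run_after`, `cp "/var/lib/kolla/config_files/src-tls$service_key "$service_key"`, is missing the closing quote after `$service_key`, so the first argument ends with a trailing space and an unterminated quote opens before the destination; the new key is not copied into the neutron_dhcp container as intended. It should read `{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"`, as the cert line two lines above does. This is a context line the commit leaves untouched; the `host_prep_tasks` output that follows continues past the hunk.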


@ -303,34 +303,32 @@ outputs:
environment: environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
deploy_steps_tasks: deploy_steps_tasks:
if: - name: Certificate generation
- internal_tls_enabled when:
- - step|int == 1
- name: Certificate generation - enable_internal_tls
when: step|int == 1 block:
block: - include_role:
- include_role: name: linux-system-roles.certificate
name: linux-system-roles.certificate vars:
vars: certificate_requests:
certificate_requests: - name: ovn_controller
- name: ovn_controller dns:
dns: str_replace:
str_replace: template: "{{fqdn_$NETWORK}}"
template: "{{fqdn_$NETWORK}}" params:
params: $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} principal:
principal: str_replace:
str_replace: template: "ovn_controller/{{fqdn_$NETWORK}}@{{idm_realm}}"
template: "ovn_controller/{{fqdn_$NETWORK}}@{{idm_realm}}" params:
params: $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} key_size:
key_size: if:
if: - key_size_override_unset
- key_size_override_unset - {get_param: CertificateKeySize}
- {get_param: CertificateKeySize} - {get_param: ContainerOvnCertificateKeySize}
- {get_param: ContainerOvnCertificateKeySize} ca: ipa
ca: ipa
- null
host_prep_tasks: host_prep_tasks:
- name: create persistent directories - name: create persistent directories
file: file:


@ -228,57 +228,54 @@ outputs:
- { 'path': /var/log/containers/openvswitch, 'setype': container_file_t, 'mode': '0750' } - { 'path': /var/log/containers/openvswitch, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/openvswitch/ovn, 'setype': container_file_t } - { 'path': /var/lib/openvswitch/ovn, 'setype': container_file_t }
deploy_steps_tasks: deploy_steps_tasks:
list_concat: - name: OVN DBS tag container image for pacemaker
- - name: OVN DBS tag container image for pacemaker when: step|int == 1
when: step|int == 1 import_role:
name: tripleo_container_tag
vars:
container_image: {get_param: ContainerOvnDbsImage}
container_image_latest: *ovn_dbs_image_pcmklatest
- name: OVNDbs HA Wrappers Step
when: step|int == 3
block: &ovn_dbs_puppet_bundle
- name: Ovn dbs puppet bundle
import_role: import_role:
name: tripleo_container_tag name: tripleo_ha_wrapper
vars: vars:
container_image: {get_param: ContainerOvnDbsImage} tripleo_ha_wrapper_service_name: ovn_dbs
container_image_latest: *ovn_dbs_image_pcmklatest tripleo_ha_wrapper_resource_name: ovndbs_servers
- name: OVNDbs HA Wrappers Step tripleo_ha_wrapper_bundle_name: ovn-dbs-bundle
when: step|int == 3 tripleo_ha_wrapper_resource_state: Slave Master
block: &ovn_dbs_puppet_bundle tripleo_ha_wrapper_puppet_config_volume: ovn_dbs
- name: Ovn dbs puppet bundle tripleo_ha_wrapper_puppet_execute: 'include ::tripleo::profile::base::pacemaker; include ::tripleo::profile::pacemaker::ovn_dbs_bundle'
import_role: tripleo_ha_wrapper_puppet_tags: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
name: tripleo_ha_wrapper tripleo_ha_wrapper_puppet_debug: {get_param: ConfigDebug}
vars: - name: Certificate generation
tripleo_ha_wrapper_service_name: ovn_dbs when:
tripleo_ha_wrapper_resource_name: ovndbs_servers - step|int == 1
tripleo_ha_wrapper_bundle_name: ovn-dbs-bundle - enable_internal_tls
tripleo_ha_wrapper_resource_state: Slave Master block:
tripleo_ha_wrapper_puppet_config_volume: ovn_dbs - include_role:
tripleo_ha_wrapper_puppet_execute: 'include ::tripleo::profile::base::pacemaker; include ::tripleo::profile::pacemaker::ovn_dbs_bundle' name: linux-system-roles.certificate
tripleo_ha_wrapper_puppet_tags: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation' vars:
tripleo_ha_wrapper_puppet_debug: {get_param: ConfigDebug} certificate_requests:
- if: - name: ovn_dbs
- internal_tls_enabled dns:
- str_replace:
- name: Certificate generation template: "{{fqdn_$NETWORK}}"
when: step|int == 1 params:
block: $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
- include_role: principal:
name: linux-system-roles.certificate str_replace:
vars: template: "ovn_dbs/{{fqdn_$NETWORK}}@{{idm_realm}}"
certificate_requests: params:
- name: ovn_dbs $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
dns: key_size:
str_replace: if:
template: "{{fqdn_$NETWORK}}" - key_size_override_unset
params: - {get_param: CertificateKeySize}
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} - {get_param: OvnDBSCertificateKeySize}
principal: ca: ipa
str_replace:
template: "ovn_dbs/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: OvnDBSCertificateKeySize}
ca: ipa
- []
update_tasks: update_tasks:
- name: Tear-down non-HA ovn-dbs containers - name: Tear-down non-HA ovn-dbs containers
when: when:


@ -329,34 +329,32 @@ outputs:
type: node type: node
- null - null
deploy_steps_tasks: deploy_steps_tasks:
if: - name: Certificate generation
- internal_tls_enabled when:
- - step|int == 1
- name: Certificate generation - enable_internal_tls
when: step|int == 1 block:
block: - include_role:
- include_role: name: linux-system-roles.certificate
name: linux-system-roles.certificate vars:
vars: certificate_requests:
certificate_requests: - name: ovn_metadata
- name: ovn_metadata dns:
dns: str_replace:
str_replace: template: "{{fqdn_$NETWORK}}"
template: "{{fqdn_$NETWORK}}" params:
params: $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} principal:
principal: str_replace:
str_replace: template: "ovn_metadata/{{fqdn_$NETWORK}}@{{idm_realm}}"
template: "ovn_metadata/{{fqdn_$NETWORK}}@{{idm_realm}}" params:
params: $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} key_size:
key_size: if:
if: - key_size_override_unset
- key_size_override_unset - {get_param: CertificateKeySize}
- {get_param: CertificateKeySize} - {get_param: OvnMetadataCertificateKeySize}
- {get_param: OvnMetadataCertificateKeySize} ca: ipa
ca: ipa
- null
host_prep_tasks: host_prep_tasks:
list_concat: list_concat:
- {get_attr: [NeutronLogging, host_prep_tasks]} - {get_attr: [NeutronLogging, host_prep_tasks]}


@ -335,59 +335,57 @@ outputs:
type: node type: node
- null - null
deploy_steps_tasks: deploy_steps_tasks:
if: - name: Certificate generation
- internal_tls_enabled when:
- - step|int == 1
- name: Certificate generation - enable_internal_tls
when: step|int == 1 block:
block: - include_role:
- include_role: name: linux-system-roles.certificate
name: linux-system-roles.certificate vars:
vars: certificate_requests:
certificate_requests: - name: rabbitmq
- name: rabbitmq dns:
dns: str_replace:
str_replace: template: "{{fqdn_$NETWORK}}"
template: "{{fqdn_$NETWORK}}" params:
params: $NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} principal:
principal: str_replace:
str_replace: template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}" params:
params: $NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} run_after: |
run_after: | container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?') service_crt="/etc/pki/tls/certs/rabbitmq.crt"
service_crt="/etc/pki/tls/certs/rabbitmq.crt" service_key="/etc/pki/tls/private/rabbitmq.key"
service_key="/etc/pki/tls/private/rabbitmq.key" if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then # lp#1917868: Do not use podman cp with HA containers as they get
# lp#1917868: Do not use podman cp with HA containers as they get # frozen temporarily and that can make pacemaker operation fail.
# frozen temporarily and that can make pacemaker operation fail. tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv # no need to update the mount point, because pacemaker
# no need to update the mount point, because pacemaker # recreates the container when it's restarted
# recreates the container when it's restarted else
else # Refresh the cert at the mount-point
# Refresh the cert at the mount-point {{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt" # Refresh the key at the mount-point
# Refresh the key at the mount-point {{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key" # Copy the new cert from the mount-point to the real path
# Copy the new cert from the mount-point to the real path {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt" # Copy the new key from the mount-point to the real path
# Copy the new key from the mount-point to the real path {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key" fi
fi # Set appropriate permissions
# Set appropriate permissions {{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt" {{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key" # Trigger a pem cache clear in RabbitMQ to read the new certificates
# Trigger a pem cache clear in RabbitMQ to read the new certificates {{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()." key_size:
key_size: if:
if: - key_size_override_unset
- key_size_override_unset - {get_param: CertificateKeySize}
- {get_param: CertificateKeySize} - {get_param: RabbitmqCertificateKeySize}
- {get_param: RabbitmqCertificateKeySize} ca: ipa
ca: ipa
- null
host_prep_tasks: host_prep_tasks:
- name: create persistent directories - name: create persistent directories
file: file:


@ -270,59 +270,57 @@ outputs:
type: node type: node
- null - null
deploy_steps_tasks: deploy_steps_tasks:
if: - name: Certificate generation
- internal_tls_enabled when:
- - step|int == 1
- name: Certificate generation - enable_internal_tls
when: step|int == 1 block:
block: - include_role:
- include_role: name: linux-system-roles.certificate
name: linux-system-roles.certificate vars:
vars: certificate_requests:
certificate_requests: - name: rabbitmq
- name: rabbitmq dns:
dns: str_replace:
str_replace: template: "{{fqdn_$NETWORK}}"
template: "{{fqdn_$NETWORK}}" params:
params: $NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]} principal:
principal: str_replace:
str_replace: template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}" params:
params: $NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]} run_after: |
run_after: | container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?') service_crt="/etc/pki/tls/certs/rabbitmq.crt"
service_crt="/etc/pki/tls/certs/rabbitmq.crt" service_key="/etc/pki/tls/private/rabbitmq.key"
service_key="/etc/pki/tls/private/rabbitmq.key" if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then # lp#1917868: Do not use podman cp with HA containers as they get
# lp#1917868: Do not use podman cp with HA containers as they get # frozen temporarily and that can make pacemaker operation fail.
# frozen temporarily and that can make pacemaker operation fail. tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv # no need to update the mount point, because pacemaker
# no need to update the mount point, because pacemaker # recreates the container when it's restarted
# recreates the container when it's restarted else
else # Refresh the cert at the mount-point
# Refresh the cert at the mount-point {{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt" # Refresh the key at the mount-point
# Refresh the key at the mount-point {{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key" # Copy the new cert from the mount-point to the real path
# Copy the new cert from the mount-point to the real path {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt" # Copy the new key from the mount-point to the real path
# Copy the new key from the mount-point to the real path {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key" fi
fi # Set appropriate permissions
# Set appropriate permissions {{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt" {{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key" # Trigger a pem cache clear in RabbitMQ to read the new certificates
# Trigger a pem cache clear in RabbitMQ to read the new certificates {{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()." key_size:
key_size: if:
if: - key_size_override_unset
- key_size_override_unset - {get_param: CertificateKeySize}
- {get_param: CertificateKeySize} - {get_param: RabbitmqMessageCertificateKeySize}
- {get_param: RabbitmqMessageCertificateKeySize} ca: ipa
ca: ipa
- null
host_prep_tasks: host_prep_tasks:
- name: create persistent directories - name: create persistent directories
file: file:


@ -270,59 +270,57 @@ outputs:
type: node type: node
- null - null
deploy_steps_tasks: deploy_steps_tasks:
if: - name: Certificate generation
- internal_tls_enabled when:
- - step|int == 1
- name: Certificate generation - enable_internal_tls
when: step|int == 1 block:
block: - include_role:
- include_role: name: linux-system-roles.certificate
name: linux-system-roles.certificate vars:
vars: certificate_requests:
certificate_requests: - name: rabbitmq
- name: rabbitmq dns:
dns: str_replace:
str_replace: template: "{{fqdn_$NETWORK}}"
template: "{{fqdn_$NETWORK}}" params:
params: $NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]} principal:
principal: str_replace:
str_replace: template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}" params:
params: $NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]} run_after: |
run_after: | container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?') service_crt="/etc/pki/tls/certs/rabbitmq.crt"
service_crt="/etc/pki/tls/certs/rabbitmq.crt" service_key="/etc/pki/tls/private/rabbitmq.key"
service_key="/etc/pki/tls/private/rabbitmq.key" if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then # lp#1917868: Do not use podman cp with HA containers as they get
# lp#1917868: Do not use podman cp with HA containers as they get # frozen temporarily and that can make pacemaker operation fail.
# frozen temporarily and that can make pacemaker operation fail. tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv # no need to update the mount point, because pacemaker
# no need to update the mount point, because pacemaker # recreates the container when it's restarted
# recreates the container when it's restarted else
else # Refresh the cert at the mount-point
# Refresh the cert at the mount-point {{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt" # Refresh the key at the mount-point
# Refresh the key at the mount-point {{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key" # Copy the new cert from the mount-point to the real path
# Copy the new cert from the mount-point to the real path {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt" # Copy the new key from the mount-point to the real path
# Copy the new key from the mount-point to the real path {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key" fi
fi # Set appropriate permissions
# Set appropriate permissions {{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt" {{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key" # Trigger a pem cache clear in RabbitMQ to read the new certificates
# Trigger a pem cache clear in RabbitMQ to read the new certificates {{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()." key_size:
key_size: if:
if: - key_size_override_unset
- key_size_override_unset - {get_param: CertificateKeySize}
- {get_param: CertificateKeySize} - {get_param: RpcCertificateKeySize}
- {get_param: RpcCertificateKeySize} ca: ipa
ca: ipa
- null
host_prep_tasks: host_prep_tasks:
- name: create persistent directories - name: create persistent directories
file: file:
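Review bot: `container_name` at the top of the rebuilt `run_after` hook is never validated, so if the `ps | grep` pipeline matches nothing (or more than one container) the following `cp`/`exec` calls run against an empty or multi-line name and the renewed certificate silently never reaches RabbitMQ. A guard right after the assignment, e.g. `[ -n "$container_name" ] || { echo "rabbitmq container not found" >&2; exit 1; }`, would surface a broken renewal instead of masking it. The hook also only `chown`s the key inside the container; the resulting mode is whatever `tar`/`cp` produced, so an explicit `{{container_cli}} exec -u root "$container_name" chmod 0600 "$service_key"` after the chown would make the private-key permissions independent of the source file. This hook text appears unchanged from the pre-patch version apart from the indentation shift, so these are pre-existing gaps rather than regressions introduced here.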