Merge "Simplify internal_tls_enabled conditions"
commit
824ec8b5ad
|
@ -133,42 +133,40 @@ outputs:
|
|||
- null
|
||||
upgrade_tasks: []
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- name: Create dirs for certificates and keys
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
serole: object_r
|
||||
setype: cert_t
|
||||
seuser: system_u
|
||||
with_items:
|
||||
- '/etc/pki/tls/certs/httpd'
|
||||
- '/etc/pki/tls/private/httpd'
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
repeat:
|
||||
template:
|
||||
name: httpd-NETWORK
|
||||
dns: "{{fqdn_NETWORK}}"
|
||||
principal: "HTTP/{{fqdn_NETWORK}}@{{idm_realm}}"
|
||||
run_after: |
|
||||
cp /etc/pki/tls/certs/httpd-NETWORK.crt /etc/pki/tls/certs/httpd/httpd-NETWORK.crt
|
||||
cp /etc/pki/tls/private/httpd-NETWORK.key /etc/pki/tls/private/httpd/httpd-NETWORK.key
|
||||
pkill -USR1 httpd
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: ApacheCertificateKeySize}
|
||||
ca: ipa
|
||||
for_each:
|
||||
NETWORK: {get_attr: [ApacheNetworks, value]}
|
||||
- null
|
||||
- name: Certificate generation
|
||||
when:
|
||||
- step|int == 1
|
||||
- enable_internal_tls
|
||||
block:
|
||||
- name: Create dirs for certificates and keys
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
serole: object_r
|
||||
setype: cert_t
|
||||
seuser: system_u
|
||||
with_items:
|
||||
- '/etc/pki/tls/certs/httpd'
|
||||
- '/etc/pki/tls/private/httpd'
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
repeat:
|
||||
template:
|
||||
name: httpd-NETWORK
|
||||
dns: "{{fqdn_NETWORK}}"
|
||||
principal: "HTTP/{{fqdn_NETWORK}}@{{idm_realm}}"
|
||||
run_after: |
|
||||
cp /etc/pki/tls/certs/httpd-NETWORK.crt /etc/pki/tls/certs/httpd/httpd-NETWORK.crt
|
||||
cp /etc/pki/tls/private/httpd-NETWORK.key /etc/pki/tls/private/httpd/httpd-NETWORK.key
|
||||
pkill -USR1 httpd
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: ApacheCertificateKeySize}
|
||||
ca: ipa
|
||||
for_each:
|
||||
NETWORK: {get_attr: [ApacheNetworks, value]}
|
||||
{%- endraw %}
|
||||
|
|
|
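Review bot: The new `when:` entry `- enable_internal_tls` moves the TLS gate from a Heat condition resolved at template time to an Ansible variable resolved on each host at run time, and Ansible fails a task whose `when` references an undefined variable instead of skipping it. I cannot see from this page where `enable_internal_tls` is set, so if it is not guaranteed for every role that includes this service the task errors there rather than being skipped; `- enable_internal_tls | default(false) | bool` preserves the old skip behaviour, and a comment such as `# enable_internal_tls is derived from the Heat condition by <deploy playbook — confirm location>` would document the dependency. This applies to every other file section in this commit as well. Separately, the `file:` task creating `/etc/pki/tls/private/httpd` sets SELinux labels but no `mode:`, so the key directory's permissions depend on the umask; an explicit `mode:` would pin them.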
@ -161,38 +161,36 @@ outputs:
|
|||
type: node
|
||||
- null
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: ceph_grafana
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ceph_grafana/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
|
||||
run_after: |
|
||||
# Get grafana systemd unit
|
||||
grafana_unit=$(systemctl list-unit-files | awk '/grafana/ {print $1}')
|
||||
# Restart the grafana systemd unit
|
||||
if [ -z "$grafana_unit" ]; then
|
||||
systemctl restart "$grafana_unit"
|
||||
fi
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: GrafanaCertificateKeySize}
|
||||
ca: ipa
|
||||
- null
|
||||
- name: Certificate generation
|
||||
when:
|
||||
- step|int == 1
|
||||
- enable_internal_tls
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: ceph_grafana
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ceph_grafana/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
|
||||
run_after: |
|
||||
# Get grafana systemd unit
|
||||
grafana_unit=$(systemctl list-unit-files | awk '/grafana/ {print $1}')
|
||||
# Restart the grafana systemd unit
|
||||
if [ -z "$grafana_unit" ]; then
|
||||
systemctl restart "$grafana_unit"
|
||||
fi
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: GrafanaCertificateKeySize}
|
||||
ca: ipa
|
||||
|
|
|
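Review bot: The restart guard in `run_after` is inverted: `if [ -z "$grafana_unit" ]; then` restarts only when no unit was found, so when a grafana unit exists it is never restarted and keeps serving the old certificate, while an empty name would run `systemctl restart ""`. The ceph_rgw section uses `-n` for the same check; change this line to `if [ -n "$grafana_unit" ]; then`. The `awk '/grafana/ {print $1}'` filter may also return more than one unit name, which `systemctl restart "$grafana_unit"` would then pass as a single argument; limiting it with `| head -n1` or a more specific pattern avoids that.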
@ -174,43 +174,41 @@ outputs:
|
|||
type: node
|
||||
- null
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: ceph_rgw
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ceph_rgw/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
|
||||
run_after: |
|
||||
# Create PEM file
|
||||
pemfile=/etc/pki/tls/certs/ceph_rgw.pem
|
||||
cat /etc/pki/tls/certs/ceph_rgw.crt /etc/ipa/ca.crt /etc/pki/tls/private/ceph_rgw.key > $pemfile
|
||||
chmod 0640 $pemfile
|
||||
chown 472:472 $pemfile
|
||||
# Get ceph rgw systemd unit
|
||||
rgw_unit=$(systemctl list-unit-files | awk '/radosgw/ {print $1}')
|
||||
# Restart the rgw systemd unit
|
||||
if [ -n "$rgw_unit" ]; then
|
||||
systemctl restart "$rgw_unit"
|
||||
fi
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: CephRgwCertificateKeySize}
|
||||
ca: ipa
|
||||
- null
|
||||
- name: Certificate generation
|
||||
when:
|
||||
- step|int == 1
|
||||
- enable_internal_tls
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: ceph_rgw
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ceph_rgw/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
|
||||
run_after: |
|
||||
# Create PEM file
|
||||
pemfile=/etc/pki/tls/certs/ceph_rgw.pem
|
||||
cat /etc/pki/tls/certs/ceph_rgw.crt /etc/ipa/ca.crt /etc/pki/tls/private/ceph_rgw.key > $pemfile
|
||||
chmod 0640 $pemfile
|
||||
chown 472:472 $pemfile
|
||||
# Get ceph rgw systemd unit
|
||||
rgw_unit=$(systemctl list-unit-files | awk '/radosgw/ {print $1}')
|
||||
# Restart the rgw systemd unit
|
||||
if [ -n "$rgw_unit" ]; then
|
||||
systemctl restart "$rgw_unit"
|
||||
fi
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: CephRgwCertificateKeySize}
|
||||
ca: ipa
|
||||
|
|
|
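Review bot: `cat ... /etc/pki/tls/private/ceph_rgw.key > $pemfile` writes the PEM that contains the private key with the shell's default umask and only afterwards runs `chmod 0640 $pemfile`, so the file can be readable by other users between the two commands; on a rerun the existing file is truncated and rewritten with whatever mode it already has. Placing `umask 077` before the `cat` (or creating the file first with `install -m 0640 -o 472 -g 472 /dev/null "$pemfile"`) removes the window. `$pemfile` is unquoted in all four commands; `"$pemfile"` matches the quoting style of the other sections.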
@ -174,35 +174,33 @@ outputs:
|
|||
type: node
|
||||
- null
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: mysql
|
||||
dns:
|
||||
- str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
- str_replace:
|
||||
template: "{{cloud_names.cloud_name_NETWORK}}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "mysql/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: MysqlCertificateKeySize}
|
||||
ca: ipa
|
||||
- null
|
||||
- name: Certificate generation
|
||||
when:
|
||||
- step|int == 1
|
||||
- enable_internal_tls
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: mysql
|
||||
dns:
|
||||
- str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
- str_replace:
|
||||
template: "{{cloud_names.cloud_name_NETWORK}}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "mysql/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: MysqlCertificateKeySize}
|
||||
ca: ipa
|
||||
|
|
|
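Review bot: This certificate request has no `run_after`, so when the certificate role renews the mysql certificate nothing reloads or restarts the service; unless a renewal hook exists elsewhere (not visible here), the database keeps serving the old certificate until its next restart. The ovn_controller, ovn_dbs and ovn_metadata sections in this commit have the same gap. If this is intentional, a comment on the request such as `# no run_after: the service only re-reads the certificate on restart (renewal handled by <mechanism — confirm>)` would document it; otherwise add a `run_after` that reloads the service. Style: the two `dns` entries use different placeholder spellings (`$NETWORK` and `NETWORK`) for the same value; one spelling makes the `str_replace` intent clearer.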
@ -196,51 +196,49 @@ outputs:
|
|||
type: node
|
||||
- null
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: redis
|
||||
dns:
|
||||
- str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||
- str_replace:
|
||||
template: "{{cloud_names.cloud_name_NETWORK}}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "redis/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||
run_after: |
|
||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep redis_tls_proxy)
|
||||
service_crt="/etc/pki/tls/certs/redis.crt"
|
||||
service_key="/etc/pki/tls/private/redis.key"
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||
# Set appropriate permissions
|
||||
{{container_cli}} exec "$container_name" chown memcached:memcached "$service_crt"
|
||||
{{container_cli}} exec "$container_name" chown memcached:memcached "$service_key"
|
||||
# Trigger a reload for stunnel to read the new certificate
|
||||
{{container_cli}} exec pkill -o -HUP stunnel
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: RedisCertificateKeySize}
|
||||
ca: ipa
|
||||
- null
|
||||
- name: Certificate generation
|
||||
when:
|
||||
- step|int == 1
|
||||
- enable_internal_tls
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: redis
|
||||
dns:
|
||||
- str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||
- str_replace:
|
||||
template: "{{cloud_names.cloud_name_NETWORK}}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "redis/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||
run_after: |
|
||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep redis_tls_proxy)
|
||||
service_crt="/etc/pki/tls/certs/redis.crt"
|
||||
service_key="/etc/pki/tls/private/redis.key"
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||
# Set appropriate permissions
|
||||
{{container_cli}} exec "$container_name" chown memcached:memcached "$service_crt"
|
||||
{{container_cli}} exec "$container_name" chown memcached:memcached "$service_key"
|
||||
# Trigger a reload for stunnel to read the new certificate
|
||||
{{container_cli}} exec pkill -o -HUP stunnel
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: RedisCertificateKeySize}
|
||||
ca: ipa
|
||||
host_prep_tasks:
|
||||
- name: create persistent directories
|
||||
file:
|
||||
|
|
|
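Review bot: The stunnel reload at the end of `run_after` omits the container: `{{container_cli}} exec pkill -o -HUP stunnel` asks the container CLI to exec into a container named `pkill`, which fails, so stunnel never reloads and keeps the old certificate. Change it to `{{container_cli}} exec "$container_name" pkill -o -HUP stunnel`. The two `chown memcached:memcached` lines look copied from another template; confirm which user stunnel runs as inside `redis_tls_proxy`. The second copy comment says "cert" where the line copies the key.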
@ -327,59 +327,57 @@ outputs:
|
|||
environment:
|
||||
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: metrics_qdr
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_NETWORK}}"
|
||||
params:
|
||||
NETWORK:
|
||||
get_param:
|
||||
- ServiceNetMap
|
||||
- str_replace:
|
||||
template: "ROLENAMEMetricsQdrNetwork"
|
||||
params:
|
||||
ROLENAME: {get_param: RoleName}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "metrics_qdr/{{fqdn_NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
NETWORK:
|
||||
get_param:
|
||||
- ServiceNetMap
|
||||
- str_replace:
|
||||
template: "ROLENAMEMetricsQdrNetwork"
|
||||
params:
|
||||
ROLENAME: {get_param: RoleName}
|
||||
run_after: |
|
||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep metrics_qdr)
|
||||
service_crt="/etc/pki/tls/certs/metrics_qdr.crt"
|
||||
service_key="/etc/pki/tls/private/metrics_qdr.key
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
# Copy the new key from the mount-point to the real path
|
||||
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||
# Set appropriate permissions
|
||||
{{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_crt"
|
||||
{{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_key"
|
||||
# Trigger a container restart to read the new certificate
|
||||
{{container_cli}} restart "$container_name"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: QdrCertificateKeySize}
|
||||
ca: ipa
|
||||
- null
|
||||
- name: Certificate generation
|
||||
when:
|
||||
- step|int == 1
|
||||
- enable_internal_tls
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: metrics_qdr
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_NETWORK}}"
|
||||
params:
|
||||
NETWORK:
|
||||
get_param:
|
||||
- ServiceNetMap
|
||||
- str_replace:
|
||||
template: "ROLENAMEMetricsQdrNetwork"
|
||||
params:
|
||||
ROLENAME: {get_param: RoleName}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "metrics_qdr/{{fqdn_NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
NETWORK:
|
||||
get_param:
|
||||
- ServiceNetMap
|
||||
- str_replace:
|
||||
template: "ROLENAMEMetricsQdrNetwork"
|
||||
params:
|
||||
ROLENAME: {get_param: RoleName}
|
||||
run_after: |
|
||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep metrics_qdr)
|
||||
service_crt="/etc/pki/tls/certs/metrics_qdr.crt"
|
||||
service_key="/etc/pki/tls/private/metrics_qdr.key
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
# Copy the new key from the mount-point to the real path
|
||||
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||
# Set appropriate permissions
|
||||
{{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_crt"
|
||||
{{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_key"
|
||||
# Trigger a container restart to read the new certificate
|
||||
{{container_cli}} restart "$container_name"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: QdrCertificateKeySize}
|
||||
ca: ipa
|
||||
host_prep_tasks:
|
||||
- name: create persistent logs directory
|
||||
file:
|
||||
|
|
|
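Review bot: `service_key="/etc/pki/tls/private/metrics_qdr.key` in `run_after` is missing its closing double quote, so the shell string runs on into the following lines and the key is never copied to its real path (the script either aborts on the unterminated quote or copies a garbled path). Change the line to `service_key="/etc/pki/tls/private/metrics_qdr.key"`.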
@ -376,47 +376,45 @@ outputs:
|
|||
type: node
|
||||
- null
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: neutron
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "neutron/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
||||
run_after: |
|
||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep neutron_dhcp)
|
||||
# The certificate is also installed on the computes, but neutron_dhcp is only
|
||||
# present on the controllers, so we exit if the container could not be found.
|
||||
[[ -z $container_name ]] && exit 0
|
||||
- name: Certificate generation
|
||||
when:
|
||||
- step|int == 1
|
||||
- enable_internal_tls
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: neutron
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "neutron/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
||||
run_after: |
|
||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep neutron_dhcp)
|
||||
# The certificate is also installed on the computes, but neutron_dhcp is only
|
||||
# present on the controllers, so we exit if the container could not be found.
|
||||
[[ -z $container_name ]] && exit 0
|
||||
|
||||
service_crt="/etc/pki/tls/certs/neutron.crt"
|
||||
service_key="/etc/pki/tls/private/neutron.key"
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
# Copy the new key from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key "$service_key"
|
||||
# No need to trigger a reload for neutron dhcpd since the cert is not cached
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: NeutronDhcpCertificateKeySize}
|
||||
ca: ipa
|
||||
- null
|
||||
service_crt="/etc/pki/tls/certs/neutron.crt"
|
||||
service_key="/etc/pki/tls/private/neutron.key"
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
# Copy the new key from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key "$service_key"
|
||||
# No need to trigger a reload for neutron dhcpd since the cert is not cached
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: NeutronDhcpCertificateKeySize}
|
||||
ca: ipa
|
||||
host_prep_tasks:
|
||||
list_concat:
|
||||
- {get_attr: [NeutronLogging, host_prep_tasks]}
|
||||
|
|
|
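Review bot: The key copy in `run_after`, `{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key "$service_key"`, has its quotes misplaced: the first quoted string ends after the space, `$service_key` is left unquoted and the trailing `"` opens a quote that is never closed, so the renewed key does not reach the container. Change it to `{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"`. The `[[ -z $container_name ]] && exit 0` early exit is well commented; note that `grep neutron_dhcp` can match more than one container name, in which case the later `exec` calls receive a multi-line argument.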
@ -303,34 +303,32 @@ outputs:
|
|||
environment:
|
||||
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: ovn_controller
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ovn_controller/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: ContainerOvnCertificateKeySize}
|
||||
ca: ipa
|
||||
- null
|
||||
- name: Certificate generation
|
||||
when:
|
||||
- step|int == 1
|
||||
- enable_internal_tls
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: ovn_controller
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ovn_controller/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: ContainerOvnCertificateKeySize}
|
||||
ca: ipa
|
||||
host_prep_tasks:
|
||||
- name: create persistent directories
|
||||
file:
|
||||
|
|
|
@ -228,57 +228,54 @@ outputs:
|
|||
- { 'path': /var/log/containers/openvswitch, 'setype': container_file_t, 'mode': '0750' }
|
||||
- { 'path': /var/lib/openvswitch/ovn, 'setype': container_file_t }
|
||||
deploy_steps_tasks:
|
||||
list_concat:
|
||||
- - name: OVN DBS tag container image for pacemaker
|
||||
when: step|int == 1
|
||||
- name: OVN DBS tag container image for pacemaker
|
||||
when: step|int == 1
|
||||
import_role:
|
||||
name: tripleo_container_tag
|
||||
vars:
|
||||
container_image: {get_param: ContainerOvnDbsImage}
|
||||
container_image_latest: *ovn_dbs_image_pcmklatest
|
||||
- name: OVNDbs HA Wrappers Step
|
||||
when: step|int == 3
|
||||
block: &ovn_dbs_puppet_bundle
|
||||
- name: Ovn dbs puppet bundle
|
||||
import_role:
|
||||
name: tripleo_container_tag
|
||||
name: tripleo_ha_wrapper
|
||||
vars:
|
||||
container_image: {get_param: ContainerOvnDbsImage}
|
||||
container_image_latest: *ovn_dbs_image_pcmklatest
|
||||
- name: OVNDbs HA Wrappers Step
|
||||
when: step|int == 3
|
||||
block: &ovn_dbs_puppet_bundle
|
||||
- name: Ovn dbs puppet bundle
|
||||
import_role:
|
||||
name: tripleo_ha_wrapper
|
||||
vars:
|
||||
tripleo_ha_wrapper_service_name: ovn_dbs
|
||||
tripleo_ha_wrapper_resource_name: ovndbs_servers
|
||||
tripleo_ha_wrapper_bundle_name: ovn-dbs-bundle
|
||||
tripleo_ha_wrapper_resource_state: Slave Master
|
||||
tripleo_ha_wrapper_puppet_config_volume: ovn_dbs
|
||||
tripleo_ha_wrapper_puppet_execute: 'include ::tripleo::profile::base::pacemaker; include ::tripleo::profile::pacemaker::ovn_dbs_bundle'
|
||||
tripleo_ha_wrapper_puppet_tags: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
|
||||
tripleo_ha_wrapper_puppet_debug: {get_param: ConfigDebug}
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: ovn_dbs
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ovn_dbs/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: OvnDBSCertificateKeySize}
|
||||
ca: ipa
|
||||
- []
|
||||
tripleo_ha_wrapper_service_name: ovn_dbs
|
||||
tripleo_ha_wrapper_resource_name: ovndbs_servers
|
||||
tripleo_ha_wrapper_bundle_name: ovn-dbs-bundle
|
||||
tripleo_ha_wrapper_resource_state: Slave Master
|
||||
tripleo_ha_wrapper_puppet_config_volume: ovn_dbs
|
||||
tripleo_ha_wrapper_puppet_execute: 'include ::tripleo::profile::base::pacemaker; include ::tripleo::profile::pacemaker::ovn_dbs_bundle'
|
||||
tripleo_ha_wrapper_puppet_tags: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
|
||||
tripleo_ha_wrapper_puppet_debug: {get_param: ConfigDebug}
|
||||
- name: Certificate generation
|
||||
when:
|
||||
- step|int == 1
|
||||
- enable_internal_tls
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: ovn_dbs
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ovn_dbs/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: OvnDBSCertificateKeySize}
|
||||
ca: ipa
|
||||
update_tasks:
|
||||
- name: Tear-down non-HA ovn-dbs containers
|
||||
when:
|
||||
|
|
|
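Review bot: The `Certificate generation` task is placed after the step-3 `OVNDbs HA Wrappers Step` entry although it is gated on `step|int == 1`, so the task list is no longer in step order; moving it ahead of the HA wrapper task, or a comment such as `# runs at step 1, before the ovn-dbs bundle is created at step 3`, keeps the sequence readable. The rendering loses the change markers, so I cannot tell whether `list_concat:` survives on the new side; if it does, it now wraps a single list and can be dropped, which is also what the `-57 +54` line counts suggest.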
@ -329,34 +329,32 @@ outputs:
|
|||
type: node
|
||||
- null
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: ovn_metadata
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ovn_metadata/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: OvnMetadataCertificateKeySize}
|
||||
ca: ipa
|
||||
- null
|
||||
- name: Certificate generation
|
||||
when:
|
||||
- step|int == 1
|
||||
- enable_internal_tls
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: ovn_metadata
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ovn_metadata/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: OvnMetadataCertificateKeySize}
|
||||
ca: ipa
|
||||
host_prep_tasks:
|
||||
list_concat:
|
||||
- {get_attr: [NeutronLogging, host_prep_tasks]}
|
||||
|
|
|
@ -335,59 +335,57 @@ outputs:
|
|||
type: node
|
||||
- null
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: rabbitmq
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
||||
run_after: |
|
||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
|
||||
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
|
||||
service_key="/etc/pki/tls/private/rabbitmq.key"
|
||||
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
|
||||
# lp#1917868: Do not use podman cp with HA containers as they get
|
||||
# frozen temporarily and that can make pacemaker operation fail.
|
||||
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
|
||||
# no need to update the mount point, because pacemaker
|
||||
# recreates the container when it's restarted
|
||||
else
|
||||
# Refresh the cert at the mount-point
|
||||
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
|
||||
# Refresh the key at the mount-point
|
||||
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
# Copy the new key from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||
fi
|
||||
# Set appropriate permissions
|
||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
|
||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
|
||||
# Trigger a pem cache clear in RabbitMQ to read the new certificates
|
||||
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: RabbitmqCertificateKeySize}
|
||||
ca: ipa
|
||||
- null
|
||||
- name: Certificate generation
|
||||
when:
|
||||
- step|int == 1
|
||||
- enable_internal_tls
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: rabbitmq
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
||||
run_after: |
|
||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
|
||||
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
|
||||
service_key="/etc/pki/tls/private/rabbitmq.key"
|
||||
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
|
||||
# lp#1917868: Do not use podman cp with HA containers as they get
|
||||
# frozen temporarily and that can make pacemaker operation fail.
|
||||
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
|
||||
# no need to update the mount point, because pacemaker
|
||||
# recreates the container when it's restarted
|
||||
else
|
||||
# Refresh the cert at the mount-point
|
||||
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
|
||||
# Refresh the key at the mount-point
|
||||
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
# Copy the new key from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||
fi
|
||||
# Set appropriate permissions
|
||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
|
||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
|
||||
# Trigger a pem cache clear in RabbitMQ to read the new certificates
|
||||
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: RabbitmqCertificateKeySize}
|
||||
ca: ipa
|
||||
host_prep_tasks:
|
||||
- name: create persistent directories
|
||||
file:
|
||||
|
|
|
@ -270,59 +270,57 @@ outputs:
|
|||
type: node
|
||||
- null
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: rabbitmq
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
|
||||
run_after: |
|
||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
|
||||
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
|
||||
service_key="/etc/pki/tls/private/rabbitmq.key"
|
||||
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
|
||||
# lp#1917868: Do not use podman cp with HA containers as they get
|
||||
# frozen temporarily and that can make pacemaker operation fail.
|
||||
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
|
||||
# no need to update the mount point, because pacemaker
|
||||
# recreates the container when it's restarted
|
||||
else
|
||||
# Refresh the cert at the mount-point
|
||||
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
|
||||
# Refresh the key at the mount-point
|
||||
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
# Copy the new key from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||
fi
|
||||
# Set appropriate permissions
|
||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
|
||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
|
||||
# Trigger a pem cache clear in RabbitMQ to read the new certificates
|
||||
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: RabbitmqMessageCertificateKeySize}
|
||||
ca: ipa
|
||||
- null
|
||||
- name: Certificate generation
|
||||
when:
|
||||
- step|int == 1
|
||||
- enable_internal_tls
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: rabbitmq
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
|
||||
run_after: |
|
||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
|
||||
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
|
||||
service_key="/etc/pki/tls/private/rabbitmq.key"
|
||||
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
|
||||
# lp#1917868: Do not use podman cp with HA containers as they get
|
||||
# frozen temporarily and that can make pacemaker operation fail.
|
||||
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
|
||||
# no need to update the mount point, because pacemaker
|
||||
# recreates the container when it's restarted
|
||||
else
|
||||
# Refresh the cert at the mount-point
|
||||
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
|
||||
# Refresh the key at the mount-point
|
||||
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
# Copy the new key from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||
fi
|
||||
# Set appropriate permissions
|
||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
|
||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
|
||||
# Trigger a pem cache clear in RabbitMQ to read the new certificates
|
||||
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: RabbitmqMessageCertificateKeySize}
|
||||
ca: ipa
|
||||
host_prep_tasks:
|
||||
- name: create persistent directories
|
||||
file:
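Review bot: The new `- enable_internal_tls` entry in the `when` list under `Certificate generation` tests the raw variable, so it only gates on a boolean if the value arriving from the deploy variables is a real YAML boolean; a string-typed `"False"` would be truthy and the certificate request would run, and an undefined variable makes Ansible fail the task rather than skip it, which differs from the old Heat-level `if` that omitted the task entirely. Writing it as `- enable_internal_tls | bool` is the usual Ansible idiom and removes the string-truthiness case; whether the variable is guaranteed defined on every host is not visible here and worth confirming. The same change is made in the hunk below (`@ -270,59 +270,57 @@`, ending at `file:`) and in the earlier hunk whose start is outside this view, so the same fix applies there. A short comment on the task, `# Always emitted; the when clause (not a Heat condition) decides whether a cert is requested`, would explain why the task now exists even when internal TLS is disabled.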
|
||||
|
|
|
@ -270,59 +270,57 @@ outputs:
|
|||
type: node
|
||||
- null
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: rabbitmq
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
|
||||
run_after: |
|
||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
|
||||
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
|
||||
service_key="/etc/pki/tls/private/rabbitmq.key"
|
||||
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
|
||||
# lp#1917868: Do not use podman cp with HA containers as they get
|
||||
# frozen temporarily and that can make pacemaker operation fail.
|
||||
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
|
||||
# no need to update the mount point, because pacemaker
|
||||
# recreates the container when it's restarted
|
||||
else
|
||||
# Refresh the cert at the mount-point
|
||||
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
|
||||
# Refresh the key at the mount-point
|
||||
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
# Copy the new key from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||
fi
|
||||
# Set appropriate permissions
|
||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
|
||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
|
||||
# Trigger a pem cache clear in RabbitMQ to read the new certificates
|
||||
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: RpcCertificateKeySize}
|
||||
ca: ipa
|
||||
- null
|
||||
- name: Certificate generation
|
||||
when:
|
||||
- step|int == 1
|
||||
- enable_internal_tls
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: rabbitmq
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
|
||||
run_after: |
|
||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
|
||||
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
|
||||
service_key="/etc/pki/tls/private/rabbitmq.key"
|
||||
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
|
||||
# lp#1917868: Do not use podman cp with HA containers as they get
|
||||
# frozen temporarily and that can make pacemaker operation fail.
|
||||
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
|
||||
# no need to update the mount point, because pacemaker
|
||||
# recreates the container when it's restarted
|
||||
else
|
||||
# Refresh the cert at the mount-point
|
||||
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
|
||||
# Refresh the key at the mount-point
|
||||
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
# Copy the new key from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||
fi
|
||||
# Set appropriate permissions
|
||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
|
||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
|
||||
# Trigger a pem cache clear in RabbitMQ to read the new certificates
|
||||
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: RpcCertificateKeySize}
|
||||
ca: ipa
|
||||
host_prep_tasks:
|
||||
- name: create persistent directories
|
||||
file:
|
||||
|
|