Merge "Revamp how etcd's cert and key are handled in containers" into stable/train
This commit is contained in:
commit
89e9937380
@ -274,10 +274,19 @@ outputs:
|
|||
dest: "/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
- source: "/var/lib/kolla/config_files/src-tls/*"
|
||||
dest: "/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
optional: true
|
||||
permissions:
|
||||
- path: /var/log/cinder
|
||||
owner: cinder:cinder
|
||||
recurse: true
|
||||
- path: /etc/pki/tls/certs/etcd.crt
|
||||
owner: cinder:cinder
|
||||
- path: /etc/pki/tls/private/etcd.key
|
||||
owner: cinder:cinder
|
||||
/var/lib/kolla/config_files/cinder_api_cron.json:
|
||||
command: /usr/sbin/crond -n
|
||||
config_files:
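Review bot: The new `permissions` entry for `/etc/pki/tls/private/etcd.key` sets the owner but no mode, whereas the Ceph keyring entry visible in the `@ -180,6 +185,10` hunk pins `perm: '0600'`; with `preserve_properties: true` the copied key presumably keeps whatever mode the host file carries, which this template does not control. Pinning it, `perm: '0600'`, on the etcd.key entry makes the private key's mode explicit and consistent with the keyring entry. The same applies to the etcd.key entries in the `@ -180,6 +185,10`, `@ -170,6 +175,10`, `@ -101,10 +101,19`, `@ -322,6 +327,10` and `@ -154,10 +155,19` hunks. Since the src-tls copy is `optional: true`, these permission entries are also evaluated when TLS is disabled and the files were never copied, so this relies on kolla tolerating a non-existent path — worth confirming rather than assuming.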
|
||||
|
|
|
@ -165,6 +165,11 @@ outputs:
|
|||
dest: "/etc/iscsi/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
- source: "/var/lib/kolla/config_files/src-tls/*"
|
||||
dest: "/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
optional: true
|
||||
permissions:
|
||||
- path: /var/lib/cinder
|
||||
owner: cinder:cinder
|
||||
|
@ -180,6 +185,10 @@ outputs:
|
|||
USER: {get_param: CephClientUserName}
|
||||
owner: cinder:cinder
|
||||
perm: '0600'
|
||||
- path: /etc/pki/tls/certs/etcd.crt
|
||||
owner: cinder:cinder
|
||||
- path: /etc/pki/tls/private/etcd.key
|
||||
owner: cinder:cinder
|
||||
docker_config:
|
||||
step_3:
|
||||
cinder_backup_init_logs:
|
||||
|
|
|
@ -163,6 +163,11 @@ outputs:
|
|||
dest: "/etc/iscsi/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
- source: "/var/lib/kolla/config_files/src-tls/*"
|
||||
dest: "/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
optional: true
|
||||
permissions:
|
||||
- path: /var/lib/cinder
|
||||
owner: cinder:cinder
|
||||
|
@ -170,6 +175,10 @@ outputs:
|
|||
- path: /var/log/cinder
|
||||
owner: cinder:cinder
|
||||
recurse: true
|
||||
- path: /etc/pki/tls/certs/etcd.crt
|
||||
owner: cinder:cinder
|
||||
- path: /etc/pki/tls/private/etcd.key
|
||||
owner: cinder:cinder
|
||||
container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
|
||||
docker_config:
|
||||
step_3:
|
||||
|
|
|
@ -114,8 +114,8 @@ outputs:
|
|||
if:
|
||||
- cvol_active_active_tls_enabled
|
||||
-
|
||||
- /etc/pki/tls/certs/etcd.crt:/etc/pki/tls/certs/etcd.crt:ro
|
||||
- /etc/pki/tls/private/etcd.key:/etc/pki/tls/private/etcd.key:ro
|
||||
- /etc/pki/tls/certs/etcd.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/etcd.crt:ro
|
||||
- /etc/pki/tls/private/etcd.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/etcd.key:ro
|
||||
- []
|
||||
|
||||
cinder_volume_host_prep_tasks:
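Review bot: With the direct bind mounts onto `/etc/pki/tls/...` replaced by mounts into `src-tls`, the container now works from a copy of etcd.crt and etcd.key taken when kolla runs at container start rather than from the live host files, so a certificate renewed on the host is not seen by cinder-volume until the container is restarted. The etcd template in this commit shows `postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh'`, but it is not visible here whether that hook also restarts the cinder-volume container. A comment above the `if:` block stating that the cert and key are copied at startup and that renewal requires a container restart would save the next reader from assuming the mounts are live. The `cinder_volume_volumes` output that this `if:` belongs to starts outside the hunk.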
|
||||
|
|
|
@ -101,10 +101,19 @@ outputs:
|
|||
dest: "/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
- source: "/var/lib/kolla/config_files/src-tls/*"
|
||||
dest: "/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
optional: true
|
||||
permissions:
|
||||
- path: /var/log/cinder
|
||||
owner: cinder:cinder
|
||||
recurse: true
|
||||
- path: /etc/pki/tls/certs/etcd.crt
|
||||
owner: cinder:cinder
|
||||
- path: /etc/pki/tls/private/etcd.key
|
||||
owner: cinder:cinder
|
||||
docker_config:
|
||||
step_2:
|
||||
cinder_scheduler_init_logs:
|
||||
|
|
|
@ -310,6 +310,11 @@ outputs:
|
|||
dest: "/etc/iscsi/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
- source: "/var/lib/kolla/config_files/src-tls/*"
|
||||
dest: "/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
optional: true
|
||||
permissions:
|
||||
- path: /var/log/cinder
|
||||
owner: cinder:cinder
|
||||
|
@ -322,6 +327,10 @@ outputs:
|
|||
USER: {get_param: CephClientUserName}
|
||||
owner: cinder:cinder
|
||||
perm: '0600'
|
||||
- path: /etc/pki/tls/certs/etcd.crt
|
||||
owner: cinder:cinder
|
||||
- path: /etc/pki/tls/private/etcd.key
|
||||
owner: cinder:cinder
|
||||
docker_config:
|
||||
step_3:
|
||||
cinder_volume_init_logs:
|
||||
|
@ -345,20 +354,3 @@ outputs:
|
|||
volumes: {get_attr: [CinderCommon, cinder_volume_volumes]}
|
||||
environment: {get_attr: [CinderCommon, cinder_volume_environment]}
|
||||
host_prep_tasks: {get_attr: [CinderCommon, cinder_volume_host_prep_tasks]}
|
||||
deploy_steps_tasks:
|
||||
- name: ensure cinder can access etcd's tls cert and key
|
||||
become: true
|
||||
acl:
|
||||
path: "{{ item }}"
|
||||
entity: "{{ 42407 | string }}"
|
||||
etype: user
|
||||
permissions: r
|
||||
state: present
|
||||
with_items:
|
||||
- /etc/pki/tls/certs/etcd.crt
|
||||
- /etc/pki/tls/private/etcd.key
|
||||
vars:
|
||||
cvol_active_active_tls_enabled: {if: [cvol_active_active_tls_enabled, true, false]}
|
||||
when:
|
||||
- cvol_active_active_tls_enabled|bool
|
||||
- step|int == 3
|
||||
|
|
|
@ -151,6 +151,10 @@ outputs:
|
|||
dest: "/etc/iscsi/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
# NOTE(abishop): no need to copy any src-tls/* files or set ownership
|
||||
# of etcd's TLS certificate and key. The etcd service is only used by
|
||||
# cinder-volume when it's running active/active, and *not* when it's
|
||||
# under pcmk control.
|
||||
permissions:
|
||||
- path: /var/log/cinder
|
||||
owner: cinder:cinder
|
||||
|
|
|
@ -131,6 +131,7 @@ outputs:
|
|||
"%{hiera('NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
|
||||
postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh'
|
||||
etcd::trusted_ca_file: {get_param: InternalTLSCAFile}
|
||||
etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile}
|
||||
-
|
||||
|
@ -154,10 +155,19 @@ outputs:
|
|||
dest: "/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
- source: "/var/lib/kolla/config_files/src-tls/*"
|
||||
dest: "/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
optional: true
|
||||
permissions:
|
||||
- path: /var/lib/etcd
|
||||
owner: etcd:etcd
|
||||
recurse: true
|
||||
- path: /etc/pki/tls/certs/etcd.crt
|
||||
owner: etcd:etcd
|
||||
- path: /etc/pki/tls/private/etcd.key
|
||||
owner: etcd:etcd
|
||||
docker_config:
|
||||
step_2:
|
||||
etcd:
|
||||
|
@ -178,8 +188,8 @@ outputs:
|
|||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- /etc/pki/tls/certs/etcd.crt:/etc/pki/tls/certs/etcd.crt:ro
|
||||
- /etc/pki/tls/private/etcd.key:/etc/pki/tls/private/etcd.key:ro
|
||||
- /etc/pki/tls/certs/etcd.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/etcd.crt:ro
|
||||
- /etc/pki/tls/private/etcd.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/etcd.key:ro
|
||||
- null
|
||||
environment:
|
||||
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||
|
@ -200,23 +210,6 @@ outputs:
|
|||
path: /var/lib/etcd
|
||||
state: directory
|
||||
setype: svirt_sandbox_file_t
|
||||
deploy_steps_tasks:
|
||||
- name: ensure etcd can access its tls cert and key
|
||||
become: true
|
||||
acl:
|
||||
path: "{{ item }}"
|
||||
entity: "{{ 42413 | string }}"
|
||||
etype: user
|
||||
permissions: r
|
||||
state: present
|
||||
with_items:
|
||||
- /etc/pki/tls/certs/etcd.crt
|
||||
- /etc/pki/tls/private/etcd.key
|
||||
vars:
|
||||
internal_tls_enabled: {if: [internal_tls_enabled, true, false]}
|
||||
when:
|
||||
- internal_tls_enabled|bool
|
||||
- step|int == 2
|
||||
upgrade_tasks: []
|
||||
metadata_settings:
|
||||
if:
|
||||