Browse Source

Merge "Revamp how etcd's cert and key are handled in containers" into stable/train

changes/86/748486/1
Zuul 1 month ago
committed by Gerrit Code Review
parent
commit
89e9937380
8 changed files with 63 additions and 38 deletions
  1. +9
    -0
      deployment/cinder/cinder-api-container-puppet.yaml
  2. +9
    -0
      deployment/cinder/cinder-backup-container-puppet.yaml
  3. +9
    -0
      deployment/cinder/cinder-backup-pacemaker-puppet.yaml
  4. +2
    -2
      deployment/cinder/cinder-common-container-puppet.yaml
  5. +9
    -0
      deployment/cinder/cinder-scheduler-container-puppet.yaml
  6. +9
    -17
      deployment/cinder/cinder-volume-container-puppet.yaml
  7. +4
    -0
      deployment/cinder/cinder-volume-pacemaker-puppet.yaml
  8. +12
    -19
      deployment/etcd/etcd-container-puppet.yaml

+ 9
- 0
deployment/cinder/cinder-api-container-puppet.yaml View File

@@ -274,10 +274,19 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/log/cinder
owner: cinder:cinder
recurse: true
- path: /etc/pki/tls/certs/etcd.crt
owner: cinder:cinder
- path: /etc/pki/tls/private/etcd.key
owner: cinder:cinder
/var/lib/kolla/config_files/cinder_api_cron.json:
command: /usr/sbin/crond -n
config_files:


+ 9
- 0
deployment/cinder/cinder-backup-container-puppet.yaml View File

@@ -165,6 +165,11 @@ outputs:
dest: "/etc/iscsi/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/lib/cinder
owner: cinder:cinder
@@ -180,6 +185,10 @@ outputs:
USER: {get_param: CephClientUserName}
owner: cinder:cinder
perm: '0600'
- path: /etc/pki/tls/certs/etcd.crt
owner: cinder:cinder
- path: /etc/pki/tls/private/etcd.key
owner: cinder:cinder
docker_config:
step_3:
cinder_backup_init_logs:


+ 9
- 0
deployment/cinder/cinder-backup-pacemaker-puppet.yaml View File

@@ -163,6 +163,11 @@ outputs:
dest: "/etc/iscsi/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/lib/cinder
owner: cinder:cinder
@@ -170,6 +175,10 @@ outputs:
- path: /var/log/cinder
owner: cinder:cinder
recurse: true
- path: /etc/pki/tls/certs/etcd.crt
owner: cinder:cinder
- path: /etc/pki/tls/private/etcd.key
owner: cinder:cinder
container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
docker_config:
step_3:


+ 2
- 2
deployment/cinder/cinder-common-container-puppet.yaml View File

@@ -114,8 +114,8 @@ outputs:
if:
- cvol_active_active_tls_enabled
-
- /etc/pki/tls/certs/etcd.crt:/etc/pki/tls/certs/etcd.crt:ro
- /etc/pki/tls/private/etcd.key:/etc/pki/tls/private/etcd.key:ro
- /etc/pki/tls/certs/etcd.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/etcd.crt:ro
- /etc/pki/tls/private/etcd.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/etcd.key:ro
- []

cinder_volume_host_prep_tasks:


+ 9
- 0
deployment/cinder/cinder-scheduler-container-puppet.yaml View File

@@ -101,10 +101,19 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/log/cinder
owner: cinder:cinder
recurse: true
- path: /etc/pki/tls/certs/etcd.crt
owner: cinder:cinder
- path: /etc/pki/tls/private/etcd.key
owner: cinder:cinder
docker_config:
step_2:
cinder_scheduler_init_logs:


+ 9
- 17
deployment/cinder/cinder-volume-container-puppet.yaml View File

@@ -310,6 +310,11 @@ outputs:
dest: "/etc/iscsi/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/log/cinder
owner: cinder:cinder
@@ -322,6 +327,10 @@ outputs:
USER: {get_param: CephClientUserName}
owner: cinder:cinder
perm: '0600'
- path: /etc/pki/tls/certs/etcd.crt
owner: cinder:cinder
- path: /etc/pki/tls/private/etcd.key
owner: cinder:cinder
docker_config:
step_3:
cinder_volume_init_logs:
@@ -345,20 +354,3 @@ outputs:
volumes: {get_attr: [CinderCommon, cinder_volume_volumes]}
environment: {get_attr: [CinderCommon, cinder_volume_environment]}
host_prep_tasks: {get_attr: [CinderCommon, cinder_volume_host_prep_tasks]}
deploy_steps_tasks:
- name: ensure cinder can access etcd's tls cert and key
become: true
acl:
path: "{{ item }}"
entity: "{{ 42407 | string }}"
etype: user
permissions: r
state: present
with_items:
- /etc/pki/tls/certs/etcd.crt
- /etc/pki/tls/private/etcd.key
vars:
cvol_active_active_tls_enabled: {if: [cvol_active_active_tls_enabled, true, false]}
when:
- cvol_active_active_tls_enabled|bool
- step|int == 3

+ 4
- 0
deployment/cinder/cinder-volume-pacemaker-puppet.yaml View File

@@ -151,6 +151,10 @@ outputs:
dest: "/etc/iscsi/"
merge: true
preserve_properties: true
# NOTE(abishop): no need to copy any src-tls/* files or set ownership
# of etcd's TLS certificate and key. The etcd service is only used by
# cinder-volume when it's running active/active, and *not* when it's
# under pcmk control.
permissions:
- path: /var/log/cinder
owner: cinder:cinder


+ 12
- 19
deployment/etcd/etcd-container-puppet.yaml View File

@@ -131,6 +131,7 @@ outputs:
"%{hiera('NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh'
etcd::trusted_ca_file: {get_param: InternalTLSCAFile}
etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile}
-
@@ -154,10 +155,19 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/lib/etcd
owner: etcd:etcd
recurse: true
- path: /etc/pki/tls/certs/etcd.crt
owner: etcd:etcd
- path: /etc/pki/tls/private/etcd.key
owner: etcd:etcd
docker_config:
step_2:
etcd:
@@ -178,8 +188,8 @@ outputs:
if:
- internal_tls_enabled
-
- /etc/pki/tls/certs/etcd.crt:/etc/pki/tls/certs/etcd.crt:ro
- /etc/pki/tls/private/etcd.key:/etc/pki/tls/private/etcd.key:ro
- /etc/pki/tls/certs/etcd.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/etcd.crt:ro
- /etc/pki/tls/private/etcd.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/etcd.key:ro
- null
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
@@ -200,23 +210,6 @@ outputs:
path: /var/lib/etcd
state: directory
setype: svirt_sandbox_file_t
deploy_steps_tasks:
- name: ensure etcd can access its tls cert and key
become: true
acl:
path: "{{ item }}"
entity: "{{ 42413 | string }}"
etype: user
permissions: r
state: present
with_items:
- /etc/pki/tls/certs/etcd.crt
- /etc/pki/tls/private/etcd.key
vars:
internal_tls_enabled: {if: [internal_tls_enabled, true, false]}
when:
- internal_tls_enabled|bool
- step|int == 2
upgrade_tasks: []
metadata_settings:
if:


Loading…
Cancel
Save