openstack
/
tripleo-heat-templates
Code Issues Proposed changes

Merge "Revamp how etcd's cert and key are handled in containers" into stable/train

This commit is contained in:
Zuul 2020-08-27 06:16:56 +00:00 committed by Gerrit Code Review
parent 9df0724543 a9e7a6fa92
commit 89e9937380
8 changed files with 63 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
deployment/cinder/cinder-api-container-puppet.yaml
View File

@ -274,10 +274,19 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/log/cinder
owner: cinder:cinder
recurse: true
- path: /etc/pki/tls/certs/etcd.crt
owner: cinder:cinder
- path: /etc/pki/tls/private/etcd.key
owner: cinder:cinder
/var/lib/kolla/config_files/cinder_api_cron.json:
command: /usr/sbin/crond -n
config_files:

9
deployment/cinder/cinder-backup-container-puppet.yaml
View File

@ -165,6 +165,11 @@ outputs:
dest: "/etc/iscsi/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/lib/cinder
owner: cinder:cinder
@ -180,6 +185,10 @@ outputs:
USER: {get_param: CephClientUserName}
owner: cinder:cinder
perm: '0600'
- path: /etc/pki/tls/certs/etcd.crt
owner: cinder:cinder
- path: /etc/pki/tls/private/etcd.key
owner: cinder:cinder
docker_config:
step_3:
cinder_backup_init_logs:

9
deployment/cinder/cinder-backup-pacemaker-puppet.yaml
View File

@ -163,6 +163,11 @@ outputs:
dest: "/etc/iscsi/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/lib/cinder
owner: cinder:cinder
@ -170,6 +175,10 @@ outputs:
- path: /var/log/cinder
owner: cinder:cinder
recurse: true
- path: /etc/pki/tls/certs/etcd.crt
owner: cinder:cinder
- path: /etc/pki/tls/private/etcd.key
owner: cinder:cinder
container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
docker_config:
step_3:

4
deployment/cinder/cinder-common-container-puppet.yaml
View File

@ -114,8 +114,8 @@ outputs:
if:
- cvol_active_active_tls_enabled
-
- /etc/pki/tls/certs/etcd.crt:/etc/pki/tls/certs/etcd.crt:ro
- /etc/pki/tls/private/etcd.key:/etc/pki/tls/private/etcd.key:ro
- /etc/pki/tls/certs/etcd.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/etcd.crt:ro
- /etc/pki/tls/private/etcd.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/etcd.key:ro
- []
cinder_volume_host_prep_tasks:

9
deployment/cinder/cinder-scheduler-container-puppet.yaml
View File

@ -101,10 +101,19 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/log/cinder
owner: cinder:cinder
recurse: true
- path: /etc/pki/tls/certs/etcd.crt
owner: cinder:cinder
- path: /etc/pki/tls/private/etcd.key
owner: cinder:cinder
docker_config:
step_2:
cinder_scheduler_init_logs:

26
deployment/cinder/cinder-volume-container-puppet.yaml
View File

@ -310,6 +310,11 @@ outputs:
dest: "/etc/iscsi/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/log/cinder
owner: cinder:cinder
@ -322,6 +327,10 @@ outputs:
USER: {get_param: CephClientUserName}
owner: cinder:cinder
perm: '0600'
- path: /etc/pki/tls/certs/etcd.crt
owner: cinder:cinder
- path: /etc/pki/tls/private/etcd.key
owner: cinder:cinder
docker_config:
step_3:
cinder_volume_init_logs:
@ -345,20 +354,3 @@ outputs:
volumes: {get_attr: [CinderCommon, cinder_volume_volumes]}
environment: {get_attr: [CinderCommon, cinder_volume_environment]}
host_prep_tasks: {get_attr: [CinderCommon, cinder_volume_host_prep_tasks]}
deploy_steps_tasks:
- name: ensure cinder can access etcd's tls cert and key
become: true
acl:
path: "{{ item }}"
entity: "{{ 42407 | string }}"
etype: user
permissions: r
state: present
with_items:
- /etc/pki/tls/certs/etcd.crt
- /etc/pki/tls/private/etcd.key
vars:
cvol_active_active_tls_enabled: {if: [cvol_active_active_tls_enabled, true, false]}
when:
- cvol_active_active_tls_enabled|bool
- step|int == 3

4
deployment/cinder/cinder-volume-pacemaker-puppet.yaml
View File

@ -151,6 +151,10 @@ outputs:
dest: "/etc/iscsi/"
merge: true
preserve_properties: true
# NOTE(abishop): no need to copy any src-tls/* files or set ownership
# of etcd's TLS certificate and key. The etcd service is only used by
# cinder-volume when it's running active/active, and *not* when it's
# under pcmk control.
permissions:
- path: /var/log/cinder
owner: cinder:cinder

31
deployment/etcd/etcd-container-puppet.yaml
View File

@ -131,6 +131,7 @@ outputs:
"%{hiera('NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh'
etcd::trusted_ca_file: {get_param: InternalTLSCAFile}
etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile}
-
@ -154,10 +155,19 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/lib/etcd
owner: etcd:etcd
recurse: true
- path: /etc/pki/tls/certs/etcd.crt
owner: etcd:etcd
- path: /etc/pki/tls/private/etcd.key
owner: etcd:etcd
docker_config:
step_2:
etcd:
@ -178,8 +188,8 @@ outputs:
if:
- internal_tls_enabled
-
- /etc/pki/tls/certs/etcd.crt:/etc/pki/tls/certs/etcd.crt:ro
- /etc/pki/tls/private/etcd.key:/etc/pki/tls/private/etcd.key:ro
- /etc/pki/tls/certs/etcd.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/etcd.crt:ro
- /etc/pki/tls/private/etcd.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/etcd.key:ro
- null
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
@ -200,23 +210,6 @@ outputs:
path: /var/lib/etcd
state: directory
setype: svirt_sandbox_file_t
deploy_steps_tasks:
- name: ensure etcd can access its tls cert and key
become: true
acl:
path: "{{ item }}"
entity: "{{ 42413 | string }}"
etype: user
permissions: r
state: present
with_items:
- /etc/pki/tls/certs/etcd.crt
- /etc/pki/tls/private/etcd.key
vars:
internal_tls_enabled: {if: [internal_tls_enabled, true, false]}
when:
- internal_tls_enabled|bool
- step|int == 2
upgrade_tasks: []
metadata_settings:
if: