Merge "Revamp how etcd's cert and key are handled in containers" into stable/train

This commit is contained in:
Zuul 2020-08-27 06:16:56 +00:00 committed by Gerrit Code Review
commit 89e9937380
8 changed files with 63 additions and 38 deletions

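--- a/<path not shown on page: section 1>
+++ b/<path not shown on page: section 1>
@@ -274,10 +274,19 @@ outputs:
 dest: "/"
 merge: true
 preserve_properties: true
+- source: "/var/lib/kolla/config_files/src-tls/*"
+dest: "/"
+merge: true
+preserve_properties: true
+optional: true
 permissions:
 - path: /var/log/cinder
 owner: cinder:cinder
 recurse: true
+- path: /etc/pki/tls/certs/etcd.crt
+owner: cinder:cinder
+- path: /etc/pki/tls/private/etcd.key
+owner: cinder:cinder
 /var/lib/kolla/config_files/cinder_api_cron.json:
 command: /usr/sbin/crond -n
 config_files: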
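Review bot: The new `- path: /etc/pki/tls/private/etcd.key` permissions entry sets `owner: cinder:cinder` but no `perm:`, so the mode of the private key inside the container is whatever `preserve_properties: true` carries over from the src-tls copy rather than something this template guarantees. The sibling keyring entry in the cinder-backup and cinder-volume sections of this same commit uses `perm: '0600'`, and the private key deserves the same explicit treatment: `- path: /etc/pki/tls/private/etcd.key`, `owner: cinder:cinder`, `perm: '0600'`. The identical entry is repeated in the later sections of this commit (those ending in cinder_backup_init_logs, container_config_scripts, cinder_scheduler_init_logs, cinder_volume_init_logs, and the etcd section, where the owner is etcd:etcd), so the same change applies there. The kolla config_files mapping this hunk edits starts outside the hunk.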

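--- a/<path not shown on page: section 2>
+++ b/<path not shown on page: section 2>
@@ -165,6 +165,11 @@ outputs:
 dest: "/etc/iscsi/"
 merge: true
 preserve_properties: true
+- source: "/var/lib/kolla/config_files/src-tls/*"
+dest: "/"
+merge: true
+preserve_properties: true
+optional: true
 permissions:
 - path: /var/lib/cinder
 owner: cinder:cinder
@@ -180,6 +185,10 @@ outputs:
 USER: {get_param: CephClientUserName}
 owner: cinder:cinder
 perm: '0600'
+- path: /etc/pki/tls/certs/etcd.crt
+owner: cinder:cinder
+- path: /etc/pki/tls/private/etcd.key
+owner: cinder:cinder
 docker_config:
 step_3:
 cinder_backup_init_logs: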

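--- a/<path not shown on page: section 3>
+++ b/<path not shown on page: section 3>
@@ -163,6 +163,11 @@ outputs:
 dest: "/etc/iscsi/"
 merge: true
 preserve_properties: true
+- source: "/var/lib/kolla/config_files/src-tls/*"
+dest: "/"
+merge: true
+preserve_properties: true
+optional: true
 permissions:
 - path: /var/lib/cinder
 owner: cinder:cinder
@@ -170,6 +175,10 @@ outputs:
 - path: /var/log/cinder
 owner: cinder:cinder
 recurse: true
+- path: /etc/pki/tls/certs/etcd.crt
+owner: cinder:cinder
+- path: /etc/pki/tls/private/etcd.key
+owner: cinder:cinder
 container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
 docker_config:
 step_3: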


@ -114,8 +114,8 @@ outputs:
if: if:
- cvol_active_active_tls_enabled - cvol_active_active_tls_enabled
- -
- /etc/pki/tls/certs/etcd.crt:/etc/pki/tls/certs/etcd.crt:ro - /etc/pki/tls/certs/etcd.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/etcd.crt:ro
- /etc/pki/tls/private/etcd.key:/etc/pki/tls/private/etcd.key:ro - /etc/pki/tls/private/etcd.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/etcd.key:ro
- [] - []
cinder_volume_host_prep_tasks: cinder_volume_host_prep_tasks:

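--- a/<path not shown on page: section 5>
+++ b/<path not shown on page: section 5>
@@ -101,10 +101,19 @@ outputs:
 dest: "/"
 merge: true
 preserve_properties: true
+- source: "/var/lib/kolla/config_files/src-tls/*"
+dest: "/"
+merge: true
+preserve_properties: true
+optional: true
 permissions:
 - path: /var/log/cinder
 owner: cinder:cinder
 recurse: true
+- path: /etc/pki/tls/certs/etcd.crt
+owner: cinder:cinder
+- path: /etc/pki/tls/private/etcd.key
+owner: cinder:cinder
 docker_config:
 step_2:
 cinder_scheduler_init_logs: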

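--- a/<path not shown on page: section 6>
+++ b/<path not shown on page: section 6>
@@ -310,6 +310,11 @@ outputs:
 dest: "/etc/iscsi/"
 merge: true
 preserve_properties: true
+- source: "/var/lib/kolla/config_files/src-tls/*"
+dest: "/"
+merge: true
+preserve_properties: true
+optional: true
 permissions:
 - path: /var/log/cinder
 owner: cinder:cinder
@@ -322,6 +327,10 @@ outputs:
 USER: {get_param: CephClientUserName}
 owner: cinder:cinder
 perm: '0600'
+- path: /etc/pki/tls/certs/etcd.crt
+owner: cinder:cinder
+- path: /etc/pki/tls/private/etcd.key
+owner: cinder:cinder
 docker_config:
 step_3:
 cinder_volume_init_logs:
@@ -345,20 +354,3 @@ outputs:
 volumes: {get_attr: [CinderCommon, cinder_volume_volumes]}
 environment: {get_attr: [CinderCommon, cinder_volume_environment]}
 host_prep_tasks: {get_attr: [CinderCommon, cinder_volume_host_prep_tasks]}
-deploy_steps_tasks:
-- name: ensure cinder can access etcd's tls cert and key
-become: true
-acl:
-path: "{{ item }}"
-entity: "{{ 42407 | string }}"
-etype: user
-permissions: r
-state: present
-with_items:
-- /etc/pki/tls/certs/etcd.crt
-- /etc/pki/tls/private/etcd.key
-vars:
-cvol_active_active_tls_enabled: {if: [cvol_active_active_tls_enabled, true, false]}
-when:
-- cvol_active_active_tls_enabled|bool
-- step|int == 3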

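--- a/<path not shown on page: section 7>
+++ b/<path not shown on page: section 7>
@@ -151,6 +151,10 @@ outputs:
 dest: "/etc/iscsi/"
 merge: true
 preserve_properties: true
+# NOTE(abishop): no need to copy any src-tls/* files or set ownership
+# of etcd's TLS certificate and key. The etcd service is only used by
+# cinder-volume when it's running active/active, and *not* when it's
+# under pcmk control.
 permissions:
 - path: /var/log/cinder
 owner: cinder:cinder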


@ -131,6 +131,7 @@ outputs:
"%{hiera('NETWORK')}" "%{hiera('NETWORK')}"
params: params:
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]} NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh'
etcd::trusted_ca_file: {get_param: InternalTLSCAFile} etcd::trusted_ca_file: {get_param: InternalTLSCAFile}
etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile} etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile}
- -
@ -154,10 +155,19 @@ outputs:
dest: "/" dest: "/"
merge: true merge: true
preserve_properties: true preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions: permissions:
- path: /var/lib/etcd - path: /var/lib/etcd
owner: etcd:etcd owner: etcd:etcd
recurse: true recurse: true
- path: /etc/pki/tls/certs/etcd.crt
owner: etcd:etcd
- path: /etc/pki/tls/private/etcd.key
owner: etcd:etcd
docker_config: docker_config:
step_2: step_2:
etcd: etcd:
@ -178,8 +188,8 @@ outputs:
if: if:
- internal_tls_enabled - internal_tls_enabled
- -
- /etc/pki/tls/certs/etcd.crt:/etc/pki/tls/certs/etcd.crt:ro - /etc/pki/tls/certs/etcd.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/etcd.crt:ro
- /etc/pki/tls/private/etcd.key:/etc/pki/tls/private/etcd.key:ro - /etc/pki/tls/private/etcd.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/etcd.key:ro
- null - null
environment: environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
@ -200,23 +210,6 @@ outputs:
path: /var/lib/etcd path: /var/lib/etcd
state: directory state: directory
setype: svirt_sandbox_file_t setype: svirt_sandbox_file_t
deploy_steps_tasks:
- name: ensure etcd can access its tls cert and key
become: true
acl:
path: "{{ item }}"
entity: "{{ 42413 | string }}"
etype: user
permissions: r
state: present
with_items:
- /etc/pki/tls/certs/etcd.crt
- /etc/pki/tls/private/etcd.key
vars:
internal_tls_enabled: {if: [internal_tls_enabled, true, false]}
when:
- internal_tls_enabled|bool
- step|int == 2
upgrade_tasks: [] upgrade_tasks: []
metadata_settings: metadata_settings:
if: if:
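Review bot: With the certificate and key now copied into the container from the src-tls staging mount (the third hunk retargets the bind mounts, and the container runs with `KOLLA_CONFIG_STRATEGY: COPY_ALWAYS`), a renewed certificate on the host is no longer visible to a running container the way the direct bind mount made it, so the added `postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh'` in the first hunk is what has to propagate renewals. Nothing in this hunk shows what that script does; if it only refreshes the etcd container, the cinder containers that receive the same copy in the earlier sections of this commit would keep a stale certificate until they are restarted, which is worth confirming and recording next to the postsave_cmd line, e.g. `# renewal hook: the container holds a copy of the cert (COPY_ALWAYS), so it must be re-copied after certmonger rewrites it`. Removing the host-side ACL tasks in the last hunk is consistent with the copy approach and narrows who can read the key on the host. The etcd service mapping these hunks edit starts and ends outside the hunks.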