diff --git a/deployment/cinder/cinder-api-container-puppet.yaml b/deployment/cinder/cinder-api-container-puppet.yaml
index cca4efea6b..eb3de89f1c 100644
--- a/deployment/cinder/cinder-api-container-puppet.yaml
+++ b/deployment/cinder/cinder-api-container-puppet.yaml
@@ -263,10 +263,19 @@ outputs:
 dest: "/"
 merge: true
 preserve_properties: true
+ - source: "/var/lib/kolla/config_files/src-tls/*"
+ dest: "/"
+ merge: true
+ preserve_properties: true
+ optional: true
 permissions:
 - path: /var/log/cinder
 owner: cinder:cinder
 recurse: true
+ - path: /etc/pki/tls/certs/etcd.crt
+ owner: cinder:cinder
+ - path: /etc/pki/tls/private/etcd.key
+ owner: cinder:cinder
 /var/lib/kolla/config_files/cinder_api_cron.json:
 command: /usr/sbin/crond -n
 config_files:
diff --git a/deployment/cinder/cinder-backup-container-puppet.yaml b/deployment/cinder/cinder-backup-container-puppet.yaml
index 4b2787c42d..3bbcd2404b 100644
--- a/deployment/cinder/cinder-backup-container-puppet.yaml
+++ b/deployment/cinder/cinder-backup-container-puppet.yaml
@@ -166,6 +166,11 @@ outputs:
 dest: "/etc/iscsi/"
 merge: true
 preserve_properties: true
+ - source: "/var/lib/kolla/config_files/src-tls/*"
+ dest: "/"
+ merge: true
+ preserve_properties: true
+ optional: true
 permissions:
 - path: /var/lib/cinder
 owner: cinder:cinder
@@ -181,6 +186,10 @@ outputs:
 USER: {get_param: CephClientUserName}
 owner: cinder:cinder
 perm: '0600'
+ - path: /etc/pki/tls/certs/etcd.crt
+ owner: cinder:cinder
+ - path: /etc/pki/tls/private/etcd.key
+ owner: cinder:cinder
 docker_config:
 step_3:
 cinder_backup_init_logs:
diff --git a/deployment/cinder/cinder-backup-pacemaker-puppet.yaml b/deployment/cinder/cinder-backup-pacemaker-puppet.yaml
index cebe428bb7..2b63c8c12c 100644
--- a/deployment/cinder/cinder-backup-pacemaker-puppet.yaml
+++ b/deployment/cinder/cinder-backup-pacemaker-puppet.yaml
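Review bot: The new `permissions` entries for `/etc/pki/tls/certs/etcd.crt` and `/etc/pki/tls/private/etcd.key` set only `owner: cinder:cinder`, so the private key's mode inside the container is whatever `preserve_properties: true` carried over from the host file, while the Ceph keyring entry a few lines earlier in the cinder-backup hunk shows the local convention of pinning it explicitly with `perm: '0600'`. Adding `perm: '0600'` to the etcd.key entry removes the dependency on how certmonger happened to write the host file; the same applies to the identical entries in the cinder-backup, cinder-backup-pacemaker, cinder-scheduler, cinder-volume and etcd hunks. The copy step is `optional: true` because the `src-tls` mount only exists when TLS is enabled, but these `permissions` entries are unconditional, so they presumably rely on kolla's set_configs treating a non-existent path as a no-op, which is worth confirming rather than assuming.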
@@ -163,6 +163,11 @@ outputs:
 dest: "/etc/iscsi/"
 merge: true
 preserve_properties: true
+ - source: "/var/lib/kolla/config_files/src-tls/*"
+ dest: "/"
+ merge: true
+ preserve_properties: true
+ optional: true
 permissions:
 - path: /var/lib/cinder
 owner: cinder:cinder
@@ -170,6 +175,10 @@ outputs:
 - path: /var/log/cinder
 owner: cinder:cinder
 recurse: true
+ - path: /etc/pki/tls/certs/etcd.crt
+ owner: cinder:cinder
+ - path: /etc/pki/tls/private/etcd.key
+ owner: cinder:cinder
 container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
 docker_config:
 step_3:
diff --git a/deployment/cinder/cinder-common-container-puppet.yaml b/deployment/cinder/cinder-common-container-puppet.yaml
index f8103b58a3..2a0a9b182d 100644
--- a/deployment/cinder/cinder-common-container-puppet.yaml
+++ b/deployment/cinder/cinder-common-container-puppet.yaml
@@ -114,8 +114,8 @@ outputs:
 if:
 - cvol_active_active_tls_enabled
 -
- - /etc/pki/tls/certs/etcd.crt:/etc/pki/tls/certs/etcd.crt:ro
- - /etc/pki/tls/private/etcd.key:/etc/pki/tls/private/etcd.key:ro
+ - /etc/pki/tls/certs/etcd.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/etcd.crt:ro
+ - /etc/pki/tls/private/etcd.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/etcd.key:ro
 - []
 cinder_volume_host_prep_tasks:
diff --git a/deployment/cinder/cinder-scheduler-container-puppet.yaml b/deployment/cinder/cinder-scheduler-container-puppet.yaml
index a210192edb..03db220dee 100644
--- a/deployment/cinder/cinder-scheduler-container-puppet.yaml
+++ b/deployment/cinder/cinder-scheduler-container-puppet.yaml
@@ -101,10 +101,19 @@ outputs:
 dest: "/"
 merge: true
 preserve_properties: true
+ - source: "/var/lib/kolla/config_files/src-tls/*"
+ dest: "/"
+ merge: true
+ preserve_properties: true
+ optional: true
 permissions:
 - path: /var/log/cinder
 owner: cinder:cinder
 recurse: true
+ - path: /etc/pki/tls/certs/etcd.crt
+ owner: cinder:cinder
+ - path: /etc/pki/tls/private/etcd.key
+ owner: cinder:cinder
 docker_config:
 step_2:
 cinder_scheduler_init_logs:
diff --git a/deployment/cinder/cinder-volume-container-puppet.yaml b/deployment/cinder/cinder-volume-container-puppet.yaml
index fb824b5a09..06531d0398 100644
--- a/deployment/cinder/cinder-volume-container-puppet.yaml
+++ b/deployment/cinder/cinder-volume-container-puppet.yaml
@@ -310,6 +310,11 @@ outputs:
 dest: "/etc/iscsi/"
 merge: true
 preserve_properties: true
+ - source: "/var/lib/kolla/config_files/src-tls/*"
+ dest: "/"
+ merge: true
+ preserve_properties: true
+ optional: true
 permissions:
 - path: /var/log/cinder
 owner: cinder:cinder
@@ -322,6 +327,10 @@ outputs:
 USER: {get_param: CephClientUserName}
 owner: cinder:cinder
 perm: '0600'
+ - path: /etc/pki/tls/certs/etcd.crt
+ owner: cinder:cinder
+ - path: /etc/pki/tls/private/etcd.key
+ owner: cinder:cinder
 docker_config:
 step_3:
 cinder_volume_init_logs:
@@ -345,20 +354,3 @@ outputs:
 volumes: {get_attr: [CinderCommon, cinder_volume_volumes]}
 environment: {get_attr: [CinderCommon, cinder_volume_environment]}
 host_prep_tasks: {get_attr: [CinderCommon, cinder_volume_host_prep_tasks]}
- deploy_steps_tasks:
- - name: ensure cinder can access etcd's tls cert and key
- become: true
- acl:
- path: "{{ item }}"
- entity: "{{ 42407 | string }}"
- etype: user
- permissions: r
- state: present
- with_items:
- - /etc/pki/tls/certs/etcd.crt
- - /etc/pki/tls/private/etcd.key
- vars:
- cvol_active_active_tls_enabled: {if: [cvol_active_active_tls_enabled, true, false]}
- when:
- - cvol_active_active_tls_enabled|bool
- - step|int == 3
diff --git a/deployment/cinder/cinder-volume-pacemaker-puppet.yaml b/deployment/cinder/cinder-volume-pacemaker-puppet.yaml
index abfeaf6477..63f9962288 100644
--- a/deployment/cinder/cinder-volume-pacemaker-puppet.yaml
+++ b/deployment/cinder/cinder-volume-pacemaker-puppet.yaml
@@ -152,6 +152,10 @@ outputs:
 dest: "/etc/iscsi/"
 merge: true
 preserve_properties: true
+ # NOTE(abishop): no need to copy any src-tls/* files or set ownership
+ # of etcd's TLS certificate and key. The etcd service is only used by
+ # cinder-volume when it's running active/active, and *not* when it's
+ # under pcmk control.
 permissions:
 - path: /var/log/cinder
 owner: cinder:cinder
diff --git a/deployment/etcd/etcd-container-puppet.yaml b/deployment/etcd/etcd-container-puppet.yaml
index f8e4bdaf0b..9822bf4bdb 100644
--- a/deployment/etcd/etcd-container-puppet.yaml
+++ b/deployment/etcd/etcd-container-puppet.yaml
@@ -131,6 +131,7 @@ outputs:
 "%{hiera('NETWORK')}"
 params:
 NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
+ postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh'
 etcd::trusted_ca_file: {get_param: InternalTLSCAFile}
 etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile}
 -
@@ -154,10 +155,19 @@ outputs:
 dest: "/"
 merge: true
 preserve_properties: true
+ - source: "/var/lib/kolla/config_files/src-tls/*"
+ dest: "/"
+ merge: true
+ preserve_properties: true
+ optional: true
 permissions:
 - path: /var/lib/etcd
 owner: etcd:etcd
 recurse: true
+ - path: /etc/pki/tls/certs/etcd.crt
+ owner: etcd:etcd
+ - path: /etc/pki/tls/private/etcd.key
+ owner: etcd:etcd
 docker_config:
 step_2:
 etcd:
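Review bot: `postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh'` is attached only to the etcd certificate request, yet in this same diff the cinder-api, cinder-scheduler, cinder-backup and cinder-volume containers switch from reading `/etc/pki/tls/certs/etcd.crt` and `etcd.key` through a bind mount to taking a copy from `src-tls/` at container start, so a certmonger renewal no longer reaches them automatically. Unless that script also refreshes the cinder containers (it is not part of this diff, so I cannot tell), they will keep the pre-renewal key pair until their next restart while the etcd container is refreshed. A comment on the `postsave_cmd` line naming which containers the hook is expected to cover would make the dependency visible, e.g. `# must refresh every container that copies etcd.crt/etcd.key from src-tls at startup (etcd and the cinder services)`.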
@@ -178,8 +188,8 @@ outputs:
 if:
 - internal_tls_enabled
 -
- - /etc/pki/tls/certs/etcd.crt:/etc/pki/tls/certs/etcd.crt:ro
- - /etc/pki/tls/private/etcd.key:/etc/pki/tls/private/etcd.key:ro
+ - /etc/pki/tls/certs/etcd.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/etcd.crt:ro
+ - /etc/pki/tls/private/etcd.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/etcd.key:ro
 - null
 environment:
 KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
@@ -200,23 +210,6 @@ outputs:
 path: /var/lib/etcd
 state: directory
 setype: container_file_t
- deploy_steps_tasks:
- - name: ensure etcd can access its tls cert and key
- become: true
- acl:
- path: "{{ item }}"
- entity: "{{ 42413 | string }}"
- etype: user
- permissions: r
- state: present
- with_items:
- - /etc/pki/tls/certs/etcd.crt
- - /etc/pki/tls/private/etcd.key
- vars:
- internal_tls_enabled: {if: [internal_tls_enabled, true, false]}
- when:
- - internal_tls_enabled|bool
- - step|int == 2
 upgrade_tasks: []
 metadata_settings:
 if: