Revamp how etcd's cert and key are handled in containers

Use kolla_config to merge etcd's cert and key files into containers,
and set the ownership so the corresponding service can read the files.

Previously, etcd's cert and key files were directly bind mounted
in the etcd and cinder containers that need the files. An ACL was
added to ensure the corresponding services had read access to the
files on the host, which are owned by root. The ACL was cumbersome,
and required hardcoding the UID of each service.

Change-Id: Ic606e751cb046c34d33a94a2acd4313f4043441f
Depends-On: I0ea26253355a57b3721bfa6ceef3972eaabc5b1d
(cherry picked from commit 7bcdd2448b)
This commit is contained in:
Alan Bishop 2020-07-13 13:18:59 -07:00
parent cf1739be2d
commit 978c4e05de
8 changed files with 63 additions and 38 deletions

View File

@ -263,10 +263,19 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/log/cinder
owner: cinder:cinder
recurse: true
- path: /etc/pki/tls/certs/etcd.crt
owner: cinder:cinder
- path: /etc/pki/tls/private/etcd.key
owner: cinder:cinder
/var/lib/kolla/config_files/cinder_api_cron.json:
command: /usr/sbin/crond -n
config_files:

View File

@ -166,6 +166,11 @@ outputs:
dest: "/etc/iscsi/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/lib/cinder
owner: cinder:cinder
@ -181,6 +186,10 @@ outputs:
USER: {get_param: CephClientUserName}
owner: cinder:cinder
perm: '0600'
- path: /etc/pki/tls/certs/etcd.crt
owner: cinder:cinder
- path: /etc/pki/tls/private/etcd.key
owner: cinder:cinder
docker_config:
step_3:
cinder_backup_init_logs:

View File

@ -163,6 +163,11 @@ outputs:
dest: "/etc/iscsi/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/lib/cinder
owner: cinder:cinder
@ -170,6 +175,10 @@ outputs:
- path: /var/log/cinder
owner: cinder:cinder
recurse: true
- path: /etc/pki/tls/certs/etcd.crt
owner: cinder:cinder
- path: /etc/pki/tls/private/etcd.key
owner: cinder:cinder
container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
docker_config:
step_3:

View File

@ -114,8 +114,8 @@ outputs:
if:
- cvol_active_active_tls_enabled
-
- /etc/pki/tls/certs/etcd.crt:/etc/pki/tls/certs/etcd.crt:ro
- /etc/pki/tls/private/etcd.key:/etc/pki/tls/private/etcd.key:ro
- /etc/pki/tls/certs/etcd.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/etcd.crt:ro
- /etc/pki/tls/private/etcd.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/etcd.key:ro
- []
cinder_volume_host_prep_tasks:

View File

@ -101,10 +101,19 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/log/cinder
owner: cinder:cinder
recurse: true
- path: /etc/pki/tls/certs/etcd.crt
owner: cinder:cinder
- path: /etc/pki/tls/private/etcd.key
owner: cinder:cinder
docker_config:
step_2:
cinder_scheduler_init_logs:

View File

@ -310,6 +310,11 @@ outputs:
dest: "/etc/iscsi/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/log/cinder
owner: cinder:cinder
@ -322,6 +327,10 @@ outputs:
USER: {get_param: CephClientUserName}
owner: cinder:cinder
perm: '0600'
- path: /etc/pki/tls/certs/etcd.crt
owner: cinder:cinder
- path: /etc/pki/tls/private/etcd.key
owner: cinder:cinder
docker_config:
step_3:
cinder_volume_init_logs:
@ -345,20 +354,3 @@ outputs:
volumes: {get_attr: [CinderCommon, cinder_volume_volumes]}
environment: {get_attr: [CinderCommon, cinder_volume_environment]}
host_prep_tasks: {get_attr: [CinderCommon, cinder_volume_host_prep_tasks]}
deploy_steps_tasks:
- name: ensure cinder can access etcd's tls cert and key
become: true
acl:
path: "{{ item }}"
entity: "{{ 42407 | string }}"
etype: user
permissions: r
state: present
with_items:
- /etc/pki/tls/certs/etcd.crt
- /etc/pki/tls/private/etcd.key
vars:
cvol_active_active_tls_enabled: {if: [cvol_active_active_tls_enabled, true, false]}
when:
- cvol_active_active_tls_enabled|bool
- step|int == 3

View File

@ -152,6 +152,10 @@ outputs:
dest: "/etc/iscsi/"
merge: true
preserve_properties: true
# NOTE(abishop): no need to copy any src-tls/* files or set ownership
# of etcd's TLS certificate and key. The etcd service is only used by
# cinder-volume when it's running active/active, and *not* when it's
# under pcmk control.
permissions:
- path: /var/log/cinder
owner: cinder:cinder

View File

@ -131,6 +131,7 @@ outputs:
"%{hiera('NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh'
etcd::trusted_ca_file: {get_param: InternalTLSCAFile}
etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile}
-
@ -154,10 +155,19 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/lib/etcd
owner: etcd:etcd
recurse: true
- path: /etc/pki/tls/certs/etcd.crt
owner: etcd:etcd
- path: /etc/pki/tls/private/etcd.key
owner: etcd:etcd
docker_config:
step_2:
etcd:
@ -178,8 +188,8 @@ outputs:
if:
- internal_tls_enabled
-
- /etc/pki/tls/certs/etcd.crt:/etc/pki/tls/certs/etcd.crt:ro
- /etc/pki/tls/private/etcd.key:/etc/pki/tls/private/etcd.key:ro
- /etc/pki/tls/certs/etcd.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/etcd.crt:ro
- /etc/pki/tls/private/etcd.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/etcd.key:ro
- null
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
@ -200,23 +210,6 @@ outputs:
path: /var/lib/etcd
state: directory
setype: container_file_t
deploy_steps_tasks:
- name: ensure etcd can access its tls cert and key
become: true
acl:
path: "{{ item }}"
entity: "{{ 42413 | string }}"
etype: user
permissions: r
state: present
with_items:
- /etc/pki/tls/certs/etcd.crt
- /etc/pki/tls/private/etcd.key
vars:
internal_tls_enabled: {if: [internal_tls_enabled, true, false]}
when:
- internal_tls_enabled|bool
- step|int == 2
upgrade_tasks: []
metadata_settings:
if: