Fix neutron api TLS issues

There are two tls issues currently in neutron:
A) neutron_api bind mounts the TLS certs directly from the host and then tries to chown them from inside the container.
"Source": "/etc/pki/tls/private/ovn_neutron_client.key",
"Destination": "/etc/pki/tls/private/ovn_neutron_client.key",

"Source": "/etc/pki/tls/certs/ovn_neutron_client.crt",
"Destination": "/etc/pki/tls/certs/ovn_neutron_client.crt",

And then it thinks it can chown it inside the container via the kolla script:
[root@controller-0 stdouts]# more /var/lib/kolla/config_files/neutron_api.json
...
        {
            "optional": true,
            "owner": "neutron:neutron",
            "path": "/etc/pki/tls/certs/ovn_neutron_client.crt",
            "perm": "0644"
        },
        {
            "optional": true,
            "owner": "neutron:neutron",
            "path": "/etc/pki/tls/private/ovn_neutron_client.key",
            "perm": "0644"
        }

What needs to happen here is that we drop the direct bind mounts, and copy in the certs via kolla. Just like galera is doing.

Tested and with this patch I correctly get a Train/OSP16 TLS everywhere
deployment with a working neutron:
Before:
(overcloud) [stack@undercloud-0 ~]$ openstack network list
HttpException: 503: Server Error for url: https://overcloud.redhat.local:13696/v2.0/networks, No server is available to handle this request.: 503 Service Unavailable

After:
(overcloud) [stack@undercloud-0 ~]$ openstack network list
(overcloud) [stack@undercloud-0 ~]$

B) The logging in the neutron_server_tls_proxy container is not persisted to the host

Before:
[root@controller-0 ~]# ls -l /var/log/containers/httpd/neutron-api/
[root@controller-0 ~]#

After:
[root@controller-0 ~]# ls -l /var/log/containers/httpd/neutron-api/
total 136
-rw-r--r--. 1 root root   400 Nov 15 17:43 error_log
-rw-r--r--. 1 root root 72784 Nov 15 17:53 neutron-api-proxy_access_ssl.log
-rw-r--r--. 1 root root  2748 Nov 15 17:43 neutron-api-proxy_error_ssl.log
[root@controller-0 ~]#

Change-Id: Ia1c22b8981fb735a052707516f73313c4e5ca93c
Closes-Bug: #1852779
Michele Baldessari 2019-11-15 18:50:28 +01:00
parent 08f029cf7c
commit a7db39af7c
1 changed files with 8 additions and 2 deletions


@ -420,6 +420,11 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
optional: true
preserve_properties: true
permissions:
- path: /var/log/neutron
owner: neutron:neutron
@ -485,8 +490,8 @@ outputs:
- if:
- ovn_and_tls
-
- /etc/pki/tls/certs/ovn_neutron_client.crt:/etc/pki/tls/certs/ovn_neutron_client.crt
- /etc/pki/tls/private/ovn_neutron_client.key:/etc/pki/tls/private/ovn_neutron_client.key
- /etc/pki/tls/certs/ovn_neutron_client.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/ovn_neutron_client.crt:ro
- /etc/pki/tls/private/ovn_neutron_client.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/ovn_neutron_client.key:ro
- null
environment:
map_merge:
@ -502,6 +507,7 @@ outputs:
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [NeutronLogging, volumes]}
-
- /var/lib/kolla/config_files/neutron_server_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro
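Review bot: Now that the certificates are copied into the container by kolla (the `src-tls` source added at the top of the first hunk, `@ -420`), the `permissions` entries for `/etc/pki/tls/private/ovn_neutron_client.key` actually take effect for the first time, and the commit description shows that entry with `"perm": "0644"`, which leaves the private key world-readable inside the container. Since the copy is owned by `neutron:neutron`, `0600` (or `0640` if a group needs read access) would be the least-privilege mode for the key, with `0644` kept only for the `.crt`. The `permissions` list continues past the end of the hunk, so I cannot see whether the key entry was changed in this commit; if not, it is worth adjusting alongside this fix. The `:ro` on the two new bind mounts in the second hunk is the right call, as the container can no longer modify the host copies.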