Revamp how etcd's cert and key are handled in containers
Use kolla_config to merge etcd's cert and key files into containers, and set the ownership so the corresponding service can read the files. Previously, etcd's cert and key files were directly bind mounted in the etcd and cinder containers that need the files. An ACL was added to ensure the corresponding services had read access to the files on the host, which are owned by root. The ACL was cumbersome, and required hardcoding the UID of each service. Change-Id: Ic606e751cb046c34d33a94a2acd4313f4043441f Depends-On: I0ea26253355a57b3721bfa6ceef3972eaabc5b1d (cherry picked from commit 7bcdd2448b) (cherry picked from commit 978c4e05de)
parent
71acbd5351
commit
a9e7a6fa92
|
@ -274,10 +274,19 @@ outputs:
|
||||||
dest: "/"
|
dest: "/"
|
||||||
merge: true
|
merge: true
|
||||||
preserve_properties: true
|
preserve_properties: true
|
||||||
|
- source: "/var/lib/kolla/config_files/src-tls/*"
|
||||||
|
dest: "/"
|
||||||
|
merge: true
|
||||||
|
preserve_properties: true
|
||||||
|
optional: true
|
||||||
permissions:
|
permissions:
|
||||||
- path: /var/log/cinder
|
- path: /var/log/cinder
|
||||||
owner: cinder:cinder
|
owner: cinder:cinder
|
||||||
recurse: true
|
recurse: true
|
||||||
|
- path: /etc/pki/tls/certs/etcd.crt
|
||||||
|
owner: cinder:cinder
|
||||||
|
- path: /etc/pki/tls/private/etcd.key
|
||||||
|
owner: cinder:cinder
|
||||||
/var/lib/kolla/config_files/cinder_api_cron.json:
|
/var/lib/kolla/config_files/cinder_api_cron.json:
|
||||||
command: /usr/sbin/crond -n
|
command: /usr/sbin/crond -n
|
||||||
config_files:
|
config_files:
|
||||||
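Review bot: The new `permissions` entry for `/etc/pki/tls/private/etcd.key` sets only `owner: cinder:cinder` and no mode, while the Ceph client entry in a later hunk of this change pins `perm: '0600'`; because the file is copied with `preserve_properties: true`, the key inside the container keeps whatever mode the host file happens to have, so pinning it here is cheaper than depending on that: `- path: /etc/pki/tls/private/etcd.key` / `owner: cinder:cinder` / `perm: '0600'`. The etcd.crt and etcd.key entries are also unconditional although the `src-tls/*` copy is `optional: true`, so when TLS is disabled the path will not exist in the container; it is worth confirming that kolla's permissions handling tolerates a missing path rather than failing the container start. Both points apply equally to the other hunks below that add the same src-tls copy and etcd.crt/etcd.key entries, including the etcd one. The enclosing `config_files` and `permissions` lists begin before this hunk.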
|
|
|
@ -165,6 +165,11 @@ outputs:
|
||||||
dest: "/etc/iscsi/"
|
dest: "/etc/iscsi/"
|
||||||
merge: true
|
merge: true
|
||||||
preserve_properties: true
|
preserve_properties: true
|
||||||
|
- source: "/var/lib/kolla/config_files/src-tls/*"
|
||||||
|
dest: "/"
|
||||||
|
merge: true
|
||||||
|
preserve_properties: true
|
||||||
|
optional: true
|
||||||
permissions:
|
permissions:
|
||||||
- path: /var/lib/cinder
|
- path: /var/lib/cinder
|
||||||
owner: cinder:cinder
|
owner: cinder:cinder
|
||||||
|
@ -180,6 +185,10 @@ outputs:
|
||||||
USER: {get_param: CephClientUserName}
|
USER: {get_param: CephClientUserName}
|
||||||
owner: cinder:cinder
|
owner: cinder:cinder
|
||||||
perm: '0600'
|
perm: '0600'
|
||||||
|
- path: /etc/pki/tls/certs/etcd.crt
|
||||||
|
owner: cinder:cinder
|
||||||
|
- path: /etc/pki/tls/private/etcd.key
|
||||||
|
owner: cinder:cinder
|
||||||
docker_config:
|
docker_config:
|
||||||
step_3:
|
step_3:
|
||||||
cinder_backup_init_logs:
|
cinder_backup_init_logs:
|
||||||
|
|
|
@ -163,6 +163,11 @@ outputs:
|
||||||
dest: "/etc/iscsi/"
|
dest: "/etc/iscsi/"
|
||||||
merge: true
|
merge: true
|
||||||
preserve_properties: true
|
preserve_properties: true
|
||||||
|
- source: "/var/lib/kolla/config_files/src-tls/*"
|
||||||
|
dest: "/"
|
||||||
|
merge: true
|
||||||
|
preserve_properties: true
|
||||||
|
optional: true
|
||||||
permissions:
|
permissions:
|
||||||
- path: /var/lib/cinder
|
- path: /var/lib/cinder
|
||||||
owner: cinder:cinder
|
owner: cinder:cinder
|
||||||
|
@ -170,6 +175,10 @@ outputs:
|
||||||
- path: /var/log/cinder
|
- path: /var/log/cinder
|
||||||
owner: cinder:cinder
|
owner: cinder:cinder
|
||||||
recurse: true
|
recurse: true
|
||||||
|
- path: /etc/pki/tls/certs/etcd.crt
|
||||||
|
owner: cinder:cinder
|
||||||
|
- path: /etc/pki/tls/private/etcd.key
|
||||||
|
owner: cinder:cinder
|
||||||
container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
|
container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
|
||||||
docker_config:
|
docker_config:
|
||||||
step_3:
|
step_3:
|
||||||
|
|
|
@ -114,8 +114,8 @@ outputs:
|
||||||
if:
|
if:
|
||||||
- cvol_active_active_tls_enabled
|
- cvol_active_active_tls_enabled
|
||||||
-
|
-
|
||||||
- /etc/pki/tls/certs/etcd.crt:/etc/pki/tls/certs/etcd.crt:ro
|
- /etc/pki/tls/certs/etcd.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/etcd.crt:ro
|
||||||
- /etc/pki/tls/private/etcd.key:/etc/pki/tls/private/etcd.key:ro
|
- /etc/pki/tls/private/etcd.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/etcd.key:ro
|
||||||
- []
|
- []
|
||||||
|
|
||||||
cinder_volume_host_prep_tasks:
|
cinder_volume_host_prep_tasks:
|
||||||
|
|
|
@ -101,10 +101,19 @@ outputs:
|
||||||
dest: "/"
|
dest: "/"
|
||||||
merge: true
|
merge: true
|
||||||
preserve_properties: true
|
preserve_properties: true
|
||||||
|
- source: "/var/lib/kolla/config_files/src-tls/*"
|
||||||
|
dest: "/"
|
||||||
|
merge: true
|
||||||
|
preserve_properties: true
|
||||||
|
optional: true
|
||||||
permissions:
|
permissions:
|
||||||
- path: /var/log/cinder
|
- path: /var/log/cinder
|
||||||
owner: cinder:cinder
|
owner: cinder:cinder
|
||||||
recurse: true
|
recurse: true
|
||||||
|
- path: /etc/pki/tls/certs/etcd.crt
|
||||||
|
owner: cinder:cinder
|
||||||
|
- path: /etc/pki/tls/private/etcd.key
|
||||||
|
owner: cinder:cinder
|
||||||
docker_config:
|
docker_config:
|
||||||
step_2:
|
step_2:
|
||||||
cinder_scheduler_init_logs:
|
cinder_scheduler_init_logs:
|
||||||
|
|
|
@ -310,6 +310,11 @@ outputs:
|
||||||
dest: "/etc/iscsi/"
|
dest: "/etc/iscsi/"
|
||||||
merge: true
|
merge: true
|
||||||
preserve_properties: true
|
preserve_properties: true
|
||||||
|
- source: "/var/lib/kolla/config_files/src-tls/*"
|
||||||
|
dest: "/"
|
||||||
|
merge: true
|
||||||
|
preserve_properties: true
|
||||||
|
optional: true
|
||||||
permissions:
|
permissions:
|
||||||
- path: /var/log/cinder
|
- path: /var/log/cinder
|
||||||
owner: cinder:cinder
|
owner: cinder:cinder
|
||||||
|
@ -322,6 +327,10 @@ outputs:
|
||||||
USER: {get_param: CephClientUserName}
|
USER: {get_param: CephClientUserName}
|
||||||
owner: cinder:cinder
|
owner: cinder:cinder
|
||||||
perm: '0600'
|
perm: '0600'
|
||||||
|
- path: /etc/pki/tls/certs/etcd.crt
|
||||||
|
owner: cinder:cinder
|
||||||
|
- path: /etc/pki/tls/private/etcd.key
|
||||||
|
owner: cinder:cinder
|
||||||
docker_config:
|
docker_config:
|
||||||
step_3:
|
step_3:
|
||||||
cinder_volume_init_logs:
|
cinder_volume_init_logs:
|
||||||
|
@ -345,20 +354,3 @@ outputs:
|
||||||
volumes: {get_attr: [CinderCommon, cinder_volume_volumes]}
|
volumes: {get_attr: [CinderCommon, cinder_volume_volumes]}
|
||||||
environment: {get_attr: [CinderCommon, cinder_volume_environment]}
|
environment: {get_attr: [CinderCommon, cinder_volume_environment]}
|
||||||
host_prep_tasks: {get_attr: [CinderCommon, cinder_volume_host_prep_tasks]}
|
host_prep_tasks: {get_attr: [CinderCommon, cinder_volume_host_prep_tasks]}
|
||||||
deploy_steps_tasks:
|
|
||||||
- name: ensure cinder can access etcd's tls cert and key
|
|
||||||
become: true
|
|
||||||
acl:
|
|
||||||
path: "{{ item }}"
|
|
||||||
entity: "{{ 42407 | string }}"
|
|
||||||
etype: user
|
|
||||||
permissions: r
|
|
||||||
state: present
|
|
||||||
with_items:
|
|
||||||
- /etc/pki/tls/certs/etcd.crt
|
|
||||||
- /etc/pki/tls/private/etcd.key
|
|
||||||
vars:
|
|
||||||
cvol_active_active_tls_enabled: {if: [cvol_active_active_tls_enabled, true, false]}
|
|
||||||
when:
|
|
||||||
- cvol_active_active_tls_enabled|bool
|
|
||||||
- step|int == 3
|
|
||||||
|
|
|
@ -151,6 +151,10 @@ outputs:
|
||||||
dest: "/etc/iscsi/"
|
dest: "/etc/iscsi/"
|
||||||
merge: true
|
merge: true
|
||||||
preserve_properties: true
|
preserve_properties: true
|
||||||
|
# NOTE(abishop): no need to copy any src-tls/* files or set ownership
|
||||||
|
# of etcd's TLS certificate and key. The etcd service is only used by
|
||||||
|
# cinder-volume when it's running active/active, and *not* when it's
|
||||||
|
# under pcmk control.
|
||||||
permissions:
|
permissions:
|
||||||
- path: /var/log/cinder
|
- path: /var/log/cinder
|
||||||
owner: cinder:cinder
|
owner: cinder:cinder
|
||||||
|
|
|
@ -131,6 +131,7 @@ outputs:
|
||||||
"%{hiera('NETWORK')}"
|
"%{hiera('NETWORK')}"
|
||||||
params:
|
params:
|
||||||
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
|
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
|
||||||
|
postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh'
|
||||||
etcd::trusted_ca_file: {get_param: InternalTLSCAFile}
|
etcd::trusted_ca_file: {get_param: InternalTLSCAFile}
|
||||||
etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile}
|
etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile}
|
||||||
-
|
-
|
||||||
|
@ -154,10 +155,19 @@ outputs:
|
||||||
dest: "/"
|
dest: "/"
|
||||||
merge: true
|
merge: true
|
||||||
preserve_properties: true
|
preserve_properties: true
|
||||||
|
- source: "/var/lib/kolla/config_files/src-tls/*"
|
||||||
|
dest: "/"
|
||||||
|
merge: true
|
||||||
|
preserve_properties: true
|
||||||
|
optional: true
|
||||||
permissions:
|
permissions:
|
||||||
- path: /var/lib/etcd
|
- path: /var/lib/etcd
|
||||||
owner: etcd:etcd
|
owner: etcd:etcd
|
||||||
recurse: true
|
recurse: true
|
||||||
|
- path: /etc/pki/tls/certs/etcd.crt
|
||||||
|
owner: etcd:etcd
|
||||||
|
- path: /etc/pki/tls/private/etcd.key
|
||||||
|
owner: etcd:etcd
|
||||||
docker_config:
|
docker_config:
|
||||||
step_2:
|
step_2:
|
||||||
etcd:
|
etcd:
|
||||||
|
@ -178,8 +188,8 @@ outputs:
|
||||||
if:
|
if:
|
||||||
- internal_tls_enabled
|
- internal_tls_enabled
|
||||||
-
|
-
|
||||||
- /etc/pki/tls/certs/etcd.crt:/etc/pki/tls/certs/etcd.crt:ro
|
- /etc/pki/tls/certs/etcd.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/etcd.crt:ro
|
||||||
- /etc/pki/tls/private/etcd.key:/etc/pki/tls/private/etcd.key:ro
|
- /etc/pki/tls/private/etcd.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/etcd.key:ro
|
||||||
- null
|
- null
|
||||||
environment:
|
environment:
|
||||||
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||||
|
@ -200,23 +210,6 @@ outputs:
|
||||||
path: /var/lib/etcd
|
path: /var/lib/etcd
|
||||||
state: directory
|
state: directory
|
||||||
setype: svirt_sandbox_file_t
|
setype: svirt_sandbox_file_t
|
||||||
deploy_steps_tasks:
|
|
||||||
- name: ensure etcd can access its tls cert and key
|
|
||||||
become: true
|
|
||||||
acl:
|
|
||||||
path: "{{ item }}"
|
|
||||||
entity: "{{ 42413 | string }}"
|
|
||||||
etype: user
|
|
||||||
permissions: r
|
|
||||||
state: present
|
|
||||||
with_items:
|
|
||||||
- /etc/pki/tls/certs/etcd.crt
|
|
||||||
- /etc/pki/tls/private/etcd.key
|
|
||||||
vars:
|
|
||||||
internal_tls_enabled: {if: [internal_tls_enabled, true, false]}
|
|
||||||
when:
|
|
||||||
- internal_tls_enabled|bool
|
|
||||||
- step|int == 2
|
|
||||||
upgrade_tasks: []
|
upgrade_tasks: []
|
||||||
metadata_settings:
|
metadata_settings:
|
||||||
if:
|
if:
|
||||||
|
|
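Review bot: With `KOLLA_CONFIG_STRATEGY: COPY_ALWAYS` the cert and key are now copied into the container on start rather than read live from the host, so a certmonger renewal on the host is not seen inside the container until kolla's copy runs again; the added `postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh'` presumably handles that for etcd, but the script is not part of this change, so confirm it also refreshes the cinder containers that now copy the same files, otherwise they keep presenting a stale or expired certificate after rotation. If it does not, the same `postsave_cmd` hook needs to cover them, since the removed ACL task was the last per-service step that touched these files on the host. The `metadata_settings` block at the end of this section continues past the hunk.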