
Fix broken metadata_settings for redis templates

metadata_settings in docker/services/redis.yaml was returning a list
of two items rather than one as expected. As a result, the compact/
managedby service principals were not being created by the novajoin service.
This results in a permission issue during overcloud deploy, as the
`getcert` request will hit a permissions issue during Step2.

Note that this only affects Rocky and earlier branches. The issue was
resolved in Stein when redis service was flattened[1,2].

- Push tls logic into redis-base and consume in child templates.
- Move away from use_tls_proxy to more accurate internal_tls_enabled
- Ensure redis service has both service principals created if internal
  tls is enabled
[1] - https://review.opendev.org/#/c/635930/
[2] - https://review.opendev.org/640944

Change-Id: Ic781905b63a0635b7bd0c7079fa84ca1e7f93989
Partial-bug: #1838679
tags/9.4.1
Harry Rybacki 1 month ago
parent
commit
b96b049f98

+ 0
- 10
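--- a/docker/services/database/redis.yaml
+++ b/docker/services/database/redis.yaml
@@ -198,16 +198,6 @@ outputs:
                 - {}
       metadata_settings:
         get_attr: [RedisBase, role_data, metadata_settings]
-        if:
-          - internal_tls_enabled
-          -
-            - service: redis
-              network: {get_param: [ServiceNetMap, RedisNetwork]}
-              type: vip
-            - service: redis
-              network: {get_param: [ServiceNetMap, RedisNetwork]}
-              type: node
-          - null
       host_prep_tasks:
         - name: create persistent directories
           file: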

+ 14
- 3
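--- a/puppet/services/database/redis-base.yaml
+++ b/puppet/services/database/redis-base.yaml
@@ -47,7 +47,7 @@ parameters:
     type: boolean
 
 conditions:
-  use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
+  internal_tls_enabled: {equals : [{get_param: EnableInternalTLS}, true]}
   redis_ipv6: {get_param: RedisIPv6}
 
 outputs:
@@ -69,7 +69,7 @@ outputs:
         # proxy in front.
         redis::bind:
           if:
-          - use_tls_proxy
+          - internal_tls_enabled
           - if:
             - redis_ipv6
             - '::1'
@@ -85,7 +85,7 @@ outputs:
         redis::sentinel::notification_script: '/usr/local/bin/redis-notifications.sh'
         redis::sentinel::sentinel_bind:
           if:
-          - use_tls_proxy
+          - internal_tls_enabled
           - if:
             - redis_ipv6
             - '::1'
@@ -96,3 +96,14 @@ outputs:
               params:
                 $NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
         redis::ulimit: {get_param: RedisFDLimit}
+      metadata_settings:
+        if:
+          - internal_tls_enabled
+          -
+            - service: mysql
+              network: {get_param: [ServiceNetMap, MysqlNetwork]}
+              type: vip
+            - service: mysql
+              network: {get_param: [ServiceNetMap, MysqlNetwork]}
+              type: node
+          - null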
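Review bot: The new `metadata_settings` block at lines 99-109 registers principals for `service: mysql` on `MysqlNetwork`, while the entries this commit removes from docker/services/database/redis.yaml used `service: redis` on `RedisNetwork`, and the rest of this template resolves `RedisNetwork` (line 97). This looks like a copy from the MySQL template; if so, novajoin would still not create the redis vip and node principals, so the `getcert` permission failure described in the commit message would persist, and mysql principals would be registered for hosts that only run redis. Both entries should read `- service: redis` and `network: {get_param: [ServiceNetMap, RedisNetwork]}`. The docker and puppet redis.yaml templates now take this value through `get_attr: [RedisBase, role_data, metadata_settings]`, so they inherit the same entries.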

+ 3
- 9
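--- a/puppet/services/database/redis.yaml
+++ b/puppet/services/database/redis.yaml
@@ -35,7 +35,7 @@ parameters:
     default: false
 
 conditions:
-  use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
+  internal_tls_enabled: {equals : [{get_param: EnableInternalTLS}, true]}
 
 resources:
 
@@ -77,7 +77,7 @@ outputs:
                   $NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
             tripleo::profile::base::database::redis::tls_proxy_port: 6379
           - if:
-            - use_tls_proxy
+            - internal_tls_enabled
             - tripleo::redis::service_certificate: '/etc/pki/tls/certs/redis.crt'
               redis_certificate_specs:
                 service_certificate: '/etc/pki/tls/certs/redis.crt'
@@ -97,13 +97,7 @@ outputs:
       step_config: |
         include ::tripleo::profile::base::database::redis
       metadata_settings:
-        if:
-          - use_tls_proxy
-          -
-            - service: redis
-              network: {get_param: [ServiceNetMap, RabbitmqNetwork]}
-              type: vip
-          - null
+        get_attr: [RedisBase, role_data, metadata_settings]
       upgrade_tasks:
         - name: Check if redis is deployed
           command: systemctl is-enabled redis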
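Review bot: The certificate request gated by `internal_tls_enabled` at line 80 and the principal registration now read through `get_attr: [RedisBase, role_data, metadata_settings]` at line 100 are decided by two separate copies of the condition, one in this template and one in redis-base.yaml. Both derive from `EnableInternalTLS`, but the `resources:` block that instantiates RedisBase is outside the visible hunks, so it is worth confirming that the parameter reaches the base template with the same value. Otherwise a certificate would be requested for a principal that was never registered, which is the failure this commit targets. A short comment above the `get_attr` line would record the coupling, for example `# Principals are defined in redis-base.yaml and gated there by internal_tls_enabled`.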
