Fix broken metadata_settings for redis templates
metadata_settings in docker/services/redis.yaml was returning a list of two items rather than one as expected. As a result, the compact/managed-by service principals were not being created by the novajoin service. This results in a permission issue during overcloud deploy, as the `getcert` request hits a permissions error during step 2. Note that this only affects Rocky and earlier branches. The issue was resolved in Stein when the redis service was flattened [1,2]. - Push TLS logic into redis-base and consume it in the child templates. - Move away from use_tls_proxy to the more accurate internal_tls_enabled. - Ensure the redis service has both service principals created if internal TLS is enabled. [1] - https://review.opendev.org/#/c/635930/ [2] - https://review.opendev.org/640944 Change-Id: Ic781905b63a0635b7bd0c7079fa84ca1e7f93989 Partial-bug: #1838679
This commit is contained in:
parent
eb389f5cec
commit
b96b049f98
|
@ -198,16 +198,6 @@ outputs:
|
||||||
- {}
|
- {}
|
||||||
metadata_settings:
|
metadata_settings:
|
||||||
get_attr: [RedisBase, role_data, metadata_settings]
|
get_attr: [RedisBase, role_data, metadata_settings]
|
||||||
if:
|
|
||||||
- internal_tls_enabled
|
|
||||||
-
|
|
||||||
- service: redis
|
|
||||||
network: {get_param: [ServiceNetMap, RedisNetwork]}
|
|
||||||
type: vip
|
|
||||||
- service: redis
|
|
||||||
network: {get_param: [ServiceNetMap, RedisNetwork]}
|
|
||||||
type: node
|
|
||||||
- null
|
|
||||||
host_prep_tasks:
|
host_prep_tasks:
|
||||||
- name: create persistent directories
|
- name: create persistent directories
|
||||||
file:
|
file:
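Review bot: The surviving `metadata_settings:` value on the new side is now just `get_attr: [RedisBase, role_data, metadata_settings]`, so this template is only correct if the base template actually exposes that key with redis principals; nothing in this hunk documents that dependency, and the old side shows that someone previously added a second `if:` key next to the `get_attr:`, which the commit message says yielded a two-item list. I would leave a comment above the key so the next maintainer does not reintroduce a local branch: `# TLS service principals (vip + node) are defined once in RedisBase; do not add a second key (e.g. an if:) under metadata_settings here, that produced a two-item list (bug #1838679).` The `outputs:` mapping this belongs to starts before and continues after the hunk.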
|
||||||
|
|
|
@ -47,7 +47,7 @@ parameters:
|
||||||
type: boolean
|
type: boolean
|
||||||
|
|
||||||
conditions:
|
conditions:
|
||||||
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
|
internal_tls_enabled: {equals : [{get_param: EnableInternalTLS}, true]}
|
||||||
redis_ipv6: {get_param: RedisIPv6}
|
redis_ipv6: {get_param: RedisIPv6}
|
||||||
|
|
||||||
outputs:
|
outputs:
|
||||||
|
@ -69,7 +69,7 @@ outputs:
|
||||||
# proxy in front.
|
# proxy in front.
|
||||||
redis::bind:
|
redis::bind:
|
||||||
if:
|
if:
|
||||||
- use_tls_proxy
|
- internal_tls_enabled
|
||||||
- if:
|
- if:
|
||||||
- redis_ipv6
|
- redis_ipv6
|
||||||
- '::1'
|
- '::1'
|
||||||
|
@ -85,7 +85,7 @@ outputs:
|
||||||
redis::sentinel::notification_script: '/usr/local/bin/redis-notifications.sh'
|
redis::sentinel::notification_script: '/usr/local/bin/redis-notifications.sh'
|
||||||
redis::sentinel::sentinel_bind:
|
redis::sentinel::sentinel_bind:
|
||||||
if:
|
if:
|
||||||
- use_tls_proxy
|
- internal_tls_enabled
|
||||||
- if:
|
- if:
|
||||||
- redis_ipv6
|
- redis_ipv6
|
||||||
- '::1'
|
- '::1'
|
||||||
|
@ -96,3 +96,14 @@ outputs:
|
||||||
params:
|
params:
|
||||||
$NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
$NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||||
redis::ulimit: {get_param: RedisFDLimit}
|
redis::ulimit: {get_param: RedisFDLimit}
|
||||||
|
metadata_settings:
|
||||||
|
if:
|
||||||
|
- internal_tls_enabled
|
||||||
|
-
|
||||||
|
- service: mysql
|
||||||
|
network: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||||
|
type: vip
|
||||||
|
- service: mysql
|
||||||
|
network: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||||
|
type: node
|
||||||
|
- null
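Review bot: The new `metadata_settings` block added at the end of this section names `service: mysql` on `[ServiceNetMap, MysqlNetwork]` for both the `vip` and `node` entries, so as written it would request mysql principals rather than the redis ones the commit message says are missing, and both child templates now take this value verbatim via `get_attr`. The `$NETWORK` param a few lines above in the same hunk uses `RedisNetwork`, and the block removed from the docker template used `service: redis` on `RedisNetwork`, so this looks like a copy-paste slip rather than intent; if Redis and MySQL are ever placed on different networks the requested principal would also carry the wrong host name. I would change the two entries to `- service: redis` and `network: {get_param: [ServiceNetMap, RedisNetwork]}` (for both `type: vip` and `type: node`), and it is worth confirming against novajoin that the resulting `redis/<host>` principals are the ones `getcert` needs. The `outputs:`/`role_data` mapping this hunk extends starts before the hunk.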
|
|
@ -35,7 +35,7 @@ parameters:
|
||||||
default: false
|
default: false
|
||||||
|
|
||||||
conditions:
|
conditions:
|
||||||
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
|
internal_tls_enabled: {equals : [{get_param: EnableInternalTLS}, true]}
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
|
|
||||||
|
@ -77,7 +77,7 @@ outputs:
|
||||||
$NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
$NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||||
tripleo::profile::base::database::redis::tls_proxy_port: 6379
|
tripleo::profile::base::database::redis::tls_proxy_port: 6379
|
||||||
- if:
|
- if:
|
||||||
- use_tls_proxy
|
- internal_tls_enabled
|
||||||
- tripleo::redis::service_certificate: '/etc/pki/tls/certs/redis.crt'
|
- tripleo::redis::service_certificate: '/etc/pki/tls/certs/redis.crt'
|
||||||
redis_certificate_specs:
|
redis_certificate_specs:
|
||||||
service_certificate: '/etc/pki/tls/certs/redis.crt'
|
service_certificate: '/etc/pki/tls/certs/redis.crt'
|
||||||
|
@ -97,13 +97,7 @@ outputs:
|
||||||
step_config: |
|
step_config: |
|
||||||
include ::tripleo::profile::base::database::redis
|
include ::tripleo::profile::base::database::redis
|
||||||
metadata_settings:
|
metadata_settings:
|
||||||
if:
|
get_attr: [RedisBase, role_data, metadata_settings]
|
||||||
- use_tls_proxy
|
|
||||||
-
|
|
||||||
- service: redis
|
|
||||||
network: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
|
||||||
type: vip
|
|
||||||
- null
|
|
||||||
upgrade_tasks:
|
upgrade_tasks:
|
||||||
- name: Check if redis is deployed
|
- name: Check if redis is deployed
|
||||||
command: systemctl is-enabled redis
|
command: systemctl is-enabled redis
|
||||||
|
|