Fix redis_tls_proxy

Since we merged the pcs-host patches we erroneously also removed
the sidecar container that does the tls stunneling for redis.
This is needed to allow the redis master stream the deplications to
its slaves via TLS.

Tested this and we now correctly get the working container and cluster
state:
[root@controller-0 ~]# podman ps -a |grep redis
4182a78811a2  undercloud-0.ctlplane.redhat.local:8787/openstack-redis:16.2_20210218.1-hotfixupdate2       /bin/bash /usr/lo...  3 minutes ago   Up 3 minutes ago                 redis-bundle-podman-0
604a086bb53c  undercloud-0.ctlplane.redhat.local:8787/openstack-redis:16.2_20210218.1-hotfixupdate2       kolla_start           8 minutes ago   Up 8 minutes ago                 redis_tls_proxy
[root@controller-0 ~]# pcs status |grep redis
  * GuestOnline: [ galera-bundle-0@database-1 galera-bundle-1@database-2 galera-bundle-2@database-0 ovn-dbs-bundle-0@controller-0 ovn-dbs-bundle-1@controller-1 ovn-dbs-bundle-2@controller-2 rabbitmq-bundle-0@messaging-0 rabbitmq-bundle-1@messaging-1 rabbitmq-bundle-2@messaging-2 redis-bundle-0@controller-0 redis-bundle-1@controller-1 redis-bundle-2@controller-2 ]
  * Container bundle set: redis-bundle [cluster.common.tag/openstack-redis:pcmklatest]:
    * redis-bundle-0    (ocf:💓redis):  Master controller-0
    * redis-bundle-1    (ocf:💓redis):  Slave controller-1
    * redis-bundle-2    (ocf:💓redis):  Slave controller-2

We also move the redis_tls_proxy from step_2/start_order: 3 to step_1
since it actually makes sense to have it run before we start the
redis pcmk bundle at step 2 (i.e. so the slave replica can work right
away from the start).

Closes-Bug: #1916873

Change-Id: I44df0ee32e5c35b87f74bdb75dcb384496dfb6ab
This commit is contained in:
Michele Baldessari 2021-02-25 09:58:17 +01:00
parent 8872de03e3
commit badc6bc1ed

View File

@ -220,6 +220,28 @@ outputs:
perm: '0600' perm: '0600'
optional: true optional: true
container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]} container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
docker_config:
step_1:
if:
- internal_tls_enabled
- redis_tls_proxy:
start_order: 0
image: {get_param: ContainerRedisImage}
net: host
user: root
restart: always
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/kolla/config_files/redis_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/redis:/var/lib/kolla/config_files/src:ro
- /etc/pki/tls/certs/redis.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/redis.crt:ro
- /etc/pki/tls/private/redis.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/redis.key:ro
- /var/lib/container-config-scripts/wait-port-and-run.sh:/wait-port-and-run.sh:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
- {}
metadata_settings: metadata_settings:
get_attr: [RedisBase, role_data, metadata_settings] get_attr: [RedisBase, role_data, metadata_settings]
host_prep_tasks: host_prep_tasks: