Deprecate novajoin

Deprecate the services related to novajoin.

Depends-On: https://review.opendev.org/#/c/753856/
Change-Id: I7803cccc4b4bf8c7cc201372ec91f9254cef7eb3
changes/55/730355/17
Ade Lee 2 years ago
parent c52099b3c4
commit bf910512c3
  1. 0
      deployment/deprecated/novajoin/ipaclient-baremetal-ansible.yaml
  2. 2
      deployment/deprecated/novajoin/novajoin-container-puppet.yaml
  3. 10
      deployment/ipa/ipaservices-baremetal-ansible.yaml
  4. 60
      deployment/tls/undercloud-remove-novajoin.yaml
  5. 5
      environments/services/novajoin.yaml
  6. 4
      environments/services/undercloud-remove-novajoin.yaml
  7. 4
      environments/ssl/enable-internal-tls.j2.yaml
  8. 1
      overcloud-resource-registry-puppet.j2.yaml
  9. 28
      releasenotes/notes/deprecate-novajoin-ef06b1ca33a2b80c.yaml
  10. 1
      roles/Undercloud.yaml
  11. 1
      roles_data_undercloud.yaml
  12. 4
      sample-env-generator/ssl.yaml

@ -87,7 +87,7 @@ parameters:
resources:
ContainersCommon:
type: ../containers-common.yaml
type: ../../containers-common.yaml
outputs:
role_data:

@ -165,3 +165,13 @@ outputs:
tripleo_ipa_keytab: {get_param: IdMNovaKeytab}
tripleo_ipa_hosts_to_delete:
- "{{ fqdn_canonical }}"
external_upgrade_tasks:
- when: step|int == 1
block:
- name: check if ipa server has required permissions
import_role:
name: tls_everywhere
tasks_from: ipa-server-check
tags:
- opendev-validation
- opendev-validation-tls-everywhere
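Review bot: The new external_upgrade_tasks block imports the ipa-server-check tasks without saying what they verify or why they run at step 1, so an operator whose upgrade stops here has nothing in the template to go on. A comment above `- name: check if ipa server has required permissions` such as `# Pre-upgrade check: tripleo-ipa needs extra permissions/ACIs on the IPA server that an IPA admin must grant beforehand; THT cannot automate this.` would carry the point the release note in this commit already makes. The enclosing role_data output starts before this hunk.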

@ -0,0 +1,60 @@
heat_template_version: rocky
description: Deletes novajoin containers from undercloud
parameters:
RoleNetIpMap:
default: {}
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
outputs:
role_data:
description: Role data for deleting novajoin containers from undercloud.
value:
service_name: undercloud-remove-novajoin
deploy_steps_tasks: []
upgrade_tasks:
- name: perform upgrade tasks in step 0
when: step|int == 0
block:
- name: Stop novajoin containers
import_role:
name: tripleo_container_stop
vars:
tripleo_containers_to_stop:
- novajoin_server
- novajoin_notifier
- name: Remove novajoin containers
import_role:
name: tripleo_container_rm
vars:
containers_to_rm:
- novajoin_server
- novajoin_notifier
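Review bot: The upgrade_tasks stop and remove the novajoin_server and novajoin_notifier containers, but nothing in the new template touches the configuration or credential material novajoin kept on the undercloud host, so if a keytab or config survives the container removal it stays behind as unmanaged state. If that cleanup is deliberately out of scope, a comment on `upgrade_tasks:` saying so (`# Only the containers are removed; novajoin config/keytab on the host are left in place.`) prevents the next reader from assuming a full removal. RoleNetIpMap is also the only parameter without a description while its siblings all have one. Note that the release note in this commit calls the second container "novajoin-notifier" while the task uses `novajoin_notifier`; one of them should match the other.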

@ -1,4 +1,5 @@
# A Heat environment file which can be used to enable
# Barbican with the default secret store backend.
# Novajoin to provide registration for TLS-E.
# As of Victoria, this service has been deprecated.
resource_registry:
OS::TripleO::Services::Novajoin: ../../deployment/nova/novajoin-container-puppet.yaml
OS::TripleO::Services::Novajoin: ../../deployment/deprecated/novajoin/novajoin-container-puppet.yaml
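Review bot: The new deprecation comment states that the service is deprecated as of Victoria but not what replaces it, which is the one thing someone still including this environment file needs. Extending it to `# As of Victoria, this service has been deprecated; use environments/ssl/enable-internal-tls.j2.yaml (tripleo-ipa based) instead.` matches what the release note in this commit says.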

@ -0,0 +1,4 @@
# A Heat environment file which can be used to enable
# ipa services with an OTP provided
resource_registry:
OS::TripleO::Services::UndercloudRemoveNovajoin: ../../deployment/tls/undercloud-remove-novajoin.yaml
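Review bot: The header comment of the new environments/services/undercloud-remove-novajoin.yaml describes enabling "ipa services with an OTP provided", which does not match the only resource it registers, OS::TripleO::Services::UndercloudRemoveNovajoin. It reads as pasted from the ipa environment file; replace it with `# A Heat environment file which enables the service that stops and removes the novajoin containers from the undercloud during upgrade.`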

@ -36,9 +36,7 @@ parameter_defaults:
resource_registry:
OS::TripleO::Services::CertmongerUser: ../../deployment/certs/certmonger-user-baremetal-puppet.yaml
OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml
OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaclient-baremetal-ansible.yaml
# FIXME(xek): after removal of novajoin, switch to using this service instead
# OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml
OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml
OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml
{%- for role in roles %}
OS::TripleO::{{role.name}}ServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/{{role.name.lower()}}-role.yaml
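Review bot: With the FIXME(xek) lines gone, nothing in this environment file records the prerequisite the release note spells out for the ipaservices-baremetal-ansible.yaml service: the IPA server must already have the extra permissions/ACIs granted by an IPA admin, which THT cannot automate. A comment above the new IpaClient mapping, `# Requires the tripleo-ipa permissions/ACIs to be granted on the IPA server beforehand (see the deprecate-novajoin release note).`, keeps that visible where operators look. The same replacement appears in sample-env-generator/ssl.yaml (the hunk starting at the environments: header further down), which appears to be the generator source for this file, so the comment belongs there as well.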

@ -209,6 +209,7 @@ resource_registry:
OS::TripleO::Services::SwiftRingBuilder: deployment/swift/swift-ringbuilder-container-puppet.yaml
OS::TripleO::Services::Snmp: deployment/snmp/snmp-baremetal-puppet.yaml
OS::TripleO::Services::Timezone: deployment/time/timezone-baremetal-ansible.yaml
OS::TripleO::Services::UndercloudRemoveNovajoin: OS::Heat::None
OS::TripleO::Services::UndercloudTLS: OS::Heat::None
OS::TripleO::Services::CeilometerAgentCentral: OS::Heat::None
OS::TripleO::Services::CeilometerAgentIpmi: OS::Heat::None

@ -0,0 +1,28 @@
---
prelude: >
This change deprecates the novajoin and the composable service that
enables TLS-Everywhere using novajoin. Instead, TLS Everywhere will be
implemented using the tripleo-ipa ansible module.
upgrade:
- This change deprecates novajoin and the service that depends on novajoin
to enable TLS-Everywhere. From now on, TLS-Everywhere will be set up
using the tripleo-ansible ansible module instead.
- When the undercloud is upgraded, for TLS Everywhere systems, a new
composable service will run to remove the novajoin containers.
- A pre-upgrade validation has been written to ensure that some necessary
permissions and ACIs have been added to the IPA server. As these changes
require admin privileges, they cannot be automated in THT.
- The environments/ssl/enable-internal-tls.j2.yaml file has been modified
to automatically point to the new service that implements TLS-Everywhere
using tripleo-ansible. Assuming you are adding this environment file to
your templates (which is typically the case when setting up
TLS-Everywhere) no other changes are required.
deprecations:
- This change deprecates novajoin, the service that deploys it on the
undercloud, and the corresponding service that implements TLS-Everywhere
using novajoin. TLS everywhere will be implemented from now on using
the tripleo-ipa ansible module instead.
- These services are novajoin-container-puppet.yaml and
ipaclient-baremetal-ansible.yaml
- On undercloud upgrade, a new composable service will remove the novajoin
and novajoin-notifier containers from the undercloud.

@ -44,6 +44,7 @@
- OS::TripleO::Services::HeatApiCfn
- OS::TripleO::Services::HeatEngine
- OS::TripleO::Services::UndercloudTLS
- OS::TripleO::Services::UndercloudRemoveNovajoin
- OS::TripleO::Services::IronicApi
- OS::TripleO::Services::IronicConductor
- OS::TripleO::Services::IronicInspector

@ -47,6 +47,7 @@
- OS::TripleO::Services::HeatApiCfn
- OS::TripleO::Services::HeatEngine
- OS::TripleO::Services::UndercloudTLS
- OS::TripleO::Services::UndercloudRemoveNovajoin
- OS::TripleO::Services::IronicApi
- OS::TripleO::Services::IronicConductor
- OS::TripleO::Services::IronicInspector

@ -64,9 +64,7 @@ environments:
OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml
# We use apache as a TLS proxy
# FIXME(bogdando): switch it, once it is containerized
OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaclient-baremetal-ansible.yaml
# FIXME(xek): after removal of novajoin, switch to using this service instead
# OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml
OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml
OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml
# Creates nova metadata that will create the extra service principals per
# node.
