Merge "[FFWD][train-only] Ensure we get ovn_controller cert if needed" into stable/train

This commit is contained in:
Zuul 2021-10-25 18:15:56 +00:00 committed by Gerrit Code Review
commit c919e48bdc
2 changed files with 117 additions and 4 deletions


@ -398,6 +398,14 @@ outputs:
vars:
ovn_controller_image: {get_param: ContainerOvnControllerImage}
ovn_interaction_bridge: {get_param: OVNIntegrationBridge}
enable_internal_tls: {get_param: EnableInternalTLS}
internal_tls_ca: {get_param: InternalTLSCAFile}
ovn_cert_network: {get_param: [ServiceNetMap, OvnDbsNetwork]}
ovn_cert_key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: ContainerOvnCertificateKeySize}
tags:
- never
- nova_hybrid_state
@ -414,7 +422,33 @@ outputs:
- name: Implement the hybrid state for ovn_controller
when: hybrid_ovn_controller.rc != 0
block:
- name: Update the ovn_controller paunch image in config
- name: Get certificate if needed
when: enable_internal_tls|bool
shell: |
/usr/bin/getcert list -i ovn_controller || \
/usr/bin/getcert request -I ovn_controller \
-f /etc/pki/tls/certs/ovn_controller.crt \
-c IPA \
-N CN=$( hiera -c /etc/puppet/hiera.yaml fqdn_{{ovn_cert_network}} ) \
-K ovn_controller/$( hiera -c /etc/puppet/hiera.yaml fqdn_{{ovn_cert_network}} ) \
-D $( hiera -c /etc/puppet/hiera.yaml fqdn_{{ovn_cert_network}} ) \
-g {{ovn_cert_key_size}} \
-w -k /etc/pki/tls/private/ovn_controller.key
- name: Update the ovn_controller paunch image in config with TLS
when: enable_internal_tls|bool
shell: |
set -o pipefail
jq '.ovn_controller.image = "{{ ovn_controller_image }}" |
.ovn_controller.volumes += [ "/var/lib/openvswitch/ovn:/run/ovn:shared,z",
"/var/log/containers/openvswitch:/var/log/ovn:z",
"/etc/pki/tls/private/ovn_controller.key:/etc/pki/tls/private/ovn_controller.key",
"/etc/pki/tls/certs/ovn_controller.crt:/etc/pki/tls/certs/ovn_controller.crt",
"{{ internal_tls_ca }}:{{ internal_tls_ca}}" ] |
{"ovn_controller": .ovn_controller }' \
/var/lib/tripleo-config/docker-container-startup-config-step_4.json >\
/var/lib/tripleo-config/docker-container-hybrid_ovn_controller.json
- name: Update the ovn_controller paunch image in config without TLS
when: not enable_internal_tls|bool
shell: |
set -o pipefail
jq '.ovn_controller.image = "{{ ovn_controller_image }}" |
@ -422,6 +456,13 @@ outputs:
{"ovn_controller": .ovn_controller }' \
/var/lib/tripleo-config/docker-container-startup-config-step_4.json >\
/var/lib/tripleo-config/docker-container-hybrid_ovn_controller.json
- name: Modify /var/lib/kolla/config_files/ovn_controller.json for ssl
when: enable_internal_tls|bool
shell: |
set -o pipefail
jq '.command = "/usr/bin/ovn-controller --pidfile --log-file unix:/run/openvswitch/db.sock -p /etc/pki/tls/private/ovn_controller.key -c /etc/pki/tls/certs/ovn_controller.crt -C {{ internal_tls_ca }}"' \
/var/lib/kolla/config_files/ovn_controller.json > /var/lib/kolla/config_files/ovn_controller.json_new &&\
mv /var/lib/kolla/config_files/ovn_controller.json_new /var/lib/kolla/config_files/ovn_controller.json
- name: Make sure the Undercloud hostname is included in /etc/hosts
when:
- undercloud_hosts_entries is defined
@ -459,7 +500,7 @@ outputs:
docker_container:
name: ovn_controller
state: absent
- name: Apply paunch config if insecure registries are empty
- name: Apply paunch config for ovn_controller
shell: |
paunch apply --file /var/lib/tripleo-config/docker-container-hybrid_ovn_controller.json --config-id hybrid_ovn_controller
- name: Get ovn remote setting
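Review bot: The `Get certificate if needed` task runs the same `hiera ... fqdn_{{ovn_cert_network}}` lookup three times, unquoted, and hands whatever comes back straight to `-N CN=`, `-K` and `-D`, so an empty or unexpected lookup result produces a certificate request with an empty subject and principal instead of a failure. Resolve the FQDN once into a quoted shell variable and abort when it is empty, as below; the `Get certificate for ovn_metadata` task in the second file repeats the same pattern and should get the same treatment. Separately, the volume list in `Update the ovn_controller paunch image in config with TLS` bind-mounts the key, certificate and CA read-write although ovn-controller only reads them, so appending `:ro` to those three entries (e.g. `"/etc/pki/tls/private/ovn_controller.key:/etc/pki/tls/private/ovn_controller.key:ro"`) narrows what the container can alter. Whether `getcert list -i ovn_controller` returning 0 also guarantees that the .crt has been issued is something I cannot confirm from here; if a tracking entry can exist in a failed state, the guard lets the next task mount files that are not there.
```yaml
- name: Get certificate if needed
  when: enable_internal_tls|bool
  shell: |
    fqdn="$( hiera -c /etc/puppet/hiera.yaml fqdn_{{ovn_cert_network}} )"
    [ -n "${fqdn}" ] || { echo "hiera returned no value for fqdn_{{ovn_cert_network}}" >&2; exit 1; }
    /usr/bin/getcert list -i ovn_controller || \
    /usr/bin/getcert request -I ovn_controller \
      -f /etc/pki/tls/certs/ovn_controller.crt \
      -c IPA \
      -N "CN=${fqdn}" \
      -K "ovn_controller/${fqdn}" \
      -D "${fqdn}" \
      -g {{ovn_cert_key_size}} \
      -w -k /etc/pki/tls/private/ovn_controller.key
# … unchanged: the paunch config jq tasks that follow …
```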


@ -383,12 +383,84 @@ outputs:
mode: 0755
content: {get_file: ../neutron/kill-script}
upgrade_tasks:
- name: Switch ovn remote setting
- name: Gather missing facts
setup:
gather_subset: "distribution"
when: >-
ansible_facts['distribution'] is not defined or
ansible_facts['distribution_major_version'] is not defined
tags:
- never
- nova_hybrid_state
when: step|int == 0
- name: Switch ovn remote setting
vars:
enable_internal_tls: {get_param: EnableInternalTLS}
internal_tls_ca: {get_param: InternalTLSCAFile}
ovn_cert_network: {get_param: [ServiceNetMap, OvnDbsNetwork]}
ovn_cert_key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: ContainerOvnCertificateKeySize}
tags:
- never
- nova_hybrid_state
when:
- step|int == 0
- ansible_facts['distribution'] == 'RedHat'
- ansible_facts['distribution_major_version'] is version('7', '==')
block:
- name: SSL setup into semi hybrid state
when: enable_internal_tls|bool
block:
- name: Get certificate for ovn_metadata
shell: |
set -o pipefail
/usr/bin/getcert list -i ovn_metadata || \
/usr/bin/getcert request -I ovn_metadata \
-f /etc/pki/tls/certs/ovn_metadata.crt \
-c IPA \
-N CN=$( hiera -c /etc/puppet/hiera.yaml fqdn_{{ovn_cert_network}} ) \
-K ovn_metadata/$( hiera -c /etc/puppet/hiera.yaml fqdn_{{ovn_cert_network}} ) \
-D $( hiera -c /etc/puppet/hiera.yaml fqdn_{{ovn_cert_network}} ) \
-g {{ovn_cert_key_size}} \
-w -k /etc/pki/tls/private/ovn_metadata.key
- name: Get GID of container neutron user on host by checking neutron.conf
stat:
path: /var/lib/config-data/puppet-generated/neutron/etc/neutron/neutron.conf
register: stat_neutron_conf
- name: Copy the certificate temporarly for hybrid state into ovn metadata agent container neutron dir
copy:
src: /etc/pki/tls/certs/ovn_metadata.crt
dest: /var/lib/config-data/puppet-generated/neutron/etc/neutron/ovn_metadata.crt
mode: '0640'
group: "{{ stat_neutron_conf.stat.gid }}"
remote_src: yes
- name: Copy the key temporarly for hybrid state into ovn metadata agent container neutron dir
copy:
src: /etc/pki/tls/private/ovn_metadata.key
dest: /var/lib/config-data/puppet-generated/neutron/etc/neutron/ovn_metadata.key
mode: '0640'
group: "{{ stat_neutron_conf.stat.gid }}"
remote_src: yes
- name: Set ovn cert setting in networking-ovn-metadata-agent.ini
ini_file:
path: /var/lib/config-data/puppet-generated/neutron/etc/neutron/plugins/networking-ovn/networking-ovn-metadata-agent.ini
section: ovn
option: ovn_sb_certificate
value: /etc/neutron/ovn_metadata.crt
- name: Set ovn cert key setting in networking-ovn-metadata-agent.ini
ini_file:
path: /var/lib/config-data/puppet-generated/neutron/etc/neutron/plugins/networking-ovn/networking-ovn-metadata-agent.ini
section: ovn
option: ovn_sb_private_key
value: /etc/neutron/ovn_metadata.key
- name: Set ovn cacert setting in networking-ovn-metadata-agent.ini
ini_file:
path: /var/lib/config-data/puppet-generated/neutron/etc/neutron/plugins/networking-ovn/networking-ovn-metadata-agent.ini
section: ovn
option: ovn_sb_ca_cert
value: "{{ internal_tls_ca }}"
- name: Set fact - OVN SB connection string
set_fact:
ovn_sb_conn_str: "{{ [enable_internal_tls | bool | ternary('ssl','tcp'), ovn_dbs_vip | ipwrap, service_configs['ovn::southbound::port']] | join(':') }}"
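Review bot: The two `copy` tasks place the ovn_metadata private key and certificate under `/var/lib/config-data/puppet-generated/neutron/etc/neutron/` with `group: "{{ stat_neutron_conf.stat.gid }}"`, but nothing checks that `neutron.conf` was actually found; when the preceding `stat` reports `exists: false` there is no `gid` and both copies abort on an undefined attribute rather than with a message naming the real cause. Insert a check between the `stat` and the first `copy`: `- name: Ensure neutron.conf exists before reusing its gid` / `assert:` / `that: stat_neutron_conf.stat.exists`. The task names describe the key copy as temporary, yet no task in this hunk removes `ovn_metadata.key` from the config-data tree once the hybrid state is over, so the private key persists in a second location guarded only by the 0640 group restriction; if the cleanup lives elsewhere in the file, a comment on the copy task saying where would help, otherwise a removal task is needed once the agent no longer reads the key from that path. `remote_src: yes` should be `remote_src: true`, the canonical boolean spelling (`yes` is a YAML 1.1 truthy value that yamllint flags). The enclosing `Switch ovn remote setting` block continues past the end of the hunk.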