
Make krb-service-principal metadata per-Role

Not all roles are connected to all networks, there is no
need to create metadata for networks not associated with
the role.

In edge/spine-and-leaf deployments the total number of
composable networks used can be high. Passing all the
networks we quickly go beyond the nova metadata fields
size limit (each field cannot exceed 256 bytes).

Also update the tools/check-up-to-date.sh script to use the
simple yaml-diff.py instead of diff. The env generator
code sorts its data, while jinja-rendered environments
are not sorted, so the comparison has to be done on the
parsed YAML data rather than on the text.

Closes-Bug: #1821377
Change-Id: I5ae3bc845b0a6ad6986d44b14ff4b0737a9b033b
Harald Jensås 4 weeks ago
parent
commit
d5ecc1f651

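--- a/common/services.yaml
+++ b/common/services/role.role.j2.yaml
@@ -58,7 +58,7 @@ resources:
     type: OS::TripleO::LoggingConfiguration
 
   ServiceServerMetadataHook:
-    type: OS::TripleO::ServiceServerMetadataHook
+    type: OS::TripleO::{{role.name}}ServiceServerMetadataHook
     properties:
       RoleData: {get_attr: [ServiceChain, role_data]}
 
@@ -70,7 +70,7 @@ resources:
         list_join:
           - "\n"
           - - str_replace:
-                template: {get_file: ../puppet/manifests/overcloud_common.pp}
+                template: {get_file: ../../puppet/manifests/overcloud_common.pp}
                 params:
                   __ROLE__: {get_param: RoleName}
             - yaql: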

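--- a/environments/ssl/enable-internal-tls.yaml
+++ b/environments/ssl/enable-internal-tls.j2.yaml
@@ -34,8 +34,10 @@ parameter_defaults:
   # End static parameters
   # *********************
 resource_registry:
-  OS::TripleO::ServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals.yaml
   OS::TripleO::Services::CertmongerUser: ../../puppet/services/certmonger-user.yaml
   OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml
   OS::TripleO::Services::IpaClient: ../../extraconfig/services/ipaclient.yaml
   OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml
+{%- for role in roles %}
+  OS::TripleO::{{role.name}}ServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/{{role.name.lower()}}-role.yaml
+{%- endfor %}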

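--- a/extraconfig/nova_metadata/krb-service-principals.j2.yaml
+++ b/extraconfig/nova_metadata/krb-service-principals/role.role.j2.yaml
@@ -1,11 +1,11 @@
 heat_template_version: rocky
-description: 'Generates the relevant service principals for a server'
+description: 'Generates the relevant service principals for a {{role.name}} server'
 
 parameters:
   RoleData:
      type: json
      description: the list containing the 'role_data' output for the ServiceChain
-{%- for network in networks if network.vip|default(false) %}
+{%- for network in networks if network.vip|default(false) and network.name in role.networks %}
 {%- if network.name == 'External' %}
   # Special case the External hostname param, which is CloudName
   CloudName:
@@ -69,7 +69,7 @@ resources:
           data:
             metadata: {get_attr: [IncomingMetadataSettings, value]}
             fqdns:
-{%- for network in networks if network.vip|default(false) %}
+{%- for network in networks if network.vip|default(false) and network.name in role.networks %}
 {%- if network.name == 'External' %}
               external: {get_param: CloudName}
 {%- elif network.name == 'InternalApi' %}
@@ -97,4 +97,3 @@ outputs:
       map_merge:
         - {get_attr: [IndividualServices, value]}
         - {get_attr: [CompactServices, value]}
-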
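Review bot: The new filter `network.vip|default(false) and network.name in role.networks` is duplicated on new lines 8 and 72, and the parameters loop and the fqdns loop must select exactly the same networks, otherwise a `get_param` in the fqdns map would reference a parameter that was never declared; a comment above the second loop, `{# must select the same networks as the parameters loop above #}`, would make that coupling explicit. If a role in roles_data carries no `networks` key, the `in` test runs against an undefined value and presumably selects nothing rather than failing, but that is worth confirming with such a role and with a strict-undefined renderer. Limiting each role to the networks it is actually attached to is also the least-privilege outcome: a node no longer receives hostnames, and hence principals, for networks it is not on.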

+ 6
- 2
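--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -31,7 +31,9 @@ resource_registry:
   # in the jinja loop
   OS::TripleO::Controller::Net::SoftwareConfig: net-config-bridge.yaml
 
-  OS::TripleO::ServiceServerMetadataHook: OS::Heat::None
+{% for role in roles %}
+  OS::TripleO::{{role.name}}ServiceServerMetadataHook: OS::Heat::None
+{%- endfor %}
 
   OS::TripleO::Server: OS::Nova::Server
 {% for role in roles %}
@@ -100,7 +102,9 @@ resource_registry:
   OS::TripleO::WorkflowSteps: OS::Mistral::ExternalResource
 
   # services
-  OS::TripleO::Services: common/services.yaml
+{%- for role in roles %}
+  OS::TripleO::{{role.name}}Services: common/services/{{role.name.lower()}}-role.yaml
+{%- endfor %}
   OS::TripleO::Services::Aide: OS::Heat::None
   OS::TripleO::Services::Apache: deployment/apache/apache-baremetal-puppet.yaml
   OS::TripleO::Services::CACerts: puppet/services/ca-certs.yaml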
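Review bot: The two new loops are written inconsistently: new line 34 opens with `{% for role in roles %}` while new line 105 opens with `{%- for role in roles %}`, although both close with `{%- endfor %}`. The non-stripping form presumably keeps the blank line that precedes it in the rendered registry while the stripping form drops it, which only changes whitespace, but one form should be used in both places. The file's existing loop at new line 39 uses `{% for role in roles %}`, so that is the natural choice unless the generator is run with block trimming enabled.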

+ 1
- 1
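--- a/overcloud.j2.yaml
+++ b/overcloud.j2.yaml
@@ -427,7 +427,7 @@ resources:
 {% for role in roles %}
   # Resources generated for {{role.name}} Role
   {{role.name}}ServiceChain:
-    type: OS::TripleO::Services
+    type: OS::TripleO::{{role.name}}Services
     properties:
       Services:
         get_param: {{role.name}}Services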

+ 5
- 1
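--- a/sample-env-generator/ssl.yaml
+++ b/sample-env-generator/ssl.yaml
@@ -65,7 +65,11 @@ environments:
       OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml
       # Creates nova metadata that will create the extra service principals per
       # node.
-      OS::TripleO::ServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals.yaml
+      OS::TripleO::ControllerServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/controller-role.yaml
+      OS::TripleO::ComputeServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/compute-role.yaml
+      OS::TripleO::BlockStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/blockstorage-role.yaml
+      OS::TripleO::ObjectStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/objectstorage-role.yaml
+      OS::TripleO::CephStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/cephstorage-role.yaml
   - name: ssl/inject-trust-anchor
     title: Inject SSL Trust Anchor on Overcloud Nodes
     description: |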
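Review bot: The five hook mappings added on new lines 68–72 hard-code the default role names, whereas environments/ssl/enable-internal-tls.j2.yaml in this same commit derives the equivalent mappings from `roles`. Any change to the default roles_data, or a role whose lower-cased name does not match the `%s-role.yaml` file that process-templates.py produces, would silently desynchronise the generated sample environment from the jinja template and the new yaml-diff based check would then fail. A comment above the block, `# One entry per role in the default roles_data; keep in sync with environments/ssl/enable-internal-tls.j2.yaml`, would tell the next editor why this is a fixed list.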

+ 1
- 1
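--- a/tools/check-up-to-date.sh
+++ b/tools/check-up-to-date.sh
@@ -18,7 +18,7 @@ cd $tmpdir
 
 file_list=$(find environments -type f)
 for f in $file_list; do
-    if ! diff -q $f $base/$f; then
+    if ! $base/tools/yaml-diff.py $f $base/$f; then
         echo "ERROR: $base/$f is not up to date"
         diff $f $base/$f
         retval=1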
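Review bot: The new check on line 21 invokes `$base/tools/yaml-diff.py` directly, so it depends on that file carrying the executable bit and on its `#!/usr/bin/env python` resolving to an interpreter that has PyYAML; the rendered page shows no mode change, so `if ! python $base/tools/yaml-diff.py $f $base/$f; then` would be the safer call. `file_list` comes from `find environments -type f`, so any non-YAML file under environments/ is now fed to a YAML parser instead of a textual diff, which is probably fine for this tree but could be guarded by skipping names that do not end in `.yaml`. The arguments `$f` and `$base/$f` stay unquoted as in the surrounding lines; quoting them would make the loop robust to paths containing spaces.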

+ 7
- 0
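--- a/tools/process-templates.py
+++ b/tools/process-templates.py
@@ -328,9 +328,16 @@ def clean_templates(base_path, role_data_path, network_data_path):
         host_config_and_reboot_path = os.path.join(
             'extraconfig', 'pre_network',
             '%s-host_config_and_reboot.yaml' % role['name'].lower())
+        krb_service_principals_path = os.path.join(
+            'extraconfig', 'nova_metadata', 'krb-service-principals',
+            '%s-role.yaml' % role['name'].lower())
+        common_services_path = os.path.join(
+            'common', 'services', '%s-role.yaml' % role['name'].lower())
 
         delete(role_path)
         delete(host_config_and_reboot_path)
+        delete(krb_service_principals_path)
+        delete(common_services_path)
 
         nic_config_dir = os.path.join(base_path, 'network', 'config')
         for sample_nic_config_dir in os.listdir(nic_config_dir):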

+ 32
- 0
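--- /dev/null
+++ b/tools/yaml-diff.py
@@ -0,0 +1,32 @@
+#!/usr/bin/env python
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import sys
+import yaml
+
+if len(sys.argv) != 3:
+    raise RuntimeError('Not enough arguemnts')
+
+FILE_A = sys.argv[1]
+FILE_B = sys.argv[2]
+
+with open(FILE_A, 'r') as file_a:
+    a = yaml.safe_load(file_a)
+
+with open(FILE_B, 'r') as file_b:
+    b = yaml.safe_load(file_b)
+
+if a != b:
+    sys.exit("Files are different")
+
+sys.exit(0)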
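Review bot: The argument check on lines 17–18 raises `RuntimeError('Not enough arguemnts')`, which misspells "arguments", is wrong for the too-many case since the condition is `!= 3`, and surfaces as a traceback rather than a usage message; `sys.exit('usage: yaml-diff.py FILE_A FILE_B')` would give the calling shell script a clean non-zero exit and a readable line. A short module docstring saying that the two files are compared as parsed YAML, so mapping key order is ignored while list order is not, would document the script's purpose, which is currently only explained in the commit message. Using `yaml.safe_load` for both inputs is the right choice here, since the compared files are parsed without constructing arbitrary Python objects.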
