From e6e7019add37e18092078ae1fd0738dcb23bc9cb Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Thu, 25 Feb 2021 09:58:17 +0100 Subject: [PATCH] Fix redis_tls_proxy Since we merged the pcs-host patches we erroneously also removed the sidecar container that does the tls stunneling for redis. This is needed to allow the redis master to stream the replications to its slaves via TLS. Tested this and we now correctly get the working container and cluster state: [root@controller-0 ~]# podman ps -a |grep redis 4182a78811a2 undercloud-0.ctlplane.redhat.local:8787/openstack-redis:16.2_20210218.1-hotfixupdate2 /bin/bash /usr/lo... 3 minutes ago Up 3 minutes ago redis-bundle-podman-0 604a086bb53c undercloud-0.ctlplane.redhat.local:8787/openstack-redis:16.2_20210218.1-hotfixupdate2 kolla_start 8 minutes ago Up 8 minutes ago redis_tls_proxy [root@controller-0 ~]# pcs status |grep redis * GuestOnline: [ galera-bundle-0@database-1 galera-bundle-1@database-2 galera-bundle-2@database-0 ovn-dbs-bundle-0@controller-0 ovn-dbs-bundle-1@controller-1 ovn-dbs-bundle-2@controller-2 rabbitmq-bundle-0@messaging-0 rabbitmq-bundle-1@messaging-1 rabbitmq-bundle-2@messaging-2 redis-bundle-0@controller-0 redis-bundle-1@controller-1 redis-bundle-2@controller-2 ] * Container bundle set: redis-bundle [cluster.common.tag/openstack-redis:pcmklatest]: * redis-bundle-0 (ocf::heartbeat:redis): Master controller-0 * redis-bundle-1 (ocf::heartbeat:redis): Slave controller-1 * redis-bundle-2 (ocf::heartbeat:redis): Slave controller-2 We also move the redis_tls_proxy from step_2/start_order: 3 to step_1 since it actually makes sense to have it run before we start the redis pcmk bundle at step 2 (i.e. so the slave replica can work right away from the start). Closes-Bug: #1916873 Change-Id: I44df0ee32e5c35b87f74bdb75dcb384496dfb6ab --- .../database/redis-pacemaker-puppet.yaml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+)
diff --git a/deployment/database/redis-pacemaker-puppet.yaml b/deployment/database/redis-pacemaker-puppet.yaml
index cf4af3d0a3..5c1b4c5a8c 100644
--- a/deployment/database/redis-pacemaker-puppet.yaml
+++ b/deployment/database/redis-pacemaker-puppet.yaml
@@ -243,6 +243,28 @@ outputs:
 perm: '0600'
 optional: true
 container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
+ docker_config:
+ step_1:
+ if:
+ - internal_tls_enabled
+ - redis_tls_proxy:
+ start_order: 0
+ image: {get_param: ContainerRedisImage}
+ net: host
+ user: root
+ restart: always
+ volumes:
+ list_concat:
+ - {get_attr: [ContainersCommon, volumes]}
+ -
+ - /var/lib/kolla/config_files/redis_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro
+ - /var/lib/config-data/puppet-generated/redis:/var/lib/kolla/config_files/src:ro
+ - /etc/pki/tls/certs/redis.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/redis.crt:ro
+ - /etc/pki/tls/private/redis.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/redis.key:ro
+ - /var/lib/container-config-scripts/wait-port-and-run.sh:/wait-port-and-run.sh:ro
+ environment:
+ KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
+ - {}
 metadata_settings:
 get_attr: [RedisBase, role_data, metadata_settings]
 host_prep_tasks:
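Review bot: The new `redis_tls_proxy` entry runs with `user: root` and `net: host` and has `/etc/pki/tls/private/redis.key` bind-mounted, but the YAML gives no reason for that privilege level, so a later reader cannot tell whether it can be tightened. If root is only needed for the kolla `COPY_ALWAYS` step that installs the key, a comment above `user: root` such as `# root only so kolla_start can install redis.key; the proxy should drop privileges afterwards` would record that, and it is worth confirming that the stunnel configuration (not visible in this hunk) sets `setuid`/`setgid` to an unprivileged account. The ordering rationale from the commit message also belongs next to `step_1:`, e.g. `# must be up before the redis pcmk bundle starts at step 2`. The whole `/var/lib/config-data/puppet-generated/redis` tree is mounted into the sidecar; if it also contains the redis server configuration, narrowing the mount to the proxy's own config files would reduce what the root container can read.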