Generate certificates using ansible role
This is using linux-system-roles.certificate ansible role, which replaces puppet-certmonger for submitting certificate requests to certmonger. Each service is configured through it's heat template. Partial-Implements: blueprint ansible-certmonger Depends-On: https://review.rdoproject.org/r/31713 Change-Id: Ib868465c20d97c62cbcb214bfc62d949bd6efc62
This commit is contained in:
Grzegorz Grasza
parent
72c4b8c126
commit
e329ca915e
|
|
@ -19,5 +19,4 @@ parameter_defaults:
|
|||
# DnsServers: ["ip_for_dns_server"]
|
||||
DnsSearchDomains: ["ooo.test"]
|
||||
LocalContainerRegistry: "192.168.24.1"
|
||||
InternalTLSVncProxyCAFile: /etc/pki/CA/certs/vnc-proxy.crt
|
||||
AddVipsToEtcHosts: True
|
||||
|
|
|
|||
|
|
@ -326,6 +326,8 @@ outputs:
|
|||
- { 'path': /var/log/containers/httpd/aodh-api, setype: container_file_t, 'mode': '0750' }
|
||||
metadata_settings:
|
||||
get_attr: [ApacheServiceBase, role_data, metadata_settings]
|
||||
deploy_steps_tasks:
|
||||
get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
|
||||
external_upgrade_tasks:
|
||||
- when:
|
||||
- step|int == 1
|
||||
|
|
|
|||
|
|
@ -70,12 +70,10 @@ resources:
|
|||
# We skip the tenant and management network (vip != false)
|
||||
# since we don't generate certificates for those.
|
||||
- ctlplane
|
||||
{%- for network in networks if network.enabled|default(true) %}
|
||||
{%- if network.vip | default(false) %}
|
||||
{%- for network in networks if network.enabled|default(true) and network.vip|default(false) %}
|
||||
- {{network.name_lower}}
|
||||
{%- endif %}
|
||||
{%- endfor %}
|
||||
|
||||
{% raw -%}
|
||||
outputs:
|
||||
role_data:
|
||||
description: Role data for the Apache role.
|
||||
|
|
@ -112,8 +110,6 @@ outputs:
|
|||
generate_service_certificates: true
|
||||
apache::mod::ssl::ssl_ca: {get_param: InternalTLSCAFile}
|
||||
apache::mod::ssl::ssl_protocol: ['all', '-SSLv2', '-SSLv3', '-TLSv1']
|
||||
tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd'
|
||||
tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd'
|
||||
apache_certificates_specs:
|
||||
map_merge:
|
||||
repeat:
|
||||
|
|
@ -121,14 +117,6 @@ outputs:
|
|||
httpd-NETWORK:
|
||||
service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt'
|
||||
service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key'
|
||||
hostname: "%{hiera('fqdn_NETWORK')}"
|
||||
principal: "HTTP/%{hiera('fqdn_NETWORK')}"
|
||||
postsave_cmd: "pkill -USR1 httpd"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: ApacheCertificateKeySize}
|
||||
for_each:
|
||||
NETWORK: {get_attr: [ApacheNetworks, value]}
|
||||
- {}
|
||||
|
|
@ -145,3 +133,43 @@ outputs:
|
|||
$NETWORK: {get_attr: [ApacheNetworks, value]}
|
||||
- null
|
||||
upgrade_tasks: []
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- name: Create dirs for certificates and keys
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
serole: object_r
|
||||
setype: cert_t
|
||||
seuser: system_u
|
||||
with_items:
|
||||
- '/etc/pki/tls/certs/httpd'
|
||||
- '/etc/pki/tls/private/httpd'
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
repeat:
|
||||
template:
|
||||
name: httpd-NETWORK
|
||||
dns: "{{fqdn_NETWORK}}"
|
||||
principal: "HTTP/{{fqdn_NETWORK}}@{{idm_realm}}"
|
||||
run_after: |
|
||||
cp /etc/pki/tls/certs/httpd-NETWORK.crt /etc/pki/tls/certs/httpd/httpd-NETWORK.crt
|
||||
cp /etc/pki/tls/private/httpd-NETWORK.key /etc/pki/tls/private/httpd/httpd-NETWORK.key
|
||||
pkill -USR1 httpd
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: ApacheCertificateKeySize}
|
||||
ca: ipa
|
||||
for_each:
|
||||
NETWORK: {get_attr: [ApacheNetworks, value]}
|
||||
- null
|
||||
{%- endraw %}
|
||||
|
|
|
|||
|
|
@ -435,71 +435,73 @@ outputs:
|
|||
state: absent
|
||||
- null
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- hsm_enabled
|
||||
- list_concat:
|
||||
-
|
||||
if:
|
||||
- thales_hsm_enabled
|
||||
list_concat:
|
||||
- get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
|
||||
- if:
|
||||
- hsm_enabled
|
||||
- list_concat:
|
||||
-
|
||||
- name: Thales client install
|
||||
when: step|int == 2
|
||||
block:
|
||||
- set_fact:
|
||||
my_thales_client_ip:
|
||||
str_replace:
|
||||
template:
|
||||
"{{$NETWORK_ip}}"
|
||||
params:
|
||||
$NETWORK: {get_param: ThalesHSMNetworkName}
|
||||
- include_role:
|
||||
name: thales_hsm
|
||||
vars:
|
||||
map_merge:
|
||||
- thales_install_client: true
|
||||
- {get_param: ThalesVars}
|
||||
- null
|
||||
-
|
||||
if:
|
||||
- atos_hsm_enabled
|
||||
-
|
||||
- name: ATOS client install
|
||||
when: step|int == 2
|
||||
block:
|
||||
- include_role:
|
||||
name: atos_hsm
|
||||
vars:
|
||||
{get_param: ATOSVars}
|
||||
- null
|
||||
-
|
||||
if:
|
||||
- lunasa_hsm_enabled
|
||||
-
|
||||
- name: Lunasa client install
|
||||
when: step|int == 2
|
||||
block:
|
||||
- name: install the lunasa client
|
||||
include_role:
|
||||
name: lunasa_hsm
|
||||
vars:
|
||||
if:
|
||||
- lunasa_hsm_use_fqdn
|
||||
- map_merge:
|
||||
- {get_param: LunasaVars}
|
||||
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
|
||||
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
|
||||
- map_merge:
|
||||
- {get_param: LunasaVars}
|
||||
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
|
||||
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
|
||||
- lunasa_client_ip:
|
||||
if:
|
||||
- thales_hsm_enabled
|
||||
-
|
||||
- name: Thales client install
|
||||
when: step|int == 2
|
||||
block:
|
||||
- set_fact:
|
||||
my_thales_client_ip:
|
||||
str_replace:
|
||||
template:
|
||||
"{{$NETWORK_ip}}"
|
||||
params:
|
||||
$NETWORK: {get_param: LunasaClientIPNetwork}
|
||||
- null
|
||||
- null
|
||||
template:
|
||||
"{{$NETWORK_ip}}"
|
||||
params:
|
||||
$NETWORK: {get_param: ThalesHSMNetworkName}
|
||||
- include_role:
|
||||
name: thales_hsm
|
||||
vars:
|
||||
map_merge:
|
||||
- thales_install_client: true
|
||||
- {get_param: ThalesVars}
|
||||
- null
|
||||
-
|
||||
if:
|
||||
- atos_hsm_enabled
|
||||
-
|
||||
- name: ATOS client install
|
||||
when: step|int == 2
|
||||
block:
|
||||
- include_role:
|
||||
name: atos_hsm
|
||||
vars:
|
||||
{get_param: ATOSVars}
|
||||
- null
|
||||
-
|
||||
if:
|
||||
- lunasa_hsm_enabled
|
||||
-
|
||||
- name: Lunasa client install
|
||||
when: step|int == 2
|
||||
block:
|
||||
- name: install the lunasa client
|
||||
include_role:
|
||||
name: lunasa_hsm
|
||||
vars:
|
||||
if:
|
||||
- lunasa_hsm_use_fqdn
|
||||
- map_merge:
|
||||
- {get_param: LunasaVars}
|
||||
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
|
||||
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
|
||||
- map_merge:
|
||||
- {get_param: LunasaVars}
|
||||
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
|
||||
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
|
||||
- lunasa_client_ip:
|
||||
str_replace:
|
||||
template:
|
||||
"{{$NETWORK_ip}}"
|
||||
params:
|
||||
$NETWORK: {get_param: LunasaClientIPNetwork}
|
||||
- null
|
||||
- null
|
||||
docker_config:
|
||||
# db sync runs before permissions set by kolla_config
|
||||
step_2:
|
||||
|
|
|
|||
|
|
@ -152,32 +152,6 @@ outputs:
|
|||
content: "{{ceph_ansible_group_vars_grafana|to_nice_yaml}}"
|
||||
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
|
||||
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
generate_service_certificates: true
|
||||
ceph_grafana_certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/ceph_grafana.crt'
|
||||
service_key: '/etc/pki/tls/private/ceph_grafana.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ceph_grafana/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-grafana-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: GrafanaCertificateKeySize}
|
||||
- {}
|
||||
metadata_settings:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
|
|
@ -186,3 +160,39 @@ outputs:
|
|||
network: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
|
||||
type: node
|
||||
- null
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: ceph_grafana
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ceph_grafana/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
|
||||
run_after: |
|
||||
# Get grafana systemd unit
|
||||
grafana_unit=$(systemctl list-unit-files | awk '/grafana/ {print $1}')
|
||||
# Restart the grafana systemd unit
|
||||
if [ -z "$grafana_unit" ]; then
|
||||
systemctl restart "$grafana_unit"
|
||||
fi
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: GrafanaCertificateKeySize}
|
||||
ca: ipa
|
||||
- null
|
||||
|
|
|
|||
|
|
@ -144,32 +144,6 @@ outputs:
|
|||
content: "{{ceph_ansible_group_vars_mgrs|to_nice_yaml}}"
|
||||
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
|
||||
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
generate_service_certificates: true
|
||||
ceph_dashboard_certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/ceph_dashboard.crt'
|
||||
service_key: '/etc/pki/tls/private/ceph_dashboard.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ceph_dashboard/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-dashboard-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: CephCertificateKeySize}
|
||||
- {}
|
||||
metadata_settings:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
|
|
@ -178,3 +152,39 @@ outputs:
|
|||
network: {get_param: [ServiceNetMap, CephDashboardNetwork]}
|
||||
type: node
|
||||
- null
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: ceph_dashboard
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ceph_dashboard/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
|
||||
run_after: |
|
||||
# Get mgr systemd unit
|
||||
mgr_unit=$(systemctl list-units | awk '/ceph-mgr/ {print $1}')
|
||||
# Restart the mgr systemd unit
|
||||
if [ -n "$mgr_unit" ]; then
|
||||
systemctl restart "$mgr_unit"
|
||||
fi
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: CephCertificateKeySize}
|
||||
ca: ipa
|
||||
- null
|
||||
|
|
|
|||
|
|
@ -165,33 +165,6 @@ outputs:
|
|||
content: "{{ceph_ansible_group_vars_rgws|to_nice_yaml}}"
|
||||
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
|
||||
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
generate_service_certificates: true
|
||||
ceph_rgw_certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/ceph_rgw.crt'
|
||||
service_key: '/etc/pki/tls/private/ceph_rgw.key'
|
||||
service_pem: '/etc/pki/tls/certs/ceph_rgw.pem'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ceph_rgw/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-rgw-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: CephRgwCertificateKeySize}
|
||||
- {}
|
||||
metadata_settings:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
|
|
@ -200,3 +173,44 @@ outputs:
|
|||
network: {get_param: [ServiceNetMap, CephRgwNetwork]}
|
||||
type: node
|
||||
- null
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: ceph_rgw
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ceph_rgw/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
|
||||
run_after: |
|
||||
# Create PEM file
|
||||
pemfile=/etc/pki/tls/certs/ceph_rgw.pem
|
||||
cat /etc/pki/tls/certs/ceph_rgw.crt /etc/ipa/ca.crt /etc/pki/tls/private/ceph_rgw.key > $pemfile
|
||||
chmod 0640 $pemfile
|
||||
chown 472:472 $pemfile
|
||||
# Get ceph rgw systemd unit
|
||||
rgw_unit=$(systemctl list-unit-files | awk '/radosgw/ {print $1}')
|
||||
# Restart the rgw systemd unit
|
||||
if [ -n "$rgw_unit" ]; then
|
||||
systemctl restart "$rgw_unit"
|
||||
fi
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: CephRgwCertificateKeySize}
|
||||
ca: ipa
|
||||
- null
|
||||
|
|
|
|||
|
|
@ -1,80 +0,0 @@
|
|||
heat_template_version: rocky
|
||||
|
||||
description: >
|
||||
Requests certificates using certmonger through Puppet
|
||||
|
||||
parameters:
|
||||
ServiceData:
|
||||
default: {}
|
||||
description: Dictionary packing service data
|
||||
type: json
|
||||
ServiceNetMap:
|
||||
default: {}
|
||||
description: Mapping of service_name -> network name. Typically set
|
||||
via parameter_defaults in the resource registry. This
|
||||
mapping overrides those in ServiceNetMapDefaults.
|
||||
type: json
|
||||
RoleName:
|
||||
default: ''
|
||||
description: Role name on which the service is applied
|
||||
type: string
|
||||
RoleParameters:
|
||||
default: {}
|
||||
description: Parameters specific to the role
|
||||
type: json
|
||||
EndpointMap:
|
||||
default: {}
|
||||
description: Mapping of service endpoint -> protocol. Typically set
|
||||
via parameter_defaults in the resource registry.
|
||||
type: json
|
||||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
DefaultCRLURL:
|
||||
default: 'http://ipa-ca/ipa/crl/MasterCRL.bin'
|
||||
description: URI where to get the CRL to be configured in the nodes.
|
||||
type: string
|
||||
# NOTE(jaosorior): This is being set as IPA as it's the first
|
||||
# CA we'll actually be testing out. But we can change this if
|
||||
# people request it.
|
||||
CertmongerCA:
|
||||
type: string
|
||||
default: 'IPA'
|
||||
# TODO: default to a dedicated CA once the ipa sub-CA setup has been
|
||||
# automated and upgrades are addressed
|
||||
CertmongerVncCA:
|
||||
type: string
|
||||
default: 'IPA'
|
||||
CertmongerQemuCA:
|
||||
type: string
|
||||
default: 'IPA'
|
||||
|
||||
conditions:
|
||||
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
description: Role data for the certmonger-user service
|
||||
value:
|
||||
service_name: certmonger_user
|
||||
config_settings:
|
||||
map_merge:
|
||||
- certmonger_ca: {get_param: CertmongerCA}
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
- tripleo::certmonger::ca::crl::crl_source: {get_param: DefaultCRLURL}
|
||||
certmonger_ca_vnc: {get_param: CertmongerVncCA}
|
||||
certmonger_ca_qemu: {get_param: CertmongerQemuCA}
|
||||
- {}
|
||||
step_config: |
|
||||
include tripleo::profile::base::certmonger_user
|
||||
host_prep_tasks:
|
||||
- name: create certificate rotation script for HA services
|
||||
copy:
|
||||
dest: /usr/bin/certmonger-ha-resource-refresh.sh
|
||||
setype: certmonger_unconfined_exec_t
|
||||
mode: "0700"
|
||||
content: |
|
||||
#!/bin/bash
|
||||
/var/lib/container-config-scripts/pacemaker_mutex_restart_bundle.sh --lock $* 2>&1 | logger -t certmonger
|
||||
|
|
@ -357,6 +357,8 @@ outputs:
|
|||
|
||||
metadata_settings:
|
||||
get_attr: [ApacheServiceBase, role_data, metadata_settings]
|
||||
deploy_steps_tasks:
|
||||
get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
|
||||
host_prep_tasks:
|
||||
- name: create persistent directories
|
||||
file:
|
||||
|
|
|
|||
|
|
@ -155,31 +155,6 @@ outputs:
|
|||
tripleo::profile::base::database::mysql::certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/mysql.crt'
|
||||
service_key: '/etc/pki/tls/private/mysql.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
dnsnames:
|
||||
- str_replace:
|
||||
template: "%{hiera('cloud_name_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
- str_replace:
|
||||
template:
|
||||
"%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "mysql/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: MysqlCertificateKeySize}
|
||||
- {}
|
||||
-
|
||||
if:
|
||||
|
|
@ -199,3 +174,36 @@ outputs:
|
|||
network: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
type: node
|
||||
- null
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: mysql
|
||||
dns:
|
||||
- str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
- str_replace:
|
||||
template: "{{cloud_names.cloud_name_NETWORK}}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "mysql/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: MysqlCertificateKeySize}
|
||||
ca: ipa
|
||||
- null
|
||||
|
|
|
|||
|
|
@ -258,6 +258,8 @@ outputs:
|
|||
- null
|
||||
metadata_settings:
|
||||
get_attr: [MysqlBase, role_data, metadata_settings]
|
||||
deploy_steps_tasks:
|
||||
get_attr: [MysqlBase, role_data, deploy_steps_tasks]
|
||||
host_prep_tasks:
|
||||
- name: create persistent directories
|
||||
file:
|
||||
|
|
|
|||
|
|
@ -307,28 +307,30 @@ outputs:
|
|||
metadata_settings:
|
||||
get_attr: [MysqlBase, role_data, metadata_settings]
|
||||
deploy_steps_tasks:
|
||||
- name: MySQL tag container image for pacemaker
|
||||
when: step|int == 1
|
||||
import_role:
|
||||
name: tripleo_container_tag
|
||||
vars:
|
||||
container_image: {get_param: ContainerMysqlImage}
|
||||
container_image_latest: *mysql_image_pcmklatest
|
||||
- name: MySQL HA Wrappers Step
|
||||
when: step|int == 2
|
||||
block: &mysql_puppet_bundle
|
||||
- name: Mysql puppet bundle
|
||||
list_concat:
|
||||
- get_attr: [MysqlBase, role_data, deploy_steps_tasks]
|
||||
- - name: MySQL tag container image for pacemaker
|
||||
when: step|int == 1
|
||||
import_role:
|
||||
name: tripleo_ha_wrapper
|
||||
name: tripleo_container_tag
|
||||
vars:
|
||||
tripleo_ha_wrapper_service_name: mysql
|
||||
tripleo_ha_wrapper_resource_name: galera
|
||||
tripleo_ha_wrapper_bundle_name: galera-bundle
|
||||
tripleo_ha_wrapper_resource_state: Master
|
||||
tripleo_ha_wrapper_puppet_config_volume: mysql
|
||||
tripleo_ha_wrapper_puppet_execute: '["Mysql_datadir", "Mysql_user", "Mysql_database", "Mysql_grant", "Mysql_plugin"].each |String $val| { noop_resource($val) }; include ::tripleo::profile::base::pacemaker; include ::tripleo::profile::pacemaker::database::mysql_bundle'
|
||||
tripleo_ha_wrapper_puppet_tags: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
|
||||
tripleo_ha_wrapper_puppet_debug: {get_param: ConfigDebug}
|
||||
container_image: {get_param: ContainerMysqlImage}
|
||||
container_image_latest: *mysql_image_pcmklatest
|
||||
- name: MySQL HA Wrappers Step
|
||||
when: step|int == 2
|
||||
block: &mysql_puppet_bundle
|
||||
- name: Mysql puppet bundle
|
||||
import_role:
|
||||
name: tripleo_ha_wrapper
|
||||
vars:
|
||||
tripleo_ha_wrapper_service_name: mysql
|
||||
tripleo_ha_wrapper_resource_name: galera
|
||||
tripleo_ha_wrapper_bundle_name: galera-bundle
|
||||
tripleo_ha_wrapper_resource_state: Master
|
||||
tripleo_ha_wrapper_puppet_config_volume: mysql
|
||||
tripleo_ha_wrapper_puppet_execute: '["Mysql_datadir", "Mysql_user", "Mysql_database", "Mysql_grant", "Mysql_plugin"].each |String $val| { noop_resource($val) }; include ::tripleo::profile::base::pacemaker; include ::tripleo::profile::pacemaker::database::mysql_bundle'
|
||||
tripleo_ha_wrapper_puppet_tags: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
|
||||
tripleo_ha_wrapper_puppet_debug: {get_param: ConfigDebug}
|
||||
|
||||
update_tasks:
|
||||
- name: Tear-down non-HA mysql container
|
||||
|
|
|
|||
|
|
@ -99,32 +99,6 @@ outputs:
|
|||
redis_certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/redis.crt'
|
||||
service_key: '/etc/pki/tls/private/redis.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||
dnsnames:
|
||||
- str_replace:
|
||||
template: "%{hiera('cloud_name_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||
- str_replace:
|
||||
template:
|
||||
"%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "redis/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-redis-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: RedisCertificateKeySize}
|
||||
- {}
|
||||
service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
|
|
@ -221,6 +195,52 @@ outputs:
|
|||
network: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||
type: node
|
||||
- null
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: redis
|
||||
dns:
|
||||
- str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||
- str_replace:
|
||||
template: "{{cloud_names.cloud_name_NETWORK}}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "redis/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||
run_after: |
|
||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep redis_tls_proxy)
|
||||
service_crt="/etc/pki/tls/certs/redis.crt"
|
||||
service_key="/etc/pki/tls/private/redis.key"
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||
# Set appropriate permissions
|
||||
{{container_cli}} exec "$container_name" chown memcached:memcached "$service_crt"
|
||||
{{container_cli}} exec "$container_name" chown memcached:memcached "$service_key"
|
||||
# Trigger a reload for stunnel to read the new certificate
|
||||
{{container_cli}} exec pkill -o -HUP stunnel
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: RedisCertificateKeySize}
|
||||
ca: ipa
|
||||
- null
|
||||
host_prep_tasks:
|
||||
- name: create persistent directories
|
||||
file:
|
||||
|
|
|
|||
|
|
@ -280,28 +280,30 @@ outputs:
|
|||
content: |
|
||||
d /run/redis 0755 root root - -
|
||||
deploy_steps_tasks:
|
||||
- name: Redis tag container image for pacemaker
|
||||
when: step|int == 1
|
||||
import_role:
|
||||
name: tripleo_container_tag
|
||||
vars:
|
||||
container_image: {get_param: ContainerRedisImage}
|
||||
container_image_latest: *redis_image_pcmklatest
|
||||
- name: Redis HA Wrappers Step
|
||||
when: step|int == 2
|
||||
block: &redis_puppet_bundle
|
||||
- name: Redis puppet bundle
|
||||
list_concat:
|
||||
- get_attr: [RedisBase, role_data, deploy_steps_tasks]
|
||||
- - name: Redis tag container image for pacemaker
|
||||
when: step|int == 1
|
||||
import_role:
|
||||
name: tripleo_ha_wrapper
|
||||
name: tripleo_container_tag
|
||||
vars:
|
||||
tripleo_ha_wrapper_service_name: redis
|
||||
tripleo_ha_wrapper_resource_name: redis
|
||||
tripleo_ha_wrapper_bundle_name: redis-bundle
|
||||
tripleo_ha_wrapper_resource_state: Slave Master
|
||||
tripleo_ha_wrapper_puppet_config_volume: redis
|
||||
tripleo_ha_wrapper_puppet_execute: 'include ::tripleo::profile::base::pacemaker; include ::tripleo::profile::pacemaker::database::redis_bundle'
|
||||
tripleo_ha_wrapper_puppet_tags: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
|
||||
tripleo_ha_wrapper_puppet_debug: {get_param: ConfigDebug}
|
||||
container_image: {get_param: ContainerRedisImage}
|
||||
container_image_latest: *redis_image_pcmklatest
|
||||
- name: Redis HA Wrappers Step
|
||||
when: step|int == 2
|
||||
block: &redis_puppet_bundle
|
||||
- name: Redis puppet bundle
|
||||
import_role:
|
||||
name: tripleo_ha_wrapper
|
||||
vars:
|
||||
tripleo_ha_wrapper_service_name: redis
|
||||
tripleo_ha_wrapper_resource_name: redis
|
||||
tripleo_ha_wrapper_bundle_name: redis-bundle
|
||||
tripleo_ha_wrapper_resource_state: Slave Master
|
||||
tripleo_ha_wrapper_puppet_config_volume: redis
|
||||
tripleo_ha_wrapper_puppet_execute: 'include ::tripleo::profile::base::pacemaker; include ::tripleo::profile::pacemaker::database::redis_bundle'
|
||||
tripleo_ha_wrapper_puppet_tags: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
|
||||
tripleo_ha_wrapper_puppet_debug: {get_param: ConfigDebug}
|
||||
update_tasks:
|
||||
- name: redis_pacemaker_puppet_tmpfile_cleanup
|
||||
when: step|int == 1
|
||||
|
|
|
|||
|
|
@ -394,3 +394,5 @@ outputs:
|
|||
- { 'path': /var/log/containers/httpd/zaqar, 'setype': container_file_t, 'mode': '0750' }
|
||||
metadata_settings:
|
||||
get_attr: [ApacheServiceBase, role_data, metadata_settings]
|
||||
deploy_steps_tasks:
|
||||
get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
|
||||
|
|
|
|||
|
|
@ -129,32 +129,6 @@ outputs:
|
|||
tripleo::profile::base::etcd::certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/etcd.crt'
|
||||
service_key: '/etc/pki/tls/private/etcd.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "etcd/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
|
||||
dnsnames:
|
||||
- str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
|
||||
- str_replace:
|
||||
template:
|
||||
"%{hiera('NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
|
||||
postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh'
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: EtcdCertificateKeySize}
|
||||
etcd::trusted_ca_file: {get_param: InternalTLSCAFile}
|
||||
etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile}
|
||||
-
|
||||
|
|
@ -227,6 +201,57 @@ outputs:
|
|||
volumes:
|
||||
- /var/lib/config-data/etcd/etc/etcd/:/etc/etcd:ro
|
||||
- /var/lib/etcd:/var/lib/etcd:ro
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: etcd
|
||||
dns:
|
||||
- str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
|
||||
- str_replace:
|
||||
template: "{{cloud_names.cloud_name_NETWORK}}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "etcd/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
|
||||
run_after: |
|
||||
# cinder uses etcd, so its containers also need to be refreshed
|
||||
container_names=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -E 'cinder|etcd')
|
||||
service_crt="/etc/pki/tls/certs/etcd.crt"
|
||||
service_key="/etc/pki/tls/private/etcd.key"
|
||||
kolla_dir="/var/lib/kolla/config_files/src-tls"
|
||||
# For each container, check whether the cert file needs to be updated.
|
||||
# The check is necessary because the original THT design directly bind mounted
|
||||
# the files to their final location, and did not copy them in via $kolla_dir.
|
||||
# Regardless of whether the container is directly using the files, or a copy,
|
||||
# there's no need to trigger a reload because the cert is not cached.
|
||||
for container_name in ${container_names[*]}; do
|
||||
{{container_cli}} exec -u root "$container_name" bash -c "
|
||||
[[ -f ${kolla_dir}/${service_crt} ]] && cp ${kolla_dir}/${service_crt} $service_crt;
|
||||
[[ -f ${kolla_dir}/${service_key} ]] && cp ${kolla_dir}/${service_key} $service_key;
|
||||
true
|
||||
"
|
||||
done
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: EtcdCertificateKeySize}
|
||||
ca: ipa
|
||||
- null
|
||||
host_prep_tasks:
|
||||
- name: create /var/lib/etcd
|
||||
file:
|
||||
|
|
|
|||
|
|
@ -444,6 +444,8 @@ outputs:
|
|||
upgrade_tasks: []
|
||||
metadata_settings:
|
||||
get_attr: [ApacheServiceBase, role_data, metadata_settings]
|
||||
deploy_steps_tasks:
|
||||
get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
|
||||
external_upgrade_tasks:
|
||||
- when:
|
||||
- step|int == 1
|
||||
|
|
|
|||
|
|
@ -291,53 +291,62 @@ outputs:
|
|||
environment:
|
||||
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||
deploy_steps_tasks:
|
||||
- name: Configure rsyslog for HAproxy container
|
||||
when: step|int == 1
|
||||
block:
|
||||
- name: Check if rsyslog exists
|
||||
shell: systemctl is-active rsyslog
|
||||
register: rsyslog_config
|
||||
- when:
|
||||
- rsyslog_config is changed
|
||||
- rsyslog_config.rc == 0
|
||||
list_concat:
|
||||
- - name: Configure rsyslog for HAproxy container
|
||||
when: step|int == 1
|
||||
block:
|
||||
- name: Forward logging to haproxy.log file
|
||||
blockinfile:
|
||||
content: |
|
||||
if $syslogfacility-text == '{{facility}}' and $programname == 'haproxy' then -/var/log/containers/haproxy/haproxy.log
|
||||
& stop
|
||||
create: yes
|
||||
path: /etc/rsyslog.d/openstack-haproxy.conf
|
||||
vars:
|
||||
facility: {get_param: HAProxySyslogFacility}
|
||||
register: logconfig
|
||||
- name: restart rsyslog service after logging conf change
|
||||
service:
|
||||
name: rsyslog
|
||||
state: restarted
|
||||
when: logconfig is changed
|
||||
- name: Run puppet on the host to apply IPtables rules
|
||||
no_log: true
|
||||
when: step|int == 1
|
||||
register: puppet_host_outputs
|
||||
shell: |
|
||||
puppet apply {{ (puppet_debug|bool) | ternary('--debug --verbose', '') }} --detailed-exitcodes --summarize --color=false \
|
||||
--modulepath '{{ puppet_modulepath }}' --tags '{{ puppet_tags }}' -e '{{ puppet_execute }}'
|
||||
register: puppet_host_outputs
|
||||
changed_when: puppet_host_outputs.rc == 2
|
||||
failed_when: false
|
||||
vars:
|
||||
puppet_execute: include tripleo::profile::base::haproxy
|
||||
puppet_tags: tripleo::firewall::rule
|
||||
puppet_modulepath: /etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules
|
||||
puppet_debug: {get_param: ConfigDebug}
|
||||
- name: "Debug output for task: Run puppet on the host to apply IPtables rules"
|
||||
debug:
|
||||
var: puppet_host_outputs.stdout_lines | default([]) | union(puppet_host_outputs.stderr_lines | default([]))
|
||||
when:
|
||||
- not (ansible_check_mode | bool)
|
||||
- puppet_host_outputs.rc is defined
|
||||
failed_when: puppet_host_outputs.rc not in [0, 2]
|
||||
- name: Check if rsyslog exists
|
||||
shell: systemctl is-active rsyslog
|
||||
register: rsyslog_config
|
||||
- when:
|
||||
- rsyslog_config is changed
|
||||
- rsyslog_config.rc == 0
|
||||
block:
|
||||
- name: Forward logging to haproxy.log file
|
||||
blockinfile:
|
||||
content: |
|
||||
if $syslogfacility-text == '{{facility}}' and $programname == 'haproxy' then -/var/log/containers/haproxy/haproxy.log
|
||||
& stop
|
||||
create: yes
|
||||
path: /etc/rsyslog.d/openstack-haproxy.conf
|
||||
vars:
|
||||
facility: {get_param: HAProxySyslogFacility}
|
||||
register: logconfig
|
||||
- name: restart rsyslog service after logging conf change
|
||||
service:
|
||||
name: rsyslog
|
||||
state: restarted
|
||||
when: logconfig is changed
|
||||
- name: Run puppet on the host to apply IPtables rules
|
||||
no_log: true
|
||||
when: step|int == 1
|
||||
register: puppet_host_outputs
|
||||
shell: |
|
||||
puppet apply {{ (puppet_debug|bool) | ternary('--debug --verbose', '') }} --detailed-exitcodes --summarize --color=false \
|
||||
--modulepath '{{ puppet_modulepath }}' --tags '{{ puppet_tags }}' -e '{{ puppet_execute }}'
|
||||
register: puppet_host_outputs
|
||||
changed_when: puppet_host_outputs.rc == 2
|
||||
failed_when: false
|
||||
vars:
|
||||
puppet_execute: include tripleo::profile::base::haproxy
|
||||
puppet_tags: tripleo::firewall::rule
|
||||
puppet_modulepath: /etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules
|
||||
puppet_debug: {get_param: ConfigDebug}
|
||||
- name: "Debug output for task: Run puppet on the host to apply IPtables rules"
|
||||
debug:
|
||||
var: puppet_host_outputs.stdout_lines | default([]) | union(puppet_host_outputs.stderr_lines | default([]))
|
||||
when:
|
||||
- not (ansible_check_mode | bool)
|
||||
- puppet_host_outputs.rc is defined
|
||||
failed_when: puppet_host_outputs.rc not in [0, 2]
|
||||
- if:
|
||||
- public_tls_enabled
|
||||
- get_attr: [HAProxyPublicTLS, role_data, deploy_steps_tasks]
|
||||
- []
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
- get_attr: [HAProxyInternalTLS, role_data, deploy_steps_tasks]
|
||||
- []
|
||||
upgrade_tasks:
|
||||
- name: ensure we have haproxy log dir with the correct setype
|
||||
file:
|
||||
|
|
|
|||
|
|
@ -59,12 +59,12 @@ resources:
|
|||
# we don't need a certificate for that, and the external
|
||||
# network will be handled in another template.
|
||||
- ctlplane
|
||||
{%- for network in networks if network.vip|default(false) %}
|
||||
{%- for network in networks if network.enabled|default(true) and network.vip|default(false) %}
|
||||
{%- if network.name_lower != 'external' and network.name_lower != 'tenant' %}
|
||||
- {{network.name_lower}}
|
||||
{%- endif %}
|
||||
{%- endfor %}
|
||||
|
||||
{% raw -%}
|
||||
outputs:
|
||||
role_data:
|
||||
description: Role data for the HAProxy internal TLS via certmonger role.
|
||||
|
|
@ -73,10 +73,6 @@ outputs:
|
|||
config_settings:
|
||||
generate_service_certificates: true
|
||||
tripleo::haproxy::use_internal_certificates: true
|
||||
tripleo::certmonger::haproxy_dirs::certificate_dir:
|
||||
get_param: HAProxyInternalTLSCertsDirectory
|
||||
tripleo::certmonger::haproxy_dirs::key_dir:
|
||||
get_param: HAProxyInternalTLSKeysDirectory
|
||||
certificates_specs:
|
||||
map_merge:
|
||||
repeat:
|
||||
|
|
@ -87,27 +83,6 @@ outputs:
|
|||
- ''
|
||||
- - {get_param: HAProxyInternalTLSCertsDirectory}
|
||||
- '/overcloud-haproxy-NETWORK.pem'
|
||||
service_certificate:
|
||||
list_join:
|
||||
- ''
|
||||
- - {get_param: HAProxyInternalTLSCertsDirectory}
|
||||
- '/overcloud-haproxy-NETWORK.crt'
|
||||
service_key:
|
||||
list_join:
|
||||
- ''
|
||||
- - {get_param: HAProxyInternalTLSKeysDirectory}
|
||||
- '/overcloud-haproxy-NETWORK.key'
|
||||
hostname: "%{hiera('fqdn_NETWORK')}"
|
||||
dnsnames:
|
||||
- "%{hiera('cloud_name_NETWORK')}"
|
||||
- "%{hiera('fqdn_NETWORK')}"
|
||||
principal: "haproxy/%{hiera('fqdn_NETWORK')}"
|
||||
postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload NETWORK"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: HAProxyCertificateKeySize}
|
||||
for_each:
|
||||
NETWORK: {get_attr: [HAProxyNetworks, value]}
|
||||
metadata_settings:
|
||||
|
|
@ -121,3 +96,63 @@ outputs:
|
|||
type: node
|
||||
for_each:
|
||||
$NETWORK: {get_attr: [HAProxyNetworks, value]}
|
||||
deploy_steps_tasks:
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- name: Create dirs for certificates and keys
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
serole: object_r
|
||||
setype: cert_t
|
||||
seuser: system_u
|
||||
with_items:
|
||||
- {get_param: HAProxyInternalTLSCertsDirectory}
|
||||
- {get_param: HAProxyInternalTLSKeysDirectory}
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
repeat:
|
||||
template:
|
||||
name: haproxy-NETWORK-cert
|
||||
dns:
|
||||
- "{{fqdn_NETWORK}}"
|
||||
- "{{cloud_names.cloud_name_NETWORK}}"
|
||||
principal: "haproxy/{{fqdn_NETWORK}}@{{idm_realm}}"
|
||||
run_after:
|
||||
str_replace:
|
||||
template: |
|
||||
# Copy crt and key for backward compatibility
|
||||
cp "/etc/pki/tls/certs/haproxy-NETWORK-cert.crt" "CERTSDIR/overcloud-haproxy-NETWORK.crt"
|
||||
cp "/etc/pki/tls/private/haproxy-NETWORK-cert.key" "KEYSDIR/overcloud-haproxy-NETWORK.key"
|
||||
|
||||
ca_path="/etc/ipa/ca.crt"
|
||||
service_crt="CERTSDIR/overcloud-haproxy-NETWORK.crt"
|
||||
service_key="KEYSDIR/overcloud-haproxy-NETWORK.key"
|
||||
service_pem="CERTSDIR/overcloud-haproxy-NETWORK.pem"
|
||||
|
||||
cat "$service_crt" "$ca_path" "$service_key" > "$service_pem"
|
||||
|
||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')
|
||||
# Refresh the pem at the mount-point
|
||||
{{container_cli}} cp $service_pem "$container_name:/var/lib/kolla/config_files/src-tls/$service_pem"
|
||||
# Copy the new pem from the mount-point to the real path
|
||||
{{container_cli}} exec $container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
|
||||
# Set appropriate permissions
|
||||
{{container_cli}} exec $container_name" chown haproxy:haproxy "$service_pem"
|
||||
# Trigger a reload for HAProxy to read the new certificates
|
||||
{{container_cli}} kill --signal HUP $container_name"
|
||||
params:
|
||||
CERTSDIR: {get_param: HAProxyInternalTLSCertsDirectory}
|
||||
KEYSDIR: {get_param: HAProxyInternalTLSKeysDirectory}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: HAProxyCertificateKeySize}
|
||||
ca: ipa
|
||||
for_each:
|
||||
NETWORK: {get_attr: [HAProxyNetworks, value]}
|
||||
{%- endraw %}
|
||||
|
|
|
|||
|
|
@ -138,6 +138,24 @@ resources:
|
|||
RoleName: {get_param: RoleName}
|
||||
RoleParameters: {get_param: RoleParameters}
|
||||
|
||||
HAProxyPublicTLS:
|
||||
type: OS::TripleO::Services::HAProxyPublicTLS
|
||||
properties:
|
||||
ServiceData: {get_param: ServiceData}
|
||||
ServiceNetMap: {get_param: ServiceNetMap}
|
||||
EndpointMap: {get_param: EndpointMap}
|
||||
RoleName: {get_param: RoleName}
|
||||
RoleParameters: {get_param: RoleParameters}
|
||||
|
||||
HAProxyInternalTLS:
|
||||
type: OS::TripleO::Services::HAProxyInternalTLS
|
||||
properties:
|
||||
ServiceData: {get_param: ServiceData}
|
||||
ServiceNetMap: {get_param: ServiceNetMap}
|
||||
EndpointMap: {get_param: EndpointMap}
|
||||
RoleName: {get_param: RoleName}
|
||||
RoleParameters: {get_param: RoleParameters}
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
description: Role data for the HAproxy role.
|
||||
|
|
@ -280,53 +298,62 @@ outputs:
|
|||
metadata_settings:
|
||||
{get_attr: [HAProxyBase, role_data, metadata_settings]}
|
||||
deploy_steps_tasks:
|
||||
- name: Configure rsyslog for HAproxy container managed by Pacemaker
|
||||
when: step|int == 1
|
||||
block:
|
||||
- name: Check if rsyslog exists
|
||||
shell: systemctl is-active rsyslog
|
||||
register: rsyslog_config
|
||||
- when:
|
||||
- rsyslog_config is changed
|
||||
- rsyslog_config.rc == 0
|
||||
list_concat:
|
||||
- - name: Configure rsyslog for HAproxy container managed by Pacemaker
|
||||
when: step|int == 1
|
||||
block:
|
||||
- name: Forward logging to haproxy.log file
|
||||
blockinfile:
|
||||
content: |
|
||||
if $syslogfacility-text == '{{facility}}' and $programname == 'haproxy' then -/var/log/containers/haproxy/haproxy.log
|
||||
& stop
|
||||
create: yes
|
||||
path: /etc/rsyslog.d/openstack-haproxy.conf
|
||||
vars:
|
||||
facility: {get_param: HAProxySyslogFacility}
|
||||
register: logconfig
|
||||
- name: restart rsyslog service after logging conf change
|
||||
service:
|
||||
name: rsyslog
|
||||
state: restarted
|
||||
when: logconfig is changed
|
||||
- name: HAproxy tag container image for pacemaker
|
||||
when: step|int == 1
|
||||
import_role:
|
||||
name: tripleo_container_tag
|
||||
vars:
|
||||
container_image: {get_param: ContainerHAProxyImage}
|
||||
container_image_latest: *haproxy_image_pcmklatest
|
||||
- name: HAproxy HA Wrappers Step
|
||||
when: step|int == 2
|
||||
block: &haproxy_puppet_bundle
|
||||
- name: HAproxy puppet bundle
|
||||
- name: Check if rsyslog exists
|
||||
shell: systemctl is-active rsyslog
|
||||
register: rsyslog_config
|
||||
- when:
|
||||
- rsyslog_config is changed
|
||||
- rsyslog_config.rc == 0
|
||||
block:
|
||||
- name: Forward logging to haproxy.log file
|
||||
blockinfile:
|
||||
content: |
|
||||
if $syslogfacility-text == '{{facility}}' and $programname == 'haproxy' then -/var/log/containers/haproxy/haproxy.log
|
||||
& stop
|
||||
create: yes
|
||||
path: /etc/rsyslog.d/openstack-haproxy.conf
|
||||
vars:
|
||||
facility: {get_param: HAProxySyslogFacility}
|
||||
register: logconfig
|
||||
- name: restart rsyslog service after logging conf change
|
||||
service:
|
||||
name: rsyslog
|
||||
state: restarted
|
||||
when: logconfig is changed
|
||||
- name: HAproxy tag container image for pacemaker
|
||||
when: step|int == 1
|
||||
import_role:
|
||||
name: tripleo_ha_wrapper
|
||||
name: tripleo_container_tag
|
||||
vars:
|
||||
tripleo_ha_wrapper_service_name: haproxy
|
||||
tripleo_ha_wrapper_resource_name: haproxy-bundle
|
||||
tripleo_ha_wrapper_bundle_name: haproxy-bundle
|
||||
tripleo_ha_wrapper_resource_state: Started
|
||||
tripleo_ha_wrapper_puppet_config_volume: haproxy
|
||||
tripleo_ha_wrapper_puppet_execute: 'include ::tripleo::profile::base::pacemaker; include ::tripleo::profile::pacemaker::haproxy_bundle'
|
||||
tripleo_ha_wrapper_puppet_tags: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
|
||||
tripleo_ha_wrapper_puppet_debug: {get_param: ConfigDebug}
|
||||
container_image: {get_param: ContainerHAProxyImage}
|
||||
container_image_latest: *haproxy_image_pcmklatest
|
||||
- name: HAproxy HA Wrappers Step
|
||||
when: step|int == 2
|
||||
block: &haproxy_puppet_bundle
|
||||
- name: HAproxy puppet bundle
|
||||
import_role:
|
||||
name: tripleo_ha_wrapper
|
||||
vars:
|
||||
tripleo_ha_wrapper_service_name: haproxy
|
||||
tripleo_ha_wrapper_resource_name: haproxy-bundle
|
||||
tripleo_ha_wrapper_bundle_name: haproxy-bundle
|
||||
tripleo_ha_wrapper_resource_state: Started
|
||||
tripleo_ha_wrapper_puppet_config_volume: haproxy
|
||||
tripleo_ha_wrapper_puppet_execute: 'include ::tripleo::profile::base::pacemaker; include ::tripleo::profile::pacemaker::haproxy_bundle'
|
||||
tripleo_ha_wrapper_puppet_tags: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
|
||||
tripleo_ha_wrapper_puppet_debug: {get_param: ConfigDebug}
|
||||
- if:
|
||||
- public_tls_enabled
|
||||
- get_attr: [HAProxyPublicTLS, role_data, deploy_steps_tasks]
|
||||
- []
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
- get_attr: [HAProxyInternalTLS, role_data, deploy_steps_tasks]
|
||||
- []
|
||||
update_tasks:
|
||||
- name: Tear-down non-HA haproxy container
|
||||
when:
|
||||
|
|
|
|||
|
|
@ -61,40 +61,100 @@ outputs:
|
|||
config_settings:
|
||||
generate_service_certificates: true
|
||||
tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath}
|
||||
tripleo::certmonger::haproxy_dirs::certificate_dir:
|
||||
get_param: HAProxyInternalTLSCertsDirectory
|
||||
tripleo::certmonger::haproxy_dirs::key_dir:
|
||||
get_param: HAProxyInternalTLSKeysDirectory
|
||||
certificates_specs:
|
||||
haproxy-external:
|
||||
service_pem: {get_param: DeployedSSLCertificatePath}
|
||||
service_certificate:
|
||||
list_join:
|
||||
- ''
|
||||
- - {get_param: HAProxyInternalTLSCertsDirectory}
|
||||
- '/overcloud-haproxy-external.crt'
|
||||
service_key:
|
||||
list_join:
|
||||
- ''
|
||||
- - {get_param: HAProxyInternalTLSKeysDirectory}
|
||||
- '/overcloud-haproxy-external.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('cloud_name_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "haproxy/%{hiera('cloud_name_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload external"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: HAProxyCertificateKeySize}
|
||||
metadata_settings:
|
||||
- service: haproxy
|
||||
network: {get_param: [ServiceNetMap, PublicNetwork]}
|
||||
type: vip
|
||||
deploy_steps_tasks:
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- name: make sure certmonger is installed
|
||||
package:
|
||||
name: certmonger
|
||||
state: present
|
||||
- name: make sure certmonger service is started
|
||||
systemd:
|
||||
state: started
|
||||
enabled: true
|
||||
masked: false
|
||||
name: certmonger.service
|
||||
- name: Create dirs for certificates and keys
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
serole: object_r
|
||||
setype: cert_t
|
||||
seuser: system_u
|
||||
with_items:
|
||||
- {get_param: HAProxyInternalTLSCertsDirectory}
|
||||
- {get_param: HAProxyInternalTLSKeysDirectory}
|
||||
- name: Extract and trust certmonger's local CA
|
||||
shell: |
|
||||
set -e
|
||||
ca_pem='/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'
|
||||
if ! { test -e ${ca_pem} && openssl x509 -checkend 0 -noout -in ${ca_pem}; }; then
|
||||
openssl pkcs12 -in /var/lib/certmonger/local/creds -out ${ca_pem} -nokeys -nodes -passin pass:''
|
||||
chmod 0644 ${ca_pem}
|
||||
update-ca-trust extract
|
||||
fi
|
||||
test -e ${ca_pem} && openssl x509 -checkend 0 -noout -in ${ca_pem}
|
||||
retries: 5
|
||||
delay: 1
|
||||
until: result.rc == 0
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: haproxy-external-cert
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{cloud_names.cloud_name_NETWORK}}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
|
||||
ip:
|
||||
str_replace:
|
||||
template: "{{[cloud_names.cloud_name_NETWORK]|ipaddr}}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "haproxy/{{cloud_names.cloud_name_NETWORK}}@{{idm_realm|default('UNDERCLOUD')}}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
|
||||
run_after:
|
||||
str_replace:
|
||||
template: |
|
||||
# Copy crt and key for backward compatibility
|
||||
cp "/etc/pki/tls/certs/haproxy-external-cert.crt" "CERTSDIR/overcloud-haproxy-external.crt"
|
||||
cp "/etc/pki/tls/private/haproxy-external-cert.key" "KEYSDIR/overcloud-haproxy-external.key"
|
||||
|
||||
ca_path="/etc/ipa/ca.crt"
|
||||
service_crt="CERTSDIR/overcloud-haproxy-external.crt"
|
||||
service_key="KEYSDIR/overcloud-haproxy-external.key"
|
||||
service_pem="PEMPATH"
|
||||
|
||||
cat "$service_crt" "$ca_path" "$service_key" > "$service_pem"
|
||||
|
||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')
|
||||
# Refresh the pem at the mount-point
|
||||
{{container_cli}} cp $service_pem "$container_name:/var/lib/kolla/config_files/src-tls/$service_pem"
|
||||
# Copy the new pem from the mount-point to the real path
|
||||
{{container_cli}} exec $container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
|
||||
# Set appropriate permissions
|
||||
{{container_cli}} exec $container_name" chown haproxy:haproxy "$service_pem"
|
||||
# Trigger a reload for HAProxy to read the new certificates
|
||||
{{container_cli}} kill --signal HUP $container_name"
|
||||
params:
|
||||
CERTSDIR: {get_param: HAProxyInternalTLSCertsDirectory}
|
||||
KEYSDIR: {get_param: HAProxyInternalTLSKeysDirectory}
|
||||
PEMPATH: {get_param: DeployedSSLCertificatePath}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: HAProxyCertificateKeySize}
|
||||
ca: "{{idm_realm|default|ternary('ipa','self-sign')}}"
|
||||
|
|
|
|||
|
|
@ -216,6 +216,8 @@ outputs:
|
|||
upgrade_tasks: []
|
||||
metadata_settings:
|
||||
get_attr: [ApacheServiceBase, role_data, metadata_settings]
|
||||
deploy_steps_tasks:
|
||||
get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
|
||||
external_upgrade_tasks:
|
||||
- when:
|
||||
- step|int == 1
|
||||
|
|
|
|||
|
|
@ -277,6 +277,8 @@ outputs:
|
|||
upgrade_tasks: []
|
||||
metadata_settings:
|
||||
get_attr: [ApacheServiceBase, role_data, metadata_settings]
|
||||
deploy_steps_tasks:
|
||||
get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
|
||||
external_upgrade_tasks:
|
||||
- when:
|
||||
- step|int == 1
|
||||
|
|
|
|||
|
|
@ -102,7 +102,7 @@ outputs:
|
|||
tripleo_ipa_delegate_server: "{{ item }}"
|
||||
tripleo_ipa_base_server_fqdn: "{{ hostvars[item]['fqdn_canonical'] }}"
|
||||
tripleo_ipa_server_metadata: "{{ hostvars[item]['service_metadata_settings'] | to_json }}"
|
||||
loop: "{{ groups.certmonger_user }}"
|
||||
loop: "{{ groups.ipaservice }}"
|
||||
- include_role:
|
||||
name: tripleo_ipa_dns
|
||||
vars:
|
||||
|
|
@ -117,51 +117,82 @@ outputs:
|
|||
KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab}
|
||||
- IPA_USER: "nova/{{ ansible_facts['fqdn'] }}"
|
||||
KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab}
|
||||
deploy_steps_tasks:
|
||||
- name: enroll the node as an ipa client
|
||||
#NOTE(xek): this is moved to external_deploy_tasks to make sure this happens before certificates are requested from certmonger
|
||||
when: step|int == 1
|
||||
vars:
|
||||
map_merge:
|
||||
-
|
||||
state: present
|
||||
ipaclient_otp: "{{ ipa_host_otp }}"
|
||||
idm_enroll_base_server: {get_param: IdMEnrollBaseServer}
|
||||
ipaclient_mkhomedir: {get_param: MakeHomeDir}
|
||||
ipaclient_no_ntp: {get_param: IdMNoNtpSetup}
|
||||
ipaclient_force: yes
|
||||
ipaclient_hostname: "{{ fqdn_canonical }}"
|
||||
ipaclient_install_packages: {get_param: IdMInstallClientPackages}
|
||||
ipaclients:
|
||||
- "{{ inventory_hostname }}"
|
||||
-
|
||||
if:
|
||||
- idm_server_provided
|
||||
- ipaclient_servers: {get_param: IdMServer}
|
||||
ipaclient_domain: {get_param: IdMDomain}
|
||||
- {}
|
||||
ipaclient_install_packages: {get_param: IdMInstallClientPackages}
|
||||
idm_enroll_base_server: {get_param: IdMEnrollBaseServer}
|
||||
block:
|
||||
- name: check if default.conf exists
|
||||
delegate_to: "{{ item }}"
|
||||
stat:
|
||||
path: /etc/ipa/default.conf
|
||||
register: ipa_conf_exists
|
||||
loop: "{{ groups.ipaservice }}"
|
||||
- name: install openssl-perl
|
||||
delegate_to: "{{ item }}"
|
||||
become: true
|
||||
package:
|
||||
name: openssl-perl
|
||||
state: present
|
||||
loop: "{{ groups.ipaservice }}"
|
||||
when:
|
||||
- ipaclient_install_packages|bool
|
||||
- block:
|
||||
- name: register as an ipa client
|
||||
import_role:
|
||||
name: ipaclient
|
||||
- name: restart certmonger service
|
||||
systemd:
|
||||
state: restarted
|
||||
daemon_reload: true
|
||||
name: certmonger.service
|
||||
- name: register as an ipa client
|
||||
include_role:
|
||||
name: ipaclient
|
||||
apply:
|
||||
delegate_to: "{{ outer_item.0 }}"
|
||||
become: true
|
||||
vars:
|
||||
map_merge:
|
||||
-
|
||||
state: present
|
||||
ipaclient_otp: "{{ hostvars[outer_item.0]['ipa_host_otp'] }}"
|
||||
ipaclient_mkhomedir: {get_param: MakeHomeDir}
|
||||
ipaclient_no_ntp: {get_param: IdMNoNtpSetup}
|
||||
ipaclient_force: yes
|
||||
ipaclient_hostname: "{{ hostvars[outer_item.0]['fqdn_canonical'] }}"
|
||||
ipaclients:
|
||||
- "{{ outer_item.0 }}"
|
||||
-
|
||||
if:
|
||||
- idm_server_provided
|
||||
- ipaclient_servers: {get_param: IdMServer}
|
||||
ipaclient_domain: {get_param: IdMDomain}
|
||||
- {}
|
||||
when:
|
||||
- idm_enroll_base_server|bool
|
||||
- not ipa_conf_exists.stat.exists
|
||||
- not outer_item.1.stat.exists
|
||||
loop: "{{ groups.ipaservice|zip(ipa_conf_exists.results)|list }}"
|
||||
loop_control:
|
||||
loop_var: outer_item
|
||||
- name: restart certmonger service
|
||||
delegate_to: "{{ item.0 }}"
|
||||
become: true
|
||||
systemd:
|
||||
state: restarted
|
||||
daemon_reload: true
|
||||
name: certmonger.service
|
||||
when:
|
||||
- idm_enroll_base_server|bool
|
||||
- not item.1.stat.exists
|
||||
loop: "{{ groups.ipaservice|zip(ipa_conf_exists.results)|list }}"
|
||||
- name: set discovered ipa realm
|
||||
delegate_to: "{{ item }}"
|
||||
delegate_facts: true
|
||||
set_fact:
|
||||
idm_realm:
|
||||
str_replace:
|
||||
template:
|
||||
"{{ lookup('ini', 'realm default=DEFAULT section=global file=/etc/ipa/default.conf')}}"
|
||||
params:
|
||||
DEFAULT:
|
||||
yaql:
|
||||
expression: $.data.toUpper()
|
||||
data: {get_param: IdMDomain}
|
||||
loop: "{{ groups.ipaservice }}"
|
||||
scale_tasks:
|
||||
- when: step|int == 1
|
||||
tags: down
|
||||
|
|
|
|||
|
|
@ -285,6 +285,8 @@ outputs:
|
|||
with_items:
|
||||
- { 'path': /var/log/containers/ironic, 'setype': container_file_t, 'mode': '0750' }
|
||||
- { 'path': /var/log/containers/httpd/ironic-api, 'setype': container_file_t, 'mode': '0750' }
|
||||
deploy_steps_tasks:
|
||||
get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
|
||||
external_upgrade_tasks:
|
||||
- when: step|int == 1
|
||||
block: &ironic_online_db_migration
|
||||
|
|
|
|||
|
|
@ -777,22 +777,24 @@ outputs:
|
|||
tripleo_keystone_resources_cloud_name: {get_param: RootStackName}
|
||||
batched_tripleo_keystone_resources_domains: "{{ tripleo_keystone_ldap_domains | list }}"
|
||||
deploy_steps_tasks:
|
||||
- name: validate keystone container state
|
||||
podman_container_info:
|
||||
name: keystone
|
||||
register: keystone_infos
|
||||
failed_when:
|
||||
- keystone_infos.containers.0.Healthcheck.Status is defined
|
||||
- "'healthy' not in keystone_infos.containers.0.Healthcheck.Status"
|
||||
retries: 10
|
||||
delay: 30
|
||||
tags:
|
||||
- opendev-validation
|
||||
- opendev-validation-keystone
|
||||
when:
|
||||
- container_cli == 'podman'
|
||||
- not container_healthcheck_disabled
|
||||
- step|int == 4
|
||||
list_concat:
|
||||
- get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
|
||||
- - name: validate keystone container state
|
||||
podman_container_info:
|
||||
name: keystone
|
||||
register: keystone_infos
|
||||
failed_when:
|
||||
- keystone_infos.containers.0.Healthcheck.Status is defined
|
||||
- "'healthy' not in keystone_infos.containers.0.Healthcheck.Status"
|
||||
retries: 10
|
||||
delay: 30
|
||||
tags:
|
||||
- opendev-validation
|
||||
- opendev-validation-keystone
|
||||
when:
|
||||
- container_cli == 'podman'
|
||||
- not container_healthcheck_disabled
|
||||
- step|int == 4
|
||||
container_puppet_tasks:
|
||||
# Keystone endpoint creation occurs only on single node
|
||||
step_3:
|
||||
|
|
|
|||
|
|
@ -254,6 +254,8 @@ outputs:
|
|||
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||
metadata_settings:
|
||||
get_attr: [ApacheServiceBase, role_data, metadata_settings]
|
||||
deploy_steps_tasks:
|
||||
get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
|
||||
host_prep_tasks:
|
||||
- name: Create persistent directories
|
||||
file:
|
||||
|
|
|
|||
|
|
@ -180,22 +180,6 @@ outputs:
|
|||
tripleo::profile::base::memcached::certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/memcached.crt'
|
||||
service_key: '/etc/pki/tls/private/memcached.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_$NETWORK')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "memcached/%{hiera('fqdn_$NETWORK')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-memcached-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: MemcachedCertificateKeySize}
|
||||
- {}
|
||||
service_config_settings:
|
||||
collectd:
|
||||
|
|
@ -268,6 +252,50 @@ outputs:
|
|||
network: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||
type: node
|
||||
- null
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: memcached
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "memcached/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||
run_after: |
|
||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep memcached)
|
||||
service_crt="/etc/pki/tls/certs/memcached.crt"
|
||||
service_key="/etc/pki/tls/private/memcached.key"
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
# Copy the new key from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||
# Set appropriate permissions
|
||||
{{container_cli}} exec -u root "$container_name" chown memcached:memcached "$service_crt"
|
||||
{{container_cli}} exec -u root "$container_name" chown memcached:memcached "$service_key"
|
||||
# Send refresh_certs command to memcached to read the new certificate
|
||||
memcached_ip="$(hiera -c /etc/puppet/hiera.yaml memcached::listen_ip.0 127.0.0.1)"
|
||||
memcached_port="$(hiera -c /etc/puppet/hiera.yaml memcached::tcp_port 11211)"
|
||||
echo refresh_certs | openssl s_client -connect $memcached_ip:$memcached_port
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: MemcachedCertificateKeySize}
|
||||
ca: ipa
|
||||
- null
|
||||
host_prep_tasks:
|
||||
- name: create persistent directories
|
||||
file:
|
||||
|
|
|
|||
|
|
@ -229,39 +229,6 @@ outputs:
|
|||
- if:
|
||||
- internal_tls_enabled
|
||||
- generate_service_certificates: true
|
||||
tripleo::metrics::qdr::service_certificate: '/etc/pki/tls/certs/metrics_qdr.crt'
|
||||
tripleo::metrics::qdr::service_key: '/etc/pki/tls/private/metrics_qdr.key'
|
||||
tripleo::profile::base::metrics::qdr::certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/metrics_qdr.crt'
|
||||
service_key: '/etc/pki/tls/private/metrics_qdr.key'
|
||||
postsave_cmd: "/usr/bin/certmonger-metrics-qdr-refresh.sh"
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK:
|
||||
get_param:
|
||||
- ServiceNetMap
|
||||
- str_replace:
|
||||
template: "ROLENAMEMetricsQdrNetwork"
|
||||
params:
|
||||
ROLENAME: {get_param: RoleName}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "metrics_qdr/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK:
|
||||
get_param:
|
||||
- ServiceNetMap
|
||||
- str_replace:
|
||||
template: "ROLENAMEMetricsQdrNetwork"
|
||||
params:
|
||||
ROLENAME: {get_param: RoleName}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: QdrCertificateKeySize}
|
||||
tripleo::profile::base::metrics::qdr::ssl_profiles:
|
||||
list_concat:
|
||||
- get_param: MetricsQdrSSLProfiles
|
||||
|
|
@ -359,6 +326,60 @@ outputs:
|
|||
- null
|
||||
environment:
|
||||
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: metrics_qdr
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_NETWORK}}"
|
||||
params:
|
||||
NETWORK:
|
||||
get_param:
|
||||
- ServiceNetMap
|
||||
- str_replace:
|
||||
template: "ROLENAMEMetricsQdrNetwork"
|
||||
params:
|
||||
ROLENAME: {get_param: RoleName}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "metrics_qdr/{{fqdn_NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
NETWORK:
|
||||
get_param:
|
||||
- ServiceNetMap
|
||||
- str_replace:
|
||||
template: "ROLENAMEMetricsQdrNetwork"
|
||||
params:
|
||||
ROLENAME: {get_param: RoleName}
|
||||
run_after: |
|
||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep metrics_qdr)
|
||||
service_crt="/etc/pki/tls/certs/metrics_qdr.crt"
|
||||
service_key="/etc/pki/tls/private/metrics_qdr.key
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
# Copy the new key from the mount-point to the real path
|
||||
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||
# Set appropriate permissions
|
||||
{{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_crt"
|
||||
{{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_key"
|
||||
# Trigger a container restart to read the new certificate
|
||||
{{container_cli}} restart "$container_name"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: QdrCertificateKeySize}
|
||||
ca: ipa
|
||||
- null
|
||||
host_prep_tasks:
|
||||
- name: create persistent logs directory
|
||||
file:
|
||||
|
|
|
|||
|
|
@ -391,30 +391,12 @@ outputs:
|
|||
-
|
||||
generate_service_certificates: true
|
||||
tripleo::profile::base::neutron::plugins::ml2::ovn::protocol: 'ssl'
|
||||
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_nb_private_key: '/etc/pki/tls/private/ovn_neutron_client.key'
|
||||
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_nb_certificate: '/etc/pki/tls/certs/ovn_neutron_client.crt'
|
||||
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_sb_private_key: '/etc/pki/tls/private/ovn_neutron_client.key'
|
||||
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_sb_certificate: '/etc/pki/tls/certs/ovn_neutron_client.crt'
|
||||
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_nb_private_key: '/etc/pki/tls/private/neutron_ovn.key'
|
||||
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_nb_certificate: '/etc/pki/tls/certs/neutron_ovn.crt'
|
||||
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_sb_private_key: '/etc/pki/tls/private/neutron_ovn.key'
|
||||
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_sb_certificate: '/etc/pki/tls/certs/neutron_ovn.crt'
|
||||
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_nb_ca_cert: {get_param: InternalTLSCAFile}
|
||||
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_sb_ca_cert: {get_param: InternalTLSCAFile}
|
||||
neutron_ovn_certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/ovn_neutron_client.crt'
|
||||
service_key: '/etc/pki/tls/private/ovn_neutron_client.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "neutron_ovn/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: NeutronCertificateKeySize}
|
||||
- {}
|
||||
service_config_settings:
|
||||
rsyslog:
|
||||
|
|
@ -459,11 +441,11 @@ outputs:
|
|||
- path: /var/log/neutron
|
||||
owner: neutron:neutron
|
||||
recurse: true
|
||||
- path: /etc/pki/tls/certs/ovn_neutron_client.crt
|
||||
- path: /etc/pki/tls/certs/neutron_ovn.crt
|
||||
owner: neutron:neutron
|
||||
optional: true
|
||||
perm: '0644'
|
||||
- path: /etc/pki/tls/private/ovn_neutron_client.key
|
||||
- path: /etc/pki/tls/private/neutron_ovn.key
|
||||
owner: neutron:neutron
|
||||
optional: true
|
||||
perm: '0644'
|
||||
|
|
@ -529,8 +511,8 @@ outputs:
|
|||
- if:
|
||||
- ovn_and_tls
|
||||
-
|
||||
- /etc/pki/tls/certs/ovn_neutron_client.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/ovn_neutron_client.crt:ro
|
||||
- /etc/pki/tls/private/ovn_neutron_client.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/ovn_neutron_client.key:ro
|
||||
- /etc/pki/tls/certs/neutron_ovn.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/neutron_ovn.crt:ro
|
||||
- /etc/pki/tls/private/neutron_ovn.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/neutron_ovn.key:ro
|
||||
- null
|
||||
environment:
|
||||
map_merge:
|
||||
|
|
@ -565,6 +547,35 @@ outputs:
|
|||
network: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
||||
type: node
|
||||
- null
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- ovn_and_tls
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: neutron_ovn
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "neutron_ovn/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: NeutronCertificateKeySize}
|
||||
ca: ipa
|
||||
- null
|
||||
external_upgrade_tasks:
|
||||
- when:
|
||||
- step|int == 1
|
||||
|
|
|
|||
|
|
@ -253,25 +253,6 @@ outputs:
|
|||
neutron::agents::dhcp::ovsdb_agent_ssl_cert_file: '/etc/pki/tls/certs/neutron.crt'
|
||||
neutron::agents::dhcp::ovsdb_agent_ssl_ca_file: {get_param: InternalTLSCAFile}
|
||||
generate_service_certificates: true
|
||||
tripleo::profile::base::neutron::certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/neutron.crt'
|
||||
service_key: '/etc/pki/tls/private/neutron.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "neutron/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-neutron-dhcpd-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: NeutronDhcpCertificateKeySize}
|
||||
- {}
|
||||
- if:
|
||||
- dhcp_ovs_intergation_bridge_unset
|
||||
|
|
@ -401,6 +382,48 @@ outputs:
|
|||
network: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
||||
type: node
|
||||
- null
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: neutron
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "neutron/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
||||
run_after: |
|
||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep neutron_dhcp)
|
||||
# The certificate is also installed on the computes, but neutron_dhcp is only
|
||||
# present on the controllers, so we exit if the container could not be found.
|
||||
[[ -z $container_name ]] && exit 0
|
||||
|
||||
service_crt="/etc/pki/tls/certs/neutron.crt"
|
||||
service_key="/etc/pki/tls/private/neutron.key"
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
# Copy the new key from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key "$service_key"
|
||||
# No need to trigger a reload for neutron dhcpd since the cert is not cached
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: NeutronDhcpCertificateKeySize}
|
||||
ca: ipa
|
||||
- null
|
||||
host_prep_tasks:
|
||||
list_concat:
|
||||
- {get_attr: [NeutronLogging, host_prep_tasks]}
|
||||
|
|
|
|||
|
|
@ -491,22 +491,24 @@ outputs:
|
|||
metadata_settings:
|
||||
get_attr: [ApacheServiceBase, role_data, metadata_settings]
|
||||
deploy_steps_tasks:
|
||||
- name: validate nova-api container state
|
||||
podman_container_info:
|
||||
name: nova_api
|
||||
register: nova_api_infos
|
||||
failed_when:
|
||||
- nova_api_infos.containers.0.Healthcheck.Status is defined
|
||||
- "'healthy' not in nova_api_infos.containers.0.Healthcheck.Status"
|
||||
retries: 10
|
||||
delay: 30
|
||||
tags:
|
||||
- opendev-validation
|
||||
- opendev-validation-nova
|
||||
when:
|
||||
- container_cli == 'podman'
|
||||
- not container_healthcheck_disabled
|
||||
- step|int == 4
|
||||
list_concat:
|
||||
- get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
|
||||
- - name: validate nova-api container state
|
||||
podman_container_info:
|
||||
name: nova_api
|
||||
register: nova_api_infos
|
||||
failed_when:
|
||||
- nova_api_infos.containers.0.Healthcheck.Status is defined
|
||||
- "'healthy' not in nova_api_infos.containers.0.Healthcheck.Status"
|
||||
retries: 10
|
||||
delay: 30
|
||||
tags:
|
||||
- opendev-validation
|
||||
- opendev-validation-nova
|
||||
when:
|
||||
- container_cli == 'podman'
|
||||
- not container_healthcheck_disabled
|
||||
- step|int == 4
|
||||
host_prep_tasks: {get_attr: [NovaApiLogging, host_prep_tasks]}
|
||||
external_upgrade_tasks:
|
||||
- when:
|
||||
|
|
|
|||
|
|
@ -102,15 +102,15 @@ parameters:
|
|||
description: Specifies the default CA cert to use if TLS is used for
|
||||
services in the internal network.
|
||||
InternalTLSNbdCAFile:
|
||||
default: '/etc/pki/qemu/ca-cert.pem'
|
||||
default: '/etc/ipa/ca.crt'
|
||||
type: string
|
||||
description: Specifies the CA cert to use for NBD TLS.
|
||||
InternalTLSVncCAFile:
|
||||
default: '/etc/pki/CA/certs/vnc.crt'
|
||||
default: '/etc/ipa/ca.crt'
|
||||
type: string
|
||||
description: Specifies the CA cert to use for VNC TLS.
|
||||
InternalTLSQemuCAFile:
|
||||
default: '/etc/pki/CA/certs/qemu.pem'
|
||||
default: '/etc/ipa/ca.crt'
|
||||
type: string
|
||||
description: Specifies the CA cert to use for qemu.
|
||||
CertificateKeySize:
|
||||
|
|
@ -462,97 +462,6 @@ outputs:
|
|||
"%{hiera('fqdn_$NETWORK')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
tripleo::certmonger::ca::libvirt::origin_ca_pem:
|
||||
if:
|
||||
- libvirt_specific_ca_unset
|
||||
- get_param: InternalTLSCAFile
|
||||
- get_param: LibvirtCACert
|
||||
tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt'
|
||||
tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private'
|
||||
libvirt_certificates_specs:
|
||||
libvirt-server-cert:
|
||||
service_certificate: '/etc/pki/libvirt/servercert.pem'
|
||||
service_key: '/etc/pki/libvirt/private/serverkey.pem'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "libvirt/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
libvirt-client-cert:
|
||||
service_certificate: '/etc/pki/libvirt/clientcert.pem'
|
||||
service_key: '/etc/pki/libvirt/private/clientkey.pem'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "libvirt/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_libvirtvnc_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: LibvirtCertificateKeySize}
|
||||
# create the qemu and qemu_ndb dirs and certs also when when tls for nbd
|
||||
# is not enabled this allows us to enable it even at a later time without
|
||||
# restart of instances
|
||||
tripleo::certmonger::qemu_dirs::certificate_dir: '/etc/pki/qemu'
|
||||
tripleo::certmonger::qemu_nbd_dirs::certificate_dir: '/etc/pki/libvirt-nbd'
|
||||
tripleo::certmonger::ca::qemu::origin_ca_pem:
|
||||
if:
|
||||
- qemu_specific_ca_unset
|
||||
- get_param: InternalTLSQemuCAFile
|
||||
- get_param: QemuCACert
|
||||
qemu_certificates_specs:
|
||||
qemu-server-cert:
|
||||
cacertfile:
|
||||
if:
|
||||
- qemu_specific_ca_unset
|
||||
- get_param: InternalTLSQemuCAFile
|
||||
- null
|
||||
service_certificate: '/etc/pki/qemu/server-cert.pem'
|
||||
service_key: '/etc/pki/qemu/server-key.pem'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "qemu/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_qemu_server_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: QemuServerCertificateKeySize}
|
||||
qemu-nbd-client-cert:
|
||||
service_certificate: '/etc/pki/libvirt-nbd/client-cert.pem'
|
||||
service_key: '/etc/pki/libvirt-nbd/client-key.pem'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "qemu/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_qemu_client_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: QemuClientCertificateKeySize}
|
||||
-
|
||||
nova::migration::libvirt::live_migration_inbound_addr:
|
||||
str_replace:
|
||||
|
|
@ -567,36 +476,6 @@ outputs:
|
|||
nova::compute::libvirt::qemu::vnc_tls: true
|
||||
nova::compute::libvirt::qemu::vnc_tls_verify: true
|
||||
generate_service_certificates: true
|
||||
tripleo::certmonger::ca::libvirt_vnc::origin_ca_pem:
|
||||
if:
|
||||
- libvirt_vnc_specific_ca_unset
|
||||
- get_param: InternalTLSVncCAFile
|
||||
- get_param: LibvirtVncCACert
|
||||
tripleo::certmonger::libvirt_vnc_dirs::certificate_dir: '/etc/pki/libvirt-vnc'
|
||||
libvirt_vnc_certificates_specs:
|
||||
libvirt-vnc-server-cert:
|
||||
cacertfile:
|
||||
if:
|
||||
- libvirt_vnc_specific_ca_unset
|
||||
- get_param: InternalTLSVncCAFile
|
||||
- null
|
||||
service_certificate: '/etc/pki/libvirt-vnc/server-cert.pem'
|
||||
service_key: '/etc/pki/libvirt-vnc/server-key.pem'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_libvirtvnc_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: LibvirtVNCServerCertificateKeySize}
|
||||
- {}
|
||||
-
|
||||
if:
|
||||
|
|
@ -821,22 +700,178 @@ outputs:
|
|||
SECRET_KEY: {get_param: CephClientKey}
|
||||
- {}
|
||||
deploy_steps_tasks:
|
||||
- name: validate nova-libvirt container state
|
||||
podman_container_info:
|
||||
name: nova_libvirt
|
||||
register: nova_libvirt_infos
|
||||
failed_when:
|
||||
- nova_libvirt_infos.containers.0.Healthcheck.Status is defined
|
||||
- "'healthy' not in nova_libvirt_infos.containers.0.Healthcheck.Status"
|
||||
retries: 10
|
||||
delay: 30
|
||||
tags:
|
||||
- opendev-validation
|
||||
- opendev-validation-nova
|
||||
when:
|
||||
- container_cli == 'podman'
|
||||
- not container_healthcheck_disabled
|
||||
- step|int == 4
|
||||
list_concat:
|
||||
- - name: validate nova-libvirt container state
|
||||
podman_container_info:
|
||||
name: nova_libvirt
|
||||
register: nova_libvirt_infos
|
||||
failed_when:
|
||||
- nova_libvirt_infos.containers.0.Healthcheck.Status is defined
|
||||
- "'healthy' not in nova_libvirt_infos.containers.0.Healthcheck.Status"
|
||||
retries: 10
|
||||
delay: 30
|
||||
tags:
|
||||
- opendev-validation
|
||||
- opendev-validation-nova
|
||||
when:
|
||||
- container_cli == 'podman'
|
||||
- not container_healthcheck_disabled
|
||||
- step|int == 4
|
||||
- if:
|
||||
- use_tls_for_live_migration
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- name: Create dirs for certificates and keys
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
serole: object_r
|
||||
setype: cert_t
|
||||
seuser: system_u
|
||||
with_items:
|
||||
- '/etc/pki/libvirt'
|
||||
- '/etc/pki/libvirt/private'
|
||||
- '/etc/pki/qemu'
|
||||
- '/etc/pki/libvirt-nbd'
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: libvirt-server-cert
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "libvirt/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
run_after: |
|
||||
# Copy cert and key to libvirt dirs
|
||||
cp /etc/pki/tls/certs/libvirt-server-cert.crt /etc/pki/libvirt/servercert.pem
|
||||
cp /etc/pki/tls/private/libvirt-server-cert.key /etc/pki/libvirt/private/serverkey.pem
|
||||
systemctl reload libvirtd
|
||||
key_size:
|
||||
if:
|
||||
- key_size_libvirtvnc_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: LibvirtCertificateKeySize}
|
||||
ca: ipa
|
||||
- name: libvirt-client-cert
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "libvirt/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
run_after: |
|
||||
# Copy cert and key to libvirt dirs
|
||||
cp /etc/pki/tls/certs/libvirt-client-cert.crt /etc/pki/libvirt/clientcert.pem
|
||||
cp /etc/pki/tls/private/libvirt-client-cert.key /etc/pki/libvirt/private/clientkey.pem
|
||||
systemctl reload libvirtd
|
||||
key_size:
|
||||
if:
|
||||
- key_size_libvirtvnc_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: LibvirtCertificateKeySize}
|
||||
ca: ipa
|
||||
- name: qemu-server-cert
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "qemu/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
run_after: |
|
||||
# Copy cert and key to qemu dir
|
||||
cp /etc/pki/tls/certs/qemu-server-cert.crt /etc/pki/qemu/server-cert.pem
|
||||
cp /etc/pki/tls/private/qemu-server-cert.key /etc/pki/qemu/server-key.pem
|
||||
systemctl reload libvirtd
|
||||
key_size:
|
||||
if:
|
||||
- key_size_qemu_server_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: QemuServerCertificateKeySize}
|
||||
ca: ipa
|
||||
- name: qemu-nbd-client-cert
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "qemu/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
run_after: |
|
||||
# Copy cert and key to libvirt-nbd dir
|
||||
cp /etc/pki/tls/certs/qemu-nbd-client-cert.crt /etc/pki/libvirt-nbd/client-cert.pem
|
||||
cp /etc/pki/tls/private/qemu-nbd-client-cert.key /etc/pki/libvirt-nbd/client-key.pem
|
||||
systemctl reload libvirtd
|
||||
key_size:
|
||||
if:
|
||||
- key_size_qemu_client_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: QemuClientCertificateKeySize}
|
||||
ca: ipa
|
||||
- []
|
||||
- if:
|
||||
- use_tls_for_vnc
|
||||
-
|
||||
- name: Create dirs for certificates and keys
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
serole: object_r
|
||||
setype: cert_t
|
||||
seuser: system_u
|
||||
with_items:
|
||||
- '/etc/pki/libvirt-vnc'
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: libvirt-vnc-server-cert
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "libvirt-vnc/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
run_after: |
|
||||
# Copy cert and key to libvirt-vnc dir
|
||||
cp /etc/pki/tls/certs/libvirt-vnc-server-cert.crt /etc/pki/libvirt-vnc/server-cert.pem
|
||||
cp /etc/pki/tls/private/libvirt-vnc-server-cert.key /etc/pki/libvirt-vnc/server-key.pem
|
||||
chmod 0644 /etc/pki/libvirt-vnc/server-cert.pem
|
||||
chmod 0640 /etc/pki/libvirt-vnc/server-key.pem
|
||||
chgrp qemu /etc/pki/libvirt-vnc/server-key.pem
|
||||
key_size:
|
||||
if:
|
||||
- key_size_libvirtvnc_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: LibvirtVNCServerCertificateKeySize}
|
||||
ca: ipa
|
||||
- []
|
||||
host_prep_tasks:
|
||||
list_concat:
|
||||
- {get_attr: [NovaLibvirtLogging, host_prep_tasks]}
|
||||
|
|
|
|||
|
|
@ -262,22 +262,24 @@ outputs:
|
|||
environment:
|
||||
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||
deploy_steps_tasks:
|
||||
- name: validate nova-metadata container state
|
||||
podman_container_info:
|
||||
name: nova_metadata
|
||||
register: nova_metadata_infos
|
||||
failed_when:
|
||||
- nova_metadata_infos.containers.0.Healthcheck.Status is defined
|
||||
- "'healthy' not in nova_metadata_infos.containers.0.Healthcheck.Status"
|
||||
retries: 10
|
||||
delay: 30
|
||||
tags:
|
||||
- opendev-validation
|
||||
- opendev-validation-nova
|
||||
when:
|
||||
- container_cli == 'podman'
|
||||
- not container_healthcheck_disabled
|
||||
- step|int == 5
|
||||
list_concat:
|
||||
- get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
|
||||
- - name: validate nova-metadata container state
|
||||
podman_container_info:
|
||||
name: nova_metadata
|
||||
register: nova_metadata_infos
|
||||
failed_when:
|
||||
- nova_metadata_infos.containers.0.Healthcheck.Status is defined
|
||||
- "'healthy' not in nova_metadata_infos.containers.0.Healthcheck.Status"
|
||||
retries: 10
|
||||
delay: 30
|
||||
tags:
|
||||
- opendev-validation
|
||||
- opendev-validation-nova
|
||||
when:
|
||||
- container_cli == 'podman'
|
||||
- not container_healthcheck_disabled
|
||||
- step|int == 5
|
||||
host_prep_tasks: {get_attr: [NovaMetadataLogging, host_prep_tasks]}
|
||||
metadata_settings:
|
||||
get_attr: [ApacheServiceBase, role_data, metadata_settings]
|
||||
|
|
|
|||
|
|
@ -52,7 +52,7 @@ parameters:
|
|||
enable TLS transaport for libvirt VNC and configure the
|
||||
relevant keys for libvirt.
|
||||
InternalTLSVncProxyCAFile:
|
||||
default: '/etc/pki/CA/certs/vnc.crt'
|
||||
default: '/etc/ipa/ca.crt'
|
||||
type: string
|
||||
description: Specifies the CA cert to use for VNC TLS.
|
||||
CertificateKeySize:
|
||||
|
|
@ -75,7 +75,7 @@ parameters:
|
|||
default: ''
|
||||
description: This specifies the CA certificate to use for VNC TLS.
|
||||
This file will be symlinked to the default CA path,
|
||||
which is /etc/pki/libvirt-vnc/ca-cert.pem.
|
||||
which is /etc/pki/CA/certs/vnc.crt.
|
||||
This parameter should be used if the default (which comes from
|
||||
the InternalTLSVncProxyCAFile parameter) is not desired. The current
|
||||
default reflects TripleO's default CA, which is FreeIPA.
|
||||
|
|
@ -202,9 +202,9 @@ outputs:
|
|||
-
|
||||
nova::vncproxy::allow_vencrypt: true
|
||||
nova::vncproxy::allow_noauth: {if: [allow_noauth, true, false]}
|
||||
nova::vncproxy::vencrypt_key: /etc/pki/libvirt-vnc/client-key.pem
|
||||
nova::vncproxy::vencrypt_cert: /etc/pki/libvirt-vnc/client-cert.pem
|
||||
nova::vncproxy::vencrypt_ca: /etc/pki/libvirt-vnc/ca-cert.pem
|
||||
nova::vncproxy::vencrypt_key: /etc/pki/tls/private/libvirt-vnc-client-cert.key
|
||||
nova::vncproxy::vencrypt_cert: /etc/pki/tls/certs/libvirt-vnc-client-cert.crt
|
||||
nova::vncproxy::vencrypt_ca: /etc/pki/CA/certs/vnc.crt
|
||||
nova::ssl_only: true
|
||||
nova::console_ssl_ciphers:
|
||||
if:
|
||||
|
|
@ -212,58 +212,9 @@ outputs:
|
|||
- null
|
||||
- get_param: NovaVNCProxySSLCiphers
|
||||
nova::console_ssl_minimum_version: {get_param: NovaVNCProxySSLMinimumVersion}
|
||||
nova::cert: /etc/pki/tls/certs/novnc_proxy.crt
|
||||
nova::key: /etc/pki/tls/private/novnc_proxy.key
|
||||
nova::cert: /etc/pki/tls/certs/novnc-proxy.crt
|
||||
nova::key: /etc/pki/tls/private/novnc-proxy.key
|
||||
generate_service_certificates: true
|
||||
tripleo::certmonger::ca::libvirt_vnc::origin_ca_pem:
|
||||
if:
|
||||
- libvirt_vnc_specific_ca_unset
|
||||
- get_param: InternalTLSVncProxyCAFile
|
||||
- get_param: LibvirtVncCACert
|
||||
tripleo::certmonger::libvirt_vnc_dirs::certificate_dir: '/etc/pki/libvirt-vnc'
|
||||
libvirt_vnc_certificates_specs:
|
||||
libvirt-vnc-client-cert:
|
||||
cacertfile:
|
||||
if:
|
||||
- libvirt_vnc_specific_ca_unset
|
||||
- get_param: InternalTLSVncProxyCAFile
|
||||
- null
|
||||
service_certificate: '/etc/pki/libvirt-vnc/client-cert.pem'
|
||||
service_key: '/etc/pki/libvirt-vnc/client-key.pem'
|
||||
notify_service: '%{::nova::params::vncproxy_service_name}'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaVncProxyNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaVncProxyNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_libvirtvnc_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: LibvirtVNCClientCertificateKeySize}
|
||||
novnc_proxy_certificates_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/novnc_proxy.crt'
|
||||
service_key: '/etc/pki/tls/private/novnc_proxy.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "novnc-proxy/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_novavnc_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: NovaVNCCertificateKeySize}
|
||||
- {}
|
||||
service_config_settings:
|
||||
rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq}
|
||||
|
|
@ -304,8 +255,12 @@ outputs:
|
|||
- path: /var/log/nova
|
||||
owner: nova:nova
|
||||
recurse: true
|
||||
- path: /etc/pki/tls/private/novnc_proxy.key
|
||||
- path: /etc/pki/tls/certs/novnc-proxy.crt
|
||||
owner: root:root
|
||||
perm: '0644'
|
||||
- path: /etc/pki/tls/private/novnc-proxy.key
|
||||
owner: root:nova
|
||||
perm: '0640'
|
||||
docker_config:
|
||||
step_4:
|
||||
nova_vnc_proxy:
|
||||
|
|
@ -327,17 +282,17 @@ outputs:
|
|||
- use_tls_for_vnc
|
||||
-
|
||||
- str_replace:
|
||||
template: "CACERT:/etc/pki/libvirt-vnc/ca-cert.pem:ro"
|
||||
template: "CACERT:/etc/pki/CA/certs/vnc.crt:ro"
|
||||
params:
|
||||
CACERT:
|
||||
if:
|
||||
- libvirt_vnc_specific_ca_unset
|
||||
- get_param: InternalTLSVncProxyCAFile
|
||||
- get_param: LibvirtVncCACert
|
||||
- /etc/pki/libvirt-vnc/client-cert.pem:/etc/pki/libvirt-vnc/client-cert.pem:ro
|
||||
- /etc/pki/libvirt-vnc/client-key.pem:/etc/pki/libvirt-vnc/client-key.pem:ro
|
||||
- /etc/pki/tls/certs/novnc_proxy.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/novnc_proxy.crt:ro
|
||||
- /etc/pki/tls/private/novnc_proxy.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/novnc_proxy.key:ro
|
||||
- /etc/pki/tls/certs/libvirt-vnc-client-cert.crt:/etc/pki/tls/certs/libvirt-vnc-client-cert.crt:ro
|
||||
- /etc/pki/tls/private/libvirt-vnc-client-cert.key:/etc/pki/tls/private/libvirt-vnc-client-cert.key:ro
|
||||
- /etc/pki/tls/certs/novnc-proxy.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/novnc-proxy.crt:ro
|
||||
- /etc/pki/tls/private/novnc-proxy.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/novnc-proxy.key:ro
|
||||
- null
|
||||
environment:
|
||||
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||
|
|
@ -353,22 +308,83 @@ outputs:
|
|||
type: node
|
||||
- null
|
||||
deploy_steps_tasks:
|
||||
- name: validate nova-vnc-proxy container state
|
||||
podman_container_info:
|
||||
name: nova_vnc_proxy
|
||||
register: nova_vnc_proxy_infos
|
||||
failed_when:
|
||||
- nova_vnc_proxy_infos.containers.0.Healthcheck.Status is defined
|
||||
- "'healthy' not in nova_vnc_proxy_infos.containers.0.Healthcheck.Status"
|
||||
retries: 10
|
||||
delay: 30
|
||||
tags:
|
||||
- opendev-validation
|
||||
- opendev-validation-nova
|
||||
when:
|
||||
- container_cli == 'podman'
|
||||
- not container_healthcheck_disabled
|
||||
- step|int == 5
|
||||
list_concat:
|
||||
- - name: validate nova-vnc-proxy container state
|
||||
podman_container_info:
|
||||
name: nova_vnc_proxy
|
||||
register: nova_vnc_proxy_infos
|
||||
failed_when:
|
||||
- nova_vnc_proxy_infos.containers.0.Healthcheck.Status is defined
|
||||
- "'healthy' not in nova_vnc_proxy_infos.containers.0.Healthcheck.Status"
|
||||
retries: 10
|
||||
delay: 30
|
||||
tags:
|
||||
- opendev-validation
|
||||
- opendev-validation-nova
|
||||
when:
|
||||
- container_cli == 'podman'
|
||||
- not container_healthcheck_disabled
|
||||
- step|int == 5
|
||||
- if:
|
||||
- use_tls_for_vnc
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: libvirt-vnc-client-cert
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_NETWORK}}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaVncProxyNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "libvirt-vnc/{{fqdn_NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaVncProxyNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_libvirtvnc_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: LibvirtVNCClientCertificateKeySize}
|
||||
ca: ipa
|
||||
- name: novnc-proxy
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "novnc-proxy/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
||||
run_after: |
|
||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep nova_vnc_proxy)
|
||||
service_crt="/etc/pki/tls/certs/novnc-proxy.crt"
|
||||
service_key="/etc/pki/tls/private/novnc-proxy.key"
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
# Copy the new key from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||
|
||||
# Set permissions
|
||||
{{container_cli}} exec -u root "$container_name" chmod 0644 $service_crt
|
||||
{{container_cli}} exec -u root "$container_name" chmod 0640 $service_key
|
||||
{{container_cli}} exec -u root "$container_name" chgrp nova $service_key
|
||||
|
||||
# No need to trigger a reload for novnc proxy since the cert is not cached
|
||||
key_size:
|
||||
if:
|
||||
- key_size_libvirtvnc_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: NovaVNCCertificateKeySize}
|
||||
ca: ipa
|
||||
- []
|
||||
host_prep_tasks:
|
||||
list_concat:
|
||||
- {get_attr: [NovaLogging, host_prep_tasks]}
|
||||
|
|
|
|||
|
|
@ -292,6 +292,8 @@ outputs:
|
|||
volumes:
|
||||
- /var/lib/config-data/puppet-generated/nova/etc/nova:/etc/nova:ro
|
||||
metadata_settings: {get_attr: [OctaviaProviderConfig, role_data, metadata_settings]}
|
||||
deploy_steps_tasks:
|
||||
get_attr: [OctaviaProviderConfig, role_data, deploy_steps_tasks]
|
||||
docker_config:
|
||||
# Kolla_bootstrap/db_sync runs before permissions set by kolla_config
|
||||
step_2:
|
||||
|
|
|
|||
|
|
@ -81,24 +81,6 @@ outputs:
|
|||
tripleo::profile::base::octavia::provider::ovn::ovn_nb_certificate: '/etc/pki/tls/certs/ovn_octavia.crt'
|
||||
tripleo::profile::base::octavia::provider::ovn::ovn_nb_private_key: '/etc/pki/tls/private/ovn_octavia.key'
|
||||
generate_service_certificates: true
|
||||
ovn_octavia_certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/ovn_octavia.crt'
|
||||
service_key: '/etc/pki/tls/private/ovn_octavia.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ovn_octavia/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: OctaviaCertificateKeySize}
|
||||
- {}
|
||||
puppet_tags: octavia_ovn_provider_config
|
||||
provider_driver_labels:
|
||||
|
|
@ -145,3 +127,32 @@ outputs:
|
|||
merge: true
|
||||
preserve_properties: true
|
||||
- []
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- ovn_and_tls
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: ovn_octavia
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ovn_octavia/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: OctaviaCertificateKeySize}
|
||||
ca: ipa
|
||||
- null
|
||||
|
|
|
|||
|
|
@ -185,24 +185,6 @@ outputs:
|
|||
- internal_tls_enabled
|
||||
- generate_service_certificates: true
|
||||
tripleo::profile::base::neutron::agents::ovn::protocol: 'ssl'
|
||||
ovn_controller_certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/ovn_controller.crt'
|
||||
service_key: '/etc/pki/tls/private/ovn_controller.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ovn_controller/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: ContainerOvnCertificateKeySize}
|
||||
- {}
|
||||
service_config_settings: {}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
|
|
@ -308,6 +290,35 @@ outputs:
|
|||
- null
|
||||
environment:
|
||||
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: ovn_controller
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ovn_controller/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: ContainerOvnCertificateKeySize}
|
||||
ca: ipa
|
||||
- null
|
||||
host_prep_tasks:
|
||||
- name: create persistent directories
|
||||
file:
|
||||
|
|
|
|||
|
|
@ -181,24 +181,6 @@ outputs:
|
|||
get_param: InternalTLSCAFile
|
||||
tripleo::profile::base::neutron::agents::ovn::protocol: 'ssl'
|
||||
tripleo::profile::pacemaker::ovn_dbs_bundle::enable_internal_tls: true
|
||||
ovn_dbs_certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/ovn_dbs.crt'
|
||||
service_key: '/etc/pki/tls/private/ovn_dbs.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ovn_dbs/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: OvnDBSCertificateKeySize}
|
||||
- {}
|
||||
service_config_settings: {}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
|
|
@ -242,29 +224,57 @@ outputs:
|
|||
- { 'path': /var/log/containers/openvswitch, 'setype': container_file_t, 'mode': '0750' }
|
||||
- { 'path': /var/lib/openvswitch/ovn, 'setype': container_file_t }
|
||||
deploy_steps_tasks:
|
||||
- name: OVN DBS tag container image for pacemaker
|
||||
when: step|int == 1
|
||||
import_role:
|
||||
name: tripleo_container_tag
|
||||
vars:
|
||||
container_image: {get_param: ContainerOvnDbsImage}
|
||||
container_image_latest: *ovn_dbs_image_pcmklatest
|
||||
- name: OVNDbs HA Wrappers Step
|
||||
when: step|int == 3
|
||||
block: &ovn_dbs_puppet_bundle
|
||||
- name: Ovn dbs puppet bundle
|
||||
list_concat:
|
||||
- - name: OVN DBS tag container image for pacemaker
|
||||
when: step|int == 1
|
||||
import_role:
|
||||
name: tripleo_ha_wrapper
|
||||
name: tripleo_container_tag
|
||||
vars:
|
||||
tripleo_ha_wrapper_service_name: ovn_dbs
|
||||
tripleo_ha_wrapper_resource_name: ovndbs_servers
|
||||
tripleo_ha_wrapper_bundle_name: ovn-dbs-bundle
|
||||
tripleo_ha_wrapper_resource_state: Slave Master
|
||||
tripleo_ha_wrapper_puppet_config_volume: ovn_dbs
|
||||
tripleo_ha_wrapper_puppet_execute: 'include ::tripleo::profile::base::pacemaker; include ::tripleo::profile::pacemaker::ovn_dbs_bundle'
|
||||
tripleo_ha_wrapper_puppet_tags: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
|
||||
tripleo_ha_wrapper_puppet_debug: {get_param: ConfigDebug}
|
||||
|
||||
container_image: {get_param: ContainerOvnDbsImage}
|
||||
container_image_latest: *ovn_dbs_image_pcmklatest
|
||||
- name: OVNDbs HA Wrappers Step
|
||||
when: step|int == 3
|
||||
block: &ovn_dbs_puppet_bundle
|
||||
- name: Ovn dbs puppet bundle
|
||||
import_role:
|
||||
name: tripleo_ha_wrapper
|
||||
vars:
|
||||
tripleo_ha_wrapper_service_name: ovn_dbs
|
||||
tripleo_ha_wrapper_resource_name: ovndbs_servers
|
||||
tripleo_ha_wrapper_bundle_name: ovn-dbs-bundle
|
||||
tripleo_ha_wrapper_resource_state: Slave Master
|
||||
tripleo_ha_wrapper_puppet_config_volume: ovn_dbs
|
||||
tripleo_ha_wrapper_puppet_execute: 'include ::tripleo::profile::base::pacemaker; include ::tripleo::profile::pacemaker::ovn_dbs_bundle'
|
||||
tripleo_ha_wrapper_puppet_tags: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
|
||||
tripleo_ha_wrapper_puppet_debug: {get_param: ConfigDebug}
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: ovn_dbs
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ovn_controller/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: OvnDBSCertificateKeySize}
|
||||
ca: ipa
|
||||
- []
|
||||
update_tasks:
|
||||
- name: Tear-down non-HA ovn-dbs containers
|
||||
when:
|
||||
|
|
|
|||
|
|
@ -206,24 +206,6 @@ outputs:
|
|||
tripleo::profile::base::neutron::ovn_metadata::ovn_sb_certificate: '/etc/pki/tls/certs/ovn_metadata.crt'
|
||||
tripleo::profile::base::neutron::ovn_metadata::ovn_sb_private_key: '/etc/pki/tls/private/ovn_metadata.key'
|
||||
generate_service_certificates: true
|
||||
ovn_metadata_certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/ovn_metadata.crt'
|
||||
service_key: '/etc/pki/tls/private/ovn_metadata.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ovn_metadata/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: OvnMetadataCertificateKeySize}
|
||||
- {}
|
||||
|
||||
puppet_config:
|
||||
|
|
@ -354,6 +336,35 @@ outputs:
|
|||
network: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
type: node
|
||||
- null
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: ovn_metadata
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ovn_metadata/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: OvnMetadataCertificateKeySize}
|
||||
ca: ipa
|
||||
- null
|
||||
host_prep_tasks:
|
||||
list_concat:
|
||||
- {get_attr: [NeutronLogging, host_prep_tasks]}
|
||||
|
|
|
|||
|
|
@ -302,4 +302,6 @@ outputs:
|
|||
data:
|
||||
debug: {get_param: Debug}
|
||||
host_prep_tasks: {get_attr: [PlacementLogging, host_prep_tasks]}
|
||||
deploy_steps_tasks:
|
||||
get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
|
||||
upgrade_tasks: []
|
||||
|
|
|
|||
|
|
@ -208,22 +208,6 @@ outputs:
|
|||
tripleo::profile::base::rabbitmq::certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/rabbitmq.crt'
|
||||
service_key: '/etc/pki/tls/private/rabbitmq.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "rabbitmq/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: RabbitmqCertificateKeySize}
|
||||
- {}
|
||||
- rabbitmq::admin_enable: false
|
||||
rabbitmq::management_enable: true
|
||||
|
|
@ -350,6 +334,48 @@ outputs:
|
|||
network: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
||||
type: node
|
||||
- null
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: rabbitmq
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
||||
run_after: |
|
||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
|
||||
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
|
||||
service_key="/etc/pki/tls/private/rabbitmq.key"
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
# Copy the new key from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||
# Set appropriate permissions
|
||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
|
||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
|
||||
# Trigger a pem cache clear in RabbitMQ to read the new certificates
|
||||
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: RabbitmqCertificateKeySize}
|
||||
ca: ipa
|
||||
- null
|
||||
host_prep_tasks:
|
||||
- name: create persistent directories
|
||||
file:
|
||||
|
|
|
|||
|
|
@ -153,22 +153,6 @@ outputs:
|
|||
tripleo::profile::base::rabbitmq::certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/rabbitmq.crt'
|
||||
service_key: '/etc/pki/tls/private/rabbitmq.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "rabbitmq/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: RabbitmqMessageCertificateKeySize}
|
||||
- {}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
puppet_config:
|
||||
|
|
@ -285,6 +269,48 @@ outputs:
|
|||
network: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
|
||||
type: node
|
||||
- null
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: rabbitmq
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
|
||||
run_after: |
|
||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
|
||||
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
|
||||
service_key="/etc/pki/tls/private/rabbitmq.key"
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
# Copy the new key from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||
# Set appropriate permissions
|
||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
|
||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
|
||||
# Trigger a pem cache clear in RabbitMQ to read the new certificates
|
||||
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: RabbitmqMessageCertificateKeySize}
|
||||
ca: ipa
|
||||
- null
|
||||
host_prep_tasks:
|
||||
- name: create persistent directories
|
||||
file:
|
||||
|
|
|
|||
|
|
@ -238,28 +238,30 @@ outputs:
|
|||
metadata_settings:
|
||||
get_attr: [RabbitmqBase, role_data, metadata_settings]
|
||||
deploy_steps_tasks:
|
||||
- name: RabbitMQ tag container image for pacemaker
|
||||
when: step|int == 1
|
||||
import_role:
|
||||
name: tripleo_container_tag
|
||||
vars:
|
||||
container_image: {get_param: ContainerRabbitmqImage}
|
||||
container_image_latest: *rabbitmq_image_pcmklatest
|
||||
- name: RabbitMQ Notify HA Wrappers Step
|
||||
when: step|int == 2
|
||||
block: &oslo_messaging_notify_puppet_bundle
|
||||
- name: RabbitMQ notify puppet bundle
|
||||
list_concat:
|
||||
- get_attr: [RabbitmqBase, role_data, deploy_steps_tasks]
|
||||
- - name: RabbitMQ tag container image for pacemaker
|
||||
when: step|int == 1
|
||||
import_role:
|
||||
name: tripleo_ha_wrapper
|
||||
name: tripleo_container_tag
|
||||
vars:
|
||||
tripleo_ha_wrapper_service_name: oslo_messaging_notify
|
||||
tripleo_ha_wrapper_resource_name: rabbitmq
|
||||
tripleo_ha_wrapper_bundle_name: rabbitmq-bundle
|
||||
tripleo_ha_wrapper_resource_state: Started
|
||||
tripleo_ha_wrapper_puppet_config_volume: rabbitmq
|
||||
tripleo_ha_wrapper_puppet_execute: '["Rabbitmq_policy", "Rabbitmq_user"].each |String $val| { noop_resource($val) }; include ::tripleo::profile::base::pacemaker; include ::tripleo::profile::pacemaker::rabbitmq_bundle'
|
||||
tripleo_ha_wrapper_puppet_tags: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
|
||||
tripleo_ha_wrapper_puppet_debug: {get_param: ConfigDebug}
|
||||
container_image: {get_param: ContainerRabbitmqImage}
|
||||
container_image_latest: *rabbitmq_image_pcmklatest
|
||||
- name: RabbitMQ Notify HA Wrappers Step
|
||||
when: step|int == 2
|
||||
block: &oslo_messaging_notify_puppet_bundle
|
||||
- name: RabbitMQ notify puppet bundle
|
||||
import_role:
|
||||
name: tripleo_ha_wrapper
|
||||
vars:
|
||||
tripleo_ha_wrapper_service_name: oslo_messaging_notify
|
||||
tripleo_ha_wrapper_resource_name: rabbitmq
|
||||
tripleo_ha_wrapper_bundle_name: rabbitmq-bundle
|
||||
tripleo_ha_wrapper_resource_state: Started
|
||||
tripleo_ha_wrapper_puppet_config_volume: rabbitmq
|
||||
tripleo_ha_wrapper_puppet_execute: '["Rabbitmq_policy", "Rabbitmq_user"].each |String $val| { noop_resource($val) }; include ::tripleo::profile::base::pacemaker; include ::tripleo::profile::pacemaker::rabbitmq_bundle'
|
||||
tripleo_ha_wrapper_puppet_tags: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
|
||||
tripleo_ha_wrapper_puppet_debug: {get_param: ConfigDebug}
|
||||
|
||||
update_tasks:
|
||||
- name: Tear-down non-HA rabbitmq container
|
||||
|
|
|
|||
|
|
@ -238,28 +238,30 @@ outputs:
|
|||
metadata_settings:
|
||||
get_attr: [RabbitMQServiceBase, role_data, metadata_settings]
|
||||
deploy_steps_tasks:
|
||||
- name: RabbitMQ tag container image for pacemaker
|
||||
when: step|int == 1
|
||||
import_role:
|
||||
name: tripleo_container_tag
|
||||
vars:
|
||||
container_image: {get_param: ContainerRabbitmqImage}
|
||||
container_image_latest: *rabbitmq_image_pcmklatest
|
||||
- name: RabbitMQ HA Wrappers Step
|
||||
when: step|int == 2
|
||||
block: &rabbitmq_puppet_bundle
|
||||
- name: Rabbitmq puppet bundle
|
||||
list_concat:
|
||||
- get_attr: [RabbitMQServiceBase, role_data, deploy_steps_tasks]
|
||||
- - name: RabbitMQ tag container image for pacemaker
|
||||
when: step|int == 1
|
||||
import_role:
|
||||
name: tripleo_ha_wrapper
|
||||
name: tripleo_container_tag
|
||||
vars:
|
||||
tripleo_ha_wrapper_service_name: rabbitmq
|
||||
tripleo_ha_wrapper_resource_name: rabbitmq
|
||||
tripleo_ha_wrapper_bundle_name: rabbitmq-bundle
|
||||
tripleo_ha_wrapper_resource_state: Started
|
||||
tripleo_ha_wrapper_puppet_config_volume: rabbitmq
|
||||
tripleo_ha_wrapper_puppet_execute: '["Rabbitmq_policy", "Rabbitmq_user"].each |String $val| { noop_resource($val) }; include ::tripleo::profile::base::pacemaker; include ::tripleo::profile::pacemaker::rabbitmq_bundle'
|
||||
tripleo_ha_wrapper_puppet_tags: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
|
||||
tripleo_ha_wrapper_puppet_debug: {get_param: ConfigDebug}
|
||||
container_image: {get_param: ContainerRabbitmqImage}
|
||||
container_image_latest: *rabbitmq_image_pcmklatest
|
||||
- name: RabbitMQ HA Wrappers Step
|
||||
when: step|int == 2
|
||||
block: &rabbitmq_puppet_bundle
|
||||
- name: Rabbitmq puppet bundle
|
||||
import_role:
|
||||
name: tripleo_ha_wrapper
|
||||
vars:
|
||||
tripleo_ha_wrapper_service_name: rabbitmq
|
||||
tripleo_ha_wrapper_resource_name: rabbitmq
|
||||
tripleo_ha_wrapper_bundle_name: rabbitmq-bundle
|
||||
tripleo_ha_wrapper_resource_state: Started
|
||||
tripleo_ha_wrapper_puppet_config_volume: rabbitmq
|
||||
tripleo_ha_wrapper_puppet_execute: '["Rabbitmq_policy", "Rabbitmq_user"].each |String $val| { noop_resource($val) }; include ::tripleo::profile::base::pacemaker; include ::tripleo::profile::pacemaker::rabbitmq_bundle'
|
||||
tripleo_ha_wrapper_puppet_tags: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
|
||||
tripleo_ha_wrapper_puppet_debug: {get_param: ConfigDebug}
|
||||
|
||||
update_tasks:
|
||||
- name: Tear-down non-HA rabbitmq container
|
||||
|
|
|
|||
|
|
@ -153,22 +153,6 @@ outputs:
|
|||
tripleo::profile::base::rabbitmq::certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/rabbitmq.crt'
|
||||
service_key: '/etc/pki/tls/private/rabbitmq.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "rabbitmq/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: RpcCertificateKeySize}
|
||||
- {}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
puppet_config:
|
||||
|
|
@ -285,6 +269,48 @@ outputs:
|
|||
network: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
|
||||
type: node
|
||||
- null
|
||||
deploy_steps_tasks:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: Certificate generation
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: rabbitmq
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
|
||||
run_after: |
|
||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
|
||||
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
|
||||
service_key="/etc/pki/tls/private/rabbitmq.key"
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
# Copy the new key from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||
# Set appropriate permissions
|
||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
|
||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
|
||||
# Trigger a pem cache clear in RabbitMQ to read the new certificates
|
||||
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: RpcCertificateKeySize}
|
||||
ca: ipa
|
||||
- null
|
||||
host_prep_tasks:
|
||||
- name: create persistent directories
|
||||
file:
|
||||
|
|
|
|||
|
|
@ -238,28 +238,30 @@ outputs:
|
|||
echo 'export ERL_EPMD_PORT=4370' >> /etc/rabbitmq/rabbitmq-env.conf
|
||||
for pid in $(pgrep epmd --ns 1 --nslist pid); do kill $pid; done
|
||||
deploy_steps_tasks:
|
||||
- name: RabbitMQ tag container image for pacemaker
|
||||
when: step|int == 1
|
||||
import_role:
|
||||
name: tripleo_container_tag
|
||||
vars:
|
||||
container_image: {get_param: ContainerRabbitmqImage}
|
||||
container_image_latest: *rabbitmq_image_pcmklatest
|
||||
- name: RabbitMQ RPC HA Wrappers Step
|
||||
when: step|int == 2
|
||||
block: &oslo_messaging_rpc_puppet_bundle
|
||||
- name: Rabbitmq rpc puppet bundle
|
||||
list_concat:
|
||||
- get_attr: [RabbitmqBase, role_data, deploy_steps_tasks]
|
||||
- - name: RabbitMQ tag container image for pacemaker
|
||||
when: step|int == 1
|
||||
import_role:
|
||||
name: tripleo_ha_wrapper
|
||||
name: tripleo_container_tag
|
||||
vars:
|
||||
tripleo_ha_wrapper_service_name: oslo_messaging_rpc
|
||||
tripleo_ha_wrapper_resource_name: rabbitmq
|
||||
tripleo_ha_wrapper_bundle_name: rabbitmq-bundle
|
||||
tripleo_ha_wrapper_resource_state: Started
|
||||
tripleo_ha_wrapper_puppet_config_volume: rabbitmq
|
||||
tripleo_ha_wrapper_puppet_execute: '["Rabbitmq_policy", "Rabbitmq_user"].each |String $val| { noop_resource($val) }; include ::tripleo::profile::base::pacemaker; include ::tripleo::profile::pacemaker::rabbitmq_bundle'
|
||||
tripleo_ha_wrapper_puppet_tags: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
|
||||
tripleo_ha_wrapper_puppet_debug: {get_param: ConfigDebug}
|
||||
container_image: {get_param: ContainerRabbitmqImage}
|
||||
container_image_latest: *rabbitmq_image_pcmklatest
|
||||
- name: RabbitMQ RPC HA Wrappers Step
|
||||
when: step|int == 2
|
||||
block: &oslo_messaging_rpc_puppet_bundle
|
||||
- name: Rabbitmq rpc puppet bundle
|
||||
import_role:
|
||||
name: tripleo_ha_wrapper
|
||||
vars:
|
||||
tripleo_ha_wrapper_service_name: oslo_messaging_rpc
|
||||
tripleo_ha_wrapper_resource_name: rabbitmq
|
||||
tripleo_ha_wrapper_bundle_name: rabbitmq-bundle
|
||||
tripleo_ha_wrapper_resource_state: Started
|
||||
tripleo_ha_wrapper_puppet_config_volume: rabbitmq
|
||||
tripleo_ha_wrapper_puppet_execute: '["Rabbitmq_policy", "Rabbitmq_user"].each |String $val| { noop_resource($val) }; include ::tripleo::profile::base::pacemaker; include ::tripleo::profile::pacemaker::rabbitmq_bundle'
|
||||
tripleo_ha_wrapper_puppet_tags: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
|
||||
tripleo_ha_wrapper_puppet_debug: {get_param: ConfigDebug}
|
||||
|
||||
update_tasks:
|
||||
- name: Tear-down non-HA rabbitmq container
|
||||
|
|
|
|||
|
|
@ -17,7 +17,6 @@ parameter_defaults:
|
|||
- OS::TripleO::Services::Aide
|
||||
- OS::TripleO::Services::BootParams
|
||||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::CephClient
|
||||
- OS::TripleO::Services::CephExternal
|
||||
- OS::TripleO::Services::Timesync
|
||||
|
|
|
|||
|
|
@ -34,7 +34,6 @@ parameter_defaults:
|
|||
# End static parameters
|
||||
# *********************
|
||||
resource_registry:
|
||||
OS::TripleO::Services::CertmongerUser: ../../deployment/certs/certmonger-user-baremetal-puppet.yaml
|
||||
OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml
|
||||
OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml
|
||||
OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml
|
||||
|
|
|
|||
|
|
@ -303,7 +303,10 @@ resource_registry:
|
|||
OS::TripleO::Services::Docker: OS::Heat::None
|
||||
OS::TripleO::Services::DockerRegistry: OS::Heat::None
|
||||
OS::TripleO::Services::ContainerImagePrepare: deployment/container-image-prepare/container-image-prepare-baremetal-ansible.yaml
|
||||
OS::TripleO::Services::CertmongerUser: deployment/certs/certmonger-user-baremetal-puppet.yaml
|
||||
|
||||
# TODO(xek): Remove this in Y as we switched to requesting certificates inside the relevant service's templates with ansible
|
||||
OS::TripleO::Services::CertmongerUser: OS::Heat::None
|
||||
|
||||
OS::TripleO::Services::Clustercheck: deployment/pacemaker/clustercheck-container-puppet.yaml
|
||||
OS::TripleO::Services::Rsyslog: OS::Heat::None
|
||||
OS::TripleO::Services::RsyslogSidecar: OS::Heat::None
|
||||
|
|
|
|||
|
|
@ -22,7 +22,6 @@
|
|||
- OS::TripleO::Services::BlockStorageCinderVolume
|
||||
- OS::TripleO::Services::BootParams
|
||||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::CinderBackendVRTSHyperScale
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::IpaClient
|
||||
|
|
|
|||
|
|
@ -28,7 +28,6 @@
|
|||
- OS::TripleO::Services::Aide
|
||||
- OS::TripleO::Services::AuditD
|
||||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Clustercheck
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::ContainerImagePrepare
|
||||
|
|
|
|||
|
|
@ -27,7 +27,6 @@
|
|||
- OS::TripleO::Services::CephRbdMirror
|
||||
- OS::TripleO::Services::CephRgw
|
||||
- OS::TripleO::Services::CephOSD
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::IpaClient
|
||||
- OS::TripleO::Services::Ipsec
|
||||
|
|
|
|||
|
|
@ -24,7 +24,6 @@
|
|||
- OS::TripleO::Services::CephClient
|
||||
- OS::TripleO::Services::CephMds
|
||||
- OS::TripleO::Services::CephOSD
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::IpaClient
|
||||
- OS::TripleO::Services::Ipsec
|
||||
|
|
|
|||
|
|
@ -24,7 +24,6 @@
|
|||
- OS::TripleO::Services::CephClient
|
||||
- OS::TripleO::Services::CephRgw
|
||||
- OS::TripleO::Services::CephOSD
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::IpaClient
|
||||
- OS::TripleO::Services::Ipsec
|
||||
|
|
|
|||
|
|
@ -23,7 +23,6 @@
|
|||
- OS::TripleO::Services::BootParams
|
||||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CephOSD
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::IpaClient
|
||||
- OS::TripleO::Services::Ipsec
|
||||
|
|
|
|||
|
|
@ -39,7 +39,6 @@
|
|||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CephClient
|
||||
- OS::TripleO::Services::CephExternal
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::ComputeCeilometerAgent
|
||||
- OS::TripleO::Services::ComputeNeutronCorePlugin
|
||||
|
|
|
|||
|
|
@ -24,7 +24,6 @@
|
|||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CephClient
|
||||
- OS::TripleO::Services::CephExternal
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::CollectdAlt
|
||||
- OS::TripleO::Services::ComputeCeilometerAgentAlt
|
||||
- OS::TripleO::Services::ComputeNeutronCorePlugin
|
||||
|
|
|
|||
|
|
@ -26,7 +26,6 @@
|
|||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CephClient
|
||||
- OS::TripleO::Services::CephExternal
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::ComputeCeilometerAgent
|
||||
- OS::TripleO::Services::ComputeNeutronCorePlugin
|
||||
|
|
|
|||
|
|
@ -28,7 +28,6 @@
|
|||
- OS::TripleO::Services::CephClient
|
||||
- OS::TripleO::Services::CephExternal
|
||||
- OS::TripleO::Services::CephOSD
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::ComputeCeilometerAgent
|
||||
- OS::TripleO::Services::ComputeNeutronCorePlugin
|
||||
|
|
|
|||
|
|
@ -32,7 +32,6 @@
|
|||
- OS::TripleO::Services::CephClient
|
||||
- OS::TripleO::Services::CephExternal
|
||||
- OS::TripleO::Services::CephOSD
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::ComputeCeilometerAgent
|
||||
- OS::TripleO::Services::ComputeNeutronCorePlugin
|
||||
|
|
|
|||
|
|
@ -28,7 +28,6 @@
|
|||
- OS::TripleO::Services::CephClient
|
||||
- OS::TripleO::Services::CephExternal
|
||||
- OS::TripleO::Services::CephOSD
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::ComputeCeilometerAgent
|
||||
- OS::TripleO::Services::ComputeNeutronCorePlugin
|
||||
|
|
|
|||
|
|
@ -25,7 +25,6 @@
|
|||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CephClient
|
||||
- OS::TripleO::Services::CephExternal
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::ComputeCeilometerAgent
|
||||
- OS::TripleO::Services::ComputeInstanceHA
|
||||
|
|
|
|||
|
|
@ -27,7 +27,6 @@
|
|||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CephClient
|
||||
- OS::TripleO::Services::CephExternal
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::ComputeCeilometerAgent
|
||||
- OS::TripleO::Services::ComputeNeutronCorePlugin
|
||||
|
|
|
|||
|
|
@ -28,7 +28,6 @@
|
|||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CephClient
|
||||
- OS::TripleO::Services::CephExternal
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::ComputeCeilometerAgent
|
||||
- OS::TripleO::Services::ComputeNeutronCorePlugin
|
||||
|
|
|
|||
|
|
@ -29,7 +29,6 @@
|
|||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CephClient
|
||||
- OS::TripleO::Services::CephExternal
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::ComputeCeilometerAgent
|
||||
- OS::TripleO::Services::ComputeNeutronCorePlugin
|
||||
|
|
|
|||
|
|
@ -31,7 +31,6 @@
|
|||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CephClient
|
||||
- OS::TripleO::Services::CephExternal
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::ComputeCeilometerAgent
|
||||
- OS::TripleO::Services::ComputeNeutronCorePlugin
|
||||
|
|
|
|||
|
|
@ -25,7 +25,6 @@
|
|||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CephClient
|
||||
- OS::TripleO::Services::CephExternal
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::ComputeCeilometerAgent
|
||||
- OS::TripleO::Services::ComputeNeutronCorePlugin
|
||||
|
|
|
|||
|
|
@ -28,7 +28,6 @@
|
|||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CephClient
|
||||
- OS::TripleO::Services::CephExternal
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::ComputeCeilometerAgent
|
||||
- OS::TripleO::Services::ComputeNeutronCorePlugin
|
||||
|
|
|
|||
|
|
@ -26,7 +26,6 @@
|
|||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CephClient
|
||||
- OS::TripleO::Services::CephExternal
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::ComputeCeilometerAgent
|
||||
- OS::TripleO::Services::ComputeNeutronCorePlugin
|
||||
|
|
|
|||
|
|
@ -28,7 +28,6 @@
|
|||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CephClient
|
||||
- OS::TripleO::Services::CephExternal
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::ComputeCeilometerAgent
|
||||
- OS::TripleO::Services::ComputeNeutronCorePlugin
|
||||
|
|
|
|||
|
|
@ -36,7 +36,6 @@
|
|||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CephClient
|
||||
- OS::TripleO::Services::CephExternal
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::ComputeCeilometerAgent
|
||||
- OS::TripleO::Services::ComputeNeutronCorePlugin
|
||||
|
|
|
|||
|
|
@ -24,7 +24,6 @@
|
|||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CephClient
|
||||
- OS::TripleO::Services::CephExternal
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::ComputeCeilometerAgent
|
||||
- OS::TripleO::Services::ComputeNeutronCorePlugin
|
||||
|
|
|
|||
|
|
@ -24,7 +24,6 @@
|
|||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CephClient
|
||||
- OS::TripleO::Services::CephExternal
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::ComputeCeilometerAgent
|
||||
- OS::TripleO::Services::ComputeNeutronCorePlugin
|
||||
|
|
|
|||
|
|
@ -27,7 +27,6 @@
|
|||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CephClient
|
||||
- OS::TripleO::Services::CephExternal
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::ComputeCeilometerAgent
|
||||
- OS::TripleO::Services::ComputeNeutronCorePlugin
|
||||
|
|
|
|||
|
|
@ -59,7 +59,6 @@
|
|||
- OS::TripleO::Services::CephMon
|
||||
- OS::TripleO::Services::CephRbdMirror
|
||||
- OS::TripleO::Services::CephRgw
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::CinderApi
|
||||
- OS::TripleO::Services::CinderBackendDellSc
|
||||
- OS::TripleO::Services::CinderBackendDellEMCPowerFlex
|
||||
|
|
|
|||
|
|
@ -42,7 +42,6 @@
|
|||
- OS::TripleO::Services::CephMon
|
||||
- OS::TripleO::Services::CephRbdMirror
|
||||
- OS::TripleO::Services::CephRgw
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::CinderApi
|
||||
- OS::TripleO::Services::CinderBackup
|
||||
- OS::TripleO::Services::CinderHPELeftHandISCSI
|
||||
|
|
|
|||
|
|
@ -47,7 +47,6 @@
|
|||
- OS::TripleO::Services::CeilometerAgentNotification
|
||||
- OS::TripleO::Services::CephClient
|
||||
- OS::TripleO::Services::CephExternal
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::CinderApi
|
||||
- OS::TripleO::Services::CinderBackendDellSc
|
||||
- OS::TripleO::Services::CinderBackendDellEMCPowerFlex
|
||||
|
|
|
|||
|
|
@ -41,7 +41,6 @@
|
|||
- OS::TripleO::Services::CephMon
|
||||
- OS::TripleO::Services::CephRbdMirror
|
||||
- OS::TripleO::Services::CephRgw
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::CinderApi
|
||||
- OS::TripleO::Services::CinderBackendDellSc
|
||||
- OS::TripleO::Services::CinderBackendDellEMCPowerFlex
|
||||
|
|
|
|||
|
|
@ -47,7 +47,6 @@
|
|||
- OS::TripleO::Services::CephMon
|
||||
- OS::TripleO::Services::CephRbdMirror
|
||||
- OS::TripleO::Services::CephRgw
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::CinderApi
|
||||
- OS::TripleO::Services::CinderBackup
|
||||
- OS::TripleO::Services::CinderHPELeftHandISCSI
|
||||
|
|
|
|||
|
|
@ -56,7 +56,6 @@
|
|||
- OS::TripleO::Services::CephMon
|
||||
- OS::TripleO::Services::CephRbdMirror
|
||||
- OS::TripleO::Services::CephRgw
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::CinderApi
|
||||
- OS::TripleO::Services::CinderBackendDellPs
|
||||
- OS::TripleO::Services::CinderBackendDellSc
|
||||
|
|
|
|||
|
|
@ -57,7 +57,6 @@
|
|||
- OS::TripleO::Services::CephMon
|
||||
- OS::TripleO::Services::CephRbdMirror
|
||||
- OS::TripleO::Services::CephRgw
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::CinderApi
|
||||
- OS::TripleO::Services::CinderBackendDellSc
|
||||
- OS::TripleO::Services::CinderBackendDellEMCPowerFlex
|
||||
|
|
|
|||
|
|
@ -58,7 +58,6 @@
|
|||
- OS::TripleO::Services::CephNfs
|
||||
- OS::TripleO::Services::CephRbdMirror
|
||||
- OS::TripleO::Services::CephRgw
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::CinderApi
|
||||
- OS::TripleO::Services::CinderBackendDellSc
|
||||
- OS::TripleO::Services::CinderBackendDellEMCPowerFlex
|
||||
|
|
|
|||
|
|
@ -14,7 +14,6 @@
|
|||
- OS::TripleO::Services::AuditD
|
||||
- OS::TripleO::Services::BootParams
|
||||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::Clustercheck
|
||||
- OS::TripleO::Services::IpaClient
|
||||
|
|
|
|||
|
|
@ -25,7 +25,6 @@
|
|||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CephClient
|
||||
- OS::TripleO::Services::CephExternal
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::CinderVolumeEdge
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::ComputeCeilometerAgent
|
||||
|
|
|
|||
|
|
@ -34,7 +34,6 @@
|
|||
- OS::TripleO::Services::CephRbdMirror
|
||||
- OS::TripleO::Services::CephRgw
|
||||
- OS::TripleO::Services::CephOSD
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::CinderVolumeEdge
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::ComputeCeilometerAgent
|
||||
|
|
|
|||
|
|
@ -37,7 +37,6 @@
|
|||
- OS::TripleO::Services::CephRbdMirror
|
||||
- OS::TripleO::Services::CephRgw
|
||||
- OS::TripleO::Services::CephOSD
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::ComputeCeilometerAgent
|
||||
- OS::TripleO::Services::ComputeNeutronCorePlugin
|
||||
|
|
|
|||
|
|
@ -28,7 +28,6 @@
|
|||
- OS::TripleO::Services::CephClient
|
||||
- OS::TripleO::Services::CephExternal
|
||||
- OS::TripleO::Services::CephOSD
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::ComputeCeilometerAgent
|
||||
- OS::TripleO::Services::ComputeNeutronCorePlugin
|
||||
|
|
|
|||
|
|
@ -25,7 +25,6 @@
|
|||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CephClient
|
||||
- OS::TripleO::Services::CephExternal
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::ComputeCeilometerAgent
|
||||
- OS::TripleO::Services::ComputeNeutronCorePlugin
|
||||
|
|
|
|||
|
|
@ -34,7 +34,6 @@
|
|||
- OS::TripleO::Services::CephRbdMirror
|
||||
- OS::TripleO::Services::CephRgw
|
||||
- OS::TripleO::Services::CephOSD
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::ComputeCeilometerAgent
|
||||
- OS::TripleO::Services::ComputeNeutronCorePlugin
|
||||
|
|
|
|||
|
|
@ -29,7 +29,6 @@
|
|||
- OS::TripleO::Services::CephExternal
|
||||
- OS::TripleO::Services::CephMds
|
||||
- OS::TripleO::Services::CephOSD
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::ComputeCeilometerAgent
|
||||
- OS::TripleO::Services::ComputeNeutronCorePlugin
|
||||
|
|
|
|||
|
|
@ -30,7 +30,6 @@
|
|||
- OS::TripleO::Services::CephMgr
|
||||
- OS::TripleO::Services::CephMon
|
||||
- OS::TripleO::Services::CephOSD
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::ComputeCeilometerAgent
|
||||
- OS::TripleO::Services::ComputeNeutronCorePlugin
|
||||
|
|
|
|||
|
|
@ -29,7 +29,6 @@
|
|||
- OS::TripleO::Services::CephExternal
|
||||
- OS::TripleO::Services::CephRgw
|
||||
- OS::TripleO::Services::CephOSD
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::ComputeCeilometerAgent
|
||||
- OS::TripleO::Services::ComputeNeutronCorePlugin
|
||||
|
|
|
|||
|
|
@ -16,7 +16,6 @@
|
|||
- OS::TripleO::Services::AuditD
|
||||
- OS::TripleO::Services::BootParams
|
||||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::IpaClient
|
||||
- OS::TripleO::Services::Ipsec
|
||||
|
|
|
|||
|
|
@ -14,7 +14,6 @@
|
|||
- OS::TripleO::Services::AuditD
|
||||
- OS::TripleO::Services::BootParams
|
||||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::IpaClient
|
||||
- OS::TripleO::Services::Ipsec
|
||||
|
|
|
|||
|
|
@ -13,7 +13,6 @@
|
|||
- OS::TripleO::Services::AuditD
|
||||
- OS::TripleO::Services::BootParams
|
||||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::IpaClient
|
||||
- OS::TripleO::Services::Ipsec
|
||||
- OS::TripleO::Services::Kernel
|
||||
|
|
|
|||
|
|
@ -18,7 +18,6 @@
|
|||
- OS::TripleO::Services::AuditD
|
||||
- OS::TripleO::Services::BootParams
|
||||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::IpaClient
|
||||
- OS::TripleO::Services::Ipsec
|
||||
|
|
|
|||
|
|
@ -18,7 +18,6 @@
|
|||
- OS::TripleO::Services::AuditD
|
||||
- OS::TripleO::Services::BootParams
|
||||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::Docker
|
||||
- OS::TripleO::Services::IpaClient
|
||||
|
|
|
|||
|
|
@ -14,7 +14,6 @@
|
|||
- OS::TripleO::Services::AuditD
|
||||
- OS::TripleO::Services::BootParams
|
||||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::IpaClient
|
||||
- OS::TripleO::Services::Ipsec
|
||||
|
|
|
|||
|
|
@ -15,7 +15,6 @@
|
|||
- OS::TripleO::Services::AuditD
|
||||
- OS::TripleO::Services::BootParams
|
||||
- OS::TripleO::Services::CACerts
|
||||
- OS::TripleO::Services::CertmongerUser
|
||||
- OS::TripleO::Services::Collectd
|
||||
- OS::TripleO::Services::IpaClient
|
||||
- OS::TripleO::Services::Ipsec
|
||||
|
|
|
|||
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue