Fix redis_tls_proxy

Since we merged the pcs-host patches we erroneously also removed
the sidecar container that does the tls stunneling for redis.
This is needed to allow the redis master to stream the replications to
its slaves via TLS.

Tested this and we now correctly get the working container and cluster
state:
[root@controller-0 ~]# podman ps -a |grep redis
4182a78811a2  undercloud-0.ctlplane.redhat.local:8787/openstack-redis:16.2_20210218.1-hotfixupdate2       /bin/bash /usr/lo...  3 minutes ago   Up 3 minutes ago                 redis-bundle-podman-0
604a086bb53c  undercloud-0.ctlplane.redhat.local:8787/openstack-redis:16.2_20210218.1-hotfixupdate2       kolla_start           8 minutes ago   Up 8 minutes ago                 redis_tls_proxy
[root@controller-0 ~]# pcs status |grep redis
  * GuestOnline: [ galera-bundle-0@database-1 galera-bundle-1@database-2 galera-bundle-2@database-0 ovn-dbs-bundle-0@controller-0 ovn-dbs-bundle-1@controller-1 ovn-dbs-bundle-2@controller-2 rabbitmq-bundle-0@messaging-0 rabbitmq-bundle-1@messaging-1 rabbitmq-bundle-2@messaging-2 redis-bundle-0@controller-0 redis-bundle-1@controller-1 redis-bundle-2@controller-2 ]
  * Container bundle set: redis-bundle [cluster.common.tag/openstack-redis:pcmklatest]:
    * redis-bundle-0    (ocf::heartbeat:redis):  Master controller-0
    * redis-bundle-1    (ocf::heartbeat:redis):  Slave controller-1
    * redis-bundle-2    (ocf::heartbeat:redis):  Slave controller-2

We also move the redis_tls_proxy from step_2/start_order: 3 to step_1
since it actually makes sense to have it run before we start the
redis pcmk bundle at step 2 (i.e. so the slave replica can work right
away from the start).

Closes-Bug: #1916873

Change-Id: I44df0ee32e5c35b87f74bdb75dcb384496dfb6ab
Michele Baldessari 2021-02-25 09:58:17 +01:00
parent 0f47df7651
commit e6e7019add
1 changed files with 22 additions and 0 deletions

@ -243,6 +243,28 @@ outputs:
perm: '0600'
optional: true
container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
docker_config:
step_1:
if:
- internal_tls_enabled
- redis_tls_proxy:
start_order: 0
image: {get_param: ContainerRedisImage}
net: host
user: root
restart: always
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/kolla/config_files/redis_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/redis:/var/lib/kolla/config_files/src:ro
- /etc/pki/tls/certs/redis.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/redis.crt:ro
- /etc/pki/tls/private/redis.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/redis.key:ro
- /var/lib/container-config-scripts/wait-port-and-run.sh:/wait-port-and-run.sh:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
- {}
metadata_settings:
get_attr: [RedisBase, role_data, metadata_settings]
host_prep_tasks:
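Review bot: in the redis_tls_proxy entry under step_1, the bind mounts of /etc/pki/tls/certs/redis.crt and /etc/pki/tls/private/redis.key now have to resolve at step_1 rather than step_2, and with `restart: always` and no healthcheck in the definition, a proxy that cannot load them would keep restarting without the step failing. Please confirm both files exist on the host before step_1 whenever internal_tls_enabled is set, and consider adding a healthcheck so a broken TLS listener is visible. Separately, the container runs with `user: root` and `net: host`: a short comment in the template saying why root is required and why the proxy sits at step_1 ahead of the redis bundle would help, since that reasoning currently lives only in the commit message.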