Merge "Fix cinder and etcd running with internal TLS enabled"
commit
f58516bed8
@ -111,6 +111,9 @@ resources:
|
||||
RoleName: {get_param: RoleName}
|
||||
RoleParameters: {get_param: RoleParameters}
|
||||
|
||||
CinderCommon:
|
||||
type: ./cinder-common-container-puppet.yaml
|
||||
|
||||
ApacheServiceBase:
|
||||
type: ../../deployment/apache/apache-baremetal-puppet.yaml
|
||||
properties:
|
||||
@ -313,19 +316,15 @@ outputs:
|
||||
test: /openstack/healthcheck
|
||||
volumes:
|
||||
list_concat:
|
||||
- {get_attr: [ContainersCommon, volumes]}
|
||||
- {get_attr: [CinderCommon, cinder_common_volumes]}
|
||||
-
|
||||
- /var/lib/kolla/config_files/cinder_api.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- /var/lib/config-data/puppet-generated/cinder:/var/lib/kolla/config_files/src:ro
|
||||
- /var/log/containers/cinder:/var/log/cinder:z
|
||||
- /var/log/containers/httpd/cinder-api:/var/log/httpd:z
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
||||
- []
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
- - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
||||
-
|
||||
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
||||
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
||||
- []
|
||||
environment:
|
||||
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||
|
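Review bot: If `- {get_attr: [ContainersCommon, volumes]}` (the line just above the new `- {get_attr: [CinderCommon, cinder_common_volumes]}` in the volumes hunk) survives on the new side, the ContainersCommon volumes are mounted twice, because `cinder_common_volumes` in cinder-common-container-puppet.yaml already begins with that same `get_attr`. The same pair appears in the cinder-scheduler volumes hunk and in the `cinder_volume_volumes` and `cinder_backup_volumes` outputs of the common template, where `*cinder_common_volumes` directly follows the ContainersCommon entry. Unless the container runtime is known to tolerate two bind mounts with the same destination, either drop the direct ContainersCommon entry wherever `cinder_common_volumes` is concatenated or take the ContainersCommon entry out of `cinder_common_volumes`. Whichever is chosen, a comment on the output such as `# already includes the ContainersCommon volumes; do not concat them again` would stop the next consumer repeating it.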
@ -1,9 +1,8 @@
|
||||
heat_template_version: rocky
|
||||
|
||||
description: >
|
||||
Provides the list of Docker volumes and environment to be used by the
|
||||
CinderVolume and CinderBackup services. The same list is used for
|
||||
HA and non-HA deployments.
|
||||
Provides the list of common container volumes and environment used by
|
||||
various cinder services.
|
||||
|
||||
parameters:
|
||||
EndpointMap:
|
||||
@ -52,10 +51,33 @@ parameters:
|
||||
default: false
|
||||
description: Whether to enable the multipath daemon
|
||||
type: boolean
|
||||
CinderVolumeCluster:
|
||||
default: ''
|
||||
description: >
|
||||
The cluster name used for deploying the cinder-volume service in an
|
||||
active-active (A/A) configuration. This configuration requires the
|
||||
Cinder backend drivers support A/A, and the cinder-volume service not
|
||||
be managed by pacemaker. If these criteria are not met then the cluster
|
||||
name must be left blank.
|
||||
type: string
|
||||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
EnableEtcdInternalTLS:
|
||||
description: Controls whether etcd and the cinder-volume service use TLS
|
||||
for cinder's lock manager, even when the rest of the internal
|
||||
API network is using TLS.
|
||||
type: boolean
|
||||
default: false
|
||||
|
||||
conditions:
|
||||
|
||||
multipathd_enabled: {equals: [{get_param: MultipathdEnable}, true]}
|
||||
cvol_active_active_tls_enabled:
|
||||
and:
|
||||
- not: {equals: [{get_param: CinderVolumeCluster}, '']}
|
||||
- equals: [{get_param: EnableInternalTLS}, true]
|
||||
- equals: [{get_param: EnableEtcdInternalTLS}, true]
|
||||
|
||||
resources:
|
||||
|
||||
@ -80,6 +102,22 @@ outputs:
|
||||
path: /etc/ceph
|
||||
state: directory
|
||||
|
||||
cinder_common_volumes:
|
||||
description: Common volumes for all cinder services
|
||||
value: &cinder_common_volumes
|
||||
list_concat:
|
||||
- {get_attr: [ContainersCommon, volumes]}
|
||||
-
|
||||
- /var/lib/config-data/puppet-generated/cinder:/var/lib/kolla/config_files/src:ro
|
||||
- /var/log/containers/cinder:/var/log/cinder:z
|
||||
-
|
||||
if:
|
||||
- cvol_active_active_tls_enabled
|
||||
-
|
||||
- /etc/pki/tls/certs/etcd.crt:/etc/pki/tls/certs/etcd.crt:ro
|
||||
- /etc/pki/tls/private/etcd.key:/etc/pki/tls/private/etcd.key:ro
|
||||
- []
|
||||
|
||||
cinder_volume_host_prep_tasks:
|
||||
description: Host prep tasks for the cinder-volume service (HA or non-HA)
|
||||
value:
|
||||
@ -158,11 +196,10 @@ outputs:
|
||||
description: Volumes for the cinder-volume container (HA or non-HA)
|
||||
value:
|
||||
list_concat:
|
||||
- {get_attr: [ContainersCommon, volumes]}
|
||||
- *cinder_common_volumes
|
||||
- {get_param: CinderVolumeOptVolumes}
|
||||
-
|
||||
- /var/lib/kolla/config_files/cinder_volume.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- /var/lib/config-data/puppet-generated/cinder:/var/lib/kolla/config_files/src:ro
|
||||
- /etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro
|
||||
- /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro
|
||||
- /lib/modules:/lib/modules:ro
|
||||
@ -171,7 +208,6 @@ outputs:
|
||||
- /sys:/sys
|
||||
- /var/lib/cinder:/var/lib/cinder:z
|
||||
- /var/lib/iscsi:/var/lib/iscsi:z
|
||||
- /var/log/containers/cinder:/var/log/cinder:z
|
||||
-
|
||||
if:
|
||||
- multipathd_enabled
|
||||
@ -194,10 +230,9 @@ outputs:
|
||||
description: Volumes for the cinder-backup container (HA or non-HA)
|
||||
value:
|
||||
list_concat:
|
||||
- {get_attr: [ContainersCommon, volumes]}
|
||||
- *cinder_common_volumes
|
||||
-
|
||||
- /var/lib/kolla/config_files/cinder_backup.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- /var/lib/config-data/puppet-generated/cinder:/var/lib/kolla/config_files/src:ro
|
||||
- /etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro
|
||||
- /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro
|
||||
- /dev/:/dev/
|
||||
@ -206,7 +241,6 @@ outputs:
|
||||
- /lib/modules:/lib/modules:ro
|
||||
- /var/lib/cinder:/var/lib/cinder:z
|
||||
- /var/lib/iscsi:/var/lib/iscsi:z
|
||||
- /var/log/containers/cinder:/var/log/cinder:z
|
||||
-
|
||||
if:
|
||||
- multipathd_enabled
|
||||
|
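Review bot: The description added for `EnableEtcdInternalTLS` reads as a contradiction — it says the services use TLS "even when the rest of the internal API network is using TLS", whereas the `cvol_active_active_tls_enabled` condition in the same hunk only evaluates true when `EnableInternalTLS` is also true and `CinderVolumeCluster` is non-empty. Suggest `description: Whether etcd and the cinder-volume service that uses it as a lock manager communicate over TLS. Has no effect unless EnableInternalTLS is also true.`, and `EnableInternalTLS`, added just above it, carries no description at all. The same parameter block is repeated verbatim in the cinder-volume template's parameters hunk, so both copies need the same edit.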
@ -63,6 +63,9 @@ resources:
|
||||
RoleName: {get_param: RoleName}
|
||||
RoleParameters: {get_param: RoleParameters}
|
||||
|
||||
CinderCommon:
|
||||
type: ./cinder-common-container-puppet.yaml
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
description: Role data for the Cinder Scheduler role.
|
||||
@ -121,11 +124,9 @@ outputs:
|
||||
healthcheck: {get_attr: [ContainersCommon, healthcheck_rpc_port]}
|
||||
volumes:
|
||||
list_concat:
|
||||
- {get_attr: [ContainersCommon, volumes]}
|
||||
- {get_attr: [CinderCommon, cinder_common_volumes]}
|
||||
-
|
||||
- /var/lib/kolla/config_files/cinder_scheduler.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- /var/lib/config-data/puppet-generated/cinder:/var/lib/kolla/config_files/src:ro
|
||||
- /var/log/containers/cinder:/var/log/cinder:z
|
||||
environment:
|
||||
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||
host_prep_tasks:
|
||||
|
@ -167,6 +167,23 @@ parameters:
|
||||
via the local IP for the Etcd network. If set to true, the ip
|
||||
on the local node will be used. If set to false, the VIP on the Etcd
|
||||
network will be used instead. Defaults to false.
|
||||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
EnableEtcdInternalTLS:
|
||||
description: Controls whether etcd and the cinder-volume service use TLS
|
||||
for cinder's lock manager, even when the rest of the internal
|
||||
API network is using TLS.
|
||||
type: boolean
|
||||
default: false
|
||||
|
||||
conditions:
|
||||
|
||||
cvol_active_active_tls_enabled:
|
||||
and:
|
||||
- not: {equals: [{get_param: CinderVolumeCluster}, '']}
|
||||
- equals: [{get_param: EnableInternalTLS}, true]
|
||||
- equals: [{get_param: EnableEtcdInternalTLS}, true]
|
||||
|
||||
resources:
|
||||
|
||||
@ -328,6 +345,23 @@ outputs:
|
||||
volumes: {get_attr: [CinderCommon, cinder_volume_volumes]}
|
||||
environment: {get_attr: [CinderCommon, cinder_volume_environment]}
|
||||
host_prep_tasks: {get_attr: [CinderCommon, cinder_volume_host_prep_tasks]}
|
||||
deploy_steps_tasks:
|
||||
- name: ensure cinder can access etcd's tls cert and key
|
||||
become: true
|
||||
acl:
|
||||
path: "{{ item }}"
|
||||
entity: "{{ 42407 | string }}"
|
||||
etype: user
|
||||
permissions: r
|
||||
state: present
|
||||
with_items:
|
||||
- /etc/pki/tls/certs/etcd.crt
|
||||
- /etc/pki/tls/private/etcd.key
|
||||
vars:
|
||||
cvol_active_active_tls_enabled: {if: [cvol_active_active_tls_enabled, true, false]}
|
||||
when:
|
||||
- cvol_active_active_tls_enabled|bool
|
||||
- step|int == 3
|
||||
fast_forward_upgrade_tasks:
|
||||
- when:
|
||||
- step|int == 0
|
||||
|
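Review bot: The `entity: "{{ 42407 | string }}"` in the new `ensure cinder can access etcd's tls cert and key` task is a bare magic number; a comment such as `# 42407 is the uid of the cinder user inside the kolla-built cinder images` beside it (and the matching one for `42413` in the etcd template's task) would tell the next maintainer why the ACL targets that id. The task also grants the cinder user read access to `/etc/pki/tls/private/etcd.key`, and the common template mounts that key into the cinder-volume container, so cinder-volume presumably presents etcd's own server key rather than a client credential of its own; if that reuse is deliberate, say so in the task's comment, since a key shared by two services widens what a compromise of either container exposes. Finally the task presumes both files exist on every node of the cinder-volume role, which holds only while etcd is deployed on the same nodes; on a custom role without etcd the `acl` module would fail at step 3 rather than skip, so a `stat` guard or a comment stating the co-location assumption is warranted.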
@ -52,6 +52,15 @@ parameters:
|
||||
API network is using TLS.
|
||||
type: boolean
|
||||
default: false
|
||||
InternalTLSCAFile:
|
||||
default: '/etc/ipa/ca.crt'
|
||||
type: string
|
||||
description: Specifies the default CA cert to use if TLS is used for
|
||||
services in the internal network.
|
||||
Debug:
|
||||
default: false
|
||||
description: Set to True to enable debugging on all services.
|
||||
type: boolean
|
||||
|
||||
conditions:
|
||||
internal_tls_enabled:
|
||||
@ -59,6 +68,10 @@ conditions:
|
||||
- {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
- {equals: [{get_param: EnableEtcdInternalTLS}, true]}
|
||||
|
||||
resources:
|
||||
ContainersCommon:
|
||||
type: ../containers-common.yaml
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
description: Role data for the etcd role.
|
||||
@ -79,11 +92,6 @@ outputs:
|
||||
"%{hiera('fqdn_$NETWORK')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
|
||||
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
||||
# for the given network; replacement examples (eg. for internal_api):
|
||||
# internal_api -> IP
|
||||
# internal_api_uri -> [IP]
|
||||
# internal_api_subnet - > IP/CIDR
|
||||
tripleo::profile::base::etcd::bind_ip:
|
||||
str_replace:
|
||||
template:
|
||||
@ -92,6 +100,7 @@ outputs:
|
||||
$NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
|
||||
tripleo::profile::base::etcd::client_port: '2379'
|
||||
tripleo::profile::base::etcd::peer_port: '2380'
|
||||
etcd::debug: {get_param: Debug}
|
||||
etcd::initial_cluster_token: {get_param: EtcdInitialClusterToken}
|
||||
etcd::manage_package: false
|
||||
etcd::manage_service: false
|
||||
@ -112,6 +121,18 @@ outputs:
|
||||
template: "etcd/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
|
||||
dnsnames:
|
||||
- str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
|
||||
- str_replace:
|
||||
template:
|
||||
"%{hiera('NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
|
||||
etcd::trusted_ca_file: {get_param: InternalTLSCAFile}
|
||||
etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile}
|
||||
-
|
||||
# Ensure etcd and cinder-volume aren't configured to use TLS
|
||||
tripleo::profile::base::etcd::enable_internal_tls: false
|
||||
@ -147,10 +168,19 @@ outputs:
|
||||
healthcheck:
|
||||
test: /openstack/healthcheck
|
||||
volumes:
|
||||
- /var/lib/etcd:/var/lib/etcd
|
||||
- /etc/localtime:/etc/localtime:ro
|
||||
- /var/lib/kolla/config_files/etcd.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- /var/lib/config-data/puppet-generated/etcd:/var/lib/kolla/config_files/src:ro
|
||||
list_concat:
|
||||
- {get_attr: [ContainersCommon, volumes]}
|
||||
-
|
||||
- /var/lib/etcd:/var/lib/etcd
|
||||
- /var/lib/kolla/config_files/etcd.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- /var/lib/config-data/puppet-generated/etcd/:/var/lib/kolla/config_files/src:ro
|
||||
-
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- /etc/pki/tls/certs/etcd.crt:/etc/pki/tls/certs/etcd.crt:ro
|
||||
- /etc/pki/tls/private/etcd.key:/etc/pki/tls/private/etcd.key:ro
|
||||
- null
|
||||
environment:
|
||||
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||
container_puppet_tasks:
|
||||
@ -170,6 +200,23 @@ outputs:
|
||||
path: /var/lib/etcd
|
||||
state: directory
|
||||
setype: container_file_t
|
||||
deploy_steps_tasks:
|
||||
- name: ensure etcd can access its tls cert and key
|
||||
become: true
|
||||
acl:
|
||||
path: "{{ item }}"
|
||||
entity: "{{ 42413 | string }}"
|
||||
etype: user
|
||||
permissions: r
|
||||
state: present
|
||||
with_items:
|
||||
- /etc/pki/tls/certs/etcd.crt
|
||||
- /etc/pki/tls/private/etcd.key
|
||||
vars:
|
||||
internal_tls_enabled: {if: [internal_tls_enabled, true, false]}
|
||||
when:
|
||||
- internal_tls_enabled|bool
|
||||
- step|int == 2
|
||||
upgrade_tasks: []
|
||||
metadata_settings:
|
||||
if:
|
||||
|
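Review bot: The else branch of the new `if: [internal_tls_enabled, …]` in the volumes hunk is `- null`, while the equivalent construct in cinder-common-container-puppet.yaml uses `- []`; whether `list_concat` treats null as an empty list is a Heat implementation detail, and `- []` is the unambiguous form, so using it here keeps the two templates consistent. In the same hunk the puppet-generated mount gained a trailing slash (`/var/lib/config-data/puppet-generated/etcd/:/var/lib/kolla/config_files/src:ro`) that the corresponding cinder mounts do not have; harmless as far as the page shows, but worth normalising to `/var/lib/config-data/puppet-generated/etcd:/var/lib/kolla/config_files/src:ro`.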