Commit Graph

52 Commits

Author SHA1 Message Date
Zuul
f7c88f625a Merge "Cleanup optional flag for conf.modules.d" 2021-05-22 15:52:58 +00:00
Alex Schultz
2aa1f6364b Cleanup optional flag for conf.modules.d
This was for a bug that has since been cleaned up via a promotion.

Change-Id: I1332dd82c60113cfa2e19878da66eb4170fbb4f7
Related-Bug: #1884115
2021-05-20 13:38:47 +00:00
ramishra
b253d564f7 Use server side env merging for ServiceNetMap/VipSubnetMap
This simplifies the ServiceNetMap/VipSubnetMap interfaces
to use parameter merge strategy and removes the *Defaults
interfaces.

Change-Id: Ic73628a596e9051b5c02435b712643f9ef7425e3
2021-05-19 10:16:58 +05:30
Douglas Mendizábal
3b4d488a6a Add new options for Barbican PKCS#11 backend
This patch adds two new parameters for deploying Barbican with the
PKCS#11 backend `BarbicanPkcs11CryptoTokenLabels` and
`BarbicanPkcs11CryptoOsLockingOk`.

The patch also deprecates `BarbicanPkcs11CryptoTokenLabel` in favor of
the new option that can be set to more than one label.

Depends-On: Iba7013dd6e1b1e4650b25cd4dd8dc1f355ceb538
Change-Id: I1c5059799f613a62a13379eb82ba516a8ed3a15a
2021-04-12 08:04:18 -05:00
ramishra
06efcbbd1f Simplify conditions in barbican service templates
Change-Id: I799c4d60a674af965971c763e437e4f7987b0dff
2021-04-06 16:04:11 +05:30
ramishra
c9991c2e31 Use 'wallaby' heat_template_version
With I57047682cfa82ba6ca4affff54fab5216e9ba51c Heat has added
a new template version for wallaby. This would allow us to use
the 2-argument variant of the ``if`` function that would allow for
e.g. conditional definition of resource properties and help
clean up templates. If only two arguments are passed to the ``if``
function, the entire enclosing item is removed when the condition
is false.

Change-Id: I25f981b60c6a66b39919adc38c02a051b6c51269
2021-03-31 17:35:12 +05:30
ramishra
b4203a30eb Change all *Debug parameter types to boolean
This changes all these parameters as heat would correctly
parse all values. Also, drops all yaql shenanigans
used for their handling and heat conditions.

Also fixes wrong usage of non-existent NeutronWrapperDebug
parameter in ovn-metadata-container-puppet.yaml.

We had converted all ``Debug`` parameters to boolean with
Ib6c3969d4dd75d5fb2cc274266c060acff8d5571.

Change-Id: Ia2bffffde34aa248a4cc60c3895464f1f9d1ded2
2021-03-30 08:29:10 +05:30
Sorin Sbarnea
27788212cc Remove duplicate keys from yaml files
- removes duplicate keys from yaml files by assuming that the last
  one was the desired one (matches current loader behavior)
- prevent regressions by activating yaml lint rule that detects them
  (yaml skip was silencing all yaml checks, so the long list seen
  is in fact shorter than just 'yaml')
- includes sorting of some of the keys, was needed in order to spot
  the duplicates.

Change-Id: Idf5c0041a0c6d3ed7d5d49fb68be856719916663
2021-03-29 13:56:31 +00:00
Grzegorz Grasza
e329ca915e Generate certificates using ansible role
This is using linux-system-roles.certificate ansible role,
which replaces puppet-certmonger for submitting certificate
requests to certmonger. Each service is configured through
its heat template.

Partial-Implements: blueprint ansible-certmonger
Depends-On: https://review.rdoproject.org/r/31713
Change-Id: Ib868465c20d97c62cbcb214bfc62d949bd6efc62
2021-03-10 16:28:22 +01:00
Zuul
ce1411de77 Merge "Stop barbican services in unupgraded controllers" 2021-02-19 16:47:45 +00:00
Ade Lee
75857d3a28 Add parameters to allow multiple nshield HSMs
With this change, it is possible to configure Barbican to connect
to multiple nShield HSMs in HA mode.

Change-Id: Id086b5e661e01991913c20c0b354800a9b6e2674
2021-02-16 17:43:29 -05:00
ramishra
7f195ff9a8 Remove DefaultPasswords interface
This was mainly there as a legacy interface which was
for internal use. Now that we pull the passwords from
the existing environment and don't use it, we can drop
this.

Reduces a number of heat resources.

Change-Id: If83d0f3d72a229d737a45b2fd37507dc11a04649
2021-02-12 11:38:44 +05:30
Zuul
4b3b7f6e36 Merge "Notification drivers need to be a list" 2020-12-22 19:42:16 +00:00
Michele Baldessari
48d0e4d9b6 Notification drivers need to be a list
Convert the NotificationDriver to a comma_delimited_list.
This will still not break existing templates because passing
a string is still completely valid. This is done so that the hiera keys
will be passed down as lists.

The oslo::messaging::notifications::driver expects a list anyway so this
won't break things and will allow us to actually specify multiple
notification drivers correctly. The change that allowed
oslo::notifications to use both strings and lists is
If65946412b42e0919456ed92fdd8e3788ad67872 (Messaging notifications
should be set as a list)

Related-Bug: #1851629

Change-Id: I24c860cd3121e5c307233864818ca86967ff6d72
2020-12-18 11:26:15 +00:00
Douglas Mendizábal
144eb67ca5 Remove Luna HSM clients on scaledown
This patch adds a scaledown task to remove the HSM
client when a Controller node is being removed.

Depends-On: I87f7cb2435f77814169fbad3bd0814d370a546a1
Change-Id: Ia8698702c9494d4303ede4fd2955c5975ab07af9
2020-12-15 22:26:17 +00:00
Douglas Mendizábal
04b4ec3866 Identify HSMs using labels instead of Slot ID
This patch adds support for two new options in barbican.conf for the
PKCS#11 backend plugin:  [p11_crypto]token_label and
[p11_crypto]token_serial_number by adding two new parameters
to the Barbican deployment BarbicanPkcs11CryptoTokenSerialNumber
and BarbicanPkcs11CryptoTokenLabel.

This patch also simplifies the use of barbican-manage to generate
the MKEK and PKEK in the HSM backend by using the values provided
in barbican.conf instead of duplicating them on the command line.

For the Thales Luna Network device, this patch uses the label
parameters to identify the partition to be used.  Because we are
using labels we no longer need to write the runtime generated
Slot ID of the HA group into hieradata.

Depends-On: I4e86e73bbdef0e16d3699cec1cc8f7e17dfb643b
Change-Id: Id05acb6516daa62279c9aade41256bcec7c5fce7
2020-11-30 14:11:10 +00:00
Takashi Kajinami
6f140b93be Stop barbican services in unupgraded controllers
This change makes barbican services on unupgraded controller nodes get
stopped, because all services in the unupgraded controllers should be
stopped before we start the upgraded controller[1].

[1] 8529ce60da

Change-Id: I7031064b752450bacbb7775c0e357b98210a8929
2020-10-26 20:21:19 +09:00
Takashi Kajinami
37548ddb40 Enforce internal api for token verification
This change enforces the usage of internal api for token verification,
so that internal requests to keystone use the internal endpoint instead
of the admin endpoint which is deployed on the provisioning network by default.

Change-Id: I8b5ac36ff1da46844d18fa73f835175e52719a63
Closes-Bug: #1899266
2020-10-11 15:46:08 +09:00
Takashi Kajinami
afc0b731e0 Disable notification from services by default
Currently we disable Telemetry services like Ceilometer by default,
which means that we don't have any consumers for notification messages.
So NotificationDriver should be set as noop by default so that we don't
have unconsumed messages in notification queues.

Change-Id: I1d05749c94bd58ad4badafa7d9755009cb4b64af
Closes-Bug: #1869355
2020-09-30 09:51:08 +09:00
Douglas Mendizábal
8c358e2e7c Fix nCipher (aka thales) ansible role name
This patch fixes the role name used to run the ansible
role that configures nCipher (aka thales) HSM device when
Barbican is deployed with that backend.

The role was renamed from 'thales-hsm' to 'thales_hsm' [1]
but a couple of references were missed, which break the
deployment when using an nCipher device.

[1] https://review.opendev.org/#/c/724414

Change-Id: Ia9209cb4a781375577480c175126321515e7af7c
2020-08-31 14:28:33 +00:00
Alan Bishop
19402ff049 Consolidate the barbican-api client configurations
Replace the cinder, glance and nova service_config_settings in the
BarbicanApi template with a reference to the settings in the
BarbicanClient template. This consolidates the settings in one place.

Update the BarbicanClient's service_config_settings so it handles
all cinder services that access barbican (c-api, c-volume, c-backup).
This change takes advantage of a recent enhancement in puppet-cinder
(see https://review.opendev.org/739126).

Depends-On: Ie3c95da2c0dab83e3c4b7e10f8a3531301692da5
Change-Id: I42b7c4a2add1dc25083c4c0e8a162ca4a3880e2a
2020-08-04 08:53:46 -07:00
Douglas Mendizábal
ead85251e9 Add new Luna HSM parameter for Barbican
This patch adds a new parameter for deploying Barbican with
a Thales Luna Network HSM (LunasaClientIPNetwork).

LunasaClientIPNetwork can be used to register controller nodes
with the HSM using the controller's IP address on the given
network instead of its fqdn.

Co-Authored-By: Ade Lee <alee@redhat.com>
Depends-On: If0eb393ca970206cc95c7453641f33781eb698b2
Change-Id: I02d577939b0002b0e605ac0cbbda54e05e0b206f
2020-07-31 15:50:28 +00:00
Emilien Macchi
1a48fa61f4 Sync httpd conf.modules.d configs
For containers which run httpd, make sure conf.modules.d is also synced
into the container; so apache doesn't fail with:
AH00534: httpd: Configuration error: More than one MPM loaded.

This is now required since:
6425cc46a8

Change-Id: Ib315d10dbdbbad1628f536a74cd1fca371f018f5
Closes-Bug: #1884115
2020-06-24 03:32:02 +00:00
Ade Lee
1472d971af Add support for lunasa hsm in barbican
Change-Id: Ib3e82d641d0fa9e688a8a2c3b72c1ea28a21bf88
2020-05-01 14:17:17 -04:00
Takashi Kajinami
fffdcf0f30 Use absolute name to include puppet classes
Current puppet modules use only absolute names to include classes,
so replace relative names with absolute names in template files so that
the template description can be consistent with the puppet implementation.

Change-Id: I7a704d113289d61ed05f7a31d65caf2908a7994a
2020-04-11 08:13:23 +09:00
Rajesh Tailor
62fbe15d0b Rename roles that we have missed
These roles were not renamed when we removed all of the hyphens.
This change removes the remaining hyphenated roles.

Change-Id: I3b25bfdef91b0bfc8d624d71a884d57508eaf004
2020-03-19 12:50:24 +05:30
Takashi Kajinami
8cc62c5f14 Remove deprecated authtoken::auth_uri
auth_uri parameter in authtoken was already removed from puppet modules[1],
so remove it from hieradata.

Also, some service templates missed www_authenticate_uri, which was
introduced as a replacement of auth_uri, so add it to make sure that
we have a correct parameter configured.

[1] I12b4049e4942911c8d1d8027c579eb4c0d1a53eb

Change-Id: I1e8378f58662377344194916e8bc336df02d0591
2020-01-26 09:26:50 +09:00
Takashi Kajinami
26305fae91 Set region in authtoken middleware settings
While we can specify keystone region where all keystone resources
are created, currently we don't set the specified region correctly
in credential configurations used for authtoken middleware.

Configure region parameter for authtoken according to the parameter
KeystoneRegion so that we're consistent about the region where
we expect to have service users created.

Change-Id: Icc0ee9a859c2c67cae92339c6b4102946150269f
2020-01-18 21:59:49 +09:00
Emilien Macchi
7f40baabcd Manage all Keystone resources with Ansible
Depends-On: I557d8f33c9c699aed14b3b6fc1d1c0407365cd08
Depends-On: Ia68f8852662fb4abbd194954a246afb740bf3f71

Change-Id: I96a3351fca26cd8bb122a86cb4c3a58d5f88573e
2020-01-06 22:33:05 +00:00
Sagi Shnaidman
016f7c6002 Remove unnecessary slash volume maps
When podman parses such a volume map it removes the slash
automatically and shows in inspection volumes w/o the slash.
When comparing configurations it turns to be a difference and
it breaks idempotency of containers, causing them to be recreated.

Change-Id: Ifdebecc8c7975b6f5cfefb14b0133be247b7abf0
2019-12-04 20:32:14 +02:00
Kevin Carter
50367fbe35 Convert firewall rules to use TripleO-Ansible
This change converts our firewall deployment practice to use
the tripleo-ansible firewall role. This change creates a new
"firewall_rules" object which is queried using YAQL from the
"FirewallRules" resource.

A new parameter has been added allowing users to input
additional firewall rules as needed. The new parameter is
`ExtraFirewallRules` and will be merged on top of the YAQL
interface.

Depends-On: Ie5d0f51d7efccd112847d3f1edf5fd9cdb1edeed
Change-Id: I1be209a04f599d1d018e730c92f1fc8dd9bf884b
Signed-off-by: Kevin Carter <kecarter@redhat.com>
2019-11-18 15:40:22 -06:00
Jose Luis Franco Arza
4cbae84c75 Get rid of docker removing in post_upgrade tasks.
When upgrading from Rocky to Stein we also moved from using the docker
container engine to Podman. To ensure that every single docker container
was removed after the upgrade a post_upgrade task was added which made
use of the tripleo-docker-rm role that removed the container. In this cycle,
from Stein to Train both the Undercloud and Overcloud work with Podman, so
there is no need to remove any docker container anymore.

This patch removes all the tripleo-docker-rm post-upgrade tasks and in those
services which only included a single task, the post-upgrade-tasks section
is also erased.

Change-Id: I5c9ab55ec6ff332056a426a76e150ea3c9063c6e
2019-11-12 16:33:38 +01:00
Zuul
814ca5ed32 Merge "Add SQLAlchemy-collectd support" 2019-10-21 19:38:56 +00:00
Emilien Macchi
81258ae551 Convert container environment from a list to a dict
Moving all the container environments from lists to dicts, so they can
be consumed later by the podman_container ansible module which uses
dict.

Using a dict is also easier to parse, since it doesn't involve "=" for
each item in the environment to export.

Change-Id: I894f339cdf03bc2a93c588f826f738b0b851a3ad
Depends-On: I98c75e03d78885173d829fa850f35c52c625e6bb
2019-10-16 01:29:31 +00:00
Mike Bayer
4bee12fea1 Add SQLAlchemy-collectd support
The SQLAlchemy-collectd plugin is now shipped in podman
containers under Kolla; this allows heat templates
to pull the plugin into the collectd configuration when
the collectd templates are being used.

A corresponding change in puppet-tripleo under the same change-id
adds support to enable the plugin on the puppet side.

The feature can be enabled for an overcloud by adding:

    EnableSQLAlchemyCollectd: true

to the heat configuration while also including one of the
collectd templates from environments/metrics.

The implementation requires that OpenStack services which make
use of SQLAlchemy include directives for the plugin within
the SQLAlchemy URL, so this incurs a change in all templates
that include a MySQL database URL.

Change-Id: If598da717653a383a2d3b3373c56517f8bca832f
2019-10-11 10:16:30 -04:00
pavan.ind05@gmail.com
b9a3c9bf14 Fix default network in barbican deployment
This patch adds the default network for barbican_init_atos_directory
when atos hsm is enabled.

Change-Id: Ia7673a127a43b3a230b39ce70440d53609ca62bb
2019-08-09 15:37:20 +00:00
Zuul
29a499d665 Merge "Ensure libnsl dependency is available" 2019-08-05 23:57:05 +00:00
Douglas Mendizábal
06c8ab8bef Fix typo in barbican deployment
Change-Id: I33d62bbef3a19af0898f8047af436ed05c9a90a8
2019-08-05 12:30:22 +00:00
Bogdan Dobrelya (bogdando)
a1e580f039 Revert "Fix generating Apache configs by container-puppet"
fixes following issue coming on RHEL8 http://logs.rdoproject.org/openstack-periodic-master/opendev.org/openstack/tripleo-ci/master/periodic-tripleo-ci-rhel-8-standalone-master/11c7794/logs/undercloud/var/log/extra/podman/containers/keystone_db_sync/stdout.log.txt.gz

This reverts commit 80d12514d5.

Change-Id: Ice566e90e468bc919872d0954d2d696f4554e00b
2019-08-02 13:54:35 +02:00
Bogdan Dobrelya
80d12514d5 Fix generating Apache configs by container-puppet
The changes listed below provide a single unit of work required to
configure Apache backend for WSGI-based OpenStack API services
w/o conflicts causing containers startup failures.

W/o this change /etc/httpd/conf.modules.d/00-mpm.conf shipped with RPM
or other conflicting httpd modules might remain in the containers
and cause startup failures. While puppet removes such conflicts from
the configuration, f.e. when switching MPM 'prefork' to 'event', and we
expect it never gets into container configs.

Make kolla extended start properly enforcing the wanted state of
/etc/httpd, including conf.d and conf.modules.d, and also any of the
removed by puppet files, like conflicting Apache MPM modules.

Add container-puppet tasks to ensure apache MPM configs generated
before the main config steps that require Apache started in the
service container.

Additionally, ensure consistent mirroring across config-data
paths for the container-puppet tool. Purge obsoleted/irrelevant files
in the destination (puppet-generated) before rsyncing new contents
into it.

Closes-Bug: #1835414

Change-Id: I3e5b4372a01b29bf13179d8a16acc36da9c5caab
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2019-07-31 10:18:30 +02:00
Douglas Mendizábal
af3208c743 Ensure libnsl dependency is available
libnsl is a dependency of the nfast client software, so it must
also be mounted on the container for the nfast tools to work.

Change-Id: Ic2fb37d6ff872840ec4fc506c6949327d2d9705c
2019-07-30 10:02:01 -05:00
Jose Luis Franco Arza
d1035703b7 Force removal of docker container in tripleo-docker-rm.
The tripleo-docker-rm role has been replaced by tripleo-container-rm [0].
This role will identify the docker engine via the container_cli variable
and perform a deletion of that container. However, these tasks inside the
post_upgrade_tasks section were thought to remove the old docker containers
after upgrading from rocky to stein, in which podman starts to be the
container engine by default.

For that reason, we need to ensure that the container engine in which the
containers are removed is docker, as otherwise we will be removing the
podman container and the deployment steps will fail.

Closes-Bug: #1836531
[0] - 2135446a35

Depends-On: https://review.opendev.org/#/c/671698/
Change-Id: Ib139a1d77f71fc32a49c9878d1b4a6d07564e9dc
2019-07-19 12:37:35 +00:00
Zuul
14998e6a5d Merge "Convert Docker*Image parameters" 2019-06-18 08:01:14 +00:00
Carlos Camacho
8c6bec227f Change all step checks to |int
There are still some step checks parsing the
string value, this change moves them all to |int

Change-Id: Ib91525c1aa0413b8af76a60456e31ad9a8eb7bda
2019-06-07 16:11:08 +02:00
Dan Prince
a68151d02a Convert Docker*Image parameters
This converts all Docker*Image parameter variants into
Container*Image variants.

The commit was autogenerated with the following shell commands:

for file in $(grep -lr Docker.*Image --include \*.yaml --exclude-dir releasenotes); do
  sed -e "s|Docker\([^ ]*Image\)|Container\1|g" -i $file
done

Change-Id: Iab06efa5616975b99aa5772a65b415629f8d7882
Depends-On: I7d62a3424ccb7b01dc101329018ebda896ea8ff3
Depends-On: Ib1dc0c08ce7971a03639acc42b1e738d93a52f98
2019-06-05 14:33:44 -06:00
Alan Bishop
e9c26b6d32 Consolidate RpcPort healthchecks
Update the templates with RpcPort healthchecks to use the resource in
containers-common.yaml.

Change-Id: Ic1cc0f59d812ddf0a6a1ce9bf852c22089fd19a4
2019-05-15 14:37:58 -04:00
Dan Prince
a52498ab4d Move containers-common.yaml into deployment
Change-Id: I8cc27cd8ed76a1e124cbb54c938bb86332956ac2
Related-Blueprint: services-yaml-flattening
2019-04-14 18:15:12 -04:00
Andrew Smith
405366fa32 Deprecate messaging params replaced by global oslo params
Depends-On: I03900b39ab257a9563db37e403254b54f846c056
Change-Id: Ib55c72c0bab9aa0ffc05752a680f573cc351ae17
2019-03-28 12:13:07 -06:00
Emilien Macchi
fc65d197c7 Move apache service under deployment directory
Move the apache service under the deployment directory.

Change-Id: Iead4f910390cb75f56f96da2d24889a461275c9d
Related-Blueprint: services-yaml-flattening
2019-03-26 08:04:42 -04:00
Sergii Golovatiuk
2a8fcc4ddf Remove UpgradeRemoveUnusedPackages
UpgradeRemoveUnusedPackages is not used anymore. All packages are
supposed to be removed on undercloud upgrade to 14.

Change-Id: Ie6b739390ec0ae0c5773a5a6c63b49422195623a
2019-03-19 13:40:02 +00:00