7 Commits

Author SHA1 Message Date
ramishra
7f195ff9a8 Remove DefaultPasswords interface
This was mainly there as a legacy interface which was
for internal use. Now that we pull the passwords from
the existing environment and don't use it, we can drop
this.

Reduces a number of heat resources.

Change-Id: If83d0f3d72a229d737a45b2fd37507dc11a04649
2021-02-12 11:38:44 +05:30
Shnaidman Sagi (Sergey)
ab1599765c Revert "Move CA cert injection to host_prep_tasks"
This reverts commit 8e5d5283cc466b07616a57eeeee28859300022ab.

Reason for revert: broke OVB periodic jobs
Closes-Bug: #1908976

Change-Id: I9e8c2c96706e9abf9739b8a857231f522542fa5f
2020-12-29 22:29:47 +00:00
Ade Lee
8e5d5283cc Move CA cert injection to host_prep_tasks
See https://bugzilla.redhat.com/show_bug.cgi?id=1840886

Depends-On: https://review.opendev.org/#/c/743620/
Change-Id: Id9e14913168fd57c73d36f48aa6c31ac444d7ab3
2020-11-18 11:53:15 -05:00
Damien Ciabrini
0f54889408 Rolling certificate update for HA services
There are certain HA clustered services (e.g. galera) that don't
have the ability natively to reload their TLS certificate without
being restarted. If too many replicas are restarted concurrently
this might result in full service disruption.

To ensure service availability, provide a means to ensure that
only one service replica is restarted at a time in the cluster.
This works by using pacemaker's CIB to implement a cluster-wide
restart lock for a service. The lock has a TTL so it's guaranteed
to be eventually released without requiring complex contingency
cleanup in case of failures.

Tested locally by running the following:
1. force recreate certificate on all nodes at once for galera
   (ipa-cert resubmit -i mysql), and verify that the resources
   restart one after the other

2. create a lock manually in pacemaker, recreate certificate for
   galera on all nodes, and verify that no resource is restarted
   before the manually created lock expires.

3. create a lock manually, let it expire, recreate a certificate,
   and verify that the resource is restarted appropriately and the
   lock gets cleaned up from pacemaker once the restart has finished.

Closes-Bug: #1885113
Change-Id: Ib2b62e33b34cf72edfdae6299cf432259bf960a2
2020-07-30 16:51:48 +02:00
Takashi Kajinami
fffdcf0f30 Use absolute name to include puppet classes
Current puppet modules use only absolute names to include classes,
so replace relative names with absolute names in template files so that
the template description can be consistent with the puppet implementation.

Change-Id: I7a704d113289d61ed05f7a31d65caf2908a7994a
2020-04-11 08:13:23 +09:00
Ade Lee
ed7d687398 Always set hieradata for certmonger_ca
In commit 37a339d2b0f0282bf1bac96587b10ca61868cec5, the hieradata
parameter certmonger_ca was set to only be set when internal_tls was
enabled.

This breaks cert issuance by a non-local certmonger CA when
issuing the haproxy cert on the undercloud, e.g. issuing this cert by
IPA, which relies on this hieradata being set.

There is no reason to restrict this data from being set, and doing so
fixes the problem. (rhbz#1793975)

The remaining data should be set only when internal_tls is enabled.

Change-Id: If3e3870dd7bd087984e433f7aa832d1bb0ac5b2b
Fixes-Bug: 1860718
2020-02-07 15:44:25 -05:00
Dan Prince
2e2750b72d Move auditd, ca-cert, certmonger to deployment
Change-Id: I152762c33ef31a580ce1c7fba5f5e81146b2f00b
Related-Blueprint: services-yaml-flattening
2019-05-30 20:37:25 +00:00