30 Commits

Author SHA1 Message Date
Takashi Kajinami
263fee246a Ensure db initialization is not executed by puppet
Each puppet module provides the sync_db parameter to run commands to
initialize the database schema. This change ensures the feature is disabled
as we have independent tasks to run the same.

Change-Id: I8ccf4ddd40a0d1a9bff9c1ca001284eda25dc9b2
2022-03-02 14:13:06 +09:00
Brent Eagles
acf032a098 Designate: miniDNS and bind9 instances on the proper networks
This changes the listen/bind address for designate's miniDNS
instances from "all" to the internal API network. It also properly
configures the designate BIND backend to be on the external network.
(Both will default to ctlplane if it is absent)

Change-Id: I5e900354676a30ae8cf53d0a2f4db0201f05207d
2022-02-03 19:41:23 +00:00
Zuul
4bdaa20405 Merge "Role specific container support" 2022-01-28 04:04:46 +00:00
Brent Eagles
6ff47463b4 Configure logging for designate bind backend
Configure logging for the designate bind backend. Adds
DesignateBindQueryLogging to enable query logging.

Change-Id: I50ba4689b8113a22b7f134508d390f9dbbd2b254
2022-01-22 00:41:33 +00:00
Alex Schultz
ebab335f38 Role specific container support
We may want to be able to specify different containers at a role level.
This requires switching the container image parameters to be role
specific too, to allow for role based overrides.

Change-Id: I4090e889a32abd51e7c11139737a7a18e27d18e7
2022-01-21 14:18:02 -07:00
Zuul
ea4d002dde Merge "Use public endpoint for [keystone_authtoken] www_authenticate_uri" 2022-01-04 05:34:40 +00:00
Zuul
ec5b798cd2 Merge "Run designate-api under apache" 2021-12-20 20:45:50 +00:00
Takashi Kajinami
160936df13 Use public endpoint for [keystone_authtoken] www_authenticate_uri
According to the parameter description, www_authenticate_uri should be
the complete public Identity endpoint, which is accessible by all end
users.
This change replaces the internal endpoint with the public endpoint to meet that
requirement.

Closes-Bug: #1955397
Change-Id: I30165c8ee5aa4b777b73ad89ac709e2c8a375382
2021-12-20 10:51:05 +00:00
Brent Eagles
efdbece134 Run designate-api under apache
Designate should run under apache for production deployments.

Depends-On: https://review.opendev.org/c/openstack/tripleo-common/+/819648
Depends-On: https://review.opendev.org/c/openstack/puppet-tripleo/+/816894
Change-Id: I15bba65fa5054513b74c6bfbf88e8fede33b74b5
2021-12-02 15:47:52 -03:30
Takashi Kajinami
3b80985e56 Assign project-scoped service role for token validation
When SRBAC is enforced (*1), keystone requires one of the following
conditions for the validate token API.
 1) The user has the service role assigned
 2) The user is a system reader
 3) The user generated the token

When authtoken middleware validates tokens in requests, it uses service
users to call the validate_token API of Keystone. In this case
condition 3 is never met (the token is generated by an external user
while it is validated by the service user used in the API). In addition,
currently all credentials used for authtoken middleware are
project-scoped, not system-scoped, so condition 2 is never met (*2) if
SRBAC is enforced.

This change adds the project-scoped service role to all service
users so that all service users can use the validate_token API even
if SRBAC is enforced. An alternative approach would be to assign
the system-scoped reader role to these users and replace the credentials
for authtoken middleware with system-scoped ones, but we are likely to
need additional considerations to establish a proper design of
system-scoped role assignment.

(*1)
When scope evaluation is enforced (enforce_scope=True) and new rules
are enforced (enforce_new_defaults=True)

(*2)
There are a few exceptions like the nova user, which already has
the project-scoped service role to use the service token feature.

Change-Id: I18acd8da7913e2136bfa67c858381ede6c1e3d24
2021-11-25 13:16:14 +09:00
Brent Eagles
7f04caaf46 Use a designate specific directory for the bind persistent storage
Give the designate bind instance its own persistent storage path to
avoid collisions with non-tripleo-owned bind instances.

Change-Id: Id05b48c97d5d9f2cdeba5dfad67616bf97b7fcae
2021-11-08 16:11:23 -03:30
Zuul
f0276850f9 Merge "Enable enable_proxy_headers_parsing in Designate API" 2021-11-03 09:36:28 +00:00
Zuul
006a5a9f8c Merge "Simplify mysql users creation" 2021-09-15 19:52:35 +00:00
Damien Ciabrini
f2015da4b5 Simplify mysql users creation
Openstack users are configured with openstacklib, which in turn
drives puppet-mysql to create several DB users for each db service:
<service>@'%', <service>@<ip> and <service>@<mysql_vip>.

We create several users because we use two different parameters
host and allowed_hosts in openstacklib, which only has the effect
of creating a list of users per openstack service.

However, since we always create a user with host '%', this wildcard host
will always allow connection to the DB, so the other users are
currently not useful as they don't get any additional grants or
restrictions.

Simplify the entire mysql user creation to only generate one
user per service, with a wildcard host.

Change-Id: I928b03f06c702a13f4bd957eaa79153aa711cee4
Closes-Bug: #1943440
Closes-Bug: #1943330
2021-09-15 12:23:30 +02:00
Zuul
3827f4a42a Merge "Configure api_base_uri to DesignateEndpoint URI" 2021-09-15 07:49:48 +00:00
David Hill
33d9d19a49 Configure api_base_uri to DesignateEndpoint URI
Configure api_base_uri to DesignateEndpoint URI because the default
127.0.0.1:9001 is returned instead of a valid endpoint URI. This
behavior breaks openstacksdk starting with 0.31.2 but wasn't seen
with previous versions.

Change-Id: Ie531ea68a3d8e98e40a58d9c5ee484eb134abb96
2021-09-09 09:31:01 -04:00
Brent Eagles
a0f3083245 Allow configuration of the managed resource email address
Adds a parameter for configuring the managed resource email address used
to configure the email address included in DNS zone SOAs.

Change-Id: Ic7a0f5d21f138b9e522e8729163e01bfb9ae69dc
2021-09-07 15:42:05 -02:30
rabi
6d2901345a Add <service>_api_paste_ini in puppet_tags
Most of the services are either missing or using deprecated tags for
paste deploy configuration. Add those for us to be able to customize
paste deploy.

Also, removes the unnecessary tag from nova-compute.

Change-Id: I699b9283c7dbdb59923007488b4ac6c359d6eced
2021-08-11 12:33:02 +09:00
Zuul
1eafa78e2c Merge "Designate: Clean up deprecated Rabbit* parameters" 2021-08-03 17:50:03 +00:00
Zuul
b1824a00ff Merge "Add support for setting min TTL limit in designate" 2021-07-27 12:00:29 +00:00
Brent Eagles
b6148410bd Add support for setting min TTL limit in designate
This patch adds support for conditionally setting a minimum allowed TTL value with designate.

Note: also cleans up a previous conditional to take advantage of a new
wallaby heat template syntax for if's that don't have an 'else'.

Change-Id: Id80e5b07ff3080835162c2a301a7a48be9787959
2021-07-26 19:04:51 +00:00
Brent Eagles
e5ba54102b Set stop grace periods for designate services
Many of the designate services perform background synchronization
tasks and can lag a bit on shutdown, especially on heavily loaded or
large scale systems. Increasing the stop grace periods reduces the
likelihood that the system might get into a non-consistent state or a
state where a great deal of reconciling needs to occur on restart.

Change-Id: If521662eb4c47ada45cf0a9edd0a58db8a1d038d
2021-07-26 13:44:03 -02:30
Takashi Kajinami
ccacb548e2 Enable enable_proxy_headers_parsing in Designate API
... so that Designate API can detect the actual endpoint and client
ip.

Depends-on: https://review.opendev.org/800740
Change-Id: Ice5d00a8fab57a8533df287fc0ab98c84eb2cc2d
2021-07-14 11:16:16 +09:00
Takashi Kajinami
4dca2a4834 Allow tuning rpc_response_timeout
Sometimes we need to tune the rpc_response_timeout parameter to avoid
frequent errors caused by timeouts, and it's useful to provide a native
interface to tune the timeout values.

Change-Id: I4e5c122540ff66a2782e557eb246adffcac16c99
2021-07-03 16:12:56 +09:00
Takashi Kajinami
3da4283521 Designate: Clean up deprecated Rabbit* parameters
The Rabbit* parameters in designate templates were deprecated when
the Rabbit* parameters were deprecated[1] in all template files, but
these parameters were not removed by the clean up commit later.

This change removes these leftovers because these parameters have
been ineffective for a while.

[1] 405366fa32583e88c34417e5f46fa574ed8f4e98

Change-Id: If071cb8b99698f511d692263f196e1a9f9c78b1e
2021-06-27 01:53:03 +09:00
Brent Eagles
b991086fea Move designate from experimental
A lot of work has been done on designate in the wallaby cycle and its
basic functionality deploys normally. There is an active team working on
the component and the deployment support.

Change-Id: I5cda7df93cc56dd9691a9d5857de455d0f539897
2021-06-14 13:18:50 -02:30
Emilien Macchi
f1ab762ed1 Move Designate to Experimental
Designate is a great service but unfortunately, we don't have
full time maintainers, therefore we can't certify the service will be
tested and work correctly.

In this patch, we create an experimental folder and put Designate in it.

Change-Id: I8a587ebdca2c7e64ab8348155cf75c2dbb65a5ed
2019-03-12 15:12:27 +00:00
Dan Prince
b3fef6678f Fix logging config on misc services
Some of these were missing or got dropped due to recent flattening
efforts.

Change-Id: I46a62e5f9290673884c76c03dfef80929c95495e
2019-03-04 07:52:56 -05:00
Dan Prince
6090dc6677 step2: flatten the designate service configurations
This change combines the previous puppet and docker files into a single
file that performs the docker service installation and configuration
for the designate Producer, Worker, and Mdns services.

Change-Id: Ibbd14996eb6fc9b2e45dd9f24d3b7156c42da990
Related-Blueprint: services-yaml-flattening
2019-02-18 08:11:17 -05:00
Dan Prince
b8d2dd3ac6 step1: flatten the designate service configurations
This change combines the previous puppet and docker files into a single
file that performs the docker service installation and configuration
for the designate API, Central, and Sink services.

Related-Blueprint: services-yaml-flattening

Change-Id: I1c18780b252ce118836462b0857040fe1a3e8789
2019-02-06 09:42:16 -05:00