Run the SSL verification at step2 instead of host_prep as we need
to have CACerts injected before being able to validate the SSL
certificates. It looks like NodeTLSCerts is getting deprecated
and CI has already moved away from that method.
Change-Id: I5e3491efd12ad2445a3d77f0907fbb766fe54466
Closes-bug: #1961056
Validate SSLCertificate is defined when PublicSSLCertificateAutogenerated
is False otherwise deployment fails at step4 without meaningful error
messages due to public SSL endpoints not being properly defined in
haproxy.cfg.
Change-Id: I9e0dc2913848eec9919c86372dd151ca5808fb30
We may want to be able to specify different containers at a role level.
This requires switching the container image parameters to be role
specific to allow for role based overrides.
Change-Id: I4090e889a32abd51e7c11139737a7a18e27d18e7
HAProxyEdge disables most haproxy bindings.
The metrics_qdr binding is missing, likely due to the fact it was
created after the HAProxyEdge service.
Change-Id: I5f3b678b30f6375844c0a4b094432c9be9d8e444
Services need to provide this rsyslog configuration in order for
their logs to get ingested by rsyslog for forwarding.
Closes-Bug: 1953672
Change-Id: I0da99239275fa7f53f032ca4a85460e6111738b4
In some containers we have double slashes in our paths. This has always
worked in podman 3.x but breaks with podman 4.x
* Working
[root@undercloud-0 step_1]# podman run -it --rm --net=host -v /etc/pki/tls/private/overcloud_endpoint.pem:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/overcloud_endpoint.pem undercloud-0.ctlplane.home.arpa:8787/tripleo_centos9/openstack-haproxy:latest bash
[root@undercloud-0 /]# exit
* Broken (see the '//' before src-tls)
[root@undercloud-0 step_1]# podman run -it --rm --net=host -v /etc/pki/tls/private/overcloud_endpoint.pem:/var/lib/kolla/config_files//src-tls/etc/pki/tls/private/overcloud_endpoint.pem undercloud-0.ctlplane.home.arpa:8787/tripleo_centos9/openstack-haproxy:latest bash
Error: OCI runtime error: mount `/etc/pki/tls/private/overcloud_endpoint.pem` to `/var/lib/kolla/config_files//src-tls/etc/pki/tls/private/overcloud_endpoint.pem`: Not a directory
Closes-Bug: #1949888
Change-Id: Ic7c3469c69841293902f29d5772be202978fac32
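As an added illustration of the failure described in this commit (not code from tripleo-heat-templates or from the commit itself), the following Python collapses duplicate slashes in podman `-v`/`--volume` specs before the command is run, and also exposes a lint-style check that lists offending mounts so the problem can be caught in review rather than at runtime under podman 4.x. The sample command is constructed from the invocations quoted above; the function names and the choice to collapse slashes with a regex rather than `os.path.normpath` (which would also resolve `..` and change where a mount points) are this example's own.

```python
import re
import shlex

# Constructed sample argv, modelled on the broken podman invocation quoted
# in the commit message (not taken from any TripleO file).
BROKEN_CMD = (
    "podman run -it --rm --net=host "
    "-v /etc/pki/tls/private/overcloud_endpoint.pem:"
    "/var/lib/kolla/config_files//src-tls/etc/pki/tls/private/overcloud_endpoint.pem "
    "undercloud-0.ctlplane.home.arpa:8787/tripleo_centos9/openstack-haproxy:latest bash"
)

_DUP_SLASH = re.compile(r"/{2,}")


def collapse_slashes(path):
    """Collapse runs of '/' into a single '/'. Unlike os.path.normpath this
    leaves '.' and '..' alone, so the mount still points where intended."""
    return _DUP_SLASH.sub("/", path)


def normalize_volume_spec(spec):
    """Normalise a podman HOST:CONTAINER[:OPTIONS] volume spec.

    Both path components are cleaned; the option list (ro, z, ...) is kept
    verbatim. A spec without a container path is rejected."""
    host, sep, rest = spec.partition(":")
    if not sep or not rest:
        raise ValueError(f"not a HOST:CONTAINER volume spec: {spec!r}")
    container, sep, options = rest.partition(":")
    result = f"{collapse_slashes(host)}:{collapse_slashes(container)}"
    if sep:
        result += f":{options}"
    return result


def _volume_specs(argv):
    """Yield the value of every -v / --volume / --volume= argument."""
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-v", "--volume") and i + 1 < len(argv):
            yield argv[i + 1]
            i += 2
        elif arg.startswith("--volume="):
            yield arg[len("--volume="):]
            i += 1
        else:
            i += 1


def find_double_slash_mounts(argv):
    """Lint helper: return the volume specs in argv that contain '//'."""
    return [spec for spec in _volume_specs(argv) if "//" in spec]


def normalize_podman_argv(argv):
    """Rewrite every volume spec in a podman argv. All other arguments are
    left untouched, so the image reference (which legitimately contains ':'
    and '/') is never modified."""
    out = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-v", "--volume") and i + 1 < len(argv):
            out.extend([arg, normalize_volume_spec(argv[i + 1])])
            i += 2
        elif arg.startswith("--volume="):
            out.append("--volume=" + normalize_volume_spec(arg[len("--volume="):]))
            i += 1
        else:
            out.append(arg)
            i += 1
    return out


if __name__ == "__main__":
    argv = shlex.split(BROKEN_CMD)
    print("offending mounts:", find_double_slash_mounts(argv))
    print(shlex.join(normalize_podman_argv(argv)))
```

Only `-v`/`--volume` forms are handled; a `--mount type=bind,src=...,dst=...` argument would need its own parser, and the check is best run over the rendered Ansible `volumes:` list rather than on a shell string.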
Replace the filtering using the hard-coded "external"
network name with a yaql filter using the PublicNetwork in
ServiceNetMap instead.
This should allow fully custom network name/name_lower to be
used as long as service_net_map_replace is also used or the
ServiceNetMap is provided with appropriate overrides.
Also removes jinja2 filtering on 'tenant' network, this network
does not have a VIP by default so it is already filtered by the
'and network.vip' in the jinja2 for loop. In the case 'tenant'
network does have VIP it would make sense to create a certificate
for it as well.
Related-Bug: #1946239
Change-Id: I7fa8e9931f27dbe3352b06c830441eac5bc3733e
Also correct how internal-tls detects external/tenant
This reverts commit f708ab7a827cc0db211b4709447f77126087347e.
This partially reverts commit 578bcb2ffad32c6a39d68b5dc360504e95972ffa.
Reason for revert: https://bugs.launchpad.net/tripleo/+bug/1886915/comments/8
Closes-Bug: #1886915
Change-Id: I8c692ae8419c8e537ec05ebc5d670202c57506ac
In ansible, usage of true/false for boolean values, instead of yes/no,
is considered as a best practice and is enforced by ansible-lint with
the "truthy value should be one of false, true (truthy)" rule.
This change replaces usage of yes/no by true/false to follow that
practice.
Change-Id: I3313278f1ef6cbee0f906aca0a77bde1a3c53784
Now that HAProxy configurations can leverage
frontend/backend statements [1], make this the new default
for this cycle, as it allows more complex proxying
scenarios that are a prerequisite for optimizing the routing
of API calls in an HA control plane.
[1] Ieb36f90c6709934aa3aa6668d3929bff872c30f5
Change-Id: Ic25c258895872210e7cf2d760769b492842f0048
Related-Bug: #1941617
Zaqar was deprecated in Wallaby and is no longer in use on the
undercloud and it hasn't been officially supported in the
overcloud for some time.
Change-Id: I3bdcc72d6127ec96ff2307cafbf57f6178c3ef5c
Mistral was deprecated in Wallaby and is no longer in use on the
undercloud and it hasn't been officially supported in the overcloud for
some time.
Change-Id: I6963453f53cb554ca8fdb58706f04838bbd11ba0
Follows-up I4b40d73ab329dc219ee7a387201b0747a6233ed4
Do not fail if haproxy container UUID changes.
Reasoning behind: at the time the chgrp&HUP block is executed, the new
cert has already been deployed on the host, with the correct owner
already set. So if the container_id changes at this time, it will pick
up the new cert automatically. That means that by ignoring errors
caused by mismatching UUID we'd skip an unnecessary consequent restart
of the newly spawned container, ending up with the same result. So the
safest path here would provide a sort of a cascading failure for the
crasher->restarted->reloaded once again containers.
Related rhbz#1973674
Closes-bug: #1940729
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
Change-Id: Ib0dd1516592428413452b8a260182f36e42d5b3d
The taken approach adds an unnecessary reloading of the just started
container, therefore a revert is proposed.
Related-bug: #1940729
This reverts commit a22ef3a0bc6412fdd09048f6e68d64e89d3c11dd.
Change-Id: I47f2b0a6764218314a617bb224f599f2c567730c
It is possible that the UID of the container
changes between our first parse and the script
we execute to copy the TLS Cert. We can re-check
the container ID in the script to be safe.
Also, we need to fail appropriately if we can't
find the container, or can't restart it.
Related rhbz#1973674
Closes-Bug: #1940729
Change-Id: I1b8c8e83d7b4a14a8643d63a61519f6bbac5b3d6
Change-Id: Ifafb2e71da1a921eeba8d8c6197cfb74d1ee045e
There is a possibility that haproxy container crashed and restarted
with another UUID, while the deployment is trying to reload it
after reconfiguring the certificates, by sending a
`kill -HUP <uuid-of-the-container>`. In that case, ignore errors
for the commands block, since there is no longer a need to reload the
newly created container.
Related rhbz#1973674
Change-Id: I4b40d73ab329dc219ee7a387201b0747a6233ed4
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
ec2api and panko are no longer supported by TripleO.
This change drops remaining usage of the removed tripleo::haproxy
parameters for these two services.
Change-Id: I3ceacb5e26a6878049fc13b24b541ebdc763c16a
This simplifies the ServiceNetMap/VipSubnetMap interfaces
to use parameter merge strategy and removes the *Defaults
interfaces.
Change-Id: Ic73628a596e9051b5c02435b712643f9ef7425e3
The podman container module expects security_opts to be a list but
ansible is magically handling this. Rather than rely on the ansible
behavior, let's explicitly specify it as a list.
Change-Id: Ib88ed7d17547209f383cdf2f0449c02d06e41e2d
During the extraction of the local certificate, the ansible
task uses the output of an unregistered variable, so it
passes based on a random input.
Change-Id: I9c08189aaa4c8d8b3e4dcde38b1b2cd4146ac8e5
Closes-Bug: #1925531
The glance_* parameters of the nova class have been deprecated in favor
of the new nova::glance class. This change replaces the deprecated
parameters with the new ones in that new class.
Depends-on: https://review.opendev.org/770684
Depends-on: https://review.opendev.org/772525
Change-Id: If1f6273f921fb1df62ebdc5a4654d892d919a5be
The local certmonger cert will renew after half its lifetime, which will
be after 6 months by default. The current code would extract the CA cert
to a PEM file (and trust it), only if the cert in the existing PEM file
was expired.
But this means that the certmonger local cert could be renewed after six
months and not be replaced in the PEM file until the existing cert
expired at the end of the year. If certs are issued in this time, they
will not be trusted and the update will fail.
This patch removes this condition, so that the extracted and trusted cert
always matches what is in the PEM file, and what is trusted.
Note, the only place this occurs is on the undercloud, because this is
where we could use the certmonger local cert. We assume that the haproxy
cert will be re-issued in an update.
This change has been added to puppet-tripleo for master and all previous
releases, but in master now, we do this directly in tht as we use
ansible to get the system certs.
Change-Id: Ia0ad0ac6d7a09858b56dcb419a3bec17b63779a4
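To make the change of policy concrete, here is an added Python example (not code from tripleo-heat-templates or puppet-tripleo) that puts the two decision rules side by side: the old one, which rewrote the trusted PEM only once the cert it held had expired, and the new one, which rewrites it whenever the cert extracted from certmonger differs from the one on disk, compared by SHA-256 fingerprint of the DER encoding. The "certificates" below are constructed PEM-armoured byte strings, not real X.509 data, and the dates, function names and the 12-month/6-month scenario are this example's assumptions based on the defaults stated above; a real deployment would feed in the actual PEM files.

```python
import base64
import hashlib
import ssl
from datetime import datetime, timedelta, timezone


def make_pem(der_bytes):
    """Wrap raw bytes in PEM armour. Used only to build the constructed
    sample 'certificates' below; the bytes are not real DER."""
    body = base64.encodebytes(der_bytes).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def cert_fingerprint(pem_text):
    """SHA-256 over the DER encoding, i.e. what
    `openssl x509 -noout -fingerprint -sha256` prints, without the colons."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)
    return hashlib.sha256(der).hexdigest()


def old_policy_needs_refresh(now, trusted_not_after):
    """Behaviour before this change: the PEM file was only rewritten once
    the cert it held had expired. `trusted_not_after` is the notAfter of the
    cert currently on disk (obtained out of band, e.g. from openssl)."""
    return now >= trusted_not_after


def new_policy_needs_refresh(trusted_pem, extracted_pem):
    """Behaviour after this change: rewrite whenever the cert extracted
    from certmonger differs from the one currently trusted, expired or not.
    A missing trusted file always needs writing."""
    if trusted_pem is None:
        return True
    return cert_fingerprint(trusted_pem) != cert_fingerprint(extracted_pem)


def sync_trusted_pem(trusted_pem, extracted_pem):
    """Return (content_to_write, changed) for the trusted PEM file."""
    if new_policy_needs_refresh(trusted_pem, extracted_pem):
        return extracted_pem, True
    return trusted_pem, False


# Constructed scenario: the cert certmonger issued at install time with a
# 12-month lifetime, and the one it re-issued at the half-life renewal.
INSTALL_TIME = datetime(2021, 1, 1, tzinfo=timezone.utc)
ORIGINAL_NOT_AFTER = INSTALL_TIME + timedelta(days=365)
ORIGINAL_PEM = make_pem(b"constructed-original-ca-cert")
RENEWED_PEM = make_pem(b"constructed-renewed-ca-cert")


def renewal_gap_demo():
    """Evaluate both policies at the six-month renewal point. Under the old
    rule the renewed cert is not trusted until day 365; under the new rule
    it is picked up immediately, and an unchanged cert causes no rewrite."""
    now = INSTALL_TIME + timedelta(days=183)
    return {
        "old_policy_refreshes": old_policy_needs_refresh(now, ORIGINAL_NOT_AFTER),
        "new_policy_refreshes": new_policy_needs_refresh(ORIGINAL_PEM, RENEWED_PEM),
        "unchanged_cert_refreshes": new_policy_needs_refresh(ORIGINAL_PEM, ORIGINAL_PEM),
    }


if __name__ == "__main__":
    for name, value in renewal_gap_demo().items():
        print(f"{name}: {value}")
```

Comparing fingerprints rather than expiry also means the trusted file is corrected if it drifts from certmonger's copy for any other reason, since the check is against content, not against time.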
We recently changed cert generation to use linux-system roles
to generate certs instead of puppet-certmonger. However, this broke
the ability to generate the haproxy cert on the undercloud using an
IPA server, because we relied on the ability to specify the CertmongerCA
and the hieradata to provide the correct ca, principals and dns entries.
This patch restores this ability through THT template parameters.
Change-Id: Ie2e181fcd9198ae5613fde7135230d4b4cf7343d
Injection of certificate in pacemaker-managed haproxy [1] is never
exercised due to a bad parsing of container name vs container id.
Closes-Bug: #1922106
[1] Id7308f028f33716be5e3df6699c3f2c12e33e344
Change-Id: Ic6e4264c5ad46bd2589cc907c365af2d42fde63d
With I57047682cfa82ba6ca4affff54fab5216e9ba51c Heat has added
a new template version for wallaby. This would allow us to use
2-argument variant of the ``if`` function that would allow for
e.g. conditional definition of resource properties and help
cleanup templates. If only two arguments are passed to ``if``
function, the entire enclosing item is removed when the condition
is false.
Change-Id: I25f981b60c6a66b39919adc38c02a051b6c51269
- enable run of ansible-lint, with a temporary set of excludes
- fixes two problems reported by ansible-linter
Change-Id: Ibbe23db8fd5ac1008109f50f514df96686b0fa19
Bug: #1921409
- removes duplicate keys from yaml files by assuming that the last
one was the desired one (matches current loader behavior)
- prevent regressions by activating yaml lint rule that detects them
(yaml skip was silencing all yaml checks, so the long list seen
is in fact shorter than just 'yaml')
- includes sorting of some of the keys, was needed in order to spot
the duplicates.
Change-Id: Idf5c0041a0c6d3ed7d5d49fb68be856719916663
Do not inject public certificates in pacemaker bundles by means
of "podman cp", as this pauses the container for a short amount
of time and can make pacemaker operation fail during that time
window and impact cluster for no reason.
Keep "podman cp" for non-HA containers, as the freeze is short
and doesn't seem to impact podman monitoring anyway.
The new certificate injection only works for podman 1.9+, lower
versions won't overwrite the existing certificate.
Closes-Bug: #1917868
Change-Id: Id7308f028f33716be5e3df6699c3f2c12e33e344
There are some typos in the post_script that gets called
when certmonger renews the HAProxy certificates. Fix them.
Change-Id: Ie9a64feddf7483036983f242d477fc8bdb6dbc1f
This is using linux-system-roles.certificate ansible role,
which replaces puppet-certmonger for submitting certificate
requests to certmonger. Each service is configured through
its heat template.
Partial-Implements: blueprint ansible-certmonger
Depends-On: https://review.rdoproject.org/r/31713
Change-Id: Ib868465c20d97c62cbcb214bfc62d949bd6efc62
In order to use ANSIBLE_INJECT_FACT_VARS=False we have to use ansible_facts
instead of ansible_* vars. This change switches our distribution and
hostname related items to use ansible_facts instead.
Change-Id: I49a2c42dcbb74671834f312798367f411c819813
Related-Bug: #1915761
This was mainly there as a legacy interface which was
for internal use. Now that we pull the passwords from
the existing environment and don't use it, we can drop
this.
Reduces a number of heat resources.
Change-Id: If83d0f3d72a229d737a45b2fd37507dc11a04649
We already have the task to create persistent directories for haproxy
in the HAProxyBase resource, so we don't need to define the same task
in haproxy-pacemaker-puppet.yaml.
Note that haproxy-pacemaker-puppet.yaml used to create /var/log/haproxy
but this is removed by this change because that directory is never
used.
Change-Id: I8a846317512ad068caa297821105023a71dc2183
Adding the ability to specify the private key size
used when creating the certificate. We have defined the
default value the same as we had before, 2048 bits.
Also, it will be possible to override the key_size value
per service.
Depends-on: I4da96f2164cf1d136f9471f1d6251bdd8cfd2d0b
Change-Id: Ic2edabb7f1bd0caf4a5550d03f60fab7c8354d65
Sahara support was deprecated during the previous Ussuri cycle[1], so we
can remove it completely now.
[1] f1d9b15c85fd1ed2250d40cea8184a18f458234f
Change-Id: Id047221cb912c09984cc3bf864196a26fd36736f