167 Commits

Author SHA1 Message Date
David Hill
64a19091ab Run the SSL verification at step2
Run the SSL verification at step2 instead of host_prep as we need
to have CACerts injected before being able to validate the SSL
certificates.  It looks like NodeTLSCerts is getting deprecated
and CI has already moved away from that method.

Change-Id: I5e3491efd12ad2445a3d77f0907fbb766fe54466
Closes-bug: #1961056
2022-02-16 21:03:58 -05:00
David Hill
d5701e6ceb Validate SSLCertificate is defined
Validate SSLCertificate is defined when PublicSSLCertificateAutogenerated
is False otherwise deployment fails at step4 without meaningful error
messages due to public SSL endpoints not being properly defined in
haproxy.cfg.

Change-Id: I9e0dc2913848eec9919c86372dd151ca5808fb30
2022-02-07 12:49:25 -05:00
Alex Schultz
ebab335f38 Role specific container support
We may want to be able to specify different containers at a role level.
This requires switching the container image parameters to be role
specific too, to allow for role based overrides.

Change-Id: I4090e889a32abd51e7c11139737a7a18e27d18e7
2022-01-21 14:18:02 -07:00
Oliver Walsh
4362c14ce8 Disable metrics_qdr binding in HAProxyEdge
HAProxyEdge disables most haproxy bindings.
The metrics_qdr binding is missing, likely due to the fact it was
created after the HAProxyEdge service.

Change-Id: I5f3b678b30f6375844c0a4b094432c9be9d8e444
2022-01-11 11:28:26 +00:00
Chris Sibbitt
c3bb913386 Missing rsyslog parameters for HAProxy
Services need to provide this rsyslog configuration in order for
their logs to get ingested by rsyslog for forwarding.

Closes-Bug: 1953672
Change-Id: I0da99239275fa7f53f032ca4a85460e6111738b4
2021-12-09 10:13:16 -05:00
Zuul
8cddfafbeb Merge "Remove double slashes in path" 2021-11-05 01:42:53 +00:00
Michele Baldessari
61a1dcc3b1 Remove double slashes in path
In some containers we have double slashes in our paths. This has always
worked in podman 3.x but breaks with podman 4.x

* Working

[root@undercloud-0 step_1]# podman run -it --rm --net=host -v /etc/pki/tls/private/overcloud_endpoint.pem:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/overcloud_endpoint.pem undercloud-0.ctlplane.home.arpa:8787/tripleo_centos9/openstack-haproxy:latest bash
[root@undercloud-0 /]# exit

Broken (see the '//' before src-tls)

[root@undercloud-0 step_1]# podman run -it --rm --net=host -v /etc/pki/tls/private/overcloud_endpoint.pem:/var/lib/kolla/config_files//src-tls/etc/pki/tls/private/overcloud_endpoint.pem undercloud-0.ctlplane.home.arpa:8787/tripleo_centos9/openstack-haproxy:latest bash
Error: OCI runtime error: mount `/etc/pki/tls/private/overcloud_endpoint.pem` to `/var/lib/kolla/config_files//src-tls/etc/pki/tls/private/overcloud_endpoint.pem`: Not a directory

Closes-Bug: #1949888
Change-Id: Ic7c3469c69841293902f29d5772be202978fac32
2021-11-04 18:35:09 +01:00
Michele Baldessari
52ed0f05b8 Remove old non-ha container removal tasks
Those were needed when we switched to HA by default via
https://review.opendev.org/c/openstack/tripleo-heat-templates/+/359060

That happened during ussuri, so we can drop these tasks.

Change-Id: Ibb68ca300fd8ce4c7a8830bd2bab7c9ce5182b33
2021-10-29 08:22:50 +02:00
Harald Jensås
273b41a5da Use ServiceNetMap to filter PublicNetwork in haproxy-tls
Replace the filtering using the hard-coded "external"
network name with a yaql filter using the PublicNetwork in
ServiceNetMap instead.

This should allow fully custom network name/name_lower to be
used as long as service_net_map_replace is also used or the
ServiceNetMap is provided with appropriate overrides.

Also removes jinja2 filtering on 'tenant' network, this network
does not have a VIP by default so it is already filtered by the
'and network.vip' in the jinja2 for loop. In the case 'tenant'
network does have VIP it would make sense to create a certificate
for it as well.

Related-Bug: #1946239
Change-Id: I7fa8e9931f27dbe3352b06c830441eac5bc3733e
2021-10-27 12:32:16 +02:00
Harald Jensås
82a0781b4d Revert "Fix TLS-e with custom network names"
This reverts commit 6bae260bcfa369365d9cfb3112c686f468fcef55.

Reason for revert: https://bugs.launchpad.net/tripleo/+bug/1948754
Closes-Bug: #1948754

Change-Id: I266f6a89be76a4e43add038e38236ca2dee664cd
2021-10-26 07:04:05 +00:00
Harald Jensås
6bae260bcf Fix TLS-e with custom network names
Also correct how internal-tls detects external/tenant

This reverts commit f708ab7a827cc0db211b4709447f77126087347e.
This partially reverts commit 578bcb2ffad32c6a39d68b5dc360504e95972ffa.

Reason for revert: https://bugs.launchpad.net/tripleo/+bug/1886915/comments/8

Closes-Bug: #1886915
Change-Id: I8c692ae8419c8e537ec05ebc5d670202c57506ac
2021-10-23 17:33:07 +02:00
Takashi Kajinami
76adfd4202 Use true/false for boolean values
In ansible, usage of true/false for boolean values, instead of yes/no,
is considered as a best practice and is enforced by ansible-lint with
the "truthy value should be one of false, true (truthy)" rule.

This change replaces usage of yes/no by true/false to follow that
practice.

Change-Id: I3313278f1ef6cbee0f906aca0a77bde1a3c53784
2021-10-12 09:35:38 +09:00
Damien Ciabrini
c354d21131 Use frontend/backend sections in HAProxy config
Now that HAProxy configurations can leverage
frontend/backend statements [1], make this the new default
for this cycle, as it allows more complex proxying
scenarios that are a prerequisite for optimizing the routing
of API calls in a HA control plane.

[1] Ieb36f90c6709934aa3aa6668d3929bff872c30f5

Change-Id: Ic25c258895872210e7cf2d760769b492842f0048
Related-Bug: #1941617
2021-10-01 09:30:17 +02:00
Zuul
8ef66366de Merge "Fix the failure condition for HAproxy chgrp script" 2021-09-23 07:02:53 +00:00
Zuul
8a77ef118c Merge "Revert "Adjust HAProxy script to allow for ID change"" 2021-09-22 16:27:54 +00:00
Alex Schultz
0c167aedea Remove zaqar
Zaqar was deprecated in Wallaby and is no longer in use on the
undercloud and it hasn't been officially supported in the
overcloud for some time.

Change-Id: I3bdcc72d6127ec96ff2307cafbf57f6178c3ef5c
2021-09-16 15:12:29 -06:00
Alex Schultz
cb630d03be Remove mistral
Mistral was deprecated in Wallaby and is no longer in use on the
undercloud and it hasn't been officially supported in the overcloud for
some time.

Change-Id: I6963453f53cb554ca8fdb58706f04838bbd11ba0
2021-09-16 15:12:18 -06:00
Bogdan Dobrelya
a235b70b2e Fix the failure condition for HAproxy chgrp script
Follows-up I4b40d73ab329dc219ee7a387201b0747a6233ed4

Do not fail if haproxy container UUID changes.

Reasoning behind: at the time the chgrp&HUP block is executed, the new
cert has already been deployed on the host, with the correct owner
already set. So if the container_id changes at this time, it will pick
up the new cert automatically. That means that by ignoring errors
caused by mismatching UUID we'd skip an unnecessary consequent restart
of the newly spawned container, ending up with the same result. So the
safest path here would provide a sort of a cascading failure for the
crasher->restarted->reloaded once again containers.

Related rhbz#1973674
Closes-bug: #1940729
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>

Change-Id: Ib0dd1516592428413452b8a260182f36e42d5b3d
2021-09-01 16:05:45 +00:00
Bogdan Dobrelya
835c6a04bc Revert "Adjust HAProxy script to allow for ID change"
The taken approach adds an unnecessary reloading of the just started
container, therefore a revert is proposed.

Related-bug: #1940729
This reverts commit a22ef3a0bc6412fdd09048f6e68d64e89d3c11dd.

Change-Id: I47f2b0a6764218314a617bb224f599f2c567730c
2021-09-01 17:59:31 +02:00
Brendan Shephard
a22ef3a0bc Adjust HAProxy script to allow for ID change
It is possible that the UID of the container
changes between our first parse and the script
we execute to copy the TLS Cert. We can re-check
the container ID in the script to be safe.

Also, we need to fail appropriately if we can't
find the container, or can't restart it.

Related rhbz#1973674
Closes-Bug: #1940729
Change-Id: I1b8c8e83d7b4a14a8643d63a61519f6bbac5b3d6

Change-Id: Ifafb2e71da1a921eeba8d8c6197cfb74d1ee045e
2021-08-23 14:03:44 +00:00
Bogdan Dobrelya
810b81991f Do not fail if haproxy container UUID changes
There is a possibility that haproxy container crashed and restarted
with another UUID, while the deployment is trying to reload it
after reconfiguring the certificates, by sending a
`kill -HUP <uuid-of-the-container>`. In that case, ignore errors
for the commands block, since there is no longer a need to reload the
newly created container.

Related rhbz#1973674

Change-Id: I4b40d73ab329dc219ee7a387201b0747a6233ed4
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2021-07-26 11:07:11 +00:00
Takashi Kajinami
7d0320ad99 Drop usage of removed tripleo::haproxy parameters
ec2api and panko are no longer supported by TripleO.
This change drops remaining usage of the removed tripleo::haproxy
parameters for these two services.

Change-Id: I3ceacb5e26a6878049fc13b24b541ebdc763c16a
2021-06-04 23:26:19 +09:00
ramishra
b253d564f7 Use server side env merging for ServiceNetMap/VipSubnetMap
This simplifies the ServiceNetMap/VipSubnetMap interfaces
to use parameter merge strategy and removes the *Defaults
interfaces.

Change-Id: Ic73628a596e9051b5c02435b712643f9ef7425e3
2021-05-19 10:16:58 +05:30
Alex Schultz
89f5960125 Fix container security_opts type
The podman container module expects security_opts to be a list but
ansible is magically handling this. Rather than rely on the ansible
behavior, let's explicitly specify it as a list.

Change-Id: Ib88ed7d17547209f383cdf2f0449c02d06e41e2d
2021-05-12 13:32:17 +00:00
Zuul
ae7fcc707e Merge "Fix random redeploy failure during certificate extraction" 2021-04-24 03:12:26 +00:00
Zuul
f38a5b89d3 Merge "Simplify haproxy service templates" 2021-04-23 19:53:28 +00:00
Damien Ciabrini
0419c90064 Fix random redeploy failure during certificate extraction
During the extraction of the local certificate, the ansible
task uses the output of an unregistered variable, so it
passes based on a random input.

Change-Id: I9c08189aaa4c8d8b3e4dcde38b1b2cd4146ac8e5
Closes-Bug: #1925531
2021-04-23 10:41:22 +02:00
ramishra
15ce9b6a25 Simplify haproxy service templates
Change-Id: I9992a4d2b0e2d3efe4e1622cb8ae3023be30624b
2021-04-23 08:15:33 +05:30
Zuul
48e5e1d725 Merge "HA: fix injection of certificate in haproxy container" 2021-04-22 01:03:06 +00:00
Takashi Kajinami
e2b52f4a01 Use parameters of the nova::glance class
The glance_* parameters of the nova class have been deprecated in favor
of the new nova::glance class. This change replaced the deprecated
parameters with the new ones in that new class.

Depends-on: https://review.opendev.org/770684
Depends-on: https://review.opendev.org/772525
Change-Id: If1f6273f921fb1df62ebdc5a4654d892d919a5be
2021-04-18 13:48:02 +09:00
Zuul
6233d5f758 Merge "Enable ansible-lint" 2021-04-13 19:06:05 +00:00
Zuul
591a61ec75 Merge "Fix tls for undercloud with ipa" 2021-04-13 09:45:11 +00:00
Ade Lee
a65df66fb6 Always update the local certmonger ca cert
The local certmonger cert will renew after half its lifetime, which will
be after 6 months by default.  The current code would extract the CA cert
to a PEM file (and trust it), only if the cert in the existing PEM file
was expired.

But this means that the certmonger local cert could be renewed after six
months and not be replaced in the PEM file until the existing cert
expired at the end of the year.  If certs are issued in this time, they
will not be trusted and the update will fail.

This patch removes this condition, so that the extracted and trusted cert
always matches what is in the PEM file, and what is trusted.

Note, the only place this occurs is on the undercloud - because this is
where we could use the certmonger local cert.  We assume that the haproxy
cert will be re-issued in an update.

This change has been added to puppet-tripleo for master and all previous
releases, but in master now, we do this directly in tht as we use
ansible to get the system certs.

Change-Id: Ia0ad0ac6d7a09858b56dcb419a3bec17b63779a4
2021-04-06 13:51:41 -04:00
Ade Lee
26cd692ab7 Fix tls for undercloud with ipa
We recently changed cert generation to use linux-system roles
to generate certs instead of puppet-certmonger.  However, this broke
the ability to generate the haproxy cert on the undercloud using an
IPA server, because we relied on the ability to specify the CertmongerCA
and the hieradata to provide the correct ca, principals and dns entries.

This patch restores this ability through THT template parameters.

Change-Id: Ie2e181fcd9198ae5613fde7135230d4b4cf7343d
2021-04-06 11:50:33 -04:00
Damien Ciabrini
77358cbcce HA: fix injection of certificate in haproxy container
Injection of certificate in pacemaker-managed haproxy [1] is never
exercised due to a bad parsing of container name vs container id.

Closes-Bug: #1922106

[1] Id7308f028f33716be5e3df6699c3f2c12e33e344

Change-Id: Ic6e4264c5ad46bd2589cc907c365af2d42fde63d
2021-03-31 18:47:03 +02:00
ramishra
c9991c2e31 Use 'wallaby' heat_template_version
With I57047682cfa82ba6ca4affff54fab5216e9ba51c Heat has added
a new template version for wallaby. This would allow us to use the
2-argument variant of the ``if`` function that would allow for
e.g. conditional definition of resource properties and help
cleanup templates. If only two arguments are passed to the ``if``
function, the entire enclosing item is removed when the condition
is false.

Change-Id: I25f981b60c6a66b39919adc38c02a051b6c51269
2021-03-31 17:35:12 +05:30
Sorin Sbarnea
a013f42e36 Enable ansible-lint
- enable run of ansible-lint, with a temporary set of excludes
- fixes two problems reported by ansible-linter

Change-Id: Ibbe23db8fd5ac1008109f50f514df96686b0fa19
Bug: #1921409
2021-03-30 09:18:15 +01:00
Sorin Sbarnea
27788212cc Remove duplicate keys from yaml files
- removes duplicate keys from yaml files by assuming that the last
  one was the desired one (matches current loader behavior)
- prevent regressions by activating yaml lint rule that detects them
  (yaml skip was silencing all yaml checks, so the long list seen
  is in fact shorter than just 'yaml')
- includes sorting of some of the keys, was needed in order to spot
  the duplicates.

Change-Id: Idf5c0041a0c6d3ed7d5d49fb68be856719916663
2021-03-29 13:56:31 +00:00
Damien Ciabrini
93e53b7429 HA: inject public certificates without blocking container
Do not inject public certificates in pacemaker bundles by means
of "podman cp", as this pauses the container for a short amount
of time and can make pacemaker operation fail during that time
window and impact the cluster for no reason.

Keep "podman cp" for non-HA containers, as the freeze is short
and doesn't seem to impact podman monitoring anyway.

The new certificate injection only works for podman 1.9+, lower
versions won't overwrite the existing certificate.

Closes-Bug: #1917868

Change-Id: Id7308f028f33716be5e3df6699c3f2c12e33e344
2021-03-25 10:51:59 +01:00
Damien Ciabrini
37a24bfe50 haproxy: fix typo after migration of TLS to ansible role
There are some typos in the post_script that gets called
when certmonger renews the HAProxy certificates. Fix them.

Change-Id: Ie9a64feddf7483036983f242d477fc8bdb6dbc1f
2021-03-22 18:23:10 +01:00
Carlos Goncalves
6e7e0ab48e Remove obsoleted generate_service_certificates
Remove traces of generate_service_certificates. It was removed during
the Pike release cycle [1].

[1] https://review.opendev.org/c/openstack/puppet-tripleo/+/444891

Change-Id: Ib203b52547433ff73141df66641528c389b50361
2021-03-16 19:50:14 +01:00
Grzegorz Grasza
e329ca915e Generate certificates using ansible role
This is using linux-system-roles.certificate ansible role,
which replaces puppet-certmonger for submitting certificate
requests to certmonger. Each service is configured through
its heat template.

Partial-Implements: blueprint ansible-certmonger
Depends-On: https://review.rdoproject.org/r/31713
Change-Id: Ib868465c20d97c62cbcb214bfc62d949bd6efc62
2021-03-10 16:28:22 +01:00
Alex Schultz
8d1fc85744 Use ansible_facts instead
In order to set ANSIBLE_INJECT_FACT_VARS=False we have to use ansible_facts
instead of ansible_* vars. This change switches our distribution and
hostname related items to use ansible_facts instead.

Change-Id: I49a2c42dcbb74671834f312798367f411c819813
Related-Bug: #1915761
2021-02-22 17:57:17 +00:00
ramishra
7f195ff9a8 Remove DefaultPasswords interface
This was mainly there as a legacy interface which was
for internal use. Now that we pull the passwords from
the existing environment and don't use it, we can drop
this.

Reduces a number of heat resources.

Change-Id: If83d0f3d72a229d737a45b2fd37507dc11a04649
2021-02-12 11:38:44 +05:30
Zuul
c2d92493d7 Merge "Remove duplicated tasks to create persistent directories for haproxy" 2021-01-13 16:24:57 +00:00
Takashi Kajinami
49cebbb56c Remove duplicated tasks to create persistent directories for haproxy
We already have the task to create persistent directories for haproxy
in the HAProxyBase resource, so we don't need to define the same task
in haproxy-pacemaker-puppet.yaml.

Note that haproxy-pacemaker-puppet.yaml used to create /var/log/haproxy
but this is removed by this change because that directory is never
used.

Change-Id: I8a846317512ad068caa297821105023a71dc2183
2020-12-31 14:44:21 +09:00
Raildo
9760977529 Adding key_size option on the certificate creation
Adding the ability to specify the private key size
used when creating the certificate. We have defined the
default value the same as we had before, 2048 bits.
Also, it'll be possible to override the key_size value
per service.

Depends-on: I4da96f2164cf1d136f9471f1d6251bdd8cfd2d0b
Change-Id: Ic2edabb7f1bd0caf4a5550d03f60fab7c8354d65
2020-12-17 20:22:52 -03:00
Zuul
0519978254 Merge "Remove Sahara support" 2020-11-06 03:12:06 +00:00
Takashi Kajinami
4a7d56947a Remove Sahara support
Sahara support was deprecated during previous Ussuri cycle[1], so we
can remove it completely now.

[1] f1d9b15c85fd1ed2250d40cea8184a18f458234f
Change-Id: Id047221cb912c09984cc3bf864196a26fd36736f
2020-10-19 09:39:36 +09:00
Zuul
837f8cbb06 Merge "HA: option to use static pacemaker image name" 2020-10-14 18:20:25 +00:00