cff6378fb1
Adding the ability to specifies the private key size
used when creating the certificate. We have defined the
default value the same as we have before 2048 bits.
Also, it'll be able to override the key_size value
per service.
Depends-on: I4da96f2164cf1d136f9471f1d6251bdd8cfd2d0b
Change-Id: Ic2edabb7f1bd0caf4a5550d03f60fab7c8354d65
(cherry picked from commit 9760977529)
248 lines
8.5 KiB
YAML
248 lines
8.5 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
Containerized etcd services
|
|
|
|
parameters:
|
|
ContainerEtcdImage:
|
|
description: image
|
|
type: string
|
|
ContainerEtcdConfigImage:
|
|
description: The container image to use for the etcd config_volume
|
|
type: string
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EtcdInitialClusterToken:
|
|
description: Initial cluster token for the etcd cluster during bootstrap.
|
|
type: string
|
|
hidden: true
|
|
MonitoringSubscriptionEtcd:
|
|
default: 'overcloud-etcd'
|
|
type: string
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
EnableEtcdInternalTLS:
|
|
description: Controls whether etcd and the cinder-volume service use TLS
|
|
for cinder's lock manager, even when the rest of the internal
|
|
API network is using TLS.
|
|
type: boolean
|
|
default: false
|
|
InternalTLSCAFile:
|
|
default: '/etc/ipa/ca.crt'
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the internal network.
|
|
Debug:
|
|
default: false
|
|
description: Set to True to enable debugging on all services.
|
|
type: boolean
|
|
CertificateKeySize:
|
|
type: string
|
|
default: '2048'
|
|
description: Specifies the private key size used when creating the
|
|
certificate.
|
|
EtcdCertificateKeySize:
|
|
type: string
|
|
default: ''
|
|
description: Override the private key size used when creating the
|
|
certificate for this service
|
|
|
|
conditions:
|
|
internal_tls_enabled:
|
|
and:
|
|
- {equals: [{get_param: EnableInternalTLS}, true]}
|
|
- {equals: [{get_param: EnableEtcdInternalTLS}, true]}
|
|
key_size_override_unset: {equals: [{get_param: EtcdCertificateKeySize}, '']}
|
|
|
|
resources:
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the etcd role.
|
|
value:
|
|
service_name: etcd
|
|
firewall_rules:
|
|
'141 etcd':
|
|
dport:
|
|
- 2379
|
|
- 2380
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionEtcd}
|
|
config_settings:
|
|
map_merge:
|
|
-
|
|
etcd::etcd_name:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
|
|
tripleo::profile::base::etcd::bind_ip:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
|
|
tripleo::profile::base::etcd::client_port: '2379'
|
|
tripleo::profile::base::etcd::peer_port: '2380'
|
|
etcd::debug: {get_param: Debug}
|
|
etcd::initial_cluster_token: {get_param: EtcdInitialClusterToken}
|
|
etcd::manage_package: false
|
|
etcd::manage_service: false
|
|
-
|
|
if:
|
|
- internal_tls_enabled
|
|
- generate_service_certificates: true
|
|
tripleo::profile::base::etcd::certificate_specs:
|
|
service_certificate: '/etc/pki/tls/certs/etcd.crt'
|
|
service_key: '/etc/pki/tls/private/etcd.key'
|
|
hostname:
|
|
str_replace:
|
|
template: "%{hiera('fqdn_NETWORK')}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
|
|
principal:
|
|
str_replace:
|
|
template: "etcd/%{hiera('fqdn_NETWORK')}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
|
|
dnsnames:
|
|
- str_replace:
|
|
template: "%{hiera('fqdn_NETWORK')}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
|
|
- str_replace:
|
|
template:
|
|
"%{hiera('NETWORK')}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
|
|
postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh'
|
|
key_size:
|
|
if:
|
|
- key_size_override_unset
|
|
- {get_param: CertificateKeySize}
|
|
- {get_param: EtcdCertificateKeySize}
|
|
etcd::trusted_ca_file: {get_param: InternalTLSCAFile}
|
|
etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile}
|
|
-
|
|
# Ensure etcd and cinder-volume aren't configured to use TLS
|
|
tripleo::profile::base::etcd::enable_internal_tls: false
|
|
tripleo::profile::base::cinder::volume::enable_internal_tls: false
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: etcd
|
|
config_image: &etcd_config_image {get_param: ContainerEtcdConfigImage}
|
|
step_config:
|
|
list_join:
|
|
- "\n"
|
|
- - "['Etcd_key'].each |String $val| { noop_resource($val) }"
|
|
- "include tripleo::profile::base::etcd"
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/etcd.json:
|
|
command: /usr/bin/etcd --config-file /etc/etcd/etcd.yml
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src-tls/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
optional: true
|
|
permissions:
|
|
- path: /var/lib/etcd
|
|
owner: etcd:etcd
|
|
recurse: true
|
|
- path: /etc/pki/tls/certs/etcd.crt
|
|
owner: etcd:etcd
|
|
- path: /etc/pki/tls/private/etcd.key
|
|
owner: etcd:etcd
|
|
docker_config:
|
|
step_2:
|
|
etcd:
|
|
image: {get_param: ContainerEtcdImage}
|
|
net: host
|
|
privileged: false
|
|
restart: always
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- /var/lib/etcd:/var/lib/etcd
|
|
- /var/lib/kolla/config_files/etcd.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/etcd/:/var/lib/kolla/config_files/src:ro
|
|
-
|
|
if:
|
|
- internal_tls_enabled
|
|
-
|
|
- /etc/pki/tls/certs/etcd.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/etcd.crt:ro
|
|
- /etc/pki/tls/private/etcd.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/etcd.key:ro
|
|
- null
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
container_puppet_tasks:
|
|
# Etcd keys initialization occurs only on single node
|
|
step_2:
|
|
config_volume: 'etcd_init_tasks'
|
|
puppet_tags: 'etcd_key'
|
|
step_config: |
|
|
include tripleo::profile::base::etcd
|
|
config_image: *etcd_config_image
|
|
volumes:
|
|
- /var/lib/config-data/etcd/etc/etcd/:/etc/etcd:ro
|
|
- /var/lib/etcd:/var/lib/etcd:ro
|
|
host_prep_tasks:
|
|
- name: create /var/lib/etcd
|
|
file:
|
|
path: /var/lib/etcd
|
|
state: directory
|
|
setype: container_file_t
|
|
external_deploy_tasks:
|
|
if:
|
|
- internal_tls_enabled
|
|
-
|
|
- name: check if ipa server has required permissions
|
|
when: step|int == 1
|
|
import_role:
|
|
name: tls_everywhere
|
|
tasks_from: ipa-server-check
|
|
- null
|
|
upgrade_tasks: []
|
|
metadata_settings:
|
|
if:
|
|
- internal_tls_enabled
|
|
-
|
|
- service: etcd
|
|
network: {get_param: [ServiceNetMap, EtcdNetwork]}
|
|
type: node
|
|
- null
|