openstack/tripleo-heat-templates
Code Issues Proposed changes
bec1ffeeb8
tripleo-heat-templates/deployment/etcd/etcd-container-puppet.yaml
Alex Schultz 8e052715c8 Use kolla_config for other actions 
Today for some services we mount in /var/lib/config-data/<service>/etc
which is actually an output from the container-puppet process. We should
be using kolla to ensure that we properly create the configurations
based on the puppet generated configurations and things in the
container.  Some services correctly leverage the kolla_config that the
associated api/service uses when running their db sync. This patch
aligns the rest to follow the similar pattern.

Change-Id: I0e3d5748a50937880a55413b75fe6eca479c9160
2021-06-02 08:34:05 -06:00

271 lines
10 KiB
YAML
Raw Blame History

heat_template_version: wallaby
description: >
Containerized etcd services
parameters:
ContainerEtcdImage:
description: image
type: string
ContainerEtcdConfigImage:
description: The container image to use for the etcd config_volume
type: string
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EtcdInitialClusterToken:
description: Initial cluster token for the etcd cluster during bootstrap.
type: string
hidden: true
MonitoringSubscriptionEtcd:
default: 'overcloud-etcd'
type: string
EnableInternalTLS:
type: boolean
default: false
EnableEtcdInternalTLS:
description: Controls whether etcd and the cinder-volume service use TLS
for cinder's lock manager, even when the rest of the internal
API network is using TLS.
type: boolean
default: true
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
Debug:
default: false
description: Set to True to enable debugging on all services.
type: boolean
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
EtcdCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
parameter_groups:
- label: deprecated
description: |
The following parameters are deprecated and will be removed. They should not
be relied on for new deployments. If you have concerns regarding deprecated
parameters, please contact the TripleO development team on IRC or the
OpenStack mailing list.
parameters:
- EnableEtcdInternalTLS
conditions:
internal_tls_enabled:
and:
- {get_param: EnableInternalTLS}
- {get_param: EnableEtcdInternalTLS}
key_size_override_set:
not: {equals: [{get_param: EtcdCertificateKeySize}, '']}
resources:
ContainersCommon:
type: ../containers-common.yaml
outputs:
role_data:
description: Role data for the etcd role.
value:
service_name: etcd
firewall_rules:
'141 etcd':
dport:
- 2379
- 2380
monitoring_subscription: {get_param: MonitoringSubscriptionEtcd}
config_settings:
map_merge:
- etcd::etcd_name:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
tripleo::profile::base::etcd::bind_ip:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
tripleo::profile::base::etcd::client_port: '2379'
tripleo::profile::base::etcd::peer_port: '2380'
etcd::debug: {get_param: Debug}
etcd::initial_cluster_token: {get_param: EtcdInitialClusterToken}
etcd::manage_package: false
etcd::manage_service: false
- if:
- internal_tls_enabled
- tripleo::profile::base::etcd::certificate_specs:
service_certificate: '/etc/pki/tls/certs/etcd.crt'
service_key: '/etc/pki/tls/private/etcd.key'
etcd::trusted_ca_file: {get_param: InternalTLSCAFile}
etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile}
# Ensure etcd and cinder-volume aren't configured to use TLS
- tripleo::profile::base::etcd::enable_internal_tls: false
tripleo::profile::base::cinder::volume::enable_internal_tls: false
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: etcd
config_image: &etcd_config_image {get_param: ContainerEtcdConfigImage}
step_config:
list_join:
- "\n"
- - "['Etcd_key'].each |String $val| { noop_resource($val) }"
- "include tripleo::profile::base::etcd"
kolla_config:
/var/lib/kolla/config_files/etcd.json:
command: /usr/bin/etcd --config-file /etc/etcd/etcd.yml
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/lib/etcd
owner: etcd:etcd
recurse: true
- path: /etc/pki/tls/certs/etcd.crt
owner: etcd:etcd
- path: /etc/pki/tls/private/etcd.key
owner: etcd:etcd
docker_config:
step_2:
etcd:
image: {get_param: ContainerEtcdImage}
net: host
privileged: false
restart: always
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/etcd:/var/lib/etcd
- /var/lib/kolla/config_files/etcd.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/etcd/:/var/lib/kolla/config_files/src:ro
- if:
- internal_tls_enabled
- - /etc/pki/tls/certs/etcd.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/etcd.crt:ro
- /etc/pki/tls/private/etcd.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/etcd.key:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
container_puppet_tasks:
# Etcd keys initialization occurs only on single node
step_2:
config_volume: 'etcd_init_tasks'
puppet_tags: 'etcd_key'
step_config: |
include tripleo::profile::base::etcd
config_image: *etcd_config_image
# TODO(mwhahaha): need to check if this works correctly or we need to switch to a bootstrap execution
volumes:
- /var/lib/config-data/puppet-generated/etcd/etc/etcd/:/etc/etcd:ro
- /var/lib/etcd:/var/lib/etcd:ro
deploy_steps_tasks:
if:
- internal_tls_enabled
- - name: Certificate generation
when: step|int == 1
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: etcd
dns:
- str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
- str_replace:
template: "{{cloud_names.cloud_name_NETWORK}}"
params:
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
principal:
str_replace:
template: "etcd/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
run_after: |
# cinder uses etcd, so its containers also need to be refreshed
container_names=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -E 'cinder|etcd')
service_crt="/etc/pki/tls/certs/etcd.crt"
service_key="/etc/pki/tls/private/etcd.key"
kolla_dir="/var/lib/kolla/config_files/src-tls"
# For each container, check whether the cert file needs to be updated.
# The check is necessary because the original THT design directly bind mounted
# the files to their final location, and did not copy them in via $kolla_dir.
# Regardless of whether the container is directly using the files, or a copy,
# there's no need to trigger a reload because the cert is not cached.
for container_name in ${container_names[*]}; do
{{container_cli}} exec -u root "$container_name" bash -c "
[[ -f ${kolla_dir}/${service_crt} ]] && cp ${kolla_dir}/${service_crt} $service_crt;
[[ -f ${kolla_dir}/${service_key} ]] && cp ${kolla_dir}/${service_key} $service_key;
true
"
done
key_size:
if:
- key_size_override_set
- {get_param: EtcdCertificateKeySize}
- {get_param: CertificateKeySize}
ca: ipa
host_prep_tasks:
- name: create /var/lib/etcd
file:
path: /var/lib/etcd
state: directory
setype: container_file_t
external_deploy_tasks:
if:
- internal_tls_enabled
- - name: check if ipa server has required permissions
when: step|int == 1
import_role:
name: tls_everywhere
tasks_from: ipa-server-check
upgrade_tasks: []
metadata_settings:
if:
- internal_tls_enabled
- - service: etcd
network: {get_param: [ServiceNetMap, EtcdNetwork]}
type: vip
- service: etcd
network: {get_param: [ServiceNetMap, EtcdNetwork]}
type: node
View Git Blame Copy Permalink