Enable etcd with security setting.

After upgrade from StarlingX 4.0 to 5.0, etcd will still keep insecurity before sending "system upgrade-activate". During upgrade activate stage, it will create etcd server/client certs and distribute them to all controllers before restart etcd and kube-apiserver with security enabled. Upgrade test pass on both simplex and duplex. Closes-Bug: 1894870 Depends-on: https://review.opendev.org/#/c/760510/ Change-Id: I27733a881a267e61502b36627dcab4136de23e3f Signed-off-by: Zhipeng Liu <zhipengs.liu@intel.com>
2020-10-31 00:54:25 +08:00
parent 77de7dc969
commit bdf1888386
4 changed files with 204 additions and 4 deletions
--- a/controllerconfig/controllerconfig/controllerconfig/upgrades/controller.py
+++ b/controllerconfig/controllerconfig/controllerconfig/upgrades/controller.py
@@ -715,6 +715,23 @@ def migrate_hiera_data(from_release, to_release, role=None):
    from_hiera_path = os.path.join(PLATFORM_PATH, "puppet", from_release,
                                   "hieradata")
    to_hiera_path = constants.HIERADATA_PERMDIR
+
+    # For simplex upgrade, we already set etcd security config during
+    # apply-bootstrap-manifest. Need to get it and update to target
+    # static.yaml.
+    static_file = os.path.join(to_hiera_path, "static.yaml")
+    with open(static_file, 'r') as yaml_file:
+        static_config = yaml.load(yaml_file)
+
+    etcd_security_config = {}
+    if 'platform::etcd::params::security_enabled' in static_config.keys():
+        etcd_security_config['platform::etcd::params::security_enabled'] = \
+            static_config['platform::etcd::params::security_enabled']
+        etcd_security_config['platform::etcd::params::bind_address'] = \
+            static_config['platform::etcd::params::bind_address']
+        etcd_security_config['platform::etcd::params::bind_address_version'] = \
+            static_config['platform::etcd::params::bind_address_version']
+
    shutil.rmtree(to_hiera_path, ignore_errors=True)
    os.makedirs(to_hiera_path)

@@ -757,6 +774,9 @@ def migrate_hiera_data(from_release, to_release, role=None):
                'openstack::keystone::bootstrap::dc_services_project_id':
                    service_project_id
            })
+    # Just for upgrade from STX4.0 to STX5.0
+    if (from_release == SW_VERSION_20_06 and etcd_security_config):
+        static_config.update(etcd_security_config)

    with open(static_file, 'w') as yaml_file:
        yaml.dump(static_config, yaml_file, default_flow_style=False)
--- a/controllerconfig/controllerconfig/scripts/controller_config
+++ b/controllerconfig/controllerconfig/scripts/controller_config
@@ -282,6 +282,60 @@ start()
        fi
    fi

+    if [ -e $CONFIG_DIR/etcd/etcd-server.crt ]
+    then
+        cp $CONFIG_DIR/etcd/etcd-server.crt /etc/etcd/etcd-server.crt
+        if [ $? -ne 0 ]
+        then
+            fatal_error "Unable to copy $CONFIG_DIR/etcd/etcd-server.crt"
+        fi
+    fi
+
+    if [ -e $CONFIG_DIR/etcd/etcd-server.key ]
+    then
+        cp $CONFIG_DIR/etcd/etcd-server.key /etc/etcd/etcd-server.key
+        if [ $? -ne 0 ]
+        then
+            fatal_error "Unable to copy $CONFIG_DIR/etcd/etcd-server.key"
+        fi
+    fi
+
+    if [ -e $CONFIG_DIR/etcd/etcd-client.crt ]
+    then
+        cp $CONFIG_DIR/etcd/etcd-client.crt /etc/etcd/etcd-client.crt
+        if [ $? -ne 0 ]
+        then
+            fatal_error "Unable to copy $CONFIG_DIR/etcd/etcd-client.crt"
+        fi
+    fi
+
+    if [ -e $CONFIG_DIR/etcd/etcd-client.key ]
+    then
+        cp $CONFIG_DIR/etcd/etcd-client.key /etc/etcd/etcd-client.key
+        if [ $? -ne 0 ]
+        then
+            fatal_error "Unable to copy $CONFIG_DIR/etcd/etcd-client.key"
+        fi
+    fi
+
+    if [ -e $CONFIG_DIR/etcd/ca.crt ]
+    then
+        cp $CONFIG_DIR/etcd/ca.crt /etc/etcd/ca.crt
+        if [ $? -ne 0 ]
+        then
+            fatal_error "Unable to copy $CONFIG_DIR/etcd/ca.crt"
+        fi
+    fi
+
+    if [ -e $CONFIG_DIR/etcd/ca.key ]
+    then
+        cp $CONFIG_DIR/etcd/ca.key /etc/etcd/ca.key
+        if [ $? -ne 0 ]
+        then
+            fatal_error "Unable to copy $CONFIG_DIR/etcd/ca.key"
+        fi
+    fi
+
    if [ -e $CONFIG_DIR/registry-cert.key ]
    then
        cp $CONFIG_DIR/registry-cert.key /etc/ssl/private/registry-cert.key
--- a/controllerconfig/controllerconfig/upgrade-scripts/70_active-secured-etcd-after-upgrade.sh
+++ b/controllerconfig/controllerconfig/upgrade-scripts/70_active-secured-etcd-after-upgrade.sh
@@ -0,0 +1,86 @@
+#!/bin/bash
+
+#
+# Copyright (c) 2020 Intel Corporation.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Active secured etcd after upgrade.
+#
+# Note: this can be removed in the release after STX5.0
+
+. /etc/platform/platform.conf
+
+FROM_REL=$1
+TO_REL=$2
+ACTION=$3
+
+# below function is cloned from ../scripts/controller_config
+get_ip()
+{
+    HOST_NAME=$1
+
+    # Check /etc/hosts for the hostname
+    HOST_IP=$(cat /etc/hosts | grep "${HOST_NAME}" | awk '{print $1}')
+    if [ -n "${HOST_IP}" ]; then
+        echo ${HOST_IP}
+        return
+    fi
+
+    # Try the DNS query
+    # Because dnsmasq can resolve both a hostname to both an IPv4 and an IPv6
+    # address in certain situations, and the last address is the IPv6, which
+    # would be the management, this is preferred over the IPv4 pxeboot address,
+    # so take the last address only.
+    HOST_IP=$(dig +short ANY $host|tail -1)
+    if [[ "${HOST_IP}" =~ ^[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$ ]]; then
+        echo ${HOST_IP}
+        return
+    fi
+    if [[ "${HOST_IP}" =~ ^[0-9a-z]*\:[0-9a-z\:]*$ ]]; then
+        echo ${HOST_IP}
+        return
+    fi
+}
+
+enable_secured_etcd()
+{
+    STATIC_YAML="/opt/platform/puppet/${sw_version}/hieradata/static.yaml"
+    SYSTEM_YAML="/opt/platform/puppet/${sw_version}/hieradata/system.yaml"
+
+    if [[ ! -f ${STATIC_YAML} ]] || [[ ! -f ${SYSTEM_YAML} ]]; then
+        echo "Could not find specific static/system yaml files in "\
+             "/opt/platform/puppet/${sw_version}/hieradata!"
+        exit 1
+    fi
+
+    ETCD_SEC_ENABLED=$(grep "platform::etcd::params::security_enabled" ${STATIC_YAML} | awk '{print $2}')
+    CLUSTER_HOST_ADDRESS=$(grep "platform::network::cluster_host::params::subnet_start" ${SYSTEM_YAML} | awk '{print $2}')
+    CLUSTER_HOST_ADDRESS_VERSION=$(grep "platform::network::cluster_host::params::subnet_version" ${SYSTEM_YAML} | awk '{print $2}')
+    HOST_ADDR=$(get_ip $(hostname))
+
+    if [ "$ETCD_SEC_ENABLED" != "true" ]; then
+        ansible-playbook /usr/share/ansible/stx-ansible/playbooks/enable_secured_etcd.yml \
+            -e "default_cluster_host_start_address=${CLUSTER_HOST_ADDRESS}" \
+            -e "etcd_listen_address_version=${CLUSTER_HOST_ADDRESS_VERSION}" \
+            -e "puppet_permdir=/opt/platform/puppet/${sw_version}" \
+            -e "config_permdir=/opt/platform/config/${sw_version}" \
+            -e "ipaddress=${HOST_ADDR}" \
+            -e "k8s_root_ca_cert=''" \
+            -e "k8s_root_ca_key=''"
+        if [ $? -ne 0 ]; then
+            echo "Failed to run ansible playbook!"
+            exit 1
+        fi
+    fi
+}
+
+echo "${0} invoked with from_release = ${FROM_REL} to_release = ${TO_REL} action = ${ACTION}"
+
+if [ ${FROM_REL} == "20.06" -a ${ACTION} == "activate" ]; then
+    enable_secured_etcd
+else
+    echo "Only execute this upgrade code when the activate action is being done and the from release is 20.06!"
+fi
+
+exit 0