starlingx/config
Code Issues Proposed changes

Merge "Separate CA for k8s and etcd"

Browse Source
This commit is contained in:
Zuul 2021-10-22 16:33:43 +00:00 committed by Gerrit Code Review
commit d221cafce0
4 changed files with 123 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
controllerconfig/controllerconfig/controllerconfig/upgrades/controller.py
View File

@ -714,24 +714,6 @@ def migrate_hiera_data(from_release, to_release, role=None):
"hieradata")
to_hiera_path = constants.HIERADATA_PERMDIR
# For simplex upgrade, we already set etcd security config during
# apply-bootstrap-manifest. Need to get it and update to target
# static.yaml.
static_file = os.path.join(to_hiera_path, "static.yaml")
etcd_security_config = {}
if os.path.exists(static_file):
with open(static_file, 'r') as yaml_file:
static_config = yaml.load(yaml_file)
if 'platform::etcd::params::security_enabled' in static_config.keys():
etcd_security_config['platform::etcd::params::security_enabled'] = \
static_config['platform::etcd::params::security_enabled']
etcd_security_config['platform::etcd::params::bind_address'] = \
static_config['platform::etcd::params::bind_address']
etcd_security_config['platform::etcd::params::bind_address_version'] = \
static_config['platform::etcd::params::bind_address_version']
shutil.rmtree(to_hiera_path, ignore_errors=True)
os.makedirs(to_hiera_path)

89
controllerconfig/controllerconfig/upgrade-scripts/71-enable-separate-etcd-ca.sh Normal file
View File

@ -0,0 +1,89 @@
#!/bin/bash
#
# Copyright (c) 2021 Intel Corporation.
#
# SPDX-License-Identifier: Apache-2.0
#
# Enable separate etcd ca during upgrade.
#
# Note: this can be removed in the release after STX6.0
. /etc/platform/platform.conf
# This will log to /var/log/platform.log
function log {
logger -p local1.info $1
}
FROM_REL=$1
TO_REL=$2
ACTION=$3
# below function is cloned from ../scripts/controller_config
get_ip()
{
HOST_NAME=$1
# Check /etc/hosts for the hostname
HOST_IP=$(cat /etc/hosts | grep "${HOST_NAME}" | awk '{print $1}')
if [ -n "${HOST_IP}" ]; then
echo "${HOST_IP}"
return
fi
# Try the DNS query
# Because dnsmasq can resolve both a hostname to both an IPv4 and an IPv6
# address in certain situations, and the last address is the IPv6, which
# would be the management, this is preferred over the IPv4 pxeboot address,
# so take the last address only.
HOST_IP=$(dig +short ANY $host|tail -1)
if [[ "${HOST_IP}" =~ ^[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$ ]]; then
echo "${HOST_IP}"
return
fi
if [[ "${HOST_IP}" =~ ^[0-9a-z]*\:[0-9a-z\:]*$ ]]; then
echo "${HOST_IP}"
return
fi
}
enable_separate_etcd_ca()
{
STATIC_YAML="/opt/platform/puppet/${sw_version}/hieradata/static.yaml"
SYSTEM_YAML="/opt/platform/puppet/${sw_version}/hieradata/system.yaml"
if [[ ! -f ${STATIC_YAML} ]] || [[ ! -f ${SYSTEM_YAML} ]]; then
log "Could not find specific static/system yaml files in /opt/platform/puppet/${sw_version}/hieradata!"
exit 1
fi
CLUSTER_FLOATING_ADDRESS=$(grep "platform::network::cluster_host::params::controller_address" ${SYSTEM_YAML} | awk '{print $2}')
CLUSTER_FLOATING_ADDRESS_VERSION=$(grep "platform::network::cluster_host::params::subnet_version" ${SYSTEM_YAML} | awk '{print $2}')
HOST_ADDR=$(get_ip $(hostname))
ansible-playbook /usr/share/ansible/stx-ansible/playbooks/separate_etcd_ca.yml \
-e "cluster_floating_address=${CLUSTER_FLOATING_ADDRESS}" \
-e "etcd_listen_address_version=${CLUSTER_FLOATING_ADDRESS_VERSION}" \
-e "puppet_permdir=/opt/platform/puppet/${sw_version}" \
-e "config_permdir=/opt/platform/config/${sw_version}" \
-e "ipaddress=${HOST_ADDR}" \
-e "etcd_root_ca_cert=''" \
-e "etcd_root_ca_key=''"
if [ $? -ne 0 ]; then
log "Failed to run ansible playbook!"
exit 1
fi
}
log "${0} invoked with from_release = ${FROM_REL} to_release = ${TO_REL} action = ${ACTION}"
if [ ${FROM_REL} == "21.05" -a ${ACTION} == "activate" ]; then
enable_separate_etcd_ca
else
log "Only execute this upgrade code when the activate action is being done and the from release is 21.05!"
fi
exit 0

33
sysinv/sysinv/sysinv/sysinv/conductor/manager.py
View File

@ -1611,6 +1611,36 @@ class ConductorManager(service.PeriodicService):
"Skipping deleting ceph monitor."
% str(host.hostname))
def _split_etcd_security_config(self, context):
"""Update the manifests for separating etcd ca
Note: this can be removed in the release after STX6.0
returns True if runtime manifests were applied
"""
controllers = self.dbapi.ihost_get_by_personality(constants.CONTROLLER)
for host in controllers:
if not utils.is_host_active_controller(host):
# Just update etcd certs on the standby controller.
# Etcd certs were updated on the active controller with
# migration script 71-enable-separate-etcd-ca.sh
personalities = [constants.CONTROLLER]
host_uuids = [host.uuid]
config_uuid = self._config_update_hosts(
context, personalities, host_uuids)
config_dict = {
"personalities": personalities,
"host_uuids": host_uuids,
"classes": ['platform::etcd::upgrade::runtime'],
puppet_common.REPORT_STATUS_CFG:
puppet_common.REPORT_UPGRADE_ACTIONS
}
self._config_apply_runtime_manifest(context,
config_uuid=config_uuid,
config_dict=config_dict)
return True
return False
def update_remotelogging_config(self, context):
"""Update the remotelogging configuration"""
@ -11214,6 +11244,9 @@ class ConductorManager(service.PeriodicService):
{'state': constants.UPGRADE_ACTIVATION_FAILED})
manifests_applied = False
if from_version == tsc.SW_VERSION_21_05:
# Apply etcd split ca puppet manifest for standby controller.
manifests_applied = self._split_etcd_security_config(context)
if manifests_applied:
LOG.info("Running upgrade activation manifests")

1
tsconfig/tsconfig/tsconfig/tsconfig.py
View File

@ -13,6 +13,7 @@ import six
from six.moves import configparser
SW_VERSION = ""
SW_VERSION_21_05 = "21.05"
nodetype = None
subfunctions = []