aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2016-12-15 16:20:40 +0200
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-01-25 00:33:11 +0200
commit80086fd342032ec448a84ecf7c5dbe98d381450a (patch)
tree401b9f6d0e6f80930c90a0a48bcd3c435a03b8e7
parent00938b0accff3a07954ff058e205f21a51583b56 (diff)
Add metadata settings for needed kerberos principals
These are only used for TLS-everywhere, and fills up the kerberos principals that will need to be created for the certs used by the overcloud. With this, the metadata hook will format these principals correctly and will further pass them on to the nova metadata service. Where they can be used if there's a plugin enabled. bp tls-via-certmonger bp novajoin Change-Id: I873094bb69200052febda629fda698a7a782c031
-rw-r--r--extraconfig/nova_metadata/krb-service-principals.yaml84
-rw-r--r--puppet/services/aodh-api.yaml2
-rw-r--r--puppet/services/apache-internal-tls-certmonger.yaml35
-rw-r--r--puppet/services/apache.yaml2
-rw-r--r--puppet/services/barbican-api.yaml2
-rw-r--r--puppet/services/ceilometer-api.yaml2
-rw-r--r--puppet/services/cinder-api.yaml2
-rw-r--r--puppet/services/database/mysql-internal-tls-certmonger.yaml4
-rw-r--r--puppet/services/database/mysql.yaml2
-rw-r--r--puppet/services/gnocchi-api.yaml2
-rw-r--r--puppet/services/haproxy-internal-tls-certmonger.yaml35
-rw-r--r--puppet/services/haproxy-public-tls-certmonger.yaml4
-rw-r--r--puppet/services/haproxy.yaml6
-rw-r--r--puppet/services/keystone.yaml5
-rw-r--r--puppet/services/nova-api.yaml2
-rw-r--r--puppet/services/pacemaker/database/mysql.yaml2
-rw-r--r--puppet/services/pacemaker/haproxy.yaml2
-rw-r--r--puppet/services/panko-api.yaml2
18 files changed, 175 insertions, 20 deletions
diff --git a/extraconfig/nova_metadata/krb-service-principals.yaml b/extraconfig/nova_metadata/krb-service-principals.yaml
new file mode 100644
index 00000000..c66e6460
--- /dev/null
+++ b/extraconfig/nova_metadata/krb-service-principals.yaml
@@ -0,0 +1,84 @@
+heat_template_version: ocata
+description: 'Generates the relevant service principals for a server'
+
+parameters:
+ RoleData:
+ type: json
+ description: the list containing the 'role_data' output for the ServiceChain
+
+ # Coming from parameter_defaults
+ CloudName:
+ default: overcloud.localdomain
+ description: The DNS name of this cloud. E.g. ci-overcloud.tripleo.org
+ type: string
+ CloudNameInternal:
+ default: overcloud.internalapi.localdomain
+ description: >
+ The DNS name of this cloud's internal API endpoint. E.g.
+ 'ci-overcloud.internalapi.tripleo.org'.
+ type: string
+ CloudNameStorage:
+ default: overcloud.storage.localdomain
+ description: >
+ The DNS name of this cloud's storage endpoint. E.g.
+ 'ci-overcloud.storage.tripleo.org'.
+ type: string
+ CloudNameStorageManagement:
+ default: overcloud.storagemgmt.localdomain
+ description: >
+ The DNS name of this cloud's storage management endpoint. E.g.
+ 'ci-overcloud.storagemgmt.tripleo.org'.
+ type: string
+ CloudNameCtlplane:
+ default: overcloud.ctlplane.localdomain
+ description: >
+ The DNS name of this cloud's storage management endpoint. E.g.
+ 'ci-overcloud.management.tripleo.org'.
+ type: string
+
+resources:
+
+ IncomingMetadataSettings:
+ type: OS::Heat::Value
+ properties:
+ value:
+ yaql:
+ # Filter null values and values that contain don't contain
+ # 'metadata_settings', get the values from that key and get the
+ # unique ones.
+ expression: list($.data.where($ != null).where($.containsKey('metadata_settings')).metadata_settings.flatten().distinct())
+ data: {get_param: RoleData}
+
+ # Generates entries for nova metadata with the following format:
+ # 'managed_service_<id>' : <service>/<fqdn>
+ # Depending on the requested network
+ IndividualServices:
+ type: OS::Heat::Value
+ properties:
+ value:
+ yaql:
+ expression: let(fqdns => $.data.fqdns) -> dict($.data.metadata.where($ != null and $.type = 'vip').select([concat('managed_service_', $.service, $.network), concat($.service, '/', $fqdns.get($.network))]))
+ data:
+ metadata: {get_attr: [IncomingMetadataSettings, value]}
+ fqdns:
+ external: {get_param: CloudName}
+ internal_api: {get_param: CloudNameInternal}
+ storage: {get_param: CloudNameStorage}
+ storage_mgmt: {get_param: CloudNameStorageManagement}
+ ctlplane: {get_param: CloudNameCtlplane}
+
+ CompactServices:
+ type: OS::Heat::Value
+ properties:
+ value:
+ yaql:
+ expression: dict($.data.where($ != null and $.type = 'node').select([$.service, $.network.replace('_', '')]).groupBy($[0], $[1]))
+ data: {get_attr: [IncomingMetadataSettings, value]}
+
+outputs:
+ metadata:
+ description: actual metadata entries that will be passed to the server.
+ value:
+ map_merge:
+ - {get_attr: [IndividualServices, value]}
+ - compact_services: {get_attr: [CompactServices, value]}
diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml
index 4e735b45..2c44f4df 100644
--- a/puppet/services/aodh-api.yaml
+++ b/puppet/services/aodh-api.yaml
@@ -83,3 +83,5 @@ outputs:
get_attr: [AodhBase, role_data, service_config_settings]
step_config: |
include tripleo::profile::base::aodh::api
+ metadata_settings:
+ get_attr: [ApacheServiceBase, role_data, metadata_settings]
diff --git a/puppet/services/apache-internal-tls-certmonger.yaml b/puppet/services/apache-internal-tls-certmonger.yaml
index 07ec1b3c..97d6ff8e 100644
--- a/puppet/services/apache-internal-tls-certmonger.yaml
+++ b/puppet/services/apache-internal-tls-certmonger.yaml
@@ -21,6 +21,22 @@ parameters:
via parameter_defaults in the resource registry.
type: json
+resources:
+
+ ApacheNetworks:
+ type: OS::Heat::Value
+ properties:
+ value:
+ # NOTE(jaosorior) Get unique network names to create
+ # certificates for those. We skip the tenant network since
+ # we don't need a certificate for that, and the external
+ # network will be handled in another template.
+ yaql:
+ expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
+ data:
+ map:
+ get_param: ServiceNetMap
+
outputs:
role_data:
description: Role data for the Apache role.
@@ -38,13 +54,12 @@ outputs:
hostname: "%{hiera('fqdn_NETWORK')}"
principal: "HTTP/%{hiera('fqdn_NETWORK')}"
for_each:
- NETWORK:
- # NOTE(jaosorior) Get unique network names to create
- # certificates for those. We skip the tenant network since
- # we don't need a certificate for that, and the external
- # network will be handled in another template.
- yaql:
- expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
- data:
- map:
- get_param: ServiceNetMap
+ NETWORK: {get_attr: [ApacheNetworks, value]}
+ metadata_settings:
+ repeat:
+ template:
+ - service: HTTP
+ network: $NETWORK
+ type: node
+ for_each:
+ $NETWORK: {get_attr: [ApacheNetworks, value]}
diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml
index 2e95dcb0..82e0c5ff 100644
--- a/puppet/services/apache.yaml
+++ b/puppet/services/apache.yaml
@@ -64,3 +64,5 @@ outputs:
apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit }
apache::mod::remoteip::proxy_ips:
- "%{hiera('apache_remote_proxy_ips_network')}"
+ metadata_settings:
+ get_attr: [ApacheTLS, role_data, metadata_settings]
diff --git a/puppet/services/barbican-api.yaml b/puppet/services/barbican-api.yaml
index 000a744c..1f220e6b 100644
--- a/puppet/services/barbican-api.yaml
+++ b/puppet/services/barbican-api.yaml
@@ -144,3 +144,5 @@ outputs:
get_param: [EndpointMap, BarbicanInternal, uri]
cinder::api::keymgr_encryption_auth_url:
get_param: [EndpointMap, KeystoneV3Internal, uri]
+ metadata_settings:
+ get_attr: [ApacheServiceBase, role_data, metadata_settings]
diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml
index 63e02d4f..f774167f 100644
--- a/puppet/services/ceilometer-api.yaml
+++ b/puppet/services/ceilometer-api.yaml
@@ -90,3 +90,5 @@ outputs:
get_attr: [CeilometerServiceBase, role_data, service_config_settings]
step_config: |
include ::tripleo::profile::base::ceilometer::api
+ metadata_settings:
+ get_attr: [ApacheServiceBase, role_data, metadata_settings]
diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml
index eee04ce0..a5c912ed 100644
--- a/puppet/services/cinder-api.yaml
+++ b/puppet/services/cinder-api.yaml
@@ -146,6 +146,8 @@ outputs:
cinder::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
+ metadata_settings:
+ get_attr: [ApacheServiceBase, role_data, metadata_settings]
upgrade_tasks:
- name: check for cinder running under apache (post upgrade)
tags: step2
diff --git a/puppet/services/database/mysql-internal-tls-certmonger.yaml b/puppet/services/database/mysql-internal-tls-certmonger.yaml
index 56d037e7..9f7eaf57 100644
--- a/puppet/services/database/mysql-internal-tls-certmonger.yaml
+++ b/puppet/services/database/mysql-internal-tls-certmonger.yaml
@@ -41,3 +41,7 @@ outputs:
template: "mysql/%{hiera('cloud_name_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+ metadata_settings:
+ - service: mysql
+ network: {get_param: [ServiceNetMap, MysqlNetwork]}
+ type: vip
diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml
index 7e12894f..8c4042d9 100644
--- a/puppet/services/database/mysql.yaml
+++ b/puppet/services/database/mysql.yaml
@@ -104,4 +104,6 @@ outputs:
- name: Start service
tags: step4
service: name=mariadb state=started
+ metadata_settings:
+ get_attr: [MySQLTLS, role_data, metadata_settings]
diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml
index 3929e005..ae384ce0 100644
--- a/puppet/services/gnocchi-api.yaml
+++ b/puppet/services/gnocchi-api.yaml
@@ -131,3 +131,5 @@ outputs:
gnocchi::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
+ metadata_settings:
+ get_attr: [ApacheServiceBase, role_data, metadata_settings]
diff --git a/puppet/services/haproxy-internal-tls-certmonger.yaml b/puppet/services/haproxy-internal-tls-certmonger.yaml
index 77457593..ae226163 100644
--- a/puppet/services/haproxy-internal-tls-certmonger.yaml
+++ b/puppet/services/haproxy-internal-tls-certmonger.yaml
@@ -19,6 +19,22 @@ parameters:
via parameter_defaults in the resource registry.
type: json
+resources:
+
+ HAProxyNetworks:
+ type: OS::Heat::Value
+ properties:
+ value:
+ # NOTE(jaosorior) Get unique network names to create
+ # certificates for those. We skip the tenant network since
+ # we don't need a certificate for that, and the external
+ # network will be handled in another template.
+ yaql:
+ expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
+ data:
+ map:
+ get_param: ServiceNetMap
+
outputs:
role_data:
description: Role data for the HAProxy internal TLS via certmonger role.
@@ -39,13 +55,12 @@ outputs:
postsave_cmd: "" # TODO
principal: "haproxy/%{hiera('cloud_name_NETWORK')}"
for_each:
- NETWORK:
- # NOTE(jaosorior) Get unique network names to create
- # certificates for those. We skip the tenant network since
- # we don't need a certificate for that, and the external
- # network will be handled in another template.
- yaql:
- expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
- data:
- map:
- get_param: ServiceNetMap
+ NETWORK: {get_attr: [HAProxyNetworks, value]}
+ metadata_settings:
+ repeat:
+ template:
+ - service: haproxy
+ network: $NETWORK
+ type: vip
+ for_each:
+ $NETWORK: {get_attr: [HAProxyNetworks, value]}
diff --git a/puppet/services/haproxy-public-tls-certmonger.yaml b/puppet/services/haproxy-public-tls-certmonger.yaml
index 227697b9..6013b026 100644
--- a/puppet/services/haproxy-public-tls-certmonger.yaml
+++ b/puppet/services/haproxy-public-tls-certmonger.yaml
@@ -35,3 +35,7 @@ outputs:
hostname: "%{hiera('cloud_name_external')}"
postsave_cmd: "" # TODO
principal: "haproxy/%{hiera('cloud_name_external')}"
+ metadata_settings:
+ - service: haproxy
+ network: external
+ type: vip
diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml
index 9049c901..981a08d2 100644
--- a/puppet/services/haproxy.yaml
+++ b/puppet/services/haproxy.yaml
@@ -84,3 +84,9 @@ outputs:
- name: Start haproxy service
tags: step4 # Needed at step 4 for mysql
service: name=haproxy state=started
+ metadata_settings:
+ yaql:
+ expression: '[].concat(coalesce($.data.internal, []), coalesce($.data.public, []))'
+ data:
+ public: {get_attr: [HAProxyPublicTLS, role_data, metadata_settings]}
+ internal: {get_attr: [HAProxyInternalTLS, role_data, metadata_settings]}
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index 434f0a33..b989d502 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -313,3 +313,8 @@ outputs:
- name: Sync keystone DB
tags: step5
command: keystone-manage db_sync
+ - name: Start keystone service (running under httpd)
+ tags: step6
+ service: name=httpd state=started
+ metadata_settings:
+ get_attr: [ApacheServiceBase, role_data, metadata_settings]
diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml
index 36ac3e08..892e63dd 100644
--- a/puppet/services/nova-api.yaml
+++ b/puppet/services/nova-api.yaml
@@ -165,3 +165,5 @@ outputs:
nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]}
nova::keystone::auth::password: {get_param: NovaPassword}
nova::keystone::auth::region: {get_param: KeystoneRegion}
+ metadata_settings:
+ get_attr: [ApacheServiceBase, role_data, metadata_settings]
diff --git a/puppet/services/pacemaker/database/mysql.yaml b/puppet/services/pacemaker/database/mysql.yaml
index 511a01ab..93bf5967 100644
--- a/puppet/services/pacemaker/database/mysql.yaml
+++ b/puppet/services/pacemaker/database/mysql.yaml
@@ -53,6 +53,8 @@ outputs:
get_param: [ServiceNetMap, MysqlNetwork]
step_config: |
include ::tripleo::profile::pacemaker::database::mysql
+ metadata_settings:
+ get_attr: [MysqlBase, role_data, metadata_settings]
upgrade_tasks:
- name: Check for galera root password
tags: step0
diff --git a/puppet/services/pacemaker/haproxy.yaml b/puppet/services/pacemaker/haproxy.yaml
index 50da4119..598deaef 100644
--- a/puppet/services/pacemaker/haproxy.yaml
+++ b/puppet/services/pacemaker/haproxy.yaml
@@ -40,3 +40,5 @@ outputs:
tripleo::haproxy::mysql_clustercheck: true
step_config: |
include ::tripleo::profile::pacemaker::haproxy
+ metadata_settings:
+ get_attr: [LoadbalancerServiceBase, role_data, metadata_settings]
diff --git a/puppet/services/panko-api.yaml b/puppet/services/panko-api.yaml
index 06284fb2..4b74ad45 100644
--- a/puppet/services/panko-api.yaml
+++ b/puppet/services/panko-api.yaml
@@ -82,3 +82,5 @@ outputs:
get_attr: [PankoBase, role_data, service_config_settings]
step_config: |
include tripleo::profile::base::panko::api
+ metadata_settings:
+ get_attr: [ApacheServiceBase, role_data, metadata_settings]