diff options
| -rw-r--r-- | docker/services/ceph-ansible/ceph-base.yaml | 2 | ||||
| -rw-r--r-- | docker/services/horizon.yaml | 17 | ||||
| -rw-r--r-- | docker/services/nova-libvirt.yaml | 2 | ||||
| -rw-r--r-- | docker/services/rabbitmq.yaml | 51 | ||||
| -rw-r--r-- | environments/docker-services-tls-everywhere.yaml | 2 | ||||
| -rw-r--r-- | environments/storage/external-ceph.yaml | 2 | ||||
| -rw-r--r-- | puppet/services/ceph-base.yaml | 18 | ||||
| -rw-r--r-- | puppet/services/ceph-external.yaml | 18 | ||||
| -rw-r--r-- | puppet/services/ceph-mds.yaml | 12 | ||||
| -rw-r--r-- | puppet/services/manila-backend-cephfs.yaml | 9 | ||||
| -rw-r--r-- | puppet/services/nova-compute.yaml | 2 | ||||
| -rw-r--r-- | puppet/services/nova-libvirt.yaml | 2 |
12 files changed, 121 insertions, 16 deletions
diff --git a/docker/services/ceph-ansible/ceph-base.yaml b/docker/services/ceph-ansible/ceph-base.yaml index 0399faf8..f09e98ce 100644 --- a/docker/services/ceph-ansible/ceph-base.yaml +++ b/docker/services/ceph-ansible/ceph-base.yaml @@ -94,7 +94,7 @@ parameters: default: vms type: string CephClientKey: - description: The Ceph client key. Can be created with ceph-authtool --gen-print-key. Currently only used for external Ceph deployments to create the openstack user keyring. + description: The Ceph client key. Can be created with ceph-authtool --gen-print-key. type: string hidden: true CephClientUserName: diff --git a/docker/services/horizon.yaml b/docker/services/horizon.yaml index 3d3bc7c3..f2f2b8dc 100644 --- a/docker/services/horizon.yaml +++ b/docker/services/horizon.yaml @@ -36,6 +36,13 @@ parameters: default: {} description: Parameters specific to the role type: json + EnableInternalTLS: + type: boolean + default: false + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: @@ -117,6 +124,16 @@ outputs: - /var/lib/kolla/config_files/horizon.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/horizon/:/var/lib/kolla/config_files/src:ro - /var/log/containers/horizon:/var/log/horizon + - + if: + - internal_tls_enabled + - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro + - '' + - + if: + - internal_tls_enabled + - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro + - '' environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml index 62c25bb2..47414083 100644 --- a/docker/services/nova-libvirt.yaml +++ b/docker/services/nova-libvirt.yaml @@ -61,7 +61,7 @@ parameters: description: Whether to enable or not the Rbd backend for Cinder type: boolean CephClientKey: - description: The Ceph client key. Can be created with ceph-authtool --gen-print-key. Currently only used for external Ceph deployments to create the openstack user keyring. + description: The Ceph client key. Can be created with ceph-authtool --gen-print-key. type: string hidden: true CephClusterFSID: diff --git a/docker/services/rabbitmq.yaml b/docker/services/rabbitmq.yaml index 418c60d2..add78879 100644 --- a/docker/services/rabbitmq.yaml +++ b/docker/services/rabbitmq.yaml @@ -40,6 +40,18 @@ parameters: type: string default: '' hidden: true + EnableInternalTLS: + type: boolean + default: false + InternalTLSCAFile: + default: '/etc/ipa/ca.crt' + type: string + description: Specifies the default CA cert to use if TLS is used for + services in the internal network. + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: @@ -66,6 +78,10 @@ outputs: map_merge: - {get_attr: [RabbitmqBase, role_data, config_settings]} - rabbitmq::admin_enable: false + - if: + - internal_tls_enabled + - tripleo::certmonger::rabbitmq::postsave_cmd: "true" # TODO: restart the rabbitmq container here + - {} step_config: &step_config list_join: - "\n" @@ -85,10 +101,21 @@ outputs: dest: "/" merge: true preserve_properties: true + - source: "/var/lib/kolla/config_files/src-tls/*" + dest: "/" + merge: true + preserve_properties: true + optional: true permissions: - path: /var/lib/rabbitmq owner: rabbitmq:rabbitmq recurse: true + - path: /etc/pki/tls/certs/rabbitmq.crt + owner: rabbitmq:rabbitmq + optional: true + - path: /etc/pki/tls/private/rabbitmq.key + owner: rabbitmq:rabbitmq + optional: true docker_config: # Kolla_bootstrap runs before permissions set by kolla_config step_1: @@ -115,6 +142,17 @@ outputs: - /var/lib/config-data/puppet-generated/rabbitmq/:/var/lib/kolla/config_files/src:ro - /var/lib/rabbitmq:/var/lib/rabbitmq - /var/log/containers/rabbitmq:/var/log/rabbitmq + - if: + - internal_tls_enabled + - + - list_join: + - ':' + - - {get_param: InternalTLSCAFile} + - {get_param: InternalTLSCAFile} + - 'ro' + - /etc/pki/tls/certs/rabbitmq.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt:ro + - /etc/pki/tls/private/rabbitmq.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key:ro + - null environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - KOLLA_BOOTSTRAP=True @@ -143,6 +181,17 @@ outputs: - /var/lib/config-data/puppet-generated/rabbitmq/:/var/lib/kolla/config_files/src:ro - /var/lib/rabbitmq:/var/lib/rabbitmq - /var/log/containers/rabbitmq:/var/log/rabbitmq + - if: + - internal_tls_enabled + - + - list_join: + - ':' + - - {get_param: InternalTLSCAFile} + - {get_param: InternalTLSCAFile} + - 'ro' + - /etc/pki/tls/certs/rabbitmq.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt:ro + - /etc/pki/tls/private/rabbitmq.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key:ro + - null environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS docker_puppet_tasks: @@ -155,6 +204,8 @@ outputs: volumes: - /var/lib/config-data/rabbitmq/etc/rabbitmq/:/etc/rabbitmq/:ro - /var/lib/rabbitmq:/var/lib/rabbitmq:ro + metadata_settings: + get_attr: [RabbitmqBase, role_data, metadata_settings] host_prep_tasks: - name: create persistent directories file: diff --git a/environments/docker-services-tls-everywhere.yaml b/environments/docker-services-tls-everywhere.yaml index e977dff2..19a43623 100644 --- a/environments/docker-services-tls-everywhere.yaml +++ b/environments/docker-services-tls-everywhere.yaml @@ -21,6 +21,7 @@ resource_registry: OS::TripleO::Services::HeatApi: ../docker/services/heat-api.yaml OS::TripleO::Services::HeatApiCfn: ../docker/services/heat-api-cfn.yaml OS::TripleO::Services::HeatEngine: ../docker/services/heat-engine.yaml + OS::TripleO::Services::Horizon: ../docker/services/horizon.yaml OS::TripleO::Services::Keystone: ../docker/services/keystone.yaml OS::TripleO::Services::Memcached: ../docker/services/memcached.yaml OS::TripleO::Services::NeutronApi: ../docker/services/neutron-api.yaml @@ -44,3 +45,4 @@ resource_registry: OS::TripleO::Services::SwiftStorage: ../docker/services/swift-storage.yaml OS::TripleO::Services::HAproxy: ../docker/services/haproxy.yaml OS::TripleO::Services::MySQL: ../docker/services/database/mysql.yaml + OS::TripleO::Services::RabbitMQ: ../docker/services/rabbitmq.yaml diff --git a/environments/storage/external-ceph.yaml b/environments/storage/external-ceph.yaml index f1c9d516..0f2d0396 100644 --- a/environments/storage/external-ceph.yaml +++ b/environments/storage/external-ceph.yaml @@ -13,7 +13,7 @@ parameter_defaults: # Type: string CephAdminKey: '' - # The Ceph client key. Can be created with ceph-authtool --gen-print-key. Currently only used for external Ceph deployments to create the openstack user keyring. + # The Ceph client key. Can be created with ceph-authtool --gen-print-key. # Mandatory. This parameter must be set by the user. # Type: string CephClientKey: <None> diff --git a/puppet/services/ceph-base.yaml b/puppet/services/ceph-base.yaml index ce9f9b9d..f6573f6c 100644 --- a/puppet/services/ceph-base.yaml +++ b/puppet/services/ceph-base.yaml @@ -11,7 +11,7 @@ parameters: type: string hidden: true CephClientKey: - description: The Ceph client key. Can be created with ceph-authtool --gen-print-key. Currently only used for external Ceph deployments to create the openstack user keyring. + description: The Ceph client key. Can be created with ceph-authtool --gen-print-key. type: string hidden: true CephClientUserName: @@ -61,6 +61,14 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + ManilaCephFSNativeCephFSAuthId: + type: string + default: 'manila' + CephManilaClientKey: + default: '' + description: The Ceph client key. Can be created with ceph-authtool --gen-print-key. + type: string + hidden: true # DEPRECATED options for compatibility with overcloud.yaml # This should be removed and manipulation of the ControllerServices list # used instead, but we need client support for that first @@ -133,6 +141,14 @@ outputs: CINDERBACKUP_POOL: {get_param: CinderBackupRbdPoolName} GLANCE_POOL: {get_param: GlanceRbdPoolName} GNOCCHI_POOL: {get_param: GnocchiRbdPoolName} + MANILA_CLIENT_KEY: + mode: '0644' + secret: {get_param: CephManilaClientKey} + cap_mon: 'allow r, allow command \"auth del\", allow command \"auth caps\", allow command \"auth get\", allow command \"auth get-or-create\"' + cap_mds: 'allow *' + cap_osd: 'allow rw' - keys: CEPH_CLIENT_KEY: list_join: ['.', ['client', {get_param: CephClientUserName}]] + MANILA_CLIENT_KEY: + list_join: ['.', ['client', {get_param: ManilaCephFSNativeCephFSAuthId}]] diff --git a/puppet/services/ceph-external.yaml b/puppet/services/ceph-external.yaml index 97e44159..1459b851 100644 --- a/puppet/services/ceph-external.yaml +++ b/puppet/services/ceph-external.yaml @@ -5,7 +5,7 @@ description: > parameters: CephClientKey: - description: The Ceph client key. Can be created with ceph-authtool --gen-print-key. Currently only used for external Ceph deployments to create the openstack user keyring. + description: The Ceph client key. Can be created with ceph-authtool --gen-print-key. type: string hidden: true CephClientUserName: @@ -68,6 +68,14 @@ parameters: image. Only applies to format 2 images. Set to '1' for Jewel clients using older Ceph servers. type: string + ManilaCephFSNativeCephFSAuthId: + type: string + default: 'manila' + CephManilaClientKey: + default: '' + description: The Ceph client key. Can be created with ceph-authtool --gen-print-key. + type: string + hidden: true outputs: role_data: @@ -94,9 +102,17 @@ outputs: CINDERBACKUP_POOL: {get_param: CinderBackupRbdPoolName} GLANCE_POOL: {get_param: GlanceRbdPoolName} GNOCCHI_POOL: {get_param: GnocchiRbdPoolName} + MANILA_CLIENT_KEY: + mode: '0644' + secret: {get_param: CephManilaClientKey} + cap_mon: 'allow r, allow command \"auth del\", allow command \"auth caps\", allow command \"auth get\", allow command \"auth get-or-create\"' + cap_mds: 'allow *' + cap_osd: 'allow rw' - keys: CEPH_CLIENT_KEY: list_join: ['.', ['client', {get_param: CephClientUserName}]] + MANILA_CLIENT_KEY: + list_join: ['.', ['client', {get_param: ManilaCephFSNativeCephFSAuthId}]] ceph::profile::params::manage_repo: false # FIXME(gfidente): we should not have to list the packages explicitly in # the templates, but this should stay until the following is fixed: diff --git a/puppet/services/ceph-mds.yaml b/puppet/services/ceph-mds.yaml index c561ea0e..ad799edb 100644 --- a/puppet/services/ceph-mds.yaml +++ b/puppet/services/ceph-mds.yaml @@ -35,6 +35,15 @@ parameters: with ceph-authtool --gen-print-key. type: string hidden: true + ManilaCephFSDataPoolName: + default: manila_data + type: string + ManilaCephFSMetadataPoolName: + default: manila_metadata + type: string + ManilaCephFSNativeShareBackendName: + default: cephfs + type: string resources: CephBase: @@ -60,5 +69,8 @@ outputs: '112 ceph_mds': dport: - '6800-7300' + ceph::profile::params::fs_data_pool: {get_param: ManilaCephFSDataPoolName} + ceph::profile::params::fs_metadata_pool: {get_param: ManilaCephFSMetadataPoolName} + ceph::profile::params::fs_name: {get_param: ManilaCephFSNativeShareBackendName} step_config: | include ::tripleo::profile::base::ceph::mds diff --git a/puppet/services/manila-backend-cephfs.yaml b/puppet/services/manila-backend-cephfs.yaml index 9d6b508b..9207d99f 100644 --- a/puppet/services/manila-backend-cephfs.yaml +++ b/puppet/services/manila-backend-cephfs.yaml @@ -52,12 +52,6 @@ parameters: ManilaCephFSNativeCephFSEnableSnapshots: type: boolean default: false - ManilaCephFSDataPoolName: - default: manila_data - type: string - ManilaCephFSMetadataPoolName: - default: manila_metadata - type: string # (jprovazn) default value is set to assure this templates works with an # external ceph too (user/key is created only when ceph is deployed by # TripleO) @@ -81,7 +75,4 @@ outputs: manila::backend::cephfsnative::cephfs_cluster_name: {get_param: ManilaCephFSNativeCephFSClusterName} manila::backend::cephfsnative::cephfs_enable_snapshots: {get_param: ManilaCephFSNativeCephFSEnableSnapshots} manila::backend::cephfsnative::ceph_client_key: {get_param: CephManilaClientKey} - ceph::profile::params::fs_data_pool: {get_param: ManilaCephFSDataPoolName} - ceph::profile::params::fs_metadata_pool: {get_param: ManilaCephFSMetadataPoolName} - ceph::profile::params::fs_name: {get_param: ManilaCephFSNativeShareBackendName} step_config: diff --git a/puppet/services/nova-compute.yaml b/puppet/services/nova-compute.yaml index 36866a3a..22a743e0 100644 --- a/puppet/services/nova-compute.yaml +++ b/puppet/services/nova-compute.yaml @@ -37,7 +37,7 @@ parameters: default: openstack type: string CephClientKey: - description: The Ceph client key. Can be created with ceph-authtool --gen-print-key. Currently only used for external Ceph deployments to create the openstack user keyring. + description: The Ceph client key. Can be created with ceph-authtool --gen-print-key. type: string hidden: true CephClusterFSID: diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml index e1fe5aa9..df9e88fb 100644 --- a/puppet/services/nova-libvirt.yaml +++ b/puppet/services/nova-libvirt.yaml @@ -34,7 +34,7 @@ parameters: default: openstack type: string CephClientKey: - description: The Ceph client key. Can be created with ceph-authtool --gen-print-key. Currently only used for external Ceph deployments to create the openstack user keyring. + description: The Ceph client key. Can be created with ceph-authtool --gen-print-key. type: string hidden: true CephClusterFSID: |