With these two services running over httpd in the containers, we can now
enable TLS for them.
bp tls-via-certmonger-containers
Change-Id: Ib8fc37a391e3b32feef0ac6492492c0088866d21
The non-containerized version will run over httpd [1], and for the
containerized TLS work, it is needed in the container version as well.
[1] Iac35b7ddcd8a800901548c75ca8d5083ad17e4d3
bp tls-via-certmonger-containers
Depends-On: I1c5f13039414f17312f91a5e0fd02019aa08e00e
Change-Id: I2c39a2957fd95dd261b5b8c4df5e66e00a68d2f7
In non-containerized deployments, Galera can be configured to use TLS
for gcomm group communication when enable_internal_tls is set to true.
Fix the metadata service definition and update the Kolla configuration
to make gcomm use TLS in containers, if configured.
bp tls-via-certmonger-containers
Change-Id: Ibead27be81910f946d64b8e5421bcc41210d7430
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Closes-Bug: #1708135
Depends-On: If845baa7b0a437c28148c817b7f94d540ca15814
This de-couples public TLS from controllers to now run wherever HAProxy
is deployed.
Partially-Implements: blueprint composable-networks
Change-Id: I9e84a25a363899acf103015527787bdd8248949f
We allow using multiple registries (e.g. for OpenStack vs. Ceph
container images). We should allow it also in the insecure registry
configuration.
Change-Id: Icf4a51baf2a230b3fa0d5ced0e9cd1983cd93fb0
Closes-Bug: #1709310
Depends-On: I5cddd20a123a85516577bde1b793a30d43171285
I forgot to remove the existing entry in
I11232fc412adcc18087928c281ba82546388376e.
Change-Id: I40b12e857dc40881f5fe9cf73963ac90caacb17d
After creating glance image successfully, share location
was remaining empty because the NFS volume on controller was
not mounted to docker container.
Now, connecting NFS volume to the docker container.
Change-Id: Ib45f117cbbf2b7b2c0faf024e9a8b049c440d872
Closes-Bug: 1708629
In non-containerized deployments, HAProxy can be configured to use TLS for
proxying internal services.
Fix the creation of the haproxy bundle resource to enable TLS when
configured. The keys and certs files are all passed as configuration files and
must be copied by Kolla at container startup.
For the time being, disable the use of the CRL file until we find a means
of restarting the containerized HAProxy service when that file expires.
Change-Id: If307e3357dccb7e96bdb80c9c06d66a09b55f3bd
Depends-On: I4b72739446c63f0f0ac9f859314a4d6746e20255
Closes-Bug: #1709563
Run virsh secret-define and secret-set-value in an init step
instead of relying on the puppet-nova exec.
Co-Authored-By: Jiri Stransky <jistr@redhat.com>
Change-Id: Ic950e290af1c66d34b40791defbdf4f8afaa11da
Closes-Bug: #1709583
In non-containerized deployments, RabbitMQ can be configured to use TLS for
serving and mirroring traffic.
Fix the creation of the rabbitmq bundle resource to enable TLS when configured.
The key and cert are passed as other configuration files and must be copied by
Kolla at container startup.
Change-Id: I8af63a1cb710e687a593505c0202d717842d5496
Depends-On: Ia64d79462de7012e5bceebf0ffe478a1cccdd6c9
Closes-Bug: #1709558
In change If3989f24f077738845d2edbee405bd9198e7b7db we moved to jinja2
templating to render the networks. This change aims at doing so for the
IPv6 network isolation environment.
Change-Id: Ieebcff3db3f5756a5d23080ea3d09ce78de69e21
Right now when we deploy an HA bundle on a pacemaker remote node,
the deploy will fail due to the fact that the bundle includes
tripleo::profile::base::pacemaker which makes a call to
hiera('hacluster_pwd') which will fail on pcmk remote nodes.
While we could noop the profile on pcmk nodes, it's much simpler
to just make sure this hiera key exists on pcmk remote nodes.
Also make sure that pacemaker::corosync::manage_fw is set to false
on remote nodes, otherwise the mere inclusion of the pacemaker
profile will cause iptables-save to run in a container and thus fail.
Change-Id: I09b3e54a470cc2d600a701d23463962501c5c9d6
We were missing the square brackets around the list of arguments
for get_attr when building the networks cidr output.
This passed CI because Heat does not fail validation and Ceph (which
is consuming the cidr output) is tested with a single network (ctlplane)
which does not build the output using the same templates.
Change-Id: I40bba0784a30295cb0d4eda1fbff20ebac85db99
Closes-Bug: #1709464
We've got to ensure that the cinder-manage db sync is run on only one
controller.
Change-Id: I88a6aa4c49d893b95a26795fbfcf163a780fd0bc
Closes-Bug: #1709315
Some resources were missing, so this syncs up what's working right now.
bp tls-via-certmonger-containers
Change-Id: Ic8fe20d0240f1ad8f18218d66634029d522d4d5a
We had a history mapping for InternalApi to InternalNetwork. If we
remove it then heat will want to destroy InternalNetwork and create
InternalApi which cannot work during upgrade.
This adds compat name parameters to network_data.yaml.
Closes-Bug: #1709105
Change-Id: I8ce6419a5e13a13ee6e991db5ca2196763f52d7a
When using deployed servers, we want to create a standard
tripleo-admin user for Mistral's ssh tasks (e.g. running Ansible on
overcloud). This script wraps the respective Mistral workflow.
Change-Id: I2de698b4aae07f74569243a9e7c1c56eb578e700
Related-Bug: #1708180
Depends-On: Ibe8e54f7b38d8c6c8d944d2b13f0eed004c34c4c
This removes the hardcoded paths for the haproxy certs and keys and will
enable re-use. We'll use this in a further commit in the containerized
TLS work.
Change-Id: I602e5a569e2e7e60835deb80532abcedd7a1f63d
Using a string results in an erroneous check in puppet-keystone, which
sets up a zero where it shouldn't. So we change it to number to avoid
that. Note that there will also be a puppet-keystone fix for this.
Changing the value here assures that deployers only give valid values to
this parameter.
Change-Id: I00823e23358df91ce54f421c12636f05d4196e15
Closes-Bug: #1708584
This change modifies the templates to dynamically define the VIPs
based on network_data.yaml. If a network is defined and marked
with "vip: true" in network_data.yaml, it will be included in the
overcloud.yaml which defines the deployment-level resources.
This should make it possible to create custom networks and
use them for services which use high-availability through VIPs.
Also, extraconfig/nova_metadata/krb-service-pricipals.yaml
was modified to dynamically produce the FQDN map for VIPs on
isolated networks, to match overcloud.j2.yaml.
Depends-On: If074f87494a46305c990a0ea332c7b576d3c6ed8
Depends-On: Iab8aca2f1fcaba0c8f109717a4b3068f629c9aab
Partially-implements: blueprint composable-networks
Closes-bug: 1667104
Change-Id: I71339a6ac41133e95dbc3f93abb7a9fdeb0f2da0
services-docker/ironic"
This moves the directories containing the certs/keys for haproxy one step
further inside the hierarchy. This way we will be able to bind-mount
this certificate into the container without bind-mounting any other
certs/keys from other services.
bp tls-via-certmonger-containers
Depends-On: Iba3adb9464a755e67c6f87d1233b3affa8be565a
Change-Id: I73df8d442b361cb5ef4e343b4ea2a198a5b95da9
Since we now support the zaqar:// publisher, enhance the description to indicate
how to set the zaqar publisher.
Change-Id: Ib7eba98d199fade2346620672e33b74686d4685b
Adding composable services for the Nuage mechanism driver for ML2. This
is separate from Nuage as the core plugin and an intentional duplication
of Nuage under puppet services. Parameters required for Nuage to work as
the mechanism driver are also added.
Change-Id: I2b564610721152c4f4dab9da79442256ba8d0b33
Change-Id: I072a3f582cdb978187d14233ea1ba636d12a1293
Closes-bug: #1708466
This change stops and disables the openstack-nova-compute service
on the compute nodes during the upgrade to the containers architecture.
Closes-bug: 1708371
Change-Id: I9ca909d4e91d0a0e4de15572f727f959d9185c64