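# Step-1 host preparation tasks (every task below is gated on `step|int == 1`):
# TLS certificate requests through linux-system-roles.certificate, pacemaker
# image tagging via tripleo_container_tag, rsyslog forwarding for HAProxy and
# Swift, the collectd podman-socket ACL unit, OVN DB cleanup and container
# pre-fetching. The source looked machine-generated (alphabetically sorted keys,
# flow-quoted shell); it is rewritten here in conventional Ansible layout with
# block scalars for every embedded script.

- name: Certificate generation
  block:
    - name: Create dirs for certificates and keys
      file:
        path: '{{ item }}'
        serole: object_r
        setype: cert_t
        seuser: system_u
        state: directory
      with_items:
        - /etc/pki/tls/certs/httpd
        - /etc/pki/tls/private/httpd
    - include_role:
        name: linux-system-roles.certificate
      vars:
        certificate_requests:
          - ca: ipa
            dns: '{{ fqdn_ctlplane }}'
            key_size: '2048'
            name: httpd-ctlplane
            principal: HTTP/{{ fqdn_ctlplane }}@{{ idm_realm }}
            # USR1 asks httpd for a graceful restart so the renewed cert is picked up.
            run_after: |
              cp /etc/pki/tls/certs/httpd-ctlplane.crt /etc/pki/tls/certs/httpd/httpd-ctlplane.crt
              cp /etc/pki/tls/private/httpd-ctlplane.key /etc/pki/tls/private/httpd/httpd-ctlplane.key
              pkill -USR1 httpd
          - ca: ipa
            dns: '{{ fqdn_storage }}'
            key_size: '2048'
            name: httpd-storage
            principal: HTTP/{{ fqdn_storage }}@{{ idm_realm }}
            run_after: |
              cp /etc/pki/tls/certs/httpd-storage.crt /etc/pki/tls/certs/httpd/httpd-storage.crt
              cp /etc/pki/tls/private/httpd-storage.key /etc/pki/tls/private/httpd/httpd-storage.key
              pkill -USR1 httpd
          - ca: ipa
            dns: '{{ fqdn_storage_mgmt }}'
            key_size: '2048'
            name: httpd-storage_mgmt
            principal: HTTP/{{ fqdn_storage_mgmt }}@{{ idm_realm }}
            run_after: |
              cp /etc/pki/tls/certs/httpd-storage_mgmt.crt /etc/pki/tls/certs/httpd/httpd-storage_mgmt.crt
              cp /etc/pki/tls/private/httpd-storage_mgmt.key /etc/pki/tls/private/httpd/httpd-storage_mgmt.key
              pkill -USR1 httpd
          - ca: ipa
            dns: '{{ fqdn_internal_api }}'
            key_size: '2048'
            name: httpd-internal_api
            principal: HTTP/{{ fqdn_internal_api }}@{{ idm_realm }}
            run_after: |
              cp /etc/pki/tls/certs/httpd-internal_api.crt /etc/pki/tls/certs/httpd/httpd-internal_api.crt
              cp /etc/pki/tls/private/httpd-internal_api.key /etc/pki/tls/private/httpd/httpd-internal_api.key
              pkill -USR1 httpd
          - ca: ipa
            dns: '{{ fqdn_external }}'
            key_size: '2048'
            name: httpd-external
            principal: HTTP/{{ fqdn_external }}@{{ idm_realm }}
            run_after: |
              cp /etc/pki/tls/certs/httpd-external.crt /etc/pki/tls/certs/httpd/httpd-external.crt
              cp /etc/pki/tls/private/httpd-external.key /etc/pki/tls/private/httpd/httpd-external.key
              pkill -USR1 httpd
  when:
    - step|int == 1
    - enable_internal_tls

- name: Cinder Backup tag container image for pacemaker
  import_role:
    name: tripleo_container_tag
  vars:
    container_image: registry.redhat.io/rhosp-rhel9/openstack-cinder-backup:17.1
    container_image_latest: cluster.common.tag/cinder-backup:pcmklatest
  when: step|int == 1

- name: Cinder Volume tag container image for pacemaker
  import_role:
    name: tripleo_container_tag
  vars:
    container_image: registry.redhat.io/rhosp-rhel9/openstack-cinder-volume:17.1
    container_image_latest: cluster.common.tag/cinder-volume:pcmklatest
  when: step|int == 1

- name: set enable_sensubility fact
  set_fact:
    enable_sensubility: false

- name: create podman socket for sensubility purposes
  block:
    - name: create podman socket and appropriate systemd service
      include_role:
        name: tripleo_podman
        tasks_from: tripleo_podman_service
      vars:
        tripleo_podman_socket_path: /var/lib/tripleo-podman/collectd/podman.sock
    # The ACLs below hand the collectd user inside the container read/write
    # access to the host podman API socket, which is root-equivalent on the
    # host; that is why this whole block stays gated on enable_sensubility.
    # NOTE(review): the ExecStart lines pass -it although systemd provides no
    # TTY; confirm podman exec tolerates this here, or drop the -t.
    - name: create systemd service for ensuring socket file ACL contains collectd
      become: true
      ansible.builtin.copy:
        content: |
          [Unit]
          Description=ACL setting for /var/lib/tripleo-podman/collectd/podman.sock
          Requires=tripleo_collectd.service
          After=tripleo_podman.service
          After=tripleo_collectd.service

          [Service]
          Type=oneshot
          ExecStart=/usr/bin/podman exec -it collectd setfacl -m m:rwx /run/podman/podman.sock
          ExecStart=/usr/bin/podman exec -it collectd setfacl -R -m u:collectd:rwx /run/podman
          ExecStart=/usr/bin/podman exec -it collectd setfacl -d -m u:collectd:rwx /run/podman

          [Install]
          WantedBy=multi-user.target
        dest: /etc/systemd/system/tripleo_podman_collectd_acl.service
        # Same bits as the former decimal 420; written as an octal string so the
        # intent is readable and no YAML parser retypes it.
        mode: '0644'
    - name: enable podman.sock ACL service
      ansible.builtin.service:
        enabled: true
        name: tripleo_podman_collectd_acl.service
    - name: create directory for downloads of users' scripts
      file:
        mode: '0755'
        path: /var/lib/container-user-scripts
        setype: container_file_t
        state: directory
    # Each downloaded script is pinned by item.checksum; the list is empty in
    # this rendering, so the task is a no-op until scripts are configured.
    - name: download exec scripts
      ansible.builtin.get_url:
        checksum: '{{ item.checksum }}'
        dest: /var/lib/container-user-scripts/{{ item.name }}
        mode: '0755'
        url: '{{ item.source }}'
      with_items: []
  when:
    - enable_sensubility|bool
    - step|int == 1

- name: Configure rsyslog for HAproxy container managed by Pacemaker
  block:
    # `systemctl is-active` exits non-zero when rsyslog is not running; the
    # inner block already checks rc == 0, so the probe must not fail the play.
    - name: Check if rsyslog exists
      shell: systemctl is-active rsyslog
      register: rsyslog_config
      failed_when: false
    - block:
        - name: Forward logging to haproxy.log file
          blockinfile:
            content: |
              if $syslogfacility-text == '{{facility}}' and $programname == 'haproxy' then -/var/log/containers/haproxy/haproxy.log
              & stop
            create: true
            path: /etc/rsyslog.d/openstack-haproxy.conf
          register: logconfig
          vars:
            facility: local0
        - name: restart rsyslog service after logging conf change
          service:
            name: rsyslog
            state: restarted
          when: logconfig is changed
      when:
        - rsyslog_config is changed
        - rsyslog_config.rc == 0
  when: step|int == 1

- name: HAproxy tag container image for pacemaker
  import_role:
    name: tripleo_container_tag
  vars:
    container_image: registry.redhat.io/rhosp-rhel9/openstack-haproxy:17.1
    container_image_latest: cluster.common.tag/haproxy:pcmklatest
  when: step|int == 1

# Public (external) HAProxy endpoint certificate. Uses the IPA CA when one is
# configured, otherwise certmonger's local self-signing CA, whose certificate is
# first extracted into the system trust store.
- name: Certificate generation
  block:
    - name: make sure certmonger is installed
      package:
        name: certmonger
        state: present
    - name: make sure certmonger service is started
      systemd:
        enabled: true
        masked: false
        name: certmonger.service
        state: started
    - name: Create dirs for certificates and keys
      file:
        path: '{{ item }}'
        serole: object_r
        setype: cert_t
        seuser: system_u
        state: directory
      with_items:
        - /etc/pki/tls/certs/haproxy
        - /etc/pki/tls/private/haproxy
    # Retried because certmonger may not have created its local credentials
    # yet right after the service starts.
    - name: Extract and trust certmonger's local CA
      shell: |
        set -e
        ca_pem='/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'
        openssl pkcs12 -in /var/lib/certmonger/local/creds -out ${ca_pem} -nokeys -nodes -passin pass:''
        chmod 0644 ${ca_pem}
        update-ca-trust extract
        test -e ${ca_pem} && openssl x509 -checkend 0 -noout -in ${ca_pem}
      register: local_ca_extract_result
      retries: 5
      delay: 1
      until: local_ca_extract_result.rc == 0
      when: certmonger_ca != 'IPA' and (ipa_realm is not defined)
    - include_role:
        name: linux-system-roles.certificate
      vars:
        certificate_requests:
          - ca: "{{ (certmonger_ca == 'IPA' or idm_realm is defined) | ternary('ipa', 'self-sign') }}"
            dns: '{{cloud_names.cloud_name_external}}'
            ip: '{{[cloud_names.cloud_name_external]|ipaddr}}'
            key_size: '2048'
            name: haproxy-external-cert
            principal: haproxy/{{cloud_names.cloud_name_external}}@{{idm_realm|default('UNDERCLOUD')}}
            run_after: |
              # Copy crt and key for backward compatibility
              cp "/etc/pki/tls/certs/haproxy-external-cert.crt" "/etc/pki/tls/certs/haproxy/overcloud-haproxy-external.crt"
              cp "/etc/pki/tls/private/haproxy-external-cert.key" "/etc/pki/tls/private/haproxy/overcloud-haproxy-external.key"

              ca_type={{ (certmonger_ca == 'IPA' or idm_realm is defined) | ternary('ipa', 'self-sign') }}
              if [ "$ca_type" = "self-sign" ]; then
                # refresh the ca cert just in case the ca cert has been renewed
                ca_pem='/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'
                openssl pkcs12 -in /var/lib/certmonger/local/creds -out ${ca_pem} -nokeys -nodes -passin pass:''
                chmod 0644 ${ca_pem}
                update-ca-trust extract
                test -e ${ca_pem} && openssl x509 -checkend 0 -noout -in ${ca_pem}
                openssl x509 -in ${ca_pem} -out /tmp/cm-local-ca.pem
                ca_path="/tmp/cm-local-ca.pem"
              else
                ca_path="/etc/ipa/ca.crt"
              fi

              service_crt="/etc/pki/tls/certs/haproxy/overcloud-haproxy-external.crt"
              service_key="/etc/pki/tls/private/haproxy/overcloud-haproxy-external.key"
              service_pem="/etc/pki/tls/private/overcloud_endpoint.pem"

              cat "$service_crt" "$ca_path" "$service_key" > "$service_pem"

              container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')
              # Inject the new pem into the running container
              if echo "$container_name" | grep -q "^haproxy-bundle"; then
                # lp#1917868: Do not use podman cp with HA containers as they get
                # frozen temporarily and that can make pacemaker operation fail.
                tar -c "$service_pem" | {{container_cli}} exec -i "$container_name" tar -C / -xv
                # no need to update the mount point, because pacemaker
                # recreates the container when it's restarted
              else
                # Refresh the pem at the mount-point
                {{container_cli}} cp $service_pem "$container_name:/var/lib/kolla/config_files/src-tls/$service_pem"
                # Copy the new pem from the mount-point to the real path
                {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
              fi
              # Set appropriate permissions
              {{container_cli}} exec "$container_name" chown haproxy:haproxy "$service_pem"
              # Trigger a reload for HAProxy to read the new certificates
              {{container_cli}} kill --signal HUP "$container_name"
  vars:
    certmonger_ca: ''
  when: step|int == 1

# Per-network HAProxy certificates issued by IPA; the run_after scripts are
# identical apart from the network name.
- name: Certificate generation
  block:
    - name: Create dirs for certificates and keys
      file:
        path: '{{ item }}'
        serole: object_r
        setype: cert_t
        seuser: system_u
        state: directory
      with_items:
        - /etc/pki/tls/certs/haproxy
        - /etc/pki/tls/private/haproxy
    - include_role:
        name: linux-system-roles.certificate
      vars:
        certificate_requests:
          - ca: ipa
            dns:
              - '{{fqdn_ctlplane}}'
              - '{{cloud_names.cloud_name_ctlplane}}'
            key_size: '2048'
            name: haproxy-ctlplane-cert
            principal: haproxy/{{fqdn_ctlplane}}@{{idm_realm}}
            run_after: |
              # Copy crt and key for backward compatibility
              cp "/etc/pki/tls/certs/haproxy-ctlplane-cert.crt" "/etc/pki/tls/certs/haproxy/overcloud-haproxy-ctlplane.crt"
              cp "/etc/pki/tls/private/haproxy-ctlplane-cert.key" "/etc/pki/tls/private/haproxy/overcloud-haproxy-ctlplane.key"

              ca_path="/etc/ipa/ca.crt"
              service_crt="/etc/pki/tls/certs/haproxy/overcloud-haproxy-ctlplane.crt"
              service_key="/etc/pki/tls/private/haproxy/overcloud-haproxy-ctlplane.key"
              service_pem="/etc/pki/tls/certs/haproxy/overcloud-haproxy-ctlplane.pem"

              cat "$service_crt" "$ca_path" "$service_key" > "$service_pem"

              container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')
              # Inject the new pem into the running container
              if echo "$container_name" | grep -q "^haproxy-bundle"; then
                # lp#1917868: Do not use podman cp with HA containers as they get
                # frozen temporarily and that can make pacemaker operation fail.
                tar -c "$service_pem" | {{container_cli}} exec -i "$container_name" tar -C / -xv
                # no need to update the mount point, because pacemaker
                # recreates the container when it's restarted
              else
                # Refresh the pem at the mount-point
                {{container_cli}} cp $service_pem "$container_name:/var/lib/kolla/config_files/src-tls/$service_pem"
                # Copy the new pem from the mount-point to the real path
                {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
              fi
              # Set appropriate permissions
              {{container_cli}} exec "$container_name" chown haproxy:haproxy "$service_pem"
              # Trigger a reload for HAProxy to read the new certificates
              {{container_cli}} kill --signal HUP "$container_name"
          - ca: ipa
            dns:
              - '{{fqdn_storage}}'
              - '{{cloud_names.cloud_name_storage}}'
            key_size: '2048'
            name: haproxy-storage-cert
            principal: haproxy/{{fqdn_storage}}@{{idm_realm}}
            run_after: |
              # Copy crt and key for backward compatibility
              cp "/etc/pki/tls/certs/haproxy-storage-cert.crt" "/etc/pki/tls/certs/haproxy/overcloud-haproxy-storage.crt"
              cp "/etc/pki/tls/private/haproxy-storage-cert.key" "/etc/pki/tls/private/haproxy/overcloud-haproxy-storage.key"

              ca_path="/etc/ipa/ca.crt"
              service_crt="/etc/pki/tls/certs/haproxy/overcloud-haproxy-storage.crt"
              service_key="/etc/pki/tls/private/haproxy/overcloud-haproxy-storage.key"
              service_pem="/etc/pki/tls/certs/haproxy/overcloud-haproxy-storage.pem"

              cat "$service_crt" "$ca_path" "$service_key" > "$service_pem"

              container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')
              # Inject the new pem into the running container
              if echo "$container_name" | grep -q "^haproxy-bundle"; then
                # lp#1917868: Do not use podman cp with HA containers as they get
                # frozen temporarily and that can make pacemaker operation fail.
                tar -c "$service_pem" | {{container_cli}} exec -i "$container_name" tar -C / -xv
                # no need to update the mount point, because pacemaker
                # recreates the container when it's restarted
              else
                # Refresh the pem at the mount-point
                {{container_cli}} cp $service_pem "$container_name:/var/lib/kolla/config_files/src-tls/$service_pem"
                # Copy the new pem from the mount-point to the real path
                {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
              fi
              # Set appropriate permissions
              {{container_cli}} exec "$container_name" chown haproxy:haproxy "$service_pem"
              # Trigger a reload for HAProxy to read the new certificates
              {{container_cli}} kill --signal HUP "$container_name"
          - ca: ipa
            dns:
              - '{{fqdn_storage_mgmt}}'
              - '{{cloud_names.cloud_name_storage_mgmt}}'
            key_size: '2048'
            name: haproxy-storage_mgmt-cert
            principal: haproxy/{{fqdn_storage_mgmt}}@{{idm_realm}}
            run_after: |
              # Copy crt and key for backward compatibility
              cp "/etc/pki/tls/certs/haproxy-storage_mgmt-cert.crt" "/etc/pki/tls/certs/haproxy/overcloud-haproxy-storage_mgmt.crt"
              cp "/etc/pki/tls/private/haproxy-storage_mgmt-cert.key" "/etc/pki/tls/private/haproxy/overcloud-haproxy-storage_mgmt.key"

              ca_path="/etc/ipa/ca.crt"
              service_crt="/etc/pki/tls/certs/haproxy/overcloud-haproxy-storage_mgmt.crt"
              service_key="/etc/pki/tls/private/haproxy/overcloud-haproxy-storage_mgmt.key"
              service_pem="/etc/pki/tls/certs/haproxy/overcloud-haproxy-storage_mgmt.pem"

              cat "$service_crt" "$ca_path" "$service_key" > "$service_pem"

              container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')
              # Inject the new pem into the running container
              if echo "$container_name" | grep -q "^haproxy-bundle"; then
                # lp#1917868: Do not use podman cp with HA containers as they get
                # frozen temporarily and that can make pacemaker operation fail.
                tar -c "$service_pem" | {{container_cli}} exec -i "$container_name" tar -C / -xv
                # no need to update the mount point, because pacemaker
                # recreates the container when it's restarted
              else
                # Refresh the pem at the mount-point
                {{container_cli}} cp $service_pem "$container_name:/var/lib/kolla/config_files/src-tls/$service_pem"
                # Copy the new pem from the mount-point to the real path
                {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
              fi
              # Set appropriate permissions
              {{container_cli}} exec "$container_name" chown haproxy:haproxy "$service_pem"
              # Trigger a reload for HAProxy to read the new certificates
              {{container_cli}} kill --signal HUP "$container_name"
          - ca: ipa
            dns:
              - '{{fqdn_internal_api}}'
              - '{{cloud_names.cloud_name_internal_api}}'
            key_size: '2048'
            name: haproxy-internal_api-cert
            principal: haproxy/{{fqdn_internal_api}}@{{idm_realm}}
            run_after: |
              # Copy crt and key for backward compatibility
              cp "/etc/pki/tls/certs/haproxy-internal_api-cert.crt" "/etc/pki/tls/certs/haproxy/overcloud-haproxy-internal_api.crt"
              cp "/etc/pki/tls/private/haproxy-internal_api-cert.key" "/etc/pki/tls/private/haproxy/overcloud-haproxy-internal_api.key"

              ca_path="/etc/ipa/ca.crt"
              service_crt="/etc/pki/tls/certs/haproxy/overcloud-haproxy-internal_api.crt"
              service_key="/etc/pki/tls/private/haproxy/overcloud-haproxy-internal_api.key"
              service_pem="/etc/pki/tls/certs/haproxy/overcloud-haproxy-internal_api.pem"

              cat "$service_crt" "$ca_path" "$service_key" > "$service_pem"

              container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')
              # Inject the new pem into the running container
              if echo "$container_name" | grep -q "^haproxy-bundle"; then
                # lp#1917868: Do not use podman cp with HA containers as they get
                # frozen temporarily and that can make pacemaker operation fail.
                tar -c "$service_pem" | {{container_cli}} exec -i "$container_name" tar -C / -xv
                # no need to update the mount point, because pacemaker
                # recreates the container when it's restarted
              else
                # Refresh the pem at the mount-point
                {{container_cli}} cp $service_pem "$container_name:/var/lib/kolla/config_files/src-tls/$service_pem"
                # Copy the new pem from the mount-point to the real path
                {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
              fi
              # Set appropriate permissions
              {{container_cli}} exec "$container_name" chown haproxy:haproxy "$service_pem"
              # Trigger a reload for HAProxy to read the new certificates
              {{container_cli}} kill --signal HUP "$container_name"
  when: step|int == 1

- name: Run lvmfilter role
  include_role:
    name: tripleo_lvmfilter
  when:
    - step|int == 1

- name: Manila Share tag container image for pacemaker
  import_role:
    name: tripleo_container_tag
  vars:
    container_image: registry.redhat.io/rhosp-rhel9/openstack-manila-share:17.1
    container_image_latest: cluster.common.tag/manila-share:pcmklatest
  when: step|int == 1

- name: Certificate generation
  block:
    - include_role:
        name: linux-system-roles.certificate
      vars:
        certificate_requests:
          - ca: ipa
            dns: '{{fqdn_internal_api}}'
            key_size: '2048'
            name: memcached
            principal: memcached/{{fqdn_internal_api}}@{{idm_realm}}
            run_after: |
              container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep memcached)
              service_crt="/etc/pki/tls/certs/memcached.crt"
              service_key="/etc/pki/tls/private/memcached.key"
              # Copy the new cert from the mount-point to the real path
              {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
              # Copy the new key from the mount-point to the real path
              {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
              # Set appropriate permissions
              {{container_cli}} exec -u root "$container_name" chown memcached:memcached "$service_crt"
              {{container_cli}} exec -u root "$container_name" chown memcached:memcached "$service_key"
              # Send refresh_certs command to memcached to read the new certificate
              memcached_ip="$(hiera -c /etc/puppet/hiera.yaml memcached::listen_ip.0 127.0.0.1)"
              memcached_port="$(hiera -c /etc/puppet/hiera.yaml memcached::tcp_port 11211)"
              echo refresh_certs | openssl s_client -connect $memcached_ip:$memcached_port
  when: step|int == 1

- name: Certificate generation
  block:
    - include_role:
        name: linux-system-roles.certificate
      vars:
        certificate_requests:
          - ca: ipa
            dns: '{{fqdn_internal_api}}'
            key_size: '2048'
            name: metrics_qdr
            principal: metrics_qdr/{{fqdn_internal_api}}@{{idm_realm}}
            # The service_key assignment previously lacked its closing quote, which
            # swallowed the following lines into the string and broke the script.
            run_after: |
              container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep metrics_qdr)
              service_crt="/etc/pki/tls/certs/metrics_qdr.crt"
              service_key="/etc/pki/tls/private/metrics_qdr.key"
              # Copy the new cert from the mount-point to the real path
              {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
              # Copy the new key from the mount-point to the real path
              {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
              # Set appropriate permissions
              {{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_crt"
              {{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_key"
              # Trigger a container restart to read the new certificate
              {{container_cli}} restart "$container_name"
  when:
    - step|int == 1
    - enable_internal_tls

- name: Certificate generation
  block:
    - include_role:
        name: linux-system-roles.certificate
      vars:
        certificate_requests:
          - ca: ipa
            dns:
              - '{{fqdn_internal_api}}'
              - '{{cloud_names.cloud_name_internal_api}}'
            key_size: '2048'
            name: mysql
            principal: mysql/{{fqdn_internal_api}}@{{idm_realm}}
  when:
    - step|int == 1
    - enable_internal_tls

- name: MySQL tag container image for pacemaker
  import_role:
    name: tripleo_container_tag
  vars:
    container_image: registry.redhat.io/rhosp-rhel9/openstack-mariadb:17.1
    container_image_latest: cluster.common.tag/mariadb:pcmklatest
  when: step|int == 1

- name: Certificate generation
  block:
    - include_role:
        name: linux-system-roles.certificate
      vars:
        certificate_requests:
          - ca: ipa
            dns: '{{fqdn_internal_api}}'
            key_size: '2048'
            name: neutron_ovn
            principal: neutron_ovn/{{fqdn_internal_api}}@{{idm_realm}}
  when: step|int == 1

# Two certs for the VNC path; each loop item overrides key size, name and
# principal, while the request template below is shared.
- name: Certificate generation
  block:
    - name: Execute system role for Nova/Libvirt VNC certs
      include_role:
        name: linux-system-roles.certificate
      loop:
        - key_size: '{{ libvirt_vnc_key_size | default(cert_key_size, true) }}'
          name: libvirt-vnc-client-cert
          principal: libvirt-vnc/{{ libvirt_network }}@{{ idm_realm }}
        - key_size: '{{ nova_vnc_key_size | default(cert_key_size, true) }}'
          name: novnc-proxy
          principal: novnc-proxy/{{ libvirt_network }}@{{ idm_realm }}
      loop_control:
        loop_var: cert
      vars:
        certificate_requests:
          - ca: ipa
            dns: '{{ libvirt_network }}'
            key_size: '{{ cert.key_size }}'
            name: '{{ cert.name }}'
            principal: '{{ cert.principal }}'
            run_after: |
              container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep nova_vnc_proxy)
              service_crt="/etc/pki/tls/certs/{{ cert.name }}.crt"
              service_key="/etc/pki/tls/private/{{ cert.name }}.key"
              # Copy the new cert from the mount-point to the real path
              {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
              # Copy the new key from the mount-point to the real path
              {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
              # Set permissions
              {{container_cli}} exec -u root "$container_name" chmod 0644 $service_crt
              {{container_cli}} exec -u root "$container_name" chmod 0640 $service_key
              {{container_cli}} exec -u root "$container_name" chgrp qemu $service_key
              # No need to trigger a reload for novnc proxy since the cert is not cached
  vars:
    cert_key_size: '2048'
    libvirt_network: '{{ fqdn_internal_api }}'
    libvirt_vnc_key_size: ''
    nova_vnc_key_size: ''
  when: step|int == 1

- name: set is_ovn_dbs_bootstrap_node fact
  set_fact:
    is_ovn_dbs_bootstrap_node: "{{ ovn_dbs_short_bootstrap_node_name | lower == ansible_facts['hostname'] | lower }}"
  when:
    - step|int == 1

- name: Populate ansible service facts so we can check for pacemaker service
  ansible.builtin.service_facts: {}
  when:
    - is_ovn_dbs_bootstrap_node | bool
    - step|int == 1

# Runs only on the bootstrap node and only when pacemaker is actually running,
# so the pcs/crm commands have a cluster to talk to.
- name: Remove OVNDBs from Pacemaker
  block:
    - name: Fetch ovn-dbs-bundle
      shell: |
        pcs status |grep ovn-dbs-bundle ||true
      register: ovn_dbs
    - name: Fetch ovn VIP
      shell: |
        pcs constraint config |grep "with ovn-dbs-bundle" |awk '{print $1}'
      register: ovn_vip
    - name: Remove OVNDBs from pacemaker
      pacemaker_resource:
        resource: ovn-dbs-bundle
        state: delete
      when: ovn_dbs.stdout |length > 0
    - name: Remove OVNDBs VIP from pacemaker
      pacemaker_resource:
        resource: '{{ ovn_vip.stdout }}'
        state: delete
      when: ovn_vip.stdout |length > 0
    - name: Clean up pacemaker remote nodes cache
      shell: |
        pcs cluster node clear ovn-dbs-bundle-0
        pcs cluster node clear ovn-dbs-bundle-1
        pcs cluster node clear ovn-dbs-bundle-2
        crm_attribute --name OVN_REPL_INFO --delete
    - name: Remove pacemaker attributes
      shell: |
        pcs node attribute "{{ item }}" ovn-dbs-role= || true
      loop: '{{ ovn_dbs_short_node_names }}'
  when:
    - step|int == 1
    - is_ovn_dbs_bootstrap_node | bool
    - ansible_facts['services']['pacemaker.service']['state'] | default('unknown') == 'running'

# NOTE(review): the original flattened text left it ambiguous whether the
# step-1 guard belongs to this outer block or to the inner OVN-cluster block;
# it is placed on the outer block here, which is the only reading under which
# the ovn_dbs certificate request is also step-gated.
- name: Prepare OVN cluster
  block:
    - name: Certificate generation
      block:
        - include_role:
            name: linux-system-roles.certificate
          vars:
            certificate_requests:
              - ca: ipa
                dns: '{{fqdn_internal_api}}'
                key_size: '2048'
                name: ovn_dbs
                principal: ovn_dbs/{{fqdn_internal_api}}@{{idm_realm}}
      when: enable_internal_tls | bool
    - block:
        - name: Configure OVN DBs and northd
          include_role:
            name: tripleo_ovn_cluster
          vars:
            tripleo_ovn_cluster_dbs_protocol: "{{ enable_internal_tls | ternary('ssl', 'tcp', 'tcp') }}"
            tripleo_ovn_cluster_nb_db_port: 6641
            tripleo_ovn_cluster_nb_local_port: 6643
            tripleo_ovn_cluster_nb_remote_port: 6643
            tripleo_ovn_cluster_nb_ssl_ca_cert: /etc/ipa/ca.crt
            tripleo_ovn_cluster_network: internal_api
            tripleo_ovn_cluster_northd_ssl_ca_cert: /etc/ipa/ca.crt
            tripleo_ovn_cluster_sb_db_port: 6642
            tripleo_ovn_cluster_sb_local_port: 6644
            tripleo_ovn_cluster_sb_remote_port: 6644
            tripleo_ovn_cluster_sb_ssl_ca_cert: /etc/ipa/ca.crt
  when: step|int == 1

- name: Certificate generation
  block:
    - include_role:
        name: linux-system-roles.certificate
      vars:
        certificate_requests:
          - ca: ipa
            dns: '{{fqdn_internal_api}}'
            key_size: '2048'
            name: ovn_controller
            principal: ovn_controller/{{fqdn_internal_api}}@{{idm_realm}}
            run_after: |
              systemctl restart tripleo_ovn_controller
  when:
    - step|int == 1
    - enable_internal_tls

- name: Certificate generation
  block:
    - include_role:
        name: linux-system-roles.certificate
      vars:
        certificate_requests:
          - ca: ipa
            dns: '{{fqdn_internal_api}}'
            key_size: '2048'
            name: rabbitmq
            principal: rabbitmq/{{fqdn_internal_api}}@{{idm_realm}}
            run_after: |
              container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
              service_crt="/etc/pki/tls/certs/rabbitmq.crt"
              service_key="/etc/pki/tls/private/rabbitmq.key"
              if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
                # lp#1917868: Do not use podman cp with HA containers as they get
                # frozen temporarily and that can make pacemaker operation fail.
                tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
                # no need to update the mount point, because pacemaker
                # recreates the container when it's restarted
              else
                # Refresh the cert at the mount-point
                {{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
                # Refresh the key at the mount-point
                {{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
                # Copy the new cert from the mount-point to the real path
                {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
                # Copy the new key from the mount-point to the real path
                {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
              fi
              # Set appropriate permissions
              {{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
              {{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
              # Trigger a pem cache clear in RabbitMQ to read the new certificates
              {{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
  when:
    - step|int == 1
    - enable_internal_tls

- name: RabbitMQ tag container image for pacemaker
  import_role:
    name: tripleo_container_tag
  vars:
    container_image: registry.redhat.io/rhosp-rhel9/openstack-rabbitmq:17.1
    container_image_latest: cluster.common.tag/rabbitmq:pcmklatest
  when: step|int == 1

- block:
    # validate_certs: false turns off TLS verification of the registry for these
    # pulls, so image authenticity rests on the registry/mirror configuration
    # rather than on this task.
    - name: Pre-fetch all the containers
      become: true
      containers.podman.podman_image:
        force: true
        name: '{{ prefetch_image }}'
        validate_certs: false
      loop: "{{ lookup('template', tripleo_role_name + '/docker_config.yaml', errors='ignore') | default('{}', True) | from_yaml | recursive_get_key_from_dict(key='image') | unique }}"
      loop_control:
        loop_var: prefetch_image
      register: result
      retries: 5
      delay: 5
      until: result is succeeded
  when:
    - (step|int) == 1

- name: Certificate generation
  block:
    - include_role:
        name: linux-system-roles.certificate
      vars:
        certificate_requests:
          - ca: ipa
            dns:
              - '{{fqdn_internal_api}}'
              - '{{cloud_names.cloud_name_internal_api}}'
            key_size: '2048'
            name: redis
            principal: redis/{{fqdn_internal_api}}@{{idm_realm}}
            # NOTE(review): the chown target mirrors the memcached task; confirm the
            # redis_tls_proxy (stunnel) container really expects memcached:memcached.
            # The final pkill previously omitted "$container_name", so exec would
            # have looked for a container called "pkill" instead of signalling stunnel.
            run_after: |
              container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep redis_tls_proxy)
              service_crt="/etc/pki/tls/certs/redis.crt"
              service_key="/etc/pki/tls/private/redis.key"
              # Copy the new cert from the mount-point to the real path
              {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
              # Copy the new key from the mount-point to the real path
              {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
              # Set appropriate permissions
              {{container_cli}} exec "$container_name" chown memcached:memcached "$service_crt"
              {{container_cli}} exec "$container_name" chown memcached:memcached "$service_key"
              # Trigger a reload for stunnel to read the new certificate
              {{container_cli}} exec "$container_name" pkill -o -HUP stunnel
  when:
    - step|int == 1
    - enable_internal_tls

- name: Redis tag container image for pacemaker
  import_role:
    name: tripleo_container_tag
  vars:
    container_image: registry.redhat.io/rhosp-rhel9/openstack-redis:17.1
    container_image_latest: cluster.common.tag/redis:pcmklatest
  when: step|int == 1

- name: Configure rsyslog for swift
  block:
    # As above: the probe must not fail the play when rsyslog is inactive; the
    # rc == 0 guard on the next task is what decides whether to configure it.
    - name: Check if rsyslog exists
      shell: systemctl is-active rsyslog
      register: swift_rsyslog_config
      failed_when: false
    - name: Forward logging to swift.log file
      copy:
        content: |
          # Fix for https://bugs.launchpad.net/tripleo/+bug/1776180
          local2.* /var/log/containers/swift/swift.log
          & stop
        dest: /etc/rsyslog.d/openstack-swift.conf
      register: swift_logconfig
      when:
        - swift_rsyslog_config is defined
        - swift_rsyslog_config.rc == 0
    - name: Restart rsyslogd service after logging conf change
      service:
        name: rsyslog
        state: restarted
      when:
        - swift_logconfig is defined
        - swift_logconfig is changed
  when:
    - step|int == 1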