1d12ca545e
Various kolla-ansible TLS features (including backend TLS and custom CA certs) require certificates to be passed via $KOLLA_CONFIG_PATH/certificates/. Currently Kayobe does not support this. This change adds support for copying across files from $KAYOBE_CONFIG_PATH/kolla/certificates. It also uses the kolla-ansible default value for kolla_external_fqdn_cert and kolla_internal_fqdn_cert when kolla_external_tls_cert and kolla_internal_tls_cert are respectively not set. This allows for the standard kolla-ansible configuration approach of dropping these certificates into the $KAYOBE_CONFIG_PATH/kolla/certificates directory, rather than defining them as variables. This can be useful if using the kolla-ansible certificates command to generate certificates for testing. Change-Id: I646930ad8ea70991d6ffa00f15f93f72d922141b Story: 2007679 Task: 39790
194 lines
6.1 KiB
YAML
194 lines
6.1 KiB
YAML
---
|
|
# NOTE: We're not looping over the two inventory files to avoid having the file
|
|
# content displayed in the ansible-playbook output.
|
|
|
|
- name: Check whether the legacy Kolla overcloud inventory files exist
|
|
stat:
|
|
path: "{{ item }}"
|
|
get_attributes: no
|
|
get_checksum: no
|
|
get_mime: no
|
|
register: inventory_stat
|
|
with_items:
|
|
- "{{ kolla_seed_inventory_path }}"
|
|
- "{{ kolla_overcloud_inventory_path }}"
|
|
loop_control:
|
|
label: "{{ item | basename }}"
|
|
|
|
- name: Ensure the legacy Kolla overcloud inventory file is absent
|
|
file:
|
|
path: "{{ item.item }}"
|
|
state: absent
|
|
with_items: "{{ inventory_stat.results }}"
|
|
when:
|
|
- item.stat.exists
|
|
- item.stat.isreg
|
|
loop_control:
|
|
label: "{{ item.item | basename }}"
|
|
|
|
- name: Ensure the Kolla Ansible configuration directories exist
|
|
file:
|
|
path: "{{ item }}"
|
|
state: directory
|
|
owner: "{{ ansible_user_uid }}"
|
|
group: "{{ ansible_user_gid }}"
|
|
mode: 0750
|
|
become: True
|
|
with_items:
|
|
- "{{ kolla_config_path }}"
|
|
- "{{ kolla_seed_inventory_path }}/host_vars"
|
|
- "{{ kolla_overcloud_inventory_path }}/host_vars"
|
|
- "{{ kolla_overcloud_inventory_path }}/group_vars"
|
|
- "{{ kolla_node_custom_config_path }}"
|
|
|
|
- name: Ensure the Kolla global configuration file exists
|
|
template:
|
|
src: "globals.yml.j2"
|
|
dest: "{{ kolla_config_path }}/globals.yml"
|
|
mode: 0640
|
|
vars:
|
|
kolla_docker_custom_config: "{{ lookup('template', 'daemon.json.j2') }}"
|
|
|
|
- name: Ensure the Kolla seed inventory file exists
|
|
copy:
|
|
content: "{{ kolla_seed_inventory }}"
|
|
dest: "{{ kolla_seed_inventory_path }}/hosts"
|
|
mode: 0640
|
|
|
|
- name: Ensure the Kolla seed host vars files exist
|
|
template:
|
|
src: host-vars.j2
|
|
dest: "{{ kolla_seed_inventory_path }}/host_vars/{{ host }}"
|
|
mode: 0640
|
|
with_inventory_hostnames: "seed"
|
|
vars:
|
|
host_vars: "{{ kolla_seed_inventory_pass_through_host_vars }}"
|
|
host_vars_map: "{{ kolla_seed_inventory_pass_through_host_vars_map }}"
|
|
loop_control:
|
|
loop_var: host
|
|
|
|
- name: Ensure the Kolla overcloud inventory file exists
|
|
copy:
|
|
content: "{{ kolla_overcloud_inventory }}"
|
|
dest: "{{ kolla_overcloud_inventory_path }}/hosts"
|
|
mode: 0640
|
|
|
|
- name: Look for custom Kolla overcloud group vars
|
|
stat:
|
|
path: "{{ kolla_overcloud_group_vars_path }}"
|
|
register: kolla_ansible_custom_overcloud_group_vars
|
|
|
|
- name: Copy over custom Kolla overcloud group vars
|
|
copy:
|
|
src: "{{ kolla_overcloud_group_vars_path }}"
|
|
dest: "{{ kolla_overcloud_inventory_path }}/"
|
|
when: kolla_ansible_custom_overcloud_group_vars.stat.exists
|
|
|
|
- name: Ensure the Kolla overcloud host vars files exist
|
|
template:
|
|
src: host-vars.j2
|
|
dest: "{{ kolla_overcloud_inventory_path }}/host_vars/{{ host }}"
|
|
mode: 0640
|
|
with_inventory_hostnames: "{{ kolla_overcloud_top_level_groups }}"
|
|
vars:
|
|
host_vars: "{{ kolla_overcloud_inventory_pass_through_host_vars }}"
|
|
host_vars_map: "{{ kolla_overcloud_inventory_pass_through_host_vars_map }}"
|
|
loop_control:
|
|
loop_var: host
|
|
|
|
- name: Ensure the Kolla passwords file exists
|
|
vars:
|
|
# NOTE(mgoddard): Use the Python interpreter used to run ansible-playbook,
|
|
# since this has Python dependencies available to it (PyYAML). On CentOS 7
|
|
# we use the system Python to ensure that we can import SELinux bindings.
|
|
ansible_python_interpreter: >-
|
|
{{ '/usr/libexec/platform-python'
|
|
if ansible_os_family == 'RedHat' and ansible_distribution_major_version | int == 7
|
|
else ansible_playbook_python }}
|
|
kolla_passwords:
|
|
src: "{{ kolla_ansible_passwords_path }}"
|
|
dest: "{{ kolla_ansible_passwords_path }}"
|
|
mode: 0640
|
|
sample: "{{ kolla_ansible_install_dir }}/etc_examples/kolla/passwords.yml"
|
|
overrides: "{{ kolla_ansible_custom_passwords }}"
|
|
vault_password: "{{ kolla_ansible_vault_password }}"
|
|
virtualenv: "{{ kolla_ansible_venv or omit }}"
|
|
|
|
- name: Ensure the Kolla passwords file is copied into place
|
|
copy:
|
|
src: "{{ kolla_ansible_passwords_path }}"
|
|
dest: "{{ kolla_config_path }}/passwords.yml"
|
|
remote_src: True
|
|
|
|
- block:
|
|
- name: Ensure external HAProxy TLS directory exists
|
|
file:
|
|
path: "{{ kolla_external_fqdn_cert | dirname }}"
|
|
state: directory
|
|
recurse: yes
|
|
|
|
- name: Ensure the external HAProxy TLS certificate bundle is copied into place
|
|
copy:
|
|
content: "{{ kolla_external_tls_cert }}"
|
|
dest: "{{ kolla_external_fqdn_cert }}"
|
|
when:
|
|
- kolla_external_tls_cert is not none
|
|
- kolla_external_tls_cert | length > 0
|
|
|
|
- block:
|
|
- name: Ensure internal HAProxy TLS directory exists
|
|
file:
|
|
path: "{{ kolla_internal_fqdn_cert | dirname }}"
|
|
state: directory
|
|
recurse: yes
|
|
|
|
- name: Ensure the internal HAProxy TLS certificate bundle is copied into place
|
|
copy:
|
|
content: "{{ kolla_internal_tls_cert }}"
|
|
dest: "{{ kolla_internal_fqdn_cert }}"
|
|
when:
|
|
- kolla_internal_tls_cert is not none
|
|
- kolla_internal_tls_cert | length > 0
|
|
|
|
# Copy across all certificates in $KAYOBE_CONFIG_PATH/kolla/certificates.
|
|
|
|
- name: Find certificates
|
|
find:
|
|
path: "{{ kolla_ansible_certificates_path }}"
|
|
recurse: true
|
|
register: find_src_result
|
|
|
|
- name: Find previously copied certificates
|
|
find:
|
|
path: "{{ kolla_config_path }}/certificates"
|
|
recurse: true
|
|
register: find_dest_result
|
|
|
|
- name: Ensure certificates exist
|
|
copy:
|
|
src: "{{ kolla_ansible_certificates_path }}/"
|
|
dest: "{{ kolla_config_path }}/certificates"
|
|
mode: 0600
|
|
# If certificates are encrypted, don't decrypt them at the destination.
|
|
decrypt: false
|
|
when: find_src_result.files | length > 0
|
|
|
|
- name: Ensure unnecessary certificates are absent
|
|
file:
|
|
path: "{{ item.path }}"
|
|
state: absent
|
|
with_items: "{{ find_dest_result.files }}"
|
|
when:
|
|
- item.path | relpath(kolla_config_path ~ '/certificates/') not in src_files
|
|
- item.path != kolla_external_fqdn_cert
|
|
- item.path != kolla_internal_fqdn_cert
|
|
vars:
|
|
# Find the list of files in the source.
|
|
src_files: >-
|
|
{{ find_src_result.files |
|
|
map(attribute='path') |
|
|
map('relpath', kolla_ansible_certificates_path) |
|
|
list }}
|
|
loop_control:
|
|
label: "{{ item.path }}"
|