Merge pull request #206 from stackhpc/upstream/zed-2023-11-20

Synchronise zed with upstream
stackhpc · Nov 20, 2023 · 79a3084 · 79a3084
2 parents 228d6d0 + 22307eb
commit 79a3084
Show file tree

Hide file tree

Showing 14 changed files with 137 additions and 57 deletions.
diff --git a/ansible/inventory/group_vars/all/kolla b/ansible/inventory/group_vars/all/kolla
@@ -593,9 +593,15 @@ kolla_ansible_default_custom_passwords: >-
              if compute_libvirt_enabled | bool and compute_libvirt_enable_sasl | bool
              else {}) }}
 
+# Dictionary containing extra custom passwords to add or override in the Kolla
+# passwords file.
+kolla_ansible_extra_custom_passwords: {}
+
 # Dictionary containing custom passwords to add or override in the Kolla
 # passwords file.
-kolla_ansible_custom_passwords: "{{ kolla_ansible_default_custom_passwords }}"
+kolla_ansible_custom_passwords: >-
+  {{ kolla_ansible_default_custom_passwords |
+     combine(kolla_ansible_extra_custom_passwords) }}
 
 ###############################################################################
 # OpenStack API addresses.
@@ -632,7 +638,7 @@ kolla_external_tls_cert:
 # Path to a CA certificate file to use for the OS_CACERT environment variable
 # in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
 # default.
-kolla_external_fqdn_cacert:
+kolla_public_openrc_cacert: "{{ kolla_external_fqdn_cacert | default }}"
 
 # Internal API certificate bundle.
 #
@@ -645,7 +651,7 @@ kolla_internal_tls_cert:
 # Path to a CA certificate file to use for the OS_CACERT environment variable
 # in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
 # default.
-kolla_internal_fqdn_cacert:
+kolla_admin_openrc_cacert: "{{ kolla_internal_fqdn_cacert | default }}"
 
 ###############################################################################
 # Proxy configuration

diff --git a/ansible/kolla-ansible.yml b/ansible/kolla-ansible.yml
@@ -91,13 +91,6 @@
         kolla_ansible_passwords_path: "{{ kayobe_env_config_path }}/kolla/passwords.yml"
         kolla_overcloud_group_vars_path: "{{ kayobe_env_config_path }}/kolla/inventory/group_vars"
         kolla_ansible_certificates_path: "{{ kayobe_env_config_path }}/kolla/certificates"
-        # NOTE: This differs from the default SELinux mode in kolla ansible,
-        # which is permissive. The justification for using this mode is twofold:
-        # 1. it avoids filling up the audit log
-        # 2. it avoids an issue seen when using diskimage-builder in the bifrost
-        # container.
-        # We could look at making the SELinux mode configurable in future.
-        kolla_selinux_state: disabled
         kolla_inspector_dhcp_pool_start: "{{ inspection_net_name | net_inspection_allocation_pool_start }}"
         kolla_inspector_dhcp_pool_end: "{{ inspection_net_name | net_inspection_allocation_pool_end }}"
         kolla_inspector_netmask: "{{ inspection_net_name | net_mask }}"

diff --git a/ansible/roles/kolla-ansible/defaults/main.yml b/ansible/roles/kolla-ansible/defaults/main.yml
@@ -165,8 +165,8 @@ kolla_enable_tls_external:
 kolla_enable_tls_internal:
 kolla_external_fqdn_cert:
 kolla_internal_fqdn_cert:
-kolla_external_fqdn_cacert:
-kolla_internal_fqdn_cacert:
+kolla_public_openrc_cacert:
+kolla_admin_openrc_cacert:
 
 #############################
 # Ironic options
@@ -274,12 +274,6 @@ kolla_ansible_custom_passwords: {}
 kolla_external_tls_cert:
 kolla_internal_tls_cert:
 
-###############################################################################
-# SELinux
-
-# Desired SELinux state.
-kolla_selinux_state:
-
 ###############################################################################
 # NTP
 

diff --git a/ansible/roles/kolla-ansible/templates/kolla/globals.yml b/ansible/roles/kolla-ansible/templates/kolla/globals.yml
@@ -206,8 +206,7 @@ kolla_external_fqdn_cert: "{{ kolla_external_fqdn_cert }}"
 {% if kolla_internal_tls_cert is not none and kolla_internal_tls_cert | length > 0 %}
 kolla_internal_fqdn_cert: "{{ kolla_internal_fqdn_cert }}"
 {% endif %}
-kolla_external_fqdn_cacert: "{{ kolla_external_fqdn_cacert }}"
-kolla_internal_fqdn_cacert: "{{ kolla_internal_fqdn_cacert }}"
+kolla_admin_openrc_cacert: "{{ kolla_admin_openrc_cacert }}"
 
 ################
 # Region options
@@ -539,9 +538,9 @@ grafana_admin_username: "{{ grafana_local_admin_user_name }}"
 # Bootstrap-servers - Host Configuration
 #########################################
 
-{% if kolla_selinux_state is not none %}
-selinux_state: {{ kolla_selinux_state }}
-{% endif %}
+# Kayobe performs configuration of SELinux, so there is no need for Kolla
+# Ansible to repeat this.
+change_selinux: false
 
 {% if kolla_enable_host_ntp is not none %}
 enable_host_ntp: {{ kolla_enable_host_ntp | bool }}

diff --git a/ansible/roles/kolla-ansible/tests/test-extras.yml b/ansible/roles/kolla-ansible/tests/test-extras.yml
@@ -121,6 +121,7 @@
             kolla_internal_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/internal.pem"
             kolla_internal_tls_cert: |
               bogus internal certificate
+            kolla_admin_openrc_cacert: "{{ temp_path }}/etc/kolla/certificates/ca/foo.crt"
             kolla_openstack_logging_debug: True
             grafana_local_admin_user_name: "grafana-admin"
             kolla_inspector_dhcp_pool_start: "1.2.3.4"
@@ -240,6 +241,7 @@
               kolla_external_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/external.pem"
               kolla_enable_tls_internal: True
               kolla_internal_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/internal.pem"
+              kolla_admin_openrc_cacert: "{{ temp_path }}/etc/kolla/certificates/ca/foo.crt"
               openstack_logging_debug: True
               grafana_admin_username: "grafana-admin"
               ironic_dnsmasq_dhcp_ranges:

diff --git a/ansible/roles/public-openrc/templates/public-openrc.sh.j2 b/ansible/roles/public-openrc/templates/public-openrc.sh.j2
@@ -11,8 +11,8 @@ export OS_ENDPOINT_TYPE=publicURL
 export OS_MANILA_ENDPOINT_TYPE=publicURL
 {% elif "export OS_MISTRAL_ENDPOINT_TYPE" in line %}
 export OS_MISTRAL_ENDPOINT_TYPE=publicURL
-{% elif "export OS_CACERT" in line and kolla_external_fqdn_cacert is not none %}
-export OS_CACERT={{ kolla_external_fqdn_cacert }}
+{% elif "export OS_CACERT" in line and kolla_public_openrc_cacert is not none %}
+export OS_CACERT={{ kolla_public_openrc_cacert }}
 {% else %}
 {{ line }}
 {% endif %}

diff --git a/doc/source/configuration/reference/kolla-ansible.rst b/doc/source/configuration/reference/kolla-ansible.rst
@@ -268,10 +268,6 @@ The following variables affect TLS encryption of the public API.
     A TLS certificate bundle to use for the public API endpoints, if
     ``kolla_enable_tls_external`` is ``true``.  Note that this should be
     formatted as a literal style block scalar.
-``kolla_external_fqdn_cacert``
-    Path to a CA certificate file to use for the ``OS_CACERT`` environment
-    variable in openrc files when TLS is enabled, instead of Kolla Ansible's
-    default.
 
 The following variables affect TLS encryption of the internal API. Currently
 this requires all Kolla images to be built with the API's root CA trusted.
@@ -282,10 +278,18 @@ this requires all Kolla images to be built with the API's root CA trusted.
     A TLS certificate bundle to use for the internal API endpoints, if
     ``kolla_enable_tls_internal`` is ``true``.  Note that this should be
     formatted as a literal style block scalar.
-``kolla_internal_fqdn_cacert``
+
+The following variables affect the generated ``admin-openrc.sh`` and
+``public-openrc.sh`` environment files.
+
+``kolla_public_openrc_cacert``
+    Path to a CA certificate file to use for the ``OS_CACERT`` environment
+    variable in the ``public-openrc.sh`` file when TLS is enabled, instead of
+    ``kolla_admin_openrc_cacert``.
+``kolla_admin_openrc_cacert``
     Path to a CA certificate file to use for the ``OS_CACERT`` environment
-    variable in openrc files when TLS is enabled, instead of Kolla Ansible's
-    default.
+    variable in the ``admin-openrc.sh`` and ``public-openrc.sh`` files when TLS
+    is enabled, instead of Kolla Ansible's default.
 
 Example: enabling TLS for the public API
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -302,7 +306,7 @@ Here is an example:
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
-   kolla_external_fqdn_cacert: /path/to/ca/certificate/bundle
+   kolla_admin_openrc_cacert: /path/to/ca/certificate/bundle
 
 Example: enabling TLS for the internal API
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -319,7 +323,7 @@ Here is an example:
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
-   kolla_internal_fqdn_cacert: /path/to/ca/certificate/bundle
+   kolla_admin_openrc_cacert: /path/to/ca/certificate/bundle
 
 Other certificates
 ------------------
@@ -578,27 +582,35 @@ variable, if present. The file is generated to
 ``$KAYOBE_CONFIG_PATH/kolla/passwords.yml``, and should be stored along with
 other Kayobe configuration files. This file should not be manually modified.
 
-``kolla_ansible_custom_passwords``
-    Dictionary containing custom passwords to add or override in the Kolla
-    passwords file. Default is ``{{ kolla_ansible_default_custom_passwords
-    }}``, which contains SSH keys for use by Kolla Ansible and Bifrost.
-
 Configuring Custom Passwords
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-In order to write additional passwords to ``passwords.yml``, set the kayobe
-variable ``kolla_ansible_custom_passwords`` in
-``$KAYOBE_CONFIG_PATH/kolla.yml``.
+The following variables are used to configure custom passwords:
+
+* ``kolla_ansible_default_custom_passwords``: Dictionary containing default
+  custom passwords, required by Kolla Ansible. Contains SSH keys authorized by
+  kolla user on Kolla hosts, SSH keys authorized in hosts deployed by Bifrost,
+  Docker Registry password and compute libVirt custom passwords.
+* ``kolla_ansible_extra_custom_passwords``: Dictionary containing extra custom
+  passwords to add or override in the Kolla passwords file. Default is an empty
+  dictionary.
+* ``kolla_ansible_custom_passwords``: Dictionary containing custom passwords to
+  add or override in the Kolla passwords file. Default is the combination of
+  the ``kolla_ansible_default_custom_passwords`` and
+  ``kolla_ansible_extra_custom_passwords``.
+
+In this example we add our own ``my_custom_password`` and override
+``keystone_admin_password``:
 
 .. code-block:: yaml
    :caption: ``$KAYOBE_CONFIG_PATH/kolla.yml``
 
    ---
-   # Dictionary containing custom passwords to add or override in the Kolla
-   # passwords file.
-   kolla_ansible_custom_passwords: >
-     {{ kolla_ansible_default_custom_passwords |
-        combine({'my_custom_password': 'correcthorsebatterystaple'}) }}
+   # Dictionary containing extra custom passwords to add or override in the
+   # Kolla passwords file.
+   kolla_ansible_extra_custom_passwords:
+     my_custom_password: 'correcthorsebatterystaple'
+     keystone_admin_password: 'superduperstrongpassword'
 
 Control Plane Services
 ======================

diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml
@@ -441,6 +441,10 @@
 # Kolla passwords file.
 #kolla_ansible_default_custom_passwords:
 
+# Dictionary containing extra custom passwords to add or override in the Kolla
+# passwords file.
+#kolla_ansible_extra_custom_passwords:
+
 # Dictionary containing custom passwords to add or override in the Kolla
 # passwords file.
 #kolla_ansible_custom_passwords:
@@ -480,7 +484,7 @@
 # Path to a CA certificate file to use for the OS_CACERT environment variable
 # in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
 # default.
-#kolla_external_fqdn_cacert:
+#kolla_public_openrc_cacert:
 
 # Internal API certificate bundle.
 #
@@ -493,7 +497,7 @@
 # Path to a CA certificate file to use for the OS_CACERT environment variable
 # in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
 # default.
-#kolla_internal_fqdn_cacert:
+#kolla_admin_openrc_cacert:
 
 ###############################################################################
 # Proxy configuration

diff --git a/kayobe/cli/commands.py b/kayobe/cli/commands.py
@@ -105,15 +105,15 @@ def generate_kolla_ansible_config(self, parsed_args, install=False,
         tags = None if install else "config"
         playbooks = _build_playbook_list("kolla-ansible")
         self.run_kayobe_playbooks(parsed_args, playbooks, tags=tags,
-                                  ignore_limit=True)
+                                  ignore_limit=True, check=False)
         if service_config:
             playbooks = _build_playbook_list("kolla-openstack")
             self.run_kayobe_playbooks(parsed_args, playbooks,
-                                      ignore_limit=True)
+                                      ignore_limit=True, check=False)
         if bifrost_config:
             playbooks = _build_playbook_list("kolla-bifrost")
             self.run_kayobe_playbooks(parsed_args, playbooks,
-                                      ignore_limit=True)
+                                      ignore_limit=True, check=False)
 
 
 class KollaAnsibleMixin(object):
@@ -261,7 +261,7 @@ def take_action(self, parsed_args):
             ka_tags = "install"
         playbooks = _build_playbook_list("kolla-ansible")
         self.run_kayobe_playbooks(parsed_args, playbooks, tags=ka_tags,
-                                  ignore_limit=True)
+                                  ignore_limit=True, check=False)
 
         if passwords_exist:
             # If we are bootstrapping a control host for an existing
@@ -301,7 +301,7 @@ def take_action(self, parsed_args):
         self.run_kayobe_playbooks(parsed_args, playbooks, ignore_limit=True)
         playbooks = _build_playbook_list("kolla-ansible")
         self.run_kayobe_playbooks(parsed_args, playbooks, tags="install",
-                                  ignore_limit=True)
+                                  ignore_limit=True, check=False)
 
 
 class ConfigurationDump(KayobeAnsibleMixin, VaultMixin, Command):