Merge "Add support for encrypting etcd service"
commit
ef38c505f8
@ -266,7 +266,8 @@ elasticsearch_port: "9200"
|
|||||||
|
|
||||||
etcd_client_port: "2379"
|
etcd_client_port: "2379"
|
||||||
etcd_peer_port: "2380"
|
etcd_peer_port: "2380"
|
||||||
etcd_protocol: "http"
|
etcd_enable_tls: "{{ kolla_enable_tls_backend }}"
|
||||||
|
etcd_protocol: "{{ 'https' if etcd_enable_tls | bool else 'http' }}"
|
||||||
|
|
||||||
fluentd_syslog_port: "5140"
|
fluentd_syslog_port: "5140"
|
||||||
|
|
||||||
|
@ -18,6 +18,10 @@ etcd_services:
|
|||||||
ETCD_INITIAL_CLUSTER_STATE: "new"
|
ETCD_INITIAL_CLUSTER_STATE: "new"
|
||||||
ETCD_OUT_FILE: "/var/log/kolla/etcd/etcd.log"
|
ETCD_OUT_FILE: "/var/log/kolla/etcd/etcd.log"
|
||||||
KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}"
|
KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}"
|
||||||
|
ETCD_CERT_FILE: "{% if etcd_enable_tls | bool %}/etc/etcd/certs/etcd-cert.pem{% endif %}"
|
||||||
|
ETCD_KEY_FILE: "{% if etcd_enable_tls | bool %}/etc/etcd/certs/etcd-key.pem{% endif %}"
|
||||||
|
ETCD_PEER_CERT_FILE: "{% if etcd_enable_tls | bool %}/etc/etcd/certs/etcd-cert.pem{% endif %}"
|
||||||
|
ETCD_PEER_KEY_FILE: "{% if etcd_enable_tls | bool %}/etc/etcd/certs/etcd-key.pem{% endif %}"
|
||||||
image: "{{ etcd_image_full }}"
|
image: "{{ etcd_image_full }}"
|
||||||
volumes: "{{ etcd_default_volumes + etcd_extra_volumes }}"
|
volumes: "{{ etcd_default_volumes + etcd_extra_volumes }}"
|
||||||
dimensions: "{{ etcd_dimensions }}"
|
dimensions: "{{ etcd_dimensions }}"
|
||||||
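Review bot: The new ETCD_CERT_FILE/ETCD_KEY_FILE and ETCD_PEER_CERT_FILE/ETCD_PEER_KEY_FILE entries turn on encryption, but nothing in this hunk points etcd at a trusted CA, so unless it is set elsewhere in `etcd_services` (the mapping starts above the hunk) peer and client connections are encrypted without the remote side being authenticated. etcd takes this from `ETCD_TRUSTED_CA_FILE`, `ETCD_PEER_TRUSTED_CA_FILE` and `ETCD_PEER_CLIENT_CERT_AUTH`; consider adding `ETCD_PEER_TRUSTED_CA_FILE: "{% if etcd_enable_tls | bool %}<PATH-TO-CA-BUNDLE>{% endif %}"` and `ETCD_PEER_CLIENT_CERT_AUTH: "{% if etcd_enable_tls | bool %}true{% endif %}"` next to the peer entries, or a comment stating that peer authentication is deliberately left to a follow-up. The same certificate is reused for the client and peer listeners, so it must carry a SAN for the peer address as well; a one-line comment above ETCD_PEER_CERT_FILE saying so would save operators a failed cluster join.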
|
@ -25,5 +25,9 @@
|
|||||||
notify:
|
notify:
|
||||||
- Restart {{ item.key }} container
|
- Restart {{ item.key }} container
|
||||||
|
|
||||||
|
- include_tasks: copy-certs.yml
|
||||||
|
when:
|
||||||
|
- etcd_enable_tls | bool
|
||||||
|
|
||||||
- include_tasks: check-containers.yml
|
- include_tasks: check-containers.yml
|
||||||
when: kolla_action != "config"
|
when: kolla_action != "config"
|
||||||
|
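Review bot: Gating the include on `etcd_enable_tls` means the "Copying over extra CA certificates" task inside copy-certs.yml, which is itself gated only on `kolla_copy_ca_into_containers`, never runs when etcd TLS is off, even though the operator asked for the CA bundle to be copied. The cert and key tasks in that file already carry their own `when: etcd_enable_tls | bool`, so the outer condition is redundant for them and only affects the CA task; if that is unintended, drop the `when:` here and leave `- include_tasks: copy-certs.yml` unconditional. If skipping the CA copy without TLS is deliberate, a short comment above the include would make that explicit.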
50
ansible/roles/etcd/tasks/copy-certs.yml
Normal file
50
ansible/roles/etcd/tasks/copy-certs.yml
Normal file
@ -0,0 +1,50 @@
|
|||||||
|
---
|
||||||
|
- name: "{{ project_name }} | Copying over extra CA certificates"
|
||||||
|
become: true
|
||||||
|
copy:
|
||||||
|
src: "{{ kolla_certificates_dir }}/ca/"
|
||||||
|
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
|
||||||
|
mode: "0644"
|
||||||
|
when:
|
||||||
|
- kolla_copy_ca_into_containers | bool
|
||||||
|
with_dict: "{{ etcd_services | select_services_enabled_and_mapped_to_host }}"
|
||||||
|
notify:
|
||||||
|
- "Restart {{ item.key }} container"
|
||||||
|
|
||||||
|
- name: "{{ project_name }} | Copying over etcd TLS certificate"
|
||||||
|
vars:
|
||||||
|
certs:
|
||||||
|
- "{{ kolla_certificates_dir }}/{{ inventory_hostname }}/{{ project_name }}-cert.pem"
|
||||||
|
- "{{ kolla_certificates_dir }}/{{ inventory_hostname }}-cert.pem"
|
||||||
|
- "{{ kolla_certificates_dir }}/{{ project_name }}-cert.pem"
|
||||||
|
- "{{ kolla_tls_backend_cert }}"
|
||||||
|
backend_tls_cert: "{{ lookup('first_found', certs) }}"
|
||||||
|
copy:
|
||||||
|
src: "{{ backend_tls_cert }}"
|
||||||
|
dest: "{{ node_config_directory }}/{{ item.key }}/{{ project_name }}-cert.pem"
|
||||||
|
mode: "0644"
|
||||||
|
become: true
|
||||||
|
with_dict: "{{ etcd_services | select_services_enabled_and_mapped_to_host }}"
|
||||||
|
notify:
|
||||||
|
- "Restart {{ item.key }} container"
|
||||||
|
when:
|
||||||
|
- etcd_enable_tls | bool
|
||||||
|
|
||||||
|
- name: "{{ project_name }} | Copying over etcd TLS key"
|
||||||
|
vars:
|
||||||
|
keys:
|
||||||
|
- "{{ kolla_certificates_dir }}/{{ inventory_hostname }}/{{ project_name }}-key.pem"
|
||||||
|
- "{{ kolla_certificates_dir }}/{{ inventory_hostname }}-key.pem"
|
||||||
|
- "{{ kolla_certificates_dir }}/{{ project_name }}-key.pem"
|
||||||
|
- "{{ kolla_tls_backend_key }}"
|
||||||
|
backend_tls_key: "{{ lookup('first_found', keys) }}"
|
||||||
|
copy:
|
||||||
|
src: "{{ backend_tls_key }}"
|
||||||
|
dest: "{{ node_config_directory }}/{{ item.key }}/{{ project_name }}-key.pem"
|
||||||
|
mode: "0600"
|
||||||
|
become: true
|
||||||
|
with_dict: "{{ etcd_services | select_services_enabled_and_mapped_to_host }}"
|
||||||
|
notify:
|
||||||
|
- "Restart {{ item.key }} container"
|
||||||
|
when:
|
||||||
|
- etcd_enable_tls | bool
|
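Review bot: `become: true` sits above `copy:` in the first task but below it in the certificate and key tasks; keeping one placement across the three tasks makes the file easier to scan for privilege use. The modes are right (`0644` for the certificate, `0600` for the key), and `lookup('first_found', ...)` fails the play when none of the candidates exist, which is the desired fail-closed behaviour, but that is worth stating in a comment above each `vars:` block so an operator who hits the error knows which paths were searched. Consider also a one-line header comment noting that the search order is host-specific cert, host cert, project cert, then the shared `kolla_tls_backend_cert`/`kolla_tls_backend_key`.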
@ -1,3 +1,18 @@
|
|||||||
{
|
{
|
||||||
"command": "etcd"
|
"command": "etcd",
|
||||||
|
"config_files": [
|
||||||
|
{% if etcd_enable_tls | bool %}
|
||||||
|
{
|
||||||
|
"source": "{{ container_config_directory }}/etcd-cert.pem",
|
||||||
|
"dest": "/etc/etcd/certs/etcd-cert.pem",
|
||||||
|
"owner": "etcd",
|
||||||
|
"perm": "0600"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"source": "{{ container_config_directory }}/etcd-key.pem",
|
||||||
|
"dest": "/etc/etcd/certs/etcd-key.pem",
|
||||||
|
"owner": "etcd",
|
||||||
|
"perm": "0600"
|
||||||
|
}{% endif %}
|
||||||
|
]
|
||||||
}
|
}
|
||||||
|
6
releasenotes/notes/add-tls-etcd-cd2bd09cd69053be.yaml
Normal file
6
releasenotes/notes/add-tls-etcd-cd2bd09cd69053be.yaml
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Add "etcd_enable_tls" configuration parameter which can be used to enable
|
||||||
|
TLS encryption for the etcd service. The default value of
|
||||||
|
"etcd_enable_tls" is set by the value of "kolla_enable_tls_backend".
|