11397 Commits

Author SHA1 Message Date
Zuul
e17cf01f82 Merge "Support customizing prometheus.cfg files" 2020-05-13 14:31:49 +00:00
Zuul
e2b25023d9 Merge "Add extend_lists option to merge_yaml" 2020-05-13 14:31:47 +00:00
James Kirsch
2e08ffd6d3 Add support for encrypting Barbican API
This patch introduces an optional backend encryption for the Barbican
API service. When used in conjunction with enabling TLS for service API
endpoints, network communication will be encrypted end to end, from
client through HAProxy to the Barbican service.

Change-Id: I62a43b36ebe4a03230bf944980b45e4b6938871b
Partially-Implements: blueprint add-ssl-internal-network
2020-05-13 10:26:09 +00:00
Ghanshyam Mann
7bb397a8eb Fix hacking min version to 3.0.1
flake8 new release 3.8.0 added new checks and the gate pep8
job started failing. hacking 3.0.1 fixes the pinning of flake8 to
avoid bringing in a new version with new checks.

Though it is fixed in the latest hacking, 2.0 and 3.0 have a cap for
flake8 as <4.0.0, which means the new flake8 version 3.9.0 can also
break the pep8 job if new checks are added.

To avoid a similar gate break in the future, we need to bump the hacking min
version.

- http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014828.html

Change-Id: I4b11eaad9eac9985342a00e583f16e379a2ad04a
2020-05-12 19:26:30 -05:00
Zuul
c3a4f78d14 Merge "Stop mocking ansible modules globally" 2020-05-12 21:31:13 +00:00
Michal Nasiadka
2128075c6e Ansible lint related fixes
Change-Id: I146ea3d84efb83ec5d7405644ad372e57ecafc1e
2020-05-12 17:39:07 +00:00
Zuul
e53b3e69eb Merge "CI: Blacklist Ansible 2.9.8" 2020-05-12 15:44:43 +00:00
Mark Goddard
100f92563f CI: Blacklist Ansible 2.9.8
Ansible 2.9.8 includes a regression on the fileglob plugin [1] that
causes the HAProxy role to fail.

This change blacklists Ansible 2.9.8 to work around the issue.

[1] https://github.com/ansible/ansible/issues/69450

Change-Id: I12ca3b154fc7fed6a221880596e0acb5f6278bb7
Related-Bug: #1878192
2020-05-12 11:55:44 +00:00
Zuul
12ac15b5f7 Merge "Use FQDN to communicate with Kibana and Elasticsearch" 2020-05-11 20:18:53 +00:00
Zuul
5c193cbe95 Merge "Fixes Gnocchi & external Ceph integration" 2020-05-11 15:31:21 +00:00
Will Szumski
d05578f59f Add extras directory to prometheus config
This provides a generic mechanism to include extra files
that you can reference in prometheus.yml, for example:

scrape_targets:
  - job_name: ipmi
    params:
      module: default
    scrape_interval: 1m
    scrape_timeout: 30s
    metrics_path: /ipmi
    scheme: http
    file_sd_configs:
    - files:
      - /etc/prometheus/extras/file_sd/ipmi-exporter-targets.yml
      refresh_interval: 5m

Change-Id: Ie2f085204b71725b901a179ee51541f1f383c6fa
Related: blueprint custom-prometheus-targets
2020-05-11 13:47:12 +01:00
Will Szumski
956a29f83a Support customizing prometheus.cfg files
This provides a mechanism to scrape targets defined outside of kolla-ansible.

Depends-On: https://review.opendev.org/#/c/685671/
Change-Id: I0950341b147bb374b4128f09f807ef5a756f5dfa
Related: blueprint custom-prometheus-targets
2020-05-11 13:47:12 +01:00
Will Szumski
69a6acf7a8 Add extend_lists option to merge_yaml
This allows you to extend lists in yaml config. This is useful, for
example, in prometheus.yml, where it would be nice to be able to
extend the scrape_configs to include exporters that aren't packaged
with kolla-ansible. This would provide a mechanism to do so.

Change-Id: I7a10e363f42e8ffaae3c0d2c2a758853e2cab7e1
Related: blueprint custom-prometheus-targets
2020-05-11 13:47:12 +01:00
Will Szumski
4fcbdd7740 Stop mocking ansible modules globally
This causes non-local side effects that are hard to track down. E.g:

--- import errors ---
Failed to import test module: tests.test_merge_yaml
Traceback (most recent call last):
  File "/home/will/.pyenv/versions/3.7.7/lib/python3.7/unittest/loader.py", line 436, in _find_test_path
    module = self._get_module_from_name(name)
  File "/home/will/.pyenv/versions/3.7.7/lib/python3.7/unittest/loader.py", line 377, in _get_module_from_name
    __import__(name)
  File "/home/will/code/kolla-ansible/tests/test_merge_yaml.py", line 19, in <module>
    from ansible.errors import AnsibleModuleError
ModuleNotFoundError: No module named 'ansible.errors'; 'ansible' is not a package

This `'ansible' is not a package` message occurs because ansible is a Mock.

Depends-On: https://review.opendev.org/#/c/726768/
Change-Id: Iddbdd3d855daadbf12536cc990559e6b8e123051
2020-05-11 13:47:12 +01:00
Zuul
9768c266fd Merge "Add release note for CloudKitty configuration fixes" 2020-05-11 12:28:47 +00:00
Mark Goddard
82c5c1c75f Fixes Gnocchi & external Ceph integration
The removal of Kolla Ceph deploy [1] broke gnocchi & external Ceph
integration - the variable gnocchi_pool_name is referenced in the config
template, but should now be ceph_gnocchi_pool_name.

This change fixes the issue.

Reported by Nick Wilson.

[1] https://review.opendev.org/#/c/704309/12/ansible/roles/gnocchi/defaults/main.yml

Change-Id: I7089781c0c4d7bce8a44cb8b1fca847dd0b7efd1
Closes-Bug: #1877974
2020-05-11 10:23:58 +01:00
Zuul
a5c1d36626 Merge "Make nova perms consistent between applications" 2020-05-11 08:29:26 +00:00
Fabian Zimmermann
5dfc270a62 multipath requires udev-rules in host
install sg3-utils-udev if multipath is enabled, else SCSI_IDENT*
vars are missing in udev.

Closes-Bug: 1877509
Change-Id: Ib205f3cdb775c9cfa719325f702f4fad196d346b
2020-05-08 08:32:47 +02:00
Zuul
a44bba845f Merge "Update Advanced Config guide to clarify paths" 2020-05-07 11:41:54 +00:00
Radosław Piliszek
93c9ad892c Make nova perms consistent between applications
Nova cells support introduced a slight regression that triggers
odd behaviour when we tried switching to Apache (httpd) [1].
Bootstrap no longer applied permissions recursively to all log
files, creating a discrepancy between normal and bootstrap runs
and also Nova and other services such as Cinder (regarding
bootstrap logging).

This patch fixes it.

Backport to Train.

Not creating reno nor a bug record because it does not affect
any current standard usage in any currently known way.

Note this only really hides (standardizes?) the global issue that
we don't control file permissions on newly created files too well.

[1] https://review.opendev.org/724793

Change-Id: I35e9924ccede5edd2e1307043379aba944725143
Needed-By: https://review.opendev.org/724793
2020-05-06 18:36:10 +00:00
Pierre Riteau
4503bf2419 Add release note for CloudKitty configuration fixes
This note refers to configuration changes done in
I626dc7afe9eabfbeb6c08137a3e6bbeebde2b332.

Change-Id: I75a37b9d3b28964f353977baa3a9f49fc424d866
Closes-Bug: #1876985
2020-05-05 22:53:30 +02:00
generalfuzz
f165b81e2a Use FQDN to communicate with Kibana and Elasticsearch
Switch URL composition from using VIP to FQDN to connect with Kibana and
Elasticsearch services.

Change-Id: I5d559ead1d6d5e928e76bb685e0f730868fd7b89
Closes-Bug: #1862419
2020-05-05 09:55:50 -07:00
Mark Goddard
a87780cb96 Use FQDN for elasticsearch
This was addressed in I21689e22870c2f6206e37c60a3c33e19140f77ff but
accidentally reverted in I4f74bfe07d4b7ca18953b11e767cf0bb94dfd67e.

Change-Id: Id5fc458b0ca54bddfe9a43cb315dbcfeb2142395
2020-05-05 16:31:26 +00:00
Radosław Piliszek
7d73246fe7 OVN IPv6
Fixes:
- SB/NB DB address format (single host) for SB/NB DB daemon
- SB/NB DB address format (all hosts) for Neutron / northd /
  ovn-ovs bootstrap
- OVN tests

Change-Id: I539773c48f89b731d068280c228ce11782bf5788
Closes-Bug: #1875222
2020-05-01 18:03:14 +02:00
Zuul
bc22925906 Merge "Add support for encrypting Horizon and Placement API" 2020-05-01 09:05:56 +00:00
Zuul
76b6cf9f6d Merge "Add support for encrypting Glance api" 2020-04-30 21:16:13 +00:00
James Kirsch
e3d5a91a90 Add support for encrypting Horizon and Placement API
This patch introduces an optional backend encryption for Horizon and
Placement services. When used in conjunction with enabling TLS for
service API endpoints, network communication will be encrypted end to
end, from client through HAProxy to the Horizon and Placement services.

Change-Id: I9cb274141c95aea20e733baa623da071b30acf2d
Partially-Implements: blueprint add-ssl-internal-network
2020-04-30 20:55:07 +01:00
James Kirsch
f87814f794 Add support for encrypting Glance api
Add TLS support for Glance api using HAProxy to perform TLS termination.

Change-Id: I77051baaeb5d3f7dd9002262534e7d35f3926809
Partially-Implements: blueprint add-ssl-internal-network
2020-04-30 17:31:58 +01:00
Hongbin Lu
91678f67af Zun: Add zun-cni-daemon to compute node
Zun has a new component "zun-cni-daemon" which should be
deployed in every compute node. It is basically an implementation
of CNI (Container Network Interface) that performs the neutron
port binding.

If users are using the capsule (pod) API, the recommended deployment
option is using "cri" as capsule driver. This is basically to use
a CRI runtime (i.e. CRI plugin for containerd) for supporting
capsules (pods). A CRI runtime needs a CNI plugin which is what
the "zun-cni-daemon" provides.

The configuration is based on the Zun installation guide [1].
It consists of the following steps:
* Configure the containerd daemon in the host. The "zun-compute"
  container will use grpc to communicate with this service.
* Install the "zun-cni" binary at host. The containerd process
  will invoke this binary to call the CNI plugin.
* Run a "zun-cni-daemon" container. The "zun-cni" binary will
  communicate with this container via HTTP.

Relevant patches:
Blueprint: https://blueprints.launchpad.net/zun/+spec/add-support-cri-runtime
Install guide: https://review.opendev.org/#/c/707948/
Devstack plugin: https://review.opendev.org/#/c/705338/
Kolla image: https://review.opendev.org/#/c/708273/

[1] https://docs.openstack.org/zun/latest/install/index.html

Depends-On: https://review.opendev.org/#/c/721044/
Change-Id: I9c361a99b355af27907cf80f5c88d97191193495
2020-04-30 02:22:20 +00:00
Zuul
70e7b1b0d8 Merge "Add feature to support managing dynamic pollsters" 2020-04-29 17:45:34 +00:00
Zuul
059fee1ea3 Merge "Add support for encrypting heat api" 2020-04-29 17:19:51 +00:00
Zuul
12a0ffa305 Merge "Fix telegraf invalid TOML syntax" 2020-04-29 12:00:56 +00:00
Zuul
8d4157a510 Merge "Adapt to Octavia Certificate Configuration Guide." 2020-04-29 11:46:54 +00:00
Noboru Iwamatsu
e84c968ed2 Adapt to Octavia Certificate Configuration Guide.
This patch updates the octavia controller deployment to use the
latest octavia certificate configuration guide [1]. The dual CA changes
were introduced in Train.

[1] https://docs.openstack.org/octavia/latest/admin/guides/certificates.html

Change-Id: If89ec0d631568db70690f1a69d00115c59abe678
Closes-Bug: #1862133
2020-04-29 08:30:12 +03:00
xiaojueguan
7ad7c88046 Fix telegraf invalid TOML syntax
Change-Id: Ie3022d1721f43dc84e4228331d0d2f6f3a3c7ebd
Closes-Bug: 1875613
2020-04-29 11:14:31 +08:00
Zuul
10036c0736 Merge "CI: Fix Debian aarch64 jobs" 2020-04-29 01:25:58 +00:00
Zuul
2f77670f7d Merge "ironic: handle Swift object storage" 2020-04-29 00:53:48 +00:00
Marcin Juszkiewicz
30b8eed1cd CI: Fix Debian aarch64 jobs
Debian defaults to Python2 which is not complete in aarch64 images.
This patch changes CI to always use Python3.

We need to install several Python modules to have working ussuri jobs.

"Failed to import the required Python library (setuptools) on primary's Python /usr/bin/python3."

And then several Python2 ones for train->ussuri upgrade jobs:

"Unable to find any of pip2 to use. pip needs to be installed."

Change-Id: Ia0d3ff15d97d1cabbb0b8e7f32e8712ca3f94732
2020-04-28 19:15:06 +02:00
Marcin Juszkiewicz
fee9ff9c9d ironic: handle Swift object storage
Change-Id: I18f8855a758703968aba032add68add24b31f673
Closes-bug: #1875588
2020-04-28 13:00:16 +02:00
Xing Zhang
01ae01ec26 Make sure octavia uses internal endpoint to barbican
The octavia service communicates to the barbican service with
public endpoint_type by default[1], it should use internal
like other services.

[1] 0056b5175f/octavia/common/config.py (L533-L537)

Closes-Bug: #1875618
Change-Id: I90d2b0aeac090a3e2366341e260232fc1f0d6492
2020-04-28 18:55:32 +08:00
Zuul
0747ebf1c9 Merge "Add docs and release note for CentOS 8" 2020-04-27 15:58:13 +00:00
Radosław Piliszek
32fc2599a6 Check that used Ansible can see Kolla Ansible
Fix-feature following up on the original check [1] to make it
test the correct interpreter.

Additionally, this change removes last, unneeded call to
random python - getting script directory is perfectly
doable in bash.

All checks are done from Python, not Ansible, due to its
performance. Python version feels snappy (0.2 s to check),
compared to sluggish Ansible (2.0 s to check).
What is more, relying on Ansible would require hacky solutions
to e.g. prevent custom config from interfering with it.
We might be willing to steer Ansible from Python in the future
anyhow.

[1] Icf0399d21b3fde8d530d73e6e7ee4a57665da276

Change-Id: Ib8f2e6b6672e7c06aa94bc226c4d72640d25d8c2
Closes-Bug: #1856346
2020-04-27 17:18:31 +02:00
Zuul
1939c3ce68 Merge "[octavia] Adds region_name if enable_barbican" 2020-04-27 13:51:12 +00:00
Zuul
c151449e09 Merge "Fix haproxy restarting twice per Ansible run" 2020-04-27 13:48:00 +00:00
Zuul
23eb41de7e Merge "Remove redundant listen on haproxy handler" 2020-04-27 13:31:47 +00:00
Zuul
3d550cd38c Merge "Cleanup py27 support" 2020-04-27 13:31:45 +00:00
Christian Berendt
19564b1533 Deprecate rabbitmq_hipe_compile
Erlang 22.x dropped support for HiPE so use of "rabbitmq_hipe_compile"
is deprecated.

Change-Id: I8e0173c7aa6204e5b4c60dafbb8b464482cae90b
2020-04-27 10:46:00 +00:00
ramboman
6c372312ad [octavia] Adds region_name if enable_barbican
Adds necessary "region_name" to octavia.conf when
"enable_barbican" is set to "true".

Closes-Bug: #1867926

Change-Id: Ida61cef4b9c9622a5e925bac4583fba281469a39
2020-04-27 09:53:57 +03:00
Radosław Piliszek
04effaa903 Fix haproxy restarting twice per Ansible run
Since haproxy is orchestrated via site.yml in a single play,
it does not need flushing handlers as handlers run will
happen at the end of this play.

Change-Id: Ia3743575da707325be93c39b4a2bcae9211cacb2
Related-Bug: #1864810
Closes-Bug: #1875228
2020-04-26 21:51:20 +02:00
Radosław Piliszek
98e86ea62b Remove redundant listen on haproxy handler
Follow-up on [1] "Avoid multiple haproxy restarts after
reconfiguration".

There is no need to duplicate handler name in listen.
The issue was because we had two handlers with the same
name in the same environment.
This causes Ansible not to mark handler as already run.

[1] https://review.opendev.org/708385

Change-Id: I5425a8037b6860ef71bce59becff8dfe5b601d4c
Related-Bug: #1864810
2020-04-26 21:23:25 +02:00