All TLS certificates are incorrectly generated in the 'certificates'
role. The generated certificates don't contain both the 'X509v3
extensions' and 'X509v3 Subject Alternative Name' blocks at all.
This change fixes the 'openssl x509' commands used to generate all the
certificates to include the 'Subject Alternative Name'.
Also, this change fixes both internal and external templates to
constantly use alternative names as described in the RFCs [1] [2].
We use DNS Name in SAN extension only when 'kolla_internal_fqdn' or
'kolla_external_fqdn' is set.
1. https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6
2. https://datatracker.ietf.org/doc/html/rfc6125#appendix-B.2
Closes-Bug: #1935978
Change-Id: Ie5d82a2e4575bd74674ac38a042df49cfe7f74c9
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>
Sometimes, the registries may intermittently fail to deliver the
images. This is often seen in the CI, though it also happens with
production deployments, even those with internal registries and/or
registry mirrors - due to sheer load when trying to pull the
images from many hosts.
This patchs adds two new vars to control retry behaviour.
The default has been set to make users happier by default. :-)
Change-Id: I81ad7d8642654f8474f11084c6934aab40243d35
It seems to have been mistakenly introduced by
de00bf491dfbabc8e11009fce4410bce5c2110ed
"Simplify handler conditionals"
Change-Id: I65b6e322fa11a870f32099bbfd62150cbea4feb5
Kolla-ansible upgrade task is calling different
handlers as deploy task and these handlers are
missing healthcheck key. This patch is fixing
this.
Closes-Bug: #1939679
Change-Id: Id83d20bfd89c27ccf70a3a79938f428cdb5d40fc
We get a nice optimisation by using a filtered loop instead
of task skipping per service with 'when'.
Partially-Implements: blueprint performance-improvements
Change-Id: I8f68100870ab90cb2d6b68a66a4c97df9ea4ff52
Follow up for I0c7e9a28876a1d4278fb2ed8555c2b08472864b9 which added a
ironic_enable_keystone_integration variable to support Ironic in
multi-region environments. This change skips Keystone service
registration based on ironic_enable_keystone_integration rather than
enable_keystone. It also updates the ironic-inspector.conf template to
use the new variable.
Change-Id: I2ecba4999e194766258ac5beed62877d43829313
Basically, there are three main installation scenario:
Scenario 1:
Ironic installation together with other openstack services
including keystone. In this case variable enable_keystone
is set to true and keystone service will be installed
together with ironic installation. It is possible realise this
scenario, no fix needed
Scenario 2:
Ironic installation with connection to already installed
keystone. In this scenario we have to set enable_keystone
to “No” to prevent from new keystone service installation
during the ironic installation process. But in other hand,
we need to have correct sections in ironic.conf to provide
all information needed to connect to existing keystone.
But all sections for keystone are added to ironic.conf only
if enable_keystone var is set to “Yes”. It isn’t possible
to realise this scenario. Proposed fix provide support for
this scenario, where multiple regions share the same
keystone service.
Scenario 3:
No keystone integration. Ironic don't connect to Keystone.
It is possible realise this scenario, no fix needed
Proposed solution also keep the default behaviour: if no
enable_keystone_integration is manually defined by default
it takes value of enable_keystone variable and all behaviour
is the same. But if we don't want to install keystone and
want to connect to existing one at the same time, it will be
possible to set enable_keystone var to “No”
(preventing keystone from installation) and at the same
time set ironic_enable_keystone_integration to Yes to allow
needed section appear in ironic.conf through templating.
Change-Id: I0c7e9a28876a1d4278fb2ed8555c2b08472864b9
Elevated (root) privileges are required to set owner/group/mode when
target owner does not math the user running Ansible. Without it the
playbook fails with 'Permission denied' error.
Change-Id: Ie7455a5f1ed709dfb9c9d7c653c6f808c00af4c2
This patch is fixing docker healthcheck for horizon
by changing value of horizon_listen_port, so
both apache's virtualhost and healthcheck will have
same correct port always. Also removing useless
apache's redirect as all redirects are done on
haproxy side.
Closes-Bug: #1933846
Change-Id: Ibb5ad1a5d1bbc74bcb62610d77852d8124c4a323
Kolla-ansible install python docker library in role/baremetal
to group/baremetal, because of this get container facts
for timesync checks is failing on deployment host.
This patch adding when conditional, so deployment host
will be skipped as there is no need to run timesync
checks.
Closes-Bug: #1933347
Change-Id: Ifefb9c74ee6a80cdbc458992d0196850ddfe7ffa
This trivial patch is setting "timeout tunnel" in haproxy's
configuration for spicehtml5proxy. This option extends time
when spice's websocket connection is closed, so spice will
not be freezed. Default value is set to 1h as it is in novnc.
Closes-Bug: #1938549
Change-Id: I3a5cd98ecf4916ebd0748e7c08111ad0e4dca0b2
As mentioned in the Iced014acee7e590c10848e73feca166f48b622dc
commit message, in Ussuri+ we can use ``+sbwtdcpu none
+sbwtdio none`` as well. This is due to relying on RMQ-provided
erlang in version 23.x.
This change adds the extra arguments by default.
It should be backported down to Ussuri before we do a release with
Iced014acee7e590c10848e73feca166f48b622dc.
Change-Id: I32e247a6cb34d7f6763b544f247fd408dce2b3a2
