The "kolla_internal_address" variable is not documented or defined
anywhere. When "kolla_internal_vip_address" is undefined, the error
message is about "kolla_internal_address", which will confuse operators.
This change deprecates "kolla_internal_address", and adds a default
value for "kolla_internal_vip_address" when "kolla_internal_address" is
undefined.
Change-Id: I09694b38420ea67896bb8cf4ffd7ce6f131af10e
Closes-Bug: #1864206
This patch introduces an optional backend encryption for the Nova API
service. When used in conjunction with enabling TLS for service API
endpoints, network communcation will be encrypted end to end, from
client through HAProxy to the Nova service.
Change-Id: I48e1540b973016079d5686b328e82239dcffacfd
Partially-Implements: blueprint add-ssl-internal-network
Steps to reproduce:
* Deploy a cloud
* Add another controller to the inventory
* Deploy to the new controller using --limit:
kolla-ansible deploy --limit new-controller
Expected results:
The new controller uses the cluster's existing fernet keys.
Actual results:
New fernet keys are generated on the new controller, and pushed out to
the existing controllers. This invalidates tokens created from those
keys.
This change prevents the above scenario from happening, by failing the
deployment if there are no hosts with existing Ferney keys to
distribute, and not all Keystone hosts are in the target host list.
Closes-Bug: #1891364
Change-Id: If0c0e038b77fc010a3a017f9841a674d53b16457
This patch introduces a global keep alive timeout value for services
that leverage httpd + wsgi to handle http/https requests. The default
value is one minute.
Change-Id: Icf7cb0baf86b428a60a7e9bbed642999711865cd
Partially-Implements: blueprint add-ssl-internal-network
Backport to Ussuri unmodified. Backport to Train and Stein without
DEFAULT_BOOT_SOURCE.
Closes-Bug: #1891024
Change-Id: If8fe490c3f698ab3eb37735fbfcb8ab0d5fa8a06
This fix was premature as it completely ignores
the previously-respected umask.
Let's discuss a proper fix and revert this one
since CI is fixed elsewhere [1].
[1] https://review.opendev.org/743502
This reverts commit 87efdce24bc802777d4da58f9f63c8d0838e7120.
Change-Id: If38adbf124e793574a21ae986f9ee146d587f820
Ansible changed the default mode for files, even in stable
releases. [1]
This change restores the previous default (with the common
umask).
[1] https://github.com/ansible/ansible/pull/70221
Change-Id: I0f81214b4f95fe8a378844745ebc77f3c43027ab
Closes-Bug: #1891145
There is a time once every 2 years when ubuntu team releases new LTS
release. And then UCA joins with binary packages for current OpenStack
development cycle.
It is this time for Ubuntu 20.04 'focal'.
Includes CI fix to pass:
[CI] Temporarily block new Ansible
The proper fix [1] needs fixing older branches before newer.
This one allows to fix CI first, in the usual order.
To revert after [1] gets merged in all relevant branches.
[1] https://review.opendev.org/745648
Old-Change-Id: Ifbd37d8addd4322773118e2e9d46494741a8ae66
Related-Bug: #1891145
Depends-on: https://review.opendev.org/#/c/738994/
Change-Id: Ib8b70ee40ec2d19509cc84c0f530612f81907721
Co-Authored-By: Radosław Piliszek <radoslaw.piliszek@gmail.com>
Previously we mounted /etc/timezone if the kolla_base_distro is debian
or ubuntu. This would fail prechecks if debian or ubuntu images were
deployed on CentOS. While this is not a supported combination, for
correctness we should fix the condition to reference the host OS rather
than the container OS, since that is where the /etc/timezone file is
located.
Change-Id: Ifc252ae793e6974356fcdca810b373f362d24ba5
Closes-Bug: #1882553
Add trove-guestagent.conf templates for trove-guestagent service.
Default the Guest Agent config file to be injected during instance creation.
Change-Id: Id0750b84fef8e19658b27f8ae16a857e1394216e
This patch is a continuation of
I6a174468bd91d214c08477b93c88032a45c137be for the nova-cell role, which
was missed.
The Castellan (Barbican client) has different parameters to control
the used CA file.
This patch uses them.
Moreover, this aligns Barbican with other services by defaulting
its client config to the internal endpoint.
See also [1].
[1] https://bugs.launchpad.net/castellan/+bug/1876102
Closes-Bug: #1886615
Change-Id: I056f3eebcf87bcbaaf89fdd0dc1f46d143db7785
Glance role copies glance-image-import.conf
when enabled to allow configuration of
glance interoperable image import. Property
protection can be enabled and file is copied.
Change-Id: I5106675da5228a5d7e630871f0882269603e6571
Closesl-Bug: #1889272
Signed-off-by: nikparasyr <nik.parasyr@protonmail.com>
Updated TLS documentation to reflect new features and configuration
options added in Ussuri.
Change-Id: I74550eaf394287b14fc521293cc4b5ea8074192c
Partially-Implements: blueprint add-ssl-internal-network
Some plays were not applied to all groups referenced by the services
they deploy. In most cases this works fine, but if the default inventory
is modified this may cause problems where containers are not deployed to
hosts in the missing groups, if they are not a member of other groups
that the play is targeted to.
This change syncs up the play hosts for all services.
Closes-Bug: #1889387
Change-Id: I6b92d8e53a29b06a065e0611840140d09c8a6695
Deprecated: Option "cafile" from group "keystone_authtoken" is deprecated.
Use option "cafile" from group "keystone_auth".
Change-Id: Ia372b1b73afc0bea6a68dcd156cf963c01e3f3ab
Masakari was introduced parallelly to deploy-containers action and
so we missed to add this functionality to it.
Change-Id: Ibef198d20d481bc92b38af786cdf0292b246bb12
Closes-Bug: #1889611
With an incorrectly named section, whatever's defined in here is
actually ignored which can result in unexpected behaviour.
Closes-Bug: 1889455
Change-Id: Ib2e2b53e9a3c0e62a2e997881c0cd1f92acfb39c
Signed-off-by: Nick Jones <nick@dischord.org>
