[stable/zed] Mount CA into Keystone + Magnum (#1299)
\n\nCloses #1274
diff --git a/playbooks/infrastructure.yml b/playbooks/infrastructure.yml
index db62f05..d1c8ea6 100644
--- a/playbooks/infrastructure.yml
+++ b/playbooks/infrastructure.yml
@@ -13,7 +13,7 @@
# under the License.
- name: Deploy Infrastructure
- hosts: controllers[0]
+ hosts: controllers
become: true
roles:
- role: cert_manager
diff --git a/roles/cluster_issuer/tasks/main.yml b/roles/cluster_issuer/tasks/main.yml
index 8516771..72e9ac4 100644
--- a/roles/cluster_issuer/tasks/main.yml
+++ b/roles/cluster_issuer/tasks/main.yml
@@ -13,6 +13,7 @@
# under the License.
- name: Create self-signed cluster issuer
+ run_once: true
kubernetes.core.k8s:
state: present
definition:
@@ -30,6 +31,7 @@
when: cluster_issuer_type in ("self-signed", "ca")
block:
- name: Wait till the secret is created
+ run_once: true
kubernetes.core.k8s_info:
api_version: v1
kind: Secret
diff --git a/roles/cluster_issuer/tasks/type/acme/solver/cloudflare.yml b/roles/cluster_issuer/tasks/type/acme/solver/cloudflare.yml
index 431b08e..c7cd8df 100644
--- a/roles/cluster_issuer/tasks/type/acme/solver/cloudflare.yml
+++ b/roles/cluster_issuer/tasks/type/acme/solver/cloudflare.yml
@@ -13,6 +13,7 @@
# under the License.
- name: Create ClusterIssuer
+ run_once: true
kubernetes.core.k8s:
state: present
definition:
diff --git a/roles/cluster_issuer/tasks/type/acme/solver/http01.yml b/roles/cluster_issuer/tasks/type/acme/solver/http01.yml
index 363dc64..ac93dc5 100644
--- a/roles/cluster_issuer/tasks/type/acme/solver/http01.yml
+++ b/roles/cluster_issuer/tasks/type/acme/solver/http01.yml
@@ -13,6 +13,7 @@
# under the License.
- name: Create ClusterIssuer
+ run_once: true
kubernetes.core.k8s:
state: present
definition:
diff --git a/roles/cluster_issuer/tasks/type/acme/solver/rfc2136.yml b/roles/cluster_issuer/tasks/type/acme/solver/rfc2136.yml
index 60306ea..d706cb2 100644
--- a/roles/cluster_issuer/tasks/type/acme/solver/rfc2136.yml
+++ b/roles/cluster_issuer/tasks/type/acme/solver/rfc2136.yml
@@ -13,6 +13,7 @@
# under the License.
- name: Create ClusterIssuer
+ run_once: true
kubernetes.core.k8s:
state: present
definition:
diff --git a/roles/cluster_issuer/tasks/type/acme/solver/route53.yml b/roles/cluster_issuer/tasks/type/acme/solver/route53.yml
index fa805d6..2f056ed 100644
--- a/roles/cluster_issuer/tasks/type/acme/solver/route53.yml
+++ b/roles/cluster_issuer/tasks/type/acme/solver/route53.yml
@@ -13,6 +13,7 @@
# under the License.
- name: Create ClusterIssuer
+ run_once: true
kubernetes.core.k8s:
state: present
definition:
diff --git a/roles/cluster_issuer/tasks/type/ca/main.yml b/roles/cluster_issuer/tasks/type/ca/main.yml
index a52b70a..d7a34a0 100644
--- a/roles/cluster_issuer/tasks/type/ca/main.yml
+++ b/roles/cluster_issuer/tasks/type/ca/main.yml
@@ -13,6 +13,7 @@
# under the License.
- name: Create ClusterIssuer
+ run_once: true
kubernetes.core.k8s:
state: present
definition:
diff --git a/roles/cluster_issuer/tasks/type/self-signed/main.yml b/roles/cluster_issuer/tasks/type/self-signed/main.yml
index dd23773..a9bb496 100644
--- a/roles/cluster_issuer/tasks/type/self-signed/main.yml
+++ b/roles/cluster_issuer/tasks/type/self-signed/main.yml
@@ -13,6 +13,7 @@
# under the License.
- name: Create ClusterIssuer
+ run_once: true
kubernetes.core.k8s:
state: present
definition:
diff --git a/roles/cluster_issuer/tasks/type/venafi/main.yml b/roles/cluster_issuer/tasks/type/venafi/main.yml
index 9baffca..f054951 100644
--- a/roles/cluster_issuer/tasks/type/venafi/main.yml
+++ b/roles/cluster_issuer/tasks/type/venafi/main.yml
@@ -13,6 +13,7 @@
# under the License.
- name: Create secret (username/password)
+ run_once: true
when:
- cluster_issuer_venafi_username is defined
- cluster_issuer_venafi_password is defined
@@ -30,6 +31,7 @@
password: "{{ cluster_issuer_venafi_password }}"
- name: Create secret (access token)
+ run_once: true
when:
- cluster_issuer_venafi_username is not defined
- cluster_issuer_venafi_password is not defined
@@ -46,6 +48,7 @@
access-token: "{{ cluster_issuer_venafi_access_token }}"
- name: Create ClusterIssuer
+ run_once: true
kubernetes.core.k8s:
state: present
definition:
diff --git a/roles/defaults/defaults/main.yml b/roles/defaults/defaults/main.yml
index 1019593..58b1173 100644
--- a/roles/defaults/defaults/main.yml
+++ b/roles/defaults/defaults/main.yml
@@ -23,3 +23,6 @@
# This is for override values in atmosphere_images
atmosphere_image_overrides: {}
+
+defaults_ca_certificates_path: >-
+ {{ '/etc/ssl/certs/ca-certificates.crt' if ansible_facts['os_family'] in ['Debian'] else '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt' }}"
diff --git a/roles/keepalived/tasks/main.yml b/roles/keepalived/tasks/main.yml
index 4eff179..ceaa88a 100644
--- a/roles/keepalived/tasks/main.yml
+++ b/roles/keepalived/tasks/main.yml
@@ -13,6 +13,7 @@
# under the License.
- name: Deploy service
+ run_once: true
when: keepalived_enabled | bool
kubernetes.core.k8s:
state: present
diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml
index 609f3c8..ed85ea6 100644
--- a/roles/keycloak/tasks/main.yml
+++ b/roles/keycloak/tasks/main.yml
@@ -25,6 +25,7 @@
name: PyMySQL
- name: Check MySQL ready
+ run_once: true
community.mysql.mysql_info:
login_host: "{{ _pxc_service.resources[0].spec.clusterIP }}"
login_user: root
@@ -56,6 +57,7 @@
priv: "{{ keycloak_database_name }}.*:ALL"
- name: Disable pxc strict mode
+ run_once: true
community.mysql.mysql_query:
login_host: "{{ _pxc_service.resources[0].spec.clusterIP }}"
login_user: root
@@ -89,6 +91,7 @@
cert-manager.io/cluster-issuer: atmosphere
- name: Enable pxc strict mode
+ run_once: true
community.mysql.mysql_query:
login_host: "{{ _pxc_service.resources[0].spec.clusterIP }}"
login_user: root
diff --git a/roles/keystone/vars/main.yml b/roles/keystone/vars/main.yml
index 625ff2f..1b67f80 100644
--- a/roles/keystone/vars/main.yml
+++ b/roles/keystone/vars/main.yml
@@ -22,11 +22,14 @@
mounts:
keystone_api:
keystone_api:
- volumeMounts: "{{ keystone_domains | vexxhost.atmosphere.keystone_domains_to_mounts }}"
+ volumeMounts: "{{ keystone_domains | vexxhost.atmosphere.keystone_domains_to_mounts + [{'name': 'etc-ssl-certs', 'mountPath': '/etc/ssl/certs', 'readOnly': true}] }}"
volumes:
- name: keystone-openid-metadata
configMap:
name: keystone-openid-metadata
+ - name: etc-ssl-certs
+ hostPath:
+ path: "{{ defaults_ca_certificates_path }}"
conf:
keystone:
DEFAULT:
diff --git a/roles/magnum/vars/main.yml b/roles/magnum/vars/main.yml
index eeee431..358d145 100644
--- a/roles/magnum/vars/main.yml
+++ b/roles/magnum/vars/main.yml
@@ -25,6 +25,8 @@
barbican_client:
endpoint_type: internalURL
region_name: "{{ openstack_helm_endpoints_barbican_region_name }}"
+ capi_client:
+ ca_file: /etc/ssl/certs/ca-certificates.crt
cinder_client:
endpoint_type: internalURL
region_name: "{{ openstack_helm_endpoints_cinder_region_name }}"
@@ -74,6 +76,17 @@
replicas:
api: 3
conductor: 3
+ mounts:
+ magnum_conductor:
+ magnum_conductor:
+ volumeMounts:
+ - name: etc-ssl-certs
+ mountPath: /etc/ssl/certs
+ readOnly: true
+ volumes:
+ - name: etc-ssl-certs
+ hostPath:
+ path: "{{ defaults_ca_certificates_path }}"
manifests:
ingress_api: false
service_ingress_api: false