... because these were deprecated during Pike[1] and were removed
during Stein[2] in favor of the new single KeystoneFernetKeys
parameter.
[1] 490e237f09d2c685903b173d3fd94efc450a9cb2
[2] 40ba776463b24afb7feec574999da66a5b63a028
Change-Id: Ieabac57383de4f6c8157c0b0c746ca8606237420
When the Galera is configured to use mariabackup, the
synchronization takes place by connecting to the
database with configurable user credentials.
Generate a random password for this use case.
Related-Bug: #1973872
Change-Id: I1509bd30fbd253790b17e04ef15dca6c58de7311
... because support for the novajoin service was already removed[1].
Depends-on: https://review.opendev.org/833508
Change-Id: I54f739c396b29d6a84b4ed5d7fcad364910d3abc
tripleo-client stores generated passwords into a
file in a default location.
Other modules might need to know this location
(e.g. tripleo-passwords-rotate [1]), so expose
this default value in tripleo-common.
[1] I69361215efcca69c1bbeb24f427a0c309ff2806f
Related-Bug: #1960527
Change-Id: Ib799533e2a60413620639bc9d0af44ac31006159
Since libsodium cannot be used when FIPS is enabled,
auth_ed25519 support must be updated to use
py-cryptography. This library uses OpenSSL's ed25519
instead, and as a side effect, the only suitable
passwords that it can generate for auth_ed25519 are
32-bytes-long binary passwords.
Define new constant for DB-specific passwords, and
base64-encode them so they can be manipulated
easily in yaml and in hiera.
We also generate a new key EnableMysqlAuthEd25519 in
the returned passwords, so that the passwords can be
rotated properly when using tripleo_passwords_rotate.
Related-Bug: #1196027
Change-Id: I00d3d2a43d08d3d317a25c7ecb54d197e36a8f93
Various passwords used by pacemaker (pcsd,
pacemaker remote, clustercheck), cannot currently
be updated on one node without impacting communication
with the other nodes in the cluster (pacemaker), or
other clustered services (galera).
Do not rotate those cluster passwords by default, until
an orchestrated rotation is implemented specifically
for each of them.
Closes-Bug: #1960277
Change-Id: I4132f184454b9c2b907d3317256c3de185fd9da9
This change removes constants which are no longer used since we removed
Mistral workflows/actions from TripleO.
Change-Id: I8e8e9a3f2fb95d25bcf4cf2ba8f277d536c1799a
... because these constants are no longer used since validations
dependent on these parameters were split out to a separate validation
repository[1].
[1] 05a84782c4
Change-Id: I161f8389f7426cd575dc32d44a76de3097ac76e9
... because these constants are no longer used since TripleO UI was
removed during Rocky[1].
[1] 5566697549
Change-Id: I3b6afbc51c69a4c51e464ddc830b2e055ca4f0c3
The following services are no longer supported by TripleO and generated
passwords are no longer used.
- Congress
- EC2 API
- Panko
- Sahara
Change-Id: I0829edb19b8e1614b8000db7355fe6368bc169d7
Following the renaming in t-h-t, this change updates the list of
password parameters generated by tripleo-common. To keep the keystone
password during upgrade, AdminToken is automatically converted to
KeystonePassword during password generation.
Depends-on: https://review.opendev.org/799425
Change-Id: I6064e29541fdba93b2f23f96a21f52e7dfe82d2a
'/usr/share/openstack-tripleo-validations' doesn't exist anymore since
Train. Tripleo-validations installs its bits in '/usr/share/ansible/'.
It is now quite safe to remove the references to this legacy directory.
**Note**
This patch will be applied to master and stable/wallaby only. This logic
will be kept as is for stable/train as this directory may still be
present during an upgrade.
Change-Id: Ib96e2c0dd789be2be6bdaf66682b985cb864baf8
Signed-off-by: Gael Chamoulaud (Strider) <gchamoul@redhat.com>
The OVN Bridge MAC network causes the inventory generation
to be skipped due to MissingMandatoryNeutronResourceTag.
This network should be ignored here.
Related: blueprint network-data-v2-ports
Partial-Bug: #1928469
Change-Id: Idb557d0c6c4356385cb05b2041b0bdaa5485367a
Heat does not support rotation of auth_encryption_key
for existing deployments with heat stacks. Once this
key has been rotated, existing stacks can't be updated
or even deleted. Let's not allow them to be changed.
Change-Id: I19c1d166ca72465fd4ae3dad46de77bb095f73d4
Some node network_config options defined in the baremetal
deployment yaml definition can't be stored on neutron resources
as tags, because tag strings have a limited max length.
In the tripleo-ansible change https://review.opendev.org/772766
the baremetal deployment workflow puts this data into a config
file. With this change the config in the file source is merged
into the generated ansible inventory.
Partial-Implements: blueprint network-data-v2-ports
Change-Id: I1e339acb21d2acb1c336420af9f04d01f861aa91
When building the inventory from neutron resources,
set network related role_vars in the generated
ansible inventory. The following vars are set:
{{ network_name }}_cidr
{{ network_name }}_dns_nameservers
{{ network_name }}_gateway_ip
{{ network_name }}_host_routes
{{ network_name }}_mtu
{{ network_name }}_vlan_id
ctlplane_subnet_cidr
networks_all
networks_lower
role_networks
Partial-Implements: blueprint network-data-v2-ports
Change-Id: I3072895b44845736050255fb0b6d5f0bdd5c5f48
We'll use the existing stack environment instead.
When we move to ephemeral heat stack, we'll use
a file. Rotate passwords would generate an environment
with passwords which can then be used in subsequent
deployments.
Also removes the legacy heat resource passwords as we
probably allow ffw upgrades from queens to
wallaby and these passwords would already be in stack
environment.
Depends-On: https://review.opendev.org/c/openstack/python-tripleoclient/+/765808
Change-Id: I7e081a1831bc00e91cd6967c4c404c0037c85d17
The ceph external deploy tasks are using validation modules via
mistral.
We need to set up the correct new path for mistral in order to
get the module. (warn.py)
Change-Id: Ide21daaac9a558561d0943cc0a380952cf7e29b3
Resolves: rhbz#1885828
external_deploy_tasks will now be written out in per step files in the
config download directory. This will allow including the task files for
a specific step only at that step, and saving time by not having to skip
so many tasks.
Change-Id: I7ded2cb74afe73eab5c423fcb31ec9046ea47790
This will create update_tasks_stepX.yaml for X from 0 to 5 and
post_update_tasks_stepX.yaml for X from 0 to 3.
The usual <ROLE>/post_update_tasks.yaml and <ROLE>/update_tasks.yaml
are still created so that patch won't break current deployment but it
will open the way to load each step file instead of looping over the
step.
Change-Id: Ibc7ba230bce3464482a91cfea3cc4791544e3abf
For upgrade and deployment we generate tasks files based on the step
tasks must run in.
By default, all tasks that don't have a matching conditional are
included in all step files.
We add an option to be able to control this behavior.
PER_STEP_TASKS becomes a dictionary with key being the current config
collected and the value is an array. Each element of the array maps to
the steps: element 0 is step0 and so on. That element tells the
_write_tasks_per_step function if we include tasks with no
conditional when it is False or exclude them when it is True.
This structure opens four possibilities:
- allow to have step tasks of different lengths: for instance if we
  want to expand post update tasks which have a length of four (not
  DEFAULT_STEPS_MAX)
- In testing, we can identify the tasks with no conditional by
  putting all normal steps to strict (set True for every step) and add
  an extra one set to False. The extra one will have the steps with
  no conditional.
- Identify when the conditional matcher in _write_tasks_per_step
  fails.
- Eventually, set everything to strict to force the developer to
  properly add a conditional to every task.
As it is, the change has no impact and keeps the current default
behavior.
Change-Id: I2033efd47c09707797a4b48a853517d42f584e76
we do not want the CephX keys to rotate by default, some cannot
be changed at all after the cluster has been deployed
Change-Id: Iefe87eb869e248ea1e98d9ae34cdeeea57aa5426
these are not necessary because ceph-ansible will generate them
randomly and completely ignored in recent versions of the templates
Change-Id: I2441d293c56775a723ae5979596d9e70ec1a4182
Depends-On: If77935345de70ae261b091b8bf49b997dc71a781
Related-Bug: 1878014
This patch adds constraints for identity api version and compute
api version, so that we can have all api version defined in one
place.
Change-Id: I5ff4a99b9cb69058c584d57d4332c423babc9597
The neutron-server-ovn image has been dropped by our upstream, kolla.
This change reacts to that development and pivots our ovn deployments
to use the "neutron-server" container image, where the OVN code base
has been relocated.
> Tests have been removed and updated to reflect the new image layout.
Depends-On: Ib2dbdd7e7d34f56985b7a5b2494c3b89034688cb
Change-Id: Ie48143ea33b21a8c9154d1c0552e8fc1272edfc4
Signed-off-by: Kevin Carter <kecarter@redhat.com>
deploy_steps_tasks will now be written out in per step files in the
config download directory. This will allow including the task files for
a specific step only at that step, and saving time by not having to skip
so many tasks.
Change-Id: Id5fdb4dd1a6290d1097d2d81523161c87ab6d4dd
The per step tasks generation was introduced by:
I4d864f374d6f840585fafef2c7678e55c154898e
This patch is refactoring a little bit so we can easily re-use that
interface for the other tasks.
It introduces a new constant: PER_STEP_TASKS
It's a list of tasks that are "per step" ready.
Note about the 'else' in tripleo_common/utils/config.py :
Once all tasks are adapted in THT to run per step, we will be able to move this
condition to the upper level
We include it here to allow the CI to pass as long as the THT change is not merged.
Change-Id: Ie03084bb599b7b06aeeb321d2a7938a908487788
We commented this out back in late 2017 since they reorganized the
containers. Since no one has picked up this effort, let's drop this dead
code.
Change-Id: I45f0787e92eca59ab7eec09b2b199c5b1dbc4855
Container build using buildah w/ push=True is consistently hitting
timeout exception "SystemError: The following jobs were incomplete"
Change-Id: Id1e983fcb18501d5e3afd5230b377ed5c2f5603e
This change ensures our use of the `process.execute` method from
"oslo_concurrency" always checks the return codes of a given command.
While the library is assumed to do this already, this change
enforces our expected behavior.
We're also changing our use of futures to return when there's
an exception. The build_all method was blocking until all
jobs were completed. Blocking on pipeline completion results
in us masking exceptions that may be raised during the job
execution. To ensure we're capturing errors in our build
process the wait function now returns on the first exception;
More on the futures constants can be seen here:[0]. The
return values will now be evaluated to ensure all jobs
completed successfully.
Unit tests have been added to ensure we're not breaking the
build all method and that it raises appropriate exceptions
when errors are encountered.
[0] - https://docs.python.org/3/library/concurrent.futures.html#module-functions
Related-Bug: #1836265
Change-Id: Ia05140142fa59e5b252cd92801244e4fc02f4bbc
Signed-off-by: Kevin Carter <kecarter@redhat.com>
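
The failure-handling pattern described in the commit message above, as an added example that is not tripleo-common's own code: wait on the futures with `FIRST_EXCEPTION`, then evaluate the results so a failed or unfinished job cannot be masked. The `BuildError` class, the `build_all` signature used here and the sample jobs are assumptions made for illustration.

```python
import concurrent.futures as futures
import time


class BuildError(RuntimeError):
    """Raised when any job failed or did not run to completion."""


# Constructed sample jobs standing in for container build commands.
def ok_job():
    return "pushed"


def slow_job():
    time.sleep(0.2)
    return "pushed"


def bad_job():
    raise RuntimeError("command exited with code 1")


def build_all(jobs, max_workers=4):
    """Run named callables in parallel; return results or raise BuildError."""
    with futures.ThreadPoolExecutor(max_workers=max_workers) as pool:
        names = {pool.submit(job): name for name, job in jobs.items()}
        # Return as soon as one job raises instead of blocking on all of them.
        done, not_done = futures.wait(
            names, return_when=futures.FIRST_EXCEPTION)
        for fut in not_done:
            fut.cancel()  # only stops jobs that have not started yet
        failed = sorted(
            names[f] for f in done if f.exception() is not None)
        incomplete = sorted(names[f] for f in not_done)
        if failed or incomplete:
            raise BuildError(
                "failed jobs: %s; incomplete jobs: %s" % (failed, incomplete))
        return {names[f]: f.result() for f in done}


if __name__ == "__main__":
    print(build_all({"base": ok_job, "nova": slow_job}))
```
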
It includes:
* mistral action for generating clouds.yaml once
overcloud deployment finishes.
* clouds_yaml.py library for generating clouds.yaml
* Moved global vars to tripleo-common constants.
https://review.opendev.org/#/c/664586/ adds the review in
python-tripleoclient to create the clouds.yaml for
overcloud by calling the above mistral actions.
Related-Bug: #1719369
Change-Id: Ie9004222ca5f77031795eaa4b4a757da8b409d05
Signed-off-by: Chandan Kumar (raukadah) <chkumar@redhat.com>
This review adds the grafana, prometheus, alertmanager
and node-exporter images to make them available as
parameters in the tht template. This also covers the
password generation for tht templates.
Depends-on: https://review.opendev.org/#/c/667837
Change-Id: I2927240638ad1a1d43450e2d94771436e2775637
Use the HostnameNetworkConfigMap stack output so that the full
NetworkConfig script can be saved per server into the config-download
directory.
Change-Id: Ie543782569de14d56bc41740611f7512e8357a22
Depends-On: I315f2e2eb880e9f3cb67d9f4cdc789f08c6c4021
implements: blueprint reduce-deployment-resources
This is to remove the unnecessary slash when the line doesn't
exceed the length of 79, to make the code more readable.
Change-Id: I37a22d1732b1ce7ee1b4f0a35106148093ec8cf5
* Uploads now the contents of tripleo-validations/playbooks directory
instead of tripleo-validations/validations ones.
* Adds a new parameter to run-validation script to be able to properly
export Ansible variables:
- ANSIBLE_CALLBACK_PLUGINS
- ANSIBLE_LOOKUP_PLUGINS
- ANSIBLE_ROLES_PATH
- ANSIBLE_LIBRARY
Change-Id: I43cf796b0147a9b2054d3ff7941274a7497a14d9
Implements: blueprint validation-framework
Signed-off-by: Gael Chamoulaud <gchamoul@redhat.com>
A recent change[1] to Octavia added a parameter named
server_certs_key_passphrase, which means that we should generate a
password for it to avoid using the default value.
This patch adds OctaviaServerCertsKeyPassphrase to the list of
generated password/secrets, similarly to this past change[2].
Closes-Bug: #1821756
Related-Bug: #1821751
[1] I06d329ca53bc36bd27f7870ae7c7ca0cf18575b2
[2] I1dd1873b646e8569ed0a85c5ee7eb3bec3a8b1fa
Change-Id: I9699961faf8b3430e4372e4ff3ae2bf7e7ceea18
Split the existing upgrade_tasks into different plays with all
the tasks per step each. Turning into upgrade_tasks_step[0..5].yaml.
The way it's accomplished is by checking the when statement from
each ansible upgrade task. Each task will be included in its
corresponding step playbook. If the task doesn't have a step|int == X
condition defined then it will be included in all the playbooks.
Change-Id: I4d864f374d6f840585fafef2c7678e55c154898e
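
The per-step split described in the commit message above, together with the strict flags from the earlier PER_STEP_TASKS message, as an added example that is not tripleo-common's own code. The function names, the regular expression and the sample tasks are assumptions made for illustration; only the `step|int == X` condition, the file naming and the True/False meaning of the flags come from the messages.

```python
import re

# Constructed stand-in for the PER_STEP_TASKS layout described above: one flag
# per step; True means strict (tasks with no step conditional are left out).
PER_STEP_TASKS = {
    "upgrade_tasks": [False] * 6,
    "post_update_tasks": [False] * 4,
}

# Matches the "step|int == X" form quoted in the commit message.
STEP_RE = re.compile(r"\bstep\s*\|\s*int\s*==\s*(\d+)")

# Constructed sample tasks, not taken from tripleo-heat-templates.
SAMPLE_TASKS = [
    {"name": "stop service", "when": "step|int == 1"},
    {"name": "update packages", "when": ["step|int == 3", "not skip_update"]},
    {"name": "debug facts"},
]


def task_steps(task):
    """Return the steps named by step conditionals in a task's `when`."""
    when = task.get("when", [])
    if not isinstance(when, list):
        when = [when]
    return {int(n) for cond in when for n in STEP_RE.findall(str(cond))}


def tasks_for_step(tasks, step, strict=False):
    """Select tasks for one step file; unconditioned tasks only if not strict."""
    selected = []
    for task in tasks:
        steps = task_steps(task)
        if step in steps or (not steps and not strict):
            selected.append(task)
    return selected


def split_per_step(config_name, tasks, flags=None):
    """Map each per-step file name to the tasks it would contain."""
    flags = PER_STEP_TASKS[config_name] if flags is None else flags
    return {
        "%s_step%d.yaml" % (config_name, step):
            tasks_for_step(tasks, step, strict)
        for step, strict in enumerate(flags)
    }
```

Passing `flags=[True] * 6 + [False]` reproduces the testing trick from the PER_STEP_TASKS message: the extra seventh file then holds exactly the tasks that lack a step conditional.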