Add certmonger-user profile

This profile will request the certificates for the services on the node.
So with this, we will remove the requesting of these certs on the
services' profiles themselves.

The reasoning for this is that for a containerized environment, the
containers won't have credentials to the CA while the baremetal node
does. So, with this, we will have this profile that still gets executed
in the baremetal nodes, and we can subsequently pass the requested
certificates by bind-mounting them on the containers. On the other hand,
this approach still works well for the TLS-everywhere case when the
services are running on baremetal.

Change-Id: Ibf58dfd7d783090e927de6629e487f968f7e05b6
Depends-On: I4d2e62b5c1b893551f9478cf5f69173c334ac81f

diff --git a/deployed-server/deployed-server-roles-data.yaml b/deployed-server/deployed-server-roles-data.yaml
index 04da556..084c2f8 100644 (file)
--- a/deployed-server/deployed-server-roles-data.yaml
+++ b/deployed-server/deployed-server-roles-data.yaml
@@ -26,6 +26,7 @@
   disable_constraints: True
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::CephMon
     - OS::TripleO::Services::CephExternal
     - OS::TripleO::Services::CephRgw
@@ -109,6 +110,7 @@
   disable_constraints: True
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::CephClient
     - OS::TripleO::Services::CephExternal
     - OS::TripleO::Services::Timezone
@@ -133,6 +135,7 @@
   disable_constraints: True
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::BlockStorageCinderVolume
     - OS::TripleO::Services::Kernel
     - OS::TripleO::Services::Ntp
@@ -147,6 +150,7 @@
   disable_constraints: True
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::Kernel
     - OS::TripleO::Services::Ntp
     - OS::TripleO::Services::SwiftStorage
@@ -162,6 +166,7 @@
   disable_constraints: True
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::CephOSD
     - OS::TripleO::Services::Kernel
     - OS::TripleO::Services::Ntp

diff --git a/environments/contrail/roles_data_contrail.yaml b/environments/contrail/roles_data_contrail.yaml
index 5f6c469..d6d6f29 100644 (file)
--- a/environments/contrail/roles_data_contrail.yaml
+++ b/environments/contrail/roles_data_contrail.yaml
@@ -29,6 +29,7 @@
   CountDefault: 1
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::CephMds
     - OS::TripleO::Services::CephMon
     - OS::TripleO::Services::CephExternal
@@ -115,6 +116,7 @@
   disable_upgrade_deployment: True
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::CephClient
     - OS::TripleO::Services::CephExternal
     - OS::TripleO::Services::Timezone
@@ -140,6 +142,7 @@
 - name: BlockStorage
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::BlockStorageCinderVolume
     - OS::TripleO::Services::Kernel
     - OS::TripleO::Services::Ntp
@@ -156,6 +159,7 @@
   disable_upgrade_deployment: True
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::Kernel
     - OS::TripleO::Services::Ntp
     - OS::TripleO::Services::SwiftStorage
@@ -173,6 +177,7 @@
   disable_upgrade_deployment: True
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::CephOSD
     - OS::TripleO::Services::Kernel
     - OS::TripleO::Services::Ntp
@@ -188,6 +193,7 @@
 - name: ContrailController
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::ContrailConfig
     - OS::TripleO::Services::ContrailControl
     - OS::TripleO::Services::ContrailDatabase
@@ -203,6 +209,7 @@
 - name: ContrailAnalytics
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::ContrailAnalytics
     - OS::TripleO::Services::Kernel
     - OS::TripleO::Services::Ntp
@@ -215,6 +222,7 @@
 - name: ContrailAnalyticsDatabase
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::ContrailAnalyticsDatabase
     - OS::TripleO::Services::Kernel
     - OS::TripleO::Services::Ntp
@@ -227,6 +235,7 @@
 - name: ContrailTsn
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::ContrailTsn
     - OS::TripleO::Services::Kernel
     - OS::TripleO::Services::Ntp

diff --git a/environments/enable-internal-tls.yaml b/environments/enable-internal-tls.yaml
index f485e4a..e245a6a 100644 (file)
--- a/environments/enable-internal-tls.yaml
+++ b/environments/enable-internal-tls.yaml
@@ -9,6 +9,8 @@ parameter_defaults:
     ipa_enroll: True
 
 resource_registry:
+  OS::TripleO::Services::CertmongerUser: ../puppet/services/certmonger-user.yaml
+
   OS::TripleO::Services::HAProxyInternalTLS: ../puppet/services/haproxy-internal-tls-certmonger.yaml
   OS::TripleO::Services::ApacheTLS: ../puppet/services/apache-internal-tls-certmonger.yaml
   OS::TripleO::Services::MySQLTLS: ../puppet/services/database/mysql-internal-tls-certmonger.yaml

diff --git a/environments/hyperconverged-ceph.yaml b/environments/hyperconverged-ceph.yaml
index f59b041..8f74ec3 100644 (file)
--- a/environments/hyperconverged-ceph.yaml
+++ b/environments/hyperconverged-ceph.yaml
@@ -6,6 +6,7 @@ resource_registry:
 parameter_defaults:
   ComputeServices:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::CephClient
     - OS::TripleO::Services::CephExternal
     - OS::TripleO::Services::Timezone

diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 212e937..d9eaf8d 100644 (file)
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -252,6 +252,7 @@ resource_registry:
   OS::TripleO::Services::MySQLClient: puppet/services/database/mysql-client.yaml
   OS::TripleO::Services::Vpp: OS::Heat::None
   OS::TripleO::Services::Docker: OS::Heat::None
+  OS::TripleO::Services::CertmongerUser: OS::Heat::None
 
 parameter_defaults:
   EnablePackageInstall: false

diff --git a/puppet/services/certmonger-user.yaml b/puppet/services/certmonger-user.yaml
new file mode 100644 (file)
index 0000000..af9802b
--- /dev/null
+++ b/puppet/services/certmonger-user.yaml
@@ -0,0 +1,28 @@
+heat_template_version: ocata
+
+description: >
+  Requests certificates using certmonger through Puppet
+
+parameters:
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+
+outputs:
+  role_data:
+    description: Role data for the certmonger-user service
+    value:
+      service_name: certmonger_user
+      step_config: |
+        include ::tripleo::profile::base::certmonger_user

diff --git a/roles_data.yaml b/roles_data.yaml
index e0c1c42..130451f 100644 (file)
--- a/roles_data.yaml
+++ b/roles_data.yaml
@@ -33,6 +33,7 @@
   CountDefault: 1
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::CephMds
     - OS::TripleO::Services::CephMon
     - OS::TripleO::Services::CephExternal
@@ -135,6 +136,7 @@
   disable_upgrade_deployment: True
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::CephClient
     - OS::TripleO::Services::CephExternal
     - OS::TripleO::Services::Timezone
@@ -163,6 +165,7 @@
 - name: BlockStorage
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::BlockStorageCinderVolume
     - OS::TripleO::Services::Kernel
     - OS::TripleO::Services::Ntp
@@ -181,6 +184,7 @@
   disable_upgrade_deployment: True
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::Kernel
     - OS::TripleO::Services::Ntp
     - OS::TripleO::Services::SwiftStorage
@@ -199,6 +203,7 @@
 - name: CephStorage
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::CephOSD
     - OS::TripleO::Services::Kernel
     - OS::TripleO::Services::Ntp