Mount CA into Keystone + Magnum (#1255)
Signed-off-by: Mohammed Naser <[email protected]>
mnaser authored May 30, 2024
1 parent e01e231 commit 6a8b6ca
Showing 14 changed files with 36 additions and 2 deletions.
2 changes: 1 addition & 1 deletion playbooks/infrastructure.yml
Expand Up @@ -13,7 +13,7 @@
# under the License.

- name: Deploy Infrastructure
hosts: controllers[0]
hosts: controllers
become: true
roles:
- role: cert_manager
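Review bot: Widening the play from `controllers[0]` to `controllers` means every task in the listed roles that does not carry `run_once: true` now executes once per controller, and for tasks that mutate shared state (a Helm release, a cluster object, a database) those executions run in parallel against the same target. The commit adds `run_once` to a number of tasks, but the roles list continues past the hunk, so the remaining tasks of each role should be audited for the same treatment. A short comment on the play would help the next reader, e.g. `# All controllers are targeted so per-host facts (such as the CA bundle path) resolve; cluster-wide tasks must set run_once`.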
2 changes: 2 additions & 0 deletions roles/cluster_issuer/tasks/main.yml
Expand Up @@ -13,6 +13,7 @@
# under the License.

- name: Create self-signed cluster issuer
run_once: true
kubernetes.core.k8s:
state: present
definition:
Expand All @@ -30,6 +31,7 @@
when: cluster_issuer_type in ("self-signed", "ca")
block:
- name: Wait till the secret is created
run_once: true
kubernetes.core.k8s_info:
api_version: v1
kind: Secret
1 change: 1 addition & 0 deletions roles/cluster_issuer/tasks/type/acme/solver/cloudflare.yml
Expand Up @@ -13,6 +13,7 @@
# under the License.

- name: Create ClusterIssuer
run_once: true
kubernetes.core.k8s:
state: present
definition:
1 change: 1 addition & 0 deletions roles/cluster_issuer/tasks/type/acme/solver/http01.yml
Expand Up @@ -13,6 +13,7 @@
# under the License.

- name: Create ClusterIssuer
run_once: true
kubernetes.core.k8s:
state: present
definition:
1 change: 1 addition & 0 deletions roles/cluster_issuer/tasks/type/acme/solver/rfc2136.yml
Expand Up @@ -13,6 +13,7 @@
# under the License.

- name: Create ClusterIssuer
run_once: true
kubernetes.core.k8s:
state: present
definition:
1 change: 1 addition & 0 deletions roles/cluster_issuer/tasks/type/acme/solver/route53.yml
Expand Up @@ -13,6 +13,7 @@
# under the License.

- name: Create ClusterIssuer
run_once: true
kubernetes.core.k8s:
state: present
definition:
1 change: 1 addition & 0 deletions roles/cluster_issuer/tasks/type/ca/main.yml
Expand Up @@ -13,6 +13,7 @@
# under the License.

- name: Create ClusterIssuer
run_once: true
kubernetes.core.k8s:
state: present
definition:
1 change: 1 addition & 0 deletions roles/cluster_issuer/tasks/type/self-signed/main.yml
Expand Up @@ -13,6 +13,7 @@
# under the License.

- name: Create ClusterIssuer
run_once: true
kubernetes.core.k8s:
state: present
definition:
3 changes: 3 additions & 0 deletions roles/cluster_issuer/tasks/type/venafi/main.yml
Expand Up @@ -13,6 +13,7 @@
# under the License.

- name: Create secret (username/password)
run_once: true
when:
- cluster_issuer_venafi_username is defined
- cluster_issuer_venafi_password is defined
Expand All @@ -30,6 +31,7 @@
password: "{{ cluster_issuer_venafi_password }}"

- name: Create secret (access token)
run_once: true
when:
- cluster_issuer_venafi_username is not defined
- cluster_issuer_venafi_password is not defined
Expand All @@ -46,6 +48,7 @@
access-token: "{{ cluster_issuer_venafi_access_token }}"

- name: Create ClusterIssuer
run_once: true
kubernetes.core.k8s:
state: present
definition:
3 changes: 3 additions & 0 deletions roles/defaults/defaults/main.yml
Expand Up @@ -23,3 +23,6 @@ atmosphere_network_backend: openvswitch

# This is for override values in atmosphere_images
atmosphere_image_overrides: {}

defaults_ca_certificates_path: >-
{{ '/etc/ssl/certs/ca-certificates.crt' if ansible_facts['os_family'] in ['Debian'] else '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt' }}"
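Review bot: The folded scalar on the last line ends with a stray `"`, which becomes part of the value because `>-` keeps the content verbatim, so the rendered path is `/etc/ssl/certs/ca-certificates.crt"` (or the RHEL bundle path with the same trailing quote) and the hostPath volumes added in roles/keystone and roles/magnum point at a path that does not exist on the host. Drop the quote: `{{ '/etc/ssl/certs/ca-certificates.crt' if ansible_facts['os_family'] in ['Debian'] else '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt' }}`. Both branches name a bundle file rather than a directory, so consumers need to mount it at a file mountPath (or mount the containing directory instead); a comment stating that, e.g. `# Path to the host's CA bundle *file*; mount it at a file path`, would prevent the mismatch. The value is also evaluated from the facts of the host running the task while the resulting hostPath is used on whichever node schedules the pod, so a mixed Debian/RHEL controller fleet would resolve the wrong path on some nodes.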
1 change: 1 addition & 0 deletions roles/keepalived/tasks/main.yml
Expand Up @@ -13,6 +13,7 @@
# under the License.

- name: Deploy service
run_once: true
when: keepalived_enabled | bool
kubernetes.core.k8s:
state: present
3 changes: 3 additions & 0 deletions roles/keycloak/tasks/main.yml
Expand Up @@ -25,6 +25,7 @@
name: PyMySQL

- name: Check MySQL ready
run_once: true
community.mysql.mysql_info:
login_host: "{{ _pxc_service.resources[0].spec.clusterIP }}"
login_user: root
Expand Down Expand Up @@ -56,6 +57,7 @@
priv: "{{ keycloak_database_name }}.*:ALL"

- name: Disable pxc strict mode
run_once: true
community.mysql.mysql_query:
login_host: "{{ _pxc_service.resources[0].spec.clusterIP }}"
login_user: root
Expand Down Expand Up @@ -89,6 +91,7 @@
cert-manager.io/cluster-issuer: atmosphere

- name: Enable pxc strict mode
run_once: true
community.mysql.mysql_query:
login_host: "{{ _pxc_service.resources[0].spec.clusterIP }}"
login_user: root
5 changes: 4 additions & 1 deletion roles/keystone/vars/main.yml
Expand Up @@ -22,11 +22,14 @@ _keystone_helm_values:
mounts:
keystone_api:
keystone_api:
volumeMounts: "{{ keystone_domains | vexxhost.atmosphere.keystone_domains_to_mounts }}"
volumeMounts: "{{ keystone_domains | vexxhost.atmosphere.keystone_domains_to_mounts + [{'name': 'etc-ssl-certs', 'mountPath': '/etc/ssl/certs', 'readOnly': true}] }}"
volumes:
- name: keystone-openid-metadata
configMap:
name: keystone-openid-metadata
- name: etc-ssl-certs
hostPath:
path: "{{ defaults_ca_certificates_path }}"
conf:
keystone:
DEFAULT:
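Review bot: The new `etc-ssl-certs` volume maps a host file (`defaults_ca_certificates_path` resolves to `ca-certificates.crt` or `ca-bundle.trust.crt` in roles/defaults) onto the directory mountPath `/etc/ssl/certs`, so inside the container `/etc/ssl/certs` would become the bundle file itself rather than a directory containing it, and the bind mount is likely to fail where the image already has that directory. Either mount the file at a file path, `mountPath: '/etc/ssl/certs/ca-certificates.crt'`, or point the hostPath at the host's `/etc/ssl/certs` directory; in both cases keep `readOnly: true` as already set. Mounting over `/etc/ssl/certs` shadows the image's own trust store, so the pod's TLS trust now follows the host's CA bundle — that appears to be the intent, but it deserves a comment on the volume, e.g. `# Host CA bundle: Keystone's TLS trust follows the host trust store`.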
13 changes: 13 additions & 0 deletions roles/magnum/vars/main.yml
Expand Up @@ -25,6 +25,8 @@ _magnum_helm_values:
barbican_client:
endpoint_type: internalURL
region_name: "{{ openstack_helm_endpoints_barbican_region_name }}"
capi_client:
ca_file: /etc/ssl/certs/ca-certificates.crt
cinder_client:
endpoint_type: internalURL
region_name: "{{ openstack_helm_endpoints_cinder_region_name }}"
Expand Down Expand Up @@ -74,6 +76,17 @@ _magnum_helm_values:
replicas:
api: 3
conductor: 3
mounts:
magnum_conductor:
magnum_conductor:
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs
readOnly: true
volumes:
- name: etc-ssl-certs
hostPath:
path: "{{ defaults_ca_certificates_path }}"
manifests:
ingress_api: false
service_ingress_api: false
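Review bot: `ca_file: /etc/ssl/certs/ca-certificates.crt` in the first hunk is hard-coded while the hostPath in the second hunk follows `defaults_ca_certificates_path`, whose non-Debian branch is a file named `ca-bundle.trust.crt`, so on those hosts the configured CA file would not exist even if the mount worked. As in roles/keystone, the source is a file mounted onto the directory mountPath `/etc/ssl/certs`, so the container would see the bundle at `/etc/ssl/certs` itself, not beneath it. Mounting the file at a file path addresses both: `mountPath: /etc/ssl/certs/ca-certificates.crt` with `readOnly: true` kept, and `ca_file` can stay as written. The volume is only added for `magnum_conductor`; if the API pods also reach the CAPI endpoint through `capi_client`, they would need the same mount — I cannot tell from the hunk whether they do.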

0 comments on commit 6a8b6ca

Please sign in to comment.