ff84292269
This patch introduces optional backend encryption for the Heat service. When used in conjunction with enabling TLS for service API endpoints, network communication will be encrypted end to end, from client through HAProxy to the Heat service. Change-Id: Ic12f7574135dcaed2a462e902c775a55176ff03b Partially-Implements: blueprint add-ssl-internal-network Depends-On: https://review.opendev.org/722028/
---
# Create one config directory per Heat service on the hosts that run it.
# Mode 0770 gives the config owner and group full access and nothing to
# other users; the later tasks in this file write the rendered service
# configuration below these directories.
- name: Ensuring config directories exist
  become: true
  with_dict: "{{ heat_services }}"
  when:
    - inventory_hostname in groups[item.value.group]
    - item.value.enabled | bool
  file:
    state: "directory"
    path: "{{ node_config_directory }}/{{ item.key }}"
    mode: "0770"
    owner: "{{ config_owner_user }}"
    group: "{{ config_owner_group }}"
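# Look on the deployment host (delegate_to: localhost) for an
# operator-supplied Heat policy file under the custom config directory.
# Runs once for the whole play and registers the outcome as heat_policy,
# which the following tasks read.
- name: Check if policies shall be overwritten
  stat:
    path: "{{ item }}"
  delegate_to: localhost
  # Canonical lowercase boolean, matching `become: true` / `skip: true`
  # elsewhere in this file.
  run_once: true
  register: heat_policy
  with_first_found:
    - files: "{{ supported_policy_format_list }}"
      paths:
        - "{{ node_custom_config }}/heat/"
      # A missing policy file is not an error; the next task checks
      # heat_policy.results before using it.
      skip: true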
# Record the policy file located by the previous task: its full path (later
# used as the template source) and its base name (later used as the
# destination file name). Skipped when the lookup produced no results, so
# heat_policy_file stays undefined in that case.
- name: Set heat policy file
  when:
    - heat_policy.results
  set_fact:
    heat_policy_file_path: "{{ heat_policy.results.0.stat.path }}"
    heat_policy_file: "{{ heat_policy.results.0.stat.path | basename }}"
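# Pull in the certificate-copy tasks when either CA copying into containers
# or the Heat TLS backend is enabled.
# NOTE(review): copy-certs.yml is not visible here; it presumably places CA
# and backend certificate/key material into the service config directories.
# Confirm that it restricts the mode of any private key it copies.
- name: Include copy-certs.yml
  include_tasks: copy-certs.yml
  when:
    # Jinja2 filters bind tighter than "or"; the parentheses only make the
    # existing grouping explicit.
    - (kolla_copy_ca_into_containers | bool) or (heat_enable_tls_backend | bool)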
# Render <service>.json.j2 into each enabled service's config directory as
# config.json, on the hosts in that service's group. A change notifies the
# per-service restart handler.
- name: Copying over config.json files for services
  become: true
  with_dict: "{{ heat_services }}"
  when:
    - item.value.enabled | bool
    - inventory_hostname in groups[item.value.group]
  template:
    dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
    src: "{{ item.key }}.json.j2"
    # Owner and group read/write only; no access for other users.
    mode: "0660"
  notify:
    - Restart {{ item.key }} container
# Build heat.conf for each enabled service from the role template plus the
# operator overrides found under node_custom_config (global, heat-wide,
# per-service and per-host files).
# NOTE(review): merge_configs is not a builtin Ansible module; later sources
# presumably override earlier ones - confirm against the plugin.
# NOTE(review): heat.conf presumably carries service credentials, which is
# why the 0660 mode (no access for other users) matters here - verify that
# the parent directory mode and ownership stay equally restrictive.
- name: Copying over heat.conf
  become: true
  with_dict: "{{ heat_services }}"
  when:
    - item.value.enabled | bool
    - inventory_hostname in groups[item.value.group]
  vars:
    service_name: "{{ item.key }}"
  merge_configs:
    dest: "{{ node_config_directory }}/{{ item.key }}/heat.conf"
    mode: "0660"
    sources:
      - "{{ role_path }}/templates/heat.conf.j2"
      - "{{ node_custom_config }}/global.conf"
      - "{{ node_custom_config }}/heat.conf"
      - "{{ node_custom_config }}/heat/{{ item.key }}.conf"
      - "{{ node_custom_config }}/heat/{{ inventory_hostname }}/heat.conf"
  notify:
    - Restart {{ item.key }} container
# Install the operator-supplied policy file into each enabled service's
# config directory. Runs only when heat_policy_file was set by the earlier
# "Set heat policy file" task, i.e. when a custom policy file was found.
# Because this uses the template module rather than copy, the policy file is
# rendered as a Jinja2 template on the way through: any "{{ ... }}" or
# "{% ... %}" it contains is evaluated, not copied literally. Treat the
# custom config directory as trusted input accordingly.
- name: Copying over existing policy file
  become: true
  with_dict: "{{ heat_services }}"
  when:
    - heat_policy_file is defined
    - item.value.enabled | bool
    - inventory_hostname in groups[item.value.group]
  template:
    dest: "{{ node_config_directory }}/{{ item.key }}/{{ heat_policy_file }}"
    src: "{{ heat_policy_file_path }}"
    # Owner and group read/write only; no access for other users.
    mode: "0660"
  notify:
    - Restart {{ item.key }} container
# Render the WSGI configuration for heat-api on the hosts in its group, when
# the service is enabled. A change restarts the heat-api container.
- name: Copying over heat-api wsgi config
  become: true
  vars:
    service: "{{ heat_services['heat-api'] }}"
  when:
    - inventory_hostname in groups[service['group']]
    - service.enabled | bool
  template:
    dest: "{{ node_config_directory }}/heat-api/wsgi-heat-api.conf"
    src: "{{ role_path }}/templates/wsgi-heat-api.conf.j2"
    # Owner and group read/write only; no access for other users.
    mode: "0660"
  notify:
    - Restart heat-api container
# Render the WSGI configuration for heat-api-cfn on the hosts in its group,
# when the service is enabled. A change restarts the heat-api-cfn container.
- name: Copying over heat-api-cfn wsgi config
  become: true
  vars:
    service: "{{ heat_services['heat-api-cfn'] }}"
  when:
    - inventory_hostname in groups[service['group']]
    - service.enabled | bool
  template:
    dest: "{{ node_config_directory }}/heat-api-cfn/wsgi-heat-api-cfn.conf"
    src: "{{ role_path }}/templates/wsgi-heat-api-cfn.conf.j2"
    # Owner and group read/write only; no access for other users.
    mode: "0660"
  notify:
    - Restart heat-api-cfn container
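# Run the container checks unless this is a config-only run
# (kolla_action == "config"), in which case only the files above are written.
- name: Include check-containers.yml
  include_tasks: check-containers.yml
  when: kolla_action != "config"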