OpenStack role tags: ‘primary’ and ‘controller’

You’ll see this in the roles_data.yaml file and might be wondering what they’re for. This post answers that question, but also outlines a ‘gotcha’ where the NodeTLSData resource will not be created for a role if that role does not have the primary and controller tags set.

This applies to OpenStack Queens – in Rocky the NodeTLSData resource was changed to use Ansible for deployment of the public TLS certificate, and therefore this restriction doesn’t apply anymore.

These tags are used to identify which role is considered the ‘primary role’. The first server in this role will be considered the ‘bootstrap’ server and will be responsible for, among other things, running Ansible playbooks across the deployment (after all, we don’t need those to run on every host, just one host with access to all the others).

See /usr/share/openstack-tripleo-heat-templates/deploy-steps.j2.yaml for more.

If you have multiple roles with the primary and controller tags, then the last role with these tags wins and will be considered as the primary role. There can only be one.

OS::TripleO::NodeTLSData

There’s one snag with this. Take a look at this chunk out of puppet/role.role.j2.yaml:

  {%- if 'primary' in role.tags and 'controller' in role.tags %}
  # Resource for site-specific passing of private keys/certificates
  NodeTLSData:
    depends_on: NodeTLSCAData
    type: OS::TripleO::NodeTLSData
    properties:
      server: {get_resource: {{server_resource_name}}}
      NodeIndex: {get_param: NodeIndex}
  {%- endif -%}

In short, if the role does not have the primary and controller tags, then the NodeTLSData resource is not created for it.

Meaning if you are using a certificate on your public endpoints it will never be deployed on your node. I ran into this problem when my haproxy container failed to start with an error such as “bind has no certificate”; I’d missed these tags and so the NodeTLSData resource was never created for my Pacemaker role, meaning no overcloud.pem cert was deployed to my Pacemaker nodes.

The takeaway from this post: make sure you define the ‘primary’ and ‘controller’ tags on the role that hosts haproxy if you want a public TLS certificate (and you do, right?). Here’s what mine looks like, as an example:

- name: Pacemaker
  description: |
    Standalone database role with the database being managed via Pacemaker
  tags:
    - primary
    - controller
  networks:
    - InternalApi
    - Tenant
    - External
    - Storage
  HostnameFormatDefault: '%stackname%-pcmk-%index%'
  ServicesDefault:
  ... snip ...
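Because the mistake only surfaces at deploy time (haproxy failing to bind), it is worth catching it before running the overcloud deploy. The following is an added example, not code from the post or from TripleO: a small checker that applies the same test as the Jinja guard in puppet/role.role.j2.yaml to a parsed roles_data.yaml, reports whether any role (and, if several, which one wins) will get NodeTLSData, and flags a role that runs haproxy without the tags. The haproxy and Pacemaker service names are assumed to be the usual TripleO composable service names; the sample roles are constructed to mirror the scenario described above.

```python
"""Pre-deployment sanity check for TripleO roles_data.yaml tags.

Mirrors the condition from puppet/role.role.j2.yaml: NodeTLSData is only
rendered for a role that carries BOTH the 'primary' and 'controller' tags.
(Example code added for illustration; not part of TripleO.)
"""
from typing import Dict, List, Optional

# Assumed composable service names (not taken from the post).
HAPROXY_SERVICE = "OS::TripleO::Services::HAproxy"
PACEMAKER_SERVICE = "OS::TripleO::Services::Pacemaker"


def has_tls_tags(role: Dict) -> bool:
    """Same test as the Jinja guard around the NodeTLSData resource."""
    tags = role.get("tags") or []
    return "primary" in tags and "controller" in tags


def primary_role(roles: List[Dict]) -> Optional[str]:
    """Name of the role TripleO will treat as primary.

    When several roles carry both tags, the last one in the file wins.
    Returns None when no role qualifies.
    """
    winner = None
    for role in roles:
        if has_tls_tags(role):
            winner = role["name"]
    return winner


def check_roles(roles: List[Dict]) -> List[str]:
    """Return human-readable problems; an empty list means the tags look right."""
    problems = []
    tagged = [r["name"] for r in roles if has_tls_tags(r)]
    if not tagged:
        problems.append("no role has both 'primary' and 'controller' tags; "
                        "NodeTLSData will not be created for any role")
    elif len(tagged) > 1:
        problems.append("roles %s all carry primary+controller; only the last "
                        "one (%s) will be treated as primary" % (tagged, tagged[-1]))
    for role in roles:
        services = role.get("ServicesDefault") or []
        if HAPROXY_SERVICE in services and not has_tls_tags(role):
            problems.append("role %s runs haproxy but lacks the primary/controller "
                            "tags, so no public TLS certificate will be deployed "
                            "to it" % role["name"])
    return problems


def load_roles(path: str) -> List[Dict]:
    """Load roles_data.yaml; needs PyYAML, imported lazily so the checks
    above work on already-parsed data without it."""
    import yaml
    with open(path) as fh:
        return yaml.safe_load(fh)


# Constructed sample mirroring the post: a Pacemaker role that hosts haproxy
# but was written without the two tags.
SAMPLE_ROLES_BROKEN = [
    {"name": "Pacemaker",
     "tags": [],
     "networks": ["InternalApi", "Tenant", "External", "Storage"],
     "ServicesDefault": [HAPROXY_SERVICE, PACEMAKER_SERVICE]},
    {"name": "Compute", "tags": ["compute"], "ServicesDefault": []},
]

# The same roles with the fix from the post applied.
SAMPLE_ROLES_FIXED = [
    dict(SAMPLE_ROLES_BROKEN[0], tags=["primary", "controller"]),
    SAMPLE_ROLES_BROKEN[1],
]

if __name__ == "__main__":
    import sys
    roles = load_roles(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ROLES_BROKEN
    for problem in check_roles(roles):
        print("WARNING:", problem)
    print("primary role:", primary_role(roles))
```

Run it against your real file with `python check_role_tags.py roles_data.yaml` (the script name is arbitrary); with no argument it runs against the constructed broken sample and prints two warnings.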
