-rw-r--r-- | lib/facter/netmask_ipv6.rb | 2 | ||||
-rw-r--r-- | manifests/loadbalancer.pp | 31 | ||||
-rw-r--r-- | manifests/profile/base/database/schemas.pp | 101 | ||||
-rw-r--r-- | manifests/profile/base/keystone.pp | 118 | ||||
-rw-r--r-- | manifests/profile/pacemaker/database/schemas.pp | 50 | ||||
-rw-r--r-- | manifests/profile/pacemaker/keystone.pp | 88 |
6 files changed, 386 insertions, 4 deletions
diff --git a/lib/facter/netmask_ipv6.rb b/lib/facter/netmask_ipv6.rb
index 5261485..598641f 100644
--- a/lib/facter/netmask_ipv6.rb
+++ b/lib/facter/netmask_ipv6.rb
@@ -8,6 +8,8 @@ def netmask6(value)
 end
 if Facter.value('facterversion')[0].to_i < 3
+ Facter::Util::IP::REGEX_MAP[:linux][:ipaddress6] =
+ /inet6 (?:addr: )?((?!(?:fe80|::1))(?>[0-9,a-f,A-F]*\:{1,2})+[0-9,a-f,A-F]{0,4})/
 Facter::Util::IP.get_interfaces.each do |interface|
 Facter.add('netmask6_' + Facter::Util::IP.alphafy(interface)) do
 setcode do
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 140713b..8ee4445 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -313,6 +313,11 @@
 # (optional) Enable or not Redis binding
 # Defaults to false
 #
+# [*redis_password*]
+# (optional) Password for Redis authentication, eventually needed by the
+# specific monitoring we do from HAProxy for Redis
+# Defaults to undef
+#
 # [*midonet_api*]
 # (optional) Enable or not MidoNet API binding
 # Defaults to false
@@ -420,6 +425,7 @@ class tripleo::loadbalancer (
 $mysql_clustercheck = false,
 $rabbitmq = false,
 $redis = false,
+ $redis_password = undef,
 $midonet_api = false,
 $service_ports = {}
 ) {
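Review bot: The character class `[0-9,a-f,A-F]` in the added regex contains a literal comma, so a comma is accepted as a hex digit; `[0-9a-fA-F]` is what is meant, and `\:` needs no escape. The assignment also replaces Facter's shared `REGEX_MAP[:linux][:ipaddress6]` entry, so on Facter < 3 every consumer of the `ipaddress6` lookup presumably now skips `fe80`/`::1` addresses, not only the `netmask6_*` facts; a one-line comment stating that this is intended would help the next reader. The enclosing `if` block continues past the end of the hunk.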
@@ -867,13 +873,25 @@ class tripleo::loadbalancer (
 $horizon_vip = hiera('horizon_vip', $controller_virtual_ip)
 if $horizon_bind_certificate {
+ # NOTE(jaosorior): If the horizon_vip and the public_virtual_ip are the
+ # same, the first option takes precedence. Which is the case when network
+ # isolation is not enabled. This is not a problem as both options are
+ # identical. If network isolation is enabled, this works correctly and
+ # will add a TLS binding to both the horizon_vip and the
+ # public_virtual_ip.
+ # Even though for the public_virtual_ip the port 80 is listening, we
+ # redirect to https in the horizon_options below.
 $horizon_bind_opts = {
- "${horizon_vip}:80" => $haproxy_listen_bind_param,
+ "${horizon_vip}:80" => $haproxy_listen_bind_param,
+ "${horizon_vip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $horizon_bind_certificate]),
+ "${public_virtual_ip}:80" => $haproxy_listen_bind_param,
 "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $horizon_bind_certificate]),
 }
 $horizon_options = {
- 'cookie' => 'SERVERID insert indirect nocache',
- 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
+ 'cookie' => 'SERVERID insert indirect nocache',
+ 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
+ # NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
+ 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
 }
 } else {
 $horizon_bind_opts = {
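Review bot: The new `redirect` rule matches `hdr(host) -i ${public_virtual_ip}` literally, so a request whose Host header is a DNS name for the public endpoint (the usual case once a certificate has been issued for it) or carries an explicit port is not redirected and keeps being served in clear on `${public_virtual_ip}:80`, contradicting the "always redirect" comment. If the intent is to redirect everything that arrived without TLS, `'redirect' => 'scheme https code 301 if !{ ssl_fc }'` does that, at the cost of also redirecting `${horizon_vip}:80` when the two VIPs differ; if the match must stay host-based, the NOTE should state that only clients addressing the VIP literally are redirected. The comment's claim that the first of two identical keys wins when `horizon_vip` equals `public_virtual_ip` depends on the parser's handling of duplicate hash-literal keys and is worth verifying on the target Puppet version rather than asserting in a comment.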
@@ -1358,12 +1376,17 @@ class tripleo::loadbalancer (
 }
 if $redis {
+ if $redis_password {
+ $redis_tcp_check_options = ["send AUTH\\ ${redis_password}\\r\\n"]
+ } else {
+ $redis_tcp_check_options = []
+ }
 haproxy::listen { 'redis':
 bind => $redis_bind_opts,
 options => {
 'balance' => 'first',
 'option' => ['tcp-check',],
- 'tcp-check' => ['send info\ replication\r\n','expect string role:master'],
+ 'tcp-check' => union($redis_tcp_check_options, ['send PING\r\n','expect string +PONG','send info\ replication\r\n','expect string role:master','send QUIT\r\n','expect string +OK']),
 },
 collect_exported => false,
 }
diff --git a/manifests/profile/base/database/schemas.pp b/manifests/profile/base/database/schemas.pp
new file mode 100644
index 0000000..0821ae8
--- /dev/null
+++ b/manifests/profile/base/database/schemas.pp
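Review bot: `$redis_password` is interpolated unescaped into the `tcp-check send AUTH\ ...` token, so a password containing whitespace, `#`, a quote or a backslash produces a malformed haproxy.cfg line (HAProxy splits on spaces and treats `#` as a comment) and the Redis health check silently fails; either escape those characters before building the string or reject them up front, for example `validate_re($redis_password, '^[^\s#"\'\\\\]+$', 'redis_password contains characters that cannot be placed in a HAProxy tcp-check')` (regex given as an illustration). The password now lands verbatim in the rendered HAProxy configuration, so the mode of that file, which is not visible here, decides who on the host can read it. The `[*redis_password*]` doc added in the earlier hunk should also say that the value is written into haproxy.cfg.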
@@ -0,0 +1,101 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::database::schemas
+#
+# OpenStack Database Schema profile for tripleo
+#
+# === Parameters
+#
+# [*ceilometer_backend*]
+# (Optional) Name of the backend for ceilometer storage
+# Defaults to hiera('ceilometer_backend')
+#
+# [*enable_ceilometer*]
+# (Optional) Whether to create schemas for Ceilometer
+# Defaults to true
+#
+# [*enable_cinder*]
+# (Optional) Whether to create schemas for Cinder
+# Defaults to true
+#
+# [*enable_heat*]
+# (Optional) Whether to create schemas for Heat
+# Defaults to true
+#
+# [*enable_keystone*]
+# (Optional) Whether to create schemas for Keystone
+# Defaults to true
+#
+# [*enable_glance*]
+# (Optional) Whether to create schemas for Glance
+# Defaults to true
+#
+# [*enable_nova*]
+# (Optional) Whether to create schemas for Nova
+# Defaults to true
+#
+# [*enable_neutron*]
+# (Optional) Whether to create schemas for Neutron
+# Defaults to true
+#
+# [*enable_sahara*]
+# (Optional) Whether to create schemas for Sahara
+# Defaults to true
+#
+class tripleo::profile::base::database::schemas (
+ $ceilometer_backend = hiera('ceilometer_backend'),
+ $enable_ceilometer = true,
+ $enable_cinder = true,
+ $enable_heat = true,
+ $enable_keystone = true,
+ $enable_glance = true,
+ $enable_nova = true,
+ $enable_neutron = true,
+ $enable_sahara = true
+) {
+ if $enable_ceilometer and downcase($ceilometer_backend) == 'mysql' {
+ include ::ceilometer::db::mysql
+ }
+
+ if $enable_cinder {
+ include ::cinder::db::mysql
+ }
+
+ if $enable_keystone {
+ include ::keystone::db::mysql
+ }
+
+ if $enable_glance {
+ include ::glance::db::mysql
+ }
+
+ if $enable_nova {
+ include ::nova::db::mysql
+ include ::nova::db::mysql_api
+ }
+
+ if $enable_neutron {
+ include ::neutron::db::mysql
+ }
+
+ if $enable_heat {
+ include ::heat::db::mysql
+ }
+
+ if $enable_sahara {
+ include ::sahara::db::mysql
+ }
+
+}
diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
new file mode 100644
index 0000000..f17bf30
--- /dev/null
+++ b/manifests/profile/base/keystone.pp
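Review bot: `$ceilometer_backend = hiera('ceilometer_backend')` is evaluated whenever the class is declared without that parameter, so a deployment that sets `enable_ceilometer => false` and has no `ceilometer_backend` hiera key fails catalog compilation before the `and` guard is ever reached; giving the lookup a default, `$ceilometer_backend = hiera('ceilometer_backend', undef),`, keeps the guard meaningful. The `[*enable_nova*]` doc should mention that it also declares `::nova::db::mysql_api`, i.e. two databases rather than one. The parameter order in the header (heat before keystone) differs from the order of the guards in the body (heat after neutron); aligning them is cosmetic but makes the file easier to scan.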
@@ -0,0 +1,118 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::keystone
+#
+# Keystone profile for tripleo
+#
+# === Parameters
+#
+# [*sync_db*]
+# (Optional) Whether to run db sync
+# Defaults to undef
+#
+# [*manage_service*]
+# (Optional) Whether to manage the keystone service
+# Defaults to undef
+#
+# [*enabled*]
+# (Optional) Whether to enable the keystone service
+# Defaults to undef
+#
+# [*bootstrap_master*]
+# (Optional) The hostname of the node responsible for bootstrapping
+# Defaults to hiera('bootstrap_nodeid')
+#
+# [*manage_roles*]
+# (Optional) whether to create keystone admin role
+# Defaults to true
+#
+# [*manage_endpoint*]
+# (Optional) Whether to create keystone endpoints
+# Defaults to true
+#
+# [*manage_db_purge*]
+# (Optional) Whether keystone token flushing should be enabled
+# Defaults to hiera('keystone_enable_db_purge', true)
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+class tripleo::profile::base::keystone (
+ $sync_db = undef,
+ $manage_service = undef,
+ $enabled = undef,
+ $bootstrap_master = undef,
+ $manage_roles = true,
+ $manage_endpoint = true,
+ $manage_db_purge = hiera('keystone_enable_db_purge', true),
+ $step = hiera('step'),
+) {
+
+ if $step >= 4 {
+ class { '::keystone':
+ sync_db => $sync_db,
+ manage_service => $manage_service,
+ enabled => $enabled,
+ enable_bootstrap => $bootstrap_master,
+ }
+
+ include ::keystone::config
+ include ::keystone::wsgi::apache
+
+ if $manage_roles {
+ include ::keystone::roles::admin
+ }
+
+ if $manage_endpoint {
+ include ::keystone::endpoint
+ }
+
+ #TODO: need a cleanup-keystone-tokens.sh solution here
+ file { [ '/etc/keystone/ssl', '/etc/keystone/ssl/certs', '/etc/keystone/ssl/private' ]:
+ ensure => 'directory',
+ owner => 'keystone',
+ group => 'keystone',
+ require => Package['keystone'],
+ }
+ file { '/etc/keystone/ssl/certs/signing_cert.pem':
+ content => hiera('keystone_signing_certificate'),
+ owner => 'keystone',
+ group => 'keystone',
+ notify => Service['keystone'],
+ require => File['/etc/keystone/ssl/certs'],
+ }
+ file { '/etc/keystone/ssl/private/signing_key.pem':
+ content => hiera('keystone_signing_key'),
+ owner => 'keystone',
+ group => 'keystone',
+ notify => Service['keystone'],
+ require => File['/etc/keystone/ssl/private'],
+ }
+ file { '/etc/keystone/ssl/certs/ca.pem':
+ content => hiera('keystone_ca_certificate'),
+ owner => 'keystone',
+ group => 'keystone',
+ notify => Service['keystone'],
+ require => File['/etc/keystone/ssl/certs'],
+ }
+ }
+
+ if $step >= 5 and $manage_db_purge {
+ include ::keystone::cron::token_flush
+ }
+}
+
diff --git a/manifests/profile/pacemaker/database/schemas.pp b/manifests/profile/pacemaker/database/schemas.pp
new file mode 100644
index 0000000..6aa5906
--- /dev/null
+++ b/manifests/profile/pacemaker/database/schemas.pp
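Review bot: `/etc/keystone/ssl/private/signing_key.pem` sets `owner`/`group` but no `mode`, so the private signing key is created with Puppet's default file mode (typically world-readable) and its contents are echoed into agent reports as a diff; add `mode => '0600',` and `show_diff => false,` to that resource, and `mode => '0700'` on the `/etc/keystone/ssl/private` directory, leaving the certificate and CA files as they are. Separately, the header documents `[*bootstrap_master*]` as "the hostname of the node responsible for bootstrapping" with default `hiera('bootstrap_nodeid')`, but the code defaults it to `undef` and passes it unchanged to `enable_bootstrap`, a flag; the doc should read `(Optional) Whether this node performs the keystone bootstrap` / `Defaults to undef`. The `Package['keystone']` and `Service['keystone']` references rely on the `::keystone` class declaring them, which is not visible here.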
@@ -0,0 +1,50 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::pacemaker::schemas
+#
+# OpenStack Database Schema Pacemaker HA profile for tripleo
+#
+# === Parameters
+#
+# [*ceilometer_backend*]
+# (Optional) The backend used by ceilometer, usually either 'mysql'
+# or 'mongodb'
+# Defaults to hiera('ceilometer_backend')
+#
+# [*pacemaker_master*]
+# (Optional) The hostname of the pacemaker master in this cluster
+# Defaults to hiera('bootstrap_nodeid')
+#
+class tripleo::profile::pacemaker::database::schemas (
+ $ceilometer_backend = hiera('ceilometer_backend'),
+ $pacemaker_master = hiera('bootstrap_nodeid')
+) {
+ if downcase($pacemaker_master) == $::hostname {
+ include ::tripleo::profile::base::database::schemas
+
+ if downcase($ceilometer_backend) == 'mysql' {
+ Exec['galera-ready'] -> Class['::ceilometer::db::mysql']
+ }
+
+ Exec['galera-ready'] -> Class['::cinder::db::mysql']
+ Exec['galera-ready'] -> Class['::glance::db::mysql']
+ Exec['galera-ready'] -> Class['::keystone::db::mysql']
+ Exec['galera-ready'] -> Class['::nova::db::mysql']
+ Exec['galera-ready'] -> Class['::nova::db::mysql_api']
+ Exec['galera-ready'] -> Class['::neutron::db::mysql']
+ Exec['galera-ready'] -> Class['::heat::db::mysql']
+ Exec['galera-ready'] -> Class['::sahara::db::mysql']
+ }
+}
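Review bot: The header line `# == Class: tripleo::profile::base::pacemaker::schemas` does not match the declared class `tripleo::profile::pacemaker::database::schemas`; it should read `# == Class: tripleo::profile::pacemaker::database::schemas`. The eight `Exec['galera-ready'] -> Class[...]` arrows are unconditional, while the included base class declares each `*::db::mysql` class only when its `enable_*` parameter is true, so disabling one of them on the base class (for instance through hiera data binding) would presumably make the matching `Class[...]` reference fail compilation; either pass the enable flags through this class and mirror its guards, or state in the header that all schemas are assumed enabled when this profile is used. `Exec['galera-ready']` is declared outside this file.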
diff --git a/manifests/profile/pacemaker/keystone.pp b/manifests/profile/pacemaker/keystone.pp
new file mode 100644
index 0000000..0f007a5
--- /dev/null
+++ b/manifests/profile/pacemaker/keystone.pp
@@ -0,0 +1,88 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::pacemaker::keystone +# +# Keystone Pacemaker HA profile for tripleo +# +# === Parameters +# +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +# [*enable_load_balancer*] +# (Optional) Whether load balancing is enabled for this cluster +# Defaults to hiera('enable_load_balancer', true) +# +class tripleo::profile::pacemaker::keystone ( + $bootstrap_node = hiera('bootstrap_nodeid'), + $step = hiera('step'), + $enable_load_balancer = hiera('enable_load_balancer', true) +) { + + if $::hostname == downcase($bootstrap_node) { + $pacemaker_master = true + } else { + $pacemaker_master = false + } + + if $step >= 6 and $pacemaker_master { + $manage_roles = true + Pacemaker::Resource::Service[$::apache::params::service_name] -> Class['::keystone::roles::admin'] + Pacemaker::Resource::Service[$::apache::params::service_name] -> Class['::keystone::endpoint'] + } else { + $manage_roles = false + } + + if $step >= 4 { + class { '::tripleo::profile::base::keystone': + sync_db => $pacemaker_master, + manage_service => false, + enabled => false, + bootstrap_master => $pacemaker_master, + manage_roles => $manage_roles, + 
manage_endpoint => $manage_roles + } + } + + if $step >= 5 and $pacemaker_master and $enable_load_balancer { + pacemaker::constraint::base { 'haproxy-then-keystone-constraint': + constraint_type => 'order', + first_resource => 'haproxy-clone', + second_resource => 'openstack-core-clone', + first_action => 'start', + second_action => 'start', + require => [Pacemaker::Resource::Service['haproxy'], + Pacemaker::Resource::Ocf['openstack-core']], + } + } + + if $step >= 5 and $pacemaker_master { + pacemaker::constraint::base { 'rabbitmq-then-keystone-constraint': + constraint_type => 'order', + first_resource => 'rabbitmq-clone', + second_resource => 'openstack-core-clone', + first_action => 'start', + second_action => 'start', + require => [Pacemaker::Resource::Ocf['rabbitmq'], + Pacemaker::Resource::Ocf['openstack-core']], + } + } +} |
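Review bot: The same bootstrap hostname is read as `$bootstrap_node` here and as `$pacemaker_master` in `manifests/profile/pacemaker/database/schemas.pp` (both default to `hiera('bootstrap_nodeid')`), while `$pacemaker_master` is a local boolean in this class; picking one name for the hostname parameter across the pacemaker profiles and reserving `pacemaker_master` for the boolean would avoid the reader confusing the two. The `$step >= 6` branch's ordering arrows on `Pacemaker::Resource::Service[$::apache::params::service_name]`, like the `Pacemaker::Resource::Service['haproxy']` and `Pacemaker::Resource::Ocf['openstack-core']` requirements below, depend on resources and on `apache::params` being declared elsewhere in the catalog; a short comment naming where they come from would help, as none are visible in this file. A comment on why `manage_endpoint` reuses `$manage_roles` (both only on the bootstrap node from step 6) would likewise help.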