summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--manifests/certmonger/haproxy.pp5
-rw-r--r--manifests/certmonger/haproxy_dirs.pp55
-rw-r--r--manifests/haproxy.pp50
-rw-r--r--manifests/haproxy/endpoint.pp8
-rw-r--r--manifests/haproxy/stats.pp74
-rw-r--r--manifests/profile/base/certmonger_user.pp1
-rw-r--r--manifests/profile/base/cinder/volume.pp37
-rw-r--r--manifests/profile/base/cinder/volume/dellemc_unity.pp47
-rw-r--r--manifests/profile/base/docker.pp62
-rw-r--r--manifests/profile/base/haproxy.pp7
-rw-r--r--manifests/profile/base/nova/libvirt.pp17
-rw-r--r--manifests/profile/pacemaker/haproxy.pp10
-rw-r--r--releasenotes/notes/TLS-for-haproxy-stats-3ce3b7780f0ef5b7.yaml8
-rw-r--r--spec/classes/tripleo_haproxy_stats_spec.rb104
-rw-r--r--spec/classes/tripleo_profile_base_cinder_unity_spec.rb57
-rw-r--r--spec/classes/tripleo_profile_base_docker_spec.rb81
-rw-r--r--spec/classes/tripleo_profile_base_nova_libvirt_spec.rb45
17 files changed, 485 insertions, 183 deletions
diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp
index a5d1bf8..3def337 100644
--- a/manifests/certmonger/haproxy.pp
+++ b/manifests/certmonger/haproxy.pp
@@ -84,6 +84,7 @@ define tripleo::certmonger::haproxy (
postsave_cmd => $postsave_cmd,
principal => $principal,
wait => true,
+ tag => 'haproxy-cert',
require => Class['::certmonger'],
}
concat { $service_pem :
@@ -91,12 +92,14 @@ define tripleo::certmonger::haproxy (
mode => '0640',
owner => 'haproxy',
group => 'haproxy',
+ tag => 'haproxy-cert',
require => Package[$::haproxy::params::package_name],
}
concat::fragment { "${title}-cert-fragment":
target => $service_pem,
source => $service_certificate,
order => '01',
+ tag => 'haproxy-cert',
require => Certmonger_certificate["${title}-cert"],
}
@@ -106,6 +109,7 @@ define tripleo::certmonger::haproxy (
target => $service_pem,
source => $ca_pem,
order => '10',
+ tag => 'haproxy-cert',
require => Class['tripleo::certmonger::ca::local'],
}
}
@@ -114,6 +118,7 @@ define tripleo::certmonger::haproxy (
target => $service_pem,
source => $service_key,
order => 20,
+ tag => 'haproxy-cert',
require => Certmonger_certificate["${title}-cert"],
}
}
diff --git a/manifests/certmonger/haproxy_dirs.pp b/manifests/certmonger/haproxy_dirs.pp
new file mode 100644
index 0000000..86058c3
--- /dev/null
+++ b/manifests/certmonger/haproxy_dirs.pp
@@ -0,0 +1,55 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the haproxy License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.haproxy.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# : = Class: tripleo::certmonger::haproxy_dirs
+#
+# Creates the necessary directories for haproxy's certificates and keys in the
+# assigned locations if specified. It also assigns the correct SELinux tags.
+#
+# === Parameters:
+#
+# [*certificate_dir*]
+# (Optional) Directory where haproxy's certificates will be stored. If left
+# unspecified, it won't be created.
+# Defaults to undef
+#
+# [*key_dir*]
+# (Optional) Directory where haproxy's keys will be stored.
+# Defaults to undef
+#
+class tripleo::certmonger::haproxy_dirs(
+ $certificate_dir = undef,
+ $key_dir = undef,
+){
+
+ if $certificate_dir {
+ file { $certificate_dir :
+ ensure => 'directory',
+ selrole => 'object_r',
+ seltype => 'cert_t',
+ seluser => 'system_u',
+ }
+ File[$certificate_dir] ~> Certmonger_certificate<| tag == 'haproxy-cert' |>
+ }
+
+ if $key_dir {
+ file { $key_dir :
+ ensure => 'directory',
+ selrole => 'object_r',
+ seltype => 'cert_t',
+ seluser => 'system_u',
+ }
+ File[$key_dir] ~> Certmonger_certificate<| tag == 'haproxy-cert' |>
+ }
+}
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 5a59c10..a3d088a 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -53,6 +53,11 @@
# Should haproxy run in daemon mode or not
# Defaults to true
#
+# [*manage_firewall*]
+# (optional) Enable or disable firewall settings for ports exposed by HAProxy
+# (false means disabled, and true means enabled)
+# Defaults to hiera('tripleo::firewall::manage_firewall', true)
+#
# [*controller_hosts*]
# IPs of host or group of hosts to load-balance the services
# Can be a string or an array.
@@ -563,6 +568,7 @@ class tripleo::haproxy (
$haproxy_daemon = true,
$haproxy_stats_user = 'admin',
$haproxy_stats_password = undef,
+ $manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
$controller_hosts = hiera('controller_node_ips'),
$controller_hosts_names = hiera('controller_node_names', undef),
$contrail_config_hosts = hiera('contrail_config_node_ips', undef),
@@ -766,12 +772,6 @@ class tripleo::haproxy (
$controller_hosts_names_real = downcase(any2array(split($controller_hosts_names, ',')))
}
- # TODO(bnemec): When we have support for SSL on private and admin endpoints,
- # have the haproxy stats endpoint use that certificate by default.
- if $haproxy_stats_certificate {
- $haproxy_stats_bind_certificate = $haproxy_stats_certificate
- }
-
$horizon_vip = hiera('horizon_vip', $controller_virtual_ip)
if $service_certificate {
# NOTE(jaosorior): If the horizon_vip and the public_virtual_ip are the
@@ -809,16 +809,6 @@ class tripleo::haproxy (
}
}
- if $haproxy_stats_bind_certificate {
- $haproxy_stats_bind_opts = {
- "${controller_virtual_ip}:1993" => union($haproxy_listen_bind_param, ['ssl', 'crt', $haproxy_stats_bind_certificate]),
- }
- } else {
- $haproxy_stats_bind_opts = {
- "${controller_virtual_ip}:1993" => $haproxy_listen_bind_param,
- }
- }
-
$mysql_vip = hiera('mysql_vip', $controller_virtual_ip)
$mysql_bind_opts = {
"${mysql_vip}:3306" => $haproxy_listen_bind_param,
@@ -881,22 +871,24 @@ class tripleo::haproxy (
use_internal_certificates => $use_internal_certificates,
internal_certificates_specs => $internal_certificates_specs,
listen_options => $default_listen_options,
+ manage_firewall => $manage_firewall,
}
if $haproxy_stats {
- $stats_base = ['enable', 'uri /']
- if $haproxy_stats_password {
- $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"])
+ if $haproxy_stats_certificate {
+ $haproxy_stats_certificate_real = $haproxy_stats_certificate
+ } elsif $use_internal_certificates {
+ # NOTE(jaosorior): Right now it's hardcoded to use the ctlplane network
+ $haproxy_stats_certificate_real = $internal_certificates_specs["haproxy-ctlplane"]['service_pem']
} else {
- $stats_config = $stats_base
+ $haproxy_stats_certificate_real = undef
}
- haproxy::listen { 'haproxy.stats':
- bind => $haproxy_stats_bind_opts,
- mode => 'http',
- options => {
- 'stats' => $stats_config,
- },
- collect_exported => false,
+ class { '::tripleo::haproxy::stats':
+ haproxy_listen_bind_param => $haproxy_listen_bind_param,
+ ip => $controller_virtual_ip,
+ password => $haproxy_stats_password,
+ certificate => $haproxy_stats_certificate_real,
+ user => $haproxy_stats_user,
}
}
@@ -1361,7 +1353,7 @@ class tripleo::haproxy (
server_names => hiera('mysql_node_names', $controller_hosts_names_real),
options => $mysql_member_options_real,
}
- if hiera('tripleo::firewall::manage_firewall', true) {
+ if $manage_firewall {
include ::tripleo::firewall
$mysql_firewall_rules = {
'100 mysql_haproxy' => {
@@ -1443,7 +1435,7 @@ class tripleo::haproxy (
server_names => hiera('redis_node_names', $controller_hosts_names_real),
options => $haproxy_member_options,
}
- if hiera('tripleo::firewall::manage_firewall', true) {
+ if $manage_firewall {
include ::tripleo::firewall
$redis_firewall_rules = {
'100 redis_haproxy' => {
diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp
index f1e80e8..9139061 100644
--- a/manifests/haproxy/endpoint.pp
+++ b/manifests/haproxy/endpoint.pp
@@ -86,6 +86,11 @@
# fetching the certificate for that specific network.
# Defaults to undef
#
+# [*manage_firewall*]
+# (optional) Enable or disable firewall settings for ports exposed by HAProxy
+# (false means disabled, and true means enabled)
+# Defaults to hiera('tripleo::firewall::manage_firewall', true)
+#
define tripleo::haproxy::endpoint (
$internal_ip,
$service_port,
@@ -103,6 +108,7 @@ define tripleo::haproxy::endpoint (
$use_internal_certificates = false,
$internal_certificates_specs = {},
$service_network = undef,
+ $manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
) {
if $public_virtual_ip {
# service exposed to the public network
@@ -158,7 +164,7 @@ define tripleo::haproxy::endpoint (
server_names => $server_names,
options => $member_options,
}
- if hiera('tripleo::firewall::manage_firewall', true) {
+ if $manage_firewall {
include ::tripleo::firewall
# This block will construct firewall rules only when we specify
# a port for the regular service and also the ssl port for the service.
diff --git a/manifests/haproxy/stats.pp b/manifests/haproxy/stats.pp
new file mode 100644
index 0000000..f185c29
--- /dev/null
+++ b/manifests/haproxy/stats.pp
@@ -0,0 +1,74 @@
+# Copyright 2014 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# == Class: tripleo::haproxy::stats
+#
+# Configure the HAProxy stats interface
+#
+# [*haproxy_listen_bind_param*]
+# A list of params to be added to the HAProxy listener bind directive.
+#
+# [*ip*]
+# IP Address on which the stats interface is listening on. This right now
+# assumes that it's in the ctlplane network.
+#
+# [*password*]
+# Password for haproxy stats authentication. When set, authentication is
+# enabled on the haproxy stats endpoint.
+# A string.
+# Defaults to undef
+#
+# [*certificate*]
+# Filename of an HAProxy-compatible certificate and key file
+# When set, enables SSL on the haproxy stats endpoint using the specified file.
+# Defaults to undef
+#
+# [*user*]
+# Username for haproxy stats authentication.
+# A string.
+# Defaults to 'admin'
+#
+class tripleo::haproxy::stats (
+ $haproxy_listen_bind_param,
+ $ip,
+ $password = undef,
+ $certificate = undef,
+ $user = 'admin'
+) {
+ if $certificate {
+ $haproxy_stats_bind_opts = {
+ "${ip}:1993" => union($haproxy_listen_bind_param, ['ssl', 'crt', $certificate]),
+ }
+ } else {
+ $haproxy_stats_bind_opts = {
+ "${ip}:1993" => $haproxy_listen_bind_param,
+ }
+ }
+
+ $stats_base = ['enable', 'uri /']
+ if $password {
+ $stats_config = union($stats_base, ["auth ${user}:${password}"])
+ } else {
+ $stats_config = $stats_base
+ }
+ haproxy::listen { 'haproxy.stats':
+ bind => $haproxy_stats_bind_opts,
+ mode => 'http',
+ options => {
+ 'stats' => $stats_config,
+ },
+ collect_exported => false,
+ }
+}
diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp
index 7a6559e..231a1d0 100644
--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
@@ -98,6 +98,7 @@ class tripleo::profile::base::certmonger_user (
ensure_resources('tripleo::certmonger::libvirt', $libvirt_certificates_specs)
}
unless empty($haproxy_certificates_specs) {
+ include ::tripleo::certmonger::haproxy_dirs
ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs)
# The haproxy fronends (or listen resources) depend on the certificate
# existing and need to be refreshed if it changed.
diff --git a/manifests/profile/base/cinder/volume.pp b/manifests/profile/base/cinder/volume.pp
index bdfdd17..252bae1 100644
--- a/manifests/profile/base/cinder/volume.pp
+++ b/manifests/profile/base/cinder/volume.pp
@@ -26,6 +26,10 @@
# (Optional) Whether to enable the delsc backend
# Defaults to false
#
+# [*cinder_enable_dellemc_unity_backend*]
+# (Optional) Whether to enable the unity backend
+# Defaults to false
+#
# [*cinder_enable_hpelefthand_backend*]
# (Optional) Whether to enable the hpelefthand backend
# Defaults to false
@@ -68,18 +72,19 @@
# Defaults to hiera('step')
#
class tripleo::profile::base::cinder::volume (
- $cinder_enable_pure_backend = false,
- $cinder_enable_dellsc_backend = false,
- $cinder_enable_hpelefthand_backend = false,
- $cinder_enable_dellps_backend = false,
- $cinder_enable_iscsi_backend = true,
- $cinder_enable_netapp_backend = false,
- $cinder_enable_nfs_backend = false,
- $cinder_enable_rbd_backend = false,
- $cinder_enable_scaleio_backend = false,
- $cinder_enable_vrts_hs_backend = false,
- $cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef),
- $step = Integer(hiera('step')),
+ $cinder_enable_pure_backend = false,
+ $cinder_enable_dellsc_backend = false,
+ $cinder_enable_dellemc_unity_backend = false,
+ $cinder_enable_hpelefthand_backend = false,
+ $cinder_enable_dellps_backend = false,
+ $cinder_enable_iscsi_backend = true,
+ $cinder_enable_netapp_backend = false,
+ $cinder_enable_nfs_backend = false,
+ $cinder_enable_rbd_backend = false,
+ $cinder_enable_scaleio_backend = false,
+ $cinder_enable_vrts_hs_backend = false,
+ $cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef),
+ $step = Integer(hiera('step')),
) {
include ::tripleo::profile::base::cinder
@@ -100,6 +105,13 @@ class tripleo::profile::base::cinder::volume (
$cinder_dellsc_backend_name = undef
}
+ if $cinder_enable_dellemc_unity_backend {
+ include ::tripleo::profile::base::cinder::volume::dellemc_unity
+ $cinder_dellemc_unity_backend_name = hiera('cinder::backend::dellemc_unity::volume_backend_name', 'tripleo_dellemc_unity')
+ } else {
+ $cinder_dellemc_unity_backend_name = undef
+ }
+
if $cinder_enable_hpelefthand_backend {
include ::tripleo::profile::base::cinder::volume::hpelefthand
$cinder_hpelefthand_backend_name = hiera('cinder::backend::hpelefthand_iscsi::volume_backend_name', 'tripleo_hpelefthand')
@@ -161,6 +173,7 @@ class tripleo::profile::base::cinder::volume (
$cinder_pure_backend_name,
$cinder_dellps_backend_name,
$cinder_dellsc_backend_name,
+ $cinder_dellemc_unity_backend_name,
$cinder_hpelefthand_backend_name,
$cinder_netapp_backend_name,
$cinder_nfs_backend_name,
diff --git a/manifests/profile/base/cinder/volume/dellemc_unity.pp b/manifests/profile/base/cinder/volume/dellemc_unity.pp
new file mode 100644
index 0000000..fb9c36f
--- /dev/null
+++ b/manifests/profile/base/cinder/volume/dellemc_unity.pp
@@ -0,0 +1,47 @@
+# Copyright (c) 2016-2017 Dell Inc, or its subsidiaries.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::cinder::volume::dellemc_unity
+#
+# Cinder Volume dellemc_unity profile for tripleo
+#
+# === Parameters
+#
+# [*backend_name*]
+# (Optional) Name given to the Cinder backend stanza
+# Defaults to 'tripleo_dellemc_unity'
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+class tripleo::profile::base::cinder::volume::dellemc_unity (
+ $backend_name = hiera('cinder::backend::dellemc_unity::volume_backend_name', 'tripleo_dellemc_unity'),
+ $step = Integer(hiera('step')),
+) {
+ include ::tripleo::profile::base::cinder::volume
+
+ if $step >= 4 {
+ cinder::backend::dellemc_unity { $backend_name :
+ san_ip => hiera('cinder::backend::dellemc_unity::san_ip', undef),
+ san_login => hiera('cinder::backend::dellemc_unity::san_login', undef),
+ san_password => hiera('cinder::backend::dellemc_unity::san_password', undef),
+ storage_protocol => hiera('cinder::backend::dellemc_unity::storage_protocol', undef),
+ unity_io_ports => hiera('cinder::backend::dellemc_unity::unity_io_ports', undef),
+ unity_storage_pool_names => hiera('cinder::backend::dellemc_unity::unity_storage_pool_names', undef),
+ }
+ }
+
+}
diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp
index e042947..d230366 100644
--- a/manifests/profile/base/docker.pp
+++ b/manifests/profile/base/docker.pp
@@ -32,7 +32,7 @@
# OPTIONS that are used to startup the docker service. NOTE:
# --selinux-enabled is dropped due to recommendations here:
# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/technology-preview-file_systems.html
-# Defaults to '--log-driver=journald --signature-verification=false'
+# Defaults to '--log-driver=journald --signature-verification=false --iptables=false'
#
# [*configure_storage*]
# Boolean. Whether to configure a docker storage backend. Defaults to true.
@@ -43,18 +43,6 @@
# [*step*]
# step defaults to hiera('step')
#
-# [*configure_libvirt_polkit*]
-# Configures libvirt polkit to grant the kolla nova user access to the libvirtd unix domain socket on the host.
-# Defaults to true when nova_compute service is enabled, false when nova_compute is disabled
-#
-# [*docker_nova_uid*]
-# When configure_libvirt_polkit = true, the uid/gid of the nova user within the docker container.
-# Defaults to 42436
-#
-# [*services_enabled*]
-# List of TripleO services enabled on the role.
-# Defaults to hiera('services_names')
-#
# DEPRECATED PARAMETERS
#
# [*docker_namespace*]
@@ -69,24 +57,15 @@
class tripleo::profile::base::docker (
$insecure_registry_address = undef,
$registry_mirror = false,
- $docker_options = '--log-driver=journald --signature-verification=false',
+ $docker_options = '--log-driver=journald --signature-verification=false --iptables=false',
$configure_storage = true,
$storage_options = '-s overlay2',
$step = Integer(hiera('step')),
- $configure_libvirt_polkit = undef,
- $docker_nova_uid = 42436,
- $services_enabled = hiera('service_names', []),
# DEPRECATED PARAMETERS
$docker_namespace = undef,
$insecure_registry = false,
) {
- if $configure_libvirt_polkit == undef {
- $configure_libvirt_polkit_real = 'nova_compute' in $services_enabled
- } else {
- $configure_libvirt_polkit_real = $configure_libvirt_polkit
- }
-
if $step >= 1 {
package {'docker':
ensure => installed,
@@ -176,41 +155,4 @@ class tripleo::profile::base::docker (
}
}
- if ($step >= 4 and $configure_libvirt_polkit_real) {
- # Workaround for polkit authorization for libvirtd socket on host
- #
- # This creates a local user with the kolla nova uid, and sets the polkit rule to
- # allow both it and the nova user from the nova rpms, should it exist (uid 162).
-
- group { 'docker_nova_group':
- name => 'docker_nova',
- gid => $docker_nova_uid
- }
- -> user { 'docker_nova_user':
- name => 'docker_nova',
- uid => $docker_nova_uid,
- gid => $docker_nova_uid,
- shell => '/sbin/nologin',
- comment => 'OpenStack Nova Daemons',
- groups => ['nobody']
- }
-
- # Similar to the polkit rule in the openstack-nova rpm spec
- # but allow both the 'docker_nova' and 'nova' user
- $docker_nova_polkit_rule = '// openstack-nova libvirt management permissions
-polkit.addRule(function(action, subject) {
- if (action.id == "org.libvirt.unix.manage" &&
- /^(docker_)?nova$/.test(subject.user)) {
- return polkit.Result.YES;
- }
-});
-'
- package {'polkit':
- ensure => installed,
- }
- -> file {'/etc/polkit-1/rules.d/50-nova.rules':
- content => $docker_nova_polkit_rule,
- mode => '0644'
- }
- }
}
diff --git a/manifests/profile/base/haproxy.pp b/manifests/profile/base/haproxy.pp
index 4f3322c..145f283 100644
--- a/manifests/profile/base/haproxy.pp
+++ b/manifests/profile/base/haproxy.pp
@@ -36,6 +36,11 @@
# (Optional) Whether or not loadbalancer is enabled.
# Defaults to hiera('enable_load_balancer', true).
#
+# [*manage_firewall*]
+# (optional) Enable or disable firewall settings for ports exposed by HAProxy
+# (false means disabled, and true means enabled)
+# Defaults to hiera('tripleo::firewall::manage_firewall', true)
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@@ -44,12 +49,14 @@
class tripleo::profile::base::haproxy (
$certificates_specs = {},
$enable_load_balancer = hiera('enable_load_balancer', true),
+ $manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
$step = Integer(hiera('step')),
) {
if $step >= 1 {
if $enable_load_balancer {
class {'::tripleo::haproxy':
internal_certificates_specs => $certificates_specs,
+ manage_firewall => $manage_firewall,
}
unless hiera('tripleo::haproxy::haproxy_service_manage', true) {
diff --git a/manifests/profile/base/nova/libvirt.pp b/manifests/profile/base/nova/libvirt.pp
index 83f0c38..6c865dc 100644
--- a/manifests/profile/base/nova/libvirt.pp
+++ b/manifests/profile/base/nova/libvirt.pp
@@ -23,8 +23,13 @@
# for more details.
# Defaults to hiera('step')
#
+# [*libvirtd_config*]
+# (Optional) Overrides for libvirtd config options
+# Default to {}
+#
class tripleo::profile::base::nova::libvirt (
$step = Integer(hiera('step')),
+ $libvirtd_config = {},
) {
include ::tripleo::profile::base::nova::compute_libvirt_shared
@@ -33,6 +38,18 @@ class tripleo::profile::base::nova::libvirt (
include ::tripleo::profile::base::nova::migration::client
include ::nova::compute::libvirt::services
+ $libvirtd_config_default = {
+ unix_sock_group => {value => '"libvirt"'},
+ auth_unix_ro => {value => '"none"'},
+ auth_unix_rw => {value => '"none"'},
+ unix_sock_ro_perms => {value => '"0777"'},
+ unix_sock_rw_perms => {value => '"0770"'}
+ }
+
+ class { '::nova::compute::libvirt::config':
+ libvirtd_config => merge($libvirtd_config_default, $libvirtd_config)
+ }
+
file { ['/etc/libvirt/qemu/networks/autostart/default.xml',
'/etc/libvirt/qemu/networks/default.xml']:
ensure => absent,
diff --git a/manifests/profile/pacemaker/haproxy.pp b/manifests/profile/pacemaker/haproxy.pp
index 7331071..5198243 100644
--- a/manifests/profile/pacemaker/haproxy.pp
+++ b/manifests/profile/pacemaker/haproxy.pp
@@ -26,6 +26,11 @@
# (Optional) Whether load balancing is enabled for this cluster
# Defaults to hiera('enable_load_balancer', true)
#
+# [*manage_firewall*]
+# (optional) Enable or disable firewall settings for ports exposed by HAProxy
+# (false means disabled, and true means enabled)
+# Defaults to hiera('tripleo::firewall::manage_firewall', true)
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@@ -38,10 +43,13 @@
class tripleo::profile::pacemaker::haproxy (
$bootstrap_node = hiera('haproxy_short_bootstrap_node_name'),
$enable_load_balancer = hiera('enable_load_balancer', true),
+ $manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
$step = Integer(hiera('step')),
$pcs_tries = hiera('pcs_tries', 20),
) {
- include ::tripleo::profile::base::haproxy
+ class {'::tripleo::profile::base::haproxy':
+ manage_firewall => $manage_firewall,
+ }
if $::hostname == downcase($bootstrap_node) {
$pacemaker_master = true
diff --git a/releasenotes/notes/TLS-for-haproxy-stats-3ce3b7780f0ef5b7.yaml b/releasenotes/notes/TLS-for-haproxy-stats-3ce3b7780f0ef5b7.yaml
new file mode 100644
index 0000000..2f981a1
--- /dev/null
+++ b/releasenotes/notes/TLS-for-haproxy-stats-3ce3b7780f0ef5b7.yaml
@@ -0,0 +1,8 @@
+---
+features:
+ - When TLS everywhere is enabled, the HAProxy stats interface will also use
+ TLS. This requires the user to access the interface through the ctlplane
+ FQDN (which is configured by the CloudNameCtlplane parameter in
+ tripleo-heat-templates). Note that one can still use the
+ haproxy_stats_certificate parameter from the haproxy class, and that one
+ will take precedence if set.
diff --git a/spec/classes/tripleo_haproxy_stats_spec.rb b/spec/classes/tripleo_haproxy_stats_spec.rb
new file mode 100644
index 0000000..bad5bf1
--- /dev/null
+++ b/spec/classes/tripleo_haproxy_stats_spec.rb
@@ -0,0 +1,104 @@
+#
+# Copyright (C) 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::haproxy::stats' do
+
+ shared_examples_for 'tripleo::haproxy::stats' do
+ let :pre_condition do
+ "Haproxy::Listen {
+ config_file => '/etc/haproxy.cfg'
+ }"
+ end
+
+ context 'with only required parameters' do
+ let(:params) do
+ {
+ :ip => '127.0.0.1',
+ :haproxy_listen_bind_param => ['transparent'],
+ }
+ end
+ it 'should configure basic stats frontend' do
+ is_expected.to contain_haproxy__listen('haproxy.stats').with(
+ :bind => {
+ "127.0.0.1:1993" => ['transparent']
+ },
+ :mode => 'http',
+ :options => {
+ 'stats' => ['enable', 'uri /']
+ },
+ :collect_exported => false
+ )
+ end
+ end
+
+ context 'with auth parameters' do
+ let(:params) do
+ {
+ :ip => '127.0.0.1',
+ :haproxy_listen_bind_param => ['transparent'],
+ :user => 'myuser',
+ :password => 'superdupersecret',
+ }
+ end
+ it 'should configure stats frontend with auth enabled' do
+ is_expected.to contain_haproxy__listen('haproxy.stats').with(
+ :bind => {
+ "127.0.0.1:1993" => ['transparent']
+ },
+ :mode => 'http',
+ :options => {
+ 'stats' => ['enable', 'uri /', 'auth myuser:superdupersecret']
+ },
+ :collect_exported => false
+ )
+ end
+ end
+
+ context 'with certificate parameter' do
+ let(:params) do
+ {
+ :ip => '127.0.0.1',
+ :haproxy_listen_bind_param => ['transparent'],
+ :certificate => '/path/to/cert',
+ }
+ end
+ it 'should configure stats frontend with TLS enabled' do
+ is_expected.to contain_haproxy__listen('haproxy.stats').with(
+ :bind => {
+ "127.0.0.1:1993" => ['transparent', 'ssl', 'crt', '/path/to/cert']
+ },
+ :mode => 'http',
+ :options => {
+ 'stats' => ['enable', 'uri /']
+ },
+ :collect_exported => false
+ )
+ end
+ end
+ end
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let(:facts) do
+ facts.merge({})
+ end
+
+ it_behaves_like 'tripleo::haproxy::stats'
+ end
+ end
+end
diff --git a/spec/classes/tripleo_profile_base_cinder_unity_spec.rb b/spec/classes/tripleo_profile_base_cinder_unity_spec.rb
new file mode 100644
index 0000000..38f362b
--- /dev/null
+++ b/spec/classes/tripleo_profile_base_cinder_unity_spec.rb
@@ -0,0 +1,57 @@
+# Copyright (c) 2016-2017 Dell Inc, or its subsidiaries
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::cinder::volume::dellemc_unity' do
+ shared_examples_for 'tripleo::profile::base::cinder::volume::dellemc_unity' do
+ before :each do
+ facts.merge!({ :step => params[:step] })
+ end
+
+ context 'with step less than 4' do
+ let(:params) { { :step => 3 } }
+
+ it 'should do nothing' do
+ is_expected.to contain_class('tripleo::profile::base::cinder::volume::dellemc_unity')
+ is_expected.to contain_class('tripleo::profile::base::cinder::volume')
+ is_expected.to contain_class('tripleo::profile::base::cinder')
+ is_expected.to_not contain_cinder__backend__dellemc_unity('tripleo_dellemc_unity')
+ end
+ end
+
+ context 'with step 4' do
+ let(:params) { {
+ :step => 4,
+ } }
+
+ it 'should trigger complete configuration' do
+ # TODO(aschultz): check hiera parameters
+ is_expected.to contain_cinder__backend__dellemc_unity('tripleo_dellemc_unity')
+ end
+ end
+ end
+
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let(:facts) do
+ facts.merge({ :hostname => 'node.example.com' })
+ end
+
+ it_behaves_like 'tripleo::profile::base::cinder::volume::dellemc_unity'
+ end
+ end
+end
diff --git a/spec/classes/tripleo_profile_base_docker_spec.rb b/spec/classes/tripleo_profile_base_docker_spec.rb
index dc5efa7..2a15362 100644
--- a/spec/classes/tripleo_profile_base_docker_spec.rb
+++ b/spec/classes/tripleo_profile_base_docker_spec.rb
@@ -28,7 +28,7 @@ describe 'tripleo::profile::base::docker' do
it { is_expected.to contain_service('docker') }
it {
is_expected.to contain_augeas('docker-sysconfig-options').with_changes([
- "set OPTIONS '\"--log-driver=journald --signature-verification=false\"'",
+ "set OPTIONS '\"--log-driver=journald --signature-verification=false --iptables=false\"'",
])
}
end
@@ -121,85 +121,6 @@ describe 'tripleo::profile::base::docker' do
}
end
- context 'with step 4 and configure_libvirt_polkit disabled' do
- let(:params) { {
- :step => 4,
- :configure_libvirt_polkit => false
- } }
- it {
- is_expected.to_not contain_group('docker_nova_group')
- is_expected.to_not contain_user('docker_nova_user')
- is_expected.to_not contain_package('polkit')
- is_expected.to_not contain_file('/etc/polkit-1/rules.d/50-nova.rules')
- }
- end
-
- context 'with step 4 and configure_libvirt_polkit enabled' do
- let(:params) { {
- :step => 4,
- :configure_libvirt_polkit => true
- } }
- it {
- is_expected.to contain_group('docker_nova_group').with(
- :name => 'docker_nova',
- :gid => 42436
- )
- is_expected.to contain_user('docker_nova_user').with(
- :name => 'docker_nova',
- :uid => 42436,
- :gid => 42436,
- :shell => '/sbin/nologin',
- :groups => ['nobody']
- )
- is_expected.to contain_package('polkit')
- is_expected.to contain_file('/etc/polkit-1/rules.d/50-nova.rules')
- }
- end
-
- context 'with step 4 and nova_compute service installed' do
- let(:params) { {
- :step => 4,
- :services_enabled => ['docker', 'nova_compute']
- } }
- it {
- is_expected.to contain_group('docker_nova_group').with(
- :name => 'docker_nova',
- :gid => 42436
- )
- is_expected.to contain_user('docker_nova_user').with(
- :name => 'docker_nova',
- :uid => 42436,
- :gid => 42436,
- :shell => '/sbin/nologin',
- :groups => ['nobody']
- )
- is_expected.to contain_package('polkit')
- is_expected.to contain_file('/etc/polkit-1/rules.d/50-nova.rules')
- }
- end
-
- context 'with step 4 and configure_libvirt_polkit enabled and docker_nova uid' do
- let(:params) { {
- :step => 4,
- :configure_libvirt_polkit => true,
- :docker_nova_uid => 12345
- } }
- it {
- is_expected.to contain_group('docker_nova_group').with(
- :name => 'docker_nova',
- :gid => 12345
- )
- is_expected.to contain_user('docker_nova_user').with(
- :name => 'docker_nova',
- :uid => 12345,
- :gid => 12345,
- :shell => '/sbin/nologin',
- :groups => ['nobody']
- )
- is_expected.to contain_package('polkit')
- is_expected.to contain_file('/etc/polkit-1/rules.d/50-nova.rules')
- }
- end
end
on_supported_os.each do |os, facts|
diff --git a/spec/classes/tripleo_profile_base_nova_libvirt_spec.rb b/spec/classes/tripleo_profile_base_nova_libvirt_spec.rb
index 0734a0f..65aa8c1 100644
--- a/spec/classes/tripleo_profile_base_nova_libvirt_spec.rb
+++ b/spec/classes/tripleo_profile_base_nova_libvirt_spec.rb
@@ -69,6 +69,51 @@ eos
is_expected.to contain_file('/etc/libvirt/qemu/networks/autostart/default.xml').with_ensure('absent')
is_expected.to contain_file('/etc/libvirt/qemu/networks/default.xml').with_ensure('absent')
is_expected.to contain_exec('libvirt-default-net-destroy')
+ is_expected.to contain_class('nova::compute::libvirt::config').with_libvirtd_config({
+ "unix_sock_group" => {"value" => '"libvirt"'},
+ "auth_unix_ro" => {"value" => '"none"'},
+ "auth_unix_rw" => {"value" => '"none"'},
+ "unix_sock_ro_perms" => {"value" => '"0777"'},
+ "unix_sock_rw_perms" => {"value" => '"0770"'}
+ })
+ }
+ end
+
+ context 'with step 4 and libvirtd_config' do
+ let(:pre_condition) do
+ <<-eos
+ class { '::tripleo::profile::base::nova':
+ step => #{params[:step]},
+ oslomsg_rpc_hosts => [ '127.0.0.1' ],
+ }
+ class { '::tripleo::profile::base::nova::migration':
+ step => #{params[:step]}
+ }
+ class { '::tripleo::profile::base::nova::migration::client':
+ step => #{params[:step]}
+ }
+ class { '::tripleo::profile::base::nova::compute_libvirt_shared':
+ step => #{params[:step]}
+ }
+eos
+ end
+
+ let(:params) { { :step => 4, :libvirtd_config => { "unix_sock_group" => {"value" => '"foobar"'}} } }
+
+ it {
+ is_expected.to contain_class('tripleo::profile::base::nova::libvirt')
+ is_expected.to contain_class('tripleo::profile::base::nova')
+ is_expected.to contain_class('nova::compute::libvirt::services')
+ is_expected.to contain_file('/etc/libvirt/qemu/networks/autostart/default.xml').with_ensure('absent')
+ is_expected.to contain_file('/etc/libvirt/qemu/networks/default.xml').with_ensure('absent')
+ is_expected.to contain_exec('libvirt-default-net-destroy')
+ is_expected.to contain_class('nova::compute::libvirt::config').with_libvirtd_config({
+ "unix_sock_group" => {"value" => '"foobar"'},
+ "auth_unix_ro" => {"value" => '"none"'},
+ "auth_unix_rw" => {"value" => '"none"'},
+ "unix_sock_ro_perms" => {"value" => '"0777"'},
+ "unix_sock_rw_perms" => {"value" => '"0770"'}
+ })
}
end
end