summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Puppetfile_extras8
-rw-r--r--bindep.txt2
-rw-r--r--manifests/certmonger/haproxy.pp13
-rw-r--r--manifests/certmonger/rabbitmq.pp79
-rw-r--r--manifests/haproxy.pp15
-rw-r--r--manifests/haproxy/endpoint.pp2
-rw-r--r--manifests/profile/base/aodh/api.pp15
-rw-r--r--manifests/profile/base/barbican/api.pp13
-rw-r--r--manifests/profile/base/ceilometer/api.pp13
-rw-r--r--manifests/profile/base/ceilometer/collector.pp8
-rw-r--r--manifests/profile/base/ceph/rgw.pp2
-rw-r--r--manifests/profile/base/certmonger_user.pp77
-rw-r--r--manifests/profile/base/cinder/api.pp13
-rw-r--r--manifests/profile/base/cinder/volume/dellps.pp6
-rw-r--r--manifests/profile/base/database/mongodb.pp11
-rw-r--r--manifests/profile/base/database/mysql.pp21
-rw-r--r--manifests/profile/base/docker_registry.pp1
-rw-r--r--manifests/profile/base/etcd.pp7
-rw-r--r--manifests/profile/base/glance/api.pp13
-rw-r--r--manifests/profile/base/gnocchi/api.pp22
-rw-r--r--manifests/profile/base/haproxy.pp36
-rw-r--r--manifests/profile/base/heat/api.pp43
-rw-r--r--manifests/profile/base/heat/api_cfn.pp44
-rw-r--r--manifests/profile/base/heat/api_cloudwatch.pp44
-rw-r--r--manifests/profile/base/horizon.pp2
-rw-r--r--manifests/profile/base/ironic/conductor.pp7
-rw-r--r--manifests/profile/base/keystone.pp22
-rw-r--r--manifests/profile/base/neutron/bgpvpn.pp37
-rw-r--r--manifests/profile/base/neutron/l2gw.pp37
-rw-r--r--manifests/profile/base/neutron/opendaylight.pp30
-rw-r--r--manifests/profile/base/neutron/plugins/ml2/opendaylight.pp9
-rw-r--r--manifests/profile/base/neutron/plugins/ovs/opendaylight.pp14
-rw-r--r--manifests/profile/base/neutron/server.pp13
-rw-r--r--manifests/profile/base/neutron/sriov.pp2
-rw-r--r--manifests/profile/base/nova/api.pp13
-rw-r--r--manifests/profile/base/nova/compute.pp2
-rw-r--r--manifests/profile/base/nova/ec2api.pp1
-rw-r--r--manifests/profile/base/nova/placement.pp13
-rw-r--r--manifests/profile/base/panko.pp18
-rw-r--r--manifests/profile/base/panko/api.pp31
-rw-r--r--manifests/profile/base/qdr.pp54
-rw-r--r--manifests/profile/base/rabbitmq.pp65
-rw-r--r--manifests/profile/base/sahara.pp1
-rw-r--r--manifests/profile/base/securetty.pp48
-rw-r--r--manifests/profile/base/tuned.pp20
-rw-r--r--metadata.json2
-rw-r--r--releasenotes/notes/add-bgpvpn-support-77676690fb6dd17b.yaml3
-rw-r--r--releasenotes/notes/add-opendaylight-ha-47a40c03917faf9c.yaml5
-rw-r--r--releasenotes/notes/add-tunnel-timeout-for-haproxy-ui-0705dfd671f9f487.yaml6
-rw-r--r--releasenotes/notes/create-ceilo-user-for-gnocchi-b8a4d5ea2f2375a9.yaml5
-rw-r--r--releasenotes/notes/deploy-heat-APIs-over-httpd-46b111d0a4a4eed4.yaml3
-rw-r--r--releasenotes/notes/fix-horizon-configuration-during-updates-aecfab9a4aa8770b.yaml6
-rw-r--r--releasenotes/notes/fix-sriov-neutron-base-3e32bd667886c474.yaml3
-rw-r--r--releasenotes/notes/l2gw_plugin_support-e0b1faafe8e1135f.yaml3
-rw-r--r--releasenotes/notes/messaging-amqp-7efec1bcb435e7cf.yaml4
-rw-r--r--releasenotes/notes/rabbitmq-user-check-95da891a2e197d89.yaml6
-rw-r--r--releasenotes/notes/re-run-ceilo-upgrade-0d9ba69fe4bfe780.yaml5
-rw-r--r--releasenotes/notes/restrict-mongodb-memory-c19d69638b63feb4.yaml6
-rw-r--r--releasenotes/notes/sahara_auth_v3-65bd276b39b4e284.yaml4
-rw-r--r--releasenotes/notes/securetty-6a10eefd601e45ca.yaml6
-rw-r--r--releasenotes/source/conf.py12
-rw-r--r--spec/classes/tripleo_certmonger_ca_local.rb46
-rw-r--r--spec/classes/tripleo_certmonger_httpd.rb63
-rw-r--r--spec/classes/tripleo_certmonger_mysql.rb64
-rw-r--r--spec/classes/tripleo_certmonger_rabbitmq.rb64
-rw-r--r--spec/classes/tripleo_profile_base_aodh_api_spec.rb8
-rw-r--r--spec/classes/tripleo_profile_base_ceilometer_collector_spec.rb26
-rw-r--r--spec/classes/tripleo_profile_base_database_mysql_spec.rb75
-rw-r--r--spec/classes/tripleo_profile_base_horizon_spec.rb57
-rw-r--r--spec/classes/tripleo_profile_base_neutron_opendaylight_spec.rb88
-rw-r--r--spec/classes/tripleo_profile_base_nova_compute_spec.rb3
-rw-r--r--spec/classes/tripleo_profile_base_nova_placement_spec.rb4
-rw-r--r--spec/classes/tripleo_profile_base_securetty_spec.rb72
-rw-r--r--spec/classes/tripleo_profile_base_tuned_spec.rb44
-rw-r--r--spec/fixtures/hieradata/default.yaml1
-rw-r--r--templates/securetty/securetty.erb4
76 files changed, 1366 insertions, 279 deletions
diff --git a/Puppetfile_extras b/Puppetfile_extras
index 05586a3..0b617b9 100644
--- a/Puppetfile_extras
+++ b/Puppetfile_extras
@@ -40,3 +40,11 @@ mod 'certmonger',
mod 'ntp',
:git => 'https://github.com/puppetlabs/puppetlabs-ntp',
:ref => '4.2.x'
+
+mod 'systemd',
+ :git => 'https://github.com/camptocamp/puppet-systemd',
+ :ref => 'master'
+
+mod 'opendaylight',
+ :git => 'https://github.com/dfarrell07/puppet-opendaylight',
+ :ref => 'master'
diff --git a/bindep.txt b/bindep.txt
new file mode 100644
index 0000000..4f9b425
--- /dev/null
+++ b/bindep.txt
@@ -0,0 +1,2 @@
+# This is a cross-platform list tracking distribution packages needed by tests;
+# see http://docs.openstack.org/infra/bindep/ for additional information.
diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp
index 3b8fd09..6668440 100644
--- a/manifests/certmonger/haproxy.pp
+++ b/manifests/certmonger/haproxy.pp
@@ -52,14 +52,27 @@ define tripleo::certmonger::haproxy (
$certmonger_ca = hiera('certmonger_ca', 'local'),
$principal = undef,
){
+ include ::certmonger
include ::haproxy::params
+ # This is only needed for certmonger's local CA. For any other CA this
+ # operation (trusting the CA) should be done by the deployer.
+ if $certmonger_ca == 'local' {
+ class { '::tripleo::certmonger::ca::local':
+ notify => Class['::tripleo::haproxy']
+ }
+ }
+
certmonger_certificate { "${title}-cert":
+ ensure => 'present',
+ ca => $certmonger_ca,
hostname => $hostname,
dnsname => $hostname,
certfile => $service_certificate,
keyfile => $service_key,
postsave_cmd => $postsave_cmd,
principal => $principal,
+ wait => true,
+ require => Class['::certmonger'],
}
concat { $service_pem :
ensure => present,
diff --git a/manifests/certmonger/rabbitmq.pp b/manifests/certmonger/rabbitmq.pp
new file mode 100644
index 0000000..344adef
--- /dev/null
+++ b/manifests/certmonger/rabbitmq.pp
@@ -0,0 +1,79 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::rabbitmq
+#
+# Request a certificate for RabbitMQ and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+# The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+# The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+# The path to the key that will be used for TLS in this service.
+#
+# [*certmonger_ca*]
+# (Optional) The CA that certmonger will use to generate the certificates.
+# Defaults to hiera('certmonger_ca', 'local').
+#
+# [*file_owner*]
+# (Optional) The user which the certificate and key files belong to.
+# Defaults to 'root'
+#
+# [*principal*]
+# (Optional) The service principal that is set for the service in kerberos.
+# Defaults to undef
+#
+class tripleo::certmonger::rabbitmq (
+ $hostname,
+ $service_certificate,
+ $service_key,
+ $certmonger_ca = hiera('certmonger_ca', 'local'),
+ $principal = undef,
+) {
+ include ::certmonger
+ include ::rabbitmq::params
+
+ $postsave_cmd = "systemctl restart ${::rabbitmq::params::service_name}"
+ certmonger_certificate { 'rabbitmq' :
+ ensure => 'present',
+ certfile => $service_certificate,
+ keyfile => $service_key,
+ hostname => $hostname,
+ dnsname => $hostname,
+ principal => $principal,
+ postsave_cmd => $postsave_cmd,
+ ca => $certmonger_ca,
+ wait => true,
+ require => Class['::certmonger'],
+ }
+
+ file { $service_certificate :
+ owner => $::rabbitmq::params::rabbitmq_user,
+ group => $::rabbitmq::params::rabbitmq_group,
+ require => Certmonger_certificate['rabbitmq'],
+ }
+ file { $service_key :
+ owner => $::rabbitmq::params::rabbitmq_user,
+ group => $::rabbitmq::params::rabbitmq_group,
+ require => Certmonger_certificate['rabbitmq'],
+ }
+
+ File[$service_certificate] ~> Service<| title == $::rabbitmq::params::service_name |>
+ File[$service_key] ~> Service<| title == $::rabbitmq::params::service_name |>
+}
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 13d4ba5..e5d57e5 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -808,7 +808,7 @@ class tripleo::haproxy (
'ssl-default-bind-ciphers' => $ssl_cipher_suite,
'ssl-default-bind-options' => $ssl_options,
'stats' => [
- 'socket /var/run/haproxy.sock mode 600 level user',
+ 'socket /var/lib/haproxy/stats mode 600 level user',
'timeout 2m'
],
},
@@ -1265,6 +1265,7 @@ class tripleo::haproxy (
listen_options => $heat_options,
public_ssl_port => $ports[heat_api_ssl_port],
service_network => $heat_api_network,
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
}
}
@@ -1279,6 +1280,7 @@ class tripleo::haproxy (
listen_options => $heat_options,
public_ssl_port => $ports[heat_cw_ssl_port],
service_network => $heat_cloudwatch_network,
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
}
}
@@ -1293,6 +1295,7 @@ class tripleo::haproxy (
listen_options => $heat_options,
public_ssl_port => $ports[heat_cfn_ssl_port],
service_network => $heat_cfn_network,
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
}
}
@@ -1374,7 +1377,7 @@ class tripleo::haproxy (
server_names => hiera('mysql_node_names', $controller_hosts_names_real),
options => $mysql_member_options_real,
}
- if hiera('manage_firewall', true) {
+ if hiera('tripleo::firewall::manage_firewall', true) {
include ::tripleo::firewall
$mysql_firewall_rules = {
'100 mysql_haproxy' => {
@@ -1459,7 +1462,7 @@ class tripleo::haproxy (
server_names => hiera('redis_node_names', $controller_hosts_names_real),
options => $haproxy_member_options,
}
- if hiera('manage_firewall', true) {
+ if hiera('tripleo::firewall::manage_firewall', true) {
include ::tripleo::firewall
$redis_firewall_rules = {
'100 redis_haproxy' => {
@@ -1592,6 +1595,12 @@ class tripleo::haproxy (
server_names => $controller_hosts_names_real,
mode => 'http',
public_ssl_port => $ports[ui_ssl_port],
+ listen_options => {
+ # NOTE(dtrainor): in addition to the zaqar_ws endpoint, the HTTPS
+ # (443/tcp) endpoint that answers for the UI must also use a long-lived
+ # tunnel timeout for the same reasons mentioned above.
+ 'timeout' => ['tunnel 3600s'],
+ },
}
}
if $contrail_config {
diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp
index da2aba3..16e0bd1 100644
--- a/manifests/haproxy/endpoint.pp
+++ b/manifests/haproxy/endpoint.pp
@@ -147,7 +147,7 @@ define tripleo::haproxy::endpoint (
server_names => $server_names,
options => $member_options,
}
- if hiera('manage_firewall', true) {
+ if hiera('tripleo::firewall::manage_firewall', true) {
include ::tripleo::firewall
# This block will construct firewall rules only when we specify
# a port for the regular service and also the ssl port for the service.
diff --git a/manifests/profile/base/aodh/api.pp b/manifests/profile/base/aodh/api.pp
index af4a5b3..22fc000 100644
--- a/manifests/profile/base/aodh/api.pp
+++ b/manifests/profile/base/aodh/api.pp
@@ -39,14 +39,6 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# HAProxy. This could be as many as specified by the $certificates_specs
-# variable.
-# Note that this doesn't configure the certificates in haproxy, it merely
-# creates the certificates.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@@ -57,17 +49,12 @@ class tripleo::profile::base::aodh::api (
$aodh_network = hiera('aodh_api_network', undef),
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
- $generate_service_certificates = hiera('generate_service_certificates', false),
$step = hiera('step'),
) {
include ::tripleo::profile::base::aodh
if $enable_internal_tls {
- if $generate_service_certificates {
- ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
- }
-
if !$aodh_network {
fail('aodh_api_network is not set in the hieradata.')
}
@@ -79,7 +66,7 @@ class tripleo::profile::base::aodh::api (
}
- if $step >= 4 {
+ if $step >= 3 {
include ::aodh::api
class { '::aodh::wsgi::apache':
ssl_cert => $tls_certfile,
diff --git a/manifests/profile/base/barbican/api.pp b/manifests/profile/base/barbican/api.pp
index 22984b1..71e4ea1 100644
--- a/manifests/profile/base/barbican/api.pp
+++ b/manifests/profile/base/barbican/api.pp
@@ -43,14 +43,6 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# HAProxy. This could be as many as specified by the $certificates_specs
-# variable.
-# Note that this doesn't configure the certificates in haproxy, it merely
-# creates the certificates.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@@ -105,7 +97,6 @@ class tripleo::profile::base::barbican::api (
$bootstrap_node = hiera('bootstrap_nodeid', undef),
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
- $generate_service_certificates = hiera('generate_service_certificates', false),
$step = hiera('step'),
$oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'),
$oslomsg_rpc_hosts = any2array(hiera('rabbitmq_node_names', undef)),
@@ -126,10 +117,6 @@ class tripleo::profile::base::barbican::api (
}
if $enable_internal_tls {
- if $generate_service_certificates {
- ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
- }
-
if !$barbican_network {
fail('barbican_api_network is not set in the hieradata.')
}
diff --git a/manifests/profile/base/ceilometer/api.pp b/manifests/profile/base/ceilometer/api.pp
index 6ef4748..28504c5 100644
--- a/manifests/profile/base/ceilometer/api.pp
+++ b/manifests/profile/base/ceilometer/api.pp
@@ -39,14 +39,6 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# HAProxy. This could be as many as specified by the $certificates_specs
-# variable.
-# Note that this doesn't configure the certificates in haproxy, it merely
-# creates the certificates.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@@ -56,16 +48,11 @@ class tripleo::profile::base::ceilometer::api (
$ceilometer_network = hiera('ceilometer_api_network', undef),
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
- $generate_service_certificates = hiera('generate_service_certificates', false),
$step = hiera('step'),
) {
include ::tripleo::profile::base::ceilometer
if $enable_internal_tls {
- if $generate_service_certificates {
- ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
- }
-
if !$ceilometer_network {
fail('ceilometer_api_network is not set in the hieradata.')
}
diff --git a/manifests/profile/base/ceilometer/collector.pp b/manifests/profile/base/ceilometer/collector.pp
index 20eab54..6b58286 100644
--- a/manifests/profile/base/ceilometer/collector.pp
+++ b/manifests/profile/base/ceilometer/collector.pp
@@ -85,4 +85,12 @@ class tripleo::profile::base::ceilometer::collector (
include ::ceilometer::dispatcher::gnocchi
}
+ # Re-run ceilometer-upgrade again in step 5 so gnocchi resource types
+ # are created safely.
+ if $step >= 5 and $sync_db {
+ exec {'ceilometer-db-upgrade':
+ command => 'ceilometer-upgrade --skip-metering-database',
+ path => ['/usr/bin', '/usr/sbin'],
+ }
+ }
}
diff --git a/manifests/profile/base/ceph/rgw.pp b/manifests/profile/base/ceph/rgw.pp
index 8443de0..d00f7cd 100644
--- a/manifests/profile/base/ceph/rgw.pp
+++ b/manifests/profile/base/ceph/rgw.pp
@@ -60,7 +60,7 @@ class tripleo::profile::base::ceph::rgw (
$rgw_name = hiera('ceph::profile::params::rgw_name', 'radosgw.gateway')
$civetweb_bind_ip_real = normalize_ip_for_uri($civetweb_bind_ip)
include ::ceph::params
- include ::ceph::profile::base
+ include ::ceph::profile::client
ceph::rgw { $rgw_name:
frontend_type => 'civetweb',
rgw_frontends => "civetweb port=${civetweb_bind_ip_real}:${civetweb_bind_port}",
diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp
new file mode 100644
index 0000000..586c7e4
--- /dev/null
+++ b/manifests/profile/base/certmonger_user.pp
@@ -0,0 +1,77 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == class: tripleo::profile::base::certmonger_user
+#
+# Profile that ensures that the relevant certmonger certificates have been
+# requested. The certificates come from the hiera set by the specific profiles
+# and come in a pre-defined format.
+# For a service that has several certificates (one per network name):
+# apache_certificates_specs:
+# httpd-internal_api:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "HTTP/<overcloud controller fqdn>"
+# For a service that uses a single certificate:
+# mysql_certificates_specs:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "mysql/<overcloud controller fqdn>"
+#
+# === Parameters
+#
+# [*apache_certificates_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*haproxy_certificates_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Defaults to hiera('tripleo::profile::base::haproxy::certificate_specs', {}).
+#
+# [*mysql_certificate_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Defaults to hiera('tripleo::profile::base::database::mysql::certificate_specs', {}).
+#
+# [*rabbitmq_certificate_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Defaults to hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}).
+#
+class tripleo::profile::base::certmonger_user (
+ $apache_certificates_specs = hiera('apache_certificates_specs', {}),
+ $haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
+ $mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
+ $rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}),
+) {
+ unless empty($apache_certificates_specs) {
+ ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs)
+ }
+ unless empty($haproxy_certificates_specs) {
+ ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs)
+ # The haproxy fronends (or listen resources) depend on the certificate
+ # existing and need to be refreshed if it changed.
+ Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>
+ }
+ unless empty($mysql_certificate_specs) {
+ ensure_resource('class', 'tripleo::certmonger::mysql', $mysql_certificate_specs)
+ }
+ unless empty($rabbitmq_certificate_specs) {
+ ensure_resource('class', 'tripleo::certmonger::rabbitmq', $rabbitmq_certificate_specs)
+ }
+}
diff --git a/manifests/profile/base/cinder/api.pp b/manifests/profile/base/cinder/api.pp
index 450a8e6..c432fd6 100644
--- a/manifests/profile/base/cinder/api.pp
+++ b/manifests/profile/base/cinder/api.pp
@@ -43,14 +43,6 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# HAProxy. This could be as many as specified by the $certificates_specs
-# variable.
-# Note that this doesn't configure the certificates in haproxy, it merely
-# creates the certificates.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@@ -61,7 +53,6 @@ class tripleo::profile::base::cinder::api (
$certificates_specs = hiera('apache_certificates_specs', {}),
$cinder_api_network = hiera('cinder_api_network', undef),
$enable_internal_tls = hiera('enable_internal_tls', false),
- $generate_service_certificates = hiera('generate_service_certificates', false),
$step = hiera('step'),
) {
if $::hostname == downcase($bootstrap_node) {
@@ -73,10 +64,6 @@ class tripleo::profile::base::cinder::api (
include ::tripleo::profile::base::cinder
if $enable_internal_tls {
- if $generate_service_certificates {
- ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
- }
-
if !$cinder_api_network {
fail('cinder_api_network is not set in the hieradata.')
}
diff --git a/manifests/profile/base/cinder/volume/dellps.pp b/manifests/profile/base/cinder/volume/dellps.pp
index 1338240..e825b61 100644
--- a/manifests/profile/base/cinder/volume/dellps.pp
+++ b/manifests/profile/base/cinder/volume/dellps.pp
@@ -41,9 +41,9 @@ class tripleo::profile::base::cinder::volume::dellps (
san_thin_provision => hiera('cinder::backend::eqlx::san_thin_provision', undef),
eqlx_group_name => hiera('cinder::backend::eqlx::eqlx_group_name', undef),
eqlx_pool => hiera('cinder::backend::eqlx::eqlx_pool', undef),
- eqlx_use_chap => hiera('cinder::backend::eqlx::eqlx_use_chap', undef),
- eqlx_chap_login => hiera('cinder::backend::eqlx::eqlx_chap_login', undef),
- eqlx_chap_password => hiera('cinder::backend::eqlx::eqlx_chap_password', undef),
+ use_chap_auth => hiera('cinder::backend::eqlx::eqlx_use_chap', undef),
+ chap_username => hiera('cinder::backend::eqlx::eqlx_chap_login', undef),
+ chap_password => hiera('cinder::backend::eqlx::eqlx_chap_password', undef),
}
}
diff --git a/manifests/profile/base/database/mongodb.pp b/manifests/profile/base/database/mongodb.pp
index 8967f5b..4740d67 100644
--- a/manifests/profile/base/database/mongodb.pp
+++ b/manifests/profile/base/database/mongodb.pp
@@ -30,10 +30,15 @@
# for more details.
# Defaults to hiera('step')
#
+# [*memory_limit*]
+# (Optional) Limit amount of memory mongodb can use
+# Defaults to 20G
+#
class tripleo::profile::base::database::mongodb (
$mongodb_replset,
$bootstrap_node = downcase(hiera('bootstrap_nodeid')),
$step = hiera('step'),
+ $memory_limit = '20G',
) {
if $step >= 2 {
@@ -56,5 +61,11 @@ class tripleo::profile::base::database::mongodb (
}
}
+ # Limit memory utilization
+ ::systemd::service_limits { 'mongod.service':
+ limits => {
+ 'MemoryLimit' => $memory_limit
+ }
+ }
}
}
diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp
index a0193cf..b4ac8ac 100644
--- a/manifests/profile/base/database/mysql.pp
+++ b/manifests/profile/base/database/mysql.pp
@@ -47,12 +47,6 @@
# limit for the mysql service.
# Defaults to false
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# MySQL. This could be as many as specified by the $certificates_specs
-# variable.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*manage_resources*]
# (Optional) Whether or not manage root user, root my.cnf, and service.
# Defaults to true
@@ -62,6 +56,10 @@
# Should be an hash.
# Defaults to {}
#
+# [*mysql_max_connections*]
+# (Optional) Maximum number of connections to MySQL.
+# Defaults to hiera('mysql_max_connections', undef)
+#
# [*remove_default_accounts*]
# (Optional) Whether or not remove default MySQL accounts.
# Defaults to true
@@ -78,9 +76,9 @@ class tripleo::profile::base::database::mysql (
$certificate_specs = {},
$enable_internal_tls = hiera('enable_internal_tls', false),
$generate_dropin_file_limit = false,
- $generate_service_certificates = hiera('generate_service_certificates', false),
$manage_resources = true,
$mysql_server_options = {},
+ $mysql_max_connections = hiera('mysql_max_connections', undef),
$remove_default_accounts = true,
$step = hiera('step'),
) {
@@ -95,9 +93,6 @@ class tripleo::profile::base::database::mysql (
validate_hash($certificate_specs)
if $enable_internal_tls {
- if $generate_service_certificates {
- ensure_resource('class', 'tripleo::certmonger::mysql', $certificate_specs)
- }
$tls_certfile = $certificate_specs['service_certificate']
$tls_keyfile = $certificate_specs['service_key']
} else {
@@ -126,7 +121,7 @@ class tripleo::profile::base::database::mysql (
$mysql_server_default = {
'mysqld' => {
'bind-address' => $bind_address,
- 'max_connections' => hiera('mysql_max_connections'),
+ 'max_connections' => $mysql_max_connections,
'open_files_limit' => '-1',
'innodb_file_per_table' => 'ON',
'ssl' => $enable_internal_tls,
@@ -146,11 +141,11 @@ class tripleo::profile::base::database::mysql (
remove_default_accounts => $remove_default_accounts,
}
- if $generate_dropin_file_limit {
+ if $generate_dropin_file_limit and $manage_resources {
# Raise the mysql file limit
::systemd::service_limits { 'mariadb.service':
limits => {
- LimitNOFILE => 16384
+ 'LimitNOFILE' => 16384
}
}
}
diff --git a/manifests/profile/base/docker_registry.pp b/manifests/profile/base/docker_registry.pp
index 0452575..2f1783d 100644
--- a/manifests/profile/base/docker_registry.pp
+++ b/manifests/profile/base/docker_registry.pp
@@ -43,6 +43,7 @@ class tripleo::profile::base::docker_registry (
}
package{'docker-distribution': }
package{'docker': }
+ package{'openstack-kolla': }
file { '/etc/docker-distribution/registry/config.yml' :
ensure => file,
content => template('tripleo/docker_distribution/registry_config.yml.erb'),
diff --git a/manifests/profile/base/etcd.pp b/manifests/profile/base/etcd.pp
index 505e29f..fc4771f 100644
--- a/manifests/profile/base/etcd.pp
+++ b/manifests/profile/base/etcd.pp
@@ -47,19 +47,12 @@ class tripleo::profile::base::etcd (
$step = hiera('step'),
) {
if $step >= 1 {
- if count($nodes) > 1 {
- $cluster_enabled = true
- } else {
- $cluster_enabled = false
- }
-
class {'::etcd':
listen_client_urls => "http://${bind_ip}:${client_port}",
advertise_client_urls => "http://${bind_ip}:${client_port}",
listen_peer_urls => "http://${bind_ip}:${peer_port}",
initial_advertise_peer_urls => "http://${bind_ip}:${peer_port}",
initial_cluster => regsubst($nodes, '.+', "\\0=http://\\0:${peer_port}"),
- cluster_enabled => $cluster_enabled,
proxy => 'off',
}
}
diff --git a/manifests/profile/base/glance/api.pp b/manifests/profile/base/glance/api.pp
index e5807f6..8ed7fb7 100644
--- a/manifests/profile/base/glance/api.pp
+++ b/manifests/profile/base/glance/api.pp
@@ -38,14 +38,6 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# HAProxy. This could be as many as specified by the $certificates_specs
-# variable.
-# Note that this doesn't configure the certificates in haproxy, it merely
-# creates the certificates.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*glance_backend*]
# (Optional) Glance backend(s) to use.
# Defaults to downcase(hiera('glance_backend', 'swift'))
@@ -91,7 +83,6 @@ class tripleo::profile::base::glance::api (
$bootstrap_node = hiera('bootstrap_nodeid', undef),
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
- $generate_service_certificates = hiera('generate_service_certificates', false),
$glance_backend = downcase(hiera('glance_backend', 'swift')),
$glance_network = hiera('glance_api_network', undef),
$glance_nfs_enabled = false,
@@ -102,10 +93,6 @@ class tripleo::profile::base::glance::api (
$tls_proxy_fqdn = undef,
$tls_proxy_port = 9292,
) {
- if $enable_internal_tls and $generate_service_certificates {
- ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
- }
-
if $::hostname == downcase($bootstrap_node) {
$sync_db = true
} else {
diff --git a/manifests/profile/base/gnocchi/api.pp b/manifests/profile/base/gnocchi/api.pp
index 2fde1fc..79ee265 100644
--- a/manifests/profile/base/gnocchi/api.pp
+++ b/manifests/profile/base/gnocchi/api.pp
@@ -38,14 +38,6 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# HAProxy. This could be as many as specified by the $certificates_specs
-# variable.
-# Note that this doesn't configure the certificates in haproxy, it merely
-# creates the certificates.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*gnocchi_backend*]
# (Optional) Gnocchi backend string file, swift or rbd
# Defaults to swift
@@ -64,7 +56,6 @@ class tripleo::profile::base::gnocchi::api (
$bootstrap_node = hiera('bootstrap_nodeid', undef),
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
- $generate_service_certificates = hiera('generate_service_certificates', false),
$gnocchi_backend = downcase(hiera('gnocchi_backend', 'swift')),
$gnocchi_network = hiera('gnocchi_api_network', undef),
$step = hiera('step'),
@@ -78,10 +69,6 @@ class tripleo::profile::base::gnocchi::api (
include ::tripleo::profile::base::gnocchi
if $enable_internal_tls {
- if $generate_service_certificates {
- ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
- }
-
if !$gnocchi_network {
fail('gnocchi_api_network is not set in the hieradata.')
}
@@ -113,4 +100,13 @@ class tripleo::profile::base::gnocchi::api (
default: { fail('Unrecognized gnocchi_backend parameter.') }
}
}
+
+ # Re-run gnochci upgrade with storage as swift/ceph should be up at this
+ # stage.
+ if $step >= 5 and $sync_db {
+ exec {'run gnocchi upgrade with storage':
+ command => 'gnocchi-upgrade --config-file=/etc/gnocchi/gnocchi.conf',
+ path => ['/usr/bin', '/usr/sbin'],
+ }
+ }
}
diff --git a/manifests/profile/base/haproxy.pp b/manifests/profile/base/haproxy.pp
index f16ec1b..9a03487 100644
--- a/manifests/profile/base/haproxy.pp
+++ b/manifests/profile/base/haproxy.pp
@@ -32,22 +32,10 @@
# principal: "haproxy/<undercloud fqdn>"
# Defaults to {}.
#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
# [*enable_load_balancer*]
# (Optional) Whether or not loadbalancer is enabled.
# Defaults to hiera('enable_load_balancer', true).
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# HAProxy. This could be as many as specified by the $certificates_specs
-# variable.
-# Note that this doesn't configure the certificates in haproxy, it merely
-# creates the certificates.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@@ -55,35 +43,11 @@
#
class tripleo::profile::base::haproxy (
$certificates_specs = {},
- $certmonger_ca = hiera('certmonger_ca', 'local'),
$enable_load_balancer = hiera('enable_load_balancer', true),
- $generate_service_certificates = hiera('generate_service_certificates', false),
$step = hiera('step'),
) {
if $step >= 1 {
if $enable_load_balancer {
- if str2bool($generate_service_certificates) {
- include ::certmonger
- # This is only needed for certmonger's local CA. For any other CA this
- # operation (trusting the CA) should be done by the deployer.
- if $certmonger_ca == 'local' {
- class { '::tripleo::certmonger::ca::local':
- notify => Class['::tripleo::haproxy']
- }
- }
-
- Certmonger_certificate {
- ca => $certmonger_ca,
- ensure => 'present',
- wait => true,
- require => Class['::certmonger'],
- }
- create_resources('::tripleo::certmonger::haproxy', $certificates_specs)
- # The haproxy fronends (or listen resources) depend on the certificate
- # existing and need to be refreshed if it changed.
- Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>
- }
-
class {'::tripleo::haproxy':
internal_certificates_specs => $certificates_specs,
}
diff --git a/manifests/profile/base/heat/api.pp b/manifests/profile/base/heat/api.pp
index 7166298..8e2da7e 100644
--- a/manifests/profile/base/heat/api.pp
+++ b/manifests/profile/base/heat/api.pp
@@ -18,18 +18,57 @@
#
# === Parameters
#
+# [*certificates_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Example with hiera:
+# apache_certificates_specs:
+# httpd-internal_api:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "haproxy/<overcloud controller fqdn>"
+# Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
+# [*heat_api_network*]
+# (Optional) The network name where the heat API endpoint is listening on.
+# This is set by t-h-t.
+# Defaults to hiera('heat_api_network', undef)
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
# Defaults to hiera('step')
#
class tripleo::profile::base::heat::api (
- $step = hiera('step'),
+ $certificates_specs = hiera('apache_certificates_specs', {}),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
+ $heat_api_network = hiera('heat_api_network', undef),
+ $step = hiera('step'),
) {
include ::tripleo::profile::base::heat
- if $step >= 4 {
+ if $enable_internal_tls {
+ if !$heat_api_network {
+ fail('heat_api_network is not set in the hieradata.')
+ }
+ $tls_certfile = $certificates_specs["httpd-${heat_api_network}"]['service_certificate']
+ $tls_keyfile = $certificates_specs["httpd-${heat_api_network}"]['service_key']
+ } else {
+ $tls_certfile = undef
+ $tls_keyfile = undef
+ }
+
+ if $step >= 3 {
include ::heat::api
+ class { '::heat::wsgi::apache_api':
+ ssl_cert => $tls_certfile,
+ ssl_key => $tls_keyfile,
+ }
}
}
diff --git a/manifests/profile/base/heat/api_cfn.pp b/manifests/profile/base/heat/api_cfn.pp
index c1adae6..02eb82a 100644
--- a/manifests/profile/base/heat/api_cfn.pp
+++ b/manifests/profile/base/heat/api_cfn.pp
@@ -18,18 +18,58 @@
#
# === Parameters
#
+# [*certificates_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Example with hiera:
+# apache_certificates_specs:
+# httpd-internal_api:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "haproxy/<overcloud controller fqdn>"
+# Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
+# [*heat_api_cfn_network*]
+# (Optional) The network name where the heat cfn endpoint is listening on.
+# This is set by t-h-t.
+# Defaults to hiera('heat_api_cfn_network', undef)
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
# Defaults to hiera('step')
#
class tripleo::profile::base::heat::api_cfn (
- $step = hiera('step'),
+ $certificates_specs = hiera('apache_certificates_specs', {}),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
+ $heat_api_cfn_network = hiera('heat_api_cfn_network', undef),
+ $step = hiera('step'),
) {
include ::tripleo::profile::base::heat
- if $step >= 4 {
+ if $enable_internal_tls {
+ if !$heat_api_cfn_network {
+ fail('heat_api_cfn_network is not set in the hieradata.')
+ }
+ $tls_certfile = $certificates_specs["httpd-${heat_api_cfn_network}"]['service_certificate']
+ $tls_keyfile = $certificates_specs["httpd-${heat_api_cfn_network}"]['service_key']
+ } else {
+ $tls_certfile = undef
+ $tls_keyfile = undef
+ }
+
+ if $step >= 3 {
include ::heat::api_cfn
+
+ class { '::heat::wsgi::apache_api_cfn':
+ ssl_cert => $tls_certfile,
+ ssl_key => $tls_keyfile,
+ }
}
}
diff --git a/manifests/profile/base/heat/api_cloudwatch.pp b/manifests/profile/base/heat/api_cloudwatch.pp
index 3004db9..558d247 100644
--- a/manifests/profile/base/heat/api_cloudwatch.pp
+++ b/manifests/profile/base/heat/api_cloudwatch.pp
@@ -18,18 +18,58 @@
#
# === Parameters
#
+# [*certificates_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Example with hiera:
+# apache_certificates_specs:
+# httpd-internal_api:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "haproxy/<overcloud controller fqdn>"
+# Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
+# [*heat_api_cloudwatch_network*]
+# (Optional) The network name where the heat cloudwatch endpoint is listening
+# on. This is set by t-h-t.
+# Defaults to hiera('heat_api_cloudwatch_network', undef)
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
# Defaults to hiera('step')
#
class tripleo::profile::base::heat::api_cloudwatch (
- $step = hiera('step'),
+ $certificates_specs = hiera('apache_certificates_specs', {}),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
+ $heat_api_cloudwatch_network = hiera('heat_api_cloudwatch_network', undef),
+ $step = hiera('step'),
) {
include ::tripleo::profile::base::heat
- if $step >= 4 {
+ if $enable_internal_tls {
+ if !$heat_api_cloudwatch_network {
+ fail('heat_api_cloudwatch_network is not set in the hieradata.')
+ }
+ $tls_certfile = $certificates_specs["httpd-${heat_api_cloudwatch_network}"]['service_certificate']
+ $tls_keyfile = $certificates_specs["httpd-${heat_api_cloudwatch_network}"]['service_key']
+ } else {
+ $tls_certfile = undef
+ $tls_keyfile = undef
+ }
+
+ if $step >= 3 {
include ::heat::api_cloudwatch
+
+ class { '::heat::wsgi::apache_api_cloudwatch':
+ ssl_cert => $tls_certfile,
+ ssl_key => $tls_keyfile,
+ }
}
}
diff --git a/manifests/profile/base/horizon.pp b/manifests/profile/base/horizon.pp
index 278c25c..10eaaa6 100644
--- a/manifests/profile/base/horizon.pp
+++ b/manifests/profile/base/horizon.pp
@@ -31,7 +31,7 @@ class tripleo::profile::base::horizon (
$step = hiera('step'),
$neutron_options = hiera('horizon::neutron_options', {}),
) {
- if $step >= 4 {
+ if $step >= 3 {
# Horizon
include ::apache::mod::remoteip
include ::apache::mod::status
diff --git a/manifests/profile/base/ironic/conductor.pp b/manifests/profile/base/ironic/conductor.pp
index 4824648..7f90da9 100644
--- a/manifests/profile/base/ironic/conductor.pp
+++ b/manifests/profile/base/ironic/conductor.pp
@@ -44,5 +44,12 @@ class tripleo::profile::base::ironic::conductor (
include ::ironic::drivers::ilo
include ::ironic::drivers::ipmi
include ::ironic::drivers::ssh
+
+ # Configure access to other services
+ include ::ironic::drivers::inspector
+ include ::ironic::glance
+ include ::ironic::neutron
+ include ::ironic::service_catalog
+ include ::ironic::swift
}
}
diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index 9b2fc51..bb3f387 100644
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@@ -43,14 +43,6 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# HAProxy. This could be as many as specified by the $certificates_specs
-# variable.
-# Note that this doesn't configure the certificates in haproxy, it merely
-# creates the certificates.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*heat_admin_domain*]
# domain name for heat admin
# Defaults to undef
@@ -130,7 +122,6 @@ class tripleo::profile::base::keystone (
$bootstrap_node = hiera('bootstrap_nodeid', undef),
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
- $generate_service_certificates = hiera('generate_service_certificates', false),
$heat_admin_domain = undef,
$heat_admin_email = undef,
$heat_admin_password = undef,
@@ -163,10 +154,6 @@ class tripleo::profile::base::keystone (
}
if $enable_internal_tls {
- if $generate_service_certificates {
- ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
- }
-
if !$public_endpoint_network {
fail('keystone_public_api_network is not set in the hieradata.')
}
@@ -208,6 +195,10 @@ class tripleo::profile::base::keystone (
}),
}
+ if 'amqp' in [$oslomsg_rpc_proto, $oslomsg_notify_proto]{
+ include ::keystone::messaging::amqp
+ }
+
include ::keystone::config
class { '::keystone::wsgi::apache':
ssl_cert => $tls_certfile,
@@ -255,7 +246,10 @@ class tripleo::profile::base::keystone (
if hiera('barbican_api_enabled', false) {
include ::barbican::keystone::auth
}
- if hiera('ceilometer_api_enabled', false) {
+ # ceilometer user is needed even when ceilometer api
+ # not running, so it can authenticate with keystone
+ # and dispatch data.
+ if hiera('ceilometer_auth_enabled', false) {
include ::ceilometer::keystone::auth
}
if hiera('ceph_rgw_enabled', false) {
diff --git a/manifests/profile/base/neutron/bgpvpn.pp b/manifests/profile/base/neutron/bgpvpn.pp
new file mode 100644
index 0000000..d6fdf4e
--- /dev/null
+++ b/manifests/profile/base/neutron/bgpvpn.pp
@@ -0,0 +1,37 @@
+#
+# Copyright (C) 2017 Red Hat Inc.
+#
+# Author: Ricardo Noriega <rnoriega@redhat.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::neutron::bgpvpn
+#
+# Neutron BGPVPN Service plugin profile for TripleO
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+class tripleo::profile::base::neutron::bgpvpn (
+ $step = hiera('step'),
+) {
+ include ::tripleo::profile::base::neutron
+
+ if $step >= 4 {
+ include ::neutron::services::bgpvpn
+ }
+}
diff --git a/manifests/profile/base/neutron/l2gw.pp b/manifests/profile/base/neutron/l2gw.pp
new file mode 100644
index 0000000..da71108
--- /dev/null
+++ b/manifests/profile/base/neutron/l2gw.pp
@@ -0,0 +1,37 @@
+#
+# Copyright (C) 2017 Red Hat Inc.
+#
+# Author: Peng Liu <pliu@redhat.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::neutron::l2gw
+#
+# Neutron L2 Gateway Service plugin profile for TripleO
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+class tripleo::profile::base::neutron::l2gw (
+ $step = hiera('step'),
+) {
+ include ::tripleo::profile::base::neutron
+
+ if $step >= 4 {
+ include ::neutron::services::l2gw
+ }
+}
diff --git a/manifests/profile/base/neutron/opendaylight.pp b/manifests/profile/base/neutron/opendaylight.pp
index 556fe63..b5e6d11 100644
--- a/manifests/profile/base/neutron/opendaylight.pp
+++ b/manifests/profile/base/neutron/opendaylight.pp
@@ -22,19 +22,35 @@
# (Optional) The current step of the deployment
# Defaults to hiera('step')
#
-# [*primary_node*]
-# (Optional) The hostname of the first node of this role type
-# Defaults to hiera('bootstrap_nodeid', undef)
+# [*odl_api_ips*]
+# (Optional) List of OpenStack Controller IPs for ODL API
+# Defaults to hiera('opendaylight_api_node_ips')
+#
+# [*node_name*]
+# (Optional) The short hostname of node
+# Defaults to hiera('bootstack_nodeid')
#
class tripleo::profile::base::neutron::opendaylight (
$step = hiera('step'),
- $primary_node = hiera('bootstrap_nodeid', undef),
+ $odl_api_ips = hiera('opendaylight_api_node_ips'),
+ $node_name = hiera('bootstack_nodeid')
) {
if $step >= 1 {
- # Configure ODL only on first node of the role where this service is
- # applied
- if $primary_node == downcase($::hostname) {
+ validate_array($odl_api_ips)
+ if empty($odl_api_ips) {
+ fail('No IPs assigned to OpenDaylight Api Service')
+ } elsif size($odl_api_ips) == 2 {
+ fail('2 node OpenDaylight deployments are unsupported. Use 1 or greater than 2')
+ } elsif size($odl_api_ips) > 2 {
+ $node_string = split($node_name, '-')
+ $ha_node_index = $node_string[-1] + 1
+ class { '::opendaylight':
+ enable_ha => true,
+ ha_node_ips => $odl_api_ips,
+ ha_node_index => $ha_node_index,
+ }
+ } else {
include ::opendaylight
}
}
diff --git a/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp b/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp
index c120931..2618d4f 100644
--- a/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp
+++ b/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp
@@ -30,6 +30,10 @@
# (Optional) Password to configure for OpenDaylight
# Defaults to 'admin'
#
+# [*odl_url_ip*]
+# (Optional) Virtual IP address for ODL Api Service
+# Defaults to hiera('opendaylight_api_vip')
+#
# [*conn_proto*]
# (Optional) Protocol to use to for ODL REST access
# Defaults to hiera('opendaylight::nb_connection_protocol')
@@ -43,14 +47,13 @@ class tripleo::profile::base::neutron::plugins::ml2::opendaylight (
$odl_port = hiera('opendaylight::odl_rest_port'),
$odl_username = hiera('opendaylight::username'),
$odl_password = hiera('opendaylight::password'),
+ $odl_url_ip = hiera('opendaylight_api_vip'),
$conn_proto = hiera('opendaylight::nb_connection_protocol'),
$step = hiera('step'),
) {
if $step >= 4 {
- $odl_url_ip = hiera('opendaylight_api_vip')
-
- if ! $odl_url_ip { fail('OpenDaylight Controller IP/VIP is Empty') }
+ if ! $odl_url_ip { fail('OpenDaylight API VIP is Empty') }
class { '::neutron::plugins::ml2::opendaylight':
odl_username => $odl_username,
diff --git a/manifests/profile/base/neutron/plugins/ovs/opendaylight.pp b/manifests/profile/base/neutron/plugins/ovs/opendaylight.pp
index 91c5168..4da8df9 100644
--- a/manifests/profile/base/neutron/plugins/ovs/opendaylight.pp
+++ b/manifests/profile/base/neutron/plugins/ovs/opendaylight.pp
@@ -30,6 +30,10 @@
# (Optional) List of OpenStack Controller IPs for ODL API
# Defaults to hiera('opendaylight_api_node_ips')
#
+# [*odl_url_ip*]
+# (Optional) Virtual IP address for ODL Api Service
+# Defaults to hiera('opendaylight_api_vip')
+#
# [*conn_proto*]
# (Optional) Protocol to use to for ODL REST access
# Defaults to hiera('opendaylight::nb_connection_protocol')
@@ -43,25 +47,25 @@ class tripleo::profile::base::neutron::plugins::ovs::opendaylight (
$odl_port = hiera('opendaylight::odl_rest_port'),
$odl_check_url = hiera('opendaylight_check_url'),
$odl_api_ips = hiera('opendaylight_api_node_ips'),
+ $odl_url_ip = hiera('opendaylight_api_vip'),
$conn_proto = hiera('opendaylight::nb_connection_protocol'),
$step = hiera('step'),
) {
if $step >= 4 {
- $opendaylight_controller_ip = $odl_api_ips[0]
- $odl_url_ip = hiera('opendaylight_api_vip')
-
- if ! $opendaylight_controller_ip { fail('OpenDaylight Controller IP is Empty') }
+ if empty($odl_api_ips) { fail('No IPs assigned to OpenDaylight Api Service') }
if ! $odl_url_ip { fail('OpenDaylight API VIP is Empty') }
# Build URL to check if ODL is up before connecting OVS
$opendaylight_url = "${conn_proto}://${odl_url_ip}:${odl_port}/${odl_check_url}"
+ $odl_ovsdb_str = join(regsubst($odl_api_ips, '.+', 'tcp:\0:6640'), ' ')
+
class { '::neutron::plugins::ovs::opendaylight':
tunnel_ip => hiera('neutron::agents::ml2::ovs::local_ip'),
odl_check_url => $opendaylight_url,
- odl_ovsdb_iface => "tcp:${opendaylight_controller_ip}:6640",
+ odl_ovsdb_iface => $odl_ovsdb_str,
}
}
}
diff --git a/manifests/profile/base/neutron/server.pp b/manifests/profile/base/neutron/server.pp
index 5d6909f..d67a40c 100644
--- a/manifests/profile/base/neutron/server.pp
+++ b/manifests/profile/base/neutron/server.pp
@@ -43,14 +43,6 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# HAProxy. This could be as many as specified by the $certificates_specs
-# variable.
-# Note that this doesn't configure the certificates in haproxy, it merely
-# creates the certificates.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*l3_ha_override*]
# (Optional) Override the calculated value for neutron::server::l3_ha
# by default this is calculated to enable when DVR is not enabled
@@ -95,7 +87,6 @@ class tripleo::profile::base::neutron::server (
$certificates_specs = hiera('apache_certificates_specs', {}),
$dvr_enabled = hiera('neutron::server::router_distributed', false),
$enable_internal_tls = hiera('enable_internal_tls', false),
- $generate_service_certificates = hiera('generate_service_certificates', false),
$l3_ha_override = '',
$l3_nodes = hiera('neutron_l3_short_node_names', []),
$neutron_network = hiera('neutron_api_network', undef),
@@ -104,10 +95,6 @@ class tripleo::profile::base::neutron::server (
$tls_proxy_fqdn = undef,
$tls_proxy_port = 9696,
) {
- if $enable_internal_tls and $generate_service_certificates {
- ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
- }
-
if $::hostname == downcase($bootstrap_node) {
$sync_db = true
} else {
diff --git a/manifests/profile/base/neutron/sriov.pp b/manifests/profile/base/neutron/sriov.pp
index 00ecc21..24c7b63 100644
--- a/manifests/profile/base/neutron/sriov.pp
+++ b/manifests/profile/base/neutron/sriov.pp
@@ -33,6 +33,8 @@ class tripleo::profile::base::neutron::sriov(
$mechanism_drivers = hiera('neutron::plugins::ml2::mechanism_drivers'),
) {
+ include ::tripleo::profile::base::neutron
+
if $step >= 4 {
if 'sriovnicswitch' in $mechanism_drivers {
include ::neutron::agents::ml2::sriov
diff --git a/manifests/profile/base/nova/api.pp b/manifests/profile/base/nova/api.pp
index cda2b66..95a1721 100644
--- a/manifests/profile/base/nova/api.pp
+++ b/manifests/profile/base/nova/api.pp
@@ -36,14 +36,6 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# HAProxy. This could be as many as specified by the $certificates_specs
-# variable.
-# Note that this doesn't configure the certificates in haproxy, it merely
-# creates the certificates.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*nova_api_network*]
# (Optional) The network name where the nova API endpoint is listening on.
# This is set by t-h-t.
@@ -63,7 +55,6 @@ class tripleo::profile::base::nova::api (
$bootstrap_node = hiera('bootstrap_nodeid', undef),
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
- $generate_service_certificates = hiera('generate_service_certificates', false),
$nova_api_network = hiera('nova_api_network', undef),
$nova_api_wsgi_enabled = hiera('nova_wsgi_enabled', false),
$step = hiera('step'),
@@ -93,10 +84,6 @@ class tripleo::profile::base::nova::api (
# https://bugs.launchpad.net/nova/+bug/1661360
if $nova_api_wsgi_enabled {
if $enable_internal_tls {
- if $generate_service_certificates {
- ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
- }
-
if !$nova_api_network {
fail('nova_api_network is not set in the hieradata.')
}
diff --git a/manifests/profile/base/nova/compute.pp b/manifests/profile/base/nova/compute.pp
index 0eb2ed7..84b8bd5 100644
--- a/manifests/profile/base/nova/compute.pp
+++ b/manifests/profile/base/nova/compute.pp
@@ -48,10 +48,12 @@ class tripleo::profile::base::nova::compute (
# When utilising images for deployment, we need to reset the iSCSI initiator name to make it unique
# https://bugzilla.redhat.com/show_bug.cgi?id=1244328
+ ensure_resource('package', 'iscsi-initiator-utils', { ensure => 'present' })
exec { 'reset-iscsi-initiator-name':
command => '/bin/echo InitiatorName=$(/usr/sbin/iscsi-iname) > /etc/iscsi/initiatorname.iscsi',
onlyif => '/usr/bin/test ! -f /etc/iscsi/.initiator_reset',
before => File['/etc/iscsi/.initiator_reset'],
+ require => Package['iscsi-initiator-utils'],
}
file { '/etc/iscsi/.initiator_reset':
ensure => present,
diff --git a/manifests/profile/base/nova/ec2api.pp b/manifests/profile/base/nova/ec2api.pp
index f34b071..f8817d2 100644
--- a/manifests/profile/base/nova/ec2api.pp
+++ b/manifests/profile/base/nova/ec2api.pp
@@ -31,5 +31,6 @@ class tripleo::profile::base::nova::ec2api (
include ::ec2api::api
include ::ec2api::db::sync
include ::ec2api::metadata
+ include ::ec2api::keystone::authtoken
}
}
diff --git a/manifests/profile/base/nova/placement.pp b/manifests/profile/base/nova/placement.pp
index 46658b8..16bfe17 100644
--- a/manifests/profile/base/nova/placement.pp
+++ b/manifests/profile/base/nova/placement.pp
@@ -36,14 +36,6 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# HAProxy. This could be as many as specified by the $certificates_specs
-# variable.
-# Note that this doesn't configure the certificates in haproxy, it merely
-# creates the certificates.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*nova_placement_network*]
# (Optional) The network name where the nova placement endpoint is listening on.
# This is set by t-h-t.
@@ -58,7 +50,6 @@ class tripleo::profile::base::nova::placement (
$bootstrap_node = hiera('bootstrap_nodeid', undef),
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
- $generate_service_certificates = hiera('generate_service_certificates', false),
$nova_placement_network = hiera('nova_placement_network', undef),
$step = hiera('step'),
) {
@@ -72,10 +63,6 @@ class tripleo::profile::base::nova::placement (
include ::tripleo::profile::base::nova::authtoken
if $enable_internal_tls {
- if $generate_service_certificates {
- ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
- }
-
if !$nova_placement_network {
fail('nova_placement_network is not set in the hieradata.')
}
diff --git a/manifests/profile/base/panko.pp b/manifests/profile/base/panko.pp
index 880cf7d..286e4ac 100644
--- a/manifests/profile/base/panko.pp
+++ b/manifests/profile/base/panko.pp
@@ -23,26 +23,12 @@
# for more details.
# Defaults to hiera('step')
#
-# [*bootstrap_node*]
-# (Optional) The hostname of the node responsible for bootstrapping tasks
-# Defaults to hiera('bootstrap_nodeid')
class tripleo::profile::base::panko (
- $step = hiera('step'),
- $bootstrap_node = hiera('bootstrap_nodeid', undef),
+ $step = hiera('step'),
) {
-
- if $::hostname == downcase($bootstrap_node) {
- $sync_db = true
- } else {
- $sync_db = false
- }
-
- if $step >= 4 or ($step >= 3 and $sync_db) {
+ if $step >= 3 {
include ::panko
- include ::panko::db
include ::panko::config
- include ::panko::db::sync
}
-
}
diff --git a/manifests/profile/base/panko/api.pp b/manifests/profile/base/panko/api.pp
index 45ee0c0..90e80a2 100644
--- a/manifests/profile/base/panko/api.pp
+++ b/manifests/profile/base/panko/api.pp
@@ -18,6 +18,10 @@
#
# === Parameters
#
+# [*bootstrap_node*]
+# (Optional) The hostname of the node responsible for bootstrapping tasks
+# Defaults to hiera('bootstrap_nodeid')
+#
# [*certificates_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
@@ -34,14 +38,6 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# HAProxy. This could be as many as specified by the $certificates_specs
-# variable.
-# Note that this doesn't configure the certificates in haproxy, it merely
-# creates the certificates.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*panko_network*]
# (Optional) The network name where the panko endpoint is listening on.
# This is set by t-h-t.
@@ -53,19 +49,21 @@
# Defaults to hiera('step')
#
class tripleo::profile::base::panko::api (
+ $bootstrap_node = hiera('bootstrap_nodeid', undef),
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
- $generate_service_certificates = hiera('generate_service_certificates', false),
$panko_network = hiera('panko_api_network', undef),
$step = hiera('step'),
) {
+ if $::hostname == downcase($bootstrap_node) {
+ $sync_db = true
+ } else {
+ $sync_db = false
+ }
+
include ::tripleo::profile::base::panko
if $enable_internal_tls {
- if $generate_service_certificates {
- ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
- }
-
if !$panko_network {
fail('panko_api_network is not set in the hieradata.')
}
@@ -76,8 +74,11 @@ class tripleo::profile::base::panko::api (
$tls_keyfile = undef
}
- if $step >= 4 {
- include ::panko::api
+ if $step >= 4 or ( $step >= 3 and $sync_db ) {
+ include ::panko::db
+ class { '::panko::api':
+ sync_db => $sync_db,
+ }
class { '::panko::wsgi::apache':
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,
diff --git a/manifests/profile/base/qdr.pp b/manifests/profile/base/qdr.pp
new file mode 100644
index 0000000..9827f2e
--- /dev/null
+++ b/manifests/profile/base/qdr.pp
@@ -0,0 +1,54 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::qdr
+#
+# Qpid dispatch router profile for tripleo
+#
+# === Parameters
+#
+# [*qdr_username*]
+# Username for the qrouter daemon
+# Defaults to undef
+#
+# [*qdr_password*]
+# Password for the qrouter daemon
+# Defaults to undef
+#
+# [*qdr_listener_port*]
+# Port for the listener (not that we do not use qdr::listener_port
+# directly because it requires a string and we have a number.
+# Defaults to hiera('tripleo::profile::base::qdr::qdr_listener_port', 5672)
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+class tripleo::profile::base::qdr (
+ $qdr_username = undef,
+ $qdr_password = undef,
+ $qdr_listener_port = hiera('tripleo::profile::base::qdr::qdr_listener_port', 5672),
+ $step = hiera('step'),
+) {
+ if $step >= 1 {
+ class { '::qdr':
+ listener_port => "${qdr_listener_port}",
+ } ->
+ qdr_user { $qdr_username:
+ ensure => present,
+ password => $qdr_password,
+ }
+ }
+}
diff --git a/manifests/profile/base/rabbitmq.pp b/manifests/profile/base/rabbitmq.pp
index 1eaabf0..9d1417c 100644
--- a/manifests/profile/base/rabbitmq.pp
+++ b/manifests/profile/base/rabbitmq.pp
@@ -18,14 +18,35 @@
#
# === Parameters
#
+# [*certificate_specs*]
+# (Optional) The specifications to give to certmonger for the certificate
+# it will create. Note that the certificate nickname must be 'mysql' in
+# the case of this service.
+# Example with hiera:
+# tripleo::profile::base::database::mysql::certificate_specs:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "mysql/<overcloud controller fqdn>"
+# Defaults to {}.
+#
# [*config_variables*]
# (Optional) RabbitMQ environment.
# Defaults to hiera('rabbitmq_config_variables').
#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to undef
+#
# [*environment*]
# (Optional) RabbitMQ environment.
# Defaults to hiera('rabbitmq_environment').
#
+# [*inet_dist_interface*]
+# (Optional) Address to bind the inter-cluster interface
+# to. It is the inet_dist_use_interface option in the kernel variables
+# Defaults to hiera('rabbitmq::interface', undef).
+#
# [*ipv6*]
# (Optional) Whether to deploy RabbitMQ on IPv6 network.
# Defaults to str2bool(hiera('rabbit_ipv6', false)).
@@ -34,11 +55,6 @@
# (Optional) RabbitMQ environment.
# Defaults to hiera('rabbitmq_environment').
#
-# [*inet_dist_interface*]
-# (Optional) Address to bind the inter-cluster interface
-# to. It is the inet_dist_use_interface option in the kernel variables
-# Defaults to hiera('rabbitmq::interface', undef).
-#
# [*nodes*]
# (Optional) Array of host(s) for RabbitMQ nodes.
# Defaults to hiera('rabbitmq_node_names', []).
@@ -61,17 +77,27 @@
# Defaults to hiera('step')
#
class tripleo::profile::base::rabbitmq (
- $config_variables = hiera('rabbitmq_config_variables'),
- $environment = hiera('rabbitmq_environment'),
- $ipv6 = str2bool(hiera('rabbit_ipv6', false)),
- $kernel_variables = hiera('rabbitmq_kernel_variables'),
- $inet_dist_interface = hiera('rabbitmq::interface', undef),
- $nodes = hiera('rabbitmq_node_names', []),
- $rabbitmq_pass = hiera('rabbitmq::default_pass'),
- $rabbitmq_user = hiera('rabbitmq::default_user'),
- $stack_action = hiera('stack_action'),
- $step = hiera('step'),
+ $certificate_specs = {},
+ $config_variables = hiera('rabbitmq_config_variables'),
+ $enable_internal_tls = undef, # TODO(jaosorior): pass this via t-h-t
+ $environment = hiera('rabbitmq_environment'),
+ $inet_dist_interface = hiera('rabbitmq::interface', undef),
+ $ipv6 = str2bool(hiera('rabbit_ipv6', false)),
+ $kernel_variables = hiera('rabbitmq_kernel_variables'),
+ $nodes = hiera('rabbitmq_node_names', []),
+ $rabbitmq_pass = hiera('rabbitmq::default_pass'),
+ $rabbitmq_user = hiera('rabbitmq::default_user'),
+ $stack_action = hiera('stack_action'),
+ $step = hiera('step'),
) {
+ if $enable_internal_tls {
+ $tls_certfile = $certificate_specs['service_certificate']
+ $tls_keyfile = $certificate_specs['service_key']
+ } else {
+ $tls_certfile = undef
+ $tls_keyfile = undef
+ }
+
# IPv6 environment, necessary for RabbitMQ.
if $ipv6 {
$rabbit_env = merge($environment, {
@@ -100,6 +126,9 @@ class tripleo::profile::base::rabbitmq (
config_kernel_variables => $real_kernel_variables,
config_variables => $config_variables,
environment_variables => $rabbit_env,
+ # TLS options
+ ssl_cert => $tls_certfile,
+ ssl_key => $tls_keyfile,
}
# when running multi-nodes without Pacemaker
if $manage_service {
@@ -116,8 +145,14 @@ class tripleo::profile::base::rabbitmq (
config_kernel_variables => $kernel_variables,
config_variables => $config_variables,
environment_variables => $rabbit_env,
+ # TLS options
+ ssl_cert => $tls_certfile,
+ ssl_key => $tls_keyfile,
}
}
+ }
+
+ if $step >= 2 {
# In case of HA, starting of rabbitmq-server is managed by pacemaker, because of which, a dependency
# to Service['rabbitmq-server'] will not work. Sticking with UPDATE action.
if $stack_action == 'UPDATE' {
diff --git a/manifests/profile/base/sahara.pp b/manifests/profile/base/sahara.pp
index c9c656d..7f4ecbe 100644
--- a/manifests/profile/base/sahara.pp
+++ b/manifests/profile/base/sahara.pp
@@ -114,5 +114,6 @@ class tripleo::profile::base::sahara (
'ssl' => $oslomsg_use_ssl_real,
}),
}
+ include ::sahara::keystone::authtoken
}
}
diff --git a/manifests/profile/base/securetty.pp b/manifests/profile/base/securetty.pp
new file mode 100644
index 0000000..07f29f8
--- /dev/null
+++ b/manifests/profile/base/securetty.pp
@@ -0,0 +1,48 @@
+# Copyright 2016 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::securetty
+#
+# Sets securetty Parameters
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+# [*tty_list*]
+# Hash of values for /etc/securetty console
+# Defaults to hiera('securetty::tty_list')
+#
+class tripleo::profile::base::securetty (
+ $step = hiera('step'),
+ $tty_list = hiera('tty_list', []),
+) {
+ validate_array($tty_list)
+
+ if $step >=1 {
+ $ttys = join($tty_list, "\n")
+
+ file { '/etc/securetty':
+ ensure => file,
+ content => template( 'tripleo/securetty/securetty.erb' ),
+ owner => 'root',
+ group => 'root',
+ mode => '0600'
+ }
+ }
+}
diff --git a/manifests/profile/base/tuned.pp b/manifests/profile/base/tuned.pp
new file mode 100644
index 0000000..8dfcea0
--- /dev/null
+++ b/manifests/profile/base/tuned.pp
@@ -0,0 +1,20 @@
+# == Class: tripleo::profile::base::tuned
+#
+# Configures tuned service.
+#
+# === Parameters:
+#
+# [*profile*]
+# (optional) tuned active profile.
+# Defaults to 'throughput-performance'
+#
+#
+class tripleo::profile::base::tuned (
+ $profile = 'throughput-performance'
+) {
+ exec { 'tuned-adm':
+ path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+ command => "tuned-adm profile ${profile}",
+ unless => "tuned-adm active | grep -q '${profile}'"
+ }
+}
diff --git a/metadata.json b/metadata.json
index 0db84c7..32b5d95 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
{
"name": "openstack-tripleo",
- "version": "6.2.0",
+ "version": "7.0.0",
"author": "OpenStack Contributors",
"summary": "Puppet module for TripleO",
"license": "Apache-2.0",
diff --git a/releasenotes/notes/add-bgpvpn-support-77676690fb6dd17b.yaml b/releasenotes/notes/add-bgpvpn-support-77676690fb6dd17b.yaml
new file mode 100644
index 0000000..2af6aa7
--- /dev/null
+++ b/releasenotes/notes/add-bgpvpn-support-77676690fb6dd17b.yaml
@@ -0,0 +1,3 @@
+---
+features:
+ - Add support for BGPVPN Neutron service plugin
diff --git a/releasenotes/notes/add-opendaylight-ha-47a40c03917faf9c.yaml b/releasenotes/notes/add-opendaylight-ha-47a40c03917faf9c.yaml
new file mode 100644
index 0000000..e0a6d35
--- /dev/null
+++ b/releasenotes/notes/add-opendaylight-ha-47a40c03917faf9c.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - Adds OpenDaylight HA support. Now when ODL is applied to three or
+ more nodes ODL will be deployed as a cluster in HA, rather than
+ the previous behavior of only running on the first node.
diff --git a/releasenotes/notes/add-tunnel-timeout-for-haproxy-ui-0705dfd671f9f487.yaml b/releasenotes/notes/add-tunnel-timeout-for-haproxy-ui-0705dfd671f9f487.yaml
new file mode 100644
index 0000000..a1a04c1
--- /dev/null
+++ b/releasenotes/notes/add-tunnel-timeout-for-haproxy-ui-0705dfd671f9f487.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ Add a tunnel timeout to the HAProxy tripleo-ui configuration to ensure
+ Zaqar WebSocket tunnels persist longer than two minutes
+ https://bugs.launchpad.net/tripleo/+bug/1672826
diff --git a/releasenotes/notes/create-ceilo-user-for-gnocchi-b8a4d5ea2f2375a9.yaml b/releasenotes/notes/create-ceilo-user-for-gnocchi-b8a4d5ea2f2375a9.yaml
new file mode 100644
index 0000000..07407f2
--- /dev/null
+++ b/releasenotes/notes/create-ceilo-user-for-gnocchi-b8a4d5ea2f2375a9.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+ - We need ceilometer user in cases where ceilometer API is disabled.
+ This is to ensure other ceilometer services can still authenticate
+ with keystone.
diff --git a/releasenotes/notes/deploy-heat-APIs-over-httpd-46b111d0a4a4eed4.yaml b/releasenotes/notes/deploy-heat-APIs-over-httpd-46b111d0a4a4eed4.yaml
new file mode 100644
index 0000000..a50a27d
--- /dev/null
+++ b/releasenotes/notes/deploy-heat-APIs-over-httpd-46b111d0a4a4eed4.yaml
@@ -0,0 +1,3 @@
+---
+features:
+ - Heat APIs (api, cfn and cloudwatch) are now deployed over httpd.
diff --git a/releasenotes/notes/fix-horizon-configuration-during-updates-aecfab9a4aa8770b.yaml b/releasenotes/notes/fix-horizon-configuration-during-updates-aecfab9a4aa8770b.yaml
new file mode 100644
index 0000000..5c200dd
--- /dev/null
+++ b/releasenotes/notes/fix-horizon-configuration-during-updates-aecfab9a4aa8770b.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ Fixes horizon getting temporarily deconfigured during a stack update due
+ to the apache configuration occuring in step 3 but the horizon
+ configuration not occuring until step 4.
diff --git a/releasenotes/notes/fix-sriov-neutron-base-3e32bd667886c474.yaml b/releasenotes/notes/fix-sriov-neutron-base-3e32bd667886c474.yaml
new file mode 100644
index 0000000..012a16c
--- /dev/null
+++ b/releasenotes/notes/fix-sriov-neutron-base-3e32bd667886c474.yaml
@@ -0,0 +1,3 @@
+---
+fixes:
+ - Fixes missing neutron base class in sriov
diff --git a/releasenotes/notes/l2gw_plugin_support-e0b1faafe8e1135f.yaml b/releasenotes/notes/l2gw_plugin_support-e0b1faafe8e1135f.yaml
new file mode 100644
index 0000000..694f492
--- /dev/null
+++ b/releasenotes/notes/l2gw_plugin_support-e0b1faafe8e1135f.yaml
@@ -0,0 +1,3 @@
+---
+features:
+ - Add support for l2 gateway Neutron service plugin.
diff --git a/releasenotes/notes/messaging-amqp-7efec1bcb435e7cf.yaml b/releasenotes/notes/messaging-amqp-7efec1bcb435e7cf.yaml
new file mode 100644
index 0000000..b6f211c
--- /dev/null
+++ b/releasenotes/notes/messaging-amqp-7efec1bcb435e7cf.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - Include the amqp messaging class when the oslo.messaging rpc
+ protocol is enabled for AMQP 1.0.
diff --git a/releasenotes/notes/rabbitmq-user-check-95da891a2e197d89.yaml b/releasenotes/notes/rabbitmq-user-check-95da891a2e197d89.yaml
new file mode 100644
index 0000000..0857f63
--- /dev/null
+++ b/releasenotes/notes/rabbitmq-user-check-95da891a2e197d89.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - The rabbitmq user check is moved to step >= 2 from step >= 1. There
+ is no guarantee that rabbitmq is running at step 1, especially if
+ updating a failed stack that never made it past step 1 to begin
+ with.
diff --git a/releasenotes/notes/re-run-ceilo-upgrade-0d9ba69fe4bfe780.yaml b/releasenotes/notes/re-run-ceilo-upgrade-0d9ba69fe4bfe780.yaml
new file mode 100644
index 0000000..c354431
--- /dev/null
+++ b/releasenotes/notes/re-run-ceilo-upgrade-0d9ba69fe4bfe780.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+ - Re-run gnocchi and ceilometer upgrade in step5. This is required
+ for gnocchi resource types to be created in ceilometer and gnocchi
+ to function properly.
diff --git a/releasenotes/notes/restrict-mongodb-memory-c19d69638b63feb4.yaml b/releasenotes/notes/restrict-mongodb-memory-c19d69638b63feb4.yaml
new file mode 100644
index 0000000..1186bb9
--- /dev/null
+++ b/releasenotes/notes/restrict-mongodb-memory-c19d69638b63feb4.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - Add a way for mongodb to limit amount of memory it comsumes
+ with systemd. A new param memory_limit has been added to
+ tripleo::profile::base::database::mongodb class with
+ default limit of 20G.
diff --git a/releasenotes/notes/sahara_auth_v3-65bd276b39b4e284.yaml b/releasenotes/notes/sahara_auth_v3-65bd276b39b4e284.yaml
new file mode 100644
index 0000000..c744e0f
--- /dev/null
+++ b/releasenotes/notes/sahara_auth_v3-65bd276b39b4e284.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - Sahara is now deployed with keystone_authtoken parameters and move
+ forward with Keystone v3 version.
diff --git a/releasenotes/notes/securetty-6a10eefd601e45ca.yaml b/releasenotes/notes/securetty-6a10eefd601e45ca.yaml
new file mode 100644
index 0000000..e5cfcf5
--- /dev/null
+++ b/releasenotes/notes/securetty-6a10eefd601e45ca.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Allows granular level of control over the `/etc/securetty` file.
+ By allowing operators to specify the values in securetty, they
+ can improve security by limiting root console access.
diff --git a/releasenotes/source/conf.py b/releasenotes/source/conf.py
index 5cc0c41..e293b07 100644
--- a/releasenotes/source/conf.py
+++ b/releasenotes/source/conf.py
@@ -45,16 +45,16 @@ master_doc = 'index'
# General information about the project.
project = u'puppet-tripleo Release Notes'
-copyright = u'2016, Puppet TripleO Developers'
+copyright = u'2017, Puppet TripleO Developers'
# The version info for the project you're documenting, acts as replacement for
# |version| and |release|, also used in various other places throughout the
# built documents.
#
# The short X.Y version.
-version = '6.2.0'
+version = '7.0.0'
# The full version, including alpha/beta/rc tags.
-release = '6.2.0'
+release = '7.0.0'
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
@@ -198,7 +198,7 @@ latex_elements = {
# author, documentclass [howto, manual, or own class]).
latex_documents = [
('index', 'puppet-tripleoReleaseNotes.tex', u'puppet-tripleo Release Notes Documentation',
- u'2016, Puppet TripleO Developers', 'manual'),
+ u'2017, Puppet TripleO Developers', 'manual'),
]
# The name of an image file (relative to this directory) to place at the top of
@@ -228,7 +228,7 @@ latex_documents = [
# (source start file, name, description, authors, manual section).
man_pages = [
('index', 'puppet-tripleoreleasenotes', u'puppet-tripleo Release Notes Documentation',
- [u'2016, Puppet TripleO Developers'], 1)
+ [u'2017, Puppet TripleO Developers'], 1)
]
# If true, show URL addresses after external links.
@@ -242,7 +242,7 @@ man_pages = [
# dir menu entry, description, category)
texinfo_documents = [
('index', 'puppet-tripleoReleaseNotes', u'puppet-tripleo Release Notes Documentation',
- u'2016, Puppet TripleO Developers', 'puppet-tripleoReleaseNotes', 'Puppet TripleO Project.',
+ u'2017, Puppet TripleO Developers', 'puppet-tripleoReleaseNotes', 'Puppet TripleO Project.',
'Miscellaneous'),
]
diff --git a/spec/classes/tripleo_certmonger_ca_local.rb b/spec/classes/tripleo_certmonger_ca_local.rb
new file mode 100644
index 0000000..7ee9383
--- /dev/null
+++ b/spec/classes/tripleo_certmonger_ca_local.rb
@@ -0,0 +1,46 @@
+#
+# Copyright (C) 2017 Red Hat Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for tripleo
+#
+
+require 'spec_helper'
+
+describe 'tripleo::certmonger::ca::local' do
+
+ shared_examples_for 'tripleo::certmonger::ca::local' do
+ let :params do
+ {
+ :ca_pem => '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem',
+ }
+ end
+
+ it 'should extract CA cert' do
+ is_expected.to contain_exec('extract-and-trust-ca').with(
+ :creates => params[:ca_pem],
+ )
+ end
+ end
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let(:facts) do
+ facts.merge({})
+ end
+
+ it_behaves_like 'tripleo::certmonger::ca::local'
+ end
+ end
+end
diff --git a/spec/classes/tripleo_certmonger_httpd.rb b/spec/classes/tripleo_certmonger_httpd.rb
new file mode 100644
index 0000000..da5ce94
--- /dev/null
+++ b/spec/classes/tripleo_certmonger_httpd.rb
@@ -0,0 +1,63 @@
+#
+# Copyright (C) 2017 Red Hat Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for tripleo
+#
+
+require 'spec_helper'
+
+describe 'tripleo::certmonger::httpd' do
+
+ shared_examples_for 'tripleo::certmonger::httpd' do
+ let :params do
+ {
+ :name => 'httpd-cert',
+ :hostname => 'localhost',
+ :service_certificate => '/etc/pki/cert.crt',
+ :service_key => '/etc/pki/key.pem',
+ }
+ end
+
+ it 'should include the base for using certmonger' do
+ is_expected.to contain_class('certmonger')
+ end
+
+ it 'should include the httpd parameters' do
+ is_expected.to contain_class('apache::params')
+ end
+
+ it 'should request a certificate' do
+ is_expected.to contain_certmonger_certificate('httpd-cert').with(
+ :ensure => 'present',
+ :certfile => '/etc/pki/cert.crt',
+ :keyfile => '/etc/pki/key.pem',
+ :hostname => 'localhost',
+ :dnsname => 'localhost',
+ :ca => 'local',
+ :wait => true,
+ )
+ end
+ end
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let(:facts) do
+ facts.merge({})
+ end
+
+ it_behaves_like 'tripleo::certmonger::httpd'
+ end
+ end
+end
diff --git a/spec/classes/tripleo_certmonger_mysql.rb b/spec/classes/tripleo_certmonger_mysql.rb
new file mode 100644
index 0000000..23b1e4f
--- /dev/null
+++ b/spec/classes/tripleo_certmonger_mysql.rb
@@ -0,0 +1,64 @@
+#
+# Copyright (C) 2017 Red Hat Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for tripleo
+#
+
+require 'spec_helper'
+
+describe 'tripleo::certmonger::mysql' do
+
+ shared_examples_for 'tripleo::certmonger::mysql' do
+ let :params do
+ {
+ :hostname => 'localhost',
+ :service_certificate => '/etc/pki/cert.crt',
+ :service_key => '/etc/pki/key.pem',
+ }
+ end
+
+ it 'should include the base for using certmonger' do
+ is_expected.to contain_class('certmonger')
+ end
+
+ it 'should include the mysql parameters' do
+ is_expected.to contain_class('mysql::params')
+ end
+
+ it 'should request a certificate' do
+ is_expected.to contain_certmonger_certificate('mysql').with(
+ :ensure => 'present',
+ :certfile => '/etc/pki/cert.crt',
+ :keyfile => '/etc/pki/key.pem',
+ :hostname => 'localhost',
+ :dnsname => 'localhost',
+ :ca => 'local',
+ :wait => true,
+ )
+ is_expected.to contain_file('/etc/pki/cert.crt')
+ is_expected.to contain_file('/etc/pki/key.pem')
+ end
+ end
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let(:facts) do
+ facts.merge({})
+ end
+
+ it_behaves_like 'tripleo::certmonger::mysql'
+ end
+ end
+end
diff --git a/spec/classes/tripleo_certmonger_rabbitmq.rb b/spec/classes/tripleo_certmonger_rabbitmq.rb
new file mode 100644
index 0000000..5c011ce
--- /dev/null
+++ b/spec/classes/tripleo_certmonger_rabbitmq.rb
@@ -0,0 +1,64 @@
+#
+# Copyright (C) 2017 Red Hat Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for tripleo
+#
+
+require 'spec_helper'
+
+describe 'tripleo::certmonger::rabbitmq' do
+
+ shared_examples_for 'tripleo::certmonger::rabbitmq' do
+ let :params do
+ {
+ :hostname => 'localhost',
+ :service_certificate => '/etc/pki/cert.crt',
+ :service_key => '/etc/pki/key.pem',
+ }
+ end
+
+ it 'should include the base for using certmonger' do
+ is_expected.to contain_class('certmonger')
+ end
+
+ it 'should include the rabbitmq parameters' do
+ is_expected.to contain_class('rabbitmq::params')
+ end
+
+ it 'should request a certificate' do
+ is_expected.to contain_certmonger_certificate('rabbitmq').with(
+ :ensure => 'present',
+ :certfile => '/etc/pki/cert.crt',
+ :keyfile => '/etc/pki/key.pem',
+ :hostname => 'localhost',
+ :dnsname => 'localhost',
+ :ca => 'local',
+ :wait => true,
+ )
+ is_expected.to contain_file('/etc/pki/cert.crt')
+ is_expected.to contain_file('/etc/pki/key.pem')
+ end
+ end
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let(:facts) do
+ facts.merge({})
+ end
+
+ it_behaves_like 'tripleo::certmonger::rabbitmq'
+ end
+ end
+end
diff --git a/spec/classes/tripleo_profile_base_aodh_api_spec.rb b/spec/classes/tripleo_profile_base_aodh_api_spec.rb
index f2a26bf..a82cf49 100644
--- a/spec/classes/tripleo_profile_base_aodh_api_spec.rb
+++ b/spec/classes/tripleo_profile_base_aodh_api_spec.rb
@@ -22,8 +22,8 @@ describe 'tripleo::profile::base::aodh::api' do
"class { '::tripleo::profile::base::aodh': step => #{params[:step]}, oslomsg_rpc_hosts => ['localhost.localdomain'] }"
end
- context 'with step less than 4' do
- let(:params) { { :step => 3 } }
+ context 'with step less than 3' do
+ let(:params) { { :step => 2 } }
it 'should do nothing' do
is_expected.to contain_class('tripleo::profile::base::aodh::api')
@@ -33,9 +33,9 @@ describe 'tripleo::profile::base::aodh::api' do
end
end
- context 'with step 4' do
+ context 'with step 3' do
let(:params) { {
- :step => 4,
+ :step => 3,
} }
it 'should trigger complete configuration' do
diff --git a/spec/classes/tripleo_profile_base_ceilometer_collector_spec.rb b/spec/classes/tripleo_profile_base_ceilometer_collector_spec.rb
index 23b198a..0f9aad7 100644
--- a/spec/classes/tripleo_profile_base_ceilometer_collector_spec.rb
+++ b/spec/classes/tripleo_profile_base_ceilometer_collector_spec.rb
@@ -128,6 +128,32 @@ describe 'tripleo::profile::base::ceilometer::collector' do
is_expected.to contain_class('ceilometer::dispatcher::gnocchi')
end
end
+
+ context 'with step 5 on bootstrap node' do
+ let(:params) { {
+ :step => 5,
+ :bootstrap_node => 'node.example.com',
+ :mongodb_node_ips => ['127.0.0.1',],
+ :mongodb_replset => 'replicaset'
+ } }
+
+ it 'should trigger complete configuration' do
+ is_expected.to contain_exec('ceilometer-db-upgrade')
+ end
+ end
+
+ context 'with step 5 not on bootstrap node' do
+ let(:params) { {
+ :step => 5,
+ :bootstrap_node => 'somethingelse.example.com',
+ :mongodb_node_ips => ['127.0.0.1',],
+ :mongodb_replset => 'replicaset'
+ } }
+
+ it 'should trigger complete configuration' do
+ is_expected.to_not contain_exec('ceilometer-db-upgrade')
+ end
+ end
end
diff --git a/spec/classes/tripleo_profile_base_database_mysql_spec.rb b/spec/classes/tripleo_profile_base_database_mysql_spec.rb
new file mode 100644
index 0000000..b192f6c
--- /dev/null
+++ b/spec/classes/tripleo_profile_base_database_mysql_spec.rb
@@ -0,0 +1,75 @@
+#
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::database::mysql' do
+ let :params do
+ { :step => 2,
+ :mysql_max_connections => 4096,
+ }
+ end
+ shared_examples_for 'tripleo::profile::base::database::mysql' do
+ before :each do
+ facts.merge!({ :step => params[:step] })
+ end
+
+ context 'with noha and raise mariadb limit' do
+ before do
+ params.merge!({
+ :generate_dropin_file_limit => true
+ })
+ end
+ it 'should create limit file' do
+ is_expected.to contain_systemd__service_limits('mariadb.service').with(
+ :limits => { "LimitNOFILE" => 16384 })
+ end
+ end
+
+ context 'with noha and do not raise mariadb limit' do
+ before do
+ params.merge!({
+ :generate_dropin_file_limit => false
+ })
+ end
+ it 'should not create limit file' do
+ is_expected.to_not contain_systemd__service_limits('mariadb.service')
+ end
+ end
+
+ context 'with ha and raise mariadb limit' do
+ before do
+ params.merge!({
+ :generate_dropin_file_limit => true,
+ :manage_resources => false,
+ })
+ end
+ it 'should not create limit file in ha' do
+ is_expected.to_not contain_systemd__service_limits('mariadb.service')
+ end
+ end
+ end
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let(:facts) do
+ facts.merge({ :hostname => 'node.example.com' })
+ end
+
+ it_behaves_like 'tripleo::profile::base::database::mysql'
+ end
+ end
+end
diff --git a/spec/classes/tripleo_profile_base_horizon_spec.rb b/spec/classes/tripleo_profile_base_horizon_spec.rb
new file mode 100644
index 0000000..fb076b8
--- /dev/null
+++ b/spec/classes/tripleo_profile_base_horizon_spec.rb
@@ -0,0 +1,57 @@
+#
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::horizon' do
+ shared_examples_for 'tripleo::profile::base::horizon' do
+ let(:pre_condition) do
+ "class { '::tripleo::profile::base::aodh': step => #{params[:step]}, oslomsg_rpc_hosts => ['localhost.localdomain'] }"
+ end
+
+ context 'with step less than 3' do
+ let(:params) { { :step => 2 } }
+
+ it 'should do nothing' do
+ is_expected.to contain_class('tripleo::profile::base::horizon')
+ is_expected.to_not contain_class('horizon')
+ end
+ end
+
+ context 'with step 3' do
+ let(:params) { {
+ :step => 3,
+ } }
+
+ it 'should trigger complete configuration' do
+ is_expected.to contain_class('horizon')
+ is_expected.to contain_class('apache::mod::remoteip')
+ is_expected.to contain_class('apache::mod::status')
+ end
+ end
+ end
+
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let(:facts) do
+ facts.merge({ :hostname => 'node.example.com' })
+ end
+
+ it_behaves_like 'tripleo::profile::base::horizon'
+ end
+ end
+end
diff --git a/spec/classes/tripleo_profile_base_neutron_opendaylight_spec.rb b/spec/classes/tripleo_profile_base_neutron_opendaylight_spec.rb
new file mode 100644
index 0000000..1eb79ae
--- /dev/null
+++ b/spec/classes/tripleo_profile_base_neutron_opendaylight_spec.rb
@@ -0,0 +1,88 @@
+#
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::neutron::opendaylight' do
+ let :params do
+ { :step => 1,
+ :node_name => 'overcloud-controller-0',
+ }
+ end
+ shared_examples_for 'tripleo::profile::base::neutron::opendaylight' do
+ before :each do
+ facts.merge!({ :step => params[:step] })
+ end
+
+ context 'with noha' do
+ before do
+ params.merge!({
+ :odl_api_ips => ['192.0.2.5']
+ })
+ end
+ it 'should install and configure opendaylight' do
+ is_expected.to contain_class('opendaylight')
+ end
+ end
+
+ context 'with empty OpenDaylight API IPs' do
+ before do
+ params.merge!({
+ :odl_api_ips => []
+ })
+ end
+ it 'should fail to install OpenDaylight' do
+ is_expected.to compile.and_raise_error(/No IPs assigned to OpenDaylight Api Service/)
+ end
+ end
+
+ context 'with 2 OpenDaylight API IPs' do
+ before do
+ params.merge!({
+ :odl_api_ips => ['192.0.2.5', '192.0.2.6']
+ })
+ end
+ it 'should fail to install OpenDaylight' do
+ is_expected.to compile.and_raise_error(/2 node OpenDaylight deployments are unsupported. Use 1 or greater than 2/)
+ end
+ end
+
+ context 'with HA and 3 OpenDaylight API IPs' do
+ before do
+ params.merge!({
+ :odl_api_ips => ['192.0.2.5', '192.0.2.6', '192.0.2.7']
+ })
+ end
+ it 'should install and configure OpenDaylight in HA' do
+ is_expected.to contain_class('opendaylight').with(
+ :enable_ha => true,
+ :ha_node_ips => params[:odl_api_ips],
+ :ha_node_index => '1',
+ )
+ end
+ end
+ end
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let(:facts) do
+ facts.merge({ :hostname => 'node.example.com' })
+ end
+
+ it_behaves_like 'tripleo::profile::base::neutron::opendaylight'
+ end
+ end
+end
diff --git a/spec/classes/tripleo_profile_base_nova_compute_spec.rb b/spec/classes/tripleo_profile_base_nova_compute_spec.rb
index d052682..545a1fa 100644
--- a/spec/classes/tripleo_profile_base_nova_compute_spec.rb
+++ b/spec/classes/tripleo_profile_base_nova_compute_spec.rb
@@ -27,6 +27,7 @@ describe 'tripleo::profile::base::nova::compute' do
is_expected.to_not contain_class('tripleo::profile::base::nova')
is_expected.to_not contain_class('nova::compute')
is_expected.to_not contain_class('nova::network::neutron')
+ is_expected.to_not contain_package('iscsi-initiator-utils')
is_expected.to_not contain_exec('reset-iscsi-initiator-name')
is_expected.to_not contain_file('/etc/iscsi/.initiator_reset')
}
@@ -51,6 +52,7 @@ eos
is_expected.to contain_class('tripleo::profile::base::nova')
is_expected.to contain_class('nova::compute')
is_expected.to contain_class('nova::network::neutron')
+ is_expected.to contain_package('iscsi-initiator-utils')
is_expected.to contain_exec('reset-iscsi-initiator-name')
is_expected.to contain_file('/etc/iscsi/.initiator_reset')
is_expected.to_not contain_package('nfs-utils')
@@ -66,6 +68,7 @@ eos
is_expected.to contain_class('tripleo::profile::base::nova')
is_expected.to contain_class('nova::compute')
is_expected.to contain_class('nova::network::neutron')
+ is_expected.to contain_package('iscsi-initiator-utils')
is_expected.to contain_exec('reset-iscsi-initiator-name')
is_expected.to contain_file('/etc/iscsi/.initiator_reset')
is_expected.to contain_package('nfs-utils')
diff --git a/spec/classes/tripleo_profile_base_nova_placement_spec.rb b/spec/classes/tripleo_profile_base_nova_placement_spec.rb
index 2a18320..04e032a 100644
--- a/spec/classes/tripleo_profile_base_nova_placement_spec.rb
+++ b/spec/classes/tripleo_profile_base_nova_placement_spec.rb
@@ -49,7 +49,6 @@ eos
let(:params) { {
:step => 1,
:enable_internal_tls => true,
- :generate_service_certificates => true,
:nova_placement_network => 'bar',
:certificates_specs => {
'httpd-bar' => {
@@ -63,7 +62,6 @@ eos
it {
is_expected.to contain_class('tripleo::profile::base::nova::placement')
is_expected.to contain_class('tripleo::profile::base::nova')
- is_expected.to contain_tripleo__certmonger__httpd('httpd-bar')
is_expected.to_not contain_class('nova::keystone::authtoken')
is_expected.to_not contain_class('nova::wsgi::apache_placement')
}
@@ -87,7 +85,6 @@ eos
let(:params) { {
:step => 3,
:enable_internal_tls => true,
- :generate_service_certificates => false,
:nova_placement_network => 'bar',
:certificates_specs => {
'httpd-bar' => {
@@ -102,7 +99,6 @@ eos
it {
is_expected.to contain_class('tripleo::profile::base::nova::placement')
is_expected.to contain_class('tripleo::profile::base::nova')
- is_expected.to_not contain_tripleo__certmonger__httpd('foo')
is_expected.to contain_class('nova::keystone::authtoken')
is_expected.to contain_class('nova::wsgi::apache_placement').with(
:ssl_cert => '/foo.pem',
diff --git a/spec/classes/tripleo_profile_base_securetty_spec.rb b/spec/classes/tripleo_profile_base_securetty_spec.rb
new file mode 100644
index 0000000..c57d8be
--- /dev/null
+++ b/spec/classes/tripleo_profile_base_securetty_spec.rb
@@ -0,0 +1,72 @@
+# Copyright 2017 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for tripleo::profile::base::securetty
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::securetty' do
+
+ shared_examples_for 'tripleo::profile::base::securetty' do
+
+ context 'with defaults step 1' do
+ let(:params) {{ :step => 1 }}
+ it { is_expected.to contain_class('tripleo::profile::base::securetty') }
+ it {
+ is_expected.to contain_file('/etc/securetty').with(
+ :content => ["# Managed by Puppet / TripleO Heat Templates",
+ "# A list of TTYs, from which root can log in",
+ "# see `man securetty` for reference",
+ "",
+ ""].join("\n"),
+ :owner => 'root',
+ :group => 'root',
+ :mode => '0600')
+ }
+ end
+
+ context 'it should configure securtty' do
+ let(:params) {{
+ :step => 1,
+ :tty_list => ['console', 'tty1', 'tty2', 'tty3', 'tty4', 'tty5', 'tty6']
+ }}
+
+ it 'should configure securetty values' do
+ is_expected.to contain_file('/etc/securetty').with(
+ :owner => 'root',
+ :group => 'root',
+ :mode => '0600',
+ )
+ .with_content(/console/)
+ .with_content(/tty1/)
+ .with_content(/tty2/)
+ .with_content(/tty3/)
+ .with_content(/tty4/)
+ .with_content(/tty5/)
+ .with_content(/tty6/)
+ end
+ end
+ end
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let (:facts) {
+ facts
+ }
+ it_behaves_like 'tripleo::profile::base::securetty'
+ end
+ end
+end
diff --git a/spec/classes/tripleo_profile_base_tuned_spec.rb b/spec/classes/tripleo_profile_base_tuned_spec.rb
new file mode 100644
index 0000000..95b0f26
--- /dev/null
+++ b/spec/classes/tripleo_profile_base_tuned_spec.rb
@@ -0,0 +1,44 @@
+#
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::tuned' do
+
+ shared_examples_for 'tripleo::profile::base::tuned' do
+ context 'with profile' do
+ let :params do
+ {
+ :profile => 'virtual-compute'
+ }
+ end
+
+ it 'should run tuned-adm exec' do
+ is_expected.to contain_exec('tuned-adm')
+ end
+ end
+ end
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let(:facts) {
+ facts
+ }
+
+ it_behaves_like 'tripleo::profile::base::tuned'
+ end
+ end
+end
diff --git a/spec/fixtures/hieradata/default.yaml b/spec/fixtures/hieradata/default.yaml
index eadb444..9634e5d 100644
--- a/spec/fixtures/hieradata/default.yaml
+++ b/spec/fixtures/hieradata/default.yaml
@@ -39,3 +39,4 @@ memcached_node_ips:
- '127.0.0.1'
# octavia related items
octavia::rabbit_password: 'password'
+horizon::secret_key: 'secrete'
diff --git a/templates/securetty/securetty.erb b/templates/securetty/securetty.erb
new file mode 100644
index 0000000..c8c7b90
--- /dev/null
+++ b/templates/securetty/securetty.erb
@@ -0,0 +1,4 @@
+# Managed by Puppet / TripleO Heat Templates
+# A list of TTYs, from which root can log in
+# see `man securetty` for reference
+<%= @ttys %>