diff options
| -rw-r--r-- | manifests/glance/nfs_mount.pp | 80 | ||||
| -rw-r--r-- | manifests/haproxy.pp | 30 | ||||
| -rw-r--r-- | manifests/profile/base/barbican.pp | 36 | ||||
| -rw-r--r-- | manifests/profile/base/barbican/api.pp | 56 | ||||
| -rw-r--r-- | manifests/profile/base/glance/api.pp | 17 | ||||
| -rw-r--r-- | manifests/profile/base/heat.pp | 2 | ||||
| -rw-r--r-- | manifests/profile/base/keystone.pp | 54 | ||||
| -rw-r--r-- | metadata.json | 2 | ||||
| -rw-r--r-- | spec/classes/tripleo_profile_base_barbican_api_spec.rb | 107 | ||||
| -rw-r--r-- | spec/classes/tripleo_profile_base_barbican_spec.rb | 56 | ||||
| -rw-r--r-- | spec/fixtures/hieradata/default.yaml | 3 |
11 files changed, 420 insertions, 23 deletions
diff --git a/manifests/glance/nfs_mount.pp b/manifests/glance/nfs_mount.pp new file mode 100644 index 0000000..035191d --- /dev/null +++ b/manifests/glance/nfs_mount.pp @@ -0,0 +1,80 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::glance::nfs_mount +# +# NFS mount for Glance image storage file backend +# +# === Parameters +# +# [*share*] +# NFS share to mount, in 'IP:PATH' format. +# +# [*options*] +# (Optional) NFS mount options. Defaults to +# 'intr,context=system_u:object_r:glance_var_lib_t:s0' +# +# [*edit_fstab*] +# (Optional) Whether to persist the mount info to fstab. +# Defaults to true. +# +# [*fstab_fstype*] +# (Optional) File system type to use in fstab for the mount. +# Defaults to 'nfs4'. +# +# [*fstab_prepend_options*] +# (Optional) Extra mount options for fstab (prepended to $options). +# Defaults to 'bg', so that a potentially failed mount doesn't +# prevent the machine from booting. +# +class tripleo::glance::nfs_mount ( + $share, + $options = 'intr,context=system_u:object_r:glance_var_lib_t:s0', + $edit_fstab = true, + $fstab_fstype = 'nfs4', + $fstab_prepend_options = 'bg' +) { + + $images_dir = '/var/lib/glance/images' + + if $options and $options != '' { + $options_part = "-o ${options}" + } else { + $options_part = '' + } + + if $fstab_prepend_options and $fstab_prepend_options != '' { + $fstab_prepend_part = "${fstab_prepend_options}," + } else { + $fstab_prepend_part = '' + } + + file { $images_dir: + ensure => directory, + } -> + exec { 'NFS mount for glance file backend': + path => ['/usr/sbin', '/usr/bin'], + command => "mount -t nfs '${share}' '${images_dir}' ${options_part}", + unless => "mount | grep ' ${images_dir} '", + } + + if $edit_fstab { + file_line { 'NFS for glance in fstab': + ensure => present, + line => "${share} ${images_dir} ${fstab_fstype} ${fstab_prepend_part}${options} 0 0", + match => " ${images_dir} ", + path => '/etc/fstab', + } + } +} diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index 5f563ba..d925da0 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -182,6 +182,10 @@ # (optional) Enable or not Aodh API binding # Defaults to hiera('aodh_api_enabled', false) # +# [*barbican*] +# (optional) Enable or not Barbican API binding +# Defaults to false +# # [*gnocchi*] # (optional) Enable or not Gnocchi API binding # Defaults to hiera('gnocchi_api_enabled', false) @@ -271,6 +275,10 @@ # (optional) Specify the network aodh is running on. # Defaults to hiera('aodh_api_network', undef) # +# [*barbican_network*] +# (optional) Specify the network barbican is running on. +# Defaults to hiera('barbican_api_network', undef) +# # [*ceilometer_network*] # (optional) Specify the network ceilometer is running on. # Defaults to hiera('ceilometer_api_network', undef) @@ -376,6 +384,8 @@ # The available keys to modify the services' ports are: # 'aodh_api_port' (Defaults to 8042) # 'aodh_api_ssl_port' (Defaults to 13042) +# 'barbican_api_port' (Defaults to 9311) +# 'barbican_api_ssl_port' (Defaults to 13311) # 'ceilometer_api_port' (Defaults to 8777) # 'ceilometer_api_ssl_port' (Defaults to 13777) # 'cinder_api_port' (Defaults to 8776) @@ -464,6 +474,7 @@ class tripleo::haproxy ( $nova_novncproxy = hiera('nova_vnc_proxy_enabled', false), $ceilometer = hiera('ceilometer_api_enabled', false), $aodh = hiera('aodh_api_enabled', false), + $barbican = hiera('barbican_api_enabled', false), $gnocchi = hiera('gnocchi_api_enabled', false), $mistral = hiera('mistral_api_enabled', false), $swift_proxy_server = hiera('swift_proxy_enabled', false), @@ -486,6 +497,7 @@ class tripleo::haproxy ( $zaqar_ws = hiera('zaqar_api_enabled', false), $ui = hiera('enable_ui', false), $aodh_network = hiera('aodh_api_network', undef), + $barbican_network = hiera('barbican_api_network', false), $ceilometer_network = hiera('ceilometer_api_network', undef), $ceph_rgw_network = hiera('ceph_rgw_network', undef), $cinder_network = hiera('cinder_api_network', undef), @@ -515,6 +527,8 @@ class tripleo::haproxy ( $default_service_ports = { aodh_api_port => 8042, aodh_api_ssl_port => 13042, + barbican_api_port => 9311, + barbican_api_ssl_port => 13311, ceilometer_api_port => 8777, ceilometer_api_ssl_port => 13777, cinder_api_port => 8776, @@ -922,6 +936,18 @@ class tripleo::haproxy ( } } + if $barbican { + ::tripleo::haproxy::endpoint { 'barbican': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('barbican_api_vip', $controller_virtual_ip), + service_port => $ports[barbican_api_port], + ip_addresses => hiera('barbican_api_node_ips', $controller_hosts_real), + server_names => hiera('aodh_api_node_names', $controller_hosts_names_real), + public_ssl_port => $ports[barbican_api_ssl_port], + service_network => $barbican_network + } + } + if $gnocchi { ::tripleo::haproxy::endpoint { 'gnocchi': public_virtual_ip => $public_virtual_ip, @@ -1197,8 +1223,8 @@ class tripleo::haproxy ( $opendaylight_api_vip = hiera('opendaylight_api_vip', $controller_virtual_ip) $opendaylight_bind_opts = { - "${opendaylight_api_vip}:8081" => [], - "${public_virtual_ip}:8081" => [], + "${opendaylight_api_vip}:8081" => $haproxy_listen_bind_param, + "${public_virtual_ip}:8081" => $haproxy_listen_bind_param, } if $opendaylight { diff --git a/manifests/profile/base/barbican.pp b/manifests/profile/base/barbican.pp new file mode 100644 index 0000000..f4d6230 --- /dev/null +++ b/manifests/profile/base/barbican.pp @@ -0,0 +1,36 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::barbican +# +# Barbican profile for tripleo +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# + +class tripleo::profile::base::barbican ( + $step = hiera('step'), +) { + + if $step >= 3 { + include ::barbican + include ::barbican::config + include ::barbican::client + } +} diff --git a/manifests/profile/base/barbican/api.pp b/manifests/profile/base/barbican/api.pp new file mode 100644 index 0000000..470e649 --- /dev/null +++ b/manifests/profile/base/barbican/api.pp @@ -0,0 +1,56 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::barbican::api +# +# Barbican profile for tripleo api +# +# === Parameters +# +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::barbican::api ( + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $step = hiera('step'), +) { + if $::hostname == downcase($bootstrap_node) { + $sync_db = true + } else { + $sync_db = false + } + + include ::tripleo::profile::base::barbican + + if $step >= 3 and $sync_db { + include ::barbican::db::mysql + } + + if $step >= 4 or ( $step >= 3 and $sync_db ) { + class { '::barbican::api': + sync_db => $sync_db + } + include ::barbican::keystone::authtoken + include ::barbican::api::logging + include ::barbican::keystone::notification + include ::barbican::quota + include ::barbican::wsgi::apache + } +} diff --git a/manifests/profile/base/glance/api.pp b/manifests/profile/base/glance/api.pp index f3db396..a7d4487 100644 --- a/manifests/profile/base/glance/api.pp +++ b/manifests/profile/base/glance/api.pp @@ -22,6 +22,10 @@ # (Optional) Glance backend(s) to use. # Defaults to downcase(hiera('glance_backend', 'swift')) # +# [*glance_nfs_enabled*] +# (Optional) Whether to use NFS mount as 'file' backend storage location. +# Defaults to false +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -36,12 +40,17 @@ # Defaults to hiera('glance::notify::rabbitmq::rabbit_port', 5672) class tripleo::profile::base::glance::api ( - $glance_backend = downcase(hiera('glance_backend', 'swift')), - $step = hiera('step'), - $rabbit_hosts = hiera('rabbitmq_node_ips', undef), - $rabbit_port = hiera('glance::notify::rabbitmq::rabbit_port', 5672), + $glance_backend = downcase(hiera('glance_backend', 'swift')), + $glance_nfs_enabled = false, + $step = hiera('step'), + $rabbit_hosts = hiera('rabbitmq_node_ips', undef), + $rabbit_port = hiera('glance::notify::rabbitmq::rabbit_port', 5672), ) { + if $step >= 1 and $glance_nfs_enabled { + include ::tripleo::glance::nfs_mount + } + if $step >= 4 { case $glance_backend { 'swift': { $backend_store = 'glance.store.swift.Store' } diff --git a/manifests/profile/base/heat.pp b/manifests/profile/base/heat.pp index abb9f76..2babf4c 100644 --- a/manifests/profile/base/heat.pp +++ b/manifests/profile/base/heat.pp @@ -53,7 +53,7 @@ class tripleo::profile::base::heat ( ) { # Domain resources will be created at step5 on the node running keystone.pp # configure heat.conf at step3 and 4 but actually create the domain later. - if $step == 3 or $step == 4 { + if $step >= 3 { class { '::heat::keystone::domain': manage_domain => false, manage_user => false, diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index 8a70110..e30f712 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -74,6 +74,23 @@ # for more details. # Defaults to hiera('step') # +# [*heat_admin_domain*] +# domain name for heat admin +# Defaults to hiera('heat::keystone::domain::domain_name', 'heat') +# +# [*heat_admin_user*] +# heat admin user name +# Defaults to hiera('heat::keystone::domain::domain_admin', 'heat_admin') +# +# [*heat_admin_email*] +# heat admin email address +# Defaults to hiera('heat::keystone::domain::domain_admin_email', +# 'heat_admin@localhost') +# +# [*heat_admin_password*] +# heat admin password +# Defaults to hiera('heat::keystone::domain::domain_password') +# class tripleo::profile::base::keystone ( $admin_endpoint_network = hiera('keystone_admin_api_network', undef), $bootstrap_node = hiera('bootstrap_nodeid', undef), @@ -85,6 +102,10 @@ class tripleo::profile::base::keystone ( $rabbit_hosts = hiera('rabbitmq_node_ips', undef), $rabbit_port = hiera('keystone::rabbit_port', 5672), $step = hiera('step'), + $heat_admin_domain = hiera('heat::keystone::domain::domain_name', 'heat'), + $heat_admin_user = hiera('heat::keystone::domain::domain_admin', 'heat_admin'), + $heat_admin_email = hiera('heat::keystone::domain::domain_admin_email', 'heat_admin@localhost'), + $heat_admin_password = hiera('heat::keystone::domain::domain_password'), ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -153,22 +174,22 @@ class tripleo::profile::base::keystone ( if $step >= 5 and $manage_domain { if hiera('heat_engine_enabled', false) { - # if Heat and Keystone are collocated, so we want to - # both configure heat.conf and create Keystone resources. - # note: domain_password is given via Hiera. - if defined(Class['::tripleo::profile::base::heat']) { - include ::heat::keystone::domain - } else { - # if Heat and Keystone are not collocated, we want Puppet - # to only create Keystone resources on the Keystone node - # but not try to configure Heat, to avoid leaking the password. - class { '::heat::keystone::domain': - domain_name => $::os_service_default, - domain_admin => $::os_service_default, - domain_password => $::os_service_default, - } + # create these seperate and don't use ::heat::keystone::domain since + # that class writes out the configs + keystone_domain { $heat_admin_domain: + ensure => 'present', + enabled => true + } + keystone_user { "${heat_admin_user}::${heat_admin_domain}": + ensure => 'present', + enabled => true, + email => $heat_admin_email, + password => $heat_admin_password + } + keystone_user_role { "${heat_admin_user}::${heat_admin_domain}@::${heat_admin_domain}": + roles => ['admin'], + require => Class['::keystone::roles::admin'] } - Class['::keystone::roles::admin'] -> Class['::heat::keystone::domain'] } } @@ -176,6 +197,9 @@ class tripleo::profile::base::keystone ( if hiera('aodh_api_enabled', false) { include ::aodh::keystone::auth } + if hiera('barbican_api_enabled', false) { + include ::barbican::keystone::auth + } if hiera('ceilometer_api_enabled', false) { include ::ceilometer::keystone::auth } diff --git a/metadata.json b/metadata.json index 1b135bd..c7f0e77 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "openstack-tripleo", - "version": "5.3.0", + "version": "5.4.0", "author": "OpenStack Contributors", "summary": "Puppet module for TripleO", "license": "Apache-2.0", diff --git a/spec/classes/tripleo_profile_base_barbican_api_spec.rb b/spec/classes/tripleo_profile_base_barbican_api_spec.rb new file mode 100644 index 0000000..169642e --- /dev/null +++ b/spec/classes/tripleo_profile_base_barbican_api_spec.rb @@ -0,0 +1,107 @@ +# +# Copyright (C) 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::barbican::api' do + shared_examples_for 'tripleo::profile::base::barbican::api' do + let(:pre_condition) do + "class { '::tripleo::profile::base::barbican': step => #{params[:step]} }" + end + + context 'with step less than 3' do + let(:params) { { :step => 1 } } + + it 'should do nothing' do + is_expected.to contain_class('tripleo::profile::base::barbican::api') + is_expected.to contain_class('tripleo::profile::base::barbican') + is_expected.to_not contain_class('barbican::api') + is_expected.to_not contain_class('barbican::api::logging') + is_expected.to_not contain_class('barbican::keystone::notification') + is_expected.to_not contain_class('barbican::quota') + is_expected.to_not contain_class('barbican::wsgi::apache') + end + end + + context 'with step 3 on bootstrap node' do + let(:params) { { + :step => 3, + :bootstrap_node => 'node.example.com', + } } + + it 'should trigger complete configuration' do + is_expected.to contain_class('tripleo::profile::base::barbican::api') + is_expected.to contain_class('tripleo::profile::base::barbican') + is_expected.to contain_class('barbican::db::mysql') + is_expected.to contain_class('barbican::db::sync') + is_expected.to contain_class('barbican::api') + is_expected.to contain_class('barbican::api::logging') + is_expected.to contain_class('barbican::keystone::notification') + is_expected.to contain_class('barbican::quota') + is_expected.to contain_class('barbican::wsgi::apache') + end + end + + context 'with step 3 not on bootstrap node' do + let(:params) { { + :step => 3, + :bootstrap_node => 'other.example.com', + } } + + it 'should not trigger any configuration' do + is_expected.to contain_class('tripleo::profile::base::barbican::api') + is_expected.to contain_class('tripleo::profile::base::barbican') + is_expected.to_not contain_class('barbican::db::mysql') + is_expected.to_not contain_class('barbican::db::sync') + is_expected.to_not contain_class('barbican::api') + is_expected.to_not contain_class('barbican::api::logging') + is_expected.to_not contain_class('barbican::keystone::notification') + is_expected.to_not contain_class('barbican::quota') + is_expected.to_not contain_class('barbican::wsgi::apache') + end + end + + context 'with step 4 not on bootstrap node' do + let(:params) { { + :step => 4, + :bootstrap_node => 'other.example.com', + } } + + it 'should trigger complete configuration with out db items' do + is_expected.to_not contain_class('barbican::db::mysql') + # TODO(aschultz): barbican::api includes this automatically + #is_expected.to_not contain_class('barbican::db::sync') + is_expected.to contain_class('barbican::api') + is_expected.to contain_class('barbican::api::logging') + is_expected.to contain_class('barbican::keystone::notification') + is_expected.to contain_class('barbican::quota') + is_expected.to contain_class('barbican::wsgi::apache') + end + end + + end + + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({ :hostname => 'node.example.com' }) + end + + it_behaves_like 'tripleo::profile::base::barbican::api' + end + end +end diff --git a/spec/classes/tripleo_profile_base_barbican_spec.rb b/spec/classes/tripleo_profile_base_barbican_spec.rb new file mode 100644 index 0000000..470b2c2 --- /dev/null +++ b/spec/classes/tripleo_profile_base_barbican_spec.rb @@ -0,0 +1,56 @@ +# +# Copyright (C) 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::barbican' do + shared_examples_for 'tripleo::profile::base::barbican' do + context 'with step less than 3' do + let(:params) { { :step => 1 } } + it 'should do nothing' do + is_expected.to contain_class('tripleo::profile::base::barbican') + is_expected.to_not contain_class('barbican') + is_expected.to_not contain_class('barbican::config') + is_expected.to_not contain_class('barbican::client') + end + end + + context 'with step 3' do + let(:params) { { + :step => 3, + } } + + it 'should trigger complete configuration' do + is_expected.to contain_class('barbican').with( + :rabbit_hosts => params[:rabbit_hosts] + ) + is_expected.to contain_class('barbican') + is_expected.to contain_class('barbican::config') + is_expected.to contain_class('barbican::client') + end + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({ :hostname => 'node.example.com' }) + end + + it_behaves_like 'tripleo::profile::base::barbican' + end + end +end diff --git a/spec/fixtures/hieradata/default.yaml b/spec/fixtures/hieradata/default.yaml index f0f7f1c..87ae28c 100644 --- a/spec/fixtures/hieradata/default.yaml +++ b/spec/fixtures/hieradata/default.yaml @@ -8,6 +8,9 @@ redis_vip: '127.0.0.1' aodh::auth::auth_password: 'password' aodh::db::mysql::password: 'password' aodh::keystone::authtoken::password: 'password' +# babican profile required hieradata +barbican::db::mysql::password: 'password' +barbican::keystone::authtoken::password: 'password' ceilometer::keystone::authtoken::password: 'password' # ceph related items ceph::profile::params::mon_key: 'password' |