-rw-r--r-- | lib/puppet/parser/functions/list_to_hash.rb | 31 | ||||
-rw-r--r-- | manifests/firewall/rule.pp | 38 | ||||
-rw-r--r-- | manifests/loadbalancer.pp | 2 | ||||
-rw-r--r-- | manifests/loadbalancer/endpoint.pp | 16 | ||||
-rw-r--r-- | manifests/profile/base/glance/api.pp | 68 | ||||
-rw-r--r-- | manifests/profile/base/glance/registry.pp | 64 | ||||
-rw-r--r-- | manifests/profile/pacemaker/glance.pp | 129 | ||||
-rw-r--r-- | spec/classes/tripleo_firewall_spec.rb | 7 |
8 files changed, 326 insertions, 29 deletions
diff --git a/lib/puppet/parser/functions/list_to_hash.rb b/lib/puppet/parser/functions/list_to_hash.rb
new file mode 100644
index 0000000..c6449a9
--- /dev/null
+++ b/lib/puppet/parser/functions/list_to_hash.rb
@@ -0,0 +1,31 @@
+# This function is an hack because we are not enabling Puppet parser
+# that would allow us to manipulate data iterations directly in manifests.
+#
+# Example:
+# keystone_vips = ['192.168.0.1:5000', '192.168.0.2:5000']
+# $keystone_bind_opts = ['transparent']
+#
+# Using this function:
+# $keystone_vips_hash = list_to_hash($keystone_vips, $keystone_bind_opts)
+#
+# Would return:
+# $keystone_vips_hash = {
+# '192.168.0.1:5000' => ['transparent'],
+# '192.168.0.2:5000' => ['transparent'],
+# }
+#
+# Disclaimer: this function is an hack and will disappear once TripleO enable
+# Puppet parser.
+#
+
+module Puppet::Parser::Functions
+ newfunction(:list_to_hash, :type => :rvalue, :doc => <<-EOS
+ This function returns an hash from a specified array
+ EOS
+ ) do |argv|
+ arr1 = argv[0]
+ arr2 = argv[1]
+ h = arr1.each_with_object({}) { |v,h| h[v] = arr2 }
+ return h
+ end
+end
diff --git a/manifests/firewall/rule.pp b/manifests/firewall/rule.pp
index 02afbc2..ca9c6d0 100644
--- a/manifests/firewall/rule.pp
+++ b/manifests/firewall/rule.pp
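Review bot: The body starting at `arr1 = argv[0]` never checks its arguments, so a call with one argument or with a scalar first argument dies inside `each_with_object` with a NoMethodError instead of a parse error that names the function, which is what other parser functions raise. Adding `raise(Puppet::ParseError, 'list_to_hash(): requires exactly two arguments') unless argv.size == 2` before the assignments would give the manifest author a clear message. The block parameter `h` in `{ |v,h| h[v] = arr2 }` also shadows the outer `h` assigned on the same line; it works, but `arr1.each_with_object({}) { |key, acc| acc[key] = arr2 }` with the explicit `return` dropped is the same behaviour without looking like a bug. A one-line comment that every key points at the same `arr2` object rather than a copy would also be useful for the next reader.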
@@ -47,29 +47,35 @@ # (optional) The chain associated to the rule. # Defaults to 'INPUT' # -# [*extras*] +# [*destination*] +# (optional) The destination cidr associated to the rule. +# Defaults to undef +# +# [*extras*] # (optional) Hash of any puppetlabs-firewall supported parameters. # Defaults to {} # define tripleo::firewall::rule ( - $port = undef, - $proto = 'tcp', - $action = 'accept', - $state = ['NEW'], - $source = '0.0.0.0/0', - $iniface = undef, - $chain = 'INPUT', - $extras = {}, + $port = undef, + $proto = 'tcp', + $action = 'accept', + $state = ['NEW'], + $source = '0.0.0.0/0', + $iniface = undef, + $chain = 'INPUT', + $destination = undef, + $extras = {}, ) { $basic = { - 'port' => $port, - 'proto' => $proto, - 'action' => $action, - 'state' => $state, - 'source' => $source, - 'iniface' => $iniface, - 'chain' => $chain, + 'port' => $port, + 'proto' => $proto, + 'action' => $action, + 'state' => $state, + 'source' => $source, + 'iniface' => $iniface, + 'chain' => $chain, + 'destination' => $destination, } $rule = merge($basic, $extras) diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp index e91e611..664590b 100644 --- a/manifests/loadbalancer.pp +++ b/manifests/loadbalancer.pp @@ -520,6 +520,7 @@ class tripleo::loadbalancer ( 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', # NOTE(jaosorior): We always redirect to https for the public_virtual_ip. 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }", + 'option' => 'forwardfor', } } else { $horizon_bind_opts = { @@ -528,6 +529,7 @@ class tripleo::loadbalancer ( } $horizon_options = { 'cookie' => 'SERVERID insert indirect nocache', + 'option' => 'forwardfor', } } diff --git a/manifests/loadbalancer/endpoint.pp b/manifests/loadbalancer/endpoint.pp index e6bb185..f75f79a 100644 --- a/manifests/loadbalancer/endpoint.pp +++ b/manifests/loadbalancer/endpoint.pp 
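Review bot: The new `[*destination*]` parameter is documented only as "The destination cidr associated to the rule", but nothing in the define validates it and the value goes straight into the firewall resource through `$basic` and `merge`, so a malformed value only surfaces as an iptables error at apply time. I would make that explicit in the doc: `# (optional) The destination cidr associated to the rule. Passed through unchanged to the puppetlabs-firewall 'destination' parameter; no validation is performed here.` The define's body continues past the hunk after `$rule = merge($basic, $extras)`.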
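Review bot: `'option' => 'forwardfor'` makes HAProxy append the connecting client's address to X-Forwarded-For, but it does not strip a header the client sent itself, so Horizon must only trust the last entry (the one HAProxy added) when it uses the header for logging or access decisions; the same applies to the second loadbalancer.pp hunk at line 528. That trust boundary is worth stating next to the option, e.g. `# forwardfor appends the client address to X-Forwarded-For; backends must treat only the last entry as trusted`. The enclosing class tripleo::loadbalancer starts and ends outside both hunks.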
@@ -88,13 +88,9 @@ define tripleo::loadbalancer::endpoint ( # service exposed to the public network if $public_certificate { - $public_bind_opts = { - "${public_virtual_ip}:${public_ssl_port}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]), - } + $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${public_ssl_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate])) } else { - $public_bind_opts = { - "${public_virtual_ip}:${service_port}" => $haproxy_listen_bind_param, - } + $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${service_port}"), $haproxy_listen_bind_param) } } else { # internal service only @@ -102,13 +98,9 @@ define tripleo::loadbalancer::endpoint ( } if $internal_certificate { - $internal_bind_opts = { - "${internal_ip}:${service_port}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]), - } + $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate])) } else { - $internal_bind_opts = { - "${internal_ip}:${service_port}" => $haproxy_listen_bind_param, - } + $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param) } $bind_opts = merge($internal_bind_opts, $public_bind_opts) diff --git a/manifests/profile/base/glance/api.pp b/manifests/profile/base/glance/api.pp new file mode 100644 index 0000000..22b4dc9 --- /dev/null +++ b/manifests/profile/base/glance/api.pp 
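Review bot: In the second hunk the `if $internal_certificate` branch still binds the internal address with `['ssl', 'crt', $public_certificate]` on the new `$internal_bind_opts = list_to_hash(...)` line, so the internal endpoint is served with the public certificate and `$internal_certificate` acts only as a flag; the removed line had the same value, so this is carried over rather than introduced, but the rewrite is the moment to either use `$internal_certificate` there or add a comment stating that sharing the public certificate is intended. A comment that `list_to_hash` maps every address in `any2array($public_virtual_ip)` / `any2array($internal_ip)` to the same bind-parameter list would also help, since the old literal hash made that obvious. The define tripleo::loadbalancer::endpoint starts and ends outside both hunks.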
@@ -0,0 +1,68 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::glance::api
+#
+# Glance API profile for tripleo
+#
+# === Parameters
+#
+# [*manage_service*]
+# (Optional) Whether to manage the glance service
+# Defaults to undef
+#
+# [*enabled*]
+# (Optional) Whether to enable the glance service
+# Defaults to undef
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+# [*glance_backend*]
+# (Optional) Glance backend(s) to use.
+# Defaults to downcase(hiera('glance_backend', 'swift'))
+#
+class tripleo::profile::base::glance::api (
+ $manage_service = undef,
+ $enabled = undef,
+ $step = hiera('step'),
+ $glance_backend = downcase(hiera('glance_backend', 'swift')),
+) {
+
+ if $step >= 4 {
+ case $glance_backend {
+ 'swift': { $backend_store = 'glance.store.swift.Store' }
+ 'file': { $backend_store = 'glance.store.filesystem.Store' }
+ 'rbd': { $backend_store = 'glance.store.rbd.Store' }
+ default: { fail('Unrecognized glance_backend parameter.') }
+ }
+ $http_store = ['glance.store.http.Store']
+ $glance_store = concat($http_store, $backend_store)
+
+ # TODO: notifications, scrubber, etc.
+ include ::glance
+ include ::glance::config
+ class { '::glance::api':
+ known_stores => $glance_store,
+ manage_service => $manage_service,
+ enabled => $enabled,
+ }
+ include ::glance::notify::rabbitmq
+ include join(['::glance::backend::', $glance_backend])
+ }
+
+}
+
diff --git a/manifests/profile/base/glance/registry.pp b/manifests/profile/base/glance/registry.pp
new file mode 100644
index 0000000..bed4a5e
--- /dev/null
+++ b/manifests/profile/base/glance/registry.pp
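Review bot: The `[*glance_backend*]` doc block says "Glance backend(s) to use", but the `case $glance_backend` below accepts exactly one of `swift`, `file` or `rbd` and calls `fail()` for anything else, and the value is then used to build a class name in `include join(['::glance::backend::', $glance_backend])`. I would make the doc match what the code enforces: `# (Optional) Glance backend to use. One of 'swift', 'file' or 'rbd'; any other value fails catalog compilation.` Since the `case` only runs inside `if $step >= 4`, a bad value is not reported at earlier steps, which is worth a sentence in the same place.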
@@ -0,0 +1,64 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::glance::registry
+#
+# Glance Registry profile for tripleo
+#
+# === Parameters
+#
+# [*sync_db*]
+# (Optional) Whether to run db sync
+# Defaults to undef
+#
+# [*manage_service*]
+# (Optional) Whether to manage the glance service
+# Defaults to undef
+#
+# [*enabled*]
+# (Optional) Whether to enable the glance service
+# Defaults to undef
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+# [*glance_backend*]
+# (Optional) Glance backend(s) to use.
+# Defaults to downcase(hiera('glance_backend', 'swift'))
+#
+class tripleo::profile::base::glance::registry (
+ $sync_db = undef,
+ $manage_service = undef,
+ $enabled = undef,
+ $step = hiera('step'),
+ $glance_backend = downcase(hiera('glance_backend', 'swift')),
+) {
+
+ if $step >= 4 {
+ # TODO: notifications, scrubber, etc.
+ include ::glance
+ include ::glance::config
+ class { '::glance::registry' :
+ sync_db => $sync_db,
+ manage_service => $manage_service,
+ enabled => $enabled,
+ }
+ include ::glance::notify::rabbitmq
+ include join(['::glance::backend::', $glance_backend])
+ }
+
+}
+
diff --git a/manifests/profile/pacemaker/glance.pp b/manifests/profile/pacemaker/glance.pp
new file mode 100644
index 0000000..5727622
--- /dev/null
+++ b/manifests/profile/pacemaker/glance.pp
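Review bot: Unlike the api profile, this class reaches `include join(['::glance::backend::', $glance_backend])` without any check on the value, so an unrecognised or mistyped `glance_backend` hiera key fails with a generic "could not find class" error during compilation instead of a clear message, and the class name is built straight from configuration data. Validating before the include keeps the two profiles consistent, e.g. `validate_re($glance_backend, '^(swift|file|rbd)$', 'Unrecognized glance_backend parameter.')` as the first statement of the `if $step >= 4` block. The `[*glance_backend*]` doc should list those accepted values as well, since "backend(s)" suggests more than one is supported.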
@@ -0,0 +1,129 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::pacemaker::glance +# +# Glance Pacemaker HA profile for tripleo +# +# === Parameters +# +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +# [*glance_backend*] +# (Optional) Glance backend(s) to use. +# Defaults to downcase(hiera('glance_backend', 'swift')) +# +# [*glance_file_pcmk_manage*] +# (Optional) Whether or not manage glance_file_pcmk. +# Defaults to hiera('glance_file_pcmk_manage', false) +# +# [*glance_file_pcmk_device*] +# (Optional) Device to mount glance file backend. +# Defaults to hiera('glance_file_pcmk_device', '') +# +# [*glance_file_pcmk_directory*] +# (Optional) Directory to mount glance file backend. +# Defaults to hiera('glance_file_pcmk_directory', '') +# +# [*glance_file_pcmk_fstype*] +# (Optional) Filesystem type to mount glance file backend. +# Defaults to hiera('glance_file_pcmk_fstype', '') +# +# [*glance_file_pcmk_options*] +# (Optional) pcmk options to mount Glance file backend.. 
+# Defaults to hiera('glance_file_pcmk_options', '') +# +class tripleo::profile::pacemaker::glance ( + $bootstrap_node = hiera('bootstrap_nodeid'), + $step = hiera('step'), + $glance_backend = downcase(hiera('glance_backend', 'swift')), + $glance_file_pcmk_manage = hiera('glance_file_pcmk_manage', false), + $glance_file_pcmk_device = hiera('glance_file_pcmk_device', ''), + $glance_file_pcmk_directory = hiera('glance_file_pcmk_directory', ''), + $glance_file_pcmk_fstype = hiera('glance_file_pcmk_fstype', ''), + $glance_file_pcmk_options = hiera('glance_file_pcmk_options', ''), +) { + + if $::hostname == downcase($bootstrap_node) { + $pacemaker_master = true + } else { + $pacemaker_master = false + } + + if $step >= 4 { + class { '::tripleo::profile::base::glance::api': + manage_service => false, + enabled => false, + } + class { '::tripleo::profile::base::glance::registry': + sync_db => $pacemaker_master, + manage_service => false, + enabled => false, + } + if $glance_backend == 'file' and $glance_file_pcmk_manage { + $secontext = 'context="system_u:object_r:glance_var_lib_t:s0"' + pacemaker::resource::filesystem { 'glance-fs': + device => $glance_file_pcmk_device, + directory => $glance_file_pcmk_directory, + fstype => $glance_file_pcmk_fstype, + fsoptions => join([$secontext, $glance_file_pcmk_options],','), + clone_params => '', + } + } + } + + if $step >= 5 and $pacemaker_master { + pacemaker::resource::service { $::glance::params::registry_service_name : + clone_params => 'interleave=true', + require => Pacemaker::Resource::Ocf['openstack-core'], + } + pacemaker::resource::service { $::glance::params::api_service_name : + clone_params => 'interleave=true', + } + + pacemaker::constraint::base { 'keystone-then-glance-registry-constraint': + constraint_type => 'order', + first_resource => 'openstack-core-clone', + second_resource => "${::glance::params::registry_service_name}-clone", + first_action => 'start', + second_action => 'start', + require => 
[Pacemaker::Resource::Service[$::glance::params::registry_service_name], + Pacemaker::Resource::Ocf['openstack-core']], + } + pacemaker::constraint::base { 'glance-registry-then-glance-api-constraint': + constraint_type => 'order', + first_resource => "${::glance::params::registry_service_name}-clone", + second_resource => "${::glance::params::api_service_name}-clone", + first_action => 'start', + second_action => 'start', + require => [Pacemaker::Resource::Service[$::glance::params::registry_service_name], + Pacemaker::Resource::Service[$::glance::params::api_service_name]], + } + pacemaker::constraint::colocation { 'glance-api-with-glance-registry-colocation': + source => "${::glance::params::api_service_name}-clone", + target => "${::glance::params::registry_service_name}-clone", + score => 'INFINITY', + require => [Pacemaker::Resource::Service[$::glance::params::registry_service_name], + Pacemaker::Resource::Service[$::glance::params::api_service_name]], + } + } + +} diff --git a/spec/classes/tripleo_firewall_spec.rb b/spec/classes/tripleo_firewall_spec.rb index 7d1d1ec..aa5d1d7 100644 --- a/spec/classes/tripleo_firewall_spec.rb +++ b/spec/classes/tripleo_firewall_spec.rb @@ -73,7 +73,8 @@ describe 'tripleo::firewall' do :manage_firewall => true, :firewall_rules => { '300 add custom application 1' => {'port' => '999', 'proto' => 'udp', 'action' => 'accept'}, - '301 add custom application 2' => {'port' => '8081', 'proto' => 'tcp', 'action' => 'accept'} + '301 add custom application 2' => {'port' => '8081', 'proto' => 'tcp', 'action' => 'accept'}, + '302 fwd custom cidr 1' => {'chain' => 'FORWARD', 'destination' => '192.0.2.0/24'} } ) end @@ -90,6 +91,10 @@ describe 'tripleo::firewall' do :action => 'accept', :state => ['NEW'], ) + is_expected.to contain_firewall('302 fwd custom cidr 1').with( + :chain => 'FORWARD', + :destination => '192.0.2.0/24', + ) end end |
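Review bot: When `$glance_file_pcmk_manage` is true the `pacemaker::resource::filesystem { 'glance-fs': ... }` resource is declared with whatever hiera provides, and `glance_file_pcmk_device`, `glance_file_pcmk_directory` and `glance_file_pcmk_fstype` all default to `''`, so a missing hiera key yields a Filesystem resource with an empty device or mount point and the failure only shows up in pacemaker rather than at compile time. A guard inside that branch such as `if $glance_file_pcmk_device == '' or $glance_file_pcmk_directory == '' { fail('glance_file_pcmk_device and glance_file_pcmk_directory are required when glance_file_pcmk_manage is true') }` reports it where the operator can act on it. The `join([$secontext, $glance_file_pcmk_options],',')` call also produces a trailing comma in `fsoptions` when the options stay at the default `''`; I have not verified whether the Filesystem agent tolerates that, so it deserves either an `empty()` check or a test. The `$::hostname == downcase($bootstrap_node)` comparison downcases only one side, which could misclassify the master on hosts whose fact carries upper-case letters.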