diff options
| -rw-r--r-- | manifests/certmonger/mysql.pp | 84 | ||||
| -rw-r--r-- | manifests/firewall.pp | 7 | ||||
| -rw-r--r-- | manifests/firewall/rule.pp | 11 | ||||
| -rw-r--r-- | manifests/haproxy.pp | 55 | ||||
| -rw-r--r-- | manifests/network/os_net_config.pp | 11 | ||||
| -rw-r--r-- | manifests/profile/base/aodh/api.pp | 12 | ||||
| -rw-r--r-- | manifests/profile/base/barbican/api.pp | 57 | ||||
| -rw-r--r-- | manifests/profile/base/ceph/rgw.pp | 20 | ||||
| -rw-r--r-- | manifests/profile/base/cinder/api.pp | 57 | ||||
| -rw-r--r-- | manifests/profile/base/database/mysql.pp | 56 | ||||
| -rw-r--r-- | manifests/profile/base/keepalived.pp | 47 | ||||
| -rw-r--r-- | manifests/profile/base/keystone.pp | 44 | ||||
| -rw-r--r-- | manifests/profile/base/neutron/plugins/ml2/opendaylight.pp | 6 | ||||
| -rw-r--r-- | manifests/profile/base/neutron/server.pp | 33 | ||||
| -rw-r--r-- | manifests/profile/base/panko.pp | 47 | ||||
| -rw-r--r-- | manifests/profile/base/panko/api.pp | 35 | ||||
| -rw-r--r-- | metadata.json | 2 | ||||
| -rw-r--r-- | spec/classes/tripleo_firewall_spec.rb | 4 | ||||
| -rw-r--r-- | spec/classes/tripleo_profile_base_aodh_api_spec.rb | 16 | ||||
| -rw-r--r-- | spec/classes/tripleo_profile_base_ceph_rgw_spec.rb | 16 |
20 files changed, 525 insertions, 95 deletions
diff --git a/manifests/certmonger/mysql.pp b/manifests/certmonger/mysql.pp new file mode 100644 index 0000000..62aff9a --- /dev/null +++ b/manifests/certmonger/mysql.pp @@ -0,0 +1,84 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::certmonger::mysql +# +# Request a certificate for the MySQL/Mariadb service and do the necessary setup. +# +# === Parameters +# +# [*hostname*] +# The hostname of the node. this will be set in the CN of the certificate. +# +# [*service_certificate*] +# The path to the certificate that will be used for TLS in this service. +# +# [*service_key*] +# The path to the key that will be used for TLS in this service. +# +# [*certmonger_ca*] +# (Optional) The CA that certmonger will use to generate the certificates. +# Defaults to hiera('certmonger_ca', 'local'). +# +# [*mysql_network*] +# (Optional) The network name where the mysql endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('mysql_network', undef) +# +# [*principal*] +# (Optional) The haproxy service principal that is set for MySQL in kerberos. +# Defaults to undef +# +class tripleo::certmonger::mysql ( + $hostname, + $service_certificate, + $service_key, + $certmonger_ca = hiera('certmonger_ca', 'local'), + $mysql_network = hiera('mysql_network', undef), + $principal = undef, +) { + include ::certmonger + include ::mysql::params + + if !$mysql_network { + fail('mysql_network is not set in the hieradata.') + } + + $postsave_cmd = "systemctl reload ${::mysql::params::service_name}" + certmonger_certificate { 'mysql' : + ensure => 'present', + certfile => $service_certificate, + keyfile => $service_key, + hostname => $hostname, + dnsname => $hostname, + principal => $principal, + postsave_cmd => $postsave_cmd, + ca => $certmonger_ca, + wait => true, + require => Class['::certmonger'], + } + file { $service_certificate : + owner => 'mysql', + group => 'mysql', + require => Certmonger_certificate['mysql'], + } + file { $service_key : + owner => 'mysql', + group => 'mysql', + require => Certmonger_certificate['mysql'], + } + + File[$service_certificate] ~> Service<| title == $::mysql::params::service_name |> + File[$service_key] ~> Service<| title == $::mysql::params::service_name |> +} diff --git a/manifests/firewall.pp b/manifests/firewall.pp index 3184cd3..8c6a53b 100644 --- a/manifests/firewall.pp +++ b/manifests/firewall.pp @@ -51,8 +51,6 @@ class tripleo::firewall( $firewall_post_extras = {}, ) { - include ::stdlib - if $manage_firewall { # Only purges IPv4 rules @@ -79,14 +77,15 @@ class tripleo::firewall( ensure_resource('class', 'tripleo::firewall::pre', { 'firewall_settings' => $firewall_pre_extras, - 'stage' => 'setup', }) ensure_resource('class', 'tripleo::firewall::post', { - 'stage' => 'runtime', 'firewall_settings' => $firewall_post_extras, }) + Class['tripleo::firewall::pre'] -> Class['tripleo::firewall::post'] + Service<||> -> Class['tripleo::firewall::post'] + # Allow composable services to load their own custom # example with Hiera. # NOTE(dprince): In the future when we have a better hiera diff --git a/manifests/firewall/rule.pp b/manifests/firewall/rule.pp index c63162b..6801dc4 100644 --- a/manifests/firewall/rule.pp +++ b/manifests/firewall/rule.pp @@ -83,14 +83,21 @@ define tripleo::firewall::rule ( 'sport' => $sport, 'proto' => $proto, 'action' => $action, - 'state' => $state, 'source' => $source, 'iniface' => $iniface, 'chain' => $chain, 'destination' => $destination, } + if $proto != 'gre' { + $state_rule = { + 'state' => $state + } + } else { + $state_rule = {} + } + - $rule = merge($basic, $extras) + $rule = merge($basic, $state_rule, $extras) validate_hash($rule) create_resources('firewall', { "${title}" => $rule }) diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index 4d96e98..2f3f062 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -19,10 +19,6 @@ # # === Parameters: # -# [*keepalived*] -# Whether to configure keepalived to manage the VIPs or not. -# Defaults to true -# # [*haproxy_service_manage*] # Will be passed as value for service_manage to HAProxy module. # Defaults to true @@ -182,6 +178,10 @@ # (optional) Enable or not Aodh API binding # Defaults to hiera('aodh_api_enabled', false) # +# [*panko*] +# (optional) Enable or not Panko API binding +# Defaults to hiera('panko_api_enabled', false) +# # [*barbican*] # (optional) Enable or not Barbican API binding # Defaults to hiera('barbican_api_enabled', false) @@ -371,6 +371,10 @@ # (optional) Specify the network opendaylight is running on. # Defaults to hiera('opendaylight_api_network', undef) # +# [*panko_network*] +# (optional) Specify the network panko is running on. +# Defaults to hiera('panko_api_network', undef) +# # [*sahara_network*] # (optional) Specify the network sahara is running on. # Defaults to hiera('sahara_api_network', undef) @@ -430,6 +434,8 @@ # 'nova_metadata_port' (Defaults to 8775) # 'nova_novnc_port' (Defaults to 6080) # 'nova_novnc_ssl_port' (Defaults to 13080) +# 'panko_api_port' (Defaults to 8779) +# 'panko_api_ssl_port' (Defaults to 13779) # 'sahara_api_port' (Defaults to 8386) # 'sahara_api_ssl_port' (Defaults to 13386) # 'swift_proxy_port' (Defaults to 8080) @@ -449,7 +455,6 @@ class tripleo::haproxy ( $controller_virtual_ip, $public_virtual_ip, - $keepalived = true, $haproxy_service_manage = true, $haproxy_global_maxconn = 20480, $haproxy_default_maxconn = 4096, @@ -482,6 +487,7 @@ class tripleo::haproxy ( $nova_novncproxy = hiera('nova_vnc_proxy_enabled', false), $ceilometer = hiera('ceilometer_api_enabled', false), $aodh = hiera('aodh_api_enabled', false), + $panko = hiera('panko_api_enabled', false), $barbican = hiera('barbican_api_enabled', false), $gnocchi = hiera('gnocchi_api_enabled', false), $mistral = hiera('mistral_api_enabled', false), @@ -527,6 +533,7 @@ class tripleo::haproxy ( $nova_metadata_network = hiera('nova_api_network', undef), $nova_novncproxy_network = hiera('nova_vnc_proxy_network', undef), $nova_osapi_network = hiera('nova_api_network', undef), + $panko_network = hiera('panko_api_network', undef), $sahara_network = hiera('sahara_api_network', undef), $swift_proxy_server_network = hiera('swift_proxy_network', undef), $trove_network = hiera('trove_api_network', undef), @@ -574,6 +581,8 @@ class tripleo::haproxy ( nova_metadata_port => 8775, nova_novnc_port => 6080, nova_novnc_ssl_port => 13080, + panko_api_port => 8779, + panko_api_ssl_port => 13779, sahara_api_port => 8386, sahara_api_ssl_port => 13386, swift_proxy_port => 8080, @@ -605,13 +614,6 @@ class tripleo::haproxy ( $controller_hosts_names_real = downcase(any2array(split($controller_hosts_names, ','))) } - # This code will be removed once we switch undercloud and overcloud to use both haproxy & keepalived roles. - if $keepalived { - include ::tripleo::keepalived - # Make sure keepalive starts before haproxy. - Class['::keepalived::service'] -> Class['::haproxy'] - } - # TODO(bnemec): When we have support for SSL on private and admin endpoints, # have the haproxy stats endpoint use that certificate by default. if $haproxy_stats_certificate { @@ -784,6 +786,7 @@ class tripleo::haproxy ( service_port => $ports[neutron_api_port], ip_addresses => hiera('neutron_api_node_ips', $controller_hosts_real), server_names => hiera('neutron_api_node_names', $controller_hosts_names_real), + mode => 'http', listen_options => { 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', @@ -809,6 +812,7 @@ class tripleo::haproxy ( }, public_ssl_port => $ports[cinder_api_ssl_port], service_network => $cinder_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -819,6 +823,7 @@ class tripleo::haproxy ( service_port => $ports[manila_api_port], ip_addresses => hiera('manila_api_node_ips', $controller_hosts_real), server_names => hiera('manila_api_node_names', $controller_hosts_names_real), + mode => 'http', listen_options => { 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', @@ -934,6 +939,7 @@ class tripleo::haproxy ( service_port => $ports[ceilometer_api_port], ip_addresses => hiera('ceilometer_api_node_ips', $controller_hosts_real), server_names => hiera('ceilometer_api_node_names', $controller_hosts_names_real), + mode => 'http', listen_options => { 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', @@ -952,6 +958,7 @@ class tripleo::haproxy ( service_port => $ports[aodh_api_port], ip_addresses => hiera('aodh_api_node_ips', $controller_hosts_real), server_names => hiera('aodh_api_node_names', $controller_hosts_names_real), + mode => 'http', listen_options => { 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', @@ -963,15 +970,34 @@ class tripleo::haproxy ( } } + if $panko { + ::tripleo::haproxy::endpoint { 'panko': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('panko_api_vip', $controller_virtual_ip), + service_port => $ports[panko_api_port], + ip_addresses => hiera('panko_api_node_ips', $controller_hosts_real), + server_names => hiera('panko_api_node_names', $controller_hosts_names_real), + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, + public_ssl_port => $ports[panko_api_ssl_port], + service_network => $panko_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), + } + } + if $barbican { ::tripleo::haproxy::endpoint { 'barbican': public_virtual_ip => $public_virtual_ip, internal_ip => hiera('barbican_api_vip', $controller_virtual_ip), service_port => $ports[barbican_api_port], ip_addresses => hiera('barbican_api_node_ips', $controller_hosts_real), - server_names => hiera('aodh_api_node_names', $controller_hosts_names_real), + server_names => hiera('barbican_api_node_names', $controller_hosts_names_real), public_ssl_port => $ports[barbican_api_ssl_port], - service_network => $barbican_network + service_network => $barbican_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -982,6 +1008,7 @@ class tripleo::haproxy ( service_port => $ports[gnocchi_api_port], ip_addresses => hiera('gnocchi_api_node_ips', $controller_hosts_real), server_names => hiera('gnocchi_api_node_names', $controller_hosts_names_real), + mode => 'http', listen_options => { 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', diff --git a/manifests/network/os_net_config.pp b/manifests/network/os_net_config.pp index 7e07f6c..3283b5f 100644 --- a/manifests/network/os_net_config.pp +++ b/manifests/network/os_net_config.pp @@ -30,6 +30,17 @@ class tripleo::network::os_net_config { Package['openvswitch'], Service['openvswitch'], ], + notify => Exec['trigger-keepalived-restart'], } + # By modifying the keepalived.conf file we ensure that puppet will + # trigger a restart of keepalived during the main stage. Adding back + # any lost conf during the os-net-config step. + exec { 'trigger-keepalived-restart': + command => '/usr/bin/echo "# Restart keepalived" >> /etc/keepalived/keepalived.conf', + path => '/usr/bin:/bin', + refreshonly => true, + # Only if keepalived is installed + onlyif => 'test -e /etc/keepalived/keepalived.conf', + } } diff --git a/manifests/profile/base/aodh/api.pp b/manifests/profile/base/aodh/api.pp index 06dcfe5..af4a5b3 100644 --- a/manifests/profile/base/aodh/api.pp +++ b/manifests/profile/base/aodh/api.pp @@ -52,10 +52,6 @@ # for more details. # Defaults to hiera('step') # -# [*enable_combination_alarms*] -# (optional) Setting to enable combination alarms -# Defaults to: false -# class tripleo::profile::base::aodh::api ( $aodh_network = hiera('aodh_api_network', undef), @@ -63,7 +59,6 @@ class tripleo::profile::base::aodh::api ( $enable_internal_tls = hiera('enable_internal_tls', false), $generate_service_certificates = hiera('generate_service_certificates', false), $step = hiera('step'), - $enable_combination_alarms = false, ) { include ::tripleo::profile::base::aodh @@ -90,12 +85,5 @@ class tripleo::profile::base::aodh::api ( ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, } - - #NOTE: Combination alarms are deprecated in newton and disabled by default. - # we need a way to override this setting for users still using this type - # of alarms. - aodh_config { - 'api/enable_combination_alarms' : value => $enable_combination_alarms; - } } } diff --git a/manifests/profile/base/barbican/api.pp b/manifests/profile/base/barbican/api.pp index 470e649..b464317 100644 --- a/manifests/profile/base/barbican/api.pp +++ b/manifests/profile/base/barbican/api.pp @@ -18,18 +18,51 @@ # # === Parameters # +# [*barbican_network*] +# (Optional) The network name where the barbican endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('barbican_api_network', undef) +# # [*bootstrap_node*] # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*generate_service_certificates*] +# (Optional) Whether or not certmonger will generate certificates for +# HAProxy. This could be as many as specified by the $certificates_specs +# variable. +# Note that this doesn't configure the certificates in haproxy, it merely +# creates the certificates. +# Defaults to hiera('generate_service_certificate', false). +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. # Defaults to hiera('step') # class tripleo::profile::base::barbican::api ( - $bootstrap_node = hiera('bootstrap_nodeid', undef), - $step = hiera('step'), + $barbican_network = hiera('barbican_api_network', undef), + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $generate_service_certificates = hiera('generate_service_certificates', false), + $step = hiera('step'), ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -37,6 +70,21 @@ class tripleo::profile::base::barbican::api ( $sync_db = false } + if $enable_internal_tls { + if $generate_service_certificates { + ensure_resources('tripleo::certmonger::httpd', $certificates_specs) + } + + if !$barbican_network { + fail('barbican_api_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${barbican_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${barbican_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + include ::tripleo::profile::base::barbican if $step >= 3 and $sync_db { @@ -51,6 +99,9 @@ class tripleo::profile::base::barbican::api ( include ::barbican::api::logging include ::barbican::keystone::notification include ::barbican::quota - include ::barbican::wsgi::apache + class { '::barbican::wsgi::apache': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, + } } } diff --git a/manifests/profile/base/ceph/rgw.pp b/manifests/profile/base/ceph/rgw.pp index 7cd2b6a..2ecca52 100644 --- a/manifests/profile/base/ceph/rgw.pp +++ b/manifests/profile/base/ceph/rgw.pp @@ -18,6 +18,14 @@ # # === Parameters # +# [*civetweb_bind_ip*] +# IP address where to bind the RGW civetweb instance +# (Optional) Defaults to 127.0.0.1 +# +# [*civetweb_bind_port*] +# PORT where to bind the RGW civetweb instance +# (Optional) Defaults to 8080 +# # [*keystone_admin_token*] # The keystone admin token # @@ -36,14 +44,22 @@ class tripleo::profile::base::ceph::rgw ( $keystone_admin_token, $keystone_url, $rgw_key, - $step = hiera('step'), + $civetweb_bind_ip = '127.0.0.1', + $civetweb_bind_port = '8080', + $step = hiera('step'), ) { include ::tripleo::profile::base::ceph if $step >= 3 { - include ::ceph::profile::rgw $rgw_name = hiera('ceph::profile::params::rgw_name', 'radosgw.gateway') + $civetweb_bind_ip_real = normalize_ip_for_uri($civetweb_bind_ip) + include ::ceph::params + include ::ceph::profile::base + ceph::rgw { $rgw_name: + frontend_type => 'civetweb', + rgw_frontends => "civetweb port=${civetweb_bind_ip_real}:${civetweb_bind_port}" + } ceph::key { "client.${rgw_name}": secret => $rgw_key, cap_mon => 'allow *', diff --git a/manifests/profile/base/cinder/api.pp b/manifests/profile/base/cinder/api.pp index 8fcc7d6..5ea2058 100644 --- a/manifests/profile/base/cinder/api.pp +++ b/manifests/profile/base/cinder/api.pp @@ -22,14 +22,47 @@ # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*cinder_api_network*] +# (Optional) The network name where the cinder API endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('cinder_api_network', undef) +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*generate_service_certificates*] +# (Optional) Whether or not certmonger will generate certificates for +# HAProxy. This could be as many as specified by the $certificates_specs +# variable. +# Note that this doesn't configure the certificates in haproxy, it merely +# creates the certificates. +# Defaults to hiera('generate_service_certificate', false). +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. # Defaults to hiera('step') # class tripleo::profile::base::cinder::api ( - $bootstrap_node = hiera('bootstrap_nodeid', undef), - $step = hiera('step'), + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $certificates_specs = hiera('apache_certificates_specs', {}), + $cinder_api_network = hiera('cinder_api_network', undef), + $enable_internal_tls = hiera('enable_internal_tls', false), + $generate_service_certificates = hiera('generate_service_certificates', false), + $step = hiera('step'), ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -39,9 +72,27 @@ class tripleo::profile::base::cinder::api ( include ::tripleo::profile::base::cinder + if $enable_internal_tls { + if $generate_service_certificates { + ensure_resources('tripleo::certmonger::httpd', $certificates_specs) + } + + if !$cinder_api_network { + fail('cinder_api_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${cinder_api_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${cinder_api_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + if $step >= 4 or ($step >= 3 and $sync_db) { include ::cinder::api - include ::cinder::wsgi::apache + class { '::cinder::wsgi::apache': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, + } include ::cinder::ceilometer include ::cinder::glance } diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp index 9da1456..e5f366e 100644 --- a/manifests/profile/base/database/mysql.pp +++ b/manifests/profile/base/database/mysql.pp @@ -26,6 +26,28 @@ # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') # +# [*certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate +# it will create. Note that the certificate nickname must be 'mysql' in +# the case of this service. +# Example with hiera: +# tripleo::profile::base::database::mysql::certificate_specs: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "mysql/<overcloud controller fqdn>" +# Defaults to {}. +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*generate_service_certificates*] +# (Optional) Whether or not certmonger will generate certificates for +# MySQL. This could be as many as specified by the $certificates_specs +# variable. +# Defaults to hiera('generate_service_certificate', false). +# # [*manage_resources*] # (Optional) Whether or not manage root user, root my.cnf, and service. # Defaults to true @@ -45,12 +67,15 @@ # Defaults to hiera('step') # class tripleo::profile::base::database::mysql ( - $bind_address = $::hostname, - $bootstrap_node = hiera('bootstrap_nodeid', undef), - $manage_resources = true, - $mysql_server_options = {}, - $remove_default_accounts = true, - $step = hiera('step'), + $bind_address = $::hostname, + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $certificate_specs = {}, + $enable_internal_tls = hiera('enable_internal_tls', false), + $generate_service_certificates = hiera('generate_service_certificates', false), + $manage_resources = true, + $mysql_server_options = {}, + $remove_default_accounts = true, + $step = hiera('step'), ) { if $::hostname == downcase($bootstrap_node) { @@ -60,6 +85,18 @@ class tripleo::profile::base::database::mysql ( } validate_hash($mysql_server_options) + validate_hash($certificate_specs) + + if $enable_internal_tls { + if $generate_service_certificates { + ensure_resource('class', 'tripleo::certmonger::mysql', $certificate_specs) + } + $tls_certfile = $certificate_specs['service_certificate'] + $tls_keyfile = $certificate_specs['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } # non-ha scenario if $manage_resources { @@ -84,6 +121,10 @@ class tripleo::profile::base::database::mysql ( 'bind-address' => $bind_address, 'max_connections' => hiera('mysql_max_connections'), 'open_files_limit' => '-1', + 'ssl' => $enable_internal_tls, + 'ssl-key' => $tls_keyfile, + 'ssl-cert' => $tls_certfile, + 'ssl-ca' => undef, } } $mysql_server_options_real = deep_merge($mysql_server_default, $mysql_server_options) @@ -143,6 +184,9 @@ class tripleo::profile::base::database::mysql ( if hiera('trove_api_enabled', false) { include ::trove::db::mysql } + if hiera('panko_api_enabled', false) { + include ::panko::db::mysql + } } } diff --git a/manifests/profile/base/keepalived.pp b/manifests/profile/base/keepalived.pp index f2063d6..8dd03dc 100644 --- a/manifests/profile/base/keepalived.pp +++ b/manifests/profile/base/keepalived.pp @@ -27,13 +27,54 @@ # for more details. # Defaults to hiera('step') # +# [*control_virtual_interface*] +# (Optional) Interface specified for control plane network +# Defaults to hiera('tripleo::keepalived::control_virtual_interface', false) +# +# [*control_virtual_ip*] +# Virtual IP address used for control plane network +# Defaults to hiera('tripleo::keepalived::controller_virtual_ip') +# +# [*public_virtual_interface*] +# (Optional) Interface specified for public/external network +# Defaults to hiera('tripleo::keepalived::public_virtual_interface', false) +# +# [*public_virtual_ip*] +# Virtual IP address used for public/ network +# Defaults to hiera('tripleo::keepalived::public_virtual_ip') +# class tripleo::profile::base::keepalived ( - $enable_load_balancer = hiera('enable_load_balancer', true), - $step = hiera('step'), + $enable_load_balancer = hiera('enable_load_balancer', true), + $control_virtual_interface = hiera('tripleo::keepalived::control_virtual_interface', false), + $control_virtual_ip = hiera('tripleo::keepalived::controller_virtual_ip'), + $public_virtual_interface = hiera('tripleo::keepalived::public_virtual_interface', false), + $public_virtual_ip = hiera('tripleo::keepalived::public_virtual_ip'), + $step = hiera('step'), ) { if $step >= 1 { if $enable_load_balancer and hiera('enable_keepalived', true){ - include ::tripleo::keepalived + if ! $control_virtual_interface { + $control_detected_interface = interface_for_ip($control_virtual_ip) + if ! $control_detected_interface { + fail('Unable to find interface for control plane network') + } + } else { + $control_detected_interface = $control_virtual_interface + } + + if ! $public_virtual_interface { + $public_detected_interface = interface_for_ip($public_virtual_ip) + if ! $public_detected_interface { + fail('Unable to find interface for public network') + } + } else { + $public_detected_interface = $public_virtual_interface + } + + class { '::tripleo::keepalived': + control_virtual_interface => $control_detected_interface, + public_virtual_interface => $public_detected_interface, + } } } } diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index 9801eb2..ff8d790 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -51,6 +51,22 @@ # creates the certificates. # Defaults to hiera('generate_service_certificate', false). # +# [*heat_admin_domain*] +# domain name for heat admin +# Defaults to undef +# +# [*heat_admin_email*] +# heat admin email address +# Defaults to undef +# +# [*heat_admin_password*] +# heat admin password +# Defaults to undef +# +# [*heat_admin_user*] +# heat admin user name +# Defaults to undef +# # [*manage_db_purge*] # (Optional) Whether keystone token flushing should be enabled # Defaults to hiera('keystone_enable_db_purge', true) @@ -74,38 +90,21 @@ # for more details. # Defaults to hiera('step') # -# [*heat_admin_domain*] -# domain name for heat admin -# Defaults to hiera('heat::keystone::domain::domain_name', 'heat') -# -# [*heat_admin_user*] -# heat admin user name -# Defaults to hiera('heat::keystone::domain::domain_admin', 'heat_admin') -# -# [*heat_admin_email*] -# heat admin email address -# Defaults to hiera('heat::keystone::domain::domain_admin_email', -# 'heat_admin@localhost') -# -# [*heat_admin_password*] -# heat admin password -# Defaults to hiera('heat::keystone::domain::domain_password') -# class tripleo::profile::base::keystone ( $admin_endpoint_network = hiera('keystone_admin_api_network', undef), $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), $generate_service_certificates = hiera('generate_service_certificates', false), + $heat_admin_domain = undef, + $heat_admin_email = undef, + $heat_admin_password = undef, + $heat_admin_user = undef, $manage_db_purge = hiera('keystone_enable_db_purge', true), $public_endpoint_network = hiera('keystone_public_api_network', undef), $rabbit_hosts = hiera('rabbitmq_node_ips', undef), $rabbit_port = hiera('keystone::rabbit_port', 5672), $step = hiera('step'), - $heat_admin_domain = hiera('heat::keystone::domain::domain_name', 'heat'), - $heat_admin_user = hiera('heat::keystone::domain::domain_admin', 'heat_admin'), - $heat_admin_email = hiera('heat::keystone::domain::domain_admin_email', 'heat_admin@localhost'), - $heat_admin_password = hiera('heat::keystone::domain::domain_password'), ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -237,6 +236,9 @@ class tripleo::profile::base::keystone ( if hiera('nova_api_enabled', false) { include ::nova::keystone::auth } + if hiera('panko_api_enabled', false) { + include ::panko::keystone::auth + } if hiera('sahara_api_enabled', false) { include ::sahara::keystone::auth } diff --git a/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp b/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp index 2eb09ae..c120931 100644 --- a/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp +++ b/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp @@ -53,9 +53,9 @@ class tripleo::profile::base::neutron::plugins::ml2::opendaylight ( if ! $odl_url_ip { fail('OpenDaylight Controller IP/VIP is Empty') } class { '::neutron::plugins::ml2::opendaylight': - odl_username => $odl_username, - odl_password => $odl_password, - odl_url => "${conn_proto}://${odl_url_ip}:${odl_port}/controller/nb/v2/neutron"; + odl_username => $odl_username, + odl_password => $odl_password, + odl_url => "${conn_proto}://${odl_url_ip}:${odl_port}/controller/nb/v2/neutron"; } } } diff --git a/manifests/profile/base/neutron/server.pp b/manifests/profile/base/neutron/server.pp index 82c2d5f..4667ae2 100644 --- a/manifests/profile/base/neutron/server.pp +++ b/manifests/profile/base/neutron/server.pp @@ -27,9 +27,30 @@ # for more details. # Defaults to hiera('step') # +# [*l3_ha_override*] +# (Optional) Override the calculated value for neutron::server::l3_ha +# by default this is calculated to enable when DVR is not enabled +# and the number of nodes running neutron api is more than one. +# Defaults to '' which aligns with the t-h-t default, and means use +# the calculated value. Other possible values are 'true' or 'false' +# +# [*l3_nodes*] +# (Optional) List of nodes running the l3 agent, used when no override +# is passed to l3_ha_override to calculate enabling l3 HA. +# Defaults to hiera('neutron_l3_short_node_names') or [] +# (we need to default neutron_l3_short_node_names to an empty list +# because some neutron backends disable the l3 agent) +# +# [*dvr_enabled*] +# (Optional) Is dvr enabled, used when no override is passed to +# l3_ha_override to calculate enabling l3 HA. +# Defaults to hiera('neutron::server::router_distributed') or false class tripleo::profile::base::neutron::server ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $step = hiera('step'), + $l3_ha_override = '', + $l3_nodes = hiera('neutron_l3_short_node_names', []), + $dvr_enabled = hiera('neutron::server::router_distributed', false) ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -39,6 +60,16 @@ class tripleo::profile::base::neutron::server ( include ::tripleo::profile::base::neutron + # Calculate neutron::server::l3_ha based on the number of API nodes + # combined with if DVR is enabled. + if $l3_ha_override != '' { + $l3_ha = str2bool($l3_ha_override) + } elsif ! str2bool($dvr_enabled) { + $l3_ha = size($l3_nodes) > 1 + } else { + $l3_ha = false + } + # We start neutron-server on the bootstrap node first, because # it will try to populate tables and we need to make sure this happens # before it starts on other nodes @@ -48,12 +79,14 @@ class tripleo::profile::base::neutron::server ( # to true class { '::neutron::server': sync_db => $sync_db, + l3_ha => $l3_ha, } } if $step >= 5 and !$sync_db { include ::neutron::server::notifications class { '::neutron::server': sync_db => $sync_db, + l3_ha => $l3_ha, } } } diff --git a/manifests/profile/base/panko.pp b/manifests/profile/base/panko.pp new file mode 100644 index 0000000..4abed56 --- /dev/null +++ b/manifests/profile/base/panko.pp @@ -0,0 +1,47 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::panko +# +# panko profile for tripleo +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') + +class tripleo::profile::base::panko ( + $step = hiera('step'), + $bootstrap_node = hiera('bootstrap_nodeid', undef), +) { + + if $::hostname == downcase($bootstrap_node) { + $sync_db = true + } else { + $sync_db = false + } + + if $step >= 4 or ($step >= 3 and $sync_db) { + include ::panko + include ::panko::config + include ::panko::db::sync + } + +} diff --git a/manifests/profile/base/panko/api.pp b/manifests/profile/base/panko/api.pp new file mode 100644 index 0000000..32dfc38 --- /dev/null +++ b/manifests/profile/base/panko/api.pp @@ -0,0 +1,35 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::panko::api +# +# Panko API profile for tripleo +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::panko::api ( + $step = hiera('step'), +) { + include ::tripleo::profile::base::panko + + if $step >= 4 { + include ::panko::api + include ::panko::wsgi::apache + } +} diff --git a/metadata.json b/metadata.json index c7f0e77..a417f95 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "openstack-tripleo", - "version": "5.4.0", + "version": "6.0.0", "author": "OpenStack Contributors", "summary": "Puppet module for TripleO", "license": "Apache-2.0", diff --git a/spec/classes/tripleo_firewall_spec.rb b/spec/classes/tripleo_firewall_spec.rb index 1270aa7..3116a51 100644 --- a/spec/classes/tripleo_firewall_spec.rb +++ b/spec/classes/tripleo_firewall_spec.rb @@ -76,7 +76,8 @@ describe 'tripleo::firewall' do '301 add custom application 2' => {'port' => '8081', 'proto' => 'tcp', 'action' => 'accept'}, '302 fwd custom cidr 1' => {'chain' => 'FORWARD', 'destination' => '192.0.2.0/24'}, '303 add custom application 3' => {'dport' => '8081', 'proto' => 'tcp', 'action' => 'accept'}, - '304 add custom application 4' => {'sport' => '1000', 'proto' => 'tcp', 'action' => 'accept'} + '304 add custom application 4' => {'sport' => '1000', 'proto' => 'tcp', 'action' => 'accept'}, + '305 add gre rule' => {'proto' => 'gre'} } ) end @@ -109,6 +110,7 @@ describe 'tripleo::firewall' do :action => 'accept', :state => ['NEW'], ) + is_expected.to contain_firewall('305 add gre rule').without(:state) end end diff --git a/spec/classes/tripleo_profile_base_aodh_api_spec.rb b/spec/classes/tripleo_profile_base_aodh_api_spec.rb index d1f0b6b..63dbe71 100644 --- a/spec/classes/tripleo_profile_base_aodh_api_spec.rb +++ b/spec/classes/tripleo_profile_base_aodh_api_spec.rb @@ -30,7 +30,6 @@ describe 'tripleo::profile::base::aodh::api' do is_expected.to contain_class('tripleo::profile::base::aodh') is_expected.to_not contain_class('aodh::api') is_expected.to_not contain_class('aodh::wsgi::apache') - is_expected.to_not contain_aodh_config('api/enable_combination_alarms') end end @@ -42,23 +41,8 @@ describe 'tripleo::profile::base::aodh::api' do it 'should trigger complete configuration' do is_expected.to contain_class('aodh::api') is_expected.to contain_class('aodh::wsgi::apache') - is_expected.to contain_aodh_config('api/enable_combination_alarms').with_value('false') end end - - context 'with step 4 and enable combo alarms' do - let(:params) { { - :step => 4, - :enable_combination_alarms => true - } } - - it 'should trigger complete configuration' do - is_expected.to contain_class('aodh::api') - is_expected.to contain_class('aodh::wsgi::apache') - is_expected.to contain_aodh_config('api/enable_combination_alarms').with_value('true') - end - end - end diff --git a/spec/classes/tripleo_profile_base_ceph_rgw_spec.rb b/spec/classes/tripleo_profile_base_ceph_rgw_spec.rb index e9459d0..88f971b 100644 --- a/spec/classes/tripleo_profile_base_ceph_rgw_spec.rb +++ b/spec/classes/tripleo_profile_base_ceph_rgw_spec.rb @@ -30,7 +30,9 @@ describe 'tripleo::profile::base::ceph::rgw' do { :keystone_admin_token => 'token', :keystone_url => 'url', - :rgw_key => 'key' + :rgw_key => 'key', + :civetweb_bind_ip => '2001:db8:0:1234:0:567:8:1', + :civetweb_bind_port => '8888', } end @@ -39,7 +41,7 @@ describe 'tripleo::profile::base::ceph::rgw' do it 'should do nothing' do is_expected.to contain_class('tripleo::profile::base::ceph::rgw') is_expected.to contain_class('tripleo::profile::base::ceph') - is_expected.to_not contain_class('ceph::profile::rgw') + is_expected.to_not contain_class('ceph::rgw') end end @@ -47,7 +49,10 @@ describe 'tripleo::profile::base::ceph::rgw' do let(:params) { default_params.merge({ :step => 3 }) } it 'should include rgw configuration' do is_expected.to contain_class('tripleo::profile::base::ceph') - is_expected.to contain_class('ceph::profile::rgw') + is_expected.to contain_ceph__rgw('radosgw.gateway').with( + :frontend_type => 'civetweb', + :rgw_frontends => 'civetweb port=[2001:db8:0:1234:0:567:8:1]:8888' + ) is_expected.to contain_ceph__key('client.radosgw.gateway').with( :secret => 'key', :cap_mon => 'allow *', @@ -62,7 +67,10 @@ describe 'tripleo::profile::base::ceph::rgw' do let(:params) { default_params.merge({ :step => 4 }) } it 'should include rgw configuration' do is_expected.to contain_class('tripleo::profile::base::ceph') - is_expected.to contain_class('ceph::profile::rgw') + is_expected.to contain_ceph__rgw('radosgw.gateway').with( + :frontend_type => 'civetweb', + :rgw_frontends => 'civetweb port=[2001:db8:0:1234:0:567:8:1]:8888' + ) is_expected.to contain_ceph__key('client.radosgw.gateway').with( :secret => 'key', :cap_mon => 'allow *', |