diff options
36 files changed, 759 insertions, 123 deletions
diff --git a/manifests/certmonger/mysql.pp b/manifests/certmonger/mysql.pp new file mode 100644 index 0000000..62aff9a --- /dev/null +++ b/manifests/certmonger/mysql.pp @@ -0,0 +1,84 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::certmonger::mysql +# +# Request a certificate for the MySQL/Mariadb service and do the necessary setup. +# +# === Parameters +# +# [*hostname*] +# The hostname of the node. this will be set in the CN of the certificate. +# +# [*service_certificate*] +# The path to the certificate that will be used for TLS in this service. +# +# [*service_key*] +# The path to the key that will be used for TLS in this service. +# +# [*certmonger_ca*] +# (Optional) The CA that certmonger will use to generate the certificates. +# Defaults to hiera('certmonger_ca', 'local'). +# +# [*mysql_network*] +# (Optional) The network name where the mysql endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('mysql_network', undef) +# +# [*principal*] +# (Optional) The haproxy service principal that is set for MySQL in kerberos. +# Defaults to undef +# +class tripleo::certmonger::mysql ( + $hostname, + $service_certificate, + $service_key, + $certmonger_ca = hiera('certmonger_ca', 'local'), + $mysql_network = hiera('mysql_network', undef), + $principal = undef, +) { + include ::certmonger + include ::mysql::params + + if !$mysql_network { + fail('mysql_network is not set in the hieradata.') + } + + $postsave_cmd = "systemctl reload ${::mysql::params::service_name}" + certmonger_certificate { 'mysql' : + ensure => 'present', + certfile => $service_certificate, + keyfile => $service_key, + hostname => $hostname, + dnsname => $hostname, + principal => $principal, + postsave_cmd => $postsave_cmd, + ca => $certmonger_ca, + wait => true, + require => Class['::certmonger'], + } + file { $service_certificate : + owner => 'mysql', + group => 'mysql', + require => Certmonger_certificate['mysql'], + } + file { $service_key : + owner => 'mysql', + group => 'mysql', + require => Certmonger_certificate['mysql'], + } + + File[$service_certificate] ~> Service<| title == $::mysql::params::service_name |> + File[$service_key] ~> Service<| title == $::mysql::params::service_name |> +} diff --git a/manifests/firewall.pp b/manifests/firewall.pp index 3184cd3..8c6a53b 100644 --- a/manifests/firewall.pp +++ b/manifests/firewall.pp @@ -51,8 +51,6 @@ class tripleo::firewall( $firewall_post_extras = {}, ) { - include ::stdlib - if $manage_firewall { # Only purges IPv4 rules @@ -79,14 +77,15 @@ class tripleo::firewall( ensure_resource('class', 'tripleo::firewall::pre', { 'firewall_settings' => $firewall_pre_extras, - 'stage' => 'setup', }) ensure_resource('class', 'tripleo::firewall::post', { - 'stage' => 'runtime', 'firewall_settings' => $firewall_post_extras, }) + Class['tripleo::firewall::pre'] -> Class['tripleo::firewall::post'] + Service<||> -> Class['tripleo::firewall::post'] + # Allow composable services to load their own custom # example with Hiera. # NOTE(dprince): In the future when we have a better hiera diff --git a/manifests/firewall/rule.pp b/manifests/firewall/rule.pp index c63162b..6801dc4 100644 --- a/manifests/firewall/rule.pp +++ b/manifests/firewall/rule.pp @@ -83,14 +83,21 @@ define tripleo::firewall::rule ( 'sport' => $sport, 'proto' => $proto, 'action' => $action, - 'state' => $state, 'source' => $source, 'iniface' => $iniface, 'chain' => $chain, 'destination' => $destination, } + if $proto != 'gre' { + $state_rule = { + 'state' => $state + } + } else { + $state_rule = {} + } + - $rule = merge($basic, $extras) + $rule = merge($basic, $state_rule, $extras) validate_hash($rule) create_resources('firewall', { "${title}" => $rule }) diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index 7c5ff39..2f3f062 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -19,10 +19,6 @@ # # === Parameters: # -# [*keepalived*] -# Whether to configure keepalived to manage the VIPs or not. -# Defaults to true -# # [*haproxy_service_manage*] # Will be passed as value for service_manage to HAProxy module. # Defaults to true @@ -37,7 +33,7 @@ # # [*haproxy_default_timeout*] # The value to use as timeout in the HAProxy default config section. -# Defaults to [ 'http-request 10s', 'queue 1m', 'connect 10s', 'client 1m', 'server 1m', 'check 10s' ] +# Defaults to [ 'http-request 10s', 'queue 2m', 'connect 10s', 'client 2m', 'server 2m', 'check 10s' ] # # [*haproxy_listen_bind_param*] # A list of params to be added to the HAProxy listener bind directive. By @@ -182,6 +178,10 @@ # (optional) Enable or not Aodh API binding # Defaults to hiera('aodh_api_enabled', false) # +# [*panko*] +# (optional) Enable or not Panko API binding +# Defaults to hiera('panko_api_enabled', false) +# # [*barbican*] # (optional) Enable or not Barbican API binding # Defaults to hiera('barbican_api_enabled', false) @@ -230,6 +230,14 @@ # (optional) Enable check via clustercheck for mysql # Defaults to false # +# [*mysql_member_options*] +# The options to use for the mysql HAProxy balancer members. +# If this parameter is undefined, the actual value configured will depend +# on the value of $mysql_clustercheck. If cluster checking is enabled, +# the mysql member options will be: "['backup', 'port 9200', 'on-marked-down shutdown-sessions', 'check', 'inter 1s']" +# and if mysql cluster checking is disabled, the member options will be: "union($haproxy_member_options, ['backup'])" +# Defaults to undef +# # [*rabbitmq*] # (optional) Enable or not RabbitMQ binding # Defaults to false @@ -363,6 +371,10 @@ # (optional) Specify the network opendaylight is running on. # Defaults to hiera('opendaylight_api_network', undef) # +# [*panko_network*] +# (optional) Specify the network panko is running on. +# Defaults to hiera('panko_api_network', undef) +# # [*sahara_network*] # (optional) Specify the network sahara is running on. # Defaults to hiera('sahara_api_network', undef) @@ -422,6 +434,8 @@ # 'nova_metadata_port' (Defaults to 8775) # 'nova_novnc_port' (Defaults to 6080) # 'nova_novnc_ssl_port' (Defaults to 13080) +# 'panko_api_port' (Defaults to 8779) +# 'panko_api_ssl_port' (Defaults to 13779) # 'sahara_api_port' (Defaults to 8386) # 'sahara_api_ssl_port' (Defaults to 13386) # 'swift_proxy_port' (Defaults to 8080) @@ -441,11 +455,10 @@ class tripleo::haproxy ( $controller_virtual_ip, $public_virtual_ip, - $keepalived = true, $haproxy_service_manage = true, $haproxy_global_maxconn = 20480, $haproxy_default_maxconn = 4096, - $haproxy_default_timeout = [ 'http-request 10s', 'queue 1m', 'connect 10s', 'client 1m', 'server 1m', 'check 10s' ], + $haproxy_default_timeout = [ 'http-request 10s', 'queue 2m', 'connect 10s', 'client 2m', 'server 2m', 'check 10s' ], $haproxy_listen_bind_param = [ 'transparent' ], $haproxy_member_options = [ 'check', 'inter 2000', 'rise 2', 'fall 5' ], $haproxy_log_address = '/dev/log', @@ -474,6 +487,7 @@ class tripleo::haproxy ( $nova_novncproxy = hiera('nova_vnc_proxy_enabled', false), $ceilometer = hiera('ceilometer_api_enabled', false), $aodh = hiera('aodh_api_enabled', false), + $panko = hiera('panko_api_enabled', false), $barbican = hiera('barbican_api_enabled', false), $gnocchi = hiera('gnocchi_api_enabled', false), $mistral = hiera('mistral_api_enabled', false), @@ -486,6 +500,7 @@ class tripleo::haproxy ( $ironic_inspector = hiera('ironic_inspector_enabled', false), $mysql = hiera('mysql_enabled', false), $mysql_clustercheck = false, + $mysql_member_options = undef, $rabbitmq = false, $docker_registry = hiera('enable_docker_registry', false), $redis = hiera('redis_enabled', false), @@ -518,6 +533,7 @@ class tripleo::haproxy ( $nova_metadata_network = hiera('nova_api_network', undef), $nova_novncproxy_network = hiera('nova_vnc_proxy_network', undef), $nova_osapi_network = hiera('nova_api_network', undef), + $panko_network = hiera('panko_api_network', undef), $sahara_network = hiera('sahara_api_network', undef), $swift_proxy_server_network = hiera('swift_proxy_network', undef), $trove_network = hiera('trove_api_network', undef), @@ -565,6 +581,8 @@ class tripleo::haproxy ( nova_metadata_port => 8775, nova_novnc_port => 6080, nova_novnc_ssl_port => 13080, + panko_api_port => 8779, + panko_api_ssl_port => 13779, sahara_api_port => 8386, sahara_api_ssl_port => 13386, swift_proxy_port => 8080, @@ -596,11 +614,6 @@ class tripleo::haproxy ( $controller_hosts_names_real = downcase(any2array(split($controller_hosts_names, ','))) } - # This code will be removed once we switch undercloud and overcloud to use both haproxy & keepalived roles. - if $keepalived { - include ::tripleo::keepalived - } - # TODO(bnemec): When we have support for SSL on private and admin endpoints, # have the haproxy stats endpoint use that certificate by default. if $haproxy_stats_certificate { @@ -773,6 +786,12 @@ class tripleo::haproxy ( service_port => $ports[neutron_api_port], ip_addresses => hiera('neutron_api_node_ips', $controller_hosts_real), server_names => hiera('neutron_api_node_names', $controller_hosts_names_real), + mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[neutron_api_ssl_port], service_network => $neutron_network, } @@ -793,6 +812,7 @@ class tripleo::haproxy ( }, public_ssl_port => $ports[cinder_api_ssl_port], service_network => $cinder_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -803,6 +823,7 @@ class tripleo::haproxy ( service_port => $ports[manila_api_port], ip_addresses => hiera('manila_api_node_ips', $controller_hosts_real), server_names => hiera('manila_api_node_names', $controller_hosts_names_real), + mode => 'http', listen_options => { 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', @@ -881,6 +902,7 @@ class tripleo::haproxy ( }, public_ssl_port => $ports[nova_api_ssl_port], service_network => $nova_osapi_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -917,6 +939,12 @@ class tripleo::haproxy ( service_port => $ports[ceilometer_api_port], ip_addresses => hiera('ceilometer_api_node_ips', $controller_hosts_real), server_names => hiera('ceilometer_api_node_names', $controller_hosts_names_real), + mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[ceilometer_api_ssl_port], service_network => $ceilometer_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -930,21 +958,46 @@ class tripleo::haproxy ( service_port => $ports[aodh_api_port], ip_addresses => hiera('aodh_api_node_ips', $controller_hosts_real), server_names => hiera('aodh_api_node_names', $controller_hosts_names_real), + mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[aodh_api_ssl_port], service_network => $aodh_network, member_options => union($haproxy_member_options, $internal_tls_member_options), } } + if $panko { + ::tripleo::haproxy::endpoint { 'panko': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('panko_api_vip', $controller_virtual_ip), + service_port => $ports[panko_api_port], + ip_addresses => hiera('panko_api_node_ips', $controller_hosts_real), + server_names => hiera('panko_api_node_names', $controller_hosts_names_real), + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, + public_ssl_port => $ports[panko_api_ssl_port], + service_network => $panko_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), + } + } + if $barbican { ::tripleo::haproxy::endpoint { 'barbican': public_virtual_ip => $public_virtual_ip, internal_ip => hiera('barbican_api_vip', $controller_virtual_ip), service_port => $ports[barbican_api_port], ip_addresses => hiera('barbican_api_node_ips', $controller_hosts_real), - server_names => hiera('aodh_api_node_names', $controller_hosts_names_real), + server_names => hiera('barbican_api_node_names', $controller_hosts_names_real), public_ssl_port => $ports[barbican_api_ssl_port], - service_network => $barbican_network + service_network => $barbican_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -955,8 +1008,15 @@ class tripleo::haproxy ( service_port => $ports[gnocchi_api_port], ip_addresses => hiera('gnocchi_api_node_ips', $controller_hosts_real), server_names => hiera('gnocchi_api_node_names', $controller_hosts_names_real), + mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[gnocchi_api_ssl_port], service_network => $gnocchi_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -1094,13 +1154,21 @@ class tripleo::haproxy ( 'stick-table' => 'type ip size 1000', 'stick' => 'on dst', } - $mysql_member_options = union($haproxy_member_options, ['backup', 'port 9200', 'on-marked-down shutdown-sessions']) + if $mysql_member_options { + $mysql_member_options_real = $mysql_member_options + } else { + $mysql_member_options_real = ['backup', 'port 9200', 'on-marked-down shutdown-sessions', 'check', 'inter 1s'] + } } else { $mysql_listen_options = { 'timeout client' => '90m', 'timeout server' => '90m', } - $mysql_member_options = union($haproxy_member_options, ['backup']) + if $mysql_member_options { + $mysql_member_options_real = $mysql_member_options + } else { + $mysql_member_options_real = union($haproxy_member_options, ['backup']) + } } if $mysql { @@ -1114,7 +1182,7 @@ class tripleo::haproxy ( ports => '3306', ipaddresses => hiera('mysql_node_ips', $controller_hosts_real), server_names => hiera('mysql_node_names', $controller_hosts_names_real), - options => $mysql_member_options, + options => $mysql_member_options_real, } } diff --git a/manifests/keepalived.pp b/manifests/keepalived.pp index 515dcd0..0e9262d 100644 --- a/manifests/keepalived.pp +++ b/manifests/keepalived.pp @@ -158,8 +158,4 @@ class tripleo::keepalived ( priority => 101, } } - # Make sure keepalive starts before haproxy. - if (defined(Class['::haproxy'])) { - Class['::keepalived::service'] -> Class['::haproxy'] - } } diff --git a/manifests/network/os_net_config.pp b/manifests/network/os_net_config.pp index 7e07f6c..3283b5f 100644 --- a/manifests/network/os_net_config.pp +++ b/manifests/network/os_net_config.pp @@ -30,6 +30,17 @@ class tripleo::network::os_net_config { Package['openvswitch'], Service['openvswitch'], ], + notify => Exec['trigger-keepalived-restart'], } + # By modifying the keepalived.conf file we ensure that puppet will + # trigger a restart of keepalived during the main stage. Adding back + # any lost conf during the os-net-config step. + exec { 'trigger-keepalived-restart': + command => '/usr/bin/echo "# Restart keepalived" >> /etc/keepalived/keepalived.conf', + path => '/usr/bin:/bin', + refreshonly => true, + # Only if keepalived is installed + onlyif => 'test -e /etc/keepalived/keepalived.conf', + } } diff --git a/manifests/profile/base/aodh.pp b/manifests/profile/base/aodh.pp index 02c1d07..281e069 100644 --- a/manifests/profile/base/aodh.pp +++ b/manifests/profile/base/aodh.pp @@ -49,8 +49,9 @@ class tripleo::profile::base::aodh ( } if $step >= 4 or ($step >= 3 and $sync_db) { + $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") class { '::aodh' : - rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}") + rabbit_hosts => $rabbit_endpoints, } include ::aodh::auth include ::aodh::config diff --git a/manifests/profile/base/aodh/api.pp b/manifests/profile/base/aodh/api.pp index 06dcfe5..af4a5b3 100644 --- a/manifests/profile/base/aodh/api.pp +++ b/manifests/profile/base/aodh/api.pp @@ -52,10 +52,6 @@ # for more details. # Defaults to hiera('step') # -# [*enable_combination_alarms*] -# (optional) Setting to enable combination alarms -# Defaults to: false -# class tripleo::profile::base::aodh::api ( $aodh_network = hiera('aodh_api_network', undef), @@ -63,7 +59,6 @@ class tripleo::profile::base::aodh::api ( $enable_internal_tls = hiera('enable_internal_tls', false), $generate_service_certificates = hiera('generate_service_certificates', false), $step = hiera('step'), - $enable_combination_alarms = false, ) { include ::tripleo::profile::base::aodh @@ -90,12 +85,5 @@ class tripleo::profile::base::aodh::api ( ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, } - - #NOTE: Combination alarms are deprecated in newton and disabled by default. - # we need a way to override this setting for users still using this type - # of alarms. - aodh_config { - 'api/enable_combination_alarms' : value => $enable_combination_alarms; - } } } diff --git a/manifests/profile/base/barbican/api.pp b/manifests/profile/base/barbican/api.pp index 470e649..b464317 100644 --- a/manifests/profile/base/barbican/api.pp +++ b/manifests/profile/base/barbican/api.pp @@ -18,18 +18,51 @@ # # === Parameters # +# [*barbican_network*] +# (Optional) The network name where the barbican endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('barbican_api_network', undef) +# # [*bootstrap_node*] # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*generate_service_certificates*] +# (Optional) Whether or not certmonger will generate certificates for +# HAProxy. This could be as many as specified by the $certificates_specs +# variable. +# Note that this doesn't configure the certificates in haproxy, it merely +# creates the certificates. +# Defaults to hiera('generate_service_certificate', false). +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. # Defaults to hiera('step') # class tripleo::profile::base::barbican::api ( - $bootstrap_node = hiera('bootstrap_nodeid', undef), - $step = hiera('step'), + $barbican_network = hiera('barbican_api_network', undef), + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $generate_service_certificates = hiera('generate_service_certificates', false), + $step = hiera('step'), ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -37,6 +70,21 @@ class tripleo::profile::base::barbican::api ( $sync_db = false } + if $enable_internal_tls { + if $generate_service_certificates { + ensure_resources('tripleo::certmonger::httpd', $certificates_specs) + } + + if !$barbican_network { + fail('barbican_api_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${barbican_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${barbican_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + include ::tripleo::profile::base::barbican if $step >= 3 and $sync_db { @@ -51,6 +99,9 @@ class tripleo::profile::base::barbican::api ( include ::barbican::api::logging include ::barbican::keystone::notification include ::barbican::quota - include ::barbican::wsgi::apache + class { '::barbican::wsgi::apache': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, + } } } diff --git a/manifests/profile/base/ceilometer.pp b/manifests/profile/base/ceilometer.pp index 959d86c..392d0c7 100644 --- a/manifests/profile/base/ceilometer.pp +++ b/manifests/profile/base/ceilometer.pp @@ -38,8 +38,9 @@ class tripleo::profile::base::ceilometer ( ) { if $step >= 3 { + $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") class { '::ceilometer' : - rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}") + rabbit_hosts => $rabbit_endpoints, } include ::ceilometer::config } diff --git a/manifests/profile/base/ceph/rgw.pp b/manifests/profile/base/ceph/rgw.pp index 7cd2b6a..2ecca52 100644 --- a/manifests/profile/base/ceph/rgw.pp +++ b/manifests/profile/base/ceph/rgw.pp @@ -18,6 +18,14 @@ # # === Parameters # +# [*civetweb_bind_ip*] +# IP address where to bind the RGW civetweb instance +# (Optional) Defaults to 127.0.0.1 +# +# [*civetweb_bind_port*] +# PORT where to bind the RGW civetweb instance +# (Optional) Defaults to 8080 +# # [*keystone_admin_token*] # The keystone admin token # @@ -36,14 +44,22 @@ class tripleo::profile::base::ceph::rgw ( $keystone_admin_token, $keystone_url, $rgw_key, - $step = hiera('step'), + $civetweb_bind_ip = '127.0.0.1', + $civetweb_bind_port = '8080', + $step = hiera('step'), ) { include ::tripleo::profile::base::ceph if $step >= 3 { - include ::ceph::profile::rgw $rgw_name = hiera('ceph::profile::params::rgw_name', 'radosgw.gateway') + $civetweb_bind_ip_real = normalize_ip_for_uri($civetweb_bind_ip) + include ::ceph::params + include ::ceph::profile::base + ceph::rgw { $rgw_name: + frontend_type => 'civetweb', + rgw_frontends => "civetweb port=${civetweb_bind_ip_real}:${civetweb_bind_port}" + } ceph::key { "client.${rgw_name}": secret => $rgw_key, cap_mon => 'allow *', diff --git a/manifests/profile/base/cinder.pp b/manifests/profile/base/cinder.pp index 9f7c453..8023fcc 100644 --- a/manifests/profile/base/cinder.pp +++ b/manifests/profile/base/cinder.pp @@ -52,8 +52,9 @@ class tripleo::profile::base::cinder ( } if $step >= 4 or ($step >= 3 and $sync_db) { + $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") class { '::cinder' : - rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}") + rabbit_hosts => $rabbit_endpoints, } include ::cinder::config } diff --git a/manifests/profile/base/cinder/api.pp b/manifests/profile/base/cinder/api.pp index 8fcc7d6..5ea2058 100644 --- a/manifests/profile/base/cinder/api.pp +++ b/manifests/profile/base/cinder/api.pp @@ -22,14 +22,47 @@ # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*cinder_api_network*] +# (Optional) The network name where the cinder API endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('cinder_api_network', undef) +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*generate_service_certificates*] +# (Optional) Whether or not certmonger will generate certificates for +# HAProxy. This could be as many as specified by the $certificates_specs +# variable. +# Note that this doesn't configure the certificates in haproxy, it merely +# creates the certificates. +# Defaults to hiera('generate_service_certificate', false). +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. # Defaults to hiera('step') # class tripleo::profile::base::cinder::api ( - $bootstrap_node = hiera('bootstrap_nodeid', undef), - $step = hiera('step'), + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $certificates_specs = hiera('apache_certificates_specs', {}), + $cinder_api_network = hiera('cinder_api_network', undef), + $enable_internal_tls = hiera('enable_internal_tls', false), + $generate_service_certificates = hiera('generate_service_certificates', false), + $step = hiera('step'), ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -39,9 +72,27 @@ class tripleo::profile::base::cinder::api ( include ::tripleo::profile::base::cinder + if $enable_internal_tls { + if $generate_service_certificates { + ensure_resources('tripleo::certmonger::httpd', $certificates_specs) + } + + if !$cinder_api_network { + fail('cinder_api_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${cinder_api_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${cinder_api_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + if $step >= 4 or ($step >= 3 and $sync_db) { include ::cinder::api - include ::cinder::wsgi::apache + class { '::cinder::wsgi::apache': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, + } include ::cinder::ceilometer include ::cinder::glance } diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp index 9da1456..e5f366e 100644 --- a/manifests/profile/base/database/mysql.pp +++ b/manifests/profile/base/database/mysql.pp @@ -26,6 +26,28 @@ # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') # +# [*certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate +# it will create. Note that the certificate nickname must be 'mysql' in +# the case of this service. +# Example with hiera: +# tripleo::profile::base::database::mysql::certificate_specs: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "mysql/<overcloud controller fqdn>" +# Defaults to {}. +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*generate_service_certificates*] +# (Optional) Whether or not certmonger will generate certificates for +# MySQL. This could be as many as specified by the $certificates_specs +# variable. +# Defaults to hiera('generate_service_certificate', false). +# # [*manage_resources*] # (Optional) Whether or not manage root user, root my.cnf, and service. # Defaults to true @@ -45,12 +67,15 @@ # Defaults to hiera('step') # class tripleo::profile::base::database::mysql ( - $bind_address = $::hostname, - $bootstrap_node = hiera('bootstrap_nodeid', undef), - $manage_resources = true, - $mysql_server_options = {}, - $remove_default_accounts = true, - $step = hiera('step'), + $bind_address = $::hostname, + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $certificate_specs = {}, + $enable_internal_tls = hiera('enable_internal_tls', false), + $generate_service_certificates = hiera('generate_service_certificates', false), + $manage_resources = true, + $mysql_server_options = {}, + $remove_default_accounts = true, + $step = hiera('step'), ) { if $::hostname == downcase($bootstrap_node) { @@ -60,6 +85,18 @@ class tripleo::profile::base::database::mysql ( } validate_hash($mysql_server_options) + validate_hash($certificate_specs) + + if $enable_internal_tls { + if $generate_service_certificates { + ensure_resource('class', 'tripleo::certmonger::mysql', $certificate_specs) + } + $tls_certfile = $certificate_specs['service_certificate'] + $tls_keyfile = $certificate_specs['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } # non-ha scenario if $manage_resources { @@ -84,6 +121,10 @@ class tripleo::profile::base::database::mysql ( 'bind-address' => $bind_address, 'max_connections' => hiera('mysql_max_connections'), 'open_files_limit' => '-1', + 'ssl' => $enable_internal_tls, + 'ssl-key' => $tls_keyfile, + 'ssl-cert' => $tls_certfile, + 'ssl-ca' => undef, } } $mysql_server_options_real = deep_merge($mysql_server_default, $mysql_server_options) @@ -143,6 +184,9 @@ class tripleo::profile::base::database::mysql ( if hiera('trove_api_enabled', false) { include ::trove::db::mysql } + if hiera('panko_api_enabled', false) { + include ::panko::db::mysql + } } } diff --git a/manifests/profile/base/glance/api.pp b/manifests/profile/base/glance/api.pp index a7d4487..af3b0ac 100644 --- a/manifests/profile/base/glance/api.pp +++ b/manifests/profile/base/glance/api.pp @@ -67,9 +67,9 @@ class tripleo::profile::base::glance::api ( class { '::glance::api': stores => $glance_store, } - + $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") class { '::glance::notify::rabbitmq' : - rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}") + rabbit_hosts => $rabbit_endpoints, } include join(['::glance::backend::', $glance_backend]) } diff --git a/manifests/profile/base/gnocchi/api.pp b/manifests/profile/base/gnocchi/api.pp index 9a08551..2fde1fc 100644 --- a/manifests/profile/base/gnocchi/api.pp +++ b/manifests/profile/base/gnocchi/api.pp @@ -22,19 +22,52 @@ # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*generate_service_certificates*] +# (Optional) Whether or not certmonger will generate certificates for +# HAProxy. This could be as many as specified by the $certificates_specs +# variable. +# Note that this doesn't configure the certificates in haproxy, it merely +# creates the certificates. +# Defaults to hiera('generate_service_certificate', false). +# # [*gnocchi_backend*] # (Optional) Gnocchi backend string file, swift or rbd # Defaults to swift # +# [*gnocchi_network*] +# (Optional) The network name where the gnocchi endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('gnocchi_api_network', undef) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. # Defaults to hiera('step') # class tripleo::profile::base::gnocchi::api ( - $bootstrap_node = hiera('bootstrap_nodeid', undef), - $gnocchi_backend = downcase(hiera('gnocchi_backend', 'swift')), - $step = hiera('step'), + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $generate_service_certificates = hiera('generate_service_certificates', false), + $gnocchi_backend = downcase(hiera('gnocchi_backend', 'swift')), + $gnocchi_network = hiera('gnocchi_api_network', undef), + $step = hiera('step'), ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -44,13 +77,31 @@ class tripleo::profile::base::gnocchi::api ( include ::tripleo::profile::base::gnocchi + if $enable_internal_tls { + if $generate_service_certificates { + ensure_resources('tripleo::certmonger::httpd', $certificates_specs) + } + + if !$gnocchi_network { + fail('gnocchi_api_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${gnocchi_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${gnocchi_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + if $step >= 3 and $sync_db { include ::gnocchi::db::sync } if $step >= 4 { include ::gnocchi::api - include ::gnocchi::wsgi::apache + class { '::gnocchi::wsgi::apache': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, + } class { '::gnocchi::storage': coordination_url => join(['redis://:', hiera('gnocchi_redis_password'), '@', normalize_ip_for_uri(hiera('redis_vip')), ':6379/']), diff --git a/manifests/profile/base/heat.pp b/manifests/profile/base/heat.pp index 2babf4c..00a9809 100644 --- a/manifests/profile/base/heat.pp +++ b/manifests/profile/base/heat.pp @@ -62,9 +62,10 @@ class tripleo::profile::base::heat ( } if $step >= 4 { + $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") class { '::heat' : notification_driver => $notification_driver, - rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}") + rabbit_hosts => $rabbit_endpoints, } include ::heat::config include ::heat::cors diff --git a/manifests/profile/base/ironic.pp b/manifests/profile/base/ironic.pp index e63e4c6..7b44421 100644 --- a/manifests/profile/base/ironic.pp +++ b/manifests/profile/base/ironic.pp @@ -48,9 +48,10 @@ class tripleo::profile::base::ironic ( } if $step >= 4 or ($step >= 3 and $sync_db) { + $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") class { '::ironic': sync_db => $sync_db, - rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}") + rabbit_hosts => $rabbit_endpoints, } include ::ironic::cors diff --git a/manifests/profile/base/keepalived.pp b/manifests/profile/base/keepalived.pp index f2063d6..8dd03dc 100644 --- a/manifests/profile/base/keepalived.pp +++ b/manifests/profile/base/keepalived.pp @@ -27,13 +27,54 @@ # for more details. # Defaults to hiera('step') # +# [*control_virtual_interface*] +# (Optional) Interface specified for control plane network +# Defaults to hiera('tripleo::keepalived::control_virtual_interface', false) +# +# [*control_virtual_ip*] +# Virtual IP address used for control plane network +# Defaults to hiera('tripleo::keepalived::controller_virtual_ip') +# +# [*public_virtual_interface*] +# (Optional) Interface specified for public/external network +# Defaults to hiera('tripleo::keepalived::public_virtual_interface', false) +# +# [*public_virtual_ip*] +# Virtual IP address used for public/ network +# Defaults to hiera('tripleo::keepalived::public_virtual_ip') +# class tripleo::profile::base::keepalived ( - $enable_load_balancer = hiera('enable_load_balancer', true), - $step = hiera('step'), + $enable_load_balancer = hiera('enable_load_balancer', true), + $control_virtual_interface = hiera('tripleo::keepalived::control_virtual_interface', false), + $control_virtual_ip = hiera('tripleo::keepalived::controller_virtual_ip'), + $public_virtual_interface = hiera('tripleo::keepalived::public_virtual_interface', false), + $public_virtual_ip = hiera('tripleo::keepalived::public_virtual_ip'), + $step = hiera('step'), ) { if $step >= 1 { if $enable_load_balancer and hiera('enable_keepalived', true){ - include ::tripleo::keepalived + if ! $control_virtual_interface { + $control_detected_interface = interface_for_ip($control_virtual_ip) + if ! $control_detected_interface { + fail('Unable to find interface for control plane network') + } + } else { + $control_detected_interface = $control_virtual_interface + } + + if ! $public_virtual_interface { + $public_detected_interface = interface_for_ip($public_virtual_ip) + if ! $public_detected_interface { + fail('Unable to find interface for public network') + } + } else { + $public_detected_interface = $public_virtual_interface + } + + class { '::tripleo::keepalived': + control_virtual_interface => $control_detected_interface, + public_virtual_interface => $public_detected_interface, + } } } } diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index e30f712..ff8d790 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -51,6 +51,22 @@ # creates the certificates. # Defaults to hiera('generate_service_certificate', false). # +# [*heat_admin_domain*] +# domain name for heat admin +# Defaults to undef +# +# [*heat_admin_email*] +# heat admin email address +# Defaults to undef +# +# [*heat_admin_password*] +# heat admin password +# Defaults to undef +# +# [*heat_admin_user*] +# heat admin user name +# Defaults to undef +# # [*manage_db_purge*] # (Optional) Whether keystone token flushing should be enabled # Defaults to hiera('keystone_enable_db_purge', true) @@ -74,38 +90,21 @@ # for more details. # Defaults to hiera('step') # -# [*heat_admin_domain*] -# domain name for heat admin -# Defaults to hiera('heat::keystone::domain::domain_name', 'heat') -# -# [*heat_admin_user*] -# heat admin user name -# Defaults to hiera('heat::keystone::domain::domain_admin', 'heat_admin') -# -# [*heat_admin_email*] -# heat admin email address -# Defaults to hiera('heat::keystone::domain::domain_admin_email', -# 'heat_admin@localhost') -# -# [*heat_admin_password*] -# heat admin password -# Defaults to hiera('heat::keystone::domain::domain_password') -# class tripleo::profile::base::keystone ( $admin_endpoint_network = hiera('keystone_admin_api_network', undef), $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), $generate_service_certificates = hiera('generate_service_certificates', false), + $heat_admin_domain = undef, + $heat_admin_email = undef, + $heat_admin_password = undef, + $heat_admin_user = undef, $manage_db_purge = hiera('keystone_enable_db_purge', true), $public_endpoint_network = hiera('keystone_public_api_network', undef), $rabbit_hosts = hiera('rabbitmq_node_ips', undef), $rabbit_port = hiera('keystone::rabbit_port', 5672), $step = hiera('step'), - $heat_admin_domain = hiera('heat::keystone::domain::domain_name', 'heat'), - $heat_admin_user = hiera('heat::keystone::domain::domain_admin', 'heat_admin'), - $heat_admin_email = hiera('heat::keystone::domain::domain_admin_email', 'heat_admin@localhost'), - $heat_admin_password = hiera('heat::keystone::domain::domain_password'), ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -143,10 +142,11 @@ class tripleo::profile::base::keystone ( } if $step >= 4 or ( $step >= 3 and $sync_db ) { + $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") class { '::keystone': sync_db => $sync_db, enable_bootstrap => $sync_db, - rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}") + rabbit_hosts => $rabbit_endpoints, } include ::keystone::config @@ -236,6 +236,9 @@ class tripleo::profile::base::keystone ( if hiera('nova_api_enabled', false) { include ::nova::keystone::auth } + if hiera('panko_api_enabled', false) { + include ::panko::keystone::auth + } if hiera('sahara_api_enabled', false) { include ::sahara::keystone::auth } diff --git a/manifests/profile/base/manila.pp b/manifests/profile/base/manila.pp index 393dd52..3e16dff 100644 --- a/manifests/profile/base/manila.pp +++ b/manifests/profile/base/manila.pp @@ -47,8 +47,9 @@ class tripleo::profile::base::manila ( } if $step >= 4 or ($step >= 3 and $sync_db) { + $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") class { '::manila' : - rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}") + rabbit_hosts => $rabbit_endpoints, } include ::manila::config } diff --git a/manifests/profile/base/mistral.pp b/manifests/profile/base/mistral.pp index dcd9d0b..3da754c 100644 --- a/manifests/profile/base/mistral.pp +++ b/manifests/profile/base/mistral.pp @@ -48,8 +48,9 @@ class tripleo::profile::base::mistral ( } if $step >= 4 or ($step >= 3 and $sync_db) { + $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") class { '::mistral': - rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}") + rabbit_hosts => $rabbit_endpoints, } include ::mistral::config include ::mistral::client diff --git a/manifests/profile/base/neutron.pp b/manifests/profile/base/neutron.pp index 53df3d9..64f5f32 100644 --- a/manifests/profile/base/neutron.pp +++ b/manifests/profile/base/neutron.pp @@ -36,8 +36,9 @@ class tripleo::profile::base::neutron ( $rabbit_port = hiera('neutron::rabbit_port', 5672), ) { if $step >= 3 { + $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") class { '::neutron' : - rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}") + rabbit_hosts => $rabbit_endpoints, } include ::neutron::config } diff --git a/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp b/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp index 2eb09ae..c120931 100644 --- a/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp +++ b/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp @@ -53,9 +53,9 @@ class tripleo::profile::base::neutron::plugins::ml2::opendaylight ( if ! $odl_url_ip { fail('OpenDaylight Controller IP/VIP is Empty') } class { '::neutron::plugins::ml2::opendaylight': - odl_username => $odl_username, - odl_password => $odl_password, - odl_url => "${conn_proto}://${odl_url_ip}:${odl_port}/controller/nb/v2/neutron"; + odl_username => $odl_username, + odl_password => $odl_password, + odl_url => "${conn_proto}://${odl_url_ip}:${odl_port}/controller/nb/v2/neutron"; } } } diff --git a/manifests/profile/base/neutron/server.pp b/manifests/profile/base/neutron/server.pp index 82c2d5f..4667ae2 100644 --- a/manifests/profile/base/neutron/server.pp +++ b/manifests/profile/base/neutron/server.pp @@ -27,9 +27,30 @@ # for more details. # Defaults to hiera('step') # +# [*l3_ha_override*] +# (Optional) Override the calculated value for neutron::server::l3_ha +# by default this is calculated to enable when DVR is not enabled +# and the number of nodes running neutron api is more than one. +# Defaults to '' which aligns with the t-h-t default, and means use +# the calculated value. Other possible values are 'true' or 'false' +# +# [*l3_nodes*] +# (Optional) List of nodes running the l3 agent, used when no override +# is passed to l3_ha_override to calculate enabling l3 HA. +# Defaults to hiera('neutron_l3_short_node_names') or [] +# (we need to default neutron_l3_short_node_names to an empty list +# because some neutron backends disable the l3 agent) +# +# [*dvr_enabled*] +# (Optional) Is dvr enabled, used when no override is passed to +# l3_ha_override to calculate enabling l3 HA. +# Defaults to hiera('neutron::server::router_distributed') or false class tripleo::profile::base::neutron::server ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $step = hiera('step'), + $l3_ha_override = '', + $l3_nodes = hiera('neutron_l3_short_node_names', []), + $dvr_enabled = hiera('neutron::server::router_distributed', false) ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -39,6 +60,16 @@ class tripleo::profile::base::neutron::server ( include ::tripleo::profile::base::neutron + # Calculate neutron::server::l3_ha based on the number of API nodes + # combined with if DVR is enabled. + if $l3_ha_override != '' { + $l3_ha = str2bool($l3_ha_override) + } elsif ! str2bool($dvr_enabled) { + $l3_ha = size($l3_nodes) > 1 + } else { + $l3_ha = false + } + # We start neutron-server on the bootstrap node first, because # it will try to populate tables and we need to make sure this happens # before it starts on other nodes @@ -48,12 +79,14 @@ class tripleo::profile::base::neutron::server ( # to true class { '::neutron::server': sync_db => $sync_db, + l3_ha => $l3_ha, } } if $step >= 5 and !$sync_db { include ::neutron::server::notifications class { '::neutron::server': sync_db => $sync_db, + l3_ha => $l3_ha, } } } diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp index b397802..4626465 100644 --- a/manifests/profile/base/nova.pp +++ b/manifests/profile/base/nova.pp @@ -68,8 +68,9 @@ class tripleo::profile::base::nova ( } if hiera('step') >= 4 or (hiera('step') >= 3 and $sync_db) { + $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") class { '::nova' : - rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}") + rabbit_hosts => $rabbit_endpoints, } include ::nova::config class { '::nova::cache': diff --git a/manifests/profile/base/nova/api.pp b/manifests/profile/base/nova/api.pp index ca2f7dd..e660990 100644 --- a/manifests/profile/base/nova/api.pp +++ b/manifests/profile/base/nova/api.pp @@ -20,14 +20,47 @@ # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*generate_service_certificates*] +# (Optional) Whether or not certmonger will generate certificates for +# HAProxy. This could be as many as specified by the $certificates_specs +# variable. +# Note that this doesn't configure the certificates in haproxy, it merely +# creates the certificates. +# Defaults to hiera('generate_service_certificate', false). +# +# [*nova_api_network*] +# (Optional) The network name where the nova API endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('nova_api_network', undef) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. # Defaults to hiera('step') # class tripleo::profile::base::nova::api ( - $bootstrap_node = hiera('bootstrap_nodeid', undef), - $step = hiera('step'), + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $generate_service_certificates = hiera('generate_service_certificates', false), + $nova_api_network = hiera('nova_api_network', undef), + $step = hiera('step'), ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -37,6 +70,21 @@ class tripleo::profile::base::nova::api ( include ::tripleo::profile::base::nova + if $enable_internal_tls { + if $generate_service_certificates { + ensure_resources('tripleo::certmonger::httpd', $certificates_specs) + } + + if !$nova_api_network { + fail('nova_api_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${nova_api_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${nova_api_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + if $step >= 4 or ($step >= 3 and $sync_db) { if hiera('nova::use_ipv6', false) { @@ -53,7 +101,10 @@ class tripleo::profile::base::nova::api ( sync_db => $sync_db, sync_db_api => $sync_db, } - include ::nova::wsgi::apache + class { '::nova::wsgi::apache': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, + } include ::nova::network::neutron } diff --git a/manifests/profile/base/panko.pp b/manifests/profile/base/panko.pp new file mode 100644 index 0000000..4abed56 --- /dev/null +++ b/manifests/profile/base/panko.pp @@ -0,0 +1,47 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::panko +# +# panko profile for tripleo +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') + +class tripleo::profile::base::panko ( + $step = hiera('step'), + $bootstrap_node = hiera('bootstrap_nodeid', undef), +) { + + if $::hostname == downcase($bootstrap_node) { + $sync_db = true + } else { + $sync_db = false + } + + if $step >= 4 or ($step >= 3 and $sync_db) { + include ::panko + include ::panko::config + include ::panko::db::sync + } + +} diff --git a/manifests/profile/base/panko/api.pp b/manifests/profile/base/panko/api.pp new file mode 100644 index 0000000..45ee0c0 --- /dev/null +++ b/manifests/profile/base/panko/api.pp @@ -0,0 +1,86 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::panko::api +# +# Panko API profile for tripleo +# +# === Parameters +# +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*generate_service_certificates*] +# (Optional) Whether or not certmonger will generate certificates for +# HAProxy. This could be as many as specified by the $certificates_specs +# variable. +# Note that this doesn't configure the certificates in haproxy, it merely +# creates the certificates. +# Defaults to hiera('generate_service_certificate', false). +# +# [*panko_network*] +# (Optional) The network name where the panko endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('panko_api_network', undef) +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::panko::api ( + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $generate_service_certificates = hiera('generate_service_certificates', false), + $panko_network = hiera('panko_api_network', undef), + $step = hiera('step'), +) { + include ::tripleo::profile::base::panko + + if $enable_internal_tls { + if $generate_service_certificates { + ensure_resources('tripleo::certmonger::httpd', $certificates_specs) + } + + if !$panko_network { + fail('panko_api_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${panko_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${panko_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + + if $step >= 4 { + include ::panko::api + class { '::panko::wsgi::apache': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, + } + } +} diff --git a/manifests/profile/base/sahara.pp b/manifests/profile/base/sahara.pp index c034628..f509225 100644 --- a/manifests/profile/base/sahara.pp +++ b/manifests/profile/base/sahara.pp @@ -47,9 +47,10 @@ class tripleo::profile::base::sahara ( } if $step >= 4 or ($step >= 3 and $sync_db){ + $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") class { '::sahara': sync_db => $sync_db, - rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}") + rabbit_hosts => $rabbit_endpoints, } } } diff --git a/manifests/profile/base/swift/proxy.pp b/manifests/profile/base/swift/proxy.pp index 15b4686..ea309db 100644 --- a/manifests/profile/base/swift/proxy.pp +++ b/manifests/profile/base/swift/proxy.pp @@ -68,5 +68,10 @@ class tripleo::profile::base::swift::proxy ( rabbit_hosts => $swift_rabbit_hosts, } include ::swift::proxy::versioned_writes + include ::swift::proxy::slo + include ::swift::proxy::dlo + include ::swift::proxy::copy + include ::swift::proxy::container_quotas + include ::swift::proxy::account_quotas } } diff --git a/manifests/ui.pp b/manifests/ui.pp index 41ad8d6..27e3e50 100644 --- a/manifests/ui.pp +++ b/manifests/ui.pp @@ -25,7 +25,7 @@ # # [*bind_host*] # The host/ip address Apache will listen on. -# Optional. Defaults to undef (listen on all ip addresses). +# Optional. Defaults to hiera('controller_host') # # [*ui_port*] # The port on which the UI is listening. diff --git a/metadata.json b/metadata.json index c7f0e77..a417f95 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "openstack-tripleo", - "version": "5.4.0", + "version": "6.0.0", "author": "OpenStack Contributors", "summary": "Puppet module for TripleO", "license": "Apache-2.0", diff --git a/spec/classes/tripleo_firewall_spec.rb b/spec/classes/tripleo_firewall_spec.rb index 1270aa7..3116a51 100644 --- a/spec/classes/tripleo_firewall_spec.rb +++ b/spec/classes/tripleo_firewall_spec.rb @@ -76,7 +76,8 @@ describe 'tripleo::firewall' do '301 add custom application 2' => {'port' => '8081', 'proto' => 'tcp', 'action' => 'accept'}, '302 fwd custom cidr 1' => {'chain' => 'FORWARD', 'destination' => '192.0.2.0/24'}, '303 add custom application 3' => {'dport' => '8081', 'proto' => 'tcp', 'action' => 'accept'}, - '304 add custom application 4' => {'sport' => '1000', 'proto' => 'tcp', 'action' => 'accept'} + '304 add custom application 4' => {'sport' => '1000', 'proto' => 'tcp', 'action' => 'accept'}, + '305 add gre rule' => {'proto' => 'gre'} } ) end @@ -109,6 +110,7 @@ describe 'tripleo::firewall' do :action => 'accept', :state => ['NEW'], ) + is_expected.to contain_firewall('305 add gre rule').without(:state) end end diff --git a/spec/classes/tripleo_profile_base_aodh_api_spec.rb b/spec/classes/tripleo_profile_base_aodh_api_spec.rb index d1f0b6b..63dbe71 100644 --- a/spec/classes/tripleo_profile_base_aodh_api_spec.rb +++ b/spec/classes/tripleo_profile_base_aodh_api_spec.rb @@ -30,7 +30,6 @@ describe 'tripleo::profile::base::aodh::api' do is_expected.to contain_class('tripleo::profile::base::aodh') is_expected.to_not contain_class('aodh::api') is_expected.to_not contain_class('aodh::wsgi::apache') - is_expected.to_not contain_aodh_config('api/enable_combination_alarms') end end @@ -42,23 +41,8 @@ describe 'tripleo::profile::base::aodh::api' do it 'should trigger complete configuration' do is_expected.to contain_class('aodh::api') is_expected.to contain_class('aodh::wsgi::apache') - is_expected.to contain_aodh_config('api/enable_combination_alarms').with_value('false') end end - - context 'with step 4 and enable combo alarms' do - let(:params) { { - :step => 4, - :enable_combination_alarms => true - } } - - it 'should trigger complete configuration' do - is_expected.to contain_class('aodh::api') - is_expected.to contain_class('aodh::wsgi::apache') - is_expected.to contain_aodh_config('api/enable_combination_alarms').with_value('true') - end - end - end diff --git a/spec/classes/tripleo_profile_base_ceph_rgw_spec.rb b/spec/classes/tripleo_profile_base_ceph_rgw_spec.rb index e9459d0..88f971b 100644 --- a/spec/classes/tripleo_profile_base_ceph_rgw_spec.rb +++ b/spec/classes/tripleo_profile_base_ceph_rgw_spec.rb @@ -30,7 +30,9 @@ describe 'tripleo::profile::base::ceph::rgw' do { :keystone_admin_token => 'token', :keystone_url => 'url', - :rgw_key => 'key' + :rgw_key => 'key', + :civetweb_bind_ip => '2001:db8:0:1234:0:567:8:1', + :civetweb_bind_port => '8888', } end @@ -39,7 +41,7 @@ describe 'tripleo::profile::base::ceph::rgw' do it 'should do nothing' do is_expected.to contain_class('tripleo::profile::base::ceph::rgw') is_expected.to contain_class('tripleo::profile::base::ceph') - is_expected.to_not contain_class('ceph::profile::rgw') + is_expected.to_not contain_class('ceph::rgw') end end @@ -47,7 +49,10 @@ describe 'tripleo::profile::base::ceph::rgw' do let(:params) { default_params.merge({ :step => 3 }) } it 'should include rgw configuration' do is_expected.to contain_class('tripleo::profile::base::ceph') - is_expected.to contain_class('ceph::profile::rgw') + is_expected.to contain_ceph__rgw('radosgw.gateway').with( + :frontend_type => 'civetweb', + :rgw_frontends => 'civetweb port=[2001:db8:0:1234:0:567:8:1]:8888' + ) is_expected.to contain_ceph__key('client.radosgw.gateway').with( :secret => 'key', :cap_mon => 'allow *', @@ -62,7 +67,10 @@ describe 'tripleo::profile::base::ceph::rgw' do let(:params) { default_params.merge({ :step => 4 }) } it 'should include rgw configuration' do is_expected.to contain_class('tripleo::profile::base::ceph') - is_expected.to contain_class('ceph::profile::rgw') + is_expected.to contain_ceph__rgw('radosgw.gateway').with( + :frontend_type => 'civetweb', + :rgw_frontends => 'civetweb port=[2001:db8:0:1234:0:567:8:1]:8888' + ) is_expected.to contain_ceph__key('client.radosgw.gateway').with( :secret => 'key', :cap_mon => 'allow *', |