diff options
| -rw-r--r-- | manifests/haproxy.pp | 12 | ||||
| -rw-r--r-- | manifests/network/os_net_config.pp | 11 | ||||
| -rw-r--r-- | manifests/profile/base/barbican/api.pp | 57 | ||||
| -rw-r--r-- | manifests/profile/base/ceph/rgw.pp | 20 | ||||
| -rw-r--r-- | manifests/profile/base/cinder/api.pp | 57 | ||||
| -rw-r--r-- | manifests/profile/base/keystone.pp | 41 | ||||
| -rw-r--r-- | metadata.json | 2 | ||||
| -rw-r--r-- | spec/classes/tripleo_profile_base_ceph_rgw_spec.rb | 16 |
8 files changed, 177 insertions, 39 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index c0084be..5b4d05e 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -21,7 +21,7 @@ # # [*keepalived*] # Whether to configure keepalived to manage the VIPs or not. -# Defaults to true +# Defaults to hiera('keepalived_enabled') # # [*haproxy_service_manage*] # Will be passed as value for service_manage to HAProxy module. @@ -459,7 +459,7 @@ class tripleo::haproxy ( $controller_virtual_ip, $public_virtual_ip, - $keepalived = true, + $keepalived = hiera('keepalived_enabled', false), $haproxy_service_manage = true, $haproxy_global_maxconn = 20480, $haproxy_default_maxconn = 4096, @@ -620,7 +620,7 @@ class tripleo::haproxy ( } # This code will be removed once we switch undercloud and overcloud to use both haproxy & keepalived roles. - if $keepalived { + if str2bool($keepalived) { include ::tripleo::keepalived # Make sure keepalive starts before haproxy. Class['::keepalived::service'] -> Class['::haproxy'] @@ -823,6 +823,7 @@ class tripleo::haproxy ( }, public_ssl_port => $ports[cinder_api_ssl_port], service_network => $cinder_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -1001,9 +1002,10 @@ class tripleo::haproxy ( internal_ip => hiera('barbican_api_vip', $controller_virtual_ip), service_port => $ports[barbican_api_port], ip_addresses => hiera('barbican_api_node_ips', $controller_hosts_real), - server_names => hiera('aodh_api_node_names', $controller_hosts_names_real), + server_names => hiera('barbican_api_node_names', $controller_hosts_names_real), public_ssl_port => $ports[barbican_api_ssl_port], - service_network => $barbican_network + service_network => $barbican_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } diff --git a/manifests/network/os_net_config.pp b/manifests/network/os_net_config.pp index 7e07f6c..3283b5f 100644 --- a/manifests/network/os_net_config.pp +++ b/manifests/network/os_net_config.pp @@ -30,6 +30,17 @@ class tripleo::network::os_net_config { Package['openvswitch'], Service['openvswitch'], ], + notify => Exec['trigger-keepalived-restart'], } + # By modifying the keepalived.conf file we ensure that puppet will + # trigger a restart of keepalived during the main stage. Adding back + # any lost conf during the os-net-config step. + exec { 'trigger-keepalived-restart': + command => '/usr/bin/echo "# Restart keepalived" >> /etc/keepalived/keepalived.conf', + path => '/usr/bin:/bin', + refreshonly => true, + # Only if keepalived is installed + onlyif => 'test -e /etc/keepalived/keepalived.conf', + } } diff --git a/manifests/profile/base/barbican/api.pp b/manifests/profile/base/barbican/api.pp index 470e649..b464317 100644 --- a/manifests/profile/base/barbican/api.pp +++ b/manifests/profile/base/barbican/api.pp @@ -18,18 +18,51 @@ # # === Parameters # +# [*barbican_network*] +# (Optional) The network name where the barbican endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('barbican_api_network', undef) +# # [*bootstrap_node*] # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*generate_service_certificates*] +# (Optional) Whether or not certmonger will generate certificates for +# HAProxy. This could be as many as specified by the $certificates_specs +# variable. +# Note that this doesn't configure the certificates in haproxy, it merely +# creates the certificates. +# Defaults to hiera('generate_service_certificate', false). +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. # Defaults to hiera('step') # class tripleo::profile::base::barbican::api ( - $bootstrap_node = hiera('bootstrap_nodeid', undef), - $step = hiera('step'), + $barbican_network = hiera('barbican_api_network', undef), + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $generate_service_certificates = hiera('generate_service_certificates', false), + $step = hiera('step'), ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -37,6 +70,21 @@ class tripleo::profile::base::barbican::api ( $sync_db = false } + if $enable_internal_tls { + if $generate_service_certificates { + ensure_resources('tripleo::certmonger::httpd', $certificates_specs) + } + + if !$barbican_network { + fail('barbican_api_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${barbican_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${barbican_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + include ::tripleo::profile::base::barbican if $step >= 3 and $sync_db { @@ -51,6 +99,9 @@ class tripleo::profile::base::barbican::api ( include ::barbican::api::logging include ::barbican::keystone::notification include ::barbican::quota - include ::barbican::wsgi::apache + class { '::barbican::wsgi::apache': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, + } } } diff --git a/manifests/profile/base/ceph/rgw.pp b/manifests/profile/base/ceph/rgw.pp index 7cd2b6a..2ecca52 100644 --- a/manifests/profile/base/ceph/rgw.pp +++ b/manifests/profile/base/ceph/rgw.pp @@ -18,6 +18,14 @@ # # === Parameters # +# [*civetweb_bind_ip*] +# IP address where to bind the RGW civetweb instance +# (Optional) Defaults to 127.0.0.1 +# +# [*civetweb_bind_port*] +# PORT where to bind the RGW civetweb instance +# (Optional) Defaults to 8080 +# # [*keystone_admin_token*] # The keystone admin token # @@ -36,14 +44,22 @@ class tripleo::profile::base::ceph::rgw ( $keystone_admin_token, $keystone_url, $rgw_key, - $step = hiera('step'), + $civetweb_bind_ip = '127.0.0.1', + $civetweb_bind_port = '8080', + $step = hiera('step'), ) { include ::tripleo::profile::base::ceph if $step >= 3 { - include ::ceph::profile::rgw $rgw_name = hiera('ceph::profile::params::rgw_name', 'radosgw.gateway') + $civetweb_bind_ip_real = normalize_ip_for_uri($civetweb_bind_ip) + include ::ceph::params + include ::ceph::profile::base + ceph::rgw { $rgw_name: + frontend_type => 'civetweb', + rgw_frontends => "civetweb port=${civetweb_bind_ip_real}:${civetweb_bind_port}" + } ceph::key { "client.${rgw_name}": secret => $rgw_key, cap_mon => 'allow *', diff --git a/manifests/profile/base/cinder/api.pp b/manifests/profile/base/cinder/api.pp index 8fcc7d6..5ea2058 100644 --- a/manifests/profile/base/cinder/api.pp +++ b/manifests/profile/base/cinder/api.pp @@ -22,14 +22,47 @@ # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*cinder_api_network*] +# (Optional) The network name where the cinder API endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('cinder_api_network', undef) +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*generate_service_certificates*] +# (Optional) Whether or not certmonger will generate certificates for +# HAProxy. This could be as many as specified by the $certificates_specs +# variable. +# Note that this doesn't configure the certificates in haproxy, it merely +# creates the certificates. +# Defaults to hiera('generate_service_certificate', false). +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. # Defaults to hiera('step') # class tripleo::profile::base::cinder::api ( - $bootstrap_node = hiera('bootstrap_nodeid', undef), - $step = hiera('step'), + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $certificates_specs = hiera('apache_certificates_specs', {}), + $cinder_api_network = hiera('cinder_api_network', undef), + $enable_internal_tls = hiera('enable_internal_tls', false), + $generate_service_certificates = hiera('generate_service_certificates', false), + $step = hiera('step'), ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -39,9 +72,27 @@ class tripleo::profile::base::cinder::api ( include ::tripleo::profile::base::cinder + if $enable_internal_tls { + if $generate_service_certificates { + ensure_resources('tripleo::certmonger::httpd', $certificates_specs) + } + + if !$cinder_api_network { + fail('cinder_api_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${cinder_api_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${cinder_api_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + if $step >= 4 or ($step >= 3 and $sync_db) { include ::cinder::api - include ::cinder::wsgi::apache + class { '::cinder::wsgi::apache': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, + } include ::cinder::ceilometer include ::cinder::glance } diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index e72798d..ff8d790 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -51,6 +51,22 @@ # creates the certificates. # Defaults to hiera('generate_service_certificate', false). # +# [*heat_admin_domain*] +# domain name for heat admin +# Defaults to undef +# +# [*heat_admin_email*] +# heat admin email address +# Defaults to undef +# +# [*heat_admin_password*] +# heat admin password +# Defaults to undef +# +# [*heat_admin_user*] +# heat admin user name +# Defaults to undef +# # [*manage_db_purge*] # (Optional) Whether keystone token flushing should be enabled # Defaults to hiera('keystone_enable_db_purge', true) @@ -74,38 +90,21 @@ # for more details. # Defaults to hiera('step') # -# [*heat_admin_domain*] -# domain name for heat admin -# Defaults to hiera('heat::keystone::domain::domain_name', 'heat') -# -# [*heat_admin_user*] -# heat admin user name -# Defaults to hiera('heat::keystone::domain::domain_admin', 'heat_admin') -# -# [*heat_admin_email*] -# heat admin email address -# Defaults to hiera('heat::keystone::domain::domain_admin_email', -# 'heat_admin@localhost') -# -# [*heat_admin_password*] -# heat admin password -# Defaults to hiera('heat::keystone::domain::domain_password') -# class tripleo::profile::base::keystone ( $admin_endpoint_network = hiera('keystone_admin_api_network', undef), $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), $generate_service_certificates = hiera('generate_service_certificates', false), + $heat_admin_domain = undef, + $heat_admin_email = undef, + $heat_admin_password = undef, + $heat_admin_user = undef, $manage_db_purge = hiera('keystone_enable_db_purge', true), $public_endpoint_network = hiera('keystone_public_api_network', undef), $rabbit_hosts = hiera('rabbitmq_node_ips', undef), $rabbit_port = hiera('keystone::rabbit_port', 5672), $step = hiera('step'), - $heat_admin_domain = hiera('heat::keystone::domain::domain_name', 'heat'), - $heat_admin_user = hiera('heat::keystone::domain::domain_admin', 'heat_admin'), - $heat_admin_email = hiera('heat::keystone::domain::domain_admin_email', 'heat_admin@localhost'), - $heat_admin_password = hiera('heat::keystone::domain::domain_password'), ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true diff --git a/metadata.json b/metadata.json index c7f0e77..a417f95 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "openstack-tripleo", - "version": "5.4.0", + "version": "6.0.0", "author": "OpenStack Contributors", "summary": "Puppet module for TripleO", "license": "Apache-2.0", diff --git a/spec/classes/tripleo_profile_base_ceph_rgw_spec.rb b/spec/classes/tripleo_profile_base_ceph_rgw_spec.rb index e9459d0..88f971b 100644 --- a/spec/classes/tripleo_profile_base_ceph_rgw_spec.rb +++ b/spec/classes/tripleo_profile_base_ceph_rgw_spec.rb @@ -30,7 +30,9 @@ describe 'tripleo::profile::base::ceph::rgw' do { :keystone_admin_token => 'token', :keystone_url => 'url', - :rgw_key => 'key' + :rgw_key => 'key', + :civetweb_bind_ip => '2001:db8:0:1234:0:567:8:1', + :civetweb_bind_port => '8888', } end @@ -39,7 +41,7 @@ describe 'tripleo::profile::base::ceph::rgw' do it 'should do nothing' do is_expected.to contain_class('tripleo::profile::base::ceph::rgw') is_expected.to contain_class('tripleo::profile::base::ceph') - is_expected.to_not contain_class('ceph::profile::rgw') + is_expected.to_not contain_class('ceph::rgw') end end @@ -47,7 +49,10 @@ describe 'tripleo::profile::base::ceph::rgw' do let(:params) { default_params.merge({ :step => 3 }) } it 'should include rgw configuration' do is_expected.to contain_class('tripleo::profile::base::ceph') - is_expected.to contain_class('ceph::profile::rgw') + is_expected.to contain_ceph__rgw('radosgw.gateway').with( + :frontend_type => 'civetweb', + :rgw_frontends => 'civetweb port=[2001:db8:0:1234:0:567:8:1]:8888' + ) is_expected.to contain_ceph__key('client.radosgw.gateway').with( :secret => 'key', :cap_mon => 'allow *', @@ -62,7 +67,10 @@ describe 'tripleo::profile::base::ceph::rgw' do let(:params) { default_params.merge({ :step => 4 }) } it 'should include rgw configuration' do is_expected.to contain_class('tripleo::profile::base::ceph') - is_expected.to contain_class('ceph::profile::rgw') + is_expected.to contain_ceph__rgw('radosgw.gateway').with( + :frontend_type => 'civetweb', + :rgw_frontends => 'civetweb port=[2001:db8:0:1234:0:567:8:1]:8888' + ) is_expected.to contain_ceph__key('client.radosgw.gateway').with( :secret => 'key', :cap_mon => 'allow *', |