30 files changed, 726 insertions, 149 deletions
diff --git a/manifests/certmonger/ca/crl.pp b/manifests/certmonger/ca/crl.pp index 2454460..a69065d 100644 --- a/manifests/certmonger/ca/crl.pp +++ b/manifests/certmonger/ca/crl.pp @@ -129,7 +129,7 @@ class tripleo::certmonger::ca::crl ( if $ensure == 'present' { # Fetch CRL in cron job and notify needed services - $cmd_list = concat(["${sleep}curl -L -o ${fetched_crl} ${crl_source}"], $process_cmd, $reload_cmds) + $cmd_list = concat(["${sleep}curl -s -L -o ${fetched_crl} ${crl_source}"], $process_cmd, $reload_cmds) $cron_cmd = join($cmd_list, ' && ') } else { $cron_cmd = absent diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp index d4f4ad2..819348d 100644 --- a/manifests/certmonger/haproxy.pp +++ b/manifests/certmonger/haproxy.pp @@ -32,10 +32,6 @@ # The hostname that certmonger will use as the common name for the # certificate. # -# [*postsave_cmd*] -# The post-save-command that certmonger will use once it renews the -# certificate. -# # [*certmonger_ca*] # (Optional) The CA that certmonger will use to generate the certificates. # Defaults to hiera('certmonger_ca', 'local'). @@ -48,15 +44,19 @@ # [*principal*] # The haproxy service principal that is set for HAProxy in kerberos. # +# [*postsave_cmd*] +# The post-save-command that certmonger will use once it renews the +# certificate. +# define tripleo::certmonger::haproxy ( $service_pem, $service_certificate, $service_key, $hostname, - $postsave_cmd, $certmonger_ca = hiera('certmonger_ca', 'local'), $dnsnames = undef, $principal = undef, + $postsave_cmd = undef, ){ include ::certmonger include ::haproxy::params @@ -74,6 +74,7 @@ define tripleo::certmonger::haproxy ( $dnsnames_real = $hostname } + $postsave_cmd_real = pick($postsave_cmd, 'systemctl reload haproxy') certmonger_certificate { "${title}-cert": ensure => 'present', ca => $certmonger_ca, 
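Review bot: Adding `-s` to the curl call in crl.pp silences error output but does not change the part that matters: curl exits 0 on an HTTP error response and writes the error body to `${fetched_crl}`, so the `&&` chain still runs `$process_cmd` and `$reload_cmds` on whatever came back. `-sS -f` keeps errors visible in the cron output while making a non-2xx response abort the chain before the CRL is processed: `$cmd_list = concat(["${sleep}curl -sS -f -L -o ${fetched_crl} ${crl_source}"], $process_cmd, $reload_cmds)`. The enclosing class starts and ends outside the hunk.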
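Review bot: The fallback `'systemctl reload haproxy'` in the haproxy.pp `@@ -74` hunk hard-codes the unit name, whereas the sibling defines touched by this commit (httpd, mongodb, mysql, rabbitmq) build their default from the respective `::*::params` class. `::haproxy::params` is already included a few lines above; if it exposes a service name variable, using it here would keep the five defaults consistent — confirm against the haproxy module. The define's body continues outside the hunk.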
@@ -81,7 +82,7 @@ define tripleo::certmonger::haproxy ( dnsname => $dnsnames_real, certfile => $service_certificate, keyfile => $service_key, - postsave_cmd => $postsave_cmd, + postsave_cmd => $postsave_cmd_real, principal => $principal, wait => true, tag => 'haproxy-cert', diff --git a/manifests/certmonger/httpd.pp b/manifests/certmonger/httpd.pp index e9754f7..1b57984 100644 --- a/manifests/certmonger/httpd.pp +++ b/manifests/certmonger/httpd.pp @@ -36,6 +36,11 @@ # in the certificate. If left unset, the value will be set to the $hostname. # Defaults to undef # +# [*postsave_cmd*] +# (Optional) Specifies the command to execute after requesting a certificate. +# If nothing is given, it will default to: "systemctl restart ${service name}" +# Defaults to undef. +# # [*principal*] # The haproxy service principal that is set for HAProxy in kerberos. # @@ -45,6 +50,7 @@ define tripleo::certmonger::httpd ( $service_key, $certmonger_ca = hiera('certmonger_ca', 'local'), $dnsnames = undef, + $postsave_cmd = undef, $principal = undef, ) { include ::certmonger @@ -56,7 +62,7 @@ define tripleo::certmonger::httpd ( $dnsnames_real = $hostname } - $postsave_cmd = "systemctl reload ${::apache::params::service_name}" + $postsave_cmd_real = pick($postsave_cmd, "systemctl reload ${::apache::params::service_name}") certmonger_certificate { $name : ensure => 'present', certfile => $service_certificate, @@ -64,7 +70,7 @@ define tripleo::certmonger::httpd ( hostname => $hostname, dnsname => $dnsnames_real, principal => $principal, - postsave_cmd => $postsave_cmd, + postsave_cmd => $postsave_cmd_real, ca => $certmonger_ca, wait => true, tag => 'apache-cert', diff --git a/manifests/certmonger/mongodb.pp b/manifests/certmonger/mongodb.pp index 0b2dd6a..37af82c 100644 --- a/manifests/certmonger/mongodb.pp +++ b/manifests/certmonger/mongodb.pp 
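Review bot: The new `[*postsave_cmd*]` doc in httpd.pp says the default is `systemctl restart ${service name}`, but the `@@ -56` hunk picks `"systemctl reload ${::apache::params::service_name}"`; the doc line should read `# If nothing is given, it will default to: "systemctl reload ${service name}"`. The same restart/reload mismatch is in the mysql.pp doc hunk (`@@ -37`), whose code default is `systemctl reload ${::mysql::params::server_service_name}`; the mongodb.pp and rabbitmq.pp docs are accurate since those really do restart.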
@@ -34,6 +34,11 @@ # (Optional) The CA that certmonger will use to generate the certificates. # Defaults to hiera('certmonger_ca', 'local'). # +# [*postsave_cmd*] +# (Optional) Specifies the command to execute after requesting a certificate. +# If nothing is given, it will default to: "systemctl restart ${service name}" +# Defaults to undef. +# # [*principal*] # (Optional) The service principal that is set for the service in kerberos. # Defaults to undef @@ -44,12 +49,13 @@ class tripleo::certmonger::mongodb ( $service_key, $service_pem, $certmonger_ca = hiera('certmonger_ca', 'local'), + $postsave_cmd = undef, $principal = undef, ) { include ::certmonger include ::mongodb::params - $postsave_cmd = "systemctl restart ${::mongodb::params::service_name}" + $postsave_cmd_real = pick($postsave_cmd, "systemctl restart ${::mongodb::params::service_name}") certmonger_certificate { 'mongodb' : ensure => 'present', certfile => $service_certificate, @@ -57,7 +63,7 @@ class tripleo::certmonger::mongodb ( hostname => $hostname, dnsname => $hostname, principal => $principal, - postsave_cmd => $postsave_cmd, + postsave_cmd => $postsave_cmd_real, ca => $certmonger_ca, wait => true, require => Class['::certmonger'], diff --git a/manifests/certmonger/mysql.pp b/manifests/certmonger/mysql.pp index 0988c55..ae408b6 100644 --- a/manifests/certmonger/mysql.pp +++ b/manifests/certmonger/mysql.pp @@ -37,6 +37,11 @@ # This parameter can take both a string or an array of strings. # Defaults to $hostname # +# [*postsave_cmd*] +# (Optional) Specifies the command to execute after requesting a certificate. +# If nothing is given, it will default to: "systemctl restart ${service name}" +# Defaults to undef. +# # [*principal*] # (Optional) The haproxy service principal that is set for MySQL in kerberos. # Defaults to undef 
@@ -47,12 +52,13 @@ class tripleo::certmonger::mysql ( $service_key, $certmonger_ca = hiera('certmonger_ca', 'local'), $dnsnames = $hostname, + $postsave_cmd = undef, $principal = undef, ) { include ::certmonger include ::mysql::params - $postsave_cmd = "systemctl reload ${::mysql::params::server_service_name}" + $postsave_cmd_real = pick($postsave_cmd, "systemctl reload ${::mysql::params::server_service_name}") certmonger_certificate { 'mysql' : ensure => 'present', certfile => $service_certificate, @@ -60,7 +66,7 @@ class tripleo::certmonger::mysql ( hostname => $hostname, dnsname => $dnsnames, principal => $principal, - postsave_cmd => $postsave_cmd, + postsave_cmd => $postsave_cmd_real, ca => $certmonger_ca, wait => true, require => Class['::certmonger'], diff --git a/manifests/certmonger/rabbitmq.pp b/manifests/certmonger/rabbitmq.pp index 4a47938..15b1fc3 100644 --- a/manifests/certmonger/rabbitmq.pp +++ b/manifests/certmonger/rabbitmq.pp @@ -31,6 +31,11 @@ # (Optional) The CA that certmonger will use to generate the certificates. # Defaults to hiera('certmonger_ca', 'local'). # +# [*postsave_cmd*] +# (Optional) Specifies the command to execute after requesting a certificate. +# If nothing is given, it will default to: "systemctl restart ${service name}" +# Defaults to undef. +# # [*principal*] # (Optional) The service principal that is set for the service in kerberos. # Defaults to undef @@ -40,12 +45,13 @@ class tripleo::certmonger::rabbitmq ( $service_certificate, $service_key, $certmonger_ca = hiera('certmonger_ca', 'local'), + $postsave_cmd = undef, $principal = undef, ) { include ::certmonger include ::rabbitmq::params - $postsave_cmd = "systemctl restart ${::rabbitmq::params::service_name}" + $postsave_cmd_real = pick($postsave_cmd, "systemctl restart ${::rabbitmq::params::service_name}") certmonger_certificate { 'rabbitmq' : ensure => 'present', certfile => $service_certificate, 
@@ -53,7 +59,7 @@ class tripleo::certmonger::rabbitmq ( hostname => $hostname, dnsname => $hostname, principal => $principal, - postsave_cmd => $postsave_cmd, + postsave_cmd => $postsave_cmd_real, ca => $certmonger_ca, wait => true, require => Class['::certmonger'], diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index a3d088a..9939ca9 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -402,6 +402,10 @@ # (optional) Specify the network heat_cloudwatch is running on. # Defaults to hiera('heat_api_cloudwatch_network', undef) # +# [*horizon_network*] +# (optional) Specify the network horizon is running on. +# Defaults to hiera('horizon_network', undef) +# # [*ironic_inspector_network*] # (optional) Specify the network ironic_inspector is running on. # Defaults to hiera('ironic_inspector_network', undef) @@ -520,7 +524,6 @@ # 'ironic_inspector_port' (Defaults to 5050) # 'ironic_inspector_ssl_port' (Defaults to 13050) # 'keystone_admin_api_port' (Defaults to 35357) -# 'keystone_admin_api_ssl_port' (Defaults to 13357) # 'keystone_public_api_port' (Defaults to 5000) # 'keystone_public_api_ssl_port' (Defaults to 13000) # 'manila_api_port' (Defaults to 8786) @@ -644,6 +647,7 @@ class tripleo::haproxy ( $heat_api_network = hiera('heat_api_network', undef), $heat_cfn_network = hiera('heat_api_cfn_network', undef), $heat_cloudwatch_network = hiera('heat_api_cloudwatch_network', undef), + $horizon_network = hiera('horizon_network', undef), $ironic_inspector_network = hiera('ironic_inspector_network', undef), $ironic_network = hiera('ironic_api_network', undef), $keystone_admin_network = hiera('keystone_admin_api_network', undef), @@ -708,7 +712,6 @@ class tripleo::haproxy ( ironic_inspector_port => 5050, ironic_inspector_ssl_port => 13050, keystone_admin_api_port => 35357, - keystone_admin_api_ssl_port => 13357, keystone_public_api_port => 5000, keystone_public_api_ssl_port => 13000, manila_api_port => 8786, 
@@ -772,43 +775,6 @@ class tripleo::haproxy ( $controller_hosts_names_real = downcase(any2array(split($controller_hosts_names, ','))) } - $horizon_vip = hiera('horizon_vip', $controller_virtual_ip) - if $service_certificate { - # NOTE(jaosorior): If the horizon_vip and the public_virtual_ip are the - # same, the first option takes precedence. Which is the case when network - # isolation is not enabled. This is not a problem as both options are - # identical. If network isolation is enabled, this works correctly and - # will add a TLS binding to both the horizon_vip and the - # public_virtual_ip. - # Even though for the public_virtual_ip the port 80 is listening, we - # redirect to https in the horizon_options below. - $horizon_bind_opts = { - "${horizon_vip}:80" => $haproxy_listen_bind_param, - "${horizon_vip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - "${public_virtual_ip}:80" => $haproxy_listen_bind_param, - "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - $horizon_options = { - 'cookie' => 'SERVERID insert indirect nocache', - 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', - # NOTE(jaosorior): We always redirect to https for the public_virtual_ip. - 'redirect' => 'scheme https code 301 if !{ ssl_fc }', - 'option' => [ 'forwardfor', 'httpchk' ], - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - } - } else { - $horizon_bind_opts = { - "${horizon_vip}:80" => $haproxy_listen_bind_param, - "${public_virtual_ip}:80" => $haproxy_listen_bind_param, - } - $horizon_options = { - 'cookie' => 'SERVERID insert indirect nocache', - 'option' => [ 'forwardfor', 'httpchk' ], - } - } - $mysql_vip = hiera('mysql_vip', $controller_virtual_ip) $mysql_bind_opts = { "${mysql_vip}:3306" => $haproxy_listen_bind_param, 
@@ -894,16 +860,14 @@ class tripleo::haproxy ( if $keystone_admin { ::tripleo::haproxy::endpoint { 'keystone_admin': - public_virtual_ip => $public_virtual_ip, - internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip), - service_port => $ports[keystone_admin_api_port], - ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real), - server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real), - mode => 'http', - listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }), - public_ssl_port => $ports[keystone_admin_api_ssl_port], - service_network => $keystone_admin_network, - member_options => union($haproxy_member_options, $internal_tls_member_options), + internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip), + service_port => $ports[keystone_admin_api_port], + ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real), + server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real), + mode => 'http', + listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }), + service_network => $keystone_admin_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -1071,6 +1035,7 @@ class tripleo::haproxy ( 'option' => [ 'httpchk', ], }, service_network => $nova_metadata_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } 
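Review bot: Dropping `public_virtual_ip` and `public_ssl_port` from the keystone_admin endpoint leaves the admin API reachable only on the internal network, which is the safer exposure, but nothing in the hunk records that this is deliberate; a comment above the declaration such as `# The keystone admin API is intentionally not exposed on the public VIP` would stop a later reader from re-adding it. Deployments that override `keystone_admin_api_ssl_port` in the ports hash (removed in the `@@ -708` hunk) now get a silent no-op, which is worth a line in the release note. The enclosing class continues outside the hunk.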
@@ -1274,18 +1239,17 @@ class tripleo::haproxy ( } if $horizon { - haproxy::listen { 'horizon': - bind => $horizon_bind_opts, - options => $horizon_options, - mode => 'http', - collect_exported => false, - } - haproxy::balancermember { 'horizon': - listening_service => 'horizon', - ports => '80', - ipaddresses => hiera('horizon_node_ips', $controller_hosts_real), - server_names => hiera('horizon_node_names', $controller_hosts_names_real), - options => union($haproxy_member_options, ["cookie ${::hostname}"]), + class { '::tripleo::haproxy::horizon_endpoint': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('horizon_vip', $controller_virtual_ip), + haproxy_listen_bind_param => $haproxy_listen_bind_param, + ip_addresses => hiera('horizon_node_ips', $controller_hosts_real), + server_names => hiera('horizon_node_names', $controller_hosts_names_real), + member_options => union($haproxy_member_options, $internal_tls_member_options), + public_certificate => $service_certificate, + use_internal_certificates => $use_internal_certificates, + internal_certificates_specs => $internal_certificates_specs, + service_network => $horizon_network, } } diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp index 9139061..4436e19 100644 --- a/manifests/haproxy/endpoint.pp +++ b/manifests/haproxy/endpoint.pp 
@@ -133,21 +133,35 @@ define tripleo::haproxy::endpoint ( } else { # internal service only $public_bind_opts = {} + $listen_options_real = $listen_options } if $use_internal_certificates { if !$service_network { fail("The service_network for this service is undefined. Can't configure TLS for the internal network.") } - # NOTE(jaosorior): The key of the internal_certificates_specs hash must - # must match the convention haproxy-<network name> or else this - # will fail. Futherly, it must contain the path that we'll use under - # 'service_pem'. - $internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem'] + + if $service_network == 'external' and $public_certificate { + # NOTE(jaosorior): This service has been configured to use the external + # network. We should use the public certificate in this case. + $internal_cert_path = $public_certificate + } else { + # NOTE(jaosorior): This service is configured for the internal network. + # We use the certificate spec hash. The key of the + # internal_certificates_specs hash must must match the convention + # haproxy-<network name> or else this will fail. Futherly, it must + # contain the path that we'll use under 'service_pem'. 
+ $internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem'] + } $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_cert_path])) } else { - $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param) + if $service_network == 'external' and $public_certificate { + $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), + union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate])) + } else { + $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param) + } } $bind_opts = merge($internal_bind_opts, $public_bind_opts) diff --git a/manifests/haproxy/horizon_endpoint.pp b/manifests/haproxy/horizon_endpoint.pp new file mode 100644 index 0000000..c7dfd88 --- /dev/null +++ b/manifests/haproxy/horizon_endpoint.pp 
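Review bot: The condition `$service_network == 'external' and $public_certificate` is written out twice, once in the `use_internal_certificates` branch and once in the new else branch; evaluating it once before the `if`, e.g. `$external_with_public_cert = ($service_network == 'external' and $public_certificate)`, and testing that variable in both places keeps the two branches from drifting apart. The else branch now terminates TLS on the internal bind with the public certificate whenever the service sits on the external network, even with `$use_internal_certificates` false — a behaviour change from the old plain bind that deserves a comment such as `# services on the external network always terminate TLS with the public certificate`. The comment moved into the new else block still carries the "must must" and "Futherly" typos. The enclosing define starts and ends outside the hunk.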
@@ -0,0 +1,154 @@ +# Copyright 2014 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +# == Class: tripleo::haproxy::endpoint +# +# Configure a HAProxy listen endpoint +# +# [*internal_ip*] +# The IP in which the proxy endpoint will be listening in the internal +# network. +# +# [*ip_addresses*] +# The ordered list of IPs to be used to contact the balancer member. +# +# [*server_names*] +# The names of the balancer members, which usually should be the hostname. +# +# [*member_options*] +# Options for the balancer member, specified after the server declaration. +# These should go in the member's configuration block. +# +# [*public_virtual_ip*] +# Address in which the proxy endpoint will be listening in the public network. +# If this service is internal only this should be ommitted. +# Defaults to undef. +# +# [*haproxy_listen_bind_param*] +# A list of params to be added to the HAProxy listener bind directive. +# Defaults to undef. +# +# [*public_certificate*] +# Certificate path used to enable TLS for the public proxy endpoint. +# Defaults to undef. +# +# [*use_internal_certificates*] +# Flag that indicates if we'll use an internal certificate for this specific +# service. When set, enables SSL on the internal API endpoints using the file +# that certmonger is tracking; this is derived from the network the service is +# listening on. 
+# Defaults to false +# +# [*internal_certificates_specs*] +# A hash that should contain the specs that were used to create the +# certificates. As the name indicates, only the internal certificates will be +# fetched from here. And the keys should follow the following pattern +# "haproxy-<network name>". The network name should be as it was defined in +# tripleo-heat-templates. +# Note that this is only taken into account if the $use_internal_certificates +# flag is set. +# Defaults to {} +# +# [*service_network*] +# (optional) Indicates the network that the service is running on. Used for +# fetching the certificate for that specific network. +# Defaults to undef +# +class tripleo::haproxy::horizon_endpoint ( + $internal_ip, + $ip_addresses, + $server_names, + $member_options, + $public_virtual_ip, + $haproxy_listen_bind_param = undef, + $public_certificate = undef, + $use_internal_certificates = false, + $internal_certificates_specs = {}, + $service_network = undef, +) { + # service exposed to the public network + if $public_certificate { + if $use_internal_certificates { + if !$service_network { + fail("The service_network for this service is undefined. Can't configure TLS for the internal network.") + } + # NOTE(jaosorior): The key of the internal_certificates_specs hash must + # must match the convention haproxy-<network name> or else this + # will fail. Futherly, it must contain the path that we'll use under + # 'service_pem'. + $internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem'] + $internal_bind_opts = union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_cert_path]) + } else { + # If no internal cert is given, we still configure TLS for the internal + # network, however, we expect that the public certificate has appropriate + # subjectaltnames set. 
+ $internal_bind_opts = union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]) + } + # NOTE(jaosorior): If the internal_ip and the public_virtual_ip are the + # same, the first option takes precedence. Which is the case when network + # isolation is not enabled. This is not a problem as both options are + # identical. If network isolation is enabled, this works correctly and + # will add a TLS binding to both the internal_ip and the + # public_virtual_ip. + # Even though for the public_virtual_ip the port 80 is listening, we + # redirect to https in the horizon_options below. + $horizon_bind_opts = { + "${internal_ip}:80" => $haproxy_listen_bind_param, + "${internal_ip}:443" => $internal_bind_opts, + "${public_virtual_ip}:80" => $haproxy_listen_bind_param, + "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]), + } + $horizon_options = { + 'cookie' => 'SERVERID insert indirect nocache', + 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', + # NOTE(jaosorior): We always redirect to https for the public_virtual_ip. + 'redirect' => 'scheme https code 301 if !{ ssl_fc }', + 'option' => [ 'forwardfor', 'httpchk' ], + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + } + } else { + $horizon_bind_opts = { + "${internal_ip}:80" => $haproxy_listen_bind_param, + "${public_virtual_ip}:80" => $haproxy_listen_bind_param, + } + $horizon_options = { + 'cookie' => 'SERVERID insert indirect nocache', + 'option' => [ 'forwardfor', 'httpchk' ], + } + } + + if $use_internal_certificates { + # Use SSL port if TLS in the internal network is enabled. 
+ $backend_port = '443' + } else { + $backend_port = '80' + } + + haproxy::listen { 'horizon': + bind => $horizon_bind_opts, + options => $horizon_options, + mode => 'http', + collect_exported => false, + } + haproxy::balancermember { 'horizon': + listening_service => 'horizon', + ports => $backend_port, + ipaddresses => $ip_addresses, + server_names => $server_names, + options => union($member_options, ["cookie ${::hostname}"]), + } +} diff --git a/manifests/profile/base/barbican/api.pp b/manifests/profile/base/barbican/api.pp index 40a0a99..48bf4b8 100644 --- a/manifests/profile/base/barbican/api.pp +++ b/manifests/profile/base/barbican/api.pp @@ -129,10 +129,6 @@ class tripleo::profile::base::barbican::api ( include ::tripleo::profile::base::barbican - if $step >= 3 and $sync_db { - include ::barbican::db::mysql - } - if $step >= 4 or ( $step >= 3 and $sync_db ) { $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl))) class { '::barbican::api': diff --git a/manifests/profile/base/ceph/mds.pp b/manifests/profile/base/ceph/mds.pp index 9cc2b20..d675563 100644 --- a/manifests/profile/base/ceph/mds.pp +++ b/manifests/profile/base/ceph/mds.pp @@ -32,4 +32,9 @@ class tripleo::profile::base::ceph::mds ( if $step >= 3 { include ::ceph::profile::mds } + + # when deploying mds, create also cephfs which is used by manila + if $step >= 4 { + include ::ceph::profile::fs + } } diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp index 2ac4b6e..c3dde96 100644 --- a/manifests/profile/base/certmonger_user.pp +++ b/manifests/profile/base/certmonger_user.pp 
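Review bot: The header of the new file says `== Class: tripleo::haproxy::endpoint` while the class declared is `tripleo::haproxy::horizon_endpoint`, and should read `# == Class: tripleo::haproxy::horizon_endpoint`. More importantly, the `use_internal_certificates` branch looks up `$internal_certificates_specs["haproxy-${service_network}"]` unconditionally, whereas endpoint.pp in this same commit gains a special case that uses `$public_certificate` when `$service_network == 'external'`; horizon with `horizon_network: external` would presumably fail here on the missing `haproxy-external` key. Since this code is already inside `if $public_certificate`, the extra `and $public_certificate` from endpoint.pp is not needed.
```puppet
      if $service_network == 'external' {
        # NOTE: mirrors tripleo::haproxy::endpoint — a service on the external
        # network presents the public certificate on its internal bind too.
        $internal_cert_path = $public_certificate
      } else {
        # The internal_certificates_specs key must follow the haproxy-<network name>
        # convention and carry the path under 'service_pem'.
        $internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem']
      }
      $internal_bind_opts = union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_cert_path])
      # … unchanged: public-certificate-only else branch, bind/option hashes, listen and balancermember …
```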
@@ -38,11 +38,21 @@ # it will create. # Defaults to hiera('apache_certificate_specs', {}). # +# [*apache_postsave_cmd*] +# (Optional) If set, it overrides the default way to restart apache when the +# certificate is renewed. +# Defaults to undef +# # [*haproxy_certificates_specs*] # (Optional) The specifications to give to certmonger for the certificate(s) # it will create. # Defaults to hiera('tripleo::profile::base::haproxy::certificate_specs', {}). # +# [*haproxy_postsave_cmd*] +# (Optional) If set, it overrides the default way to restart haproxy when the +# certificate is renewed. +# Defaults to undef +# # [*libvirt_certificates_specs*] # (Optional) The specifications to give to certmonger for the certificate(s) # it will create. @@ -70,7 +80,9 @@ # class tripleo::profile::base::certmonger_user ( $apache_certificates_specs = hiera('apache_certificates_specs', {}), + $apache_postsave_cmd = undef, $haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}), + $haproxy_postsave_cmd = undef, $libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}), $mongodb_certificate_specs = hiera('mongodb_certificate_specs',{}), $mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}), @@ -94,7 +106,8 @@ class tripleo::profile::base::certmonger_user ( unless empty($apache_certificates_specs) { include ::tripleo::certmonger::apache_dirs - ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs) + ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs, + {'postsave_cmd' => $apache_postsave_cmd}) } unless empty($libvirt_certificates_specs) { include ::tripleo::certmonger::libvirt_dirs 
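Review bot: The new `{'postsave_cmd' => $apache_postsave_cmd}` argument is the defaults hash of `ensure_resources`, so a `postsave_cmd` key already present in an individual spec under `$apache_certificates_specs` still wins over the class-wide value (stdlib merges per-title attributes over the defaults, as far as I recall — confirm); the parameter doc's "it overrides the default way to restart apache" reads as though it beat per-spec values, so a line such as `# A postsave_cmd set in an individual certificate spec takes precedence over this value` would make the precedence explicit. The same applies to the haproxy block in the `@@ -102` hunk. Both doc entries also say "restart" although the underlying defines default to `systemctl reload`.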
@@ -102,7 +115,8 @@ class tripleo::profile::base::certmonger_user ( } unless empty($haproxy_certificates_specs) { include ::tripleo::certmonger::haproxy_dirs - ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs) + ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs, + {'postsave_cmd' => $haproxy_postsave_cmd}) # The haproxy fronends (or listen resources) depend on the certificate # existing and need to be refreshed if it changed. Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||> diff --git a/manifests/profile/base/cinder/volume.pp b/manifests/profile/base/cinder/volume.pp index 252bae1..b9cee83 100644 --- a/manifests/profile/base/cinder/volume.pp +++ b/manifests/profile/base/cinder/volume.pp @@ -30,6 +30,10 @@ # (Optional) Whether to enable the unity backend # Defaults to false # +# [*cinder_enable_dellemc_vmax_iscsi_backend*] +# (Optional) Whether to enable the vmax iscsi backend +# Defaults to false +# # [*cinder_enable_hpelefthand_backend*] # (Optional) Whether to enable the hpelefthand backend # Defaults to false 
@@ -72,19 +76,20 @@ # Defaults to hiera('step') # class tripleo::profile::base::cinder::volume ( - $cinder_enable_pure_backend = false, - $cinder_enable_dellsc_backend = false, - $cinder_enable_dellemc_unity_backend = false, - $cinder_enable_hpelefthand_backend = false, - $cinder_enable_dellps_backend = false, - $cinder_enable_iscsi_backend = true, - $cinder_enable_netapp_backend = false, - $cinder_enable_nfs_backend = false, - $cinder_enable_rbd_backend = false, - $cinder_enable_scaleio_backend = false, - $cinder_enable_vrts_hs_backend = false, - $cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef), - $step = Integer(hiera('step')), + $cinder_enable_pure_backend = false, + $cinder_enable_dellsc_backend = false, + $cinder_enable_dellemc_unity_backend = false, + $cinder_enable_dellemc_vmax_iscsi_backend = false, + $cinder_enable_hpelefthand_backend = false, + $cinder_enable_dellps_backend = false, + $cinder_enable_iscsi_backend = true, + $cinder_enable_netapp_backend = false, + $cinder_enable_nfs_backend = false, + $cinder_enable_rbd_backend = false, + $cinder_enable_scaleio_backend = false, + $cinder_enable_vrts_hs_backend = false, + $cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef), + $step = Integer(hiera('step')), ) { include ::tripleo::profile::base::cinder @@ -112,6 +117,14 @@ class tripleo::profile::base::cinder::volume ( $cinder_dellemc_unity_backend_name = undef } + if $cinder_enable_dellemc_vmax_iscsi_backend { + include ::tripleo::profile::base::cinder::volume::dellemc_vmax_iscsi + $cinder_dellemc_vmax_iscsi_backend_name = hiera('cinder::backend::dellemc_vmax_iscsi::volume_backend_name', + 'tripleo_dellemc_vmax_iscsi') + } else { + $cinder_dellemc_vmax_iscsi_backend_name = undef + } + if $cinder_enable_hpelefthand_backend { include ::tripleo::profile::base::cinder::volume::hpelefthand $cinder_hpelefthand_backend_name = hiera('cinder::backend::hpelefthand_iscsi::volume_backend_name', 'tripleo_hpelefthand') 
@@ -174,6 +187,7 @@ class tripleo::profile::base::cinder::volume ( $cinder_dellps_backend_name, $cinder_dellsc_backend_name, $cinder_dellemc_unity_backend_name, + $cinder_dellemc_vmax_iscsi_backend_name, $cinder_hpelefthand_backend_name, $cinder_netapp_backend_name, $cinder_nfs_backend_name, diff --git a/manifests/profile/base/cinder/volume/dellemc_vmax_iscsi.pp b/manifests/profile/base/cinder/volume/dellemc_vmax_iscsi.pp new file mode 100644 index 0000000..d09481f --- /dev/null +++ b/manifests/profile/base/cinder/volume/dellemc_vmax_iscsi.pp 
@@ -0,0 +1,42 @@ +# Copyright (c) 2016-2017 Dell Inc, or its subsidiaries. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::cinder::volume::dellemc_vmax_iscsi +# +# Cinder Volume dellemc_vmax_iscsi profile for tripleo +# +# === Parameters +# +# [*backend_name*] +# (Optional) Name given to the Cinder backend stanza +# Defaults to 'tripleo_dellemc_vmax_iscsi' +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::cinder::volume::dellemc_vmax_iscsi ( + $backend_name = hiera('cinder::backend::dellemc_vmax_iscsi::volume_backend_name', 'tripleo_dellemc_vmax_iscsi'), + $step = Integer(hiera('step')), +) { + include ::tripleo::profile::base::cinder::volume + + if $step >= 4 { + cinder::backend::dellemc_vmax_iscsi { $backend_name : + cinder_emc_config_file => hiera('cinder::backend::dellemc_vmax_iscsi::cinder_emc_config_file', undef), + } + } + +} diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp index 7e7d68b..7bb8c74 100644 --- a/manifests/profile/base/database/mysql.pp +++ b/manifests/profile/base/database/mysql.pp 
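Review bot: `cinder_emc_config_file` is read with `hiera()` directly inside the `cinder::backend::dellemc_vmax_iscsi` resource, while `backend_name` is a documented class parameter whose default is the equivalent hiera lookup; lifting it to `$cinder_emc_config_file = hiera('cinder::backend::dellemc_vmax_iscsi::cinder_emc_config_file', undef),` with a matching `[*cinder_emc_config_file*]` doc entry keeps the class consistent with its siblings and lets callers override it. If that file holds array credentials — assumption, confirm against the backend module — the doc entry is also the place to state that it must be readable only by the cinder service account.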
@@ -171,6 +171,9 @@ class tripleo::profile::base::database::mysql ( if hiera('cinder_api_enabled', false) { include ::cinder::db::mysql } + if hiera('barbican_api_enabled', false) { + include ::barbican::db::mysql + } if hiera('congress_enabled', false) { include ::congress::db::mysql } diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp index d230366..8cb4cdd 100644 --- a/manifests/profile/base/docker.pp +++ b/manifests/profile/base/docker.pp @@ -19,10 +19,11 @@ # # === Parameters # -# [*insecure_registry_address*] -# The host/port combiniation of the insecure registry. This is used to configure -# /etc/sysconfig/docker so that a local (insecure) registry can be accessed. -# Example: 127.0.0.1:8787 (defaults to unset) +# [*insecure_registries*] +# An array of host/port combiniations of insecure registries. This is used to configure +# /etc/sysconfig/docker so that local (insecure) registries can be accessed. +# Example: ['127.0.0.1:8787'] +# (defaults to unset) # # [*registry_mirror*] # Configure a registry-mirror in the /etc/docker/daemon.json file. @@ -45,6 +46,11 @@ # # DEPRECATED PARAMETERS # +# [*insecure_registry_address*] +# DEPRECATED: The host/port combiniation of the insecure registry. This is used to configure +# /etc/sysconfig/docker so that a local (insecure) registry can be accessed. +# Example: 127.0.0.1:8787 (defaults to unset) +# # [*docker_namespace*] # DEPRECATED: The namespace to be used when setting INSECURE_REGISTRY # this will be split on "/" to derive the docker registry 
@@ -55,13 +61,14 @@
 # is enabled (defaults to false)
 #
 class tripleo::profile::base::docker (
- $insecure_registry_address = undef,
+ $insecure_registries = undef,
 $registry_mirror = false,
 $docker_options = '--log-driver=journald --signature-verification=false --iptables=false',
 $configure_storage = true,
 $storage_options = '-s overlay2',
 $step = Integer(hiera('step')),
 # DEPRECATED PARAMETERS
+ $insecure_registry_address = undef,
 $docker_namespace = undef,
 $insecure_registry = false,
 ) {
@@ -92,14 +99,19 @@ class tripleo::profile::base::docker (
 }
 if $insecure_registry {
- warning('The $insecure_registry and $docker_namespace are deprecated. Use $insecure_registry_address instead.')
+ warning('The $insecure_registry and $docker_namespace are deprecated. Use $insecure_registries instead.')
 if $docker_namespace == undef {
 fail('You must provide a $docker_namespace in order to configure insecure registry')
 }
 $namespace = strip($docker_namespace.split('/')[0])
 $registry_changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${namespace}\"'" ]
 } elsif $insecure_registry_address {
+ warning('The $insecure_registry_address parameter is deprecated. Use $insecure_registries instead.')
 $registry_changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${insecure_registry_address}\"'" ]
+ } elsif $insecure_registries {
+ $registry_changes = [ join(['set INSECURE_REGISTRY \'"--insecure-registry ',
+ join($insecure_registries, ' --insecure-registry '),
+ '"\''], '') ]
 } else {
 $registry_changes = [ 'rm INSECURE_REGISTRY' ]
 }
diff --git a/manifests/profile/base/horizon.pp b/manifests/profile/base/horizon.pp
index 3f01d01..9441329 100644
--- a/manifests/profile/base/horizon.pp
+++ b/manifests/profile/base/horizon.pp
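Review bot: The new `elsif $insecure_registries` branch only tests truthiness, and in Puppet 4 an empty array is truthy, so `insecure_registries => []` writes `INSECURE_REGISTRY '"--insecure-registry "'` into /etc/sysconfig/docker instead of taking the `rm INSECURE_REGISTRY` branch. Type the parameter `Optional[Array[String]] $insecure_registries = undef,` so a scalar or hash is rejected at catalog compilation, and guard the branch with `} elsif $insecure_registries and !empty($insecure_registries) {` (stdlib `empty`, which the file already depends on for `strip` and `join`). Each entry is interpolated unchecked into a double-quoted shell value, so an element containing a quote or whitespace corrupts the sysconfig line. Because every listed registry may be reached over plain HTTP or with an unverified certificate, the parameter docs in the preceding hunk (which also spell `combiniations`) should state that the list is meant for the deployment's own local registries only.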
@@ -27,6 +27,27 @@
 # (Optional) The hostname of the node responsible for bootstrapping tasks
 # Defaults to hiera('bootstrap_nodeid')
 #
+# [*certificates_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Example with hiera:
+# apache_certificates_specs:
+# httpd-internal_api:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "haproxy/<overcloud controller fqdn>"
+# Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
+# [*horizon_network*]
+# (Optional) The network name where the horizon endpoint is listening on.
+# This is set by t-h-t.
+# Defaults to hiera('horizon_network', undef)
+#
 # [*neutron_options*]
 # (Optional) A hash of parameters to enable features specific to Neutron
 # Defaults to hiera('horizon::neutron_options', {})
@@ -36,10 +57,13 @@
 # Defaults to hiera('memcached_node_ips')
 #
 class tripleo::profile::base::horizon (
- $step = Integer(hiera('step')),
- $bootstrap_node = hiera('bootstrap_nodeid', undef),
- $neutron_options = hiera('horizon::neutron_options', {}),
- $memcached_ips = hiera('memcached_node_ips')
+ $step = Integer(hiera('step')),
+ $bootstrap_node = hiera('bootstrap_nodeid', undef),
+ $certificates_specs = hiera('apache_certificates_specs', {}),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
+ $horizon_network = hiera('horizon_network', undef),
+ $neutron_options = hiera('horizon::neutron_options', {}),
+ $memcached_ips = hiera('memcached_node_ips')
 ) {
 if $::hostname == downcase($bootstrap_node) {
 $is_bootstrap = true
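Review bot: The `[*certificates_specs*]` doc block says `Defaults to hiera('apache_certificate_specs', {}).` but the parameter added in the second hunk reads `hiera('apache_certificates_specs', {})`; the doc line should name `apache_certificates_specs` so operators set the key the code actually reads. The example also shows the stanza as `httpd-internal_api` while the class builds its lookup key from `$horizon_network`; a sentence such as `The stanza must be named httpd-<horizon_network> for the TLS lookup to find it.` would tie the two together.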
@@ -47,6 +71,17 @@ class tripleo::profile::base::horizon (
 $is_bootstrap = false
 }
+ if $enable_internal_tls {
+ if !$horizon_network {
+ fail('horizon_api_network is not set in the hieradata.')
+ }
+ $tls_certfile = $certificates_specs["httpd-${horizon_network}"]['service_certificate']
+ $tls_keyfile = $certificates_specs["httpd-${horizon_network}"]['service_key']
+ } else {
+ $tls_certfile = undef
+ $tls_keyfile = undef
+ }
+
 if $step >= 4 or ( $step >= 3 and $is_bootstrap ) {
 # Horizon
 include ::apache::mod::remoteip
@@ -68,6 +103,8 @@ class tripleo::profile::base::horizon (
 class { '::horizon':
 cache_server_ip => $horizon_memcached_servers,
 neutron_options => $neutron_options_real,
+ horizon_cert => $tls_certfile,
+ horizon_key => $tls_keyfile,
 }
 }
 }
diff --git a/manifests/profile/base/logging/logrotate.pp b/manifests/profile/base/logging/logrotate.pp
new file mode 100644
index 0000000..1545875
--- /dev/null
+++ b/manifests/profile/base/logging/logrotate.pp
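Review bot: The `fail()` inside the new `$enable_internal_tls` block names `horizon_api_network`, but the parameter that is unset is `$horizon_network`, so the message points operators at a hiera key this class never reads; change it to `fail('horizon_network is not set in the hieradata.')`. The two lookups that follow index `$certificates_specs["httpd-${horizon_network}"]` without checking that the entry exists; as far as I can tell a missing stanza then surfaces as a generic operator-on-undef compile error rather than a message naming the missing spec, so a `fail("certificates_specs has no entry for httpd-${horizon_network}")` guarded on the entry being undef would be worth the extra lines.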
@@ -0,0 +1,112 @@
+# Copyright 2017 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::logging::logrotate
+#
+# Installs a cron job that rotates containerized services logs.
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) String. The current step of the deployment
+# Defaults to hiera('step')
+#
+# [*ensure*]
+# (optional) Defaults to present.
+# Valid values are present, absent.
+#
+# [*minute*]
+# (optional) Defaults to '0'. Configures cron job for logrotate.
+#
+# [*hour*]
+# (optional) Defaults to '*'. Configures cron job for logrotate.
+#
+# [*monthday*]
+# (optional) Defaults to '*'. Configures cron job for logrotate.
+#
+# [*month*]
+# (optional) Defaults to '*'. Configures cron job for logrotate.
+#
+# [*weekday*]
+# (optional) Defaults to '*'. Configures cron job for logrotate.
+#
+# [*maxdelay*]
+# (optional) Seconds. Defaults to 90. Should be a positive integer.
+# Induces a random delay before running the cronjob to avoid running all
+# cron jobs at the same time on all hosts this job is configured.
+#
+# [*user*]
+# (optional) Defaults to 'root'. Configures cron job for logrotate.
+#
+# [*delaycompress*]
+# (optional) Defaults to True.
+# Configures the logrotate delaycompress parameter.
+#
+# [*size*]
+# (optional) Defaults to '10M'.
+# Configures the logrotate size parameter.
+#
+# [*rotate*]
+# (optional) Defaults to 14.
+# Configures the logrotate rotate parameter.
+#
+class tripleo::profile::base::logging::logrotate (
+ $step = Integer(hiera('step')),
+ $ensure = present,
+ $minute = 0,
+ $hour = '*',
+ $monthday = '*',
+ $month = '*',
+ $weekday = '*',
+ Integer $maxdelay = 90,
+ $user = 'root',
+ $delaycompress = true,
+ $size = '10M',
+ $rotate = 14,
+) {
+
+ if $step >= 4 {
+ if $maxdelay == 0 {
+ $sleep = ''
+ } else {
+ $sleep = "sleep `expr \${RANDOM} \\% ${maxdelay}`; "
+ }
+
+ $svc = 'logrotate-crond'
+ $config = "/etc/${svc}.conf"
+ $state = "/var/lib/logrotate/${svc}.status"
+ $cmd = "${sleep}/usr/sbin/logrotate -s ${state} ${config}"
+
+ file { "${config}":
+ ensure => $ensure,
+ owner => $user,
+ group => $user,
+ mode => '0640',
+ content => template('tripleo/logrotate/containers_logrotate.conf.erb'),
+ }
+
+ cron { "${svc}":
+ ensure => $ensure,
+ command => "${cmd} 2>&1|logger -t ${svc}",
+ environment => 'PATH=/bin:/usr/bin:/usr/sbin SHELL=/bin/sh',
+ user => $user,
+ minute => $minute,
+ hour => $hour,
+ monthday => $monthday,
+ month => $month,
+ weekday => $weekday,
+ }
+ }
+}
diff --git a/manifests/profile/base/manila/api.pp b/manifests/profile/base/manila/api.pp
index 95607ae..25c3890 100644
--- a/manifests/profile/base/manila/api.pp
+++ b/manifests/profile/base/manila/api.pp
@@ -26,6 +26,10 @@
 # (Optional) Whether or not the netapp backend is enabled
 # Defaults to hiera('manila_backend_netapp_enabled', false)
 #
+# [*backend_vmax_enabled*]
+# (Optional) Whether or not the vmax backend is enabled
+# Defaults to hiera('manila_backend_vmax_enabled', false)
+#
 # [*backend_cephfs_enabled*]
 # (Optional) Whether or not the cephfs backend is enabled
 # Defaults to hiera('manila_backend_cephfs_enabled', false)
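Review bot: `Integer $maxdelay = 90` admits negative values although the doc block in the first half of this hunk says it should be a positive integer; `Integer[0] $maxdelay = 90,` enforces that at compile time and keeps the `== 0` branch the only way to disable the delay. The `$sleep` expression relies on `${RANDOM}`, a bash/ksh feature, while the cron resource pins `SHELL=/bin/sh`; that holds on platforms where /bin/sh is bash but fails with an `expr` syntax error where /bin/sh is a POSIX shell, so it deserves a comment such as `# ${RANDOM} needs /bin/sh to be bash; the cron environment below pins SHELL=/bin/sh`. The `[*step*]` doc says String while the parameter is coerced with `Integer(hiera('step'))` and compared numerically, so it should say Integer. `$ensure` is passed unchecked to both resources; `Enum['present', 'absent'] $ensure = present,` rejects typos instead of letting the cron resource raise on them. This hunk starts on the preceding line.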
@@ -42,6 +46,7 @@ class tripleo::profile::base::manila::api ( $backend_generic_enabled = hiera('manila_backend_generic_enabled', false), $backend_netapp_enabled = hiera('manila_backend_netapp_enabled', false), + $backend_vmax_enabled = hiera('manila_backend_vmax_enabled', false), $backend_cephfs_enabled = hiera('manila_backend_cephfs_enabled', false), $bootstrap_node = hiera('bootstrap_nodeid', undef), $step = Integer(hiera('step')), @@ -55,7 +60,7 @@ class tripleo::profile::base::manila::api ( include ::tripleo::profile::base::manila if $step >= 4 or ($step >= 3 and $sync_db) { - if $backend_generic_enabled or $backend_netapp_enabled { + if $backend_generic_enabled or $backend_netapp_enabled or $backend_vmax_enabled { $nfs_protocol = 'NFS' $cifs_protocol = 'CIFS' } else { diff --git a/manifests/profile/base/nova/api.pp b/manifests/profile/base/nova/api.pp index 0dcc754..2ff1add 100644 --- a/manifests/profile/base/nova/api.pp +++ b/manifests/profile/base/nova/api.pp 
@@ -46,18 +46,42 @@
 # Nova Team discourages it.
 # Defaults to hiera('nova_wsgi_enabled', false)
 #
+# [*nova_metadata_network*]
+# (Optional) The network name where the nova metadata endpoint is listening on.
+# This is set by t-h-t.
+# Defaults to hiera('nova_metadata_network', undef)
+#
 # [*step*]
 # (Optional) The current step in deployment. See tripleo-heat-templates
 # for more details.
 # Defaults to hiera('step')
 #
+# [*metadata_tls_proxy_bind_ip*]
+# IP on which the TLS proxy will listen on. Required only if
+# enable_internal_tls is set.
+# Defaults to undef
+#
+# [*metadata_tls_proxy_fqdn*]
+# fqdn on which the tls proxy will listen on. required only used if
+# enable_internal_tls is set.
+# defaults to undef
+#
+# [*metadata_tls_proxy_port*]
+# port on which the tls proxy will listen on. Only used if
+# enable_internal_tls is set.
+# defaults to 8080
+#
 class tripleo::profile::base::nova::api (
 $bootstrap_node = hiera('bootstrap_nodeid', undef),
 $certificates_specs = hiera('apache_certificates_specs', {}),
 $enable_internal_tls = hiera('enable_internal_tls', false),
 $nova_api_network = hiera('nova_api_network', undef),
 $nova_api_wsgi_enabled = hiera('nova_wsgi_enabled', false),
+ $nova_metadata_network = hiera('nova_metadata_network', undef),
 $step = Integer(hiera('step')),
+ $metadata_tls_proxy_bind_ip = undef,
+ $metadata_tls_proxy_fqdn = undef,
+ $metadata_tls_proxy_port = 8775,
 ) {
 if $::hostname == downcase($bootstrap_node) {
 $sync_db = true
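Review bot: The `[*metadata_tls_proxy_port*]` doc says `defaults to 8080` but the default added to the class signature is `8775`; change the doc line to `+# defaults to 8775`. The bind-ip and fqdn docs call the values required when `enable_internal_tls` is set, yet both default to `undef` and nothing in this commit checks them before use. The new doc blocks are also inconsistent in casing and wording (`Defaults to undef` vs `defaults to undef`, `IP on which the TLS proxy` vs `fqdn on which the tls proxy`, and `required only used if` reads as a leftover edit); aligning them with the existing `[*step*]` entry keeps the header uniform.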
@@ -73,6 +97,22 @@ class tripleo::profile::base::nova::api (
 }
 if $step >= 4 or ($step >= 3 and $sync_db) {
+ if $enable_internal_tls {
+ if !$nova_metadata_network {
+ fail('nova_metadata_network is not set in the hieradata.')
+ }
+ $metadata_tls_certfile = $certificates_specs["httpd-${nova_metadata_network}"]['service_certificate']
+ $metadata_tls_keyfile = $certificates_specs["httpd-${nova_metadata_network}"]['service_key']
+
+ ::tripleo::tls_proxy { 'nova-metadata-api':
+ servername => $metadata_tls_proxy_fqdn,
+ ip => $metadata_tls_proxy_bind_ip,
+ port => $metadata_tls_proxy_port,
+ tls_cert => $metadata_tls_certfile,
+ tls_key => $metadata_tls_keyfile,
+ }
+ Tripleo::Tls_proxy['nova-metadata-api'] ~> Anchor<| title == 'nova::service::begin' |>
+ }
 class { '::nova::api':
 sync_db => $sync_db,
diff --git a/manifests/profile/pacemaker/manila.pp b/manifests/profile/pacemaker/manila.pp
index 25d389a..3fb4e0b 100644
--- a/manifests/profile/pacemaker/manila.pp
+++ b/manifests/profile/pacemaker/manila.pp
@@ -26,16 +26,14 @@
 # (Optional) Whether or not the netapp backend is enabled
 # Defaults to hiera('manila_backend_netapp_enabled', false)
 #
+# [*backend_vmax_enabled*]
+# (Optional) Whether or not the vmax backend is enabled
+# Defaults to hiera('manila_backend_vmax_enabled', false)
+#
 # [*backend_cephfs_enabled*]
 # (Optional) Whether or not the cephfs backend is enabled
 # Defaults to hiera('manila_backend_cephfs_enabled', false)
 #
-# [*ceph_mds_enabled*]
-# (Optional) Whether or not the ceph mds is enabled. This option is used
-# to distinguish if an external ceph is used or if ceph is deployed by
-# tripleo. By default ceph mds is not deployed by tripleo.
-# Defaults to hiera('ceph_mds_enabled', false)
-#
 # [*bootstrap_node*]
 # (Optional) The hostname of the node responsible for bootstrapping tasks
 # Defaults to hiera('manila_share_short_bootstrap_node_name')
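Review bot: Inside the new `$enable_internal_tls` block, `servername => $metadata_tls_proxy_fqdn` and `ip => $metadata_tls_proxy_bind_ip` are handed to `::tripleo::tls_proxy` although both default to `undef` and the parameter docs call them required when TLS is enabled; the block validates `$nova_metadata_network` but not these two. After the existing check add `if !$metadata_tls_proxy_bind_ip or !$metadata_tls_proxy_fqdn {` / `  fail('metadata_tls_proxy_bind_ip and metadata_tls_proxy_fqdn must be set when enable_internal_tls is true.')` / `}` so a misconfigured deployment stops at catalog compilation with a clear message instead of, presumably, a proxy that cannot bind. The `$certificates_specs["httpd-${nova_metadata_network}"][...]` lookups follow the same unchecked pattern as the horizon change in this commit and would benefit from the same guard on a missing stanza.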
@@ -52,8 +50,8 @@ class tripleo::profile::pacemaker::manila ( $backend_generic_enabled = hiera('manila_backend_generic_enabled', false), $backend_netapp_enabled = hiera('manila_backend_netapp_enabled', false), + $backend_vmax_enabled = hiera('manila_backend_vmax_enabled', false), $backend_cephfs_enabled = hiera('manila_backend_cephfs_enabled', false), - $ceph_mds_enabled = hiera('ceph_mds_enabled', false), $bootstrap_node = hiera('manila_share_short_bootstrap_node_name'), $step = Integer(hiera('step')), $pcs_tries = hiera('pcs_tries', 20), @@ -119,12 +117,6 @@ class tripleo::profile::pacemaker::manila ( $cephfs_auth_id = hiera('manila::backend::cephfsnative::cephfs_auth_id') $keyring_path = "/etc/ceph/ceph.client.${cephfs_auth_id}.keyring" - # $ceph_mds_enabled is used to distinguish if an external ceph is used or - # if ceph is deployed by TripleO - if $ceph_mds_enabled { - include ::ceph::profile::fs - } - manila::backend::cephfsnative { $manila_cephfsnative_backend : driver_handles_share_servers => hiera('manila::backend::cephfsnative::driver_handles_share_servers', false), share_backend_name => hiera('manila::backend::cephfsnative::share_backend_name'), 
@@ -134,21 +126,6 @@ class tripleo::profile::pacemaker::manila (
 cephfs_enable_snapshots => hiera('manila::backend::cephfsnative::cephfs_enable_snapshots'),
 }
- if !defined(Resource['ceph::key', "client.${cephfs_auth_id}"]) {
- ceph::key { "client.${cephfs_auth_id}" :
- secret => hiera('manila::backend::cephfsnative::ceph_client_key'),
- keyring_path => $keyring_path,
- # inject the new key into ceph cluster only if ceph is deployed by
- # tripleo (if external ceph is used it should be added manually)
- inject => $ceph_mds_enabled,
- user => 'manila',
- cap_mds => 'allow *',
- cap_mon => 'allow r, allow command \"auth del\", allow command \"auth caps\", \
-allow command \"auth get\", allow command \"auth get-or-create\"',
- cap_osd => 'allow rw'
- }
- }
-
 ceph_config { "client.${cephfs_auth_id}/keyring": value => $keyring_path;
 "client.${cephfs_auth_id}/client mount uid": value => 0;
@@ -179,11 +156,30 @@ allow command \"auth get\", allow command \"auth get-or-create\"',
 }
 }
+ # manila vmax:
+ if $backend_vmax_enabled {
+ $manila_vmax_backend = hiera('manila::backend::dellemc_vmax::title')
+ manila::backend::dellemc_vmax { $manila_vmax_backend :
+ driver_handles_share_servers => hiera('manila::backend::dellemc_vmax::driver_handles_share_servers', true),
+ emc_nas_login => hiera('manila::backend::dellemc_vmax::emc_nas_login'),
+ emc_nas_password => hiera('manila::backend::dellemc_vmax::emc_nas_password'),
+ emc_nas_server => hiera('manila::backend::dellemc_vmax::emc_nas_server'),
+ emc_share_backend => hiera('manila::backend::dellemc_vmax::emc_share_backend','vmax'),
+ share_backend_name => hiera('manila::backend::dellemc_vmax::share_backend_name'),
+ vmax_server_container => hiera('manila::backend::dellemc_vmax::vmax_server_container'),
+ vmax_share_data_pools => hiera('manila::backend::dellemc_vmax::vmax_share_data_pools'),
+ vmax_ethernet_ports => hiera('manila::backend::dellemc_vmax::vmax_ethernet_ports'),
+ }
+ }
+
+
+
 $manila_enabled_backends = delete_undef_values(
 [
 $manila_generic_backend,
 $manila_cephfsnative_backend,
- $manila_netapp_backend
+ $manila_netapp_backend,
+ $manila_vmax_backend
 ]
 )
 class { '::manila::backends' :
diff --git a/metadata.json b/metadata.json
index 821ce7c..82284f4 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
 {
 "name": "openstack-tripleo",
- "version": "7.2.0",
+ "version": "7.3.0",
 "author": "OpenStack Contributors",
 "summary": "Puppet module for TripleO",
 "license": "Apache-2.0",
diff --git a/releasenotes/notes/unity_driver_aaa347d073cd11e7.yaml b/releasenotes/notes/unity_driver_aaa347d073cd11e7.yaml
new file mode 100644
index 0000000..ccda848
--- /dev/null
+++ b/releasenotes/notes/unity_driver_aaa347d073cd11e7.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - |
+ Add support to configure Dell EMC VMAX Manila backend
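Review bot: `$manila_vmax_backend` is assigned only inside `if $backend_vmax_enabled` yet referenced unconditionally in the `delete_undef_values` list; that compiles because an unassigned variable evaluates to undef unless `strict_variables` is enabled, and it mirrors how the other backends in the context lines are handled, but an explicit `} else { $manila_vmax_backend = undef }` keeps the class compiling under strict mode. `emc_nas_password` is read from hiera and lands in the catalog as a plain string like the other backend credentials here; if the define and the Puppet version in use accept it, wrapping the lookup in `Sensitive(...)` keeps it out of reports and agent logs. The three blank lines added before `$manila_enabled_backends` should be one, matching the spacing of the surrounding blocks.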
diff --git a/releasenotes/source/conf.py b/releasenotes/source/conf.py
index bba17b6..7224ef2 100644
--- a/releasenotes/source/conf.py
+++ b/releasenotes/source/conf.py
@@ -53,9 +53,9 @@ copyright = u'2017, Puppet TripleO Developers'
 # built documents.
 #
 # The short X.Y version.
-version = '7.2.0'
+version = '7.3.0'
 # The full version, including alpha/beta/rc tags.
-release = '7.2.0'
+release = '7.3.0'
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
diff --git a/spec/classes/tripleo_certmonger_ca_crl_spec.rb b/spec/classes/tripleo_certmonger_ca_crl_spec.rb
index 1e605ce..29726f1 100644
--- a/spec/classes/tripleo_certmonger_ca_crl_spec.rb
+++ b/spec/classes/tripleo_certmonger_ca_crl_spec.rb
@@ -47,7 +47,7 @@ describe 'tripleo::certmonger::ca::crl' do
 end
 let :cron_cmd do
- "curl -L -o #{params[:crl_preprocessed]} #{params[:crl_source]} && #{process_cmd}"
+ "curl -s -L -o #{params[:crl_preprocessed]} #{params[:crl_source]} && #{process_cmd}"
 end
 it 'should create and process CRL file' do
@@ -75,7 +75,7 @@ describe 'tripleo::certmonger::ca::crl' do
 end
 let :cron_cmd do
- "curl -L -o #{params[:crl_dest]} #{params[:crl_source]}"
+ "curl -s -L -o #{params[:crl_dest]} #{params[:crl_source]}"
 end
 it 'should create and process CRL file' do
diff --git a/spec/classes/tripleo_profile_base_barbican_api_spec.rb b/spec/classes/tripleo_profile_base_barbican_api_spec.rb
index 169642e..881cc0a 100644
--- a/spec/classes/tripleo_profile_base_barbican_api_spec.rb
+++ b/spec/classes/tripleo_profile_base_barbican_api_spec.rb
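Review bot: Both updated `cron_cmd` expectations pin `curl -s -L -o`, and `-s` on its own silences curl's error messages together with the progress meter, so a failed CRL fetch in the cron job leaves nothing in the job's output to alert on; the manifest line these strings mirror is outside this chunk. `curl -sS -L -o` stays quiet on success but still reports failures, and adding `-f` makes an HTTP error status break the `&&` chain instead of leaving the server's error page in `crl_preprocessed` for `process_cmd` to consume. If the manifest is changed that way, these two strings need the same update, which is why they are worth raising here.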
@@ -45,7 +45,6 @@ describe 'tripleo::profile::base::barbican::api' do it 'should trigger complete configuration' do is_expected.to contain_class('tripleo::profile::base::barbican::api') is_expected.to contain_class('tripleo::profile::base::barbican') - is_expected.to contain_class('barbican::db::mysql') is_expected.to contain_class('barbican::db::sync') is_expected.to contain_class('barbican::api') is_expected.to contain_class('barbican::api::logging') @@ -64,7 +63,6 @@ describe 'tripleo::profile::base::barbican::api' do it 'should not trigger any configuration' do is_expected.to contain_class('tripleo::profile::base::barbican::api') is_expected.to contain_class('tripleo::profile::base::barbican') - is_expected.to_not contain_class('barbican::db::mysql') is_expected.to_not contain_class('barbican::db::sync') is_expected.to_not contain_class('barbican::api') is_expected.to_not contain_class('barbican::api::logging') @@ -81,7 +79,6 @@ describe 'tripleo::profile::base::barbican::api' do } } it 'should trigger complete configuration with out db items' do - is_expected.to_not contain_class('barbican::db::mysql') # TODO(aschultz): barbican::api includes this automatically #is_expected.to_not contain_class('barbican::db::sync') is_expected.to contain_class('barbican::api') diff --git a/spec/classes/tripleo_profile_base_cinder_vmax_spec.rb b/spec/classes/tripleo_profile_base_cinder_vmax_spec.rb new file mode 100644 index 0000000..bcb40c5 --- /dev/null +++ b/spec/classes/tripleo_profile_base_cinder_vmax_spec.rb 
@@ -0,0 +1,57 @@
+# Copyright (c) 2016-2017 Dell Inc, or its subsidiaries
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::cinder::volume::dellemc_vmax_iscsi' do
+ shared_examples_for 'tripleo::profile::base::cinder::volume::dellemc_vmax_iscsi' do
+ before :each do
+ facts.merge!({ :step => params[:step] })
+ end
+
+ context 'with step less than 4' do
+ let(:params) { { :step => 3 } }
+
+ it 'should do nothing' do
+ is_expected.to contain_class('tripleo::profile::base::cinder::volume::dellemc_vmax_iscsi')
+ is_expected.to contain_class('tripleo::profile::base::cinder::volume')
+ is_expected.to contain_class('tripleo::profile::base::cinder')
+ is_expected.to_not contain_cinder__backend__dellemc_vmax_iscsi('tripleo_dellemc_vmax_iscsi')
+ end
+ end
+
+ context 'with step 4' do
+ let(:params) { {
+ :step => 4,
+ } }
+
+ it 'should trigger complete configuration' do
+ # TODO(aschultz): check hiera parameters
+ is_expected.to contain_cinder__backend__dellemc_vmax_iscsi('tripleo_dellemc_vmax_iscsi')
+ end
+ end
+ end
+
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let(:facts) do
+ facts.merge({ :hostname => 'node.example.com' })
+ end
+
+ it_behaves_like 'tripleo::profile::base::cinder::volume::dellemc_vmax_iscsi'
+ end
+ end
+end
diff --git a/spec/classes/tripleo_profile_base_docker_spec.rb b/spec/classes/tripleo_profile_base_docker_spec.rb
index 2a15362..146d784 100644
--- a/spec/classes/tripleo_profile_base_docker_spec.rb
+++ b/spec/classes/tripleo_profile_base_docker_spec.rb
@@ -50,6 +50,19 @@ describe 'tripleo::profile::base::docker' do
 }
 end
+ context 'with step 1 and insecure_registries configured' do
+ let(:params) { {
+ :insecure_registries => ['foo:8787', 'bar'],
+ :step => 1,
+ } }
+
+ it {
+ is_expected.to contain_augeas('docker-sysconfig-registry').with_changes([
+ "set INSECURE_REGISTRY '\"--insecure-registry foo:8787 --insecure-registry bar\"'",
+ ])
+ }
+ end
+
 context 'with step 1 and insecure_registry configured but no docker_namespace' do
 let(:params) { {
 :insecure_registry => true,
diff --git a/spec/classes/tripleo_profile_base_logging_logrotate_spec.rb b/spec/classes/tripleo_profile_base_logging_logrotate_spec.rb
new file mode 100644
index 0000000..df109b4
--- /dev/null
+++ b/spec/classes/tripleo_profile_base_logging_logrotate_spec.rb
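Review bot: The new context covers only a two-element list; because the manifest branch selects on the truthiness of `$insecure_registries`, a context with `:insecure_registries => []` would pin whether an empty list removes `INSECURE_REGISTRY` or writes an empty `--insecure-registry` argument, which is the behaviour most likely to regress. A context for the now-deprecated `:insecure_registry_address` path, asserting the same `contain_augeas('docker-sysconfig-registry')` change, would also document that the compatibility branch survived the rename.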
@@ -0,0 +1,59 @@
+#
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::logging::logrotate' do
+ shared_examples_for 'tripleo::profile::base::logging::logrotate' do
+
+ context 'with step less than 4' do
+ let(:params) { { :step => 3 } }
+
+ it 'should do nothing' do
+ is_expected.to contain_class('tripleo::profile::base::logging::logrotate')
+ is_expected.to_not contain_cron('logrotate-crond')
+ is_expected.to_not contain_file('/etc/logrotate-crond.conf')
+ end
+ end
+
+ context 'with defaults and step greater than 3' do
+ let(:params) { { :step => 4 } }
+
+ it { is_expected.to contain_class('tripleo::profile::base::logging::logrotate') }
+ it { is_expected.to contain_cron('logrotate-crond').with(
+ :ensure => 'present',
+ :command => 'sleep `expr ${RANDOM} \\% 90`; /usr/sbin/logrotate -s ' + '/var/lib/logrotate/logrotate-crond.status ' + '/etc/logrotate-crond.conf 2>&1|logger -t logrotate-crond',
+ :user => 'root',
+ :minute => 0,
+ :hour => '*',
+ :monthday => '*',
+ :month => '*',
+ :weekday => '*') }
+ it { is_expected.to contain_file('/etc/logrotate-crond.conf') }
+ end
+ end
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let (:facts) {
+ facts
+ }
+ it_behaves_like 'tripleo::profile::base::logging::logrotate'
+ end
+ end
+end
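Review bot: The step-4 example exercises only the default `maxdelay`, so the manifest's `$maxdelay == 0` branch, which drops the `sleep` prefix entirely, and `ensure => 'absent'` have no coverage; a `context 'with maxdelay 0'` asserting a `:command` that begins with `/usr/sbin/logrotate -s` would close the gap. The `with(...)` block also does not assert `:environment`, which is what pins `SHELL=/bin/sh` for the `${RANDOM}` expansion in the command; adding `:environment => 'PATH=/bin:/usr/bin:/usr/sbin SHELL=/bin/sh'` keeps that contract visible in the spec.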
diff --git a/templates/logrotate/containers_logrotate.conf.erb b/templates/logrotate/containers_logrotate.conf.erb
new file mode 100644
index 0000000..cbf17b4
--- /dev/null
+++ b/templates/logrotate/containers_logrotate.conf.erb
@@ -0,0 +1,14 @@
+/var/log/containers/*/*.log {
+ rotate <%= @rotate %>
+ size <%= @size %>
+ missingok
+ notifempty
+<%- if @delaycompress %>
+ delaycompress
+<%- end %>
+ postrotate
+ /sbin/lsof -nPs +L1 +D /var/log 2>&1|\
+ /bin/perl -ne '/\S+\s+(\d+).*\/var\/log\/.*\(deleted\)/ && print "$1\n"' |\
+ /bin/xargs -n1 -r -t kill -HUP
+ endscript
+} |
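Review bot: The `postrotate` script sends `kill -HUP` to every process that `lsof` reports holding a deleted file anywhere under `/var/log`, although the stanza only rotates `/var/log/containers/*/*.log`; any host daemon still holding a rotated file elsewhere under /var/log receives a HUP it may not expect, as root, on every rotation. Narrow both the scan and the filter to the rotated tree: `/sbin/lsof -nPs +L1 +D /var/log/containers 2>&1|\` and `/bin/perl -ne '/\S+\s+(\d+).*\/var\/log\/containers\/.*\(deleted\)/ && print "$1\n"' |\`. The `2>&1` also feeds lsof's own warnings into the perl filter; they will not match the pattern, but redirecting them with `2>/dev/null` makes the pipeline's intent clearer to the next reader.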