aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--manifests/certmonger/rabbitmq.pp4
-rw-r--r--manifests/haproxy.pp114
-rw-r--r--manifests/keepalived.pp18
-rw-r--r--manifests/profile/base/ironic/conductor.pp1
-rw-r--r--manifests/profile/base/keystone.pp16
-rw-r--r--manifests/profile/base/logging/fluentd.pp160
-rw-r--r--manifests/profile/base/neutron/agents/bagpipe.pp37
-rw-r--r--manifests/profile/base/neutron/agents/l2gw.pp35
-rw-r--r--manifests/profile/base/pacemaker.pp25
-rw-r--r--manifests/profile/base/swift/proxy.pp58
-rw-r--r--releasenotes/notes/add-bagpipe-driver-9163f5b22096fde0.yaml3
-rw-r--r--releasenotes/notes/add-ldap-backend-48e875e971343e2a.yaml5
-rw-r--r--releasenotes/notes/l2gw_agent_support-2bc24b539da738a8.yaml3
13 files changed, 310 insertions, 169 deletions
diff --git a/manifests/certmonger/rabbitmq.pp b/manifests/certmonger/rabbitmq.pp
index 344adef..4a47938 100644
--- a/manifests/certmonger/rabbitmq.pp
+++ b/manifests/certmonger/rabbitmq.pp
@@ -31,10 +31,6 @@
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
-# [*file_owner*]
-# (Optional) The user which the certificate and key files belong to.
-# Defaults to 'root'
-#
# [*principal*]
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index e5d57e5..7aca0e1 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -750,7 +750,7 @@ class tripleo::haproxy (
'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
# NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
- 'option' => 'forwardfor',
+ 'option' => [ 'forwardfor', 'httpchk' ],
'http-request' => [
'set-header X-Forwarded-Proto https if { ssl_fc }',
'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
@@ -762,7 +762,7 @@ class tripleo::haproxy (
}
$horizon_options = {
'cookie' => 'SERVERID insert indirect nocache',
- 'option' => 'forwardfor',
+ 'option' => [ 'forwardfor', 'httpchk' ],
}
}
@@ -821,12 +821,20 @@ class tripleo::haproxy (
},
}
+
+ $default_listen_options = {
+ 'option' => [ 'httpchk', ],
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
+ }
Tripleo::Haproxy::Endpoint {
haproxy_listen_bind_param => $haproxy_listen_bind_param,
member_options => $haproxy_member_options,
public_certificate => $service_certificate,
use_internal_certificates => $use_internal_certificates,
internal_certificates_specs => $internal_certificates_specs,
+ listen_options => $default_listen_options,
}
$stats_base = ['enable', 'uri /']
@@ -852,11 +860,7 @@ class tripleo::haproxy (
ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real),
server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
+ listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }),
public_ssl_port => $ports[keystone_admin_api_ssl_port],
service_network => $keystone_admin_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -864,11 +868,6 @@ class tripleo::haproxy (
}
if $keystone_public {
- $keystone_listen_opts = {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- }
if $service_certificate {
$keystone_public_tls_listen_opts = {
'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
@@ -877,7 +876,9 @@ class tripleo::haproxy (
'option' => 'forwardfor',
}
} else {
- $keystone_public_tls_listen_opts = {}
+ $keystone_public_tls_listen_opts = {
+ 'option' => [ 'httpchk GET /v3', ],
+ }
}
::tripleo::haproxy::endpoint { 'keystone_public':
public_virtual_ip => $public_virtual_ip,
@@ -886,7 +887,7 @@ class tripleo::haproxy (
ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real),
server_names => hiera('keystone_public_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => merge($keystone_listen_opts, $keystone_public_tls_listen_opts),
+ listen_options => merge($default_listen_options, $keystone_public_tls_listen_opts),
public_ssl_port => $ports[keystone_public_api_ssl_port],
service_network => $keystone_public_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -901,11 +902,6 @@ class tripleo::haproxy (
ip_addresses => hiera('neutron_api_node_ips', $controller_hosts_real),
server_names => hiera('neutron_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[neutron_api_ssl_port],
service_network => $neutron_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -920,11 +916,6 @@ class tripleo::haproxy (
ip_addresses => hiera('cinder_api_node_ips', $controller_hosts_real),
server_names => hiera('cinder_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[cinder_api_ssl_port],
service_network => $cinder_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -939,11 +930,6 @@ class tripleo::haproxy (
ip_addresses => hiera('congress_node_ips', $controller_hosts_real),
server_names => hiera('congress_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[congress_api_ssl_port],
service_network => $congress_network,
}
@@ -957,11 +943,6 @@ class tripleo::haproxy (
ip_addresses => hiera('manila_api_node_ips', $controller_hosts_real),
server_names => hiera('manila_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[manila_api_ssl_port],
service_network => $manila_network,
}
@@ -987,11 +968,6 @@ class tripleo::haproxy (
ip_addresses => hiera('tacker_node_ips', $controller_hosts_real),
server_names => hiera('tacker_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[tacker_api_ssl_port],
service_network => $tacker_network,
}
@@ -1018,11 +994,7 @@ class tripleo::haproxy (
server_names => hiera('glance_api_node_names', $controller_hosts_names_real),
public_ssl_port => $ports[glance_api_ssl_port],
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
+ listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /healthcheck', ]}),
service_network => $glance_api_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
}
@@ -1037,11 +1009,6 @@ class tripleo::haproxy (
ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real),
server_names => hiera('nova_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[nova_api_ssl_port],
service_network => $nova_osapi_network,
#member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -1057,11 +1024,6 @@ class tripleo::haproxy (
ip_addresses => hiera('nova_placement_node_ips', $controller_hosts_real),
server_names => hiera('nova_placement_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[nova_placement_ssl_port],
service_network => $nova_placement_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -1074,6 +1036,9 @@ class tripleo::haproxy (
service_port => $ports[nova_metadata_port],
ip_addresses => hiera('nova_metadata_node_ips', $controller_hosts_real),
server_names => hiera('nova_metadata_node_names', $controller_hosts_names_real),
+ listen_options => {
+ 'option' => [ 'httpchk', ],
+ },
service_network => $nova_metadata_network,
}
}
@@ -1085,10 +1050,11 @@ class tripleo::haproxy (
service_port => $ports[nova_novnc_port],
ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real),
server_names => hiera('nova_api_node_names', $controller_hosts_names_real),
- listen_options => {
+ listen_options => merge($default_listen_options, {
+ 'option' => [ 'tcpka' ],
'balance' => 'source',
'timeout' => [ 'tunnel 1h' ],
- },
+ }),
public_ssl_port => $ports[nova_novnc_ssl_port],
service_network => $nova_novncproxy_network,
}
@@ -1102,11 +1068,6 @@ class tripleo::haproxy (
ip_addresses => hiera('ec2_api_node_ips', $controller_hosts_real),
server_names => hiera('ec2_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[ec2_api_ssl_port],
service_network => $ec2_api_network,
}
@@ -1130,11 +1091,6 @@ class tripleo::haproxy (
ip_addresses => hiera('ceilometer_api_node_ips', $controller_hosts_real),
server_names => hiera('ceilometer_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[ceilometer_api_ssl_port],
service_network => $ceilometer_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -1149,11 +1105,6 @@ class tripleo::haproxy (
ip_addresses => hiera('aodh_api_node_ips', $controller_hosts_real),
server_names => hiera('aodh_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[aodh_api_ssl_port],
service_network => $aodh_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -1167,11 +1118,6 @@ class tripleo::haproxy (
service_port => $ports[panko_api_port],
ip_addresses => hiera('panko_api_node_ips', $controller_hosts_real),
server_names => hiera('panko_api_node_names', $controller_hosts_names_real),
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[panko_api_ssl_port],
service_network => $panko_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -1199,11 +1145,6 @@ class tripleo::haproxy (
ip_addresses => hiera('gnocchi_api_node_ips', $controller_hosts_real),
server_names => hiera('gnocchi_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[gnocchi_api_ssl_port],
service_network => $gnocchi_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -1224,6 +1165,7 @@ class tripleo::haproxy (
if $swift_proxy_server {
$swift_proxy_server_listen_options = {
+ 'option' => [ 'httpchk GET /healthcheck', ],
'timeout client' => '2m',
'timeout server' => '2m',
}
@@ -1236,22 +1178,19 @@ class tripleo::haproxy (
listen_options => $swift_proxy_server_listen_options,
public_ssl_port => $ports[swift_proxy_ssl_port],
service_network => $swift_proxy_server_network,
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
}
}
$heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip)
$heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real)
- $heat_base_options = {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }']}
if $service_certificate {
$heat_ssl_options = {
'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1",
}
- $heat_options = merge($heat_base_options, $heat_ssl_options)
+ $heat_options = merge($default_listen_options, $heat_ssl_options)
} else {
- $heat_options = $heat_base_options
+ $heat_options = $default_listen_options
}
if $heat_api {
@@ -1514,6 +1453,7 @@ class tripleo::haproxy (
server_names => hiera('ceph_rgw_node_names', $controller_hosts_names_real),
public_ssl_port => $ports[ceph_rgw_ssl_port],
service_network => $ceph_rgw_network,
+ listen_options => merge($default_listen_options, { 'option' => [ 'httpchk HEAD /' ] }),
}
}
diff --git a/manifests/keepalived.pp b/manifests/keepalived.pp
index a6d5832..aa0e5d6 100644
--- a/manifests/keepalived.pp
+++ b/manifests/keepalived.pp
@@ -59,6 +59,12 @@
# A string.
# Defaults to false
#
+# [*ovndbs_virtual_ip*]
+# Virtual IP on the OVNDBs service.
+# A string.
+# Defaults to false
+#
+
class tripleo::keepalived (
$controller_virtual_ip,
$control_virtual_interface,
@@ -68,6 +74,7 @@ class tripleo::keepalived (
$storage_virtual_ip = false,
$storage_mgmt_virtual_ip = false,
$redis_virtual_ip = false,
+ $ovndbs_virtual_ip = false,
) {
case $::osfamily {
@@ -178,4 +185,15 @@ class tripleo::keepalived (
priority => 101,
}
}
+ if $ovndbs_virtual_ip and $ovndbs_virtual_ip != $controller_virtual_ip {
+ $ovndbs_virtual_interface = interface_for_ip($ovndbs_virtual_ip)
+ # KEEPALIVE OVNDBS MANAGEMENT NETWORK
+ keepalived::instance { '57':
+ interface => $ovndbs_virtual_interface,
+ virtual_ips => [join([$ovndbs_virtual_ip, ' dev ', $ovndbs_virtual_interface])],
+ state => 'MASTER',
+ track_script => ['haproxy'],
+ priority => 101,
+ }
+ }
}
diff --git a/manifests/profile/base/ironic/conductor.pp b/manifests/profile/base/ironic/conductor.pp
index 7f90da9..cb0524b 100644
--- a/manifests/profile/base/ironic/conductor.pp
+++ b/manifests/profile/base/ironic/conductor.pp
@@ -34,6 +34,7 @@ class tripleo::profile::base::ironic::conductor (
if $step >= 4 {
include ::ironic::conductor
+ include ::ironic::drivers::interfaces
include ::ironic::drivers::pxe
if $manage_pxe {
include ::ironic::pxe
diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index bb3f387..5909337 100644
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@@ -59,6 +59,15 @@
# heat admin user name
# Defaults to undef
#
+# [*ldap_backends_config*]
+# Configuration for keystone::ldap_backend. This takes a hash that will
+# create each backend specified.
+# Defaults to undef
+#
+# [*ldap_backend_enable*]
+# Enables creating per-domain LDAP backends for keystone.
+# Default to false
+#
# [*manage_db_purge*]
# (Optional) Whether keystone token flushing should be enabled
# Defaults to hiera('keystone_enable_db_purge', true)
@@ -126,6 +135,8 @@ class tripleo::profile::base::keystone (
$heat_admin_email = undef,
$heat_admin_password = undef,
$heat_admin_user = undef,
+ $ldap_backends_config = undef,
+ $ldap_backend_enable = false,
$manage_db_purge = hiera('keystone_enable_db_purge', true),
$public_endpoint_network = hiera('keystone_public_api_network', undef),
$oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'),
@@ -207,6 +218,11 @@ class tripleo::profile::base::keystone (
ssl_key_admin => $tls_keyfile_admin,
}
include ::keystone::cors
+
+ if $ldap_backend_enable {
+ validate_hash($ldap_backends_config)
+ create_resources('::keystone::ldap_backend', $ldap_backends_config)
+ }
}
if $step >= 4 and $manage_db_purge {
diff --git a/manifests/profile/base/logging/fluentd.pp b/manifests/profile/base/logging/fluentd.pp
index 9e1aa8d..fc996e9 100644
--- a/manifests/profile/base/logging/fluentd.pp
+++ b/manifests/profile/base/logging/fluentd.pp
@@ -71,105 +71,109 @@ class tripleo::profile::base::logging::fluentd (
$fluentd_listen_syslog = true,
$fluentd_syslog_port = 42185
) {
- include ::fluentd
- if $fluentd_groups {
- user { $::fluentd::config_owner:
- ensure => present,
- groups => $fluentd_groups,
- membership => 'minimum',
+ if $step >= 4 {
+ include ::fluentd
+
+ if $fluentd_groups {
+ Package<| tag == 'openstack' |> ->
+ user { $::fluentd::config_owner:
+ ensure => present,
+ groups => $fluentd_groups,
+ membership => 'minimum',
+ }
}
- }
- if $fluentd_pos_file_path {
- file { $fluentd_pos_file_path:
- ensure => 'directory',
- owner => $::fluentd::config_owner,
- group => $::fluentd::config_group,
- mode => '0750',
+ if $fluentd_pos_file_path {
+ file { $fluentd_pos_file_path:
+ ensure => 'directory',
+ owner => $::fluentd::config_owner,
+ group => $::fluentd::config_group,
+ mode => '0750',
+ }
}
- }
- ::fluentd::plugin { 'rubygem-fluent-plugin-add':
- plugin_provider => 'yum',
- }
+ ::fluentd::plugin { 'rubygem-fluent-plugin-add':
+ plugin_provider => 'yum',
+ }
- if $fluentd_sources {
- ::fluentd::config { '100-openstack-sources.conf':
- config => {
- 'source' => $fluentd_sources,
+ if $fluentd_sources {
+ ::fluentd::config { '100-openstack-sources.conf':
+ config => {
+ 'source' => $fluentd_sources,
+ }
}
}
- }
- if $fluentd_listen_syslog {
- # fluentd will receive syslog messages by listening on a local udp
- # socket.
- ::fluentd::config { '110-system-sources.conf':
- config => {
- 'source' => {
- 'type' => 'syslog',
- 'tag' => 'system.messages',
- 'port' => $fluentd_syslog_port,
+ if $fluentd_listen_syslog {
+ # fluentd will receive syslog messages by listening on a local udp
+ # socket.
+ ::fluentd::config { '110-system-sources.conf':
+ config => {
+ 'source' => {
+ 'type' => 'syslog',
+ 'tag' => 'system.messages',
+ 'port' => $fluentd_syslog_port,
+ }
}
}
- }
- file { '/etc/rsyslog.d/fluentd.conf':
- content => "*.* @127.0.0.1:${fluentd_syslog_port}",
- owner => 'root',
- group => 'root',
- mode => '0644',
- } ~> exec { 'reload rsyslog':
- command => '/bin/systemctl restart rsyslog',
+ file { '/etc/rsyslog.d/fluentd.conf':
+ content => "*.* @127.0.0.1:${fluentd_syslog_port}",
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ } ~> exec { 'reload rsyslog':
+ command => '/bin/systemctl restart rsyslog',
+ }
}
- }
- if $fluentd_filters {
- ::fluentd::config { '200-openstack-filters.conf':
- config => {
- 'filter' => $fluentd_filters,
+ if $fluentd_filters {
+ ::fluentd::config { '200-openstack-filters.conf':
+ config => {
+ 'filter' => $fluentd_filters,
+ }
}
}
- }
- if $fluentd_servers and !empty($fluentd_servers) {
- if $fluentd_use_ssl {
- ::fluentd::plugin { 'rubygem-fluent-plugin-secure-forward':
- plugin_provider => 'yum',
- }
+ if $fluentd_servers and !empty($fluentd_servers) {
+ if $fluentd_use_ssl {
+ ::fluentd::plugin { 'rubygem-fluent-plugin-secure-forward':
+ plugin_provider => 'yum',
+ }
- file {'/etc/fluentd/ca_cert.pem':
- content => $fluentd_ssl_certificate,
- owner => $::fluentd::config_owner,
- group => $::fluentd::config_group,
- mode => '0444',
- }
+ file {'/etc/fluentd/ca_cert.pem':
+ content => $fluentd_ssl_certificate,
+ owner => $::fluentd::config_owner,
+ group => $::fluentd::config_group,
+ mode => '0444',
+ }
- ::fluentd::config { '300-openstack-matches.conf':
- config => {
- 'match' => {
- # lint:ignore:single_quote_string_with_variables
- # lint:ignore:quoted_booleans
- 'type' => 'secure_forward',
- 'tag_pattern' => '**',
- 'self_hostname' => '${hostname}',
- 'secure' => 'true',
- 'ca_cert_path' => '/etc/fluentd/ca_cert.pem',
- 'shared_key' => $fluentd_shared_key,
- 'server' => $fluentd_servers,
- # lint:endignore
- # lint:endignore
+ ::fluentd::config { '300-openstack-matches.conf':
+ config => {
+ 'match' => {
+ # lint:ignore:single_quote_string_with_variables
+ # lint:ignore:quoted_booleans
+ 'type' => 'secure_forward',
+ 'tag_pattern' => '**',
+ 'self_hostname' => '${hostname}',
+ 'secure' => 'true',
+ 'ca_cert_path' => '/etc/fluentd/ca_cert.pem',
+ 'shared_key' => $fluentd_shared_key,
+ 'server' => $fluentd_servers,
+ # lint:endignore
+ # lint:endignore
+ }
}
}
- }
- } else {
- ::fluentd::config { '300-openstack-matches.conf':
- config => {
- 'match' => {
- 'type' => 'forward',
- 'tag_pattern' => '**',
- 'server' => $fluentd_servers,
+ } else {
+ ::fluentd::config { '300-openstack-matches.conf':
+ config => {
+ 'match' => {
+ 'type' => 'forward',
+ 'tag_pattern' => '**',
+ 'server' => $fluentd_servers,
+ }
}
}
}
diff --git a/manifests/profile/base/neutron/agents/bagpipe.pp b/manifests/profile/base/neutron/agents/bagpipe.pp
new file mode 100644
index 0000000..fb5e000
--- /dev/null
+++ b/manifests/profile/base/neutron/agents/bagpipe.pp
@@ -0,0 +1,37 @@
+#
+# Copyright (C) 2017 Red Hat Inc.
+#
+# Author: Ricardo Noriega <rnoriega@redhat.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::neutron::agents::bagpipe
+#
+# Neutron Bagpipe Agent profile for TripleO
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+class tripleo::profile::base::neutron::agents::bagpipe (
+ $step = hiera('step'),
+) {
+ include ::tripleo::profile::base::neutron
+
+ if $step >= 4 {
+ include ::neutron::agents::bagpipe
+ }
+}
diff --git a/manifests/profile/base/neutron/agents/l2gw.pp b/manifests/profile/base/neutron/agents/l2gw.pp
new file mode 100644
index 0000000..10cd662
--- /dev/null
+++ b/manifests/profile/base/neutron/agents/l2gw.pp
@@ -0,0 +1,35 @@
+#
+# Copyright (C) 2017 Red Hat Inc.
+#
+# Author: Peng Liu <pliu@redhat.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::neutron::agent::l2gw
+#
+# Neutron L2 Gateway agent profile for TripleO
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+class tripleo::profile::base::neutron::agents::l2gw (
+ $step = hiera('step'),
+) {
+ if $step >= 4 {
+ include ::neutron::agents::l2gw
+ }
+}
diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp
index 6021731..c1d745a 100644
--- a/manifests/profile/base/pacemaker.pp
+++ b/manifests/profile/base/pacemaker.pp
@@ -55,6 +55,14 @@
# (Optional) Number of seconds to sleep between remote creation tries
# Defaults to hiera('pacemaker_remote_try_sleep', 60)
#
+# [*cluster_recheck_interval*]
+# (Optional) Set the cluster-wide cluster-recheck-interval property
+# If the hiera key does not exist or if it is set to undef, the property
+# won't be changed from its default value when there are no pacemaker_remote
+# nodes. In presence of pacemaker_remote nodes and an undef value it will
+# be set to 60s.
+# Defaults to hiera('pacemaker_cluster_recheck_interval', undef)
+#
class tripleo::profile::base::pacemaker (
$step = hiera('step'),
$pcs_tries = hiera('pcs_tries', 20),
@@ -65,6 +73,7 @@ class tripleo::profile::base::pacemaker (
$remote_monitor_interval = hiera('pacemaker_remote_monitor_interval', 20),
$remote_tries = hiera('pacemaker_remote_tries', 5),
$remote_try_sleep = hiera('pacemaker_remote_try_sleep', 60),
+ $cluster_recheck_interval = hiera('pacemaker_cluster_recheck_interval', undef),
) {
if count($remote_short_node_names) != count($remote_node_ips) {
@@ -136,6 +145,22 @@ class tripleo::profile::base::pacemaker (
if $step >= 2 {
if $pacemaker_master {
include ::pacemaker::resource_defaults
+ # When we have a non-zero number of pacemaker remote nodes we
+ # want to set the cluster-recheck-interval property to something
+ # lower (unless the operator has explicitely set a value)
+ if count($remote_short_node_names) > 0 and $cluster_recheck_interval == undef {
+ pacemaker::property{ 'cluster-recheck-interval-property':
+ property => 'cluster-recheck-interval',
+ value => '60s',
+ tries => $pcs_tries,
+ }
+ } elsif $cluster_recheck_interval != undef {
+ pacemaker::property{ 'cluster-recheck-interval-property':
+ property => 'cluster-recheck-interval',
+ value => $cluster_recheck_interval,
+ tries => $pcs_tries,
+ }
+ }
}
}
diff --git a/manifests/profile/base/swift/proxy.pp b/manifests/profile/base/swift/proxy.pp
index 0d9ba68..e80c8c9 100644
--- a/manifests/profile/base/swift/proxy.pp
+++ b/manifests/profile/base/swift/proxy.pp
@@ -46,6 +46,22 @@
# Username for messaging nova queue
# Defaults to hiera('swift::proxy::ceilometer::rabbit_user', 'guest')
#
+# [*certificates_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Example with hiera:
+# apache_certificates_specs:
+# httpd-internal_api:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "haproxy/<overcloud controller fqdn>"
+# Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
# [*memcache_port*]
# (Optional) memcache port
# Defaults to 11211
@@ -59,6 +75,26 @@
# for more details.
# Defaults to hiera('step')
#
+# [*swift_proxy_network*]
+# (Optional) The network name where the swift proxy endpoint is listening on.
+# This is set by t-h-t.
+# Defaults to hiera('swift_proxy_network', undef)
+#
+# [*tls_proxy_bind_ip*]
+# IP on which the TLS proxy will listen on. Required only if
+# enable_internal_tls is set.
+# Defaults to undef
+#
+# [*tls_proxy_fqdn*]
+# fqdn on which the tls proxy will listen on. required only used if
+# enable_internal_tls is set.
+# defaults to undef
+#
+# [*tls_proxy_port*]
+# port on which the tls proxy will listen on. Only used if
+# enable_internal_tls is set.
+# defaults to 8080
+#
class tripleo::profile::base::swift::proxy (
$ceilometer_enabled = true,
$ceilometer_messaging_driver = hiera('messaging_notify_service_name', 'rabbit'),
@@ -67,11 +103,33 @@ class tripleo::profile::base::swift::proxy (
$ceilometer_messaging_port = hiera('tripleo::profile::base::swift::proxy::rabbit_port', '5672'),
$ceilometer_messaging_use_ssl = '0',
$ceilometer_messaging_username = hiera('swift::proxy::ceilometer::rabbit_user', 'guest'),
+ $certificates_specs = hiera('apache_certificates_specs', {}),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
$memcache_port = 11211,
$memcache_servers = hiera('memcached_node_ips'),
$step = hiera('step'),
+ $swift_proxy_network = hiera('swift_proxy_network', undef),
+ $tls_proxy_bind_ip = undef,
+ $tls_proxy_fqdn = undef,
+ $tls_proxy_port = 8080,
) {
if $step >= 4 {
+ if $enable_internal_tls {
+ if !$swift_proxy_network {
+ fail('swift_proxy_network is not set in the hieradata.')
+ }
+ $tls_certfile = $certificates_specs["httpd-${swift_proxy_network}"]['service_certificate']
+ $tls_keyfile = $certificates_specs["httpd-${swift_proxy_network}"]['service_key']
+
+ ::tripleo::tls_proxy { 'swift-proxy-api':
+ servername => $tls_proxy_fqdn,
+ ip => $tls_proxy_bind_ip,
+ port => $tls_proxy_port,
+ tls_cert => $tls_certfile,
+ tls_key => $tls_keyfile,
+ notify => Class['::neutron::server'],
+ }
+ }
$swift_memcache_servers = suffix(any2array(normalize_ip_for_uri($memcache_servers)), ":${memcache_port}")
include ::swift::config
include ::swift::proxy
diff --git a/releasenotes/notes/add-bagpipe-driver-9163f5b22096fde0.yaml b/releasenotes/notes/add-bagpipe-driver-9163f5b22096fde0.yaml
new file mode 100644
index 0000000..df6b232
--- /dev/null
+++ b/releasenotes/notes/add-bagpipe-driver-9163f5b22096fde0.yaml
@@ -0,0 +1,3 @@
+---
+features:
+ - Add support for Bagpipe Neutron driver as backend in BGPVPN scenarios
diff --git a/releasenotes/notes/add-ldap-backend-48e875e971343e2a.yaml b/releasenotes/notes/add-ldap-backend-48e875e971343e2a.yaml
new file mode 100644
index 0000000..0fb9271
--- /dev/null
+++ b/releasenotes/notes/add-ldap-backend-48e875e971343e2a.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - Add keystone::ldap_backend call as resource when is trigged to setup a LDAP
+ backend as keystone domain. This allows per-domain LDAP backends for
+ keystone.
diff --git a/releasenotes/notes/l2gw_agent_support-2bc24b539da738a8.yaml b/releasenotes/notes/l2gw_agent_support-2bc24b539da738a8.yaml
new file mode 100644
index 0000000..66e8f35
--- /dev/null
+++ b/releasenotes/notes/l2gw_agent_support-2bc24b539da738a8.yaml
@@ -0,0 +1,3 @@
+---
+features:
+ - Add support for l2 gateway Neutron agent support.