diff options
83 files changed, 1755 insertions, 297 deletions
diff --git a/Puppetfile_extras b/Puppetfile_extras index 7339074..0b617b9 100644 --- a/Puppetfile_extras +++ b/Puppetfile_extras @@ -36,3 +36,15 @@ mod 'fdio', mod 'certmonger', :git => 'https://github.com/earsdown/puppet-certmonger', :ref => 'v1.1.1' + +mod 'ntp', + :git => 'https://github.com/puppetlabs/puppetlabs-ntp', + :ref => '4.2.x' + +mod 'systemd', + :git => 'https://github.com/camptocamp/puppet-systemd', + :ref => 'master' + +mod 'opendaylight', + :git => 'https://github.com/dfarrell07/puppet-opendaylight', + :ref => 'master' diff --git a/bindep.txt b/bindep.txt new file mode 100644 index 0000000..4f9b425 --- /dev/null +++ b/bindep.txt @@ -0,0 +1,2 @@ +# This is a cross-platform list tracking distribution packages needed by tests; +# see http://docs.openstack.org/infra/bindep/ for additional information. diff --git a/lib/puppet/provider/package/norpm.rb b/lib/puppet/provider/package/norpm.rb index 080b138..abe1780 100644 --- a/lib/puppet/provider/package/norpm.rb +++ b/lib/puppet/provider/package/norpm.rb @@ -12,6 +12,7 @@ # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. +require 'puppet' require 'puppet/provider/package' Puppet::Type.type(:package).provide :norpm, :source => :rpm, :parent => :rpm do @@ -24,18 +25,22 @@ Puppet::Type.type(:package).provide :norpm, :source => :rpm, :parent => :rpm do end def install + Puppet.warning("[norpm] Attempting to install #{name} but it will not be installed") true end def uninstall + Puppet.warning("[norpm] Attempting to uninstall #{name} but it will not be removed") true end def update + Puppet.warning("[norpm] Attempting to update #{name} but it will not be updated") true end def purge + Puppet.warning("[norpm] Attempting to purge #{name} but it will not be removed") true end diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp index 3b8fd09..6668440 100644 --- a/manifests/certmonger/haproxy.pp +++ b/manifests/certmonger/haproxy.pp @@ -52,14 +52,27 @@ define tripleo::certmonger::haproxy ( $certmonger_ca = hiera('certmonger_ca', 'local'), $principal = undef, ){ + include ::certmonger include ::haproxy::params + # This is only needed for certmonger's local CA. For any other CA this + # operation (trusting the CA) should be done by the deployer. + if $certmonger_ca == 'local' { + class { '::tripleo::certmonger::ca::local': + notify => Class['::tripleo::haproxy'] + } + } + certmonger_certificate { "${title}-cert": + ensure => 'present', + ca => $certmonger_ca, hostname => $hostname, dnsname => $hostname, certfile => $service_certificate, keyfile => $service_key, postsave_cmd => $postsave_cmd, principal => $principal, + wait => true, + require => Class['::certmonger'], } concat { $service_pem : ensure => present, diff --git a/manifests/certmonger/rabbitmq.pp b/manifests/certmonger/rabbitmq.pp new file mode 100644 index 0000000..344adef --- /dev/null +++ b/manifests/certmonger/rabbitmq.pp @@ -0,0 +1,79 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::certmonger::rabbitmq +# +# Request a certificate for RabbitMQ and do the necessary setup. +# +# === Parameters +# +# [*hostname*] +# The hostname of the node. this will be set in the CN of the certificate. +# +# [*service_certificate*] +# The path to the certificate that will be used for TLS in this service. +# +# [*service_key*] +# The path to the key that will be used for TLS in this service. +# +# [*certmonger_ca*] +# (Optional) The CA that certmonger will use to generate the certificates. +# Defaults to hiera('certmonger_ca', 'local'). +# +# [*file_owner*] +# (Optional) The user which the certificate and key files belong to. +# Defaults to 'root' +# +# [*principal*] +# (Optional) The service principal that is set for the service in kerberos. +# Defaults to undef +# +class tripleo::certmonger::rabbitmq ( + $hostname, + $service_certificate, + $service_key, + $certmonger_ca = hiera('certmonger_ca', 'local'), + $principal = undef, +) { + include ::certmonger + include ::rabbitmq::params + + $postsave_cmd = "systemctl restart ${::rabbitmq::params::service_name}" + certmonger_certificate { 'rabbitmq' : + ensure => 'present', + certfile => $service_certificate, + keyfile => $service_key, + hostname => $hostname, + dnsname => $hostname, + principal => $principal, + postsave_cmd => $postsave_cmd, + ca => $certmonger_ca, + wait => true, + require => Class['::certmonger'], + } + + file { $service_certificate : + owner => $::rabbitmq::params::rabbitmq_user, + group => $::rabbitmq::params::rabbitmq_group, + require => Certmonger_certificate['rabbitmq'], + } + file { $service_key : + owner => $::rabbitmq::params::rabbitmq_user, + group => $::rabbitmq::params::rabbitmq_group, + require => Certmonger_certificate['rabbitmq'], + } + + File[$service_certificate] ~> Service<| title == $::rabbitmq::params::service_name |> + File[$service_key] ~> Service<| title == $::rabbitmq::params::service_name |> +} diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index 13d4ba5..92edd71 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -808,7 +808,7 @@ class tripleo::haproxy ( 'ssl-default-bind-ciphers' => $ssl_cipher_suite, 'ssl-default-bind-options' => $ssl_options, 'stats' => [ - 'socket /var/run/haproxy.sock mode 600 level user', + 'socket /var/lib/haproxy/stats mode 600 level user', 'timeout 2m' ], }, @@ -1265,6 +1265,7 @@ class tripleo::haproxy ( listen_options => $heat_options, public_ssl_port => $ports[heat_api_ssl_port], service_network => $heat_api_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -1279,6 +1280,7 @@ class tripleo::haproxy ( listen_options => $heat_options, public_ssl_port => $ports[heat_cw_ssl_port], service_network => $heat_cloudwatch_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -1293,6 +1295,7 @@ class tripleo::haproxy ( listen_options => $heat_options, public_ssl_port => $ports[heat_cfn_ssl_port], service_network => $heat_cfn_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } diff --git a/manifests/profile/base/aodh.pp b/manifests/profile/base/aodh.pp index d6561a2..da8aaa6 100644 --- a/manifests/profile/base/aodh.pp +++ b/manifests/profile/base/aodh.pp @@ -99,7 +99,7 @@ class tripleo::profile::base::aodh ( default_transport_url => os_transport_url({ 'transport' => $oslomsg_rpc_proto, 'hosts' => $oslomsg_rpc_hosts, - 'port' => sprintf('%s', $oslomsg_rpc_port), + 'port' => $oslomsg_rpc_port, 'username' => $oslomsg_rpc_username, 'password' => $oslomsg_rpc_password, 'ssl' => $oslomsg_use_ssl_real, @@ -107,7 +107,7 @@ class tripleo::profile::base::aodh ( notification_transport_url => os_transport_url({ 'transport' => $oslomsg_notify_proto, 'hosts' => $oslomsg_notify_hosts, - 'port' => sprintf('%s', $oslomsg_notify_port), + 'port' => $oslomsg_notify_port, 'username' => $oslomsg_notify_username, 'password' => $oslomsg_notify_password, 'ssl' => $oslomsg_use_ssl_real, diff --git a/manifests/profile/base/aodh/api.pp b/manifests/profile/base/aodh/api.pp index af4a5b3..0834536 100644 --- a/manifests/profile/base/aodh/api.pp +++ b/manifests/profile/base/aodh/api.pp @@ -39,14 +39,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -57,17 +49,12 @@ class tripleo::profile::base::aodh::api ( $aodh_network = hiera('aodh_api_network', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $step = hiera('step'), ) { include ::tripleo::profile::base::aodh if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$aodh_network { fail('aodh_api_network is not set in the hieradata.') } diff --git a/manifests/profile/base/barbican/api.pp b/manifests/profile/base/barbican/api.pp index 64c2b62..71e4ea1 100644 --- a/manifests/profile/base/barbican/api.pp +++ b/manifests/profile/base/barbican/api.pp @@ -43,14 +43,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -105,7 +97,6 @@ class tripleo::profile::base::barbican::api ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $step = hiera('step'), $oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'), $oslomsg_rpc_hosts = any2array(hiera('rabbitmq_node_names', undef)), @@ -126,10 +117,6 @@ class tripleo::profile::base::barbican::api ( } if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$barbican_network { fail('barbican_api_network is not set in the hieradata.') } @@ -153,7 +140,7 @@ class tripleo::profile::base::barbican::api ( default_transport_url => os_transport_url({ 'transport' => $oslomsg_rpc_proto, 'hosts' => $oslomsg_rpc_hosts, - 'port' => sprintf('%s', $oslomsg_rpc_port), + 'port' => $oslomsg_rpc_port, 'username' => $oslomsg_rpc_username, 'password' => $oslomsg_rpc_password, 'ssl' => $oslomsg_use_ssl_real, @@ -161,7 +148,7 @@ class tripleo::profile::base::barbican::api ( notification_transport_url => os_transport_url({ 'transport' => $oslomsg_notify_proto, 'hosts' => $oslomsg_notify_hosts, - 'port' => sprintf('%s', $oslomsg_notify_port), + 'port' => $oslomsg_notify_port, 'username' => $oslomsg_notify_username, 'password' => $oslomsg_notify_password, 'ssl' => $oslomsg_use_ssl_real, diff --git a/manifests/profile/base/ceilometer.pp b/manifests/profile/base/ceilometer.pp index 61575d1..2855bd2 100644 --- a/manifests/profile/base/ceilometer.pp +++ b/manifests/profile/base/ceilometer.pp @@ -88,7 +88,7 @@ class tripleo::profile::base::ceilometer ( default_transport_url => os_transport_url({ 'transport' => $oslomsg_rpc_proto, 'hosts' => $oslomsg_rpc_hosts, - 'port' => sprintf('%s', $oslomsg_rpc_port), + 'port' => $oslomsg_rpc_port, 'username' => $oslomsg_rpc_username, 'password' => $oslomsg_rpc_password, 'ssl' => $oslomsg_use_ssl_real, @@ -96,7 +96,7 @@ class tripleo::profile::base::ceilometer ( notification_transport_url => os_transport_url({ 'transport' => $oslomsg_notify_proto, 'hosts' => $oslomsg_notify_hosts, - 'port' => sprintf('%s', $oslomsg_notify_port), + 'port' => $oslomsg_notify_port, 'username' => $oslomsg_notify_username, 'password' => $oslomsg_notify_password, 'ssl' => $oslomsg_use_ssl_real, diff --git a/manifests/profile/base/ceilometer/agent/polling.pp b/manifests/profile/base/ceilometer/agent/polling.pp new file mode 100644 index 0000000..3706c2e --- /dev/null +++ b/manifests/profile/base/ceilometer/agent/polling.pp @@ -0,0 +1,64 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::ceilometer::agent::polling +# +# Ceilometer polling Agent profile for tripleo +# +# === Parameters +# +# [*central_namespace*] +# (Optional) Use central namespace for polling agent. +# Defaults to false. +# +# [*compute_namespace*] +# (Optional) Use compute namespace for polling agent. +# Defaults to false. +# +# [*ipmi_namespace*] +# (Optional) Use ipmi namespace for polling agent. +# Defaults to false. +# +# [*ceilometer_redis_password*] +# (Optional) redis password to configure coordination url +# +# [*redis_vip*] +# (Optional) redis vip to configure coordination url +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::ceilometer::agent::polling ( + $central_namespace = hiera('central_namespace', false), + $compute_namespace = hiera('compute_namespace', false), + $ipmi_namespace = hiera('ipmi_namespace', false), + $ceilometer_redis_password = hiera('ceilometer_redis_password', undef), + $redis_vip = hiera('redis_vip', undef), + $step = hiera('step'), +) { + include ::tripleo::profile::base::ceilometer + + if $step >= 4 { + include ::ceilometer::agent::auth + class { '::ceilometer::agent::polling': + central_namespace => $central_namespace, + compute_namespace => $compute_namespace, + ipmi_namespace => $ipmi_namespace, + coordination_url => join(['redis://:', $ceilometer_redis_password, '@', normalize_ip_for_uri($redis_vip), ':6379/']), + } + } + +} diff --git a/manifests/profile/base/ceilometer/api.pp b/manifests/profile/base/ceilometer/api.pp index 6ef4748..28504c5 100644 --- a/manifests/profile/base/ceilometer/api.pp +++ b/manifests/profile/base/ceilometer/api.pp @@ -39,14 +39,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -56,16 +48,11 @@ class tripleo::profile::base::ceilometer::api ( $ceilometer_network = hiera('ceilometer_api_network', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $step = hiera('step'), ) { include ::tripleo::profile::base::ceilometer if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$ceilometer_network { fail('ceilometer_api_network is not set in the hieradata.') } diff --git a/manifests/profile/base/ceilometer/collector.pp b/manifests/profile/base/ceilometer/collector.pp index 20eab54..6b58286 100644 --- a/manifests/profile/base/ceilometer/collector.pp +++ b/manifests/profile/base/ceilometer/collector.pp @@ -85,4 +85,12 @@ class tripleo::profile::base::ceilometer::collector ( include ::ceilometer::dispatcher::gnocchi } + # Re-run ceilometer-upgrade again in step 5 so gnocchi resource types + # are created safely. + if $step >= 5 and $sync_db { + exec {'ceilometer-db-upgrade': + command => 'ceilometer-upgrade --skip-metering-database', + path => ['/usr/bin', '/usr/sbin'], + } + } } diff --git a/manifests/profile/base/ceph/rgw.pp b/manifests/profile/base/ceph/rgw.pp index 8443de0..d00f7cd 100644 --- a/manifests/profile/base/ceph/rgw.pp +++ b/manifests/profile/base/ceph/rgw.pp @@ -60,7 +60,7 @@ class tripleo::profile::base::ceph::rgw ( $rgw_name = hiera('ceph::profile::params::rgw_name', 'radosgw.gateway') $civetweb_bind_ip_real = normalize_ip_for_uri($civetweb_bind_ip) include ::ceph::params - include ::ceph::profile::base + include ::ceph::profile::client ceph::rgw { $rgw_name: frontend_type => 'civetweb', rgw_frontends => "civetweb port=${civetweb_bind_ip_real}:${civetweb_bind_port}", diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp new file mode 100644 index 0000000..586c7e4 --- /dev/null +++ b/manifests/profile/base/certmonger_user.pp @@ -0,0 +1,77 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == class: tripleo::profile::base::certmonger_user +# +# Profile that ensures that the relevant certmonger certificates have been +# requested. The certificates come from the hiera set by the specific profiles +# and come in a pre-defined format. +# For a service that has several certificates (one per network name): +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "HTTP/<overcloud controller fqdn>" +# For a service that uses a single certificate: +# mysql_certificates_specs: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "mysql/<overcloud controller fqdn>" +# +# === Parameters +# +# [*apache_certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*haproxy_certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Defaults to hiera('tripleo::profile::base::haproxy::certificate_specs', {}). +# +# [*mysql_certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Defaults to hiera('tripleo::profile::base::database::mysql::certificate_specs', {}). +# +# [*rabbitmq_certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Defaults to hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}). +# +class tripleo::profile::base::certmonger_user ( + $apache_certificates_specs = hiera('apache_certificates_specs', {}), + $haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}), + $mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}), + $rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}), +) { + unless empty($apache_certificates_specs) { + ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs) + } + unless empty($haproxy_certificates_specs) { + ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs) + # The haproxy fronends (or listen resources) depend on the certificate + # existing and need to be refreshed if it changed. + Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||> + } + unless empty($mysql_certificate_specs) { + ensure_resource('class', 'tripleo::certmonger::mysql', $mysql_certificate_specs) + } + unless empty($rabbitmq_certificate_specs) { + ensure_resource('class', 'tripleo::certmonger::rabbitmq', $rabbitmq_certificate_specs) + } +} diff --git a/manifests/profile/base/cinder.pp b/manifests/profile/base/cinder.pp index d6fad03..fc3c659 100644 --- a/manifests/profile/base/cinder.pp +++ b/manifests/profile/base/cinder.pp @@ -102,7 +102,7 @@ class tripleo::profile::base::cinder ( default_transport_url => os_transport_url({ 'transport' => $oslomsg_rpc_proto, 'hosts' => $oslomsg_rpc_hosts, - 'port' => sprintf('%s', $oslomsg_rpc_port), + 'port' => $oslomsg_rpc_port, 'username' => $oslomsg_rpc_username, 'password' => $oslomsg_rpc_password, 'ssl' => $oslomsg_use_ssl_real, @@ -112,7 +112,7 @@ class tripleo::profile::base::cinder ( notification_transport_url => os_transport_url({ 'transport' => $oslomsg_notify_proto, 'hosts' => $oslomsg_notify_hosts, - 'port' => sprintf('%s', $oslomsg_notify_port), + 'port' => $oslomsg_notify_port, 'username' => $oslomsg_notify_username, 'password' => $oslomsg_notify_password, 'ssl' => $oslomsg_use_ssl_real, diff --git a/manifests/profile/base/cinder/api.pp b/manifests/profile/base/cinder/api.pp index 450a8e6..c432fd6 100644 --- a/manifests/profile/base/cinder/api.pp +++ b/manifests/profile/base/cinder/api.pp @@ -43,14 +43,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -61,7 +53,6 @@ class tripleo::profile::base::cinder::api ( $certificates_specs = hiera('apache_certificates_specs', {}), $cinder_api_network = hiera('cinder_api_network', undef), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $step = hiera('step'), ) { if $::hostname == downcase($bootstrap_node) { @@ -73,10 +64,6 @@ class tripleo::profile::base::cinder::api ( include ::tripleo::profile::base::cinder if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$cinder_api_network { fail('cinder_api_network is not set in the hieradata.') } diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp index d3c3f21..b4ac8ac 100644 --- a/manifests/profile/base/database/mysql.pp +++ b/manifests/profile/base/database/mysql.pp @@ -42,11 +42,10 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# MySQL. This could be as many as specified by the $certificates_specs -# variable. -# Defaults to hiera('generate_service_certificate', false). +# [*generate_dropin_file_limit*] +# (Optional) Generate a systemd drop-in file to raise the file descriptor +# limit for the mysql service. +# Defaults to false # # [*manage_resources*] # (Optional) Whether or not manage root user, root my.cnf, and service. @@ -57,6 +56,10 @@ # Should be an hash. # Defaults to {} # +# [*mysql_max_connections*] +# (Optional) Maximum number of connections to MySQL. +# Defaults to hiera('mysql_max_connections', undef) +# # [*remove_default_accounts*] # (Optional) Whether or not remove default MySQL accounts. # Defaults to true @@ -72,9 +75,10 @@ class tripleo::profile::base::database::mysql ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificate_specs = {}, $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), + $generate_dropin_file_limit = false, $manage_resources = true, $mysql_server_options = {}, + $mysql_max_connections = hiera('mysql_max_connections', undef), $remove_default_accounts = true, $step = hiera('step'), ) { @@ -89,9 +93,6 @@ class tripleo::profile::base::database::mysql ( validate_hash($certificate_specs) if $enable_internal_tls { - if $generate_service_certificates { - ensure_resource('class', 'tripleo::certmonger::mysql', $certificate_specs) - } $tls_certfile = $certificate_specs['service_certificate'] $tls_keyfile = $certificate_specs['service_key'] } else { @@ -120,7 +121,7 @@ class tripleo::profile::base::database::mysql ( $mysql_server_default = { 'mysqld' => { 'bind-address' => $bind_address, - 'max_connections' => hiera('mysql_max_connections'), + 'max_connections' => $mysql_max_connections, 'open_files_limit' => '-1', 'innodb_file_per_table' => 'ON', 'ssl' => $enable_internal_tls, @@ -139,6 +140,15 @@ class tripleo::profile::base::database::mysql ( service_enabled => $manage_resources, remove_default_accounts => $remove_default_accounts, } + + if $generate_dropin_file_limit and $manage_resources { + # Raise the mysql file limit + ::systemd::service_limits { 'mariadb.service': + limits => { + 'LimitNOFILE' => 16384 + } + } + } } if $step >= 2 and $sync_db { @@ -167,6 +177,9 @@ class tripleo::profile::base::database::mysql ( if hiera('ironic_api_enabled', false) { include ::ironic::db::mysql } + if hiera('ironic_inspector_enabled', false) { + include ::ironic::inspector::db::mysql + } if hiera('keystone_enabled', false) { include ::keystone::db::mysql } diff --git a/manifests/profile/base/database/mysql/client.pp b/manifests/profile/base/database/mysql/client.pp index f23b97d..22384a9 100644 --- a/manifests/profile/base/database/mysql/client.pp +++ b/manifests/profile/base/database/mysql/client.pp @@ -18,17 +18,22 @@ # # === Parameters # +# [*enable_ssl*] +# (Optional) Whether SSL should be used for the connection to the server or +# not. +# Defaults to false +# # [*mysql_read_default_file*] # (Optional) Name of the file that will be passed to pymysql connection strings -# Defaults to hiera('tripleo::profile::base:database::mysql::read_default_file', '/etc/my.cnf.d/tripleo.cnf') +# Defaults to '/etc/my.cnf.d/tripleo.cnf' # # [*mysql_read_default_group*] # (Optional) Name of the ini section to be passed to pymysql connection strings -# Defaults to hiera('tripleo::profile::base:database::mysql::read_default_group', 'tripleo') +# Defaults to 'tripleo' # # [*mysql_client_bind_address*] # (Optional) Client IP address of the host that will be written in the mysql_read_default_file -# Defaults to hiera('tripleo::profile::base:database::mysql::client_bind_address', undef) +# Defaults to undef # # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates @@ -36,10 +41,11 @@ # Defaults to hiera('step') # class tripleo::profile::base::database::mysql::client ( - $mysql_read_default_file = hiera('tripleo::profile::base:database::mysql::read_default_file', '/etc/my.cnf.d/tripleo.cnf'), - $mysql_read_default_group = hiera('tripleo::profile::base:database::mysql::read_default_group', 'tripleo'), - $mysql_client_bind_address = hiera('tripleo::profile::base:database::mysql::client_bind_address', undef), - $step = hiera('step'), + $enable_ssl = false, + $mysql_read_default_file = '/etc/my.cnf.d/tripleo.cnf', + $mysql_read_default_group = 'tripleo', + $mysql_client_bind_address = undef, + $step = hiera('step'), ) { if $step >= 1 { # If the folder /etc/my.cnf.d does not exist (e.g. if mariadb is not @@ -50,23 +56,38 @@ class tripleo::profile::base::database::mysql::client ( # included on this node as well (we'd get duplicate declaration in such a # situation when using file) if $mysql_client_bind_address { - $changes = [ + $client_bind_changes = [ "set ${mysql_read_default_group}/bind-address '${mysql_client_bind_address}'" ] } else { - $changes = [ + $client_bind_changes = [ "rm ${mysql_read_default_group}/bind-address" ] } + + if $enable_ssl { + $changes_ssl = [ + "set ${mysql_read_default_group}/ssl '1'", + "set ${mysql_read_default_group}/ssl-ca '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'" + ] + } else { + $changes_ssl = [ + "rm ${mysql_read_default_group}/ssl", + "rm ${mysql_read_default_group}/ssl-ca" + ] + } + + $conf_changes = union($client_bind_changes, $changes_ssl) + + # Create /etc/my.cnf.d/tripleo.cnf exec { 'directory-create-etc-my.cnf.d': command => 'mkdir -p /etc/my.cnf.d', path => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'], } -> - # Create /etc/my.cnf.d/tripleo.cnf with the [tripleo]bind-address=<IP of the node in the mysql network> - augeas { 'mysql-bind-address': + augeas { 'tripleo-mysql-client-conf': incl => $mysql_read_default_file, lens => 'Puppet.lns', - changes => $changes, + changes => $conf_changes, } } } diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp new file mode 100644 index 0000000..5e18a85 --- /dev/null +++ b/manifests/profile/base/docker.pp @@ -0,0 +1,68 @@ +# Copyright 2017 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::docker +# +# docker profile for tripleo +# +# === Parameters +# +# [*docker_namespace*] +# The namespace to be used when setting INSECURE_REGISTRY +# this will be split on "/" to derive the docker registry +# (defaults to undef) +# +# [*insecure_registry*] +# Set docker_namespace to INSECURE_REGISTRY, used when a local registry +# is enabled (defaults to false) +# +# [*step*] +# step defaults to hiera('step') +# +class tripleo::profile::base::docker ( + $docker_namespace = undef, + $insecure_registry = false, + $step = hiera('step'), +) { + if $step >= 1 { + package {'docker': + ensure => installed, + } + + service { 'docker': + ensure => 'running', + enable => true, + require => Package['docker'], + } + + if $insecure_registry { + if $docker_namespace == undef { + fail('You must provide a $docker_namespace in order to configure insecure registry') + } + $namespace = strip($docker_namespace.split('/')[0]) + $changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${namespace}\"'", ] + } else { + $changes = [ 'rm INSECURE_REGISTRY', ] + } + + augeas { 'docker-sysconfig': + lens => 'Shellvars.lns', + incl => '/etc/sysconfig/docker', + changes => $changes, + subscribe => Package['docker'], + notify => Service['docker'], + } + } +} diff --git a/manifests/profile/base/docker_registry.pp b/manifests/profile/base/docker_registry.pp index 0452575..2f1783d 100644 --- a/manifests/profile/base/docker_registry.pp +++ b/manifests/profile/base/docker_registry.pp @@ -43,6 +43,7 @@ class tripleo::profile::base::docker_registry ( } package{'docker-distribution': } package{'docker': } + package{'openstack-kolla': } file { '/etc/docker-distribution/registry/config.yml' : ensure => file, content => template('tripleo/docker_distribution/registry_config.yml.erb'), diff --git a/manifests/profile/base/glance/api.pp b/manifests/profile/base/glance/api.pp index e5807f6..8ed7fb7 100644 --- a/manifests/profile/base/glance/api.pp +++ b/manifests/profile/base/glance/api.pp @@ -38,14 +38,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*glance_backend*] # (Optional) Glance backend(s) to use. # Defaults to downcase(hiera('glance_backend', 'swift')) @@ -91,7 +83,6 @@ class tripleo::profile::base::glance::api ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $glance_backend = downcase(hiera('glance_backend', 'swift')), $glance_network = hiera('glance_api_network', undef), $glance_nfs_enabled = false, @@ -102,10 +93,6 @@ class tripleo::profile::base::glance::api ( $tls_proxy_fqdn = undef, $tls_proxy_port = 9292, ) { - if $enable_internal_tls and $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if $::hostname == downcase($bootstrap_node) { $sync_db = true } else { diff --git a/manifests/profile/base/gnocchi/api.pp b/manifests/profile/base/gnocchi/api.pp index 2fde1fc..79ee265 100644 --- a/manifests/profile/base/gnocchi/api.pp +++ b/manifests/profile/base/gnocchi/api.pp @@ -38,14 +38,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*gnocchi_backend*] # (Optional) Gnocchi backend string file, swift or rbd # Defaults to swift @@ -64,7 +56,6 @@ class tripleo::profile::base::gnocchi::api ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $gnocchi_backend = downcase(hiera('gnocchi_backend', 'swift')), $gnocchi_network = hiera('gnocchi_api_network', undef), $step = hiera('step'), @@ -78,10 +69,6 @@ class tripleo::profile::base::gnocchi::api ( include ::tripleo::profile::base::gnocchi if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$gnocchi_network { fail('gnocchi_api_network is not set in the hieradata.') } @@ -113,4 +100,13 @@ class tripleo::profile::base::gnocchi::api ( default: { fail('Unrecognized gnocchi_backend parameter.') } } } + + # Re-run gnochci upgrade with storage as swift/ceph should be up at this + # stage. + if $step >= 5 and $sync_db { + exec {'run gnocchi upgrade with storage': + command => 'gnocchi-upgrade --config-file=/etc/gnocchi/gnocchi.conf', + path => ['/usr/bin', '/usr/sbin'], + } + } } diff --git a/manifests/profile/base/haproxy.pp b/manifests/profile/base/haproxy.pp index f16ec1b..9a03487 100644 --- a/manifests/profile/base/haproxy.pp +++ b/manifests/profile/base/haproxy.pp @@ -32,22 +32,10 @@ # principal: "haproxy/<undercloud fqdn>" # Defaults to {}. # -# [*certmonger_ca*] -# (Optional) The CA that certmonger will use to generate the certificates. -# Defaults to hiera('certmonger_ca', 'local'). -# # [*enable_load_balancer*] # (Optional) Whether or not loadbalancer is enabled. # Defaults to hiera('enable_load_balancer', true). # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -55,35 +43,11 @@ # class tripleo::profile::base::haproxy ( $certificates_specs = {}, - $certmonger_ca = hiera('certmonger_ca', 'local'), $enable_load_balancer = hiera('enable_load_balancer', true), - $generate_service_certificates = hiera('generate_service_certificates', false), $step = hiera('step'), ) { if $step >= 1 { if $enable_load_balancer { - if str2bool($generate_service_certificates) { - include ::certmonger - # This is only needed for certmonger's local CA. For any other CA this - # operation (trusting the CA) should be done by the deployer. - if $certmonger_ca == 'local' { - class { '::tripleo::certmonger::ca::local': - notify => Class['::tripleo::haproxy'] - } - } - - Certmonger_certificate { - ca => $certmonger_ca, - ensure => 'present', - wait => true, - require => Class['::certmonger'], - } - create_resources('::tripleo::certmonger::haproxy', $certificates_specs) - # The haproxy fronends (or listen resources) depend on the certificate - # existing and need to be refreshed if it changed. - Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||> - } - class {'::tripleo::haproxy': internal_certificates_specs => $certificates_specs, } diff --git a/manifests/profile/base/heat.pp b/manifests/profile/base/heat.pp index 171f51b..4ff5b41 100644 --- a/manifests/profile/base/heat.pp +++ b/manifests/profile/base/heat.pp @@ -107,14 +107,12 @@ class tripleo::profile::base::heat ( $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl))) - # TODO(ccamacho): remove sprintf once we properly type the port, needs - # to be a string for the os_transport_url function. class { '::heat' : notification_driver => $notification_driver, default_transport_url => os_transport_url({ 'transport' => $oslomsg_rpc_proto, 'hosts' => $oslomsg_rpc_hosts, - 'port' => sprintf('%s', $oslomsg_rpc_port), + 'port' => $oslomsg_rpc_port, 'username' => $oslomsg_rpc_username, 'password' => $oslomsg_rpc_password, 'ssl' => $oslomsg_use_ssl_real, @@ -122,7 +120,7 @@ class tripleo::profile::base::heat ( notification_transport_url => os_transport_url({ 'transport' => $oslomsg_notify_proto, 'hosts' => $oslomsg_notify_hosts, - 'port' => sprintf('%s', $oslomsg_notify_port), + 'port' => $oslomsg_notify_port, 'username' => $oslomsg_notify_username, 'password' => $oslomsg_notify_password, 'ssl' => $oslomsg_use_ssl_real, diff --git a/manifests/profile/base/heat/api.pp b/manifests/profile/base/heat/api.pp index 7166298..f35735b 100644 --- a/manifests/profile/base/heat/api.pp +++ b/manifests/profile/base/heat/api.pp @@ -18,18 +18,57 @@ # # === Parameters # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*heat_api_network*] +# (Optional) The network name where the heat API endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('heat_api_network', undef) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. # Defaults to hiera('step') # class tripleo::profile::base::heat::api ( - $step = hiera('step'), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $heat_api_network = hiera('heat_api_network', undef), + $step = hiera('step'), ) { include ::tripleo::profile::base::heat + if $enable_internal_tls { + if !$heat_api_network { + fail('heat_api_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${heat_api_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${heat_api_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + if $step >= 4 { include ::heat::api + class { '::heat::wsgi::apache_api': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, + } } } diff --git a/manifests/profile/base/heat/api_cfn.pp b/manifests/profile/base/heat/api_cfn.pp index c1adae6..2545dbc 100644 --- a/manifests/profile/base/heat/api_cfn.pp +++ b/manifests/profile/base/heat/api_cfn.pp @@ -18,18 +18,58 @@ # # === Parameters # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*heat_api_cfn_network*] +# (Optional) The network name where the heat cfn endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('heat_api_cfn_network', undef) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. # Defaults to hiera('step') # class tripleo::profile::base::heat::api_cfn ( - $step = hiera('step'), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $heat_api_cfn_network = hiera('heat_api_cfn_network', undef), + $step = hiera('step'), ) { include ::tripleo::profile::base::heat + if $enable_internal_tls { + if !$heat_api_cfn_network { + fail('heat_api_cfn_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${heat_api_cfn_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${heat_api_cfn_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + if $step >= 4 { include ::heat::api_cfn + + class { '::heat::wsgi::apache_api_cfn': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, + } } } diff --git a/manifests/profile/base/heat/api_cloudwatch.pp b/manifests/profile/base/heat/api_cloudwatch.pp index 3004db9..872de8d 100644 --- a/manifests/profile/base/heat/api_cloudwatch.pp +++ b/manifests/profile/base/heat/api_cloudwatch.pp @@ -18,18 +18,58 @@ # # === Parameters # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*heat_api_cloudwatch_network*] +# (Optional) The network name where the heat cloudwatch endpoint is listening +# on. This is set by t-h-t. +# Defaults to hiera('heat_api_cloudwatch_network', undef) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. # Defaults to hiera('step') # class tripleo::profile::base::heat::api_cloudwatch ( - $step = hiera('step'), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $heat_api_cloudwatch_network = hiera('heat_api_cloudwatch_network', undef), + $step = hiera('step'), ) { include ::tripleo::profile::base::heat + if $enable_internal_tls { + if !$heat_api_cloudwatch_network { + fail('heat_api_cloudwatch_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${heat_api_cloudwatch_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${heat_api_cloudwatch_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + if $step >= 4 { include ::heat::api_cloudwatch + + class { '::heat::wsgi::apache_api_cloudwatch': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, + } } } diff --git a/manifests/profile/base/horizon.pp b/manifests/profile/base/horizon.pp index 1849435..278c25c 100644 --- a/manifests/profile/base/horizon.pp +++ b/manifests/profile/base/horizon.pp @@ -25,11 +25,11 @@ # # [*neutron_options*] # (Optional) A hash of parameters to enable features specific to Neutron -# Defaults to hiera('horizon::neutron_options', undef) +# Defaults to hiera('horizon::neutron_options', {}) # class tripleo::profile::base::horizon ( $step = hiera('step'), - $neutron_options = hiera('horizon::neutron_options', undef), + $neutron_options = hiera('horizon::neutron_options', {}), ) { if $step >= 4 { # Horizon diff --git a/manifests/profile/base/ironic/conductor.pp b/manifests/profile/base/ironic/conductor.pp index 4824648..7f90da9 100644 --- a/manifests/profile/base/ironic/conductor.pp +++ b/manifests/profile/base/ironic/conductor.pp @@ -44,5 +44,12 @@ class tripleo::profile::base::ironic::conductor ( include ::ironic::drivers::ilo include ::ironic::drivers::ipmi include ::ironic::drivers::ssh + + # Configure access to other services + include ::ironic::drivers::inspector + include ::ironic::glance + include ::ironic::neutron + include ::ironic::service_catalog + include ::ironic::swift } } diff --git a/manifests/profile/base/ironic_inspector.pp b/manifests/profile/base/ironic_inspector.pp new file mode 100644 index 0000000..b4276c6 --- /dev/null +++ b/manifests/profile/base/ironic_inspector.pp @@ -0,0 +1,46 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::ironic_inspector +# +# Ironic inspector profile for TripleO +# +# === Parameters +# +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# +# [*step*] +# (Optional) The current step of the deployment +# Defaults to hiera('step') + +class tripleo::profile::base::ironic_inspector ( + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $step = hiera('step'), +) { + + if $::hostname == downcase($bootstrap_node) { + $sync_db = true + } else { + $sync_db = false + } + + if $step >= 4 or ($step >= 3 and $sync_db) { + class { '::ironic::inspector': + sync_db => $sync_db, + } + } + +} diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index 994caad..9598d64 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -43,14 +43,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*heat_admin_domain*] # domain name for heat admin # Defaults to undef @@ -130,7 +122,6 @@ class tripleo::profile::base::keystone ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $heat_admin_domain = undef, $heat_admin_email = undef, $heat_admin_password = undef, @@ -163,10 +154,6 @@ class tripleo::profile::base::keystone ( } if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$public_endpoint_network { fail('keystone_public_api_network is not set in the hieradata.') } @@ -193,7 +180,7 @@ class tripleo::profile::base::keystone ( default_transport_url => os_transport_url({ 'transport' => $oslomsg_rpc_proto, 'hosts' => $oslomsg_rpc_hosts, - 'port' => sprintf('%s', $oslomsg_rpc_port), + 'port' => $oslomsg_rpc_port, 'username' => $oslomsg_rpc_username, 'password' => $oslomsg_rpc_password, 'ssl' => $oslomsg_use_ssl_real, @@ -201,13 +188,17 @@ class tripleo::profile::base::keystone ( notification_transport_url => os_transport_url({ 'transport' => $oslomsg_notify_proto, 'hosts' => $oslomsg_notify_hosts, - 'port' => sprintf('%s', $oslomsg_notify_port), + 'port' => $oslomsg_notify_port, 'username' => $oslomsg_notify_username, 'password' => $oslomsg_notify_password, 'ssl' => $oslomsg_use_ssl_real, }), } + if 'amqp' in [$oslomsg_rpc_proto, $oslomsg_notify_proto]{ + include ::keystone::messaging::amqp + } + include ::keystone::config class { '::keystone::wsgi::apache': ssl_cert => $tls_certfile, @@ -282,6 +273,9 @@ class tripleo::profile::base::keystone ( if hiera('ironic_api_enabled', false) { include ::ironic::keystone::auth } + if hiera('ironic_inspector_enabled', false) { + include ::ironic::keystone::auth_inspector + } if hiera('manila_api_enabled', false) { include ::manila::keystone::auth } diff --git a/manifests/profile/base/manila.pp b/manifests/profile/base/manila.pp index 87179ab..cad2cdf 100644 --- a/manifests/profile/base/manila.pp +++ b/manifests/profile/base/manila.pp @@ -97,7 +97,7 @@ class tripleo::profile::base::manila ( default_transport_url => os_transport_url({ 'transport' => $oslomsg_rpc_proto, 'hosts' => $oslomsg_rpc_hosts, - 'port' => sprintf('%s', $oslomsg_rpc_port), + 'port' => $oslomsg_rpc_port, 'username' => $oslomsg_rpc_username, 'password' => $oslomsg_rpc_password, 'ssl' => $oslomsg_use_ssl_real, @@ -105,7 +105,7 @@ class tripleo::profile::base::manila ( notification_transport_url => os_transport_url({ 'transport' => $oslomsg_notify_proto, 'hosts' => $oslomsg_notify_hosts, - 'port' => sprintf('%s', $oslomsg_notify_port), + 'port' => $oslomsg_notify_port, 'username' => $oslomsg_notify_username, 'password' => $oslomsg_notify_password, 'ssl' => $oslomsg_use_ssl_real, diff --git a/manifests/profile/base/mistral.pp b/manifests/profile/base/mistral.pp index 05773ac..0eb849d 100644 --- a/manifests/profile/base/mistral.pp +++ b/manifests/profile/base/mistral.pp @@ -98,7 +98,7 @@ class tripleo::profile::base::mistral ( default_transport_url => os_transport_url({ 'transport' => $oslomsg_rpc_proto, 'hosts' => $oslomsg_rpc_hosts, - 'port' => sprintf('%s', $oslomsg_rpc_port), + 'port' => $oslomsg_rpc_port, 'username' => $oslomsg_rpc_username, 'password' => $oslomsg_rpc_password, 'ssl' => $oslomsg_use_ssl_real, @@ -106,7 +106,7 @@ class tripleo::profile::base::mistral ( notification_transport_url => os_transport_url({ 'transport' => $oslomsg_notify_proto, 'hosts' => $oslomsg_notify_hosts, - 'port' => sprintf('%s', $oslomsg_notify_port), + 'port' => $oslomsg_notify_port, 'username' => $oslomsg_notify_username, 'password' => $oslomsg_notify_password, 'ssl' => $oslomsg_use_ssl_real, diff --git a/manifests/profile/base/neutron.pp b/manifests/profile/base/neutron.pp index 271003e..2f01b75 100644 --- a/manifests/profile/base/neutron.pp +++ b/manifests/profile/base/neutron.pp @@ -65,6 +65,19 @@ # [*oslomsg_use_ssl*] # Enable ssl oslo messaging services # Defaults to hiera('neutron::rabbit_use_ssl', '0') +# +# [*dhcp_agents_per_network*] +# (Optional) TripleO configured number of DHCP agents +# to use per network. If left to the default value, neutron will be +# configured with the number of DHCP agents being deployed. +# Defaults to undef +# +# [*dhcp_nodes*] +# (Optional) List of nodes running the DHCP agent. Used to +# set neutron's dhcp_agents_per_network value to the number +# of available agents. +# Defaults to hiera('neutron_dhcp_short_node_names') or [] +# class tripleo::profile::base::neutron ( $step = hiera('step'), @@ -79,14 +92,28 @@ class tripleo::profile::base::neutron ( $oslomsg_notify_port = hiera('neutron::rabbit_port', '5672'), $oslomsg_notify_username = hiera('neutron::rabbit_userid', 'guest'), $oslomsg_use_ssl = hiera('neutron::rabbit_use_ssl', '0'), + $dhcp_agents_per_network = undef, + $dhcp_nodes = hiera('neutron_dhcp_short_node_names', []), ) { if $step >= 3 { $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl))) + + $dhcp_agent_count = size($dhcp_nodes) + if $dhcp_agents_per_network { + $dhcp_agents_per_net = $dhcp_agents_per_network + if ($dhcp_agents_per_net > $dhcp_agent_count) { + warning("dhcp_agents_per_network (${dhcp_agents_per_net}) is greater\ + than the number of deployed dhcp agents (${dhcp_agent_count})") + } + } + elsif $dhcp_agent_count > 0 { + $dhcp_agents_per_net = $dhcp_agent_count + } class { '::neutron' : default_transport_url => os_transport_url({ 'transport' => $oslomsg_rpc_proto, 'hosts' => $oslomsg_rpc_hosts, - 'port' => sprintf('%s', $oslomsg_rpc_port), + 'port' => $oslomsg_rpc_port, 'username' => $oslomsg_rpc_username, 'password' => $oslomsg_rpc_password, 'ssl' => $oslomsg_use_ssl_real, @@ -94,11 +121,12 @@ class tripleo::profile::base::neutron ( notification_transport_url => os_transport_url({ 'transport' => $oslomsg_notify_proto, 'hosts' => $oslomsg_notify_hosts, - 'port' => sprintf('%s', $oslomsg_notify_port), + 'port' => $oslomsg_notify_port, 'username' => $oslomsg_notify_username, 'password' => $oslomsg_notify_password, 'ssl' => $oslomsg_use_ssl_real, }), + dhcp_agents_per_network => $dhcp_agents_per_net, } include ::neutron::config } diff --git a/manifests/profile/base/neutron/bgpvpn.pp b/manifests/profile/base/neutron/bgpvpn.pp new file mode 100644 index 0000000..d6fdf4e --- /dev/null +++ b/manifests/profile/base/neutron/bgpvpn.pp @@ -0,0 +1,37 @@ +# +# Copyright (C) 2017 Red Hat Inc. +# +# Author: Ricardo Noriega <rnoriega@redhat.com> +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::bgpvpn +# +# Neutron BGPVPN Service plugin profile for TripleO +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::neutron::bgpvpn ( + $step = hiera('step'), +) { + include ::tripleo::profile::base::neutron + + if $step >= 4 { + include ::neutron::services::bgpvpn + } +} diff --git a/manifests/profile/base/neutron/l2gw.pp b/manifests/profile/base/neutron/l2gw.pp new file mode 100644 index 0000000..da71108 --- /dev/null +++ b/manifests/profile/base/neutron/l2gw.pp @@ -0,0 +1,37 @@ +# +# Copyright (C) 2017 Red Hat Inc. +# +# Author: Peng Liu <pliu@redhat.com> +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::l2gw +# +# Neutron L2 Gateway Service plugin profile for TripleO +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::neutron::l2gw ( + $step = hiera('step'), +) { + include ::tripleo::profile::base::neutron + + if $step >= 4 { + include ::neutron::services::l2gw + } +} diff --git a/manifests/profile/base/neutron/opendaylight.pp b/manifests/profile/base/neutron/opendaylight.pp index 556fe63..b5e6d11 100644 --- a/manifests/profile/base/neutron/opendaylight.pp +++ b/manifests/profile/base/neutron/opendaylight.pp @@ -22,19 +22,35 @@ # (Optional) The current step of the deployment # Defaults to hiera('step') # -# [*primary_node*] -# (Optional) The hostname of the first node of this role type -# Defaults to hiera('bootstrap_nodeid', undef) +# [*odl_api_ips*] +# (Optional) List of OpenStack Controller IPs for ODL API +# Defaults to hiera('opendaylight_api_node_ips') +# +# [*node_name*] +# (Optional) The short hostname of node +# Defaults to hiera('bootstack_nodeid') # class tripleo::profile::base::neutron::opendaylight ( $step = hiera('step'), - $primary_node = hiera('bootstrap_nodeid', undef), + $odl_api_ips = hiera('opendaylight_api_node_ips'), + $node_name = hiera('bootstack_nodeid') ) { if $step >= 1 { - # Configure ODL only on first node of the role where this service is - # applied - if $primary_node == downcase($::hostname) { + validate_array($odl_api_ips) + if empty($odl_api_ips) { + fail('No IPs assigned to OpenDaylight Api Service') + } elsif size($odl_api_ips) == 2 { + fail('2 node OpenDaylight deployments are unsupported. Use 1 or greater than 2') + } elsif size($odl_api_ips) > 2 { + $node_string = split($node_name, '-') + $ha_node_index = $node_string[-1] + 1 + class { '::opendaylight': + enable_ha => true, + ha_node_ips => $odl_api_ips, + ha_node_index => $ha_node_index, + } + } else { include ::opendaylight } } diff --git a/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp b/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp index c120931..2618d4f 100644 --- a/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp +++ b/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp @@ -30,6 +30,10 @@ # (Optional) Password to configure for OpenDaylight # Defaults to 'admin' # +# [*odl_url_ip*] +# (Optional) Virtual IP address for ODL Api Service +# Defaults to hiera('opendaylight_api_vip') +# # [*conn_proto*] # (Optional) Protocol to use to for ODL REST access # Defaults to hiera('opendaylight::nb_connection_protocol') @@ -43,14 +47,13 @@ class tripleo::profile::base::neutron::plugins::ml2::opendaylight ( $odl_port = hiera('opendaylight::odl_rest_port'), $odl_username = hiera('opendaylight::username'), $odl_password = hiera('opendaylight::password'), + $odl_url_ip = hiera('opendaylight_api_vip'), $conn_proto = hiera('opendaylight::nb_connection_protocol'), $step = hiera('step'), ) { if $step >= 4 { - $odl_url_ip = hiera('opendaylight_api_vip') - - if ! $odl_url_ip { fail('OpenDaylight Controller IP/VIP is Empty') } + if ! $odl_url_ip { fail('OpenDaylight API VIP is Empty') } class { '::neutron::plugins::ml2::opendaylight': odl_username => $odl_username, diff --git a/manifests/profile/base/neutron/plugins/ovs/opendaylight.pp b/manifests/profile/base/neutron/plugins/ovs/opendaylight.pp index 91c5168..4da8df9 100644 --- a/manifests/profile/base/neutron/plugins/ovs/opendaylight.pp +++ b/manifests/profile/base/neutron/plugins/ovs/opendaylight.pp @@ -30,6 +30,10 @@ # (Optional) List of OpenStack Controller IPs for ODL API # Defaults to hiera('opendaylight_api_node_ips') # +# [*odl_url_ip*] +# (Optional) Virtual IP address for ODL Api Service +# Defaults to hiera('opendaylight_api_vip') +# # [*conn_proto*] # (Optional) Protocol to use to for ODL REST access # Defaults to hiera('opendaylight::nb_connection_protocol') @@ -43,25 +47,25 @@ class tripleo::profile::base::neutron::plugins::ovs::opendaylight ( $odl_port = hiera('opendaylight::odl_rest_port'), $odl_check_url = hiera('opendaylight_check_url'), $odl_api_ips = hiera('opendaylight_api_node_ips'), + $odl_url_ip = hiera('opendaylight_api_vip'), $conn_proto = hiera('opendaylight::nb_connection_protocol'), $step = hiera('step'), ) { if $step >= 4 { - $opendaylight_controller_ip = $odl_api_ips[0] - $odl_url_ip = hiera('opendaylight_api_vip') - - if ! $opendaylight_controller_ip { fail('OpenDaylight Controller IP is Empty') } + if empty($odl_api_ips) { fail('No IPs assigned to OpenDaylight Api Service') } if ! $odl_url_ip { fail('OpenDaylight API VIP is Empty') } # Build URL to check if ODL is up before connecting OVS $opendaylight_url = "${conn_proto}://${odl_url_ip}:${odl_port}/${odl_check_url}" + $odl_ovsdb_str = join(regsubst($odl_api_ips, '.+', 'tcp:\0:6640'), ' ') + class { '::neutron::plugins::ovs::opendaylight': tunnel_ip => hiera('neutron::agents::ml2::ovs::local_ip'), odl_check_url => $opendaylight_url, - odl_ovsdb_iface => "tcp:${opendaylight_controller_ip}:6640", + odl_ovsdb_iface => $odl_ovsdb_str, } } } diff --git a/manifests/profile/base/neutron/server.pp b/manifests/profile/base/neutron/server.pp index 5d6909f..d67a40c 100644 --- a/manifests/profile/base/neutron/server.pp +++ b/manifests/profile/base/neutron/server.pp @@ -43,14 +43,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*l3_ha_override*] # (Optional) Override the calculated value for neutron::server::l3_ha # by default this is calculated to enable when DVR is not enabled @@ -95,7 +87,6 @@ class tripleo::profile::base::neutron::server ( $certificates_specs = hiera('apache_certificates_specs', {}), $dvr_enabled = hiera('neutron::server::router_distributed', false), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $l3_ha_override = '', $l3_nodes = hiera('neutron_l3_short_node_names', []), $neutron_network = hiera('neutron_api_network', undef), @@ -104,10 +95,6 @@ class tripleo::profile::base::neutron::server ( $tls_proxy_fqdn = undef, $tls_proxy_port = 9696, ) { - if $enable_internal_tls and $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if $::hostname == downcase($bootstrap_node) { $sync_db = true } else { diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp index 7daed83..36425f6 100644 --- a/manifests/profile/base/nova.pp +++ b/manifests/profile/base/nova.pp @@ -114,13 +114,11 @@ class tripleo::profile::base::nova ( if $step >= 4 or ($step >= 3 and $sync_db) { $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl))) - # TODO(ccamacho): remove sprintf once we properly type the port, needs - # to be a string for the os_transport_url function. class { '::nova' : default_transport_url => os_transport_url({ 'transport' => $oslomsg_rpc_proto, 'hosts' => $oslomsg_rpc_hosts, - 'port' => sprintf('%s', $oslomsg_rpc_port), + 'port' => $oslomsg_rpc_port, 'username' => $oslomsg_rpc_username, 'password' => $oslomsg_rpc_password, 'ssl' => $oslomsg_use_ssl_real, @@ -128,7 +126,7 @@ class tripleo::profile::base::nova ( notification_transport_url => os_transport_url({ 'transport' => $oslomsg_notify_proto, 'hosts' => $oslomsg_notify_hosts, - 'port' => sprintf('%s', $oslomsg_notify_port), + 'port' => $oslomsg_notify_port, 'username' => $oslomsg_notify_username, 'password' => $oslomsg_notify_password, 'ssl' => $oslomsg_use_ssl_real, diff --git a/manifests/profile/base/nova/api.pp b/manifests/profile/base/nova/api.pp index cda2b66..95a1721 100644 --- a/manifests/profile/base/nova/api.pp +++ b/manifests/profile/base/nova/api.pp @@ -36,14 +36,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*nova_api_network*] # (Optional) The network name where the nova API endpoint is listening on. # This is set by t-h-t. @@ -63,7 +55,6 @@ class tripleo::profile::base::nova::api ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $nova_api_network = hiera('nova_api_network', undef), $nova_api_wsgi_enabled = hiera('nova_wsgi_enabled', false), $step = hiera('step'), @@ -93,10 +84,6 @@ class tripleo::profile::base::nova::api ( # https://bugs.launchpad.net/nova/+bug/1661360 if $nova_api_wsgi_enabled { if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$nova_api_network { fail('nova_api_network is not set in the hieradata.') } diff --git a/manifests/profile/base/nova/compute.pp b/manifests/profile/base/nova/compute.pp index 0eb2ed7..84b8bd5 100644 --- a/manifests/profile/base/nova/compute.pp +++ b/manifests/profile/base/nova/compute.pp @@ -48,10 +48,12 @@ class tripleo::profile::base::nova::compute ( # When utilising images for deployment, we need to reset the iSCSI initiator name to make it unique # https://bugzilla.redhat.com/show_bug.cgi?id=1244328 + ensure_resource('package', 'iscsi-initiator-utils', { ensure => 'present' }) exec { 'reset-iscsi-initiator-name': command => '/bin/echo InitiatorName=$(/usr/sbin/iscsi-iname) > /etc/iscsi/initiatorname.iscsi', onlyif => '/usr/bin/test ! -f /etc/iscsi/.initiator_reset', before => File['/etc/iscsi/.initiator_reset'], + require => Package['iscsi-initiator-utils'], } file { '/etc/iscsi/.initiator_reset': ensure => present, diff --git a/manifests/profile/base/nova/placement.pp b/manifests/profile/base/nova/placement.pp index 46658b8..16bfe17 100644 --- a/manifests/profile/base/nova/placement.pp +++ b/manifests/profile/base/nova/placement.pp @@ -36,14 +36,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*nova_placement_network*] # (Optional) The network name where the nova placement endpoint is listening on. # This is set by t-h-t. @@ -58,7 +50,6 @@ class tripleo::profile::base::nova::placement ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $nova_placement_network = hiera('nova_placement_network', undef), $step = hiera('step'), ) { @@ -72,10 +63,6 @@ class tripleo::profile::base::nova::placement ( include ::tripleo::profile::base::nova::authtoken if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$nova_placement_network { fail('nova_placement_network is not set in the hieradata.') } diff --git a/manifests/profile/base/panko.pp b/manifests/profile/base/panko.pp index 880cf7d..286e4ac 100644 --- a/manifests/profile/base/panko.pp +++ b/manifests/profile/base/panko.pp @@ -23,26 +23,12 @@ # for more details. # Defaults to hiera('step') # -# [*bootstrap_node*] -# (Optional) The hostname of the node responsible for bootstrapping tasks -# Defaults to hiera('bootstrap_nodeid') class tripleo::profile::base::panko ( - $step = hiera('step'), - $bootstrap_node = hiera('bootstrap_nodeid', undef), + $step = hiera('step'), ) { - - if $::hostname == downcase($bootstrap_node) { - $sync_db = true - } else { - $sync_db = false - } - - if $step >= 4 or ($step >= 3 and $sync_db) { + if $step >= 3 { include ::panko - include ::panko::db include ::panko::config - include ::panko::db::sync } - } diff --git a/manifests/profile/base/panko/api.pp b/manifests/profile/base/panko/api.pp index 45ee0c0..90e80a2 100644 --- a/manifests/profile/base/panko/api.pp +++ b/manifests/profile/base/panko/api.pp @@ -18,6 +18,10 @@ # # === Parameters # +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# # [*certificates_specs*] # (Optional) The specifications to give to certmonger for the certificate(s) # it will create. @@ -34,14 +38,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*panko_network*] # (Optional) The network name where the panko endpoint is listening on. # This is set by t-h-t. @@ -53,19 +49,21 @@ # Defaults to hiera('step') # class tripleo::profile::base::panko::api ( + $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $panko_network = hiera('panko_api_network', undef), $step = hiera('step'), ) { + if $::hostname == downcase($bootstrap_node) { + $sync_db = true + } else { + $sync_db = false + } + include ::tripleo::profile::base::panko if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$panko_network { fail('panko_api_network is not set in the hieradata.') } @@ -76,8 +74,11 @@ class tripleo::profile::base::panko::api ( $tls_keyfile = undef } - if $step >= 4 { - include ::panko::api + if $step >= 4 or ( $step >= 3 and $sync_db ) { + include ::panko::db + class { '::panko::api': + sync_db => $sync_db, + } class { '::panko::wsgi::apache': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/qdr.pp b/manifests/profile/base/qdr.pp new file mode 100644 index 0000000..9827f2e --- /dev/null +++ b/manifests/profile/base/qdr.pp @@ -0,0 +1,54 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::qdr +# +# Qpid dispatch router profile for tripleo +# +# === Parameters +# +# [*qdr_username*] +# Username for the qrouter daemon +# Defaults to undef +# +# [*qdr_password*] +# Password for the qrouter daemon +# Defaults to undef +# +# [*qdr_listener_port*] +# Port for the listener (not that we do not use qdr::listener_port +# directly because it requires a string and we have a number. +# Defaults to hiera('tripleo::profile::base::qdr::qdr_listener_port', 5672) +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::qdr ( + $qdr_username = undef, + $qdr_password = undef, + $qdr_listener_port = hiera('tripleo::profile::base::qdr::qdr_listener_port', 5672), + $step = hiera('step'), +) { + if $step >= 1 { + class { '::qdr': + listener_port => "${qdr_listener_port}", + } -> + qdr_user { $qdr_username: + ensure => present, + password => $qdr_password, + } + } +} diff --git a/manifests/profile/base/rabbitmq.pp b/manifests/profile/base/rabbitmq.pp index 1eaabf0..9d1417c 100644 --- a/manifests/profile/base/rabbitmq.pp +++ b/manifests/profile/base/rabbitmq.pp @@ -18,14 +18,35 @@ # # === Parameters # +# [*certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate +# it will create. Note that the certificate nickname must be 'mysql' in +# the case of this service. +# Example with hiera: +# tripleo::profile::base::database::mysql::certificate_specs: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "mysql/<overcloud controller fqdn>" +# Defaults to {}. +# # [*config_variables*] # (Optional) RabbitMQ environment. # Defaults to hiera('rabbitmq_config_variables'). # +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to undef +# # [*environment*] # (Optional) RabbitMQ environment. # Defaults to hiera('rabbitmq_environment'). # +# [*inet_dist_interface*] +# (Optional) Address to bind the inter-cluster interface +# to. It is the inet_dist_use_interface option in the kernel variables +# Defaults to hiera('rabbitmq::interface', undef). +# # [*ipv6*] # (Optional) Whether to deploy RabbitMQ on IPv6 network. # Defaults to str2bool(hiera('rabbit_ipv6', false)). @@ -34,11 +55,6 @@ # (Optional) RabbitMQ environment. # Defaults to hiera('rabbitmq_environment'). # -# [*inet_dist_interface*] -# (Optional) Address to bind the inter-cluster interface -# to. It is the inet_dist_use_interface option in the kernel variables -# Defaults to hiera('rabbitmq::interface', undef). -# # [*nodes*] # (Optional) Array of host(s) for RabbitMQ nodes. # Defaults to hiera('rabbitmq_node_names', []). @@ -61,17 +77,27 @@ # Defaults to hiera('step') # class tripleo::profile::base::rabbitmq ( - $config_variables = hiera('rabbitmq_config_variables'), - $environment = hiera('rabbitmq_environment'), - $ipv6 = str2bool(hiera('rabbit_ipv6', false)), - $kernel_variables = hiera('rabbitmq_kernel_variables'), - $inet_dist_interface = hiera('rabbitmq::interface', undef), - $nodes = hiera('rabbitmq_node_names', []), - $rabbitmq_pass = hiera('rabbitmq::default_pass'), - $rabbitmq_user = hiera('rabbitmq::default_user'), - $stack_action = hiera('stack_action'), - $step = hiera('step'), + $certificate_specs = {}, + $config_variables = hiera('rabbitmq_config_variables'), + $enable_internal_tls = undef, # TODO(jaosorior): pass this via t-h-t + $environment = hiera('rabbitmq_environment'), + $inet_dist_interface = hiera('rabbitmq::interface', undef), + $ipv6 = str2bool(hiera('rabbit_ipv6', false)), + $kernel_variables = hiera('rabbitmq_kernel_variables'), + $nodes = hiera('rabbitmq_node_names', []), + $rabbitmq_pass = hiera('rabbitmq::default_pass'), + $rabbitmq_user = hiera('rabbitmq::default_user'), + $stack_action = hiera('stack_action'), + $step = hiera('step'), ) { + if $enable_internal_tls { + $tls_certfile = $certificate_specs['service_certificate'] + $tls_keyfile = $certificate_specs['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + # IPv6 environment, necessary for RabbitMQ. if $ipv6 { $rabbit_env = merge($environment, { @@ -100,6 +126,9 @@ class tripleo::profile::base::rabbitmq ( config_kernel_variables => $real_kernel_variables, config_variables => $config_variables, environment_variables => $rabbit_env, + # TLS options + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, } # when running multi-nodes without Pacemaker if $manage_service { @@ -116,8 +145,14 @@ class tripleo::profile::base::rabbitmq ( config_kernel_variables => $kernel_variables, config_variables => $config_variables, environment_variables => $rabbit_env, + # TLS options + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, } } + } + + if $step >= 2 { # In case of HA, starting of rabbitmq-server is managed by pacemaker, because of which, a dependency # to Service['rabbitmq-server'] will not work. Sticking with UPDATE action. if $stack_action == 'UPDATE' { diff --git a/manifests/profile/base/sahara.pp b/manifests/profile/base/sahara.pp index 9633dc3..7f4ecbe 100644 --- a/manifests/profile/base/sahara.pp +++ b/manifests/profile/base/sahara.pp @@ -98,7 +98,7 @@ class tripleo::profile::base::sahara ( default_transport_url => os_transport_url({ 'transport' => $oslomsg_rpc_proto, 'hosts' => $oslomsg_rpc_hosts, - 'port' => sprintf('%s', $oslomsg_rpc_port), + 'port' => $oslomsg_rpc_port, 'username' => $oslomsg_rpc_username, 'password' => $oslomsg_rpc_password, 'ssl' => $oslomsg_use_ssl_real, @@ -108,11 +108,12 @@ class tripleo::profile::base::sahara ( notification_transport_url => os_transport_url({ 'transport' => $oslomsg_notify_proto, 'hosts' => $oslomsg_notify_hosts, - 'port' => sprintf('%s', $oslomsg_notify_port), + 'port' => $oslomsg_notify_port, 'username' => $oslomsg_notify_username, 'password' => $oslomsg_notify_password, 'ssl' => $oslomsg_use_ssl_real, }), } + include ::sahara::keystone::authtoken } } diff --git a/manifests/profile/base/securetty.pp b/manifests/profile/base/securetty.pp new file mode 100644 index 0000000..07f29f8 --- /dev/null +++ b/manifests/profile/base/securetty.pp @@ -0,0 +1,48 @@ +# Copyright 2016 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::securetty +# +# Sets securetty Parameters +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +# [*tty_list*] +# Hash of values for /etc/securetty console +# Defaults to hiera('securetty::tty_list') +# +class tripleo::profile::base::securetty ( + $step = hiera('step'), + $tty_list = hiera('tty_list', []), +) { + validate_array($tty_list) + + if $step >=1 { + $ttys = join($tty_list, "\n") + + file { '/etc/securetty': + ensure => file, + content => template( 'tripleo/securetty/securetty.erb' ), + owner => 'root', + group => 'root', + mode => '0600' + } + } +} diff --git a/manifests/profile/base/time/ntp.pp b/manifests/profile/base/time/ntp.pp index c6ce309..06a3048 100644 --- a/manifests/profile/base/time/ntp.pp +++ b/manifests/profile/base/time/ntp.pp @@ -19,10 +19,12 @@ # class tripleo::profile::base::time::ntp { - # if installed, we don't want chrony to conflict with ntp. - package { 'chrony': - ensure => 'purged', - before => Service['ntp'], + # If installed, we don't want chrony to conflict with ntp. LP#1665426 + # It should be noted that this work even if the package is not installed + service { 'chronyd': + ensure => stopped, + enable => false, + before => Class['ntp'] } include ::ntp } diff --git a/metadata.json b/metadata.json index 0db84c7..32b5d95 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "openstack-tripleo", - "version": "6.2.0", + "version": "7.0.0", "author": "OpenStack Contributors", "summary": "Puppet module for TripleO", "license": "Apache-2.0", diff --git a/releasenotes/notes/add-bgpvpn-support-77676690fb6dd17b.yaml b/releasenotes/notes/add-bgpvpn-support-77676690fb6dd17b.yaml new file mode 100644 index 0000000..2af6aa7 --- /dev/null +++ b/releasenotes/notes/add-bgpvpn-support-77676690fb6dd17b.yaml @@ -0,0 +1,3 @@ +--- +features: + - Add support for BGPVPN Neutron service plugin diff --git a/releasenotes/notes/add-ceilo-polling-agent-53fab550a09a6196.yaml b/releasenotes/notes/add-ceilo-polling-agent-53fab550a09a6196.yaml new file mode 100644 index 0000000..5ab15d5 --- /dev/null +++ b/releasenotes/notes/add-ceilo-polling-agent-53fab550a09a6196.yaml @@ -0,0 +1,6 @@ +--- +features: + - Add support for ceilometer polling agent. The central, compute and ipmi + agent services should use polling agent with namespace. This has been + done in packaging already since few releases now. Let puppet do it + correctly as well. diff --git a/releasenotes/notes/add-opendaylight-ha-47a40c03917faf9c.yaml b/releasenotes/notes/add-opendaylight-ha-47a40c03917faf9c.yaml new file mode 100644 index 0000000..e0a6d35 --- /dev/null +++ b/releasenotes/notes/add-opendaylight-ha-47a40c03917faf9c.yaml @@ -0,0 +1,5 @@ +--- +features: + - Adds OpenDaylight HA support. Now when ODL is applied to three or + more nodes ODL will be deployed as a cluster in HA, rather than + the previous behavior of only running on the first node. diff --git a/releasenotes/notes/bugfix-1664561-50d76b25addb08dd.yaml b/releasenotes/notes/bugfix-1664561-50d76b25addb08dd.yaml new file mode 100644 index 0000000..0eb90de --- /dev/null +++ b/releasenotes/notes/bugfix-1664561-50d76b25addb08dd.yaml @@ -0,0 +1,4 @@ +--- +fixes: + - Bugfix 1664561. Removing the string cast when using + the os_transport_url function. diff --git a/releasenotes/notes/calculate-dhcp-agents-per-network-3089c5e7b15f8b7b.yaml b/releasenotes/notes/calculate-dhcp-agents-per-network-3089c5e7b15f8b7b.yaml new file mode 100644 index 0000000..800cedc --- /dev/null +++ b/releasenotes/notes/calculate-dhcp-agents-per-network-3089c5e7b15f8b7b.yaml @@ -0,0 +1,5 @@ +--- +features: | + - Unless a non-default value is provided, the dhcp_agents_per_network + neutron configuration variable is set to the number of deployed + neutron dhcp agents. diff --git a/releasenotes/notes/deploy-heat-APIs-over-httpd-46b111d0a4a4eed4.yaml b/releasenotes/notes/deploy-heat-APIs-over-httpd-46b111d0a4a4eed4.yaml new file mode 100644 index 0000000..a50a27d --- /dev/null +++ b/releasenotes/notes/deploy-heat-APIs-over-httpd-46b111d0a4a4eed4.yaml @@ -0,0 +1,3 @@ +--- +features: + - Heat APIs (api, cfn and cloudwatch) are now deployed over httpd. diff --git a/releasenotes/notes/docker_profile-8571ae260eec69b8.yaml b/releasenotes/notes/docker_profile-8571ae260eec69b8.yaml new file mode 100644 index 0000000..ddbf175 --- /dev/null +++ b/releasenotes/notes/docker_profile-8571ae260eec69b8.yaml @@ -0,0 +1,4 @@ +--- +features: + - | + Added a new profile to configure the docker service diff --git a/releasenotes/notes/httpchk-for-haproxy-http-services-ace7d9bf94610ed9.yaml b/releasenotes/notes/httpchk-for-haproxy-http-services-ace7d9bf94610ed9.yaml new file mode 100644 index 0000000..4c9d763 --- /dev/null +++ b/releasenotes/notes/httpchk-for-haproxy-http-services-ace7d9bf94610ed9.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + Enabled httpdchk in HAProxy for http based services to reduce situtations + where the port may be open but the service is not actively serving http + requests. diff --git a/releasenotes/notes/l2gw_plugin_support-e0b1faafe8e1135f.yaml b/releasenotes/notes/l2gw_plugin_support-e0b1faafe8e1135f.yaml new file mode 100644 index 0000000..694f492 --- /dev/null +++ b/releasenotes/notes/l2gw_plugin_support-e0b1faafe8e1135f.yaml @@ -0,0 +1,3 @@ +--- +features: + - Add support for l2 gateway Neutron service plugin. diff --git a/releasenotes/notes/messaging-amqp-7efec1bcb435e7cf.yaml b/releasenotes/notes/messaging-amqp-7efec1bcb435e7cf.yaml new file mode 100644 index 0000000..b6f211c --- /dev/null +++ b/releasenotes/notes/messaging-amqp-7efec1bcb435e7cf.yaml @@ -0,0 +1,4 @@ +--- +features: + - Include the amqp messaging class when the oslo.messaging rpc + protocol is enabled for AMQP 1.0. diff --git a/releasenotes/notes/rabbitmq-user-check-95da891a2e197d89.yaml b/releasenotes/notes/rabbitmq-user-check-95da891a2e197d89.yaml new file mode 100644 index 0000000..0857f63 --- /dev/null +++ b/releasenotes/notes/rabbitmq-user-check-95da891a2e197d89.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - The rabbitmq user check is moved to step >= 2 from step >= 1. There + is no guarantee that rabbitmq is running at step 1, especially if + updating a failed stack that never made it past step 1 to begin + with. diff --git a/releasenotes/notes/re-run-ceilo-upgrade-0d9ba69fe4bfe780.yaml b/releasenotes/notes/re-run-ceilo-upgrade-0d9ba69fe4bfe780.yaml new file mode 100644 index 0000000..c354431 --- /dev/null +++ b/releasenotes/notes/re-run-ceilo-upgrade-0d9ba69fe4bfe780.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - Re-run gnocchi and ceilometer upgrade in step5. This is required + for gnocchi resource types to be created in ceilometer and gnocchi + to function properly. diff --git a/releasenotes/notes/sahara_auth_v3-65bd276b39b4e284.yaml b/releasenotes/notes/sahara_auth_v3-65bd276b39b4e284.yaml new file mode 100644 index 0000000..c744e0f --- /dev/null +++ b/releasenotes/notes/sahara_auth_v3-65bd276b39b4e284.yaml @@ -0,0 +1,4 @@ +--- +features: + - Sahara is now deployed with keystone_authtoken parameters and move + forward with Keystone v3 version. diff --git a/releasenotes/notes/securetty-6a10eefd601e45ca.yaml b/releasenotes/notes/securetty-6a10eefd601e45ca.yaml new file mode 100644 index 0000000..e5cfcf5 --- /dev/null +++ b/releasenotes/notes/securetty-6a10eefd601e45ca.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + Allows granular level of control over the `/etc/securetty` file. + By allowing operators to specify the values in securetty, they + can improve security by limiting root console access. diff --git a/releasenotes/source/conf.py b/releasenotes/source/conf.py index 5cc0c41..e293b07 100644 --- a/releasenotes/source/conf.py +++ b/releasenotes/source/conf.py @@ -45,16 +45,16 @@ master_doc = 'index' # General information about the project. project = u'puppet-tripleo Release Notes' -copyright = u'2016, Puppet TripleO Developers' +copyright = u'2017, Puppet TripleO Developers' # The version info for the project you're documenting, acts as replacement for # |version| and |release|, also used in various other places throughout the # built documents. # # The short X.Y version. -version = '6.2.0' +version = '7.0.0' # The full version, including alpha/beta/rc tags. -release = '6.2.0' +release = '7.0.0' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. @@ -198,7 +198,7 @@ latex_elements = { # author, documentclass [howto, manual, or own class]). latex_documents = [ ('index', 'puppet-tripleoReleaseNotes.tex', u'puppet-tripleo Release Notes Documentation', - u'2016, Puppet TripleO Developers', 'manual'), + u'2017, Puppet TripleO Developers', 'manual'), ] # The name of an image file (relative to this directory) to place at the top of @@ -228,7 +228,7 @@ latex_documents = [ # (source start file, name, description, authors, manual section). man_pages = [ ('index', 'puppet-tripleoreleasenotes', u'puppet-tripleo Release Notes Documentation', - [u'2016, Puppet TripleO Developers'], 1) + [u'2017, Puppet TripleO Developers'], 1) ] # If true, show URL addresses after external links. @@ -242,7 +242,7 @@ man_pages = [ # dir menu entry, description, category) texinfo_documents = [ ('index', 'puppet-tripleoReleaseNotes', u'puppet-tripleo Release Notes Documentation', - u'2016, Puppet TripleO Developers', 'puppet-tripleoReleaseNotes', 'Puppet TripleO Project.', + u'2017, Puppet TripleO Developers', 'puppet-tripleoReleaseNotes', 'Puppet TripleO Project.', 'Miscellaneous'), ] diff --git a/spec/classes/tripleo_certmonger_ca_local.rb b/spec/classes/tripleo_certmonger_ca_local.rb new file mode 100644 index 0000000..7ee9383 --- /dev/null +++ b/spec/classes/tripleo_certmonger_ca_local.rb @@ -0,0 +1,46 @@ +# +# Copyright (C) 2017 Red Hat Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# Unit tests for tripleo +# + +require 'spec_helper' + +describe 'tripleo::certmonger::ca::local' do + + shared_examples_for 'tripleo::certmonger::ca::local' do + let :params do + { + :ca_pem => '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem', + } + end + + it 'should extract CA cert' do + is_expected.to contain_exec('extract-and-trust-ca').with( + :creates => params[:ca_pem], + ) + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({}) + end + + it_behaves_like 'tripleo::certmonger::ca::local' + end + end +end diff --git a/spec/classes/tripleo_certmonger_httpd.rb b/spec/classes/tripleo_certmonger_httpd.rb new file mode 100644 index 0000000..da5ce94 --- /dev/null +++ b/spec/classes/tripleo_certmonger_httpd.rb @@ -0,0 +1,63 @@ +# +# Copyright (C) 2017 Red Hat Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# Unit tests for tripleo +# + +require 'spec_helper' + +describe 'tripleo::certmonger::httpd' do + + shared_examples_for 'tripleo::certmonger::httpd' do + let :params do + { + :name => 'httpd-cert', + :hostname => 'localhost', + :service_certificate => '/etc/pki/cert.crt', + :service_key => '/etc/pki/key.pem', + } + end + + it 'should include the base for using certmonger' do + is_expected.to contain_class('certmonger') + end + + it 'should include the httpd parameters' do + is_expected.to contain_class('apache::params') + end + + it 'should request a certificate' do + is_expected.to contain_certmonger_certificate('httpd-cert').with( + :ensure => 'present', + :certfile => '/etc/pki/cert.crt', + :keyfile => '/etc/pki/key.pem', + :hostname => 'localhost', + :dnsname => 'localhost', + :ca => 'local', + :wait => true, + ) + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({}) + end + + it_behaves_like 'tripleo::certmonger::httpd' + end + end +end diff --git a/spec/classes/tripleo_certmonger_mysql.rb b/spec/classes/tripleo_certmonger_mysql.rb new file mode 100644 index 0000000..23b1e4f --- /dev/null +++ b/spec/classes/tripleo_certmonger_mysql.rb @@ -0,0 +1,64 @@ +# +# Copyright (C) 2017 Red Hat Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# Unit tests for tripleo +# + +require 'spec_helper' + +describe 'tripleo::certmonger::mysql' do + + shared_examples_for 'tripleo::certmonger::mysql' do + let :params do + { + :hostname => 'localhost', + :service_certificate => '/etc/pki/cert.crt', + :service_key => '/etc/pki/key.pem', + } + end + + it 'should include the base for using certmonger' do + is_expected.to contain_class('certmonger') + end + + it 'should include the mysql parameters' do + is_expected.to contain_class('mysql::params') + end + + it 'should request a certificate' do + is_expected.to contain_certmonger_certificate('mysql').with( + :ensure => 'present', + :certfile => '/etc/pki/cert.crt', + :keyfile => '/etc/pki/key.pem', + :hostname => 'localhost', + :dnsname => 'localhost', + :ca => 'local', + :wait => true, + ) + is_expected.to contain_file('/etc/pki/cert.crt') + is_expected.to contain_file('/etc/pki/key.pem') + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({}) + end + + it_behaves_like 'tripleo::certmonger::mysql' + end + end +end diff --git a/spec/classes/tripleo_certmonger_rabbitmq.rb b/spec/classes/tripleo_certmonger_rabbitmq.rb new file mode 100644 index 0000000..5c011ce --- /dev/null +++ b/spec/classes/tripleo_certmonger_rabbitmq.rb @@ -0,0 +1,64 @@ +# +# Copyright (C) 2017 Red Hat Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# Unit tests for tripleo +# + +require 'spec_helper' + +describe 'tripleo::certmonger::rabbitmq' do + + shared_examples_for 'tripleo::certmonger::rabbitmq' do + let :params do + { + :hostname => 'localhost', + :service_certificate => '/etc/pki/cert.crt', + :service_key => '/etc/pki/key.pem', + } + end + + it 'should include the base for using certmonger' do + is_expected.to contain_class('certmonger') + end + + it 'should include the rabbitmq parameters' do + is_expected.to contain_class('rabbitmq::params') + end + + it 'should request a certificate' do + is_expected.to contain_certmonger_certificate('rabbitmq').with( + :ensure => 'present', + :certfile => '/etc/pki/cert.crt', + :keyfile => '/etc/pki/key.pem', + :hostname => 'localhost', + :dnsname => 'localhost', + :ca => 'local', + :wait => true, + ) + is_expected.to contain_file('/etc/pki/cert.crt') + is_expected.to contain_file('/etc/pki/key.pem') + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({}) + end + + it_behaves_like 'tripleo::certmonger::rabbitmq' + end + end +end diff --git a/spec/classes/tripleo_profile_base_ceilometer_agent_polling_spec.rb b/spec/classes/tripleo_profile_base_ceilometer_agent_polling_spec.rb new file mode 100644 index 0000000..38c94c6 --- /dev/null +++ b/spec/classes/tripleo_profile_base_ceilometer_agent_polling_spec.rb @@ -0,0 +1,72 @@ +# +# Copyright (C) 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::ceilometer::agent::polling' do + shared_examples_for 'tripleo::profile::base::ceilometer::agent::polling' do + before :each do + facts.merge!({ :step => params[:step] }) + end + + let(:pre_condition) do + "class { '::tripleo::profile::base::ceilometer': step => #{params[:step]}, oslomsg_rpc_hosts => ['localhost.localdomain'] }" + end + + context 'with step less than 4' do + let(:params) { { :step => 3 } } + + it 'should do nothing' do + is_expected.to contain_class('tripleo::profile::base::ceilometer::agent::polling') + is_expected.to_not contain_class('ceilometer::agent::polling') + end + end + + context 'with step 4 on polling agent' do + + let(:pre_condition) do + "class { '::ceilometer::agent::auth': auth_password => 'password' }" + end + + let(:params) { { + :step => 4, + :ceilometer_redis_password => 'password', + :redis_vip => '127.0.0.1', + :central_namespace => true + } } + + it 'should trigger complete configuration' do + is_expected.to contain_class('ceilometer::agent::polling').with( + :central_namespace => true, + :compute_namespace => false, + :ipmi_namespace => false, + :coordination_url => 'redis://:password@127.0.0.1:6379/', + ) + end + end + end + + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({ :hostname => 'node.example.com' }) + end + + it_behaves_like 'tripleo::profile::base::ceilometer::agent::polling' + end + end +end diff --git a/spec/classes/tripleo_profile_base_ceilometer_collector_spec.rb b/spec/classes/tripleo_profile_base_ceilometer_collector_spec.rb index 23b198a..0f9aad7 100644 --- a/spec/classes/tripleo_profile_base_ceilometer_collector_spec.rb +++ b/spec/classes/tripleo_profile_base_ceilometer_collector_spec.rb @@ -128,6 +128,32 @@ describe 'tripleo::profile::base::ceilometer::collector' do is_expected.to contain_class('ceilometer::dispatcher::gnocchi') end end + + context 'with step 5 on bootstrap node' do + let(:params) { { + :step => 5, + :bootstrap_node => 'node.example.com', + :mongodb_node_ips => ['127.0.0.1',], + :mongodb_replset => 'replicaset' + } } + + it 'should trigger complete configuration' do + is_expected.to contain_exec('ceilometer-db-upgrade') + end + end + + context 'with step 5 not on bootstrap node' do + let(:params) { { + :step => 5, + :bootstrap_node => 'somethingelse.example.com', + :mongodb_node_ips => ['127.0.0.1',], + :mongodb_replset => 'replicaset' + } } + + it 'should trigger complete configuration' do + is_expected.to_not contain_exec('ceilometer-db-upgrade') + end + end end diff --git a/spec/classes/tripleo_profile_base_database_mysql_spec.rb b/spec/classes/tripleo_profile_base_database_mysql_spec.rb new file mode 100644 index 0000000..b192f6c --- /dev/null +++ b/spec/classes/tripleo_profile_base_database_mysql_spec.rb @@ -0,0 +1,75 @@ +# +# Copyright (C) 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::database::mysql' do + let :params do + { :step => 2, + :mysql_max_connections => 4096, + } + end + shared_examples_for 'tripleo::profile::base::database::mysql' do + before :each do + facts.merge!({ :step => params[:step] }) + end + + context 'with noha and raise mariadb limit' do + before do + params.merge!({ + :generate_dropin_file_limit => true + }) + end + it 'should create limit file' do + is_expected.to contain_systemd__service_limits('mariadb.service').with( + :limits => { "LimitNOFILE" => 16384 }) + end + end + + context 'with noha and do not raise mariadb limit' do + before do + params.merge!({ + :generate_dropin_file_limit => false + }) + end + it 'should not create limit file' do + is_expected.to_not contain_systemd__service_limits('mariadb.service') + end + end + + context 'with ha and raise mariadb limit' do + before do + params.merge!({ + :generate_dropin_file_limit => true, + :manage_resources => false, + }) + end + it 'should not create limit file in ha' do + is_expected.to_not contain_systemd__service_limits('mariadb.service') + end + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({ :hostname => 'node.example.com' }) + end + + it_behaves_like 'tripleo::profile::base::database::mysql' + end + end +end diff --git a/spec/classes/tripleo_profile_base_docker_spec.rb b/spec/classes/tripleo_profile_base_docker_spec.rb new file mode 100644 index 0000000..587cc29 --- /dev/null +++ b/spec/classes/tripleo_profile_base_docker_spec.rb @@ -0,0 +1,68 @@ +# Copyright 2016 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::docker' do + shared_examples_for 'tripleo::profile::base::docker' do + context 'with step 1 and defaults' do + let(:params) { { + :step => 1, + } } + + it { is_expected.to contain_class('tripleo::profile::base::docker') } + it { is_expected.to contain_package('docker') } + it { is_expected.to contain_service('docker') } + it { + is_expected.to contain_augeas('docker-sysconfig').with_changes(['rm INSECURE_REGISTRY']) + } + end + + context 'with step 1 and insecure_registry configured' do + let(:params) { { + :docker_namespace => 'foo:8787', + :insecure_registry => true, + :step => 1, + } } + + it { is_expected.to contain_class('tripleo::profile::base::docker') } + it { is_expected.to contain_package('docker') } + it { is_expected.to contain_service('docker') } + it { + is_expected.to contain_augeas('docker-sysconfig').with_changes(["set INSECURE_REGISTRY '\"--insecure-registry foo:8787\"'"]) + } + end + + context 'with step 1 and insecure_registry configured but no docker_namespace' do + let(:params) { { + :insecure_registry => true, + :step => 1, + } } + + it_raises 'a Puppet::Error', /You must provide a \$docker_namespace in order to configure insecure registry/ + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({ :hostname => 'node.example.com' }) + end + + it_behaves_like 'tripleo::profile::base::docker' + end + end +end diff --git a/spec/classes/tripleo_profile_base_neutron_opendaylight_spec.rb b/spec/classes/tripleo_profile_base_neutron_opendaylight_spec.rb new file mode 100644 index 0000000..1eb79ae --- /dev/null +++ b/spec/classes/tripleo_profile_base_neutron_opendaylight_spec.rb @@ -0,0 +1,88 @@ +# +# Copyright (C) 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::neutron::opendaylight' do + let :params do + { :step => 1, + :node_name => 'overcloud-controller-0', + } + end + shared_examples_for 'tripleo::profile::base::neutron::opendaylight' do + before :each do + facts.merge!({ :step => params[:step] }) + end + + context 'with noha' do + before do + params.merge!({ + :odl_api_ips => ['192.0.2.5'] + }) + end + it 'should install and configure opendaylight' do + is_expected.to contain_class('opendaylight') + end + end + + context 'with empty OpenDaylight API IPs' do + before do + params.merge!({ + :odl_api_ips => [] + }) + end + it 'should fail to install OpenDaylight' do + is_expected.to compile.and_raise_error(/No IPs assigned to OpenDaylight Api Service/) + end + end + + context 'with 2 OpenDaylight API IPs' do + before do + params.merge!({ + :odl_api_ips => ['192.0.2.5', '192.0.2.6'] + }) + end + it 'should fail to install OpenDaylight' do + is_expected.to compile.and_raise_error(/2 node OpenDaylight deployments are unsupported. Use 1 or greater than 2/) + end + end + + context 'with HA and 3 OpenDaylight API IPs' do + before do + params.merge!({ + :odl_api_ips => ['192.0.2.5', '192.0.2.6', '192.0.2.7'] + }) + end + it 'should install and configure OpenDaylight in HA' do + is_expected.to contain_class('opendaylight').with( + :enable_ha => true, + :ha_node_ips => params[:odl_api_ips], + :ha_node_index => '1', + ) + end + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({ :hostname => 'node.example.com' }) + end + + it_behaves_like 'tripleo::profile::base::neutron::opendaylight' + end + end +end diff --git a/spec/classes/tripleo_profile_base_neutron_spec.rb b/spec/classes/tripleo_profile_base_neutron_spec.rb new file mode 100644 index 0000000..504be5b --- /dev/null +++ b/spec/classes/tripleo_profile_base_neutron_spec.rb @@ -0,0 +1,76 @@ +# +# Copyright (C) 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::neutron' do + let :params do + { :step => 5, + :oslomsg_notify_password => 'foobar', + :oslomsg_rpc_password => 'foobar' + } + end + + shared_examples_for 'tripleo::profile::base::neutron' do + before :each do + facts.merge!({ :step => params[:step] }) + end + + context 'when no dhcp agents per network set' do + before do + params.merge!({ + :dhcp_nodes => ['netcont1.localdomain', 'netcont2.localdomain', 'netcont3.localdomain'] + }) + end + it 'should equal the number of dhcp agents' do + is_expected.to contain_class('neutron').with(:dhcp_agents_per_network => 3) + end + end + + context 'when dhcp agents per network is set' do + before do + params.merge!({ + :dhcp_agents_per_network => 2 + }) + end + it 'should set the the value' do + is_expected.to contain_class('neutron').with(:dhcp_agents_per_network => 2) + end + end + + context 'when dhcp agents per network is greater than number of agents' do + before do + params.merge!({ + :dhcp_nodes => ['netcont1.localdomain', 'netcont2.localdomain'], + :dhcp_agents_per_network => 5 + }) + end + it 'should set value and complain about not enough agents' do + is_expected.to contain_class('neutron').with(:dhcp_agents_per_network => 5) + end + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({ :hostname => 'node.example.com' }) + end + + it_behaves_like 'tripleo::profile::base::neutron' + end + end +end diff --git a/spec/classes/tripleo_profile_base_nova_compute_spec.rb b/spec/classes/tripleo_profile_base_nova_compute_spec.rb index d052682..545a1fa 100644 --- a/spec/classes/tripleo_profile_base_nova_compute_spec.rb +++ b/spec/classes/tripleo_profile_base_nova_compute_spec.rb @@ -27,6 +27,7 @@ describe 'tripleo::profile::base::nova::compute' do is_expected.to_not contain_class('tripleo::profile::base::nova') is_expected.to_not contain_class('nova::compute') is_expected.to_not contain_class('nova::network::neutron') + is_expected.to_not contain_package('iscsi-initiator-utils') is_expected.to_not contain_exec('reset-iscsi-initiator-name') is_expected.to_not contain_file('/etc/iscsi/.initiator_reset') } @@ -51,6 +52,7 @@ eos is_expected.to contain_class('tripleo::profile::base::nova') is_expected.to contain_class('nova::compute') is_expected.to contain_class('nova::network::neutron') + is_expected.to contain_package('iscsi-initiator-utils') is_expected.to contain_exec('reset-iscsi-initiator-name') is_expected.to contain_file('/etc/iscsi/.initiator_reset') is_expected.to_not contain_package('nfs-utils') @@ -66,6 +68,7 @@ eos is_expected.to contain_class('tripleo::profile::base::nova') is_expected.to contain_class('nova::compute') is_expected.to contain_class('nova::network::neutron') + is_expected.to contain_package('iscsi-initiator-utils') is_expected.to contain_exec('reset-iscsi-initiator-name') is_expected.to contain_file('/etc/iscsi/.initiator_reset') is_expected.to contain_package('nfs-utils') diff --git a/spec/classes/tripleo_profile_base_nova_placement_spec.rb b/spec/classes/tripleo_profile_base_nova_placement_spec.rb index 2a18320..04e032a 100644 --- a/spec/classes/tripleo_profile_base_nova_placement_spec.rb +++ b/spec/classes/tripleo_profile_base_nova_placement_spec.rb @@ -49,7 +49,6 @@ eos let(:params) { { :step => 1, :enable_internal_tls => true, - :generate_service_certificates => true, :nova_placement_network => 'bar', :certificates_specs => { 'httpd-bar' => { @@ -63,7 +62,6 @@ eos it { is_expected.to contain_class('tripleo::profile::base::nova::placement') is_expected.to contain_class('tripleo::profile::base::nova') - is_expected.to contain_tripleo__certmonger__httpd('httpd-bar') is_expected.to_not contain_class('nova::keystone::authtoken') is_expected.to_not contain_class('nova::wsgi::apache_placement') } @@ -87,7 +85,6 @@ eos let(:params) { { :step => 3, :enable_internal_tls => true, - :generate_service_certificates => false, :nova_placement_network => 'bar', :certificates_specs => { 'httpd-bar' => { @@ -102,7 +99,6 @@ eos it { is_expected.to contain_class('tripleo::profile::base::nova::placement') is_expected.to contain_class('tripleo::profile::base::nova') - is_expected.to_not contain_tripleo__certmonger__httpd('foo') is_expected.to contain_class('nova::keystone::authtoken') is_expected.to contain_class('nova::wsgi::apache_placement').with( :ssl_cert => '/foo.pem', diff --git a/spec/classes/tripleo_profile_base_securetty_spec.rb b/spec/classes/tripleo_profile_base_securetty_spec.rb new file mode 100644 index 0000000..c57d8be --- /dev/null +++ b/spec/classes/tripleo_profile_base_securetty_spec.rb @@ -0,0 +1,72 @@ +# Copyright 2017 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# Unit tests for tripleo::profile::base::securetty +# + +require 'spec_helper' + +describe 'tripleo::profile::base::securetty' do + + shared_examples_for 'tripleo::profile::base::securetty' do + + context 'with defaults step 1' do + let(:params) {{ :step => 1 }} + it { is_expected.to contain_class('tripleo::profile::base::securetty') } + it { + is_expected.to contain_file('/etc/securetty').with( + :content => ["# Managed by Puppet / TripleO Heat Templates", + "# A list of TTYs, from which root can log in", + "# see `man securetty` for reference", + "", + ""].join("\n"), + :owner => 'root', + :group => 'root', + :mode => '0600') + } + end + + context 'it should configure securtty' do + let(:params) {{ + :step => 1, + :tty_list => ['console', 'tty1', 'tty2', 'tty3', 'tty4', 'tty5', 'tty6'] + }} + + it 'should configure securetty values' do + is_expected.to contain_file('/etc/securetty').with( + :owner => 'root', + :group => 'root', + :mode => '0600', + ) + .with_content(/console/) + .with_content(/tty1/) + .with_content(/tty2/) + .with_content(/tty3/) + .with_content(/tty4/) + .with_content(/tty5/) + .with_content(/tty6/) + end + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let (:facts) { + facts + } + it_behaves_like 'tripleo::profile::base::securetty' + end + end +end diff --git a/spec/classes/tripleo_profile_base_time_ntp_spec.rb b/spec/classes/tripleo_profile_base_time_ntp_spec.rb new file mode 100644 index 0000000..ec4b55f --- /dev/null +++ b/spec/classes/tripleo_profile_base_time_ntp_spec.rb @@ -0,0 +1,39 @@ +# +# Copyright (C) 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::time::ntp' do + shared_examples_for 'tripleo::profile::base::time::ntp' do + + context 'with defaults' do + it { is_expected.to contain_class('tripleo::profile::base::time::ntp') } + it { is_expected.to contain_service('chronyd').with( + :ensure => 'stopped', + :enable => false) } + it { is_expected.to contain_class('ntp') } + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let (:facts) { + facts + } + it_behaves_like 'tripleo::profile::base::time::ntp' + end + end +end diff --git a/templates/securetty/securetty.erb b/templates/securetty/securetty.erb new file mode 100644 index 0000000..c8c7b90 --- /dev/null +++ b/templates/securetty/securetty.erb @@ -0,0 +1,4 @@ +# Managed by Puppet / TripleO Heat Templates +# A list of TTYs, from which root can log in +# see `man securetty` for reference +<%= @ttys %> |