diff options
56 files changed, 1132 insertions, 261 deletions
diff --git a/Puppetfile_extras b/Puppetfile_extras index 7339074..0b617b9 100644 --- a/Puppetfile_extras +++ b/Puppetfile_extras @@ -36,3 +36,15 @@ mod 'fdio', mod 'certmonger', :git => 'https://github.com/earsdown/puppet-certmonger', :ref => 'v1.1.1' + +mod 'ntp', + :git => 'https://github.com/puppetlabs/puppetlabs-ntp', + :ref => '4.2.x' + +mod 'systemd', + :git => 'https://github.com/camptocamp/puppet-systemd', + :ref => 'master' + +mod 'opendaylight', + :git => 'https://github.com/dfarrell07/puppet-opendaylight', + :ref => 'master' diff --git a/bindep.txt b/bindep.txt new file mode 100644 index 0000000..4f9b425 --- /dev/null +++ b/bindep.txt @@ -0,0 +1,2 @@ +# This is a cross-platform list tracking distribution packages needed by tests; +# see http://docs.openstack.org/infra/bindep/ for additional information. diff --git a/lib/puppet/provider/package/norpm.rb b/lib/puppet/provider/package/norpm.rb index 080b138..abe1780 100644 --- a/lib/puppet/provider/package/norpm.rb +++ b/lib/puppet/provider/package/norpm.rb @@ -12,6 +12,7 @@ # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. +require 'puppet' require 'puppet/provider/package' Puppet::Type.type(:package).provide :norpm, :source => :rpm, :parent => :rpm do @@ -24,18 +25,22 @@ Puppet::Type.type(:package).provide :norpm, :source => :rpm, :parent => :rpm do end def install + Puppet.warning("[norpm] Attempting to install #{name} but it will not be installed") true end def uninstall + Puppet.warning("[norpm] Attempting to uninstall #{name} but it will not be removed") true end def update + Puppet.warning("[norpm] Attempting to update #{name} but it will not be updated") true end def purge + Puppet.warning("[norpm] Attempting to purge #{name} but it will not be removed") true end diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp index 3b8fd09..6668440 100644 --- a/manifests/certmonger/haproxy.pp +++ b/manifests/certmonger/haproxy.pp @@ -52,14 +52,27 @@ define tripleo::certmonger::haproxy ( $certmonger_ca = hiera('certmonger_ca', 'local'), $principal = undef, ){ + include ::certmonger include ::haproxy::params + # This is only needed for certmonger's local CA. For any other CA this + # operation (trusting the CA) should be done by the deployer. + if $certmonger_ca == 'local' { + class { '::tripleo::certmonger::ca::local': + notify => Class['::tripleo::haproxy'] + } + } + certmonger_certificate { "${title}-cert": + ensure => 'present', + ca => $certmonger_ca, hostname => $hostname, dnsname => $hostname, certfile => $service_certificate, keyfile => $service_key, postsave_cmd => $postsave_cmd, principal => $principal, + wait => true, + require => Class['::certmonger'], } concat { $service_pem : ensure => present, diff --git a/manifests/certmonger/rabbitmq.pp b/manifests/certmonger/rabbitmq.pp new file mode 100644 index 0000000..344adef --- /dev/null +++ b/manifests/certmonger/rabbitmq.pp @@ -0,0 +1,79 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::certmonger::rabbitmq +# +# Request a certificate for RabbitMQ and do the necessary setup. +# +# === Parameters +# +# [*hostname*] +# The hostname of the node. this will be set in the CN of the certificate. +# +# [*service_certificate*] +# The path to the certificate that will be used for TLS in this service. +# +# [*service_key*] +# The path to the key that will be used for TLS in this service. +# +# [*certmonger_ca*] +# (Optional) The CA that certmonger will use to generate the certificates. +# Defaults to hiera('certmonger_ca', 'local'). +# +# [*file_owner*] +# (Optional) The user which the certificate and key files belong to. +# Defaults to 'root' +# +# [*principal*] +# (Optional) The service principal that is set for the service in kerberos. +# Defaults to undef +# +class tripleo::certmonger::rabbitmq ( + $hostname, + $service_certificate, + $service_key, + $certmonger_ca = hiera('certmonger_ca', 'local'), + $principal = undef, +) { + include ::certmonger + include ::rabbitmq::params + + $postsave_cmd = "systemctl restart ${::rabbitmq::params::service_name}" + certmonger_certificate { 'rabbitmq' : + ensure => 'present', + certfile => $service_certificate, + keyfile => $service_key, + hostname => $hostname, + dnsname => $hostname, + principal => $principal, + postsave_cmd => $postsave_cmd, + ca => $certmonger_ca, + wait => true, + require => Class['::certmonger'], + } + + file { $service_certificate : + owner => $::rabbitmq::params::rabbitmq_user, + group => $::rabbitmq::params::rabbitmq_group, + require => Certmonger_certificate['rabbitmq'], + } + file { $service_key : + owner => $::rabbitmq::params::rabbitmq_user, + group => $::rabbitmq::params::rabbitmq_group, + require => Certmonger_certificate['rabbitmq'], + } + + File[$service_certificate] ~> Service<| title == $::rabbitmq::params::service_name |> + File[$service_key] ~> Service<| title == $::rabbitmq::params::service_name |> +} diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index 13d4ba5..92edd71 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -808,7 +808,7 @@ class tripleo::haproxy ( 'ssl-default-bind-ciphers' => $ssl_cipher_suite, 'ssl-default-bind-options' => $ssl_options, 'stats' => [ - 'socket /var/run/haproxy.sock mode 600 level user', + 'socket /var/lib/haproxy/stats mode 600 level user', 'timeout 2m' ], }, @@ -1265,6 +1265,7 @@ class tripleo::haproxy ( listen_options => $heat_options, public_ssl_port => $ports[heat_api_ssl_port], service_network => $heat_api_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -1279,6 +1280,7 @@ class tripleo::haproxy ( listen_options => $heat_options, public_ssl_port => $ports[heat_cw_ssl_port], service_network => $heat_cloudwatch_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -1293,6 +1295,7 @@ class tripleo::haproxy ( listen_options => $heat_options, public_ssl_port => $ports[heat_cfn_ssl_port], service_network => $heat_cfn_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } diff --git a/manifests/profile/base/aodh/api.pp b/manifests/profile/base/aodh/api.pp index af4a5b3..0834536 100644 --- a/manifests/profile/base/aodh/api.pp +++ b/manifests/profile/base/aodh/api.pp @@ -39,14 +39,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -57,17 +49,12 @@ class tripleo::profile::base::aodh::api ( $aodh_network = hiera('aodh_api_network', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $step = hiera('step'), ) { include ::tripleo::profile::base::aodh if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$aodh_network { fail('aodh_api_network is not set in the hieradata.') } diff --git a/manifests/profile/base/barbican/api.pp b/manifests/profile/base/barbican/api.pp index 22984b1..71e4ea1 100644 --- a/manifests/profile/base/barbican/api.pp +++ b/manifests/profile/base/barbican/api.pp @@ -43,14 +43,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -105,7 +97,6 @@ class tripleo::profile::base::barbican::api ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $step = hiera('step'), $oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'), $oslomsg_rpc_hosts = any2array(hiera('rabbitmq_node_names', undef)), @@ -126,10 +117,6 @@ class tripleo::profile::base::barbican::api ( } if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$barbican_network { fail('barbican_api_network is not set in the hieradata.') } diff --git a/manifests/profile/base/ceilometer/api.pp b/manifests/profile/base/ceilometer/api.pp index 6ef4748..28504c5 100644 --- a/manifests/profile/base/ceilometer/api.pp +++ b/manifests/profile/base/ceilometer/api.pp @@ -39,14 +39,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -56,16 +48,11 @@ class tripleo::profile::base::ceilometer::api ( $ceilometer_network = hiera('ceilometer_api_network', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $step = hiera('step'), ) { include ::tripleo::profile::base::ceilometer if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$ceilometer_network { fail('ceilometer_api_network is not set in the hieradata.') } diff --git a/manifests/profile/base/ceph/rgw.pp b/manifests/profile/base/ceph/rgw.pp index 8443de0..d00f7cd 100644 --- a/manifests/profile/base/ceph/rgw.pp +++ b/manifests/profile/base/ceph/rgw.pp @@ -60,7 +60,7 @@ class tripleo::profile::base::ceph::rgw ( $rgw_name = hiera('ceph::profile::params::rgw_name', 'radosgw.gateway') $civetweb_bind_ip_real = normalize_ip_for_uri($civetweb_bind_ip) include ::ceph::params - include ::ceph::profile::base + include ::ceph::profile::client ceph::rgw { $rgw_name: frontend_type => 'civetweb', rgw_frontends => "civetweb port=${civetweb_bind_ip_real}:${civetweb_bind_port}", diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp new file mode 100644 index 0000000..586c7e4 --- /dev/null +++ b/manifests/profile/base/certmonger_user.pp @@ -0,0 +1,77 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == class: tripleo::profile::base::certmonger_user +# +# Profile that ensures that the relevant certmonger certificates have been +# requested. The certificates come from the hiera set by the specific profiles +# and come in a pre-defined format. +# For a service that has several certificates (one per network name): +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "HTTP/<overcloud controller fqdn>" +# For a service that uses a single certificate: +# mysql_certificates_specs: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "mysql/<overcloud controller fqdn>" +# +# === Parameters +# +# [*apache_certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*haproxy_certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Defaults to hiera('tripleo::profile::base::haproxy::certificate_specs', {}). +# +# [*mysql_certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Defaults to hiera('tripleo::profile::base::database::mysql::certificate_specs', {}). +# +# [*rabbitmq_certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Defaults to hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}). +# +class tripleo::profile::base::certmonger_user ( + $apache_certificates_specs = hiera('apache_certificates_specs', {}), + $haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}), + $mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}), + $rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}), +) { + unless empty($apache_certificates_specs) { + ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs) + } + unless empty($haproxy_certificates_specs) { + ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs) + # The haproxy fronends (or listen resources) depend on the certificate + # existing and need to be refreshed if it changed. + Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||> + } + unless empty($mysql_certificate_specs) { + ensure_resource('class', 'tripleo::certmonger::mysql', $mysql_certificate_specs) + } + unless empty($rabbitmq_certificate_specs) { + ensure_resource('class', 'tripleo::certmonger::rabbitmq', $rabbitmq_certificate_specs) + } +} diff --git a/manifests/profile/base/cinder/api.pp b/manifests/profile/base/cinder/api.pp index 450a8e6..c432fd6 100644 --- a/manifests/profile/base/cinder/api.pp +++ b/manifests/profile/base/cinder/api.pp @@ -43,14 +43,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -61,7 +53,6 @@ class tripleo::profile::base::cinder::api ( $certificates_specs = hiera('apache_certificates_specs', {}), $cinder_api_network = hiera('cinder_api_network', undef), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $step = hiera('step'), ) { if $::hostname == downcase($bootstrap_node) { @@ -73,10 +64,6 @@ class tripleo::profile::base::cinder::api ( include ::tripleo::profile::base::cinder if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$cinder_api_network { fail('cinder_api_network is not set in the hieradata.') } diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp index a0193cf..b4ac8ac 100644 --- a/manifests/profile/base/database/mysql.pp +++ b/manifests/profile/base/database/mysql.pp @@ -47,12 +47,6 @@ # limit for the mysql service. # Defaults to false # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# MySQL. This could be as many as specified by the $certificates_specs -# variable. -# Defaults to hiera('generate_service_certificate', false). -# # [*manage_resources*] # (Optional) Whether or not manage root user, root my.cnf, and service. # Defaults to true @@ -62,6 +56,10 @@ # Should be an hash. # Defaults to {} # +# [*mysql_max_connections*] +# (Optional) Maximum number of connections to MySQL. +# Defaults to hiera('mysql_max_connections', undef) +# # [*remove_default_accounts*] # (Optional) Whether or not remove default MySQL accounts. # Defaults to true @@ -78,9 +76,9 @@ class tripleo::profile::base::database::mysql ( $certificate_specs = {}, $enable_internal_tls = hiera('enable_internal_tls', false), $generate_dropin_file_limit = false, - $generate_service_certificates = hiera('generate_service_certificates', false), $manage_resources = true, $mysql_server_options = {}, + $mysql_max_connections = hiera('mysql_max_connections', undef), $remove_default_accounts = true, $step = hiera('step'), ) { @@ -95,9 +93,6 @@ class tripleo::profile::base::database::mysql ( validate_hash($certificate_specs) if $enable_internal_tls { - if $generate_service_certificates { - ensure_resource('class', 'tripleo::certmonger::mysql', $certificate_specs) - } $tls_certfile = $certificate_specs['service_certificate'] $tls_keyfile = $certificate_specs['service_key'] } else { @@ -126,7 +121,7 @@ class tripleo::profile::base::database::mysql ( $mysql_server_default = { 'mysqld' => { 'bind-address' => $bind_address, - 'max_connections' => hiera('mysql_max_connections'), + 'max_connections' => $mysql_max_connections, 'open_files_limit' => '-1', 'innodb_file_per_table' => 'ON', 'ssl' => $enable_internal_tls, @@ -146,11 +141,11 @@ class tripleo::profile::base::database::mysql ( remove_default_accounts => $remove_default_accounts, } - if $generate_dropin_file_limit { + if $generate_dropin_file_limit and $manage_resources { # Raise the mysql file limit ::systemd::service_limits { 'mariadb.service': limits => { - LimitNOFILE => 16384 + 'LimitNOFILE' => 16384 } } } diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp new file mode 100644 index 0000000..5e18a85 --- /dev/null +++ b/manifests/profile/base/docker.pp @@ -0,0 +1,68 @@ +# Copyright 2017 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::docker +# +# docker profile for tripleo +# +# === Parameters +# +# [*docker_namespace*] +# The namespace to be used when setting INSECURE_REGISTRY +# this will be split on "/" to derive the docker registry +# (defaults to undef) +# +# [*insecure_registry*] +# Set docker_namespace to INSECURE_REGISTRY, used when a local registry +# is enabled (defaults to false) +# +# [*step*] +# step defaults to hiera('step') +# +class tripleo::profile::base::docker ( + $docker_namespace = undef, + $insecure_registry = false, + $step = hiera('step'), +) { + if $step >= 1 { + package {'docker': + ensure => installed, + } + + service { 'docker': + ensure => 'running', + enable => true, + require => Package['docker'], + } + + if $insecure_registry { + if $docker_namespace == undef { + fail('You must provide a $docker_namespace in order to configure insecure registry') + } + $namespace = strip($docker_namespace.split('/')[0]) + $changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${namespace}\"'", ] + } else { + $changes = [ 'rm INSECURE_REGISTRY', ] + } + + augeas { 'docker-sysconfig': + lens => 'Shellvars.lns', + incl => '/etc/sysconfig/docker', + changes => $changes, + subscribe => Package['docker'], + notify => Service['docker'], + } + } +} diff --git a/manifests/profile/base/glance/api.pp b/manifests/profile/base/glance/api.pp index e5807f6..8ed7fb7 100644 --- a/manifests/profile/base/glance/api.pp +++ b/manifests/profile/base/glance/api.pp @@ -38,14 +38,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*glance_backend*] # (Optional) Glance backend(s) to use. # Defaults to downcase(hiera('glance_backend', 'swift')) @@ -91,7 +83,6 @@ class tripleo::profile::base::glance::api ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $glance_backend = downcase(hiera('glance_backend', 'swift')), $glance_network = hiera('glance_api_network', undef), $glance_nfs_enabled = false, @@ -102,10 +93,6 @@ class tripleo::profile::base::glance::api ( $tls_proxy_fqdn = undef, $tls_proxy_port = 9292, ) { - if $enable_internal_tls and $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if $::hostname == downcase($bootstrap_node) { $sync_db = true } else { diff --git a/manifests/profile/base/gnocchi/api.pp b/manifests/profile/base/gnocchi/api.pp index 2fde1fc..5b4c0c2 100644 --- a/manifests/profile/base/gnocchi/api.pp +++ b/manifests/profile/base/gnocchi/api.pp @@ -38,14 +38,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*gnocchi_backend*] # (Optional) Gnocchi backend string file, swift or rbd # Defaults to swift @@ -64,7 +56,6 @@ class tripleo::profile::base::gnocchi::api ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $gnocchi_backend = downcase(hiera('gnocchi_backend', 'swift')), $gnocchi_network = hiera('gnocchi_api_network', undef), $step = hiera('step'), @@ -78,10 +69,6 @@ class tripleo::profile::base::gnocchi::api ( include ::tripleo::profile::base::gnocchi if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$gnocchi_network { fail('gnocchi_api_network is not set in the hieradata.') } diff --git a/manifests/profile/base/haproxy.pp b/manifests/profile/base/haproxy.pp index f16ec1b..9a03487 100644 --- a/manifests/profile/base/haproxy.pp +++ b/manifests/profile/base/haproxy.pp @@ -32,22 +32,10 @@ # principal: "haproxy/<undercloud fqdn>" # Defaults to {}. # -# [*certmonger_ca*] -# (Optional) The CA that certmonger will use to generate the certificates. -# Defaults to hiera('certmonger_ca', 'local'). -# # [*enable_load_balancer*] # (Optional) Whether or not loadbalancer is enabled. # Defaults to hiera('enable_load_balancer', true). # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -55,35 +43,11 @@ # class tripleo::profile::base::haproxy ( $certificates_specs = {}, - $certmonger_ca = hiera('certmonger_ca', 'local'), $enable_load_balancer = hiera('enable_load_balancer', true), - $generate_service_certificates = hiera('generate_service_certificates', false), $step = hiera('step'), ) { if $step >= 1 { if $enable_load_balancer { - if str2bool($generate_service_certificates) { - include ::certmonger - # This is only needed for certmonger's local CA. For any other CA this - # operation (trusting the CA) should be done by the deployer. - if $certmonger_ca == 'local' { - class { '::tripleo::certmonger::ca::local': - notify => Class['::tripleo::haproxy'] - } - } - - Certmonger_certificate { - ca => $certmonger_ca, - ensure => 'present', - wait => true, - require => Class['::certmonger'], - } - create_resources('::tripleo::certmonger::haproxy', $certificates_specs) - # The haproxy fronends (or listen resources) depend on the certificate - # existing and need to be refreshed if it changed. - Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||> - } - class {'::tripleo::haproxy': internal_certificates_specs => $certificates_specs, } diff --git a/manifests/profile/base/heat/api.pp b/manifests/profile/base/heat/api.pp index 7166298..f35735b 100644 --- a/manifests/profile/base/heat/api.pp +++ b/manifests/profile/base/heat/api.pp @@ -18,18 +18,57 @@ # # === Parameters # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*heat_api_network*] +# (Optional) The network name where the heat API endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('heat_api_network', undef) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. # Defaults to hiera('step') # class tripleo::profile::base::heat::api ( - $step = hiera('step'), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $heat_api_network = hiera('heat_api_network', undef), + $step = hiera('step'), ) { include ::tripleo::profile::base::heat + if $enable_internal_tls { + if !$heat_api_network { + fail('heat_api_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${heat_api_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${heat_api_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + if $step >= 4 { include ::heat::api + class { '::heat::wsgi::apache_api': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, + } } } diff --git a/manifests/profile/base/heat/api_cfn.pp b/manifests/profile/base/heat/api_cfn.pp index c1adae6..2545dbc 100644 --- a/manifests/profile/base/heat/api_cfn.pp +++ b/manifests/profile/base/heat/api_cfn.pp @@ -18,18 +18,58 @@ # # === Parameters # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*heat_api_cfn_network*] +# (Optional) The network name where the heat cfn endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('heat_api_cfn_network', undef) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. # Defaults to hiera('step') # class tripleo::profile::base::heat::api_cfn ( - $step = hiera('step'), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $heat_api_cfn_network = hiera('heat_api_cfn_network', undef), + $step = hiera('step'), ) { include ::tripleo::profile::base::heat + if $enable_internal_tls { + if !$heat_api_cfn_network { + fail('heat_api_cfn_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${heat_api_cfn_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${heat_api_cfn_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + if $step >= 4 { include ::heat::api_cfn + + class { '::heat::wsgi::apache_api_cfn': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, + } } } diff --git a/manifests/profile/base/heat/api_cloudwatch.pp b/manifests/profile/base/heat/api_cloudwatch.pp index 3004db9..872de8d 100644 --- a/manifests/profile/base/heat/api_cloudwatch.pp +++ b/manifests/profile/base/heat/api_cloudwatch.pp @@ -18,18 +18,58 @@ # # === Parameters # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*heat_api_cloudwatch_network*] +# (Optional) The network name where the heat cloudwatch endpoint is listening +# on. This is set by t-h-t. +# Defaults to hiera('heat_api_cloudwatch_network', undef) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. # Defaults to hiera('step') # class tripleo::profile::base::heat::api_cloudwatch ( - $step = hiera('step'), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $heat_api_cloudwatch_network = hiera('heat_api_cloudwatch_network', undef), + $step = hiera('step'), ) { include ::tripleo::profile::base::heat + if $enable_internal_tls { + if !$heat_api_cloudwatch_network { + fail('heat_api_cloudwatch_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${heat_api_cloudwatch_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${heat_api_cloudwatch_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + if $step >= 4 { include ::heat::api_cloudwatch + + class { '::heat::wsgi::apache_api_cloudwatch': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, + } } } diff --git a/manifests/profile/base/ironic/conductor.pp b/manifests/profile/base/ironic/conductor.pp index 4824648..7f90da9 100644 --- a/manifests/profile/base/ironic/conductor.pp +++ b/manifests/profile/base/ironic/conductor.pp @@ -44,5 +44,12 @@ class tripleo::profile::base::ironic::conductor ( include ::ironic::drivers::ilo include ::ironic::drivers::ipmi include ::ironic::drivers::ssh + + # Configure access to other services + include ::ironic::drivers::inspector + include ::ironic::glance + include ::ironic::neutron + include ::ironic::service_catalog + include ::ironic::swift } } diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index 9b2fc51..937f5e2 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -43,14 +43,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*heat_admin_domain*] # domain name for heat admin # Defaults to undef @@ -130,7 +122,6 @@ class tripleo::profile::base::keystone ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $heat_admin_domain = undef, $heat_admin_email = undef, $heat_admin_password = undef, @@ -163,10 +154,6 @@ class tripleo::profile::base::keystone ( } if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$public_endpoint_network { fail('keystone_public_api_network is not set in the hieradata.') } diff --git a/manifests/profile/base/neutron/bgpvpn.pp b/manifests/profile/base/neutron/bgpvpn.pp new file mode 100644 index 0000000..9fa1d14 --- /dev/null +++ b/manifests/profile/base/neutron/bgpvpn.pp @@ -0,0 +1,36 @@ +# +# Copyright (C) 2017 Red Hat Inc. +# +# Author: Ricardo Noriega <rnoriega@redhat.com> +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::bgpvpn +# +# Neutron BGPVPN Service plugin profile for TripleO +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::neutron::bgpvpn ( + $step = hiera('step'), +) { + if $step >= 4 { + include ::tripleo::profile::base::neutron + include ::neutron::services::bgpvpn + } +} diff --git a/manifests/profile/base/neutron/l2gw.pp b/manifests/profile/base/neutron/l2gw.pp new file mode 100644 index 0000000..da71108 --- /dev/null +++ b/manifests/profile/base/neutron/l2gw.pp @@ -0,0 +1,37 @@ +# +# Copyright (C) 2017 Red Hat Inc. +# +# Author: Peng Liu <pliu@redhat.com> +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::l2gw +# +# Neutron L2 Gateway Service plugin profile for TripleO +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::neutron::l2gw ( + $step = hiera('step'), +) { + include ::tripleo::profile::base::neutron + + if $step >= 4 { + include ::neutron::services::l2gw + } +} diff --git a/manifests/profile/base/neutron/opendaylight.pp b/manifests/profile/base/neutron/opendaylight.pp index 556fe63..b5e6d11 100644 --- a/manifests/profile/base/neutron/opendaylight.pp +++ b/manifests/profile/base/neutron/opendaylight.pp @@ -22,19 +22,35 @@ # (Optional) The current step of the deployment # Defaults to hiera('step') # -# [*primary_node*] -# (Optional) The hostname of the first node of this role type -# Defaults to hiera('bootstrap_nodeid', undef) +# [*odl_api_ips*] +# (Optional) List of OpenStack Controller IPs for ODL API +# Defaults to hiera('opendaylight_api_node_ips') +# +# [*node_name*] +# (Optional) The short hostname of node +# Defaults to hiera('bootstack_nodeid') # class tripleo::profile::base::neutron::opendaylight ( $step = hiera('step'), - $primary_node = hiera('bootstrap_nodeid', undef), + $odl_api_ips = hiera('opendaylight_api_node_ips'), + $node_name = hiera('bootstack_nodeid') ) { if $step >= 1 { - # Configure ODL only on first node of the role where this service is - # applied - if $primary_node == downcase($::hostname) { + validate_array($odl_api_ips) + if empty($odl_api_ips) { + fail('No IPs assigned to OpenDaylight Api Service') + } elsif size($odl_api_ips) == 2 { + fail('2 node OpenDaylight deployments are unsupported. Use 1 or greater than 2') + } elsif size($odl_api_ips) > 2 { + $node_string = split($node_name, '-') + $ha_node_index = $node_string[-1] + 1 + class { '::opendaylight': + enable_ha => true, + ha_node_ips => $odl_api_ips, + ha_node_index => $ha_node_index, + } + } else { include ::opendaylight } } diff --git a/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp b/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp index c120931..2618d4f 100644 --- a/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp +++ b/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp @@ -30,6 +30,10 @@ # (Optional) Password to configure for OpenDaylight # Defaults to 'admin' # +# [*odl_url_ip*] +# (Optional) Virtual IP address for ODL Api Service +# Defaults to hiera('opendaylight_api_vip') +# # [*conn_proto*] # (Optional) Protocol to use to for ODL REST access # Defaults to hiera('opendaylight::nb_connection_protocol') @@ -43,14 +47,13 @@ class tripleo::profile::base::neutron::plugins::ml2::opendaylight ( $odl_port = hiera('opendaylight::odl_rest_port'), $odl_username = hiera('opendaylight::username'), $odl_password = hiera('opendaylight::password'), + $odl_url_ip = hiera('opendaylight_api_vip'), $conn_proto = hiera('opendaylight::nb_connection_protocol'), $step = hiera('step'), ) { if $step >= 4 { - $odl_url_ip = hiera('opendaylight_api_vip') - - if ! $odl_url_ip { fail('OpenDaylight Controller IP/VIP is Empty') } + if ! $odl_url_ip { fail('OpenDaylight API VIP is Empty') } class { '::neutron::plugins::ml2::opendaylight': odl_username => $odl_username, diff --git a/manifests/profile/base/neutron/plugins/ovs/opendaylight.pp b/manifests/profile/base/neutron/plugins/ovs/opendaylight.pp index 91c5168..4da8df9 100644 --- a/manifests/profile/base/neutron/plugins/ovs/opendaylight.pp +++ b/manifests/profile/base/neutron/plugins/ovs/opendaylight.pp @@ -30,6 +30,10 @@ # (Optional) List of OpenStack Controller IPs for ODL API # Defaults to hiera('opendaylight_api_node_ips') # +# [*odl_url_ip*] +# (Optional) Virtual IP address for ODL Api Service +# Defaults to hiera('opendaylight_api_vip') +# # [*conn_proto*] # (Optional) Protocol to use to for ODL REST access # Defaults to hiera('opendaylight::nb_connection_protocol') @@ -43,25 +47,25 @@ class tripleo::profile::base::neutron::plugins::ovs::opendaylight ( $odl_port = hiera('opendaylight::odl_rest_port'), $odl_check_url = hiera('opendaylight_check_url'), $odl_api_ips = hiera('opendaylight_api_node_ips'), + $odl_url_ip = hiera('opendaylight_api_vip'), $conn_proto = hiera('opendaylight::nb_connection_protocol'), $step = hiera('step'), ) { if $step >= 4 { - $opendaylight_controller_ip = $odl_api_ips[0] - $odl_url_ip = hiera('opendaylight_api_vip') - - if ! $opendaylight_controller_ip { fail('OpenDaylight Controller IP is Empty') } + if empty($odl_api_ips) { fail('No IPs assigned to OpenDaylight Api Service') } if ! $odl_url_ip { fail('OpenDaylight API VIP is Empty') } # Build URL to check if ODL is up before connecting OVS $opendaylight_url = "${conn_proto}://${odl_url_ip}:${odl_port}/${odl_check_url}" + $odl_ovsdb_str = join(regsubst($odl_api_ips, '.+', 'tcp:\0:6640'), ' ') + class { '::neutron::plugins::ovs::opendaylight': tunnel_ip => hiera('neutron::agents::ml2::ovs::local_ip'), odl_check_url => $opendaylight_url, - odl_ovsdb_iface => "tcp:${opendaylight_controller_ip}:6640", + odl_ovsdb_iface => $odl_ovsdb_str, } } } diff --git a/manifests/profile/base/neutron/server.pp b/manifests/profile/base/neutron/server.pp index 5d6909f..d67a40c 100644 --- a/manifests/profile/base/neutron/server.pp +++ b/manifests/profile/base/neutron/server.pp @@ -43,14 +43,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*l3_ha_override*] # (Optional) Override the calculated value for neutron::server::l3_ha # by default this is calculated to enable when DVR is not enabled @@ -95,7 +87,6 @@ class tripleo::profile::base::neutron::server ( $certificates_specs = hiera('apache_certificates_specs', {}), $dvr_enabled = hiera('neutron::server::router_distributed', false), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $l3_ha_override = '', $l3_nodes = hiera('neutron_l3_short_node_names', []), $neutron_network = hiera('neutron_api_network', undef), @@ -104,10 +95,6 @@ class tripleo::profile::base::neutron::server ( $tls_proxy_fqdn = undef, $tls_proxy_port = 9696, ) { - if $enable_internal_tls and $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if $::hostname == downcase($bootstrap_node) { $sync_db = true } else { diff --git a/manifests/profile/base/nova/api.pp b/manifests/profile/base/nova/api.pp index cda2b66..95a1721 100644 --- a/manifests/profile/base/nova/api.pp +++ b/manifests/profile/base/nova/api.pp @@ -36,14 +36,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*nova_api_network*] # (Optional) The network name where the nova API endpoint is listening on. # This is set by t-h-t. @@ -63,7 +55,6 @@ class tripleo::profile::base::nova::api ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $nova_api_network = hiera('nova_api_network', undef), $nova_api_wsgi_enabled = hiera('nova_wsgi_enabled', false), $step = hiera('step'), @@ -93,10 +84,6 @@ class tripleo::profile::base::nova::api ( # https://bugs.launchpad.net/nova/+bug/1661360 if $nova_api_wsgi_enabled { if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$nova_api_network { fail('nova_api_network is not set in the hieradata.') } diff --git a/manifests/profile/base/nova/compute.pp b/manifests/profile/base/nova/compute.pp index 0eb2ed7..84b8bd5 100644 --- a/manifests/profile/base/nova/compute.pp +++ b/manifests/profile/base/nova/compute.pp @@ -48,10 +48,12 @@ class tripleo::profile::base::nova::compute ( # When utilising images for deployment, we need to reset the iSCSI initiator name to make it unique # https://bugzilla.redhat.com/show_bug.cgi?id=1244328 + ensure_resource('package', 'iscsi-initiator-utils', { ensure => 'present' }) exec { 'reset-iscsi-initiator-name': command => '/bin/echo InitiatorName=$(/usr/sbin/iscsi-iname) > /etc/iscsi/initiatorname.iscsi', onlyif => '/usr/bin/test ! -f /etc/iscsi/.initiator_reset', before => File['/etc/iscsi/.initiator_reset'], + require => Package['iscsi-initiator-utils'], } file { '/etc/iscsi/.initiator_reset': ensure => present, diff --git a/manifests/profile/base/nova/placement.pp b/manifests/profile/base/nova/placement.pp index 46658b8..16bfe17 100644 --- a/manifests/profile/base/nova/placement.pp +++ b/manifests/profile/base/nova/placement.pp @@ -36,14 +36,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*nova_placement_network*] # (Optional) The network name where the nova placement endpoint is listening on. # This is set by t-h-t. @@ -58,7 +50,6 @@ class tripleo::profile::base::nova::placement ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $nova_placement_network = hiera('nova_placement_network', undef), $step = hiera('step'), ) { @@ -72,10 +63,6 @@ class tripleo::profile::base::nova::placement ( include ::tripleo::profile::base::nova::authtoken if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$nova_placement_network { fail('nova_placement_network is not set in the hieradata.') } diff --git a/manifests/profile/base/panko.pp b/manifests/profile/base/panko.pp index 880cf7d..286e4ac 100644 --- a/manifests/profile/base/panko.pp +++ b/manifests/profile/base/panko.pp @@ -23,26 +23,12 @@ # for more details. # Defaults to hiera('step') # -# [*bootstrap_node*] -# (Optional) The hostname of the node responsible for bootstrapping tasks -# Defaults to hiera('bootstrap_nodeid') class tripleo::profile::base::panko ( - $step = hiera('step'), - $bootstrap_node = hiera('bootstrap_nodeid', undef), + $step = hiera('step'), ) { - - if $::hostname == downcase($bootstrap_node) { - $sync_db = true - } else { - $sync_db = false - } - - if $step >= 4 or ($step >= 3 and $sync_db) { + if $step >= 3 { include ::panko - include ::panko::db include ::panko::config - include ::panko::db::sync } - } diff --git a/manifests/profile/base/panko/api.pp b/manifests/profile/base/panko/api.pp index 45ee0c0..90e80a2 100644 --- a/manifests/profile/base/panko/api.pp +++ b/manifests/profile/base/panko/api.pp @@ -18,6 +18,10 @@ # # === Parameters # +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# # [*certificates_specs*] # (Optional) The specifications to give to certmonger for the certificate(s) # it will create. @@ -34,14 +38,6 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # -# [*generate_service_certificates*] -# (Optional) Whether or not certmonger will generate certificates for -# HAProxy. This could be as many as specified by the $certificates_specs -# variable. -# Note that this doesn't configure the certificates in haproxy, it merely -# creates the certificates. -# Defaults to hiera('generate_service_certificate', false). -# # [*panko_network*] # (Optional) The network name where the panko endpoint is listening on. # This is set by t-h-t. @@ -53,19 +49,21 @@ # Defaults to hiera('step') # class tripleo::profile::base::panko::api ( + $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), - $generate_service_certificates = hiera('generate_service_certificates', false), $panko_network = hiera('panko_api_network', undef), $step = hiera('step'), ) { + if $::hostname == downcase($bootstrap_node) { + $sync_db = true + } else { + $sync_db = false + } + include ::tripleo::profile::base::panko if $enable_internal_tls { - if $generate_service_certificates { - ensure_resources('tripleo::certmonger::httpd', $certificates_specs) - } - if !$panko_network { fail('panko_api_network is not set in the hieradata.') } @@ -76,8 +74,11 @@ class tripleo::profile::base::panko::api ( $tls_keyfile = undef } - if $step >= 4 { - include ::panko::api + if $step >= 4 or ( $step >= 3 and $sync_db ) { + include ::panko::db + class { '::panko::api': + sync_db => $sync_db, + } class { '::panko::wsgi::apache': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/rabbitmq.pp b/manifests/profile/base/rabbitmq.pp index 1eaabf0..9d1417c 100644 --- a/manifests/profile/base/rabbitmq.pp +++ b/manifests/profile/base/rabbitmq.pp @@ -18,14 +18,35 @@ # # === Parameters # +# [*certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate +# it will create. Note that the certificate nickname must be 'mysql' in +# the case of this service. +# Example with hiera: +# tripleo::profile::base::database::mysql::certificate_specs: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "mysql/<overcloud controller fqdn>" +# Defaults to {}. +# # [*config_variables*] # (Optional) RabbitMQ environment. # Defaults to hiera('rabbitmq_config_variables'). # +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to undef +# # [*environment*] # (Optional) RabbitMQ environment. # Defaults to hiera('rabbitmq_environment'). # +# [*inet_dist_interface*] +# (Optional) Address to bind the inter-cluster interface +# to. It is the inet_dist_use_interface option in the kernel variables +# Defaults to hiera('rabbitmq::interface', undef). +# # [*ipv6*] # (Optional) Whether to deploy RabbitMQ on IPv6 network. # Defaults to str2bool(hiera('rabbit_ipv6', false)). @@ -34,11 +55,6 @@ # (Optional) RabbitMQ environment. # Defaults to hiera('rabbitmq_environment'). # -# [*inet_dist_interface*] -# (Optional) Address to bind the inter-cluster interface -# to. It is the inet_dist_use_interface option in the kernel variables -# Defaults to hiera('rabbitmq::interface', undef). -# # [*nodes*] # (Optional) Array of host(s) for RabbitMQ nodes. # Defaults to hiera('rabbitmq_node_names', []). @@ -61,17 +77,27 @@ # Defaults to hiera('step') # class tripleo::profile::base::rabbitmq ( - $config_variables = hiera('rabbitmq_config_variables'), - $environment = hiera('rabbitmq_environment'), - $ipv6 = str2bool(hiera('rabbit_ipv6', false)), - $kernel_variables = hiera('rabbitmq_kernel_variables'), - $inet_dist_interface = hiera('rabbitmq::interface', undef), - $nodes = hiera('rabbitmq_node_names', []), - $rabbitmq_pass = hiera('rabbitmq::default_pass'), - $rabbitmq_user = hiera('rabbitmq::default_user'), - $stack_action = hiera('stack_action'), - $step = hiera('step'), + $certificate_specs = {}, + $config_variables = hiera('rabbitmq_config_variables'), + $enable_internal_tls = undef, # TODO(jaosorior): pass this via t-h-t + $environment = hiera('rabbitmq_environment'), + $inet_dist_interface = hiera('rabbitmq::interface', undef), + $ipv6 = str2bool(hiera('rabbit_ipv6', false)), + $kernel_variables = hiera('rabbitmq_kernel_variables'), + $nodes = hiera('rabbitmq_node_names', []), + $rabbitmq_pass = hiera('rabbitmq::default_pass'), + $rabbitmq_user = hiera('rabbitmq::default_user'), + $stack_action = hiera('stack_action'), + $step = hiera('step'), ) { + if $enable_internal_tls { + $tls_certfile = $certificate_specs['service_certificate'] + $tls_keyfile = $certificate_specs['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + # IPv6 environment, necessary for RabbitMQ. if $ipv6 { $rabbit_env = merge($environment, { @@ -100,6 +126,9 @@ class tripleo::profile::base::rabbitmq ( config_kernel_variables => $real_kernel_variables, config_variables => $config_variables, environment_variables => $rabbit_env, + # TLS options + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, } # when running multi-nodes without Pacemaker if $manage_service { @@ -116,8 +145,14 @@ class tripleo::profile::base::rabbitmq ( config_kernel_variables => $kernel_variables, config_variables => $config_variables, environment_variables => $rabbit_env, + # TLS options + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, } } + } + + if $step >= 2 { # In case of HA, starting of rabbitmq-server is managed by pacemaker, because of which, a dependency # to Service['rabbitmq-server'] will not work. Sticking with UPDATE action. if $stack_action == 'UPDATE' { diff --git a/manifests/profile/base/sahara.pp b/manifests/profile/base/sahara.pp index c9c656d..7f4ecbe 100644 --- a/manifests/profile/base/sahara.pp +++ b/manifests/profile/base/sahara.pp @@ -114,5 +114,6 @@ class tripleo::profile::base::sahara ( 'ssl' => $oslomsg_use_ssl_real, }), } + include ::sahara::keystone::authtoken } } diff --git a/manifests/profile/base/time/ntp.pp b/manifests/profile/base/time/ntp.pp index c6ce309..06a3048 100644 --- a/manifests/profile/base/time/ntp.pp +++ b/manifests/profile/base/time/ntp.pp @@ -19,10 +19,12 @@ # class tripleo::profile::base::time::ntp { - # if installed, we don't want chrony to conflict with ntp. - package { 'chrony': - ensure => 'purged', - before => Service['ntp'], + # If installed, we don't want chrony to conflict with ntp. LP#1665426 + # It should be noted that this work even if the package is not installed + service { 'chronyd': + ensure => stopped, + enable => false, + before => Class['ntp'] } include ::ntp } diff --git a/manifests/profile/releasenotes/notes/rabbitmq-user-check-95da891a2e197d89.yaml b/manifests/profile/releasenotes/notes/rabbitmq-user-check-95da891a2e197d89.yaml new file mode 100644 index 0000000..e1caf4c --- /dev/null +++ b/manifests/profile/releasenotes/notes/rabbitmq-user-check-95da891a2e197d89.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - The rabbitmq user check is moved to step >= 2 from step >= 1. There + is no gaurantee that rabbitmq is running at step 1, especially if + updating a failed stack that never made it past step 1 to begin + with. diff --git a/metadata.json b/metadata.json index 0db84c7..32b5d95 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "openstack-tripleo", - "version": "6.2.0", + "version": "7.0.0", "author": "OpenStack Contributors", "summary": "Puppet module for TripleO", "license": "Apache-2.0", diff --git a/releasenotes/notes/add-bgpvpn-support-77676690fb6dd17b.yaml b/releasenotes/notes/add-bgpvpn-support-77676690fb6dd17b.yaml new file mode 100644 index 0000000..2af6aa7 --- /dev/null +++ b/releasenotes/notes/add-bgpvpn-support-77676690fb6dd17b.yaml @@ -0,0 +1,3 @@ +--- +features: + - Add support for BGPVPN Neutron service plugin diff --git a/releasenotes/notes/add-ceilo-polling-agent-53fab550a09a6196.yaml b/releasenotes/notes/add-ceilo-polling-agent-53fab550a09a6196.yaml index 127991b..5ab15d5 100644 --- a/releasenotes/notes/add-ceilo-polling-agent-53fab550a09a6196.yaml +++ b/releasenotes/notes/add-ceilo-polling-agent-53fab550a09a6196.yaml @@ -1,6 +1,6 @@ --- features: - - Add support for cielometer polling agent. The central, compute and ipmi + - Add support for ceilometer polling agent. The central, compute and ipmi agent services should use polling agent with namespace. This has been done in packaging already since few releases now. Let puppet do it correctly as well. diff --git a/releasenotes/notes/add-opendaylight-ha-47a40c03917faf9c.yaml b/releasenotes/notes/add-opendaylight-ha-47a40c03917faf9c.yaml new file mode 100644 index 0000000..e0a6d35 --- /dev/null +++ b/releasenotes/notes/add-opendaylight-ha-47a40c03917faf9c.yaml @@ -0,0 +1,5 @@ +--- +features: + - Adds OpenDaylight HA support. Now when ODL is applied to three or + more nodes ODL will be deployed as a cluster in HA, rather than + the previous behavior of only running on the first node. diff --git a/releasenotes/notes/deploy-heat-APIs-over-httpd-46b111d0a4a4eed4.yaml b/releasenotes/notes/deploy-heat-APIs-over-httpd-46b111d0a4a4eed4.yaml new file mode 100644 index 0000000..a50a27d --- /dev/null +++ b/releasenotes/notes/deploy-heat-APIs-over-httpd-46b111d0a4a4eed4.yaml @@ -0,0 +1,3 @@ +--- +features: + - Heat APIs (api, cfn and cloudwatch) are now deployed over httpd. diff --git a/releasenotes/notes/docker_profile-8571ae260eec69b8.yaml b/releasenotes/notes/docker_profile-8571ae260eec69b8.yaml new file mode 100644 index 0000000..ddbf175 --- /dev/null +++ b/releasenotes/notes/docker_profile-8571ae260eec69b8.yaml @@ -0,0 +1,4 @@ +--- +features: + - | + Added a new profile to configure the docker service diff --git a/releasenotes/notes/l2gw_plugin_support-e0b1faafe8e1135f.yaml b/releasenotes/notes/l2gw_plugin_support-e0b1faafe8e1135f.yaml new file mode 100644 index 0000000..694f492 --- /dev/null +++ b/releasenotes/notes/l2gw_plugin_support-e0b1faafe8e1135f.yaml @@ -0,0 +1,3 @@ +--- +features: + - Add support for l2 gateway Neutron service plugin. diff --git a/releasenotes/notes/sahara_auth_v3-65bd276b39b4e284.yaml b/releasenotes/notes/sahara_auth_v3-65bd276b39b4e284.yaml new file mode 100644 index 0000000..c744e0f --- /dev/null +++ b/releasenotes/notes/sahara_auth_v3-65bd276b39b4e284.yaml @@ -0,0 +1,4 @@ +--- +features: + - Sahara is now deployed with keystone_authtoken parameters and move + forward with Keystone v3 version. diff --git a/releasenotes/source/conf.py b/releasenotes/source/conf.py index 5cc0c41..e293b07 100644 --- a/releasenotes/source/conf.py +++ b/releasenotes/source/conf.py @@ -45,16 +45,16 @@ master_doc = 'index' # General information about the project. project = u'puppet-tripleo Release Notes' -copyright = u'2016, Puppet TripleO Developers' +copyright = u'2017, Puppet TripleO Developers' # The version info for the project you're documenting, acts as replacement for # |version| and |release|, also used in various other places throughout the # built documents. # # The short X.Y version. -version = '6.2.0' +version = '7.0.0' # The full version, including alpha/beta/rc tags. -release = '6.2.0' +release = '7.0.0' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. @@ -198,7 +198,7 @@ latex_elements = { # author, documentclass [howto, manual, or own class]). latex_documents = [ ('index', 'puppet-tripleoReleaseNotes.tex', u'puppet-tripleo Release Notes Documentation', - u'2016, Puppet TripleO Developers', 'manual'), + u'2017, Puppet TripleO Developers', 'manual'), ] # The name of an image file (relative to this directory) to place at the top of @@ -228,7 +228,7 @@ latex_documents = [ # (source start file, name, description, authors, manual section). man_pages = [ ('index', 'puppet-tripleoreleasenotes', u'puppet-tripleo Release Notes Documentation', - [u'2016, Puppet TripleO Developers'], 1) + [u'2017, Puppet TripleO Developers'], 1) ] # If true, show URL addresses after external links. @@ -242,7 +242,7 @@ man_pages = [ # dir menu entry, description, category) texinfo_documents = [ ('index', 'puppet-tripleoReleaseNotes', u'puppet-tripleo Release Notes Documentation', - u'2016, Puppet TripleO Developers', 'puppet-tripleoReleaseNotes', 'Puppet TripleO Project.', + u'2017, Puppet TripleO Developers', 'puppet-tripleoReleaseNotes', 'Puppet TripleO Project.', 'Miscellaneous'), ] diff --git a/spec/classes/tripleo_certmonger_ca_local.rb b/spec/classes/tripleo_certmonger_ca_local.rb new file mode 100644 index 0000000..7ee9383 --- /dev/null +++ b/spec/classes/tripleo_certmonger_ca_local.rb @@ -0,0 +1,46 @@ +# +# Copyright (C) 2017 Red Hat Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# Unit tests for tripleo +# + +require 'spec_helper' + +describe 'tripleo::certmonger::ca::local' do + + shared_examples_for 'tripleo::certmonger::ca::local' do + let :params do + { + :ca_pem => '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem', + } + end + + it 'should extract CA cert' do + is_expected.to contain_exec('extract-and-trust-ca').with( + :creates => params[:ca_pem], + ) + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({}) + end + + it_behaves_like 'tripleo::certmonger::ca::local' + end + end +end diff --git a/spec/classes/tripleo_certmonger_httpd.rb b/spec/classes/tripleo_certmonger_httpd.rb new file mode 100644 index 0000000..da5ce94 --- /dev/null +++ b/spec/classes/tripleo_certmonger_httpd.rb @@ -0,0 +1,63 @@ +# +# Copyright (C) 2017 Red Hat Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# Unit tests for tripleo +# + +require 'spec_helper' + +describe 'tripleo::certmonger::httpd' do + + shared_examples_for 'tripleo::certmonger::httpd' do + let :params do + { + :name => 'httpd-cert', + :hostname => 'localhost', + :service_certificate => '/etc/pki/cert.crt', + :service_key => '/etc/pki/key.pem', + } + end + + it 'should include the base for using certmonger' do + is_expected.to contain_class('certmonger') + end + + it 'should include the httpd parameters' do + is_expected.to contain_class('apache::params') + end + + it 'should request a certificate' do + is_expected.to contain_certmonger_certificate('httpd-cert').with( + :ensure => 'present', + :certfile => '/etc/pki/cert.crt', + :keyfile => '/etc/pki/key.pem', + :hostname => 'localhost', + :dnsname => 'localhost', + :ca => 'local', + :wait => true, + ) + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({}) + end + + it_behaves_like 'tripleo::certmonger::httpd' + end + end +end diff --git a/spec/classes/tripleo_certmonger_mysql.rb b/spec/classes/tripleo_certmonger_mysql.rb new file mode 100644 index 0000000..23b1e4f --- /dev/null +++ b/spec/classes/tripleo_certmonger_mysql.rb @@ -0,0 +1,64 @@ +# +# Copyright (C) 2017 Red Hat Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# Unit tests for tripleo +# + +require 'spec_helper' + +describe 'tripleo::certmonger::mysql' do + + shared_examples_for 'tripleo::certmonger::mysql' do + let :params do + { + :hostname => 'localhost', + :service_certificate => '/etc/pki/cert.crt', + :service_key => '/etc/pki/key.pem', + } + end + + it 'should include the base for using certmonger' do + is_expected.to contain_class('certmonger') + end + + it 'should include the mysql parameters' do + is_expected.to contain_class('mysql::params') + end + + it 'should request a certificate' do + is_expected.to contain_certmonger_certificate('mysql').with( + :ensure => 'present', + :certfile => '/etc/pki/cert.crt', + :keyfile => '/etc/pki/key.pem', + :hostname => 'localhost', + :dnsname => 'localhost', + :ca => 'local', + :wait => true, + ) + is_expected.to contain_file('/etc/pki/cert.crt') + is_expected.to contain_file('/etc/pki/key.pem') + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({}) + end + + it_behaves_like 'tripleo::certmonger::mysql' + end + end +end diff --git a/spec/classes/tripleo_certmonger_rabbitmq.rb b/spec/classes/tripleo_certmonger_rabbitmq.rb new file mode 100644 index 0000000..5c011ce --- /dev/null +++ b/spec/classes/tripleo_certmonger_rabbitmq.rb @@ -0,0 +1,64 @@ +# +# Copyright (C) 2017 Red Hat Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# Unit tests for tripleo +# + +require 'spec_helper' + +describe 'tripleo::certmonger::rabbitmq' do + + shared_examples_for 'tripleo::certmonger::rabbitmq' do + let :params do + { + :hostname => 'localhost', + :service_certificate => '/etc/pki/cert.crt', + :service_key => '/etc/pki/key.pem', + } + end + + it 'should include the base for using certmonger' do + is_expected.to contain_class('certmonger') + end + + it 'should include the rabbitmq parameters' do + is_expected.to contain_class('rabbitmq::params') + end + + it 'should request a certificate' do + is_expected.to contain_certmonger_certificate('rabbitmq').with( + :ensure => 'present', + :certfile => '/etc/pki/cert.crt', + :keyfile => '/etc/pki/key.pem', + :hostname => 'localhost', + :dnsname => 'localhost', + :ca => 'local', + :wait => true, + ) + is_expected.to contain_file('/etc/pki/cert.crt') + is_expected.to contain_file('/etc/pki/key.pem') + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({}) + end + + it_behaves_like 'tripleo::certmonger::rabbitmq' + end + end +end diff --git a/spec/classes/tripleo_profile_base_database_mysql_spec.rb b/spec/classes/tripleo_profile_base_database_mysql_spec.rb new file mode 100644 index 0000000..b192f6c --- /dev/null +++ b/spec/classes/tripleo_profile_base_database_mysql_spec.rb @@ -0,0 +1,75 @@ +# +# Copyright (C) 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::database::mysql' do + let :params do + { :step => 2, + :mysql_max_connections => 4096, + } + end + shared_examples_for 'tripleo::profile::base::database::mysql' do + before :each do + facts.merge!({ :step => params[:step] }) + end + + context 'with noha and raise mariadb limit' do + before do + params.merge!({ + :generate_dropin_file_limit => true + }) + end + it 'should create limit file' do + is_expected.to contain_systemd__service_limits('mariadb.service').with( + :limits => { "LimitNOFILE" => 16384 }) + end + end + + context 'with noha and do not raise mariadb limit' do + before do + params.merge!({ + :generate_dropin_file_limit => false + }) + end + it 'should not create limit file' do + is_expected.to_not contain_systemd__service_limits('mariadb.service') + end + end + + context 'with ha and raise mariadb limit' do + before do + params.merge!({ + :generate_dropin_file_limit => true, + :manage_resources => false, + }) + end + it 'should not create limit file in ha' do + is_expected.to_not contain_systemd__service_limits('mariadb.service') + end + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({ :hostname => 'node.example.com' }) + end + + it_behaves_like 'tripleo::profile::base::database::mysql' + end + end +end diff --git a/spec/classes/tripleo_profile_base_docker_spec.rb b/spec/classes/tripleo_profile_base_docker_spec.rb new file mode 100644 index 0000000..587cc29 --- /dev/null +++ b/spec/classes/tripleo_profile_base_docker_spec.rb @@ -0,0 +1,68 @@ +# Copyright 2016 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::docker' do + shared_examples_for 'tripleo::profile::base::docker' do + context 'with step 1 and defaults' do + let(:params) { { + :step => 1, + } } + + it { is_expected.to contain_class('tripleo::profile::base::docker') } + it { is_expected.to contain_package('docker') } + it { is_expected.to contain_service('docker') } + it { + is_expected.to contain_augeas('docker-sysconfig').with_changes(['rm INSECURE_REGISTRY']) + } + end + + context 'with step 1 and insecure_registry configured' do + let(:params) { { + :docker_namespace => 'foo:8787', + :insecure_registry => true, + :step => 1, + } } + + it { is_expected.to contain_class('tripleo::profile::base::docker') } + it { is_expected.to contain_package('docker') } + it { is_expected.to contain_service('docker') } + it { + is_expected.to contain_augeas('docker-sysconfig').with_changes(["set INSECURE_REGISTRY '\"--insecure-registry foo:8787\"'"]) + } + end + + context 'with step 1 and insecure_registry configured but no docker_namespace' do + let(:params) { { + :insecure_registry => true, + :step => 1, + } } + + it_raises 'a Puppet::Error', /You must provide a \$docker_namespace in order to configure insecure registry/ + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({ :hostname => 'node.example.com' }) + end + + it_behaves_like 'tripleo::profile::base::docker' + end + end +end diff --git a/spec/classes/tripleo_profile_base_neutron_opendaylight_spec.rb b/spec/classes/tripleo_profile_base_neutron_opendaylight_spec.rb new file mode 100644 index 0000000..1eb79ae --- /dev/null +++ b/spec/classes/tripleo_profile_base_neutron_opendaylight_spec.rb @@ -0,0 +1,88 @@ +# +# Copyright (C) 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::neutron::opendaylight' do + let :params do + { :step => 1, + :node_name => 'overcloud-controller-0', + } + end + shared_examples_for 'tripleo::profile::base::neutron::opendaylight' do + before :each do + facts.merge!({ :step => params[:step] }) + end + + context 'with noha' do + before do + params.merge!({ + :odl_api_ips => ['192.0.2.5'] + }) + end + it 'should install and configure opendaylight' do + is_expected.to contain_class('opendaylight') + end + end + + context 'with empty OpenDaylight API IPs' do + before do + params.merge!({ + :odl_api_ips => [] + }) + end + it 'should fail to install OpenDaylight' do + is_expected.to compile.and_raise_error(/No IPs assigned to OpenDaylight Api Service/) + end + end + + context 'with 2 OpenDaylight API IPs' do + before do + params.merge!({ + :odl_api_ips => ['192.0.2.5', '192.0.2.6'] + }) + end + it 'should fail to install OpenDaylight' do + is_expected.to compile.and_raise_error(/2 node OpenDaylight deployments are unsupported. Use 1 or greater than 2/) + end + end + + context 'with HA and 3 OpenDaylight API IPs' do + before do + params.merge!({ + :odl_api_ips => ['192.0.2.5', '192.0.2.6', '192.0.2.7'] + }) + end + it 'should install and configure OpenDaylight in HA' do + is_expected.to contain_class('opendaylight').with( + :enable_ha => true, + :ha_node_ips => params[:odl_api_ips], + :ha_node_index => '1', + ) + end + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({ :hostname => 'node.example.com' }) + end + + it_behaves_like 'tripleo::profile::base::neutron::opendaylight' + end + end +end diff --git a/spec/classes/tripleo_profile_base_nova_compute_spec.rb b/spec/classes/tripleo_profile_base_nova_compute_spec.rb index d052682..545a1fa 100644 --- a/spec/classes/tripleo_profile_base_nova_compute_spec.rb +++ b/spec/classes/tripleo_profile_base_nova_compute_spec.rb @@ -27,6 +27,7 @@ describe 'tripleo::profile::base::nova::compute' do is_expected.to_not contain_class('tripleo::profile::base::nova') is_expected.to_not contain_class('nova::compute') is_expected.to_not contain_class('nova::network::neutron') + is_expected.to_not contain_package('iscsi-initiator-utils') is_expected.to_not contain_exec('reset-iscsi-initiator-name') is_expected.to_not contain_file('/etc/iscsi/.initiator_reset') } @@ -51,6 +52,7 @@ eos is_expected.to contain_class('tripleo::profile::base::nova') is_expected.to contain_class('nova::compute') is_expected.to contain_class('nova::network::neutron') + is_expected.to contain_package('iscsi-initiator-utils') is_expected.to contain_exec('reset-iscsi-initiator-name') is_expected.to contain_file('/etc/iscsi/.initiator_reset') is_expected.to_not contain_package('nfs-utils') @@ -66,6 +68,7 @@ eos is_expected.to contain_class('tripleo::profile::base::nova') is_expected.to contain_class('nova::compute') is_expected.to contain_class('nova::network::neutron') + is_expected.to contain_package('iscsi-initiator-utils') is_expected.to contain_exec('reset-iscsi-initiator-name') is_expected.to contain_file('/etc/iscsi/.initiator_reset') is_expected.to contain_package('nfs-utils') diff --git a/spec/classes/tripleo_profile_base_nova_placement_spec.rb b/spec/classes/tripleo_profile_base_nova_placement_spec.rb index 2a18320..04e032a 100644 --- a/spec/classes/tripleo_profile_base_nova_placement_spec.rb +++ b/spec/classes/tripleo_profile_base_nova_placement_spec.rb @@ -49,7 +49,6 @@ eos let(:params) { { :step => 1, :enable_internal_tls => true, - :generate_service_certificates => true, :nova_placement_network => 'bar', :certificates_specs => { 'httpd-bar' => { @@ -63,7 +62,6 @@ eos it { is_expected.to contain_class('tripleo::profile::base::nova::placement') is_expected.to contain_class('tripleo::profile::base::nova') - is_expected.to contain_tripleo__certmonger__httpd('httpd-bar') is_expected.to_not contain_class('nova::keystone::authtoken') is_expected.to_not contain_class('nova::wsgi::apache_placement') } @@ -87,7 +85,6 @@ eos let(:params) { { :step => 3, :enable_internal_tls => true, - :generate_service_certificates => false, :nova_placement_network => 'bar', :certificates_specs => { 'httpd-bar' => { @@ -102,7 +99,6 @@ eos it { is_expected.to contain_class('tripleo::profile::base::nova::placement') is_expected.to contain_class('tripleo::profile::base::nova') - is_expected.to_not contain_tripleo__certmonger__httpd('foo') is_expected.to contain_class('nova::keystone::authtoken') is_expected.to contain_class('nova::wsgi::apache_placement').with( :ssl_cert => '/foo.pem', diff --git a/spec/classes/tripleo_profile_base_time_ntp_spec.rb b/spec/classes/tripleo_profile_base_time_ntp_spec.rb new file mode 100644 index 0000000..ec4b55f --- /dev/null +++ b/spec/classes/tripleo_profile_base_time_ntp_spec.rb @@ -0,0 +1,39 @@ +# +# Copyright (C) 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::time::ntp' do + shared_examples_for 'tripleo::profile::base::time::ntp' do + + context 'with defaults' do + it { is_expected.to contain_class('tripleo::profile::base::time::ntp') } + it { is_expected.to contain_service('chronyd').with( + :ensure => 'stopped', + :enable => false) } + it { is_expected.to contain_class('ntp') } + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let (:facts) { + facts + } + it_behaves_like 'tripleo::profile::base::time::ntp' + end + end +end |