diff options
Diffstat (limited to 'manifests/profile/base')
43 files changed, 1158 insertions, 200 deletions
diff --git a/manifests/profile/base/aodh.pp b/manifests/profile/base/aodh.pp index 281e069..6e70b50 100644 --- a/manifests/profile/base/aodh.pp +++ b/manifests/profile/base/aodh.pp @@ -28,8 +28,8 @@ # Defaults to hiera('bootstrap_nodeid') # # [*rabbit_hosts*] -# list of the rabbbit host IPs -# Defaults to hiera('rabbitmq_node_ips') +# list of the rabbbit host fqdns +# Defaults to hiera('rabbitmq_node_names') # # [*rabbit_port*] # IP port for rabbitmq service @@ -38,7 +38,7 @@ class tripleo::profile::base::aodh ( $step = hiera('step'), $bootstrap_node = hiera('bootstrap_nodeid', undef), - $rabbit_hosts = hiera('rabbitmq_node_ips', undef), + $rabbit_hosts = hiera('rabbitmq_node_names', undef), $rabbit_port = hiera('aodh::rabbit_port', 5672), ) { @@ -49,7 +49,7 @@ class tripleo::profile::base::aodh ( } if $step >= 4 or ($step >= 3 and $sync_db) { - $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") + $rabbit_endpoints = suffix(any2array($rabbit_hosts), ":${rabbit_port}") class { '::aodh' : rabbit_hosts => $rabbit_endpoints, } diff --git a/manifests/profile/base/aodh/api.pp b/manifests/profile/base/aodh/api.pp index 06dcfe5..af4a5b3 100644 --- a/manifests/profile/base/aodh/api.pp +++ b/manifests/profile/base/aodh/api.pp @@ -52,10 +52,6 @@ # for more details. # Defaults to hiera('step') # -# [*enable_combination_alarms*] -# (optional) Setting to enable combination alarms -# Defaults to: false -# class tripleo::profile::base::aodh::api ( $aodh_network = hiera('aodh_api_network', undef), @@ -63,7 +59,6 @@ class tripleo::profile::base::aodh::api ( $enable_internal_tls = hiera('enable_internal_tls', false), $generate_service_certificates = hiera('generate_service_certificates', false), $step = hiera('step'), - $enable_combination_alarms = false, ) { include ::tripleo::profile::base::aodh @@ -90,12 +85,5 @@ class tripleo::profile::base::aodh::api ( ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, } - - #NOTE: Combination alarms are deprecated in newton and disabled by default. - # we need a way to override this setting for users still using this type - # of alarms. - aodh_config { - 'api/enable_combination_alarms' : value => $enable_combination_alarms; - } } } diff --git a/manifests/profile/base/barbican/api.pp b/manifests/profile/base/barbican/api.pp index 470e649..b464317 100644 --- a/manifests/profile/base/barbican/api.pp +++ b/manifests/profile/base/barbican/api.pp @@ -18,18 +18,51 @@ # # === Parameters # +# [*barbican_network*] +# (Optional) The network name where the barbican endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('barbican_api_network', undef) +# # [*bootstrap_node*] # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*generate_service_certificates*] +# (Optional) Whether or not certmonger will generate certificates for +# HAProxy. This could be as many as specified by the $certificates_specs +# variable. +# Note that this doesn't configure the certificates in haproxy, it merely +# creates the certificates. +# Defaults to hiera('generate_service_certificate', false). +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. # Defaults to hiera('step') # class tripleo::profile::base::barbican::api ( - $bootstrap_node = hiera('bootstrap_nodeid', undef), - $step = hiera('step'), + $barbican_network = hiera('barbican_api_network', undef), + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $generate_service_certificates = hiera('generate_service_certificates', false), + $step = hiera('step'), ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -37,6 +70,21 @@ class tripleo::profile::base::barbican::api ( $sync_db = false } + if $enable_internal_tls { + if $generate_service_certificates { + ensure_resources('tripleo::certmonger::httpd', $certificates_specs) + } + + if !$barbican_network { + fail('barbican_api_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${barbican_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${barbican_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + include ::tripleo::profile::base::barbican if $step >= 3 and $sync_db { @@ -51,6 +99,9 @@ class tripleo::profile::base::barbican::api ( include ::barbican::api::logging include ::barbican::keystone::notification include ::barbican::quota - include ::barbican::wsgi::apache + class { '::barbican::wsgi::apache': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, + } } } diff --git a/manifests/profile/base/ceilometer.pp b/manifests/profile/base/ceilometer.pp index 392d0c7..bbe7f27 100644 --- a/manifests/profile/base/ceilometer.pp +++ b/manifests/profile/base/ceilometer.pp @@ -24,8 +24,8 @@ # Defaults to hiera('step') # # [*rabbit_hosts*] -# list of the rabbbit host IPs -# Defaults to hiera('rabbitmq_node_ips') +# list of the rabbbit host fqdns +# Defaults to hiera('rabbitmq_node_names') # # [*rabbit_port*] # IP port for rabbitmq service @@ -33,12 +33,12 @@ class tripleo::profile::base::ceilometer ( $step = hiera('step'), - $rabbit_hosts = hiera('rabbitmq_node_ips', undef), + $rabbit_hosts = hiera('rabbitmq_node_names', undef), $rabbit_port = hiera('ceilometer::rabbit_port', 5672), ) { if $step >= 3 { - $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") + $rabbit_endpoints = suffix(any2array($rabbit_hosts), ":${rabbit_port}") class { '::ceilometer' : rabbit_hosts => $rabbit_endpoints, } diff --git a/manifests/profile/base/ceilometer/api.pp b/manifests/profile/base/ceilometer/api.pp index 6ef4748..2e7986b 100644 --- a/manifests/profile/base/ceilometer/api.pp +++ b/manifests/profile/base/ceilometer/api.pp @@ -18,6 +18,10 @@ # # === Parameters # +# [*enable_legacy_api*] +# (Optional) Enable legacy ceilometer api service. +# Defaults to hiera('enable_legacy_api', false) +# # [*ceilometer_network*] # (Optional) The network name where the ceilometer endpoint is listening on. # This is set by t-h-t. @@ -53,6 +57,7 @@ # Defaults to hiera('step') # class tripleo::profile::base::ceilometer::api ( + $enable_legacy_api = hiera('enable_legacy_ceilometer_api', false), $ceilometer_network = hiera('ceilometer_api_network', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), @@ -76,7 +81,7 @@ class tripleo::profile::base::ceilometer::api ( $tls_keyfile = undef } - if $step >= 4 { + if $step >= 4 and $enable_legacy_api { include ::ceilometer::api class { '::ceilometer::wsgi::apache': ssl_cert => $tls_certfile, diff --git a/manifests/profile/base/ceilometer/collector.pp b/manifests/profile/base/ceilometer/collector.pp index 3c0a361..20eab54 100644 --- a/manifests/profile/base/ceilometer/collector.pp +++ b/manifests/profile/base/ceilometer/collector.pp @@ -68,19 +68,8 @@ class tripleo::profile::base::ceilometer::collector ( if !$mongodb_replset { fail('mongodb_replset is required when using mongodb') } - # NOTE(gfidente): We need to pass the list of IPv6 addresses *with* port - # and without the brackets as 'members' argument for the 'mongodb_replset' - # resource. - if str2bool($mongodb_ipv6) { - $mongo_node_ips_with_port_prefixed = prefix($mongodb_node_ips, '[') - $mongo_node_ips_with_port = suffix($mongo_node_ips_with_port_prefixed, ']:27017') - $mongo_node_ips_with_port_nobr = suffix($mongodb_node_ips, ':27017') - } else { - $mongo_node_ips_with_port = suffix($mongodb_node_ips, ':27017') - $mongo_node_ips_with_port_nobr = suffix($mongodb_node_ips, ':27017') - } - $mongo_node_string = join($mongo_node_ips_with_port, ',') - + $mongo_nodes = suffix(any2array(normalize_ip_for_uri($mongodb_node_ips)), ':27017') + $mongo_node_string = join($mongo_nodes, ',') $ceilometer_mongodb_conn_string = "mongodb://${mongo_node_string}/ceilometer?replicaSet=${mongodb_replset}" class { '::ceilometer::db' : diff --git a/manifests/profile/base/ceph/mds.pp b/manifests/profile/base/ceph/mds.pp new file mode 100644 index 0000000..c5c7654 --- /dev/null +++ b/manifests/profile/base/ceph/mds.pp @@ -0,0 +1,35 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::ceph::mds +# +# Ceph MDS profile for tripleo +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::ceph::mds ( + $step = hiera('step'), +) { + + include ::tripleo::profile::base::ceph + + if $step >= 3 { + include ::ceph::profile::mds + } +} diff --git a/manifests/profile/base/ceph/rgw.pp b/manifests/profile/base/ceph/rgw.pp index 7cd2b6a..8443de0 100644 --- a/manifests/profile/base/ceph/rgw.pp +++ b/manifests/profile/base/ceph/rgw.pp @@ -18,9 +18,21 @@ # # === Parameters # +# [*civetweb_bind_ip*] +# IP address where to bind the RGW civetweb instance +# (Optional) Defaults to 127.0.0.1 +# +# [*civetweb_bind_port*] +# PORT where to bind the RGW civetweb instance +# (Optional) Defaults to 8080 +# # [*keystone_admin_token*] # The keystone admin token # +# [*rgw_keystone_version*] The api version for keystone. +# Possible values 'v2.0', 'v3' +# Optional. Default is 'v2.0' +# # [*keystone_url*] # The internal or admin url for keystone # @@ -36,14 +48,24 @@ class tripleo::profile::base::ceph::rgw ( $keystone_admin_token, $keystone_url, $rgw_key, - $step = hiera('step'), + $civetweb_bind_ip = '127.0.0.1', + $civetweb_bind_port = '8080', + $rgw_keystone_version = 'v2.0', + $step = hiera('step'), ) { include ::tripleo::profile::base::ceph if $step >= 3 { - include ::ceph::profile::rgw $rgw_name = hiera('ceph::profile::params::rgw_name', 'radosgw.gateway') + $civetweb_bind_ip_real = normalize_ip_for_uri($civetweb_bind_ip) + include ::ceph::params + include ::ceph::profile::base + ceph::rgw { $rgw_name: + frontend_type => 'civetweb', + rgw_frontends => "civetweb port=${civetweb_bind_ip_real}:${civetweb_bind_port}", + user => 'ceph', + } ceph::key { "client.${rgw_name}": secret => $rgw_key, cap_mon => 'allow *', @@ -53,11 +75,24 @@ class tripleo::profile::base::ceph::rgw ( } if $step >= 4 { - ceph::rgw::keystone { $rgw_name: - rgw_keystone_accepted_roles => ['admin', '_member_', 'Member'], - use_pki => false, - rgw_keystone_admin_token => $keystone_admin_token, - rgw_keystone_url => $keystone_url, + if $rgw_keystone_version == 'v2.0' { + ceph::rgw::keystone { $rgw_name: + rgw_keystone_accepted_roles => ['admin', '_member_', 'Member'], + use_pki => false, + rgw_keystone_admin_token => $keystone_admin_token, + rgw_keystone_url => $keystone_url, + user => 'ceph', + } + } + else + { + ceph::rgw::keystone { $rgw_name: + rgw_keystone_accepted_roles => ['admin', '_member_', 'Member'], + use_pki => false, + rgw_keystone_url => $keystone_url, + rgw_keystone_version => $rgw_keystone_version, + user => 'ceph', + } } } } diff --git a/manifests/profile/base/cinder.pp b/manifests/profile/base/cinder.pp index 8023fcc..6a821f3 100644 --- a/manifests/profile/base/cinder.pp +++ b/manifests/profile/base/cinder.pp @@ -31,8 +31,8 @@ # Defaults to hiera('step') # # [*rabbit_hosts*] -# list of the rabbbit host IPs -# Defaults to hiera('rabbitmq_node_ips') +# list of the rabbbit host fqdns +# Defaults to hiera('rabbitmq_node_names') # # [*rabbit_port*] # IP port for rabbitmq service @@ -42,7 +42,7 @@ class tripleo::profile::base::cinder ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $cinder_enable_db_purge = true, $step = hiera('step'), - $rabbit_hosts = hiera('rabbitmq_node_ips', undef), + $rabbit_hosts = hiera('rabbitmq_node_names', undef), $rabbit_port = hiera('cinder::rabbit_port', 5672), ) { if $::hostname == downcase($bootstrap_node) { @@ -52,7 +52,7 @@ class tripleo::profile::base::cinder ( } if $step >= 4 or ($step >= 3 and $sync_db) { - $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") + $rabbit_endpoints = suffix(any2array($rabbit_hosts), ":${rabbit_port}") class { '::cinder' : rabbit_hosts => $rabbit_endpoints, } diff --git a/manifests/profile/base/cinder/api.pp b/manifests/profile/base/cinder/api.pp index 8fcc7d6..5ea2058 100644 --- a/manifests/profile/base/cinder/api.pp +++ b/manifests/profile/base/cinder/api.pp @@ -22,14 +22,47 @@ # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*cinder_api_network*] +# (Optional) The network name where the cinder API endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('cinder_api_network', undef) +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*generate_service_certificates*] +# (Optional) Whether or not certmonger will generate certificates for +# HAProxy. This could be as many as specified by the $certificates_specs +# variable. +# Note that this doesn't configure the certificates in haproxy, it merely +# creates the certificates. +# Defaults to hiera('generate_service_certificate', false). +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. # Defaults to hiera('step') # class tripleo::profile::base::cinder::api ( - $bootstrap_node = hiera('bootstrap_nodeid', undef), - $step = hiera('step'), + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $certificates_specs = hiera('apache_certificates_specs', {}), + $cinder_api_network = hiera('cinder_api_network', undef), + $enable_internal_tls = hiera('enable_internal_tls', false), + $generate_service_certificates = hiera('generate_service_certificates', false), + $step = hiera('step'), ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -39,9 +72,27 @@ class tripleo::profile::base::cinder::api ( include ::tripleo::profile::base::cinder + if $enable_internal_tls { + if $generate_service_certificates { + ensure_resources('tripleo::certmonger::httpd', $certificates_specs) + } + + if !$cinder_api_network { + fail('cinder_api_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${cinder_api_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${cinder_api_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + if $step >= 4 or ($step >= 3 and $sync_db) { include ::cinder::api - include ::cinder::wsgi::apache + class { '::cinder::wsgi::apache': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, + } include ::cinder::ceilometer include ::cinder::glance } diff --git a/manifests/profile/base/cinder/volume.pp b/manifests/profile/base/cinder/volume.pp index 7d562ec..7663b6f 100644 --- a/manifests/profile/base/cinder/volume.pp +++ b/manifests/profile/base/cinder/volume.pp @@ -22,6 +22,10 @@ # (Optional) Whether to enable the delsc backend # Defaults to true # +# [*cinder_enable_hpelefthand_backend*] +# (Optional) Whether to enable the hpelefthand backend +# Defaults to false +# # [*cinder_enable_eqlx_backend*] # (Optional) Whether to enable the eqlx backend # Defaults to true @@ -52,14 +56,15 @@ # Defaults to hiera('step') # class tripleo::profile::base::cinder::volume ( - $cinder_enable_dellsc_backend = false, - $cinder_enable_eqlx_backend = false, - $cinder_enable_iscsi_backend = true, - $cinder_enable_netapp_backend = false, - $cinder_enable_nfs_backend = false, - $cinder_enable_rbd_backend = false, - $cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef), - $step = hiera('step'), + $cinder_enable_dellsc_backend = false, + $cinder_enable_hpelefthand_backend = false, + $cinder_enable_eqlx_backend = false, + $cinder_enable_iscsi_backend = true, + $cinder_enable_netapp_backend = false, + $cinder_enable_nfs_backend = false, + $cinder_enable_rbd_backend = false, + $cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef), + $step = hiera('step'), ) { include ::tripleo::profile::base::cinder @@ -73,6 +78,13 @@ class tripleo::profile::base::cinder::volume ( $cinder_dellsc_backend_name = undef } + if $cinder_enable_hpelefthand_backend { + include ::tripleo::profile::base::cinder::volume::hpelefthand + $cinder_hpelefthand_backend_name = hiera('cinder::backend::hpelefthand_iscsi::volume_backend_name', 'tripleo_hpelefthand') + } else { + $cinder_hpelefthand_backend_name = undef + } + if $cinder_enable_eqlx_backend { include ::tripleo::profile::base::cinder::volume::eqlx $cinder_eqlx_backend_name = hiera('cinder::backend::eqlx::volume_backend_name', 'tripleo_eqlx') @@ -108,13 +120,20 @@ class tripleo::profile::base::cinder::volume ( $cinder_rbd_backend_name = undef } - $cinder_enabled_backends = delete_undef_values([$cinder_iscsi_backend_name, - $cinder_rbd_backend_name, - $cinder_eqlx_backend_name, - $cinder_dellsc_backend_name, - $cinder_netapp_backend_name, - $cinder_nfs_backend_name, - $cinder_user_enabled_backends]) + $backends = delete_undef_values([$cinder_iscsi_backend_name, + $cinder_rbd_backend_name, + $cinder_eqlx_backend_name, + $cinder_dellsc_backend_name, + $cinder_hpelefthand_backend_name, + $cinder_netapp_backend_name, + $cinder_nfs_backend_name, + $cinder_user_enabled_backends]) + # NOTE(aschultz): during testing it was found that puppet 3 may incorrectly + # include a "" in the previous array which is not removed by the + # delete_undef_values function. So we need to make sure we don't have any + # "" strings in our array. + $cinder_enabled_backends = delete($backends, '') + class { '::cinder::backends' : enabled_backends => $cinder_enabled_backends, } diff --git a/manifests/profile/base/cinder/volume/hpelefthand.pp b/manifests/profile/base/cinder/volume/hpelefthand.pp new file mode 100644 index 0000000..32f0976 --- /dev/null +++ b/manifests/profile/base/cinder/volume/hpelefthand.pp @@ -0,0 +1,71 @@ +# Copyright 2016 Hewlett-Packard Enterprise. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::cinder::volume::hpelefthand +# +# Cinder Volume hpelefthand profile for tripleo +# +# === Parameters +# +# [*backend_name*] +# (Optional) Name given to the Cinder backend stanza +# Defaults to 'tripleo_hpelefthand' +# +# [*cinder_hpelefthand_api_url*] +# (required) url for api access to lefthand - example https://10.x.x.x:8080/api/v1 +# +# [*cinder_hpelefthand_username*] +# (required) Username for HPElefthand admin user +# +# [*cinder_hpelefthand_password*] +# (required) Password for hpelefthand_username +# +# [*cinder_hpelefthand_iscsi_chap_enabled*] +# (required) setting to false by default +# +# [*cinder_hpelefthand_clustername*] +# (required) clustername of hpelefthand +# +# [*cinder_hpelefthand_debug*] +# (required) setting to false by default +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::cinder::volume::hpelefthand ( + $backend_name = hiera('cinder::backend::hpelefthand_iscsi::volume_backend_name', 'tripleo_hpelefthand'), + $cinder_hpelefthand_username = hiera('cinder::backend::hpelefthand_iscsi::hpelefthand_username', undef), + $cinder_hpelefthand_password = hiera('cinder::backend::hpelefthand_iscsi::hpelefthand_password', undef), + $cinder_hpelefthand_clustername = hiera('cinder::backend::hpelefthand_iscsi::hpelefthand_clustername', undef), + $cinder_hpelefthand_api_url = hiera('cinder::backend::hpelefthand_iscsi::hpelefthand_api_url', undef), + $cinder_hpelefthand_iscsi_chap_enabled = hiera('cinder::backend::hpelefthand_iscsi::hpelefthand_iscsi_chap_enabled', undef), + $cinder_hpelefthand_debug = hiera('cinder::backend::hpelefthand_iscsi::hpelefthand_debug', undef), + $step = hiera('step'), +) { + include ::tripleo::profile::base::cinder::volume + + if $step >= 4 { + cinder::backend::hpelefthand_iscsi { $backend_name : + hpelefthand_username => $cinder_hpelefthand_username, + hpelefthand_password => $cinder_hpelefthand_password, + hpelefthand_clustername => $cinder_hpelefthand_clustername, + hpelefthand_api_url => $cinder_hpelefthand_api_url, + hpelefthand_iscsi_chap_enabled => $cinder_hpelefthand_iscsi_chap_enabled, + hpelefthand_debug => $cinder_hpelefthand_debug, + } + } + +} diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp index 9da1456..1692108 100644 --- a/manifests/profile/base/database/mysql.pp +++ b/manifests/profile/base/database/mysql.pp @@ -26,6 +26,28 @@ # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') # +# [*certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate +# it will create. Note that the certificate nickname must be 'mysql' in +# the case of this service. +# Example with hiera: +# tripleo::profile::base::database::mysql::certificate_specs: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "mysql/<overcloud controller fqdn>" +# Defaults to {}. +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*generate_service_certificates*] +# (Optional) Whether or not certmonger will generate certificates for +# MySQL. This could be as many as specified by the $certificates_specs +# variable. +# Defaults to hiera('generate_service_certificate', false). +# # [*manage_resources*] # (Optional) Whether or not manage root user, root my.cnf, and service. # Defaults to true @@ -44,13 +66,17 @@ # for more details. # Defaults to hiera('step') # +# class tripleo::profile::base::database::mysql ( - $bind_address = $::hostname, - $bootstrap_node = hiera('bootstrap_nodeid', undef), - $manage_resources = true, - $mysql_server_options = {}, - $remove_default_accounts = true, - $step = hiera('step'), + $bind_address = $::hostname, + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $certificate_specs = {}, + $enable_internal_tls = hiera('enable_internal_tls', false), + $generate_service_certificates = hiera('generate_service_certificates', false), + $manage_resources = true, + $mysql_server_options = {}, + $remove_default_accounts = true, + $step = hiera('step'), ) { if $::hostname == downcase($bootstrap_node) { @@ -60,6 +86,18 @@ class tripleo::profile::base::database::mysql ( } validate_hash($mysql_server_options) + validate_hash($certificate_specs) + + if $enable_internal_tls { + if $generate_service_certificates { + ensure_resource('class', 'tripleo::certmonger::mysql', $certificate_specs) + } + $tls_certfile = $certificate_specs['service_certificate'] + $tls_keyfile = $certificate_specs['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } # non-ha scenario if $manage_resources { @@ -84,6 +122,10 @@ class tripleo::profile::base::database::mysql ( 'bind-address' => $bind_address, 'max_connections' => hiera('mysql_max_connections'), 'open_files_limit' => '-1', + 'ssl' => $enable_internal_tls, + 'ssl-key' => $tls_keyfile, + 'ssl-cert' => $tls_certfile, + 'ssl-ca' => undef, } } $mysql_server_options_real = deep_merge($mysql_server_default, $mysql_server_options) @@ -109,7 +151,7 @@ class tripleo::profile::base::database::mysql ( if hiera('cinder_api_enabled', false) { include ::cinder::db::mysql } - if hiera('glance_registry_enabled', false) { + if hiera('glance_api_enabled', false) { include ::glance::db::mysql } if hiera('gnocchi_api_enabled', false) { @@ -137,12 +179,18 @@ class tripleo::profile::base::database::mysql ( include ::nova::db::mysql include ::nova::db::mysql_api } + if hiera('nova_placement_enabled', false) { + include ::nova::db::mysql_placement + } if hiera('sahara_api_enabled', false) { include ::sahara::db::mysql } if hiera('trove_api_enabled', false) { include ::trove::db::mysql } + if hiera('panko_api_enabled', false) { + include ::panko::db::mysql + } } } diff --git a/manifests/profile/base/docker_registry.pp b/manifests/profile/base/docker_registry.pp new file mode 100644 index 0000000..05a516d --- /dev/null +++ b/manifests/profile/base/docker_registry.pp @@ -0,0 +1,73 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::docker_registry +# +# Docker Registry profile for tripleo +# +# === Parameters: +# +# [*registry_host*] +# (String) IP address on which the Docker registry is listening on +# Defaults to hiera('controller_host') +# +# [*registry_port*] +# (Integer) The port on which the Docker registry is listening on +# Defaults to 8787 +# +# [*controller_admin_vip*] +# (String) VIP of the host +# Defaults to hiera('controller_admin_vip') +# +class tripleo::profile::base::docker_registry ( + $registry_host = hiera('controller_host'), + $registry_port = 8787, + $controller_admin_vip = hiera('controller_admin_vip'), +) { + # We want a v2 registry + package{'docker-registry': + ensure => absent, + } + package{'docker-distribution': } + package{'docker': } + file { '/etc/docker-distribution/registry/config.yml' : + ensure => file, + content => template('tripleo/docker_distribution/registry_config.yml.erb'), + owner => 'root', + group => 'root', + mode => '0644', + require => Package['docker-distribution'], + notify => Service['docker-distribution'], + } + file_line { 'docker insecure registry': + path => '/etc/sysconfig/docker', + line => join ([ + 'INSECURE_REGISTRY="', + '--insecure-registry ', $registry_host, ':', $registry_port, ' ', + '--insecure-registry ', $controller_admin_vip, ':', $registry_port, '"']), + match => 'INSECURE_REGISTRY=', + require => Package['docker'], + notify => Service['docker'], + } + service { 'docker-distribution': + ensure => running, + enable => true, + require => Package['docker-distribution'], + } + service { 'docker': + ensure => running, + enable => true, + require => Package['docker'], + } +} diff --git a/manifests/profile/base/glance/api.pp b/manifests/profile/base/glance/api.pp index af3b0ac..8945fff 100644 --- a/manifests/profile/base/glance/api.pp +++ b/manifests/profile/base/glance/api.pp @@ -18,6 +18,10 @@ # # === Parameters # +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# # [*glance_backend*] # (Optional) Glance backend(s) to use. # Defaults to downcase(hiera('glance_backend', 'swift')) @@ -32,26 +36,33 @@ # Defaults to hiera('step') # # [*rabbit_hosts*] -# list of the rabbbit host IPs -# Defaults to hiera('rabbitmq_node_ips') +# list of the rabbbit host fqdns +# Defaults to hiera('rabbitmq_node_names') # # [*rabbit_port*] # IP port for rabbitmq service # Defaults to hiera('glance::notify::rabbitmq::rabbit_port', 5672) class tripleo::profile::base::glance::api ( + $bootstrap_node = hiera('bootstrap_nodeid', undef), $glance_backend = downcase(hiera('glance_backend', 'swift')), $glance_nfs_enabled = false, $step = hiera('step'), - $rabbit_hosts = hiera('rabbitmq_node_ips', undef), + $rabbit_hosts = hiera('rabbitmq_node_names', undef), $rabbit_port = hiera('glance::notify::rabbitmq::rabbit_port', 5672), ) { + if $::hostname == downcase($bootstrap_node) { + $sync_db = true + } else { + $sync_db = false + } + if $step >= 1 and $glance_nfs_enabled { include ::tripleo::glance::nfs_mount } - if $step >= 4 { + if $step >= 4 or ($step >= 3 and $sync_db) { case $glance_backend { 'swift': { $backend_store = 'glance.store.swift.Store' } 'file': { $backend_store = 'glance.store.filesystem.Store' } @@ -65,9 +76,10 @@ class tripleo::profile::base::glance::api ( include ::glance include ::glance::config class { '::glance::api': - stores => $glance_store, + stores => $glance_store, + sync_db => $sync_db, } - $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") + $rabbit_endpoints = suffix(any2array($rabbit_hosts), ":${rabbit_port}") class { '::glance::notify::rabbitmq' : rabbit_hosts => $rabbit_endpoints, } diff --git a/manifests/profile/base/glance/registry.pp b/manifests/profile/base/glance/registry.pp index 9e2be9d..cd40aeb 100644 --- a/manifests/profile/base/glance/registry.pp +++ b/manifests/profile/base/glance/registry.pp @@ -19,6 +19,7 @@ # === Parameters # # [*bootstrap_node*] +# DEPRECATED # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') # @@ -32,23 +33,16 @@ # Defaults to hiera('step') # class tripleo::profile::base::glance::registry ( - $bootstrap_node = hiera('bootstrap_nodeid', undef), + $bootstrap_node = undef, $glance_backend = downcase(hiera('glance_backend', 'swift')), $step = hiera('step'), ) { - if $::hostname == downcase($bootstrap_node) { - $sync_db = true - } else { - $sync_db = false - } - if $step >= 4 or ( $step >= 3 and $sync_db ) { + if $step >= 4 { # TODO: notifications, scrubber, etc. include ::glance include ::glance::config - class { '::glance::registry' : - sync_db => $sync_db, - } + include ::glance::registry include ::glance::notify::rabbitmq include join(['::glance::backend::', $glance_backend]) } diff --git a/manifests/profile/base/heat.pp b/manifests/profile/base/heat.pp index 00a9809..6e7e5f6 100644 --- a/manifests/profile/base/heat.pp +++ b/manifests/profile/base/heat.pp @@ -36,8 +36,8 @@ # Defaults to hiera('step') # # [*rabbit_hosts*] -# list of the rabbbit host IPs -# Defaults to hiera('rabbitmq_node_ips') +# list of the rabbbit host fqdns +# Defaults to hiera('rabbitmq_node_names') # # [*rabbit_port*] # IP port for rabbitmq service @@ -48,7 +48,7 @@ class tripleo::profile::base::heat ( $manage_db_purge = hiera('heat_enable_db_purge', true), $notification_driver = 'messaging', $step = hiera('step'), - $rabbit_hosts = hiera('rabbitmq_node_ips', undef), + $rabbit_hosts = hiera('rabbitmq_node_names', undef), $rabbit_port = hiera('heat::rabbit_port', 5672), ) { # Domain resources will be created at step5 on the node running keystone.pp @@ -59,10 +59,8 @@ class tripleo::profile::base::heat ( manage_user => false, manage_role => false, } - } - if $step >= 4 { - $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") + $rabbit_endpoints = suffix(any2array($rabbit_hosts), ":${rabbit_port}") class { '::heat' : notification_driver => $notification_driver, rabbit_hosts => $rabbit_endpoints, diff --git a/manifests/profile/base/ironic.pp b/manifests/profile/base/ironic.pp index 7b44421..5db1e1f 100644 --- a/manifests/profile/base/ironic.pp +++ b/manifests/profile/base/ironic.pp @@ -27,8 +27,8 @@ # Defaults to hiera('step') # # [*rabbit_hosts*] -# list of the rabbbit host IPs -# Defaults to hiera('rabbitmq_node_ips') +# list of the rabbbit host fqdns +# Defaults to hiera('rabbitmq_node_names') # # [*rabbit_port*] # IP port for rabbitmq service @@ -37,7 +37,7 @@ class tripleo::profile::base::ironic ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $step = hiera('step'), - $rabbit_hosts = hiera('rabbitmq_node_ips', undef), + $rabbit_hosts = hiera('rabbitmq_node_names', undef), $rabbit_port = hiera('ironic::rabbit_port', 5672), ) { # Database is accessed by both API and conductor, hence it's here. @@ -48,7 +48,7 @@ class tripleo::profile::base::ironic ( } if $step >= 4 or ($step >= 3 and $sync_db) { - $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") + $rabbit_endpoints = suffix(any2array($rabbit_hosts), ":${rabbit_port}") class { '::ironic': sync_db => $sync_db, rabbit_hosts => $rabbit_endpoints, diff --git a/manifests/profile/base/keepalived.pp b/manifests/profile/base/keepalived.pp index f2063d6..8dd03dc 100644 --- a/manifests/profile/base/keepalived.pp +++ b/manifests/profile/base/keepalived.pp @@ -27,13 +27,54 @@ # for more details. # Defaults to hiera('step') # +# [*control_virtual_interface*] +# (Optional) Interface specified for control plane network +# Defaults to hiera('tripleo::keepalived::control_virtual_interface', false) +# +# [*control_virtual_ip*] +# Virtual IP address used for control plane network +# Defaults to hiera('tripleo::keepalived::controller_virtual_ip') +# +# [*public_virtual_interface*] +# (Optional) Interface specified for public/external network +# Defaults to hiera('tripleo::keepalived::public_virtual_interface', false) +# +# [*public_virtual_ip*] +# Virtual IP address used for public/ network +# Defaults to hiera('tripleo::keepalived::public_virtual_ip') +# class tripleo::profile::base::keepalived ( - $enable_load_balancer = hiera('enable_load_balancer', true), - $step = hiera('step'), + $enable_load_balancer = hiera('enable_load_balancer', true), + $control_virtual_interface = hiera('tripleo::keepalived::control_virtual_interface', false), + $control_virtual_ip = hiera('tripleo::keepalived::controller_virtual_ip'), + $public_virtual_interface = hiera('tripleo::keepalived::public_virtual_interface', false), + $public_virtual_ip = hiera('tripleo::keepalived::public_virtual_ip'), + $step = hiera('step'), ) { if $step >= 1 { if $enable_load_balancer and hiera('enable_keepalived', true){ - include ::tripleo::keepalived + if ! $control_virtual_interface { + $control_detected_interface = interface_for_ip($control_virtual_ip) + if ! $control_detected_interface { + fail('Unable to find interface for control plane network') + } + } else { + $control_detected_interface = $control_virtual_interface + } + + if ! $public_virtual_interface { + $public_detected_interface = interface_for_ip($public_virtual_ip) + if ! $public_detected_interface { + fail('Unable to find interface for public network') + } + } else { + $public_detected_interface = $public_virtual_interface + } + + class { '::tripleo::keepalived': + control_virtual_interface => $control_detected_interface, + public_virtual_interface => $public_detected_interface, + } } } } diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index 9801eb2..a388def 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -51,6 +51,22 @@ # creates the certificates. # Defaults to hiera('generate_service_certificate', false). # +# [*heat_admin_domain*] +# domain name for heat admin +# Defaults to undef +# +# [*heat_admin_email*] +# heat admin email address +# Defaults to undef +# +# [*heat_admin_password*] +# heat admin password +# Defaults to undef +# +# [*heat_admin_user*] +# heat admin user name +# Defaults to undef +# # [*manage_db_purge*] # (Optional) Whether keystone token flushing should be enabled # Defaults to hiera('keystone_enable_db_purge', true) @@ -62,8 +78,8 @@ # # # [*rabbit_hosts*] -# list of the rabbbit host IPs -# Defaults to hiera('rabbitmq_node_ips') +# list of the rabbbit host fqdns +# Defaults to hiera('rabbitmq_node_names') # # [*rabbit_port*] # IP port for rabbitmq service @@ -74,38 +90,21 @@ # for more details. # Defaults to hiera('step') # -# [*heat_admin_domain*] -# domain name for heat admin -# Defaults to hiera('heat::keystone::domain::domain_name', 'heat') -# -# [*heat_admin_user*] -# heat admin user name -# Defaults to hiera('heat::keystone::domain::domain_admin', 'heat_admin') -# -# [*heat_admin_email*] -# heat admin email address -# Defaults to hiera('heat::keystone::domain::domain_admin_email', -# 'heat_admin@localhost') -# -# [*heat_admin_password*] -# heat admin password -# Defaults to hiera('heat::keystone::domain::domain_password') -# class tripleo::profile::base::keystone ( $admin_endpoint_network = hiera('keystone_admin_api_network', undef), $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), $generate_service_certificates = hiera('generate_service_certificates', false), + $heat_admin_domain = undef, + $heat_admin_email = undef, + $heat_admin_password = undef, + $heat_admin_user = undef, $manage_db_purge = hiera('keystone_enable_db_purge', true), $public_endpoint_network = hiera('keystone_public_api_network', undef), - $rabbit_hosts = hiera('rabbitmq_node_ips', undef), + $rabbit_hosts = hiera('rabbitmq_node_names', undef), $rabbit_port = hiera('keystone::rabbit_port', 5672), $step = hiera('step'), - $heat_admin_domain = hiera('heat::keystone::domain::domain_name', 'heat'), - $heat_admin_user = hiera('heat::keystone::domain::domain_admin', 'heat_admin'), - $heat_admin_email = hiera('heat::keystone::domain::domain_admin_email', 'heat_admin@localhost'), - $heat_admin_password = hiera('heat::keystone::domain::domain_password'), ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -143,7 +142,7 @@ class tripleo::profile::base::keystone ( } if $step >= 4 or ( $step >= 3 and $sync_db ) { - $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") + $rabbit_endpoints = suffix(any2array($rabbit_hosts), ":${rabbit_port}") class { '::keystone': sync_db => $sync_db, enable_bootstrap => $sync_db, @@ -237,6 +236,12 @@ class tripleo::profile::base::keystone ( if hiera('nova_api_enabled', false) { include ::nova::keystone::auth } + if hiera('nova_placement_enabled', false) { + include ::nova::keystone::auth_placement + } + if hiera('panko_api_enabled', false) { + include ::panko::keystone::auth + } if hiera('sahara_api_enabled', false) { include ::sahara::keystone::auth } diff --git a/manifests/profile/base/manila.pp b/manifests/profile/base/manila.pp index 3e16dff..f021f64 100644 --- a/manifests/profile/base/manila.pp +++ b/manifests/profile/base/manila.pp @@ -27,8 +27,8 @@ # Defaults to hiera('step') # # [*rabbit_hosts*] -# list of the rabbbit host IPs -# Defaults to hiera('rabbitmq_node_ips') +# list of the rabbbit host fqdns +# Defaults to hiera('rabbitmq_node_names') # # [*rabbit_port*] # IP port for rabbitmq service @@ -37,7 +37,7 @@ class tripleo::profile::base::manila ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $step = hiera('step'), - $rabbit_hosts = hiera('rabbitmq_node_ips', undef), + $rabbit_hosts = hiera('rabbitmq_node_names', undef), $rabbit_port = hiera('manila::rabbit_port', 5672), ) { if $::hostname == downcase($bootstrap_node) { @@ -47,7 +47,7 @@ class tripleo::profile::base::manila ( } if $step >= 4 or ($step >= 3 and $sync_db) { - $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") + $rabbit_endpoints = suffix(any2array($rabbit_hosts), ":${rabbit_port}") class { '::manila' : rabbit_hosts => $rabbit_endpoints, } diff --git a/manifests/profile/base/metrics/collectd.pp b/manifests/profile/base/metrics/collectd.pp new file mode 100644 index 0000000..0f738d1 --- /dev/null +++ b/manifests/profile/base/metrics/collectd.pp @@ -0,0 +1,88 @@ +# == Class: tripleo::profile::base::metrics::collectd +# +# Collectd configuration for TripleO +# +# === Parameters +# +# [*collectd_plugins*] +# (Optional) List. A list of collectd plugins to configure (the +# corresponding collectd::plugin::NAME class must exist in the +# collectd package). +# +# [*collectd_server*] +# (Optional) String. The name or address of a collectd server to +# which we should send metrics. +# +# [*collectd_port*] +# (Optional) Integer. The port to which we will connect on the +# collectd server. +# +# [*collectd_username*] +# (Optional) String. Username for authenticating to the remote +# collectd server. +# +# [*collectd_password*] +# (Optional) String. Password for authenticating to the remote +# collectd server. +# +# [*collectd_securitylevel*] +# (Optional) String. +# +# [*collectd_interface*] +# (Optional) String. Name of a network interface. +# +# [*collectd_graphite_server*] +# (Optional) String. The name or address of a graphite server to +# which we should send metrics. +# +# [*collectd_graphite_port*] +# (Optional) Integer. This is the port to which we will connect on +# the graphite server. Defaults to 2004. +# +# [*collectd_graphite_prefix*] +# (Optional) String. Prefix to add to metric names. Defaults to +# 'overcloud.'. +# +# [*collectd_graphite_protocol*] +# (Optional) String. One of 'udp' or 'tcp'. +# +class tripleo::profile::base::metrics::collectd ( + $collectd_plugins = [], + + $collectd_server = undef, + $collectd_port = 25826, + $collectd_username = undef, + $collectd_password = undef, + $collectd_securitylevel = undef, + + $collectd_graphite_server = undef, + $collectd_graphite_port = 2004, + $collectd_graphite_prefix = undef, + $collectd_graphite_protocol = 'udp' +) { + include ::collectd + ::tripleo::profile::base::metrics::collectd::plugin_helper { $collectd_plugins: } + + if ! ($collectd_graphite_protocol in ['udp', 'tcp']) { + fail("collectd_graphite_protocol must be one of 'udp' or 'tcp'") + } + + if $collectd_server { + ::collectd::plugin::network::server { $collectd_server: + username => $collectd_username, + password => $collectd_password, + port => $collectd_port, + securitylevel => $collectd_securitylevel, + } + } + + if $collectd_graphite_server { + ::collectd::plugin::write_graphite::carbon { 'openstack_graphite': + graphitehost => $collectd_graphite_server, + graphiteport => $collectd_graphite_port, + graphiteprefix => $collectd_graphite_prefix, + protocol => $collectd_graphite_protocol, + } + } +} + diff --git a/manifests/profile/base/metrics/collectd/plugin_helper.pp b/manifests/profile/base/metrics/collectd/plugin_helper.pp new file mode 100644 index 0000000..b624ee1 --- /dev/null +++ b/manifests/profile/base/metrics/collectd/plugin_helper.pp @@ -0,0 +1,6 @@ +# We use this to transform a list of unqualified plugin names +# (like ['disk', 'ntpd']) into the correct collectd plugin classes. +define tripleo::profile::base::metrics::collectd::plugin_helper ( +) { + include "collectd::plugin::${title}" +} diff --git a/manifests/profile/base/mistral.pp b/manifests/profile/base/mistral.pp index 3da754c..d8e1330 100644 --- a/manifests/profile/base/mistral.pp +++ b/manifests/profile/base/mistral.pp @@ -28,8 +28,8 @@ # Defaults to hiera('step') # # [*rabbit_hosts*] -# list of the rabbbit host IPs -# Defaults to hiera('rabbitmq_node_ips') +# list of the rabbbit host fqdns +# Defaults to hiera('rabbitmq_node_names') # # [*rabbit_port*] # IP port for rabbitmq service @@ -38,7 +38,7 @@ class tripleo::profile::base::mistral ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $step = hiera('step'), - $rabbit_hosts = hiera('rabbitmq_node_ips', undef), + $rabbit_hosts = hiera('rabbitmq_node_names', undef), $rabbit_port = hiera('mistral::rabbit_port', 5672), ) { if $::hostname == downcase($bootstrap_node) { @@ -48,7 +48,7 @@ class tripleo::profile::base::mistral ( } if $step >= 4 or ($step >= 3 and $sync_db) { - $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") + $rabbit_endpoints = suffix(any2array($rabbit_hosts), ":${rabbit_port}") class { '::mistral': rabbit_hosts => $rabbit_endpoints, } diff --git a/manifests/profile/base/neutron.pp b/manifests/profile/base/neutron.pp index 64f5f32..e6a32db 100644 --- a/manifests/profile/base/neutron.pp +++ b/manifests/profile/base/neutron.pp @@ -23,8 +23,8 @@ # Defaults to hiera('step') # # [*rabbit_hosts*] -# list of the rabbbit host IPs -# Defaults to hiera('rabbitmq_node_ips') +# list of the rabbbit host fqdns +# Defaults to hiera('rabbitmq_node_names') # # [*rabbit_port*] # IP port for rabbitmq service @@ -32,11 +32,11 @@ class tripleo::profile::base::neutron ( $step = hiera('step'), - $rabbit_hosts = hiera('rabbitmq_node_ips', undef), + $rabbit_hosts = hiera('rabbitmq_node_names', undef), $rabbit_port = hiera('neutron::rabbit_port', 5672), ) { if $step >= 3 { - $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") + $rabbit_endpoints = suffix(any2array($rabbit_hosts), ":${rabbit_port}") class { '::neutron' : rabbit_hosts => $rabbit_endpoints, } diff --git a/manifests/profile/base/neutron/agents/ovn.pp b/manifests/profile/base/neutron/agents/ovn.pp index 443b164..a593092 100644 --- a/manifests/profile/base/neutron/agents/ovn.pp +++ b/manifests/profile/base/neutron/agents/ovn.pp @@ -17,7 +17,12 @@ # OVN Neutron agent profile for tripleo # # [*ovn_db_host*] -# The IP-Address/Hostname where OVN DBs are deployed +# (Optional) The IP-Address where OVN DBs are listening. +# Defaults to hiera('ovn_dbs_vip') +# +# [*ovn_sbdb_port*] +# (Optional) Port number on which southbound database is listening +# Defaults to hiera('ovn::southbound::port') # # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates @@ -25,14 +30,13 @@ # Defaults to hiera('step') # class tripleo::profile::base::neutron::agents::ovn ( - $ovn_db_host, - $step = hiera('step') + $ovn_db_host = hiera('ovn_dbs_vip'), + $ovn_sbdb_port = hiera('ovn::southbound::port'), + $step = hiera('step') ) { if $step >= 4 { - $ovn_sbdb_port = hiera('ovn::southbound::port') class { '::ovn::controller': ovn_remote => "tcp:${ovn_db_host}:${ovn_sbdb_port}", - ovn_encap_type => hiera('ovn::southboud::encap_type') } } } diff --git a/manifests/profile/base/neutron/opendaylight.pp b/manifests/profile/base/neutron/opendaylight.pp index a3f46ec..556fe63 100644 --- a/manifests/profile/base/neutron/opendaylight.pp +++ b/manifests/profile/base/neutron/opendaylight.pp @@ -22,24 +22,19 @@ # (Optional) The current step of the deployment # Defaults to hiera('step') # -# [*primary_controller*] -# (Optional) The hostname of the first controller +# [*primary_node*] +# (Optional) The hostname of the first node of this role type # Defaults to hiera('bootstrap_nodeid', undef) # class tripleo::profile::base::neutron::opendaylight ( - $step = hiera('step'), - $primary_controller = hiera('bootstrap_nodeid', undef), + $step = hiera('step'), + $primary_node = hiera('bootstrap_nodeid', undef), ) { - include ::tripleo::profile::base::neutron - - if ! str2bool(hiera('opendaylight::enable_l3')) { - include ::tripleo::profile::base::neutron::l3 - } - if $step >= 1 { - # Configure ODL only on first controller - if $primary_controller == downcase($::hostname) { + # Configure ODL only on first node of the role where this service is + # applied + if $primary_node == downcase($::hostname) { include ::opendaylight } } diff --git a/manifests/profile/base/neutron/ovn_northd.pp b/manifests/profile/base/neutron/ovn_northd.pp new file mode 100644 index 0000000..0b46d5c --- /dev/null +++ b/manifests/profile/base/neutron/ovn_northd.pp @@ -0,0 +1,40 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::plugins::ml2::ovn +# +# OVN Neutron northd profile for tripleo +# +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::neutron::ovn_northd ( + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $step = hiera('step'), +) { + if $step >= 4 { + # Note this only runs on the first node in the cluster when + # deployed on a role where multiple nodes exist. + if $::hostname == downcase($bootstrap_node) { + include ::ovn::northd + } + } +} + diff --git a/manifests/profile/base/neutron/plugins/ml2.pp b/manifests/profile/base/neutron/plugins/ml2.pp index 4f4de0b..52d4ca1 100644 --- a/manifests/profile/base/neutron/plugins/ml2.pp +++ b/manifests/profile/base/neutron/plugins/ml2.pp @@ -64,12 +64,22 @@ class tripleo::profile::base::neutron::plugins::ml2 ( include ::neutron::plugins::ml2::bigswitch::restproxy } - if 'opendaylight' in $mechanism_drivers { + if ('opendaylight' in $mechanism_drivers) or ('opendaylight_v2' in $mechanism_drivers) { include ::tripleo::profile::base::neutron::plugins::ml2::opendaylight } if 'ovn' in $mechanism_drivers { include ::tripleo::profile::base::neutron::plugins::ml2::ovn } + + if 'fujitsu_cfab' in $mechanism_drivers { + include ::neutron::plugins::ml2::fujitsu + include ::neutron::plugins::ml2::fujitsu::cfab + } + + if 'fujitsu_fossw' in $mechanism_drivers { + include ::neutron::plugins::ml2::fujitsu + include ::neutron::plugins::ml2::fujitsu::fossw + } } } diff --git a/manifests/profile/base/neutron/plugins/ml2/ovn.pp b/manifests/profile/base/neutron/plugins/ml2/ovn.pp index 46477a7..b5b7a0a 100644 --- a/manifests/profile/base/neutron/plugins/ml2/ovn.pp +++ b/manifests/profile/base/neutron/plugins/ml2/ovn.pp @@ -17,7 +17,16 @@ # OVN Neutron ML2 profile for tripleo # # [*ovn_db_host*] -# The IP-Address/Hostname where OVN DBs are deployed +# The IP-Address where OVN DBs are listening. +# Defaults to hiera('ovn_dbs_vip') +# +# [*ovn_nb_port*] +# (Optional) Port number on which northbound database is listening +# Defaults to hiera('ovn::northbound::port') +# +# [*ovn_sb_port*] +# (Optional) Port number on which southbound database is listening +# Defaults to hiera('ovn::southbound::port') # # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates @@ -25,18 +34,12 @@ # Defaults to hiera('step') # class tripleo::profile::base::neutron::plugins::ml2::ovn ( - $ovn_db_host, - $step = hiera('step') + $ovn_db_host = hiera('ovn_dbs_vip'), + $ovn_nb_port = hiera('ovn::northbound::port'), + $ovn_sb_port = hiera('ovn::southbound::port'), + $step = hiera('step') ) { if $step >= 4 { - if $::hostname == $ovn_db_host { - # NOTE: we might split northd from plugin later, in the case of - # micro-services, where neutron-server & northd are not in the same - # containers - include ::ovn::northd - } - $ovn_nb_port = hiera('ovn::northbound::port') - $ovn_sb_port = hiera('ovn::southbound::port') class { '::neutron::plugins::ml2::ovn': ovn_nb_connection => "tcp:${ovn_db_host}:${ovn_nb_port}", ovn_sb_connection => "tcp:${ovn_db_host}:${ovn_sb_port}", diff --git a/manifests/profile/base/neutron/server.pp b/manifests/profile/base/neutron/server.pp index 82c2d5f..4667ae2 100644 --- a/manifests/profile/base/neutron/server.pp +++ b/manifests/profile/base/neutron/server.pp @@ -27,9 +27,30 @@ # for more details. # Defaults to hiera('step') # +# [*l3_ha_override*] +# (Optional) Override the calculated value for neutron::server::l3_ha +# by default this is calculated to enable when DVR is not enabled +# and the number of nodes running neutron api is more than one. +# Defaults to '' which aligns with the t-h-t default, and means use +# the calculated value. Other possible values are 'true' or 'false' +# +# [*l3_nodes*] +# (Optional) List of nodes running the l3 agent, used when no override +# is passed to l3_ha_override to calculate enabling l3 HA. +# Defaults to hiera('neutron_l3_short_node_names') or [] +# (we need to default neutron_l3_short_node_names to an empty list +# because some neutron backends disable the l3 agent) +# +# [*dvr_enabled*] +# (Optional) Is dvr enabled, used when no override is passed to +# l3_ha_override to calculate enabling l3 HA. +# Defaults to hiera('neutron::server::router_distributed') or false class tripleo::profile::base::neutron::server ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $step = hiera('step'), + $l3_ha_override = '', + $l3_nodes = hiera('neutron_l3_short_node_names', []), + $dvr_enabled = hiera('neutron::server::router_distributed', false) ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -39,6 +60,16 @@ class tripleo::profile::base::neutron::server ( include ::tripleo::profile::base::neutron + # Calculate neutron::server::l3_ha based on the number of API nodes + # combined with if DVR is enabled. + if $l3_ha_override != '' { + $l3_ha = str2bool($l3_ha_override) + } elsif ! str2bool($dvr_enabled) { + $l3_ha = size($l3_nodes) > 1 + } else { + $l3_ha = false + } + # We start neutron-server on the bootstrap node first, because # it will try to populate tables and we need to make sure this happens # before it starts on other nodes @@ -48,12 +79,14 @@ class tripleo::profile::base::neutron::server ( # to true class { '::neutron::server': sync_db => $sync_db, + l3_ha => $l3_ha, } } if $step >= 5 and !$sync_db { include ::neutron::server::notifications class { '::neutron::server': sync_db => $sync_db, + l3_ha => $l3_ha, } } } diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp index 4626465..dae627c 100644 --- a/manifests/profile/base/nova.pp +++ b/manifests/profile/base/nova.pp @@ -30,6 +30,30 @@ # (Optional) Whether or not manage Nova Live migration # Defaults to false # +# [*messaging_driver*] +# Driver for messaging service. +# Defaults to hiera('messaging_service_name', 'rabbit') +# +# [*messaging_hosts*] +# list of the messaging host fqdns +# Defaults to hiera('rabbitmq_node_names') +# +# [*messaging_password*] +# Password for messaging nova queue +# Defaults to hiera('nova::rabbit_password') +# +# [*messaging_port*] +# IP port for messaging service +# Defaults to hiera('nova::rabbit_port', 5672) +# +# [*messaging_username*] +# Username for messaging nova queue +# Defaults to hiera('nova::rabbit_userid', 'guest') +# +# [*messaging_use_ssl*] +# Flag indicating ssl usage. +# Defaults to hiera('nova::rabbit_use_ssl', '0') +# # [*nova_compute_enabled*] # (Optional) Whether or not nova-compute is enabled. # Defaults to false @@ -38,22 +62,18 @@ # (Optional) The current step of the deployment # Defaults to hiera('step') # -# [*rabbit_hosts*] -# list of the rabbbit host IPs -# Defaults to hiera('rabbitmq_node_ips') -# -# [*rabbit_port*] -# IP port for rabbitmq service -# Defaults to hiera('nova::rabbit_port', 5672) - class tripleo::profile::base::nova ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $libvirt_enabled = false, $manage_migration = false, + $messaging_driver = hiera('messaging_service_name', 'rabbit'), + $messaging_hosts = any2array(hiera('rabbitmq_node_names', undef)), + $messaging_password = hiera('nova::rabbit_password'), + $messaging_port = hiera('nova::rabbit_port', '5672'), + $messaging_username = hiera('nova::rabbit_userid', 'guest'), + $messaging_use_ssl = hiera('nova::rabbit_use_ssl', '0'), $nova_compute_enabled = false, $step = hiera('step'), - $rabbit_hosts = hiera('rabbitmq_node_ips', undef), - $rabbit_port = hiera('nova::rabbit_port', 5672), ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -67,10 +87,19 @@ class tripleo::profile::base::nova ( $memcache_servers = suffix(hiera('memcached_node_ips'), ':11211') } - if hiera('step') >= 4 or (hiera('step') >= 3 and $sync_db) { - $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") + if $step >= 4 or ($step >= 3 and $sync_db) { + $messaging_use_ssl_real = sprintf('%s', bool2num(str2bool($messaging_use_ssl))) + # TODO(ccamacho): remove sprintf once we properly type the port, needs + # to be a string for the os_transport_url function. class { '::nova' : - rabbit_hosts => $rabbit_endpoints, + default_transport_url => os_transport_url({ + 'transport' => $messaging_driver, + 'hosts' => $messaging_hosts, + 'port' => sprintf('%s', $messaging_port), + 'username' => $messaging_username, + 'password' => $messaging_password, + 'ssl' => $messaging_use_ssl_real, + }), } include ::nova::config class { '::nova::cache': diff --git a/manifests/profile/base/nova/api.pp b/manifests/profile/base/nova/api.pp index e660990..8ded3ef 100644 --- a/manifests/profile/base/nova/api.pp +++ b/manifests/profile/base/nova/api.pp @@ -85,6 +85,27 @@ class tripleo::profile::base::nova::api ( $tls_keyfile = undef } + if ($step >= 3 and $sync_db) { + $messaging_hosts_real = any2array($::tripleo::profile::base::nova::messaging_hosts) + # TODO(aschultz): remove sprintf once we properly type the port, needs + # to be a string for the os_transport_url function. + $messaging_port_real = sprintf('%s', $::tripleo::profile::base::nova::messaging_port) + $messaging_use_ssl_real = sprintf('%s', bool2num(str2bool($::tripleo::profile::base::nova::messaging_use_ssl))) + + #TODO(emilien): enable it again when it's fixed upstream in nova + # https://bugs.launchpad.net/tripleo/+bug/1649341 + # class { '::nova::db::sync_cell_v2': + # transport_url => os_transport_url({ + # 'transport' => $::tripleo::profile::base::nova::messaging_driver, + # 'hosts' => $messaging_hosts_real, + # 'port' => $messaging_port_real, + # 'username' => $::tripleo::profile::base::nova::messaging_username, + # 'password' => $::tripleo::profile::base::nova::messaging_password, + # 'ssl' => $messaging_use_ssl_real, + # }), + # } + } + if $step >= 4 or ($step >= 3 and $sync_db) { if hiera('nova::use_ipv6', false) { @@ -101,7 +122,7 @@ class tripleo::profile::base::nova::api ( sync_db => $sync_db, sync_db_api => $sync_db, } - class { '::nova::wsgi::apache': + class { '::nova::wsgi::apache_api': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, } diff --git a/manifests/profile/base/nova/compute/libvirt.pp b/manifests/profile/base/nova/compute/libvirt.pp index 956f8ad..6767f6b 100644 --- a/manifests/profile/base/nova/compute/libvirt.pp +++ b/manifests/profile/base/nova/compute/libvirt.pp @@ -60,6 +60,8 @@ class tripleo::profile::base::nova::compute::libvirt ( } } + include ::nova::compute::libvirt::qemu + } } diff --git a/manifests/profile/base/nova/placement.pp b/manifests/profile/base/nova/placement.pp new file mode 100644 index 0000000..7edd4e8 --- /dev/null +++ b/manifests/profile/base/nova/placement.pp @@ -0,0 +1,98 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::nova::placement +# +# Nova Placement API profile for tripleo +# +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*generate_service_certificates*] +# (Optional) Whether or not certmonger will generate certificates for +# HAProxy. This could be as many as specified by the $certificates_specs +# variable. +# Note that this doesn't configure the certificates in haproxy, it merely +# creates the certificates. +# Defaults to hiera('generate_service_certificate', false). +# +# [*nova_placement_network*] +# (Optional) The network name where the nova placement endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('nova_placement_network', undef) +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::nova::placement ( + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $generate_service_certificates = hiera('generate_service_certificates', false), + $nova_placement_network = hiera('nova_placement_network', undef), + $step = hiera('step'), +) { + if $::hostname == downcase($bootstrap_node) { + $sync_db = true + } else { + $sync_db = false + } + + include ::tripleo::profile::base::nova + + if $enable_internal_tls { + if $generate_service_certificates { + ensure_resources('tripleo::certmonger::httpd', $certificates_specs) + } + + if !$nova_placement_network { + fail('nova_placement_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${nova_placement_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${nova_placement_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + + if $step >= 4 { + include ::nova::placement + + class { '::nova::wsgi::apache_placement': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, + } + } + +} + diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp index cc5fd8a..19eb52b 100644 --- a/manifests/profile/base/pacemaker.pp +++ b/manifests/profile/base/pacemaker.pp @@ -40,7 +40,8 @@ class tripleo::profile::base::pacemaker ( $enable_fencing = str2bool(hiera('enable_fencing', false)) and $step >= 5 if $step >= 1 { - $pacemaker_cluster_members = downcase(regsubst(hiera('controller_node_names'), ',', ' ', 'G')) + $pacemaker_short_node_names = join(hiera('pacemaker_short_node_names'), ',') + $pacemaker_cluster_members = downcase(regsubst($pacemaker_short_node_names, ',', ' ', 'G')) $corosync_ipv6 = str2bool(hiera('corosync_ipv6', false)) if $corosync_ipv6 { $cluster_setup_extras = { '--token' => hiera('corosync_token_timeout', 1000), '--ipv6' => '' } diff --git a/manifests/profile/base/panko.pp b/manifests/profile/base/panko.pp new file mode 100644 index 0000000..880cf7d --- /dev/null +++ b/manifests/profile/base/panko.pp @@ -0,0 +1,48 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::panko +# +# panko profile for tripleo +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') + +class tripleo::profile::base::panko ( + $step = hiera('step'), + $bootstrap_node = hiera('bootstrap_nodeid', undef), +) { + + if $::hostname == downcase($bootstrap_node) { + $sync_db = true + } else { + $sync_db = false + } + + if $step >= 4 or ($step >= 3 and $sync_db) { + include ::panko + include ::panko::db + include ::panko::config + include ::panko::db::sync + } + +} diff --git a/manifests/profile/base/panko/api.pp b/manifests/profile/base/panko/api.pp new file mode 100644 index 0000000..45ee0c0 --- /dev/null +++ b/manifests/profile/base/panko/api.pp @@ -0,0 +1,86 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::panko::api +# +# Panko API profile for tripleo +# +# === Parameters +# +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*generate_service_certificates*] +# (Optional) Whether or not certmonger will generate certificates for +# HAProxy. This could be as many as specified by the $certificates_specs +# variable. +# Note that this doesn't configure the certificates in haproxy, it merely +# creates the certificates. +# Defaults to hiera('generate_service_certificate', false). +# +# [*panko_network*] +# (Optional) The network name where the panko endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('panko_api_network', undef) +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::panko::api ( + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $generate_service_certificates = hiera('generate_service_certificates', false), + $panko_network = hiera('panko_api_network', undef), + $step = hiera('step'), +) { + include ::tripleo::profile::base::panko + + if $enable_internal_tls { + if $generate_service_certificates { + ensure_resources('tripleo::certmonger::httpd', $certificates_specs) + } + + if !$panko_network { + fail('panko_api_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${panko_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${panko_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + + if $step >= 4 { + include ::panko::api + class { '::panko::wsgi::apache': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, + } + } +} diff --git a/manifests/profile/base/rabbitmq.pp b/manifests/profile/base/rabbitmq.pp index d90805a..15bab44 100644 --- a/manifests/profile/base/rabbitmq.pp +++ b/manifests/profile/base/rabbitmq.pp @@ -36,7 +36,7 @@ # # [*nodes*] # (Optional) Array of host(s) for RabbitMQ nodes. -# Defaults to hiera('rabbitmq_node_ips', []). +# Defaults to hiera('rabbitmq_node_names', []). # # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates @@ -48,7 +48,7 @@ class tripleo::profile::base::rabbitmq ( $environment = hiera('rabbitmq_environment'), $ipv6 = str2bool(hiera('rabbit_ipv6', false)), $kernel_variables = hiera('rabbitmq_kernel_variables'), - $nodes = hiera('rabbitmq_node_ips', []), + $nodes = hiera('rabbitmq_node_names', []), $step = hiera('step'), ) { # IPv6 environment, necessary for RabbitMQ. diff --git a/manifests/profile/base/sahara.pp b/manifests/profile/base/sahara.pp index f509225..8db071b 100644 --- a/manifests/profile/base/sahara.pp +++ b/manifests/profile/base/sahara.pp @@ -27,8 +27,8 @@ # Defaults to hiera('step') # # [*rabbit_hosts*] -# list of the rabbbit host IPs -# Defaults to hiera('rabbitmq_node_ips') +# list of the rabbbit host fqdns +# Defaults to hiera('rabbitmq_node_names') # # [*rabbit_port*] # IP port for rabbitmq service @@ -37,7 +37,7 @@ class tripleo::profile::base::sahara ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $step = hiera('step'), - $rabbit_hosts = hiera('rabbitmq_node_ips', undef), + $rabbit_hosts = hiera('rabbitmq_node_names', undef), $rabbit_port = hiera('sahara::rabbit_port', 5672), ) { if $::hostname == downcase($bootstrap_node) { @@ -47,7 +47,7 @@ class tripleo::profile::base::sahara ( } if $step >= 4 or ($step >= 3 and $sync_db){ - $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") + $rabbit_endpoints = suffix(any2array($rabbit_hosts), ":${rabbit_port}") class { '::sahara': sync_db => $sync_db, rabbit_hosts => $rabbit_endpoints, diff --git a/manifests/profile/base/sshd.pp b/manifests/profile/base/sshd.pp new file mode 100644 index 0000000..e7916c1 --- /dev/null +++ b/manifests/profile/base/sshd.pp @@ -0,0 +1,61 @@ +# Copyright 2016 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::sshd +# +# SSH profile for tripleo +# +# === Parameters +# +# [*bannertext*] +# The text used within SSH Banner +# Defaults to hiera('BannerText') +# +class tripleo::profile::base::sshd ( + $bannertext = hiera('BannerText', undef), +) { + + if $bannertext { + $action = 'set' + } else { + $action = 'rm' + } + + package {'openssh-server': + ensure => installed, + } + + augeas { 'sshd_config_banner': + context => '/files/etc/ssh/sshd_config', + changes => [ "${action} Banner /etc/issue" ], + notify => Service['sshd'] + } + + file { '/etc/issue': + ensure => file, + backup => false, + content => $bannertext, + owner => 'root', + group => 'root', + mode => '0600' + } + + service { 'sshd': + ensure => 'running', + enable => true, + hasstatus => false, + require => Package['openssh-server'], + } +} diff --git a/manifests/profile/base/swift/proxy.pp b/manifests/profile/base/swift/proxy.pp index 15b4686..5bd75bd 100644 --- a/manifests/profile/base/swift/proxy.pp +++ b/manifests/profile/base/swift/proxy.pp @@ -32,19 +32,24 @@ # Defaults to 11211 # # [*rabbit_hosts*] -# list of the rabbbit host IPs -# Defaults to hiera('rabbitmq_node_ips') +# list of the rabbbit host fqdns +# Defaults to hiera('rabbitmq_node_names') # # [*rabbit_port*] # IP port for rabbitmq service -# Defaults to hiera('swift::proxy::ceilometer::rabbit_port', 5672) +# Defaults to 5672 +# +# [*ceilometer_enabled*] +# Whether the ceilometer pipeline is enabled. +# Defaults to true # class tripleo::profile::base::swift::proxy ( - $step = hiera('step'), - $memcache_servers = hiera('memcached_node_ips'), - $memcache_port = 11211, - $rabbit_hosts = hiera('rabbitmq_node_ips', undef), - $rabbit_port = hiera('swift::proxy::ceilometer::rabbit_port', 5672), + $step = hiera('step'), + $memcache_servers = hiera('memcached_node_ips'), + $memcache_port = 11211, + $rabbit_hosts = hiera('rabbitmq_node_names', undef), + $rabbit_port = 5672, + $ceilometer_enabled = true, ) { if $step >= 4 { $swift_memcache_servers = suffix(any2array(normalize_ip_for_uri($memcache_servers)), ":${memcache_port}") @@ -63,10 +68,21 @@ class tripleo::profile::base::swift::proxy ( include ::swift::proxy::tempurl include ::swift::proxy::formpost include ::swift::proxy::bulk - $swift_rabbit_hosts = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") - class { '::swift::proxy::ceilometer': - rabbit_hosts => $swift_rabbit_hosts, + $swift_rabbit_hosts = suffix(any2array($rabbit_hosts), ":${rabbit_port}") + if $ceilometer_enabled { + class { '::swift::proxy::ceilometer': + rabbit_hosts => $swift_rabbit_hosts, + } } include ::swift::proxy::versioned_writes + include ::swift::proxy::slo + include ::swift::proxy::dlo + include ::swift::proxy::copy + include ::swift::proxy::container_quotas + include ::swift::proxy::account_quotas + + class { '::swift::objectexpirer': + memcache_servers => $swift_memcache_servers + } } } diff --git a/manifests/profile/base/swift/storage.pp b/manifests/profile/base/swift/storage.pp index 568be66..5018d77 100644 --- a/manifests/profile/base/swift/storage.pp +++ b/manifests/profile/base/swift/storage.pp @@ -34,8 +34,10 @@ class tripleo::profile::base::swift::storage ( ) { if $step >= 4 { if $enable_swift_storage { + include ::swift include ::swift::config include ::swift::storage::disks + include ::swift::storage::loopbacks include ::swift::storage::all if(!defined(File['/srv/node'])) { file { '/srv/node': |