aboutsummaryrefslogtreecommitdiffstats
path: root/manifests/profile/base
diff options
context:
space:
mode:
Diffstat (limited to 'manifests/profile/base')
-rw-r--r--manifests/profile/base/barbican/api.pp4
-rw-r--r--manifests/profile/base/certmonger_user.pp23
-rw-r--r--manifests/profile/base/cinder/api.pp11
-rw-r--r--manifests/profile/base/cinder/volume.pp40
-rw-r--r--manifests/profile/base/cinder/volume/dellemc_vmax_iscsi.pp42
-rw-r--r--manifests/profile/base/database/mysql.pp3
-rw-r--r--manifests/profile/base/docker.pp24
-rw-r--r--manifests/profile/base/horizon.pp45
-rw-r--r--manifests/profile/base/ironic.pp5
-rw-r--r--manifests/profile/base/logging/logrotate.pp112
-rw-r--r--manifests/profile/base/manila/api.pp7
-rw-r--r--manifests/profile/base/nova/api.pp40
-rw-r--r--manifests/profile/base/nova/compute.pp11
-rw-r--r--manifests/profile/base/rabbitmq.pp15
14 files changed, 336 insertions, 46 deletions
diff --git a/manifests/profile/base/barbican/api.pp b/manifests/profile/base/barbican/api.pp
index 40a0a99..48bf4b8 100644
--- a/manifests/profile/base/barbican/api.pp
+++ b/manifests/profile/base/barbican/api.pp
@@ -129,10 +129,6 @@ class tripleo::profile::base::barbican::api (
include ::tripleo::profile::base::barbican
- if $step >= 3 and $sync_db {
- include ::barbican::db::mysql
- }
-
if $step >= 4 or ( $step >= 3 and $sync_db ) {
$oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl)))
class { '::barbican::api':
diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp
index 231a1d0..c3dde96 100644
--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
@@ -38,11 +38,21 @@
# it will create.
# Defaults to hiera('apache_certificate_specs', {}).
#
+# [*apache_postsave_cmd*]
+# (Optional) If set, it overrides the default way to restart apache when the
+# certificate is renewed.
+# Defaults to undef
+#
# [*haproxy_certificates_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
# Defaults to hiera('tripleo::profile::base::haproxy::certificate_specs', {}).
#
+# [*haproxy_postsave_cmd*]
+# (Optional) If set, it overrides the default way to restart haproxy when the
+# certificate is renewed.
+# Defaults to undef
+#
# [*libvirt_certificates_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
@@ -70,7 +80,9 @@
#
class tripleo::profile::base::certmonger_user (
$apache_certificates_specs = hiera('apache_certificates_specs', {}),
+ $apache_postsave_cmd = undef,
$haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
+ $haproxy_postsave_cmd = undef,
$libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}),
$mongodb_certificate_specs = hiera('mongodb_certificate_specs',{}),
$mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
@@ -80,18 +92,22 @@ class tripleo::profile::base::certmonger_user (
unless empty($haproxy_certificates_specs) {
$reload_haproxy = ['systemctl reload haproxy']
Class['::tripleo::certmonger::ca::crl'] ~> Haproxy::Balancermember<||>
- Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy']
+ if defined(Class['::haproxy']) {
+ Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy']
+ }
} else {
$reload_haproxy = []
}
class { '::tripleo::certmonger::ca::crl' :
reload_cmds => $reload_haproxy,
}
+ Certmonger_certificate<||> -> Class['::tripleo::certmonger::ca::crl']
include ::tripleo::certmonger::ca::libvirt
unless empty($apache_certificates_specs) {
include ::tripleo::certmonger::apache_dirs
- ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs)
+ ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs,
+ {'postsave_cmd' => $apache_postsave_cmd})
}
unless empty($libvirt_certificates_specs) {
include ::tripleo::certmonger::libvirt_dirs
@@ -99,7 +115,8 @@ class tripleo::profile::base::certmonger_user (
}
unless empty($haproxy_certificates_specs) {
include ::tripleo::certmonger::haproxy_dirs
- ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs)
+ ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs,
+ {'postsave_cmd' => $haproxy_postsave_cmd})
# The haproxy fronends (or listen resources) depend on the certificate
# existing and need to be refreshed if it changed.
Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>
diff --git a/manifests/profile/base/cinder/api.pp b/manifests/profile/base/cinder/api.pp
index 54880ad..892e4ed 100644
--- a/manifests/profile/base/cinder/api.pp
+++ b/manifests/profile/base/cinder/api.pp
@@ -43,6 +43,12 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
+# [*keymgr_api_class*]
+# (Optional) The encryption key manager API class. The default value
+# ensures Cinder's legacy key manager is enabled when no hiera value is
+# specified.
+# Defaults to hiera('cinder::api::keymgr_api_class', 'cinder.keymgr.conf_key_mgr.ConfKeyManager')
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@@ -53,6 +59,7 @@ class tripleo::profile::base::cinder::api (
$certificates_specs = hiera('apache_certificates_specs', {}),
$cinder_api_network = hiera('cinder_api_network', undef),
$enable_internal_tls = hiera('enable_internal_tls', false),
+ $keymgr_api_class = hiera('cinder::api::keymgr_api_class', 'cinder.keymgr.conf_key_mgr.ConfKeyManager'),
$step = Integer(hiera('step')),
) {
if $::hostname == downcase($bootstrap_node) {
@@ -75,7 +82,9 @@ class tripleo::profile::base::cinder::api (
}
if $step >= 4 or ($step >= 3 and $sync_db) {
- include ::cinder::api
+ class { '::cinder::api':
+ keymgr_api_class => $keymgr_api_class,
+ }
include ::apache::mod::ssl
class { '::cinder::wsgi::apache':
ssl_cert => $tls_certfile,
diff --git a/manifests/profile/base/cinder/volume.pp b/manifests/profile/base/cinder/volume.pp
index 252bae1..b9cee83 100644
--- a/manifests/profile/base/cinder/volume.pp
+++ b/manifests/profile/base/cinder/volume.pp
@@ -30,6 +30,10 @@
# (Optional) Whether to enable the unity backend
# Defaults to false
#
+# [*cinder_enable_dellemc_vmax_iscsi_backend*]
+# (Optional) Whether to enable the vmax iscsi backend
+# Defaults to false
+#
# [*cinder_enable_hpelefthand_backend*]
# (Optional) Whether to enable the hpelefthand backend
# Defaults to false
@@ -72,19 +76,20 @@
# Defaults to hiera('step')
#
class tripleo::profile::base::cinder::volume (
- $cinder_enable_pure_backend = false,
- $cinder_enable_dellsc_backend = false,
- $cinder_enable_dellemc_unity_backend = false,
- $cinder_enable_hpelefthand_backend = false,
- $cinder_enable_dellps_backend = false,
- $cinder_enable_iscsi_backend = true,
- $cinder_enable_netapp_backend = false,
- $cinder_enable_nfs_backend = false,
- $cinder_enable_rbd_backend = false,
- $cinder_enable_scaleio_backend = false,
- $cinder_enable_vrts_hs_backend = false,
- $cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef),
- $step = Integer(hiera('step')),
+ $cinder_enable_pure_backend = false,
+ $cinder_enable_dellsc_backend = false,
+ $cinder_enable_dellemc_unity_backend = false,
+ $cinder_enable_dellemc_vmax_iscsi_backend = false,
+ $cinder_enable_hpelefthand_backend = false,
+ $cinder_enable_dellps_backend = false,
+ $cinder_enable_iscsi_backend = true,
+ $cinder_enable_netapp_backend = false,
+ $cinder_enable_nfs_backend = false,
+ $cinder_enable_rbd_backend = false,
+ $cinder_enable_scaleio_backend = false,
+ $cinder_enable_vrts_hs_backend = false,
+ $cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef),
+ $step = Integer(hiera('step')),
) {
include ::tripleo::profile::base::cinder
@@ -112,6 +117,14 @@ class tripleo::profile::base::cinder::volume (
$cinder_dellemc_unity_backend_name = undef
}
+ if $cinder_enable_dellemc_vmax_iscsi_backend {
+ include ::tripleo::profile::base::cinder::volume::dellemc_vmax_iscsi
+ $cinder_dellemc_vmax_iscsi_backend_name = hiera('cinder::backend::dellemc_vmax_iscsi::volume_backend_name',
+ 'tripleo_dellemc_vmax_iscsi')
+ } else {
+ $cinder_dellemc_vmax_iscsi_backend_name = undef
+ }
+
if $cinder_enable_hpelefthand_backend {
include ::tripleo::profile::base::cinder::volume::hpelefthand
$cinder_hpelefthand_backend_name = hiera('cinder::backend::hpelefthand_iscsi::volume_backend_name', 'tripleo_hpelefthand')
@@ -174,6 +187,7 @@ class tripleo::profile::base::cinder::volume (
$cinder_dellps_backend_name,
$cinder_dellsc_backend_name,
$cinder_dellemc_unity_backend_name,
+ $cinder_dellemc_vmax_iscsi_backend_name,
$cinder_hpelefthand_backend_name,
$cinder_netapp_backend_name,
$cinder_nfs_backend_name,
diff --git a/manifests/profile/base/cinder/volume/dellemc_vmax_iscsi.pp b/manifests/profile/base/cinder/volume/dellemc_vmax_iscsi.pp
new file mode 100644
index 0000000..d09481f
--- /dev/null
+++ b/manifests/profile/base/cinder/volume/dellemc_vmax_iscsi.pp
@@ -0,0 +1,42 @@
+# Copyright (c) 2016-2017 Dell Inc, or its subsidiaries.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::cinder::volume::dellemc_vmax_iscsi
+#
+# Cinder Volume dellemc_vmax_iscsi profile for tripleo
+#
+# === Parameters
+#
+# [*backend_name*]
+# (Optional) Name given to the Cinder backend stanza
+# Defaults to 'tripleo_dellemc_vmax_iscsi'
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+class tripleo::profile::base::cinder::volume::dellemc_vmax_iscsi (
+ $backend_name = hiera('cinder::backend::dellemc_vmax_iscsi::volume_backend_name', 'tripleo_dellemc_vmax_iscsi'),
+ $step = Integer(hiera('step')),
+) {
+ include ::tripleo::profile::base::cinder::volume
+
+ if $step >= 4 {
+ cinder::backend::dellemc_vmax_iscsi { $backend_name :
+ cinder_emc_config_file => hiera('cinder::backend::dellemc_vmax_iscsi::cinder_emc_config_file', undef),
+ }
+ }
+
+}
diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp
index 7e7d68b..7bb8c74 100644
--- a/manifests/profile/base/database/mysql.pp
+++ b/manifests/profile/base/database/mysql.pp
@@ -171,6 +171,9 @@ class tripleo::profile::base::database::mysql (
if hiera('cinder_api_enabled', false) {
include ::cinder::db::mysql
}
+ if hiera('barbican_api_enabled', false) {
+ include ::barbican::db::mysql
+ }
if hiera('congress_enabled', false) {
include ::congress::db::mysql
}
diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp
index d230366..8cb4cdd 100644
--- a/manifests/profile/base/docker.pp
+++ b/manifests/profile/base/docker.pp
@@ -19,10 +19,11 @@
#
# === Parameters
#
-# [*insecure_registry_address*]
-# The host/port combiniation of the insecure registry. This is used to configure
-# /etc/sysconfig/docker so that a local (insecure) registry can be accessed.
-# Example: 127.0.0.1:8787 (defaults to unset)
+# [*insecure_registries*]
+# An array of host/port combiniations of insecure registries. This is used to configure
+# /etc/sysconfig/docker so that local (insecure) registries can be accessed.
+# Example: ['127.0.0.1:8787']
+# (defaults to unset)
#
# [*registry_mirror*]
# Configure a registry-mirror in the /etc/docker/daemon.json file.
@@ -45,6 +46,11 @@
#
# DEPRECATED PARAMETERS
#
+# [*insecure_registry_address*]
+# DEPRECATED: The host/port combiniation of the insecure registry. This is used to configure
+# /etc/sysconfig/docker so that a local (insecure) registry can be accessed.
+# Example: 127.0.0.1:8787 (defaults to unset)
+#
# [*docker_namespace*]
# DEPRECATED: The namespace to be used when setting INSECURE_REGISTRY
# this will be split on "/" to derive the docker registry
@@ -55,13 +61,14 @@
# is enabled (defaults to false)
#
class tripleo::profile::base::docker (
- $insecure_registry_address = undef,
+ $insecure_registries = undef,
$registry_mirror = false,
$docker_options = '--log-driver=journald --signature-verification=false --iptables=false',
$configure_storage = true,
$storage_options = '-s overlay2',
$step = Integer(hiera('step')),
# DEPRECATED PARAMETERS
+ $insecure_registry_address = undef,
$docker_namespace = undef,
$insecure_registry = false,
) {
@@ -92,14 +99,19 @@ class tripleo::profile::base::docker (
}
if $insecure_registry {
- warning('The $insecure_registry and $docker_namespace are deprecated. Use $insecure_registry_address instead.')
+ warning('The $insecure_registry and $docker_namespace are deprecated. Use $insecure_registries instead.')
if $docker_namespace == undef {
fail('You must provide a $docker_namespace in order to configure insecure registry')
}
$namespace = strip($docker_namespace.split('/')[0])
$registry_changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${namespace}\"'" ]
} elsif $insecure_registry_address {
+ warning('The $insecure_registry_address parameter is deprecated. Use $insecure_registries instead.')
$registry_changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${insecure_registry_address}\"'" ]
+ } elsif $insecure_registries {
+ $registry_changes = [ join(['set INSECURE_REGISTRY \'"--insecure-registry ',
+ join($insecure_registries, ' --insecure-registry '),
+ '"\''], '') ]
} else {
$registry_changes = [ 'rm INSECURE_REGISTRY' ]
}
diff --git a/manifests/profile/base/horizon.pp b/manifests/profile/base/horizon.pp
index 3f01d01..9441329 100644
--- a/manifests/profile/base/horizon.pp
+++ b/manifests/profile/base/horizon.pp
@@ -27,6 +27,27 @@
# (Optional) The hostname of the node responsible for bootstrapping tasks
# Defaults to hiera('bootstrap_nodeid')
#
+# [*certificates_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Example with hiera:
+# apache_certificates_specs:
+# httpd-internal_api:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "haproxy/<overcloud controller fqdn>"
+# Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
+# [*horizon_network*]
+# (Optional) The network name where the horizon endpoint is listening on.
+# This is set by t-h-t.
+# Defaults to hiera('horizon_network', undef)
+#
# [*neutron_options*]
# (Optional) A hash of parameters to enable features specific to Neutron
# Defaults to hiera('horizon::neutron_options', {})
@@ -36,10 +57,13 @@
# Defaults to hiera('memcached_node_ips')
#
class tripleo::profile::base::horizon (
- $step = Integer(hiera('step')),
- $bootstrap_node = hiera('bootstrap_nodeid', undef),
- $neutron_options = hiera('horizon::neutron_options', {}),
- $memcached_ips = hiera('memcached_node_ips')
+ $step = Integer(hiera('step')),
+ $bootstrap_node = hiera('bootstrap_nodeid', undef),
+ $certificates_specs = hiera('apache_certificates_specs', {}),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
+ $horizon_network = hiera('horizon_network', undef),
+ $neutron_options = hiera('horizon::neutron_options', {}),
+ $memcached_ips = hiera('memcached_node_ips')
) {
if $::hostname == downcase($bootstrap_node) {
$is_bootstrap = true
@@ -47,6 +71,17 @@ class tripleo::profile::base::horizon (
$is_bootstrap = false
}
+ if $enable_internal_tls {
+ if !$horizon_network {
+ fail('horizon_api_network is not set in the hieradata.')
+ }
+ $tls_certfile = $certificates_specs["httpd-${horizon_network}"]['service_certificate']
+ $tls_keyfile = $certificates_specs["httpd-${horizon_network}"]['service_key']
+ } else {
+ $tls_certfile = undef
+ $tls_keyfile = undef
+ }
+
if $step >= 4 or ( $step >= 3 and $is_bootstrap ) {
# Horizon
include ::apache::mod::remoteip
@@ -68,6 +103,8 @@ class tripleo::profile::base::horizon (
class { '::horizon':
cache_server_ip => $horizon_memcached_servers,
neutron_options => $neutron_options_real,
+ horizon_cert => $tls_certfile,
+ horizon_key => $tls_keyfile,
}
}
}
diff --git a/manifests/profile/base/ironic.pp b/manifests/profile/base/ironic.pp
index 2739f33..7e6efec 100644
--- a/manifests/profile/base/ironic.pp
+++ b/manifests/profile/base/ironic.pp
@@ -70,8 +70,9 @@ class tripleo::profile::base::ironic (
if $step >= 4 or ($step >= 3 and $sync_db) {
$oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl)))
class { '::ironic':
- sync_db => $sync_db,
- default_transport_url => os_transport_url({
+ sync_db => $sync_db,
+ db_online_data_migrations => $sync_db,
+ default_transport_url => os_transport_url({
'transport' => $oslomsg_rpc_proto,
'hosts' => $oslomsg_rpc_hosts,
'port' => sprintf('%s', $oslomsg_rpc_port),
diff --git a/manifests/profile/base/logging/logrotate.pp b/manifests/profile/base/logging/logrotate.pp
new file mode 100644
index 0000000..1545875
--- /dev/null
+++ b/manifests/profile/base/logging/logrotate.pp
@@ -0,0 +1,112 @@
+# Copyright 2017 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::logging::logrotate
+#
+# Installs a cron job that rotates containerized services logs.
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) String. The current step of the deployment
+# Defaults to hiera('step')
+#
+# [*ensure*]
+# (optional) Defaults to present.
+# Valid values are present, absent.
+#
+# [*minute*]
+# (optional) Defaults to '0'. Configures cron job for logrotate.
+#
+# [*hour*]
+# (optional) Defaults to '*'. Configures cron job for logrotate.
+#
+# [*monthday*]
+# (optional) Defaults to '*'. Configures cron job for logrotate.
+#
+# [*month*]
+# (optional) Defaults to '*'. Configures cron job for logrotate.
+#
+# [*weekday*]
+# (optional) Defaults to '*'. Configures cron job for logrotate.
+#
+# [*maxdelay*]
+# (optional) Seconds. Defaults to 90. Should be a positive integer.
+# Induces a random delay before running the cronjob to avoid running all
+# cron jobs at the same time on all hosts this job is configured.
+#
+# [*user*]
+# (optional) Defaults to 'root'. Configures cron job for logrotate.
+#
+# [*delaycompress*]
+# (optional) Defaults to True.
+# Configures the logrotate delaycompress parameter.
+#
+# [*size*]
+# (optional) Defaults to '10M'.
+# Configures the logrotate size parameter.
+#
+# [*rotate*]
+# (optional) Defaults to 14.
+# Configures the logrotate rotate parameter.
+#
+class tripleo::profile::base::logging::logrotate (
+ $step = Integer(hiera('step')),
+ $ensure = present,
+ $minute = 0,
+ $hour = '*',
+ $monthday = '*',
+ $month = '*',
+ $weekday = '*',
+ Integer $maxdelay = 90,
+ $user = 'root',
+ $delaycompress = true,
+ $size = '10M',
+ $rotate = 14,
+) {
+
+ if $step >= 4 {
+ if $maxdelay == 0 {
+ $sleep = ''
+ } else {
+ $sleep = "sleep `expr \${RANDOM} \\% ${maxdelay}`; "
+ }
+
+ $svc = 'logrotate-crond'
+ $config = "/etc/${svc}.conf"
+ $state = "/var/lib/logrotate/${svc}.status"
+ $cmd = "${sleep}/usr/sbin/logrotate -s ${state} ${config}"
+
+ file { "${config}":
+ ensure => $ensure,
+ owner => $user,
+ group => $user,
+ mode => '0640',
+ content => template('tripleo/logrotate/containers_logrotate.conf.erb'),
+ }
+
+ cron { "${svc}":
+ ensure => $ensure,
+ command => "${cmd} 2>&1|logger -t ${svc}",
+ environment => 'PATH=/bin:/usr/bin:/usr/sbin SHELL=/bin/sh',
+ user => $user,
+ minute => $minute,
+ hour => $hour,
+ monthday => $monthday,
+ month => $month,
+ weekday => $weekday,
+ }
+ }
+}
diff --git a/manifests/profile/base/manila/api.pp b/manifests/profile/base/manila/api.pp
index 95607ae..25c3890 100644
--- a/manifests/profile/base/manila/api.pp
+++ b/manifests/profile/base/manila/api.pp
@@ -26,6 +26,10 @@
# (Optional) Whether or not the netapp backend is enabled
# Defaults to hiera('manila_backend_netapp_enabled', false)
#
+# [*backend_vmax_enabled*]
+# (Optional) Whether or not the vmax backend is enabled
+# Defaults to hiera('manila_backend_vmax_enabled', false)
+#
# [*backend_cephfs_enabled*]
# (Optional) Whether or not the cephfs backend is enabled
# Defaults to hiera('manila_backend_cephfs_enabled', false)
@@ -42,6 +46,7 @@
class tripleo::profile::base::manila::api (
$backend_generic_enabled = hiera('manila_backend_generic_enabled', false),
$backend_netapp_enabled = hiera('manila_backend_netapp_enabled', false),
+ $backend_vmax_enabled = hiera('manila_backend_vmax_enabled', false),
$backend_cephfs_enabled = hiera('manila_backend_cephfs_enabled', false),
$bootstrap_node = hiera('bootstrap_nodeid', undef),
$step = Integer(hiera('step')),
@@ -55,7 +60,7 @@ class tripleo::profile::base::manila::api (
include ::tripleo::profile::base::manila
if $step >= 4 or ($step >= 3 and $sync_db) {
- if $backend_generic_enabled or $backend_netapp_enabled {
+ if $backend_generic_enabled or $backend_netapp_enabled or $backend_vmax_enabled {
$nfs_protocol = 'NFS'
$cifs_protocol = 'CIFS'
} else {
diff --git a/manifests/profile/base/nova/api.pp b/manifests/profile/base/nova/api.pp
index 0dcc754..2ff1add 100644
--- a/manifests/profile/base/nova/api.pp
+++ b/manifests/profile/base/nova/api.pp
@@ -46,18 +46,42 @@
# Nova Team discourages it.
# Defaults to hiera('nova_wsgi_enabled', false)
#
+# [*nova_metadata_network*]
+# (Optional) The network name where the nova metadata endpoint is listening on.
+# This is set by t-h-t.
+# Defaults to hiera('nova_metadata_network', undef)
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
# Defaults to hiera('step')
#
+# [*metadata_tls_proxy_bind_ip*]
+# IP on which the TLS proxy will listen on. Required only if
+# enable_internal_tls is set.
+# Defaults to undef
+#
+# [*metadata_tls_proxy_fqdn*]
+# fqdn on which the tls proxy will listen on. required only used if
+# enable_internal_tls is set.
+# defaults to undef
+#
+# [*metadata_tls_proxy_port*]
+# port on which the tls proxy will listen on. Only used if
+# enable_internal_tls is set.
+# defaults to 8080
+#
class tripleo::profile::base::nova::api (
$bootstrap_node = hiera('bootstrap_nodeid', undef),
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
$nova_api_network = hiera('nova_api_network', undef),
$nova_api_wsgi_enabled = hiera('nova_wsgi_enabled', false),
+ $nova_metadata_network = hiera('nova_metadata_network', undef),
$step = Integer(hiera('step')),
+ $metadata_tls_proxy_bind_ip = undef,
+ $metadata_tls_proxy_fqdn = undef,
+ $metadata_tls_proxy_port = 8775,
) {
if $::hostname == downcase($bootstrap_node) {
$sync_db = true
@@ -73,6 +97,22 @@ class tripleo::profile::base::nova::api (
}
if $step >= 4 or ($step >= 3 and $sync_db) {
+ if $enable_internal_tls {
+ if !$nova_metadata_network {
+ fail('nova_metadata_network is not set in the hieradata.')
+ }
+ $metadata_tls_certfile = $certificates_specs["httpd-${nova_metadata_network}"]['service_certificate']
+ $metadata_tls_keyfile = $certificates_specs["httpd-${nova_metadata_network}"]['service_key']
+
+ ::tripleo::tls_proxy { 'nova-metadata-api':
+ servername => $metadata_tls_proxy_fqdn,
+ ip => $metadata_tls_proxy_bind_ip,
+ port => $metadata_tls_proxy_port,
+ tls_cert => $metadata_tls_certfile,
+ tls_key => $metadata_tls_keyfile,
+ }
+ Tripleo::Tls_proxy['nova-metadata-api'] ~> Anchor<| title == 'nova::service::begin' |>
+ }
class { '::nova::api':
sync_db => $sync_db,
diff --git a/manifests/profile/base/nova/compute.pp b/manifests/profile/base/nova/compute.pp
index 3eae880..a9a1f94 100644
--- a/manifests/profile/base/nova/compute.pp
+++ b/manifests/profile/base/nova/compute.pp
@@ -27,9 +27,16 @@
# (Optional) Whether or not Cinder is backed by NFS.
# Defaults to hiera('cinder_enable_nfs_backend', false)
#
+# [*keymgr_api_class*]
+# (Optional) The encryption key manager API class. The default value
+# ensures Nova's legacy key manager is enabled when no hiera value is
+# specified.
+# Defaults to hiera('nova::compute::keymgr_api_class', 'nova.keymgr.conf_key_mgr.ConfKeyManager')
+#
class tripleo::profile::base::nova::compute (
$step = Integer(hiera('step')),
$cinder_nfs_backend = hiera('cinder_enable_nfs_backend', false),
+ $keymgr_api_class = hiera('nova::compute::keymgr_api_class', 'nova.keymgr.conf_key_mgr.ConfKeyManager'),
) {
if $step >= 4 {
@@ -37,7 +44,9 @@ class tripleo::profile::base::nova::compute (
include ::tripleo::profile::base::nova
# deploy basic bits for nova-compute
- include ::nova::compute
+ class { '::nova::compute':
+ keymgr_api_class => $keymgr_api_class,
+ }
# If Service['nova-conductor'] is in catalog, make sure we start it
# before nova-compute.
Service<| title == 'nova-conductor' |> -> Service['nova-compute']
diff --git a/manifests/profile/base/rabbitmq.pp b/manifests/profile/base/rabbitmq.pp
index d0b4a05..fbe5113 100644
--- a/manifests/profile/base/rabbitmq.pp
+++ b/manifests/profile/base/rabbitmq.pp
@@ -98,15 +98,6 @@ class tripleo::profile::base::rabbitmq (
$tls_keyfile = undef
}
- # IPv6 environment, necessary for RabbitMQ.
- if $ipv6 {
- $rabbit_env = merge($environment, {
- 'RABBITMQ_SERVER_START_ARGS' => '"-proto_dist inet6_tcp"',
- 'RABBITMQ_CTL_ERL_ARGS' => '"-proto_dist inet6_tcp"'
- })
- } else {
- $rabbit_env = $environment
- }
if $inet_dist_interface {
$real_kernel_variables = merge(
$kernel_variables,
@@ -125,10 +116,11 @@ class tripleo::profile::base::rabbitmq (
cluster_nodes => $nodes,
config_kernel_variables => $real_kernel_variables,
config_variables => $config_variables,
- environment_variables => $rabbit_env,
+ environment_variables => $environment,
# TLS options
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,
+ ipv6 => $ipv6,
}
# when running multi-nodes without Pacemaker
if $manage_service {
@@ -144,10 +136,11 @@ class tripleo::profile::base::rabbitmq (
class { '::rabbitmq':
config_kernel_variables => $kernel_variables,
config_variables => $config_variables,
- environment_variables => $rabbit_env,
+ environment_variables => $environment,
# TLS options
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,
+ ipv6 => $ipv6,
}
}
}