diff options
Diffstat (limited to 'manifests/profile/base')
| -rw-r--r-- | manifests/profile/base/barbican/api.pp | 4 | ||||
| -rw-r--r-- | manifests/profile/base/certmonger_user.pp | 23 | ||||
| -rw-r--r-- | manifests/profile/base/cinder/api.pp | 11 | ||||
| -rw-r--r-- | manifests/profile/base/cinder/volume.pp | 40 | ||||
| -rw-r--r-- | manifests/profile/base/cinder/volume/dellemc_vmax_iscsi.pp | 42 | ||||
| -rw-r--r-- | manifests/profile/base/database/mysql.pp | 3 | ||||
| -rw-r--r-- | manifests/profile/base/docker.pp | 24 | ||||
| -rw-r--r-- | manifests/profile/base/horizon.pp | 45 | ||||
| -rw-r--r-- | manifests/profile/base/ironic.pp | 5 | ||||
| -rw-r--r-- | manifests/profile/base/logging/logrotate.pp | 112 | ||||
| -rw-r--r-- | manifests/profile/base/manila/api.pp | 7 | ||||
| -rw-r--r-- | manifests/profile/base/nova/api.pp | 40 | ||||
| -rw-r--r-- | manifests/profile/base/nova/compute.pp | 11 | ||||
| -rw-r--r-- | manifests/profile/base/rabbitmq.pp | 15 |
14 files changed, 336 insertions, 46 deletions
diff --git a/manifests/profile/base/barbican/api.pp b/manifests/profile/base/barbican/api.pp index 40a0a99..48bf4b8 100644 --- a/manifests/profile/base/barbican/api.pp +++ b/manifests/profile/base/barbican/api.pp @@ -129,10 +129,6 @@ class tripleo::profile::base::barbican::api ( include ::tripleo::profile::base::barbican - if $step >= 3 and $sync_db { - include ::barbican::db::mysql - } - if $step >= 4 or ( $step >= 3 and $sync_db ) { $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl))) class { '::barbican::api': diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp index 231a1d0..c3dde96 100644 --- a/manifests/profile/base/certmonger_user.pp +++ b/manifests/profile/base/certmonger_user.pp @@ -38,11 +38,21 @@ # it will create. # Defaults to hiera('apache_certificate_specs', {}). # +# [*apache_postsave_cmd*] +# (Optional) If set, it overrides the default way to restart apache when the +# certificate is renewed. +# Defaults to undef +# # [*haproxy_certificates_specs*] # (Optional) The specifications to give to certmonger for the certificate(s) # it will create. # Defaults to hiera('tripleo::profile::base::haproxy::certificate_specs', {}). # +# [*haproxy_postsave_cmd*] +# (Optional) If set, it overrides the default way to restart haproxy when the +# certificate is renewed. +# Defaults to undef +# # [*libvirt_certificates_specs*] # (Optional) The specifications to give to certmonger for the certificate(s) # it will create. @@ -70,7 +80,9 @@ # class tripleo::profile::base::certmonger_user ( $apache_certificates_specs = hiera('apache_certificates_specs', {}), + $apache_postsave_cmd = undef, $haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}), + $haproxy_postsave_cmd = undef, $libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}), $mongodb_certificate_specs = hiera('mongodb_certificate_specs',{}), $mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}), @@ -80,18 +92,22 @@ class tripleo::profile::base::certmonger_user ( unless empty($haproxy_certificates_specs) { $reload_haproxy = ['systemctl reload haproxy'] Class['::tripleo::certmonger::ca::crl'] ~> Haproxy::Balancermember<||> - Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy'] + if defined(Class['::haproxy']) { + Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy'] + } } else { $reload_haproxy = [] } class { '::tripleo::certmonger::ca::crl' : reload_cmds => $reload_haproxy, } + Certmonger_certificate<||> -> Class['::tripleo::certmonger::ca::crl'] include ::tripleo::certmonger::ca::libvirt unless empty($apache_certificates_specs) { include ::tripleo::certmonger::apache_dirs - ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs) + ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs, + {'postsave_cmd' => $apache_postsave_cmd}) } unless empty($libvirt_certificates_specs) { include ::tripleo::certmonger::libvirt_dirs @@ -99,7 +115,8 @@ class tripleo::profile::base::certmonger_user ( } unless empty($haproxy_certificates_specs) { include ::tripleo::certmonger::haproxy_dirs - ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs) + ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs, + {'postsave_cmd' => $haproxy_postsave_cmd}) # The haproxy fronends (or listen resources) depend on the certificate # existing and need to be refreshed if it changed. Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||> diff --git a/manifests/profile/base/cinder/api.pp b/manifests/profile/base/cinder/api.pp index 54880ad..892e4ed 100644 --- a/manifests/profile/base/cinder/api.pp +++ b/manifests/profile/base/cinder/api.pp @@ -43,6 +43,12 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # +# [*keymgr_api_class*] +# (Optional) The encryption key manager API class. The default value +# ensures Cinder's legacy key manager is enabled when no hiera value is +# specified. +# Defaults to hiera('cinder::api::keymgr_api_class', 'cinder.keymgr.conf_key_mgr.ConfKeyManager') +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -53,6 +59,7 @@ class tripleo::profile::base::cinder::api ( $certificates_specs = hiera('apache_certificates_specs', {}), $cinder_api_network = hiera('cinder_api_network', undef), $enable_internal_tls = hiera('enable_internal_tls', false), + $keymgr_api_class = hiera('cinder::api::keymgr_api_class', 'cinder.keymgr.conf_key_mgr.ConfKeyManager'), $step = Integer(hiera('step')), ) { if $::hostname == downcase($bootstrap_node) { @@ -75,7 +82,9 @@ class tripleo::profile::base::cinder::api ( } if $step >= 4 or ($step >= 3 and $sync_db) { - include ::cinder::api + class { '::cinder::api': + keymgr_api_class => $keymgr_api_class, + } include ::apache::mod::ssl class { '::cinder::wsgi::apache': ssl_cert => $tls_certfile, diff --git a/manifests/profile/base/cinder/volume.pp b/manifests/profile/base/cinder/volume.pp index 252bae1..b9cee83 100644 --- a/manifests/profile/base/cinder/volume.pp +++ b/manifests/profile/base/cinder/volume.pp @@ -30,6 +30,10 @@ # (Optional) Whether to enable the unity backend # Defaults to false # +# [*cinder_enable_dellemc_vmax_iscsi_backend*] +# (Optional) Whether to enable the vmax iscsi backend +# Defaults to false +# # [*cinder_enable_hpelefthand_backend*] # (Optional) Whether to enable the hpelefthand backend # Defaults to false @@ -72,19 +76,20 @@ # Defaults to hiera('step') # class tripleo::profile::base::cinder::volume ( - $cinder_enable_pure_backend = false, - $cinder_enable_dellsc_backend = false, - $cinder_enable_dellemc_unity_backend = false, - $cinder_enable_hpelefthand_backend = false, - $cinder_enable_dellps_backend = false, - $cinder_enable_iscsi_backend = true, - $cinder_enable_netapp_backend = false, - $cinder_enable_nfs_backend = false, - $cinder_enable_rbd_backend = false, - $cinder_enable_scaleio_backend = false, - $cinder_enable_vrts_hs_backend = false, - $cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef), - $step = Integer(hiera('step')), + $cinder_enable_pure_backend = false, + $cinder_enable_dellsc_backend = false, + $cinder_enable_dellemc_unity_backend = false, + $cinder_enable_dellemc_vmax_iscsi_backend = false, + $cinder_enable_hpelefthand_backend = false, + $cinder_enable_dellps_backend = false, + $cinder_enable_iscsi_backend = true, + $cinder_enable_netapp_backend = false, + $cinder_enable_nfs_backend = false, + $cinder_enable_rbd_backend = false, + $cinder_enable_scaleio_backend = false, + $cinder_enable_vrts_hs_backend = false, + $cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef), + $step = Integer(hiera('step')), ) { include ::tripleo::profile::base::cinder @@ -112,6 +117,14 @@ class tripleo::profile::base::cinder::volume ( $cinder_dellemc_unity_backend_name = undef } + if $cinder_enable_dellemc_vmax_iscsi_backend { + include ::tripleo::profile::base::cinder::volume::dellemc_vmax_iscsi + $cinder_dellemc_vmax_iscsi_backend_name = hiera('cinder::backend::dellemc_vmax_iscsi::volume_backend_name', + 'tripleo_dellemc_vmax_iscsi') + } else { + $cinder_dellemc_vmax_iscsi_backend_name = undef + } + if $cinder_enable_hpelefthand_backend { include ::tripleo::profile::base::cinder::volume::hpelefthand $cinder_hpelefthand_backend_name = hiera('cinder::backend::hpelefthand_iscsi::volume_backend_name', 'tripleo_hpelefthand') @@ -174,6 +187,7 @@ class tripleo::profile::base::cinder::volume ( $cinder_dellps_backend_name, $cinder_dellsc_backend_name, $cinder_dellemc_unity_backend_name, + $cinder_dellemc_vmax_iscsi_backend_name, $cinder_hpelefthand_backend_name, $cinder_netapp_backend_name, $cinder_nfs_backend_name, diff --git a/manifests/profile/base/cinder/volume/dellemc_vmax_iscsi.pp b/manifests/profile/base/cinder/volume/dellemc_vmax_iscsi.pp new file mode 100644 index 0000000..d09481f --- /dev/null +++ b/manifests/profile/base/cinder/volume/dellemc_vmax_iscsi.pp @@ -0,0 +1,42 @@ +# Copyright (c) 2016-2017 Dell Inc, or its subsidiaries. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::cinder::volume::dellemc_vmax_iscsi +# +# Cinder Volume dellemc_vmax_iscsi profile for tripleo +# +# === Parameters +# +# [*backend_name*] +# (Optional) Name given to the Cinder backend stanza +# Defaults to 'tripleo_dellemc_vmax_iscsi' +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::cinder::volume::dellemc_vmax_iscsi ( + $backend_name = hiera('cinder::backend::dellemc_vmax_iscsi::volume_backend_name', 'tripleo_dellemc_vmax_iscsi'), + $step = Integer(hiera('step')), +) { + include ::tripleo::profile::base::cinder::volume + + if $step >= 4 { + cinder::backend::dellemc_vmax_iscsi { $backend_name : + cinder_emc_config_file => hiera('cinder::backend::dellemc_vmax_iscsi::cinder_emc_config_file', undef), + } + } + +} diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp index 7e7d68b..7bb8c74 100644 --- a/manifests/profile/base/database/mysql.pp +++ b/manifests/profile/base/database/mysql.pp @@ -171,6 +171,9 @@ class tripleo::profile::base::database::mysql ( if hiera('cinder_api_enabled', false) { include ::cinder::db::mysql } + if hiera('barbican_api_enabled', false) { + include ::barbican::db::mysql + } if hiera('congress_enabled', false) { include ::congress::db::mysql } diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp index d230366..8cb4cdd 100644 --- a/manifests/profile/base/docker.pp +++ b/manifests/profile/base/docker.pp @@ -19,10 +19,11 @@ # # === Parameters # -# [*insecure_registry_address*] -# The host/port combiniation of the insecure registry. This is used to configure -# /etc/sysconfig/docker so that a local (insecure) registry can be accessed. -# Example: 127.0.0.1:8787 (defaults to unset) +# [*insecure_registries*] +# An array of host/port combiniations of insecure registries. This is used to configure +# /etc/sysconfig/docker so that local (insecure) registries can be accessed. +# Example: ['127.0.0.1:8787'] +# (defaults to unset) # # [*registry_mirror*] # Configure a registry-mirror in the /etc/docker/daemon.json file. @@ -45,6 +46,11 @@ # # DEPRECATED PARAMETERS # +# [*insecure_registry_address*] +# DEPRECATED: The host/port combiniation of the insecure registry. This is used to configure +# /etc/sysconfig/docker so that a local (insecure) registry can be accessed. +# Example: 127.0.0.1:8787 (defaults to unset) +# # [*docker_namespace*] # DEPRECATED: The namespace to be used when setting INSECURE_REGISTRY # this will be split on "/" to derive the docker registry @@ -55,13 +61,14 @@ # is enabled (defaults to false) # class tripleo::profile::base::docker ( - $insecure_registry_address = undef, + $insecure_registries = undef, $registry_mirror = false, $docker_options = '--log-driver=journald --signature-verification=false --iptables=false', $configure_storage = true, $storage_options = '-s overlay2', $step = Integer(hiera('step')), # DEPRECATED PARAMETERS + $insecure_registry_address = undef, $docker_namespace = undef, $insecure_registry = false, ) { @@ -92,14 +99,19 @@ class tripleo::profile::base::docker ( } if $insecure_registry { - warning('The $insecure_registry and $docker_namespace are deprecated. Use $insecure_registry_address instead.') + warning('The $insecure_registry and $docker_namespace are deprecated. Use $insecure_registries instead.') if $docker_namespace == undef { fail('You must provide a $docker_namespace in order to configure insecure registry') } $namespace = strip($docker_namespace.split('/')[0]) $registry_changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${namespace}\"'" ] } elsif $insecure_registry_address { + warning('The $insecure_registry_address parameter is deprecated. Use $insecure_registries instead.') $registry_changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${insecure_registry_address}\"'" ] + } elsif $insecure_registries { + $registry_changes = [ join(['set INSECURE_REGISTRY \'"--insecure-registry ', + join($insecure_registries, ' --insecure-registry '), + '"\''], '') ] } else { $registry_changes = [ 'rm INSECURE_REGISTRY' ] } diff --git a/manifests/profile/base/horizon.pp b/manifests/profile/base/horizon.pp index 3f01d01..9441329 100644 --- a/manifests/profile/base/horizon.pp +++ b/manifests/profile/base/horizon.pp @@ -27,6 +27,27 @@ # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*horizon_network*] +# (Optional) The network name where the horizon endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('horizon_network', undef) +# # [*neutron_options*] # (Optional) A hash of parameters to enable features specific to Neutron # Defaults to hiera('horizon::neutron_options', {}) @@ -36,10 +57,13 @@ # Defaults to hiera('memcached_node_ips') # class tripleo::profile::base::horizon ( - $step = Integer(hiera('step')), - $bootstrap_node = hiera('bootstrap_nodeid', undef), - $neutron_options = hiera('horizon::neutron_options', {}), - $memcached_ips = hiera('memcached_node_ips') + $step = Integer(hiera('step')), + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $horizon_network = hiera('horizon_network', undef), + $neutron_options = hiera('horizon::neutron_options', {}), + $memcached_ips = hiera('memcached_node_ips') ) { if $::hostname == downcase($bootstrap_node) { $is_bootstrap = true @@ -47,6 +71,17 @@ class tripleo::profile::base::horizon ( $is_bootstrap = false } + if $enable_internal_tls { + if !$horizon_network { + fail('horizon_api_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${horizon_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${horizon_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + if $step >= 4 or ( $step >= 3 and $is_bootstrap ) { # Horizon include ::apache::mod::remoteip @@ -68,6 +103,8 @@ class tripleo::profile::base::horizon ( class { '::horizon': cache_server_ip => $horizon_memcached_servers, neutron_options => $neutron_options_real, + horizon_cert => $tls_certfile, + horizon_key => $tls_keyfile, } } } diff --git a/manifests/profile/base/ironic.pp b/manifests/profile/base/ironic.pp index 2739f33..7e6efec 100644 --- a/manifests/profile/base/ironic.pp +++ b/manifests/profile/base/ironic.pp @@ -70,8 +70,9 @@ class tripleo::profile::base::ironic ( if $step >= 4 or ($step >= 3 and $sync_db) { $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl))) class { '::ironic': - sync_db => $sync_db, - default_transport_url => os_transport_url({ + sync_db => $sync_db, + db_online_data_migrations => $sync_db, + default_transport_url => os_transport_url({ 'transport' => $oslomsg_rpc_proto, 'hosts' => $oslomsg_rpc_hosts, 'port' => sprintf('%s', $oslomsg_rpc_port), diff --git a/manifests/profile/base/logging/logrotate.pp b/manifests/profile/base/logging/logrotate.pp new file mode 100644 index 0000000..1545875 --- /dev/null +++ b/manifests/profile/base/logging/logrotate.pp @@ -0,0 +1,112 @@ +# Copyright 2017 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::logging::logrotate +# +# Installs a cron job that rotates containerized services logs. +# +# === Parameters +# +# [*step*] +# (Optional) String. The current step of the deployment +# Defaults to hiera('step') +# +# [*ensure*] +# (optional) Defaults to present. +# Valid values are present, absent. +# +# [*minute*] +# (optional) Defaults to '0'. Configures cron job for logrotate. +# +# [*hour*] +# (optional) Defaults to '*'. Configures cron job for logrotate. +# +# [*monthday*] +# (optional) Defaults to '*'. Configures cron job for logrotate. +# +# [*month*] +# (optional) Defaults to '*'. Configures cron job for logrotate. +# +# [*weekday*] +# (optional) Defaults to '*'. Configures cron job for logrotate. +# +# [*maxdelay*] +# (optional) Seconds. Defaults to 90. Should be a positive integer. +# Induces a random delay before running the cronjob to avoid running all +# cron jobs at the same time on all hosts this job is configured. +# +# [*user*] +# (optional) Defaults to 'root'. Configures cron job for logrotate. +# +# [*delaycompress*] +# (optional) Defaults to True. +# Configures the logrotate delaycompress parameter. +# +# [*size*] +# (optional) Defaults to '10M'. +# Configures the logrotate size parameter. +# +# [*rotate*] +# (optional) Defaults to 14. +# Configures the logrotate rotate parameter. +# +class tripleo::profile::base::logging::logrotate ( + $step = Integer(hiera('step')), + $ensure = present, + $minute = 0, + $hour = '*', + $monthday = '*', + $month = '*', + $weekday = '*', + Integer $maxdelay = 90, + $user = 'root', + $delaycompress = true, + $size = '10M', + $rotate = 14, +) { + + if $step >= 4 { + if $maxdelay == 0 { + $sleep = '' + } else { + $sleep = "sleep `expr \${RANDOM} \\% ${maxdelay}`; " + } + + $svc = 'logrotate-crond' + $config = "/etc/${svc}.conf" + $state = "/var/lib/logrotate/${svc}.status" + $cmd = "${sleep}/usr/sbin/logrotate -s ${state} ${config}" + + file { "${config}": + ensure => $ensure, + owner => $user, + group => $user, + mode => '0640', + content => template('tripleo/logrotate/containers_logrotate.conf.erb'), + } + + cron { "${svc}": + ensure => $ensure, + command => "${cmd} 2>&1|logger -t ${svc}", + environment => 'PATH=/bin:/usr/bin:/usr/sbin SHELL=/bin/sh', + user => $user, + minute => $minute, + hour => $hour, + monthday => $monthday, + month => $month, + weekday => $weekday, + } + } +} diff --git a/manifests/profile/base/manila/api.pp b/manifests/profile/base/manila/api.pp index 95607ae..25c3890 100644 --- a/manifests/profile/base/manila/api.pp +++ b/manifests/profile/base/manila/api.pp @@ -26,6 +26,10 @@ # (Optional) Whether or not the netapp backend is enabled # Defaults to hiera('manila_backend_netapp_enabled', false) # +# [*backend_vmax_enabled*] +# (Optional) Whether or not the vmax backend is enabled +# Defaults to hiera('manila_backend_vmax_enabled', false) +# # [*backend_cephfs_enabled*] # (Optional) Whether or not the cephfs backend is enabled # Defaults to hiera('manila_backend_cephfs_enabled', false) @@ -42,6 +46,7 @@ class tripleo::profile::base::manila::api ( $backend_generic_enabled = hiera('manila_backend_generic_enabled', false), $backend_netapp_enabled = hiera('manila_backend_netapp_enabled', false), + $backend_vmax_enabled = hiera('manila_backend_vmax_enabled', false), $backend_cephfs_enabled = hiera('manila_backend_cephfs_enabled', false), $bootstrap_node = hiera('bootstrap_nodeid', undef), $step = Integer(hiera('step')), @@ -55,7 +60,7 @@ class tripleo::profile::base::manila::api ( include ::tripleo::profile::base::manila if $step >= 4 or ($step >= 3 and $sync_db) { - if $backend_generic_enabled or $backend_netapp_enabled { + if $backend_generic_enabled or $backend_netapp_enabled or $backend_vmax_enabled { $nfs_protocol = 'NFS' $cifs_protocol = 'CIFS' } else { diff --git a/manifests/profile/base/nova/api.pp b/manifests/profile/base/nova/api.pp index 0dcc754..2ff1add 100644 --- a/manifests/profile/base/nova/api.pp +++ b/manifests/profile/base/nova/api.pp @@ -46,18 +46,42 @@ # Nova Team discourages it. # Defaults to hiera('nova_wsgi_enabled', false) # +# [*nova_metadata_network*] +# (Optional) The network name where the nova metadata endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('nova_metadata_network', undef) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. # Defaults to hiera('step') # +# [*metadata_tls_proxy_bind_ip*] +# IP on which the TLS proxy will listen on. Required only if +# enable_internal_tls is set. +# Defaults to undef +# +# [*metadata_tls_proxy_fqdn*] +# fqdn on which the tls proxy will listen on. required only used if +# enable_internal_tls is set. +# defaults to undef +# +# [*metadata_tls_proxy_port*] +# port on which the tls proxy will listen on. Only used if +# enable_internal_tls is set. +# defaults to 8080 +# class tripleo::profile::base::nova::api ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), $nova_api_network = hiera('nova_api_network', undef), $nova_api_wsgi_enabled = hiera('nova_wsgi_enabled', false), + $nova_metadata_network = hiera('nova_metadata_network', undef), $step = Integer(hiera('step')), + $metadata_tls_proxy_bind_ip = undef, + $metadata_tls_proxy_fqdn = undef, + $metadata_tls_proxy_port = 8775, ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -73,6 +97,22 @@ class tripleo::profile::base::nova::api ( } if $step >= 4 or ($step >= 3 and $sync_db) { + if $enable_internal_tls { + if !$nova_metadata_network { + fail('nova_metadata_network is not set in the hieradata.') + } + $metadata_tls_certfile = $certificates_specs["httpd-${nova_metadata_network}"]['service_certificate'] + $metadata_tls_keyfile = $certificates_specs["httpd-${nova_metadata_network}"]['service_key'] + + ::tripleo::tls_proxy { 'nova-metadata-api': + servername => $metadata_tls_proxy_fqdn, + ip => $metadata_tls_proxy_bind_ip, + port => $metadata_tls_proxy_port, + tls_cert => $metadata_tls_certfile, + tls_key => $metadata_tls_keyfile, + } + Tripleo::Tls_proxy['nova-metadata-api'] ~> Anchor<| title == 'nova::service::begin' |> + } class { '::nova::api': sync_db => $sync_db, diff --git a/manifests/profile/base/nova/compute.pp b/manifests/profile/base/nova/compute.pp index 3eae880..a9a1f94 100644 --- a/manifests/profile/base/nova/compute.pp +++ b/manifests/profile/base/nova/compute.pp @@ -27,9 +27,16 @@ # (Optional) Whether or not Cinder is backed by NFS. # Defaults to hiera('cinder_enable_nfs_backend', false) # +# [*keymgr_api_class*] +# (Optional) The encryption key manager API class. The default value +# ensures Nova's legacy key manager is enabled when no hiera value is +# specified. +# Defaults to hiera('nova::compute::keymgr_api_class', 'nova.keymgr.conf_key_mgr.ConfKeyManager') +# class tripleo::profile::base::nova::compute ( $step = Integer(hiera('step')), $cinder_nfs_backend = hiera('cinder_enable_nfs_backend', false), + $keymgr_api_class = hiera('nova::compute::keymgr_api_class', 'nova.keymgr.conf_key_mgr.ConfKeyManager'), ) { if $step >= 4 { @@ -37,7 +44,9 @@ class tripleo::profile::base::nova::compute ( include ::tripleo::profile::base::nova # deploy basic bits for nova-compute - include ::nova::compute + class { '::nova::compute': + keymgr_api_class => $keymgr_api_class, + } # If Service['nova-conductor'] is in catalog, make sure we start it # before nova-compute. Service<| title == 'nova-conductor' |> -> Service['nova-compute'] diff --git a/manifests/profile/base/rabbitmq.pp b/manifests/profile/base/rabbitmq.pp index d0b4a05..fbe5113 100644 --- a/manifests/profile/base/rabbitmq.pp +++ b/manifests/profile/base/rabbitmq.pp @@ -98,15 +98,6 @@ class tripleo::profile::base::rabbitmq ( $tls_keyfile = undef } - # IPv6 environment, necessary for RabbitMQ. - if $ipv6 { - $rabbit_env = merge($environment, { - 'RABBITMQ_SERVER_START_ARGS' => '"-proto_dist inet6_tcp"', - 'RABBITMQ_CTL_ERL_ARGS' => '"-proto_dist inet6_tcp"' - }) - } else { - $rabbit_env = $environment - } if $inet_dist_interface { $real_kernel_variables = merge( $kernel_variables, @@ -125,10 +116,11 @@ class tripleo::profile::base::rabbitmq ( cluster_nodes => $nodes, config_kernel_variables => $real_kernel_variables, config_variables => $config_variables, - environment_variables => $rabbit_env, + environment_variables => $environment, # TLS options ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, + ipv6 => $ipv6, } # when running multi-nodes without Pacemaker if $manage_service { @@ -144,10 +136,11 @@ class tripleo::profile::base::rabbitmq ( class { '::rabbitmq': config_kernel_variables => $kernel_variables, config_variables => $config_variables, - environment_variables => $rabbit_env, + environment_variables => $environment, # TLS options ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, + ipv6 => $ipv6, } } } |