diff options
Diffstat (limited to 'manifests/profile/base')
| -rw-r--r-- | manifests/profile/base/barbican/api.pp | 4 | ||||
| -rw-r--r-- | manifests/profile/base/certmonger_user.pp | 5 | ||||
| -rw-r--r-- | manifests/profile/base/cinder/api.pp | 11 | ||||
| -rw-r--r-- | manifests/profile/base/database/mysql.pp | 25 | ||||
| -rw-r--r-- | manifests/profile/base/horizon.pp | 45 | ||||
| -rw-r--r-- | manifests/profile/base/ironic.pp | 5 | ||||
| -rw-r--r-- | manifests/profile/base/logging/logrotate.pp | 112 | ||||
| -rw-r--r-- | manifests/profile/base/nova/api.pp | 40 | ||||
| -rw-r--r-- | manifests/profile/base/nova/compute.pp | 11 | ||||
| -rw-r--r-- | manifests/profile/base/rabbitmq.pp | 15 |
10 files changed, 241 insertions, 32 deletions
diff --git a/manifests/profile/base/barbican/api.pp b/manifests/profile/base/barbican/api.pp index 40a0a99..48bf4b8 100644 --- a/manifests/profile/base/barbican/api.pp +++ b/manifests/profile/base/barbican/api.pp @@ -129,10 +129,6 @@ class tripleo::profile::base::barbican::api ( include ::tripleo::profile::base::barbican - if $step >= 3 and $sync_db { - include ::barbican::db::mysql - } - if $step >= 4 or ( $step >= 3 and $sync_db ) { $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl))) class { '::barbican::api': diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp index 231a1d0..2ac4b6e 100644 --- a/manifests/profile/base/certmonger_user.pp +++ b/manifests/profile/base/certmonger_user.pp @@ -80,13 +80,16 @@ class tripleo::profile::base::certmonger_user ( unless empty($haproxy_certificates_specs) { $reload_haproxy = ['systemctl reload haproxy'] Class['::tripleo::certmonger::ca::crl'] ~> Haproxy::Balancermember<||> - Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy'] + if defined(Class['::haproxy']) { + Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy'] + } } else { $reload_haproxy = [] } class { '::tripleo::certmonger::ca::crl' : reload_cmds => $reload_haproxy, } + Certmonger_certificate<||> -> Class['::tripleo::certmonger::ca::crl'] include ::tripleo::certmonger::ca::libvirt unless empty($apache_certificates_specs) { diff --git a/manifests/profile/base/cinder/api.pp b/manifests/profile/base/cinder/api.pp index 54880ad..892e4ed 100644 --- a/manifests/profile/base/cinder/api.pp +++ b/manifests/profile/base/cinder/api.pp @@ -43,6 +43,12 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # +# [*keymgr_api_class*] +# (Optional) The encryption key manager API class. The default value +# ensures Cinder's legacy key manager is enabled when no hiera value is +# specified. +# Defaults to hiera('cinder::api::keymgr_api_class', 'cinder.keymgr.conf_key_mgr.ConfKeyManager') +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -53,6 +59,7 @@ class tripleo::profile::base::cinder::api ( $certificates_specs = hiera('apache_certificates_specs', {}), $cinder_api_network = hiera('cinder_api_network', undef), $enable_internal_tls = hiera('enable_internal_tls', false), + $keymgr_api_class = hiera('cinder::api::keymgr_api_class', 'cinder.keymgr.conf_key_mgr.ConfKeyManager'), $step = Integer(hiera('step')), ) { if $::hostname == downcase($bootstrap_node) { @@ -75,7 +82,9 @@ class tripleo::profile::base::cinder::api ( } if $step >= 4 or ($step >= 3 and $sync_db) { - include ::cinder::api + class { '::cinder::api': + keymgr_api_class => $keymgr_api_class, + } include ::apache::mod::ssl class { '::cinder::wsgi::apache': ssl_cert => $tls_certfile, diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp index 3bf41cf..7bb8c74 100644 --- a/manifests/profile/base/database/mysql.pp +++ b/manifests/profile/base/database/mysql.pp @@ -47,6 +47,10 @@ # limit for the mysql service. # Defaults to false # +# [*innodb_buffer_pool_size*] +# (Optional) Configure the size of the MySQL buffer pool. +# Defaults to hiera('innodb_buffer_pool_size', undef) +# # [*manage_resources*] # (Optional) Whether or not manage root user, root my.cnf, and service. # Defaults to true @@ -76,6 +80,7 @@ class tripleo::profile::base::database::mysql ( $certificate_specs = {}, $enable_internal_tls = hiera('enable_internal_tls', false), $generate_dropin_file_limit = false, + $innodb_buffer_pool_size = hiera('innodb_buffer_pool_size', undef), $manage_resources = true, $mysql_server_options = {}, $mysql_max_connections = hiera('mysql_max_connections', undef), @@ -123,14 +128,15 @@ class tripleo::profile::base::database::mysql ( # MysqlNetwork and ControllerHostnameResolveNetwork in ServiceNetMap $mysql_server_default = { 'mysqld' => { - 'bind-address' => $bind_address, - 'max_connections' => $mysql_max_connections, - 'open_files_limit' => '-1', - 'innodb_file_per_table' => 'ON', - 'ssl' => $enable_internal_tls, - 'ssl-key' => $tls_keyfile, - 'ssl-cert' => $tls_certfile, - 'ssl-ca' => undef, + 'bind-address' => $bind_address, + 'max_connections' => $mysql_max_connections, + 'open_files_limit' => '-1', + 'innodb_buffer_pool_size' => $innodb_buffer_pool_size, + 'innodb_file_per_table' => 'ON', + 'ssl' => $enable_internal_tls, + 'ssl-key' => $tls_keyfile, + 'ssl-cert' => $tls_certfile, + 'ssl-ca' => undef, } } $mysql_server_options_real = deep_merge($mysql_server_default, $mysql_server_options) @@ -165,6 +171,9 @@ class tripleo::profile::base::database::mysql ( if hiera('cinder_api_enabled', false) { include ::cinder::db::mysql } + if hiera('barbican_api_enabled', false) { + include ::barbican::db::mysql + } if hiera('congress_enabled', false) { include ::congress::db::mysql } diff --git a/manifests/profile/base/horizon.pp b/manifests/profile/base/horizon.pp index 3f01d01..9441329 100644 --- a/manifests/profile/base/horizon.pp +++ b/manifests/profile/base/horizon.pp @@ -27,6 +27,27 @@ # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*horizon_network*] +# (Optional) The network name where the horizon endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('horizon_network', undef) +# # [*neutron_options*] # (Optional) A hash of parameters to enable features specific to Neutron # Defaults to hiera('horizon::neutron_options', {}) @@ -36,10 +57,13 @@ # Defaults to hiera('memcached_node_ips') # class tripleo::profile::base::horizon ( - $step = Integer(hiera('step')), - $bootstrap_node = hiera('bootstrap_nodeid', undef), - $neutron_options = hiera('horizon::neutron_options', {}), - $memcached_ips = hiera('memcached_node_ips') + $step = Integer(hiera('step')), + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $horizon_network = hiera('horizon_network', undef), + $neutron_options = hiera('horizon::neutron_options', {}), + $memcached_ips = hiera('memcached_node_ips') ) { if $::hostname == downcase($bootstrap_node) { $is_bootstrap = true @@ -47,6 +71,17 @@ class tripleo::profile::base::horizon ( $is_bootstrap = false } + if $enable_internal_tls { + if !$horizon_network { + fail('horizon_api_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${horizon_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${horizon_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + if $step >= 4 or ( $step >= 3 and $is_bootstrap ) { # Horizon include ::apache::mod::remoteip @@ -68,6 +103,8 @@ class tripleo::profile::base::horizon ( class { '::horizon': cache_server_ip => $horizon_memcached_servers, neutron_options => $neutron_options_real, + horizon_cert => $tls_certfile, + horizon_key => $tls_keyfile, } } } diff --git a/manifests/profile/base/ironic.pp b/manifests/profile/base/ironic.pp index 2739f33..7e6efec 100644 --- a/manifests/profile/base/ironic.pp +++ b/manifests/profile/base/ironic.pp @@ -70,8 +70,9 @@ class tripleo::profile::base::ironic ( if $step >= 4 or ($step >= 3 and $sync_db) { $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl))) class { '::ironic': - sync_db => $sync_db, - default_transport_url => os_transport_url({ + sync_db => $sync_db, + db_online_data_migrations => $sync_db, + default_transport_url => os_transport_url({ 'transport' => $oslomsg_rpc_proto, 'hosts' => $oslomsg_rpc_hosts, 'port' => sprintf('%s', $oslomsg_rpc_port), diff --git a/manifests/profile/base/logging/logrotate.pp b/manifests/profile/base/logging/logrotate.pp new file mode 100644 index 0000000..1545875 --- /dev/null +++ b/manifests/profile/base/logging/logrotate.pp @@ -0,0 +1,112 @@ +# Copyright 2017 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::logging::logrotate +# +# Installs a cron job that rotates containerized services logs. +# +# === Parameters +# +# [*step*] +# (Optional) String. The current step of the deployment +# Defaults to hiera('step') +# +# [*ensure*] +# (optional) Defaults to present. +# Valid values are present, absent. +# +# [*minute*] +# (optional) Defaults to '0'. Configures cron job for logrotate. +# +# [*hour*] +# (optional) Defaults to '*'. Configures cron job for logrotate. +# +# [*monthday*] +# (optional) Defaults to '*'. Configures cron job for logrotate. +# +# [*month*] +# (optional) Defaults to '*'. Configures cron job for logrotate. +# +# [*weekday*] +# (optional) Defaults to '*'. Configures cron job for logrotate. +# +# [*maxdelay*] +# (optional) Seconds. Defaults to 90. Should be a positive integer. +# Induces a random delay before running the cronjob to avoid running all +# cron jobs at the same time on all hosts this job is configured. +# +# [*user*] +# (optional) Defaults to 'root'. Configures cron job for logrotate. +# +# [*delaycompress*] +# (optional) Defaults to True. +# Configures the logrotate delaycompress parameter. +# +# [*size*] +# (optional) Defaults to '10M'. +# Configures the logrotate size parameter. +# +# [*rotate*] +# (optional) Defaults to 14. +# Configures the logrotate rotate parameter. +# +class tripleo::profile::base::logging::logrotate ( + $step = Integer(hiera('step')), + $ensure = present, + $minute = 0, + $hour = '*', + $monthday = '*', + $month = '*', + $weekday = '*', + Integer $maxdelay = 90, + $user = 'root', + $delaycompress = true, + $size = '10M', + $rotate = 14, +) { + + if $step >= 4 { + if $maxdelay == 0 { + $sleep = '' + } else { + $sleep = "sleep `expr \${RANDOM} \\% ${maxdelay}`; " + } + + $svc = 'logrotate-crond' + $config = "/etc/${svc}.conf" + $state = "/var/lib/logrotate/${svc}.status" + $cmd = "${sleep}/usr/sbin/logrotate -s ${state} ${config}" + + file { "${config}": + ensure => $ensure, + owner => $user, + group => $user, + mode => '0640', + content => template('tripleo/logrotate/containers_logrotate.conf.erb'), + } + + cron { "${svc}": + ensure => $ensure, + command => "${cmd} 2>&1|logger -t ${svc}", + environment => 'PATH=/bin:/usr/bin:/usr/sbin SHELL=/bin/sh', + user => $user, + minute => $minute, + hour => $hour, + monthday => $monthday, + month => $month, + weekday => $weekday, + } + } +} diff --git a/manifests/profile/base/nova/api.pp b/manifests/profile/base/nova/api.pp index 0dcc754..2ff1add 100644 --- a/manifests/profile/base/nova/api.pp +++ b/manifests/profile/base/nova/api.pp @@ -46,18 +46,42 @@ # Nova Team discourages it. # Defaults to hiera('nova_wsgi_enabled', false) # +# [*nova_metadata_network*] +# (Optional) The network name where the nova metadata endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('nova_metadata_network', undef) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. # Defaults to hiera('step') # +# [*metadata_tls_proxy_bind_ip*] +# IP on which the TLS proxy will listen on. Required only if +# enable_internal_tls is set. +# Defaults to undef +# +# [*metadata_tls_proxy_fqdn*] +# fqdn on which the tls proxy will listen on. required only used if +# enable_internal_tls is set. +# defaults to undef +# +# [*metadata_tls_proxy_port*] +# port on which the tls proxy will listen on. Only used if +# enable_internal_tls is set. +# defaults to 8080 +# class tripleo::profile::base::nova::api ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), $nova_api_network = hiera('nova_api_network', undef), $nova_api_wsgi_enabled = hiera('nova_wsgi_enabled', false), + $nova_metadata_network = hiera('nova_metadata_network', undef), $step = Integer(hiera('step')), + $metadata_tls_proxy_bind_ip = undef, + $metadata_tls_proxy_fqdn = undef, + $metadata_tls_proxy_port = 8775, ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -73,6 +97,22 @@ class tripleo::profile::base::nova::api ( } if $step >= 4 or ($step >= 3 and $sync_db) { + if $enable_internal_tls { + if !$nova_metadata_network { + fail('nova_metadata_network is not set in the hieradata.') + } + $metadata_tls_certfile = $certificates_specs["httpd-${nova_metadata_network}"]['service_certificate'] + $metadata_tls_keyfile = $certificates_specs["httpd-${nova_metadata_network}"]['service_key'] + + ::tripleo::tls_proxy { 'nova-metadata-api': + servername => $metadata_tls_proxy_fqdn, + ip => $metadata_tls_proxy_bind_ip, + port => $metadata_tls_proxy_port, + tls_cert => $metadata_tls_certfile, + tls_key => $metadata_tls_keyfile, + } + Tripleo::Tls_proxy['nova-metadata-api'] ~> Anchor<| title == 'nova::service::begin' |> + } class { '::nova::api': sync_db => $sync_db, diff --git a/manifests/profile/base/nova/compute.pp b/manifests/profile/base/nova/compute.pp index 3eae880..a9a1f94 100644 --- a/manifests/profile/base/nova/compute.pp +++ b/manifests/profile/base/nova/compute.pp @@ -27,9 +27,16 @@ # (Optional) Whether or not Cinder is backed by NFS. # Defaults to hiera('cinder_enable_nfs_backend', false) # +# [*keymgr_api_class*] +# (Optional) The encryption key manager API class. The default value +# ensures Nova's legacy key manager is enabled when no hiera value is +# specified. +# Defaults to hiera('nova::compute::keymgr_api_class', 'nova.keymgr.conf_key_mgr.ConfKeyManager') +# class tripleo::profile::base::nova::compute ( $step = Integer(hiera('step')), $cinder_nfs_backend = hiera('cinder_enable_nfs_backend', false), + $keymgr_api_class = hiera('nova::compute::keymgr_api_class', 'nova.keymgr.conf_key_mgr.ConfKeyManager'), ) { if $step >= 4 { @@ -37,7 +44,9 @@ class tripleo::profile::base::nova::compute ( include ::tripleo::profile::base::nova # deploy basic bits for nova-compute - include ::nova::compute + class { '::nova::compute': + keymgr_api_class => $keymgr_api_class, + } # If Service['nova-conductor'] is in catalog, make sure we start it # before nova-compute. Service<| title == 'nova-conductor' |> -> Service['nova-compute'] diff --git a/manifests/profile/base/rabbitmq.pp b/manifests/profile/base/rabbitmq.pp index d0b4a05..fbe5113 100644 --- a/manifests/profile/base/rabbitmq.pp +++ b/manifests/profile/base/rabbitmq.pp @@ -98,15 +98,6 @@ class tripleo::profile::base::rabbitmq ( $tls_keyfile = undef } - # IPv6 environment, necessary for RabbitMQ. - if $ipv6 { - $rabbit_env = merge($environment, { - 'RABBITMQ_SERVER_START_ARGS' => '"-proto_dist inet6_tcp"', - 'RABBITMQ_CTL_ERL_ARGS' => '"-proto_dist inet6_tcp"' - }) - } else { - $rabbit_env = $environment - } if $inet_dist_interface { $real_kernel_variables = merge( $kernel_variables, @@ -125,10 +116,11 @@ class tripleo::profile::base::rabbitmq ( cluster_nodes => $nodes, config_kernel_variables => $real_kernel_variables, config_variables => $config_variables, - environment_variables => $rabbit_env, + environment_variables => $environment, # TLS options ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, + ipv6 => $ipv6, } # when running multi-nodes without Pacemaker if $manage_service { @@ -144,10 +136,11 @@ class tripleo::profile::base::rabbitmq ( class { '::rabbitmq': config_kernel_variables => $kernel_variables, config_variables => $config_variables, - environment_variables => $rabbit_env, + environment_variables => $environment, # TLS options ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, + ipv6 => $ipv6, } } } |