Diffstat (limited to 'manifests/profile/pacemaker')
-rw-r--r-- | manifests/profile/pacemaker/cinder/backup_bundle.pp | 9 | ||||
-rw-r--r-- | manifests/profile/pacemaker/cinder/volume_bundle.pp | 4 | ||||
-rw-r--r-- | manifests/profile/pacemaker/database/mysql.pp | 110 | ||||
-rw-r--r-- | manifests/profile/pacemaker/database/mysql_bundle.pp | 2 | ||||
-rw-r--r-- | manifests/profile/pacemaker/database/redis_bundle.pp | 43 | ||||
-rw-r--r-- | manifests/profile/pacemaker/haproxy_bundle.pp | 25 | ||||
-rw-r--r-- | manifests/profile/pacemaker/rabbitmq_bundle.pp | 4 |
7 files changed, 117 insertions, 80 deletions
diff --git a/manifests/profile/pacemaker/cinder/backup_bundle.pp b/manifests/profile/pacemaker/cinder/backup_bundle.pp
index a5e1a9b..2a82c3e 100644
--- a/manifests/profile/pacemaker/cinder/backup_bundle.pp
+++ b/manifests/profile/pacemaker/cinder/backup_bundle.pp
@@ -85,13 +85,8 @@ class tripleo::profile::pacemaker::cinder::backup_bundle (
 'options' => 'ro',
 },
 'cinder-backup-cfg-data' => {
- 'source-dir' => '/var/lib/config-data/cinder/etc/cinder',
- 'target-dir' => '/etc/cinder',
- 'options' => 'ro',
- },
- 'cinder-backup-cfg-ceph' => {
- 'source-dir' => '/var/lib/config-data/cinder/etc/ceph',
- 'target-dir' => '/etc/ceph',
+ 'source-dir' => '/var/lib/config-data/puppet-generated/cinder/',
+ 'target-dir' => '/var/lib/kolla/config_files/src',
 'options' => 'ro',
 },
 'cinder-backup-hosts' => {
diff --git a/manifests/profile/pacemaker/cinder/volume_bundle.pp b/manifests/profile/pacemaker/cinder/volume_bundle.pp
index 39199a5..8d58036 100644
--- a/manifests/profile/pacemaker/cinder/volume_bundle.pp
+++ b/manifests/profile/pacemaker/cinder/volume_bundle.pp
@@ -85,8 +85,8 @@ class tripleo::profile::pacemaker::cinder::volume_bundle (
 'options' => 'ro',
 },
 'cinder-volume-cfg-data' => {
- 'source-dir' => '/var/lib/config-data/cinder/etc/cinder',
- 'target-dir' => '/etc/cinder',
+ 'source-dir' => '/var/lib/config-data/puppet-generated/cinder/',
+ 'target-dir' => '/var/lib/kolla/config_files/src',
 'options' => 'ro',
 },
 'cinder-volume-hosts' => {
diff --git a/manifests/profile/pacemaker/database/mysql.pp b/manifests/profile/pacemaker/database/mysql.pp
index 3aff62f..b9f2a65 100644
--- a/manifests/profile/pacemaker/database/mysql.pp
+++ b/manifests/profile/pacemaker/database/mysql.pp
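Review bot: The backup_bundle hunk removes the dedicated `cinder-backup-cfg-ceph` mapping (`/var/lib/config-data/cinder/etc/ceph` -> `/etc/ceph`) without adding any replacement mount for the ceph configuration; the only config mapping left points the whole puppet-generated cinder tree at `/var/lib/kolla/config_files/src`. Whether `/etc/ceph` (and any keyring it holds) still reaches the container now depends entirely on the kolla config.json copy rules, which are not part of this diff, so that should be confirmed before merging, since a ceph-backed backup driver would fail closed or, worse, fall back to whatever is baked into the image. A one-line comment on the `cinder-backup-cfg-data` entry would help the next reader, e.g. `# ceph config/keyring are copied from the puppet-generated tree by kolla_start, not mounted directly`, once that is verified. The enclosing `storage_maps` hash and class body continue outside the hunk.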
@@ -26,11 +26,39 @@
 # (Optional) The address that the local mysql instance should bind to.
 # Defaults to $::hostname
 #
+# [*ca_file*]
+# (Optional) The path to the CA file that will be used for the TLS
+# configuration. It's only used if internal TLS is enabled.
+# Defaults to undef
+#
+# [*certificate_specs*]
+# (Optional) The specifications to give to certmonger for the certificate
+# it will create. Note that the certificate nickname must be 'mysql' in
+# the case of this service.
+# Example with hiera:
+# tripleo::profile::base::database::mysql::certificate_specs:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "mysql/<overcloud controller fqdn>"
+# Defaults to hiera('tripleo::profile::base::database::mysql::certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
 # [*gmcast_listen_addr*]
 # (Optional) This variable defines the address on which the node listens to
 # connections from other nodes in the cluster.
 # Defaults to hiera('mysql_bind_host')
 #
+# [*innodb_flush_log_at_trx_commit*]
+# (Optional) Disk flush behavior for MySQL under Galera. A value of
+# '1' indicates flush to disk per transaction. A value of '2' indicates
+# flush to disk every second, flushing all unflushed transactions in
+# one step.
+# Defaults to hiera('innodb_flush_log_at_trx_commit', '1')
+#
 # [*step*]
 # (Optional) The current step in deployment. See tripleo-heat-templates
 # for more details.
@@ -41,11 +69,15 @@
 # Defaults to hiera('pcs_tries', 20)
 #
 class tripleo::profile::pacemaker::database::mysql (
- $bootstrap_node = hiera('mysql_short_bootstrap_node_name'),
- $bind_address = $::hostname,
- $gmcast_listen_addr = hiera('mysql_bind_host'),
- $step = Integer(hiera('step')),
- $pcs_tries = hiera('pcs_tries', 20),
+ $bootstrap_node = hiera('mysql_short_bootstrap_node_name'),
+ $bind_address = $::hostname,
+ $ca_file = undef,
+ $certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
+ $gmcast_listen_addr = hiera('mysql_bind_host'),
+ $innodb_flush_log_at_trx_commit = hiera('innodb_flush_log_at_trx_commit', '1'),
+ $step = Integer(hiera('step')),
+ $pcs_tries = hiera('pcs_tries', 20),
 ) {
 if $::hostname == downcase($bootstrap_node) {
 $pacemaker_master = true
@@ -70,35 +102,49 @@ class tripleo::profile::pacemaker::database::mysql (
 $processed_galera_name_pairs = $galera_name_pairs.map |$pair| { join($pair, ':') }
 $cluster_host_map = join($processed_galera_name_pairs, ';')
+ if $enable_internal_tls {
+ $tls_certfile = $certificate_specs['service_certificate']
+ $tls_keyfile = $certificate_specs['service_key']
+ if $ca_file {
+ $tls_ca_options = "socket.ssl_ca=${ca_file}"
+ } else {
+ $tls_ca_options = ''
+ }
+ $tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options};"
+ } else {
+ $tls_options = ''
+ }
 $mysqld_options = {
 'mysqld' => {
- 'skip-name-resolve' => '1',
- 'binlog_format' => 'ROW',
- 'default-storage-engine' => 'innodb',
- 'innodb_autoinc_lock_mode' => '2',
- 'innodb_locks_unsafe_for_binlog'=> '1',
- 'innodb_file_per_table' => 'ON',
- 'query_cache_size' => '0',
- 'query_cache_type' => '0',
- 'bind-address' => $bind_address,
- 'max_connections' => hiera('mysql_max_connections'),
- 'open_files_limit' => '-1',
- 'wsrep_on' => 'ON',
- 'wsrep_provider' => '/usr/lib64/galera/libgalera_smm.so',
- 'wsrep_cluster_name' => 'galera_cluster',
- 'wsrep_cluster_address' => "gcomm://${galera_nodes}",
- 'wsrep_slave_threads' => '1',
- 'wsrep_certify_nonPK' => '1',
- 'wsrep_max_ws_rows' => '131072',
- 'wsrep_max_ws_size' => '1073741824',
- 'wsrep_debug' => '0',
- 'wsrep_convert_LOCK_to_trx' => '0',
- 'wsrep_retry_autocommit' => '1',
- 'wsrep_auto_increment_control' => '1',
- 'wsrep_drupal_282555_workaround'=> '0',
- 'wsrep_causal_reads' => '0',
- 'wsrep_sst_method' => 'rsync',
- 'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;",
+ 'skip-name-resolve' => '1',
+ 'binlog_format' => 'ROW',
+ 'default-storage-engine' => 'innodb',
+ 'innodb_autoinc_lock_mode' => '2',
+ 'innodb_locks_unsafe_for_binlog' => '1',
+ 'innodb_file_per_table' => 'ON',
+ 'innodb_flush_log_at_trx_commit' => $innodb_flush_log_at_trx_commit,
+ 'query_cache_size' => '0',
+ 'query_cache_type' => '0',
+ 'bind-address' => $bind_address,
+ 'max_connections' => hiera('mysql_max_connections'),
+ 'open_files_limit' => '-1',
+ 'wsrep_on' => 'ON',
+ 'wsrep_provider' => '/usr/lib64/galera/libgalera_smm.so',
+ 'wsrep_cluster_name' => 'galera_cluster',
+ 'wsrep_cluster_address' => "gcomm://${galera_nodes}",
+ 'wsrep_slave_threads' => '1',
+ 'wsrep_certify_nonPK' => '1',
+ 'wsrep_max_ws_rows' => '131072',
+ 'wsrep_max_ws_size' => '1073741824',
+ 'wsrep_debug' => '0',
+ 'wsrep_convert_LOCK_to_trx' => '0',
+ 'wsrep_retry_autocommit' => '1',
+ 'wsrep_auto_increment_control' => '1',
+ 'wsrep_drupal_282555_workaround' => '0',
+ 'wsrep_causal_reads' => '0',
+ 'wsrep_sst_method' => 'rsync',
+ 'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;${tls_options}",
 }
 }
diff --git a/manifests/profile/pacemaker/database/mysql_bundle.pp b/manifests/profile/pacemaker/database/mysql_bundle.pp
index 56e9e28..a80b2de 100644
--- a/manifests/profile/pacemaker/database/mysql_bundle.pp
+++ b/manifests/profile/pacemaker/database/mysql_bundle.pp
@@ -215,7 +215,7 @@ MYSQL_HOST=localhost\n",
 'options' => 'ro',
 },
 'mysql-cfg-data' => {
- 'source-dir' => '/var/lib/config-data/mysql',
+ 'source-dir' => '/var/lib/config-data/puppet-generated/mysql/',
 'target-dir' => '/var/lib/kolla/config_files/src',
 'options' => 'ro',
 },
diff --git a/manifests/profile/pacemaker/database/redis_bundle.pp b/manifests/profile/pacemaker/database/redis_bundle.pp
index dd090d7..ea153a8 100644
--- a/manifests/profile/pacemaker/database/redis_bundle.pp
+++ b/manifests/profile/pacemaker/database/redis_bundle.pp
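Review bot: In the new `if $enable_internal_tls` block at the top of the hunk, `service_certificate` and `service_key` are read from `$certificate_specs`, whose default is `{}`, so a deployment that enables internal TLS without the specs silently ends up with `socket.ssl_key=;socket.ssl_cert=;` in `wsrep_provider_options` instead of a catalog failure; the option string also always ends in `;;` when `$ca_file` is unset because the empty CA fragment is still followed by a `;`. I would fail the catalog when either path is missing and only append the CA fragment when it is given. Whether the Galera provider authenticates peers when `socket.ssl_ca` is omitted is not visible here; if it does not, replication traffic would be encrypted but not authenticated, so the `ca_file` parameter doc should say that it is expected to be set whenever internal TLS is enabled. The enclosing class body continues outside the hunk.
```puppet
  if $enable_internal_tls {
    $tls_certfile = $certificate_specs['service_certificate']
    $tls_keyfile  = $certificate_specs['service_key']
    unless $tls_certfile and $tls_keyfile {
      fail('enable_internal_tls is set but certificate_specs lacks service_certificate or service_key')
    }
    # Without socket.ssl_ca the provider may not authenticate peers -- set ca_file for internal TLS.
    $tls_ca_options = $ca_file ? {
      undef   => '',
      default => "socket.ssl_ca=${ca_file};",
    }
    $tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options}"
  } else {
    $tls_options = ''
  }
  # ... unchanged: $mysqld_options hash ...
```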
@@ -83,77 +83,62 @@ class tripleo::profile::pacemaker::database::redis_bundle (
 run_command => '/bin/bash /usr/local/bin/kolla_start',
 network => "control-port=${redis_docker_control_port}",
 storage_maps => {
- 'redis-cfg-files' => {
+ 'redis-cfg-files' => {
 'source-dir' => '/var/lib/kolla/config_files/redis.json',
 'target-dir' => '/var/lib/kolla/config_files/config.json',
 'options' => 'ro',
 },
- 'redis-cfg-data-redis' => {
- 'source-dir' => '/var/lib/config-data/redis/etc/redis',
- 'target-dir' => '/etc/redis',
+ 'redis-cfg-data-redis' => {
+ 'source-dir' => '/var/lib/config-data/puppet-generated/redis/',
+ 'target-dir' => '/var/lib/kolla/config_files/src',
 'options' => 'ro',
 },
- 'redis-cfg-data-redis-conf' => {
- 'source-dir' => '/var/lib/config-data/redis/etc/redis.conf',
- 'target-dir' => '/etc/redis.conf',
- 'options' => 'ro',
- },
- 'redis-cfg-data-redis-conf-puppet' => {
- 'source-dir' => '/var/lib/config-data/redis/etc/redis.conf.puppet',
- 'target-dir' => '/etc/redis.conf.puppet',
- 'options' => 'ro',
- },
- 'redis-cfg-data-redis-sentinel' => {
- 'source-dir' => '/var/lib/config-data/redis/etc/redis-sentinel.conf',
- 'target-dir' => '/etc/redis-sentinel.conf',
- 'options' => 'ro',
- },
- 'redis-hosts' => {
+ 'redis-hosts' => {
 'source-dir' => '/etc/hosts',
 'target-dir' => '/etc/hosts',
 'options' => 'ro',
 },
- 'redis-localtime' => {
+ 'redis-localtime' => {
 'source-dir' => '/etc/localtime',
 'target-dir' => '/etc/localtime',
 'options' => 'ro',
 },
- 'redis-lib' => {
+ 'redis-lib' => {
 'source-dir' => '/var/lib/redis',
 'target-dir' => '/var/lib/redis',
 'options' => 'rw',
 },
- 'redis-log' => {
+ 'redis-log' => {
 'source-dir' => '/var/log/redis',
 'target-dir' => '/var/log/redis',
 'options' => 'rw',
 },
- 'redis-run' => {
+ 'redis-run' => {
 'source-dir' => '/var/run/redis',
 'target-dir' => '/var/run/redis',
 'options' => 'rw',
 },
- 'redis-pki-extracted' => {
+ 'redis-pki-extracted' => {
 'source-dir' => '/etc/pki/ca-trust/extracted',
 'target-dir' => '/etc/pki/ca-trust/extracted',
 'options' => 'ro',
 },
- 'redis-pki-ca-bundle-crt' => {
+ 'redis-pki-ca-bundle-crt' => {
 'source-dir' => '/etc/pki/tls/certs/ca-bundle.crt',
 'target-dir' => '/etc/pki/tls/certs/ca-bundle.crt',
 'options' => 'ro',
 },
- 'redis-pki-ca-bundle-trust-crt' => {
+ 'redis-pki-ca-bundle-trust-crt' => {
 'source-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt',
 'target-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt',
 'options' => 'ro',
 },
- 'redis-pki-cert' => {
+ 'redis-pki-cert' => {
 'source-dir' => '/etc/pki/tls/cert.pem',
 'target-dir' => '/etc/pki/tls/cert.pem',
 'options' => 'ro',
 },
- 'redis-dev-log' => {
+ 'redis-dev-log' => {
 'source-dir' => '/dev/log',
 'target-dir' => '/dev/log',
 'options' => 'rw',
diff --git a/manifests/profile/pacemaker/haproxy_bundle.pp b/manifests/profile/pacemaker/haproxy_bundle.pp
index 9c1bdf3..b785ea7 100644
--- a/manifests/profile/pacemaker/haproxy_bundle.pp
+++ b/manifests/profile/pacemaker/haproxy_bundle.pp
@@ -30,6 +30,11 @@
 # (Optional) Whether load balancing is enabled for this cluster
 # Defaults to hiera('enable_load_balancer', true)
 #
+# [*deployed_ssl_cert_path*]
+# (Optional) The filepath of the certificate as it will be stored in
+# the controller.
+# Defaults to '/etc/pki/tls/private/overcloud_endpoint.pem'
+#
 # [*step*]
 # (Optional) The current step in deployment. See tripleo-heat-templates
 # for more details.
@@ -40,11 +45,12 @@
 # Defaults to hiera('pcs_tries', 20)
 #
 class tripleo::profile::pacemaker::haproxy_bundle (
- $haproxy_docker_image = hiera('tripleo::profile::pacemaker::haproxy::haproxy_docker_image', undef),
- $bootstrap_node = hiera('haproxy_short_bootstrap_node_name'),
- $enable_load_balancer = hiera('enable_load_balancer', true),
- $step = Integer(hiera('step')),
- $pcs_tries = hiera('pcs_tries', 20),
+ $haproxy_docker_image = hiera('tripleo::profile::pacemaker::haproxy::haproxy_docker_image', undef),
+ $bootstrap_node = hiera('haproxy_short_bootstrap_node_name'),
+ $enable_load_balancer = hiera('enable_load_balancer', true),
+ $deployed_ssl_cert_path = '/etc/pki/tls/private/overcloud_endpoint.pem',
+ $step = Integer(hiera('step')),
+ $pcs_tries = hiera('pcs_tries', 20),
 ) {
 include ::tripleo::profile::base::haproxy
@@ -98,8 +104,8 @@ class tripleo::profile::pacemaker::haproxy_bundle (
 'options' => 'ro',
 },
 'haproxy-cfg-data' => {
- 'source-dir' => '/var/lib/config-data/haproxy/etc',
- 'target-dir' => '/etc',
+ 'source-dir' => '/var/lib/config-data/puppet-generated/haproxy/',
+ 'target-dir' => '/var/lib/kolla/config_files/src',
 'options' => 'ro',
 },
 'haproxy-hosts' => {
@@ -137,6 +143,11 @@ class tripleo::profile::pacemaker::haproxy_bundle (
 'target-dir' => '/dev/log',
 'options' => 'rw',
 },
+ 'haproxy-cert' => {
+ 'source-dir' => $deployed_ssl_cert_path,
+ 'target-dir' => $deployed_ssl_cert_path,
+ 'options' => 'ro',
+ },
 },
 }
 $control_vip = hiera('controller_virtual_ip')
diff --git a/manifests/profile/pacemaker/rabbitmq_bundle.pp b/manifests/profile/pacemaker/rabbitmq_bundle.pp
index 0a6295c..2f848b4 100644
--- a/manifests/profile/pacemaker/rabbitmq_bundle.pp
+++ b/manifests/profile/pacemaker/rabbitmq_bundle.pp
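Review bot: The new `haproxy-cert` storage map in the last hunk (`@@ -137,6 +143,11 @@`) is added unconditionally, but nothing in this class checks that `$deployed_ssl_cert_path` exists on the host; on a deployment without a public-endpoint certificate the bind mount of a missing source presumably ends up creating an empty directory at `/etc/pki/tls/private/overcloud_endpoint.pem` (the usual container-runtime behaviour for an absent bind source), which would then break any later attempt to drop the real PEM file there. Either gate the mapping on the certificate actually being deployed, or at least state the precondition in the parameter doc, e.g. `# The file must already exist on the controller; the bundle bind-mounts it read-only into the container.` Since the default path lives under `tls/private`, the doc should also say whether the file is expected to contain the private key alongside the certificate, which the reader cannot tell from this diff. The class body continues past the hunk.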
@@ -121,8 +121,8 @@ class tripleo::profile::pacemaker::rabbitmq_bundle (
 'options' => 'ro',
 },
 'rabbitmq-cfg-data' => {
- 'source-dir' => '/var/lib/config-data/rabbitmq/etc/rabbitmq',
- 'target-dir' => '/etc/rabbitmq',
+ 'source-dir' => '/var/lib/config-data/puppet-generated/rabbitmq/',
+ 'target-dir' => '/var/lib/kolla/config_files/src',
 'options' => 'ro',
 },
 'rabbitmq-hosts' => { |