Diffstat (limited to 'manifests/profile')
-rw-r--r-- | manifests/profile/base/database/mysql.pp | 22 | ||||
-rw-r--r-- | manifests/profile/base/docker.pp | 4 | ||||
-rw-r--r-- | manifests/profile/base/pacemaker.pp | 20 | ||||
-rw-r--r-- | manifests/profile/pacemaker/clustercheck.pp | 11 | ||||
-rw-r--r-- | manifests/profile/pacemaker/rabbitmq_bundle.pp | 128 |
5 files changed, 118 insertions, 67 deletions
diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp
index 3bf41cf..7e7d68b 100644
--- a/manifests/profile/base/database/mysql.pp
+++ b/manifests/profile/base/database/mysql.pp
@@ -47,6 +47,10 @@
 # limit for the mysql service.
 # Defaults to false
 #
+# [*innodb_buffer_pool_size*]
+# (Optional) Configure the size of the MySQL buffer pool.
+# Defaults to hiera('innodb_buffer_pool_size', undef)
+#
 # [*manage_resources*]
 # (Optional) Whether or not manage root user, root my.cnf, and service.
 # Defaults to true
@@ -76,6 +80,7 @@ class tripleo::profile::base::database::mysql (
 $certificate_specs = {},
 $enable_internal_tls = hiera('enable_internal_tls', false),
 $generate_dropin_file_limit = false,
+ $innodb_buffer_pool_size = hiera('innodb_buffer_pool_size', undef),
 $manage_resources = true,
 $mysql_server_options = {},
 $mysql_max_connections = hiera('mysql_max_connections', undef),
@@ -123,14 +128,15 @@ class tripleo::profile::base::database::mysql (
 # MysqlNetwork and ControllerHostnameResolveNetwork in ServiceNetMap
 $mysql_server_default = {
 'mysqld' => {
- 'bind-address' => $bind_address,
- 'max_connections' => $mysql_max_connections,
- 'open_files_limit' => '-1',
- 'innodb_file_per_table' => 'ON',
- 'ssl' => $enable_internal_tls,
- 'ssl-key' => $tls_keyfile,
- 'ssl-cert' => $tls_certfile,
- 'ssl-ca' => undef,
+ 'bind-address' => $bind_address,
+ 'max_connections' => $mysql_max_connections,
+ 'open_files_limit' => '-1',
+ 'innodb_buffer_pool_size' => $innodb_buffer_pool_size,
+ 'innodb_file_per_table' => 'ON',
+ 'ssl' => $enable_internal_tls,
+ 'ssl-key' => $tls_keyfile,
+ 'ssl-cert' => $tls_certfile,
+ 'ssl-ca' => undef,
 }
 }
 $mysql_server_options_real = deep_merge($mysql_server_default, $mysql_server_options)
diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp
index 5f6d97c..d230366 100644
--- a/manifests/profile/base/docker.pp
+++ b/manifests/profile/base/docker.pp
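Review bot: The new `[*innodb_buffer_pool_size*]` doc does not say what format the value must have, and nothing in this file validates it before it lands in my.cnf as `innodb_buffer_pool_size`; a non-numeric or badly suffixed hiera value is only caught when mysqld refuses to start, not at catalog compile time. Suggest `# (Optional) Configure the size of the MySQL buffer pool, in the form mysqld accepts (a byte count or a value with a K/M/G suffix, e.g. '8G'). Not validated here.` The parameter has the same shape as `max_connections`, so whether an `undef` value is dropped from the rendered my.cnf or emitted as an empty key is up to the puppetlabs-mysql template, which is not visible here — worth confirming once rather than relying on it twice.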
@@ -32,7 +32,7 @@
 # OPTIONS that are used to startup the docker service. NOTE:
 # --selinux-enabled is dropped due to recommendations here:
 # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/technology-preview-file_systems.html
-# Defaults to '--log-driver=journald --signature-verification=false'
+# Defaults to '--log-driver=journald --signature-verification=false --iptables=false'
 #
 # [*configure_storage*]
 # Boolean. Whether to configure a docker storage backend. Defaults to true.
@@ -57,7 +57,7 @@ class tripleo::profile::base::docker (
 $insecure_registry_address = undef,
 $registry_mirror = false,
- $docker_options = '--log-driver=journald --signature-verification=false',
+ $docker_options = '--log-driver=journald --signature-verification=false --iptables=false',
 $configure_storage = true,
 $storage_options = '-s overlay2',
 $step = Integer(hiera('step')),
diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp
index d468110..de7e069 100644
--- a/manifests/profile/base/pacemaker.pp
+++ b/manifests/profile/base/pacemaker.pp
@@ -63,6 +63,10 @@
 # be set to 60s.
 # Defaults to hiera('pacemaker_cluster_recheck_interval', undef)
 #
+# [*encryption*]
+# (Optional) Whether or not to enable encryption of the pacemaker traffic
+# Defaults to true
+#
 class tripleo::profile::base::pacemaker (
 $step = Integer(hiera('step')),
 $pcs_tries = hiera('pcs_tries', 20),
@@ -74,6 +78,7 @@ class tripleo::profile::base::pacemaker (
 $remote_tries = hiera('pacemaker_remote_tries', 5),
 $remote_try_sleep = hiera('pacemaker_remote_try_sleep', 60),
 $cluster_recheck_interval = hiera('pacemaker_cluster_recheck_interval', undef),
+ $encryption = true,
 ) {
 
 if count($remote_short_node_names) != count($remote_node_ips) {
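Review bot: The NOTE in this comment block explains the dropped `--selinux-enabled` but says nothing about the newly added `--iptables=false`, which is the more consequential flag: it tells dockerd not to manage the host's iptables rules, so containers that rely on bridge networking with published ports stop being reachable and only host-networked containers behave as before. Presumably that is intended because the containers this tree deploys use host networking, but the reason belongs next to the existing NOTE so the next person does not "fix" it, e.g. `# --iptables=false: do not let dockerd manage the host's iptables (NAT/FORWARD) rules; note this breaks published ports for bridge-networked containers.` plus one line on why that is acceptable here.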
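Review bot: `$docker_options` is a single opaque string, so any deployment that already overrides it (the usual way to add a registry or logging flag) silently loses the new `--iptables=false` and keeps Docker's iptables management, with no warning from this class. If the flag is needed for correct host-firewall behaviour rather than being a convenience default, it should not live in an overridable free-form string: a dedicated `$docker_iptables = false,` parameter with the flag appended in the class body, `"${docker_options} --iptables=${docker_iptables}"`, would survive overrides; otherwise the parameter doc should at least warn that an override of `docker_options` must re-add `--iptables=false`. The class body that consumes `$docker_options` is outside this hunk.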
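Review bot: `$encryption = true,` is the only parameter in this list without a hiera lookup and without a type, so unlike its siblings (`pcs_tries`, `remote_tries`, `remote_try_sleep`, …) it cannot be toggled from hiera, and if it is later wired to hiera a string such as `'false'` would be truthy in Puppet 4 — the same pitfall the class already guards against with `str2bool(hiera('corosync_ipv6', false))`. Suggest `$encryption = str2bool(hiera('pacemaker_encryption', true)),` (or a `Boolean $encryption = true,` type constraint) and updating the `[*encryption*]` doc to name the hiera key. The class body continues past the `if count(...)` line at the end of the hunk.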
@@ -98,9 +103,20 @@ class tripleo::profile::base::pacemaker (
 $pacemaker_cluster_members = downcase(regsubst($pacemaker_short_node_names, ',', ' ', 'G'))
 $corosync_ipv6 = str2bool(hiera('corosync_ipv6', false))
 if $corosync_ipv6 {
- $cluster_setup_extras = { '--token' => hiera('corosync_token_timeout', 1000), '--ipv6' => '' }
+ $cluster_setup_extras_pre = {
+ '--token' => hiera('corosync_token_timeout', 1000),
+ '--ipv6' => ''
+ }
+ } else {
+ $cluster_setup_extras_pre = {
+ '--token' => hiera('corosync_token_timeout', 1000)
+ }
+ }
+
+ if $encryption {
+ $cluster_setup_extras = merge($cluster_setup_extras_pre, {'--encryption' => '1'})
 } else {
- $cluster_setup_extras = { '--token' => hiera('corosync_token_timeout', 1000) }
+ $cluster_setup_extras = $cluster_setup_extras_pre
 }
 class { '::pacemaker':
 hacluster_pwd => hiera('hacluster_pwd'),
diff --git a/manifests/profile/pacemaker/clustercheck.pp b/manifests/profile/pacemaker/clustercheck.pp
index 958f4a2..c08bafc 100644
--- a/manifests/profile/pacemaker/clustercheck.pp
+++ b/manifests/profile/pacemaker/clustercheck.pp
@@ -26,14 +26,19 @@
 # (Optional) The address that the local mysql instance should bind to.
 # Defaults to hiera('mysql_bind_host')
 #
+# [*clustercheck_user*]
+# (Optional) The name of the clustercheck user.
+# Defaults to 'clustercheck'
+#
 # [*clustercheck_password*]
 # (Optional) The password for the clustercheck user.
-# Defaults to hiera('mysql::server::root_password')
+# Defaults to hiera('mysql_clustercheck_password')
 #
 #
 class tripleo::profile::pacemaker::clustercheck (
 $step = Integer(hiera('step')),
- $clustercheck_password = hiera('mysql::server::root_password'),
+ $clustercheck_user = 'clustercheck',
+ $clustercheck_password = hiera('mysql_clustercheck_password'),
 $bind_address = hiera('mysql_bind_host'),
 ) {
 
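Review bot: In the `else` branch `$cluster_setup_extras` is just `$cluster_setup_extras_pre`, so with `$encryption` false no `--encryption` flag is passed at all and the resulting corosync crypto settings are whatever pcs defaults to on that platform, which is not visible in the rendered command or in logs; if pcs accepts `--encryption 0` the way this hunk relies on it accepting `1`, `$cluster_setup_extras = merge($cluster_setup_extras_pre, {'--encryption' => '0'})` makes the choice explicit in both branches. It is also worth stating in the `[*encryption*]` doc that these extras only feed `pcs cluster setup`, i.e. initial cluster creation: nothing in this hunk reconfigures an existing cluster, so flipping the parameter after deployment will not, as far as this change shows, turn encryption on or off. The `class { '::pacemaker':` resource that presumably consumes `$cluster_setup_extras` continues beyond the hunk.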
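Review bot: The new `$clustercheck_user` parameter is documented only as "the name of the clustercheck user", but nothing in this class creates that MySQL account or its grant — the hunk only adds the parameter — so the doc should say where the account is expected to come from and that the name must match it: `# (Optional) The name of the clustercheck user. The account and its grant are not created here; they must be provided by whatever manages the MySQL server, and this name must match.` `hiera('mysql_clustercheck_password')` has no default, so a missing key fails at catalog compile instead of silently falling back to the root password — good — but the `[*clustercheck_password*]` doc still calls it optional; say "required hiera key `mysql_clustercheck_password`" instead.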
@@ -43,7 +48,7 @@ class tripleo::profile::pacemaker::clustercheck (
 mode => '0600',
 owner => 'mysql',
 group => 'mysql',
- content => "MYSQL_USERNAME=root\n
+ content => "MYSQL_USERNAME=${clustercheck_user}\n
 MYSQL_PASSWORD='${clustercheck_password}'\n
 MYSQL_HOST=localhost\n",
 }
diff --git a/manifests/profile/pacemaker/rabbitmq_bundle.pp b/manifests/profile/pacemaker/rabbitmq_bundle.pp
index 5dd22d2..4d6b9af 100644
--- a/manifests/profile/pacemaker/rabbitmq_bundle.pp
+++ b/manifests/profile/pacemaker/rabbitmq_bundle.pp
@@ -44,6 +44,10 @@
 # (Optional) The list of rabbitmq nodes names
 # Defaults to hiera('rabbitmq_node_names')
 #
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
 # [*step*]
 # (Optional) The current step in deployment. See tripleo-heat-templates
 # for more details.
@@ -60,6 +64,7 @@ class tripleo::profile::pacemaker::rabbitmq_bundle (
 $erlang_cookie = hiera('rabbitmq::erlang_cookie'),
 $user_ha_queues = hiera('rabbitmq::nr_ha_queues', 0),
 $rabbit_nodes = hiera('rabbitmq_node_names'),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
 $pcs_tries = hiera('pcs_tries', 20),
 $step = Integer(hiera('step')),
 ) {
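Review bot: `MYSQL_USERNAME=${clustercheck_user}` is written unquoted while `MYSQL_PASSWORD='${clustercheck_password}'` on the next line is single-quoted, and the username is now caller-supplied instead of the fixed `root`; if this `KEY=value` file is sourced as shell by the clustercheck script (its layout suggests so), a username containing whitespace or shell metacharacters breaks the file or gets interpreted. Quote it the same way, `content => "MYSQL_USERNAME='${clustercheck_user}'\n`, and note that neither value is escaped — a password containing `'` breaks the file too — which a `String` type plus a regexp check on the two parameters would catch at compile time. Since the file now carries a dedicated secret, consider adding `show_diff => false,` next to `mode`/`owner`/`group` so the agent does not print the password in diffs and reports when the content changes; the `file` resource's opening line is outside the hunk.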
@@ -102,6 +107,76 @@ class tripleo::profile::pacemaker::rabbitmq_bundle (
 }
 }
 
+ $storage_maps = {
+ 'rabbitmq-cfg-files' => {
+ 'source-dir' => '/var/lib/kolla/config_files/rabbitmq.json',
+ 'target-dir' => '/var/lib/kolla/config_files/config.json',
+ 'options' => 'ro',
+ },
+ 'rabbitmq-cfg-data' => {
+ 'source-dir' => '/var/lib/config-data/puppet-generated/rabbitmq/',
+ 'target-dir' => '/var/lib/kolla/config_files/src',
+ 'options' => 'ro',
+ },
+ 'rabbitmq-hosts' => {
+ 'source-dir' => '/etc/hosts',
+ 'target-dir' => '/etc/hosts',
+ 'options' => 'ro',
+ },
+ 'rabbitmq-localtime' => {
+ 'source-dir' => '/etc/localtime',
+ 'target-dir' => '/etc/localtime',
+ 'options' => 'ro',
+ },
+ 'rabbitmq-lib' => {
+ 'source-dir' => '/var/lib/rabbitmq',
+ 'target-dir' => '/var/lib/rabbitmq',
+ 'options' => 'rw',
+ },
+ 'rabbitmq-pki-extracted' => {
+ 'source-dir' => '/etc/pki/ca-trust/extracted',
+ 'target-dir' => '/etc/pki/ca-trust/extracted',
+ 'options' => 'ro',
+ },
+ 'rabbitmq-pki-ca-bundle-crt' => {
+ 'source-dir' => '/etc/pki/tls/certs/ca-bundle.crt',
+ 'target-dir' => '/etc/pki/tls/certs/ca-bundle.crt',
+ 'options' => 'ro',
+ },
+ 'rabbitmq-pki-ca-bundle-trust-crt' => {
+ 'source-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt',
+ 'target-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt',
+ 'options' => 'ro',
+ },
+ 'rabbitmq-pki-cert' => {
+ 'source-dir' => '/etc/pki/tls/cert.pem',
+ 'target-dir' => '/etc/pki/tls/cert.pem',
+ 'options' => 'ro',
+ },
+ 'rabbitmq-dev-log' => {
+ 'source-dir' => '/dev/log',
+ 'target-dir' => '/dev/log',
+ 'options' => 'rw',
+ },
+ }
+
+ if $enable_internal_tls {
+ $storage_maps_tls = {
+ 'rabbitmq-pki-cert' => {
+ 'source-dir' => '/etc/pki/tls/certs/rabbitmq.crt',
+ 'target-dir' => '/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt',
+ 'options' => 'ro',
+ },
+ 'rabbitmq-pki-key' => {
+ 'source-dir' => '/etc/pki/tls/private/rabbitmq.key',
+ 'target-dir' => '/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key',
+ 'options' => 'ro',
+ },
+ }
+ } else {
+ $storage_maps_tls = {}
+ }
+
 pacemaker::resource::bundle { 'rabbitmq-bundle':
 image => $rabbitmq_docker_image,
 replicas => $rabbitmq_nodes_count,
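Review bot: The storage-map key `'rabbitmq-pki-cert'` is used twice — in `$storage_maps` for `/etc/pki/tls/cert.pem` and again in `$storage_maps_tls` for `/etc/pki/tls/certs/rabbitmq.crt` — so when the two hashes are combined for the bundle (the `merge` in the following hunk), enabling `$enable_internal_tls` silently drops the `/etc/pki/tls/cert.pem` bind mount from the container while every other CA-trust mount is kept; that looks unintended. Give the TLS entry its own id, `'rabbitmq-pki-tls-cert' => {`, so both mounts survive. The private key is mounted with `'options' => 'ro'`, which is right, but read-only is the only thing between a compromised container and the host's key material, so the host-side permissions on `/etc/pki/tls/private/rabbitmq.key` are what actually bound the exposure — worth a one-line comment above the `if $enable_internal_tls` block. The `pacemaker::resource::bundle` resource opened at the end of the hunk continues beyond it.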
@@ -114,58 +189,7 @@ class tripleo::profile::pacemaker::rabbitmq_bundle (
 options => '--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS',
 run_command => '/bin/bash /usr/local/bin/kolla_start',
 network => "control-port=${rabbitmq_docker_control_port}",
- storage_maps => {
- 'rabbitmq-cfg-files' => {
- 'source-dir' => '/var/lib/kolla/config_files/rabbitmq.json',
- 'target-dir' => '/var/lib/kolla/config_files/config.json',
- 'options' => 'ro',
- },
- 'rabbitmq-cfg-data' => {
- 'source-dir' => '/var/lib/config-data/puppet-generated/rabbitmq/',
- 'target-dir' => '/var/lib/kolla/config_files/src',
- 'options' => 'ro',
- },
- 'rabbitmq-hosts' => {
- 'source-dir' => '/etc/hosts',
- 'target-dir' => '/etc/hosts',
- 'options' => 'ro',
- },
- 'rabbitmq-localtime' => {
- 'source-dir' => '/etc/localtime',
- 'target-dir' => '/etc/localtime',
- 'options' => 'ro',
- },
- 'rabbitmq-lib' => {
- 'source-dir' => '/var/lib/rabbitmq',
- 'target-dir' => '/var/lib/rabbitmq',
- 'options' => 'rw',
- },
- 'rabbitmq-pki-extracted' => {
- 'source-dir' => '/etc/pki/ca-trust/extracted',
- 'target-dir' => '/etc/pki/ca-trust/extracted',
- 'options' => 'ro',
- },
- 'rabbitmq-pki-ca-bundle-crt' => {
- 'source-dir' => '/etc/pki/tls/certs/ca-bundle.crt',
- 'target-dir' => '/etc/pki/tls/certs/ca-bundle.crt',
- 'options' => 'ro',
- },
- 'rabbitmq-pki-ca-bundle-trust-crt' => {
- 'source-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt',
- 'target-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt',
- 'options' => 'ro',
- },
- 'rabbitmq-pki-cert' => {
- 'source-dir' => '/etc/pki/tls/cert.pem',
- 'target-dir' => '/etc/pki/tls/cert.pem',
- 'options' => 'ro',
- },
- 'rabbitmq-dev-log' => {
- 'source-dir' => '/dev/log',
- 'target-dir' => '/dev/log',
- 'options' => 'rw',
- },
- },
+ storage_maps => merge($storage_maps, $storage_maps_tls),
 }
 
 # The default nr of ha queues is ceiling(N/2) |