diff options
Diffstat (limited to 'manifests/profile')
| -rw-r--r-- | manifests/profile/base/certmonger_user.pp | 6 | ||||
| -rw-r--r-- | manifests/profile/base/cinder/volume.pp | 37 | ||||
| -rw-r--r-- | manifests/profile/base/cinder/volume/dellemc_unity.pp | 47 | ||||
| -rw-r--r-- | manifests/profile/base/database/mysql.pp | 22 | ||||
| -rw-r--r-- | manifests/profile/base/docker.pp | 62 | ||||
| -rw-r--r-- | manifests/profile/base/haproxy.pp | 7 | ||||
| -rw-r--r-- | manifests/profile/base/ironic.pp | 5 | ||||
| -rw-r--r-- | manifests/profile/base/nova/libvirt.pp | 21 | ||||
| -rw-r--r-- | manifests/profile/base/pacemaker.pp | 20 | ||||
| -rw-r--r-- | manifests/profile/base/zaqar.pp | 48 | ||||
| -rw-r--r-- | manifests/profile/pacemaker/clustercheck.pp | 11 | ||||
| -rw-r--r-- | manifests/profile/pacemaker/database/mysql_bundle.pp | 192 | ||||
| -rw-r--r-- | manifests/profile/pacemaker/haproxy.pp | 10 | ||||
| -rw-r--r-- | manifests/profile/pacemaker/manila.pp | 22 | ||||
| -rw-r--r-- | manifests/profile/pacemaker/rabbitmq_bundle.pp | 128 |
15 files changed, 406 insertions, 232 deletions
diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp index 7a6559e..2ac4b6e 100644 --- a/manifests/profile/base/certmonger_user.pp +++ b/manifests/profile/base/certmonger_user.pp @@ -80,13 +80,16 @@ class tripleo::profile::base::certmonger_user ( unless empty($haproxy_certificates_specs) { $reload_haproxy = ['systemctl reload haproxy'] Class['::tripleo::certmonger::ca::crl'] ~> Haproxy::Balancermember<||> - Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy'] + if defined(Class['::haproxy']) { + Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy'] + } } else { $reload_haproxy = [] } class { '::tripleo::certmonger::ca::crl' : reload_cmds => $reload_haproxy, } + Certmonger_certificate<||> -> Class['::tripleo::certmonger::ca::crl'] include ::tripleo::certmonger::ca::libvirt unless empty($apache_certificates_specs) { @@ -98,6 +101,7 @@ class tripleo::profile::base::certmonger_user ( ensure_resources('tripleo::certmonger::libvirt', $libvirt_certificates_specs) } unless empty($haproxy_certificates_specs) { + include ::tripleo::certmonger::haproxy_dirs ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs) # The haproxy fronends (or listen resources) depend on the certificate # existing and need to be refreshed if it changed. diff --git a/manifests/profile/base/cinder/volume.pp b/manifests/profile/base/cinder/volume.pp index bdfdd17..252bae1 100644 --- a/manifests/profile/base/cinder/volume.pp +++ b/manifests/profile/base/cinder/volume.pp @@ -26,6 +26,10 @@ # (Optional) Whether to enable the delsc backend # Defaults to false # +# [*cinder_enable_dellemc_unity_backend*] +# (Optional) Whether to enable the unity backend +# Defaults to false +# # [*cinder_enable_hpelefthand_backend*] # (Optional) Whether to enable the hpelefthand backend # Defaults to false @@ -68,18 +72,19 @@ # Defaults to hiera('step') # class tripleo::profile::base::cinder::volume ( - $cinder_enable_pure_backend = false, - $cinder_enable_dellsc_backend = false, - $cinder_enable_hpelefthand_backend = false, - $cinder_enable_dellps_backend = false, - $cinder_enable_iscsi_backend = true, - $cinder_enable_netapp_backend = false, - $cinder_enable_nfs_backend = false, - $cinder_enable_rbd_backend = false, - $cinder_enable_scaleio_backend = false, - $cinder_enable_vrts_hs_backend = false, - $cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef), - $step = Integer(hiera('step')), + $cinder_enable_pure_backend = false, + $cinder_enable_dellsc_backend = false, + $cinder_enable_dellemc_unity_backend = false, + $cinder_enable_hpelefthand_backend = false, + $cinder_enable_dellps_backend = false, + $cinder_enable_iscsi_backend = true, + $cinder_enable_netapp_backend = false, + $cinder_enable_nfs_backend = false, + $cinder_enable_rbd_backend = false, + $cinder_enable_scaleio_backend = false, + $cinder_enable_vrts_hs_backend = false, + $cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef), + $step = Integer(hiera('step')), ) { include ::tripleo::profile::base::cinder @@ -100,6 +105,13 @@ class tripleo::profile::base::cinder::volume ( $cinder_dellsc_backend_name = undef } + if $cinder_enable_dellemc_unity_backend { + include ::tripleo::profile::base::cinder::volume::dellemc_unity + $cinder_dellemc_unity_backend_name = hiera('cinder::backend::dellemc_unity::volume_backend_name', 'tripleo_dellemc_unity') + } else { + $cinder_dellemc_unity_backend_name = undef + } + if $cinder_enable_hpelefthand_backend { include ::tripleo::profile::base::cinder::volume::hpelefthand $cinder_hpelefthand_backend_name = hiera('cinder::backend::hpelefthand_iscsi::volume_backend_name', 'tripleo_hpelefthand') @@ -161,6 +173,7 @@ class tripleo::profile::base::cinder::volume ( $cinder_pure_backend_name, $cinder_dellps_backend_name, $cinder_dellsc_backend_name, + $cinder_dellemc_unity_backend_name, $cinder_hpelefthand_backend_name, $cinder_netapp_backend_name, $cinder_nfs_backend_name, diff --git a/manifests/profile/base/cinder/volume/dellemc_unity.pp b/manifests/profile/base/cinder/volume/dellemc_unity.pp new file mode 100644 index 0000000..fb9c36f --- /dev/null +++ b/manifests/profile/base/cinder/volume/dellemc_unity.pp @@ -0,0 +1,47 @@ +# Copyright (c) 2016-2017 Dell Inc, or its subsidiaries. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::cinder::volume::dellemc_unity +# +# Cinder Volume dellemc_unity profile for tripleo +# +# === Parameters +# +# [*backend_name*] +# (Optional) Name given to the Cinder backend stanza +# Defaults to 'tripleo_dellemc_unity' +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::cinder::volume::dellemc_unity ( + $backend_name = hiera('cinder::backend::dellemc_unity::volume_backend_name', 'tripleo_dellemc_unity'), + $step = Integer(hiera('step')), +) { + include ::tripleo::profile::base::cinder::volume + + if $step >= 4 { + cinder::backend::dellemc_unity { $backend_name : + san_ip => hiera('cinder::backend::dellemc_unity::san_ip', undef), + san_login => hiera('cinder::backend::dellemc_unity::san_login', undef), + san_password => hiera('cinder::backend::dellemc_unity::san_password', undef), + storage_protocol => hiera('cinder::backend::dellemc_unity::storage_protocol', undef), + unity_io_ports => hiera('cinder::backend::dellemc_unity::unity_io_ports', undef), + unity_storage_pool_names => hiera('cinder::backend::dellemc_unity::unity_storage_pool_names', undef), + } + } + +} diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp index 3bf41cf..7e7d68b 100644 --- a/manifests/profile/base/database/mysql.pp +++ b/manifests/profile/base/database/mysql.pp @@ -47,6 +47,10 @@ # limit for the mysql service. # Defaults to false # +# [*innodb_buffer_pool_size*] +# (Optional) Configure the size of the MySQL buffer pool. +# Defaults to hiera('innodb_buffer_pool_size', undef) +# # [*manage_resources*] # (Optional) Whether or not manage root user, root my.cnf, and service. # Defaults to true @@ -76,6 +80,7 @@ class tripleo::profile::base::database::mysql ( $certificate_specs = {}, $enable_internal_tls = hiera('enable_internal_tls', false), $generate_dropin_file_limit = false, + $innodb_buffer_pool_size = hiera('innodb_buffer_pool_size', undef), $manage_resources = true, $mysql_server_options = {}, $mysql_max_connections = hiera('mysql_max_connections', undef), @@ -123,14 +128,15 @@ class tripleo::profile::base::database::mysql ( # MysqlNetwork and ControllerHostnameResolveNetwork in ServiceNetMap $mysql_server_default = { 'mysqld' => { - 'bind-address' => $bind_address, - 'max_connections' => $mysql_max_connections, - 'open_files_limit' => '-1', - 'innodb_file_per_table' => 'ON', - 'ssl' => $enable_internal_tls, - 'ssl-key' => $tls_keyfile, - 'ssl-cert' => $tls_certfile, - 'ssl-ca' => undef, + 'bind-address' => $bind_address, + 'max_connections' => $mysql_max_connections, + 'open_files_limit' => '-1', + 'innodb_buffer_pool_size' => $innodb_buffer_pool_size, + 'innodb_file_per_table' => 'ON', + 'ssl' => $enable_internal_tls, + 'ssl-key' => $tls_keyfile, + 'ssl-cert' => $tls_certfile, + 'ssl-ca' => undef, } } $mysql_server_options_real = deep_merge($mysql_server_default, $mysql_server_options) diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp index e042947..d230366 100644 --- a/manifests/profile/base/docker.pp +++ b/manifests/profile/base/docker.pp @@ -32,7 +32,7 @@ # OPTIONS that are used to startup the docker service. NOTE: # --selinux-enabled is dropped due to recommendations here: # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/technology-preview-file_systems.html -# Defaults to '--log-driver=journald --signature-verification=false' +# Defaults to '--log-driver=journald --signature-verification=false --iptables=false' # # [*configure_storage*] # Boolean. Whether to configure a docker storage backend. Defaults to true. @@ -43,18 +43,6 @@ # [*step*] # step defaults to hiera('step') # -# [*configure_libvirt_polkit*] -# Configures libvirt polkit to grant the kolla nova user access to the libvirtd unix domain socket on the host. -# Defaults to true when nova_compute service is enabled, false when nova_compute is disabled -# -# [*docker_nova_uid*] -# When configure_libvirt_polkit = true, the uid/gid of the nova user within the docker container. -# Defaults to 42436 -# -# [*services_enabled*] -# List of TripleO services enabled on the role. -# Defaults to hiera('services_names') -# # DEPRECATED PARAMETERS # # [*docker_namespace*] @@ -69,24 +57,15 @@ class tripleo::profile::base::docker ( $insecure_registry_address = undef, $registry_mirror = false, - $docker_options = '--log-driver=journald --signature-verification=false', + $docker_options = '--log-driver=journald --signature-verification=false --iptables=false', $configure_storage = true, $storage_options = '-s overlay2', $step = Integer(hiera('step')), - $configure_libvirt_polkit = undef, - $docker_nova_uid = 42436, - $services_enabled = hiera('service_names', []), # DEPRECATED PARAMETERS $docker_namespace = undef, $insecure_registry = false, ) { - if $configure_libvirt_polkit == undef { - $configure_libvirt_polkit_real = 'nova_compute' in $services_enabled - } else { - $configure_libvirt_polkit_real = $configure_libvirt_polkit - } - if $step >= 1 { package {'docker': ensure => installed, @@ -176,41 +155,4 @@ class tripleo::profile::base::docker ( } } - if ($step >= 4 and $configure_libvirt_polkit_real) { - # Workaround for polkit authorization for libvirtd socket on host - # - # This creates a local user with the kolla nova uid, and sets the polkit rule to - # allow both it and the nova user from the nova rpms, should it exist (uid 162). - - group { 'docker_nova_group': - name => 'docker_nova', - gid => $docker_nova_uid - } - -> user { 'docker_nova_user': - name => 'docker_nova', - uid => $docker_nova_uid, - gid => $docker_nova_uid, - shell => '/sbin/nologin', - comment => 'OpenStack Nova Daemons', - groups => ['nobody'] - } - - # Similar to the polkit rule in the openstack-nova rpm spec - # but allow both the 'docker_nova' and 'nova' user - $docker_nova_polkit_rule = '// openstack-nova libvirt management permissions -polkit.addRule(function(action, subject) { - if (action.id == "org.libvirt.unix.manage" && - /^(docker_)?nova$/.test(subject.user)) { - return polkit.Result.YES; - } -}); -' - package {'polkit': - ensure => installed, - } - -> file {'/etc/polkit-1/rules.d/50-nova.rules': - content => $docker_nova_polkit_rule, - mode => '0644' - } - } } diff --git a/manifests/profile/base/haproxy.pp b/manifests/profile/base/haproxy.pp index 4f3322c..145f283 100644 --- a/manifests/profile/base/haproxy.pp +++ b/manifests/profile/base/haproxy.pp @@ -36,6 +36,11 @@ # (Optional) Whether or not loadbalancer is enabled. # Defaults to hiera('enable_load_balancer', true). # +# [*manage_firewall*] +# (optional) Enable or disable firewall settings for ports exposed by HAProxy +# (false means disabled, and true means enabled) +# Defaults to hiera('tripleo::firewall::manage_firewall', true) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -44,12 +49,14 @@ class tripleo::profile::base::haproxy ( $certificates_specs = {}, $enable_load_balancer = hiera('enable_load_balancer', true), + $manage_firewall = hiera('tripleo::firewall::manage_firewall', true), $step = Integer(hiera('step')), ) { if $step >= 1 { if $enable_load_balancer { class {'::tripleo::haproxy': internal_certificates_specs => $certificates_specs, + manage_firewall => $manage_firewall, } unless hiera('tripleo::haproxy::haproxy_service_manage', true) { diff --git a/manifests/profile/base/ironic.pp b/manifests/profile/base/ironic.pp index 2739f33..7e6efec 100644 --- a/manifests/profile/base/ironic.pp +++ b/manifests/profile/base/ironic.pp @@ -70,8 +70,9 @@ class tripleo::profile::base::ironic ( if $step >= 4 or ($step >= 3 and $sync_db) { $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl))) class { '::ironic': - sync_db => $sync_db, - default_transport_url => os_transport_url({ + sync_db => $sync_db, + db_online_data_migrations => $sync_db, + default_transport_url => os_transport_url({ 'transport' => $oslomsg_rpc_proto, 'hosts' => $oslomsg_rpc_hosts, 'port' => sprintf('%s', $oslomsg_rpc_port), diff --git a/manifests/profile/base/nova/libvirt.pp b/manifests/profile/base/nova/libvirt.pp index 332e33b..6c865dc 100644 --- a/manifests/profile/base/nova/libvirt.pp +++ b/manifests/profile/base/nova/libvirt.pp @@ -23,14 +23,33 @@ # for more details. # Defaults to hiera('step') # +# [*libvirtd_config*] +# (Optional) Overrides for libvirtd config options +# Default to {} +# class tripleo::profile::base::nova::libvirt ( $step = Integer(hiera('step')), + $libvirtd_config = {}, ) { + include ::tripleo::profile::base::nova::compute_libvirt_shared + if $step >= 4 { include ::tripleo::profile::base::nova include ::tripleo::profile::base::nova::migration::client include ::nova::compute::libvirt::services + $libvirtd_config_default = { + unix_sock_group => {value => '"libvirt"'}, + auth_unix_ro => {value => '"none"'}, + auth_unix_rw => {value => '"none"'}, + unix_sock_ro_perms => {value => '"0777"'}, + unix_sock_rw_perms => {value => '"0770"'} + } + + class { '::nova::compute::libvirt::config': + libvirtd_config => merge($libvirtd_config_default, $libvirtd_config) + } + file { ['/etc/libvirt/qemu/networks/autostart/default.xml', '/etc/libvirt/qemu/networks/default.xml']: ensure => absent, @@ -47,6 +66,4 @@ class tripleo::profile::base::nova::libvirt ( include ::nova::compute::libvirt::qemu } - include ::tripleo::profile::base::nova::compute_libvirt_shared - } diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp index d468110..de7e069 100644 --- a/manifests/profile/base/pacemaker.pp +++ b/manifests/profile/base/pacemaker.pp @@ -63,6 +63,10 @@ # be set to 60s. # Defaults to hiera('pacemaker_cluster_recheck_interval', undef) # +# [*encryption*] +# (Optional) Whether or not to enable encryption of the pacemaker traffic +# Defaults to true +# class tripleo::profile::base::pacemaker ( $step = Integer(hiera('step')), $pcs_tries = hiera('pcs_tries', 20), @@ -74,6 +78,7 @@ class tripleo::profile::base::pacemaker ( $remote_tries = hiera('pacemaker_remote_tries', 5), $remote_try_sleep = hiera('pacemaker_remote_try_sleep', 60), $cluster_recheck_interval = hiera('pacemaker_cluster_recheck_interval', undef), + $encryption = true, ) { if count($remote_short_node_names) != count($remote_node_ips) { @@ -98,9 +103,20 @@ class tripleo::profile::base::pacemaker ( $pacemaker_cluster_members = downcase(regsubst($pacemaker_short_node_names, ',', ' ', 'G')) $corosync_ipv6 = str2bool(hiera('corosync_ipv6', false)) if $corosync_ipv6 { - $cluster_setup_extras = { '--token' => hiera('corosync_token_timeout', 1000), '--ipv6' => '' } + $cluster_setup_extras_pre = { + '--token' => hiera('corosync_token_timeout', 1000), + '--ipv6' => '' + } + } else { + $cluster_setup_extras_pre = { + '--token' => hiera('corosync_token_timeout', 1000) + } + } + + if $encryption { + $cluster_setup_extras = merge($cluster_setup_extras_pre, {'--encryption' => '1'}) } else { - $cluster_setup_extras = { '--token' => hiera('corosync_token_timeout', 1000) } + $cluster_setup_extras = $cluster_setup_extras_pre } class { '::pacemaker': hacluster_pwd => hiera('hacluster_pwd'), diff --git a/manifests/profile/base/zaqar.pp b/manifests/profile/base/zaqar.pp index cd84d04..573984d 100644 --- a/manifests/profile/base/zaqar.pp +++ b/manifests/profile/base/zaqar.pp @@ -30,16 +30,40 @@ # (Optional) The messaging store for Zaqar. # Defaults to 'mongodb' # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*zaqar_api_network*] +# (Optional) The network name where the zaqar API endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('zaqar_api_network', undef) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. # Defaults to hiera('step') # class tripleo::profile::base::zaqar ( - $bootstrap_node = hiera('bootstrap_nodeid', undef), - $management_store = 'mongodb', - $messaging_store = 'mongodb', - $step = Integer(hiera('step')), + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $management_store = 'mongodb', + $messaging_store = 'mongodb', + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $zaqar_api_network = hiera('zaqar_api_network', undef), + $step = Integer(hiera('step')), ) { if $::hostname == downcase($bootstrap_node) { $is_bootstrap = true @@ -47,6 +71,17 @@ class tripleo::profile::base::zaqar ( $is_bootstrap = false } + if $enable_internal_tls { + if !$zaqar_api_network { + fail('zaqar_api_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${zaqar_api_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${zaqar_api_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + if $step >= 4 or ( $step >= 3 and $is_bootstrap ) { include ::zaqar @@ -92,7 +127,10 @@ class tripleo::profile::base::zaqar ( class { '::zaqar::server': service_name => 'httpd', # TODO cleanup when passed by t-h-t. } - include ::zaqar::wsgi::apache + class { '::zaqar::wsgi::apache': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, + } zaqar::server_instance{ '1': transport => 'websocket' } diff --git a/manifests/profile/pacemaker/clustercheck.pp b/manifests/profile/pacemaker/clustercheck.pp index 958f4a2..c08bafc 100644 --- a/manifests/profile/pacemaker/clustercheck.pp +++ b/manifests/profile/pacemaker/clustercheck.pp @@ -26,14 +26,19 @@ # (Optional) The address that the local mysql instance should bind to. # Defaults to hiera('mysql_bind_host') # +# [*clustercheck_user*] +# (Optional) The name of the clustercheck user. +# Defaults to 'clustercheck' +# # [*clustercheck_password*] # (Optional) The password for the clustercheck user. -# Defaults to hiera('mysql::server::root_password') +# Defaults to hiera('mysql_clustercheck_password') # # class tripleo::profile::pacemaker::clustercheck ( $step = Integer(hiera('step')), - $clustercheck_password = hiera('mysql::server::root_password'), + $clustercheck_user = 'clustercheck', + $clustercheck_password = hiera('mysql_clustercheck_password'), $bind_address = hiera('mysql_bind_host'), ) { @@ -43,7 +48,7 @@ class tripleo::profile::pacemaker::clustercheck ( mode => '0600', owner => 'mysql', group => 'mysql', - content => "MYSQL_USERNAME=root\n + content => "MYSQL_USERNAME=${clustercheck_user}\n MYSQL_PASSWORD='${clustercheck_password}'\n MYSQL_HOST=localhost\n", } diff --git a/manifests/profile/pacemaker/database/mysql_bundle.pp b/manifests/profile/pacemaker/database/mysql_bundle.pp index 21d671c..e07ac2e 100644 --- a/manifests/profile/pacemaker/database/mysql_bundle.pp +++ b/manifests/profile/pacemaker/database/mysql_bundle.pp @@ -34,6 +34,27 @@ # (Optional) The address that the local mysql instance should bind to. # Defaults to $::hostname # +# [*ca_file*] +# (Optional) The path to the CA file that will be used for the TLS +# configuration. It's only used if internal TLS is enabled. +# Defaults to undef +# +# [*certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate +# it will create. Note that the certificate nickname must be 'mysql' in +# the case of this service. +# Example with hiera: +# tripleo::profile::base::database::mysql::certificate_specs: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "mysql/<overcloud controller fqdn>" +# Defaults to hiera('tripleo::profile::base::database::mysql::certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# # [*gmcast_listen_addr*] # (Optional) This variable defines the address on which the node listens to # connections from other nodes in the cluster. @@ -50,13 +71,16 @@ # # class tripleo::profile::pacemaker::database::mysql_bundle ( - $mysql_docker_image = hiera('tripleo::profile::pacemaker::database::mysql_bundle::mysql_docker_image', undef), - $control_port = hiera('tripleo::profile::pacemaker::database::mysql_bundle::control_port', '3123'), - $bootstrap_node = hiera('mysql_short_bootstrap_node_name'), - $bind_address = $::hostname, - $gmcast_listen_addr = hiera('mysql_bind_host'), - $pcs_tries = hiera('pcs_tries', 20), - $step = Integer(hiera('step')), + $mysql_docker_image = hiera('tripleo::profile::pacemaker::database::mysql_bundle::mysql_docker_image', undef), + $control_port = hiera('tripleo::profile::pacemaker::database::mysql_bundle::control_port', '3123'), + $bootstrap_node = hiera('mysql_short_bootstrap_node_name'), + $bind_address = $::hostname, + $ca_file = undef, + $certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $gmcast_listen_addr = hiera('mysql_bind_host'), + $pcs_tries = hiera('pcs_tries', 20), + $step = Integer(hiera('step')), ) { if $::hostname == downcase($bootstrap_node) { $pacemaker_master = true @@ -64,16 +88,11 @@ class tripleo::profile::pacemaker::database::mysql_bundle ( $pacemaker_master = false } - # use only mysql_node_names when we land a patch in t-h-t that - # switches to autogenerating these values from composable services - # The galera node names need to match the pacemaker node names... so if we - # want to use FQDNs for this, the cluster will not finish bootstrapping, - # since all the nodes will be marked as slaves. For now, we'll stick to the - # short name which is already registered in pacemaker until we get around - # this issue. - $galera_node_names_lookup = hiera('mysql_short_node_names', hiera('mysql_node_names', $::hostname)) + $galera_node_names_lookup = hiera('mysql_short_node_names', $::hostname) + $galera_fqdns_names_lookup = hiera('mysql_node_names', $::hostname) + if is_array($galera_node_names_lookup) { - $galera_nodes = downcase(join($galera_node_names_lookup, ',')) + $galera_nodes = downcase(join($galera_fqdns_names_lookup, ',')) } else { $galera_nodes = downcase($galera_node_names_lookup) } @@ -87,6 +106,19 @@ class tripleo::profile::pacemaker::database::mysql_bundle ( } $cluster_host_map_string = join($host_map_array, ';') + if $enable_internal_tls { + $tls_certfile = $certificate_specs['service_certificate'] + $tls_keyfile = $certificate_specs['service_key'] + if $ca_file { + $tls_ca_options = "socket.ssl_ca=${ca_file}" + } else { + $tls_ca_options = '' + } + $tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options};" + } else { + $tls_options = '' + } + $mysqld_options = { 'mysqld' => { 'pid-file' => '/var/lib/mysql/mariadb.pid', @@ -116,7 +148,7 @@ class tripleo::profile::pacemaker::database::mysql_bundle ( 'wsrep_drupal_282555_workaround'=> '0', 'wsrep_causal_reads' => '0', 'wsrep_sst_method' => 'rsync', - 'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;", + 'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;${tls_options}", }, 'mysqld_safe' => { 'pid-file' => '/var/lib/mysql/mariadb.pid', @@ -195,6 +227,74 @@ MYSQL_HOST=localhost\n", } # lint:endignore } + + $storage_maps = { + 'mysql-cfg-files' => { + 'source-dir' => '/var/lib/kolla/config_files/mysql.json', + 'target-dir' => '/var/lib/kolla/config_files/config.json', + 'options' => 'ro', + }, + 'mysql-cfg-data' => { + 'source-dir' => '/var/lib/config-data/puppet-generated/mysql/', + 'target-dir' => '/var/lib/kolla/config_files/src', + 'options' => 'ro', + }, + 'mysql-hosts' => { + 'source-dir' => '/etc/hosts', + 'target-dir' => '/etc/hosts', + 'options' => 'ro', + }, + 'mysql-localtime' => { + 'source-dir' => '/etc/localtime', + 'target-dir' => '/etc/localtime', + 'options' => 'ro', + }, + 'mysql-lib' => { + 'source-dir' => '/var/lib/mysql', + 'target-dir' => '/var/lib/mysql', + 'options' => 'rw', + }, + 'mysql-log-mariadb' => { + 'source-dir' => '/var/log/mariadb', + 'target-dir' => '/var/log/mariadb', + 'options' => 'rw', + }, + 'mysql-dev-log' => { + 'source-dir' => '/dev/log', + 'target-dir' => '/dev/log', + 'options' => 'rw', + }, + } + + if $enable_internal_tls { + $mysql_storage_maps_tls = { + 'mysql-pki-gcomm-key' => { + 'source-dir' => '/etc/pki/tls/private/mysql.key', + 'target-dir' => '/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key', + 'options' => 'ro', + }, + 'mysql-pki-gcomm-cert' => { + 'source-dir' => '/etc/pki/tls/certs/mysql.crt', + 'target-dir' => '/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt', + 'options' => 'ro', + }, + } + if $ca_file { + $ca_storage_maps_tls = { + 'mysql-pki-gcomm-ca' => { + 'source-dir' => $ca_file, + 'target-dir' => "/var/lib/kolla/config_files/src-tls${ca_file}", + 'options' => 'ro', + }, + } + } else { + $ca_storage_maps_tls = {} + } + $storage_maps_tls = merge($mysql_storage_maps_tls, $ca_storage_maps_tls) + } else { + $storage_maps_tls = {} + } + pacemaker::resource::bundle { 'galera-bundle': image => $mysql_docker_image, replicas => $galera_nodes_count, @@ -208,63 +308,7 @@ MYSQL_HOST=localhost\n", options => '--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS', run_command => '/bin/bash /usr/local/bin/kolla_start', network => "control-port=${control_port}", - storage_maps => { - 'mysql-cfg-files' => { - 'source-dir' => '/var/lib/kolla/config_files/mysql.json', - 'target-dir' => '/var/lib/kolla/config_files/config.json', - 'options' => 'ro', - }, - 'mysql-cfg-data' => { - 'source-dir' => '/var/lib/config-data/puppet-generated/mysql/', - 'target-dir' => '/var/lib/kolla/config_files/src', - 'options' => 'ro', - }, - 'mysql-hosts' => { - 'source-dir' => '/etc/hosts', - 'target-dir' => '/etc/hosts', - 'options' => 'ro', - }, - 'mysql-localtime' => { - 'source-dir' => '/etc/localtime', - 'target-dir' => '/etc/localtime', - 'options' => 'ro', - }, - 'mysql-lib' => { - 'source-dir' => '/var/lib/mysql', - 'target-dir' => '/var/lib/mysql', - 'options' => 'rw', - }, - 'mysql-log-mariadb' => { - 'source-dir' => '/var/log/mariadb', - 'target-dir' => '/var/log/mariadb', - 'options' => 'rw', - }, - 'mysql-pki-extracted' => { - 'source-dir' => '/etc/pki/ca-trust/extracted', - 'target-dir' => '/etc/pki/ca-trust/extracted', - 'options' => 'ro', - }, - 'mysql-pki-ca-bundle-crt' => { - 'source-dir' => '/etc/pki/tls/certs/ca-bundle.crt', - 'target-dir' => '/etc/pki/tls/certs/ca-bundle.crt', - 'options' => 'ro', - }, - 'mysql-pki-ca-bundle-trust-crt' => { - 'source-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt', - 'target-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt', - 'options' => 'ro', - }, - 'mysql-pki-cert' => { - 'source-dir' => '/etc/pki/tls/cert.pem', - 'target-dir' => '/etc/pki/tls/cert.pem', - 'options' => 'ro', - }, - 'mysql-dev-log' => { - 'source-dir' => '/dev/log', - 'target-dir' => '/dev/log', - 'options' => 'rw', - }, - }, + storage_maps => merge($storage_maps, $storage_maps_tls), } pacemaker::resource::ocf { 'galera': diff --git a/manifests/profile/pacemaker/haproxy.pp b/manifests/profile/pacemaker/haproxy.pp index 7331071..5198243 100644 --- a/manifests/profile/pacemaker/haproxy.pp +++ b/manifests/profile/pacemaker/haproxy.pp @@ -26,6 +26,11 @@ # (Optional) Whether load balancing is enabled for this cluster # Defaults to hiera('enable_load_balancer', true) # +# [*manage_firewall*] +# (optional) Enable or disable firewall settings for ports exposed by HAProxy +# (false means disabled, and true means enabled) +# Defaults to hiera('tripleo::firewall::manage_firewall', true) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -38,10 +43,13 @@ class tripleo::profile::pacemaker::haproxy ( $bootstrap_node = hiera('haproxy_short_bootstrap_node_name'), $enable_load_balancer = hiera('enable_load_balancer', true), + $manage_firewall = hiera('tripleo::firewall::manage_firewall', true), $step = Integer(hiera('step')), $pcs_tries = hiera('pcs_tries', 20), ) { - include ::tripleo::profile::base::haproxy + class {'::tripleo::profile::base::haproxy': + manage_firewall => $manage_firewall, + } if $::hostname == downcase($bootstrap_node) { $pacemaker_master = true diff --git a/manifests/profile/pacemaker/manila.pp b/manifests/profile/pacemaker/manila.pp index c22a033..25d389a 100644 --- a/manifests/profile/pacemaker/manila.pp +++ b/manifests/profile/pacemaker/manila.pp @@ -134,17 +134,19 @@ class tripleo::profile::pacemaker::manila ( cephfs_enable_snapshots => hiera('manila::backend::cephfsnative::cephfs_enable_snapshots'), } - ceph::key { "client.${cephfs_auth_id}" : - secret => hiera('manila::backend::cephfsnative::ceph_client_key'), - keyring_path => $keyring_path, - # inject the new key into ceph cluster only if ceph is deployed by - # tripleo (if external ceph is used it should be added manually) - inject => $ceph_mds_enabled, - user => 'manila', - cap_mds => 'allow *', - cap_mon => 'allow r, allow command \"auth del\", allow command \"auth caps\", \ + if !defined(Resource['ceph::key', "client.${cephfs_auth_id}"]) { + ceph::key { "client.${cephfs_auth_id}" : + secret => hiera('manila::backend::cephfsnative::ceph_client_key'), + keyring_path => $keyring_path, + # inject the new key into ceph cluster only if ceph is deployed by + # tripleo (if external ceph is used it should be added manually) + inject => $ceph_mds_enabled, + user => 'manila', + cap_mds => 'allow *', + cap_mon => 'allow r, allow command \"auth del\", allow command \"auth caps\", \ allow command \"auth get\", allow command \"auth get-or-create\"', - cap_osd => 'allow rw' + cap_osd => 'allow rw' + } } ceph_config { diff --git a/manifests/profile/pacemaker/rabbitmq_bundle.pp b/manifests/profile/pacemaker/rabbitmq_bundle.pp index 5dd22d2..4d6b9af 100644 --- a/manifests/profile/pacemaker/rabbitmq_bundle.pp +++ b/manifests/profile/pacemaker/rabbitmq_bundle.pp @@ -44,6 +44,10 @@ # (Optional) The list of rabbitmq nodes names # Defaults to hiera('rabbitmq_node_names') # +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -60,6 +64,7 @@ class tripleo::profile::pacemaker::rabbitmq_bundle ( $erlang_cookie = hiera('rabbitmq::erlang_cookie'), $user_ha_queues = hiera('rabbitmq::nr_ha_queues', 0), $rabbit_nodes = hiera('rabbitmq_node_names'), + $enable_internal_tls = hiera('enable_internal_tls', false), $pcs_tries = hiera('pcs_tries', 20), $step = Integer(hiera('step')), ) { @@ -102,6 +107,76 @@ class tripleo::profile::pacemaker::rabbitmq_bundle ( } } + $storage_maps = { + 'rabbitmq-cfg-files' => { + 'source-dir' => '/var/lib/kolla/config_files/rabbitmq.json', + 'target-dir' => '/var/lib/kolla/config_files/config.json', + 'options' => 'ro', + }, + 'rabbitmq-cfg-data' => { + 'source-dir' => '/var/lib/config-data/puppet-generated/rabbitmq/', + 'target-dir' => '/var/lib/kolla/config_files/src', + 'options' => 'ro', + }, + 'rabbitmq-hosts' => { + 'source-dir' => '/etc/hosts', + 'target-dir' => '/etc/hosts', + 'options' => 'ro', + }, + 'rabbitmq-localtime' => { + 'source-dir' => '/etc/localtime', + 'target-dir' => '/etc/localtime', + 'options' => 'ro', + }, + 'rabbitmq-lib' => { + 'source-dir' => '/var/lib/rabbitmq', + 'target-dir' => '/var/lib/rabbitmq', + 'options' => 'rw', + }, + 'rabbitmq-pki-extracted' => { + 'source-dir' => '/etc/pki/ca-trust/extracted', + 'target-dir' => '/etc/pki/ca-trust/extracted', + 'options' => 'ro', + }, + 'rabbitmq-pki-ca-bundle-crt' => { + 'source-dir' => '/etc/pki/tls/certs/ca-bundle.crt', + 'target-dir' => '/etc/pki/tls/certs/ca-bundle.crt', + 'options' => 'ro', + }, + 'rabbitmq-pki-ca-bundle-trust-crt' => { + 'source-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt', + 'target-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt', + 'options' => 'ro', + }, + 'rabbitmq-pki-cert' => { + 'source-dir' => '/etc/pki/tls/cert.pem', + 'target-dir' => '/etc/pki/tls/cert.pem', + 'options' => 'ro', + }, + 'rabbitmq-dev-log' => { + 'source-dir' => '/dev/log', + 'target-dir' => '/dev/log', + 'options' => 'rw', + }, + } + + if $enable_internal_tls { + $storage_maps_tls = { + 'rabbitmq-pki-cert' => { + 'source-dir' => '/etc/pki/tls/certs/rabbitmq.crt', + 'target-dir' => '/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt', + 'options' => 'ro', + }, + 'rabbitmq-pki-key' => { + 'source-dir' => '/etc/pki/tls/private/rabbitmq.key', + 'target-dir' => '/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key', + 'options' => 'ro', + }, + } + } else { + $storage_maps_tls = {} + } + pacemaker::resource::bundle { 'rabbitmq-bundle': image => $rabbitmq_docker_image, replicas => $rabbitmq_nodes_count, @@ -114,58 +189,7 @@ class tripleo::profile::pacemaker::rabbitmq_bundle ( options => '--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS', run_command => '/bin/bash /usr/local/bin/kolla_start', network => "control-port=${rabbitmq_docker_control_port}", - storage_maps => { - 'rabbitmq-cfg-files' => { - 'source-dir' => '/var/lib/kolla/config_files/rabbitmq.json', - 'target-dir' => '/var/lib/kolla/config_files/config.json', - 'options' => 'ro', - }, - 'rabbitmq-cfg-data' => { - 'source-dir' => '/var/lib/config-data/puppet-generated/rabbitmq/', - 'target-dir' => '/var/lib/kolla/config_files/src', - 'options' => 'ro', - }, - 'rabbitmq-hosts' => { - 'source-dir' => '/etc/hosts', - 'target-dir' => '/etc/hosts', - 'options' => 'ro', - }, - 'rabbitmq-localtime' => { - 'source-dir' => '/etc/localtime', - 'target-dir' => '/etc/localtime', - 'options' => 'ro', - }, - 'rabbitmq-lib' => { - 'source-dir' => '/var/lib/rabbitmq', - 'target-dir' => '/var/lib/rabbitmq', - 'options' => 'rw', - }, - 'rabbitmq-pki-extracted' => { - 'source-dir' => '/etc/pki/ca-trust/extracted', - 'target-dir' => '/etc/pki/ca-trust/extracted', - 'options' => 'ro', - }, - 'rabbitmq-pki-ca-bundle-crt' => { - 'source-dir' => '/etc/pki/tls/certs/ca-bundle.crt', - 'target-dir' => '/etc/pki/tls/certs/ca-bundle.crt', - 'options' => 'ro', - }, - 'rabbitmq-pki-ca-bundle-trust-crt' => { - 'source-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt', - 'target-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt', - 'options' => 'ro', - }, - 'rabbitmq-pki-cert' => { - 'source-dir' => '/etc/pki/tls/cert.pem', - 'target-dir' => '/etc/pki/tls/cert.pem', - 'options' => 'ro', - }, - 'rabbitmq-dev-log' => { - 'source-dir' => '/dev/log', - 'target-dir' => '/dev/log', - 'options' => 'rw', - }, - }, + storage_maps => merge($storage_maps, $storage_maps_tls), } # The default nr of ha queues is ceiling(N/2) |