aboutsummaryrefslogtreecommitdiffstats
path: root/manifests/profile
diff options
context:
space:
mode:
Diffstat (limited to 'manifests/profile')
-rw-r--r--manifests/profile/base/etcd.pp7
-rw-r--r--manifests/profile/base/ironic/conductor.pp1
-rw-r--r--manifests/profile/base/keystone.pp16
-rw-r--r--manifests/profile/base/logging/fluentd.pp160
-rw-r--r--manifests/profile/base/neutron/agents/bagpipe.pp37
-rw-r--r--manifests/profile/base/neutron/agents/l2gw.pp35
-rw-r--r--manifests/profile/base/neutron/sriov.pp2
-rw-r--r--manifests/profile/base/nova.pp87
-rw-r--r--manifests/profile/base/sshd.pp56
-rw-r--r--manifests/profile/base/swift/proxy.pp58
10 files changed, 327 insertions, 132 deletions
diff --git a/manifests/profile/base/etcd.pp b/manifests/profile/base/etcd.pp
index 505e29f..fc4771f 100644
--- a/manifests/profile/base/etcd.pp
+++ b/manifests/profile/base/etcd.pp
@@ -47,19 +47,12 @@ class tripleo::profile::base::etcd (
$step = hiera('step'),
) {
if $step >= 1 {
- if count($nodes) > 1 {
- $cluster_enabled = true
- } else {
- $cluster_enabled = false
- }
-
class {'::etcd':
listen_client_urls => "http://${bind_ip}:${client_port}",
advertise_client_urls => "http://${bind_ip}:${client_port}",
listen_peer_urls => "http://${bind_ip}:${peer_port}",
initial_advertise_peer_urls => "http://${bind_ip}:${peer_port}",
initial_cluster => regsubst($nodes, '.+', "\\0=http://\\0:${peer_port}"),
- cluster_enabled => $cluster_enabled,
proxy => 'off',
}
}
diff --git a/manifests/profile/base/ironic/conductor.pp b/manifests/profile/base/ironic/conductor.pp
index 7f90da9..cb0524b 100644
--- a/manifests/profile/base/ironic/conductor.pp
+++ b/manifests/profile/base/ironic/conductor.pp
@@ -34,6 +34,7 @@ class tripleo::profile::base::ironic::conductor (
if $step >= 4 {
include ::ironic::conductor
+ include ::ironic::drivers::interfaces
include ::ironic::drivers::pxe
if $manage_pxe {
include ::ironic::pxe
diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index bb3f387..5909337 100644
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@@ -59,6 +59,15 @@
# heat admin user name
# Defaults to undef
#
+# [*ldap_backends_config*]
+# Configuration for keystone::ldap_backend. This takes a hash that will
+# create each backend specified.
+# Defaults to undef
+#
+# [*ldap_backend_enable*]
+# Enables creating per-domain LDAP backends for keystone.
+# Default to false
+#
# [*manage_db_purge*]
# (Optional) Whether keystone token flushing should be enabled
# Defaults to hiera('keystone_enable_db_purge', true)
@@ -126,6 +135,8 @@ class tripleo::profile::base::keystone (
$heat_admin_email = undef,
$heat_admin_password = undef,
$heat_admin_user = undef,
+ $ldap_backends_config = undef,
+ $ldap_backend_enable = false,
$manage_db_purge = hiera('keystone_enable_db_purge', true),
$public_endpoint_network = hiera('keystone_public_api_network', undef),
$oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'),
@@ -207,6 +218,11 @@ class tripleo::profile::base::keystone (
ssl_key_admin => $tls_keyfile_admin,
}
include ::keystone::cors
+
+ if $ldap_backend_enable {
+ validate_hash($ldap_backends_config)
+ create_resources('::keystone::ldap_backend', $ldap_backends_config)
+ }
}
if $step >= 4 and $manage_db_purge {
diff --git a/manifests/profile/base/logging/fluentd.pp b/manifests/profile/base/logging/fluentd.pp
index 9e1aa8d..fc996e9 100644
--- a/manifests/profile/base/logging/fluentd.pp
+++ b/manifests/profile/base/logging/fluentd.pp
@@ -71,105 +71,109 @@ class tripleo::profile::base::logging::fluentd (
$fluentd_listen_syslog = true,
$fluentd_syslog_port = 42185
) {
- include ::fluentd
- if $fluentd_groups {
- user { $::fluentd::config_owner:
- ensure => present,
- groups => $fluentd_groups,
- membership => 'minimum',
+ if $step >= 4 {
+ include ::fluentd
+
+ if $fluentd_groups {
+ Package<| tag == 'openstack' |> ->
+ user { $::fluentd::config_owner:
+ ensure => present,
+ groups => $fluentd_groups,
+ membership => 'minimum',
+ }
}
- }
- if $fluentd_pos_file_path {
- file { $fluentd_pos_file_path:
- ensure => 'directory',
- owner => $::fluentd::config_owner,
- group => $::fluentd::config_group,
- mode => '0750',
+ if $fluentd_pos_file_path {
+ file { $fluentd_pos_file_path:
+ ensure => 'directory',
+ owner => $::fluentd::config_owner,
+ group => $::fluentd::config_group,
+ mode => '0750',
+ }
}
- }
- ::fluentd::plugin { 'rubygem-fluent-plugin-add':
- plugin_provider => 'yum',
- }
+ ::fluentd::plugin { 'rubygem-fluent-plugin-add':
+ plugin_provider => 'yum',
+ }
- if $fluentd_sources {
- ::fluentd::config { '100-openstack-sources.conf':
- config => {
- 'source' => $fluentd_sources,
+ if $fluentd_sources {
+ ::fluentd::config { '100-openstack-sources.conf':
+ config => {
+ 'source' => $fluentd_sources,
+ }
}
}
- }
- if $fluentd_listen_syslog {
- # fluentd will receive syslog messages by listening on a local udp
- # socket.
- ::fluentd::config { '110-system-sources.conf':
- config => {
- 'source' => {
- 'type' => 'syslog',
- 'tag' => 'system.messages',
- 'port' => $fluentd_syslog_port,
+ if $fluentd_listen_syslog {
+ # fluentd will receive syslog messages by listening on a local udp
+ # socket.
+ ::fluentd::config { '110-system-sources.conf':
+ config => {
+ 'source' => {
+ 'type' => 'syslog',
+ 'tag' => 'system.messages',
+ 'port' => $fluentd_syslog_port,
+ }
}
}
- }
- file { '/etc/rsyslog.d/fluentd.conf':
- content => "*.* @127.0.0.1:${fluentd_syslog_port}",
- owner => 'root',
- group => 'root',
- mode => '0644',
- } ~> exec { 'reload rsyslog':
- command => '/bin/systemctl restart rsyslog',
+ file { '/etc/rsyslog.d/fluentd.conf':
+ content => "*.* @127.0.0.1:${fluentd_syslog_port}",
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ } ~> exec { 'reload rsyslog':
+ command => '/bin/systemctl restart rsyslog',
+ }
}
- }
- if $fluentd_filters {
- ::fluentd::config { '200-openstack-filters.conf':
- config => {
- 'filter' => $fluentd_filters,
+ if $fluentd_filters {
+ ::fluentd::config { '200-openstack-filters.conf':
+ config => {
+ 'filter' => $fluentd_filters,
+ }
}
}
- }
- if $fluentd_servers and !empty($fluentd_servers) {
- if $fluentd_use_ssl {
- ::fluentd::plugin { 'rubygem-fluent-plugin-secure-forward':
- plugin_provider => 'yum',
- }
+ if $fluentd_servers and !empty($fluentd_servers) {
+ if $fluentd_use_ssl {
+ ::fluentd::plugin { 'rubygem-fluent-plugin-secure-forward':
+ plugin_provider => 'yum',
+ }
- file {'/etc/fluentd/ca_cert.pem':
- content => $fluentd_ssl_certificate,
- owner => $::fluentd::config_owner,
- group => $::fluentd::config_group,
- mode => '0444',
- }
+ file {'/etc/fluentd/ca_cert.pem':
+ content => $fluentd_ssl_certificate,
+ owner => $::fluentd::config_owner,
+ group => $::fluentd::config_group,
+ mode => '0444',
+ }
- ::fluentd::config { '300-openstack-matches.conf':
- config => {
- 'match' => {
- # lint:ignore:single_quote_string_with_variables
- # lint:ignore:quoted_booleans
- 'type' => 'secure_forward',
- 'tag_pattern' => '**',
- 'self_hostname' => '${hostname}',
- 'secure' => 'true',
- 'ca_cert_path' => '/etc/fluentd/ca_cert.pem',
- 'shared_key' => $fluentd_shared_key,
- 'server' => $fluentd_servers,
- # lint:endignore
- # lint:endignore
+ ::fluentd::config { '300-openstack-matches.conf':
+ config => {
+ 'match' => {
+ # lint:ignore:single_quote_string_with_variables
+ # lint:ignore:quoted_booleans
+ 'type' => 'secure_forward',
+ 'tag_pattern' => '**',
+ 'self_hostname' => '${hostname}',
+ 'secure' => 'true',
+ 'ca_cert_path' => '/etc/fluentd/ca_cert.pem',
+ 'shared_key' => $fluentd_shared_key,
+ 'server' => $fluentd_servers,
+ # lint:endignore
+ # lint:endignore
+ }
}
}
- }
- } else {
- ::fluentd::config { '300-openstack-matches.conf':
- config => {
- 'match' => {
- 'type' => 'forward',
- 'tag_pattern' => '**',
- 'server' => $fluentd_servers,
+ } else {
+ ::fluentd::config { '300-openstack-matches.conf':
+ config => {
+ 'match' => {
+ 'type' => 'forward',
+ 'tag_pattern' => '**',
+ 'server' => $fluentd_servers,
+ }
}
}
}
diff --git a/manifests/profile/base/neutron/agents/bagpipe.pp b/manifests/profile/base/neutron/agents/bagpipe.pp
new file mode 100644
index 0000000..fb5e000
--- /dev/null
+++ b/manifests/profile/base/neutron/agents/bagpipe.pp
@@ -0,0 +1,37 @@
+#
+# Copyright (C) 2017 Red Hat Inc.
+#
+# Author: Ricardo Noriega <rnoriega@redhat.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::neutron::agents::bagpipe
+#
+# Neutron Bagpipe Agent profile for TripleO
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+class tripleo::profile::base::neutron::agents::bagpipe (
+ $step = hiera('step'),
+) {
+ include ::tripleo::profile::base::neutron
+
+ if $step >= 4 {
+ include ::neutron::agents::bagpipe
+ }
+}
diff --git a/manifests/profile/base/neutron/agents/l2gw.pp b/manifests/profile/base/neutron/agents/l2gw.pp
new file mode 100644
index 0000000..10cd662
--- /dev/null
+++ b/manifests/profile/base/neutron/agents/l2gw.pp
@@ -0,0 +1,35 @@
+#
+# Copyright (C) 2017 Red Hat Inc.
+#
+# Author: Peng Liu <pliu@redhat.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::neutron::agent::l2gw
+#
+# Neutron L2 Gateway agent profile for TripleO
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+class tripleo::profile::base::neutron::agents::l2gw (
+ $step = hiera('step'),
+) {
+ if $step >= 4 {
+ include ::neutron::agents::l2gw
+ }
+}
diff --git a/manifests/profile/base/neutron/sriov.pp b/manifests/profile/base/neutron/sriov.pp
index 00ecc21..24c7b63 100644
--- a/manifests/profile/base/neutron/sriov.pp
+++ b/manifests/profile/base/neutron/sriov.pp
@@ -33,6 +33,8 @@ class tripleo::profile::base::neutron::sriov(
$mechanism_drivers = hiera('neutron::plugins::ml2::mechanism_drivers'),
) {
+ include ::tripleo::profile::base::neutron
+
if $step >= 4 {
if 'sriovnicswitch' in $mechanism_drivers {
include ::neutron::agents::ml2::sriov
diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp
index 36425f6..ab9b615 100644
--- a/manifests/profile/base/nova.pp
+++ b/manifests/profile/base/nova.pp
@@ -82,6 +82,15 @@
# (Optional) The current step of the deployment
# Defaults to hiera('step')
#
+# [*migration_ssh_key*]
+# (Optional) SSH key pair for migration SSH tunnel.
+# Expects a hash with keys 'private_key' and 'public_key'.
+# Defaults to {}
+#
+# [*libvirt_tls*]
+# (Optional) Whether or not libvird TLS service is enabled.
+# Defaults to false
+
class tripleo::profile::base::nova (
$bootstrap_node = hiera('bootstrap_nodeid', undef),
$libvirt_enabled = false,
@@ -99,6 +108,8 @@ class tripleo::profile::base::nova (
$oslomsg_use_ssl = hiera('nova::rabbit_use_ssl', '0'),
$nova_compute_enabled = false,
$step = hiera('step'),
+ $migration_ssh_key = {},
+ $libvirt_tls = false
) {
if $::hostname == downcase($bootstrap_node) {
$sync_db = true
@@ -114,7 +125,62 @@ class tripleo::profile::base::nova (
if $step >= 4 or ($step >= 3 and $sync_db) {
$oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl)))
- class { '::nova' :
+ include ::nova::config
+ class { '::nova::cache':
+ enabled => true,
+ backend => 'oslo_cache.memcache_pool',
+ memcache_servers => $memcache_servers,
+ }
+ include ::nova::placement
+
+ if $step >= 4 and $manage_migration {
+
+ # Libvirt setup (live-migration)
+ if $libvirt_tls {
+ class { '::nova::migration::libvirt':
+ transport => 'tls',
+ configure_libvirt => $libvirt_enabled,
+ configure_nova => $nova_compute_enabled,
+ }
+ } else {
+ # Reuse the cold-migration SSH tunnel when TLS is not enabled
+ class { '::nova::migration::libvirt':
+ transport => 'ssh',
+ configure_libvirt => $libvirt_enabled,
+ configure_nova => $nova_compute_enabled,
+ client_user => 'nova',
+ client_extraparams => {'keyfile' => '/var/lib/nova/.ssh/id_rsa'}
+ }
+ }
+
+ if $migration_ssh_key != {} {
+ # Nova SSH tunnel setup (cold-migration)
+
+ #TODO: Remove me when https://review.rdoproject.org/r/#/c/4008 lands
+ user { 'nova':
+ ensure => present,
+ shell => '/bin/bash',
+ }
+
+ $private_key_parts = split($migration_ssh_key['public_key'], ' ')
+ $nova_public_key = {
+ type => $private_key_parts[0],
+ key => $private_key_parts[1]
+ }
+ $nova_private_key = {
+ type => $private_key_parts[0],
+ key => $migration_ssh_key['private_key']
+ }
+ } else {
+ $nova_public_key = undef
+ $nova_private_key = undef
+ }
+ } else {
+ $nova_public_key = undef
+ $nova_private_key = undef
+ }
+
+ class { '::nova':
default_transport_url => os_transport_url({
'transport' => $oslomsg_rpc_proto,
'hosts' => $oslomsg_rpc_hosts,
@@ -131,23 +197,8 @@ class tripleo::profile::base::nova (
'password' => $oslomsg_notify_password,
'ssl' => $oslomsg_use_ssl_real,
}),
+ nova_public_key => $nova_public_key,
+ nova_private_key => $nova_private_key,
}
- include ::nova::config
- class { '::nova::cache':
- enabled => true,
- backend => 'oslo_cache.memcache_pool',
- memcache_servers => $memcache_servers,
- }
- include ::nova::placement
}
-
- if $step >= 4 {
- if $manage_migration {
- class { '::nova::migration::libvirt':
- configure_libvirt => $libvirt_enabled,
- configure_nova => $nova_compute_enabled,
- }
- }
- }
-
}
diff --git a/manifests/profile/base/sshd.pp b/manifests/profile/base/sshd.pp
index e7916c1..f43089c 100644
--- a/manifests/profile/base/sshd.pp
+++ b/manifests/profile/base/sshd.pp
@@ -15,47 +15,45 @@
#
# == Class: tripleo::profile::base::sshd
#
-# SSH profile for tripleo
+# SSH composable service for TripleO
#
# === Parameters
#
# [*bannertext*]
-# The text used within SSH Banner
+# The text used within /etc/issue and /etc/issue.net
# Defaults to hiera('BannerText')
#
+# [*motd*]
+# The text used within SSH Banner
+# Defaults to hiera('MOTD')
+#
class tripleo::profile::base::sshd (
$bannertext = hiera('BannerText', undef),
+ $motd = hiera('MOTD', undef),
) {
- if $bannertext {
- $action = 'set'
- } else {
- $action = 'rm'
- }
-
- package {'openssh-server':
- ensure => installed,
- }
+ include ::ssh
- augeas { 'sshd_config_banner':
- context => '/files/etc/ssh/sshd_config',
- changes => [ "${action} Banner /etc/issue" ],
- notify => Service['sshd']
- }
-
- file { '/etc/issue':
- ensure => file,
- backup => false,
- content => $bannertext,
- owner => 'root',
- group => 'root',
- mode => '0600'
+ if $bannertext {
+ $filelist = [ '/etc/issue', '/etc/issue.net', ]
+ file { $filelist:
+ ensure => file,
+ backup => false,
+ content => $bannertext,
+ owner => 'root',
+ group => 'root',
+ mode => '0644'
+ }
}
- service { 'sshd':
- ensure => 'running',
- enable => true,
- hasstatus => false,
- require => Package['openssh-server'],
+ if $motd {
+ file { '/etc/motd':
+ ensure => file,
+ backup => false,
+ content => $motd,
+ owner => 'root',
+ group => 'root',
+ mode => '0644'
+ }
}
}
diff --git a/manifests/profile/base/swift/proxy.pp b/manifests/profile/base/swift/proxy.pp
index 0d9ba68..e80c8c9 100644
--- a/manifests/profile/base/swift/proxy.pp
+++ b/manifests/profile/base/swift/proxy.pp
@@ -46,6 +46,22 @@
# Username for messaging nova queue
# Defaults to hiera('swift::proxy::ceilometer::rabbit_user', 'guest')
#
+# [*certificates_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Example with hiera:
+# apache_certificates_specs:
+# httpd-internal_api:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "haproxy/<overcloud controller fqdn>"
+# Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
# [*memcache_port*]
# (Optional) memcache port
# Defaults to 11211
@@ -59,6 +75,26 @@
# for more details.
# Defaults to hiera('step')
#
+# [*swift_proxy_network*]
+# (Optional) The network name where the swift proxy endpoint is listening on.
+# This is set by t-h-t.
+# Defaults to hiera('swift_proxy_network', undef)
+#
+# [*tls_proxy_bind_ip*]
+# IP on which the TLS proxy will listen on. Required only if
+# enable_internal_tls is set.
+# Defaults to undef
+#
+# [*tls_proxy_fqdn*]
+# fqdn on which the tls proxy will listen on. required only used if
+# enable_internal_tls is set.
+# defaults to undef
+#
+# [*tls_proxy_port*]
+# port on which the tls proxy will listen on. Only used if
+# enable_internal_tls is set.
+# defaults to 8080
+#
class tripleo::profile::base::swift::proxy (
$ceilometer_enabled = true,
$ceilometer_messaging_driver = hiera('messaging_notify_service_name', 'rabbit'),
@@ -67,11 +103,33 @@ class tripleo::profile::base::swift::proxy (
$ceilometer_messaging_port = hiera('tripleo::profile::base::swift::proxy::rabbit_port', '5672'),
$ceilometer_messaging_use_ssl = '0',
$ceilometer_messaging_username = hiera('swift::proxy::ceilometer::rabbit_user', 'guest'),
+ $certificates_specs = hiera('apache_certificates_specs', {}),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
$memcache_port = 11211,
$memcache_servers = hiera('memcached_node_ips'),
$step = hiera('step'),
+ $swift_proxy_network = hiera('swift_proxy_network', undef),
+ $tls_proxy_bind_ip = undef,
+ $tls_proxy_fqdn = undef,
+ $tls_proxy_port = 8080,
) {
if $step >= 4 {
+ if $enable_internal_tls {
+ if !$swift_proxy_network {
+ fail('swift_proxy_network is not set in the hieradata.')
+ }
+ $tls_certfile = $certificates_specs["httpd-${swift_proxy_network}"]['service_certificate']
+ $tls_keyfile = $certificates_specs["httpd-${swift_proxy_network}"]['service_key']
+
+ ::tripleo::tls_proxy { 'swift-proxy-api':
+ servername => $tls_proxy_fqdn,
+ ip => $tls_proxy_bind_ip,
+ port => $tls_proxy_port,
+ tls_cert => $tls_certfile,
+ tls_key => $tls_keyfile,
+ notify => Class['::neutron::server'],
+ }
+ }
$swift_memcache_servers = suffix(any2array(normalize_ip_for_uri($memcache_servers)), ":${memcache_port}")
include ::swift::config
include ::swift::proxy