summaryrefslogtreecommitdiffstats
path: root/manifests
diff options
context:
space:
mode:
Diffstat (limited to 'manifests')
-rw-r--r--manifests/certmonger/apache_dirs.pp55
-rw-r--r--manifests/certmonger/ca/libvirt.pp42
-rw-r--r--manifests/certmonger/etcd.pp73
-rw-r--r--manifests/certmonger/haproxy.pp14
-rw-r--r--manifests/certmonger/httpd.pp15
-rw-r--r--manifests/certmonger/libvirt.pp78
-rw-r--r--manifests/certmonger/libvirt_dirs.pp60
-rw-r--r--manifests/haproxy.pp193
-rw-r--r--manifests/keepalived.pp37
-rw-r--r--manifests/profile/base/aodh/api.pp1
-rw-r--r--manifests/profile/base/barbican/api.pp1
-rw-r--r--manifests/profile/base/ceilometer.pp18
-rw-r--r--manifests/profile/base/ceilometer/api.pp3
-rw-r--r--manifests/profile/base/ceilometer/collector.pp9
-rw-r--r--manifests/profile/base/certmonger_user.pp22
-rw-r--r--manifests/profile/base/cinder/api.pp1
-rw-r--r--manifests/profile/base/cinder/volume.pp13
-rw-r--r--manifests/profile/base/cinder/volume/dellsc.pp23
-rw-r--r--manifests/profile/base/cinder/volume/pure.pp65
-rw-r--r--manifests/profile/base/database/mysql/client.pp1
-rw-r--r--manifests/profile/base/docker.pp32
-rw-r--r--manifests/profile/base/docker_registry.pp24
-rw-r--r--manifests/profile/base/etcd.pp59
-rw-r--r--manifests/profile/base/gnocchi/api.pp17
-rw-r--r--manifests/profile/base/heat/api.pp1
-rw-r--r--manifests/profile/base/heat/api_cfn.pp1
-rw-r--r--manifests/profile/base/heat/api_cloudwatch.pp1
-rw-r--r--manifests/profile/base/ironic/conductor.pp7
-rw-r--r--manifests/profile/base/keystone.pp24
-rw-r--r--manifests/profile/base/neutron/agents/bagpipe.pp37
-rw-r--r--manifests/profile/base/neutron/agents/bigswitch.pp31
-rw-r--r--manifests/profile/base/neutron/agents/vpp.pp49
-rw-r--r--manifests/profile/base/neutron/linuxbridge.pp20
-rw-r--r--manifests/profile/base/neutron/plugins/ml2.pp4
-rw-r--r--manifests/profile/base/neutron/plugins/ml2/bagpipe.pp37
-rw-r--r--manifests/profile/base/neutron/plugins/ml2/vpp.pp49
-rw-r--r--manifests/profile/base/neutron/plugins/nsx_v3.pp45
-rw-r--r--manifests/profile/base/nova/api.pp1
-rw-r--r--manifests/profile/base/nova/placement.pp1
-rw-r--r--manifests/profile/base/pacemaker.pp25
-rw-r--r--manifests/profile/base/panko/api.pp1
-rw-r--r--manifests/profile/base/rabbitmq.pp2
-rw-r--r--manifests/profile/base/sshd.pp34
-rw-r--r--manifests/profile/base/swift/proxy.pp2
-rw-r--r--manifests/profile/base/swift/ringbuilder.pp36
-rw-r--r--manifests/profile/base/zaqar.pp8
-rw-r--r--manifests/profile/pacemaker/database/mysql.pp5
-rw-r--r--manifests/profile/pacemaker/rabbitmq.pp8
-rw-r--r--manifests/tls_proxy.pp1
-rw-r--r--manifests/ui.pp4
50 files changed, 1108 insertions, 182 deletions
diff --git a/manifests/certmonger/apache_dirs.pp b/manifests/certmonger/apache_dirs.pp
new file mode 100644
index 0000000..2588e46
--- /dev/null
+++ b/manifests/certmonger/apache_dirs.pp
@@ -0,0 +1,55 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# : = Class: tripleo::certmonger::apache_dirs
+#
+# Creates the necessary directories for apache's certificates and keys in the
+# assigned locations if specified. It also assigns the correct SELinux tags.
+#
+# === Parameters:
+#
+# [*certificate_dir*]
+# (Optional) Directory where apache's certificates will be stored. If left
+# unspecified, it won't be created.
+# Defaults to undef
+#
+# [*key_dir*]
+# (Optional) Directory where apache's keys will be stored.
+# Defaults to undef
+#
+class tripleo::certmonger::apache_dirs(
+ $certificate_dir = undef,
+ $key_dir = undef,
+){
+
+ if $certificate_dir {
+ file { $certificate_dir :
+ ensure => 'directory',
+ selrole => 'object_r',
+ seltype => 'cert_t',
+ seluser => 'system_u',
+ }
+ File[$certificate_dir] ~> Certmonger_certificate<| tag == 'apache-cert' |>
+ }
+
+ if $key_dir {
+ file { $key_dir :
+ ensure => 'directory',
+ selrole => 'object_r',
+ seltype => 'cert_t',
+ seluser => 'system_u',
+ }
+ File[$key_dir] ~> Certmonger_certificate<| tag == 'apache-cert' |>
+ }
+}
diff --git a/manifests/certmonger/ca/libvirt.pp b/manifests/certmonger/ca/libvirt.pp
new file mode 100644
index 0000000..9fa9e74
--- /dev/null
+++ b/manifests/certmonger/ca/libvirt.pp
@@ -0,0 +1,42 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::ca::libvirt
+#
+# Sets the necessary file that will be used by both libvirt servers and
+# clients.
+#
+# === Parameters:
+#
+# [*origin_ca_pem*]
+# (Optional) Path to the CA certificate that libvirt will use. This is not
+# assumed automatically or uses the system CA bundle as is the case of other
+# services because a limitation with the file sizes in GNU TLS, which libvirt
+# uses as a TLS backend.
+# Defaults to undef
+#
+class tripleo::certmonger::ca::libvirt(
+ $origin_ca_pem = undef
+){
+ if $origin_ca_pem {
+ $ensure_file = 'link'
+ } else {
+ $ensure_file = 'absent'
+ }
+ file { '/etc/pki/CA/cacert.pem':
+ ensure => $ensure_file,
+ mode => '0644',
+ target => $origin_ca_pem,
+ }
+}
diff --git a/manifests/certmonger/etcd.pp b/manifests/certmonger/etcd.pp
new file mode 100644
index 0000000..0bddfb4
--- /dev/null
+++ b/manifests/certmonger/etcd.pp
@@ -0,0 +1,73 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::etcd
+#
+# Request a certificate for the etcd service and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+# The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+# The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+# The path to the key that will be used for TLS in this service.
+#
+# [*certmonger_ca*]
+# (Optional) The CA that certmonger will use to generate the certificates.
+# Defaults to hiera('certmonger_ca', 'local').
+#
+# [*principal*]
+# (Optional) The haproxy service principal that is set for etcd in kerberos.
+# Defaults to undef
+#
+class tripleo::certmonger::etcd (
+ $hostname,
+ $service_certificate,
+ $service_key,
+ $certmonger_ca = hiera('certmonger_ca', 'local'),
+ $principal = undef,
+) {
+ include ::certmonger
+
+ $postsave_cmd = 'systemctl reload etcd'
+ certmonger_certificate { 'etcd' :
+ ensure => 'present',
+ certfile => $service_certificate,
+ keyfile => $service_key,
+ hostname => $hostname,
+ dnsname => $hostname,
+ principal => $principal,
+ postsave_cmd => $postsave_cmd,
+ ca => $certmonger_ca,
+ wait => true,
+ require => Class['::certmonger'],
+ }
+ file { $service_certificate :
+ owner => 'etcd',
+ group => 'etcd',
+ require => Certmonger_certificate['etcd'],
+ }
+ file { $service_key :
+ owner => 'etcd',
+ group => 'etcd',
+ require => Certmonger_certificate['etcd'],
+ }
+
+ File[$service_certificate] ~> Service<| title == 'etcd' |>
+ File[$service_key] ~> Service<| title == 'etcd' |>
+}
diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp
index 6668440..a5d1bf8 100644
--- a/manifests/certmonger/haproxy.pp
+++ b/manifests/certmonger/haproxy.pp
@@ -40,6 +40,11 @@
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
+# [*dnsnames*]
+# (Optional) The DNS names that will be added for the SubjectAltNames entry
+# in the certificate. If left unset, the value will be set to the $hostname.
+# Defaults to undef
+#
# [*principal*]
# The haproxy service principal that is set for HAProxy in kerberos.
#
@@ -50,6 +55,7 @@ define tripleo::certmonger::haproxy (
$hostname,
$postsave_cmd,
$certmonger_ca = hiera('certmonger_ca', 'local'),
+ $dnsnames = undef,
$principal = undef,
){
include ::certmonger
@@ -62,11 +68,17 @@ define tripleo::certmonger::haproxy (
}
}
+ if $dnsnames {
+ $dnsnames_real = $dnsnames
+ } else {
+ $dnsnames_real = $hostname
+ }
+
certmonger_certificate { "${title}-cert":
ensure => 'present',
ca => $certmonger_ca,
hostname => $hostname,
- dnsname => $hostname,
+ dnsname => $dnsnames_real,
certfile => $service_certificate,
keyfile => $service_key,
postsave_cmd => $postsave_cmd,
diff --git a/manifests/certmonger/httpd.pp b/manifests/certmonger/httpd.pp
index 94b48b7..e9754f7 100644
--- a/manifests/certmonger/httpd.pp
+++ b/manifests/certmonger/httpd.pp
@@ -31,6 +31,11 @@
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
+# [*dnsnames*]
+# (Optional) The DNS names that will be added for the SubjectAltNames entry
+# in the certificate. If left unset, the value will be set to the $hostname.
+# Defaults to undef
+#
# [*principal*]
# The haproxy service principal that is set for HAProxy in kerberos.
#
@@ -39,22 +44,30 @@ define tripleo::certmonger::httpd (
$service_certificate,
$service_key,
$certmonger_ca = hiera('certmonger_ca', 'local'),
+ $dnsnames = undef,
$principal = undef,
) {
include ::certmonger
include ::apache::params
+ if $dnsnames {
+ $dnsnames_real = $dnsnames
+ } else {
+ $dnsnames_real = $hostname
+ }
+
$postsave_cmd = "systemctl reload ${::apache::params::service_name}"
certmonger_certificate { $name :
ensure => 'present',
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
- dnsname => $hostname,
+ dnsname => $dnsnames_real,
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
wait => true,
+ tag => 'apache-cert',
require => Class['::certmonger'],
}
diff --git a/manifests/certmonger/libvirt.pp b/manifests/certmonger/libvirt.pp
new file mode 100644
index 0000000..b7dbb0a
--- /dev/null
+++ b/manifests/certmonger/libvirt.pp
@@ -0,0 +1,78 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Resource: tripleo::certmonger::libvirt
+#
+# Request a certificate for libvirt and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+# The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+# The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+# The path to the key that will be used for TLS in this service.
+#
+# [*certmonger_ca*]
+# (Optional) The CA that certmonger will use to generate the certificates.
+# Defaults to hiera('certmonger_ca', 'local').
+#
+# [*file_owner*]
+# (Optional) The user which the certificate and key files belong to.
+# Defaults to 'root'
+#
+# [*principal*]
+# (Optional) The service principal that is set for the service in kerberos.
+# Defaults to undef
+#
+define tripleo::certmonger::libvirt (
+ $hostname,
+ $service_certificate,
+ $service_key,
+ $certmonger_ca = hiera('certmonger_ca', 'local'),
+ $principal = undef,
+) {
+ include ::certmonger
+ include ::nova::params
+
+ $postsave_cmd = "systemctl restart ${::nova::params::libvirt_service_name}"
+ certmonger_certificate { $name :
+ ensure => 'present',
+ certfile => $service_certificate,
+ keyfile => $service_key,
+ hostname => $hostname,
+ dnsname => $hostname,
+ principal => $principal,
+ postsave_cmd => $postsave_cmd,
+ ca => $certmonger_ca,
+ wait => true,
+ tag => 'libvirt-cert',
+ require => Class['::certmonger'],
+ }
+
+ # Just register the files in puppet's resource catalog. Certmonger should
+ # give the right permissions.
+ file { $service_certificate :
+ require => Certmonger_certificate[$name],
+ }
+ file { $service_key :
+ require => Certmonger_certificate[$name],
+ }
+
+ File[$service_certificate] ~> Service<| title == $::nova::params::libvirt_service_name |>
+ File[$service_key] ~> Service<| title == $::nova::params::libvirt_service_name |>
+}
diff --git a/manifests/certmonger/libvirt_dirs.pp b/manifests/certmonger/libvirt_dirs.pp
new file mode 100644
index 0000000..c42ca0d
--- /dev/null
+++ b/manifests/certmonger/libvirt_dirs.pp
@@ -0,0 +1,60 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::libvirt_dirs
+#
+# Creates the necessary directories for libvirt's certificates and keys in the
+# assigned locations if specified. It also assigns the correct SELinux tags.
+#
+# === Parameters:
+#
+# [*certificate_dir*]
+# (Optional) Directory where libvirt's certificates will be stored. If left
+# unspecified, it won't be created.
+# Defaults to undef
+#
+# [*certificate_dir*]
+# (Optional) Directory where libvirt's certificates will be stored.
+# Defaults to undef
+#
+# [*key_dir*]
+# (Optional) Directory where libvirt's keys will be stored.
+# Defaults to undef
+#
+class tripleo::certmonger::libvirt_dirs(
+ $certificate_dir = undef,
+ $key_dir = undef,
+){
+
+ if $certificate_dir {
+ file { $certificate_dir :
+ ensure => 'directory',
+ selrole => 'object_r',
+ seltype => 'cert_t',
+ seluser => 'system_u',
+ }
+ File[$certificate_dir] ~> Certmonger_certificate<| tag == 'libvirt-cert' |>
+ }
+
+ if $key_dir {
+ file { $key_dir :
+ ensure => 'directory',
+ selrole => 'object_r',
+ seltype => 'cert_t',
+ seluser => 'system_u',
+ }
+ File[$key_dir] ~> Certmonger_certificate<| tag == 'libvirt-cert' |>
+ }
+
+}
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 0b69245..a449a49 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -49,6 +49,10 @@
# The IPv4, IPv6 or filesystem socket path of the syslog server.
# Defaults to '/dev/log'
#
+# [*haproxy_daemon*]
+# Should haproxy run in daemon mode or not
+# Defaults to true
+#
# [*controller_hosts*]
# IPs of host or group of hosts to load-balance the services
# Can be a string or an array.
@@ -428,6 +432,10 @@
# (optional) Specify the network ec2_api_metadata is running on.
# Defaults to hiera('ec2_api_network', undef)
#
+# [*etcd_network*]
+# (optional) Specify the network etcd is running on.
+# Defaults to hiera('etcd_network', undef)
+#
# [*opendaylight_network*]
# (optional) Specify the network opendaylight is running on.
# Defaults to hiera('opendaylight_api_network', undef)
@@ -535,6 +543,7 @@ class tripleo::haproxy (
$haproxy_listen_bind_param = [ 'transparent' ],
$haproxy_member_options = [ 'check', 'inter 2000', 'rise 2', 'fall 5' ],
$haproxy_log_address = '/dev/log',
+ $haproxy_daemon = true,
$haproxy_stats_user = 'admin',
$haproxy_stats_password = undef,
$controller_hosts = hiera('controller_node_ips'),
@@ -623,6 +632,7 @@ class tripleo::haproxy (
$ovn_dbs_network = hiera('ovn_dbs_network', undef),
$ec2_api_network = hiera('ec2_api_network', undef),
$ec2_api_metadata_network = hiera('ec2_api_network', undef),
+ $etcd_network = hiera('etcd_network', undef),
$sahara_network = hiera('sahara_api_network', undef),
$swift_proxy_server_network = hiera('swift_proxy_network', undef),
$tacker_network = hiera('tacker_api_network', undef),
@@ -651,6 +661,7 @@ class tripleo::haproxy (
contrail_webui_https_port => 8143,
docker_registry_port => 8787,
docker_registry_ssl_port => 13787,
+ etcd_port => 2379,
glance_api_port => 9292,
glance_api_ssl_port => 13292,
gnocchi_api_port => 8041,
@@ -712,6 +723,9 @@ class tripleo::haproxy (
if $enable_internal_tls {
$internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"]
+ Haproxy::Balancermember {
+ verifyhost => true
+ }
} else {
$internal_tls_member_options = []
}
@@ -750,7 +764,7 @@ class tripleo::haproxy (
'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
# NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
- 'option' => 'forwardfor',
+ 'option' => [ 'forwardfor', 'httpchk' ],
'http-request' => [
'set-header X-Forwarded-Proto https if { ssl_fc }',
'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
@@ -762,7 +776,7 @@ class tripleo::haproxy (
}
$horizon_options = {
'cookie' => 'SERVERID insert indirect nocache',
- 'option' => 'forwardfor',
+ 'option' => [ 'forwardfor', 'httpchk' ],
}
}
@@ -791,27 +805,30 @@ class tripleo::haproxy (
"${redis_vip}:6379" => $haproxy_listen_bind_param,
}
- $etcd_vip = hiera('etcd_vip', $controller_virtual_ip)
- $etcd_bind_opts = {
- "${etcd_vip}:2379" => $haproxy_listen_bind_param,
+ $haproxy_global_options = {
+ 'log' => "${haproxy_log_address} local0",
+ 'pidfile' => '/var/run/haproxy.pid',
+ 'user' => 'haproxy',
+ 'group' => 'haproxy',
+ 'maxconn' => $haproxy_global_maxconn,
+ 'ssl-default-bind-ciphers' => $ssl_cipher_suite,
+ 'ssl-default-bind-options' => $ssl_options,
+ 'stats' => [
+ 'socket /var/lib/haproxy/stats mode 600 level user',
+ 'timeout 2m'
+ ],
+ }
+ if $haproxy_daemon == true {
+ $haproxy_daemonize = {
+ 'daemon' => '',
+ }
+ } else {
+ $haproxy_daemonize = {}
}
class { '::haproxy':
service_manage => $haproxy_service_manage,
- global_options => {
- 'log' => "${haproxy_log_address} local0",
- 'pidfile' => '/var/run/haproxy.pid',
- 'user' => 'haproxy',
- 'group' => 'haproxy',
- 'daemon' => '',
- 'maxconn' => $haproxy_global_maxconn,
- 'ssl-default-bind-ciphers' => $ssl_cipher_suite,
- 'ssl-default-bind-options' => $ssl_options,
- 'stats' => [
- 'socket /var/lib/haproxy/stats mode 600 level user',
- 'timeout 2m'
- ],
- },
+ global_options => merge($haproxy_global_options, $haproxy_daemonize),
defaults_options => {
'mode' => 'tcp',
'log' => 'global',
@@ -821,12 +838,20 @@ class tripleo::haproxy (
},
}
+
+ $default_listen_options = {
+ 'option' => [ 'httpchk', ],
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
+ }
Tripleo::Haproxy::Endpoint {
haproxy_listen_bind_param => $haproxy_listen_bind_param,
member_options => $haproxy_member_options,
public_certificate => $service_certificate,
use_internal_certificates => $use_internal_certificates,
internal_certificates_specs => $internal_certificates_specs,
+ listen_options => $default_listen_options,
}
$stats_base = ['enable', 'uri /']
@@ -852,11 +877,7 @@ class tripleo::haproxy (
ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real),
server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
+ listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }),
public_ssl_port => $ports[keystone_admin_api_ssl_port],
service_network => $keystone_admin_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -864,11 +885,6 @@ class tripleo::haproxy (
}
if $keystone_public {
- $keystone_listen_opts = {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- }
if $service_certificate {
$keystone_public_tls_listen_opts = {
'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
@@ -877,7 +893,9 @@ class tripleo::haproxy (
'option' => 'forwardfor',
}
} else {
- $keystone_public_tls_listen_opts = {}
+ $keystone_public_tls_listen_opts = {
+ 'option' => [ 'httpchk GET /v3', ],
+ }
}
::tripleo::haproxy::endpoint { 'keystone_public':
public_virtual_ip => $public_virtual_ip,
@@ -886,7 +904,7 @@ class tripleo::haproxy (
ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real),
server_names => hiera('keystone_public_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => merge($keystone_listen_opts, $keystone_public_tls_listen_opts),
+ listen_options => merge($default_listen_options, $keystone_public_tls_listen_opts),
public_ssl_port => $ports[keystone_public_api_ssl_port],
service_network => $keystone_public_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -901,11 +919,6 @@ class tripleo::haproxy (
ip_addresses => hiera('neutron_api_node_ips', $controller_hosts_real),
server_names => hiera('neutron_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[neutron_api_ssl_port],
service_network => $neutron_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -920,11 +933,6 @@ class tripleo::haproxy (
ip_addresses => hiera('cinder_api_node_ips', $controller_hosts_real),
server_names => hiera('cinder_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[cinder_api_ssl_port],
service_network => $cinder_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -939,11 +947,6 @@ class tripleo::haproxy (
ip_addresses => hiera('congress_node_ips', $controller_hosts_real),
server_names => hiera('congress_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[congress_api_ssl_port],
service_network => $congress_network,
}
@@ -957,11 +960,6 @@ class tripleo::haproxy (
ip_addresses => hiera('manila_api_node_ips', $controller_hosts_real),
server_names => hiera('manila_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[manila_api_ssl_port],
service_network => $manila_network,
}
@@ -987,11 +985,6 @@ class tripleo::haproxy (
ip_addresses => hiera('tacker_node_ips', $controller_hosts_real),
server_names => hiera('tacker_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[tacker_api_ssl_port],
service_network => $tacker_network,
}
@@ -1018,11 +1011,7 @@ class tripleo::haproxy (
server_names => hiera('glance_api_node_names', $controller_hosts_names_real),
public_ssl_port => $ports[glance_api_ssl_port],
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
+ listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /healthcheck', ]}),
service_network => $glance_api_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
}
@@ -1037,11 +1026,6 @@ class tripleo::haproxy (
ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real),
server_names => hiera('nova_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[nova_api_ssl_port],
service_network => $nova_osapi_network,
#member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -1057,11 +1041,6 @@ class tripleo::haproxy (
ip_addresses => hiera('nova_placement_node_ips', $controller_hosts_real),
server_names => hiera('nova_placement_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[nova_placement_ssl_port],
service_network => $nova_placement_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -1074,6 +1053,9 @@ class tripleo::haproxy (
service_port => $ports[nova_metadata_port],
ip_addresses => hiera('nova_metadata_node_ips', $controller_hosts_real),
server_names => hiera('nova_metadata_node_names', $controller_hosts_names_real),
+ listen_options => {
+ 'option' => [ 'httpchk', ],
+ },
service_network => $nova_metadata_network,
}
}
@@ -1085,10 +1067,11 @@ class tripleo::haproxy (
service_port => $ports[nova_novnc_port],
ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real),
server_names => hiera('nova_api_node_names', $controller_hosts_names_real),
- listen_options => {
+ listen_options => merge($default_listen_options, {
+ 'option' => [ 'tcpka' ],
'balance' => 'source',
'timeout' => [ 'tunnel 1h' ],
- },
+ }),
public_ssl_port => $ports[nova_novnc_ssl_port],
service_network => $nova_novncproxy_network,
}
@@ -1102,11 +1085,6 @@ class tripleo::haproxy (
ip_addresses => hiera('ec2_api_node_ips', $controller_hosts_real),
server_names => hiera('ec2_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[ec2_api_ssl_port],
service_network => $ec2_api_network,
}
@@ -1130,11 +1108,6 @@ class tripleo::haproxy (
ip_addresses => hiera('ceilometer_api_node_ips', $controller_hosts_real),
server_names => hiera('ceilometer_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[ceilometer_api_ssl_port],
service_network => $ceilometer_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -1149,11 +1122,6 @@ class tripleo::haproxy (
ip_addresses => hiera('aodh_api_node_ips', $controller_hosts_real),
server_names => hiera('aodh_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[aodh_api_ssl_port],
service_network => $aodh_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -1167,11 +1135,6 @@ class tripleo::haproxy (
service_port => $ports[panko_api_port],
ip_addresses => hiera('panko_api_node_ips', $controller_hosts_real),
server_names => hiera('panko_api_node_names', $controller_hosts_names_real),
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[panko_api_ssl_port],
service_network => $panko_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -1199,11 +1162,6 @@ class tripleo::haproxy (
ip_addresses => hiera('gnocchi_api_node_ips', $controller_hosts_real),
server_names => hiera('gnocchi_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[gnocchi_api_ssl_port],
service_network => $gnocchi_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -1224,6 +1182,7 @@ class tripleo::haproxy (
if $swift_proxy_server {
$swift_proxy_server_listen_options = {
+ 'option' => [ 'httpchk GET /healthcheck', ],
'timeout client' => '2m',
'timeout server' => '2m',
}
@@ -1242,17 +1201,17 @@ class tripleo::haproxy (
$heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip)
$heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real)
- $heat_base_options = {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }']}
+ $heat_timeout_options = {
+ 'timeout client' => '10m',
+ 'timeout server' => '10m',
+ }
if $service_certificate {
$heat_ssl_options = {
'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1",
}
- $heat_options = merge($heat_base_options, $heat_ssl_options)
+ $heat_options = merge($default_listen_options, $heat_ssl_options, $heat_timeout_options)
} else {
- $heat_options = $heat_base_options
+ $heat_options = merge($default_listen_options, $heat_timeout_options)
}
if $heat_api {
@@ -1408,19 +1367,16 @@ class tripleo::haproxy (
}
if $etcd {
- haproxy::listen { 'etcd':
- bind => $etcd_bind_opts,
- options => {
+ ::tripleo::haproxy::endpoint { 'etcd':
+ internal_ip => hiera('etcd_vip', $controller_virtual_ip),
+ service_port => $ports[etcd_port],
+ ip_addresses => hiera('etcd_node_ips', $controller_hosts_real),
+ server_names => hiera('etcd_node_names', $controller_hosts_names_real),
+ service_network => $etcd_network,
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
+ listen_options => {
'balance' => 'source',
- },
- collect_exported => false,
- }
- haproxy::balancermember { 'etcd':
- listening_service => 'etcd',
- ports => '2379',
- ipaddresses => hiera('etcd_node_ips', $controller_hosts_real),
- server_names => hiera('etcd_node_names', $controller_hosts_names_real),
- options => $haproxy_member_options,
+ }
}
}
@@ -1515,6 +1471,7 @@ class tripleo::haproxy (
server_names => hiera('ceph_rgw_node_names', $controller_hosts_names_real),
public_ssl_port => $ports[ceph_rgw_ssl_port],
service_network => $ceph_rgw_network,
+ listen_options => merge($default_listen_options, { 'option' => [ 'httpchk HEAD /' ] }),
}
}
@@ -1648,6 +1605,10 @@ class tripleo::haproxy (
ip_addresses => hiera('contrail_config_node_ips'),
server_names => hiera('contrail_config_node_ips'),
public_ssl_port => $ports[contrail_webui_https_port],
+ listen_options => {
+ 'balance' => 'source',
+ 'hash-type' => 'consistent',
+ }
}
}
}
diff --git a/manifests/keepalived.pp b/manifests/keepalived.pp
index a6d5832..35b0821 100644
--- a/manifests/keepalived.pp
+++ b/manifests/keepalived.pp
@@ -59,6 +59,17 @@
# A string.
# Defaults to false
#
+# [*ovndbs_virtual_ip*]
+# Virtual IP on the OVNDBs service.
+# A string.
+# Defaults to false
+#
+# [*virtual_router_id_base*]
+# Base for range used for virtual router IDs.
+# An integer.
+# Defaults to 50
+#
+
class tripleo::keepalived (
$controller_virtual_ip,
$control_virtual_interface,
@@ -68,6 +79,8 @@ class tripleo::keepalived (
$storage_virtual_ip = false,
$storage_mgmt_virtual_ip = false,
$redis_virtual_ip = false,
+ $ovndbs_virtual_ip = false,
+ $virtual_router_id_base = 50,
) {
case $::osfamily {
@@ -93,7 +106,7 @@ class tripleo::keepalived (
}
# KEEPALIVE INSTANCE CONTROL
- keepalived::instance { '51':
+ keepalived::instance { "${$virtual_router_id_base + 1}":
interface => $control_virtual_interface,
virtual_ips => [join([$controller_virtual_ip, ' dev ', $control_virtual_interface])],
state => 'MASTER',
@@ -102,7 +115,7 @@ class tripleo::keepalived (
}
# KEEPALIVE INSTANCE PUBLIC
- keepalived::instance { '52':
+ keepalived::instance { "${$virtual_router_id_base + 2}":
interface => $public_virtual_interface,
virtual_ips => [join([$public_virtual_ip, ' dev ', $public_virtual_interface])],
state => 'MASTER',
@@ -119,7 +132,7 @@ class tripleo::keepalived (
$internal_api_virtual_netmask = '32'
}
# KEEPALIVE INTERNAL API NETWORK
- keepalived::instance { '53':
+ keepalived::instance { "${$virtual_router_id_base + 3}":
interface => $internal_api_virtual_interface,
virtual_ips => [join(["${internal_api_virtual_ip}/${internal_api_virtual_netmask}", ' dev ', $internal_api_virtual_interface])],
state => 'MASTER',
@@ -136,7 +149,7 @@ class tripleo::keepalived (
$storage_virtual_netmask = '32'
}
# KEEPALIVE STORAGE NETWORK
- keepalived::instance { '54':
+ keepalived::instance { "${$virtual_router_id_base + 4}":
interface => $storage_virtual_interface,
virtual_ips => [join(["${storage_virtual_ip}/${storage_virtual_netmask}", ' dev ', $storage_virtual_interface])],
state => 'MASTER',
@@ -153,7 +166,7 @@ class tripleo::keepalived (
$storage_mgmt_virtual_netmask = '32'
}
# KEEPALIVE STORAGE MANAGEMENT NETWORK
- keepalived::instance { '55':
+ keepalived::instance { "${$virtual_router_id_base + 5}":
interface => $storage_mgmt_virtual_interface,
virtual_ips => [join(["${storage_mgmt_virtual_ip}/${storage_mgmt_virtual_netmask}", ' dev ', $storage_mgmt_virtual_interface])],
state => 'MASTER',
@@ -170,7 +183,7 @@ class tripleo::keepalived (
$redis_virtual_netmask = '32'
}
# KEEPALIVE STORAGE MANAGEMENT NETWORK
- keepalived::instance { '56':
+ keepalived::instance { "${$virtual_router_id_base + 6}":
interface => $redis_virtual_interface,
virtual_ips => [join(["${redis_virtual_ip}/${redis_virtual_netmask}", ' dev ', $redis_virtual_interface])],
state => 'MASTER',
@@ -178,4 +191,16 @@ class tripleo::keepalived (
priority => 101,
}
}
+
+ if $ovndbs_virtual_ip and $ovndbs_virtual_ip != $controller_virtual_ip {
+ $ovndbs_virtual_interface = interface_for_ip($ovndbs_virtual_ip)
+ # KEEPALIVE OVNDBS MANAGEMENT NETWORK
+ keepalived::instance { "${$virtual_router_id_base + 7}":
+ interface => $ovndbs_virtual_interface,
+ virtual_ips => [join([$ovndbs_virtual_ip, ' dev ', $ovndbs_virtual_interface])],
+ state => 'MASTER',
+ track_script => ['haproxy'],
+ priority => 101,
+ }
+ }
}
diff --git a/manifests/profile/base/aodh/api.pp b/manifests/profile/base/aodh/api.pp
index 22fc000..5c539fc 100644
--- a/manifests/profile/base/aodh/api.pp
+++ b/manifests/profile/base/aodh/api.pp
@@ -68,6 +68,7 @@ class tripleo::profile::base::aodh::api (
if $step >= 3 {
include ::aodh::api
+ include ::apache::mod::ssl
class { '::aodh::wsgi::apache':
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,
diff --git a/manifests/profile/base/barbican/api.pp b/manifests/profile/base/barbican/api.pp
index 71e4ea1..211e442 100644
--- a/manifests/profile/base/barbican/api.pp
+++ b/manifests/profile/base/barbican/api.pp
@@ -158,6 +158,7 @@ class tripleo::profile::base::barbican::api (
include ::barbican::api::logging
include ::barbican::keystone::notification
include ::barbican::quota
+ include ::apache::mod::ssl
class { '::barbican::wsgi::apache':
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,
diff --git a/manifests/profile/base/ceilometer.pp b/manifests/profile/base/ceilometer.pp
index 2855bd2..e6a2f11 100644
--- a/manifests/profile/base/ceilometer.pp
+++ b/manifests/profile/base/ceilometer.pp
@@ -18,6 +18,10 @@
#
# === Parameters
#
+# [*bootstrap_node*]
+# (Optional) The hostname of the node responsible for bootstrapping tasks
+# Defaults to hiera('bootstrap_nodeid')
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@@ -68,6 +72,7 @@
# Defaults to hiera('ceilometer::rabbit_use_ssl', '0')
class tripleo::profile::base::ceilometer (
+ $bootstrap_node = hiera('bootstrap_nodeid', undef),
$step = hiera('step'),
$oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'),
$oslomsg_rpc_hosts = any2array(hiera('rabbitmq_node_names', undef)),
@@ -81,6 +86,11 @@ class tripleo::profile::base::ceilometer (
$oslomsg_notify_username = hiera('ceilometer::rabbit_userid', 'guest'),
$oslomsg_use_ssl = hiera('ceilometer::rabbit_use_ssl', '0'),
) {
+ if $::hostname == downcase($bootstrap_node) {
+ $sync_db = true
+ } else {
+ $sync_db = false
+ }
if $step >= 3 {
$oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl)))
@@ -105,4 +115,12 @@ class tripleo::profile::base::ceilometer (
include ::ceilometer::config
}
+ # Run ceilometer-upgrade in step 5 so gnocchi resource types
+ # are created safely.
+ if $step >= 5 and $sync_db {
+ exec {'ceilometer-db-upgrade':
+ command => 'ceilometer-upgrade --skip-metering-database',
+ path => ['/usr/bin', '/usr/sbin'],
+ }
+ }
}
diff --git a/manifests/profile/base/ceilometer/api.pp b/manifests/profile/base/ceilometer/api.pp
index 28504c5..0176380 100644
--- a/manifests/profile/base/ceilometer/api.pp
+++ b/manifests/profile/base/ceilometer/api.pp
@@ -63,8 +63,9 @@ class tripleo::profile::base::ceilometer::api (
$tls_keyfile = undef
}
- if $step >= 4 {
+ if $step >= 3 {
include ::ceilometer::api
+ include ::apache::mod::ssl
class { '::ceilometer::wsgi::apache':
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,
diff --git a/manifests/profile/base/ceilometer/collector.pp b/manifests/profile/base/ceilometer/collector.pp
index 6b58286..a2c1e29 100644
--- a/manifests/profile/base/ceilometer/collector.pp
+++ b/manifests/profile/base/ceilometer/collector.pp
@@ -84,13 +84,4 @@ class tripleo::profile::base::ceilometer::collector (
include ::ceilometer::collector
include ::ceilometer::dispatcher::gnocchi
}
-
- # Re-run ceilometer-upgrade again in step 5 so gnocchi resource types
- # are created safely.
- if $step >= 5 and $sync_db {
- exec {'ceilometer-db-upgrade':
- command => 'ceilometer-upgrade --skip-metering-database',
- path => ['/usr/bin', '/usr/sbin'],
- }
- }
}
diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp
index 586c7e4..b63fb7f 100644
--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
@@ -43,6 +43,11 @@
# it will create.
# Defaults to hiera('tripleo::profile::base::haproxy::certificate_specs', {}).
#
+# [*libvirt_certificates_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Defaults to hiera('libvirt_certificates_specs', {}).
+#
# [*mysql_certificate_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
@@ -53,15 +58,29 @@
# it will create.
# Defaults to hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}).
#
+# [*etcd_certificate_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Defaults to hiera('tripleo::profile::base::etcd::certificate_specs', {}).
+#
class tripleo::profile::base::certmonger_user (
$apache_certificates_specs = hiera('apache_certificates_specs', {}),
$haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
+ $libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}),
$mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
$rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}),
+ $etcd_certificate_specs = hiera('tripleo::profile::base::etcd::certificate_specs', {}),
) {
+ include ::tripleo::certmonger::ca::libvirt
+
unless empty($apache_certificates_specs) {
+ include ::tripleo::certmonger::apache_dirs
ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs)
}
+ unless empty($libvirt_certificates_specs) {
+ include ::tripleo::certmonger::libvirt_dirs
+ ensure_resources('tripleo::certmonger::libvirt', $libvirt_certificates_specs)
+ }
unless empty($haproxy_certificates_specs) {
ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs)
# The haproxy fronends (or listen resources) depend on the certificate
@@ -74,4 +93,7 @@ class tripleo::profile::base::certmonger_user (
unless empty($rabbitmq_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::rabbitmq', $rabbitmq_certificate_specs)
}
+ unless empty($etcd_certificate_specs) {
+ ensure_resource('class', 'tripleo::certmonger::etcd', $etcd_certificate_specs)
+ }
}
diff --git a/manifests/profile/base/cinder/api.pp b/manifests/profile/base/cinder/api.pp
index c432fd6..2fd9a65 100644
--- a/manifests/profile/base/cinder/api.pp
+++ b/manifests/profile/base/cinder/api.pp
@@ -76,6 +76,7 @@ class tripleo::profile::base::cinder::api (
if $step >= 4 or ($step >= 3 and $sync_db) {
include ::cinder::api
+ include ::apache::mod::ssl
class { '::cinder::wsgi::apache':
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,
diff --git a/manifests/profile/base/cinder/volume.pp b/manifests/profile/base/cinder/volume.pp
index 9fb1594..e1370a3 100644
--- a/manifests/profile/base/cinder/volume.pp
+++ b/manifests/profile/base/cinder/volume.pp
@@ -18,6 +18,10 @@
#
# === Parameters
#
+# [*cinder_enable_pure_backend*]
+# (Optional) Whether to enable the pure backend
+# Defaults to true
+#
# [*cinder_enable_dellsc_backend*]
# (Optional) Whether to enable the delsc backend
# Defaults to true
@@ -60,6 +64,7 @@
# Defaults to hiera('step')
#
class tripleo::profile::base::cinder::volume (
+ $cinder_enable_pure_backend = false,
$cinder_enable_dellsc_backend = false,
$cinder_enable_hpelefthand_backend = false,
$cinder_enable_dellps_backend = false,
@@ -76,6 +81,13 @@ class tripleo::profile::base::cinder::volume (
if $step >= 4 {
include ::cinder::volume
+ if $cinder_enable_pure_backend {
+ include ::tripleo::profile::base::cinder::volume::pure
+ $cinder_pure_backend_name = hiera('cinder::backend::pure::volume_backend_name', 'tripleo_pure')
+ } else {
+ $cinder_pure_backend_name = undef
+ }
+
if $cinder_enable_dellsc_backend {
include ::tripleo::profile::base::cinder::volume::dellsc
$cinder_dellsc_backend_name = hiera('cinder::backend::dellsc_iscsi::volume_backend_name', 'tripleo_dellsc')
@@ -134,6 +146,7 @@ class tripleo::profile::base::cinder::volume (
$backends = delete_undef_values([$cinder_iscsi_backend_name,
$cinder_rbd_backend_name,
+ $cinder_pure_backend_name,
$cinder_dellps_backend_name,
$cinder_dellsc_backend_name,
$cinder_hpelefthand_backend_name,
diff --git a/manifests/profile/base/cinder/volume/dellsc.pp b/manifests/profile/base/cinder/volume/dellsc.pp
index 534bcb7..a60eadf 100644
--- a/manifests/profile/base/cinder/volume/dellsc.pp
+++ b/manifests/profile/base/cinder/volume/dellsc.pp
@@ -35,15 +35,20 @@ class tripleo::profile::base::cinder::volume::dellsc (
if $step >= 4 {
cinder::backend::dellsc_iscsi { $backend_name :
- san_ip => hiera('cinder::backend::dellsc_iscsi::san_ip', undef),
- san_login => hiera('cinder::backend::dellsc_iscsi::san_login', undef),
- san_password => hiera('cinder::backend::dellsc_iscsi::san_password', undef),
- dell_sc_ssn => hiera('cinder::backend::dellsc_iscsi::dell_sc_ssn', undef),
- iscsi_ip_address => hiera('cinder::backend::dellsc_iscsi::iscsi_ip_address', undef),
- iscsi_port => hiera('cinder::backend::dellsc_iscsi::iscsi_port', undef),
- dell_sc_api_port => hiera('cinder::backend::dellsc_iscsi::dell_sc_api_port', undef),
- dell_sc_server_folder => hiera('cinder::backend::dellsc_iscsi::dell_sc_server_folder', undef),
- dell_sc_volume_folder => hiera('cinder::backend::dellsc_iscsi::dell_sc_volume_folder', undef),
+ san_ip => hiera('cinder::backend::dellsc_iscsi::san_ip', undef),
+ san_login => hiera('cinder::backend::dellsc_iscsi::san_login', undef),
+ san_password => hiera('cinder::backend::dellsc_iscsi::san_password', undef),
+ dell_sc_ssn => hiera('cinder::backend::dellsc_iscsi::dell_sc_ssn', undef),
+ iscsi_ip_address => hiera('cinder::backend::dellsc_iscsi::iscsi_ip_address', undef),
+ iscsi_port => hiera('cinder::backend::dellsc_iscsi::iscsi_port', undef),
+ dell_sc_api_port => hiera('cinder::backend::dellsc_iscsi::dell_sc_api_port', undef),
+ dell_sc_server_folder => hiera('cinder::backend::dellsc_iscsi::dell_sc_server_folder', undef),
+ dell_sc_volume_folder => hiera('cinder::backend::dellsc_iscsi::dell_sc_volume_folder', undef),
+ excluded_domain_ip => hiera('cinder::backend::dellsc_iscsi::excluded_domain_ip', undef),
+ secondary_san_ip => hiera('cinder::backend::dellsc_iscsi::secondary_san_ip', undef),
+ secondary_san_login => hiera('cinder::backend::dellsc_iscsi::secondary_san_login', undef),
+ secondary_san_password => hiera('cinder::backend::dellsc_iscsi::secondary_san_password', undef),
+ secondary_sc_api_port => hiera('cinder::backend::dellsc_iscsi::secondary_sc_api_port', undef),
}
}
diff --git a/manifests/profile/base/cinder/volume/pure.pp b/manifests/profile/base/cinder/volume/pure.pp
new file mode 100644
index 0000000..e524919
--- /dev/null
+++ b/manifests/profile/base/cinder/volume/pure.pp
@@ -0,0 +1,65 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::cinder::volume::pure
+#
+# Cinder Volume pure profile for tripleo
+#
+# === Parameters
+#
+# [*san_ip*]
+# (required) IP address of PureStorage management VIP.
+#
+# [*pure_api_token*]
+# (required) API token for management of PureStorage array.
+#
+# [*backend_name*]
+# (Optional) Name given to the Cinder backend stanza
+# Defaults to 'tripleo_pure'
+#
+# [*pure_storage_protocol*]
+# (optional) Must be either 'iSCSI' or 'FC'. This will determine
+# which Volume Driver will be configured; PureISCSIDriver or PureFCDriver.
+# Defaults to 'iSCSI'
+#
+# [*use_multipath_for_image_xfer*]
+# (optional) .
+# Defaults to True
+#
+# [*use_chap_auth*]
+# (optional) Only affects the PureISCSIDriver.
+# Defaults to False
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+class tripleo::profile::base::cinder::volume::pure (
+ $backend_name = hiera('cinder::backend::pure::volume_backend_name', 'tripleo_pure'),
+ $step = hiera('step'),
+) {
+ include ::tripleo::profile::base::cinder::volume
+
+ if $step >= 4 {
+ cinder::backend::pure { $backend_name :
+ san_ip => hiera('cinder::backend::pure::san_ip', undef),
+ pure_api_token => hiera('cinder::backend::pure::pure_api_token', undef),
+ pure_storage_protocol => hiera('cinder::backend::pure::pure_storage_protocol', undef),
+ use_chap_auth => hiera('cinder::backend::pure::use_chap_auth', undef),
+ use_multipath_for_image_xfer => hiera('cinder::backend::pure::use_multipath_for_image_xfer', undef),
+ }
+ }
+
+}
diff --git a/manifests/profile/base/database/mysql/client.pp b/manifests/profile/base/database/mysql/client.pp
index 22384a9..014ef35 100644
--- a/manifests/profile/base/database/mysql/client.pp
+++ b/manifests/profile/base/database/mysql/client.pp
@@ -82,6 +82,7 @@ class tripleo::profile::base::database::mysql::client (
# Create /etc/my.cnf.d/tripleo.cnf
exec { 'directory-create-etc-my.cnf.d':
command => 'mkdir -p /etc/my.cnf.d',
+ unless => 'test -d /etc/my.cnf.d',
path => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'],
} ->
augeas { 'tripleo-mysql-client-conf':
diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp
index 5e18a85..d035f6a 100644
--- a/manifests/profile/base/docker.pp
+++ b/manifests/profile/base/docker.pp
@@ -28,12 +28,17 @@
# Set docker_namespace to INSECURE_REGISTRY, used when a local registry
# is enabled (defaults to false)
#
+# [*registry_mirror*]
+# Configure a registry-mirror in the /etc/docker/daemon.json file.
+# (defaults to false)
+#
# [*step*]
# step defaults to hiera('step')
#
class tripleo::profile::base::docker (
$docker_namespace = undef,
$insecure_registry = false,
+ $registry_mirror = false,
$step = hiera('step'),
) {
if $step >= 1 {
@@ -64,5 +69,32 @@ class tripleo::profile::base::docker (
subscribe => Package['docker'],
notify => Service['docker'],
}
+
+ if $registry_mirror {
+ $mirror_changes = [
+ 'set dict/entry[. = "registry-mirrors"] "registry-mirrors',
+ "set dict/entry[. = \"registry-mirrors\"]/array/string \"${registry_mirror}\""
+ ]
+ } else {
+ $mirror_changes = [ 'rm dict/entry[. = "registry-mirrors"]', ]
+ }
+
+ file { '/etc/docker/daemon.json':
+ ensure => 'present',
+ content => '{}',
+ mode => '0644',
+ replace => false,
+ require => Package['docker']
+ }
+
+ augeas { 'docker-daemon.json':
+ lens => 'Json.lns',
+ incl => '/etc/docker/daemon.json',
+ changes => $mirror_changes,
+ subscribe => Package['docker'],
+ notify => Service['docker'],
+ require => File['/etc/docker/daemon.json'],
+ }
+
}
}
diff --git a/manifests/profile/base/docker_registry.pp b/manifests/profile/base/docker_registry.pp
index 2f1783d..cb262d9 100644
--- a/manifests/profile/base/docker_registry.pp
+++ b/manifests/profile/base/docker_registry.pp
@@ -31,19 +31,28 @@
# network
# Defaults to hiera('controller_admin_host')
#
+# [*enable_container_images_build*]
+# (Optional) Whether to install tools to build docker container images
+# Defaults to hiera('enable_container_images_build', true)
+#
class tripleo::profile::base::docker_registry (
- $registry_host = hiera('controller_host'),
- $registry_port = 8787,
- $registry_admin_host = hiera('controller_admin_host'),
+ $registry_host = hiera('controller_host'),
+ $registry_port = 8787,
+ $registry_admin_host = hiera('controller_admin_host'),
+ $enable_container_images_build = hiera('enable_container_images_build', true),
) {
+
+ include ::tripleo::profile::base::docker
+
# We want a v2 registry
package{'docker-registry':
ensure => absent,
allow_virtual => false,
}
package{'docker-distribution': }
- package{'docker': }
- package{'openstack-kolla': }
+ if str2bool($enable_container_images_build) {
+ package{'openstack-kolla': }
+ }
file { '/etc/docker-distribution/registry/config.yml' :
ensure => file,
content => template('tripleo/docker_distribution/registry_config.yml.erb'),
@@ -68,9 +77,4 @@ class tripleo::profile::base::docker_registry (
enable => true,
require => Package['docker-distribution'],
}
- service { 'docker':
- ensure => running,
- enable => true,
- require => Package['docker'],
- }
}
diff --git a/manifests/profile/base/etcd.pp b/manifests/profile/base/etcd.pp
index fc4771f..9f5d180 100644
--- a/manifests/profile/base/etcd.pp
+++ b/manifests/profile/base/etcd.pp
@@ -34,26 +34,63 @@
# (Optional) Array of host(s) for etcd nodes.
# Defaults to hiera('etcd_node_ips', []).
#
+# [*certificate_specs*]
+# (Optional) The specifications to give to certmonger for the certificate
+# it will create. Note that the certificate nickname must be 'etcd' in
+# the case of this service.
+# Example with hiera:
+# tripleo::profile::base::etcd::certificate_specs:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "etcd/<overcloud controller fqdn>"
+# Defaults to {}.
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
# Defaults to hiera('step')
#
class tripleo::profile::base::etcd (
- $bind_ip = '127.0.0.1',
- $client_port = '2379',
- $peer_port = '2380',
- $nodes = hiera('etcd_node_names', []),
- $step = hiera('step'),
+ $bind_ip = '127.0.0.1',
+ $client_port = '2379',
+ $peer_port = '2380',
+ $nodes = hiera('etcd_node_names', []),
+ $certificate_specs = {},
+ $enable_internal_tls = hiera('enable_internal_tls', false),
+ $step = hiera('step'),
) {
- if $step >= 1 {
+
+ validate_hash($certificate_specs)
+
+ if $enable_internal_tls {
+ $tls_certfile = $certificate_specs['service_certificate']
+ $tls_keyfile = $certificate_specs['service_key']
+ $protocol = 'https'
+ } else {
+ $tls_certfile = undef
+ $tls_keyfile = undef
+ $protocol = 'http'
+ }
+
+ if $step >= 2 {
class {'::etcd':
- listen_client_urls => "http://${bind_ip}:${client_port}",
- advertise_client_urls => "http://${bind_ip}:${client_port}",
- listen_peer_urls => "http://${bind_ip}:${peer_port}",
- initial_advertise_peer_urls => "http://${bind_ip}:${peer_port}",
- initial_cluster => regsubst($nodes, '.+', "\\0=http://\\0:${peer_port}"),
+ listen_client_urls => "${protocol}://${bind_ip}:${client_port}",
+ advertise_client_urls => "${protocol}://${bind_ip}:${client_port}",
+ listen_peer_urls => "${protocol}://${bind_ip}:${peer_port}",
+ initial_advertise_peer_urls => "${protocol}://${bind_ip}:${peer_port}",
+ initial_cluster => regsubst($nodes, '.+', "\\0=${protocol}://\\0:${peer_port}"),
proxy => 'off',
+ cert_file => $tls_certfile,
+ key_file => $tls_keyfile,
+ client_cert_auth => $enable_internal_tls,
+ peer_cert_file => $tls_certfile,
+ peer_key_file => $tls_keyfile,
+ peer_client_cert_auth => $enable_internal_tls,
}
}
}
diff --git a/manifests/profile/base/gnocchi/api.pp b/manifests/profile/base/gnocchi/api.pp
index 79ee265..a4e9a30 100644
--- a/manifests/profile/base/gnocchi/api.pp
+++ b/manifests/profile/base/gnocchi/api.pp
@@ -47,6 +47,14 @@
# This is set by t-h-t.
# Defaults to hiera('gnocchi_api_network', undef)
#
+# [*gnocchi_redis_password*]
+# (Required) Password for the gnocchi redis user for the coordination url
+# Defaults to hiera('gnocchi_redis_password')
+#
+# [*redis_vip*]
+# (Required) Redis ip address for the coordination url
+# Defaults to hiera('redis_vip')
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@@ -58,6 +66,8 @@ class tripleo::profile::base::gnocchi::api (
$enable_internal_tls = hiera('enable_internal_tls', false),
$gnocchi_backend = downcase(hiera('gnocchi_backend', 'swift')),
$gnocchi_network = hiera('gnocchi_api_network', undef),
+ $gnocchi_redis_password = hiera('gnocchi_redis_password'),
+ $redis_vip = hiera('redis_vip'),
$step = hiera('step'),
) {
if $::hostname == downcase($bootstrap_node) {
@@ -83,15 +93,18 @@ class tripleo::profile::base::gnocchi::api (
include ::gnocchi::db::sync
}
- if $step >= 4 {
+ if $step >= 3 {
include ::gnocchi::api
+ include ::apache::mod::ssl
class { '::gnocchi::wsgi::apache':
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,
}
+ }
+ if $step >= 4 {
class { '::gnocchi::storage':
- coordination_url => join(['redis://:', hiera('gnocchi_redis_password'), '@', normalize_ip_for_uri(hiera('redis_vip')), ':6379/']),
+ coordination_url => join(['redis://:', $gnocchi_redis_password, '@', normalize_ip_for_uri($redis_vip), ':6379/']),
}
case $gnocchi_backend {
'swift': { include ::gnocchi::storage::swift }
diff --git a/manifests/profile/base/heat/api.pp b/manifests/profile/base/heat/api.pp
index 8e2da7e..79eb77e 100644
--- a/manifests/profile/base/heat/api.pp
+++ b/manifests/profile/base/heat/api.pp
@@ -65,6 +65,7 @@ class tripleo::profile::base::heat::api (
if $step >= 3 {
include ::heat::api
+ include ::apache::mod::ssl
class { '::heat::wsgi::apache_api':
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,
diff --git a/manifests/profile/base/heat/api_cfn.pp b/manifests/profile/base/heat/api_cfn.pp
index 02eb82a..dad7b76 100644
--- a/manifests/profile/base/heat/api_cfn.pp
+++ b/manifests/profile/base/heat/api_cfn.pp
@@ -66,6 +66,7 @@ class tripleo::profile::base::heat::api_cfn (
if $step >= 3 {
include ::heat::api_cfn
+ include ::apache::mod::ssl
class { '::heat::wsgi::apache_api_cfn':
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,
diff --git a/manifests/profile/base/heat/api_cloudwatch.pp b/manifests/profile/base/heat/api_cloudwatch.pp
index 558d247..428bcf2 100644
--- a/manifests/profile/base/heat/api_cloudwatch.pp
+++ b/manifests/profile/base/heat/api_cloudwatch.pp
@@ -66,6 +66,7 @@ class tripleo::profile::base::heat::api_cloudwatch (
if $step >= 3 {
include ::heat::api_cloudwatch
+ include ::apache::mod::ssl
class { '::heat::wsgi::apache_api_cloudwatch':
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,
diff --git a/manifests/profile/base/ironic/conductor.pp b/manifests/profile/base/ironic/conductor.pp
index 7f90da9..5ebf167 100644
--- a/manifests/profile/base/ironic/conductor.pp
+++ b/manifests/profile/base/ironic/conductor.pp
@@ -34,6 +34,7 @@ class tripleo::profile::base::ironic::conductor (
if $step >= 4 {
include ::ironic::conductor
+ include ::ironic::drivers::interfaces
include ::ironic::drivers::pxe
if $manage_pxe {
include ::ironic::pxe
@@ -43,7 +44,11 @@ class tripleo::profile::base::ironic::conductor (
include ::ironic::drivers::drac
include ::ironic::drivers::ilo
include ::ironic::drivers::ipmi
- include ::ironic::drivers::ssh
+ include ::ironic::drivers::redfish
+ # TODO: deprecated code cleanup, remove in Queens
+ ironic_config {
+ 'ssh/libvirt_uri': ensure => absent;
+ }
# Configure access to other services
include ::ironic::drivers::inspector
diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index bb3f387..31f5c93 100644
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@@ -59,6 +59,15 @@
# heat admin user name
# Defaults to undef
#
+# [*ldap_backends_config*]
+# Configuration for keystone::ldap_backend. This takes a hash that will
+# create each backend specified.
+# Defaults to undef
+#
+# [*ldap_backend_enable*]
+# Enables creating per-domain LDAP backends for keystone.
+# Default to false
+#
# [*manage_db_purge*]
# (Optional) Whether keystone token flushing should be enabled
# Defaults to hiera('keystone_enable_db_purge', true)
@@ -126,6 +135,8 @@ class tripleo::profile::base::keystone (
$heat_admin_email = undef,
$heat_admin_password = undef,
$heat_admin_user = undef,
+ $ldap_backends_config = undef,
+ $ldap_backend_enable = false,
$manage_db_purge = hiera('keystone_enable_db_purge', true),
$public_endpoint_network = hiera('keystone_public_api_network', undef),
$oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'),
@@ -200,6 +211,7 @@ class tripleo::profile::base::keystone (
}
include ::keystone::config
+ include ::apache::mod::ssl
class { '::keystone::wsgi::apache':
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,
@@ -207,6 +219,13 @@ class tripleo::profile::base::keystone (
ssl_key_admin => $tls_keyfile_admin,
}
include ::keystone::cors
+
+ if $ldap_backend_enable {
+ validate_hash($ldap_backends_config)
+ create_resources('::keystone::ldap_backend', $ldap_backends_config, {
+ create_domain_entry => $manage_domain,
+ })
+ }
}
if $step >= 4 and $manage_db_purge {
@@ -294,13 +313,16 @@ class tripleo::profile::base::keystone (
if hiera('nova_placement_enabled', false) {
include ::nova::keystone::auth_placement
}
+ if hiera('octavia_api_enabled', false) {
+ include ::octavia::keystone::auth
+ }
if hiera('panko_api_enabled', false) {
include ::panko::keystone::auth
}
if hiera('sahara_api_enabled', false) {
include ::sahara::keystone::auth
}
- if hiera('swift_proxy_enabled', false) {
+ if hiera('swift_proxy_enabled', false) or hiera('external_swift_proxy_enabled',false) {
include ::swift::keystone::auth
}
if hiera('tacker_enabled', false) {
diff --git a/manifests/profile/base/neutron/agents/bagpipe.pp b/manifests/profile/base/neutron/agents/bagpipe.pp
new file mode 100644
index 0000000..fb5e000
--- /dev/null
+++ b/manifests/profile/base/neutron/agents/bagpipe.pp
@@ -0,0 +1,37 @@
+#
+# Copyright (C) 2017 Red Hat Inc.
+#
+# Author: Ricardo Noriega <rnoriega@redhat.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::neutron::agents::bagpipe
+#
+# Neutron Bagpipe Agent profile for TripleO
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+class tripleo::profile::base::neutron::agents::bagpipe (
+ $step = hiera('step'),
+) {
+ include ::tripleo::profile::base::neutron
+
+ if $step >= 4 {
+ include ::neutron::agents::bagpipe
+ }
+}
diff --git a/manifests/profile/base/neutron/agents/bigswitch.pp b/manifests/profile/base/neutron/agents/bigswitch.pp
new file mode 100644
index 0000000..137dec0
--- /dev/null
+++ b/manifests/profile/base/neutron/agents/bigswitch.pp
@@ -0,0 +1,31 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::neutron::agents::bigswitch
+#
+# Bigswitch Neutron agent profile
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) The current step of the deployment
+# Defaults to hiera('step')
+#
+class tripleo::profile::base::neutron::agents::bigswitch(
+ $step = hiera('step'),
+) {
+ if $step >= 4 {
+ include ::neutron::agents::bigswitch
+ }
+}
diff --git a/manifests/profile/base/neutron/agents/vpp.pp b/manifests/profile/base/neutron/agents/vpp.pp
new file mode 100644
index 0000000..e961aa7
--- /dev/null
+++ b/manifests/profile/base/neutron/agents/vpp.pp
@@ -0,0 +1,49 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::neutron::agents::vpp
+#
+# Neutron VPP Agent profile for tripleo
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+# [*etcd_host*]
+# (Optional) etcd server VIP.
+# Defaults to hiera('etcd_vip')
+#
+# [*etcd_port*]
+# (Optional) etcd server listening port.
+# Defaults to 2379
+#
+class tripleo::profile::base::neutron::agents::vpp(
+ $step = hiera('step'),
+ $etcd_host = hiera('etcd_vip'),
+ $etcd_port = 2379,
+) {
+ if empty($etcd_host) {
+ fail('etcd_vip not set in hieradata')
+ }
+
+ if $step >= 4 {
+ class { '::neutron::agents::ml2::vpp':
+ etcd_host => $etcd_host,
+ etcd_port => $etcd_port,
+ }
+ }
+}
diff --git a/manifests/profile/base/neutron/linuxbridge.pp b/manifests/profile/base/neutron/linuxbridge.pp
new file mode 100644
index 0000000..9f4899a
--- /dev/null
+++ b/manifests/profile/base/neutron/linuxbridge.pp
@@ -0,0 +1,20 @@
+# == Class: tripleo::profile::base::neutron::linuxbridge
+#
+# Neutron linuxbridge agent profile for tripleo
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templatee
+# for more details.
+# Defaults to hiera('step')
+#
+class tripleo::profile::base::neutron::linuxbridge(
+ $step = hiera('step'),
+) {
+ include ::tripleo::profile::base::neutron
+
+ if $step >= 5 {
+ include ::neutron::agents::ml2::linuxbridge
+ }
+}
diff --git a/manifests/profile/base/neutron/plugins/ml2.pp b/manifests/profile/base/neutron/plugins/ml2.pp
index 52d4ca1..1702fed 100644
--- a/manifests/profile/base/neutron/plugins/ml2.pp
+++ b/manifests/profile/base/neutron/plugins/ml2.pp
@@ -81,5 +81,9 @@ class tripleo::profile::base::neutron::plugins::ml2 (
include ::neutron::plugins::ml2::fujitsu
include ::neutron::plugins::ml2::fujitsu::fossw
}
+
+ if 'vpp' in $mechanism_drivers {
+ include ::tripleo::profile::base::neutron::plugins::ml2::vpp
+ }
}
}
diff --git a/manifests/profile/base/neutron/plugins/ml2/bagpipe.pp b/manifests/profile/base/neutron/plugins/ml2/bagpipe.pp
new file mode 100644
index 0000000..161cd75
--- /dev/null
+++ b/manifests/profile/base/neutron/plugins/ml2/bagpipe.pp
@@ -0,0 +1,37 @@
+#
+# Copyright (C) 2017 Red Hat Inc.
+#
+# Author: Ricardo Noriega <rnoriega@redhat.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::neutron::plugins::ml2::bagpipe
+#
+# Neutron Bagpipe ML2 profile for TripleO
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+class tripleo::profile::base::neutron::plugins::ml2::bagpipe (
+ $step = hiera('step'),
+) {
+ include ::tripleo::profile::base::neutron
+
+ if $step >= 4 {
+ include ::neutron::plugins::ml2::bagpipe
+ }
+}
diff --git a/manifests/profile/base/neutron/plugins/ml2/vpp.pp b/manifests/profile/base/neutron/plugins/ml2/vpp.pp
new file mode 100644
index 0000000..217e4cf
--- /dev/null
+++ b/manifests/profile/base/neutron/plugins/ml2/vpp.pp
@@ -0,0 +1,49 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::neutron::plugins::ml2::vpp
+#
+# VPP Neutron ML2 profile for tripleo
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+# [*etcd_host*]
+# (Optional) etcd server VIP.
+# Defaults to hiera('etcd_vip')
+#
+# [*etcd_port*]
+# (Optional) etcd server listening port.
+# Defaults to 2379
+#
+class tripleo::profile::base::neutron::plugins::ml2::vpp (
+ $step = hiera('step'),
+ $etcd_host = hiera('etcd_vip'),
+ $etcd_port = 2379,
+) {
+ if empty($etcd_host) {
+ fail('etcd_vip not set in hieradata')
+ }
+
+ if $step >= 4 {
+ class { '::neutron::plugins::ml2::vpp':
+ etcd_host => $etcd_host,
+ etcd_port => $etcd_port,
+ }
+ }
+}
diff --git a/manifests/profile/base/neutron/plugins/nsx_v3.pp b/manifests/profile/base/neutron/plugins/nsx_v3.pp
new file mode 100644
index 0000000..33fa0cf
--- /dev/null
+++ b/manifests/profile/base/neutron/plugins/nsx_v3.pp
@@ -0,0 +1,45 @@
+# Copyright 2017 VMware, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::neutron::plugins::nsx_v3
+#
+# VMware NSXv3 Neutron profile for tripleo
+#
+# === Parameters
+#
+# [*bootstrap_node*]
+# (Optional) The hostname of the node responsible for bootstrapping tasks
+# Defaults to hiera('bootstrap_nodeid')
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+class tripleo::profile::base::neutron::plugins::nsx_v3 (
+ $bootstrap_node = hiera('bootstrap_nodeid', undef),
+ $step = hiera('step'),
+) {
+ if $::hostname == downcase($bootstrap_node) {
+ $sync_db = true
+ } else {
+ $sync_db = false
+ }
+
+ include ::tripleo::profile::base::neutron
+
+ if $step >= 4 or ( $step >= 3 and $sync_db ) {
+ include ::neutron::plugins::nsx_v3
+ }
+}
diff --git a/manifests/profile/base/nova/api.pp b/manifests/profile/base/nova/api.pp
index 95a1721..bdb3007 100644
--- a/manifests/profile/base/nova/api.pp
+++ b/manifests/profile/base/nova/api.pp
@@ -94,6 +94,7 @@ class tripleo::profile::base::nova::api (
$tls_keyfile = undef
}
if $step >= 4 or ($step >= 3 and $sync_db) {
+ include ::apache::mod::ssl
class { '::nova::wsgi::apache_api':
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,
diff --git a/manifests/profile/base/nova/placement.pp b/manifests/profile/base/nova/placement.pp
index 16bfe17..c78b3c2 100644
--- a/manifests/profile/base/nova/placement.pp
+++ b/manifests/profile/base/nova/placement.pp
@@ -74,6 +74,7 @@ class tripleo::profile::base::nova::placement (
}
if $step >= 3 {
+ include ::apache::mod::ssl
class { '::nova::wsgi::apache_placement':
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,
diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp
index 6021731..c1d745a 100644
--- a/manifests/profile/base/pacemaker.pp
+++ b/manifests/profile/base/pacemaker.pp
@@ -55,6 +55,14 @@
# (Optional) Number of seconds to sleep between remote creation tries
# Defaults to hiera('pacemaker_remote_try_sleep', 60)
#
+# [*cluster_recheck_interval*]
+# (Optional) Set the cluster-wide cluster-recheck-interval property
+# If the hiera key does not exist or if it is set to undef, the property
+# won't be changed from its default value when there are no pacemaker_remote
+# nodes. In presence of pacemaker_remote nodes and an undef value it will
+# be set to 60s.
+# Defaults to hiera('pacemaker_cluster_recheck_interval', undef)
+#
class tripleo::profile::base::pacemaker (
$step = hiera('step'),
$pcs_tries = hiera('pcs_tries', 20),
@@ -65,6 +73,7 @@ class tripleo::profile::base::pacemaker (
$remote_monitor_interval = hiera('pacemaker_remote_monitor_interval', 20),
$remote_tries = hiera('pacemaker_remote_tries', 5),
$remote_try_sleep = hiera('pacemaker_remote_try_sleep', 60),
+ $cluster_recheck_interval = hiera('pacemaker_cluster_recheck_interval', undef),
) {
if count($remote_short_node_names) != count($remote_node_ips) {
@@ -136,6 +145,22 @@ class tripleo::profile::base::pacemaker (
if $step >= 2 {
if $pacemaker_master {
include ::pacemaker::resource_defaults
+ # When we have a non-zero number of pacemaker remote nodes we
+ # want to set the cluster-recheck-interval property to something
+ # lower (unless the operator has explicitely set a value)
+ if count($remote_short_node_names) > 0 and $cluster_recheck_interval == undef {
+ pacemaker::property{ 'cluster-recheck-interval-property':
+ property => 'cluster-recheck-interval',
+ value => '60s',
+ tries => $pcs_tries,
+ }
+ } elsif $cluster_recheck_interval != undef {
+ pacemaker::property{ 'cluster-recheck-interval-property':
+ property => 'cluster-recheck-interval',
+ value => $cluster_recheck_interval,
+ tries => $pcs_tries,
+ }
+ }
}
}
diff --git a/manifests/profile/base/panko/api.pp b/manifests/profile/base/panko/api.pp
index 90e80a2..165969f 100644
--- a/manifests/profile/base/panko/api.pp
+++ b/manifests/profile/base/panko/api.pp
@@ -79,6 +79,7 @@ class tripleo::profile::base::panko::api (
class { '::panko::api':
sync_db => $sync_db,
}
+ include ::apache::mod::ssl
class { '::panko::wsgi::apache':
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,
diff --git a/manifests/profile/base/rabbitmq.pp b/manifests/profile/base/rabbitmq.pp
index 9d1417c..8551f19 100644
--- a/manifests/profile/base/rabbitmq.pp
+++ b/manifests/profile/base/rabbitmq.pp
@@ -110,7 +110,7 @@ class tripleo::profile::base::rabbitmq (
if $inet_dist_interface {
$real_kernel_variables = merge(
$kernel_variables,
- { 'inet_dist_use_interface' => ip_to_erl_format($inet_dist_interface) },
+ { 'inet_dist_use_interface' => ip_to_erl_format($inet_dist_interface) }
)
} else {
$real_kernel_variables = $kernel_variables
diff --git a/manifests/profile/base/sshd.pp b/manifests/profile/base/sshd.pp
index f43089c..3f0245d 100644
--- a/manifests/profile/base/sshd.pp
+++ b/manifests/profile/base/sshd.pp
@@ -27,14 +27,19 @@
# The text used within SSH Banner
# Defaults to hiera('MOTD')
#
+# [*options*]
+# Hash of SSHD options to set. See the puppet-ssh module documentation for
+# details.
+# Defaults to {}
+
class tripleo::profile::base::sshd (
$bannertext = hiera('BannerText', undef),
$motd = hiera('MOTD', undef),
+ $options = {}
) {
- include ::ssh
-
- if $bannertext {
+ if $bannertext and $bannertext != '' {
+ $sshd_options_banner = {'Banner' => '/etc/issue.net'}
$filelist = [ '/etc/issue', '/etc/issue.net', ]
file { $filelist:
ensure => file,
@@ -44,9 +49,12 @@ class tripleo::profile::base::sshd (
group => 'root',
mode => '0644'
}
+ } else {
+ $sshd_options_banner = {}
}
- if $motd {
+ if $motd and $motd != '' {
+ $sshd_options_motd = {'PrintMotd' => 'yes'}
file { '/etc/motd':
ensure => file,
backup => false,
@@ -55,5 +63,23 @@ class tripleo::profile::base::sshd (
group => 'root',
mode => '0644'
}
+ } else {
+ $sshd_options_motd = {}
+ }
+
+ $sshd_options = merge(
+ $options,
+ $sshd_options_banner,
+ $sshd_options_motd
+ )
+
+ # NB (owalsh) in puppet-ssh hiera takes precedence over the class param
+ # we need to control this, so error if it's set in hiera
+ if hiera('ssh:server::options', undef) {
+ err('ssh:server::options must not be set, use tripleo::profile::base::sshd::options')
+ }
+ class { '::ssh::server':
+ storeconfigs_enabled => false,
+ options => $sshd_options
}
}
diff --git a/manifests/profile/base/swift/proxy.pp b/manifests/profile/base/swift/proxy.pp
index e80c8c9..4e0e568 100644
--- a/manifests/profile/base/swift/proxy.pp
+++ b/manifests/profile/base/swift/proxy.pp
@@ -127,7 +127,7 @@ class tripleo::profile::base::swift::proxy (
port => $tls_proxy_port,
tls_cert => $tls_certfile,
tls_key => $tls_keyfile,
- notify => Class['::neutron::server'],
+ notify => Class['::swift::proxy'],
}
}
$swift_memcache_servers = suffix(any2array(normalize_ip_for_uri($memcache_servers)), ":${memcache_port}")
diff --git a/manifests/profile/base/swift/ringbuilder.pp b/manifests/profile/base/swift/ringbuilder.pp
index 7e5fc74..f7cfea4 100644
--- a/manifests/profile/base/swift/ringbuilder.pp
+++ b/manifests/profile/base/swift/ringbuilder.pp
@@ -63,6 +63,12 @@
# Minimum amount of time before partitions can be moved.
# Defaults to undef
#
+# [*swift_ring_get_tempurl*]
+# GET tempurl to fetch Swift rings from
+#
+# [*swift_ring_put_tempurl*]
+# PUT tempurl to upload Swift rings to
+#
class tripleo::profile::base::swift::ringbuilder (
$replicas,
$build_ring = true,
@@ -74,7 +80,23 @@ class tripleo::profile::base::swift::ringbuilder (
$swift_storage_node_ips = hiera('swift_storage_node_ips', []),
$part_power = undef,
$min_part_hours = undef,
+ $swift_ring_get_tempurl = hiera('swift_ring_get_tempurl', ''),
+ $swift_ring_put_tempurl = hiera('swift_ring_put_tempurl', ''),
) {
+
+ if $step == 2 and $swift_ring_get_tempurl != '' {
+ exec{'fetch_swift_ring_tarball':
+ path => ['/usr/bin'],
+ command => "curl --insecure --silent '${swift_ring_get_tempurl}' -o /tmp/swift-rings.tar.gz",
+ returns => [0, 3]
+ } ~>
+ exec{'extract_swift_ring_tarball':
+ path => ['/bin'],
+ command => 'tar xzf /tmp/swift-rings.tar.gz -C /',
+ returns => [0, 2]
+ }
+ }
+
if $step >= 2 {
# pre-install swift here so we can build rings
include ::swift
@@ -112,4 +134,18 @@ class tripleo::profile::base::swift::ringbuilder (
Ring_object_device<| |> ~> Exec['rebalance_container']
}
}
+
+ if $step == 5 and $build_ring and $swift_ring_put_tempurl != '' {
+ exec{'create_swift_ring_tarball':
+ path => ['/bin', '/usr/bin'],
+ command => 'tar cvzf /tmp/swift-rings.tar.gz /etc/swift/*.builder /etc/swift/*.ring.gz /etc/swift/backups/',
+ unless => 'swift-recon --md5 | grep -q "doesn\'t match"'
+ } ~>
+ exec{'upload_swift_ring_tarball':
+ path => ['/usr/bin'],
+ command => "curl --insecure --silent -X PUT '${$swift_ring_put_tempurl}' --data-binary @/tmp/swift-rings.tar.gz",
+ require => Exec['create_swift_ring_tarball'],
+ refreshonly => true,
+ }
+ }
}
diff --git a/manifests/profile/base/zaqar.pp b/manifests/profile/base/zaqar.pp
index 89a03ad..243dcc7 100644
--- a/manifests/profile/base/zaqar.pp
+++ b/manifests/profile/base/zaqar.pp
@@ -50,11 +50,15 @@ class tripleo::profile::base::zaqar (
uri => $database_connection,
}
include ::zaqar::transport::websocket
+ include ::apache::mod::ssl
include ::zaqar::transport::wsgi
# TODO (bcrochet): At some point, the transports should be split out to
- # seperate services.
- include ::zaqar::server
+ # separate services.
+ class { '::zaqar::server':
+ service_name => 'httpd', # TODO cleanup when passed by t-h-t.
+ }
+ include ::zaqar::wsgi::apache
zaqar::server_instance{ '1':
transport => 'websocket'
}
diff --git a/manifests/profile/pacemaker/database/mysql.pp b/manifests/profile/pacemaker/database/mysql.pp
index bc5e644..031e80c 100644
--- a/manifests/profile/pacemaker/database/mysql.pp
+++ b/manifests/profile/pacemaker/database/mysql.pp
@@ -120,7 +120,7 @@ class tripleo::profile::pacemaker::database::mysql (
if $step >= 1 and $pacemaker_master and hiera('stack_action') == 'UPDATE' {
tripleo::pacemaker::resource_restart_flag { 'galera-master':
subscribe => File['mysql-config-file'],
- }
+ } ~> Exec<| title == 'galera-ready' |>
}
if $step >= 2 {
@@ -145,7 +145,7 @@ class tripleo::profile::pacemaker::database::mysql (
},
require => [Class['::mysql::server'],
Pacemaker::Property['galera-role-node-property']],
- before => Exec['galera-ready'],
+ notify => Exec['galera-ready'],
}
exec { 'galera-ready' :
command => '/usr/bin/clustercheck >/dev/null',
@@ -153,6 +153,7 @@ class tripleo::profile::pacemaker::database::mysql (
tries => 180,
try_sleep => 10,
environment => ['AVAILABLE_WHEN_READONLY=0'],
+ refreshonly => true,
require => Exec['create-root-sysconfig-clustercheck'],
}
# We add a clustercheck db user and we will switch /etc/sysconfig/clustercheck
diff --git a/manifests/profile/pacemaker/rabbitmq.pp b/manifests/profile/pacemaker/rabbitmq.pp
index f4b679a..bf6a38d 100644
--- a/manifests/profile/pacemaker/rabbitmq.pp
+++ b/manifests/profile/pacemaker/rabbitmq.pp
@@ -30,7 +30,7 @@
# (Optional) The number of HA queues in to be configured in rabbitmq
# Defaults to hiera('rabbitmq::nr_ha_queues'), which is usually 0 meaning
# that the queues number will be CEIL(N/2) where N is the number of rabbitmq
-# nodes.
+# nodes. The special value of -1 represents the mode 'ha-mode: all'
#
# [*rabbit_nodes*]
# (Optional) The list of rabbitmq nodes names
@@ -90,12 +90,16 @@ class tripleo::profile::pacemaker::rabbitmq (
if $user_ha_queues == 0 {
$nr_rabbit_nodes = size($rabbit_nodes)
$nr_ha_queues = $nr_rabbit_nodes / 2 + ($nr_rabbit_nodes % 2)
+ $params = "set_policy='ha-all ^(?!amq\\.).* {\"ha-mode\":\"exactly\",\"ha-params\":${nr_ha_queues}}'"
+ } elsif $user_ha_queues == -1 {
+ $params = 'set_policy=\'ha-all ^(?!amq\.).* {"ha-mode":"all"}\''
} else {
$nr_ha_queues = $user_ha_queues
+ $params = "set_policy='ha-all ^(?!amq\\.).* {\"ha-mode\":\"exactly\",\"ha-params\":${nr_ha_queues}}'"
}
pacemaker::resource::ocf { 'rabbitmq':
ocf_agent_name => 'heartbeat:rabbitmq-cluster',
- resource_params => "set_policy='ha-all ^(?!amq\\.).* {\"ha-mode\":\"exactly\",\"ha-params\":${nr_ha_queues}}'",
+ resource_params => $params,
clone_params => 'ordered=true interleave=true',
meta_params => 'notify=true',
op_params => 'start timeout=200s stop timeout=200s',
diff --git a/manifests/tls_proxy.pp b/manifests/tls_proxy.pp
index 36d6b6d..607e20f 100644
--- a/manifests/tls_proxy.pp
+++ b/manifests/tls_proxy.pp
@@ -40,6 +40,7 @@ define tripleo::tls_proxy(
$tls_cert,
$tls_key,
) {
+ include ::apache
::apache::vhost { "${title}-proxy":
ensure => 'present',
docroot => undef, # This is required by the manifest
diff --git a/manifests/ui.pp b/manifests/ui.pp
index d810b5d..1745535 100644
--- a/manifests/ui.pp
+++ b/manifests/ui.pp
@@ -38,8 +38,8 @@
# {
# 'de' => 'German',
# 'en' => 'English',
-# 'en-GB' => 'British English',
# 'es' => 'Spanish',
+# 'id' => 'Indonesian',
# 'ja' => 'Japanese',
# 'ko-KR' => 'Korean',
# 'zh-CN' => 'Simplified Chinese'
@@ -106,8 +106,8 @@ class tripleo::ui (
$enabled_languages = {
'de' => 'German',
'en' => 'English',
- 'en-GB' => 'British English',
'es' => 'Spanish',
+ 'id' => 'Indonesian',
'ja' => 'Japanese',
'ko-KR' => 'Korean',
'zh-CN' => 'Simplified Chinese'