diff options
Diffstat (limited to 'manifests')
50 files changed, 1108 insertions, 182 deletions
diff --git a/manifests/certmonger/apache_dirs.pp b/manifests/certmonger/apache_dirs.pp new file mode 100644 index 0000000..2588e46 --- /dev/null +++ b/manifests/certmonger/apache_dirs.pp @@ -0,0 +1,55 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# : = Class: tripleo::certmonger::apache_dirs +# +# Creates the necessary directories for apache's certificates and keys in the +# assigned locations if specified. It also assigns the correct SELinux tags. +# +# === Parameters: +# +# [*certificate_dir*] +# (Optional) Directory where apache's certificates will be stored. If left +# unspecified, it won't be created. +# Defaults to undef +# +# [*key_dir*] +# (Optional) Directory where apache's keys will be stored. +# Defaults to undef +# +class tripleo::certmonger::apache_dirs( + $certificate_dir = undef, + $key_dir = undef, +){ + + if $certificate_dir { + file { $certificate_dir : + ensure => 'directory', + selrole => 'object_r', + seltype => 'cert_t', + seluser => 'system_u', + } + File[$certificate_dir] ~> Certmonger_certificate<| tag == 'apache-cert' |> + } + + if $key_dir { + file { $key_dir : + ensure => 'directory', + selrole => 'object_r', + seltype => 'cert_t', + seluser => 'system_u', + } + File[$key_dir] ~> Certmonger_certificate<| tag == 'apache-cert' |> + } +} diff --git a/manifests/certmonger/ca/libvirt.pp b/manifests/certmonger/ca/libvirt.pp new file mode 100644 index 0000000..9fa9e74 --- /dev/null +++ b/manifests/certmonger/ca/libvirt.pp @@ -0,0 +1,42 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::certmonger::ca::libvirt +# +# Sets the necessary file that will be used by both libvirt servers and +# clients. +# +# === Parameters: +# +# [*origin_ca_pem*] +# (Optional) Path to the CA certificate that libvirt will use. This is not +# assumed automatically or uses the system CA bundle as is the case of other +# services because a limitation with the file sizes in GNU TLS, which libvirt +# uses as a TLS backend. +# Defaults to undef +# +class tripleo::certmonger::ca::libvirt( + $origin_ca_pem = undef +){ + if $origin_ca_pem { + $ensure_file = 'link' + } else { + $ensure_file = 'absent' + } + file { '/etc/pki/CA/cacert.pem': + ensure => $ensure_file, + mode => '0644', + target => $origin_ca_pem, + } +} diff --git a/manifests/certmonger/etcd.pp b/manifests/certmonger/etcd.pp new file mode 100644 index 0000000..0bddfb4 --- /dev/null +++ b/manifests/certmonger/etcd.pp @@ -0,0 +1,73 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::certmonger::etcd +# +# Request a certificate for the etcd service and do the necessary setup. +# +# === Parameters +# +# [*hostname*] +# The hostname of the node. this will be set in the CN of the certificate. +# +# [*service_certificate*] +# The path to the certificate that will be used for TLS in this service. +# +# [*service_key*] +# The path to the key that will be used for TLS in this service. +# +# [*certmonger_ca*] +# (Optional) The CA that certmonger will use to generate the certificates. +# Defaults to hiera('certmonger_ca', 'local'). +# +# [*principal*] +# (Optional) The haproxy service principal that is set for etcd in kerberos. +# Defaults to undef +# +class tripleo::certmonger::etcd ( + $hostname, + $service_certificate, + $service_key, + $certmonger_ca = hiera('certmonger_ca', 'local'), + $principal = undef, +) { + include ::certmonger + + $postsave_cmd = 'systemctl reload etcd' + certmonger_certificate { 'etcd' : + ensure => 'present', + certfile => $service_certificate, + keyfile => $service_key, + hostname => $hostname, + dnsname => $hostname, + principal => $principal, + postsave_cmd => $postsave_cmd, + ca => $certmonger_ca, + wait => true, + require => Class['::certmonger'], + } + file { $service_certificate : + owner => 'etcd', + group => 'etcd', + require => Certmonger_certificate['etcd'], + } + file { $service_key : + owner => 'etcd', + group => 'etcd', + require => Certmonger_certificate['etcd'], + } + + File[$service_certificate] ~> Service<| title == 'etcd' |> + File[$service_key] ~> Service<| title == 'etcd' |> +} diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp index 6668440..a5d1bf8 100644 --- a/manifests/certmonger/haproxy.pp +++ b/manifests/certmonger/haproxy.pp @@ -40,6 +40,11 @@ # (Optional) The CA that certmonger will use to generate the certificates. # Defaults to hiera('certmonger_ca', 'local'). # +# [*dnsnames*] +# (Optional) The DNS names that will be added for the SubjectAltNames entry +# in the certificate. If left unset, the value will be set to the $hostname. +# Defaults to undef +# # [*principal*] # The haproxy service principal that is set for HAProxy in kerberos. # @@ -50,6 +55,7 @@ define tripleo::certmonger::haproxy ( $hostname, $postsave_cmd, $certmonger_ca = hiera('certmonger_ca', 'local'), + $dnsnames = undef, $principal = undef, ){ include ::certmonger @@ -62,11 +68,17 @@ define tripleo::certmonger::haproxy ( } } + if $dnsnames { + $dnsnames_real = $dnsnames + } else { + $dnsnames_real = $hostname + } + certmonger_certificate { "${title}-cert": ensure => 'present', ca => $certmonger_ca, hostname => $hostname, - dnsname => $hostname, + dnsname => $dnsnames_real, certfile => $service_certificate, keyfile => $service_key, postsave_cmd => $postsave_cmd, diff --git a/manifests/certmonger/httpd.pp b/manifests/certmonger/httpd.pp index 94b48b7..e9754f7 100644 --- a/manifests/certmonger/httpd.pp +++ b/manifests/certmonger/httpd.pp @@ -31,6 +31,11 @@ # (Optional) The CA that certmonger will use to generate the certificates. # Defaults to hiera('certmonger_ca', 'local'). # +# [*dnsnames*] +# (Optional) The DNS names that will be added for the SubjectAltNames entry +# in the certificate. If left unset, the value will be set to the $hostname. +# Defaults to undef +# # [*principal*] # The haproxy service principal that is set for HAProxy in kerberos. # @@ -39,22 +44,30 @@ define tripleo::certmonger::httpd ( $service_certificate, $service_key, $certmonger_ca = hiera('certmonger_ca', 'local'), + $dnsnames = undef, $principal = undef, ) { include ::certmonger include ::apache::params + if $dnsnames { + $dnsnames_real = $dnsnames + } else { + $dnsnames_real = $hostname + } + $postsave_cmd = "systemctl reload ${::apache::params::service_name}" certmonger_certificate { $name : ensure => 'present', certfile => $service_certificate, keyfile => $service_key, hostname => $hostname, - dnsname => $hostname, + dnsname => $dnsnames_real, principal => $principal, postsave_cmd => $postsave_cmd, ca => $certmonger_ca, wait => true, + tag => 'apache-cert', require => Class['::certmonger'], } diff --git a/manifests/certmonger/libvirt.pp b/manifests/certmonger/libvirt.pp new file mode 100644 index 0000000..b7dbb0a --- /dev/null +++ b/manifests/certmonger/libvirt.pp @@ -0,0 +1,78 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Resource: tripleo::certmonger::libvirt +# +# Request a certificate for libvirt and do the necessary setup. +# +# === Parameters +# +# [*hostname*] +# The hostname of the node. this will be set in the CN of the certificate. +# +# [*service_certificate*] +# The path to the certificate that will be used for TLS in this service. +# +# [*service_key*] +# The path to the key that will be used for TLS in this service. +# +# [*certmonger_ca*] +# (Optional) The CA that certmonger will use to generate the certificates. +# Defaults to hiera('certmonger_ca', 'local'). +# +# [*file_owner*] +# (Optional) The user which the certificate and key files belong to. +# Defaults to 'root' +# +# [*principal*] +# (Optional) The service principal that is set for the service in kerberos. +# Defaults to undef +# +define tripleo::certmonger::libvirt ( + $hostname, + $service_certificate, + $service_key, + $certmonger_ca = hiera('certmonger_ca', 'local'), + $principal = undef, +) { + include ::certmonger + include ::nova::params + + $postsave_cmd = "systemctl restart ${::nova::params::libvirt_service_name}" + certmonger_certificate { $name : + ensure => 'present', + certfile => $service_certificate, + keyfile => $service_key, + hostname => $hostname, + dnsname => $hostname, + principal => $principal, + postsave_cmd => $postsave_cmd, + ca => $certmonger_ca, + wait => true, + tag => 'libvirt-cert', + require => Class['::certmonger'], + } + + # Just register the files in puppet's resource catalog. Certmonger should + # give the right permissions. + file { $service_certificate : + require => Certmonger_certificate[$name], + } + file { $service_key : + require => Certmonger_certificate[$name], + } + + File[$service_certificate] ~> Service<| title == $::nova::params::libvirt_service_name |> + File[$service_key] ~> Service<| title == $::nova::params::libvirt_service_name |> +} diff --git a/manifests/certmonger/libvirt_dirs.pp b/manifests/certmonger/libvirt_dirs.pp new file mode 100644 index 0000000..c42ca0d --- /dev/null +++ b/manifests/certmonger/libvirt_dirs.pp @@ -0,0 +1,60 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::certmonger::libvirt_dirs +# +# Creates the necessary directories for libvirt's certificates and keys in the +# assigned locations if specified. It also assigns the correct SELinux tags. +# +# === Parameters: +# +# [*certificate_dir*] +# (Optional) Directory where libvirt's certificates will be stored. If left +# unspecified, it won't be created. +# Defaults to undef +# +# [*certificate_dir*] +# (Optional) Directory where libvirt's certificates will be stored. +# Defaults to undef +# +# [*key_dir*] +# (Optional) Directory where libvirt's keys will be stored. +# Defaults to undef +# +class tripleo::certmonger::libvirt_dirs( + $certificate_dir = undef, + $key_dir = undef, +){ + + if $certificate_dir { + file { $certificate_dir : + ensure => 'directory', + selrole => 'object_r', + seltype => 'cert_t', + seluser => 'system_u', + } + File[$certificate_dir] ~> Certmonger_certificate<| tag == 'libvirt-cert' |> + } + + if $key_dir { + file { $key_dir : + ensure => 'directory', + selrole => 'object_r', + seltype => 'cert_t', + seluser => 'system_u', + } + File[$key_dir] ~> Certmonger_certificate<| tag == 'libvirt-cert' |> + } + +} diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index 0b69245..a449a49 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -49,6 +49,10 @@ # The IPv4, IPv6 or filesystem socket path of the syslog server. # Defaults to '/dev/log' # +# [*haproxy_daemon*] +# Should haproxy run in daemon mode or not +# Defaults to true +# # [*controller_hosts*] # IPs of host or group of hosts to load-balance the services # Can be a string or an array. @@ -428,6 +432,10 @@ # (optional) Specify the network ec2_api_metadata is running on. # Defaults to hiera('ec2_api_network', undef) # +# [*etcd_network*] +# (optional) Specify the network etcd is running on. +# Defaults to hiera('etcd_network', undef) +# # [*opendaylight_network*] # (optional) Specify the network opendaylight is running on. # Defaults to hiera('opendaylight_api_network', undef) @@ -535,6 +543,7 @@ class tripleo::haproxy ( $haproxy_listen_bind_param = [ 'transparent' ], $haproxy_member_options = [ 'check', 'inter 2000', 'rise 2', 'fall 5' ], $haproxy_log_address = '/dev/log', + $haproxy_daemon = true, $haproxy_stats_user = 'admin', $haproxy_stats_password = undef, $controller_hosts = hiera('controller_node_ips'), @@ -623,6 +632,7 @@ class tripleo::haproxy ( $ovn_dbs_network = hiera('ovn_dbs_network', undef), $ec2_api_network = hiera('ec2_api_network', undef), $ec2_api_metadata_network = hiera('ec2_api_network', undef), + $etcd_network = hiera('etcd_network', undef), $sahara_network = hiera('sahara_api_network', undef), $swift_proxy_server_network = hiera('swift_proxy_network', undef), $tacker_network = hiera('tacker_api_network', undef), @@ -651,6 +661,7 @@ class tripleo::haproxy ( contrail_webui_https_port => 8143, docker_registry_port => 8787, docker_registry_ssl_port => 13787, + etcd_port => 2379, glance_api_port => 9292, glance_api_ssl_port => 13292, gnocchi_api_port => 8041, @@ -712,6 +723,9 @@ class tripleo::haproxy ( if $enable_internal_tls { $internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"] + Haproxy::Balancermember { + verifyhost => true + } } else { $internal_tls_member_options = [] } @@ -750,7 +764,7 @@ class tripleo::haproxy ( 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', # NOTE(jaosorior): We always redirect to https for the public_virtual_ip. 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }", - 'option' => 'forwardfor', + 'option' => [ 'forwardfor', 'httpchk' ], 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], @@ -762,7 +776,7 @@ class tripleo::haproxy ( } $horizon_options = { 'cookie' => 'SERVERID insert indirect nocache', - 'option' => 'forwardfor', + 'option' => [ 'forwardfor', 'httpchk' ], } } @@ -791,27 +805,30 @@ class tripleo::haproxy ( "${redis_vip}:6379" => $haproxy_listen_bind_param, } - $etcd_vip = hiera('etcd_vip', $controller_virtual_ip) - $etcd_bind_opts = { - "${etcd_vip}:2379" => $haproxy_listen_bind_param, + $haproxy_global_options = { + 'log' => "${haproxy_log_address} local0", + 'pidfile' => '/var/run/haproxy.pid', + 'user' => 'haproxy', + 'group' => 'haproxy', + 'maxconn' => $haproxy_global_maxconn, + 'ssl-default-bind-ciphers' => $ssl_cipher_suite, + 'ssl-default-bind-options' => $ssl_options, + 'stats' => [ + 'socket /var/lib/haproxy/stats mode 600 level user', + 'timeout 2m' + ], + } + if $haproxy_daemon == true { + $haproxy_daemonize = { + 'daemon' => '', + } + } else { + $haproxy_daemonize = {} } class { '::haproxy': service_manage => $haproxy_service_manage, - global_options => { - 'log' => "${haproxy_log_address} local0", - 'pidfile' => '/var/run/haproxy.pid', - 'user' => 'haproxy', - 'group' => 'haproxy', - 'daemon' => '', - 'maxconn' => $haproxy_global_maxconn, - 'ssl-default-bind-ciphers' => $ssl_cipher_suite, - 'ssl-default-bind-options' => $ssl_options, - 'stats' => [ - 'socket /var/lib/haproxy/stats mode 600 level user', - 'timeout 2m' - ], - }, + global_options => merge($haproxy_global_options, $haproxy_daemonize), defaults_options => { 'mode' => 'tcp', 'log' => 'global', @@ -821,12 +838,20 @@ class tripleo::haproxy ( }, } + + $default_listen_options = { + 'option' => [ 'httpchk', ], + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + } Tripleo::Haproxy::Endpoint { haproxy_listen_bind_param => $haproxy_listen_bind_param, member_options => $haproxy_member_options, public_certificate => $service_certificate, use_internal_certificates => $use_internal_certificates, internal_certificates_specs => $internal_certificates_specs, + listen_options => $default_listen_options, } $stats_base = ['enable', 'uri /'] @@ -852,11 +877,7 @@ class tripleo::haproxy ( ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real), server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, + listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }), public_ssl_port => $ports[keystone_admin_api_ssl_port], service_network => $keystone_admin_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -864,11 +885,6 @@ class tripleo::haproxy ( } if $keystone_public { - $keystone_listen_opts = { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - } if $service_certificate { $keystone_public_tls_listen_opts = { 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', @@ -877,7 +893,9 @@ class tripleo::haproxy ( 'option' => 'forwardfor', } } else { - $keystone_public_tls_listen_opts = {} + $keystone_public_tls_listen_opts = { + 'option' => [ 'httpchk GET /v3', ], + } } ::tripleo::haproxy::endpoint { 'keystone_public': public_virtual_ip => $public_virtual_ip, @@ -886,7 +904,7 @@ class tripleo::haproxy ( ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real), server_names => hiera('keystone_public_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => merge($keystone_listen_opts, $keystone_public_tls_listen_opts), + listen_options => merge($default_listen_options, $keystone_public_tls_listen_opts), public_ssl_port => $ports[keystone_public_api_ssl_port], service_network => $keystone_public_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -901,11 +919,6 @@ class tripleo::haproxy ( ip_addresses => hiera('neutron_api_node_ips', $controller_hosts_real), server_names => hiera('neutron_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[neutron_api_ssl_port], service_network => $neutron_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -920,11 +933,6 @@ class tripleo::haproxy ( ip_addresses => hiera('cinder_api_node_ips', $controller_hosts_real), server_names => hiera('cinder_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[cinder_api_ssl_port], service_network => $cinder_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -939,11 +947,6 @@ class tripleo::haproxy ( ip_addresses => hiera('congress_node_ips', $controller_hosts_real), server_names => hiera('congress_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[congress_api_ssl_port], service_network => $congress_network, } @@ -957,11 +960,6 @@ class tripleo::haproxy ( ip_addresses => hiera('manila_api_node_ips', $controller_hosts_real), server_names => hiera('manila_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[manila_api_ssl_port], service_network => $manila_network, } @@ -987,11 +985,6 @@ class tripleo::haproxy ( ip_addresses => hiera('tacker_node_ips', $controller_hosts_real), server_names => hiera('tacker_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[tacker_api_ssl_port], service_network => $tacker_network, } @@ -1018,11 +1011,7 @@ class tripleo::haproxy ( server_names => hiera('glance_api_node_names', $controller_hosts_names_real), public_ssl_port => $ports[glance_api_ssl_port], mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, + listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /healthcheck', ]}), service_network => $glance_api_network, member_options => union($haproxy_member_options, $internal_tls_member_options), } @@ -1037,11 +1026,6 @@ class tripleo::haproxy ( ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real), server_names => hiera('nova_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[nova_api_ssl_port], service_network => $nova_osapi_network, #member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1057,11 +1041,6 @@ class tripleo::haproxy ( ip_addresses => hiera('nova_placement_node_ips', $controller_hosts_real), server_names => hiera('nova_placement_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[nova_placement_ssl_port], service_network => $nova_placement_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1074,6 +1053,9 @@ class tripleo::haproxy ( service_port => $ports[nova_metadata_port], ip_addresses => hiera('nova_metadata_node_ips', $controller_hosts_real), server_names => hiera('nova_metadata_node_names', $controller_hosts_names_real), + listen_options => { + 'option' => [ 'httpchk', ], + }, service_network => $nova_metadata_network, } } @@ -1085,10 +1067,11 @@ class tripleo::haproxy ( service_port => $ports[nova_novnc_port], ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real), server_names => hiera('nova_api_node_names', $controller_hosts_names_real), - listen_options => { + listen_options => merge($default_listen_options, { + 'option' => [ 'tcpka' ], 'balance' => 'source', 'timeout' => [ 'tunnel 1h' ], - }, + }), public_ssl_port => $ports[nova_novnc_ssl_port], service_network => $nova_novncproxy_network, } @@ -1102,11 +1085,6 @@ class tripleo::haproxy ( ip_addresses => hiera('ec2_api_node_ips', $controller_hosts_real), server_names => hiera('ec2_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[ec2_api_ssl_port], service_network => $ec2_api_network, } @@ -1130,11 +1108,6 @@ class tripleo::haproxy ( ip_addresses => hiera('ceilometer_api_node_ips', $controller_hosts_real), server_names => hiera('ceilometer_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[ceilometer_api_ssl_port], service_network => $ceilometer_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1149,11 +1122,6 @@ class tripleo::haproxy ( ip_addresses => hiera('aodh_api_node_ips', $controller_hosts_real), server_names => hiera('aodh_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[aodh_api_ssl_port], service_network => $aodh_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1167,11 +1135,6 @@ class tripleo::haproxy ( service_port => $ports[panko_api_port], ip_addresses => hiera('panko_api_node_ips', $controller_hosts_real), server_names => hiera('panko_api_node_names', $controller_hosts_names_real), - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[panko_api_ssl_port], service_network => $panko_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1199,11 +1162,6 @@ class tripleo::haproxy ( ip_addresses => hiera('gnocchi_api_node_ips', $controller_hosts_real), server_names => hiera('gnocchi_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[gnocchi_api_ssl_port], service_network => $gnocchi_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1224,6 +1182,7 @@ class tripleo::haproxy ( if $swift_proxy_server { $swift_proxy_server_listen_options = { + 'option' => [ 'httpchk GET /healthcheck', ], 'timeout client' => '2m', 'timeout server' => '2m', } @@ -1242,17 +1201,17 @@ class tripleo::haproxy ( $heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip) $heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real) - $heat_base_options = { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }']} + $heat_timeout_options = { + 'timeout client' => '10m', + 'timeout server' => '10m', + } if $service_certificate { $heat_ssl_options = { 'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1", } - $heat_options = merge($heat_base_options, $heat_ssl_options) + $heat_options = merge($default_listen_options, $heat_ssl_options, $heat_timeout_options) } else { - $heat_options = $heat_base_options + $heat_options = merge($default_listen_options, $heat_timeout_options) } if $heat_api { @@ -1408,19 +1367,16 @@ class tripleo::haproxy ( } if $etcd { - haproxy::listen { 'etcd': - bind => $etcd_bind_opts, - options => { + ::tripleo::haproxy::endpoint { 'etcd': + internal_ip => hiera('etcd_vip', $controller_virtual_ip), + service_port => $ports[etcd_port], + ip_addresses => hiera('etcd_node_ips', $controller_hosts_real), + server_names => hiera('etcd_node_names', $controller_hosts_names_real), + service_network => $etcd_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), + listen_options => { 'balance' => 'source', - }, - collect_exported => false, - } - haproxy::balancermember { 'etcd': - listening_service => 'etcd', - ports => '2379', - ipaddresses => hiera('etcd_node_ips', $controller_hosts_real), - server_names => hiera('etcd_node_names', $controller_hosts_names_real), - options => $haproxy_member_options, + } } } @@ -1515,6 +1471,7 @@ class tripleo::haproxy ( server_names => hiera('ceph_rgw_node_names', $controller_hosts_names_real), public_ssl_port => $ports[ceph_rgw_ssl_port], service_network => $ceph_rgw_network, + listen_options => merge($default_listen_options, { 'option' => [ 'httpchk HEAD /' ] }), } } @@ -1648,6 +1605,10 @@ class tripleo::haproxy ( ip_addresses => hiera('contrail_config_node_ips'), server_names => hiera('contrail_config_node_ips'), public_ssl_port => $ports[contrail_webui_https_port], + listen_options => { + 'balance' => 'source', + 'hash-type' => 'consistent', + } } } } diff --git a/manifests/keepalived.pp b/manifests/keepalived.pp index a6d5832..35b0821 100644 --- a/manifests/keepalived.pp +++ b/manifests/keepalived.pp @@ -59,6 +59,17 @@ # A string. # Defaults to false # +# [*ovndbs_virtual_ip*] +# Virtual IP on the OVNDBs service. +# A string. +# Defaults to false +# +# [*virtual_router_id_base*] +# Base for range used for virtual router IDs. +# An integer. +# Defaults to 50 +# + class tripleo::keepalived ( $controller_virtual_ip, $control_virtual_interface, @@ -68,6 +79,8 @@ class tripleo::keepalived ( $storage_virtual_ip = false, $storage_mgmt_virtual_ip = false, $redis_virtual_ip = false, + $ovndbs_virtual_ip = false, + $virtual_router_id_base = 50, ) { case $::osfamily { @@ -93,7 +106,7 @@ class tripleo::keepalived ( } # KEEPALIVE INSTANCE CONTROL - keepalived::instance { '51': + keepalived::instance { "${$virtual_router_id_base + 1}": interface => $control_virtual_interface, virtual_ips => [join([$controller_virtual_ip, ' dev ', $control_virtual_interface])], state => 'MASTER', @@ -102,7 +115,7 @@ class tripleo::keepalived ( } # KEEPALIVE INSTANCE PUBLIC - keepalived::instance { '52': + keepalived::instance { "${$virtual_router_id_base + 2}": interface => $public_virtual_interface, virtual_ips => [join([$public_virtual_ip, ' dev ', $public_virtual_interface])], state => 'MASTER', @@ -119,7 +132,7 @@ class tripleo::keepalived ( $internal_api_virtual_netmask = '32' } # KEEPALIVE INTERNAL API NETWORK - keepalived::instance { '53': + keepalived::instance { "${$virtual_router_id_base + 3}": interface => $internal_api_virtual_interface, virtual_ips => [join(["${internal_api_virtual_ip}/${internal_api_virtual_netmask}", ' dev ', $internal_api_virtual_interface])], state => 'MASTER', @@ -136,7 +149,7 @@ class tripleo::keepalived ( $storage_virtual_netmask = '32' } # KEEPALIVE STORAGE NETWORK - keepalived::instance { '54': + keepalived::instance { "${$virtual_router_id_base + 4}": interface => $storage_virtual_interface, virtual_ips => [join(["${storage_virtual_ip}/${storage_virtual_netmask}", ' dev ', $storage_virtual_interface])], state => 'MASTER', @@ -153,7 +166,7 @@ class tripleo::keepalived ( $storage_mgmt_virtual_netmask = '32' } # KEEPALIVE STORAGE MANAGEMENT NETWORK - keepalived::instance { '55': + keepalived::instance { "${$virtual_router_id_base + 5}": interface => $storage_mgmt_virtual_interface, virtual_ips => [join(["${storage_mgmt_virtual_ip}/${storage_mgmt_virtual_netmask}", ' dev ', $storage_mgmt_virtual_interface])], state => 'MASTER', @@ -170,7 +183,7 @@ class tripleo::keepalived ( $redis_virtual_netmask = '32' } # KEEPALIVE STORAGE MANAGEMENT NETWORK - keepalived::instance { '56': + keepalived::instance { "${$virtual_router_id_base + 6}": interface => $redis_virtual_interface, virtual_ips => [join(["${redis_virtual_ip}/${redis_virtual_netmask}", ' dev ', $redis_virtual_interface])], state => 'MASTER', @@ -178,4 +191,16 @@ class tripleo::keepalived ( priority => 101, } } + + if $ovndbs_virtual_ip and $ovndbs_virtual_ip != $controller_virtual_ip { + $ovndbs_virtual_interface = interface_for_ip($ovndbs_virtual_ip) + # KEEPALIVE OVNDBS MANAGEMENT NETWORK + keepalived::instance { "${$virtual_router_id_base + 7}": + interface => $ovndbs_virtual_interface, + virtual_ips => [join([$ovndbs_virtual_ip, ' dev ', $ovndbs_virtual_interface])], + state => 'MASTER', + track_script => ['haproxy'], + priority => 101, + } + } } diff --git a/manifests/profile/base/aodh/api.pp b/manifests/profile/base/aodh/api.pp index 22fc000..5c539fc 100644 --- a/manifests/profile/base/aodh/api.pp +++ b/manifests/profile/base/aodh/api.pp @@ -68,6 +68,7 @@ class tripleo::profile::base::aodh::api ( if $step >= 3 { include ::aodh::api + include ::apache::mod::ssl class { '::aodh::wsgi::apache': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/barbican/api.pp b/manifests/profile/base/barbican/api.pp index 71e4ea1..211e442 100644 --- a/manifests/profile/base/barbican/api.pp +++ b/manifests/profile/base/barbican/api.pp @@ -158,6 +158,7 @@ class tripleo::profile::base::barbican::api ( include ::barbican::api::logging include ::barbican::keystone::notification include ::barbican::quota + include ::apache::mod::ssl class { '::barbican::wsgi::apache': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/ceilometer.pp b/manifests/profile/base/ceilometer.pp index 2855bd2..e6a2f11 100644 --- a/manifests/profile/base/ceilometer.pp +++ b/manifests/profile/base/ceilometer.pp @@ -18,6 +18,10 @@ # # === Parameters # +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -68,6 +72,7 @@ # Defaults to hiera('ceilometer::rabbit_use_ssl', '0') class tripleo::profile::base::ceilometer ( + $bootstrap_node = hiera('bootstrap_nodeid', undef), $step = hiera('step'), $oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'), $oslomsg_rpc_hosts = any2array(hiera('rabbitmq_node_names', undef)), @@ -81,6 +86,11 @@ class tripleo::profile::base::ceilometer ( $oslomsg_notify_username = hiera('ceilometer::rabbit_userid', 'guest'), $oslomsg_use_ssl = hiera('ceilometer::rabbit_use_ssl', '0'), ) { + if $::hostname == downcase($bootstrap_node) { + $sync_db = true + } else { + $sync_db = false + } if $step >= 3 { $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl))) @@ -105,4 +115,12 @@ class tripleo::profile::base::ceilometer ( include ::ceilometer::config } + # Run ceilometer-upgrade in step 5 so gnocchi resource types + # are created safely. + if $step >= 5 and $sync_db { + exec {'ceilometer-db-upgrade': + command => 'ceilometer-upgrade --skip-metering-database', + path => ['/usr/bin', '/usr/sbin'], + } + } } diff --git a/manifests/profile/base/ceilometer/api.pp b/manifests/profile/base/ceilometer/api.pp index 28504c5..0176380 100644 --- a/manifests/profile/base/ceilometer/api.pp +++ b/manifests/profile/base/ceilometer/api.pp @@ -63,8 +63,9 @@ class tripleo::profile::base::ceilometer::api ( $tls_keyfile = undef } - if $step >= 4 { + if $step >= 3 { include ::ceilometer::api + include ::apache::mod::ssl class { '::ceilometer::wsgi::apache': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/ceilometer/collector.pp b/manifests/profile/base/ceilometer/collector.pp index 6b58286..a2c1e29 100644 --- a/manifests/profile/base/ceilometer/collector.pp +++ b/manifests/profile/base/ceilometer/collector.pp @@ -84,13 +84,4 @@ class tripleo::profile::base::ceilometer::collector ( include ::ceilometer::collector include ::ceilometer::dispatcher::gnocchi } - - # Re-run ceilometer-upgrade again in step 5 so gnocchi resource types - # are created safely. - if $step >= 5 and $sync_db { - exec {'ceilometer-db-upgrade': - command => 'ceilometer-upgrade --skip-metering-database', - path => ['/usr/bin', '/usr/sbin'], - } - } } diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp index 586c7e4..b63fb7f 100644 --- a/manifests/profile/base/certmonger_user.pp +++ b/manifests/profile/base/certmonger_user.pp @@ -43,6 +43,11 @@ # it will create. # Defaults to hiera('tripleo::profile::base::haproxy::certificate_specs', {}). # +# [*libvirt_certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Defaults to hiera('libvirt_certificates_specs', {}). +# # [*mysql_certificate_specs*] # (Optional) The specifications to give to certmonger for the certificate(s) # it will create. @@ -53,15 +58,29 @@ # it will create. # Defaults to hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}). # +# [*etcd_certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Defaults to hiera('tripleo::profile::base::etcd::certificate_specs', {}). +# class tripleo::profile::base::certmonger_user ( $apache_certificates_specs = hiera('apache_certificates_specs', {}), $haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}), + $libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}), $mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}), $rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}), + $etcd_certificate_specs = hiera('tripleo::profile::base::etcd::certificate_specs', {}), ) { + include ::tripleo::certmonger::ca::libvirt + unless empty($apache_certificates_specs) { + include ::tripleo::certmonger::apache_dirs ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs) } + unless empty($libvirt_certificates_specs) { + include ::tripleo::certmonger::libvirt_dirs + ensure_resources('tripleo::certmonger::libvirt', $libvirt_certificates_specs) + } unless empty($haproxy_certificates_specs) { ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs) # The haproxy fronends (or listen resources) depend on the certificate @@ -74,4 +93,7 @@ class tripleo::profile::base::certmonger_user ( unless empty($rabbitmq_certificate_specs) { ensure_resource('class', 'tripleo::certmonger::rabbitmq', $rabbitmq_certificate_specs) } + unless empty($etcd_certificate_specs) { + ensure_resource('class', 'tripleo::certmonger::etcd', $etcd_certificate_specs) + } } diff --git a/manifests/profile/base/cinder/api.pp b/manifests/profile/base/cinder/api.pp index c432fd6..2fd9a65 100644 --- a/manifests/profile/base/cinder/api.pp +++ b/manifests/profile/base/cinder/api.pp @@ -76,6 +76,7 @@ class tripleo::profile::base::cinder::api ( if $step >= 4 or ($step >= 3 and $sync_db) { include ::cinder::api + include ::apache::mod::ssl class { '::cinder::wsgi::apache': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/cinder/volume.pp b/manifests/profile/base/cinder/volume.pp index 9fb1594..e1370a3 100644 --- a/manifests/profile/base/cinder/volume.pp +++ b/manifests/profile/base/cinder/volume.pp @@ -18,6 +18,10 @@ # # === Parameters # +# [*cinder_enable_pure_backend*] +# (Optional) Whether to enable the pure backend +# Defaults to true +# # [*cinder_enable_dellsc_backend*] # (Optional) Whether to enable the delsc backend # Defaults to true @@ -60,6 +64,7 @@ # Defaults to hiera('step') # class tripleo::profile::base::cinder::volume ( + $cinder_enable_pure_backend = false, $cinder_enable_dellsc_backend = false, $cinder_enable_hpelefthand_backend = false, $cinder_enable_dellps_backend = false, @@ -76,6 +81,13 @@ class tripleo::profile::base::cinder::volume ( if $step >= 4 { include ::cinder::volume + if $cinder_enable_pure_backend { + include ::tripleo::profile::base::cinder::volume::pure + $cinder_pure_backend_name = hiera('cinder::backend::pure::volume_backend_name', 'tripleo_pure') + } else { + $cinder_pure_backend_name = undef + } + if $cinder_enable_dellsc_backend { include ::tripleo::profile::base::cinder::volume::dellsc $cinder_dellsc_backend_name = hiera('cinder::backend::dellsc_iscsi::volume_backend_name', 'tripleo_dellsc') @@ -134,6 +146,7 @@ class tripleo::profile::base::cinder::volume ( $backends = delete_undef_values([$cinder_iscsi_backend_name, $cinder_rbd_backend_name, + $cinder_pure_backend_name, $cinder_dellps_backend_name, $cinder_dellsc_backend_name, $cinder_hpelefthand_backend_name, diff --git a/manifests/profile/base/cinder/volume/dellsc.pp b/manifests/profile/base/cinder/volume/dellsc.pp index 534bcb7..a60eadf 100644 --- a/manifests/profile/base/cinder/volume/dellsc.pp +++ b/manifests/profile/base/cinder/volume/dellsc.pp @@ -35,15 +35,20 @@ class tripleo::profile::base::cinder::volume::dellsc ( if $step >= 4 { cinder::backend::dellsc_iscsi { $backend_name : - san_ip => hiera('cinder::backend::dellsc_iscsi::san_ip', undef), - san_login => hiera('cinder::backend::dellsc_iscsi::san_login', undef), - san_password => hiera('cinder::backend::dellsc_iscsi::san_password', undef), - dell_sc_ssn => hiera('cinder::backend::dellsc_iscsi::dell_sc_ssn', undef), - iscsi_ip_address => hiera('cinder::backend::dellsc_iscsi::iscsi_ip_address', undef), - iscsi_port => hiera('cinder::backend::dellsc_iscsi::iscsi_port', undef), - dell_sc_api_port => hiera('cinder::backend::dellsc_iscsi::dell_sc_api_port', undef), - dell_sc_server_folder => hiera('cinder::backend::dellsc_iscsi::dell_sc_server_folder', undef), - dell_sc_volume_folder => hiera('cinder::backend::dellsc_iscsi::dell_sc_volume_folder', undef), + san_ip => hiera('cinder::backend::dellsc_iscsi::san_ip', undef), + san_login => hiera('cinder::backend::dellsc_iscsi::san_login', undef), + san_password => hiera('cinder::backend::dellsc_iscsi::san_password', undef), + dell_sc_ssn => hiera('cinder::backend::dellsc_iscsi::dell_sc_ssn', undef), + iscsi_ip_address => hiera('cinder::backend::dellsc_iscsi::iscsi_ip_address', undef), + iscsi_port => hiera('cinder::backend::dellsc_iscsi::iscsi_port', undef), + dell_sc_api_port => hiera('cinder::backend::dellsc_iscsi::dell_sc_api_port', undef), + dell_sc_server_folder => hiera('cinder::backend::dellsc_iscsi::dell_sc_server_folder', undef), + dell_sc_volume_folder => hiera('cinder::backend::dellsc_iscsi::dell_sc_volume_folder', undef), + excluded_domain_ip => hiera('cinder::backend::dellsc_iscsi::excluded_domain_ip', undef), + secondary_san_ip => hiera('cinder::backend::dellsc_iscsi::secondary_san_ip', undef), + secondary_san_login => hiera('cinder::backend::dellsc_iscsi::secondary_san_login', undef), + secondary_san_password => hiera('cinder::backend::dellsc_iscsi::secondary_san_password', undef), + secondary_sc_api_port => hiera('cinder::backend::dellsc_iscsi::secondary_sc_api_port', undef), } } diff --git a/manifests/profile/base/cinder/volume/pure.pp b/manifests/profile/base/cinder/volume/pure.pp new file mode 100644 index 0000000..e524919 --- /dev/null +++ b/manifests/profile/base/cinder/volume/pure.pp @@ -0,0 +1,65 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::cinder::volume::pure +# +# Cinder Volume pure profile for tripleo +# +# === Parameters +# +# [*san_ip*] +# (required) IP address of PureStorage management VIP. +# +# [*pure_api_token*] +# (required) API token for management of PureStorage array. +# +# [*backend_name*] +# (Optional) Name given to the Cinder backend stanza +# Defaults to 'tripleo_pure' +# +# [*pure_storage_protocol*] +# (optional) Must be either 'iSCSI' or 'FC'. This will determine +# which Volume Driver will be configured; PureISCSIDriver or PureFCDriver. +# Defaults to 'iSCSI' +# +# [*use_multipath_for_image_xfer*] +# (optional) . +# Defaults to True +# +# [*use_chap_auth*] +# (optional) Only affects the PureISCSIDriver. +# Defaults to False +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::cinder::volume::pure ( + $backend_name = hiera('cinder::backend::pure::volume_backend_name', 'tripleo_pure'), + $step = hiera('step'), +) { + include ::tripleo::profile::base::cinder::volume + + if $step >= 4 { + cinder::backend::pure { $backend_name : + san_ip => hiera('cinder::backend::pure::san_ip', undef), + pure_api_token => hiera('cinder::backend::pure::pure_api_token', undef), + pure_storage_protocol => hiera('cinder::backend::pure::pure_storage_protocol', undef), + use_chap_auth => hiera('cinder::backend::pure::use_chap_auth', undef), + use_multipath_for_image_xfer => hiera('cinder::backend::pure::use_multipath_for_image_xfer', undef), + } + } + +} diff --git a/manifests/profile/base/database/mysql/client.pp b/manifests/profile/base/database/mysql/client.pp index 22384a9..014ef35 100644 --- a/manifests/profile/base/database/mysql/client.pp +++ b/manifests/profile/base/database/mysql/client.pp @@ -82,6 +82,7 @@ class tripleo::profile::base::database::mysql::client ( # Create /etc/my.cnf.d/tripleo.cnf exec { 'directory-create-etc-my.cnf.d': command => 'mkdir -p /etc/my.cnf.d', + unless => 'test -d /etc/my.cnf.d', path => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'], } -> augeas { 'tripleo-mysql-client-conf': diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp index 5e18a85..d035f6a 100644 --- a/manifests/profile/base/docker.pp +++ b/manifests/profile/base/docker.pp @@ -28,12 +28,17 @@ # Set docker_namespace to INSECURE_REGISTRY, used when a local registry # is enabled (defaults to false) # +# [*registry_mirror*] +# Configure a registry-mirror in the /etc/docker/daemon.json file. +# (defaults to false) +# # [*step*] # step defaults to hiera('step') # class tripleo::profile::base::docker ( $docker_namespace = undef, $insecure_registry = false, + $registry_mirror = false, $step = hiera('step'), ) { if $step >= 1 { @@ -64,5 +69,32 @@ class tripleo::profile::base::docker ( subscribe => Package['docker'], notify => Service['docker'], } + + if $registry_mirror { + $mirror_changes = [ + 'set dict/entry[. = "registry-mirrors"] "registry-mirrors', + "set dict/entry[. = \"registry-mirrors\"]/array/string \"${registry_mirror}\"" + ] + } else { + $mirror_changes = [ 'rm dict/entry[. = "registry-mirrors"]', ] + } + + file { '/etc/docker/daemon.json': + ensure => 'present', + content => '{}', + mode => '0644', + replace => false, + require => Package['docker'] + } + + augeas { 'docker-daemon.json': + lens => 'Json.lns', + incl => '/etc/docker/daemon.json', + changes => $mirror_changes, + subscribe => Package['docker'], + notify => Service['docker'], + require => File['/etc/docker/daemon.json'], + } + } } diff --git a/manifests/profile/base/docker_registry.pp b/manifests/profile/base/docker_registry.pp index 2f1783d..cb262d9 100644 --- a/manifests/profile/base/docker_registry.pp +++ b/manifests/profile/base/docker_registry.pp @@ -31,19 +31,28 @@ # network # Defaults to hiera('controller_admin_host') # +# [*enable_container_images_build*] +# (Optional) Whether to install tools to build docker container images +# Defaults to hiera('enable_container_images_build', true) +# class tripleo::profile::base::docker_registry ( - $registry_host = hiera('controller_host'), - $registry_port = 8787, - $registry_admin_host = hiera('controller_admin_host'), + $registry_host = hiera('controller_host'), + $registry_port = 8787, + $registry_admin_host = hiera('controller_admin_host'), + $enable_container_images_build = hiera('enable_container_images_build', true), ) { + + include ::tripleo::profile::base::docker + # We want a v2 registry package{'docker-registry': ensure => absent, allow_virtual => false, } package{'docker-distribution': } - package{'docker': } - package{'openstack-kolla': } + if str2bool($enable_container_images_build) { + package{'openstack-kolla': } + } file { '/etc/docker-distribution/registry/config.yml' : ensure => file, content => template('tripleo/docker_distribution/registry_config.yml.erb'), @@ -68,9 +77,4 @@ class tripleo::profile::base::docker_registry ( enable => true, require => Package['docker-distribution'], } - service { 'docker': - ensure => running, - enable => true, - require => Package['docker'], - } } diff --git a/manifests/profile/base/etcd.pp b/manifests/profile/base/etcd.pp index fc4771f..9f5d180 100644 --- a/manifests/profile/base/etcd.pp +++ b/manifests/profile/base/etcd.pp @@ -34,26 +34,63 @@ # (Optional) Array of host(s) for etcd nodes. # Defaults to hiera('etcd_node_ips', []). # +# [*certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate +# it will create. Note that the certificate nickname must be 'etcd' in +# the case of this service. +# Example with hiera: +# tripleo::profile::base::etcd::certificate_specs: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "etcd/<overcloud controller fqdn>" +# Defaults to {}. +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. # Defaults to hiera('step') # class tripleo::profile::base::etcd ( - $bind_ip = '127.0.0.1', - $client_port = '2379', - $peer_port = '2380', - $nodes = hiera('etcd_node_names', []), - $step = hiera('step'), + $bind_ip = '127.0.0.1', + $client_port = '2379', + $peer_port = '2380', + $nodes = hiera('etcd_node_names', []), + $certificate_specs = {}, + $enable_internal_tls = hiera('enable_internal_tls', false), + $step = hiera('step'), ) { - if $step >= 1 { + + validate_hash($certificate_specs) + + if $enable_internal_tls { + $tls_certfile = $certificate_specs['service_certificate'] + $tls_keyfile = $certificate_specs['service_key'] + $protocol = 'https' + } else { + $tls_certfile = undef + $tls_keyfile = undef + $protocol = 'http' + } + + if $step >= 2 { class {'::etcd': - listen_client_urls => "http://${bind_ip}:${client_port}", - advertise_client_urls => "http://${bind_ip}:${client_port}", - listen_peer_urls => "http://${bind_ip}:${peer_port}", - initial_advertise_peer_urls => "http://${bind_ip}:${peer_port}", - initial_cluster => regsubst($nodes, '.+', "\\0=http://\\0:${peer_port}"), + listen_client_urls => "${protocol}://${bind_ip}:${client_port}", + advertise_client_urls => "${protocol}://${bind_ip}:${client_port}", + listen_peer_urls => "${protocol}://${bind_ip}:${peer_port}", + initial_advertise_peer_urls => "${protocol}://${bind_ip}:${peer_port}", + initial_cluster => regsubst($nodes, '.+', "\\0=${protocol}://\\0:${peer_port}"), proxy => 'off', + cert_file => $tls_certfile, + key_file => $tls_keyfile, + client_cert_auth => $enable_internal_tls, + peer_cert_file => $tls_certfile, + peer_key_file => $tls_keyfile, + peer_client_cert_auth => $enable_internal_tls, } } } diff --git a/manifests/profile/base/gnocchi/api.pp b/manifests/profile/base/gnocchi/api.pp index 79ee265..a4e9a30 100644 --- a/manifests/profile/base/gnocchi/api.pp +++ b/manifests/profile/base/gnocchi/api.pp @@ -47,6 +47,14 @@ # This is set by t-h-t. # Defaults to hiera('gnocchi_api_network', undef) # +# [*gnocchi_redis_password*] +# (Required) Password for the gnocchi redis user for the coordination url +# Defaults to hiera('gnocchi_redis_password') +# +# [*redis_vip*] +# (Required) Redis ip address for the coordination url +# Defaults to hiera('redis_vip') +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -58,6 +66,8 @@ class tripleo::profile::base::gnocchi::api ( $enable_internal_tls = hiera('enable_internal_tls', false), $gnocchi_backend = downcase(hiera('gnocchi_backend', 'swift')), $gnocchi_network = hiera('gnocchi_api_network', undef), + $gnocchi_redis_password = hiera('gnocchi_redis_password'), + $redis_vip = hiera('redis_vip'), $step = hiera('step'), ) { if $::hostname == downcase($bootstrap_node) { @@ -83,15 +93,18 @@ class tripleo::profile::base::gnocchi::api ( include ::gnocchi::db::sync } - if $step >= 4 { + if $step >= 3 { include ::gnocchi::api + include ::apache::mod::ssl class { '::gnocchi::wsgi::apache': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, } + } + if $step >= 4 { class { '::gnocchi::storage': - coordination_url => join(['redis://:', hiera('gnocchi_redis_password'), '@', normalize_ip_for_uri(hiera('redis_vip')), ':6379/']), + coordination_url => join(['redis://:', $gnocchi_redis_password, '@', normalize_ip_for_uri($redis_vip), ':6379/']), } case $gnocchi_backend { 'swift': { include ::gnocchi::storage::swift } diff --git a/manifests/profile/base/heat/api.pp b/manifests/profile/base/heat/api.pp index 8e2da7e..79eb77e 100644 --- a/manifests/profile/base/heat/api.pp +++ b/manifests/profile/base/heat/api.pp @@ -65,6 +65,7 @@ class tripleo::profile::base::heat::api ( if $step >= 3 { include ::heat::api + include ::apache::mod::ssl class { '::heat::wsgi::apache_api': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/heat/api_cfn.pp b/manifests/profile/base/heat/api_cfn.pp index 02eb82a..dad7b76 100644 --- a/manifests/profile/base/heat/api_cfn.pp +++ b/manifests/profile/base/heat/api_cfn.pp @@ -66,6 +66,7 @@ class tripleo::profile::base::heat::api_cfn ( if $step >= 3 { include ::heat::api_cfn + include ::apache::mod::ssl class { '::heat::wsgi::apache_api_cfn': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/heat/api_cloudwatch.pp b/manifests/profile/base/heat/api_cloudwatch.pp index 558d247..428bcf2 100644 --- a/manifests/profile/base/heat/api_cloudwatch.pp +++ b/manifests/profile/base/heat/api_cloudwatch.pp @@ -66,6 +66,7 @@ class tripleo::profile::base::heat::api_cloudwatch ( if $step >= 3 { include ::heat::api_cloudwatch + include ::apache::mod::ssl class { '::heat::wsgi::apache_api_cloudwatch': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/ironic/conductor.pp b/manifests/profile/base/ironic/conductor.pp index 7f90da9..5ebf167 100644 --- a/manifests/profile/base/ironic/conductor.pp +++ b/manifests/profile/base/ironic/conductor.pp @@ -34,6 +34,7 @@ class tripleo::profile::base::ironic::conductor ( if $step >= 4 { include ::ironic::conductor + include ::ironic::drivers::interfaces include ::ironic::drivers::pxe if $manage_pxe { include ::ironic::pxe @@ -43,7 +44,11 @@ class tripleo::profile::base::ironic::conductor ( include ::ironic::drivers::drac include ::ironic::drivers::ilo include ::ironic::drivers::ipmi - include ::ironic::drivers::ssh + include ::ironic::drivers::redfish + # TODO: deprecated code cleanup, remove in Queens + ironic_config { + 'ssh/libvirt_uri': ensure => absent; + } # Configure access to other services include ::ironic::drivers::inspector diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index bb3f387..31f5c93 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -59,6 +59,15 @@ # heat admin user name # Defaults to undef # +# [*ldap_backends_config*] +# Configuration for keystone::ldap_backend. This takes a hash that will +# create each backend specified. +# Defaults to undef +# +# [*ldap_backend_enable*] +# Enables creating per-domain LDAP backends for keystone. +# Default to false +# # [*manage_db_purge*] # (Optional) Whether keystone token flushing should be enabled # Defaults to hiera('keystone_enable_db_purge', true) @@ -126,6 +135,8 @@ class tripleo::profile::base::keystone ( $heat_admin_email = undef, $heat_admin_password = undef, $heat_admin_user = undef, + $ldap_backends_config = undef, + $ldap_backend_enable = false, $manage_db_purge = hiera('keystone_enable_db_purge', true), $public_endpoint_network = hiera('keystone_public_api_network', undef), $oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'), @@ -200,6 +211,7 @@ class tripleo::profile::base::keystone ( } include ::keystone::config + include ::apache::mod::ssl class { '::keystone::wsgi::apache': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, @@ -207,6 +219,13 @@ class tripleo::profile::base::keystone ( ssl_key_admin => $tls_keyfile_admin, } include ::keystone::cors + + if $ldap_backend_enable { + validate_hash($ldap_backends_config) + create_resources('::keystone::ldap_backend', $ldap_backends_config, { + create_domain_entry => $manage_domain, + }) + } } if $step >= 4 and $manage_db_purge { @@ -294,13 +313,16 @@ class tripleo::profile::base::keystone ( if hiera('nova_placement_enabled', false) { include ::nova::keystone::auth_placement } + if hiera('octavia_api_enabled', false) { + include ::octavia::keystone::auth + } if hiera('panko_api_enabled', false) { include ::panko::keystone::auth } if hiera('sahara_api_enabled', false) { include ::sahara::keystone::auth } - if hiera('swift_proxy_enabled', false) { + if hiera('swift_proxy_enabled', false) or hiera('external_swift_proxy_enabled',false) { include ::swift::keystone::auth } if hiera('tacker_enabled', false) { diff --git a/manifests/profile/base/neutron/agents/bagpipe.pp b/manifests/profile/base/neutron/agents/bagpipe.pp new file mode 100644 index 0000000..fb5e000 --- /dev/null +++ b/manifests/profile/base/neutron/agents/bagpipe.pp @@ -0,0 +1,37 @@ +# +# Copyright (C) 2017 Red Hat Inc. +# +# Author: Ricardo Noriega <rnoriega@redhat.com> +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::agents::bagpipe +# +# Neutron Bagpipe Agent profile for TripleO +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::neutron::agents::bagpipe ( + $step = hiera('step'), +) { + include ::tripleo::profile::base::neutron + + if $step >= 4 { + include ::neutron::agents::bagpipe + } +} diff --git a/manifests/profile/base/neutron/agents/bigswitch.pp b/manifests/profile/base/neutron/agents/bigswitch.pp new file mode 100644 index 0000000..137dec0 --- /dev/null +++ b/manifests/profile/base/neutron/agents/bigswitch.pp @@ -0,0 +1,31 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::agents::bigswitch +# +# Bigswitch Neutron agent profile +# +# === Parameters +# +# [*step*] +# (Optional) The current step of the deployment +# Defaults to hiera('step') +# +class tripleo::profile::base::neutron::agents::bigswitch( + $step = hiera('step'), +) { + if $step >= 4 { + include ::neutron::agents::bigswitch + } +} diff --git a/manifests/profile/base/neutron/agents/vpp.pp b/manifests/profile/base/neutron/agents/vpp.pp new file mode 100644 index 0000000..e961aa7 --- /dev/null +++ b/manifests/profile/base/neutron/agents/vpp.pp @@ -0,0 +1,49 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::agents::vpp +# +# Neutron VPP Agent profile for tripleo +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +# [*etcd_host*] +# (Optional) etcd server VIP. +# Defaults to hiera('etcd_vip') +# +# [*etcd_port*] +# (Optional) etcd server listening port. +# Defaults to 2379 +# +class tripleo::profile::base::neutron::agents::vpp( + $step = hiera('step'), + $etcd_host = hiera('etcd_vip'), + $etcd_port = 2379, +) { + if empty($etcd_host) { + fail('etcd_vip not set in hieradata') + } + + if $step >= 4 { + class { '::neutron::agents::ml2::vpp': + etcd_host => $etcd_host, + etcd_port => $etcd_port, + } + } +} diff --git a/manifests/profile/base/neutron/linuxbridge.pp b/manifests/profile/base/neutron/linuxbridge.pp new file mode 100644 index 0000000..9f4899a --- /dev/null +++ b/manifests/profile/base/neutron/linuxbridge.pp @@ -0,0 +1,20 @@ +# == Class: tripleo::profile::base::neutron::linuxbridge +# +# Neutron linuxbridge agent profile for tripleo +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templatee +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::neutron::linuxbridge( + $step = hiera('step'), +) { + include ::tripleo::profile::base::neutron + + if $step >= 5 { + include ::neutron::agents::ml2::linuxbridge + } +} diff --git a/manifests/profile/base/neutron/plugins/ml2.pp b/manifests/profile/base/neutron/plugins/ml2.pp index 52d4ca1..1702fed 100644 --- a/manifests/profile/base/neutron/plugins/ml2.pp +++ b/manifests/profile/base/neutron/plugins/ml2.pp @@ -81,5 +81,9 @@ class tripleo::profile::base::neutron::plugins::ml2 ( include ::neutron::plugins::ml2::fujitsu include ::neutron::plugins::ml2::fujitsu::fossw } + + if 'vpp' in $mechanism_drivers { + include ::tripleo::profile::base::neutron::plugins::ml2::vpp + } } } diff --git a/manifests/profile/base/neutron/plugins/ml2/bagpipe.pp b/manifests/profile/base/neutron/plugins/ml2/bagpipe.pp new file mode 100644 index 0000000..161cd75 --- /dev/null +++ b/manifests/profile/base/neutron/plugins/ml2/bagpipe.pp @@ -0,0 +1,37 @@ +# +# Copyright (C) 2017 Red Hat Inc. +# +# Author: Ricardo Noriega <rnoriega@redhat.com> +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::plugins::ml2::bagpipe +# +# Neutron Bagpipe ML2 profile for TripleO +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::neutron::plugins::ml2::bagpipe ( + $step = hiera('step'), +) { + include ::tripleo::profile::base::neutron + + if $step >= 4 { + include ::neutron::plugins::ml2::bagpipe + } +} diff --git a/manifests/profile/base/neutron/plugins/ml2/vpp.pp b/manifests/profile/base/neutron/plugins/ml2/vpp.pp new file mode 100644 index 0000000..217e4cf --- /dev/null +++ b/manifests/profile/base/neutron/plugins/ml2/vpp.pp @@ -0,0 +1,49 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::plugins::ml2::vpp +# +# VPP Neutron ML2 profile for tripleo +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +# [*etcd_host*] +# (Optional) etcd server VIP. +# Defaults to hiera('etcd_vip') +# +# [*etcd_port*] +# (Optional) etcd server listening port. +# Defaults to 2379 +# +class tripleo::profile::base::neutron::plugins::ml2::vpp ( + $step = hiera('step'), + $etcd_host = hiera('etcd_vip'), + $etcd_port = 2379, +) { + if empty($etcd_host) { + fail('etcd_vip not set in hieradata') + } + + if $step >= 4 { + class { '::neutron::plugins::ml2::vpp': + etcd_host => $etcd_host, + etcd_port => $etcd_port, + } + } +} diff --git a/manifests/profile/base/neutron/plugins/nsx_v3.pp b/manifests/profile/base/neutron/plugins/nsx_v3.pp new file mode 100644 index 0000000..33fa0cf --- /dev/null +++ b/manifests/profile/base/neutron/plugins/nsx_v3.pp @@ -0,0 +1,45 @@ +# Copyright 2017 VMware, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::plugins::nsx_v3 +# +# VMware NSXv3 Neutron profile for tripleo +# +# === Parameters +# +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::neutron::plugins::nsx_v3 ( + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $step = hiera('step'), +) { + if $::hostname == downcase($bootstrap_node) { + $sync_db = true + } else { + $sync_db = false + } + + include ::tripleo::profile::base::neutron + + if $step >= 4 or ( $step >= 3 and $sync_db ) { + include ::neutron::plugins::nsx_v3 + } +} diff --git a/manifests/profile/base/nova/api.pp b/manifests/profile/base/nova/api.pp index 95a1721..bdb3007 100644 --- a/manifests/profile/base/nova/api.pp +++ b/manifests/profile/base/nova/api.pp @@ -94,6 +94,7 @@ class tripleo::profile::base::nova::api ( $tls_keyfile = undef } if $step >= 4 or ($step >= 3 and $sync_db) { + include ::apache::mod::ssl class { '::nova::wsgi::apache_api': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/nova/placement.pp b/manifests/profile/base/nova/placement.pp index 16bfe17..c78b3c2 100644 --- a/manifests/profile/base/nova/placement.pp +++ b/manifests/profile/base/nova/placement.pp @@ -74,6 +74,7 @@ class tripleo::profile::base::nova::placement ( } if $step >= 3 { + include ::apache::mod::ssl class { '::nova::wsgi::apache_placement': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp index 6021731..c1d745a 100644 --- a/manifests/profile/base/pacemaker.pp +++ b/manifests/profile/base/pacemaker.pp @@ -55,6 +55,14 @@ # (Optional) Number of seconds to sleep between remote creation tries # Defaults to hiera('pacemaker_remote_try_sleep', 60) # +# [*cluster_recheck_interval*] +# (Optional) Set the cluster-wide cluster-recheck-interval property +# If the hiera key does not exist or if it is set to undef, the property +# won't be changed from its default value when there are no pacemaker_remote +# nodes. In presence of pacemaker_remote nodes and an undef value it will +# be set to 60s. +# Defaults to hiera('pacemaker_cluster_recheck_interval', undef) +# class tripleo::profile::base::pacemaker ( $step = hiera('step'), $pcs_tries = hiera('pcs_tries', 20), @@ -65,6 +73,7 @@ class tripleo::profile::base::pacemaker ( $remote_monitor_interval = hiera('pacemaker_remote_monitor_interval', 20), $remote_tries = hiera('pacemaker_remote_tries', 5), $remote_try_sleep = hiera('pacemaker_remote_try_sleep', 60), + $cluster_recheck_interval = hiera('pacemaker_cluster_recheck_interval', undef), ) { if count($remote_short_node_names) != count($remote_node_ips) { @@ -136,6 +145,22 @@ class tripleo::profile::base::pacemaker ( if $step >= 2 { if $pacemaker_master { include ::pacemaker::resource_defaults + # When we have a non-zero number of pacemaker remote nodes we + # want to set the cluster-recheck-interval property to something + # lower (unless the operator has explicitely set a value) + if count($remote_short_node_names) > 0 and $cluster_recheck_interval == undef { + pacemaker::property{ 'cluster-recheck-interval-property': + property => 'cluster-recheck-interval', + value => '60s', + tries => $pcs_tries, + } + } elsif $cluster_recheck_interval != undef { + pacemaker::property{ 'cluster-recheck-interval-property': + property => 'cluster-recheck-interval', + value => $cluster_recheck_interval, + tries => $pcs_tries, + } + } } } diff --git a/manifests/profile/base/panko/api.pp b/manifests/profile/base/panko/api.pp index 90e80a2..165969f 100644 --- a/manifests/profile/base/panko/api.pp +++ b/manifests/profile/base/panko/api.pp @@ -79,6 +79,7 @@ class tripleo::profile::base::panko::api ( class { '::panko::api': sync_db => $sync_db, } + include ::apache::mod::ssl class { '::panko::wsgi::apache': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/rabbitmq.pp b/manifests/profile/base/rabbitmq.pp index 9d1417c..8551f19 100644 --- a/manifests/profile/base/rabbitmq.pp +++ b/manifests/profile/base/rabbitmq.pp @@ -110,7 +110,7 @@ class tripleo::profile::base::rabbitmq ( if $inet_dist_interface { $real_kernel_variables = merge( $kernel_variables, - { 'inet_dist_use_interface' => ip_to_erl_format($inet_dist_interface) }, + { 'inet_dist_use_interface' => ip_to_erl_format($inet_dist_interface) } ) } else { $real_kernel_variables = $kernel_variables diff --git a/manifests/profile/base/sshd.pp b/manifests/profile/base/sshd.pp index f43089c..3f0245d 100644 --- a/manifests/profile/base/sshd.pp +++ b/manifests/profile/base/sshd.pp @@ -27,14 +27,19 @@ # The text used within SSH Banner # Defaults to hiera('MOTD') # +# [*options*] +# Hash of SSHD options to set. See the puppet-ssh module documentation for +# details. +# Defaults to {} + class tripleo::profile::base::sshd ( $bannertext = hiera('BannerText', undef), $motd = hiera('MOTD', undef), + $options = {} ) { - include ::ssh - - if $bannertext { + if $bannertext and $bannertext != '' { + $sshd_options_banner = {'Banner' => '/etc/issue.net'} $filelist = [ '/etc/issue', '/etc/issue.net', ] file { $filelist: ensure => file, @@ -44,9 +49,12 @@ class tripleo::profile::base::sshd ( group => 'root', mode => '0644' } + } else { + $sshd_options_banner = {} } - if $motd { + if $motd and $motd != '' { + $sshd_options_motd = {'PrintMotd' => 'yes'} file { '/etc/motd': ensure => file, backup => false, @@ -55,5 +63,23 @@ class tripleo::profile::base::sshd ( group => 'root', mode => '0644' } + } else { + $sshd_options_motd = {} + } + + $sshd_options = merge( + $options, + $sshd_options_banner, + $sshd_options_motd + ) + + # NB (owalsh) in puppet-ssh hiera takes precedence over the class param + # we need to control this, so error if it's set in hiera + if hiera('ssh:server::options', undef) { + err('ssh:server::options must not be set, use tripleo::profile::base::sshd::options') + } + class { '::ssh::server': + storeconfigs_enabled => false, + options => $sshd_options } } diff --git a/manifests/profile/base/swift/proxy.pp b/manifests/profile/base/swift/proxy.pp index e80c8c9..4e0e568 100644 --- a/manifests/profile/base/swift/proxy.pp +++ b/manifests/profile/base/swift/proxy.pp @@ -127,7 +127,7 @@ class tripleo::profile::base::swift::proxy ( port => $tls_proxy_port, tls_cert => $tls_certfile, tls_key => $tls_keyfile, - notify => Class['::neutron::server'], + notify => Class['::swift::proxy'], } } $swift_memcache_servers = suffix(any2array(normalize_ip_for_uri($memcache_servers)), ":${memcache_port}") diff --git a/manifests/profile/base/swift/ringbuilder.pp b/manifests/profile/base/swift/ringbuilder.pp index 7e5fc74..f7cfea4 100644 --- a/manifests/profile/base/swift/ringbuilder.pp +++ b/manifests/profile/base/swift/ringbuilder.pp @@ -63,6 +63,12 @@ # Minimum amount of time before partitions can be moved. # Defaults to undef # +# [*swift_ring_get_tempurl*] +# GET tempurl to fetch Swift rings from +# +# [*swift_ring_put_tempurl*] +# PUT tempurl to upload Swift rings to +# class tripleo::profile::base::swift::ringbuilder ( $replicas, $build_ring = true, @@ -74,7 +80,23 @@ class tripleo::profile::base::swift::ringbuilder ( $swift_storage_node_ips = hiera('swift_storage_node_ips', []), $part_power = undef, $min_part_hours = undef, + $swift_ring_get_tempurl = hiera('swift_ring_get_tempurl', ''), + $swift_ring_put_tempurl = hiera('swift_ring_put_tempurl', ''), ) { + + if $step == 2 and $swift_ring_get_tempurl != '' { + exec{'fetch_swift_ring_tarball': + path => ['/usr/bin'], + command => "curl --insecure --silent '${swift_ring_get_tempurl}' -o /tmp/swift-rings.tar.gz", + returns => [0, 3] + } ~> + exec{'extract_swift_ring_tarball': + path => ['/bin'], + command => 'tar xzf /tmp/swift-rings.tar.gz -C /', + returns => [0, 2] + } + } + if $step >= 2 { # pre-install swift here so we can build rings include ::swift @@ -112,4 +134,18 @@ class tripleo::profile::base::swift::ringbuilder ( Ring_object_device<| |> ~> Exec['rebalance_container'] } } + + if $step == 5 and $build_ring and $swift_ring_put_tempurl != '' { + exec{'create_swift_ring_tarball': + path => ['/bin', '/usr/bin'], + command => 'tar cvzf /tmp/swift-rings.tar.gz /etc/swift/*.builder /etc/swift/*.ring.gz /etc/swift/backups/', + unless => 'swift-recon --md5 | grep -q "doesn\'t match"' + } ~> + exec{'upload_swift_ring_tarball': + path => ['/usr/bin'], + command => "curl --insecure --silent -X PUT '${$swift_ring_put_tempurl}' --data-binary @/tmp/swift-rings.tar.gz", + require => Exec['create_swift_ring_tarball'], + refreshonly => true, + } + } } diff --git a/manifests/profile/base/zaqar.pp b/manifests/profile/base/zaqar.pp index 89a03ad..243dcc7 100644 --- a/manifests/profile/base/zaqar.pp +++ b/manifests/profile/base/zaqar.pp @@ -50,11 +50,15 @@ class tripleo::profile::base::zaqar ( uri => $database_connection, } include ::zaqar::transport::websocket + include ::apache::mod::ssl include ::zaqar::transport::wsgi # TODO (bcrochet): At some point, the transports should be split out to - # seperate services. - include ::zaqar::server + # separate services. + class { '::zaqar::server': + service_name => 'httpd', # TODO cleanup when passed by t-h-t. + } + include ::zaqar::wsgi::apache zaqar::server_instance{ '1': transport => 'websocket' } diff --git a/manifests/profile/pacemaker/database/mysql.pp b/manifests/profile/pacemaker/database/mysql.pp index bc5e644..031e80c 100644 --- a/manifests/profile/pacemaker/database/mysql.pp +++ b/manifests/profile/pacemaker/database/mysql.pp @@ -120,7 +120,7 @@ class tripleo::profile::pacemaker::database::mysql ( if $step >= 1 and $pacemaker_master and hiera('stack_action') == 'UPDATE' { tripleo::pacemaker::resource_restart_flag { 'galera-master': subscribe => File['mysql-config-file'], - } + } ~> Exec<| title == 'galera-ready' |> } if $step >= 2 { @@ -145,7 +145,7 @@ class tripleo::profile::pacemaker::database::mysql ( }, require => [Class['::mysql::server'], Pacemaker::Property['galera-role-node-property']], - before => Exec['galera-ready'], + notify => Exec['galera-ready'], } exec { 'galera-ready' : command => '/usr/bin/clustercheck >/dev/null', @@ -153,6 +153,7 @@ class tripleo::profile::pacemaker::database::mysql ( tries => 180, try_sleep => 10, environment => ['AVAILABLE_WHEN_READONLY=0'], + refreshonly => true, require => Exec['create-root-sysconfig-clustercheck'], } # We add a clustercheck db user and we will switch /etc/sysconfig/clustercheck diff --git a/manifests/profile/pacemaker/rabbitmq.pp b/manifests/profile/pacemaker/rabbitmq.pp index f4b679a..bf6a38d 100644 --- a/manifests/profile/pacemaker/rabbitmq.pp +++ b/manifests/profile/pacemaker/rabbitmq.pp @@ -30,7 +30,7 @@ # (Optional) The number of HA queues in to be configured in rabbitmq # Defaults to hiera('rabbitmq::nr_ha_queues'), which is usually 0 meaning # that the queues number will be CEIL(N/2) where N is the number of rabbitmq -# nodes. +# nodes. The special value of -1 represents the mode 'ha-mode: all' # # [*rabbit_nodes*] # (Optional) The list of rabbitmq nodes names @@ -90,12 +90,16 @@ class tripleo::profile::pacemaker::rabbitmq ( if $user_ha_queues == 0 { $nr_rabbit_nodes = size($rabbit_nodes) $nr_ha_queues = $nr_rabbit_nodes / 2 + ($nr_rabbit_nodes % 2) + $params = "set_policy='ha-all ^(?!amq\\.).* {\"ha-mode\":\"exactly\",\"ha-params\":${nr_ha_queues}}'" + } elsif $user_ha_queues == -1 { + $params = 'set_policy=\'ha-all ^(?!amq\.).* {"ha-mode":"all"}\'' } else { $nr_ha_queues = $user_ha_queues + $params = "set_policy='ha-all ^(?!amq\\.).* {\"ha-mode\":\"exactly\",\"ha-params\":${nr_ha_queues}}'" } pacemaker::resource::ocf { 'rabbitmq': ocf_agent_name => 'heartbeat:rabbitmq-cluster', - resource_params => "set_policy='ha-all ^(?!amq\\.).* {\"ha-mode\":\"exactly\",\"ha-params\":${nr_ha_queues}}'", + resource_params => $params, clone_params => 'ordered=true interleave=true', meta_params => 'notify=true', op_params => 'start timeout=200s stop timeout=200s', diff --git a/manifests/tls_proxy.pp b/manifests/tls_proxy.pp index 36d6b6d..607e20f 100644 --- a/manifests/tls_proxy.pp +++ b/manifests/tls_proxy.pp @@ -40,6 +40,7 @@ define tripleo::tls_proxy( $tls_cert, $tls_key, ) { + include ::apache ::apache::vhost { "${title}-proxy": ensure => 'present', docroot => undef, # This is required by the manifest diff --git a/manifests/ui.pp b/manifests/ui.pp index d810b5d..1745535 100644 --- a/manifests/ui.pp +++ b/manifests/ui.pp @@ -38,8 +38,8 @@ # { # 'de' => 'German', # 'en' => 'English', -# 'en-GB' => 'British English', # 'es' => 'Spanish', +# 'id' => 'Indonesian', # 'ja' => 'Japanese', # 'ko-KR' => 'Korean', # 'zh-CN' => 'Simplified Chinese' @@ -106,8 +106,8 @@ class tripleo::ui ( $enabled_languages = { 'de' => 'German', 'en' => 'English', - 'en-GB' => 'British English', 'es' => 'Spanish', + 'id' => 'Indonesian', 'ja' => 'Japanese', 'ko-KR' => 'Korean', 'zh-CN' => 'Simplified Chinese' |