diff options
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/haproxy.pp | 113 | ||||
-rw-r--r-- | manifests/keepalived.pp | 18 | ||||
-rw-r--r-- | manifests/profile/base/ironic/conductor.pp | 1 | ||||
-rw-r--r-- | manifests/profile/base/keystone.pp | 16 | ||||
-rw-r--r-- | manifests/profile/base/neutron/agents/bagpipe.pp | 37 | ||||
-rw-r--r-- | manifests/profile/base/pacemaker.pp | 25 | ||||
-rw-r--r-- | manifests/profile/base/swift/ringbuilder.pp | 36 |
7 files changed, 159 insertions, 87 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index 0b69245..7aca0e1 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -750,7 +750,7 @@ class tripleo::haproxy ( 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', # NOTE(jaosorior): We always redirect to https for the public_virtual_ip. 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }", - 'option' => 'forwardfor', + 'option' => [ 'forwardfor', 'httpchk' ], 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], @@ -762,7 +762,7 @@ class tripleo::haproxy ( } $horizon_options = { 'cookie' => 'SERVERID insert indirect nocache', - 'option' => 'forwardfor', + 'option' => [ 'forwardfor', 'httpchk' ], } } @@ -821,12 +821,20 @@ class tripleo::haproxy ( }, } + + $default_listen_options = { + 'option' => [ 'httpchk', ], + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + } Tripleo::Haproxy::Endpoint { haproxy_listen_bind_param => $haproxy_listen_bind_param, member_options => $haproxy_member_options, public_certificate => $service_certificate, use_internal_certificates => $use_internal_certificates, internal_certificates_specs => $internal_certificates_specs, + listen_options => $default_listen_options, } $stats_base = ['enable', 'uri /'] @@ -852,11 +860,7 @@ class tripleo::haproxy ( ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real), server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, + listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }), public_ssl_port => $ports[keystone_admin_api_ssl_port], service_network => $keystone_admin_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -864,11 +868,6 @@ class tripleo::haproxy ( } if $keystone_public { - $keystone_listen_opts = { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - } if $service_certificate { $keystone_public_tls_listen_opts = { 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', @@ -877,7 +876,9 @@ class tripleo::haproxy ( 'option' => 'forwardfor', } } else { - $keystone_public_tls_listen_opts = {} + $keystone_public_tls_listen_opts = { + 'option' => [ 'httpchk GET /v3', ], + } } ::tripleo::haproxy::endpoint { 'keystone_public': public_virtual_ip => $public_virtual_ip, @@ -886,7 +887,7 @@ class tripleo::haproxy ( ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real), server_names => hiera('keystone_public_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => merge($keystone_listen_opts, $keystone_public_tls_listen_opts), + listen_options => merge($default_listen_options, $keystone_public_tls_listen_opts), public_ssl_port => $ports[keystone_public_api_ssl_port], service_network => $keystone_public_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -901,11 +902,6 @@ class tripleo::haproxy ( ip_addresses => hiera('neutron_api_node_ips', $controller_hosts_real), server_names => hiera('neutron_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[neutron_api_ssl_port], service_network => $neutron_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -920,11 +916,6 @@ class tripleo::haproxy ( ip_addresses => hiera('cinder_api_node_ips', $controller_hosts_real), server_names => hiera('cinder_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[cinder_api_ssl_port], service_network => $cinder_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -939,11 +930,6 @@ class tripleo::haproxy ( ip_addresses => hiera('congress_node_ips', $controller_hosts_real), server_names => hiera('congress_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[congress_api_ssl_port], service_network => $congress_network, } @@ -957,11 +943,6 @@ class tripleo::haproxy ( ip_addresses => hiera('manila_api_node_ips', $controller_hosts_real), server_names => hiera('manila_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[manila_api_ssl_port], service_network => $manila_network, } @@ -987,11 +968,6 @@ class tripleo::haproxy ( ip_addresses => hiera('tacker_node_ips', $controller_hosts_real), server_names => hiera('tacker_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[tacker_api_ssl_port], service_network => $tacker_network, } @@ -1018,11 +994,7 @@ class tripleo::haproxy ( server_names => hiera('glance_api_node_names', $controller_hosts_names_real), public_ssl_port => $ports[glance_api_ssl_port], mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, + listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /healthcheck', ]}), service_network => $glance_api_network, member_options => union($haproxy_member_options, $internal_tls_member_options), } @@ -1037,11 +1009,6 @@ class tripleo::haproxy ( ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real), server_names => hiera('nova_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[nova_api_ssl_port], service_network => $nova_osapi_network, #member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1057,11 +1024,6 @@ class tripleo::haproxy ( ip_addresses => hiera('nova_placement_node_ips', $controller_hosts_real), server_names => hiera('nova_placement_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[nova_placement_ssl_port], service_network => $nova_placement_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1074,6 +1036,9 @@ class tripleo::haproxy ( service_port => $ports[nova_metadata_port], ip_addresses => hiera('nova_metadata_node_ips', $controller_hosts_real), server_names => hiera('nova_metadata_node_names', $controller_hosts_names_real), + listen_options => { + 'option' => [ 'httpchk', ], + }, service_network => $nova_metadata_network, } } @@ -1085,10 +1050,11 @@ class tripleo::haproxy ( service_port => $ports[nova_novnc_port], ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real), server_names => hiera('nova_api_node_names', $controller_hosts_names_real), - listen_options => { + listen_options => merge($default_listen_options, { + 'option' => [ 'tcpka' ], 'balance' => 'source', 'timeout' => [ 'tunnel 1h' ], - }, + }), public_ssl_port => $ports[nova_novnc_ssl_port], service_network => $nova_novncproxy_network, } @@ -1102,11 +1068,6 @@ class tripleo::haproxy ( ip_addresses => hiera('ec2_api_node_ips', $controller_hosts_real), server_names => hiera('ec2_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[ec2_api_ssl_port], service_network => $ec2_api_network, } @@ -1130,11 +1091,6 @@ class tripleo::haproxy ( ip_addresses => hiera('ceilometer_api_node_ips', $controller_hosts_real), server_names => hiera('ceilometer_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[ceilometer_api_ssl_port], service_network => $ceilometer_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1149,11 +1105,6 @@ class tripleo::haproxy ( ip_addresses => hiera('aodh_api_node_ips', $controller_hosts_real), server_names => hiera('aodh_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[aodh_api_ssl_port], service_network => $aodh_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1167,11 +1118,6 @@ class tripleo::haproxy ( service_port => $ports[panko_api_port], ip_addresses => hiera('panko_api_node_ips', $controller_hosts_real), server_names => hiera('panko_api_node_names', $controller_hosts_names_real), - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[panko_api_ssl_port], service_network => $panko_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1199,11 +1145,6 @@ class tripleo::haproxy ( ip_addresses => hiera('gnocchi_api_node_ips', $controller_hosts_real), server_names => hiera('gnocchi_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[gnocchi_api_ssl_port], service_network => $gnocchi_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1224,6 +1165,7 @@ class tripleo::haproxy ( if $swift_proxy_server { $swift_proxy_server_listen_options = { + 'option' => [ 'httpchk GET /healthcheck', ], 'timeout client' => '2m', 'timeout server' => '2m', } @@ -1242,17 +1184,13 @@ class tripleo::haproxy ( $heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip) $heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real) - $heat_base_options = { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }']} if $service_certificate { $heat_ssl_options = { 'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1", } - $heat_options = merge($heat_base_options, $heat_ssl_options) + $heat_options = merge($default_listen_options, $heat_ssl_options) } else { - $heat_options = $heat_base_options + $heat_options = $default_listen_options } if $heat_api { @@ -1515,6 +1453,7 @@ class tripleo::haproxy ( server_names => hiera('ceph_rgw_node_names', $controller_hosts_names_real), public_ssl_port => $ports[ceph_rgw_ssl_port], service_network => $ceph_rgw_network, + listen_options => merge($default_listen_options, { 'option' => [ 'httpchk HEAD /' ] }), } } diff --git a/manifests/keepalived.pp b/manifests/keepalived.pp index a6d5832..aa0e5d6 100644 --- a/manifests/keepalived.pp +++ b/manifests/keepalived.pp @@ -59,6 +59,12 @@ # A string. # Defaults to false # +# [*ovndbs_virtual_ip*] +# Virtual IP on the OVNDBs service. +# A string. +# Defaults to false +# + class tripleo::keepalived ( $controller_virtual_ip, $control_virtual_interface, @@ -68,6 +74,7 @@ class tripleo::keepalived ( $storage_virtual_ip = false, $storage_mgmt_virtual_ip = false, $redis_virtual_ip = false, + $ovndbs_virtual_ip = false, ) { case $::osfamily { @@ -178,4 +185,15 @@ class tripleo::keepalived ( priority => 101, } } + if $ovndbs_virtual_ip and $ovndbs_virtual_ip != $controller_virtual_ip { + $ovndbs_virtual_interface = interface_for_ip($ovndbs_virtual_ip) + # KEEPALIVE OVNDBS MANAGEMENT NETWORK + keepalived::instance { '57': + interface => $ovndbs_virtual_interface, + virtual_ips => [join([$ovndbs_virtual_ip, ' dev ', $ovndbs_virtual_interface])], + state => 'MASTER', + track_script => ['haproxy'], + priority => 101, + } + } } diff --git a/manifests/profile/base/ironic/conductor.pp b/manifests/profile/base/ironic/conductor.pp index 7f90da9..cb0524b 100644 --- a/manifests/profile/base/ironic/conductor.pp +++ b/manifests/profile/base/ironic/conductor.pp @@ -34,6 +34,7 @@ class tripleo::profile::base::ironic::conductor ( if $step >= 4 { include ::ironic::conductor + include ::ironic::drivers::interfaces include ::ironic::drivers::pxe if $manage_pxe { include ::ironic::pxe diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index bb3f387..5909337 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -59,6 +59,15 @@ # heat admin user name # Defaults to undef # +# [*ldap_backends_config*] +# Configuration for keystone::ldap_backend. This takes a hash that will +# create each backend specified. +# Defaults to undef +# +# [*ldap_backend_enable*] +# Enables creating per-domain LDAP backends for keystone. +# Default to false +# # [*manage_db_purge*] # (Optional) Whether keystone token flushing should be enabled # Defaults to hiera('keystone_enable_db_purge', true) @@ -126,6 +135,8 @@ class tripleo::profile::base::keystone ( $heat_admin_email = undef, $heat_admin_password = undef, $heat_admin_user = undef, + $ldap_backends_config = undef, + $ldap_backend_enable = false, $manage_db_purge = hiera('keystone_enable_db_purge', true), $public_endpoint_network = hiera('keystone_public_api_network', undef), $oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'), @@ -207,6 +218,11 @@ class tripleo::profile::base::keystone ( ssl_key_admin => $tls_keyfile_admin, } include ::keystone::cors + + if $ldap_backend_enable { + validate_hash($ldap_backends_config) + create_resources('::keystone::ldap_backend', $ldap_backends_config) + } } if $step >= 4 and $manage_db_purge { diff --git a/manifests/profile/base/neutron/agents/bagpipe.pp b/manifests/profile/base/neutron/agents/bagpipe.pp new file mode 100644 index 0000000..fb5e000 --- /dev/null +++ b/manifests/profile/base/neutron/agents/bagpipe.pp @@ -0,0 +1,37 @@ +# +# Copyright (C) 2017 Red Hat Inc. +# +# Author: Ricardo Noriega <rnoriega@redhat.com> +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::agents::bagpipe +# +# Neutron Bagpipe Agent profile for TripleO +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::neutron::agents::bagpipe ( + $step = hiera('step'), +) { + include ::tripleo::profile::base::neutron + + if $step >= 4 { + include ::neutron::agents::bagpipe + } +} diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp index 6021731..c1d745a 100644 --- a/manifests/profile/base/pacemaker.pp +++ b/manifests/profile/base/pacemaker.pp @@ -55,6 +55,14 @@ # (Optional) Number of seconds to sleep between remote creation tries # Defaults to hiera('pacemaker_remote_try_sleep', 60) # +# [*cluster_recheck_interval*] +# (Optional) Set the cluster-wide cluster-recheck-interval property +# If the hiera key does not exist or if it is set to undef, the property +# won't be changed from its default value when there are no pacemaker_remote +# nodes. In presence of pacemaker_remote nodes and an undef value it will +# be set to 60s. +# Defaults to hiera('pacemaker_cluster_recheck_interval', undef) +# class tripleo::profile::base::pacemaker ( $step = hiera('step'), $pcs_tries = hiera('pcs_tries', 20), @@ -65,6 +73,7 @@ class tripleo::profile::base::pacemaker ( $remote_monitor_interval = hiera('pacemaker_remote_monitor_interval', 20), $remote_tries = hiera('pacemaker_remote_tries', 5), $remote_try_sleep = hiera('pacemaker_remote_try_sleep', 60), + $cluster_recheck_interval = hiera('pacemaker_cluster_recheck_interval', undef), ) { if count($remote_short_node_names) != count($remote_node_ips) { @@ -136,6 +145,22 @@ class tripleo::profile::base::pacemaker ( if $step >= 2 { if $pacemaker_master { include ::pacemaker::resource_defaults + # When we have a non-zero number of pacemaker remote nodes we + # want to set the cluster-recheck-interval property to something + # lower (unless the operator has explicitely set a value) + if count($remote_short_node_names) > 0 and $cluster_recheck_interval == undef { + pacemaker::property{ 'cluster-recheck-interval-property': + property => 'cluster-recheck-interval', + value => '60s', + tries => $pcs_tries, + } + } elsif $cluster_recheck_interval != undef { + pacemaker::property{ 'cluster-recheck-interval-property': + property => 'cluster-recheck-interval', + value => $cluster_recheck_interval, + tries => $pcs_tries, + } + } } } diff --git a/manifests/profile/base/swift/ringbuilder.pp b/manifests/profile/base/swift/ringbuilder.pp index 7e5fc74..f7cfea4 100644 --- a/manifests/profile/base/swift/ringbuilder.pp +++ b/manifests/profile/base/swift/ringbuilder.pp @@ -63,6 +63,12 @@ # Minimum amount of time before partitions can be moved. # Defaults to undef # +# [*swift_ring_get_tempurl*] +# GET tempurl to fetch Swift rings from +# +# [*swift_ring_put_tempurl*] +# PUT tempurl to upload Swift rings to +# class tripleo::profile::base::swift::ringbuilder ( $replicas, $build_ring = true, @@ -74,7 +80,23 @@ class tripleo::profile::base::swift::ringbuilder ( $swift_storage_node_ips = hiera('swift_storage_node_ips', []), $part_power = undef, $min_part_hours = undef, + $swift_ring_get_tempurl = hiera('swift_ring_get_tempurl', ''), + $swift_ring_put_tempurl = hiera('swift_ring_put_tempurl', ''), ) { + + if $step == 2 and $swift_ring_get_tempurl != '' { + exec{'fetch_swift_ring_tarball': + path => ['/usr/bin'], + command => "curl --insecure --silent '${swift_ring_get_tempurl}' -o /tmp/swift-rings.tar.gz", + returns => [0, 3] + } ~> + exec{'extract_swift_ring_tarball': + path => ['/bin'], + command => 'tar xzf /tmp/swift-rings.tar.gz -C /', + returns => [0, 2] + } + } + if $step >= 2 { # pre-install swift here so we can build rings include ::swift @@ -112,4 +134,18 @@ class tripleo::profile::base::swift::ringbuilder ( Ring_object_device<| |> ~> Exec['rebalance_container'] } } + + if $step == 5 and $build_ring and $swift_ring_put_tempurl != '' { + exec{'create_swift_ring_tarball': + path => ['/bin', '/usr/bin'], + command => 'tar cvzf /tmp/swift-rings.tar.gz /etc/swift/*.builder /etc/swift/*.ring.gz /etc/swift/backups/', + unless => 'swift-recon --md5 | grep -q "doesn\'t match"' + } ~> + exec{'upload_swift_ring_tarball': + path => ['/usr/bin'], + command => "curl --insecure --silent -X PUT '${$swift_ring_put_tempurl}' --data-binary @/tmp/swift-rings.tar.gz", + require => Exec['create_swift_ring_tarball'], + refreshonly => true, + } + } } |