diff options
Diffstat (limited to 'manifests')
| -rw-r--r-- | manifests/certmonger/rabbitmq.pp | 4 | ||||
| -rw-r--r-- | manifests/haproxy.pp | 114 | ||||
| -rw-r--r-- | manifests/keepalived.pp | 18 | ||||
| -rw-r--r-- | manifests/profile/base/ironic/conductor.pp | 1 | ||||
| -rw-r--r-- | manifests/profile/base/keystone.pp | 16 | ||||
| -rw-r--r-- | manifests/profile/base/logging/fluentd.pp | 160 | ||||
| -rw-r--r-- | manifests/profile/base/neutron/agents/bagpipe.pp | 37 | ||||
| -rw-r--r-- | manifests/profile/base/neutron/agents/l2gw.pp | 35 | ||||
| -rw-r--r-- | manifests/profile/base/pacemaker.pp | 25 | ||||
| -rw-r--r-- | manifests/profile/base/swift/proxy.pp | 58 |
10 files changed, 299 insertions, 169 deletions
diff --git a/manifests/certmonger/rabbitmq.pp b/manifests/certmonger/rabbitmq.pp index 344adef..4a47938 100644 --- a/manifests/certmonger/rabbitmq.pp +++ b/manifests/certmonger/rabbitmq.pp @@ -31,10 +31,6 @@ # (Optional) The CA that certmonger will use to generate the certificates. # Defaults to hiera('certmonger_ca', 'local'). # -# [*file_owner*] -# (Optional) The user which the certificate and key files belong to. -# Defaults to 'root' -# # [*principal*] # (Optional) The service principal that is set for the service in kerberos. # Defaults to undef diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index e5d57e5..7aca0e1 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -750,7 +750,7 @@ class tripleo::haproxy ( 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', # NOTE(jaosorior): We always redirect to https for the public_virtual_ip. 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }", - 'option' => 'forwardfor', + 'option' => [ 'forwardfor', 'httpchk' ], 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], @@ -762,7 +762,7 @@ class tripleo::haproxy ( } $horizon_options = { 'cookie' => 'SERVERID insert indirect nocache', - 'option' => 'forwardfor', + 'option' => [ 'forwardfor', 'httpchk' ], } } @@ -821,12 +821,20 @@ class tripleo::haproxy ( }, } + + $default_listen_options = { + 'option' => [ 'httpchk', ], + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + } Tripleo::Haproxy::Endpoint { haproxy_listen_bind_param => $haproxy_listen_bind_param, member_options => $haproxy_member_options, public_certificate => $service_certificate, use_internal_certificates => $use_internal_certificates, internal_certificates_specs => $internal_certificates_specs, + listen_options => $default_listen_options, } $stats_base = ['enable', 'uri /'] @@ -852,11 +860,7 @@ class tripleo::haproxy ( ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real), server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, + listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }), public_ssl_port => $ports[keystone_admin_api_ssl_port], service_network => $keystone_admin_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -864,11 +868,6 @@ class tripleo::haproxy ( } if $keystone_public { - $keystone_listen_opts = { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - } if $service_certificate { $keystone_public_tls_listen_opts = { 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', @@ -877,7 +876,9 @@ class tripleo::haproxy ( 'option' => 'forwardfor', } } else { - $keystone_public_tls_listen_opts = {} + $keystone_public_tls_listen_opts = { + 'option' => [ 'httpchk GET /v3', ], + } } ::tripleo::haproxy::endpoint { 'keystone_public': public_virtual_ip => $public_virtual_ip, @@ -886,7 +887,7 @@ class tripleo::haproxy ( ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real), server_names => hiera('keystone_public_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => merge($keystone_listen_opts, $keystone_public_tls_listen_opts), + listen_options => merge($default_listen_options, $keystone_public_tls_listen_opts), public_ssl_port => $ports[keystone_public_api_ssl_port], service_network => $keystone_public_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -901,11 +902,6 @@ class tripleo::haproxy ( ip_addresses => hiera('neutron_api_node_ips', $controller_hosts_real), server_names => hiera('neutron_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[neutron_api_ssl_port], service_network => $neutron_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -920,11 +916,6 @@ class tripleo::haproxy ( ip_addresses => hiera('cinder_api_node_ips', $controller_hosts_real), server_names => hiera('cinder_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[cinder_api_ssl_port], service_network => $cinder_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -939,11 +930,6 @@ class tripleo::haproxy ( ip_addresses => hiera('congress_node_ips', $controller_hosts_real), server_names => hiera('congress_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[congress_api_ssl_port], service_network => $congress_network, } @@ -957,11 +943,6 @@ class tripleo::haproxy ( ip_addresses => hiera('manila_api_node_ips', $controller_hosts_real), server_names => hiera('manila_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[manila_api_ssl_port], service_network => $manila_network, } @@ -987,11 +968,6 @@ class tripleo::haproxy ( ip_addresses => hiera('tacker_node_ips', $controller_hosts_real), server_names => hiera('tacker_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[tacker_api_ssl_port], service_network => $tacker_network, } @@ -1018,11 +994,7 @@ class tripleo::haproxy ( server_names => hiera('glance_api_node_names', $controller_hosts_names_real), public_ssl_port => $ports[glance_api_ssl_port], mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, + listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /healthcheck', ]}), service_network => $glance_api_network, member_options => union($haproxy_member_options, $internal_tls_member_options), } @@ -1037,11 +1009,6 @@ class tripleo::haproxy ( ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real), server_names => hiera('nova_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[nova_api_ssl_port], service_network => $nova_osapi_network, #member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1057,11 +1024,6 @@ class tripleo::haproxy ( ip_addresses => hiera('nova_placement_node_ips', $controller_hosts_real), server_names => hiera('nova_placement_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[nova_placement_ssl_port], service_network => $nova_placement_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1074,6 +1036,9 @@ class tripleo::haproxy ( service_port => $ports[nova_metadata_port], ip_addresses => hiera('nova_metadata_node_ips', $controller_hosts_real), server_names => hiera('nova_metadata_node_names', $controller_hosts_names_real), + listen_options => { + 'option' => [ 'httpchk', ], + }, service_network => $nova_metadata_network, } } @@ -1085,10 +1050,11 @@ class tripleo::haproxy ( service_port => $ports[nova_novnc_port], ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real), server_names => hiera('nova_api_node_names', $controller_hosts_names_real), - listen_options => { + listen_options => merge($default_listen_options, { + 'option' => [ 'tcpka' ], 'balance' => 'source', 'timeout' => [ 'tunnel 1h' ], - }, + }), public_ssl_port => $ports[nova_novnc_ssl_port], service_network => $nova_novncproxy_network, } @@ -1102,11 +1068,6 @@ class tripleo::haproxy ( ip_addresses => hiera('ec2_api_node_ips', $controller_hosts_real), server_names => hiera('ec2_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[ec2_api_ssl_port], service_network => $ec2_api_network, } @@ -1130,11 +1091,6 @@ class tripleo::haproxy ( ip_addresses => hiera('ceilometer_api_node_ips', $controller_hosts_real), server_names => hiera('ceilometer_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[ceilometer_api_ssl_port], service_network => $ceilometer_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1149,11 +1105,6 @@ class tripleo::haproxy ( ip_addresses => hiera('aodh_api_node_ips', $controller_hosts_real), server_names => hiera('aodh_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[aodh_api_ssl_port], service_network => $aodh_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1167,11 +1118,6 @@ class tripleo::haproxy ( service_port => $ports[panko_api_port], ip_addresses => hiera('panko_api_node_ips', $controller_hosts_real), server_names => hiera('panko_api_node_names', $controller_hosts_names_real), - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[panko_api_ssl_port], service_network => $panko_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1199,11 +1145,6 @@ class tripleo::haproxy ( ip_addresses => hiera('gnocchi_api_node_ips', $controller_hosts_real), server_names => hiera('gnocchi_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, public_ssl_port => $ports[gnocchi_api_ssl_port], service_network => $gnocchi_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1224,6 +1165,7 @@ class tripleo::haproxy ( if $swift_proxy_server { $swift_proxy_server_listen_options = { + 'option' => [ 'httpchk GET /healthcheck', ], 'timeout client' => '2m', 'timeout server' => '2m', } @@ -1236,22 +1178,19 @@ class tripleo::haproxy ( listen_options => $swift_proxy_server_listen_options, public_ssl_port => $ports[swift_proxy_ssl_port], service_network => $swift_proxy_server_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } $heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip) $heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real) - $heat_base_options = { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }']} if $service_certificate { $heat_ssl_options = { 'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1", } - $heat_options = merge($heat_base_options, $heat_ssl_options) + $heat_options = merge($default_listen_options, $heat_ssl_options) } else { - $heat_options = $heat_base_options + $heat_options = $default_listen_options } if $heat_api { @@ -1514,6 +1453,7 @@ class tripleo::haproxy ( server_names => hiera('ceph_rgw_node_names', $controller_hosts_names_real), public_ssl_port => $ports[ceph_rgw_ssl_port], service_network => $ceph_rgw_network, + listen_options => merge($default_listen_options, { 'option' => [ 'httpchk HEAD /' ] }), } } diff --git a/manifests/keepalived.pp b/manifests/keepalived.pp index a6d5832..aa0e5d6 100644 --- a/manifests/keepalived.pp +++ b/manifests/keepalived.pp @@ -59,6 +59,12 @@ # A string. # Defaults to false # +# [*ovndbs_virtual_ip*] +# Virtual IP on the OVNDBs service. +# A string. +# Defaults to false +# + class tripleo::keepalived ( $controller_virtual_ip, $control_virtual_interface, @@ -68,6 +74,7 @@ class tripleo::keepalived ( $storage_virtual_ip = false, $storage_mgmt_virtual_ip = false, $redis_virtual_ip = false, + $ovndbs_virtual_ip = false, ) { case $::osfamily { @@ -178,4 +185,15 @@ class tripleo::keepalived ( priority => 101, } } + if $ovndbs_virtual_ip and $ovndbs_virtual_ip != $controller_virtual_ip { + $ovndbs_virtual_interface = interface_for_ip($ovndbs_virtual_ip) + # KEEPALIVE OVNDBS MANAGEMENT NETWORK + keepalived::instance { '57': + interface => $ovndbs_virtual_interface, + virtual_ips => [join([$ovndbs_virtual_ip, ' dev ', $ovndbs_virtual_interface])], + state => 'MASTER', + track_script => ['haproxy'], + priority => 101, + } + } } diff --git a/manifests/profile/base/ironic/conductor.pp b/manifests/profile/base/ironic/conductor.pp index 7f90da9..cb0524b 100644 --- a/manifests/profile/base/ironic/conductor.pp +++ b/manifests/profile/base/ironic/conductor.pp @@ -34,6 +34,7 @@ class tripleo::profile::base::ironic::conductor ( if $step >= 4 { include ::ironic::conductor + include ::ironic::drivers::interfaces include ::ironic::drivers::pxe if $manage_pxe { include ::ironic::pxe diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index bb3f387..5909337 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -59,6 +59,15 @@ # heat admin user name # Defaults to undef # +# [*ldap_backends_config*] +# Configuration for keystone::ldap_backend. This takes a hash that will +# create each backend specified. +# Defaults to undef +# +# [*ldap_backend_enable*] +# Enables creating per-domain LDAP backends for keystone. +# Default to false +# # [*manage_db_purge*] # (Optional) Whether keystone token flushing should be enabled # Defaults to hiera('keystone_enable_db_purge', true) @@ -126,6 +135,8 @@ class tripleo::profile::base::keystone ( $heat_admin_email = undef, $heat_admin_password = undef, $heat_admin_user = undef, + $ldap_backends_config = undef, + $ldap_backend_enable = false, $manage_db_purge = hiera('keystone_enable_db_purge', true), $public_endpoint_network = hiera('keystone_public_api_network', undef), $oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'), @@ -207,6 +218,11 @@ class tripleo::profile::base::keystone ( ssl_key_admin => $tls_keyfile_admin, } include ::keystone::cors + + if $ldap_backend_enable { + validate_hash($ldap_backends_config) + create_resources('::keystone::ldap_backend', $ldap_backends_config) + } } if $step >= 4 and $manage_db_purge { diff --git a/manifests/profile/base/logging/fluentd.pp b/manifests/profile/base/logging/fluentd.pp index 9e1aa8d..fc996e9 100644 --- a/manifests/profile/base/logging/fluentd.pp +++ b/manifests/profile/base/logging/fluentd.pp @@ -71,105 +71,109 @@ class tripleo::profile::base::logging::fluentd ( $fluentd_listen_syslog = true, $fluentd_syslog_port = 42185 ) { - include ::fluentd - if $fluentd_groups { - user { $::fluentd::config_owner: - ensure => present, - groups => $fluentd_groups, - membership => 'minimum', + if $step >= 4 { + include ::fluentd + + if $fluentd_groups { + Package<| tag == 'openstack' |> -> + user { $::fluentd::config_owner: + ensure => present, + groups => $fluentd_groups, + membership => 'minimum', + } } - } - if $fluentd_pos_file_path { - file { $fluentd_pos_file_path: - ensure => 'directory', - owner => $::fluentd::config_owner, - group => $::fluentd::config_group, - mode => '0750', + if $fluentd_pos_file_path { + file { $fluentd_pos_file_path: + ensure => 'directory', + owner => $::fluentd::config_owner, + group => $::fluentd::config_group, + mode => '0750', + } } - } - ::fluentd::plugin { 'rubygem-fluent-plugin-add': - plugin_provider => 'yum', - } + ::fluentd::plugin { 'rubygem-fluent-plugin-add': + plugin_provider => 'yum', + } - if $fluentd_sources { - ::fluentd::config { '100-openstack-sources.conf': - config => { - 'source' => $fluentd_sources, + if $fluentd_sources { + ::fluentd::config { '100-openstack-sources.conf': + config => { + 'source' => $fluentd_sources, + } } } - } - if $fluentd_listen_syslog { - # fluentd will receive syslog messages by listening on a local udp - # socket. - ::fluentd::config { '110-system-sources.conf': - config => { - 'source' => { - 'type' => 'syslog', - 'tag' => 'system.messages', - 'port' => $fluentd_syslog_port, + if $fluentd_listen_syslog { + # fluentd will receive syslog messages by listening on a local udp + # socket. + ::fluentd::config { '110-system-sources.conf': + config => { + 'source' => { + 'type' => 'syslog', + 'tag' => 'system.messages', + 'port' => $fluentd_syslog_port, + } } } - } - file { '/etc/rsyslog.d/fluentd.conf': - content => "*.* @127.0.0.1:${fluentd_syslog_port}", - owner => 'root', - group => 'root', - mode => '0644', - } ~> exec { 'reload rsyslog': - command => '/bin/systemctl restart rsyslog', + file { '/etc/rsyslog.d/fluentd.conf': + content => "*.* @127.0.0.1:${fluentd_syslog_port}", + owner => 'root', + group => 'root', + mode => '0644', + } ~> exec { 'reload rsyslog': + command => '/bin/systemctl restart rsyslog', + } } - } - if $fluentd_filters { - ::fluentd::config { '200-openstack-filters.conf': - config => { - 'filter' => $fluentd_filters, + if $fluentd_filters { + ::fluentd::config { '200-openstack-filters.conf': + config => { + 'filter' => $fluentd_filters, + } } } - } - if $fluentd_servers and !empty($fluentd_servers) { - if $fluentd_use_ssl { - ::fluentd::plugin { 'rubygem-fluent-plugin-secure-forward': - plugin_provider => 'yum', - } + if $fluentd_servers and !empty($fluentd_servers) { + if $fluentd_use_ssl { + ::fluentd::plugin { 'rubygem-fluent-plugin-secure-forward': + plugin_provider => 'yum', + } - file {'/etc/fluentd/ca_cert.pem': - content => $fluentd_ssl_certificate, - owner => $::fluentd::config_owner, - group => $::fluentd::config_group, - mode => '0444', - } + file {'/etc/fluentd/ca_cert.pem': + content => $fluentd_ssl_certificate, + owner => $::fluentd::config_owner, + group => $::fluentd::config_group, + mode => '0444', + } - ::fluentd::config { '300-openstack-matches.conf': - config => { - 'match' => { - # lint:ignore:single_quote_string_with_variables - # lint:ignore:quoted_booleans - 'type' => 'secure_forward', - 'tag_pattern' => '**', - 'self_hostname' => '${hostname}', - 'secure' => 'true', - 'ca_cert_path' => '/etc/fluentd/ca_cert.pem', - 'shared_key' => $fluentd_shared_key, - 'server' => $fluentd_servers, - # lint:endignore - # lint:endignore + ::fluentd::config { '300-openstack-matches.conf': + config => { + 'match' => { + # lint:ignore:single_quote_string_with_variables + # lint:ignore:quoted_booleans + 'type' => 'secure_forward', + 'tag_pattern' => '**', + 'self_hostname' => '${hostname}', + 'secure' => 'true', + 'ca_cert_path' => '/etc/fluentd/ca_cert.pem', + 'shared_key' => $fluentd_shared_key, + 'server' => $fluentd_servers, + # lint:endignore + # lint:endignore + } } } - } - } else { - ::fluentd::config { '300-openstack-matches.conf': - config => { - 'match' => { - 'type' => 'forward', - 'tag_pattern' => '**', - 'server' => $fluentd_servers, + } else { + ::fluentd::config { '300-openstack-matches.conf': + config => { + 'match' => { + 'type' => 'forward', + 'tag_pattern' => '**', + 'server' => $fluentd_servers, + } } } } diff --git a/manifests/profile/base/neutron/agents/bagpipe.pp b/manifests/profile/base/neutron/agents/bagpipe.pp new file mode 100644 index 0000000..fb5e000 --- /dev/null +++ b/manifests/profile/base/neutron/agents/bagpipe.pp @@ -0,0 +1,37 @@ +# +# Copyright (C) 2017 Red Hat Inc. +# +# Author: Ricardo Noriega <rnoriega@redhat.com> +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::agents::bagpipe +# +# Neutron Bagpipe Agent profile for TripleO +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::neutron::agents::bagpipe ( + $step = hiera('step'), +) { + include ::tripleo::profile::base::neutron + + if $step >= 4 { + include ::neutron::agents::bagpipe + } +} diff --git a/manifests/profile/base/neutron/agents/l2gw.pp b/manifests/profile/base/neutron/agents/l2gw.pp new file mode 100644 index 0000000..10cd662 --- /dev/null +++ b/manifests/profile/base/neutron/agents/l2gw.pp @@ -0,0 +1,35 @@ +# +# Copyright (C) 2017 Red Hat Inc. +# +# Author: Peng Liu <pliu@redhat.com> +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::agent::l2gw +# +# Neutron L2 Gateway agent profile for TripleO +# +# === Parameters +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::neutron::agents::l2gw ( + $step = hiera('step'), +) { + if $step >= 4 { + include ::neutron::agents::l2gw + } +} diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp index 6021731..c1d745a 100644 --- a/manifests/profile/base/pacemaker.pp +++ b/manifests/profile/base/pacemaker.pp @@ -55,6 +55,14 @@ # (Optional) Number of seconds to sleep between remote creation tries # Defaults to hiera('pacemaker_remote_try_sleep', 60) # +# [*cluster_recheck_interval*] +# (Optional) Set the cluster-wide cluster-recheck-interval property +# If the hiera key does not exist or if it is set to undef, the property +# won't be changed from its default value when there are no pacemaker_remote +# nodes. In presence of pacemaker_remote nodes and an undef value it will +# be set to 60s. +# Defaults to hiera('pacemaker_cluster_recheck_interval', undef) +# class tripleo::profile::base::pacemaker ( $step = hiera('step'), $pcs_tries = hiera('pcs_tries', 20), @@ -65,6 +73,7 @@ class tripleo::profile::base::pacemaker ( $remote_monitor_interval = hiera('pacemaker_remote_monitor_interval', 20), $remote_tries = hiera('pacemaker_remote_tries', 5), $remote_try_sleep = hiera('pacemaker_remote_try_sleep', 60), + $cluster_recheck_interval = hiera('pacemaker_cluster_recheck_interval', undef), ) { if count($remote_short_node_names) != count($remote_node_ips) { @@ -136,6 +145,22 @@ class tripleo::profile::base::pacemaker ( if $step >= 2 { if $pacemaker_master { include ::pacemaker::resource_defaults + # When we have a non-zero number of pacemaker remote nodes we + # want to set the cluster-recheck-interval property to something + # lower (unless the operator has explicitely set a value) + if count($remote_short_node_names) > 0 and $cluster_recheck_interval == undef { + pacemaker::property{ 'cluster-recheck-interval-property': + property => 'cluster-recheck-interval', + value => '60s', + tries => $pcs_tries, + } + } elsif $cluster_recheck_interval != undef { + pacemaker::property{ 'cluster-recheck-interval-property': + property => 'cluster-recheck-interval', + value => $cluster_recheck_interval, + tries => $pcs_tries, + } + } } } diff --git a/manifests/profile/base/swift/proxy.pp b/manifests/profile/base/swift/proxy.pp index 0d9ba68..e80c8c9 100644 --- a/manifests/profile/base/swift/proxy.pp +++ b/manifests/profile/base/swift/proxy.pp @@ -46,6 +46,22 @@ # Username for messaging nova queue # Defaults to hiera('swift::proxy::ceilometer::rabbit_user', 'guest') # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# # [*memcache_port*] # (Optional) memcache port # Defaults to 11211 @@ -59,6 +75,26 @@ # for more details. # Defaults to hiera('step') # +# [*swift_proxy_network*] +# (Optional) The network name where the swift proxy endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('swift_proxy_network', undef) +# +# [*tls_proxy_bind_ip*] +# IP on which the TLS proxy will listen on. Required only if +# enable_internal_tls is set. +# Defaults to undef +# +# [*tls_proxy_fqdn*] +# fqdn on which the tls proxy will listen on. required only used if +# enable_internal_tls is set. +# defaults to undef +# +# [*tls_proxy_port*] +# port on which the tls proxy will listen on. Only used if +# enable_internal_tls is set. +# defaults to 8080 +# class tripleo::profile::base::swift::proxy ( $ceilometer_enabled = true, $ceilometer_messaging_driver = hiera('messaging_notify_service_name', 'rabbit'), @@ -67,11 +103,33 @@ class tripleo::profile::base::swift::proxy ( $ceilometer_messaging_port = hiera('tripleo::profile::base::swift::proxy::rabbit_port', '5672'), $ceilometer_messaging_use_ssl = '0', $ceilometer_messaging_username = hiera('swift::proxy::ceilometer::rabbit_user', 'guest'), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), $memcache_port = 11211, $memcache_servers = hiera('memcached_node_ips'), $step = hiera('step'), + $swift_proxy_network = hiera('swift_proxy_network', undef), + $tls_proxy_bind_ip = undef, + $tls_proxy_fqdn = undef, + $tls_proxy_port = 8080, ) { if $step >= 4 { + if $enable_internal_tls { + if !$swift_proxy_network { + fail('swift_proxy_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${swift_proxy_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${swift_proxy_network}"]['service_key'] + + ::tripleo::tls_proxy { 'swift-proxy-api': + servername => $tls_proxy_fqdn, + ip => $tls_proxy_bind_ip, + port => $tls_proxy_port, + tls_cert => $tls_certfile, + tls_key => $tls_keyfile, + notify => Class['::neutron::server'], + } + } $swift_memcache_servers = suffix(any2array(normalize_ip_for_uri($memcache_servers)), ":${memcache_port}") include ::swift::config include ::swift::proxy |