Diffstat (limited to 'manifests')
-rw-r--r--manifests/glance/nfs_mount.pp80
-rw-r--r--manifests/haproxy.pp81
-rw-r--r--manifests/keepalived.pp1
-rw-r--r--manifests/network/os_net_config.pp11
-rw-r--r--manifests/profile/base/aodh.pp3
-rw-r--r--manifests/profile/base/barbican.pp36
-rw-r--r--manifests/profile/base/barbican/api.pp56
-rw-r--r--manifests/profile/base/ceilometer.pp3
-rw-r--r--manifests/profile/base/cinder.pp3
-rw-r--r--manifests/profile/base/glance/api.pp21
-rw-r--r--manifests/profile/base/gnocchi/api.pp59
-rw-r--r--manifests/profile/base/heat.pp5
-rw-r--r--manifests/profile/base/ironic.pp3
-rw-r--r--manifests/profile/base/keystone.pp57
-rw-r--r--manifests/profile/base/manila.pp3
-rw-r--r--manifests/profile/base/mistral.pp3
-rw-r--r--manifests/profile/base/neutron.pp3
-rw-r--r--manifests/profile/base/neutron/plugins/ml2/opendaylight.pp6
-rw-r--r--manifests/profile/base/nova.pp3
-rw-r--r--manifests/profile/base/nova/api.pp57
-rw-r--r--manifests/profile/base/sahara.pp3
-rw-r--r--manifests/profile/base/swift/proxy.pp19
-rw-r--r--manifests/ui.pp2
23 files changed, 463 insertions, 55 deletions
diff --git a/manifests/glance/nfs_mount.pp b/manifests/glance/nfs_mount.pp
new file mode 100644
index 0000000..035191d
--- /dev/null
+++ b/manifests/glance/nfs_mount.pp
@@ -0,0 +1,80 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::glance::nfs_mount
+#
+# NFS mount for Glance image storage file backend
+#
+# === Parameters
+#
+# [*share*]
+# NFS share to mount, in 'IP:PATH' format.
+#
+# [*options*]
+# (Optional) NFS mount options. Defaults to
+# 'intr,context=system_u:object_r:glance_var_lib_t:s0'
+#
+# [*edit_fstab*]
+# (Optional) Whether to persist the mount info to fstab.
+# Defaults to true.
+#
+# [*fstab_fstype*]
+# (Optional) File system type to use in fstab for the mount.
+# Defaults to 'nfs4'.
+#
+# [*fstab_prepend_options*]
+# (Optional) Extra mount options for fstab (prepended to $options).
+# Defaults to 'bg', so that a potentially failed mount doesn't
+# prevent the machine from booting.
+#
+class tripleo::glance::nfs_mount (
+ $share,
+ $options = 'intr,context=system_u:object_r:glance_var_lib_t:s0',
+ $edit_fstab = true,
+ $fstab_fstype = 'nfs4',
+ $fstab_prepend_options = 'bg'
+) {
+
+ $images_dir = '/var/lib/glance/images'
+
+ if $options and $options != '' {
+ $options_part = "-o ${options}"
+ } else {
+ $options_part = ''
+ }
+
+ if $fstab_prepend_options and $fstab_prepend_options != '' {
+ $fstab_prepend_part = "${fstab_prepend_options},"
+ } else {
+ $fstab_prepend_part = ''
+ }
+
+ file { $images_dir:
+ ensure => directory,
+ } ->
+ exec { 'NFS mount for glance file backend':
+ path => ['/usr/sbin', '/usr/bin'],
+ command => "mount -t nfs '${share}' '${images_dir}' ${options_part}",
+ unless => "mount | grep ' ${images_dir} '",
+ }
+
+ if $edit_fstab {
+ file_line { 'NFS for glance in fstab':
+ ensure => present,
+ line => "${share} ${images_dir} ${fstab_fstype} ${fstab_prepend_part}${options} 0 0",
+ match => " ${images_dir} ",
+ path => '/etc/fstab',
+ }
+ }
+}
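Review bot: The live mount on the `exec` line uses `mount -t nfs` while the fstab entry written below uses `$fstab_fstype`, which defaults to `nfs4`, so the filesystem Puppet mounts and the one mounted at boot can differ in NFS version and negotiated options; `command => "mount -t ${fstab_fstype} '${share}' '${images_dir}' ${options_part}",` keeps the two paths consistent. The fstab line concatenates `${fstab_prepend_part}${options}`, so an empty `$options` with the default `bg` prefix produces `bg,` with a trailing comma; building the option string with `join(delete([$fstab_prepend_options, $options], ''), ',')` avoids that. `$share` is interpolated into a shell command and into fstab straight from hiera, so a `validate_re` against the documented `IP:PATH` shape would make a malformed value fail at compile time rather than at mount time.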
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index bd708af..5b69edd 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -37,7 +37,7 @@
#
# [*haproxy_default_timeout*]
# The value to use as timeout in the HAProxy default config section.
-# Defaults to [ 'http-request 10s', 'queue 1m', 'connect 10s', 'client 1m', 'server 1m', 'check 10s' ]
+# Defaults to [ 'http-request 10s', 'queue 2m', 'connect 10s', 'client 2m', 'server 2m', 'check 10s' ]
#
# [*haproxy_listen_bind_param*]
# A list of params to be added to the HAProxy listener bind directive. By
@@ -182,6 +182,10 @@
# (optional) Enable or not Aodh API binding
# Defaults to hiera('aodh_api_enabled', false)
#
+# [*barbican*]
+# (optional) Enable or not Barbican API binding
+# Defaults to hiera('barbican_api_enabled', false)
+#
# [*gnocchi*]
# (optional) Enable or not Gnocchi API binding
# Defaults to hiera('gnocchi_api_enabled', false)
@@ -226,6 +230,14 @@
# (optional) Enable check via clustercheck for mysql
# Defaults to false
#
+# [*mysql_member_options*]
+# The options to use for the mysql HAProxy balancer members.
+# If this parameter is undefined, the actual value configured will depend
+# on the value of $mysql_clustercheck. If cluster checking is enabled,
+# the mysql member options will be: "['backup', 'port 9200', 'on-marked-down shutdown-sessions', 'check', 'inter 1s']"
+# and if mysql cluster checking is disabled, the member options will be: "union($haproxy_member_options, ['backup'])"
+# Defaults to undef
+#
# [*rabbitmq*]
# (optional) Enable or not RabbitMQ binding
# Defaults to false
@@ -271,6 +283,10 @@
# (optional) Specify the network aodh is running on.
# Defaults to hiera('aodh_api_network', undef)
#
+# [*barbican_network*]
+# (optional) Specify the network barbican is running on.
+# Defaults to hiera('barbican_api_network', undef)
+#
# [*ceilometer_network*]
# (optional) Specify the network ceilometer is running on.
# Defaults to hiera('ceilometer_api_network', undef)
@@ -376,6 +392,8 @@
# The available keys to modify the services' ports are:
# 'aodh_api_port' (Defaults to 8042)
# 'aodh_api_ssl_port' (Defaults to 13042)
+# 'barbican_api_port' (Defaults to 9311)
+# 'barbican_api_ssl_port' (Defaults to 13311)
# 'ceilometer_api_port' (Defaults to 8777)
# 'ceilometer_api_ssl_port' (Defaults to 13777)
# 'cinder_api_port' (Defaults to 8776)
@@ -435,7 +453,7 @@ class tripleo::haproxy (
$haproxy_service_manage = true,
$haproxy_global_maxconn = 20480,
$haproxy_default_maxconn = 4096,
- $haproxy_default_timeout = [ 'http-request 10s', 'queue 1m', 'connect 10s', 'client 1m', 'server 1m', 'check 10s' ],
+ $haproxy_default_timeout = [ 'http-request 10s', 'queue 2m', 'connect 10s', 'client 2m', 'server 2m', 'check 10s' ],
$haproxy_listen_bind_param = [ 'transparent' ],
$haproxy_member_options = [ 'check', 'inter 2000', 'rise 2', 'fall 5' ],
$haproxy_log_address = '/dev/log',
@@ -464,6 +482,7 @@ class tripleo::haproxy (
$nova_novncproxy = hiera('nova_vnc_proxy_enabled', false),
$ceilometer = hiera('ceilometer_api_enabled', false),
$aodh = hiera('aodh_api_enabled', false),
+ $barbican = hiera('barbican_api_enabled', false),
$gnocchi = hiera('gnocchi_api_enabled', false),
$mistral = hiera('mistral_api_enabled', false),
$swift_proxy_server = hiera('swift_proxy_enabled', false),
@@ -475,6 +494,7 @@ class tripleo::haproxy (
$ironic_inspector = hiera('ironic_inspector_enabled', false),
$mysql = hiera('mysql_enabled', false),
$mysql_clustercheck = false,
+ $mysql_member_options = undef,
$rabbitmq = false,
$docker_registry = hiera('enable_docker_registry', false),
$redis = hiera('redis_enabled', false),
@@ -486,6 +506,7 @@ class tripleo::haproxy (
$zaqar_ws = hiera('zaqar_api_enabled', false),
$ui = hiera('enable_ui', false),
$aodh_network = hiera('aodh_api_network', undef),
+ $barbican_network = hiera('barbican_api_network', false),
$ceilometer_network = hiera('ceilometer_api_network', undef),
$ceph_rgw_network = hiera('ceph_rgw_network', undef),
$cinder_network = hiera('cinder_api_network', undef),
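Review bot: `$barbican_network` defaults to `hiera('barbican_api_network', false)` while the docblock added earlier in this diff and every neighbouring `*_network` parameter fall back to `undef`; `$barbican_network = hiera('barbican_api_network', undef),` keeps the documented contract and avoids handing a literal `false` to the endpoint's `service_network`.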
@@ -515,6 +536,8 @@ class tripleo::haproxy (
$default_service_ports = {
aodh_api_port => 8042,
aodh_api_ssl_port => 13042,
+ barbican_api_port => 9311,
+ barbican_api_ssl_port => 13311,
ceilometer_api_port => 8777,
ceilometer_api_ssl_port => 13777,
cinder_api_port => 8776,
@@ -585,6 +608,8 @@ class tripleo::haproxy (
# This code will be removed once we switch undercloud and overcloud to use both haproxy & keepalived roles.
if $keepalived {
include ::tripleo::keepalived
+ # Make sure keepalive starts before haproxy.
+ Class['::keepalived::service'] -> Class['::haproxy']
}
# TODO(bnemec): When we have support for SSL on private and admin endpoints,
@@ -759,6 +784,11 @@ class tripleo::haproxy (
service_port => $ports[neutron_api_port],
ip_addresses => hiera('neutron_api_node_ips', $controller_hosts_real),
server_names => hiera('neutron_api_node_names', $controller_hosts_names_real),
+ listen_options => {
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
+ },
public_ssl_port => $ports[neutron_api_ssl_port],
service_network => $neutron_network,
}
@@ -868,6 +898,7 @@ class tripleo::haproxy (
},
public_ssl_port => $ports[nova_api_ssl_port],
service_network => $nova_osapi_network,
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
}
}
@@ -904,6 +935,11 @@ class tripleo::haproxy (
service_port => $ports[ceilometer_api_port],
ip_addresses => hiera('ceilometer_api_node_ips', $controller_hosts_real),
server_names => hiera('ceilometer_api_node_names', $controller_hosts_names_real),
+ listen_options => {
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
+ },
public_ssl_port => $ports[ceilometer_api_ssl_port],
service_network => $ceilometer_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -917,12 +953,29 @@ class tripleo::haproxy (
service_port => $ports[aodh_api_port],
ip_addresses => hiera('aodh_api_node_ips', $controller_hosts_real),
server_names => hiera('aodh_api_node_names', $controller_hosts_names_real),
+ listen_options => {
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
+ },
public_ssl_port => $ports[aodh_api_ssl_port],
service_network => $aodh_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
}
}
+ if $barbican {
+ ::tripleo::haproxy::endpoint { 'barbican':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('barbican_api_vip', $controller_virtual_ip),
+ service_port => $ports[barbican_api_port],
+ ip_addresses => hiera('barbican_api_node_ips', $controller_hosts_real),
+ server_names => hiera('aodh_api_node_names', $controller_hosts_names_real),
+ public_ssl_port => $ports[barbican_api_ssl_port],
+ service_network => $barbican_network
+ }
+ }
+
if $gnocchi {
::tripleo::haproxy::endpoint { 'gnocchi':
public_virtual_ip => $public_virtual_ip,
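Review bot: The new barbican endpoint reads its server names from the aodh key, `server_names => hiera('aodh_api_node_names', $controller_hosts_names_real),`, which looks like a copy-paste slip; it should be `hiera('barbican_api_node_names', $controller_hosts_names_real)` to match the `barbican_api_node_ips` lookup on the line above, otherwise backend names and addresses come from two different services. The barbican block also omits the `listen_options` X-Forwarded-Proto headers and the `member_options => union($haproxy_member_options, $internal_tls_member_options)` that the aodh, ceilometer and gnocchi endpoints gain in this diff; if that is deliberate a one-line comment saying so would help, otherwise barbican will not see the forwarded scheme and is left out of the internal-TLS member checks.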
@@ -930,8 +983,14 @@ class tripleo::haproxy (
service_port => $ports[gnocchi_api_port],
ip_addresses => hiera('gnocchi_api_node_ips', $controller_hosts_real),
server_names => hiera('gnocchi_api_node_names', $controller_hosts_names_real),
+ listen_options => {
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
+ },
public_ssl_port => $ports[gnocchi_api_ssl_port],
service_network => $gnocchi_network,
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
}
}
@@ -1069,13 +1128,21 @@ class tripleo::haproxy (
'stick-table' => 'type ip size 1000',
'stick' => 'on dst',
}
- $mysql_member_options = union($haproxy_member_options, ['backup', 'port 9200', 'on-marked-down shutdown-sessions'])
+ if $mysql_member_options {
+ $mysql_member_options_real = $mysql_member_options
+ } else {
+ $mysql_member_options_real = ['backup', 'port 9200', 'on-marked-down shutdown-sessions', 'check', 'inter 1s']
+ }
} else {
$mysql_listen_options = {
'timeout client' => '90m',
'timeout server' => '90m',
}
- $mysql_member_options = union($haproxy_member_options, ['backup'])
+ if $mysql_member_options {
+ $mysql_member_options_real = $mysql_member_options
+ } else {
+ $mysql_member_options_real = union($haproxy_member_options, ['backup'])
+ }
}
if $mysql {
@@ -1089,7 +1156,7 @@ class tripleo::haproxy (
ports => '3306',
ipaddresses => hiera('mysql_node_ips', $controller_hosts_real),
server_names => hiera('mysql_node_names', $controller_hosts_names_real),
- options => $mysql_member_options,
+ options => $mysql_member_options_real,
}
}
@@ -1198,8 +1265,8 @@ class tripleo::haproxy (
$opendaylight_api_vip = hiera('opendaylight_api_vip', $controller_virtual_ip)
$opendaylight_bind_opts = {
- "${opendaylight_api_vip}:8081" => [],
- "${public_virtual_ip}:8081" => [],
+ "${opendaylight_api_vip}:8081" => $haproxy_listen_bind_param,
+ "${public_virtual_ip}:8081" => $haproxy_listen_bind_param,
}
if $opendaylight {
diff --git a/manifests/keepalived.pp b/manifests/keepalived.pp
index c0fb3ef..0e9262d 100644
--- a/manifests/keepalived.pp
+++ b/manifests/keepalived.pp
@@ -158,5 +158,4 @@ class tripleo::keepalived (
priority => 101,
}
}
-
}
diff --git a/manifests/network/os_net_config.pp b/manifests/network/os_net_config.pp
index 7e07f6c..3283b5f 100644
--- a/manifests/network/os_net_config.pp
+++ b/manifests/network/os_net_config.pp
@@ -30,6 +30,17 @@ class tripleo::network::os_net_config {
Package['openvswitch'],
Service['openvswitch'],
],
+ notify => Exec['trigger-keepalived-restart'],
}
+ # By modifying the keepalived.conf file we ensure that puppet will
+ # trigger a restart of keepalived during the main stage. Adding back
+ # any lost conf during the os-net-config step.
+ exec { 'trigger-keepalived-restart':
+ command => '/usr/bin/echo "# Restart keepalived" >> /etc/keepalived/keepalived.conf',
+ path => '/usr/bin:/bin',
+ refreshonly => true,
+ # Only if keepalived is installed
+ onlyif => 'test -e /etc/keepalived/keepalived.conf',
+ }
}
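Review bot: The `trigger-keepalived-restart` exec appends a marker line to `/etc/keepalived/keepalived.conf` every time the os-net-config resource changes, and nothing in this hunk removes it again; the file only stays bounded if a `keepalived.conf` file resource in the main stage rewrites it on each run, which is an assumption the comment should state. Suggested wording above the exec: `# The appended line is reverted when the keepalived config file resource rewrites the file in the main stage; the resulting content change is what triggers the service restart.` The enclosing class starts outside the hunk.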
diff --git a/manifests/profile/base/aodh.pp b/manifests/profile/base/aodh.pp
index 02c1d07..281e069 100644
--- a/manifests/profile/base/aodh.pp
+++ b/manifests/profile/base/aodh.pp
@@ -49,8 +49,9 @@ class tripleo::profile::base::aodh (
}
if $step >= 4 or ($step >= 3 and $sync_db) {
+ $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}")
class { '::aodh' :
- rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}")
+ rabbit_hosts => $rabbit_endpoints,
}
include ::aodh::auth
include ::aodh::config
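Review bot: The expression `suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}")` is introduced verbatim here and again in ceilometer.pp, cinder.pp, glance/api.pp, heat.pp, ironic.pp, keystone.pp, manila.pp, mistral.pp, neutron.pp and nova.pp; eleven copies of the same host-formatting logic will drift the next time one of them has to change. A small shared helper in this module would remove the duplication; failing that, a comment at each site such as `# Bracket IPv6 literals before appending the port so the host list is valid in a URI` would at least record why the plain `suffix()` call was replaced.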
diff --git a/manifests/profile/base/barbican.pp b/manifests/profile/base/barbican.pp
new file mode 100644
index 0000000..f4d6230
--- /dev/null
+++ b/manifests/profile/base/barbican.pp
@@ -0,0 +1,36 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::barbican
+#
+# Barbican profile for tripleo
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+
+class tripleo::profile::base::barbican (
+ $step = hiera('step'),
+) {
+
+ if $step >= 3 {
+ include ::barbican
+ include ::barbican::config
+ include ::barbican::client
+ }
+}
diff --git a/manifests/profile/base/barbican/api.pp b/manifests/profile/base/barbican/api.pp
new file mode 100644
index 0000000..470e649
--- /dev/null
+++ b/manifests/profile/base/barbican/api.pp
@@ -0,0 +1,56 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::barbican::api
+#
+# Barbican profile for tripleo api
+#
+# === Parameters
+#
+# [*bootstrap_node*]
+# (Optional) The hostname of the node responsible for bootstrapping tasks
+# Defaults to hiera('bootstrap_nodeid')
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+class tripleo::profile::base::barbican::api (
+ $bootstrap_node = hiera('bootstrap_nodeid', undef),
+ $step = hiera('step'),
+) {
+ if $::hostname == downcase($bootstrap_node) {
+ $sync_db = true
+ } else {
+ $sync_db = false
+ }
+
+ include ::tripleo::profile::base::barbican
+
+ if $step >= 3 and $sync_db {
+ include ::barbican::db::mysql
+ }
+
+ if $step >= 4 or ( $step >= 3 and $sync_db ) {
+ class { '::barbican::api':
+ sync_db => $sync_db
+ }
+ include ::barbican::keystone::authtoken
+ include ::barbican::api::logging
+ include ::barbican::keystone::notification
+ include ::barbican::quota
+ include ::barbican::wsgi::apache
+ }
+}
diff --git a/manifests/profile/base/ceilometer.pp b/manifests/profile/base/ceilometer.pp
index 959d86c..392d0c7 100644
--- a/manifests/profile/base/ceilometer.pp
+++ b/manifests/profile/base/ceilometer.pp
@@ -38,8 +38,9 @@ class tripleo::profile::base::ceilometer (
) {
if $step >= 3 {
+ $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}")
class { '::ceilometer' :
- rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}")
+ rabbit_hosts => $rabbit_endpoints,
}
include ::ceilometer::config
}
diff --git a/manifests/profile/base/cinder.pp b/manifests/profile/base/cinder.pp
index 9f7c453..8023fcc 100644
--- a/manifests/profile/base/cinder.pp
+++ b/manifests/profile/base/cinder.pp
@@ -52,8 +52,9 @@ class tripleo::profile::base::cinder (
}
if $step >= 4 or ($step >= 3 and $sync_db) {
+ $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}")
class { '::cinder' :
- rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}")
+ rabbit_hosts => $rabbit_endpoints,
}
include ::cinder::config
}
diff --git a/manifests/profile/base/glance/api.pp b/manifests/profile/base/glance/api.pp
index f3db396..af3b0ac 100644
--- a/manifests/profile/base/glance/api.pp
+++ b/manifests/profile/base/glance/api.pp
@@ -22,6 +22,10 @@
# (Optional) Glance backend(s) to use.
# Defaults to downcase(hiera('glance_backend', 'swift'))
#
+# [*glance_nfs_enabled*]
+# (Optional) Whether to use NFS mount as 'file' backend storage location.
+# Defaults to false
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@@ -36,12 +40,17 @@
# Defaults to hiera('glance::notify::rabbitmq::rabbit_port', 5672)
class tripleo::profile::base::glance::api (
- $glance_backend = downcase(hiera('glance_backend', 'swift')),
- $step = hiera('step'),
- $rabbit_hosts = hiera('rabbitmq_node_ips', undef),
- $rabbit_port = hiera('glance::notify::rabbitmq::rabbit_port', 5672),
+ $glance_backend = downcase(hiera('glance_backend', 'swift')),
+ $glance_nfs_enabled = false,
+ $step = hiera('step'),
+ $rabbit_hosts = hiera('rabbitmq_node_ips', undef),
+ $rabbit_port = hiera('glance::notify::rabbitmq::rabbit_port', 5672),
) {
+ if $step >= 1 and $glance_nfs_enabled {
+ include ::tripleo::glance::nfs_mount
+ }
+
if $step >= 4 {
case $glance_backend {
'swift': { $backend_store = 'glance.store.swift.Store' }
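Review bot: `include ::tripleo::glance::nfs_mount` is reached whenever `$glance_nfs_enabled` is true, and that class has no default for its `$share` parameter, so enabling the flag without `tripleo::glance::nfs_mount::share` in hieradata fails catalog compilation with a generic missing-parameter error; the `[*glance_nfs_enabled*]` docblock should say so, e.g. `# Requires tripleo::glance::nfs_mount::share to be set in hiera.` The include is also not gated on `$glance_backend == 'file'`, so the share is mounted even when another backend is selected; either add that condition or note in a comment that the mount is intentionally unconditional. The class body continues outside the hunk.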
@@ -58,9 +67,9 @@ class tripleo::profile::base::glance::api (
class { '::glance::api':
stores => $glance_store,
}
-
+ $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}")
class { '::glance::notify::rabbitmq' :
- rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}")
+ rabbit_hosts => $rabbit_endpoints,
}
include join(['::glance::backend::', $glance_backend])
}
diff --git a/manifests/profile/base/gnocchi/api.pp b/manifests/profile/base/gnocchi/api.pp
index 9a08551..2fde1fc 100644
--- a/manifests/profile/base/gnocchi/api.pp
+++ b/manifests/profile/base/gnocchi/api.pp
@@ -22,19 +22,52 @@
# (Optional) The hostname of the node responsible for bootstrapping tasks
# Defaults to hiera('bootstrap_nodeid')
#
+# [*certificates_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Example with hiera:
+# apache_certificates_specs:
+# httpd-internal_api:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "haproxy/<overcloud controller fqdn>"
+# Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
+# [*generate_service_certificates*]
+# (Optional) Whether or not certmonger will generate certificates for
+# HAProxy. This could be as many as specified by the $certificates_specs
+# variable.
+# Note that this doesn't configure the certificates in haproxy, it merely
+# creates the certificates.
+# Defaults to hiera('generate_service_certificate', false).
+#
# [*gnocchi_backend*]
# (Optional) Gnocchi backend string file, swift or rbd
# Defaults to swift
#
+# [*gnocchi_network*]
+# (Optional) The network name where the gnocchi endpoint is listening on.
+# This is set by t-h-t.
+# Defaults to hiera('gnocchi_api_network', undef)
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
# Defaults to hiera('step')
#
class tripleo::profile::base::gnocchi::api (
- $bootstrap_node = hiera('bootstrap_nodeid', undef),
- $gnocchi_backend = downcase(hiera('gnocchi_backend', 'swift')),
- $step = hiera('step'),
+ $bootstrap_node = hiera('bootstrap_nodeid', undef),
+ $certificates_specs = hiera('apache_certificates_specs', {}),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
+ $generate_service_certificates = hiera('generate_service_certificates', false),
+ $gnocchi_backend = downcase(hiera('gnocchi_backend', 'swift')),
+ $gnocchi_network = hiera('gnocchi_api_network', undef),
+ $step = hiera('step'),
) {
if $::hostname == downcase($bootstrap_node) {
$sync_db = true
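Review bot: The docblock defaults do not match the parameter list: the text says `hiera('apache_certificate_specs', {})` and `hiera('generate_service_certificate', false)` while the code reads `hiera('apache_certificates_specs', {})` and `hiera('generate_service_certificates', false)`; the same mismatch appears in the nova/api.pp hunk further down, and anyone setting the documented keys will silently get the defaults. The `[*generate_service_certificates*]` description also still talks about HAProxy, whereas in this class the specs feed `tripleo::certmonger::httpd` for the Apache vhost (see the next hunk); rewording it to `Whether or not certmonger will generate certificates for the Apache vhost, as specified by $certificates_specs.` describes what the parameter actually does here.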
@@ -44,13 +77,31 @@ class tripleo::profile::base::gnocchi::api (
include ::tripleo::profile::base::gnocchi
+ if $enable_internal_tls {
+ if $generate_service_certificates {
+ ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
+ }
+
+ if !$gnocchi_network {
+ fail('gnocchi_api_network is not set in the hieradata.')
+ }
+ $tls_certfile = $certificates_specs["httpd-${gnocchi_network}"]['service_certificate']
+ $tls_keyfile = $certificates_specs["httpd-${gnocchi_network}"]['service_key']
+ } else {
+ $tls_certfile = undef
+ $tls_keyfile = undef
+ }
+
if $step >= 3 and $sync_db {
include ::gnocchi::db::sync
}
if $step >= 4 {
include ::gnocchi::api
- include ::gnocchi::wsgi::apache
+ class { '::gnocchi::wsgi::apache':
+ ssl_cert => $tls_certfile,
+ ssl_key => $tls_keyfile,
+ }
class { '::gnocchi::storage':
coordination_url => join(['redis://:', hiera('gnocchi_redis_password'), '@', normalize_ip_for_uri(hiera('redis_vip')), ':6379/']),
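Review bot: `$certificates_specs["httpd-${gnocchi_network}"]['service_certificate']` indexes the hash without checking that the `httpd-<network>` entry exists, so a network with no spec in hiera fails with an opaque undef-indexing error instead of the clear message the `!$gnocchi_network` guard gives. A `has_key($certificates_specs, "httpd-${gnocchi_network}")` check with `fail("No certificate spec found for httpd-${gnocchi_network} in apache_certificates_specs")` before the two lookups surfaces the misconfiguration and also catches a mismatch between the network the certificate was issued for and the one the API listens on. `ensure_resources('tripleo::certmonger::httpd', $certificates_specs)` requests every spec in the hash rather than only this network's, which is reasonable if the hash is per-host but deserves a comment.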
diff --git a/manifests/profile/base/heat.pp b/manifests/profile/base/heat.pp
index abb9f76..00a9809 100644
--- a/manifests/profile/base/heat.pp
+++ b/manifests/profile/base/heat.pp
@@ -53,7 +53,7 @@ class tripleo::profile::base::heat (
) {
# Domain resources will be created at step5 on the node running keystone.pp
# configure heat.conf at step3 and 4 but actually create the domain later.
- if $step == 3 or $step == 4 {
+ if $step >= 3 {
class { '::heat::keystone::domain':
manage_domain => false,
manage_user => false,
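Review bot: The comment just above the changed condition, `# configure heat.conf at step3 and 4 but actually create the domain later.`, no longer matches `if $step >= 3`, which now also declares `::heat::keystone::domain` at step 5 and later; update it to `# configure heat.conf from step 3 onwards; the domain itself is created at step 5 by keystone.pp.` The class body continues outside the hunk.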
@@ -62,9 +62,10 @@ class tripleo::profile::base::heat (
}
if $step >= 4 {
+ $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}")
class { '::heat' :
notification_driver => $notification_driver,
- rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}")
+ rabbit_hosts => $rabbit_endpoints,
}
include ::heat::config
include ::heat::cors
diff --git a/manifests/profile/base/ironic.pp b/manifests/profile/base/ironic.pp
index e63e4c6..7b44421 100644
--- a/manifests/profile/base/ironic.pp
+++ b/manifests/profile/base/ironic.pp
@@ -48,9 +48,10 @@ class tripleo::profile::base::ironic (
}
if $step >= 4 or ($step >= 3 and $sync_db) {
+ $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}")
class { '::ironic':
sync_db => $sync_db,
- rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}")
+ rabbit_hosts => $rabbit_endpoints,
}
include ::ironic::cors
diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index 8a70110..9801eb2 100644
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@@ -74,6 +74,23 @@
# for more details.
# Defaults to hiera('step')
#
+# [*heat_admin_domain*]
+# domain name for heat admin
+# Defaults to hiera('heat::keystone::domain::domain_name', 'heat')
+#
+# [*heat_admin_user*]
+# heat admin user name
+# Defaults to hiera('heat::keystone::domain::domain_admin', 'heat_admin')
+#
+# [*heat_admin_email*]
+# heat admin email address
+# Defaults to hiera('heat::keystone::domain::domain_admin_email',
+# 'heat_admin@localhost')
+#
+# [*heat_admin_password*]
+# heat admin password
+# Defaults to hiera('heat::keystone::domain::domain_password')
+#
class tripleo::profile::base::keystone (
$admin_endpoint_network = hiera('keystone_admin_api_network', undef),
$bootstrap_node = hiera('bootstrap_nodeid', undef),
@@ -85,6 +102,10 @@ class tripleo::profile::base::keystone (
$rabbit_hosts = hiera('rabbitmq_node_ips', undef),
$rabbit_port = hiera('keystone::rabbit_port', 5672),
$step = hiera('step'),
+ $heat_admin_domain = hiera('heat::keystone::domain::domain_name', 'heat'),
+ $heat_admin_user = hiera('heat::keystone::domain::domain_admin', 'heat_admin'),
+ $heat_admin_email = hiera('heat::keystone::domain::domain_admin_email', 'heat_admin@localhost'),
+ $heat_admin_password = hiera('heat::keystone::domain::domain_password'),
) {
if $::hostname == downcase($bootstrap_node) {
$sync_db = true
@@ -122,10 +143,11 @@ class tripleo::profile::base::keystone (
}
if $step >= 4 or ( $step >= 3 and $sync_db ) {
+ $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}")
class { '::keystone':
sync_db => $sync_db,
enable_bootstrap => $sync_db,
- rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}")
+ rabbit_hosts => $rabbit_endpoints,
}
include ::keystone::config
@@ -153,22 +175,22 @@ class tripleo::profile::base::keystone (
if $step >= 5 and $manage_domain {
if hiera('heat_engine_enabled', false) {
- # if Heat and Keystone are collocated, so we want to
- # both configure heat.conf and create Keystone resources.
- # note: domain_password is given via Hiera.
- if defined(Class['::tripleo::profile::base::heat']) {
- include ::heat::keystone::domain
- } else {
- # if Heat and Keystone are not collocated, we want Puppet
- # to only create Keystone resources on the Keystone node
- # but not try to configure Heat, to avoid leaking the password.
- class { '::heat::keystone::domain':
- domain_name => $::os_service_default,
- domain_admin => $::os_service_default,
- domain_password => $::os_service_default,
- }
+ # create these seperate and don't use ::heat::keystone::domain since
+ # that class writes out the configs
+ keystone_domain { $heat_admin_domain:
+ ensure => 'present',
+ enabled => true
+ }
+ keystone_user { "${heat_admin_user}::${heat_admin_domain}":
+ ensure => 'present',
+ enabled => true,
+ email => $heat_admin_email,
+ password => $heat_admin_password
+ }
+ keystone_user_role { "${heat_admin_user}::${heat_admin_domain}@::${heat_admin_domain}":
+ roles => ['admin'],
+ require => Class['::keystone::roles::admin']
}
- Class['::keystone::roles::admin'] -> Class['::heat::keystone::domain']
}
}
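Review bot: `keystone_user_role` declares `require => Class['::keystone::roles::admin']`, but the new `keystone_domain` and `keystone_user` resources carry no ordering of their own, so unless the provider's autorequires cover it they can be applied before the bootstrap has finished; the removed code ordered the whole `::heat::keystone::domain` class after `::keystone::roles::admin`, and putting the same `require` on all three resources keeps that guarantee. The comment has a typo, `seperate` → `separate`, and could keep the rationale the removed comment gave: `# create these separately and don't use ::heat::keystone::domain since that class also writes heat.conf, which we do not want touched on a node that may not run heat.`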
@@ -176,6 +198,9 @@ class tripleo::profile::base::keystone (
if hiera('aodh_api_enabled', false) {
include ::aodh::keystone::auth
}
+ if hiera('barbican_api_enabled', false) {
+ include ::barbican::keystone::auth
+ }
if hiera('ceilometer_api_enabled', false) {
include ::ceilometer::keystone::auth
}
diff --git a/manifests/profile/base/manila.pp b/manifests/profile/base/manila.pp
index 393dd52..3e16dff 100644
--- a/manifests/profile/base/manila.pp
+++ b/manifests/profile/base/manila.pp
@@ -47,8 +47,9 @@ class tripleo::profile::base::manila (
}
if $step >= 4 or ($step >= 3 and $sync_db) {
+ $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}")
class { '::manila' :
- rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}")
+ rabbit_hosts => $rabbit_endpoints,
}
include ::manila::config
}
diff --git a/manifests/profile/base/mistral.pp b/manifests/profile/base/mistral.pp
index dcd9d0b..3da754c 100644
--- a/manifests/profile/base/mistral.pp
+++ b/manifests/profile/base/mistral.pp
@@ -48,8 +48,9 @@ class tripleo::profile::base::mistral (
}
if $step >= 4 or ($step >= 3 and $sync_db) {
+ $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}")
class { '::mistral':
- rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}")
+ rabbit_hosts => $rabbit_endpoints,
}
include ::mistral::config
include ::mistral::client
diff --git a/manifests/profile/base/neutron.pp b/manifests/profile/base/neutron.pp
index 53df3d9..64f5f32 100644
--- a/manifests/profile/base/neutron.pp
+++ b/manifests/profile/base/neutron.pp
@@ -36,8 +36,9 @@ class tripleo::profile::base::neutron (
$rabbit_port = hiera('neutron::rabbit_port', 5672),
) {
if $step >= 3 {
+ $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}")
class { '::neutron' :
- rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}")
+ rabbit_hosts => $rabbit_endpoints,
}
include ::neutron::config
}
diff --git a/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp b/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp
index 2eb09ae..c120931 100644
--- a/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp
+++ b/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp
@@ -53,9 +53,9 @@ class tripleo::profile::base::neutron::plugins::ml2::opendaylight (
if ! $odl_url_ip { fail('OpenDaylight Controller IP/VIP is Empty') }
class { '::neutron::plugins::ml2::opendaylight':
- odl_username => $odl_username,
- odl_password => $odl_password,
- odl_url => "${conn_proto}://${odl_url_ip}:${odl_port}/controller/nb/v2/neutron";
+ odl_username => $odl_username,
+ odl_password => $odl_password,
+ odl_url => "${conn_proto}://${odl_url_ip}:${odl_port}/controller/nb/v2/neutron";
}
}
}
diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp
index b397802..4626465 100644
--- a/manifests/profile/base/nova.pp
+++ b/manifests/profile/base/nova.pp
@@ -68,8 +68,9 @@ class tripleo::profile::base::nova (
}
if hiera('step') >= 4 or (hiera('step') >= 3 and $sync_db) {
+ $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}")
class { '::nova' :
- rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}")
+ rabbit_hosts => $rabbit_endpoints,
}
include ::nova::config
class { '::nova::cache':
diff --git a/manifests/profile/base/nova/api.pp b/manifests/profile/base/nova/api.pp
index ca2f7dd..e660990 100644
--- a/manifests/profile/base/nova/api.pp
+++ b/manifests/profile/base/nova/api.pp
@@ -20,14 +20,47 @@
# (Optional) The hostname of the node responsible for bootstrapping tasks
# Defaults to hiera('bootstrap_nodeid')
#
+# [*certificates_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Example with hiera:
+# apache_certificates_specs:
+# httpd-internal_api:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "haproxy/<overcloud controller fqdn>"
+# Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
+# [*generate_service_certificates*]
+# (Optional) Whether or not certmonger will generate certificates for
+# HAProxy. This could be as many as specified by the $certificates_specs
+# variable.
+# Note that this doesn't configure the certificates in haproxy, it merely
+# creates the certificates.
+# Defaults to hiera('generate_service_certificate', false).
+#
+# [*nova_api_network*]
+# (Optional) The network name where the nova API endpoint is listening on.
+# This is set by t-h-t.
+# Defaults to hiera('nova_api_network', undef)
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
# Defaults to hiera('step')
#
class tripleo::profile::base::nova::api (
- $bootstrap_node = hiera('bootstrap_nodeid', undef),
- $step = hiera('step'),
+ $bootstrap_node = hiera('bootstrap_nodeid', undef),
+ $certificates_specs = hiera('apache_certificates_specs', {}),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
+ $generate_service_certificates = hiera('generate_service_certificates', false),
+ $nova_api_network = hiera('nova_api_network', undef),
+ $step = hiera('step'),
) {
if $::hostname == downcase($bootstrap_node) {
$sync_db = true
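Review bot: The parameter documentation added in this hunk names hiera keys that differ from the ones the class signature reads: `[*certificates_specs*]` says `hiera('apache_certificate_specs', {})` while the code uses `hiera('apache_certificates_specs', {})`, and `[*generate_service_certificates*]` says `hiera('generate_service_certificate', false)` while the code uses `hiera('generate_service_certificates', false)`. An operator who follows the documented (singular) keys gets the silent defaults, i.e. no certificate request and an empty spec hash. The same comment block describes the certificates as being "for HAProxy" and shows `principal: "haproxy/<overcloud controller fqdn>"`, which looks inherited from the haproxy profile even though this class hands the files to Apache; the wording and the example principal should be checked against what tripleo::certmonger::httpd expects. Suggested lines: `# Defaults to hiera('apache_certificates_specs', {}).` and `# Defaults to hiera('generate_service_certificates', false).`; the class body continues past the end of this hunk.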
@@ -37,6 +70,21 @@ class tripleo::profile::base::nova::api (
include ::tripleo::profile::base::nova
+ if $enable_internal_tls {
+ if $generate_service_certificates {
+ ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
+ }
+
+ if !$nova_api_network {
+ fail('nova_api_network is not set in the hieradata.')
+ }
+ $tls_certfile = $certificates_specs["httpd-${nova_api_network}"]['service_certificate']
+ $tls_keyfile = $certificates_specs["httpd-${nova_api_network}"]['service_key']
+ } else {
+ $tls_certfile = undef
+ $tls_keyfile = undef
+ }
+
if $step >= 4 or ($step >= 3 and $sync_db) {
if hiera('nova::use_ipv6', false) {
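Review bot: The lookups `$certificates_specs["httpd-${nova_api_network}"]['service_certificate']` and `['service_key']` assume a spec for this network is present; when `enable_internal_tls` is true but the hieradata has no `httpd-<network>` entry (for example when `generate_service_certificates` is false and the operator only listed other networks), Puppet fails with an opaque hash-index error instead of a message naming the missing key. A guard next to the existing `nova_api_network` check would make the misconfiguration explicit: `if !has_key($certificates_specs, "httpd-${nova_api_network}") { fail("No certificate spec for httpd-${nova_api_network} in apache_certificates_specs.") }`. Note also that `ensure_resources` is given the whole `$certificates_specs` hash, so this profile requests certmonger certificates for every listed network rather than only the nova API one; if that is intended, a one-line comment saying so would save the next reader a trip to the other profiles. The enclosing class starts and ends outside this hunk.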
@@ -53,7 +101,10 @@ class tripleo::profile::base::nova::api (
sync_db => $sync_db,
sync_db_api => $sync_db,
}
- include ::nova::wsgi::apache
+ class { '::nova::wsgi::apache':
+ ssl_cert => $tls_certfile,
+ ssl_key => $tls_keyfile,
+ }
include ::nova::network::neutron
}
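Review bot: The new declaration passes only `ssl_cert` and `ssl_key` to `::nova::wsgi::apache`; nothing in the hunk ties that class's SSL switch to `$enable_internal_tls`, so whether the vhost actually serves TLS, and what it serves when both values are undef, depends on defaults that are not visible in this diff. If the module enables SSL by default, the non-TLS path ends up on whatever fallback certificate the module ships; if it does not, the internal-TLS path configures a certificate on a plain-HTTP vhost. Passing it explicitly removes the ambiguity, e.g. `ssl => $enable_internal_tls,` alongside the two existing arguments, to be confirmed against the puppet-nova version in use. The class header is outside this hunk.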
diff --git a/manifests/profile/base/sahara.pp b/manifests/profile/base/sahara.pp
index c034628..f509225 100644
--- a/manifests/profile/base/sahara.pp
+++ b/manifests/profile/base/sahara.pp
@@ -47,9 +47,10 @@ class tripleo::profile::base::sahara (
}
if $step >= 4 or ($step >= 3 and $sync_db){
+ $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}")
class { '::sahara':
sync_db => $sync_db,
- rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}")
+ rabbit_hosts => $rabbit_endpoints,
}
}
}
diff --git a/manifests/profile/base/swift/proxy.pp b/manifests/profile/base/swift/proxy.pp
index feabf86..15b4686 100644
--- a/manifests/profile/base/swift/proxy.pp
+++ b/manifests/profile/base/swift/proxy.pp
@@ -31,10 +31,20 @@
# (Optional) memcache port
# Defaults to 11211
#
+# [*rabbit_hosts*]
+# list of the rabbbit host IPs
+# Defaults to hiera('rabbitmq_node_ips')
+#
+# [*rabbit_port*]
+# IP port for rabbitmq service
+# Defaults to hiera('swift::proxy::ceilometer::rabbit_port', 5672)
+#
class tripleo::profile::base::swift::proxy (
- $step = hiera('step'),
+ $step = hiera('step'),
$memcache_servers = hiera('memcached_node_ips'),
- $memcache_port = 11211,
+ $memcache_port = 11211,
+ $rabbit_hosts = hiera('rabbitmq_node_ips', undef),
+ $rabbit_port = hiera('swift::proxy::ceilometer::rabbit_port', 5672),
) {
if $step >= 4 {
$swift_memcache_servers = suffix(any2array(normalize_ip_for_uri($memcache_servers)), ":${memcache_port}")
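Review bot: The new `[*rabbit_hosts*]` comment has a typo, `rabbbit`, and unlike the neighbouring parameter docs it omits the `(Optional)` marker even though the parameter carries a default; suggested text: `# (Optional) List of the rabbit host IPs`. The default itself, `hiera('rabbitmq_node_ips', undef)`, is worth a second look because the value is fed straight into `normalize_ip_for_uri` in the step-4 branch further down the class (outside this hunk), so a deployment without that hiera key reaches the ceilometer middleware with an undef host list rather than a clear error. The class body continues past the end of this hunk.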
@@ -53,7 +63,10 @@ class tripleo::profile::base::swift::proxy (
include ::swift::proxy::tempurl
include ::swift::proxy::formpost
include ::swift::proxy::bulk
- include ::swift::proxy::ceilometer
+ $swift_rabbit_hosts = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}")
+ class { '::swift::proxy::ceilometer':
+ rabbit_hosts => $swift_rabbit_hosts,
+ }
include ::swift::proxy::versioned_writes
}
}
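Review bot: `$swift_rabbit_hosts` is computed from `$rabbit_hosts` unconditionally, but that parameter defaults to `undef` in the class signature, so when `rabbitmq_node_ips` is missing from hiera the `normalize_ip_for_uri`/`suffix` chain is applied to undef and the `rabbit_hosts` value handed to `::swift::proxy::ceilometer` is not meaningful. A guard before the computation makes the failure explicit and points at the fix: `if !$rabbit_hosts { fail('rabbit_hosts is not set; provide rabbitmq_node_ips in the hieradata.') }`. The class header is outside this hunk, though its closing brace is the last line shown.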
diff --git a/manifests/ui.pp b/manifests/ui.pp
index 41ad8d6..27e3e50 100644
--- a/manifests/ui.pp
+++ b/manifests/ui.pp
@@ -25,7 +25,7 @@
#
# [*bind_host*]
# The host/ip address Apache will listen on.
-# Optional. Defaults to undef (listen on all ip addresses).
+# Optional. Defaults to hiera('controller_host')
#
# [*ui_port*]
# The port on which the UI is listening.