diff options
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/haproxy.pp | 112 | ||||
-rw-r--r-- | manifests/profile/base/database/mysql.pp | 3 | ||||
-rw-r--r-- | manifests/profile/base/ironic_inspector.pp | 46 | ||||
-rw-r--r-- | manifests/profile/base/keystone.pp | 3 | ||||
-rw-r--r-- | manifests/profile/base/neutron.pp | 28 |
5 files changed, 167 insertions, 25 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index 2ed9449..13d4ba5 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -750,7 +750,7 @@ class tripleo::haproxy ( 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', # NOTE(jaosorior): We always redirect to https for the public_virtual_ip. 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }", - 'option' => [ 'forwardfor', 'httpchk' ], + 'option' => 'forwardfor', 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], @@ -762,7 +762,7 @@ class tripleo::haproxy ( } $horizon_options = { 'cookie' => 'SERVERID insert indirect nocache', - 'option' => [ 'forwardfor', 'httpchk' ], + 'option' => 'forwardfor', } } @@ -821,20 +821,12 @@ class tripleo::haproxy ( }, } - - $default_listen_options = { - 'option' => [ 'httpchk', ], - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - } Tripleo::Haproxy::Endpoint { haproxy_listen_bind_param => $haproxy_listen_bind_param, member_options => $haproxy_member_options, public_certificate => $service_certificate, use_internal_certificates => $use_internal_certificates, internal_certificates_specs => $internal_certificates_specs, - listen_options => $default_listen_options, } $stats_base = ['enable', 'uri /'] @@ -860,7 +852,11 @@ class tripleo::haproxy ( ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real), server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }), + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[keystone_admin_api_ssl_port], service_network => $keystone_admin_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -868,6 +864,11 @@ class tripleo::haproxy ( } if $keystone_public { + $keystone_listen_opts = { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + } if $service_certificate { $keystone_public_tls_listen_opts = { 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', @@ -876,9 +877,7 @@ class tripleo::haproxy ( 'option' => 'forwardfor', } } else { - $keystone_public_tls_listen_opts = { - 'option' => [ 'httpchk GET /v3', ], - } + $keystone_public_tls_listen_opts = {} } ::tripleo::haproxy::endpoint { 'keystone_public': public_virtual_ip => $public_virtual_ip, @@ -887,7 +886,7 @@ class tripleo::haproxy ( ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real), server_names => hiera('keystone_public_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => merge($default_listen_options, $keystone_public_tls_listen_opts), + listen_options => merge($keystone_listen_opts, $keystone_public_tls_listen_opts), public_ssl_port => $ports[keystone_public_api_ssl_port], service_network => $keystone_public_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -902,6 +901,11 @@ class tripleo::haproxy ( ip_addresses => hiera('neutron_api_node_ips', $controller_hosts_real), server_names => hiera('neutron_api_node_names', $controller_hosts_names_real), mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[neutron_api_ssl_port], service_network => $neutron_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -916,6 +920,11 @@ class tripleo::haproxy ( ip_addresses => hiera('cinder_api_node_ips', $controller_hosts_real), server_names => hiera('cinder_api_node_names', $controller_hosts_names_real), mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[cinder_api_ssl_port], service_network => $cinder_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -930,6 +939,11 @@ class tripleo::haproxy ( ip_addresses => hiera('congress_node_ips', $controller_hosts_real), server_names => hiera('congress_api_node_names', $controller_hosts_names_real), mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[congress_api_ssl_port], service_network => $congress_network, } @@ -943,6 +957,11 @@ class tripleo::haproxy ( ip_addresses => hiera('manila_api_node_ips', $controller_hosts_real), server_names => hiera('manila_api_node_names', $controller_hosts_names_real), mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[manila_api_ssl_port], service_network => $manila_network, } @@ -968,6 +987,11 @@ class tripleo::haproxy ( ip_addresses => hiera('tacker_node_ips', $controller_hosts_real), server_names => hiera('tacker_api_node_names', $controller_hosts_names_real), mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[tacker_api_ssl_port], service_network => $tacker_network, } @@ -994,7 +1018,11 @@ class tripleo::haproxy ( server_names => hiera('glance_api_node_names', $controller_hosts_names_real), public_ssl_port => $ports[glance_api_ssl_port], mode => 'http', - listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /healthcheck', ]}), + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, service_network => $glance_api_network, member_options => union($haproxy_member_options, $internal_tls_member_options), } @@ -1009,6 +1037,11 @@ class tripleo::haproxy ( ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real), server_names => hiera('nova_api_node_names', $controller_hosts_names_real), mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[nova_api_ssl_port], service_network => $nova_osapi_network, #member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1024,6 +1057,11 @@ class tripleo::haproxy ( ip_addresses => hiera('nova_placement_node_ips', $controller_hosts_real), server_names => hiera('nova_placement_node_names', $controller_hosts_names_real), mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[nova_placement_ssl_port], service_network => $nova_placement_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1036,9 +1074,6 @@ class tripleo::haproxy ( service_port => $ports[nova_metadata_port], ip_addresses => hiera('nova_metadata_node_ips', $controller_hosts_real), server_names => hiera('nova_metadata_node_names', $controller_hosts_names_real), - listen_options => { - 'option' => [ 'httpchk', ], - }, service_network => $nova_metadata_network, } } @@ -1050,11 +1085,10 @@ class tripleo::haproxy ( service_port => $ports[nova_novnc_port], ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real), server_names => hiera('nova_api_node_names', $controller_hosts_names_real), - listen_options => merge($default_listen_options, { - 'option' => [ 'tcpka' ], + listen_options => { 'balance' => 'source', 'timeout' => [ 'tunnel 1h' ], - }), + }, public_ssl_port => $ports[nova_novnc_ssl_port], service_network => $nova_novncproxy_network, } @@ -1068,6 +1102,11 @@ class tripleo::haproxy ( ip_addresses => hiera('ec2_api_node_ips', $controller_hosts_real), server_names => hiera('ec2_api_node_names', $controller_hosts_names_real), mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[ec2_api_ssl_port], service_network => $ec2_api_network, } @@ -1091,6 +1130,11 @@ class tripleo::haproxy ( ip_addresses => hiera('ceilometer_api_node_ips', $controller_hosts_real), server_names => hiera('ceilometer_api_node_names', $controller_hosts_names_real), mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[ceilometer_api_ssl_port], service_network => $ceilometer_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1105,6 +1149,11 @@ class tripleo::haproxy ( ip_addresses => hiera('aodh_api_node_ips', $controller_hosts_real), server_names => hiera('aodh_api_node_names', $controller_hosts_names_real), mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[aodh_api_ssl_port], service_network => $aodh_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1118,6 +1167,11 @@ class tripleo::haproxy ( service_port => $ports[panko_api_port], ip_addresses => hiera('panko_api_node_ips', $controller_hosts_real), server_names => hiera('panko_api_node_names', $controller_hosts_names_real), + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[panko_api_ssl_port], service_network => $panko_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1145,6 +1199,11 @@ class tripleo::haproxy ( ip_addresses => hiera('gnocchi_api_node_ips', $controller_hosts_real), server_names => hiera('gnocchi_api_node_names', $controller_hosts_names_real), mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[gnocchi_api_ssl_port], service_network => $gnocchi_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1165,7 +1224,6 @@ class tripleo::haproxy ( if $swift_proxy_server { $swift_proxy_server_listen_options = { - 'option' => [ 'httpchk GET /healthcheck', ], 'timeout client' => '2m', 'timeout server' => '2m', } @@ -1183,13 +1241,17 @@ class tripleo::haproxy ( $heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip) $heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real) + $heat_base_options = { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }']} if $service_certificate { $heat_ssl_options = { 'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1", } - $heat_options = merge($default_listen_options, $heat_ssl_options) + $heat_options = merge($heat_base_options, $heat_ssl_options) } else { - $heat_options = $default_listen_options + $heat_options = $heat_base_options } if $heat_api { diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp index d3c3f21..dcd1b7f 100644 --- a/manifests/profile/base/database/mysql.pp +++ b/manifests/profile/base/database/mysql.pp @@ -167,6 +167,9 @@ class tripleo::profile::base::database::mysql ( if hiera('ironic_api_enabled', false) { include ::ironic::db::mysql } + if hiera('ironic_inspector_enabled', false) { + include ::ironic::inspector::db::mysql + } if hiera('keystone_enabled', false) { include ::keystone::db::mysql } diff --git a/manifests/profile/base/ironic_inspector.pp b/manifests/profile/base/ironic_inspector.pp new file mode 100644 index 0000000..b4276c6 --- /dev/null +++ b/manifests/profile/base/ironic_inspector.pp @@ -0,0 +1,46 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::ironic_inspector +# +# Ironic inspector profile for TripleO +# +# === Parameters +# +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# +# [*step*] +# (Optional) The current step of the deployment +# Defaults to hiera('step') + +class tripleo::profile::base::ironic_inspector ( + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $step = hiera('step'), +) { + + if $::hostname == downcase($bootstrap_node) { + $sync_db = true + } else { + $sync_db = false + } + + if $step >= 4 or ($step >= 3 and $sync_db) { + class { '::ironic::inspector': + sync_db => $sync_db, + } + } + +} diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index 00f4aa8..9b2fc51 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -282,6 +282,9 @@ class tripleo::profile::base::keystone ( if hiera('ironic_api_enabled', false) { include ::ironic::keystone::auth } + if hiera('ironic_inspector_enabled', false) { + include ::ironic::keystone::auth_inspector + } if hiera('manila_api_enabled', false) { include ::manila::keystone::auth } diff --git a/manifests/profile/base/neutron.pp b/manifests/profile/base/neutron.pp index 0d647f8..2f01b75 100644 --- a/manifests/profile/base/neutron.pp +++ b/manifests/profile/base/neutron.pp @@ -65,6 +65,19 @@ # [*oslomsg_use_ssl*] # Enable ssl oslo messaging services # Defaults to hiera('neutron::rabbit_use_ssl', '0') +# +# [*dhcp_agents_per_network*] +# (Optional) TripleO configured number of DHCP agents +# to use per network. If left to the default value, neutron will be +# configured with the number of DHCP agents being deployed. +# Defaults to undef +# +# [*dhcp_nodes*] +# (Optional) List of nodes running the DHCP agent. Used to +# set neutron's dhcp_agents_per_network value to the number +# of available agents. +# Defaults to hiera('neutron_dhcp_short_node_names') or [] +# class tripleo::profile::base::neutron ( $step = hiera('step'), @@ -79,9 +92,23 @@ class tripleo::profile::base::neutron ( $oslomsg_notify_port = hiera('neutron::rabbit_port', '5672'), $oslomsg_notify_username = hiera('neutron::rabbit_userid', 'guest'), $oslomsg_use_ssl = hiera('neutron::rabbit_use_ssl', '0'), + $dhcp_agents_per_network = undef, + $dhcp_nodes = hiera('neutron_dhcp_short_node_names', []), ) { if $step >= 3 { $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl))) + + $dhcp_agent_count = size($dhcp_nodes) + if $dhcp_agents_per_network { + $dhcp_agents_per_net = $dhcp_agents_per_network + if ($dhcp_agents_per_net > $dhcp_agent_count) { + warning("dhcp_agents_per_network (${dhcp_agents_per_net}) is greater\ + than the number of deployed dhcp agents (${dhcp_agent_count})") + } + } + elsif $dhcp_agent_count > 0 { + $dhcp_agents_per_net = $dhcp_agent_count + } class { '::neutron' : default_transport_url => os_transport_url({ 'transport' => $oslomsg_rpc_proto, @@ -99,6 +126,7 @@ class tripleo::profile::base::neutron ( 'password' => $oslomsg_notify_password, 'ssl' => $oslomsg_use_ssl_real, }), + dhcp_agents_per_network => $dhcp_agents_per_net, } include ::neutron::config } |