Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/firewall/rule.pp | 19 | ||||
-rw-r--r-- | manifests/haproxy.pp | 49 | ||||
-rw-r--r-- | manifests/haproxy/endpoint.pp | 29 | ||||
-rw-r--r-- | manifests/packages.pp | 4 | ||||
-rw-r--r-- | manifests/profile/base/ceilometer/api.pp | 7 | ||||
-rw-r--r-- | manifests/profile/base/cinder/volume.pp | 29 | ||||
-rw-r--r-- | manifests/profile/base/cinder/volume/hpelefthand.pp | 71 | ||||
-rw-r--r-- | manifests/profile/base/metrics/collectd.pp | 88 | ||||
-rw-r--r-- | manifests/profile/base/metrics/collectd/plugin_helper.pp | 6 | ||||
-rw-r--r-- | manifests/profile/base/neutron/agents/ovn.pp | 14 | ||||
-rw-r--r-- | manifests/profile/base/neutron/opendaylight.pp | 19 | ||||
-rw-r--r-- | manifests/profile/base/neutron/ovn_northd.pp | 40 | ||||
-rw-r--r-- | manifests/profile/base/neutron/plugins/ml2.pp | 5 | ||||
-rw-r--r-- | manifests/profile/base/neutron/plugins/ml2/ovn.pp | 25 | ||||
-rw-r--r-- | manifests/profile/base/nova.pp | 46 | ||||
-rw-r--r-- | manifests/profile/base/pacemaker.pp | 3 | ||||
-rw-r--r-- | manifests/profile/base/swift/proxy.pp | 23 | ||||
-rw-r--r-- | manifests/tls_proxy.pp | 60 | ||||
-rw-r--r-- | manifests/vip_hosts.pp | 39 |
19 files changed, 467 insertions, 109 deletions
diff --git a/manifests/firewall/rule.pp b/manifests/firewall/rule.pp index 6801dc4..816e6fe 100644 --- a/manifests/firewall/rule.pp +++ b/manifests/firewall/rule.pp @@ -77,8 +77,16 @@ define tripleo::firewall::rule ( $extras = {}, ) { + if $port == 'all' { + warning("All ${proto} traffic will be open on this host.") + # undef so the IPtables rule won't have any port specified. + $port_real = undef + } else { + $port_real = $port + } + $basic = { - 'port' => $port, + 'port' => $port_real, 'dport' => $dport, 'sport' => $sport, 'proto' => $proto, @@ -100,6 +108,15 @@ define tripleo::firewall::rule ( $rule = merge($basic, $state_rule, $extras) validate_hash($rule) + # This conditional will ensure that TCP and UDP firewall rules have + # a port specified in the configuration when using INPUT or OUTPUT chains. + # If not, the Puppet catalog will fail. + # If we don't do this sanity check, a user could create some TCP/UDP + # rules without port, and the result would be an iptables rule that allow any + # traffic on the host. + if ($proto in ['tcp', 'udp']) and (! ($port or $dport or $sport) and ($chain != 'FORWARD')) { + fail("${title} firewall rule cannot be created. TCP or UDP rules for INPUT or OUTPUT need port or sport or dport.") + } create_resources('firewall', { "${title}" => $rule }) } diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index 515f49a..c57666d 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -276,6 +276,10 @@ # (optional) Enable or not OpenDaylight binding # Defaults to hiera('opendaylight_api_enabled', false) # +# [*ovn_dbs*] +# (optional) Enable or not OVN northd binding +# Defaults to hiera('ovn_dbs_enabled', false) +# # [*zaqar_ws*] # (optional) Enable or not Zaqar Websockets binding # Defaults to false 
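Review bot: The new guard in the second hunk (`if ($proto in ['tcp', 'udp']) and ...`) covers only tcp and udp, so a rule with any other `$proto` value and no port is still created without this failure or the warning added in the first hunk; if the define accepts a catch-all protocol value, that is the same allow-everything rule the comment describes. The guard tests `$port` rather than `$port_real`, which is what lets `port => 'all'` through; that looks intentional but is not stated, so I would add `# $port (not $port_real) is tested so that the explicit 'all' opt-in passes this check.` above the `if`. The check also runs on the parameters rather than on the merged `$rule`, so a rule that supplies its port only through `$extras` would be rejected. The body of the define starts and ends outside both hunks.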
@@ -380,6 +384,10 @@ # (optional) Specify the network panko is running on. # Defaults to hiera('panko_api_network', undef) # +# [*ovn_dbs_network*] +# (optional) Specify the network ovn_dbs is running on. +# Defaults to hiera('ovn_dbs_network', undef) +# # [*sahara_network*] # (optional) Specify the network sahara is running on. # Defaults to hiera('sahara_api_network', undef) @@ -441,6 +449,8 @@ # 'nova_novnc_ssl_port' (Defaults to 13080) # 'panko_api_port' (Defaults to 8779) # 'panko_api_ssl_port' (Defaults to 13779) +# 'ovn_nbdb_port' (Defaults to 6641) +# 'ovn_sbdb_port' (Defaults to 6642) # 'sahara_api_port' (Defaults to 8386) # 'sahara_api_ssl_port' (Defaults to 13386) # 'swift_proxy_port' (Defaults to 8080) @@ -515,6 +525,7 @@ class tripleo::haproxy ( $zaqar_api = hiera('zaqar_api_enabled', false), $ceph_rgw = hiera('ceph_rgw_enabled', false), $opendaylight = hiera('opendaylight_api_enabled', false), + $ovn_dbs = hiera('ovn_dbs_enabled', false), $zaqar_ws = hiera('zaqar_api_enabled', false), $ui = hiera('enable_ui', false), $aodh_network = hiera('aodh_api_network', undef), @@ -540,6 +551,7 @@ class tripleo::haproxy ( $nova_novncproxy_network = hiera('nova_vnc_proxy_network', undef), $nova_osapi_network = hiera('nova_api_network', undef), $panko_network = hiera('panko_api_network', undef), + $ovn_dbs_network = hiera('ovn_dbs_network', undef), $sahara_network = hiera('sahara_api_network', undef), $swift_proxy_server_network = hiera('swift_proxy_network', undef), $trove_network = hiera('trove_api_network', undef), @@ -590,6 +602,8 @@ class tripleo::haproxy ( nova_novnc_ssl_port => 13080, panko_api_port => 8779, panko_api_ssl_port => 13779, + ovn_nbdb_port => 6641, + ovn_sbdb_port => 6642, sahara_api_port => 8386, sahara_api_ssl_port => 13386, swift_proxy_port => 8080, 
@@ -1318,6 +1332,39 @@ class tripleo::haproxy ( } } + + if $ovn_dbs { + # FIXME: is this config enough to ensure we only hit the first node in + # ovn_northd_node_ips ? + $ovn_db_listen_options = { + 'option' => [ 'tcpka' ], + 'timeout client' => '90m', + 'timeout server' => '90m', + 'stick-table' => 'type ip size 1000', + 'stick' => 'on dst', + } + ::tripleo::haproxy::endpoint { 'ovn_nbdb': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('ovn_dbs_vip', $controller_virtual_ip), + service_port => $ports[ovn_nbdb_port], + ip_addresses => hiera('ovn_dbs_node_ips', $controller_hosts_real), + server_names => hiera('ovn_dbs_node_names', $controller_hosts_names_real), + service_network => $ovn_dbs_network, + listen_options => $ovn_db_listen_options, + mode => 'tcp' + } + ::tripleo::haproxy::endpoint { 'ovn_sbdb': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('ovn_dbs_vip', $controller_virtual_ip), + service_port => $ports[ovn_sbdb_port], + ip_addresses => hiera('ovn_dbs_node_ips', $controller_hosts_real), + server_names => hiera('ovn_dbs_node_names', $controller_hosts_names_real), + service_network => $ovn_dbs_network, + listen_options => $ovn_db_listen_options, + mode => 'tcp' + } + } + if $zaqar_ws { ::tripleo::haproxy::endpoint { 'zaqar_ws': public_virtual_ip => $public_virtual_ip, @@ -1331,7 +1378,7 @@ class tripleo::haproxy ( # NOTE(jaosorior): Websockets have more overhead in establishing # connections than regular HTTP connections. Also, since it begins # as an HTTP connection and then "upgrades" to a TCP connection, some - # timeouts get overriden by others at certain times of the connection. + # timeouts get overridden by others at certain times of the connection. # The following values were taken from the following site: # http://blog.haproxy.com/2012/11/07/websockets-load-balancing-with-haproxy/ 'timeout' => ['connect 5s', 'client 25s', 'server 25s', 'tunnel 3600s'], 
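Review bot: Both new endpoints in the `if $ovn_dbs` block pass `public_virtual_ip => $public_virtual_ip`, so the OVN northbound and southbound database ports (6641/6642) appear to be published on the public VIP in plain `tcp` mode, and `tripleo::haproxy::endpoint` also opens a firewall rule for `service_port`. These databases hold control-plane state for the SDN and nothing visible here adds TLS or restricts source addresses, so unless external clients genuinely need them I would limit the binding to the internal network. How the endpoint define uses `public_virtual_ip` is outside this hunk, so confirm against endpoint.pp. The `FIXME` is still open as well: `stick on dst` with a stick-table is not obviously equivalent to an active/backup arrangement, and that question should be settled before the endpoint is relied on. The class body continues outside the hunk.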
diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp index 4311049..0bba245 100644 --- a/manifests/haproxy/endpoint.pp +++ b/manifests/haproxy/endpoint.pp @@ -149,14 +149,27 @@ define tripleo::haproxy::endpoint ( } if hiera('manage_firewall', true) { include ::tripleo::firewall - $firewall_rules = { - "100 ${name}_haproxy" => { - 'dport' => $service_port, - }, - "100 ${name}_haproxy_ssl" => { - 'dport' => $public_ssl_port, - }, + # This block will construct firewall rules only when we specify + # a port for the regular service and also the ssl port for the service. + # It makes sure we're not trying to create TCP iptables rules where no port + # is specified. + if $service_port { + $haproxy_firewall_rules = { + "100 ${name}_haproxy" => { + 'dport' => $service_port, + }, + } + } + if $public_ssl_port { + $haproxy_ssl_firewall_rules = { + "100 ${name}_haproxy_ssl" => { + 'dport' => $public_ssl_port, + }, + } + } + $firewall_rules = merge($haproxy_firewall_rules, $haproxy_ssl_firewall_rules) + if $service_port or $public_ssl_port { + create_resources('tripleo::firewall::rule', $firewall_rules) } - create_resources('tripleo::firewall::rule', $firewall_rules) } } diff --git a/manifests/packages.pp b/manifests/packages.pp index ec2635a..147c76a 100644 --- a/manifests/packages.pp +++ b/manifests/packages.pp @@ -35,7 +35,7 @@ class tripleo::packages ( # required for stages include ::stdlib - if !$enable_install and !$enable_upgrade { + if !str2bool($enable_install) and !str2bool($enable_upgrade) { case $::osfamily { 'RedHat': { Package <| |> { provider => 'norpm' } @@ -46,7 +46,7 @@ class tripleo::packages ( } } - if $enable_upgrade { + if str2bool($enable_upgrade) { Package <| |> { ensure => 'latest' } # Running the package upgrade before managing Services in the main stage. # So we're sure that services will be able to restart with the new version 
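Review bot: `$haproxy_firewall_rules` and `$haproxy_ssl_firewall_rules` are assigned only inside their `if` blocks but are always read by `merge(...)`, so when one port is unset the call receives an undefined variable; whether that works depends on how the stdlib `merge` treats undef, and it fails outright under `strict_variables`. Giving each branch an explicit empty default, `} else { $haproxy_firewall_rules = {} }` and `} else { $haproxy_ssl_firewall_rules = {} }`, keeps the merge well-defined in every case. The enclosing define starts outside the hunk.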
diff --git a/manifests/profile/base/ceilometer/api.pp b/manifests/profile/base/ceilometer/api.pp index 6ef4748..2e7986b 100644 --- a/manifests/profile/base/ceilometer/api.pp +++ b/manifests/profile/base/ceilometer/api.pp @@ -18,6 +18,10 @@ # # === Parameters # +# [*enable_legacy_api*] +# (Optional) Enable legacy ceilometer api service. +# Defaults to hiera('enable_legacy_api', false) +# # [*ceilometer_network*] # (Optional) The network name where the ceilometer endpoint is listening on. # This is set by t-h-t. @@ -53,6 +57,7 @@ # Defaults to hiera('step') # class tripleo::profile::base::ceilometer::api ( + $enable_legacy_api = hiera('enable_legacy_ceilometer_api', false), $ceilometer_network = hiera('ceilometer_api_network', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), @@ -76,7 +81,7 @@ class tripleo::profile::base::ceilometer::api ( $tls_keyfile = undef } - if $step >= 4 { + if $step >= 4 and $enable_legacy_api { include ::ceilometer::api class { '::ceilometer::wsgi::apache': ssl_cert => $tls_certfile, diff --git a/manifests/profile/base/cinder/volume.pp b/manifests/profile/base/cinder/volume.pp index 64927b6..7663b6f 100644 --- a/manifests/profile/base/cinder/volume.pp +++ b/manifests/profile/base/cinder/volume.pp @@ -22,6 +22,10 @@ # (Optional) Whether to enable the delsc backend # Defaults to true # +# [*cinder_enable_hpelefthand_backend*] +# (Optional) Whether to enable the hpelefthand backend +# Defaults to false +# # [*cinder_enable_eqlx_backend*] # (Optional) Whether to enable the eqlx backend # Defaults to true 
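Review bot: The parameter documentation added in the first ceilometer hunk says `Defaults to hiera('enable_legacy_api', false)`, but the class signature in the second hunk reads `hiera('enable_legacy_ceilometer_api', false)`; an operator following the doc would set a key that is never looked up. The doc line should read `#   Defaults to hiera('enable_legacy_ceilometer_api', false)`. The third hunk only skips the `include` when the flag is false, and nothing visible here stops or removes an API service that an earlier deployment already configured, which may matter on upgrade.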
@@ -52,14 +56,15 @@ # Defaults to hiera('step') # class tripleo::profile::base::cinder::volume ( - $cinder_enable_dellsc_backend = false, - $cinder_enable_eqlx_backend = false, - $cinder_enable_iscsi_backend = true, - $cinder_enable_netapp_backend = false, - $cinder_enable_nfs_backend = false, - $cinder_enable_rbd_backend = false, - $cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef), - $step = hiera('step'), + $cinder_enable_dellsc_backend = false, + $cinder_enable_hpelefthand_backend = false, + $cinder_enable_eqlx_backend = false, + $cinder_enable_iscsi_backend = true, + $cinder_enable_netapp_backend = false, + $cinder_enable_nfs_backend = false, + $cinder_enable_rbd_backend = false, + $cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef), + $step = hiera('step'), ) { include ::tripleo::profile::base::cinder @@ -73,6 +78,13 @@ class tripleo::profile::base::cinder::volume ( $cinder_dellsc_backend_name = undef } + if $cinder_enable_hpelefthand_backend { + include ::tripleo::profile::base::cinder::volume::hpelefthand + $cinder_hpelefthand_backend_name = hiera('cinder::backend::hpelefthand_iscsi::volume_backend_name', 'tripleo_hpelefthand') + } else { + $cinder_hpelefthand_backend_name = undef + } + if $cinder_enable_eqlx_backend { include ::tripleo::profile::base::cinder::volume::eqlx $cinder_eqlx_backend_name = hiera('cinder::backend::eqlx::volume_backend_name', 'tripleo_eqlx') @@ -112,6 +124,7 @@ class tripleo::profile::base::cinder::volume ( $cinder_rbd_backend_name, $cinder_eqlx_backend_name, $cinder_dellsc_backend_name, + $cinder_hpelefthand_backend_name, $cinder_netapp_backend_name, $cinder_nfs_backend_name, $cinder_user_enabled_backends]) diff --git a/manifests/profile/base/cinder/volume/hpelefthand.pp b/manifests/profile/base/cinder/volume/hpelefthand.pp new file mode 100644 index 0000000..32f0976 --- /dev/null +++ b/manifests/profile/base/cinder/volume/hpelefthand.pp 
@@ -0,0 +1,71 @@
+# Copyright 2016 Hewlett-Packard Enterprise.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::cinder::volume::hpelefthand
+#
+# Cinder Volume hpelefthand profile for tripleo
+#
+# === Parameters
+#
+# [*backend_name*]
+# (Optional) Name given to the Cinder backend stanza
+# Defaults to 'tripleo_hpelefthand'
+#
+# [*cinder_hpelefthand_api_url*]
+# (required) url for api access to lefthand - example https://10.x.x.x:8080/api/v1
+#
+# [*cinder_hpelefthand_username*]
+# (required) Username for HPElefthand admin user
+#
+# [*cinder_hpelefthand_password*]
+# (required) Password for hpelefthand_username
+#
+# [*cinder_hpelefthand_iscsi_chap_enabled*]
+# (required) setting to false by default
+#
+# [*cinder_hpelefthand_clustername*]
+# (required) clustername of hpelefthand
+#
+# [*cinder_hpelefthand_debug*]
+# (required) setting to false by default
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+class tripleo::profile::base::cinder::volume::hpelefthand (
+ $backend_name = hiera('cinder::backend::hpelefthand_iscsi::volume_backend_name', 'tripleo_hpelefthand'),
+ $cinder_hpelefthand_username = hiera('cinder::backend::hpelefthand_iscsi::hpelefthand_username', undef),
+ $cinder_hpelefthand_password = hiera('cinder::backend::hpelefthand_iscsi::hpelefthand_password', undef),
+ $cinder_hpelefthand_clustername = hiera('cinder::backend::hpelefthand_iscsi::hpelefthand_clustername', undef),
+ $cinder_hpelefthand_api_url = hiera('cinder::backend::hpelefthand_iscsi::hpelefthand_api_url', undef),
+ $cinder_hpelefthand_iscsi_chap_enabled = hiera('cinder::backend::hpelefthand_iscsi::hpelefthand_iscsi_chap_enabled', undef),
+ $cinder_hpelefthand_debug = hiera('cinder::backend::hpelefthand_iscsi::hpelefthand_debug', undef),
+ $step = hiera('step'),
+) {
+ include ::tripleo::profile::base::cinder::volume
+
+ if $step >= 4 {
+ cinder::backend::hpelefthand_iscsi { $backend_name :
+ hpelefthand_username => $cinder_hpelefthand_username,
+ hpelefthand_password => $cinder_hpelefthand_password,
+ hpelefthand_clustername => $cinder_hpelefthand_clustername,
+ hpelefthand_api_url => $cinder_hpelefthand_api_url,
+ hpelefthand_iscsi_chap_enabled => $cinder_hpelefthand_iscsi_chap_enabled,
+ hpelefthand_debug => $cinder_hpelefthand_debug,
+ }
+ }
+
+}
diff --git a/manifests/profile/base/metrics/collectd.pp b/manifests/profile/base/metrics/collectd.pp
new file mode 100644
index 0000000..0f738d1
--- /dev/null
+++ b/manifests/profile/base/metrics/collectd.pp
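Review bot: The header of hpelefthand.pp documents username, password, API URL and cluster name as `(required)`, yet each of them defaults to `hiera(..., undef)`, so a deployment with a missing key compiles and hands undef credentials to `cinder::backend::hpelefthand_iscsi` instead of failing the catalog. Either drop the `undef` fallbacks for the values that really are required or mark them optional in the doc. `cinder_hpelefthand_iscsi_chap_enabled` is described as `setting to false by default` while the code passes undef, leaving the effective CHAP setting to the backend class; since that decides whether iSCSI sessions are authenticated, the doc should state the real default, for example `#   (Optional) Enable CHAP for iSCSI sessions. Defaults to undef (backend default).`. The example URL uses https, but nothing here checks the scheme of `cinder_hpelefthand_api_url`, the endpoint the admin credentials are used against.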
@@ -0,0 +1,88 @@ +# == Class: tripleo::profile::base::metrics::collectd +# +# Collectd configuration for TripleO +# +# === Parameters +# +# [*collectd_plugins*] +# (Optional) List. A list of collectd plugins to configure (the +# corresponding collectd::plugin::NAME class must exist in the +# collectd package). +# +# [*collectd_server*] +# (Optional) String. The name or address of a collectd server to +# which we should send metrics. +# +# [*collectd_port*] +# (Optional) Integer. The port to which we will connect on the +# collectd server. +# +# [*collectd_username*] +# (Optional) String. Username for authenticating to the remote +# collectd server. +# +# [*collectd_password*] +# (Optional) String. Password for authenticating to the remote +# collectd server. +# +# [*collectd_securitylevel*] +# (Optional) String. +# +# [*collectd_interface*] +# (Optional) String. Name of a network interface. +# +# [*collectd_graphite_server*] +# (Optional) String. The name or address of a graphite server to +# which we should send metrics. +# +# [*collectd_graphite_port*] +# (Optional) Integer. This is the port to which we will connect on +# the graphite server. Defaults to 2004. +# +# [*collectd_graphite_prefix*] +# (Optional) String. Prefix to add to metric names. Defaults to +# 'overcloud.'. +# +# [*collectd_graphite_protocol*] +# (Optional) String. One of 'udp' or 'tcp'. +# +class tripleo::profile::base::metrics::collectd ( + $collectd_plugins = [], + + $collectd_server = undef, + $collectd_port = 25826, + $collectd_username = undef, + $collectd_password = undef, + $collectd_securitylevel = undef, + + $collectd_graphite_server = undef, + $collectd_graphite_port = 2004, + $collectd_graphite_prefix = undef, + $collectd_graphite_protocol = 'udp' +) { + include ::collectd + ::tripleo::profile::base::metrics::collectd::plugin_helper { $collectd_plugins: } + + if ! 
($collectd_graphite_protocol in ['udp', 'tcp']) { + fail("collectd_graphite_protocol must be one of 'udp' or 'tcp'") + } + + if $collectd_server { + ::collectd::plugin::network::server { $collectd_server: + username => $collectd_username, + password => $collectd_password, + port => $collectd_port, + securitylevel => $collectd_securitylevel, + } + } + + if $collectd_graphite_server { + ::collectd::plugin::write_graphite::carbon { 'openstack_graphite': + graphitehost => $collectd_graphite_server, + graphiteport => $collectd_graphite_port, + graphiteprefix => $collectd_graphite_prefix, + protocol => $collectd_graphite_protocol, + } + } +} + diff --git a/manifests/profile/base/metrics/collectd/plugin_helper.pp b/manifests/profile/base/metrics/collectd/plugin_helper.pp new file mode 100644 index 0000000..b624ee1 --- /dev/null +++ b/manifests/profile/base/metrics/collectd/plugin_helper.pp @@ -0,0 +1,6 @@ +# We use this to transform a list of unqualified plugin names +# (like ['disk', 'ntpd']) into the correct collectd plugin classes. +define tripleo::profile::base::metrics::collectd::plugin_helper ( +) { + include "collectd::plugin::${title}" +} diff --git a/manifests/profile/base/neutron/agents/ovn.pp b/manifests/profile/base/neutron/agents/ovn.pp index 443b164..a593092 100644 --- a/manifests/profile/base/neutron/agents/ovn.pp +++ b/manifests/profile/base/neutron/agents/ovn.pp @@ -17,7 +17,12 @@ # OVN Neutron agent profile for tripleo # # [*ovn_db_host*] -# The IP-Address/Hostname where OVN DBs are deployed +# (Optional) The IP-Address where OVN DBs are listening. +# Defaults to hiera('ovn_dbs_vip') +# +# [*ovn_sbdb_port*] +# (Optional) Port number on which southbound database is listening +# Defaults to hiera('ovn::southbound::port') # # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates 
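Review bot: `collectd_interface` is documented in the header of collectd.pp but is not declared in the class parameter list, so the doc describes a setting the class does not accept; either add the parameter and use it or remove the entry. `collectd_securitylevel` carries only the description `(Optional) String.` and defaults to undef while `collectd_username` and `collectd_password` are accepted next to it; the doc should list the valid values and say what happens to the credentials when no level is set (confirm against the collectd module, which is not visible here). The `fail()` on `collectd_graphite_protocol` would also read better placed before the `include` and the plugin helper call, so that invalid input is rejected before any resource is declared.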
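Review bot: In plugin_helper.pp `${title}` is interpolated straight into a class name by `include "collectd::plugin::${title}"` with no check on its shape, so any string placed in `collectd_plugins` selects a class to load. A one-line guard before the `include`, such as `validate_re($title, '^[a-z0-9_]+$', "invalid collectd plugin name: ${title}")`, keeps the list to simple plugin names and gives a clear error for typos.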
@@ -25,14 +30,13 @@ # Defaults to hiera('step') # class tripleo::profile::base::neutron::agents::ovn ( - $ovn_db_host, - $step = hiera('step') + $ovn_db_host = hiera('ovn_dbs_vip'), + $ovn_sbdb_port = hiera('ovn::southbound::port'), + $step = hiera('step') ) { if $step >= 4 { - $ovn_sbdb_port = hiera('ovn::southbound::port') class { '::ovn::controller': ovn_remote => "tcp:${ovn_db_host}:${ovn_sbdb_port}", - ovn_encap_type => hiera('ovn::southboud::encap_type') } } } diff --git a/manifests/profile/base/neutron/opendaylight.pp b/manifests/profile/base/neutron/opendaylight.pp index a3f46ec..556fe63 100644 --- a/manifests/profile/base/neutron/opendaylight.pp +++ b/manifests/profile/base/neutron/opendaylight.pp @@ -22,24 +22,19 @@ # (Optional) The current step of the deployment # Defaults to hiera('step') # -# [*primary_controller*] -# (Optional) The hostname of the first controller +# [*primary_node*] +# (Optional) The hostname of the first node of this role type # Defaults to hiera('bootstrap_nodeid', undef) # class tripleo::profile::base::neutron::opendaylight ( - $step = hiera('step'), - $primary_controller = hiera('bootstrap_nodeid', undef), + $step = hiera('step'), + $primary_node = hiera('bootstrap_nodeid', undef), ) { - include ::tripleo::profile::base::neutron - - if ! str2bool(hiera('opendaylight::enable_l3')) { - include ::tripleo::profile::base::neutron::l3 - } - if $step >= 1 { - # Configure ODL only on first controller - if $primary_controller == downcase($::hostname) { + # Configure ODL only on first node of the role where this service is + # applied + if $primary_node == downcase($::hostname) { include ::opendaylight } } diff --git a/manifests/profile/base/neutron/ovn_northd.pp b/manifests/profile/base/neutron/ovn_northd.pp new file mode 100644 index 0000000..0b46d5c --- /dev/null +++ b/manifests/profile/base/neutron/ovn_northd.pp 
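Review bot: With `$ovn_db_host` now defaulting to `hiera('ovn_dbs_vip')`, the unchanged line `ovn_remote => "tcp:${ovn_db_host}:${ovn_sbdb_port}"` in agents/ovn.pp produces an ambiguous address when the VIP is IPv6, because the address is not bracketed. The swift proxy profile touched by this same change already uses `normalize_ip_for_uri(...)` for that purpose; here it would be `$ovn_db_host_real = normalize_ip_for_uri($ovn_db_host)` followed by `ovn_remote => "tcp:${ovn_db_host_real}:${ovn_sbdb_port}",`. The same applies to `ovn_nb_connection` and `ovn_sb_connection` in manifests/profile/base/neutron/plugins/ml2/ovn.pp. The connection is plain `tcp:` to a VIP that haproxy.pp now publishes, so the parameter doc should also say which network `ovn_dbs_vip` is expected to live on.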
@@ -0,0 +1,40 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::neutron::plugins::ml2::ovn +# +# OVN Neutron northd profile for tripleo +# +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::neutron::ovn_northd ( + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $step = hiera('step'), +) { + if $step >= 4 { + # Note this only runs on the first node in the cluster when + # deployed on a role where multiple nodes exist. + if $::hostname == downcase($bootstrap_node) { + include ::ovn::northd + } + } +} + diff --git a/manifests/profile/base/neutron/plugins/ml2.pp b/manifests/profile/base/neutron/plugins/ml2.pp index 4f4de0b..c046850 100644 --- a/manifests/profile/base/neutron/plugins/ml2.pp +++ b/manifests/profile/base/neutron/plugins/ml2.pp @@ -71,5 +71,10 @@ class tripleo::profile::base::neutron::plugins::ml2 ( if 'ovn' in $mechanism_drivers { include ::tripleo::profile::base::neutron::plugins::ml2::ovn } + + if 'fujitsu_cfab' in $mechanism_drivers { + include ::neutron::plugins::ml2::fujitsu + include ::neutron::plugins::ml2::fujitsu::cfab + } } } 
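Review bot: The header comment of ovn_northd.pp names the wrong class, `== Class: tripleo::profile::base::neutron::plugins::ml2::ovn`, while the file defines `tripleo::profile::base::neutron::ovn_northd`; it should read `# == Class: tripleo::profile::base::neutron::ovn_northd`. The `bootstrap_node` doc says `Defaults to hiera('bootstrap_nodeid')` but the code adds an `undef` fallback, and with that fallback the hostname comparison presumably never matches, so northd would be installed nowhere without any error. The comparison also lowercases the configured node id rather than `$::hostname`, the opposite of opendaylight.pp in this change (`$primary_node == downcase($::hostname)`); one convention should be used for both.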
diff --git a/manifests/profile/base/neutron/plugins/ml2/ovn.pp b/manifests/profile/base/neutron/plugins/ml2/ovn.pp index 46477a7..b5b7a0a 100644 --- a/manifests/profile/base/neutron/plugins/ml2/ovn.pp +++ b/manifests/profile/base/neutron/plugins/ml2/ovn.pp @@ -17,7 +17,16 @@ # OVN Neutron ML2 profile for tripleo # # [*ovn_db_host*] -# The IP-Address/Hostname where OVN DBs are deployed +# The IP-Address where OVN DBs are listening. +# Defaults to hiera('ovn_dbs_vip') +# +# [*ovn_nb_port*] +# (Optional) Port number on which northbound database is listening +# Defaults to hiera('ovn::northbound::port') +# +# [*ovn_sb_port*] +# (Optional) Port number on which southbound database is listening +# Defaults to hiera('ovn::southbound::port') # # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates @@ -25,18 +34,12 @@ # Defaults to hiera('step') # class tripleo::profile::base::neutron::plugins::ml2::ovn ( - $ovn_db_host, - $step = hiera('step') + $ovn_db_host = hiera('ovn_dbs_vip'), + $ovn_nb_port = hiera('ovn::northbound::port'), + $ovn_sb_port = hiera('ovn::southbound::port'), + $step = hiera('step') ) { if $step >= 4 { - if $::hostname == $ovn_db_host { - # NOTE: we might split northd from plugin later, in the case of - # micro-services, where neutron-server & northd are not in the same - # containers - include ::ovn::northd - } - $ovn_nb_port = hiera('ovn::northbound::port') - $ovn_sb_port = hiera('ovn::southbound::port') class { '::neutron::plugins::ml2::ovn': ovn_nb_connection => "tcp:${ovn_db_host}:${ovn_nb_port}", ovn_sb_connection => "tcp:${ovn_db_host}:${ovn_sb_port}", diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp index 7f1c862..ab9700f 100644 --- a/manifests/profile/base/nova.pp +++ b/manifests/profile/base/nova.pp 
@@ -30,6 +30,26 @@ # (Optional) Whether or not manage Nova Live migration # Defaults to false # +# [*messaging_driver*] +# Driver for messaging service. +# Defaults to hiera('messaging_service_name', 'rabbit') +# +# [*messaging_hosts*] +# list of the messaging host fqdns +# Defaults to hiera('rabbitmq_node_names') +# +# [*messaging_password*] +# Password for messaging nova queue +# Defaults to hiera('nova::rabbit_password') +# +# [*messaging_port*] +# IP port for messaging service +# Defaults to hiera('nova::rabbit_port', 5672) +# +# [*messaging_username*] +# Username for messaging nova queue +# Defaults to hiera('nova::rabbit_userid', 'guest') +# # [*nova_compute_enabled*] # (Optional) Whether or not nova-compute is enabled. # Defaults to false @@ -38,22 +58,17 @@ # (Optional) The current step of the deployment # Defaults to hiera('step') # -# [*rabbit_hosts*] -# list of the rabbbit host fqdns -# Defaults to hiera('rabbitmq_node_names') -# -# [*rabbit_port*] -# IP port for rabbitmq service -# Defaults to hiera('nova::rabbit_port', 5672) - class tripleo::profile::base::nova ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $libvirt_enabled = false, $manage_migration = false, + $messaging_driver = hiera('messaging_service_name', 'rabbit'), + $messaging_hosts = any2array(hiera('rabbitmq_node_names', undef)), + $messaging_password = hiera('nova::rabbit_password'), + $messaging_port = hiera('nova::rabbit_port', '5672'), + $messaging_username = hiera('nova::rabbit_userid', 'guest'), $nova_compute_enabled = false, $step = hiera('step'), - $rabbit_hosts = hiera('rabbitmq_node_names', undef), - $rabbit_port = hiera('nova::rabbit_port', 5672), ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true 
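Review bot: In the nova.pp parameter list `$messaging_username` falls back to `'guest'`, the broker's well-known default account, whereas `$messaging_password` has no fallback and fails the lookup when unset; a deployment that omits `nova::rabbit_userid` therefore quietly connects as `guest`. I would make the username fail the same way, `$messaging_username = hiera('nova::rabbit_userid'),`, or at least document that the default is not meant for production. The doc for `messaging_port` gives the default as `5672` while the code uses the string `'5672'`. In the following hunk the password is embedded in `default_transport_url`; whether `os_transport_url` percent-encodes it is not visible here, so passwords containing URL-reserved characters deserve a test.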
@@ -68,9 +83,16 @@ class tripleo::profile::base::nova ( } if hiera('step') >= 4 or (hiera('step') >= 3 and $sync_db) { - $rabbit_endpoints = suffix(any2array($rabbit_hosts), ":${rabbit_port}") + # TODO(ccamacho): remove sprintf once we properly type the port, needs + # to be a string for the os_transport_url function. class { '::nova' : - rabbit_hosts => $rabbit_endpoints, + default_transport_url => os_transport_url({ + 'transport' => $messaging_driver, + 'hosts' => $messaging_hosts, + 'port' => sprintf('%s', $messaging_port), + 'username' => $messaging_username, + 'password' => $messaging_password, + }), } include ::nova::config class { '::nova::cache': diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp index cc5fd8a..19eb52b 100644 --- a/manifests/profile/base/pacemaker.pp +++ b/manifests/profile/base/pacemaker.pp @@ -40,7 +40,8 @@ class tripleo::profile::base::pacemaker ( $enable_fencing = str2bool(hiera('enable_fencing', false)) and $step >= 5 if $step >= 1 { - $pacemaker_cluster_members = downcase(regsubst(hiera('controller_node_names'), ',', ' ', 'G')) + $pacemaker_short_node_names = join(hiera('pacemaker_short_node_names'), ',') + $pacemaker_cluster_members = downcase(regsubst($pacemaker_short_node_names, ',', ' ', 'G')) $corosync_ipv6 = str2bool(hiera('corosync_ipv6', false)) if $corosync_ipv6 { $cluster_setup_extras = { '--token' => hiera('corosync_token_timeout', 1000), '--ipv6' => '' } diff --git a/manifests/profile/base/swift/proxy.pp b/manifests/profile/base/swift/proxy.pp index 974a725..7bbef1e 100644 --- a/manifests/profile/base/swift/proxy.pp +++ b/manifests/profile/base/swift/proxy.pp 
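Review bot: In pacemaker.pp the node list is joined with commas by `join(hiera('pacemaker_short_node_names'), ',')` only for `regsubst(..., ',', ' ', 'G')` to turn those commas into spaces on the next line; `$pacemaker_cluster_members = downcase(join(hiera('pacemaker_short_node_names'), ' '))` says the same in one step. If the intermediate comma-separated string is kept on purpose, a short comment should say why. `join` expects an array, so a deployment that still supplies a comma-separated string under this key would presumably fail at compile time; the lookup has no default either.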
@@ -37,14 +37,19 @@ # # [*rabbit_port*] # IP port for rabbitmq service -# Defaults to hiera('swift::proxy::ceilometer::rabbit_port', 5672) +# Defaults to 5672 +# +# [*ceilometer_enabled*] +# Whether the ceilometer pipeline is enabled. +# Defaults to true # class tripleo::profile::base::swift::proxy ( - $step = hiera('step'), - $memcache_servers = hiera('memcached_node_ips'), - $memcache_port = 11211, - $rabbit_hosts = hiera('rabbitmq_node_names', undef), - $rabbit_port = hiera('swift::proxy::ceilometer::rabbit_port', 5672), + $step = hiera('step'), + $memcache_servers = hiera('memcached_node_ips'), + $memcache_port = 11211, + $rabbit_hosts = hiera('rabbitmq_node_names', undef), + $rabbit_port = 5672, + $ceilometer_enabled = true, ) { if $step >= 4 { $swift_memcache_servers = suffix(any2array(normalize_ip_for_uri($memcache_servers)), ":${memcache_port}") @@ -64,8 +69,10 @@ class tripleo::profile::base::swift::proxy ( include ::swift::proxy::formpost include ::swift::proxy::bulk $swift_rabbit_hosts = suffix(any2array($rabbit_hosts), ":${rabbit_port}") - class { '::swift::proxy::ceilometer': - rabbit_hosts => $swift_rabbit_hosts, + if $ceilometer_enabled { + class { '::swift::proxy::ceilometer': + rabbit_hosts => $swift_rabbit_hosts, + } } include ::swift::proxy::versioned_writes include ::swift::proxy::slo diff --git a/manifests/tls_proxy.pp b/manifests/tls_proxy.pp new file mode 100644 index 0000000..36d6b6d --- /dev/null +++ b/manifests/tls_proxy.pp 
@@ -0,0 +1,60 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::tls_proxy
+#
+# Sets up a TLS proxy using mod_proxy that redirects towards localhost.
+#
+# === Parameters
+#
+# [*ip*]
+# The IP address that the proxy will be listening on.
+#
+# [*port*]
+# The port that the proxy will be listening on.
+#
+# [*servername*]
+# The vhost servername that contains the FQDN to identify the virtual host.
+#
+# [*tls_cert*]
+# The path to the TLS certificate that the proxy will be serving.
+#
+# [*tls_key*]
+# The path to the key used for the specified certificate.
+#
+define tripleo::tls_proxy(
+ $ip,
+ $port,
+ $servername,
+ $tls_cert,
+ $tls_key,
+) {
+ ::apache::vhost { "${title}-proxy":
+ ensure => 'present',
+ docroot => undef, # This is required by the manifest
+ manage_docroot => false,
+ servername => $servername,
+ ip => $ip,
+ port => $port,
+ ssl => true,
+ ssl_cert => $tls_cert,
+ ssl_key => $tls_key,
+ request_headers => ['set X-Forwarded-Proto "https"'],
+ proxy_pass => {
+ path => '/',
+ url => "http://localhost:${port}/",
+ params => {retry => '10'},
+ }
+ }
+}
diff --git a/manifests/vip_hosts.pp b/manifests/vip_hosts.pp
deleted file mode 100644
index 7b260fd..0000000
--- a/manifests/vip_hosts.pp
+++ /dev/null
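Review bot: The vhost in tls_proxy.pp listens on `$ip:$port` and forwards to `http://localhost:${port}/`, so it only provides TLS if the backend service is bound to localhost on that same port; if the backend also listens on `$ip` or on all addresses, either Apache cannot bind or the plaintext port stays reachable beside the proxy. Nothing in the define checks or documents that contract, so I would add to the header `# The proxied service must listen on localhost:<port> only; this define does not enforce it.`. No `ssl_protocol` or `ssl_cipher` is passed, so protocol and cipher policy come from whatever the Apache module defaults to; say so in the doc or expose them as optional parameters. `servername` is documented as an FQDN, but none of the five parameters is validated.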
@@ -1,39 +0,0 @@ -# Copyright 2016 Red Hat, Inc. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# == Class: tripleo::vip_hosts -# -# Write the overcloud VIPs into /etc/hosts -# -# === Parameters -# -# [*hosts_spec*] -# The specification of the hosts that will be added to the /etc/hosts file. -# These come in the form of a hash that will be consumed by create_resources. -# e.g.: -# tripleo::hosts_spec: -# host-1: -# name: host1.domain -# ip: 127.0.0.1 -# host-2: -# name: host2.domain -# ip: 127.0.0.2 -# -class tripleo::vip_hosts ( - $hosts_spec -) { - create_resources('host', $hosts_spec) -} - |