Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/haproxy.pp | 20 | ||||
-rw-r--r-- | manifests/haproxy/endpoint.pp | 26 | ||||
-rw-r--r-- | manifests/profile/base/barbican/api.pp | 4 | ||||
-rw-r--r-- | manifests/profile/base/database/mysql.pp | 3 | ||||
-rw-r--r-- | manifests/profile/base/logging/logrotate.pp | 112 |
5 files changed, 143 insertions, 22 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 83ca930..4d37458 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -524,7 +524,6 @@
 # 'ironic_inspector_port' (Defaults to 5050)
 # 'ironic_inspector_ssl_port' (Defaults to 13050)
 # 'keystone_admin_api_port' (Defaults to 35357)
-# 'keystone_admin_api_ssl_port' (Defaults to 13357)
 # 'keystone_public_api_port' (Defaults to 5000)
 # 'keystone_public_api_ssl_port' (Defaults to 13000)
 # 'manila_api_port' (Defaults to 8786)
@@ -713,7 +712,6 @@ class tripleo::haproxy (
 ironic_inspector_port => 5050,
 ironic_inspector_ssl_port => 13050,
 keystone_admin_api_port => 35357,
- keystone_admin_api_ssl_port => 13357,
 keystone_public_api_port => 5000,
 keystone_public_api_ssl_port => 13000,
 manila_api_port => 8786,
@@ -862,16 +860,14 @@ class tripleo::haproxy (
 if $keystone_admin {
 ::tripleo::haproxy::endpoint { 'keystone_admin':
- public_virtual_ip => $public_virtual_ip,
- internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip),
- service_port => $ports[keystone_admin_api_port],
- ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real),
- server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real),
- mode => 'http',
- listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }),
- public_ssl_port => $ports[keystone_admin_api_ssl_port],
- service_network => $keystone_admin_network,
- member_options => union($haproxy_member_options, $internal_tls_member_options),
+ internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip),
+ service_port => $ports[keystone_admin_api_port],
+ ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real),
+ server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real),
+ mode => 'http',
+ listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }),
+ service_network => $keystone_admin_network,
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
 }
 }
diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp
index 9139061..4436e19 100644
--- a/manifests/haproxy/endpoint.pp
+++ b/manifests/haproxy/endpoint.pp
@@ -133,21 +133,35 @@ define tripleo::haproxy::endpoint ( } else { # internal service only $public_bind_opts = {} + $listen_options_real = $listen_options } if $use_internal_certificates { if !$service_network { fail("The service_network for this service is undefined. Can't configure TLS for the internal network.") } - # NOTE(jaosorior): The key of the internal_certificates_specs hash must - # must match the convention haproxy-<network name> or else this - # will fail. Futherly, it must contain the path that we'll use under - # 'service_pem'. - $internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem'] + + if $service_network == 'external' and $public_certificate { + # NOTE(jaosorior): This service has been configured to use the external + # network. We should use the public certificate in this case. + $internal_cert_path = $public_certificate + } else { + # NOTE(jaosorior): This service is configured for the internal network. + # We use the certificate spec hash. The key of the + # internal_certificates_specs hash must must match the convention + # haproxy-<network name> or else this will fail. Futherly, it must + # contain the path that we'll use under 'service_pem'. 
+ $internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem'] + } $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_cert_path])) } else { - $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param) + if $service_network == 'external' and $public_certificate { + $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), + union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate])) + } else { + $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param) + } } $bind_opts = merge($internal_bind_opts, $public_bind_opts) diff --git a/manifests/profile/base/barbican/api.pp b/manifests/profile/base/barbican/api.pp index 40a0a99..48bf4b8 100644 --- a/manifests/profile/base/barbican/api.pp +++ b/manifests/profile/base/barbican/api.pp @@ -129,10 +129,6 @@ class tripleo::profile::base::barbican::api ( include ::tripleo::profile::base::barbican - if $step >= 3 and $sync_db { - include ::barbican::db::mysql - } - if $step >= 4 or ( $step >= 3 and $sync_db ) { $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl))) class { '::barbican::api': diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp index 7e7d68b..7bb8c74 100644 --- a/manifests/profile/base/database/mysql.pp +++ b/manifests/profile/base/database/mysql.pp @@ -171,6 +171,9 @@ class tripleo::profile::base::database::mysql ( if hiera('cinder_api_enabled', false) { include ::cinder::db::mysql } + if hiera('barbican_api_enabled', false) { + include ::barbican::db::mysql + } if hiera('congress_enabled', false) { include ::congress::db::mysql } 
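Review bot: In manifests/haproxy/endpoint.pp the last `else` of the new branch for the case without internal certificates still binds `$internal_ip` with plain `$haproxy_listen_bind_param` when `$service_network` is 'external' and `$public_certificate` is unset, so an endpoint placed on the external network is served in cleartext with nothing in the catalog run saying so. A `warning("${name}: external-network bind without TLS, public_certificate is not set")` in that branch would make the downgrade visible to the operator. The test `$service_network == 'external' and $public_certificate` is also written twice; selecting the certificate path once and building `$internal_bind_opts` from it would keep the two branches from drifting apart. The define's body starts and ends outside the hunk, so how `$listen_options_real` is set for the public case cannot be checked from here.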
diff --git a/manifests/profile/base/logging/logrotate.pp b/manifests/profile/base/logging/logrotate.pp
new file mode 100644
index 0000000..1545875
--- /dev/null
+++ b/manifests/profile/base/logging/logrotate.pp
@@ -0,0 +1,112 @@
+# Copyright 2017 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::logging::logrotate
+#
+# Installs a cron job that rotates containerized services logs.
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) String. The current step of the deployment
+# Defaults to hiera('step')
+#
+# [*ensure*]
+# (optional) Defaults to present.
+# Valid values are present, absent.
+#
+# [*minute*]
+# (optional) Defaults to '0'. Configures cron job for logrotate.
+#
+# [*hour*]
+# (optional) Defaults to '*'. Configures cron job for logrotate.
+#
+# [*monthday*]
+# (optional) Defaults to '*'. Configures cron job for logrotate.
+#
+# [*month*]
+# (optional) Defaults to '*'. Configures cron job for logrotate.
+#
+# [*weekday*]
+# (optional) Defaults to '*'. Configures cron job for logrotate.
+#
+# [*maxdelay*]
+# (optional) Seconds. Defaults to 90. Should be a positive integer.
+# Induces a random delay before running the cronjob to avoid running all
+# cron jobs at the same time on all hosts this job is configured.
+#
+# [*user*]
+# (optional) Defaults to 'root'. Configures cron job for logrotate.
+#
+# [*delaycompress*]
+# (optional) Defaults to True.
+# Configures the logrotate delaycompress parameter.
+#
+# [*size*]
+# (optional) Defaults to '10M'.
+# Configures the logrotate size parameter.
+#
+# [*rotate*]
+# (optional) Defaults to 14.
+# Configures the logrotate rotate parameter.
+#
+class tripleo::profile::base::logging::logrotate (
+ $step = Integer(hiera('step')),
+ $ensure = present,
+ $minute = 0,
+ $hour = '*',
+ $monthday = '*',
+ $month = '*',
+ $weekday = '*',
+ Integer $maxdelay = 90,
+ $user = 'root',
+ $delaycompress = true,
+ $size = '10M',
+ $rotate = 14,
+) {
+
+ if $step >= 4 {
+ if $maxdelay == 0 {
+ $sleep = ''
+ } else {
+ $sleep = "sleep `expr \${RANDOM} \\% ${maxdelay}`; "
+ }
+
+ $svc = 'logrotate-crond'
+ $config = "/etc/${svc}.conf"
+ $state = "/var/lib/logrotate/${svc}.status"
+ $cmd = "${sleep}/usr/sbin/logrotate -s ${state} ${config}"
+
+ file { "${config}":
+ ensure => $ensure,
+ owner => $user,
+ group => $user,
+ mode => '0640',
+ content => template('tripleo/logrotate/containers_logrotate.conf.erb'),
+ }
+
+ cron { "${svc}":
+ ensure => $ensure,
+ command => "${cmd} 2>&1|logger -t ${svc}",
+ environment => 'PATH=/bin:/usr/bin:/usr/sbin SHELL=/bin/sh',
+ user => $user,
+ minute => $minute,
+ hour => $hour,
+ monthday => $monthday,
+ month => $month,
+ weekday => $weekday,
+ }
+ }
+} |
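Review bot: The cron resource passes `environment` as one string holding two assignments; Puppet's cron type takes one `VAR=value` per array element, so as written both most likely end up on a single crontab line and `SHELL=/bin/sh` becomes part of the PATH value instead of setting the shell. Use `environment => ['PATH=/bin:/usr/bin:/usr/sbin', 'SHELL=/bin/sh'],`. `$maxdelay` is typed plain `Integer` although the parameter docs ask for a positive value; `Integer[0] $maxdelay = 90,` would reject negatives before they are interpolated into the `expr` call that runs from the `$user` (default root) crontab. `${RANDOM}` is a bash feature, so the random delay only works where /bin/sh provides it, which deserves a comment next to `$sleep`.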