diff options
Diffstat (limited to 'manifests')
24 files changed, 873 insertions, 311 deletions
diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp index 3def337..d4f4ad2 100644 --- a/manifests/certmonger/haproxy.pp +++ b/manifests/certmonger/haproxy.pp @@ -88,13 +88,14 @@ define tripleo::certmonger::haproxy ( require => Class['::certmonger'], } concat { $service_pem : - ensure => present, - mode => '0640', - owner => 'haproxy', - group => 'haproxy', - tag => 'haproxy-cert', - require => Package[$::haproxy::params::package_name], + ensure => present, + mode => '0640', + owner => 'haproxy', + group => 'haproxy', + tag => 'haproxy-cert', } + Package<| name == $::haproxy::params::package_name |> -> Concat[$service_pem] + concat::fragment { "${title}-cert-fragment": target => $service_pem, source => $service_certificate, diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index a3d088a..9939ca9 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -402,6 +402,10 @@ # (optional) Specify the network heat_cloudwatch is running on. # Defaults to hiera('heat_api_cloudwatch_network', undef) # +# [*horizon_network*] +# (optional) Specify the network horizon is running on. +# Defaults to hiera('horizon_network', undef) +# # [*ironic_inspector_network*] # (optional) Specify the network ironic_inspector is running on. # Defaults to hiera('ironic_inspector_network', undef) @@ -520,7 +524,6 @@ # 'ironic_inspector_port' (Defaults to 5050) # 'ironic_inspector_ssl_port' (Defaults to 13050) # 'keystone_admin_api_port' (Defaults to 35357) -# 'keystone_admin_api_ssl_port' (Defaults to 13357) # 'keystone_public_api_port' (Defaults to 5000) # 'keystone_public_api_ssl_port' (Defaults to 13000) # 'manila_api_port' (Defaults to 8786) @@ -644,6 +647,7 @@ class tripleo::haproxy ( $heat_api_network = hiera('heat_api_network', undef), $heat_cfn_network = hiera('heat_api_cfn_network', undef), $heat_cloudwatch_network = hiera('heat_api_cloudwatch_network', undef), + $horizon_network = hiera('horizon_network', undef), $ironic_inspector_network = hiera('ironic_inspector_network', undef), $ironic_network = hiera('ironic_api_network', undef), $keystone_admin_network = hiera('keystone_admin_api_network', undef), @@ -708,7 +712,6 @@ class tripleo::haproxy ( ironic_inspector_port => 5050, ironic_inspector_ssl_port => 13050, keystone_admin_api_port => 35357, - keystone_admin_api_ssl_port => 13357, keystone_public_api_port => 5000, keystone_public_api_ssl_port => 13000, manila_api_port => 8786, @@ -772,43 +775,6 @@ class tripleo::haproxy ( $controller_hosts_names_real = downcase(any2array(split($controller_hosts_names, ','))) } - $horizon_vip = hiera('horizon_vip', $controller_virtual_ip) - if $service_certificate { - # NOTE(jaosorior): If the horizon_vip and the public_virtual_ip are the - # same, the first option takes precedence. Which is the case when network - # isolation is not enabled. This is not a problem as both options are - # identical. If network isolation is enabled, this works correctly and - # will add a TLS binding to both the horizon_vip and the - # public_virtual_ip. - # Even though for the public_virtual_ip the port 80 is listening, we - # redirect to https in the horizon_options below. - $horizon_bind_opts = { - "${horizon_vip}:80" => $haproxy_listen_bind_param, - "${horizon_vip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - "${public_virtual_ip}:80" => $haproxy_listen_bind_param, - "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - $horizon_options = { - 'cookie' => 'SERVERID insert indirect nocache', - 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', - # NOTE(jaosorior): We always redirect to https for the public_virtual_ip. - 'redirect' => 'scheme https code 301 if !{ ssl_fc }', - 'option' => [ 'forwardfor', 'httpchk' ], - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - } - } else { - $horizon_bind_opts = { - "${horizon_vip}:80" => $haproxy_listen_bind_param, - "${public_virtual_ip}:80" => $haproxy_listen_bind_param, - } - $horizon_options = { - 'cookie' => 'SERVERID insert indirect nocache', - 'option' => [ 'forwardfor', 'httpchk' ], - } - } - $mysql_vip = hiera('mysql_vip', $controller_virtual_ip) $mysql_bind_opts = { "${mysql_vip}:3306" => $haproxy_listen_bind_param, @@ -894,16 +860,14 @@ class tripleo::haproxy ( if $keystone_admin { ::tripleo::haproxy::endpoint { 'keystone_admin': - public_virtual_ip => $public_virtual_ip, - internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip), - service_port => $ports[keystone_admin_api_port], - ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real), - server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real), - mode => 'http', - listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }), - public_ssl_port => $ports[keystone_admin_api_ssl_port], - service_network => $keystone_admin_network, - member_options => union($haproxy_member_options, $internal_tls_member_options), + internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip), + service_port => $ports[keystone_admin_api_port], + ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real), + server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real), + mode => 'http', + listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }), + service_network => $keystone_admin_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -1071,6 +1035,7 @@ class tripleo::haproxy ( 'option' => [ 'httpchk', ], }, service_network => $nova_metadata_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -1274,18 +1239,17 @@ class tripleo::haproxy ( } if $horizon { - haproxy::listen { 'horizon': - bind => $horizon_bind_opts, - options => $horizon_options, - mode => 'http', - collect_exported => false, - } - haproxy::balancermember { 'horizon': - listening_service => 'horizon', - ports => '80', - ipaddresses => hiera('horizon_node_ips', $controller_hosts_real), - server_names => hiera('horizon_node_names', $controller_hosts_names_real), - options => union($haproxy_member_options, ["cookie ${::hostname}"]), + class { '::tripleo::haproxy::horizon_endpoint': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('horizon_vip', $controller_virtual_ip), + haproxy_listen_bind_param => $haproxy_listen_bind_param, + ip_addresses => hiera('horizon_node_ips', $controller_hosts_real), + server_names => hiera('horizon_node_names', $controller_hosts_names_real), + member_options => union($haproxy_member_options, $internal_tls_member_options), + public_certificate => $service_certificate, + use_internal_certificates => $use_internal_certificates, + internal_certificates_specs => $internal_certificates_specs, + service_network => $horizon_network, } } diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp index 9139061..4436e19 100644 --- a/manifests/haproxy/endpoint.pp +++ b/manifests/haproxy/endpoint.pp @@ -133,21 +133,35 @@ define tripleo::haproxy::endpoint ( } else { # internal service only $public_bind_opts = {} + $listen_options_real = $listen_options } if $use_internal_certificates { if !$service_network { fail("The service_network for this service is undefined. Can't configure TLS for the internal network.") } - # NOTE(jaosorior): The key of the internal_certificates_specs hash must - # must match the convention haproxy-<network name> or else this - # will fail. Futherly, it must contain the path that we'll use under - # 'service_pem'. - $internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem'] + + if $service_network == 'external' and $public_certificate { + # NOTE(jaosorior): This service has been configured to use the external + # network. We should use the public certificate in this case. + $internal_cert_path = $public_certificate + } else { + # NOTE(jaosorior): This service is configured for the internal network. + # We use the certificate spec hash. The key of the + # internal_certificates_specs hash must must match the convention + # haproxy-<network name> or else this will fail. Futherly, it must + # contain the path that we'll use under 'service_pem'. + $internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem'] + } $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_cert_path])) } else { - $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param) + if $service_network == 'external' and $public_certificate { + $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), + union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate])) + } else { + $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param) + } } $bind_opts = merge($internal_bind_opts, $public_bind_opts) diff --git a/manifests/haproxy/horizon_endpoint.pp b/manifests/haproxy/horizon_endpoint.pp new file mode 100644 index 0000000..c7dfd88 --- /dev/null +++ b/manifests/haproxy/horizon_endpoint.pp @@ -0,0 +1,154 @@ +# Copyright 2014 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +# == Class: tripleo::haproxy::endpoint +# +# Configure a HAProxy listen endpoint +# +# [*internal_ip*] +# The IP in which the proxy endpoint will be listening in the internal +# network. +# +# [*ip_addresses*] +# The ordered list of IPs to be used to contact the balancer member. +# +# [*server_names*] +# The names of the balancer members, which usually should be the hostname. +# +# [*member_options*] +# Options for the balancer member, specified after the server declaration. +# These should go in the member's configuration block. +# +# [*public_virtual_ip*] +# Address in which the proxy endpoint will be listening in the public network. +# If this service is internal only this should be ommitted. +# Defaults to undef. +# +# [*haproxy_listen_bind_param*] +# A list of params to be added to the HAProxy listener bind directive. +# Defaults to undef. +# +# [*public_certificate*] +# Certificate path used to enable TLS for the public proxy endpoint. +# Defaults to undef. +# +# [*use_internal_certificates*] +# Flag that indicates if we'll use an internal certificate for this specific +# service. When set, enables SSL on the internal API endpoints using the file +# that certmonger is tracking; this is derived from the network the service is +# listening on. +# Defaults to false +# +# [*internal_certificates_specs*] +# A hash that should contain the specs that were used to create the +# certificates. As the name indicates, only the internal certificates will be +# fetched from here. And the keys should follow the following pattern +# "haproxy-<network name>". The network name should be as it was defined in +# tripleo-heat-templates. +# Note that this is only taken into account if the $use_internal_certificates +# flag is set. +# Defaults to {} +# +# [*service_network*] +# (optional) Indicates the network that the service is running on. Used for +# fetching the certificate for that specific network. +# Defaults to undef +# +class tripleo::haproxy::horizon_endpoint ( + $internal_ip, + $ip_addresses, + $server_names, + $member_options, + $public_virtual_ip, + $haproxy_listen_bind_param = undef, + $public_certificate = undef, + $use_internal_certificates = false, + $internal_certificates_specs = {}, + $service_network = undef, +) { + # service exposed to the public network + if $public_certificate { + if $use_internal_certificates { + if !$service_network { + fail("The service_network for this service is undefined. Can't configure TLS for the internal network.") + } + # NOTE(jaosorior): The key of the internal_certificates_specs hash must + # must match the convention haproxy-<network name> or else this + # will fail. Futherly, it must contain the path that we'll use under + # 'service_pem'. + $internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem'] + $internal_bind_opts = union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_cert_path]) + } else { + # If no internal cert is given, we still configure TLS for the internal + # network, however, we expect that the public certificate has appropriate + # subjectaltnames set. + $internal_bind_opts = union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]) + } + # NOTE(jaosorior): If the internal_ip and the public_virtual_ip are the + # same, the first option takes precedence. Which is the case when network + # isolation is not enabled. This is not a problem as both options are + # identical. If network isolation is enabled, this works correctly and + # will add a TLS binding to both the internal_ip and the + # public_virtual_ip. + # Even though for the public_virtual_ip the port 80 is listening, we + # redirect to https in the horizon_options below. + $horizon_bind_opts = { + "${internal_ip}:80" => $haproxy_listen_bind_param, + "${internal_ip}:443" => $internal_bind_opts, + "${public_virtual_ip}:80" => $haproxy_listen_bind_param, + "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]), + } + $horizon_options = { + 'cookie' => 'SERVERID insert indirect nocache', + 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', + # NOTE(jaosorior): We always redirect to https for the public_virtual_ip. + 'redirect' => 'scheme https code 301 if !{ ssl_fc }', + 'option' => [ 'forwardfor', 'httpchk' ], + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + } + } else { + $horizon_bind_opts = { + "${internal_ip}:80" => $haproxy_listen_bind_param, + "${public_virtual_ip}:80" => $haproxy_listen_bind_param, + } + $horizon_options = { + 'cookie' => 'SERVERID insert indirect nocache', + 'option' => [ 'forwardfor', 'httpchk' ], + } + } + + if $use_internal_certificates { + # Use SSL port if TLS in the internal network is enabled. + $backend_port = '443' + } else { + $backend_port = '80' + } + + haproxy::listen { 'horizon': + bind => $horizon_bind_opts, + options => $horizon_options, + mode => 'http', + collect_exported => false, + } + haproxy::balancermember { 'horizon': + listening_service => 'horizon', + ports => $backend_port, + ipaddresses => $ip_addresses, + server_names => $server_names, + options => union($member_options, ["cookie ${::hostname}"]), + } +} diff --git a/manifests/profile/base/barbican/api.pp b/manifests/profile/base/barbican/api.pp index 40a0a99..48bf4b8 100644 --- a/manifests/profile/base/barbican/api.pp +++ b/manifests/profile/base/barbican/api.pp @@ -129,10 +129,6 @@ class tripleo::profile::base::barbican::api ( include ::tripleo::profile::base::barbican - if $step >= 3 and $sync_db { - include ::barbican::db::mysql - } - if $step >= 4 or ( $step >= 3 and $sync_db ) { $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl))) class { '::barbican::api': diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp index 231a1d0..2ac4b6e 100644 --- a/manifests/profile/base/certmonger_user.pp +++ b/manifests/profile/base/certmonger_user.pp @@ -80,13 +80,16 @@ class tripleo::profile::base::certmonger_user ( unless empty($haproxy_certificates_specs) { $reload_haproxy = ['systemctl reload haproxy'] Class['::tripleo::certmonger::ca::crl'] ~> Haproxy::Balancermember<||> - Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy'] + if defined(Class['::haproxy']) { + Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy'] + } } else { $reload_haproxy = [] } class { '::tripleo::certmonger::ca::crl' : reload_cmds => $reload_haproxy, } + Certmonger_certificate<||> -> Class['::tripleo::certmonger::ca::crl'] include ::tripleo::certmonger::ca::libvirt unless empty($apache_certificates_specs) { diff --git a/manifests/profile/base/cinder/api.pp b/manifests/profile/base/cinder/api.pp index 54880ad..892e4ed 100644 --- a/manifests/profile/base/cinder/api.pp +++ b/manifests/profile/base/cinder/api.pp @@ -43,6 +43,12 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # +# [*keymgr_api_class*] +# (Optional) The encryption key manager API class. The default value +# ensures Cinder's legacy key manager is enabled when no hiera value is +# specified. +# Defaults to hiera('cinder::api::keymgr_api_class', 'cinder.keymgr.conf_key_mgr.ConfKeyManager') +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -53,6 +59,7 @@ class tripleo::profile::base::cinder::api ( $certificates_specs = hiera('apache_certificates_specs', {}), $cinder_api_network = hiera('cinder_api_network', undef), $enable_internal_tls = hiera('enable_internal_tls', false), + $keymgr_api_class = hiera('cinder::api::keymgr_api_class', 'cinder.keymgr.conf_key_mgr.ConfKeyManager'), $step = Integer(hiera('step')), ) { if $::hostname == downcase($bootstrap_node) { @@ -75,7 +82,9 @@ class tripleo::profile::base::cinder::api ( } if $step >= 4 or ($step >= 3 and $sync_db) { - include ::cinder::api + class { '::cinder::api': + keymgr_api_class => $keymgr_api_class, + } include ::apache::mod::ssl class { '::cinder::wsgi::apache': ssl_cert => $tls_certfile, diff --git a/manifests/profile/base/cinder/volume.pp b/manifests/profile/base/cinder/volume.pp index 252bae1..b9cee83 100644 --- a/manifests/profile/base/cinder/volume.pp +++ b/manifests/profile/base/cinder/volume.pp @@ -30,6 +30,10 @@ # (Optional) Whether to enable the unity backend # Defaults to false # +# [*cinder_enable_dellemc_vmax_iscsi_backend*] +# (Optional) Whether to enable the vmax iscsi backend +# Defaults to false +# # [*cinder_enable_hpelefthand_backend*] # (Optional) Whether to enable the hpelefthand backend # Defaults to false @@ -72,19 +76,20 @@ # Defaults to hiera('step') # class tripleo::profile::base::cinder::volume ( - $cinder_enable_pure_backend = false, - $cinder_enable_dellsc_backend = false, - $cinder_enable_dellemc_unity_backend = false, - $cinder_enable_hpelefthand_backend = false, - $cinder_enable_dellps_backend = false, - $cinder_enable_iscsi_backend = true, - $cinder_enable_netapp_backend = false, - $cinder_enable_nfs_backend = false, - $cinder_enable_rbd_backend = false, - $cinder_enable_scaleio_backend = false, - $cinder_enable_vrts_hs_backend = false, - $cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef), - $step = Integer(hiera('step')), + $cinder_enable_pure_backend = false, + $cinder_enable_dellsc_backend = false, + $cinder_enable_dellemc_unity_backend = false, + $cinder_enable_dellemc_vmax_iscsi_backend = false, + $cinder_enable_hpelefthand_backend = false, + $cinder_enable_dellps_backend = false, + $cinder_enable_iscsi_backend = true, + $cinder_enable_netapp_backend = false, + $cinder_enable_nfs_backend = false, + $cinder_enable_rbd_backend = false, + $cinder_enable_scaleio_backend = false, + $cinder_enable_vrts_hs_backend = false, + $cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef), + $step = Integer(hiera('step')), ) { include ::tripleo::profile::base::cinder @@ -112,6 +117,14 @@ class tripleo::profile::base::cinder::volume ( $cinder_dellemc_unity_backend_name = undef } + if $cinder_enable_dellemc_vmax_iscsi_backend { + include ::tripleo::profile::base::cinder::volume::dellemc_vmax_iscsi + $cinder_dellemc_vmax_iscsi_backend_name = hiera('cinder::backend::dellemc_vmax_iscsi::volume_backend_name', + 'tripleo_dellemc_vmax_iscsi') + } else { + $cinder_dellemc_vmax_iscsi_backend_name = undef + } + if $cinder_enable_hpelefthand_backend { include ::tripleo::profile::base::cinder::volume::hpelefthand $cinder_hpelefthand_backend_name = hiera('cinder::backend::hpelefthand_iscsi::volume_backend_name', 'tripleo_hpelefthand') @@ -174,6 +187,7 @@ class tripleo::profile::base::cinder::volume ( $cinder_dellps_backend_name, $cinder_dellsc_backend_name, $cinder_dellemc_unity_backend_name, + $cinder_dellemc_vmax_iscsi_backend_name, $cinder_hpelefthand_backend_name, $cinder_netapp_backend_name, $cinder_nfs_backend_name, diff --git a/manifests/profile/base/cinder/volume/dellemc_vmax_iscsi.pp b/manifests/profile/base/cinder/volume/dellemc_vmax_iscsi.pp new file mode 100644 index 0000000..d09481f --- /dev/null +++ b/manifests/profile/base/cinder/volume/dellemc_vmax_iscsi.pp @@ -0,0 +1,42 @@ +# Copyright (c) 2016-2017 Dell Inc, or its subsidiaries. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::cinder::volume::dellemc_vmax_iscsi +# +# Cinder Volume dellemc_vmax_iscsi profile for tripleo +# +# === Parameters +# +# [*backend_name*] +# (Optional) Name given to the Cinder backend stanza +# Defaults to 'tripleo_dellemc_vmax_iscsi' +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::cinder::volume::dellemc_vmax_iscsi ( + $backend_name = hiera('cinder::backend::dellemc_vmax_iscsi::volume_backend_name', 'tripleo_dellemc_vmax_iscsi'), + $step = Integer(hiera('step')), +) { + include ::tripleo::profile::base::cinder::volume + + if $step >= 4 { + cinder::backend::dellemc_vmax_iscsi { $backend_name : + cinder_emc_config_file => hiera('cinder::backend::dellemc_vmax_iscsi::cinder_emc_config_file', undef), + } + } + +} diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp index 3bf41cf..7bb8c74 100644 --- a/manifests/profile/base/database/mysql.pp +++ b/manifests/profile/base/database/mysql.pp @@ -47,6 +47,10 @@ # limit for the mysql service. # Defaults to false # +# [*innodb_buffer_pool_size*] +# (Optional) Configure the size of the MySQL buffer pool. +# Defaults to hiera('innodb_buffer_pool_size', undef) +# # [*manage_resources*] # (Optional) Whether or not manage root user, root my.cnf, and service. # Defaults to true @@ -76,6 +80,7 @@ class tripleo::profile::base::database::mysql ( $certificate_specs = {}, $enable_internal_tls = hiera('enable_internal_tls', false), $generate_dropin_file_limit = false, + $innodb_buffer_pool_size = hiera('innodb_buffer_pool_size', undef), $manage_resources = true, $mysql_server_options = {}, $mysql_max_connections = hiera('mysql_max_connections', undef), @@ -123,14 +128,15 @@ class tripleo::profile::base::database::mysql ( # MysqlNetwork and ControllerHostnameResolveNetwork in ServiceNetMap $mysql_server_default = { 'mysqld' => { - 'bind-address' => $bind_address, - 'max_connections' => $mysql_max_connections, - 'open_files_limit' => '-1', - 'innodb_file_per_table' => 'ON', - 'ssl' => $enable_internal_tls, - 'ssl-key' => $tls_keyfile, - 'ssl-cert' => $tls_certfile, - 'ssl-ca' => undef, + 'bind-address' => $bind_address, + 'max_connections' => $mysql_max_connections, + 'open_files_limit' => '-1', + 'innodb_buffer_pool_size' => $innodb_buffer_pool_size, + 'innodb_file_per_table' => 'ON', + 'ssl' => $enable_internal_tls, + 'ssl-key' => $tls_keyfile, + 'ssl-cert' => $tls_certfile, + 'ssl-ca' => undef, } } $mysql_server_options_real = deep_merge($mysql_server_default, $mysql_server_options) @@ -165,6 +171,9 @@ class tripleo::profile::base::database::mysql ( if hiera('cinder_api_enabled', false) { include ::cinder::db::mysql } + if hiera('barbican_api_enabled', false) { + include ::barbican::db::mysql + } if hiera('congress_enabled', false) { include ::congress::db::mysql } diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp index 5f6d97c..8cb4cdd 100644 --- a/manifests/profile/base/docker.pp +++ b/manifests/profile/base/docker.pp @@ -19,10 +19,11 @@ # # === Parameters # -# [*insecure_registry_address*] -# The host/port combiniation of the insecure registry. This is used to configure -# /etc/sysconfig/docker so that a local (insecure) registry can be accessed. -# Example: 127.0.0.1:8787 (defaults to unset) +# [*insecure_registries*] +# An array of host/port combiniations of insecure registries. This is used to configure +# /etc/sysconfig/docker so that local (insecure) registries can be accessed. +# Example: ['127.0.0.1:8787'] +# (defaults to unset) # # [*registry_mirror*] # Configure a registry-mirror in the /etc/docker/daemon.json file. @@ -32,7 +33,7 @@ # OPTIONS that are used to startup the docker service. NOTE: # --selinux-enabled is dropped due to recommendations here: # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/technology-preview-file_systems.html -# Defaults to '--log-driver=journald --signature-verification=false' +# Defaults to '--log-driver=journald --signature-verification=false --iptables=false' # # [*configure_storage*] # Boolean. Whether to configure a docker storage backend. Defaults to true. @@ -45,6 +46,11 @@ # # DEPRECATED PARAMETERS # +# [*insecure_registry_address*] +# DEPRECATED: The host/port combiniation of the insecure registry. This is used to configure +# /etc/sysconfig/docker so that a local (insecure) registry can be accessed. +# Example: 127.0.0.1:8787 (defaults to unset) +# # [*docker_namespace*] # DEPRECATED: The namespace to be used when setting INSECURE_REGISTRY # this will be split on "/" to derive the docker registry @@ -55,13 +61,14 @@ # is enabled (defaults to false) # class tripleo::profile::base::docker ( - $insecure_registry_address = undef, + $insecure_registries = undef, $registry_mirror = false, - $docker_options = '--log-driver=journald --signature-verification=false', + $docker_options = '--log-driver=journald --signature-verification=false --iptables=false', $configure_storage = true, $storage_options = '-s overlay2', $step = Integer(hiera('step')), # DEPRECATED PARAMETERS + $insecure_registry_address = undef, $docker_namespace = undef, $insecure_registry = false, ) { @@ -92,14 +99,19 @@ class tripleo::profile::base::docker ( } if $insecure_registry { - warning('The $insecure_registry and $docker_namespace are deprecated. Use $insecure_registry_address instead.') + warning('The $insecure_registry and $docker_namespace are deprecated. Use $insecure_registries instead.') if $docker_namespace == undef { fail('You must provide a $docker_namespace in order to configure insecure registry') } $namespace = strip($docker_namespace.split('/')[0]) $registry_changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${namespace}\"'" ] } elsif $insecure_registry_address { + warning('The $insecure_registry_address parameter is deprecated. Use $insecure_registries instead.') $registry_changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${insecure_registry_address}\"'" ] + } elsif $insecure_registries { + $registry_changes = [ join(['set INSECURE_REGISTRY \'"--insecure-registry ', + join($insecure_registries, ' --insecure-registry '), + '"\''], '') ] } else { $registry_changes = [ 'rm INSECURE_REGISTRY' ] } diff --git a/manifests/profile/base/horizon.pp b/manifests/profile/base/horizon.pp index 3f01d01..9441329 100644 --- a/manifests/profile/base/horizon.pp +++ b/manifests/profile/base/horizon.pp @@ -27,6 +27,27 @@ # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*horizon_network*] +# (Optional) The network name where the horizon endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('horizon_network', undef) +# # [*neutron_options*] # (Optional) A hash of parameters to enable features specific to Neutron # Defaults to hiera('horizon::neutron_options', {}) @@ -36,10 +57,13 @@ # Defaults to hiera('memcached_node_ips') # class tripleo::profile::base::horizon ( - $step = Integer(hiera('step')), - $bootstrap_node = hiera('bootstrap_nodeid', undef), - $neutron_options = hiera('horizon::neutron_options', {}), - $memcached_ips = hiera('memcached_node_ips') + $step = Integer(hiera('step')), + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $horizon_network = hiera('horizon_network', undef), + $neutron_options = hiera('horizon::neutron_options', {}), + $memcached_ips = hiera('memcached_node_ips') ) { if $::hostname == downcase($bootstrap_node) { $is_bootstrap = true @@ -47,6 +71,17 @@ class tripleo::profile::base::horizon ( $is_bootstrap = false } + if $enable_internal_tls { + if !$horizon_network { + fail('horizon_api_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${horizon_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${horizon_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + if $step >= 4 or ( $step >= 3 and $is_bootstrap ) { # Horizon include ::apache::mod::remoteip @@ -68,6 +103,8 @@ class tripleo::profile::base::horizon ( class { '::horizon': cache_server_ip => $horizon_memcached_servers, neutron_options => $neutron_options_real, + horizon_cert => $tls_certfile, + horizon_key => $tls_keyfile, } } } diff --git a/manifests/profile/base/ironic.pp b/manifests/profile/base/ironic.pp index 2739f33..7e6efec 100644 --- a/manifests/profile/base/ironic.pp +++ b/manifests/profile/base/ironic.pp @@ -70,8 +70,9 @@ class tripleo::profile::base::ironic ( if $step >= 4 or ($step >= 3 and $sync_db) { $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl))) class { '::ironic': - sync_db => $sync_db, - default_transport_url => os_transport_url({ + sync_db => $sync_db, + db_online_data_migrations => $sync_db, + default_transport_url => os_transport_url({ 'transport' => $oslomsg_rpc_proto, 'hosts' => $oslomsg_rpc_hosts, 'port' => sprintf('%s', $oslomsg_rpc_port), diff --git a/manifests/profile/base/logging/logrotate.pp b/manifests/profile/base/logging/logrotate.pp new file mode 100644 index 0000000..1545875 --- /dev/null +++ b/manifests/profile/base/logging/logrotate.pp @@ -0,0 +1,112 @@ +# Copyright 2017 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::logging::logrotate +# +# Installs a cron job that rotates containerized services logs. +# +# === Parameters +# +# [*step*] +# (Optional) String. The current step of the deployment +# Defaults to hiera('step') +# +# [*ensure*] +# (optional) Defaults to present. +# Valid values are present, absent. +# +# [*minute*] +# (optional) Defaults to '0'. Configures cron job for logrotate. +# +# [*hour*] +# (optional) Defaults to '*'. Configures cron job for logrotate. +# +# [*monthday*] +# (optional) Defaults to '*'. Configures cron job for logrotate. +# +# [*month*] +# (optional) Defaults to '*'. Configures cron job for logrotate. +# +# [*weekday*] +# (optional) Defaults to '*'. Configures cron job for logrotate. +# +# [*maxdelay*] +# (optional) Seconds. Defaults to 90. Should be a positive integer. +# Induces a random delay before running the cronjob to avoid running all +# cron jobs at the same time on all hosts this job is configured. +# +# [*user*] +# (optional) Defaults to 'root'. Configures cron job for logrotate. +# +# [*delaycompress*] +# (optional) Defaults to True. +# Configures the logrotate delaycompress parameter. +# +# [*size*] +# (optional) Defaults to '10M'. +# Configures the logrotate size parameter. +# +# [*rotate*] +# (optional) Defaults to 14. +# Configures the logrotate rotate parameter. +# +class tripleo::profile::base::logging::logrotate ( + $step = Integer(hiera('step')), + $ensure = present, + $minute = 0, + $hour = '*', + $monthday = '*', + $month = '*', + $weekday = '*', + Integer $maxdelay = 90, + $user = 'root', + $delaycompress = true, + $size = '10M', + $rotate = 14, +) { + + if $step >= 4 { + if $maxdelay == 0 { + $sleep = '' + } else { + $sleep = "sleep `expr \${RANDOM} \\% ${maxdelay}`; " + } + + $svc = 'logrotate-crond' + $config = "/etc/${svc}.conf" + $state = "/var/lib/logrotate/${svc}.status" + $cmd = "${sleep}/usr/sbin/logrotate -s ${state} ${config}" + + file { "${config}": + ensure => $ensure, + owner => $user, + group => $user, + mode => '0640', + content => template('tripleo/logrotate/containers_logrotate.conf.erb'), + } + + cron { "${svc}": + ensure => $ensure, + command => "${cmd} 2>&1|logger -t ${svc}", + environment => 'PATH=/bin:/usr/bin:/usr/sbin SHELL=/bin/sh', + user => $user, + minute => $minute, + hour => $hour, + monthday => $monthday, + month => $month, + weekday => $weekday, + } + } +} diff --git a/manifests/profile/base/nova/api.pp b/manifests/profile/base/nova/api.pp index 0dcc754..2ff1add 100644 --- a/manifests/profile/base/nova/api.pp +++ b/manifests/profile/base/nova/api.pp @@ -46,18 +46,42 @@ # Nova Team discourages it. # Defaults to hiera('nova_wsgi_enabled', false) # +# [*nova_metadata_network*] +# (Optional) The network name where the nova metadata endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('nova_metadata_network', undef) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. # Defaults to hiera('step') # +# [*metadata_tls_proxy_bind_ip*] +# IP on which the TLS proxy will listen on. Required only if +# enable_internal_tls is set. +# Defaults to undef +# +# [*metadata_tls_proxy_fqdn*] +# fqdn on which the tls proxy will listen on. required only used if +# enable_internal_tls is set. +# defaults to undef +# +# [*metadata_tls_proxy_port*] +# port on which the tls proxy will listen on. Only used if +# enable_internal_tls is set. +# defaults to 8080 +# class tripleo::profile::base::nova::api ( $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), $nova_api_network = hiera('nova_api_network', undef), $nova_api_wsgi_enabled = hiera('nova_wsgi_enabled', false), + $nova_metadata_network = hiera('nova_metadata_network', undef), $step = Integer(hiera('step')), + $metadata_tls_proxy_bind_ip = undef, + $metadata_tls_proxy_fqdn = undef, + $metadata_tls_proxy_port = 8775, ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -73,6 +97,22 @@ class tripleo::profile::base::nova::api ( } if $step >= 4 or ($step >= 3 and $sync_db) { + if $enable_internal_tls { + if !$nova_metadata_network { + fail('nova_metadata_network is not set in the hieradata.') + } + $metadata_tls_certfile = $certificates_specs["httpd-${nova_metadata_network}"]['service_certificate'] + $metadata_tls_keyfile = $certificates_specs["httpd-${nova_metadata_network}"]['service_key'] + + ::tripleo::tls_proxy { 'nova-metadata-api': + servername => $metadata_tls_proxy_fqdn, + ip => $metadata_tls_proxy_bind_ip, + port => $metadata_tls_proxy_port, + tls_cert => $metadata_tls_certfile, + tls_key => $metadata_tls_keyfile, + } + Tripleo::Tls_proxy['nova-metadata-api'] ~> Anchor<| title == 'nova::service::begin' |> + } class { '::nova::api': sync_db => $sync_db, diff --git a/manifests/profile/base/nova/compute.pp b/manifests/profile/base/nova/compute.pp index 3eae880..a9a1f94 100644 --- a/manifests/profile/base/nova/compute.pp +++ b/manifests/profile/base/nova/compute.pp @@ -27,9 +27,16 @@ # (Optional) Whether or not Cinder is backed by NFS. # Defaults to hiera('cinder_enable_nfs_backend', false) # +# [*keymgr_api_class*] +# (Optional) The encryption key manager API class. The default value +# ensures Nova's legacy key manager is enabled when no hiera value is +# specified. +# Defaults to hiera('nova::compute::keymgr_api_class', 'nova.keymgr.conf_key_mgr.ConfKeyManager') +# class tripleo::profile::base::nova::compute ( $step = Integer(hiera('step')), $cinder_nfs_backend = hiera('cinder_enable_nfs_backend', false), + $keymgr_api_class = hiera('nova::compute::keymgr_api_class', 'nova.keymgr.conf_key_mgr.ConfKeyManager'), ) { if $step >= 4 { @@ -37,7 +44,9 @@ class tripleo::profile::base::nova::compute ( include ::tripleo::profile::base::nova # deploy basic bits for nova-compute - include ::nova::compute + class { '::nova::compute': + keymgr_api_class => $keymgr_api_class, + } # If Service['nova-conductor'] is in catalog, make sure we start it # before nova-compute. Service<| title == 'nova-conductor' |> -> Service['nova-compute'] diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp index d468110..de7e069 100644 --- a/manifests/profile/base/pacemaker.pp +++ b/manifests/profile/base/pacemaker.pp @@ -63,6 +63,10 @@ # be set to 60s. # Defaults to hiera('pacemaker_cluster_recheck_interval', undef) # +# [*encryption*] +# (Optional) Whether or not to enable encryption of the pacemaker traffic +# Defaults to true +# class tripleo::profile::base::pacemaker ( $step = Integer(hiera('step')), $pcs_tries = hiera('pcs_tries', 20), @@ -74,6 +78,7 @@ class tripleo::profile::base::pacemaker ( $remote_tries = hiera('pacemaker_remote_tries', 5), $remote_try_sleep = hiera('pacemaker_remote_try_sleep', 60), $cluster_recheck_interval = hiera('pacemaker_cluster_recheck_interval', undef), + $encryption = true, ) { if count($remote_short_node_names) != count($remote_node_ips) { @@ -98,9 +103,20 @@ class tripleo::profile::base::pacemaker ( $pacemaker_cluster_members = downcase(regsubst($pacemaker_short_node_names, ',', ' ', 'G')) $corosync_ipv6 = str2bool(hiera('corosync_ipv6', false)) if $corosync_ipv6 { - $cluster_setup_extras = { '--token' => hiera('corosync_token_timeout', 1000), '--ipv6' => '' } + $cluster_setup_extras_pre = { + '--token' => hiera('corosync_token_timeout', 1000), + '--ipv6' => '' + } + } else { + $cluster_setup_extras_pre = { + '--token' => hiera('corosync_token_timeout', 1000) + } + } + + if $encryption { + $cluster_setup_extras = merge($cluster_setup_extras_pre, {'--encryption' => '1'}) } else { - $cluster_setup_extras = { '--token' => hiera('corosync_token_timeout', 1000) } + $cluster_setup_extras = $cluster_setup_extras_pre } class { '::pacemaker': hacluster_pwd => hiera('hacluster_pwd'), diff --git a/manifests/profile/base/rabbitmq.pp b/manifests/profile/base/rabbitmq.pp index d0b4a05..fbe5113 100644 --- a/manifests/profile/base/rabbitmq.pp +++ b/manifests/profile/base/rabbitmq.pp @@ -98,15 +98,6 @@ class tripleo::profile::base::rabbitmq ( $tls_keyfile = undef } - # IPv6 environment, necessary for RabbitMQ. - if $ipv6 { - $rabbit_env = merge($environment, { - 'RABBITMQ_SERVER_START_ARGS' => '"-proto_dist inet6_tcp"', - 'RABBITMQ_CTL_ERL_ARGS' => '"-proto_dist inet6_tcp"' - }) - } else { - $rabbit_env = $environment - } if $inet_dist_interface { $real_kernel_variables = merge( $kernel_variables, @@ -125,10 +116,11 @@ class tripleo::profile::base::rabbitmq ( cluster_nodes => $nodes, config_kernel_variables => $real_kernel_variables, config_variables => $config_variables, - environment_variables => $rabbit_env, + environment_variables => $environment, # TLS options ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, + ipv6 => $ipv6, } # when running multi-nodes without Pacemaker if $manage_service { @@ -144,10 +136,11 @@ class tripleo::profile::base::rabbitmq ( class { '::rabbitmq': config_kernel_variables => $kernel_variables, config_variables => $config_variables, - environment_variables => $rabbit_env, + environment_variables => $environment, # TLS options ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, + ipv6 => $ipv6, } } } diff --git a/manifests/profile/pacemaker/clustercheck.pp b/manifests/profile/pacemaker/clustercheck.pp index 958f4a2..c08bafc 100644 --- a/manifests/profile/pacemaker/clustercheck.pp +++ b/manifests/profile/pacemaker/clustercheck.pp @@ -26,14 +26,19 @@ # (Optional) The address that the local mysql instance should bind to. # Defaults to hiera('mysql_bind_host') # +# [*clustercheck_user*] +# (Optional) The name of the clustercheck user. +# Defaults to 'clustercheck' +# # [*clustercheck_password*] # (Optional) The password for the clustercheck user. -# Defaults to hiera('mysql::server::root_password') +# Defaults to hiera('mysql_clustercheck_password') # # class tripleo::profile::pacemaker::clustercheck ( $step = Integer(hiera('step')), - $clustercheck_password = hiera('mysql::server::root_password'), + $clustercheck_user = 'clustercheck', + $clustercheck_password = hiera('mysql_clustercheck_password'), $bind_address = hiera('mysql_bind_host'), ) { @@ -43,7 +48,7 @@ class tripleo::profile::pacemaker::clustercheck ( mode => '0600', owner => 'mysql', group => 'mysql', - content => "MYSQL_USERNAME=root\n + content => "MYSQL_USERNAME=${clustercheck_user}\n MYSQL_PASSWORD='${clustercheck_password}'\n MYSQL_HOST=localhost\n", } diff --git a/manifests/profile/pacemaker/database/mysql_bundle.pp b/manifests/profile/pacemaker/database/mysql_bundle.pp index 21d671c..e07ac2e 100644 --- a/manifests/profile/pacemaker/database/mysql_bundle.pp +++ b/manifests/profile/pacemaker/database/mysql_bundle.pp @@ -34,6 +34,27 @@ # (Optional) The address that the local mysql instance should bind to. # Defaults to $::hostname # +# [*ca_file*] +# (Optional) The path to the CA file that will be used for the TLS +# configuration. It's only used if internal TLS is enabled. +# Defaults to undef +# +# [*certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate +# it will create. Note that the certificate nickname must be 'mysql' in +# the case of this service. +# Example with hiera: +# tripleo::profile::base::database::mysql::certificate_specs: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "mysql/<overcloud controller fqdn>" +# Defaults to hiera('tripleo::profile::base::database::mysql::certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# # [*gmcast_listen_addr*] # (Optional) This variable defines the address on which the node listens to # connections from other nodes in the cluster. @@ -50,13 +71,16 @@ # # class tripleo::profile::pacemaker::database::mysql_bundle ( - $mysql_docker_image = hiera('tripleo::profile::pacemaker::database::mysql_bundle::mysql_docker_image', undef), - $control_port = hiera('tripleo::profile::pacemaker::database::mysql_bundle::control_port', '3123'), - $bootstrap_node = hiera('mysql_short_bootstrap_node_name'), - $bind_address = $::hostname, - $gmcast_listen_addr = hiera('mysql_bind_host'), - $pcs_tries = hiera('pcs_tries', 20), - $step = Integer(hiera('step')), + $mysql_docker_image = hiera('tripleo::profile::pacemaker::database::mysql_bundle::mysql_docker_image', undef), + $control_port = hiera('tripleo::profile::pacemaker::database::mysql_bundle::control_port', '3123'), + $bootstrap_node = hiera('mysql_short_bootstrap_node_name'), + $bind_address = $::hostname, + $ca_file = undef, + $certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $gmcast_listen_addr = hiera('mysql_bind_host'), + $pcs_tries = hiera('pcs_tries', 20), + $step = Integer(hiera('step')), ) { if $::hostname == downcase($bootstrap_node) { $pacemaker_master = true @@ -64,16 +88,11 @@ class tripleo::profile::pacemaker::database::mysql_bundle ( $pacemaker_master = false } - # use only mysql_node_names when we land a patch in t-h-t that - # switches to autogenerating these values from composable services - # The galera node names need to match the pacemaker node names... so if we - # want to use FQDNs for this, the cluster will not finish bootstrapping, - # since all the nodes will be marked as slaves. For now, we'll stick to the - # short name which is already registered in pacemaker until we get around - # this issue. - $galera_node_names_lookup = hiera('mysql_short_node_names', hiera('mysql_node_names', $::hostname)) + $galera_node_names_lookup = hiera('mysql_short_node_names', $::hostname) + $galera_fqdns_names_lookup = hiera('mysql_node_names', $::hostname) + if is_array($galera_node_names_lookup) { - $galera_nodes = downcase(join($galera_node_names_lookup, ',')) + $galera_nodes = downcase(join($galera_fqdns_names_lookup, ',')) } else { $galera_nodes = downcase($galera_node_names_lookup) } @@ -87,6 +106,19 @@ class tripleo::profile::pacemaker::database::mysql_bundle ( } $cluster_host_map_string = join($host_map_array, ';') + if $enable_internal_tls { + $tls_certfile = $certificate_specs['service_certificate'] + $tls_keyfile = $certificate_specs['service_key'] + if $ca_file { + $tls_ca_options = "socket.ssl_ca=${ca_file}" + } else { + $tls_ca_options = '' + } + $tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options};" + } else { + $tls_options = '' + } + $mysqld_options = { 'mysqld' => { 'pid-file' => '/var/lib/mysql/mariadb.pid', @@ -116,7 +148,7 @@ class tripleo::profile::pacemaker::database::mysql_bundle ( 'wsrep_drupal_282555_workaround'=> '0', 'wsrep_causal_reads' => '0', 'wsrep_sst_method' => 'rsync', - 'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;", + 'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;${tls_options}", }, 'mysqld_safe' => { 'pid-file' => '/var/lib/mysql/mariadb.pid', @@ -195,6 +227,74 @@ MYSQL_HOST=localhost\n", } # lint:endignore } + + $storage_maps = { + 'mysql-cfg-files' => { + 'source-dir' => '/var/lib/kolla/config_files/mysql.json', + 'target-dir' => '/var/lib/kolla/config_files/config.json', + 'options' => 'ro', + }, + 'mysql-cfg-data' => { + 'source-dir' => '/var/lib/config-data/puppet-generated/mysql/', + 'target-dir' => '/var/lib/kolla/config_files/src', + 'options' => 'ro', + }, + 'mysql-hosts' => { + 'source-dir' => '/etc/hosts', + 'target-dir' => '/etc/hosts', + 'options' => 'ro', + }, + 'mysql-localtime' => { + 'source-dir' => '/etc/localtime', + 'target-dir' => '/etc/localtime', + 'options' => 'ro', + }, + 'mysql-lib' => { + 'source-dir' => '/var/lib/mysql', + 'target-dir' => '/var/lib/mysql', + 'options' => 'rw', + }, + 'mysql-log-mariadb' => { + 'source-dir' => '/var/log/mariadb', + 'target-dir' => '/var/log/mariadb', + 'options' => 'rw', + }, + 'mysql-dev-log' => { + 'source-dir' => '/dev/log', + 'target-dir' => '/dev/log', + 'options' => 'rw', + }, + } + + if $enable_internal_tls { + $mysql_storage_maps_tls = { + 'mysql-pki-gcomm-key' => { + 'source-dir' => '/etc/pki/tls/private/mysql.key', + 'target-dir' => '/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key', + 'options' => 'ro', + }, + 'mysql-pki-gcomm-cert' => { + 'source-dir' => '/etc/pki/tls/certs/mysql.crt', + 'target-dir' => '/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt', + 'options' => 'ro', + }, + } + if $ca_file { + $ca_storage_maps_tls = { + 'mysql-pki-gcomm-ca' => { + 'source-dir' => $ca_file, + 'target-dir' => "/var/lib/kolla/config_files/src-tls${ca_file}", + 'options' => 'ro', + }, + } + } else { + $ca_storage_maps_tls = {} + } + $storage_maps_tls = merge($mysql_storage_maps_tls, $ca_storage_maps_tls) + } else { + $storage_maps_tls = {} + } + pacemaker::resource::bundle { 'galera-bundle': image => $mysql_docker_image, replicas => $galera_nodes_count, @@ -208,63 +308,7 @@ MYSQL_HOST=localhost\n", options => '--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS', run_command => '/bin/bash /usr/local/bin/kolla_start', network => "control-port=${control_port}", - storage_maps => { - 'mysql-cfg-files' => { - 'source-dir' => '/var/lib/kolla/config_files/mysql.json', - 'target-dir' => '/var/lib/kolla/config_files/config.json', - 'options' => 'ro', - }, - 'mysql-cfg-data' => { - 'source-dir' => '/var/lib/config-data/puppet-generated/mysql/', - 'target-dir' => '/var/lib/kolla/config_files/src', - 'options' => 'ro', - }, - 'mysql-hosts' => { - 'source-dir' => '/etc/hosts', - 'target-dir' => '/etc/hosts', - 'options' => 'ro', - }, - 'mysql-localtime' => { - 'source-dir' => '/etc/localtime', - 'target-dir' => '/etc/localtime', - 'options' => 'ro', - }, - 'mysql-lib' => { - 'source-dir' => '/var/lib/mysql', - 'target-dir' => '/var/lib/mysql', - 'options' => 'rw', - }, - 'mysql-log-mariadb' => { - 'source-dir' => '/var/log/mariadb', - 'target-dir' => '/var/log/mariadb', - 'options' => 'rw', - }, - 'mysql-pki-extracted' => { - 'source-dir' => '/etc/pki/ca-trust/extracted', - 'target-dir' => '/etc/pki/ca-trust/extracted', - 'options' => 'ro', - }, - 'mysql-pki-ca-bundle-crt' => { - 'source-dir' => '/etc/pki/tls/certs/ca-bundle.crt', - 'target-dir' => '/etc/pki/tls/certs/ca-bundle.crt', - 'options' => 'ro', - }, - 'mysql-pki-ca-bundle-trust-crt' => { - 'source-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt', - 'target-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt', - 'options' => 'ro', - }, - 'mysql-pki-cert' => { - 'source-dir' => '/etc/pki/tls/cert.pem', - 'target-dir' => '/etc/pki/tls/cert.pem', - 'options' => 'ro', - }, - 'mysql-dev-log' => { - 'source-dir' => '/dev/log', - 'target-dir' => '/dev/log', - 'options' => 'rw', - }, - }, + storage_maps => merge($storage_maps, $storage_maps_tls), } pacemaker::resource::ocf { 'galera': diff --git a/manifests/profile/pacemaker/haproxy_bundle.pp b/manifests/profile/pacemaker/haproxy_bundle.pp index b785ea7..1b9a191 100644 --- a/manifests/profile/pacemaker/haproxy_bundle.pp +++ b/manifests/profile/pacemaker/haproxy_bundle.pp @@ -30,10 +30,34 @@ # (Optional) Whether load balancing is enabled for this cluster # Defaults to hiera('enable_load_balancer', true) # +# [*ca_bundle*] +# (Optional) The path to the CA file that will be used for the TLS +# configuration. It's only used if internal TLS is enabled. +# Defaults to hiera('tripleo::haproxy::ca_bundle', undef) +# +# [*crl_file*] +# (Optional) The path to the file that contains the certificate +# revocation list. It's only used if internal TLS is enabled. +# Defaults to hiera('tripleo::haproxy::crl_file', undef) +# # [*deployed_ssl_cert_path*] # (Optional) The filepath of the certificate as it will be stored in # the controller. -# Defaults to '/etc/pki/tls/private/overcloud_endpoint.pem' +# Defaults to hiera('tripleo::haproxy::service_certificate', undef) +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*internal_certs_directory*] +# (Optional) Directory the holds the certificates to be used when +# when TLS is enabled in the internal network +# Defaults to undef +# +# [*internal_keys_directory*] +# (Optional) Directory the holds the certificates to be used when +# when TLS is enabled in the internal network +# Defaults to undef # # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates @@ -45,12 +69,17 @@ # Defaults to hiera('pcs_tries', 20) # class tripleo::profile::pacemaker::haproxy_bundle ( - $haproxy_docker_image = hiera('tripleo::profile::pacemaker::haproxy::haproxy_docker_image', undef), - $bootstrap_node = hiera('haproxy_short_bootstrap_node_name'), - $enable_load_balancer = hiera('enable_load_balancer', true), - $deployed_ssl_cert_path = '/etc/pki/tls/private/overcloud_endpoint.pem', - $step = Integer(hiera('step')), - $pcs_tries = hiera('pcs_tries', 20), + $haproxy_docker_image = hiera('tripleo::profile::pacemaker::haproxy::haproxy_docker_image', undef), + $bootstrap_node = hiera('haproxy_short_bootstrap_node_name'), + $enable_load_balancer = hiera('enable_load_balancer', true), + $ca_bundle = hiera('tripleo::haproxy::ca_bundle', undef), + $crl_file = hiera('tripleo::haproxy::crl_file', undef), + $enable_internal_tls = hiera('enable_internal_tls', false), + $internal_certs_directory = undef, + $internal_keys_directory = undef, + $deployed_ssl_cert_path = hiera('tripleo::haproxy::service_certificate', undef), + $step = Integer(hiera('step')), + $pcs_tries = hiera('pcs_tries', 20), ) { include ::tripleo::profile::base::haproxy @@ -90,14 +119,8 @@ class tripleo::profile::pacemaker::haproxy_bundle ( $haproxy_nodes = hiera('haproxy_short_node_names') $haproxy_nodes_count = count($haproxy_nodes) - pacemaker::resource::bundle { 'haproxy-bundle': - image => $haproxy_docker_image, - replicas => $haproxy_nodes_count, - location_rule => $haproxy_location_rule, - container_options => 'network=host', - options => '--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS', - run_command => '/bin/bash /usr/local/bin/kolla_start', - storage_maps => { + + $storage_maps = { 'haproxy-cfg-files' => { 'source-dir' => '/var/lib/kolla/config_files/haproxy.json', 'target-dir' => '/var/lib/kolla/config_files/config.json', @@ -143,12 +166,68 @@ class tripleo::profile::pacemaker::haproxy_bundle ( 'target-dir' => '/dev/log', 'options' => 'rw', }, - 'haproxy-cert' => { + }; + + if $deployed_ssl_cert_path { + $cert_storage_maps = { + 'haproxy-cert' => { 'source-dir' => $deployed_ssl_cert_path, - 'target-dir' => $deployed_ssl_cert_path, + 'target-dir' => "/var/lib/kolla/config_files/src-tls${deployed_ssl_cert_path}", 'options' => 'ro', }, - }, + } + } else { + $cert_storage_maps = {} + } + + if $enable_internal_tls { + $haproxy_storage_maps = { + 'haproxy-pki-certs' => { + 'source-dir' => $internal_certs_directory, + 'target-dir' => "/var/lib/kolla/config_files/src-tls${internal_certs_directory}", + 'options' => 'ro', + }, + 'haproxy-pki-keys' => { + 'source-dir' => $internal_keys_directory, + 'target-dir' => "/var/lib/kolla/config_files/src-tls${internal_keys_directory}", + 'options' => 'ro', + }, + } + if $ca_bundle { + $ca_storage_maps = { + 'haproxy-pki-ca-file' => { + 'source-dir' => $ca_bundle, + 'target-dir' => "/var/lib/kolla/config_files/src-tls${ca_bundle}", + 'options' => 'ro', + }, + } + } else { + $ca_storage_maps = {} + } + if $crl_file { + $crl_storage_maps = { + 'haproxy-pki-crl-file' => { + 'source-dir' => $crl_file, + 'target-dir' => $crl_file, + 'options' => 'ro', + }, + } + } else { + $crl_storage_maps = {} + } + $storage_maps_internal_tls = merge($haproxy_storage_maps, $ca_storage_maps, $crl_storage_maps) + } else { + $storage_maps_internal_tls = {} + } + + pacemaker::resource::bundle { 'haproxy-bundle': + image => $haproxy_docker_image, + replicas => $haproxy_nodes_count, + location_rule => $haproxy_location_rule, + container_options => 'network=host', + options => '--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS', + run_command => '/bin/bash /usr/local/bin/kolla_start', + storage_maps => merge($storage_maps, $cert_storage_maps, $storage_maps_internal_tls), } $control_vip = hiera('controller_virtual_ip') tripleo::pacemaker::haproxy_with_vip { 'haproxy_and_control_vip': diff --git a/manifests/profile/pacemaker/manila.pp b/manifests/profile/pacemaker/manila.pp index 57d6bb6..6db0b86 100644 --- a/manifests/profile/pacemaker/manila.pp +++ b/manifests/profile/pacemaker/manila.pp @@ -139,17 +139,19 @@ class tripleo::profile::pacemaker::manila ( cephfs_enable_snapshots => hiera('manila::backend::cephfsnative::cephfs_enable_snapshots'), } - ceph::key { "client.${cephfs_auth_id}" : - secret => hiera('manila::backend::cephfsnative::ceph_client_key'), - keyring_path => $keyring_path, - # inject the new key into ceph cluster only if ceph is deployed by - # tripleo (if external ceph is used it should be added manually) - inject => $ceph_mds_enabled, - user => 'manila', - cap_mds => 'allow *', - cap_mon => 'allow r, allow command \"auth del\", allow command \"auth caps\", \ + if !defined(Resource['ceph::key', "client.${cephfs_auth_id}"]) { + ceph::key { "client.${cephfs_auth_id}" : + secret => hiera('manila::backend::cephfsnative::ceph_client_key'), + keyring_path => $keyring_path, + # inject the new key into ceph cluster only if ceph is deployed by + # tripleo (if external ceph is used it should be added manually) + inject => $ceph_mds_enabled, + user => 'manila', + cap_mds => 'allow *', + cap_mon => 'allow r, allow command \"auth del\", allow command \"auth caps\", \ allow command \"auth get\", allow command \"auth get-or-create\"', - cap_osd => 'allow rw' + cap_osd => 'allow rw' + } } ceph_config { diff --git a/manifests/profile/pacemaker/rabbitmq_bundle.pp b/manifests/profile/pacemaker/rabbitmq_bundle.pp index 5dd22d2..4d6b9af 100644 --- a/manifests/profile/pacemaker/rabbitmq_bundle.pp +++ b/manifests/profile/pacemaker/rabbitmq_bundle.pp @@ -44,6 +44,10 @@ # (Optional) The list of rabbitmq nodes names # Defaults to hiera('rabbitmq_node_names') # +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -60,6 +64,7 @@ class tripleo::profile::pacemaker::rabbitmq_bundle ( $erlang_cookie = hiera('rabbitmq::erlang_cookie'), $user_ha_queues = hiera('rabbitmq::nr_ha_queues', 0), $rabbit_nodes = hiera('rabbitmq_node_names'), + $enable_internal_tls = hiera('enable_internal_tls', false), $pcs_tries = hiera('pcs_tries', 20), $step = Integer(hiera('step')), ) { @@ -102,6 +107,76 @@ class tripleo::profile::pacemaker::rabbitmq_bundle ( } } + $storage_maps = { + 'rabbitmq-cfg-files' => { + 'source-dir' => '/var/lib/kolla/config_files/rabbitmq.json', + 'target-dir' => '/var/lib/kolla/config_files/config.json', + 'options' => 'ro', + }, + 'rabbitmq-cfg-data' => { + 'source-dir' => '/var/lib/config-data/puppet-generated/rabbitmq/', + 'target-dir' => '/var/lib/kolla/config_files/src', + 'options' => 'ro', + }, + 'rabbitmq-hosts' => { + 'source-dir' => '/etc/hosts', + 'target-dir' => '/etc/hosts', + 'options' => 'ro', + }, + 'rabbitmq-localtime' => { + 'source-dir' => '/etc/localtime', + 'target-dir' => '/etc/localtime', + 'options' => 'ro', + }, + 'rabbitmq-lib' => { + 'source-dir' => '/var/lib/rabbitmq', + 'target-dir' => '/var/lib/rabbitmq', + 'options' => 'rw', + }, + 'rabbitmq-pki-extracted' => { + 'source-dir' => '/etc/pki/ca-trust/extracted', + 'target-dir' => '/etc/pki/ca-trust/extracted', + 'options' => 'ro', + }, + 'rabbitmq-pki-ca-bundle-crt' => { + 'source-dir' => '/etc/pki/tls/certs/ca-bundle.crt', + 'target-dir' => '/etc/pki/tls/certs/ca-bundle.crt', + 'options' => 'ro', + }, + 'rabbitmq-pki-ca-bundle-trust-crt' => { + 'source-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt', + 'target-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt', + 'options' => 'ro', + }, + 'rabbitmq-pki-cert' => { + 'source-dir' => '/etc/pki/tls/cert.pem', + 'target-dir' => '/etc/pki/tls/cert.pem', + 'options' => 'ro', + }, + 'rabbitmq-dev-log' => { + 'source-dir' => '/dev/log', + 'target-dir' => '/dev/log', + 'options' => 'rw', + }, + } + + if $enable_internal_tls { + $storage_maps_tls = { + 'rabbitmq-pki-cert' => { + 'source-dir' => '/etc/pki/tls/certs/rabbitmq.crt', + 'target-dir' => '/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt', + 'options' => 'ro', + }, + 'rabbitmq-pki-key' => { + 'source-dir' => '/etc/pki/tls/private/rabbitmq.key', + 'target-dir' => '/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key', + 'options' => 'ro', + }, + } + } else { + $storage_maps_tls = {} + } + pacemaker::resource::bundle { 'rabbitmq-bundle': image => $rabbitmq_docker_image, replicas => $rabbitmq_nodes_count, @@ -114,58 +189,7 @@ class tripleo::profile::pacemaker::rabbitmq_bundle ( options => '--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS', run_command => '/bin/bash /usr/local/bin/kolla_start', network => "control-port=${rabbitmq_docker_control_port}", - storage_maps => { - 'rabbitmq-cfg-files' => { - 'source-dir' => '/var/lib/kolla/config_files/rabbitmq.json', - 'target-dir' => '/var/lib/kolla/config_files/config.json', - 'options' => 'ro', - }, - 'rabbitmq-cfg-data' => { - 'source-dir' => '/var/lib/config-data/puppet-generated/rabbitmq/', - 'target-dir' => '/var/lib/kolla/config_files/src', - 'options' => 'ro', - }, - 'rabbitmq-hosts' => { - 'source-dir' => '/etc/hosts', - 'target-dir' => '/etc/hosts', - 'options' => 'ro', - }, - 'rabbitmq-localtime' => { - 'source-dir' => '/etc/localtime', - 'target-dir' => '/etc/localtime', - 'options' => 'ro', - }, - 'rabbitmq-lib' => { - 'source-dir' => '/var/lib/rabbitmq', - 'target-dir' => '/var/lib/rabbitmq', - 'options' => 'rw', - }, - 'rabbitmq-pki-extracted' => { - 'source-dir' => '/etc/pki/ca-trust/extracted', - 'target-dir' => '/etc/pki/ca-trust/extracted', - 'options' => 'ro', - }, - 'rabbitmq-pki-ca-bundle-crt' => { - 'source-dir' => '/etc/pki/tls/certs/ca-bundle.crt', - 'target-dir' => '/etc/pki/tls/certs/ca-bundle.crt', - 'options' => 'ro', - }, - 'rabbitmq-pki-ca-bundle-trust-crt' => { - 'source-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt', - 'target-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt', - 'options' => 'ro', - }, - 'rabbitmq-pki-cert' => { - 'source-dir' => '/etc/pki/tls/cert.pem', - 'target-dir' => '/etc/pki/tls/cert.pem', - 'options' => 'ro', - }, - 'rabbitmq-dev-log' => { - 'source-dir' => '/dev/log', - 'target-dir' => '/dev/log', - 'options' => 'rw', - }, - }, + storage_maps => merge($storage_maps, $storage_maps_tls), } # The default nr of ha queues is ceiling(N/2) diff --git a/manifests/ui.pp b/manifests/ui.pp index d744044..cb1da21 100644 --- a/manifests/ui.pp +++ b/manifests/ui.pp @@ -31,19 +31,9 @@ # The port on which the UI is listening. # Defaults to 3000 # -# [*enabled_languages*] -# Which languages to show in the UI. -# A hash. -# Defaults to -# { -# 'de' => 'German', -# 'en' => 'English', -# 'es' => 'Spanish', -# 'id' => 'Indonesian', -# 'ja' => 'Japanese', -# 'ko-KR' => 'Korean', -# 'zh-CN' => 'Simplified Chinese' -# } +# [*excluded_languages*] +# A list of languages that shouldn't be enabled in the UI, e.g. ['en', 'de'] +# Defaults to [] # # [*endpoint_proxy_keystone*] # The keystone proxy endpoint url @@ -107,19 +97,11 @@ # Defaults to 'tripleo' # class tripleo::ui ( - $servername = $::fqdn, - $bind_host = hiera('controller_host'), - $ui_port = 3000, - $zaqar_default_queue = 'tripleo', - $enabled_languages = { - 'de' => 'German', - 'en' => 'English', - 'es' => 'Spanish', - 'id' => 'Indonesian', - 'ja' => 'Japanese', - 'ko-KR' => 'Korean', - 'zh-CN' => 'Simplified Chinese' - }, + $servername = $::fqdn, + $bind_host = hiera('controller_host'), + $ui_port = 3000, + $zaqar_default_queue = 'tripleo', + $excluded_languages = [], $endpoint_proxy_zaqar = undef, $endpoint_proxy_keystone = undef, $endpoint_proxy_heat = undef, |