diff options
Diffstat (limited to 'manifests')
| -rw-r--r-- | manifests/cluster/cassandra.pp | 73 | ||||
| -rw-r--r-- | manifests/cluster/zookeeper.pp | 69 | ||||
| -rw-r--r-- | manifests/loadbalancer.pp | 144 | ||||
| -rw-r--r-- | manifests/network/midonet/agent.pp | 66 | ||||
| -rw-r--r-- | manifests/network/midonet/api.pp | 122 | ||||
| -rw-r--r-- | manifests/packages.pp | 21 | ||||
| -rw-r--r-- | manifests/ssl/cinder_config.pp | 28 |
7 files changed, 515 insertions, 8 deletions
diff --git a/manifests/cluster/cassandra.pp b/manifests/cluster/cassandra.pp new file mode 100644 index 0000000..b20926b --- /dev/null +++ b/manifests/cluster/cassandra.pp @@ -0,0 +1,73 @@ +# +# Copyright (C) 2015 Midokura SARL +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::cluster::cassandra +# +# Deploys a cassandra service that belongs to a cluster. Uses puppet-cassandra +# +# == Parameters: +# +# [*cassandra_servers*] +# (required) All the IP addresses of the cassandra cluster. +# Array of strings value. +# +# [*cassandra_ip*] +# (required) IP address of the current host. +# String value +# +# [*storage_port*] +# (optional) Inter-node cluster communication port. +# Defaults to 7000. +# +# [*ssl_storage_port*] +# (optional) SSL Inter-node cluster communication port. +# Defaults to 7001. +# +# [*client_port*] +# (optional) Cassandra client port. +# Defaults to 9042. +# +# [*client_port_thrift*] +# (optional) Cassandra client port thrift. +# Defaults to 9160. +# +class tripleo::cluster::cassandra( + $cassandra_servers, + $cassandra_ip, + $storage_port = '7000', + $ssl_storage_port = '7001', + $client_port = '9042', + $client_port_thrift = '9160' +) +{ + + # TODO: Remove this comment once we can guarantee that all the distros + # deploying TripleO use Puppet > 3.7 because of this bug: + # https://tickets.puppetlabs.com/browse/PUP-1299 + # + # validate_array($cassandra_servers) + validate_ipv4_address($cassandra_ip) + + class {'::cassandra': + cluster_name => 'TripleO', + seeds => $cassandra_servers, + listen_address => $cassandra_ip, + storage_port => $storage_port, + ssl_storage_port => $ssl_storage_port, + native_transport_port => $client_port, + rpc_port => $client_port_thrift + } + +} diff --git a/manifests/cluster/zookeeper.pp b/manifests/cluster/zookeeper.pp new file mode 100644 index 0000000..82d21ee --- /dev/null +++ b/manifests/cluster/zookeeper.pp @@ -0,0 +1,69 @@ +# +# Copyright (C) 2015 Midokura SARL +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::cluster::zookeeper +# +# Deploys a zookeeper service that belongs to a cluster. Uses deric-zookeeper +# +# == Parameters: +# +# [*zookeeper_server_ips*] +# (required) List of IP addresses of the zookeeper cluster. +# Arrays of strings value. +# +# [*zookeeper_client_ip*] +# (required) IP address of the host where zookeeper will listen IP addresses. +# String (IPv4) value. +# +# [*zookeeper_hostnames*] +# (required) List of hostnames of the zookeeper cluster. The hostname of the +# node will be used to define the ID of the zookeeper configuration +# Array of strings value. +# + +class tripleo::cluster::zookeeper( + $zookeeper_server_ips, + $zookeeper_client_ip, + $zookeeper_hostnames +) +{ + # TODO: Remove comments below once we can guarantee that all the distros + # deploying TripleO use Puppet > 3.7 because of this bug: + # https://tickets.puppetlabs.com/browse/PUP-1299 + + # validate_array($zookeeper_server_ips) + validate_ipv4_address($zookeeper_client_ip) + # validate_array($zookeeper_hostnames) + + # TODO(devvesa) Zookeeper package should provide these paths, + # remove this lines as soon as it will. + file {['/usr/lib', '/usr/lib/zookeeper', '/usr/lib/zookeeper/bin/']: + ensure => directory + } + + file {'/usr/lib/zookeeper/bin/zkEnv.sh': + ensure => link, + target => '/usr/libexec/zkEnv.sh' + } + + class {'::zookeeper': + servers => $zookeeper_server_ips, + client_ip => $zookeeper_client_ip, + id => extract_id($zookeeper_hostnames, $::hostname), + cfg_dir => '/etc/zookeeper/conf', + } + + File['/usr/lib/zookeeper/bin/zkEnv.sh'] -> Class['::zookeeper'] +} diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp index ec38c5c..5308a01 100644 --- a/manifests/loadbalancer.pp +++ b/manifests/loadbalancer.pp @@ -35,6 +35,10 @@ # The value to use as maxconn in the haproxy default config section. # Defaults to 4096 # +# [*haproxy_default_timeout*] +# The value to use as timeout in the haproxy default config section. +# Defaults to [ 'http-request 10s', 'queue 1m', 'connect 10s', 'client 1m', 'server 1m', 'check 10s' ] +# # [*haproxy_log_address*] # The IPv4, IPv6 or filesystem socket path of the syslog server. # Defaults to '/dev/log' @@ -133,6 +137,15 @@ # [*aodh_certificate*] # Filename of an HAProxy-compatible certificate and key file # When set, enables SSL on the Aodh public API endpoint using the specified file. +# +# [*sahara_certificate*] +# Filename of an HAProxy-compatible certificate and key file +# When set, enables SSL on the Sahara public API endpoint using the specified file. +# Defaults to undef +# +# [*trove_certificate*] +# Filename of an HAProxy-compatible certificate and key file +# When set, enables SSL on the Trove public API endpoint using the specified file. # Defaults to undef # # [*gnocchi_certificate*] @@ -180,6 +193,14 @@ # (optional) Enable or not Manila API binding # Defaults to false # +# [*sahara*] +# (optional) Enable or not Sahara API binding +# defaults to false +# +# [*trove*] +# (optional) Enable or not Trove API binding +# defaults to false +# # [*glance_api*] # (optional) Enable or not Glance API binding # Defaults to false @@ -256,6 +277,10 @@ # (optional) Enable or not Redis binding # Defaults to false # +# [*midonet_api*] +# (optional) Enable or not MidoNet API binding +# Defaults to false +# class tripleo::loadbalancer ( $controller_virtual_ip, $control_virtual_interface, @@ -268,6 +293,7 @@ class tripleo::loadbalancer ( $haproxy_service_manage = true, $haproxy_global_maxconn = 20480, $haproxy_default_maxconn = 4096, + $haproxy_default_timeout = [ 'http-request 10s', 'queue 1m', 'connect 10s', 'client 1m', 'server 1m', 'check 10s' ], $haproxy_log_address = '/dev/log', $controller_host = undef, $controller_hosts = undef, @@ -276,6 +302,8 @@ class tripleo::loadbalancer ( $keystone_certificate = undef, $neutron_certificate = undef, $cinder_certificate = undef, + $sahara_certificate = undef, + $trove_certificate = undef, $manila_certificate = undef, $glance_certificate = undef, $nova_certificate = undef, @@ -290,6 +318,8 @@ class tripleo::loadbalancer ( $keystone_public = false, $neutron = false, $cinder = false, + $sahara = false, + $trove = false, $manila = false, $glance_api = false, $glance_registry = false, @@ -310,6 +340,7 @@ class tripleo::loadbalancer ( $mysql_clustercheck = false, $rabbitmq = false, $redis = false, + $midonet_api = false, ) { if !$controller_host and !$controller_hosts { @@ -423,6 +454,16 @@ class tripleo::loadbalancer ( } else { $cinder_bind_certificate = $service_certificate } + if $sahara_certificate { + $sahara_bind_certificate = $sahara_certificate + } else { + $sahara_bind_certificate = $service_certificate + } + if $trove_certificate { + $trove_bind_certificate = $trove_certificate + } else { + $trove_bind_certificate = $trove_certificate + } if $manila_certificate { $manila_bind_certificate = $manila_certificate } else { @@ -548,6 +589,32 @@ class tripleo::loadbalancer ( } } + $sahara_api_vip = hiera('sahara_api_vip', $controller_virtual_ip) + if $sahara_bind_certificate { + $sahara_bind_opts = { + "${sahara_api_vip}:8386" => [], + "${public_virtual_ip}:13786" => ['ssl', 'crt', $sahara_bind_certificate], + } + } else { + $sahara_bind_opts = { + "${sahara_api_vip}:8386" => [], + "${public_virtual_ip}:8386" => [], + } + } + + $trove_api_vip = hiera('$trove_api_vip', $controller_virtual_ip) + if $trove_bind_certificate { + $trove_bind_opts = { + "${trove_api_vip}:8779" => [], + "${public_virtual_ip}:13779" => ['ssl', 'crt', $trove_bind_certificate], + } + } else { + $trove_bind_opts = { + "${trove_api_vip}:8779" => [], + "${public_virtual_ip}:8779" => [], + } + } + $nova_api_vip = hiera('nova_api_vip', $controller_virtual_ip) if $nova_bind_certificate { $nova_osapi_bind_opts = { @@ -637,6 +704,7 @@ class tripleo::loadbalancer ( } $heat_options = { 'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1", + 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'], } $heat_cw_bind_opts = { "${heat_api_vip}:8003" => [], @@ -704,7 +772,7 @@ class tripleo::loadbalancer ( 'mode' => 'tcp', 'log' => 'global', 'retries' => '3', - 'timeout' => [ 'http-request 10s', 'queue 1m', 'connect 10s', 'client 1m', 'server 1m', 'check 10s' ], + 'timeout' => $haproxy_default_timeout, 'maxconn' => $haproxy_default_maxconn, }, } @@ -743,6 +811,10 @@ class tripleo::loadbalancer ( haproxy::listen { 'keystone_public': bind => $keystone_public_bind_opts, collect_exported => false, + mode => 'http', # Needed for http-request option + options => { + 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'], + }, } haproxy::balancermember { 'keystone_public': listening_service => 'keystone_public', @@ -771,6 +843,10 @@ class tripleo::loadbalancer ( haproxy::listen { 'cinder': bind => $cinder_bind_opts, collect_exported => false, + mode => 'http', # Needed for http-request option + options => { + 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'], + }, } haproxy::balancermember { 'cinder': listening_service => 'cinder', @@ -795,6 +871,34 @@ class tripleo::loadbalancer ( } } + if $sahara { + haproxy::listen { 'sahara': + bind => $sahara_bind_opts, + collect_exported => false, + } + haproxy::balancermember { 'sahara': + listening_service => 'sahara', + ports => '8386', + ipaddresses => hiera('sahara_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + } + } + + if $trove { + haproxy::listen { 'trove': + bind => $trove_bind_opts, + collect_exported => false, + } + haproxy::balancermember { 'trove': + listening_service => 'trove', + ports => '8779', + ipaddresses => hiera('trove_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + } + } + if $glance_api { haproxy::listen { 'glance_api': bind => $glance_bind_opts, @@ -842,6 +946,10 @@ class tripleo::loadbalancer ( haproxy::listen { 'nova_osapi': bind => $nova_osapi_bind_opts, collect_exported => false, + mode => 'http', + options => { + 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'], + }, } haproxy::balancermember { 'nova_osapi': listening_service => 'nova_osapi', @@ -872,6 +980,7 @@ class tripleo::loadbalancer ( bind => $nova_novnc_bind_opts, options => { 'balance' => 'source', + 'timeout' => [ 'tunnel 1h' ], }, collect_exported => false, } @@ -998,21 +1107,23 @@ class tripleo::loadbalancer ( ports => '80', ipaddresses => hiera('horizon_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + options => ["cookie ${::hostname}", 'check', 'inter 2000', 'rise 2', 'fall 5'], } } if $mysql_clustercheck { $mysql_listen_options = { - 'option' => [ 'tcpka', 'httpchk' ], - 'timeout' => [ 'client 0', 'server 0' ], - 'stick-table' => 'type ip size 1000', - 'stick' => 'on dst', + 'option' => [ 'tcpka', 'httpchk' ], + 'timeout client' => '90m', + 'timeout server' => '90m', + 'stick-table' => 'type ip size 1000', + 'stick' => 'on dst', } $mysql_member_options = ['check', 'inter 2000', 'rise 2', 'fall 5', 'backup', 'port 9200', 'on-marked-down shutdown-sessions'] } else { $mysql_listen_options = { - 'timeout' => [ 'client 0', 'server 0' ], + 'timeout client' => '90m', + 'timeout server' => '90m', } $mysql_member_options = ['check', 'inter 2000', 'rise 2', 'fall 5', 'backup'] } @@ -1087,4 +1198,23 @@ class tripleo::loadbalancer ( } } + $midonet_api_vip = hiera('midonet_api_vip', $controller_virtual_ip) + $midonet_bind_opts = { + "${midonet_api_vip}:8081" => [], + "${public_virtual_ip}:8081" => [], + } + + if $midonet_api { + haproxy::listen { 'midonet_api': + bind => $midonet_bind_opts, + collect_exported => false, + } + haproxy::balancermember { 'midonet_api': + listening_service => 'midonet_api', + ports => '8081', + ipaddresses => hiera('midonet_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + } + } } diff --git a/manifests/network/midonet/agent.pp b/manifests/network/midonet/agent.pp new file mode 100644 index 0000000..0e65282 --- /dev/null +++ b/manifests/network/midonet/agent.pp @@ -0,0 +1,66 @@ +# +# Copyright (C) 2015 Midokura SARL +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::network::midonet::agent +# +# Configure the midonet agent +# +# == Parameters: +# +# [*zookeeper_servers*] +# (required) List of IPs of the zookeeper server cluster. It will configure +# the connection using the 2181 port. +# Array of strings value. +# +# [*cassandra_seeds*] +# (required) List of IPs of the cassandra cluster. +# Array of strings value. +# +class tripleo::network::midonet::agent ( + $zookeeper_servers, + $cassandra_seeds +) { + + # TODO: Remove comments below once we can guarantee that all the distros + # deploying TripleO use Puppet > 3.7 because of this bug: + # https://tickets.puppetlabs.com/browse/PUP-1299 + + # validate_array($zookeeper_servers) + # validate_array($cassandra_seeds) + + + # FIXME: This statement should be controlled by hiera on heat templates + # project + # Make sure openvswitch service is not running + service {'openvswitch': + ensure => stopped, + enable => false + } + + exec {'delete datapaths': + command => '/usr/bin/mm-dpctl --delete-dp ovs-system', + path => '/usr/bin:/usr/sbin:/bin', + onlyif => '/usr/bin/mm-dpctl --show-dp ovs-system' + } + + # Configure and run the agent + class {'::midonet::midonet_agent': + zk_servers => list_to_zookeeper_hash($zookeeper_servers), + cassandra_seeds => $cassandra_seeds + } + + Service['openvswitch'] -> Class['::midonet::midonet_agent::run'] + Exec['delete datapaths'] -> Class['::midonet::midonet_agent::run'] +} diff --git a/manifests/network/midonet/api.pp b/manifests/network/midonet/api.pp new file mode 100644 index 0000000..83efd2c --- /dev/null +++ b/manifests/network/midonet/api.pp @@ -0,0 +1,122 @@ +# +# Copyright (C) 2015 Midokura SARL +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::network::midonet::api +# +# Configure the MidoNet API +# +# == Parameters: +# +# [*zookeeper_servers*] +# (required) List IPs of the zookeeper server cluster. Zookeeper is the +# backend database where MidoNet stores the virtual network topology. +# Array of strings value. +# +# [*vip*] +# (required) Public Virtual IP where the API will be exposed. +# String (IPv4) value. +# +# [*keystone_ip*] +# (required) MidoNet API is registered as an OpenStack service. Provide the +# keystone ip address. +# String (IPv4) value. +# +# [*keystone_admin_token*] +# (required) MidoNet API is registered as an OpenStack service. It needs the +# keystone admin token to perform some admin calls. +# String value. +# +# [*bind_address*] +# (required) MidoNet API uses a Tomcat instance to offer the REST service. The +# ip address where to bind the tomcat service. +# String (IPv4) value. +# +# [*admin_password*] +# (required) OpenStack admin user password. +# String value. +# +# [*keystone_port*] +# (optional) MidoNet API is registered as an OpenStack service. Provide +# the keystone port. +# Defaults to 35357 +# +# [*keystone_tenant_name*] +# (optional) Tenant of the keystone service. +# Defaults to 'admin' +# +# [*admin_user_name*] +# (optional) OpenStack admin user name. +# Defaults to 'admin' +# +# [*admin_tenant_name*] +# (optional). OpenStack admin tenant name. +# Defaults to 'admin' +# + +class tripleo::network::midonet::api( + $zookeeper_servers, + $vip, + $keystone_ip, + $keystone_admin_token, + $bind_address, + $admin_password, + $keystone_port = 35357, + $keystone_tenant_name = 'admin', + $admin_user_name = 'admin', + $admin_tenant_name = 'admin' +) +{ + + # TODO: Remove this comment once we can guarantee that all the distros + # deploying TripleO use Puppet > 3.7 because of this bug: + # https://tickets.puppetlabs.com/browse/PUP-1299 + + # validate_array($zookeeper_servers) + validate_ip_address($vip) + validate_ip_address($keystone_ip) + validate_ip_address($bind_address) + + # Run Tomcat and MidoNet API + class {'::tomcat': + install_from_source => false + } -> + + package {'midonet-api': + ensure => present + } -> + + class {'::midonet::midonet_api::run': + zk_servers => list_to_zookeeper_hash($zookeeper_servers), + keystone_auth => true, + tomcat_package => 'tomcat', + vtep => false, + api_ip => $vip, + api_port => '8081', + keystone_host => $keystone_ip, + keystone_port => $keystone_port, + keystone_admin_token => $keystone_admin_token, + keystone_tenant_name => $keystone_tenant_name, + catalina_base => '/usr/share/tomcat', + bind_address => $bind_address + } + + # Configure the CLI + class {'::midonet::midonet_cli': + api_endpoint => "http://${vip}:8081/midonet-api", + username => $admin_user_name, + password => $admin_password, + tenant_name => $admin_tenant_name + } +} diff --git a/manifests/packages.pp b/manifests/packages.pp index ac11efd..c0971e9 100644 --- a/manifests/packages.pp +++ b/manifests/packages.pp @@ -45,7 +45,26 @@ class tripleo::packages ( if $enable_upgrade { Package <| |> { ensure => 'latest' } + + case $::osfamily { + 'RedHat': { + $pkg_upgrade_cmd = 'yum -y update' + } + default: { + warning('Please specify a package upgrade command for distribution.') + } + } + + exec { 'package-upgrade': + command => $pkg_upgrade_cmd, + path => '/usr/bin', + } + # A resource chain to ensure the upgrade ordering we want: + # 1) upgrade puppet managed packages (will trigger puppet dependencies) + # 2) then upgrade all packages via exec + # 3) then restart services + Package <| |> -> Exec['package-upgrade'] -> Service <| |> + } } - diff --git a/manifests/ssl/cinder_config.pp b/manifests/ssl/cinder_config.pp new file mode 100644 index 0000000..e1ed113 --- /dev/null +++ b/manifests/ssl/cinder_config.pp @@ -0,0 +1,28 @@ +# Copyright 2016 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +# == Class: tripleo::ssl::cinder_config +# +# Enable SSL middleware for the cinder service's pipeline. +# + +class tripleo::ssl::cinder_config { + cinder_api_paste_ini { + 'filter:ssl_header_handler/paste.filter_factory': + value => 'oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory'; + 'pipeline:apiversions/pipeline': + value => 'ssl_header_handler faultwrap osvolumeversionapp'; + } +} |