aboutsummaryrefslogtreecommitdiffstats
path: root/manifests
diff options
context:
space:
mode:
Diffstat (limited to 'manifests')
-rw-r--r--manifests/certmonger/mysql.pp9
-rw-r--r--manifests/glance/nfs_mount.pp2
-rw-r--r--manifests/haproxy.pp44
-rw-r--r--manifests/profile/base/kernel.pp28
-rw-r--r--manifests/profile/base/neutron/opendaylight/configure_cluster.pp45
-rw-r--r--manifests/profile/base/neutron/opendaylight/create_cluster.pp43
-rw-r--r--manifests/profile/base/neutron/plugins/ml2.pp4
-rw-r--r--manifests/profile/base/neutron/plugins/ml2/nuage.pp31
-rw-r--r--manifests/profile/base/ui.pp4
-rw-r--r--manifests/profile/pacemaker/database/mysql.pp49
-rw-r--r--manifests/ui.pp3
11 files changed, 230 insertions, 32 deletions
diff --git a/manifests/certmonger/mysql.pp b/manifests/certmonger/mysql.pp
index dd9b184..0988c55 100644
--- a/manifests/certmonger/mysql.pp
+++ b/manifests/certmonger/mysql.pp
@@ -31,6 +31,12 @@
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
+# [*dnsnames*]
+# (Optional) The DNS names that will be added for the SubjectAltNames entry
+# in the certificate. If left unset, the value will be set to the $hostname.
+# This parameter can take both a string or an array of strings.
+# Defaults to $hostname
+#
# [*principal*]
# (Optional) The haproxy service principal that is set for MySQL in kerberos.
# Defaults to undef
@@ -40,6 +46,7 @@ class tripleo::certmonger::mysql (
$service_certificate,
$service_key,
$certmonger_ca = hiera('certmonger_ca', 'local'),
+ $dnsnames = $hostname,
$principal = undef,
) {
include ::certmonger
@@ -51,7 +58,7 @@ class tripleo::certmonger::mysql (
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
- dnsname => $hostname,
+ dnsname => $dnsnames,
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
diff --git a/manifests/glance/nfs_mount.pp b/manifests/glance/nfs_mount.pp
index 035191d..674bdd0 100644
--- a/manifests/glance/nfs_mount.pp
+++ b/manifests/glance/nfs_mount.pp
@@ -43,7 +43,7 @@ class tripleo::glance::nfs_mount (
$options = 'intr,context=system_u:object_r:glance_var_lib_t:s0',
$edit_fstab = true,
$fstab_fstype = 'nfs4',
- $fstab_prepend_options = 'bg'
+ $fstab_prepend_options = '_netdev,bg'
) {
$images_dir = '/var/lib/glance/images'
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 6b305cb..2f29674 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -155,6 +155,10 @@
# When set, enables SSL on the haproxy stats endpoint using the specified file.
# Defaults to undef
#
+# [*haproxy_stats*]
+# (optional) Enable or not the haproxy stats interface
+# Defaults to true
+#
# [*keystone_admin*]
# (optional) Enable or not Keystone Admin API binding
# Defaults to hiera('keystone_enabled', false)
@@ -279,6 +283,10 @@
# (optional) Enable check via clustercheck for mysql
# Defaults to false
#
+# [*mysql_max_conn*]
+# (optional) Set the maxconn parameter for mysql
+# Defaults to undef
+#
# [*mysql_member_options*]
# The options to use for the mysql HAProxy balancer members.
# If this parameter is undefined, the actual value configured will depend
@@ -522,7 +530,7 @@
# 'nova_novnc_port' (Defaults to 6080)
# 'nova_novnc_ssl_port' (Defaults to 13080)
# 'opendaylight_api_port' (Defaults to 8081)
-# 'panko_api_port' (Defaults to 8779)
+# 'panko_api_port' (Defaults to 8977)
# 'panko_api_ssl_port' (Defaults to 13779)
# 'ovn_nbdb_port' (Defaults to 6641)
# 'ovn_sbdb_port' (Defaults to 6642)
@@ -571,6 +579,7 @@ class tripleo::haproxy (
$ca_bundle = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
$crl_file = undef,
$haproxy_stats_certificate = undef,
+ $haproxy_stats = true,
$keystone_admin = hiera('keystone_enabled', false),
$keystone_public = hiera('keystone_enabled', false),
$neutron = hiera('neutron_api_enabled', false),
@@ -602,6 +611,7 @@ class tripleo::haproxy (
$ironic_inspector = hiera('ironic_inspector_enabled', false),
$mysql = hiera('mysql_enabled', false),
$mysql_clustercheck = false,
+ $mysql_max_conn = undef,
$mysql_member_options = undef,
$rabbitmq = false,
$etcd = hiera('etcd_enabled', false),
@@ -706,7 +716,7 @@ class tripleo::haproxy (
nova_novnc_port => 6080,
nova_novnc_ssl_port => 13080,
opendaylight_api_port => 8081,
- panko_api_port => 8779,
+ panko_api_port => 8977,
panko_api_ssl_port => 13779,
ovn_nbdb_port => 6641,
ovn_sbdb_port => 6642,
@@ -871,19 +881,21 @@ class tripleo::haproxy (
listen_options => $default_listen_options,
}
- $stats_base = ['enable', 'uri /']
- if $haproxy_stats_password {
- $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"])
- } else {
- $stats_config = $stats_base
- }
- haproxy::listen { 'haproxy.stats':
- bind => $haproxy_stats_bind_opts,
- mode => 'http',
- options => {
- 'stats' => $stats_config,
- },
- collect_exported => false,
+ if $haproxy_stats {
+ $stats_base = ['enable', 'uri /']
+ if $haproxy_stats_password {
+ $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"])
+ } else {
+ $stats_config = $stats_base
+ }
+ haproxy::listen { 'haproxy.stats':
+ bind => $haproxy_stats_bind_opts,
+ mode => 'http',
+ options => {
+ 'stats' => $stats_config,
+ },
+ collect_exported => false,
+ }
}
if $keystone_admin {
@@ -1314,6 +1326,7 @@ class tripleo::haproxy (
'timeout server' => '90m',
'stick-table' => 'type ip size 1000',
'stick' => 'on dst',
+ 'maxconn' => $mysql_max_conn
}
if $mysql_member_options {
$mysql_member_options_real = $mysql_member_options
@@ -1324,6 +1337,7 @@ class tripleo::haproxy (
$mysql_listen_options = {
'timeout client' => '90m',
'timeout server' => '90m',
+ 'maxconn' => $mysql_max_conn
}
if $mysql_member_options {
$mysql_member_options_real = $mysql_member_options
diff --git a/manifests/profile/base/kernel.pp b/manifests/profile/base/kernel.pp
index df13a98..48caf37 100644
--- a/manifests/profile/base/kernel.pp
+++ b/manifests/profile/base/kernel.pp
@@ -17,14 +17,32 @@
#
# Load and configure Kernel modules.
#
-class tripleo::profile::base::kernel {
+# === Parameters
+#
+# [*module_list*]
+# (Optional) List of kernel modules to load.
+# Defaults to hiera('kernel_modules')
+#
+# [*sysctl_settings*]
+# (Optional) List of sysctl settings to load.
+# Defaults to hiera('sysctl_settings')
+#
+class tripleo::profile::base::kernel (
+ $module_list = hiera('kernel_modules', undef),
+ $sysctl_settings = hiera('sysctl_settings', undef),
+) {
- if hiera('kernel_modules', undef) {
- create_resources(kmod::load, hiera('kernel_modules'), { })
+ if $module_list {
+ create_resources(kmod::load, $module_list, { })
}
- if hiera('sysctl_settings', undef) {
- create_resources(sysctl::value, hiera('sysctl_settings'), { })
+ if $sysctl_settings {
+ create_resources(sysctl::value, $sysctl_settings, { })
}
Exec <| tag == 'kmod::load' |> -> Sysctl <| |>
+ # RHEL 7.4+ workaround where this functionality is built into the
+ # kernel instead of being built as a module.
+ # That way, we can support both 7.3 and 7.4 RHEL versions.
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1387537
+ Exec <| title == 'modprobe nf_conntrack_proto_sctp' |> { returns => [0,1] }
}
diff --git a/manifests/profile/base/neutron/opendaylight/configure_cluster.pp b/manifests/profile/base/neutron/opendaylight/configure_cluster.pp
new file mode 100644
index 0000000..022e8ae
--- /dev/null
+++ b/manifests/profile/base/neutron/opendaylight/configure_cluster.pp
@@ -0,0 +1,45 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Configures an OpenDaylight cluster.
+# It creates the akka configuration file for ODL to cluster correctly
+# It will not configure clustering if less than 3 nodes
+#
+# == Function: tripleo::profile::base::neutron::opendaylight::configure_cluster
+#
+# == Parameters
+#
+# [*node_name*]
+# The short hostname of node
+#
+# [*odl_api_ips*] Array of IPs per ODL node
+# Defaults to empty array
+#
+define tripleo::profile::base::neutron::opendaylight::configure_cluster(
+ $node_name,
+ $odl_api_ips = [],
+) {
+ validate_array($odl_api_ips)
+ if size($odl_api_ips) > 2 {
+ $node_string = split($node_name, '-')
+ $ha_node_index = $node_string[-1] + 1
+ $ha_node_ip_str = join($odl_api_ips, ' ')
+ exec { 'Configure ODL Clustering':
+ command => "configure_cluster.sh ${ha_node_index} ${ha_node_ip_str}",
+ path => '/opt/opendaylight/bin/:/usr/sbin:/usr/bin:/sbin:/bin',
+ creates => '/opt/opendaylight/configuration/initial/akka.conf'
+ }
+ }
+}
+
diff --git a/manifests/profile/base/neutron/opendaylight/create_cluster.pp b/manifests/profile/base/neutron/opendaylight/create_cluster.pp
new file mode 100644
index 0000000..c3e4f7f
--- /dev/null
+++ b/manifests/profile/base/neutron/opendaylight/create_cluster.pp
@@ -0,0 +1,43 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Configures an OpenDaylight cluster.
+# It creates the akka configuration file for ODL to cluster correctly
+# It will not configure clustering if less than 3 nodes
+#
+# == Class: tripleo::profile::base::neutron::opendaylight::create_cluster
+#
+# OpenDaylight class only used for creating clusters with container deployments
+#
+# === Parameters
+#
+# [*odl_api_ips*]
+# (Optional) List of OpenStack Controller IPs for ODL API
+# Defaults to hiera('opendaylight_api_node_ips')
+#
+# [*node_name*]
+# (Optional) The short hostname of node
+# Defaults to hiera('bootstack_nodeid')
+#
+class tripleo::profile::base::neutron::opendaylight::create_cluster (
+ $odl_api_ips = hiera('opendaylight_api_node_ips'),
+ $node_name = hiera('bootstack_nodeid')
+) {
+
+ tripleo::profile::base::neutron::opendaylight::configure_cluster {'ODL cluster':
+ node_name => $node_name,
+ odl_api_ips => $odl_api_ips,
+ }
+
+}
diff --git a/manifests/profile/base/neutron/plugins/ml2.pp b/manifests/profile/base/neutron/plugins/ml2.pp
index f7a2935..1f440fa 100644
--- a/manifests/profile/base/neutron/plugins/ml2.pp
+++ b/manifests/profile/base/neutron/plugins/ml2.pp
@@ -85,5 +85,9 @@ class tripleo::profile::base::neutron::plugins::ml2 (
if 'vpp' in $mechanism_drivers {
include ::tripleo::profile::base::neutron::plugins::ml2::vpp
}
+
+ if 'nuage' in $mechanism_drivers {
+ include ::tripleo::profile::base::neutron::plugins::ml2::nuage
+ }
}
}
diff --git a/manifests/profile/base/neutron/plugins/ml2/nuage.pp b/manifests/profile/base/neutron/plugins/ml2/nuage.pp
new file mode 100644
index 0000000..e9608d0
--- /dev/null
+++ b/manifests/profile/base/neutron/plugins/ml2/nuage.pp
@@ -0,0 +1,31 @@
+# Copyright 2017 Nuage Networks from Nokia Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::neutron::plugins::ml2::nuage
+#
+# Nuage Neutron ML2 profile for tripleo
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+class tripleo::profile::base::neutron::plugins::ml2::nuage (
+ $step = hiera('step'),
+) {
+
+ if $step >= 4 {
+ include ::neutron::plugins::ml2::nuage
+ }
+}
diff --git a/manifests/profile/base/ui.pp b/manifests/profile/base/ui.pp
index 681496a..710c210 100644
--- a/manifests/profile/base/ui.pp
+++ b/manifests/profile/base/ui.pp
@@ -17,10 +17,6 @@
# UI profile for tripleo
#
class tripleo::profile::base::ui () {
- package {'openstack-tripleo-ui': }
-
- include ::apache
-
include ::tripleo::ui
}
diff --git a/manifests/profile/pacemaker/database/mysql.pp b/manifests/profile/pacemaker/database/mysql.pp
index 3aff62f..22adbe9 100644
--- a/manifests/profile/pacemaker/database/mysql.pp
+++ b/manifests/profile/pacemaker/database/mysql.pp
@@ -26,6 +26,27 @@
# (Optional) The address that the local mysql instance should bind to.
# Defaults to $::hostname
#
+# [*ca_file*]
+# (Optional) The path to the CA file that will be used for the TLS
+# configuration. It's only used if internal TLS is enabled.
+# Defaults to undef
+#
+# [*certificate_specs*]
+# (Optional) The specifications to give to certmonger for the certificate
+# it will create. Note that the certificate nickname must be 'mysql' in
+# the case of this service.
+# Example with hiera:
+# tripleo::profile::base::database::mysql::certificate_specs:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "mysql/<overcloud controller fqdn>"
+# Defaults to hiera('tripleo::profile::base::database::mysql::certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
# [*gmcast_listen_addr*]
# (Optional) This variable defines the address on which the node listens to
# connections from other nodes in the cluster.
@@ -41,11 +62,14 @@
# Defaults to hiera('pcs_tries', 20)
#
class tripleo::profile::pacemaker::database::mysql (
- $bootstrap_node = hiera('mysql_short_bootstrap_node_name'),
- $bind_address = $::hostname,
- $gmcast_listen_addr = hiera('mysql_bind_host'),
- $step = Integer(hiera('step')),
- $pcs_tries = hiera('pcs_tries', 20),
+ $bootstrap_node = hiera('mysql_short_bootstrap_node_name'),
+ $bind_address = $::hostname,
+ $ca_file = undef,
+ $certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
+ $gmcast_listen_addr = hiera('mysql_bind_host'),
+ $step = Integer(hiera('step')),
+ $pcs_tries = hiera('pcs_tries', 20),
) {
if $::hostname == downcase($bootstrap_node) {
$pacemaker_master = true
@@ -70,6 +94,19 @@ class tripleo::profile::pacemaker::database::mysql (
$processed_galera_name_pairs = $galera_name_pairs.map |$pair| { join($pair, ':') }
$cluster_host_map = join($processed_galera_name_pairs, ';')
+ if $enable_internal_tls {
+ $tls_certfile = $certificate_specs['service_certificate']
+ $tls_keyfile = $certificate_specs['service_key']
+ if $ca_file {
+ $tls_ca_options = "socket.ssl_ca=${ca_file}"
+ } else {
+ $tls_ca_options = ''
+ }
+ $tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options};"
+ } else {
+ $tls_options = ''
+ }
+
$mysqld_options = {
'mysqld' => {
'skip-name-resolve' => '1',
@@ -98,7 +135,7 @@ class tripleo::profile::pacemaker::database::mysql (
'wsrep_drupal_282555_workaround'=> '0',
'wsrep_causal_reads' => '0',
'wsrep_sst_method' => 'rsync',
- 'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;",
+ 'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;${tls_options}",
}
}
diff --git a/manifests/ui.pp b/manifests/ui.pp
index 825ffc2..d744044 100644
--- a/manifests/ui.pp
+++ b/manifests/ui.pp
@@ -136,13 +136,16 @@ class tripleo::ui (
$endpoint_config_swift = undef,
) {
+ package {'openstack-tripleo-ui': }
+ include ::apache
include ::apache::mod::proxy
include ::apache::mod::proxy_http
include ::apache::mod::proxy_wstunnel
::apache::vhost { 'tripleo-ui':
ensure => 'present',
+ require => Package['openstack-tripleo-ui'],
servername => $servername,
ip => $bind_host,
port => $ui_port,