11 files changed, 230 insertions, 32 deletions
diff --git a/manifests/certmonger/mysql.pp b/manifests/certmonger/mysql.pp
index dd9b184..0988c55 100644
--- a/manifests/certmonger/mysql.pp
+++ b/manifests/certmonger/mysql.pp
@@ -31,6 +31,12 @@
 #   (Optional) The CA that certmonger will use to generate the certificates.
 #   Defaults to hiera('certmonger_ca', 'local').
 #
+# [*dnsnames*]
+#   (Optional) The DNS names that will be added for the SubjectAltNames entry
+#   in the certificate. If left unset, the value will be set to the $hostname.
+#   This parameter can take both a string or an array of strings.
+#   Defaults to $hostname
+#
 # [*principal*]
 #   (Optional) The haproxy service principal that is set for MySQL in kerberos.
 #   Defaults to undef
@@ -40,6 +46,7 @@ class tripleo::certmonger::mysql (
   $service_certificate,
   $service_key,
   $certmonger_ca = hiera('certmonger_ca', 'local'),
+  $dnsnames      = $hostname,
   $principal     = undef,
 ) {
   include ::certmonger
@@ -51,7 +58,7 @@ class tripleo::certmonger::mysql (
     certfile     => $service_certificate,
     keyfile      => $service_key,
     hostname     => $hostname,
-    dnsname      => $hostname,
+    dnsname      => $dnsnames,
     principal    => $principal,
     postsave_cmd => $postsave_cmd,
     ca           => $certmonger_ca,
diff --git a/manifests/glance/nfs_mount.pp b/manifests/glance/nfs_mount.pp
index 035191d..674bdd0 100644
--- a/manifests/glance/nfs_mount.pp
+++ b/manifests/glance/nfs_mount.pp
@@ -43,7 +43,7 @@ class tripleo::glance::nfs_mount (
   $options               = 'intr,context=system_u:object_r:glance_var_lib_t:s0',
   $edit_fstab            = true,
   $fstab_fstype          = 'nfs4',
-  $fstab_prepend_options = 'bg'
+  $fstab_prepend_options = '_netdev,bg'
 ) {
 
   $images_dir = '/var/lib/glance/images'
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 6b305cb..2f29674 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -155,6 +155,10 @@
 #  When set, enables SSL on the haproxy stats endpoint using the specified file.
 #  Defaults to undef
 #
+# [*haproxy_stats*]
+#  (optional) Enable or not the haproxy stats interface
+#  Defaults to true
+#
 # [*keystone_admin*]
 #  (optional) Enable or not Keystone Admin API binding
 #  Defaults to hiera('keystone_enabled', false)
@@ -279,6 +283,10 @@
 #  (optional) Enable check via clustercheck for mysql
 #  Defaults to false
 #
+# [*mysql_max_conn*]
+#  (optional) Set the maxconn parameter for mysql
+#  Defaults to undef
+#
 # [*mysql_member_options*]
 #  The options to use for the mysql HAProxy balancer members.
 #  If this parameter is undefined, the actual value configured will depend
@@ -522,7 +530,7 @@
 #    'nova_novnc_port' (Defaults to 6080)
 #    'nova_novnc_ssl_port' (Defaults to 13080)
 #    'opendaylight_api_port' (Defaults to 8081)
-#    'panko_api_port' (Defaults to 8779)
+#    'panko_api_port' (Defaults to 8977)
 #    'panko_api_ssl_port' (Defaults to 13779)
 #    'ovn_nbdb_port' (Defaults to 6641)
 #    'ovn_sbdb_port' (Defaults to 6642)
@@ -571,6 +579,7 @@ class tripleo::haproxy (
   $ca_bundle                   = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
   $crl_file                    = undef,
   $haproxy_stats_certificate   = undef,
+  $haproxy_stats               = true,
   $keystone_admin              = hiera('keystone_enabled', false),
   $keystone_public             = hiera('keystone_enabled', false),
   $neutron                     = hiera('neutron_api_enabled', false),
@@ -602,6 +611,7 @@ class tripleo::haproxy (
   $ironic_inspector            = hiera('ironic_inspector_enabled', false),
   $mysql                       = hiera('mysql_enabled', false),
   $mysql_clustercheck          = false,
+  $mysql_max_conn              = undef,
   $mysql_member_options        = undef,
   $rabbitmq                    = false,
   $etcd                        = hiera('etcd_enabled', false),
@@ -706,7 +716,7 @@ class tripleo::haproxy (
     nova_novnc_port => 6080,
     nova_novnc_ssl_port => 13080,
     opendaylight_api_port => 8081,
-    panko_api_port => 8779,
+    panko_api_port => 8977,
     panko_api_ssl_port => 13779,
     ovn_nbdb_port => 6641,
     ovn_sbdb_port => 6642,
@@ -871,19 +881,21 @@ class tripleo::haproxy (
     listen_options              => $default_listen_options,
   }
 
-  $stats_base = ['enable', 'uri /']
-  if $haproxy_stats_password {
-    $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"])
-  } else {
-    $stats_config = $stats_base
-  }
-  haproxy::listen { 'haproxy.stats':
-    bind             => $haproxy_stats_bind_opts,
-    mode             => 'http',
-    options          => {
-      'stats' => $stats_config,
-    },
-    collect_exported => false,
+  if $haproxy_stats {
+    $stats_base = ['enable', 'uri /']
+    if $haproxy_stats_password {
+      $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"])
+    } else {
+      $stats_config = $stats_base
+    }
+    haproxy::listen { 'haproxy.stats':
+      bind             => $haproxy_stats_bind_opts,
+      mode             => 'http',
+      options          => {
+        'stats' => $stats_config,
+      },
+      collect_exported => false,
+    }
   }
 
   if $keystone_admin {
@@ -1314,6 +1326,7 @@ class tripleo::haproxy (
       'timeout server' => '90m',
       'stick-table'    => 'type ip size 1000',
       'stick'          => 'on dst',
+      'maxconn'        => $mysql_max_conn
     }
     if $mysql_member_options {
         $mysql_member_options_real = $mysql_member_options
@@ -1324,6 +1337,7 @@ class tripleo::haproxy (
     $mysql_listen_options = {
       'timeout client' => '90m',
       'timeout server' => '90m',
+      'maxconn'        => $mysql_max_conn
     }
     if $mysql_member_options {
         $mysql_member_options_real = $mysql_member_options
diff --git a/manifests/profile/base/kernel.pp b/manifests/profile/base/kernel.pp
index df13a98..48caf37 100644
--- a/manifests/profile/base/kernel.pp
+++ b/manifests/profile/base/kernel.pp
@@ -17,14 +17,32 @@
 #
 # Load and configure Kernel modules.
 #
-class tripleo::profile::base::kernel {
+# === Parameters
+#
+# [*module_list*]
+#   (Optional) List of kernel modules to load.
+#   Defaults to hiera('kernel_modules')
+#
+# [*sysctl_settings*]
+#   (Optional) List of sysctl settings to load.
+#   Defaults to hiera('sysctl_settings')
+#
+class tripleo::profile::base::kernel (
+  $module_list     = hiera('kernel_modules', undef),
+  $sysctl_settings = hiera('sysctl_settings', undef),
+) {
 
-  if hiera('kernel_modules', undef) {
-    create_resources(kmod::load, hiera('kernel_modules'), { })
+  if $module_list {
+    create_resources(kmod::load, $module_list, { })
   }
-  if hiera('sysctl_settings', undef) {
-    create_resources(sysctl::value, hiera('sysctl_settings'), { })
+  if $sysctl_settings {
+    create_resources(sysctl::value, $sysctl_settings, { })
   }
   Exec <| tag == 'kmod::load' |> -> Sysctl <| |>
 
+  # RHEL 7.4+ workaround where this functionality is built into the
+  # kernel instead of being built as a module.
+  # That way, we can support both 7.3 and 7.4 RHEL versions.
+  # https://bugzilla.redhat.com/show_bug.cgi?id=1387537
+  Exec <| title == 'modprobe nf_conntrack_proto_sctp' |> { returns => [0,1] }
 }
diff --git a/manifests/profile/base/neutron/opendaylight/configure_cluster.pp b/manifests/profile/base/neutron/opendaylight/configure_cluster.pp
new file mode 100644
index 0000000..022e8ae
--- /dev/null
+++ b/manifests/profile/base/neutron/opendaylight/configure_cluster.pp
@@ -0,0 +1,45 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Configures an OpenDaylight cluster.
+# It creates the akka configuration file for ODL to cluster correctly
+# It will not configure clustering if less than 3 nodes
+#
+# == Function: tripleo::profile::base::neutron::opendaylight::configure_cluster
+#
+# == Parameters
+#
+# [*node_name*]
+#   The short hostname of node
+#
+# [*odl_api_ips*] Array of IPs per ODL node
+#   Defaults to empty array
+#
+define tripleo::profile::base::neutron::opendaylight::configure_cluster(
+  $node_name,
+  $odl_api_ips = [],
+) {
+  validate_array($odl_api_ips)
+  if size($odl_api_ips) > 2 {
+    $node_string = split($node_name, '-')
+    $ha_node_index = $node_string[-1] + 1
+    $ha_node_ip_str = join($odl_api_ips, ' ')
+    exec { 'Configure ODL Clustering':
+      command => "configure_cluster.sh ${ha_node_index} ${ha_node_ip_str}",
+      path    => '/opt/opendaylight/bin/:/usr/sbin:/usr/bin:/sbin:/bin',
+      creates => '/opt/opendaylight/configuration/initial/akka.conf'
+    }
+  }
+}
+
diff --git a/manifests/profile/base/neutron/opendaylight/create_cluster.pp b/manifests/profile/base/neutron/opendaylight/create_cluster.pp
new file mode 100644
index 0000000..c3e4f7f
--- /dev/null
+++ b/manifests/profile/base/neutron/opendaylight/create_cluster.pp
@@ -0,0 +1,43 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Configures an OpenDaylight cluster.
+# It creates the akka configuration file for ODL to cluster correctly
+# It will not configure clustering if less than 3 nodes
+#
+# == Class: tripleo::profile::base::neutron::opendaylight::create_cluster
+#
+# OpenDaylight class only used for creating clusters with container deployments
+#
+# === Parameters
+#
+# [*odl_api_ips*]
+#   (Optional) List of OpenStack Controller IPs for ODL API
+#   Defaults to hiera('opendaylight_api_node_ips')
+#
+# [*node_name*]
+#   (Optional) The short hostname of node
+#   Defaults to hiera('bootstack_nodeid')
+#
+class tripleo::profile::base::neutron::opendaylight::create_cluster (
+  $odl_api_ips  = hiera('opendaylight_api_node_ips'),
+  $node_name    = hiera('bootstack_nodeid')
+) {
+
+  tripleo::profile::base::neutron::opendaylight::configure_cluster {'ODL cluster':
+    node_name   => $node_name,
+    odl_api_ips => $odl_api_ips,
+  }
+
+}
diff --git a/manifests/profile/base/neutron/plugins/ml2.pp b/manifests/profile/base/neutron/plugins/ml2.pp
index f7a2935..1f440fa 100644
--- a/manifests/profile/base/neutron/plugins/ml2.pp
+++ b/manifests/profile/base/neutron/plugins/ml2.pp
@@ -85,5 +85,9 @@ class tripleo::profile::base::neutron::plugins::ml2 (
     if 'vpp' in $mechanism_drivers {
       include ::tripleo::profile::base::neutron::plugins::ml2::vpp
     }
+
+    if 'nuage' in $mechanism_drivers {
+      include ::tripleo::profile::base::neutron::plugins::ml2::nuage
+    }
   }
 }
diff --git a/manifests/profile/base/neutron/plugins/ml2/nuage.pp b/manifests/profile/base/neutron/plugins/ml2/nuage.pp
new file mode 100644
index 0000000..e9608d0
--- /dev/null
+++ b/manifests/profile/base/neutron/plugins/ml2/nuage.pp
@@ -0,0 +1,31 @@
+# Copyright 2017 Nuage Networks from Nokia Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::neutron::plugins::ml2::nuage
+#
+# Nuage Neutron ML2 profile for tripleo
+#
+# [*step*]
+#   (Optional) The current step in deployment. See tripleo-heat-templates
+#   for more details.
+#   Defaults to hiera('step')
+#
+class tripleo::profile::base::neutron::plugins::ml2::nuage (
+  $step              = hiera('step'),
+) {
+
+  if $step >= 4 {
+    include ::neutron::plugins::ml2::nuage
+  }
+}
diff --git a/manifests/profile/base/ui.pp b/manifests/profile/base/ui.pp
index 681496a..710c210 100644
--- a/manifests/profile/base/ui.pp
+++ b/manifests/profile/base/ui.pp
@@ -17,10 +17,6 @@
 # UI profile for tripleo
 #
 class tripleo::profile::base::ui () {
-  package {'openstack-tripleo-ui': }
-
-  include ::apache
-
   include ::tripleo::ui
 }
 
diff --git a/manifests/profile/pacemaker/database/mysql.pp b/manifests/profile/pacemaker/database/mysql.pp
index 3aff62f..22adbe9 100644
--- a/manifests/profile/pacemaker/database/mysql.pp
+++ b/manifests/profile/pacemaker/database/mysql.pp
@@ -26,6 +26,27 @@
 #   (Optional) The address that the local mysql instance should bind to.
 #   Defaults to $::hostname
 #
+# [*ca_file*]
+#   (Optional) The path to the CA file that will be used for the TLS
+#   configuration. It's only used if internal TLS is enabled.
+#   Defaults to undef
+#
+# [*certificate_specs*]
+#   (Optional) The specifications to give to certmonger for the certificate
+#   it will create. Note that the certificate nickname must be 'mysql' in
+#   the case of this service.
+#   Example with hiera:
+#     tripleo::profile::base::database::mysql::certificate_specs:
+#       hostname: <overcloud controller fqdn>
+#       service_certificate: <service certificate path>
+#       service_key: <service key path>
+#       principal: "mysql/<overcloud controller fqdn>"
+#   Defaults to hiera('tripleo::profile::base::database::mysql::certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+#   (Optional) Whether TLS in the internal network is enabled or not.
+#   Defaults to hiera('enable_internal_tls', false)
+#
 # [*gmcast_listen_addr*]
 #   (Optional) This variable defines the address on which the node listens to
 #   connections from other nodes in the cluster.
@@ -41,11 +62,14 @@
 #   Defaults to hiera('pcs_tries', 20)
 #
 class tripleo::profile::pacemaker::database::mysql (
-  $bootstrap_node     = hiera('mysql_short_bootstrap_node_name'),
-  $bind_address       = $::hostname,
-  $gmcast_listen_addr = hiera('mysql_bind_host'),
-  $step               = Integer(hiera('step')),
-  $pcs_tries          = hiera('pcs_tries', 20),
+  $bootstrap_node      = hiera('mysql_short_bootstrap_node_name'),
+  $bind_address        = $::hostname,
+  $ca_file             = undef,
+  $certificate_specs   = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
+  $enable_internal_tls = hiera('enable_internal_tls', false),
+  $gmcast_listen_addr  = hiera('mysql_bind_host'),
+  $step                = Integer(hiera('step')),
+  $pcs_tries           = hiera('pcs_tries', 20),
 ) {
   if $::hostname == downcase($bootstrap_node) {
     $pacemaker_master = true
@@ -70,6 +94,19 @@ class tripleo::profile::pacemaker::database::mysql (
   $processed_galera_name_pairs = $galera_name_pairs.map |$pair| { join($pair, ':') }
   $cluster_host_map = join($processed_galera_name_pairs, ';')
 
+  if $enable_internal_tls {
+    $tls_certfile = $certificate_specs['service_certificate']
+    $tls_keyfile = $certificate_specs['service_key']
+    if $ca_file {
+      $tls_ca_options = "socket.ssl_ca=${ca_file}"
+    } else {
+      $tls_ca_options = ''
+    }
+    $tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options};"
+  } else {
+    $tls_options = ''
+  }
+
   $mysqld_options = {
     'mysqld' => {
       'skip-name-resolve'             => '1',
@@ -98,7 +135,7 @@ class tripleo::profile::pacemaker::database::mysql (
       'wsrep_drupal_282555_workaround'=> '0',
       'wsrep_causal_reads'            => '0',
       'wsrep_sst_method'              => 'rsync',
-      'wsrep_provider_options'        => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;",
+      'wsrep_provider_options'        => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;${tls_options}",
     }
   }
 
diff --git a/manifests/ui.pp b/manifests/ui.pp
index 825ffc2..d744044 100644
--- a/manifests/ui.pp
+++ b/manifests/ui.pp
@@ -136,13 +136,16 @@ class tripleo::ui (
   $endpoint_config_swift            = undef,
 
 ) {
+  package {'openstack-tripleo-ui': }
 
+  include ::apache
   include ::apache::mod::proxy
   include ::apache::mod::proxy_http
   include ::apache::mod::proxy_wstunnel
 
   ::apache::vhost { 'tripleo-ui':
     ensure           => 'present',
+    require          => Package['openstack-tripleo-ui'],
     servername       => $servername,
     ip               => $bind_host,
     port             => $ui_port,