aboutsummaryrefslogtreecommitdiffstats
path: root/manifests
diff options
context:
space:
mode:
Diffstat (limited to 'manifests')
-rw-r--r--manifests/certmonger/rabbitmq.pp4
-rw-r--r--manifests/haproxy.pp124
-rw-r--r--manifests/haproxy/endpoint.pp2
-rw-r--r--manifests/keepalived.pp18
-rw-r--r--manifests/profile/base/aodh/api.pp15
-rw-r--r--manifests/profile/base/barbican/api.pp13
-rw-r--r--manifests/profile/base/ceilometer/api.pp13
-rw-r--r--manifests/profile/base/ceilometer/collector.pp8
-rw-r--r--manifests/profile/base/ceph/rgw.pp2
-rw-r--r--manifests/profile/base/certmonger_user.pp77
-rw-r--r--manifests/profile/base/cinder/api.pp13
-rw-r--r--manifests/profile/base/cinder/volume.pp13
-rw-r--r--manifests/profile/base/cinder/volume/dellps.pp6
-rw-r--r--manifests/profile/base/cinder/volume/pure.pp65
-rw-r--r--manifests/profile/base/database/mongodb.pp11
-rw-r--r--manifests/profile/base/database/mysql.pp10
-rw-r--r--manifests/profile/base/database/mysql/client.pp1
-rw-r--r--manifests/profile/base/docker_registry.pp1
-rw-r--r--manifests/profile/base/etcd.pp7
-rw-r--r--manifests/profile/base/glance/api.pp13
-rw-r--r--manifests/profile/base/gnocchi/api.pp22
-rw-r--r--manifests/profile/base/haproxy.pp16
-rw-r--r--manifests/profile/base/heat/api.pp15
-rw-r--r--manifests/profile/base/heat/api_cfn.pp15
-rw-r--r--manifests/profile/base/heat/api_cloudwatch.pp15
-rw-r--r--manifests/profile/base/horizon.pp2
-rw-r--r--manifests/profile/base/ironic/conductor.pp8
-rw-r--r--manifests/profile/base/keystone.pp41
-rw-r--r--manifests/profile/base/logging/fluentd.pp160
-rw-r--r--manifests/profile/base/neutron/agents/bagpipe.pp37
-rw-r--r--manifests/profile/base/neutron/agents/l2gw.pp35
-rw-r--r--manifests/profile/base/neutron/bgpvpn.pp5
-rw-r--r--manifests/profile/base/neutron/l2gw.pp37
-rw-r--r--manifests/profile/base/neutron/opendaylight.pp30
-rw-r--r--manifests/profile/base/neutron/plugins/ml2/opendaylight.pp9
-rw-r--r--manifests/profile/base/neutron/plugins/ovs/opendaylight.pp14
-rw-r--r--manifests/profile/base/neutron/server.pp13
-rw-r--r--manifests/profile/base/neutron/sriov.pp2
-rw-r--r--manifests/profile/base/nova.pp87
-rw-r--r--manifests/profile/base/nova/api.pp13
-rw-r--r--manifests/profile/base/nova/compute.pp2
-rw-r--r--manifests/profile/base/nova/ec2api.pp1
-rw-r--r--manifests/profile/base/nova/placement.pp13
-rw-r--r--manifests/profile/base/pacemaker.pp25
-rw-r--r--manifests/profile/base/panko/api.pp13
-rw-r--r--manifests/profile/base/qdr.pp54
-rw-r--r--manifests/profile/base/rabbitmq.pp13
-rw-r--r--manifests/profile/base/securetty.pp48
-rw-r--r--manifests/profile/base/sshd.pp56
-rw-r--r--manifests/profile/base/swift/proxy.pp58
-rw-r--r--manifests/profile/base/swift/ringbuilder.pp36
-rw-r--r--manifests/profile/base/tuned.pp20
-rw-r--r--manifests/profile/pacemaker/database/mysql.pp5
-rw-r--r--manifests/ui.pp21
54 files changed, 881 insertions, 476 deletions
diff --git a/manifests/certmonger/rabbitmq.pp b/manifests/certmonger/rabbitmq.pp
index 344adef..4a47938 100644
--- a/manifests/certmonger/rabbitmq.pp
+++ b/manifests/certmonger/rabbitmq.pp
@@ -31,10 +31,6 @@
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
-# [*file_owner*]
-# (Optional) The user which the certificate and key files belong to.
-# Defaults to 'root'
-#
# [*principal*]
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 92edd71..7aca0e1 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -750,7 +750,7 @@ class tripleo::haproxy (
'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
# NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
- 'option' => 'forwardfor',
+ 'option' => [ 'forwardfor', 'httpchk' ],
'http-request' => [
'set-header X-Forwarded-Proto https if { ssl_fc }',
'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
@@ -762,7 +762,7 @@ class tripleo::haproxy (
}
$horizon_options = {
'cookie' => 'SERVERID insert indirect nocache',
- 'option' => 'forwardfor',
+ 'option' => [ 'forwardfor', 'httpchk' ],
}
}
@@ -821,12 +821,20 @@ class tripleo::haproxy (
},
}
+
+ $default_listen_options = {
+ 'option' => [ 'httpchk', ],
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
+ }
Tripleo::Haproxy::Endpoint {
haproxy_listen_bind_param => $haproxy_listen_bind_param,
member_options => $haproxy_member_options,
public_certificate => $service_certificate,
use_internal_certificates => $use_internal_certificates,
internal_certificates_specs => $internal_certificates_specs,
+ listen_options => $default_listen_options,
}
$stats_base = ['enable', 'uri /']
@@ -852,11 +860,7 @@ class tripleo::haproxy (
ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real),
server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
+ listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }),
public_ssl_port => $ports[keystone_admin_api_ssl_port],
service_network => $keystone_admin_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -864,11 +868,6 @@ class tripleo::haproxy (
}
if $keystone_public {
- $keystone_listen_opts = {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- }
if $service_certificate {
$keystone_public_tls_listen_opts = {
'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
@@ -877,7 +876,9 @@ class tripleo::haproxy (
'option' => 'forwardfor',
}
} else {
- $keystone_public_tls_listen_opts = {}
+ $keystone_public_tls_listen_opts = {
+ 'option' => [ 'httpchk GET /v3', ],
+ }
}
::tripleo::haproxy::endpoint { 'keystone_public':
public_virtual_ip => $public_virtual_ip,
@@ -886,7 +887,7 @@ class tripleo::haproxy (
ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real),
server_names => hiera('keystone_public_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => merge($keystone_listen_opts, $keystone_public_tls_listen_opts),
+ listen_options => merge($default_listen_options, $keystone_public_tls_listen_opts),
public_ssl_port => $ports[keystone_public_api_ssl_port],
service_network => $keystone_public_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -901,11 +902,6 @@ class tripleo::haproxy (
ip_addresses => hiera('neutron_api_node_ips', $controller_hosts_real),
server_names => hiera('neutron_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[neutron_api_ssl_port],
service_network => $neutron_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -920,11 +916,6 @@ class tripleo::haproxy (
ip_addresses => hiera('cinder_api_node_ips', $controller_hosts_real),
server_names => hiera('cinder_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[cinder_api_ssl_port],
service_network => $cinder_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -939,11 +930,6 @@ class tripleo::haproxy (
ip_addresses => hiera('congress_node_ips', $controller_hosts_real),
server_names => hiera('congress_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[congress_api_ssl_port],
service_network => $congress_network,
}
@@ -957,11 +943,6 @@ class tripleo::haproxy (
ip_addresses => hiera('manila_api_node_ips', $controller_hosts_real),
server_names => hiera('manila_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[manila_api_ssl_port],
service_network => $manila_network,
}
@@ -987,11 +968,6 @@ class tripleo::haproxy (
ip_addresses => hiera('tacker_node_ips', $controller_hosts_real),
server_names => hiera('tacker_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[tacker_api_ssl_port],
service_network => $tacker_network,
}
@@ -1018,11 +994,7 @@ class tripleo::haproxy (
server_names => hiera('glance_api_node_names', $controller_hosts_names_real),
public_ssl_port => $ports[glance_api_ssl_port],
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
+ listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /healthcheck', ]}),
service_network => $glance_api_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
}
@@ -1037,11 +1009,6 @@ class tripleo::haproxy (
ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real),
server_names => hiera('nova_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[nova_api_ssl_port],
service_network => $nova_osapi_network,
#member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -1057,11 +1024,6 @@ class tripleo::haproxy (
ip_addresses => hiera('nova_placement_node_ips', $controller_hosts_real),
server_names => hiera('nova_placement_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[nova_placement_ssl_port],
service_network => $nova_placement_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -1074,6 +1036,9 @@ class tripleo::haproxy (
service_port => $ports[nova_metadata_port],
ip_addresses => hiera('nova_metadata_node_ips', $controller_hosts_real),
server_names => hiera('nova_metadata_node_names', $controller_hosts_names_real),
+ listen_options => {
+ 'option' => [ 'httpchk', ],
+ },
service_network => $nova_metadata_network,
}
}
@@ -1085,10 +1050,11 @@ class tripleo::haproxy (
service_port => $ports[nova_novnc_port],
ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real),
server_names => hiera('nova_api_node_names', $controller_hosts_names_real),
- listen_options => {
+ listen_options => merge($default_listen_options, {
+ 'option' => [ 'tcpka' ],
'balance' => 'source',
'timeout' => [ 'tunnel 1h' ],
- },
+ }),
public_ssl_port => $ports[nova_novnc_ssl_port],
service_network => $nova_novncproxy_network,
}
@@ -1102,11 +1068,6 @@ class tripleo::haproxy (
ip_addresses => hiera('ec2_api_node_ips', $controller_hosts_real),
server_names => hiera('ec2_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[ec2_api_ssl_port],
service_network => $ec2_api_network,
}
@@ -1130,11 +1091,6 @@ class tripleo::haproxy (
ip_addresses => hiera('ceilometer_api_node_ips', $controller_hosts_real),
server_names => hiera('ceilometer_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[ceilometer_api_ssl_port],
service_network => $ceilometer_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -1149,11 +1105,6 @@ class tripleo::haproxy (
ip_addresses => hiera('aodh_api_node_ips', $controller_hosts_real),
server_names => hiera('aodh_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[aodh_api_ssl_port],
service_network => $aodh_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -1167,11 +1118,6 @@ class tripleo::haproxy (
service_port => $ports[panko_api_port],
ip_addresses => hiera('panko_api_node_ips', $controller_hosts_real),
server_names => hiera('panko_api_node_names', $controller_hosts_names_real),
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[panko_api_ssl_port],
service_network => $panko_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -1199,11 +1145,6 @@ class tripleo::haproxy (
ip_addresses => hiera('gnocchi_api_node_ips', $controller_hosts_real),
server_names => hiera('gnocchi_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[gnocchi_api_ssl_port],
service_network => $gnocchi_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -1224,6 +1165,7 @@ class tripleo::haproxy (
if $swift_proxy_server {
$swift_proxy_server_listen_options = {
+ 'option' => [ 'httpchk GET /healthcheck', ],
'timeout client' => '2m',
'timeout server' => '2m',
}
@@ -1236,22 +1178,19 @@ class tripleo::haproxy (
listen_options => $swift_proxy_server_listen_options,
public_ssl_port => $ports[swift_proxy_ssl_port],
service_network => $swift_proxy_server_network,
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
}
}
$heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip)
$heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real)
- $heat_base_options = {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }']}
if $service_certificate {
$heat_ssl_options = {
'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1",
}
- $heat_options = merge($heat_base_options, $heat_ssl_options)
+ $heat_options = merge($default_listen_options, $heat_ssl_options)
} else {
- $heat_options = $heat_base_options
+ $heat_options = $default_listen_options
}
if $heat_api {
@@ -1377,7 +1316,7 @@ class tripleo::haproxy (
server_names => hiera('mysql_node_names', $controller_hosts_names_real),
options => $mysql_member_options_real,
}
- if hiera('manage_firewall', true) {
+ if hiera('tripleo::firewall::manage_firewall', true) {
include ::tripleo::firewall
$mysql_firewall_rules = {
'100 mysql_haproxy' => {
@@ -1462,7 +1401,7 @@ class tripleo::haproxy (
server_names => hiera('redis_node_names', $controller_hosts_names_real),
options => $haproxy_member_options,
}
- if hiera('manage_firewall', true) {
+ if hiera('tripleo::firewall::manage_firewall', true) {
include ::tripleo::firewall
$redis_firewall_rules = {
'100 redis_haproxy' => {
@@ -1514,6 +1453,7 @@ class tripleo::haproxy (
server_names => hiera('ceph_rgw_node_names', $controller_hosts_names_real),
public_ssl_port => $ports[ceph_rgw_ssl_port],
service_network => $ceph_rgw_network,
+ listen_options => merge($default_listen_options, { 'option' => [ 'httpchk HEAD /' ] }),
}
}
@@ -1595,6 +1535,12 @@ class tripleo::haproxy (
server_names => $controller_hosts_names_real,
mode => 'http',
public_ssl_port => $ports[ui_ssl_port],
+ listen_options => {
+ # NOTE(dtrainor): in addition to the zaqar_ws endpoint, the HTTPS
+ # (443/tcp) endpoint that answers for the UI must also use a long-lived
+ # tunnel timeout for the same reasons mentioned above.
+ 'timeout' => ['tunnel 3600s'],
+ },
}
}
if $contrail_config {
diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp
index da2aba3..16e0bd1 100644
--- a/manifests/haproxy/endpoint.pp
+++ b/manifests/haproxy/endpoint.pp
@@ -147,7 +147,7 @@ define tripleo::haproxy::endpoint (
server_names => $server_names,
options => $member_options,
}
- if hiera('manage_firewall', true) {
+ if hiera('tripleo::firewall::manage_firewall', true) {
include ::tripleo::firewall
# This block will construct firewall rules only when we specify
# a port for the regular service and also the ssl port for the service.
diff --git a/manifests/keepalived.pp b/manifests/keepalived.pp
index a6d5832..aa0e5d6 100644
--- a/manifests/keepalived.pp
+++ b/manifests/keepalived.pp
@@ -59,6 +59,12 @@
# A string.
# Defaults to false
#
+# [*ovndbs_virtual_ip*]
+# Virtual IP on the OVNDBs service.
+# A string.
+# Defaults to false
+#
+
class tripleo::keepalived (
$controller_virtual_ip,
$control_virtual_interface,
@@ -68,6 +74,7 @@ class tripleo::keepalived (
$storage_virtual_ip = false,
$storage_mgmt_virtual_ip = false,
$redis_virtual_ip = false,
+ $ovndbs_virtual_ip = false,
) {
case $::osfamily {
@@ -178,4 +185,15 @@ class tripleo::keepalived (
priority => 101,
}
}
+ if $ovndbs_virtual_ip and $ovndbs_virtual_ip != $controller_virtual_ip {
+ $ovndbs_virtual_interface = interface_for_ip($ovndbs_virtual_ip)
+ # KEEPALIVE OVNDBS MANAGEMENT NETWORK
+ keepalived::instance { '57':
+ interface => $ovndbs_virtual_interface,
+ virtual_ips => [join([$ovndbs_virtual_ip, ' dev ', $ovndbs_virtual_interface])],
+ state => 'MASTER',
+ track_script => ['haproxy'],
+ priority => 101,
+ }
+ }
}
diff --git a/manifests/profile/base/aodh/api.pp b/manifests/profile/base/aodh/api.pp
index af4a5b3..22fc000 100644
--- a/manifests/profile/base/aodh/api.pp
+++ b/manifests/profile/base/aodh/api.pp
@@ -39,14 +39,6 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# HAProxy. This could be as many as specified by the $certificates_specs
-# variable.
-# Note that this doesn't configure the certificates in haproxy, it merely
-# creates the certificates.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@@ -57,17 +49,12 @@ class tripleo::profile::base::aodh::api (
$aodh_network = hiera('aodh_api_network', undef),
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
- $generate_service_certificates = hiera('generate_service_certificates', false),
$step = hiera('step'),
) {
include ::tripleo::profile::base::aodh
if $enable_internal_tls {
- if $generate_service_certificates {
- ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
- }
-
if !$aodh_network {
fail('aodh_api_network is not set in the hieradata.')
}
@@ -79,7 +66,7 @@ class tripleo::profile::base::aodh::api (
}
- if $step >= 4 {
+ if $step >= 3 {
include ::aodh::api
class { '::aodh::wsgi::apache':
ssl_cert => $tls_certfile,
diff --git a/manifests/profile/base/barbican/api.pp b/manifests/profile/base/barbican/api.pp
index 22984b1..71e4ea1 100644
--- a/manifests/profile/base/barbican/api.pp
+++ b/manifests/profile/base/barbican/api.pp
@@ -43,14 +43,6 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# HAProxy. This could be as many as specified by the $certificates_specs
-# variable.
-# Note that this doesn't configure the certificates in haproxy, it merely
-# creates the certificates.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@@ -105,7 +97,6 @@ class tripleo::profile::base::barbican::api (
$bootstrap_node = hiera('bootstrap_nodeid', undef),
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
- $generate_service_certificates = hiera('generate_service_certificates', false),
$step = hiera('step'),
$oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'),
$oslomsg_rpc_hosts = any2array(hiera('rabbitmq_node_names', undef)),
@@ -126,10 +117,6 @@ class tripleo::profile::base::barbican::api (
}
if $enable_internal_tls {
- if $generate_service_certificates {
- ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
- }
-
if !$barbican_network {
fail('barbican_api_network is not set in the hieradata.')
}
diff --git a/manifests/profile/base/ceilometer/api.pp b/manifests/profile/base/ceilometer/api.pp
index 6ef4748..28504c5 100644
--- a/manifests/profile/base/ceilometer/api.pp
+++ b/manifests/profile/base/ceilometer/api.pp
@@ -39,14 +39,6 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# HAProxy. This could be as many as specified by the $certificates_specs
-# variable.
-# Note that this doesn't configure the certificates in haproxy, it merely
-# creates the certificates.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@@ -56,16 +48,11 @@ class tripleo::profile::base::ceilometer::api (
$ceilometer_network = hiera('ceilometer_api_network', undef),
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
- $generate_service_certificates = hiera('generate_service_certificates', false),
$step = hiera('step'),
) {
include ::tripleo::profile::base::ceilometer
if $enable_internal_tls {
- if $generate_service_certificates {
- ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
- }
-
if !$ceilometer_network {
fail('ceilometer_api_network is not set in the hieradata.')
}
diff --git a/manifests/profile/base/ceilometer/collector.pp b/manifests/profile/base/ceilometer/collector.pp
index 20eab54..6b58286 100644
--- a/manifests/profile/base/ceilometer/collector.pp
+++ b/manifests/profile/base/ceilometer/collector.pp
@@ -85,4 +85,12 @@ class tripleo::profile::base::ceilometer::collector (
include ::ceilometer::dispatcher::gnocchi
}
+ # Re-run ceilometer-upgrade again in step 5 so gnocchi resource types
+ # are created safely.
+ if $step >= 5 and $sync_db {
+ exec {'ceilometer-db-upgrade':
+ command => 'ceilometer-upgrade --skip-metering-database',
+ path => ['/usr/bin', '/usr/sbin'],
+ }
+ }
}
diff --git a/manifests/profile/base/ceph/rgw.pp b/manifests/profile/base/ceph/rgw.pp
index 8443de0..d00f7cd 100644
--- a/manifests/profile/base/ceph/rgw.pp
+++ b/manifests/profile/base/ceph/rgw.pp
@@ -60,7 +60,7 @@ class tripleo::profile::base::ceph::rgw (
$rgw_name = hiera('ceph::profile::params::rgw_name', 'radosgw.gateway')
$civetweb_bind_ip_real = normalize_ip_for_uri($civetweb_bind_ip)
include ::ceph::params
- include ::ceph::profile::base
+ include ::ceph::profile::client
ceph::rgw { $rgw_name:
frontend_type => 'civetweb',
rgw_frontends => "civetweb port=${civetweb_bind_ip_real}:${civetweb_bind_port}",
diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp
new file mode 100644
index 0000000..586c7e4
--- /dev/null
+++ b/manifests/profile/base/certmonger_user.pp
@@ -0,0 +1,77 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == class: tripleo::profile::base::certmonger_user
+#
+# Profile that ensures that the relevant certmonger certificates have been
+# requested. The certificates come from the hiera set by the specific profiles
+# and come in a pre-defined format.
+# For a service that has several certificates (one per network name):
+# apache_certificates_specs:
+# httpd-internal_api:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "HTTP/<overcloud controller fqdn>"
+# For a service that uses a single certificate:
+# mysql_certificates_specs:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "mysql/<overcloud controller fqdn>"
+#
+# === Parameters
+#
+# [*apache_certificates_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*haproxy_certificates_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Defaults to hiera('tripleo::profile::base::haproxy::certificate_specs', {}).
+#
+# [*mysql_certificate_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Defaults to hiera('tripleo::profile::base::database::mysql::certificate_specs', {}).
+#
+# [*rabbitmq_certificate_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Defaults to hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}).
+#
+class tripleo::profile::base::certmonger_user (
+ $apache_certificates_specs = hiera('apache_certificates_specs', {}),
+ $haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
+ $mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
+ $rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}),
+) {
+ unless empty($apache_certificates_specs) {
+ ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs)
+ }
+ unless empty($haproxy_certificates_specs) {
+ ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs)
+ # The haproxy fronends (or listen resources) depend on the certificate
+ # existing and need to be refreshed if it changed.
+ Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>
+ }
+ unless empty($mysql_certificate_specs) {
+ ensure_resource('class', 'tripleo::certmonger::mysql', $mysql_certificate_specs)
+ }
+ unless empty($rabbitmq_certificate_specs) {
+ ensure_resource('class', 'tripleo::certmonger::rabbitmq', $rabbitmq_certificate_specs)
+ }
+}
diff --git a/manifests/profile/base/cinder/api.pp b/manifests/profile/base/cinder/api.pp
index 450a8e6..c432fd6 100644
--- a/manifests/profile/base/cinder/api.pp
+++ b/manifests/profile/base/cinder/api.pp
@@ -43,14 +43,6 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# HAProxy. This could be as many as specified by the $certificates_specs
-# variable.
-# Note that this doesn't configure the certificates in haproxy, it merely
-# creates the certificates.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@@ -61,7 +53,6 @@ class tripleo::profile::base::cinder::api (
$certificates_specs = hiera('apache_certificates_specs', {}),
$cinder_api_network = hiera('cinder_api_network', undef),
$enable_internal_tls = hiera('enable_internal_tls', false),
- $generate_service_certificates = hiera('generate_service_certificates', false),
$step = hiera('step'),
) {
if $::hostname == downcase($bootstrap_node) {
@@ -73,10 +64,6 @@ class tripleo::profile::base::cinder::api (
include ::tripleo::profile::base::cinder
if $enable_internal_tls {
- if $generate_service_certificates {
- ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
- }
-
if !$cinder_api_network {
fail('cinder_api_network is not set in the hieradata.')
}
diff --git a/manifests/profile/base/cinder/volume.pp b/manifests/profile/base/cinder/volume.pp
index 9fb1594..e1370a3 100644
--- a/manifests/profile/base/cinder/volume.pp
+++ b/manifests/profile/base/cinder/volume.pp
@@ -18,6 +18,10 @@
#
# === Parameters
#
+# [*cinder_enable_pure_backend*]
+# (Optional) Whether to enable the pure backend
+# Defaults to true
+#
# [*cinder_enable_dellsc_backend*]
# (Optional) Whether to enable the delsc backend
# Defaults to true
@@ -60,6 +64,7 @@
# Defaults to hiera('step')
#
class tripleo::profile::base::cinder::volume (
+ $cinder_enable_pure_backend = false,
$cinder_enable_dellsc_backend = false,
$cinder_enable_hpelefthand_backend = false,
$cinder_enable_dellps_backend = false,
@@ -76,6 +81,13 @@ class tripleo::profile::base::cinder::volume (
if $step >= 4 {
include ::cinder::volume
+ if $cinder_enable_pure_backend {
+ include ::tripleo::profile::base::cinder::volume::pure
+ $cinder_pure_backend_name = hiera('cinder::backend::pure::volume_backend_name', 'tripleo_pure')
+ } else {
+ $cinder_pure_backend_name = undef
+ }
+
if $cinder_enable_dellsc_backend {
include ::tripleo::profile::base::cinder::volume::dellsc
$cinder_dellsc_backend_name = hiera('cinder::backend::dellsc_iscsi::volume_backend_name', 'tripleo_dellsc')
@@ -134,6 +146,7 @@ class tripleo::profile::base::cinder::volume (
$backends = delete_undef_values([$cinder_iscsi_backend_name,
$cinder_rbd_backend_name,
+ $cinder_pure_backend_name,
$cinder_dellps_backend_name,
$cinder_dellsc_backend_name,
$cinder_hpelefthand_backend_name,
diff --git a/manifests/profile/base/cinder/volume/dellps.pp b/manifests/profile/base/cinder/volume/dellps.pp
index 1338240..e825b61 100644
--- a/manifests/profile/base/cinder/volume/dellps.pp
+++ b/manifests/profile/base/cinder/volume/dellps.pp
@@ -41,9 +41,9 @@ class tripleo::profile::base::cinder::volume::dellps (
san_thin_provision => hiera('cinder::backend::eqlx::san_thin_provision', undef),
eqlx_group_name => hiera('cinder::backend::eqlx::eqlx_group_name', undef),
eqlx_pool => hiera('cinder::backend::eqlx::eqlx_pool', undef),
- eqlx_use_chap => hiera('cinder::backend::eqlx::eqlx_use_chap', undef),
- eqlx_chap_login => hiera('cinder::backend::eqlx::eqlx_chap_login', undef),
- eqlx_chap_password => hiera('cinder::backend::eqlx::eqlx_chap_password', undef),
+ use_chap_auth => hiera('cinder::backend::eqlx::eqlx_use_chap', undef),
+ chap_username => hiera('cinder::backend::eqlx::eqlx_chap_login', undef),
+ chap_password => hiera('cinder::backend::eqlx::eqlx_chap_password', undef),
}
}
diff --git a/manifests/profile/base/cinder/volume/pure.pp b/manifests/profile/base/cinder/volume/pure.pp
new file mode 100644
index 0000000..e524919
--- /dev/null
+++ b/manifests/profile/base/cinder/volume/pure.pp
@@ -0,0 +1,65 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::cinder::volume::pure
+#
+# Cinder Volume pure profile for tripleo
+#
+# === Parameters
+#
+# [*san_ip*]
+# (required) IP address of PureStorage management VIP.
+#
+# [*pure_api_token*]
+# (required) API token for management of PureStorage array.
+#
+# [*backend_name*]
+# (Optional) Name given to the Cinder backend stanza
+# Defaults to 'tripleo_pure'
+#
+# [*pure_storage_protocol*]
+# (optional) Must be either 'iSCSI' or 'FC'. This will determine
+# which Volume Driver will be configured; PureISCSIDriver or PureFCDriver.
+# Defaults to 'iSCSI'
+#
+# [*use_multipath_for_image_xfer*]
+# (optional) .
+# Defaults to True
+#
+# [*use_chap_auth*]
+# (optional) Only affects the PureISCSIDriver.
+# Defaults to False
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+class tripleo::profile::base::cinder::volume::pure (
+ $backend_name = hiera('cinder::backend::pure::volume_backend_name', 'tripleo_pure'),
+ $step = hiera('step'),
+) {
+ include ::tripleo::profile::base::cinder::volume
+
+ if $step >= 4 {
+ cinder::backend::pure { $backend_name :
+ san_ip => hiera('cinder::backend::pure::san_ip', undef),
+ pure_api_token => hiera('cinder::backend::pure::pure_api_token', undef),
+ pure_storage_protocol => hiera('cinder::backend::pure::pure_storage_protocol', undef),
+ use_chap_auth => hiera('cinder::backend::pure::use_chap_auth', undef),
+ use_multipath_for_image_xfer => hiera('cinder::backend::pure::use_multipath_for_image_xfer', undef),
+ }
+ }
+
+}
diff --git a/manifests/profile/base/database/mongodb.pp b/manifests/profile/base/database/mongodb.pp
index 8967f5b..4740d67 100644
--- a/manifests/profile/base/database/mongodb.pp
+++ b/manifests/profile/base/database/mongodb.pp
@@ -30,10 +30,15 @@
# for more details.
# Defaults to hiera('step')
#
+# [*memory_limit*]
+# (Optional) Limit amount of memory mongodb can use
+# Defaults to 20G
+#
class tripleo::profile::base::database::mongodb (
$mongodb_replset,
$bootstrap_node = downcase(hiera('bootstrap_nodeid')),
$step = hiera('step'),
+ $memory_limit = '20G',
) {
if $step >= 2 {
@@ -56,5 +61,11 @@ class tripleo::profile::base::database::mongodb (
}
}
+ # Limit memory utilization
+ ::systemd::service_limits { 'mongod.service':
+ limits => {
+ 'MemoryLimit' => $memory_limit
+ }
+ }
}
}
diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp
index 80b07d4..b4ac8ac 100644
--- a/manifests/profile/base/database/mysql.pp
+++ b/manifests/profile/base/database/mysql.pp
@@ -47,12 +47,6 @@
# limit for the mysql service.
# Defaults to false
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# MySQL. This could be as many as specified by the $certificates_specs
-# variable.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*manage_resources*]
# (Optional) Whether or not manage root user, root my.cnf, and service.
# Defaults to true
@@ -82,7 +76,6 @@ class tripleo::profile::base::database::mysql (
$certificate_specs = {},
$enable_internal_tls = hiera('enable_internal_tls', false),
$generate_dropin_file_limit = false,
- $generate_service_certificates = hiera('generate_service_certificates', false),
$manage_resources = true,
$mysql_server_options = {},
$mysql_max_connections = hiera('mysql_max_connections', undef),
@@ -100,9 +93,6 @@ class tripleo::profile::base::database::mysql (
validate_hash($certificate_specs)
if $enable_internal_tls {
- if $generate_service_certificates {
- ensure_resource('class', 'tripleo::certmonger::mysql', $certificate_specs)
- }
$tls_certfile = $certificate_specs['service_certificate']
$tls_keyfile = $certificate_specs['service_key']
} else {
diff --git a/manifests/profile/base/database/mysql/client.pp b/manifests/profile/base/database/mysql/client.pp
index 22384a9..014ef35 100644
--- a/manifests/profile/base/database/mysql/client.pp
+++ b/manifests/profile/base/database/mysql/client.pp
@@ -82,6 +82,7 @@ class tripleo::profile::base::database::mysql::client (
# Create /etc/my.cnf.d/tripleo.cnf
exec { 'directory-create-etc-my.cnf.d':
command => 'mkdir -p /etc/my.cnf.d',
+ unless => 'test -d /etc/my.cnf.d',
path => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'],
} ->
augeas { 'tripleo-mysql-client-conf':
diff --git a/manifests/profile/base/docker_registry.pp b/manifests/profile/base/docker_registry.pp
index 0452575..2f1783d 100644
--- a/manifests/profile/base/docker_registry.pp
+++ b/manifests/profile/base/docker_registry.pp
@@ -43,6 +43,7 @@ class tripleo::profile::base::docker_registry (
}
package{'docker-distribution': }
package{'docker': }
+ package{'openstack-kolla': }
file { '/etc/docker-distribution/registry/config.yml' :
ensure => file,
content => template('tripleo/docker_distribution/registry_config.yml.erb'),
diff --git a/manifests/profile/base/etcd.pp b/manifests/profile/base/etcd.pp
index 505e29f..fc4771f 100644
--- a/manifests/profile/base/etcd.pp
+++ b/manifests/profile/base/etcd.pp
@@ -47,19 +47,12 @@ class tripleo::profile::base::etcd (
$step = hiera('step'),
) {
if $step >= 1 {
- if count($nodes) > 1 {
- $cluster_enabled = true
- } else {
- $cluster_enabled = false
- }
-
class {'::etcd':
listen_client_urls => "http://${bind_ip}:${client_port}",
advertise_client_urls => "http://${bind_ip}:${client_port}",
listen_peer_urls => "http://${bind_ip}:${peer_port}",
initial_advertise_peer_urls => "http://${bind_ip}:${peer_port}",
initial_cluster => regsubst($nodes, '.+', "\\0=http://\\0:${peer_port}"),
- cluster_enabled => $cluster_enabled,
proxy => 'off',
}
}
diff --git a/manifests/profile/base/glance/api.pp b/manifests/profile/base/glance/api.pp
index e5807f6..8ed7fb7 100644
--- a/manifests/profile/base/glance/api.pp
+++ b/manifests/profile/base/glance/api.pp
@@ -38,14 +38,6 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# HAProxy. This could be as many as specified by the $certificates_specs
-# variable.
-# Note that this doesn't configure the certificates in haproxy, it merely
-# creates the certificates.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*glance_backend*]
# (Optional) Glance backend(s) to use.
# Defaults to downcase(hiera('glance_backend', 'swift'))
@@ -91,7 +83,6 @@ class tripleo::profile::base::glance::api (
$bootstrap_node = hiera('bootstrap_nodeid', undef),
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
- $generate_service_certificates = hiera('generate_service_certificates', false),
$glance_backend = downcase(hiera('glance_backend', 'swift')),
$glance_network = hiera('glance_api_network', undef),
$glance_nfs_enabled = false,
@@ -102,10 +93,6 @@ class tripleo::profile::base::glance::api (
$tls_proxy_fqdn = undef,
$tls_proxy_port = 9292,
) {
- if $enable_internal_tls and $generate_service_certificates {
- ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
- }
-
if $::hostname == downcase($bootstrap_node) {
$sync_db = true
} else {
diff --git a/manifests/profile/base/gnocchi/api.pp b/manifests/profile/base/gnocchi/api.pp
index 2fde1fc..79ee265 100644
--- a/manifests/profile/base/gnocchi/api.pp
+++ b/manifests/profile/base/gnocchi/api.pp
@@ -38,14 +38,6 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# HAProxy. This could be as many as specified by the $certificates_specs
-# variable.
-# Note that this doesn't configure the certificates in haproxy, it merely
-# creates the certificates.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*gnocchi_backend*]
# (Optional) Gnocchi backend string file, swift or rbd
# Defaults to swift
@@ -64,7 +56,6 @@ class tripleo::profile::base::gnocchi::api (
$bootstrap_node = hiera('bootstrap_nodeid', undef),
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
- $generate_service_certificates = hiera('generate_service_certificates', false),
$gnocchi_backend = downcase(hiera('gnocchi_backend', 'swift')),
$gnocchi_network = hiera('gnocchi_api_network', undef),
$step = hiera('step'),
@@ -78,10 +69,6 @@ class tripleo::profile::base::gnocchi::api (
include ::tripleo::profile::base::gnocchi
if $enable_internal_tls {
- if $generate_service_certificates {
- ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
- }
-
if !$gnocchi_network {
fail('gnocchi_api_network is not set in the hieradata.')
}
@@ -113,4 +100,13 @@ class tripleo::profile::base::gnocchi::api (
default: { fail('Unrecognized gnocchi_backend parameter.') }
}
}
+
+ # Re-run gnochci upgrade with storage as swift/ceph should be up at this
+ # stage.
+ if $step >= 5 and $sync_db {
+ exec {'run gnocchi upgrade with storage':
+ command => 'gnocchi-upgrade --config-file=/etc/gnocchi/gnocchi.conf',
+ path => ['/usr/bin', '/usr/sbin'],
+ }
+ }
}
diff --git a/manifests/profile/base/haproxy.pp b/manifests/profile/base/haproxy.pp
index 8568b28..9a03487 100644
--- a/manifests/profile/base/haproxy.pp
+++ b/manifests/profile/base/haproxy.pp
@@ -36,14 +36,6 @@
# (Optional) Whether or not loadbalancer is enabled.
# Defaults to hiera('enable_load_balancer', true).
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# HAProxy. This could be as many as specified by the $certificates_specs
-# variable.
-# Note that this doesn't configure the certificates in haproxy, it merely
-# creates the certificates.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@@ -52,18 +44,10 @@
class tripleo::profile::base::haproxy (
$certificates_specs = {},
$enable_load_balancer = hiera('enable_load_balancer', true),
- $generate_service_certificates = hiera('generate_service_certificates', false),
$step = hiera('step'),
) {
if $step >= 1 {
if $enable_load_balancer {
- if str2bool($generate_service_certificates) {
- ensure_resources('tripleo::certmonger::haproxy', $certificates_specs)
- # The haproxy fronends (or listen resources) depend on the certificate
- # existing and need to be refreshed if it changed.
- Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>
- }
-
class {'::tripleo::haproxy':
internal_certificates_specs => $certificates_specs,
}
diff --git a/manifests/profile/base/heat/api.pp b/manifests/profile/base/heat/api.pp
index 9ffba9c..8e2da7e 100644
--- a/manifests/profile/base/heat/api.pp
+++ b/manifests/profile/base/heat/api.pp
@@ -34,14 +34,6 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# HAProxy. This could be as many as specified by the $certificates_specs
-# variable.
-# Note that this doesn't configure the certificates in haproxy, it merely
-# creates the certificates.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*heat_api_network*]
# (Optional) The network name where the heat API endpoint is listening on.
# This is set by t-h-t.
@@ -55,17 +47,12 @@
class tripleo::profile::base::heat::api (
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
- $generate_service_certificates = hiera('generate_service_certificates', false),
$heat_api_network = hiera('heat_api_network', undef),
$step = hiera('step'),
) {
include ::tripleo::profile::base::heat
if $enable_internal_tls {
- if $generate_service_certificates {
- ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
- }
-
if !$heat_api_network {
fail('heat_api_network is not set in the hieradata.')
}
@@ -76,7 +63,7 @@ class tripleo::profile::base::heat::api (
$tls_keyfile = undef
}
- if $step >= 4 {
+ if $step >= 3 {
include ::heat::api
class { '::heat::wsgi::apache_api':
ssl_cert => $tls_certfile,
diff --git a/manifests/profile/base/heat/api_cfn.pp b/manifests/profile/base/heat/api_cfn.pp
index 987d3b2..02eb82a 100644
--- a/manifests/profile/base/heat/api_cfn.pp
+++ b/manifests/profile/base/heat/api_cfn.pp
@@ -34,14 +34,6 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# HAProxy. This could be as many as specified by the $certificates_specs
-# variable.
-# Note that this doesn't configure the certificates in haproxy, it merely
-# creates the certificates.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*heat_api_cfn_network*]
# (Optional) The network name where the heat cfn endpoint is listening on.
# This is set by t-h-t.
@@ -55,17 +47,12 @@
class tripleo::profile::base::heat::api_cfn (
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
- $generate_service_certificates = hiera('generate_service_certificates', false),
$heat_api_cfn_network = hiera('heat_api_cfn_network', undef),
$step = hiera('step'),
) {
include ::tripleo::profile::base::heat
if $enable_internal_tls {
- if $generate_service_certificates {
- ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
- }
-
if !$heat_api_cfn_network {
fail('heat_api_cfn_network is not set in the hieradata.')
}
@@ -76,7 +63,7 @@ class tripleo::profile::base::heat::api_cfn (
$tls_keyfile = undef
}
- if $step >= 4 {
+ if $step >= 3 {
include ::heat::api_cfn
class { '::heat::wsgi::apache_api_cfn':
diff --git a/manifests/profile/base/heat/api_cloudwatch.pp b/manifests/profile/base/heat/api_cloudwatch.pp
index 4dd2607..558d247 100644
--- a/manifests/profile/base/heat/api_cloudwatch.pp
+++ b/manifests/profile/base/heat/api_cloudwatch.pp
@@ -34,14 +34,6 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# HAProxy. This could be as many as specified by the $certificates_specs
-# variable.
-# Note that this doesn't configure the certificates in haproxy, it merely
-# creates the certificates.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*heat_api_cloudwatch_network*]
# (Optional) The network name where the heat cloudwatch endpoint is listening
# on. This is set by t-h-t.
@@ -55,17 +47,12 @@
class tripleo::profile::base::heat::api_cloudwatch (
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
- $generate_service_certificates = hiera('generate_service_certificates', false),
$heat_api_cloudwatch_network = hiera('heat_api_cloudwatch_network', undef),
$step = hiera('step'),
) {
include ::tripleo::profile::base::heat
if $enable_internal_tls {
- if $generate_service_certificates {
- ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
- }
-
if !$heat_api_cloudwatch_network {
fail('heat_api_cloudwatch_network is not set in the hieradata.')
}
@@ -76,7 +63,7 @@ class tripleo::profile::base::heat::api_cloudwatch (
$tls_keyfile = undef
}
- if $step >= 4 {
+ if $step >= 3 {
include ::heat::api_cloudwatch
class { '::heat::wsgi::apache_api_cloudwatch':
diff --git a/manifests/profile/base/horizon.pp b/manifests/profile/base/horizon.pp
index 278c25c..10eaaa6 100644
--- a/manifests/profile/base/horizon.pp
+++ b/manifests/profile/base/horizon.pp
@@ -31,7 +31,7 @@ class tripleo::profile::base::horizon (
$step = hiera('step'),
$neutron_options = hiera('horizon::neutron_options', {}),
) {
- if $step >= 4 {
+ if $step >= 3 {
# Horizon
include ::apache::mod::remoteip
include ::apache::mod::status
diff --git a/manifests/profile/base/ironic/conductor.pp b/manifests/profile/base/ironic/conductor.pp
index 4824648..cb0524b 100644
--- a/manifests/profile/base/ironic/conductor.pp
+++ b/manifests/profile/base/ironic/conductor.pp
@@ -34,6 +34,7 @@ class tripleo::profile::base::ironic::conductor (
if $step >= 4 {
include ::ironic::conductor
+ include ::ironic::drivers::interfaces
include ::ironic::drivers::pxe
if $manage_pxe {
include ::ironic::pxe
@@ -44,5 +45,12 @@ class tripleo::profile::base::ironic::conductor (
include ::ironic::drivers::ilo
include ::ironic::drivers::ipmi
include ::ironic::drivers::ssh
+
+ # Configure access to other services
+ include ::ironic::drivers::inspector
+ include ::ironic::glance
+ include ::ironic::neutron
+ include ::ironic::service_catalog
+ include ::ironic::swift
}
}
diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index 9b2fc51..134e751 100644
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@@ -43,14 +43,6 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# HAProxy. This could be as many as specified by the $certificates_specs
-# variable.
-# Note that this doesn't configure the certificates in haproxy, it merely
-# creates the certificates.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*heat_admin_domain*]
# domain name for heat admin
# Defaults to undef
@@ -67,6 +59,15 @@
# heat admin user name
# Defaults to undef
#
+# [*ldap_backends_config*]
+# Configuration for keystone::ldap_backend. This takes a hash that will
+# create each backend specified.
+# Defaults to undef
+#
+# [*ldap_backend_enable*]
+# Enables creating per-domain LDAP backends for keystone.
+# Default to false
+#
# [*manage_db_purge*]
# (Optional) Whether keystone token flushing should be enabled
# Defaults to hiera('keystone_enable_db_purge', true)
@@ -130,11 +131,12 @@ class tripleo::profile::base::keystone (
$bootstrap_node = hiera('bootstrap_nodeid', undef),
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
- $generate_service_certificates = hiera('generate_service_certificates', false),
$heat_admin_domain = undef,
$heat_admin_email = undef,
$heat_admin_password = undef,
$heat_admin_user = undef,
+ $ldap_backends_config = undef,
+ $ldap_backend_enable = false,
$manage_db_purge = hiera('keystone_enable_db_purge', true),
$public_endpoint_network = hiera('keystone_public_api_network', undef),
$oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'),
@@ -163,10 +165,6 @@ class tripleo::profile::base::keystone (
}
if $enable_internal_tls {
- if $generate_service_certificates {
- ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
- }
-
if !$public_endpoint_network {
fail('keystone_public_api_network is not set in the hieradata.')
}
@@ -208,6 +206,10 @@ class tripleo::profile::base::keystone (
}),
}
+ if 'amqp' in [$oslomsg_rpc_proto, $oslomsg_notify_proto]{
+ include ::keystone::messaging::amqp
+ }
+
include ::keystone::config
class { '::keystone::wsgi::apache':
ssl_cert => $tls_certfile,
@@ -216,6 +218,11 @@ class tripleo::profile::base::keystone (
ssl_key_admin => $tls_keyfile_admin,
}
include ::keystone::cors
+
+ if $ldap_backend_enable {
+ validate_hash($ldap_backends_config)
+ create_resources('::keystone::ldap_backend', $ldap_backends_config)
+ }
}
if $step >= 4 and $manage_db_purge {
@@ -255,7 +262,10 @@ class tripleo::profile::base::keystone (
if hiera('barbican_api_enabled', false) {
include ::barbican::keystone::auth
}
- if hiera('ceilometer_api_enabled', false) {
+ # ceilometer user is needed even when ceilometer api
+ # not running, so it can authenticate with keystone
+ # and dispatch data.
+ if hiera('ceilometer_auth_enabled', false) {
include ::ceilometer::keystone::auth
}
if hiera('ceph_rgw_enabled', false) {
@@ -300,6 +310,9 @@ class tripleo::profile::base::keystone (
if hiera('nova_placement_enabled', false) {
include ::nova::keystone::auth_placement
}
+ if hiera('octavia_api_enabled', false) {
+ include ::octavia::keystone::auth
+ }
if hiera('panko_api_enabled', false) {
include ::panko::keystone::auth
}
diff --git a/manifests/profile/base/logging/fluentd.pp b/manifests/profile/base/logging/fluentd.pp
index 9e1aa8d..fc996e9 100644
--- a/manifests/profile/base/logging/fluentd.pp
+++ b/manifests/profile/base/logging/fluentd.pp
@@ -71,105 +71,109 @@ class tripleo::profile::base::logging::fluentd (
$fluentd_listen_syslog = true,
$fluentd_syslog_port = 42185
) {
- include ::fluentd
- if $fluentd_groups {
- user { $::fluentd::config_owner:
- ensure => present,
- groups => $fluentd_groups,
- membership => 'minimum',
+ if $step >= 4 {
+ include ::fluentd
+
+ if $fluentd_groups {
+ Package<| tag == 'openstack' |> ->
+ user { $::fluentd::config_owner:
+ ensure => present,
+ groups => $fluentd_groups,
+ membership => 'minimum',
+ }
}
- }
- if $fluentd_pos_file_path {
- file { $fluentd_pos_file_path:
- ensure => 'directory',
- owner => $::fluentd::config_owner,
- group => $::fluentd::config_group,
- mode => '0750',
+ if $fluentd_pos_file_path {
+ file { $fluentd_pos_file_path:
+ ensure => 'directory',
+ owner => $::fluentd::config_owner,
+ group => $::fluentd::config_group,
+ mode => '0750',
+ }
}
- }
- ::fluentd::plugin { 'rubygem-fluent-plugin-add':
- plugin_provider => 'yum',
- }
+ ::fluentd::plugin { 'rubygem-fluent-plugin-add':
+ plugin_provider => 'yum',
+ }
- if $fluentd_sources {
- ::fluentd::config { '100-openstack-sources.conf':
- config => {
- 'source' => $fluentd_sources,
+ if $fluentd_sources {
+ ::fluentd::config { '100-openstack-sources.conf':
+ config => {
+ 'source' => $fluentd_sources,
+ }
}
}
- }
- if $fluentd_listen_syslog {
- # fluentd will receive syslog messages by listening on a local udp
- # socket.
- ::fluentd::config { '110-system-sources.conf':
- config => {
- 'source' => {
- 'type' => 'syslog',
- 'tag' => 'system.messages',
- 'port' => $fluentd_syslog_port,
+ if $fluentd_listen_syslog {
+ # fluentd will receive syslog messages by listening on a local udp
+ # socket.
+ ::fluentd::config { '110-system-sources.conf':
+ config => {
+ 'source' => {
+ 'type' => 'syslog',
+ 'tag' => 'system.messages',
+ 'port' => $fluentd_syslog_port,
+ }
}
}
- }
- file { '/etc/rsyslog.d/fluentd.conf':
- content => "*.* @127.0.0.1:${fluentd_syslog_port}",
- owner => 'root',
- group => 'root',
- mode => '0644',
- } ~> exec { 'reload rsyslog':
- command => '/bin/systemctl restart rsyslog',
+ file { '/etc/rsyslog.d/fluentd.conf':
+ content => "*.* @127.0.0.1:${fluentd_syslog_port}",
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ } ~> exec { 'reload rsyslog':
+ command => '/bin/systemctl restart rsyslog',
+ }
}
- }
- if $fluentd_filters {
- ::fluentd::config { '200-openstack-filters.conf':
- config => {
- 'filter' => $fluentd_filters,
+ if $fluentd_filters {
+ ::fluentd::config { '200-openstack-filters.conf':
+ config => {
+ 'filter' => $fluentd_filters,
+ }
}
}
- }
- if $fluentd_servers and !empty($fluentd_servers) {
- if $fluentd_use_ssl {
- ::fluentd::plugin { 'rubygem-fluent-plugin-secure-forward':
- plugin_provider => 'yum',
- }
+ if $fluentd_servers and !empty($fluentd_servers) {
+ if $fluentd_use_ssl {
+ ::fluentd::plugin { 'rubygem-fluent-plugin-secure-forward':
+ plugin_provider => 'yum',
+ }
- file {'/etc/fluentd/ca_cert.pem':
- content => $fluentd_ssl_certificate,
- owner => $::fluentd::config_owner,
- group => $::fluentd::config_group,
- mode => '0444',
- }
+ file {'/etc/fluentd/ca_cert.pem':
+ content => $fluentd_ssl_certificate,
+ owner => $::fluentd::config_owner,
+ group => $::fluentd::config_group,
+ mode => '0444',
+ }
- ::fluentd::config { '300-openstack-matches.conf':
- config => {
- 'match' => {
- # lint:ignore:single_quote_string_with_variables
- # lint:ignore:quoted_booleans
- 'type' => 'secure_forward',
- 'tag_pattern' => '**',
- 'self_hostname' => '${hostname}',
- 'secure' => 'true',
- 'ca_cert_path' => '/etc/fluentd/ca_cert.pem',
- 'shared_key' => $fluentd_shared_key,
- 'server' => $fluentd_servers,
- # lint:endignore
- # lint:endignore
+ ::fluentd::config { '300-openstack-matches.conf':
+ config => {
+ 'match' => {
+ # lint:ignore:single_quote_string_with_variables
+ # lint:ignore:quoted_booleans
+ 'type' => 'secure_forward',
+ 'tag_pattern' => '**',
+ 'self_hostname' => '${hostname}',
+ 'secure' => 'true',
+ 'ca_cert_path' => '/etc/fluentd/ca_cert.pem',
+ 'shared_key' => $fluentd_shared_key,
+ 'server' => $fluentd_servers,
+ # lint:endignore
+ # lint:endignore
+ }
}
}
- }
- } else {
- ::fluentd::config { '300-openstack-matches.conf':
- config => {
- 'match' => {
- 'type' => 'forward',
- 'tag_pattern' => '**',
- 'server' => $fluentd_servers,
+ } else {
+ ::fluentd::config { '300-openstack-matches.conf':
+ config => {
+ 'match' => {
+ 'type' => 'forward',
+ 'tag_pattern' => '**',
+ 'server' => $fluentd_servers,
+ }
}
}
}
diff --git a/manifests/profile/base/neutron/agents/bagpipe.pp b/manifests/profile/base/neutron/agents/bagpipe.pp
new file mode 100644
index 0000000..fb5e000
--- /dev/null
+++ b/manifests/profile/base/neutron/agents/bagpipe.pp
@@ -0,0 +1,37 @@
+#
+# Copyright (C) 2017 Red Hat Inc.
+#
+# Author: Ricardo Noriega <rnoriega@redhat.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::neutron::agents::bagpipe
+#
+# Neutron Bagpipe Agent profile for TripleO
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+class tripleo::profile::base::neutron::agents::bagpipe (
+ $step = hiera('step'),
+) {
+ include ::tripleo::profile::base::neutron
+
+ if $step >= 4 {
+ include ::neutron::agents::bagpipe
+ }
+}
diff --git a/manifests/profile/base/neutron/agents/l2gw.pp b/manifests/profile/base/neutron/agents/l2gw.pp
new file mode 100644
index 0000000..10cd662
--- /dev/null
+++ b/manifests/profile/base/neutron/agents/l2gw.pp
@@ -0,0 +1,35 @@
+#
+# Copyright (C) 2017 Red Hat Inc.
+#
+# Author: Peng Liu <pliu@redhat.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::neutron::agent::l2gw
+#
+# Neutron L2 Gateway agent profile for TripleO
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+class tripleo::profile::base::neutron::agents::l2gw (
+ $step = hiera('step'),
+) {
+ if $step >= 4 {
+ include ::neutron::agents::l2gw
+ }
+}
diff --git a/manifests/profile/base/neutron/bgpvpn.pp b/manifests/profile/base/neutron/bgpvpn.pp
index 9fa1d14..d6fdf4e 100644
--- a/manifests/profile/base/neutron/bgpvpn.pp
+++ b/manifests/profile/base/neutron/bgpvpn.pp
@@ -27,10 +27,11 @@
# Defaults to hiera('step')
#
class tripleo::profile::base::neutron::bgpvpn (
- $step = hiera('step'),
+ $step = hiera('step'),
) {
+ include ::tripleo::profile::base::neutron
+
if $step >= 4 {
- include ::tripleo::profile::base::neutron
include ::neutron::services::bgpvpn
}
}
diff --git a/manifests/profile/base/neutron/l2gw.pp b/manifests/profile/base/neutron/l2gw.pp
new file mode 100644
index 0000000..da71108
--- /dev/null
+++ b/manifests/profile/base/neutron/l2gw.pp
@@ -0,0 +1,37 @@
+#
+# Copyright (C) 2017 Red Hat Inc.
+#
+# Author: Peng Liu <pliu@redhat.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::neutron::l2gw
+#
+# Neutron L2 Gateway Service plugin profile for TripleO
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+class tripleo::profile::base::neutron::l2gw (
+ $step = hiera('step'),
+) {
+ include ::tripleo::profile::base::neutron
+
+ if $step >= 4 {
+ include ::neutron::services::l2gw
+ }
+}
diff --git a/manifests/profile/base/neutron/opendaylight.pp b/manifests/profile/base/neutron/opendaylight.pp
index 556fe63..b5e6d11 100644
--- a/manifests/profile/base/neutron/opendaylight.pp
+++ b/manifests/profile/base/neutron/opendaylight.pp
@@ -22,19 +22,35 @@
# (Optional) The current step of the deployment
# Defaults to hiera('step')
#
-# [*primary_node*]
-# (Optional) The hostname of the first node of this role type
-# Defaults to hiera('bootstrap_nodeid', undef)
+# [*odl_api_ips*]
+# (Optional) List of OpenStack Controller IPs for ODL API
+# Defaults to hiera('opendaylight_api_node_ips')
+#
+# [*node_name*]
+# (Optional) The short hostname of node
+# Defaults to hiera('bootstack_nodeid')
#
class tripleo::profile::base::neutron::opendaylight (
$step = hiera('step'),
- $primary_node = hiera('bootstrap_nodeid', undef),
+ $odl_api_ips = hiera('opendaylight_api_node_ips'),
+ $node_name = hiera('bootstack_nodeid')
) {
if $step >= 1 {
- # Configure ODL only on first node of the role where this service is
- # applied
- if $primary_node == downcase($::hostname) {
+ validate_array($odl_api_ips)
+ if empty($odl_api_ips) {
+ fail('No IPs assigned to OpenDaylight Api Service')
+ } elsif size($odl_api_ips) == 2 {
+ fail('2 node OpenDaylight deployments are unsupported. Use 1 or greater than 2')
+ } elsif size($odl_api_ips) > 2 {
+ $node_string = split($node_name, '-')
+ $ha_node_index = $node_string[-1] + 1
+ class { '::opendaylight':
+ enable_ha => true,
+ ha_node_ips => $odl_api_ips,
+ ha_node_index => $ha_node_index,
+ }
+ } else {
include ::opendaylight
}
}
diff --git a/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp b/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp
index c120931..2618d4f 100644
--- a/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp
+++ b/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp
@@ -30,6 +30,10 @@
# (Optional) Password to configure for OpenDaylight
# Defaults to 'admin'
#
+# [*odl_url_ip*]
+# (Optional) Virtual IP address for ODL Api Service
+# Defaults to hiera('opendaylight_api_vip')
+#
# [*conn_proto*]
# (Optional) Protocol to use to for ODL REST access
# Defaults to hiera('opendaylight::nb_connection_protocol')
@@ -43,14 +47,13 @@ class tripleo::profile::base::neutron::plugins::ml2::opendaylight (
$odl_port = hiera('opendaylight::odl_rest_port'),
$odl_username = hiera('opendaylight::username'),
$odl_password = hiera('opendaylight::password'),
+ $odl_url_ip = hiera('opendaylight_api_vip'),
$conn_proto = hiera('opendaylight::nb_connection_protocol'),
$step = hiera('step'),
) {
if $step >= 4 {
- $odl_url_ip = hiera('opendaylight_api_vip')
-
- if ! $odl_url_ip { fail('OpenDaylight Controller IP/VIP is Empty') }
+ if ! $odl_url_ip { fail('OpenDaylight API VIP is Empty') }
class { '::neutron::plugins::ml2::opendaylight':
odl_username => $odl_username,
diff --git a/manifests/profile/base/neutron/plugins/ovs/opendaylight.pp b/manifests/profile/base/neutron/plugins/ovs/opendaylight.pp
index 91c5168..4da8df9 100644
--- a/manifests/profile/base/neutron/plugins/ovs/opendaylight.pp
+++ b/manifests/profile/base/neutron/plugins/ovs/opendaylight.pp
@@ -30,6 +30,10 @@
# (Optional) List of OpenStack Controller IPs for ODL API
# Defaults to hiera('opendaylight_api_node_ips')
#
+# [*odl_url_ip*]
+# (Optional) Virtual IP address for ODL Api Service
+# Defaults to hiera('opendaylight_api_vip')
+#
# [*conn_proto*]
# (Optional) Protocol to use to for ODL REST access
# Defaults to hiera('opendaylight::nb_connection_protocol')
@@ -43,25 +47,25 @@ class tripleo::profile::base::neutron::plugins::ovs::opendaylight (
$odl_port = hiera('opendaylight::odl_rest_port'),
$odl_check_url = hiera('opendaylight_check_url'),
$odl_api_ips = hiera('opendaylight_api_node_ips'),
+ $odl_url_ip = hiera('opendaylight_api_vip'),
$conn_proto = hiera('opendaylight::nb_connection_protocol'),
$step = hiera('step'),
) {
if $step >= 4 {
- $opendaylight_controller_ip = $odl_api_ips[0]
- $odl_url_ip = hiera('opendaylight_api_vip')
-
- if ! $opendaylight_controller_ip { fail('OpenDaylight Controller IP is Empty') }
+ if empty($odl_api_ips) { fail('No IPs assigned to OpenDaylight Api Service') }
if ! $odl_url_ip { fail('OpenDaylight API VIP is Empty') }
# Build URL to check if ODL is up before connecting OVS
$opendaylight_url = "${conn_proto}://${odl_url_ip}:${odl_port}/${odl_check_url}"
+ $odl_ovsdb_str = join(regsubst($odl_api_ips, '.+', 'tcp:\0:6640'), ' ')
+
class { '::neutron::plugins::ovs::opendaylight':
tunnel_ip => hiera('neutron::agents::ml2::ovs::local_ip'),
odl_check_url => $opendaylight_url,
- odl_ovsdb_iface => "tcp:${opendaylight_controller_ip}:6640",
+ odl_ovsdb_iface => $odl_ovsdb_str,
}
}
}
diff --git a/manifests/profile/base/neutron/server.pp b/manifests/profile/base/neutron/server.pp
index 5d6909f..d67a40c 100644
--- a/manifests/profile/base/neutron/server.pp
+++ b/manifests/profile/base/neutron/server.pp
@@ -43,14 +43,6 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# HAProxy. This could be as many as specified by the $certificates_specs
-# variable.
-# Note that this doesn't configure the certificates in haproxy, it merely
-# creates the certificates.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*l3_ha_override*]
# (Optional) Override the calculated value for neutron::server::l3_ha
# by default this is calculated to enable when DVR is not enabled
@@ -95,7 +87,6 @@ class tripleo::profile::base::neutron::server (
$certificates_specs = hiera('apache_certificates_specs', {}),
$dvr_enabled = hiera('neutron::server::router_distributed', false),
$enable_internal_tls = hiera('enable_internal_tls', false),
- $generate_service_certificates = hiera('generate_service_certificates', false),
$l3_ha_override = '',
$l3_nodes = hiera('neutron_l3_short_node_names', []),
$neutron_network = hiera('neutron_api_network', undef),
@@ -104,10 +95,6 @@ class tripleo::profile::base::neutron::server (
$tls_proxy_fqdn = undef,
$tls_proxy_port = 9696,
) {
- if $enable_internal_tls and $generate_service_certificates {
- ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
- }
-
if $::hostname == downcase($bootstrap_node) {
$sync_db = true
} else {
diff --git a/manifests/profile/base/neutron/sriov.pp b/manifests/profile/base/neutron/sriov.pp
index 00ecc21..24c7b63 100644
--- a/manifests/profile/base/neutron/sriov.pp
+++ b/manifests/profile/base/neutron/sriov.pp
@@ -33,6 +33,8 @@ class tripleo::profile::base::neutron::sriov(
$mechanism_drivers = hiera('neutron::plugins::ml2::mechanism_drivers'),
) {
+ include ::tripleo::profile::base::neutron
+
if $step >= 4 {
if 'sriovnicswitch' in $mechanism_drivers {
include ::neutron::agents::ml2::sriov
diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp
index 36425f6..ab9b615 100644
--- a/manifests/profile/base/nova.pp
+++ b/manifests/profile/base/nova.pp
@@ -82,6 +82,15 @@
# (Optional) The current step of the deployment
# Defaults to hiera('step')
#
+# [*migration_ssh_key*]
+# (Optional) SSH key pair for migration SSH tunnel.
+# Expects a hash with keys 'private_key' and 'public_key'.
+# Defaults to {}
+#
+# [*libvirt_tls*]
+# (Optional) Whether or not libvird TLS service is enabled.
+# Defaults to false
+
class tripleo::profile::base::nova (
$bootstrap_node = hiera('bootstrap_nodeid', undef),
$libvirt_enabled = false,
@@ -99,6 +108,8 @@ class tripleo::profile::base::nova (
$oslomsg_use_ssl = hiera('nova::rabbit_use_ssl', '0'),
$nova_compute_enabled = false,
$step = hiera('step'),
+ $migration_ssh_key = {},
+ $libvirt_tls = false
) {
if $::hostname == downcase($bootstrap_node) {
$sync_db = true
@@ -114,7 +125,62 @@ class tripleo::profile::base::nova (
if $step >= 4 or ($step >= 3 and $sync_db) {
$oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl)))
- class { '::nova' :
+ include ::nova::config
+ class { '::nova::cache':
+ enabled => true,
+ backend => 'oslo_cache.memcache_pool',
+ memcache_servers => $memcache_servers,
+ }
+ include ::nova::placement
+
+ if $step >= 4 and $manage_migration {
+
+ # Libvirt setup (live-migration)
+ if $libvirt_tls {
+ class { '::nova::migration::libvirt':
+ transport => 'tls',
+ configure_libvirt => $libvirt_enabled,
+ configure_nova => $nova_compute_enabled,
+ }
+ } else {
+ # Reuse the cold-migration SSH tunnel when TLS is not enabled
+ class { '::nova::migration::libvirt':
+ transport => 'ssh',
+ configure_libvirt => $libvirt_enabled,
+ configure_nova => $nova_compute_enabled,
+ client_user => 'nova',
+ client_extraparams => {'keyfile' => '/var/lib/nova/.ssh/id_rsa'}
+ }
+ }
+
+ if $migration_ssh_key != {} {
+ # Nova SSH tunnel setup (cold-migration)
+
+ #TODO: Remove me when https://review.rdoproject.org/r/#/c/4008 lands
+ user { 'nova':
+ ensure => present,
+ shell => '/bin/bash',
+ }
+
+ $private_key_parts = split($migration_ssh_key['public_key'], ' ')
+ $nova_public_key = {
+ type => $private_key_parts[0],
+ key => $private_key_parts[1]
+ }
+ $nova_private_key = {
+ type => $private_key_parts[0],
+ key => $migration_ssh_key['private_key']
+ }
+ } else {
+ $nova_public_key = undef
+ $nova_private_key = undef
+ }
+ } else {
+ $nova_public_key = undef
+ $nova_private_key = undef
+ }
+
+ class { '::nova':
default_transport_url => os_transport_url({
'transport' => $oslomsg_rpc_proto,
'hosts' => $oslomsg_rpc_hosts,
@@ -131,23 +197,8 @@ class tripleo::profile::base::nova (
'password' => $oslomsg_notify_password,
'ssl' => $oslomsg_use_ssl_real,
}),
+ nova_public_key => $nova_public_key,
+ nova_private_key => $nova_private_key,
}
- include ::nova::config
- class { '::nova::cache':
- enabled => true,
- backend => 'oslo_cache.memcache_pool',
- memcache_servers => $memcache_servers,
- }
- include ::nova::placement
}
-
- if $step >= 4 {
- if $manage_migration {
- class { '::nova::migration::libvirt':
- configure_libvirt => $libvirt_enabled,
- configure_nova => $nova_compute_enabled,
- }
- }
- }
-
}
diff --git a/manifests/profile/base/nova/api.pp b/manifests/profile/base/nova/api.pp
index cda2b66..95a1721 100644
--- a/manifests/profile/base/nova/api.pp
+++ b/manifests/profile/base/nova/api.pp
@@ -36,14 +36,6 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# HAProxy. This could be as many as specified by the $certificates_specs
-# variable.
-# Note that this doesn't configure the certificates in haproxy, it merely
-# creates the certificates.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*nova_api_network*]
# (Optional) The network name where the nova API endpoint is listening on.
# This is set by t-h-t.
@@ -63,7 +55,6 @@ class tripleo::profile::base::nova::api (
$bootstrap_node = hiera('bootstrap_nodeid', undef),
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
- $generate_service_certificates = hiera('generate_service_certificates', false),
$nova_api_network = hiera('nova_api_network', undef),
$nova_api_wsgi_enabled = hiera('nova_wsgi_enabled', false),
$step = hiera('step'),
@@ -93,10 +84,6 @@ class tripleo::profile::base::nova::api (
# https://bugs.launchpad.net/nova/+bug/1661360
if $nova_api_wsgi_enabled {
if $enable_internal_tls {
- if $generate_service_certificates {
- ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
- }
-
if !$nova_api_network {
fail('nova_api_network is not set in the hieradata.')
}
diff --git a/manifests/profile/base/nova/compute.pp b/manifests/profile/base/nova/compute.pp
index 0eb2ed7..84b8bd5 100644
--- a/manifests/profile/base/nova/compute.pp
+++ b/manifests/profile/base/nova/compute.pp
@@ -48,10 +48,12 @@ class tripleo::profile::base::nova::compute (
# When utilising images for deployment, we need to reset the iSCSI initiator name to make it unique
# https://bugzilla.redhat.com/show_bug.cgi?id=1244328
+ ensure_resource('package', 'iscsi-initiator-utils', { ensure => 'present' })
exec { 'reset-iscsi-initiator-name':
command => '/bin/echo InitiatorName=$(/usr/sbin/iscsi-iname) > /etc/iscsi/initiatorname.iscsi',
onlyif => '/usr/bin/test ! -f /etc/iscsi/.initiator_reset',
before => File['/etc/iscsi/.initiator_reset'],
+ require => Package['iscsi-initiator-utils'],
}
file { '/etc/iscsi/.initiator_reset':
ensure => present,
diff --git a/manifests/profile/base/nova/ec2api.pp b/manifests/profile/base/nova/ec2api.pp
index f34b071..f8817d2 100644
--- a/manifests/profile/base/nova/ec2api.pp
+++ b/manifests/profile/base/nova/ec2api.pp
@@ -31,5 +31,6 @@ class tripleo::profile::base::nova::ec2api (
include ::ec2api::api
include ::ec2api::db::sync
include ::ec2api::metadata
+ include ::ec2api::keystone::authtoken
}
}
diff --git a/manifests/profile/base/nova/placement.pp b/manifests/profile/base/nova/placement.pp
index 46658b8..16bfe17 100644
--- a/manifests/profile/base/nova/placement.pp
+++ b/manifests/profile/base/nova/placement.pp
@@ -36,14 +36,6 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# HAProxy. This could be as many as specified by the $certificates_specs
-# variable.
-# Note that this doesn't configure the certificates in haproxy, it merely
-# creates the certificates.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*nova_placement_network*]
# (Optional) The network name where the nova placement endpoint is listening on.
# This is set by t-h-t.
@@ -58,7 +50,6 @@ class tripleo::profile::base::nova::placement (
$bootstrap_node = hiera('bootstrap_nodeid', undef),
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
- $generate_service_certificates = hiera('generate_service_certificates', false),
$nova_placement_network = hiera('nova_placement_network', undef),
$step = hiera('step'),
) {
@@ -72,10 +63,6 @@ class tripleo::profile::base::nova::placement (
include ::tripleo::profile::base::nova::authtoken
if $enable_internal_tls {
- if $generate_service_certificates {
- ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
- }
-
if !$nova_placement_network {
fail('nova_placement_network is not set in the hieradata.')
}
diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp
index 6021731..c1d745a 100644
--- a/manifests/profile/base/pacemaker.pp
+++ b/manifests/profile/base/pacemaker.pp
@@ -55,6 +55,14 @@
# (Optional) Number of seconds to sleep between remote creation tries
# Defaults to hiera('pacemaker_remote_try_sleep', 60)
#
+# [*cluster_recheck_interval*]
+# (Optional) Set the cluster-wide cluster-recheck-interval property
+# If the hiera key does not exist or if it is set to undef, the property
+# won't be changed from its default value when there are no pacemaker_remote
+# nodes. In presence of pacemaker_remote nodes and an undef value it will
+# be set to 60s.
+# Defaults to hiera('pacemaker_cluster_recheck_interval', undef)
+#
class tripleo::profile::base::pacemaker (
$step = hiera('step'),
$pcs_tries = hiera('pcs_tries', 20),
@@ -65,6 +73,7 @@ class tripleo::profile::base::pacemaker (
$remote_monitor_interval = hiera('pacemaker_remote_monitor_interval', 20),
$remote_tries = hiera('pacemaker_remote_tries', 5),
$remote_try_sleep = hiera('pacemaker_remote_try_sleep', 60),
+ $cluster_recheck_interval = hiera('pacemaker_cluster_recheck_interval', undef),
) {
if count($remote_short_node_names) != count($remote_node_ips) {
@@ -136,6 +145,22 @@ class tripleo::profile::base::pacemaker (
if $step >= 2 {
if $pacemaker_master {
include ::pacemaker::resource_defaults
+ # When we have a non-zero number of pacemaker remote nodes we
+ # want to set the cluster-recheck-interval property to something
+ # lower (unless the operator has explicitely set a value)
+ if count($remote_short_node_names) > 0 and $cluster_recheck_interval == undef {
+ pacemaker::property{ 'cluster-recheck-interval-property':
+ property => 'cluster-recheck-interval',
+ value => '60s',
+ tries => $pcs_tries,
+ }
+ } elsif $cluster_recheck_interval != undef {
+ pacemaker::property{ 'cluster-recheck-interval-property':
+ property => 'cluster-recheck-interval',
+ value => $cluster_recheck_interval,
+ tries => $pcs_tries,
+ }
+ }
}
}
diff --git a/manifests/profile/base/panko/api.pp b/manifests/profile/base/panko/api.pp
index a6643ce..90e80a2 100644
--- a/manifests/profile/base/panko/api.pp
+++ b/manifests/profile/base/panko/api.pp
@@ -38,14 +38,6 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# HAProxy. This could be as many as specified by the $certificates_specs
-# variable.
-# Note that this doesn't configure the certificates in haproxy, it merely
-# creates the certificates.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*panko_network*]
# (Optional) The network name where the panko endpoint is listening on.
# This is set by t-h-t.
@@ -60,7 +52,6 @@ class tripleo::profile::base::panko::api (
$bootstrap_node = hiera('bootstrap_nodeid', undef),
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
- $generate_service_certificates = hiera('generate_service_certificates', false),
$panko_network = hiera('panko_api_network', undef),
$step = hiera('step'),
) {
@@ -73,10 +64,6 @@ class tripleo::profile::base::panko::api (
include ::tripleo::profile::base::panko
if $enable_internal_tls {
- if $generate_service_certificates {
- ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
- }
-
if !$panko_network {
fail('panko_api_network is not set in the hieradata.')
}
diff --git a/manifests/profile/base/qdr.pp b/manifests/profile/base/qdr.pp
new file mode 100644
index 0000000..9827f2e
--- /dev/null
+++ b/manifests/profile/base/qdr.pp
@@ -0,0 +1,54 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::qdr
+#
+# Qpid dispatch router profile for tripleo
+#
+# === Parameters
+#
+# [*qdr_username*]
+# Username for the qrouter daemon
+# Defaults to undef
+#
+# [*qdr_password*]
+# Password for the qrouter daemon
+# Defaults to undef
+#
+# [*qdr_listener_port*]
+# Port for the listener (not that we do not use qdr::listener_port
+# directly because it requires a string and we have a number.
+# Defaults to hiera('tripleo::profile::base::qdr::qdr_listener_port', 5672)
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+class tripleo::profile::base::qdr (
+ $qdr_username = undef,
+ $qdr_password = undef,
+ $qdr_listener_port = hiera('tripleo::profile::base::qdr::qdr_listener_port', 5672),
+ $step = hiera('step'),
+) {
+ if $step >= 1 {
+ class { '::qdr':
+ listener_port => "${qdr_listener_port}",
+ } ->
+ qdr_user { $qdr_username:
+ ensure => present,
+ password => $qdr_password,
+ }
+ }
+}
diff --git a/manifests/profile/base/rabbitmq.pp b/manifests/profile/base/rabbitmq.pp
index b04d721..9d1417c 100644
--- a/manifests/profile/base/rabbitmq.pp
+++ b/manifests/profile/base/rabbitmq.pp
@@ -42,12 +42,6 @@
# (Optional) RabbitMQ environment.
# Defaults to hiera('rabbitmq_environment').
#
-# [*generate_service_certificates*]
-# (Optional) Whether or not certmonger will generate certificates for
-# MySQL. This could be as many as specified by the $certificates_specs
-# variable.
-# Defaults to hiera('generate_service_certificate', false).
-#
# [*inet_dist_interface*]
# (Optional) Address to bind the inter-cluster interface
# to. It is the inet_dist_use_interface option in the kernel variables
@@ -87,7 +81,6 @@ class tripleo::profile::base::rabbitmq (
$config_variables = hiera('rabbitmq_config_variables'),
$enable_internal_tls = undef, # TODO(jaosorior): pass this via t-h-t
$environment = hiera('rabbitmq_environment'),
- $generate_service_certificates = hiera('generate_service_certificates', false),
$inet_dist_interface = hiera('rabbitmq::interface', undef),
$ipv6 = str2bool(hiera('rabbit_ipv6', false)),
$kernel_variables = hiera('rabbitmq_kernel_variables'),
@@ -98,9 +91,6 @@ class tripleo::profile::base::rabbitmq (
$step = hiera('step'),
) {
if $enable_internal_tls {
- if $generate_service_certificates {
- ensure_resource('class', 'tripleo::certmonger::rabbitmq', $certificate_specs)
- }
$tls_certfile = $certificate_specs['service_certificate']
$tls_keyfile = $certificate_specs['service_key']
} else {
@@ -160,6 +150,9 @@ class tripleo::profile::base::rabbitmq (
ssl_key => $tls_keyfile,
}
}
+ }
+
+ if $step >= 2 {
# In case of HA, starting of rabbitmq-server is managed by pacemaker, because of which, a dependency
# to Service['rabbitmq-server'] will not work. Sticking with UPDATE action.
if $stack_action == 'UPDATE' {
diff --git a/manifests/profile/base/securetty.pp b/manifests/profile/base/securetty.pp
new file mode 100644
index 0000000..07f29f8
--- /dev/null
+++ b/manifests/profile/base/securetty.pp
@@ -0,0 +1,48 @@
+# Copyright 2016 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::securetty
+#
+# Sets securetty Parameters
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+# [*tty_list*]
+# Hash of values for /etc/securetty console
+# Defaults to hiera('securetty::tty_list')
+#
+class tripleo::profile::base::securetty (
+ $step = hiera('step'),
+ $tty_list = hiera('tty_list', []),
+) {
+ validate_array($tty_list)
+
+ if $step >=1 {
+ $ttys = join($tty_list, "\n")
+
+ file { '/etc/securetty':
+ ensure => file,
+ content => template( 'tripleo/securetty/securetty.erb' ),
+ owner => 'root',
+ group => 'root',
+ mode => '0600'
+ }
+ }
+}
diff --git a/manifests/profile/base/sshd.pp b/manifests/profile/base/sshd.pp
index e7916c1..f43089c 100644
--- a/manifests/profile/base/sshd.pp
+++ b/manifests/profile/base/sshd.pp
@@ -15,47 +15,45 @@
#
# == Class: tripleo::profile::base::sshd
#
-# SSH profile for tripleo
+# SSH composable service for TripleO
#
# === Parameters
#
# [*bannertext*]
-# The text used within SSH Banner
+# The text used within /etc/issue and /etc/issue.net
# Defaults to hiera('BannerText')
#
+# [*motd*]
+# The text used within SSH Banner
+# Defaults to hiera('MOTD')
+#
class tripleo::profile::base::sshd (
$bannertext = hiera('BannerText', undef),
+ $motd = hiera('MOTD', undef),
) {
- if $bannertext {
- $action = 'set'
- } else {
- $action = 'rm'
- }
-
- package {'openssh-server':
- ensure => installed,
- }
+ include ::ssh
- augeas { 'sshd_config_banner':
- context => '/files/etc/ssh/sshd_config',
- changes => [ "${action} Banner /etc/issue" ],
- notify => Service['sshd']
- }
-
- file { '/etc/issue':
- ensure => file,
- backup => false,
- content => $bannertext,
- owner => 'root',
- group => 'root',
- mode => '0600'
+ if $bannertext {
+ $filelist = [ '/etc/issue', '/etc/issue.net', ]
+ file { $filelist:
+ ensure => file,
+ backup => false,
+ content => $bannertext,
+ owner => 'root',
+ group => 'root',
+ mode => '0644'
+ }
}
- service { 'sshd':
- ensure => 'running',
- enable => true,
- hasstatus => false,
- require => Package['openssh-server'],
+ if $motd {
+ file { '/etc/motd':
+ ensure => file,
+ backup => false,
+ content => $motd,
+ owner => 'root',
+ group => 'root',
+ mode => '0644'
+ }
}
}
diff --git a/manifests/profile/base/swift/proxy.pp b/manifests/profile/base/swift/proxy.pp
index 0d9ba68..e80c8c9 100644
--- a/manifests/profile/base/swift/proxy.pp
+++ b/manifests/profile/base/swift/proxy.pp
@@ -46,6 +46,22 @@
# Username for messaging nova queue
# Defaults to hiera('swift::proxy::ceilometer::rabbit_user', 'guest')
#
+# [*certificates_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Example with hiera:
+# apache_certificates_specs:
+# httpd-internal_api:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "haproxy/<overcloud controller fqdn>"
+# Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
# [*memcache_port*]
# (Optional) memcache port
# Defaults to 11211
@@ -59,6 +75,26 @@
# for more details.
# Defaults to hiera('step')
#
+# [*swift_proxy_network*]
+# (Optional) The network name where the swift proxy endpoint is listening on.
+# This is set by t-h-t.
+# Defaults to hiera('swift_proxy_network', undef)
+#
+# [*tls_proxy_bind_ip*]
+# IP on which the TLS proxy will listen on. Required only if
+# enable_internal_tls is set.
+# Defaults to undef
+#
+# [*tls_proxy_fqdn*]
+# fqdn on which the tls proxy will listen on. required only used if
+# enable_internal_tls is set.
+# defaults to undef
+#
+# [*tls_proxy_port*]
+# port on which the tls proxy will listen on. Only used if
+# enable_internal_tls is set.
+# defaults to 8080
+#
class tripleo::profile::base::swift::proxy (
$ceilometer_enabled = true,
$ceilometer_messaging_driver = hiera('messaging_notify_service_name', 'rabbit'),
@@ -67,11 +103,33 @@ class tripleo::profile::base::swift::proxy (
$ceilometer_messaging_port = hiera('tripleo::profile::base::swift::proxy::rabbit_port', '5672'),
$ceilometer_messaging_use_ssl = '0',
$ceilometer_messaging_username = hiera('swift::proxy::ceilometer::rabbit_user', 'guest'),
+ $certificates_specs = hiera('apache_certificates_specs', {}),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
$memcache_port = 11211,
$memcache_servers = hiera('memcached_node_ips'),
$step = hiera('step'),
+ $swift_proxy_network = hiera('swift_proxy_network', undef),
+ $tls_proxy_bind_ip = undef,
+ $tls_proxy_fqdn = undef,
+ $tls_proxy_port = 8080,
) {
if $step >= 4 {
+ if $enable_internal_tls {
+ if !$swift_proxy_network {
+ fail('swift_proxy_network is not set in the hieradata.')
+ }
+ $tls_certfile = $certificates_specs["httpd-${swift_proxy_network}"]['service_certificate']
+ $tls_keyfile = $certificates_specs["httpd-${swift_proxy_network}"]['service_key']
+
+ ::tripleo::tls_proxy { 'swift-proxy-api':
+ servername => $tls_proxy_fqdn,
+ ip => $tls_proxy_bind_ip,
+ port => $tls_proxy_port,
+ tls_cert => $tls_certfile,
+ tls_key => $tls_keyfile,
+ notify => Class['::neutron::server'],
+ }
+ }
$swift_memcache_servers = suffix(any2array(normalize_ip_for_uri($memcache_servers)), ":${memcache_port}")
include ::swift::config
include ::swift::proxy
diff --git a/manifests/profile/base/swift/ringbuilder.pp b/manifests/profile/base/swift/ringbuilder.pp
index 7e5fc74..f7cfea4 100644
--- a/manifests/profile/base/swift/ringbuilder.pp
+++ b/manifests/profile/base/swift/ringbuilder.pp
@@ -63,6 +63,12 @@
# Minimum amount of time before partitions can be moved.
# Defaults to undef
#
+# [*swift_ring_get_tempurl*]
+# GET tempurl to fetch Swift rings from
+#
+# [*swift_ring_put_tempurl*]
+# PUT tempurl to upload Swift rings to
+#
class tripleo::profile::base::swift::ringbuilder (
$replicas,
$build_ring = true,
@@ -74,7 +80,23 @@ class tripleo::profile::base::swift::ringbuilder (
$swift_storage_node_ips = hiera('swift_storage_node_ips', []),
$part_power = undef,
$min_part_hours = undef,
+ $swift_ring_get_tempurl = hiera('swift_ring_get_tempurl', ''),
+ $swift_ring_put_tempurl = hiera('swift_ring_put_tempurl', ''),
) {
+
+ if $step == 2 and $swift_ring_get_tempurl != '' {
+ exec{'fetch_swift_ring_tarball':
+ path => ['/usr/bin'],
+ command => "curl --insecure --silent '${swift_ring_get_tempurl}' -o /tmp/swift-rings.tar.gz",
+ returns => [0, 3]
+ } ~>
+ exec{'extract_swift_ring_tarball':
+ path => ['/bin'],
+ command => 'tar xzf /tmp/swift-rings.tar.gz -C /',
+ returns => [0, 2]
+ }
+ }
+
if $step >= 2 {
# pre-install swift here so we can build rings
include ::swift
@@ -112,4 +134,18 @@ class tripleo::profile::base::swift::ringbuilder (
Ring_object_device<| |> ~> Exec['rebalance_container']
}
}
+
+ if $step == 5 and $build_ring and $swift_ring_put_tempurl != '' {
+ exec{'create_swift_ring_tarball':
+ path => ['/bin', '/usr/bin'],
+ command => 'tar cvzf /tmp/swift-rings.tar.gz /etc/swift/*.builder /etc/swift/*.ring.gz /etc/swift/backups/',
+ unless => 'swift-recon --md5 | grep -q "doesn\'t match"'
+ } ~>
+ exec{'upload_swift_ring_tarball':
+ path => ['/usr/bin'],
+ command => "curl --insecure --silent -X PUT '${$swift_ring_put_tempurl}' --data-binary @/tmp/swift-rings.tar.gz",
+ require => Exec['create_swift_ring_tarball'],
+ refreshonly => true,
+ }
+ }
}
diff --git a/manifests/profile/base/tuned.pp b/manifests/profile/base/tuned.pp
new file mode 100644
index 0000000..8dfcea0
--- /dev/null
+++ b/manifests/profile/base/tuned.pp
@@ -0,0 +1,20 @@
+# == Class: tripleo::profile::base::tuned
+#
+# Configures tuned service.
+#
+# === Parameters:
+#
+# [*profile*]
+# (optional) tuned active profile.
+# Defaults to 'throughput-performance'
+#
+#
+class tripleo::profile::base::tuned (
+ $profile = 'throughput-performance'
+) {
+ exec { 'tuned-adm':
+ path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+ command => "tuned-adm profile ${profile}",
+ unless => "tuned-adm active | grep -q '${profile}'"
+ }
+}
diff --git a/manifests/profile/pacemaker/database/mysql.pp b/manifests/profile/pacemaker/database/mysql.pp
index bc5e644..031e80c 100644
--- a/manifests/profile/pacemaker/database/mysql.pp
+++ b/manifests/profile/pacemaker/database/mysql.pp
@@ -120,7 +120,7 @@ class tripleo::profile::pacemaker::database::mysql (
if $step >= 1 and $pacemaker_master and hiera('stack_action') == 'UPDATE' {
tripleo::pacemaker::resource_restart_flag { 'galera-master':
subscribe => File['mysql-config-file'],
- }
+ } ~> Exec<| title == 'galera-ready' |>
}
if $step >= 2 {
@@ -145,7 +145,7 @@ class tripleo::profile::pacemaker::database::mysql (
},
require => [Class['::mysql::server'],
Pacemaker::Property['galera-role-node-property']],
- before => Exec['galera-ready'],
+ notify => Exec['galera-ready'],
}
exec { 'galera-ready' :
command => '/usr/bin/clustercheck >/dev/null',
@@ -153,6 +153,7 @@ class tripleo::profile::pacemaker::database::mysql (
tries => 180,
try_sleep => 10,
environment => ['AVAILABLE_WHEN_READONLY=0'],
+ refreshonly => true,
require => Exec['create-root-sysconfig-clustercheck'],
}
# We add a clustercheck db user and we will switch /etc/sysconfig/clustercheck
diff --git a/manifests/ui.pp b/manifests/ui.pp
index d51ef2e..b2ed178 100644
--- a/manifests/ui.pp
+++ b/manifests/ui.pp
@@ -33,8 +33,16 @@
#
# [*enabled_languages*]
# Which languages to show in the UI.
-# An array.
-# Defaults to ['en-GB', 'en', 'de', 'ja', 'ko-KR', 'zh-CN', 'es']
+# A hash.
+# Defaults to
+# {
+# 'de' => 'German',
+# 'en' => 'English',
+# 'es' => 'Spanish',
+# 'ja' => 'Japanese',
+# 'ko-KR' => 'Korean',
+# 'zh-CN' => 'Simplified Chinese'
+# }
#
# [*endpoint_proxy_keystone*]
# The keystone proxy endpoint url
@@ -94,7 +102,14 @@ class tripleo::ui (
$bind_host = hiera('controller_host'),
$ui_port = 3000,
$zaqar_default_queue = 'tripleo',
- $enabled_languages = ['en-GB', 'en', 'de', 'ja', 'ko-KR', 'zh-CN', 'es'],
+ $enabled_languages = {
+ 'de' => 'German',
+ 'en' => 'English',
+ 'es' => 'Spanish',
+ 'ja' => 'Japanese',
+ 'ko-KR' => 'Korean',
+ 'zh-CN' => 'Simplified Chinese'
+ },
$endpoint_proxy_zaqar = undef,
$endpoint_proxy_keystone = undef,
$endpoint_proxy_heat = undef,