aboutsummaryrefslogtreecommitdiffstats
path: root/manifests
diff options
context:
space:
mode:
Diffstat (limited to 'manifests')
-rw-r--r--manifests/certmonger/ca/crl.pp2
-rw-r--r--manifests/certmonger/haproxy.pp13
-rw-r--r--manifests/certmonger/httpd.pp10
-rw-r--r--manifests/certmonger/mongodb.pp10
-rw-r--r--manifests/certmonger/mysql.pp10
-rw-r--r--manifests/certmonger/rabbitmq.pp10
-rw-r--r--manifests/haproxy.pp86
-rw-r--r--manifests/haproxy/endpoint.pp26
-rw-r--r--manifests/haproxy/horizon_endpoint.pp154
-rw-r--r--manifests/profile/base/barbican/api.pp4
-rw-r--r--manifests/profile/base/ceph/mds.pp5
-rw-r--r--manifests/profile/base/certmonger_user.pp18
-rw-r--r--manifests/profile/base/cinder/volume.pp40
-rw-r--r--manifests/profile/base/cinder/volume/dellemc_vmax_iscsi.pp42
-rw-r--r--manifests/profile/base/database/mysql.pp3
-rw-r--r--manifests/profile/base/docker.pp24
-rw-r--r--manifests/profile/base/horizon.pp45
-rw-r--r--manifests/profile/base/logging/logrotate.pp112
-rw-r--r--manifests/profile/base/manila/api.pp7
-rw-r--r--manifests/profile/base/nova/api.pp40
-rw-r--r--manifests/profile/pacemaker/manila.pp54
21 files changed, 574 insertions, 141 deletions
diff --git a/manifests/certmonger/ca/crl.pp b/manifests/certmonger/ca/crl.pp
index 2454460..a69065d 100644
--- a/manifests/certmonger/ca/crl.pp
+++ b/manifests/certmonger/ca/crl.pp
@@ -129,7 +129,7 @@ class tripleo::certmonger::ca::crl (
if $ensure == 'present' {
# Fetch CRL in cron job and notify needed services
- $cmd_list = concat(["${sleep}curl -L -o ${fetched_crl} ${crl_source}"], $process_cmd, $reload_cmds)
+ $cmd_list = concat(["${sleep}curl -s -L -o ${fetched_crl} ${crl_source}"], $process_cmd, $reload_cmds)
$cron_cmd = join($cmd_list, ' && ')
} else {
$cron_cmd = absent
diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp
index d4f4ad2..819348d 100644
--- a/manifests/certmonger/haproxy.pp
+++ b/manifests/certmonger/haproxy.pp
@@ -32,10 +32,6 @@
# The hostname that certmonger will use as the common name for the
# certificate.
#
-# [*postsave_cmd*]
-# The post-save-command that certmonger will use once it renews the
-# certificate.
-#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
@@ -48,15 +44,19 @@
# [*principal*]
# The haproxy service principal that is set for HAProxy in kerberos.
#
+# [*postsave_cmd*]
+# The post-save-command that certmonger will use once it renews the
+# certificate.
+#
define tripleo::certmonger::haproxy (
$service_pem,
$service_certificate,
$service_key,
$hostname,
- $postsave_cmd,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$dnsnames = undef,
$principal = undef,
+ $postsave_cmd = undef,
){
include ::certmonger
include ::haproxy::params
@@ -74,6 +74,7 @@ define tripleo::certmonger::haproxy (
$dnsnames_real = $hostname
}
+ $postsave_cmd_real = pick($postsave_cmd, 'systemctl reload haproxy')
certmonger_certificate { "${title}-cert":
ensure => 'present',
ca => $certmonger_ca,
@@ -81,7 +82,7 @@ define tripleo::certmonger::haproxy (
dnsname => $dnsnames_real,
certfile => $service_certificate,
keyfile => $service_key,
- postsave_cmd => $postsave_cmd,
+ postsave_cmd => $postsave_cmd_real,
principal => $principal,
wait => true,
tag => 'haproxy-cert',
diff --git a/manifests/certmonger/httpd.pp b/manifests/certmonger/httpd.pp
index e9754f7..1b57984 100644
--- a/manifests/certmonger/httpd.pp
+++ b/manifests/certmonger/httpd.pp
@@ -36,6 +36,11 @@
# in the certificate. If left unset, the value will be set to the $hostname.
# Defaults to undef
#
+# [*postsave_cmd*]
+# (Optional) Specifies the command to execute after requesting a certificate.
+# If nothing is given, it will default to: "systemctl restart ${service name}"
+# Defaults to undef.
+#
# [*principal*]
# The haproxy service principal that is set for HAProxy in kerberos.
#
@@ -45,6 +50,7 @@ define tripleo::certmonger::httpd (
$service_key,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$dnsnames = undef,
+ $postsave_cmd = undef,
$principal = undef,
) {
include ::certmonger
@@ -56,7 +62,7 @@ define tripleo::certmonger::httpd (
$dnsnames_real = $hostname
}
- $postsave_cmd = "systemctl reload ${::apache::params::service_name}"
+ $postsave_cmd_real = pick($postsave_cmd, "systemctl reload ${::apache::params::service_name}")
certmonger_certificate { $name :
ensure => 'present',
certfile => $service_certificate,
@@ -64,7 +70,7 @@ define tripleo::certmonger::httpd (
hostname => $hostname,
dnsname => $dnsnames_real,
principal => $principal,
- postsave_cmd => $postsave_cmd,
+ postsave_cmd => $postsave_cmd_real,
ca => $certmonger_ca,
wait => true,
tag => 'apache-cert',
diff --git a/manifests/certmonger/mongodb.pp b/manifests/certmonger/mongodb.pp
index 0b2dd6a..37af82c 100644
--- a/manifests/certmonger/mongodb.pp
+++ b/manifests/certmonger/mongodb.pp
@@ -34,6 +34,11 @@
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
+# [*postsave_cmd*]
+# (Optional) Specifies the command to execute after requesting a certificate.
+# If nothing is given, it will default to: "systemctl restart ${service name}"
+# Defaults to undef.
+#
# [*principal*]
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
@@ -44,12 +49,13 @@ class tripleo::certmonger::mongodb (
$service_key,
$service_pem,
$certmonger_ca = hiera('certmonger_ca', 'local'),
+ $postsave_cmd = undef,
$principal = undef,
) {
include ::certmonger
include ::mongodb::params
- $postsave_cmd = "systemctl restart ${::mongodb::params::service_name}"
+ $postsave_cmd_real = pick($postsave_cmd, "systemctl restart ${::mongodb::params::service_name}")
certmonger_certificate { 'mongodb' :
ensure => 'present',
certfile => $service_certificate,
@@ -57,7 +63,7 @@ class tripleo::certmonger::mongodb (
hostname => $hostname,
dnsname => $hostname,
principal => $principal,
- postsave_cmd => $postsave_cmd,
+ postsave_cmd => $postsave_cmd_real,
ca => $certmonger_ca,
wait => true,
require => Class['::certmonger'],
diff --git a/manifests/certmonger/mysql.pp b/manifests/certmonger/mysql.pp
index 0988c55..ae408b6 100644
--- a/manifests/certmonger/mysql.pp
+++ b/manifests/certmonger/mysql.pp
@@ -37,6 +37,11 @@
# This parameter can take both a string or an array of strings.
# Defaults to $hostname
#
+# [*postsave_cmd*]
+# (Optional) Specifies the command to execute after requesting a certificate.
+# If nothing is given, it will default to: "systemctl restart ${service name}"
+# Defaults to undef.
+#
# [*principal*]
# (Optional) The haproxy service principal that is set for MySQL in kerberos.
# Defaults to undef
@@ -47,12 +52,13 @@ class tripleo::certmonger::mysql (
$service_key,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$dnsnames = $hostname,
+ $postsave_cmd = undef,
$principal = undef,
) {
include ::certmonger
include ::mysql::params
- $postsave_cmd = "systemctl reload ${::mysql::params::server_service_name}"
+ $postsave_cmd_real = pick($postsave_cmd, "systemctl reload ${::mysql::params::server_service_name}")
certmonger_certificate { 'mysql' :
ensure => 'present',
certfile => $service_certificate,
@@ -60,7 +66,7 @@ class tripleo::certmonger::mysql (
hostname => $hostname,
dnsname => $dnsnames,
principal => $principal,
- postsave_cmd => $postsave_cmd,
+ postsave_cmd => $postsave_cmd_real,
ca => $certmonger_ca,
wait => true,
require => Class['::certmonger'],
diff --git a/manifests/certmonger/rabbitmq.pp b/manifests/certmonger/rabbitmq.pp
index 4a47938..15b1fc3 100644
--- a/manifests/certmonger/rabbitmq.pp
+++ b/manifests/certmonger/rabbitmq.pp
@@ -31,6 +31,11 @@
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
+# [*postsave_cmd*]
+# (Optional) Specifies the command to execute after requesting a certificate.
+# If nothing is given, it will default to: "systemctl restart ${service name}"
+# Defaults to undef.
+#
# [*principal*]
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
@@ -40,12 +45,13 @@ class tripleo::certmonger::rabbitmq (
$service_certificate,
$service_key,
$certmonger_ca = hiera('certmonger_ca', 'local'),
+ $postsave_cmd = undef,
$principal = undef,
) {
include ::certmonger
include ::rabbitmq::params
- $postsave_cmd = "systemctl restart ${::rabbitmq::params::service_name}"
+ $postsave_cmd_real = pick($postsave_cmd, "systemctl restart ${::rabbitmq::params::service_name}")
certmonger_certificate { 'rabbitmq' :
ensure => 'present',
certfile => $service_certificate,
@@ -53,7 +59,7 @@ class tripleo::certmonger::rabbitmq (
hostname => $hostname,
dnsname => $hostname,
principal => $principal,
- postsave_cmd => $postsave_cmd,
+ postsave_cmd => $postsave_cmd_real,
ca => $certmonger_ca,
wait => true,
require => Class['::certmonger'],
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index a3d088a..9939ca9 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -402,6 +402,10 @@
# (optional) Specify the network heat_cloudwatch is running on.
# Defaults to hiera('heat_api_cloudwatch_network', undef)
#
+# [*horizon_network*]
+# (optional) Specify the network horizon is running on.
+# Defaults to hiera('horizon_network', undef)
+#
# [*ironic_inspector_network*]
# (optional) Specify the network ironic_inspector is running on.
# Defaults to hiera('ironic_inspector_network', undef)
@@ -520,7 +524,6 @@
# 'ironic_inspector_port' (Defaults to 5050)
# 'ironic_inspector_ssl_port' (Defaults to 13050)
# 'keystone_admin_api_port' (Defaults to 35357)
-# 'keystone_admin_api_ssl_port' (Defaults to 13357)
# 'keystone_public_api_port' (Defaults to 5000)
# 'keystone_public_api_ssl_port' (Defaults to 13000)
# 'manila_api_port' (Defaults to 8786)
@@ -644,6 +647,7 @@ class tripleo::haproxy (
$heat_api_network = hiera('heat_api_network', undef),
$heat_cfn_network = hiera('heat_api_cfn_network', undef),
$heat_cloudwatch_network = hiera('heat_api_cloudwatch_network', undef),
+ $horizon_network = hiera('horizon_network', undef),
$ironic_inspector_network = hiera('ironic_inspector_network', undef),
$ironic_network = hiera('ironic_api_network', undef),
$keystone_admin_network = hiera('keystone_admin_api_network', undef),
@@ -708,7 +712,6 @@ class tripleo::haproxy (
ironic_inspector_port => 5050,
ironic_inspector_ssl_port => 13050,
keystone_admin_api_port => 35357,
- keystone_admin_api_ssl_port => 13357,
keystone_public_api_port => 5000,
keystone_public_api_ssl_port => 13000,
manila_api_port => 8786,
@@ -772,43 +775,6 @@ class tripleo::haproxy (
$controller_hosts_names_real = downcase(any2array(split($controller_hosts_names, ',')))
}
- $horizon_vip = hiera('horizon_vip', $controller_virtual_ip)
- if $service_certificate {
- # NOTE(jaosorior): If the horizon_vip and the public_virtual_ip are the
- # same, the first option takes precedence. Which is the case when network
- # isolation is not enabled. This is not a problem as both options are
- # identical. If network isolation is enabled, this works correctly and
- # will add a TLS binding to both the horizon_vip and the
- # public_virtual_ip.
- # Even though for the public_virtual_ip the port 80 is listening, we
- # redirect to https in the horizon_options below.
- $horizon_bind_opts = {
- "${horizon_vip}:80" => $haproxy_listen_bind_param,
- "${horizon_vip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
- "${public_virtual_ip}:80" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
- }
- $horizon_options = {
- 'cookie' => 'SERVERID insert indirect nocache',
- 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
- # NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
- 'redirect' => 'scheme https code 301 if !{ ssl_fc }',
- 'option' => [ 'forwardfor', 'httpchk' ],
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- }
- } else {
- $horizon_bind_opts = {
- "${horizon_vip}:80" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:80" => $haproxy_listen_bind_param,
- }
- $horizon_options = {
- 'cookie' => 'SERVERID insert indirect nocache',
- 'option' => [ 'forwardfor', 'httpchk' ],
- }
- }
-
$mysql_vip = hiera('mysql_vip', $controller_virtual_ip)
$mysql_bind_opts = {
"${mysql_vip}:3306" => $haproxy_listen_bind_param,
@@ -894,16 +860,14 @@ class tripleo::haproxy (
if $keystone_admin {
::tripleo::haproxy::endpoint { 'keystone_admin':
- public_virtual_ip => $public_virtual_ip,
- internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip),
- service_port => $ports[keystone_admin_api_port],
- ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real),
- server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real),
- mode => 'http',
- listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }),
- public_ssl_port => $ports[keystone_admin_api_ssl_port],
- service_network => $keystone_admin_network,
- member_options => union($haproxy_member_options, $internal_tls_member_options),
+ internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip),
+ service_port => $ports[keystone_admin_api_port],
+ ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real),
+ server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real),
+ mode => 'http',
+ listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }),
+ service_network => $keystone_admin_network,
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
}
}
@@ -1071,6 +1035,7 @@ class tripleo::haproxy (
'option' => [ 'httpchk', ],
},
service_network => $nova_metadata_network,
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
}
}
@@ -1274,18 +1239,17 @@ class tripleo::haproxy (
}
if $horizon {
- haproxy::listen { 'horizon':
- bind => $horizon_bind_opts,
- options => $horizon_options,
- mode => 'http',
- collect_exported => false,
- }
- haproxy::balancermember { 'horizon':
- listening_service => 'horizon',
- ports => '80',
- ipaddresses => hiera('horizon_node_ips', $controller_hosts_real),
- server_names => hiera('horizon_node_names', $controller_hosts_names_real),
- options => union($haproxy_member_options, ["cookie ${::hostname}"]),
+ class { '::tripleo::haproxy::horizon_endpoint':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('horizon_vip', $controller_virtual_ip),
+ haproxy_listen_bind_param => $haproxy_listen_bind_param,
+ ip_addresses => hiera('horizon_node_ips', $controller_hosts_real),
+ server_names => hiera('horizon_node_names', $controller_hosts_names_real),
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
+ public_certificate => $service_certificate,
+ use_internal_certificates => $use_internal_certificates,
+ internal_certificates_specs => $internal_certificates_specs,
+ service_network => $horizon_network,
}
}
diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp
index 9139061..4436e19 100644
--- a/manifests/haproxy/endpoint.pp
+++ b/manifests/haproxy/endpoint.pp
@@ -133,21 +133,35 @@ define tripleo::haproxy::endpoint (
} else {
# internal service only
$public_bind_opts = {}
+ $listen_options_real = $listen_options
}
if $use_internal_certificates {
if !$service_network {
fail("The service_network for this service is undefined. Can't configure TLS for the internal network.")
}
- # NOTE(jaosorior): The key of the internal_certificates_specs hash must
- # must match the convention haproxy-<network name> or else this
- # will fail. Futherly, it must contain the path that we'll use under
- # 'service_pem'.
- $internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem']
+
+ if $service_network == 'external' and $public_certificate {
+ # NOTE(jaosorior): This service has been configured to use the external
+ # network. We should use the public certificate in this case.
+ $internal_cert_path = $public_certificate
+ } else {
+ # NOTE(jaosorior): This service is configured for the internal network.
+ # We use the certificate spec hash. The key of the
+ # internal_certificates_specs hash must must match the convention
+ # haproxy-<network name> or else this will fail. Futherly, it must
+ # contain the path that we'll use under 'service_pem'.
+ $internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem']
+ }
$internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"),
union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_cert_path]))
} else {
- $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param)
+ if $service_network == 'external' and $public_certificate {
+ $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"),
+ union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
+ } else {
+ $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param)
+ }
}
$bind_opts = merge($internal_bind_opts, $public_bind_opts)
diff --git a/manifests/haproxy/horizon_endpoint.pp b/manifests/haproxy/horizon_endpoint.pp
new file mode 100644
index 0000000..c7dfd88
--- /dev/null
+++ b/manifests/haproxy/horizon_endpoint.pp
@@ -0,0 +1,154 @@
+# Copyright 2014 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# == Class: tripleo::haproxy::endpoint
+#
+# Configure a HAProxy listen endpoint
+#
+# [*internal_ip*]
+# The IP in which the proxy endpoint will be listening in the internal
+# network.
+#
+# [*ip_addresses*]
+# The ordered list of IPs to be used to contact the balancer member.
+#
+# [*server_names*]
+# The names of the balancer members, which usually should be the hostname.
+#
+# [*member_options*]
+# Options for the balancer member, specified after the server declaration.
+# These should go in the member's configuration block.
+#
+# [*public_virtual_ip*]
+# Address in which the proxy endpoint will be listening in the public network.
+# If this service is internal only this should be ommitted.
+# Defaults to undef.
+#
+# [*haproxy_listen_bind_param*]
+# A list of params to be added to the HAProxy listener bind directive.
+# Defaults to undef.
+#
+# [*public_certificate*]
+# Certificate path used to enable TLS for the public proxy endpoint.
+# Defaults to undef.
+#
+# [*use_internal_certificates*]
+# Flag that indicates if we'll use an internal certificate for this specific
+# service. When set, enables SSL on the internal API endpoints using the file
+# that certmonger is tracking; this is derived from the network the service is
+# listening on.
+# Defaults to false
+#
+# [*internal_certificates_specs*]
+# A hash that should contain the specs that were used to create the
+# certificates. As the name indicates, only the internal certificates will be
+# fetched from here. And the keys should follow the following pattern
+# "haproxy-<network name>". The network name should be as it was defined in
+# tripleo-heat-templates.
+# Note that this is only taken into account if the $use_internal_certificates
+# flag is set.
+# Defaults to {}
+#
+# [*service_network*]
+# (optional) Indicates the network that the service is running on. Used for
+# fetching the certificate for that specific network.
+# Defaults to undef
+#
+class tripleo::haproxy::horizon_endpoint (
+ $internal_ip,
+ $ip_addresses,
+ $server_names,
+ $member_options,
+ $public_virtual_ip,
+ $haproxy_listen_bind_param = undef,
+ $public_certificate = undef,
+ $use_internal_certificates = false,
+ $internal_certificates_specs = {},
+ $service_network = undef,
+) {
+ # service exposed to the public network
+ if $public_certificate {
+ if $use_internal_certificates {
+ if !$service_network {
+ fail("The service_network for this service is undefined. Can't configure TLS for the internal network.")
+ }
+ # NOTE(jaosorior): The key of the internal_certificates_specs hash must
+ # must match the convention haproxy-<network name> or else this
+ # will fail. Futherly, it must contain the path that we'll use under
+ # 'service_pem'.
+ $internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem']
+ $internal_bind_opts = union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_cert_path])
+ } else {
+ # If no internal cert is given, we still configure TLS for the internal
+ # network, however, we expect that the public certificate has appropriate
+ # subjectaltnames set.
+ $internal_bind_opts = union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate])
+ }
+ # NOTE(jaosorior): If the internal_ip and the public_virtual_ip are the
+ # same, the first option takes precedence. Which is the case when network
+ # isolation is not enabled. This is not a problem as both options are
+ # identical. If network isolation is enabled, this works correctly and
+ # will add a TLS binding to both the internal_ip and the
+ # public_virtual_ip.
+ # Even though for the public_virtual_ip the port 80 is listening, we
+ # redirect to https in the horizon_options below.
+ $horizon_bind_opts = {
+ "${internal_ip}:80" => $haproxy_listen_bind_param,
+ "${internal_ip}:443" => $internal_bind_opts,
+ "${public_virtual_ip}:80" => $haproxy_listen_bind_param,
+ "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]),
+ }
+ $horizon_options = {
+ 'cookie' => 'SERVERID insert indirect nocache',
+ 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
+ # NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
+ 'redirect' => 'scheme https code 301 if !{ ssl_fc }',
+ 'option' => [ 'forwardfor', 'httpchk' ],
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
+ }
+ } else {
+ $horizon_bind_opts = {
+ "${internal_ip}:80" => $haproxy_listen_bind_param,
+ "${public_virtual_ip}:80" => $haproxy_listen_bind_param,
+ }
+ $horizon_options = {
+ 'cookie' => 'SERVERID insert indirect nocache',
+ 'option' => [ 'forwardfor', 'httpchk' ],
+ }
+ }
+
+ if $use_internal_certificates {
+ # Use SSL port if TLS in the internal network is enabled.
+ $backend_port = '443'
+ } else {
+ $backend_port = '80'
+ }
+
+ haproxy::listen { 'horizon':
+ bind => $horizon_bind_opts,
+ options => $horizon_options,
+ mode => 'http',
+ collect_exported => false,
+ }
+ haproxy::balancermember { 'horizon':
+ listening_service => 'horizon',
+ ports => $backend_port,
+ ipaddresses => $ip_addresses,
+ server_names => $server_names,
+ options => union($member_options, ["cookie ${::hostname}"]),
+ }
+}
diff --git a/manifests/profile/base/barbican/api.pp b/manifests/profile/base/barbican/api.pp
index 40a0a99..48bf4b8 100644
--- a/manifests/profile/base/barbican/api.pp
+++ b/manifests/profile/base/barbican/api.pp
@@ -129,10 +129,6 @@ class tripleo::profile::base::barbican::api (
include ::tripleo::profile::base::barbican
- if $step >= 3 and $sync_db {
- include ::barbican::db::mysql
- }
-
if $step >= 4 or ( $step >= 3 and $sync_db ) {
$oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl)))
class { '::barbican::api':
diff --git a/manifests/profile/base/ceph/mds.pp b/manifests/profile/base/ceph/mds.pp
index 9cc2b20..d675563 100644
--- a/manifests/profile/base/ceph/mds.pp
+++ b/manifests/profile/base/ceph/mds.pp
@@ -32,4 +32,9 @@ class tripleo::profile::base::ceph::mds (
if $step >= 3 {
include ::ceph::profile::mds
}
+
+ # when deploying mds, create also cephfs which is used by manila
+ if $step >= 4 {
+ include ::ceph::profile::fs
+ }
}
diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp
index 2ac4b6e..c3dde96 100644
--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
@@ -38,11 +38,21 @@
# it will create.
# Defaults to hiera('apache_certificate_specs', {}).
#
+# [*apache_postsave_cmd*]
+# (Optional) If set, it overrides the default way to restart apache when the
+# certificate is renewed.
+# Defaults to undef
+#
# [*haproxy_certificates_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
# Defaults to hiera('tripleo::profile::base::haproxy::certificate_specs', {}).
#
+# [*haproxy_postsave_cmd*]
+# (Optional) If set, it overrides the default way to restart haproxy when the
+# certificate is renewed.
+# Defaults to undef
+#
# [*libvirt_certificates_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
@@ -70,7 +80,9 @@
#
class tripleo::profile::base::certmonger_user (
$apache_certificates_specs = hiera('apache_certificates_specs', {}),
+ $apache_postsave_cmd = undef,
$haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
+ $haproxy_postsave_cmd = undef,
$libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}),
$mongodb_certificate_specs = hiera('mongodb_certificate_specs',{}),
$mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
@@ -94,7 +106,8 @@ class tripleo::profile::base::certmonger_user (
unless empty($apache_certificates_specs) {
include ::tripleo::certmonger::apache_dirs
- ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs)
+ ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs,
+ {'postsave_cmd' => $apache_postsave_cmd})
}
unless empty($libvirt_certificates_specs) {
include ::tripleo::certmonger::libvirt_dirs
@@ -102,7 +115,8 @@ class tripleo::profile::base::certmonger_user (
}
unless empty($haproxy_certificates_specs) {
include ::tripleo::certmonger::haproxy_dirs
- ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs)
+ ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs,
+ {'postsave_cmd' => $haproxy_postsave_cmd})
# The haproxy fronends (or listen resources) depend on the certificate
# existing and need to be refreshed if it changed.
Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>
diff --git a/manifests/profile/base/cinder/volume.pp b/manifests/profile/base/cinder/volume.pp
index 252bae1..b9cee83 100644
--- a/manifests/profile/base/cinder/volume.pp
+++ b/manifests/profile/base/cinder/volume.pp
@@ -30,6 +30,10 @@
# (Optional) Whether to enable the unity backend
# Defaults to false
#
+# [*cinder_enable_dellemc_vmax_iscsi_backend*]
+# (Optional) Whether to enable the vmax iscsi backend
+# Defaults to false
+#
# [*cinder_enable_hpelefthand_backend*]
# (Optional) Whether to enable the hpelefthand backend
# Defaults to false
@@ -72,19 +76,20 @@
# Defaults to hiera('step')
#
class tripleo::profile::base::cinder::volume (
- $cinder_enable_pure_backend = false,
- $cinder_enable_dellsc_backend = false,
- $cinder_enable_dellemc_unity_backend = false,
- $cinder_enable_hpelefthand_backend = false,
- $cinder_enable_dellps_backend = false,
- $cinder_enable_iscsi_backend = true,
- $cinder_enable_netapp_backend = false,
- $cinder_enable_nfs_backend = false,
- $cinder_enable_rbd_backend = false,
- $cinder_enable_scaleio_backend = false,
- $cinder_enable_vrts_hs_backend = false,
- $cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef),
- $step = Integer(hiera('step')),
+ $cinder_enable_pure_backend = false,
+ $cinder_enable_dellsc_backend = false,
+ $cinder_enable_dellemc_unity_backend = false,
+ $cinder_enable_dellemc_vmax_iscsi_backend = false,
+ $cinder_enable_hpelefthand_backend = false,
+ $cinder_enable_dellps_backend = false,
+ $cinder_enable_iscsi_backend = true,
+ $cinder_enable_netapp_backend = false,
+ $cinder_enable_nfs_backend = false,
+ $cinder_enable_rbd_backend = false,
+ $cinder_enable_scaleio_backend = false,
+ $cinder_enable_vrts_hs_backend = false,
+ $cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef),
+ $step = Integer(hiera('step')),
) {
include ::tripleo::profile::base::cinder
@@ -112,6 +117,14 @@ class tripleo::profile::base::cinder::volume (
$cinder_dellemc_unity_backend_name = undef
}
+ if $cinder_enable_dellemc_vmax_iscsi_backend {
+ include ::tripleo::profile::base::cinder::volume::dellemc_vmax_iscsi
+ $cinder_dellemc_vmax_iscsi_backend_name = hiera('cinder::backend::dellemc_vmax_iscsi::volume_backend_name',
+ 'tripleo_dellemc_vmax_iscsi')
+ } else {
+ $cinder_dellemc_vmax_iscsi_backend_name = undef
+ }
+
if $cinder_enable_hpelefthand_backend {
include ::tripleo::profile::base::cinder::volume::hpelefthand
$cinder_hpelefthand_backend_name = hiera('cinder::backend::hpelefthand_iscsi::volume_backend_name', 'tripleo_hpelefthand')
@@ -174,6 +187,7 @@ class tripleo::profile::base::cinder::volume (
$cinder_dellps_backend_name,
$cinder_dellsc_backend_name,
$cinder_dellemc_unity_backend_name,
+ $cinder_dellemc_vmax_iscsi_backend_name,
$cinder_hpelefthand_backend_name,
$cinder_netapp_backend_name,
$cinder_nfs_backend_name,
diff --git a/manifests/profile/base/cinder/volume/dellemc_vmax_iscsi.pp b/manifests/profile/base/cinder/volume/dellemc_vmax_iscsi.pp
new file mode 100644
index 0000000..d09481f
--- /dev/null
+++ b/manifests/profile/base/cinder/volume/dellemc_vmax_iscsi.pp
@@ -0,0 +1,42 @@
+# Copyright (c) 2016-2017 Dell Inc, or its subsidiaries.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::cinder::volume::dellemc_vmax_iscsi
+#
+# Cinder Volume dellemc_vmax_iscsi profile for tripleo
+#
+# === Parameters
+#
+# [*backend_name*]
+# (Optional) Name given to the Cinder backend stanza
+# Defaults to 'tripleo_dellemc_vmax_iscsi'
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+class tripleo::profile::base::cinder::volume::dellemc_vmax_iscsi (
+ $backend_name = hiera('cinder::backend::dellemc_vmax_iscsi::volume_backend_name', 'tripleo_dellemc_vmax_iscsi'),
+ $step = Integer(hiera('step')),
+) {
+ include ::tripleo::profile::base::cinder::volume
+
+ if $step >= 4 {
+ cinder::backend::dellemc_vmax_iscsi { $backend_name :
+ cinder_emc_config_file => hiera('cinder::backend::dellemc_vmax_iscsi::cinder_emc_config_file', undef),
+ }
+ }
+
+}
diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp
index 7e7d68b..7bb8c74 100644
--- a/manifests/profile/base/database/mysql.pp
+++ b/manifests/profile/base/database/mysql.pp
@@ -171,6 +171,9 @@ class tripleo::profile::base::database::mysql (
if hiera('cinder_api_enabled', false) {
include ::cinder::db::mysql
}
+ if hiera('barbican_api_enabled', false) {
+ include ::barbican::db::mysql
+ }
if hiera('congress_enabled', false) {
include ::congress::db::mysql
}
diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp
index d230366..8cb4cdd 100644
--- a/manifests/profile/base/docker.pp
+++ b/manifests/profile/base/docker.pp
@@ -19,10 +19,11 @@
#
# === Parameters
#
-# [*insecure_registry_address*]
-# The host/port combiniation of the insecure registry. This is used to configure
-# /etc/sysconfig/docker so that a local (insecure) registry can be accessed.
-# Example: 127.0.0.1:8787 (defaults to unset)
+# [*insecure_registries*]
+# An array of host/port combiniations of insecure registries. This is used to configure
+# /etc/sysconfig/docker so that local (insecure) registries can be accessed.
+# Example: ['127.0.0.1:8787']
+# (defaults to unset)
#
# [*registry_mirror*]
# Configure a registry-mirror in the /etc/docker/daemon.json file.
@@ -45,6 +46,11 @@
#
# DEPRECATED PARAMETERS
#
+# [*insecure_registry_address*]
+# DEPRECATED: The host/port combiniation of the insecure registry. This is used to configure
+# /etc/sysconfig/docker so that a local (insecure) registry can be accessed.
+# Example: 127.0.0.1:8787 (defaults to unset)
+#
# [*docker_namespace*]
# DEPRECATED: The namespace to be used when setting INSECURE_REGISTRY
# this will be split on "/" to derive the docker registry
@@ -55,13 +61,14 @@
# is enabled (defaults to false)
#
class tripleo::profile::base::docker (
- $insecure_registry_address = undef,
+ $insecure_registries = undef,
$registry_mirror = false,
$docker_options = '--log-driver=journald --signature-verification=false --iptables=false',
$configure_storage = true,
$storage_options = '-s overlay2',
$step = Integer(hiera('step')),
# DEPRECATED PARAMETERS
+ $insecure_registry_address = undef,
$docker_namespace = undef,
$insecure_registry = false,
) {
@@ -92,14 +99,19 @@ class tripleo::profile::base::docker (
}
if $insecure_registry {
- warning('The $insecure_registry and $docker_namespace are deprecated. Use $insecure_registry_address instead.')
+ warning('The $insecure_registry and $docker_namespace are deprecated. Use $insecure_registries instead.')
if $docker_namespace == undef {
fail('You must provide a $docker_namespace in order to configure insecure registry')
}
$namespace = strip($docker_namespace.split('/')[0])
$registry_changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${namespace}\"'" ]
} elsif $insecure_registry_address {
+ warning('The $insecure_registry_address parameter is deprecated. Use $insecure_registries instead.')
$registry_changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${insecure_registry_address}\"'" ]
+ } elsif $insecure_registries {
+ $registry_changes = [ join(['set INSECURE_REGISTRY \'"--insecure-registry ',
+ join($insecure_registries, ' --insecure-registry '),
+ '"\''], '') ]
} else {
$registry_changes = [ 'rm INSECURE_REGISTRY' ]
}
diff --git a/manifests/profile/base/horizon.pp b/manifests/profile/base/horizon.pp
index 3f01d01..9441329 100644
--- a/manifests/profile/base/horizon.pp
+++ b/manifests/profile/base/horizon.pp
@@ -27,6 +27,27 @@
# (Optional) The hostname of the node responsible for bootstrapping tasks
# Defaults to hiera('bootstrap_nodeid')
#
+# [*certificates_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Example with hiera:
+# apache_certificates_specs:
+# httpd-internal_api:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "haproxy/<overcloud controller fqdn>"
+# Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
+# [*horizon_network*]
+# (Optional) The network name where the horizon endpoint is listening on.
+# This is set by t-h-t.
+# Defaults to hiera('horizon_network', undef)
+#
# [*neutron_options*]
# (Optional) A hash of parameters to enable features specific to Neutron
# Defaults to hiera('horizon::neutron_options', {})
@@ -36,10 +57,13 @@
# Defaults to hiera('memcached_node_ips')
#
class tripleo::profile::base::horizon (
- $step = Integer(hiera('step')),
- $bootstrap_node = hiera('bootstrap_nodeid', undef),
- $neutron_options = hiera('horizon::neutron_options', {}),
- $memcached_ips = hiera('memcached_node_ips')
+ $step = Integer(hiera('step')),
+ $bootstrap_node = hiera('bootstrap_nodeid', undef),
+ $certificates_specs = hiera('apache_certificates_specs', {}),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
+ $horizon_network = hiera('horizon_network', undef),
+ $neutron_options = hiera('horizon::neutron_options', {}),
+ $memcached_ips = hiera('memcached_node_ips')
) {
if $::hostname == downcase($bootstrap_node) {
$is_bootstrap = true
@@ -47,6 +71,17 @@ class tripleo::profile::base::horizon (
$is_bootstrap = false
}
+ if $enable_internal_tls {
+ if !$horizon_network {
+ fail('horizon_api_network is not set in the hieradata.')
+ }
+ $tls_certfile = $certificates_specs["httpd-${horizon_network}"]['service_certificate']
+ $tls_keyfile = $certificates_specs["httpd-${horizon_network}"]['service_key']
+ } else {
+ $tls_certfile = undef
+ $tls_keyfile = undef
+ }
+
if $step >= 4 or ( $step >= 3 and $is_bootstrap ) {
# Horizon
include ::apache::mod::remoteip
@@ -68,6 +103,8 @@ class tripleo::profile::base::horizon (
class { '::horizon':
cache_server_ip => $horizon_memcached_servers,
neutron_options => $neutron_options_real,
+ horizon_cert => $tls_certfile,
+ horizon_key => $tls_keyfile,
}
}
}
diff --git a/manifests/profile/base/logging/logrotate.pp b/manifests/profile/base/logging/logrotate.pp
new file mode 100644
index 0000000..1545875
--- /dev/null
+++ b/manifests/profile/base/logging/logrotate.pp
@@ -0,0 +1,112 @@
+# Copyright 2017 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::logging::logrotate
+#
+# Installs a cron job that rotates containerized services logs.
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) String. The current step of the deployment
+# Defaults to hiera('step')
+#
+# [*ensure*]
+# (optional) Defaults to present.
+# Valid values are present, absent.
+#
+# [*minute*]
+# (optional) Defaults to '0'. Configures cron job for logrotate.
+#
+# [*hour*]
+# (optional) Defaults to '*'. Configures cron job for logrotate.
+#
+# [*monthday*]
+# (optional) Defaults to '*'. Configures cron job for logrotate.
+#
+# [*month*]
+# (optional) Defaults to '*'. Configures cron job for logrotate.
+#
+# [*weekday*]
+# (optional) Defaults to '*'. Configures cron job for logrotate.
+#
+# [*maxdelay*]
+# (optional) Seconds. Defaults to 90. Should be a positive integer.
+# Induces a random delay before running the cronjob to avoid running all
+# cron jobs at the same time on all hosts this job is configured.
+#
+# [*user*]
+# (optional) Defaults to 'root'. Configures cron job for logrotate.
+#
+# [*delaycompress*]
+# (optional) Defaults to True.
+# Configures the logrotate delaycompress parameter.
+#
+# [*size*]
+# (optional) Defaults to '10M'.
+# Configures the logrotate size parameter.
+#
+# [*rotate*]
+# (optional) Defaults to 14.
+# Configures the logrotate rotate parameter.
+#
+class tripleo::profile::base::logging::logrotate (
+ $step = Integer(hiera('step')),
+ $ensure = present,
+ $minute = 0,
+ $hour = '*',
+ $monthday = '*',
+ $month = '*',
+ $weekday = '*',
+ Integer $maxdelay = 90,
+ $user = 'root',
+ $delaycompress = true,
+ $size = '10M',
+ $rotate = 14,
+) {
+
+ if $step >= 4 {
+ if $maxdelay == 0 {
+ $sleep = ''
+ } else {
+ $sleep = "sleep `expr \${RANDOM} \\% ${maxdelay}`; "
+ }
+
+ $svc = 'logrotate-crond'
+ $config = "/etc/${svc}.conf"
+ $state = "/var/lib/logrotate/${svc}.status"
+ $cmd = "${sleep}/usr/sbin/logrotate -s ${state} ${config}"
+
+ file { "${config}":
+ ensure => $ensure,
+ owner => $user,
+ group => $user,
+ mode => '0640',
+ content => template('tripleo/logrotate/containers_logrotate.conf.erb'),
+ }
+
+ cron { "${svc}":
+ ensure => $ensure,
+ command => "${cmd} 2>&1|logger -t ${svc}",
+ environment => 'PATH=/bin:/usr/bin:/usr/sbin SHELL=/bin/sh',
+ user => $user,
+ minute => $minute,
+ hour => $hour,
+ monthday => $monthday,
+ month => $month,
+ weekday => $weekday,
+ }
+ }
+}
diff --git a/manifests/profile/base/manila/api.pp b/manifests/profile/base/manila/api.pp
index 95607ae..25c3890 100644
--- a/manifests/profile/base/manila/api.pp
+++ b/manifests/profile/base/manila/api.pp
@@ -26,6 +26,10 @@
# (Optional) Whether or not the netapp backend is enabled
# Defaults to hiera('manila_backend_netapp_enabled', false)
#
+# [*backend_vmax_enabled*]
+# (Optional) Whether or not the vmax backend is enabled
+# Defaults to hiera('manila_backend_vmax_enabled', false)
+#
# [*backend_cephfs_enabled*]
# (Optional) Whether or not the cephfs backend is enabled
# Defaults to hiera('manila_backend_cephfs_enabled', false)
@@ -42,6 +46,7 @@
class tripleo::profile::base::manila::api (
$backend_generic_enabled = hiera('manila_backend_generic_enabled', false),
$backend_netapp_enabled = hiera('manila_backend_netapp_enabled', false),
+ $backend_vmax_enabled = hiera('manila_backend_vmax_enabled', false),
$backend_cephfs_enabled = hiera('manila_backend_cephfs_enabled', false),
$bootstrap_node = hiera('bootstrap_nodeid', undef),
$step = Integer(hiera('step')),
@@ -55,7 +60,7 @@ class tripleo::profile::base::manila::api (
include ::tripleo::profile::base::manila
if $step >= 4 or ($step >= 3 and $sync_db) {
- if $backend_generic_enabled or $backend_netapp_enabled {
+ if $backend_generic_enabled or $backend_netapp_enabled or $backend_vmax_enabled {
$nfs_protocol = 'NFS'
$cifs_protocol = 'CIFS'
} else {
diff --git a/manifests/profile/base/nova/api.pp b/manifests/profile/base/nova/api.pp
index 0dcc754..2ff1add 100644
--- a/manifests/profile/base/nova/api.pp
+++ b/manifests/profile/base/nova/api.pp
@@ -46,18 +46,42 @@
# Nova Team discourages it.
# Defaults to hiera('nova_wsgi_enabled', false)
#
+# [*nova_metadata_network*]
+# (Optional) The network name where the nova metadata endpoint is listening on.
+# This is set by t-h-t.
+# Defaults to hiera('nova_metadata_network', undef)
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
# Defaults to hiera('step')
#
+# [*metadata_tls_proxy_bind_ip*]
+# IP on which the TLS proxy will listen on. Required only if
+# enable_internal_tls is set.
+# Defaults to undef
+#
+# [*metadata_tls_proxy_fqdn*]
+# fqdn on which the tls proxy will listen on. required only used if
+# enable_internal_tls is set.
+# defaults to undef
+#
+# [*metadata_tls_proxy_port*]
+# port on which the tls proxy will listen on. Only used if
+# enable_internal_tls is set.
+# defaults to 8080
+#
class tripleo::profile::base::nova::api (
$bootstrap_node = hiera('bootstrap_nodeid', undef),
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
$nova_api_network = hiera('nova_api_network', undef),
$nova_api_wsgi_enabled = hiera('nova_wsgi_enabled', false),
+ $nova_metadata_network = hiera('nova_metadata_network', undef),
$step = Integer(hiera('step')),
+ $metadata_tls_proxy_bind_ip = undef,
+ $metadata_tls_proxy_fqdn = undef,
+ $metadata_tls_proxy_port = 8775,
) {
if $::hostname == downcase($bootstrap_node) {
$sync_db = true
@@ -73,6 +97,22 @@ class tripleo::profile::base::nova::api (
}
if $step >= 4 or ($step >= 3 and $sync_db) {
+ if $enable_internal_tls {
+ if !$nova_metadata_network {
+ fail('nova_metadata_network is not set in the hieradata.')
+ }
+ $metadata_tls_certfile = $certificates_specs["httpd-${nova_metadata_network}"]['service_certificate']
+ $metadata_tls_keyfile = $certificates_specs["httpd-${nova_metadata_network}"]['service_key']
+
+ ::tripleo::tls_proxy { 'nova-metadata-api':
+ servername => $metadata_tls_proxy_fqdn,
+ ip => $metadata_tls_proxy_bind_ip,
+ port => $metadata_tls_proxy_port,
+ tls_cert => $metadata_tls_certfile,
+ tls_key => $metadata_tls_keyfile,
+ }
+ Tripleo::Tls_proxy['nova-metadata-api'] ~> Anchor<| title == 'nova::service::begin' |>
+ }
class { '::nova::api':
sync_db => $sync_db,
diff --git a/manifests/profile/pacemaker/manila.pp b/manifests/profile/pacemaker/manila.pp
index 25d389a..3fb4e0b 100644
--- a/manifests/profile/pacemaker/manila.pp
+++ b/manifests/profile/pacemaker/manila.pp
@@ -26,16 +26,14 @@
# (Optional) Whether or not the netapp backend is enabled
# Defaults to hiera('manila_backend_netapp_enabled', false)
#
+# [*backend_vmax_enabled*]
+# (Optional) Whether or not the vmax backend is enabled
+# Defaults to hiera('manila_backend_vmax_enabled', false)
+#
# [*backend_cephfs_enabled*]
# (Optional) Whether or not the cephfs backend is enabled
# Defaults to hiera('manila_backend_cephfs_enabled', false)
#
-# [*ceph_mds_enabled*]
-# (Optional) Whether or not the ceph mds is enabled. This option is used
-# to distinguish if an external ceph is used or if ceph is deployed by
-# tripleo. By default ceph mds is not deployed by tripleo.
-# Defaults to hiera('ceph_mds_enabled', false)
-#
# [*bootstrap_node*]
# (Optional) The hostname of the node responsible for bootstrapping tasks
# Defaults to hiera('manila_share_short_bootstrap_node_name')
@@ -52,8 +50,8 @@
class tripleo::profile::pacemaker::manila (
$backend_generic_enabled = hiera('manila_backend_generic_enabled', false),
$backend_netapp_enabled = hiera('manila_backend_netapp_enabled', false),
+ $backend_vmax_enabled = hiera('manila_backend_vmax_enabled', false),
$backend_cephfs_enabled = hiera('manila_backend_cephfs_enabled', false),
- $ceph_mds_enabled = hiera('ceph_mds_enabled', false),
$bootstrap_node = hiera('manila_share_short_bootstrap_node_name'),
$step = Integer(hiera('step')),
$pcs_tries = hiera('pcs_tries', 20),
@@ -119,12 +117,6 @@ class tripleo::profile::pacemaker::manila (
$cephfs_auth_id = hiera('manila::backend::cephfsnative::cephfs_auth_id')
$keyring_path = "/etc/ceph/ceph.client.${cephfs_auth_id}.keyring"
- # $ceph_mds_enabled is used to distinguish if an external ceph is used or
- # if ceph is deployed by TripleO
- if $ceph_mds_enabled {
- include ::ceph::profile::fs
- }
-
manila::backend::cephfsnative { $manila_cephfsnative_backend :
driver_handles_share_servers => hiera('manila::backend::cephfsnative::driver_handles_share_servers', false),
share_backend_name => hiera('manila::backend::cephfsnative::share_backend_name'),
@@ -134,21 +126,6 @@ class tripleo::profile::pacemaker::manila (
cephfs_enable_snapshots => hiera('manila::backend::cephfsnative::cephfs_enable_snapshots'),
}
- if !defined(Resource['ceph::key', "client.${cephfs_auth_id}"]) {
- ceph::key { "client.${cephfs_auth_id}" :
- secret => hiera('manila::backend::cephfsnative::ceph_client_key'),
- keyring_path => $keyring_path,
- # inject the new key into ceph cluster only if ceph is deployed by
- # tripleo (if external ceph is used it should be added manually)
- inject => $ceph_mds_enabled,
- user => 'manila',
- cap_mds => 'allow *',
- cap_mon => 'allow r, allow command \"auth del\", allow command \"auth caps\", \
-allow command \"auth get\", allow command \"auth get-or-create\"',
- cap_osd => 'allow rw'
- }
- }
-
ceph_config {
"client.${cephfs_auth_id}/keyring": value => $keyring_path;
"client.${cephfs_auth_id}/client mount uid": value => 0;
@@ -179,11 +156,30 @@ allow command \"auth get\", allow command \"auth get-or-create\"',
}
}
+ # manila vmax:
+ if $backend_vmax_enabled {
+ $manila_vmax_backend = hiera('manila::backend::dellemc_vmax::title')
+ manila::backend::dellemc_vmax { $manila_vmax_backend :
+ driver_handles_share_servers => hiera('manila::backend::dellemc_vmax::driver_handles_share_servers', true),
+ emc_nas_login => hiera('manila::backend::dellemc_vmax::emc_nas_login'),
+ emc_nas_password => hiera('manila::backend::dellemc_vmax::emc_nas_password'),
+ emc_nas_server => hiera('manila::backend::dellemc_vmax::emc_nas_server'),
+ emc_share_backend => hiera('manila::backend::dellemc_vmax::emc_share_backend','vmax'),
+ share_backend_name => hiera('manila::backend::dellemc_vmax::share_backend_name'),
+ vmax_server_container => hiera('manila::backend::dellemc_vmax::vmax_server_container'),
+ vmax_share_data_pools => hiera('manila::backend::dellemc_vmax::vmax_share_data_pools'),
+ vmax_ethernet_ports => hiera('manila::backend::dellemc_vmax::vmax_ethernet_ports'),
+ }
+ }
+
+
+
$manila_enabled_backends = delete_undef_values(
[
$manila_generic_backend,
$manila_cephfsnative_backend,
- $manila_netapp_backend
+ $manila_netapp_backend,
+ $manila_vmax_backend
]
)
class { '::manila::backends' :