7 files changed, 109 insertions, 28 deletions
diff --git a/manifests/certmonger/apache_dirs.pp b/manifests/certmonger/apache_dirs.pp
new file mode 100644
index 0000000..2588e46
--- /dev/null
+++ b/manifests/certmonger/apache_dirs.pp
@@ -0,0 +1,55 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# : = Class: tripleo::certmonger::apache_dirs
+#
+# Creates the necessary directories for apache's certificates and keys in the
+# assigned locations if specified. It also assigns the correct SELinux tags.
+#
+# === Parameters:
+#
+# [*certificate_dir*]
+#   (Optional) Directory where apache's certificates will be stored. If left
+#   unspecified, it won't be created.
+#   Defaults to undef
+#
+# [*key_dir*]
+#   (Optional) Directory where apache's keys will be stored.
+#   Defaults to undef
+#
+class tripleo::certmonger::apache_dirs(
+  $certificate_dir = undef,
+  $key_dir         = undef,
+){
+
+  if $certificate_dir {
+    file { $certificate_dir :
+      ensure  => 'directory',
+      selrole => 'object_r',
+      seltype => 'cert_t',
+      seluser => 'system_u',
+    }
+    File[$certificate_dir] ~> Certmonger_certificate<| tag == 'apache-cert' |>
+  }
+
+  if $key_dir {
+    file { $key_dir :
+      ensure  => 'directory',
+      selrole => 'object_r',
+      seltype => 'cert_t',
+      seluser => 'system_u',
+    }
+    File[$key_dir] ~> Certmonger_certificate<| tag == 'apache-cert' |>
+  }
+}
diff --git a/manifests/certmonger/httpd.pp b/manifests/certmonger/httpd.pp
index 94b48b7..74c0b5a 100644
--- a/manifests/certmonger/httpd.pp
+++ b/manifests/certmonger/httpd.pp
@@ -55,6 +55,7 @@ define tripleo::certmonger::httpd (
     postsave_cmd => $postsave_cmd,
     ca           => $certmonger_ca,
     wait         => true,
+    tag          => 'apache-cert',
     require      => Class['::certmonger'],
   }
 
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 87c4909..a32c8d9 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -428,6 +428,10 @@
 #  (optional) Specify the network ec2_api_metadata is running on.
 #  Defaults to hiera('ec2_api_network', undef)
 #
+# [*etcd_network*]
+#  (optional) Specify the network etcd is running on.
+#  Defaults to hiera('etcd_network', undef)
+#
 # [*opendaylight_network*]
 #  (optional) Specify the network opendaylight is running on.
 #  Defaults to hiera('opendaylight_api_network', undef)
@@ -623,6 +627,7 @@ class tripleo::haproxy (
   $ovn_dbs_network             = hiera('ovn_dbs_network', undef),
   $ec2_api_network             = hiera('ec2_api_network', undef),
   $ec2_api_metadata_network    = hiera('ec2_api_network', undef),
+  $etcd_network                = hiera('etcd_network', undef),
   $sahara_network              = hiera('sahara_api_network', undef),
   $swift_proxy_server_network  = hiera('swift_proxy_network', undef),
   $tacker_network              = hiera('tacker_api_network', undef),
@@ -651,6 +656,7 @@ class tripleo::haproxy (
     contrail_webui_https_port => 8143,
     docker_registry_port => 8787,
     docker_registry_ssl_port => 13787,
+    etcd_port => 2379,
     glance_api_port => 9292,
     glance_api_ssl_port => 13292,
     gnocchi_api_port => 8041,
@@ -791,11 +797,6 @@ class tripleo::haproxy (
     "${redis_vip}:6379" => $haproxy_listen_bind_param,
   }
 
-  $etcd_vip = hiera('etcd_vip', $controller_virtual_ip)
-  $etcd_bind_opts = {
-    "${etcd_vip}:2379" => $haproxy_listen_bind_param,
-  }
-
   class { '::haproxy':
     service_manage   => $haproxy_service_manage,
     global_options   => {
@@ -1346,19 +1347,15 @@ class tripleo::haproxy (
   }
 
   if $etcd {
-    haproxy::listen { 'etcd':
-      bind             => $etcd_bind_opts,
-      options          => {
+    ::tripleo::haproxy::endpoint { 'etcd':
+      internal_ip     => hiera('etcd_vip', $controller_virtual_ip),
+      service_port    => $ports[etcd_port],
+      ip_addresses    => hiera('etcd_node_ips', $controller_hosts_real),
+      server_names    => hiera('etcd_node_names', $controller_hosts_names_real),
+      service_network => $etcd_network,
+      listen_options  => {
         'balance' => 'source',
-      },
-      collect_exported => false,
-    }
-    haproxy::balancermember { 'etcd':
-      listening_service => 'etcd',
-      ports             => '2379',
-      ipaddresses       => hiera('etcd_node_ips', $controller_hosts_real),
-      server_names      => hiera('etcd_node_names', $controller_hosts_names_real),
-      options           => $haproxy_member_options,
+      }
     }
   }
 
diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp
index 424ef09..4d91ac9 100644
--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
@@ -68,6 +68,7 @@ class tripleo::profile::base::certmonger_user (
   include ::tripleo::certmonger::ca::libvirt
 
   unless empty($apache_certificates_specs) {
+    include ::tripleo::certmonger::apache_dirs
     ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs)
   }
   unless empty($libvirt_certificates_specs) {
diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp
index 5e18a85..4797d86 100644
--- a/manifests/profile/base/docker.pp
+++ b/manifests/profile/base/docker.pp
@@ -28,12 +28,17 @@
 #   Set docker_namespace to INSECURE_REGISTRY, used when a local registry
 #   is enabled (defaults to false)
 #
+# [*registry_mirror*]
+#   Configure a registry-mirror in the /etc/docker/daemon.json file.
+#   (defaults to false)
+#
 # [*step*]
 #   step defaults to hiera('step')
 #
 class tripleo::profile::base::docker (
   $docker_namespace = undef,
   $insecure_registry = false,
+  $registry_mirror = false,
   $step = hiera('step'),
 ) {
   if $step >= 1 {
@@ -64,5 +69,23 @@ class tripleo::profile::base::docker (
       subscribe => Package['docker'],
       notify    => Service['docker'],
     }
+
+    if $registry_mirror {
+      $mirror_changes = [
+        'set dict/entry[. = "registry-mirrors"] "registry-mirrors',
+        "set dict/entry[. = \"registry-mirrors\"]/array/string \"${registry_mirror}\""
+      ]
+    } else {
+      $mirror_changes = [ 'rm dict/entry[. = "registry-mirrors"]', ]
+    }
+
+    augeas { 'docker-daemon.json':
+      lens      => 'Json.lns',
+      incl      => '/etc/docker/daemon.json',
+      changes   => $mirror_changes,
+      subscribe => Package['docker'],
+      notify    => Service['docker'],
+    }
+
   }
 }
diff --git a/manifests/profile/base/docker_registry.pp b/manifests/profile/base/docker_registry.pp
index 2f1783d..cb262d9 100644
--- a/manifests/profile/base/docker_registry.pp
+++ b/manifests/profile/base/docker_registry.pp
@@ -31,19 +31,28 @@
 #  network
 #  Defaults to hiera('controller_admin_host')
 #
+# [*enable_container_images_build*]
+#  (Optional) Whether to install tools to build docker container images
+#  Defaults to hiera('enable_container_images_build', true)
+#
 class tripleo::profile::base::docker_registry (
-  $registry_host       = hiera('controller_host'),
-  $registry_port       = 8787,
-  $registry_admin_host = hiera('controller_admin_host'),
+  $registry_host                 = hiera('controller_host'),
+  $registry_port                 = 8787,
+  $registry_admin_host           = hiera('controller_admin_host'),
+  $enable_container_images_build = hiera('enable_container_images_build', true),
 ) {
+
+  include ::tripleo::profile::base::docker
+
   # We want a v2 registry
   package{'docker-registry':
     ensure        => absent,
     allow_virtual => false,
   }
   package{'docker-distribution': }
-  package{'docker': }
-  package{'openstack-kolla': }
+  if str2bool($enable_container_images_build) {
+    package{'openstack-kolla': }
+  }
   file { '/etc/docker-distribution/registry/config.yml' :
     ensure  => file,
     content => template('tripleo/docker_distribution/registry_config.yml.erb'),
@@ -68,9 +77,4 @@ class tripleo::profile::base::docker_registry (
     enable  => true,
     require => Package['docker-distribution'],
   }
-  service { 'docker':
-    ensure  => running,
-    enable  => true,
-    require => Package['docker'],
-  }
 }
diff --git a/manifests/profile/base/sshd.pp b/manifests/profile/base/sshd.pp
index f43089c..2b86032 100644
--- a/manifests/profile/base/sshd.pp
+++ b/manifests/profile/base/sshd.pp
@@ -32,7 +32,7 @@ class tripleo::profile::base::sshd (
   $motd = hiera('MOTD', undef),
 ) {
 
-  include ::ssh
+  include ::ssh::server
 
   if $bannertext {
     $filelist = [ '/etc/issue', '/etc/issue.net', ]