Diffstat (limited to 'manifests')
-rw-r--r--manifests/certmonger/mysql.pp9
-rw-r--r--manifests/glance/nfs_mount.pp2
-rw-r--r--manifests/haproxy.pp44
-rw-r--r--manifests/profile/base/aodh/api.pp12
-rw-r--r--manifests/profile/base/ceilometer/api.pp13
-rw-r--r--manifests/profile/base/database/mysql.pp7
-rw-r--r--manifests/profile/base/heat/api.pp13
-rw-r--r--manifests/profile/base/heat/api_cfn.pp13
-rw-r--r--manifests/profile/base/heat/api_cloudwatch.pp13
-rw-r--r--manifests/profile/base/horizon.pp13
-rw-r--r--manifests/profile/base/ironic/api.pp58
-rw-r--r--manifests/profile/base/kernel.pp28
-rw-r--r--manifests/profile/base/metrics/collectd.pp9
-rw-r--r--manifests/profile/base/mistral/api.pp6
-rw-r--r--manifests/profile/base/neutron/opendaylight/configure_cluster.pp45
-rw-r--r--manifests/profile/base/neutron/opendaylight/create_cluster.pp43
-rw-r--r--manifests/profile/base/neutron/plugins/ml2.pp4
-rw-r--r--manifests/profile/base/neutron/plugins/ml2/nuage.pp (renamed from manifests/profile/base/ui.pp)23
-rw-r--r--manifests/profile/base/neutron/server.pp12
-rw-r--r--manifests/profile/base/nova/placement.pp6
-rw-r--r--manifests/profile/base/swift/proxy.pp16
-rw-r--r--manifests/profile/base/zaqar.pp15
-rw-r--r--manifests/profile/pacemaker/database/mysql.pp49
-rw-r--r--manifests/ui.pp3
24 files changed, 393 insertions, 63 deletions
diff --git a/manifests/certmonger/mysql.pp b/manifests/certmonger/mysql.pp
index dd9b184..0988c55 100644
--- a/manifests/certmonger/mysql.pp
+++ b/manifests/certmonger/mysql.pp
@@ -31,6 +31,12 @@
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
+# [*dnsnames*]
+# (Optional) The DNS names that will be added for the SubjectAltNames entry
+# in the certificate. If left unset, the value will be set to the $hostname.
+# This parameter can take both a string or an array of strings.
+# Defaults to $hostname
+#
# [*principal*]
# (Optional) The haproxy service principal that is set for MySQL in kerberos.
# Defaults to undef
@@ -40,6 +46,7 @@ class tripleo::certmonger::mysql (
$service_certificate,
$service_key,
$certmonger_ca = hiera('certmonger_ca', 'local'),
+ $dnsnames = $hostname,
$principal = undef,
) {
include ::certmonger
@@ -51,7 +58,7 @@ class tripleo::certmonger::mysql (
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
- dnsname => $hostname,
+ dnsname => $dnsnames,
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
diff --git a/manifests/glance/nfs_mount.pp b/manifests/glance/nfs_mount.pp
index 035191d..674bdd0 100644
--- a/manifests/glance/nfs_mount.pp
+++ b/manifests/glance/nfs_mount.pp
@@ -43,7 +43,7 @@ class tripleo::glance::nfs_mount (
$options = 'intr,context=system_u:object_r:glance_var_lib_t:s0',
$edit_fstab = true,
$fstab_fstype = 'nfs4',
- $fstab_prepend_options = 'bg'
+ $fstab_prepend_options = '_netdev,bg'
) {
$images_dir = '/var/lib/glance/images'
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 6b305cb..2f29674 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -155,6 +155,10 @@
# When set, enables SSL on the haproxy stats endpoint using the specified file.
# Defaults to undef
#
+# [*haproxy_stats*]
+# (optional) Enable or not the haproxy stats interface
+# Defaults to true
+#
# [*keystone_admin*]
# (optional) Enable or not Keystone Admin API binding
# Defaults to hiera('keystone_enabled', false)
@@ -279,6 +283,10 @@
# (optional) Enable check via clustercheck for mysql
# Defaults to false
#
+# [*mysql_max_conn*]
+# (optional) Set the maxconn parameter for mysql
+# Defaults to undef
+#
# [*mysql_member_options*]
# The options to use for the mysql HAProxy balancer members.
# If this parameter is undefined, the actual value configured will depend
@@ -522,7 +530,7 @@
# 'nova_novnc_port' (Defaults to 6080)
# 'nova_novnc_ssl_port' (Defaults to 13080)
# 'opendaylight_api_port' (Defaults to 8081)
-# 'panko_api_port' (Defaults to 8779)
+# 'panko_api_port' (Defaults to 8977)
# 'panko_api_ssl_port' (Defaults to 13779)
# 'ovn_nbdb_port' (Defaults to 6641)
# 'ovn_sbdb_port' (Defaults to 6642)
@@ -571,6 +579,7 @@ class tripleo::haproxy (
$ca_bundle = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
$crl_file = undef,
$haproxy_stats_certificate = undef,
+ $haproxy_stats = true,
$keystone_admin = hiera('keystone_enabled', false),
$keystone_public = hiera('keystone_enabled', false),
$neutron = hiera('neutron_api_enabled', false),
@@ -602,6 +611,7 @@ class tripleo::haproxy (
$ironic_inspector = hiera('ironic_inspector_enabled', false),
$mysql = hiera('mysql_enabled', false),
$mysql_clustercheck = false,
+ $mysql_max_conn = undef,
$mysql_member_options = undef,
$rabbitmq = false,
$etcd = hiera('etcd_enabled', false),
@@ -706,7 +716,7 @@ class tripleo::haproxy (
nova_novnc_port => 6080,
nova_novnc_ssl_port => 13080,
opendaylight_api_port => 8081,
- panko_api_port => 8779,
+ panko_api_port => 8977,
panko_api_ssl_port => 13779,
ovn_nbdb_port => 6641,
ovn_sbdb_port => 6642,
@@ -871,19 +881,21 @@ class tripleo::haproxy (
listen_options => $default_listen_options,
}
- $stats_base = ['enable', 'uri /']
- if $haproxy_stats_password {
- $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"])
- } else {
- $stats_config = $stats_base
- }
- haproxy::listen { 'haproxy.stats':
- bind => $haproxy_stats_bind_opts,
- mode => 'http',
- options => {
- 'stats' => $stats_config,
- },
- collect_exported => false,
+ if $haproxy_stats {
+ $stats_base = ['enable', 'uri /']
+ if $haproxy_stats_password {
+ $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"])
+ } else {
+ $stats_config = $stats_base
+ }
+ haproxy::listen { 'haproxy.stats':
+ bind => $haproxy_stats_bind_opts,
+ mode => 'http',
+ options => {
+ 'stats' => $stats_config,
+ },
+ collect_exported => false,
+ }
}
if $keystone_admin {
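Review bot: With `$haproxy_stats` defaulting to true, the `else` branch inside the new `if $haproxy_stats` block still publishes the stats page at `uri /` with no `auth` line whenever `$haproxy_stats_password` is unset. The parameter doc added earlier in this file should say so, e.g. `# When enabled without haproxy_stats_password the stats page is served unauthenticated; restrict the stats bind address or set this to false.` When a password is set it is interpolated into the `auth` option and so ends up in the rendered HAProxy configuration, which makes that file's permissions matter.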
@@ -1314,6 +1326,7 @@ class tripleo::haproxy (
'timeout server' => '90m',
'stick-table' => 'type ip size 1000',
'stick' => 'on dst',
+ 'maxconn' => $mysql_max_conn
}
if $mysql_member_options {
$mysql_member_options_real = $mysql_member_options
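Review bot: `'maxconn' => $mysql_max_conn` is added to the listen options unconditionally, so with the default of undef the hash carries an undef-valued `maxconn` key; the same applies to the second `$mysql_listen_options` hash in the next hunk. Whether that renders as a bare `maxconn` line depends on how the haproxy module's template treats undef values, which is not visible here. Consider adding the key only when the parameter is set, or wrapping the hash in `delete_undef_values(...)`.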
@@ -1324,6 +1337,7 @@ class tripleo::haproxy (
$mysql_listen_options = {
'timeout client' => '90m',
'timeout server' => '90m',
+ 'maxconn' => $mysql_max_conn
}
if $mysql_member_options {
$mysql_member_options_real = $mysql_member_options
diff --git a/manifests/profile/base/aodh/api.pp b/manifests/profile/base/aodh/api.pp
index 300c0ca..d6ec32b 100644
--- a/manifests/profile/base/aodh/api.pp
+++ b/manifests/profile/base/aodh/api.pp
@@ -23,6 +23,10 @@
# This is set by t-h-t.
# Defaults to hiera('aodh_api_network', undef)
#
+# [*bootstrap_node*]
+# (Optional) The hostname of the node responsible for bootstrapping tasks
+# Defaults to hiera('bootstrap_nodeid')
+#
# [*certificates_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
@@ -47,10 +51,16 @@
class tripleo::profile::base::aodh::api (
$aodh_network = hiera('aodh_api_network', undef),
+ $bootstrap_node = hiera('bootstrap_nodeid', undef),
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
$step = Integer(hiera('step')),
) {
+ if $::hostname == downcase($bootstrap_node) {
+ $is_bootstrap = true
+ } else {
+ $is_bootstrap = false
+ }
include ::tripleo::profile::base::aodh
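Review bot: The five-line `if $::hostname == downcase($bootstrap_node) { … } else { … }` block can be the single assignment `$is_bootstrap = ($::hostname == downcase($bootstrap_node))`, and the same block is repeated in the ceilometer, heat (api, api_cfn, api_cloudwatch), horizon, ironic, swift proxy and zaqar profiles in this change. The parameter doc gives the default as `hiera('bootstrap_nodeid')` while the code uses `hiera('bootstrap_nodeid', undef)`. When the key is absent `downcase()` receives undef, and how stdlib handles that is not visible here, so a short comment stating that a missing key means "never the bootstrap node" would help.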
@@ -66,7 +76,7 @@ class tripleo::profile::base::aodh::api (
}
- if $step >= 3 {
+ if $step >= 4 or ( $step >= 3 and $is_bootstrap ) {
include ::aodh::api
include ::apache::mod::ssl
class { '::aodh::wsgi::apache':
diff --git a/manifests/profile/base/ceilometer/api.pp b/manifests/profile/base/ceilometer/api.pp
index 6a30a40..11c1da3 100644
--- a/manifests/profile/base/ceilometer/api.pp
+++ b/manifests/profile/base/ceilometer/api.pp
@@ -23,6 +23,10 @@
# This is set by t-h-t.
# Defaults to hiera('ceilometer_api_network', undef)
#
+# [*bootstrap_node*]
+# (Optional) The hostname of the node responsible for bootstrapping tasks
+# Defaults to hiera('bootstrap_nodeid')
+#
# [*certificates_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
@@ -45,11 +49,18 @@
# Defaults to hiera('step')
#
class tripleo::profile::base::ceilometer::api (
+ $bootstrap_node = hiera('bootstrap_nodeid', undef),
$ceilometer_network = hiera('ceilometer_api_network', undef),
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
$step = Integer(hiera('step')),
) {
+ if $::hostname == downcase($bootstrap_node) {
+ $is_bootstrap = true
+ } else {
+ $is_bootstrap = false
+ }
+
include ::tripleo::profile::base::ceilometer
if $enable_internal_tls {
@@ -63,7 +74,7 @@ class tripleo::profile::base::ceilometer::api (
$tls_keyfile = undef
}
- if $step >= 3 {
+ if $step >= 4 or ( $step >= 3 and $is_bootstrap ) {
include ::ceilometer::api
include ::apache::mod::ssl
class { '::ceilometer::wsgi::apache':
diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp
index 8eb6079..fbb8b11 100644
--- a/manifests/profile/base/database/mysql.pp
+++ b/manifests/profile/base/database/mysql.pp
@@ -95,6 +95,9 @@ class tripleo::profile::base::database::mysql (
if $enable_internal_tls {
$tls_certfile = $certificate_specs['service_certificate']
$tls_keyfile = $certificate_specs['service_key']
+
+ # Force users/grants created to use TLS connections
+ Openstacklib::Db::Mysql <||> { tls_options => ['SSL'] }
} else {
$tls_certfile = undef
$tls_keyfile = undef
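Review bot: The comment on the collector override overstates what `tls_options => ['SSL']` gives: it makes the server refuse unencrypted logins for those accounts, but it does not require a client certificate and does nothing to make clients verify the server certificate. I would word it as `# Require TLS for every openstacklib-managed DB user (encryption only; no client-cert check, clients must still verify the server cert)`. The empty `<||>` collector also rewrites every `Openstacklib::Db::Mysql` resource in the catalog, including any declared outside this profile, which is worth stating in the same comment.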
@@ -217,6 +220,10 @@ class tripleo::profile::base::database::mysql (
if hiera('ec2_api_enabled', false) {
include ::ec2api::db::mysql
}
+ if hiera('zaqar_enabled', false) and hiera('zaqar::db::mysql::user', '') == 'zaqar' {
+ # NOTE: by default zaqar uses mongodb
+ include ::zaqar::db::mysql
+ }
}
}
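Review bot: The guard `hiera('zaqar::db::mysql::user', '') == 'zaqar'` infers the backend from a user name, so a deployment that uses MySQL for zaqar under any other user name silently gets no database. The NOTE should say that explicitly, e.g. `# NOTE: zaqar defaults to mongodb; the MySQL schema is only created when zaqar::db::mysql::user is exactly 'zaqar'`, or the check should test that the key is set rather than compare its value. The enclosing block starts outside the hunk.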
diff --git a/manifests/profile/base/heat/api.pp b/manifests/profile/base/heat/api.pp
index ff90590..2221b37 100644
--- a/manifests/profile/base/heat/api.pp
+++ b/manifests/profile/base/heat/api.pp
@@ -18,6 +18,10 @@
#
# === Parameters
#
+# [*bootstrap_node*]
+# (Optional) The hostname of the node responsible for bootstrapping tasks
+# Defaults to hiera('bootstrap_nodeid')
+#
# [*certificates_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
@@ -45,11 +49,18 @@
# Defaults to hiera('step')
#
class tripleo::profile::base::heat::api (
+ $bootstrap_node = hiera('bootstrap_nodeid', undef),
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
$heat_api_network = hiera('heat_api_network', undef),
$step = Integer(hiera('step')),
) {
+ if $::hostname == downcase($bootstrap_node) {
+ $is_bootstrap = true
+ } else {
+ $is_bootstrap = false
+ }
+
include ::tripleo::profile::base::heat
if $enable_internal_tls {
@@ -63,7 +74,7 @@ class tripleo::profile::base::heat::api (
$tls_keyfile = undef
}
- if $step >= 3 {
+ if $step >= 4 or ( $step >= 3 and $is_bootstrap ) {
include ::heat::api
include ::apache::mod::ssl
class { '::heat::wsgi::apache_api':
diff --git a/manifests/profile/base/heat/api_cfn.pp b/manifests/profile/base/heat/api_cfn.pp
index e14760a..1014b04 100644
--- a/manifests/profile/base/heat/api_cfn.pp
+++ b/manifests/profile/base/heat/api_cfn.pp
@@ -18,6 +18,10 @@
#
# === Parameters
#
+# [*bootstrap_node*]
+# (Optional) The hostname of the node responsible for bootstrapping tasks
+# Defaults to hiera('bootstrap_nodeid')
+#
# [*certificates_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
@@ -45,11 +49,18 @@
# Defaults to hiera('step')
#
class tripleo::profile::base::heat::api_cfn (
+ $bootstrap_node = hiera('bootstrap_nodeid', undef),
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
$heat_api_cfn_network = hiera('heat_api_cfn_network', undef),
$step = Integer(hiera('step')),
) {
+ if $::hostname == downcase($bootstrap_node) {
+ $is_bootstrap = true
+ } else {
+ $is_bootstrap = false
+ }
+
include ::tripleo::profile::base::heat
if $enable_internal_tls {
@@ -63,7 +74,7 @@ class tripleo::profile::base::heat::api_cfn (
$tls_keyfile = undef
}
- if $step >= 3 {
+ if $step >= 4 or ( $step >= 3 and $is_bootstrap ) {
include ::heat::api_cfn
include ::apache::mod::ssl
diff --git a/manifests/profile/base/heat/api_cloudwatch.pp b/manifests/profile/base/heat/api_cloudwatch.pp
index 83d5307..4caac9d 100644
--- a/manifests/profile/base/heat/api_cloudwatch.pp
+++ b/manifests/profile/base/heat/api_cloudwatch.pp
@@ -18,6 +18,10 @@
#
# === Parameters
#
+# [*bootstrap_node*]
+# (Optional) The hostname of the node responsible for bootstrapping tasks
+# Defaults to hiera('bootstrap_nodeid')
+#
# [*certificates_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
@@ -45,11 +49,18 @@
# Defaults to hiera('step')
#
class tripleo::profile::base::heat::api_cloudwatch (
+ $bootstrap_node = hiera('bootstrap_nodeid', undef),
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
$heat_api_cloudwatch_network = hiera('heat_api_cloudwatch_network', undef),
$step = Integer(hiera('step')),
) {
+ if $::hostname == downcase($bootstrap_node) {
+ $is_bootstrap = true
+ } else {
+ $is_bootstrap = false
+ }
+
include ::tripleo::profile::base::heat
if $enable_internal_tls {
@@ -63,7 +74,7 @@ class tripleo::profile::base::heat::api_cloudwatch (
$tls_keyfile = undef
}
- if $step >= 3 {
+ if $step >= 4 or ( $step >= 3 and $is_bootstrap ) {
include ::heat::api_cloudwatch
include ::apache::mod::ssl
diff --git a/manifests/profile/base/horizon.pp b/manifests/profile/base/horizon.pp
index 12482b6..26ea20f 100644
--- a/manifests/profile/base/horizon.pp
+++ b/manifests/profile/base/horizon.pp
@@ -23,15 +23,26 @@
# for more details.
# Defaults to hiera('step')
#
+# [*bootstrap_node*]
+# (Optional) The hostname of the node responsible for bootstrapping tasks
+# Defaults to hiera('bootstrap_nodeid')
+#
# [*neutron_options*]
# (Optional) A hash of parameters to enable features specific to Neutron
# Defaults to hiera('horizon::neutron_options', {})
#
class tripleo::profile::base::horizon (
$step = Integer(hiera('step')),
+ $bootstrap_node = hiera('bootstrap_nodeid', undef),
$neutron_options = hiera('horizon::neutron_options', {}),
) {
- if $step >= 3 {
+ if $::hostname == downcase($bootstrap_node) {
+ $is_bootstrap = true
+ } else {
+ $is_bootstrap = false
+ }
+
+ if $step >= 4 or ( $step >= 3 and $is_bootstrap ) {
# Horizon
include ::apache::mod::remoteip
include ::apache::mod::status
diff --git a/manifests/profile/base/ironic/api.pp b/manifests/profile/base/ironic/api.pp
index 94b7efe..bbc91f5 100644
--- a/manifests/profile/base/ironic/api.pp
+++ b/manifests/profile/base/ironic/api.pp
@@ -18,16 +18,68 @@
#
# === Parameters
#
+# [*bootstrap_node*]
+# (Optional) The hostname of the node responsible for bootstrapping tasks
+# Defaults to hiera('bootstrap_nodeid')
+#
+# [*certificates_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Example with hiera:
+# apache_certificates_specs:
+# httpd-internal_api:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "haproxy/<overcloud controller fqdn>"
+# Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*ironic_api_network*]
+# (Optional) The network name where the ironic API endpoint is listening on.
+# This is set by t-h-t.
+# Defaults to hiera('ironic_api_network', undef)
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
# [*step*]
# (Optional) The current step of the deployment
# Defaults to hiera('step')
#
class tripleo::profile::base::ironic::api (
- $step = Integer(hiera('step')),
+ $bootstrap_node = hiera('bootstrap_nodeid', undef),
+ $certificates_specs = hiera('apache_certificates_specs', {}),
+ $ironic_api_network = hiera('ironic_api_network', undef),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
+ $step = Integer(hiera('step')),
) {
include ::tripleo::profile::base::ironic
- if $step >= 4 {
- include ::ironic::api
+ if $::hostname == downcase($bootstrap_node) {
+ $is_bootstrap = true
+ } else {
+ $is_bootstrap = false
}
+
+ if $enable_internal_tls {
+ if !$ironic_api_network {
+ fail('ironic_api_network is not set in the hieradata.')
+ }
+ $tls_certfile = $certificates_specs["httpd-${ironic_api_network}"]['service_certificate']
+ $tls_keyfile = $certificates_specs["httpd-${ironic_api_network}"]['service_key']
+ } else {
+ $tls_certfile = undef
+ $tls_keyfile = undef
+ }
+
+ if $step >= 4 or ( $step >= 3 and $is_bootstrap ) {
+ include ::ironic::api
+ include ::apache::mod::ssl
+ class { '::ironic::wsgi::apache':
+ ssl_cert => $tls_certfile,
+ ssl_key => $tls_keyfile,
+ }
+ }
+
}
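Review bot: `$certificates_specs["httpd-${ironic_api_network}"]['service_certificate']` indexes the spec hash without checking that the entry exists, so with internal TLS enabled and no `httpd-<network>` spec the catalog fails on an undef lookup instead of a readable message. A guard next to the existing network check would help: `if !$certificates_specs["httpd-${ironic_api_network}"] { fail("No certificate spec for httpd-${ironic_api_network}.") }`. The added doc also names the default as `hiera('apache_certificate_specs', {})` while the parameter reads `apache_certificates_specs`.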
diff --git a/manifests/profile/base/kernel.pp b/manifests/profile/base/kernel.pp
index df13a98..48caf37 100644
--- a/manifests/profile/base/kernel.pp
+++ b/manifests/profile/base/kernel.pp
@@ -17,14 +17,32 @@
#
# Load and configure Kernel modules.
#
-class tripleo::profile::base::kernel {
+# === Parameters
+#
+# [*module_list*]
+# (Optional) List of kernel modules to load.
+# Defaults to hiera('kernel_modules')
+#
+# [*sysctl_settings*]
+# (Optional) List of sysctl settings to load.
+# Defaults to hiera('sysctl_settings')
+#
+class tripleo::profile::base::kernel (
+ $module_list = hiera('kernel_modules', undef),
+ $sysctl_settings = hiera('sysctl_settings', undef),
+) {
- if hiera('kernel_modules', undef) {
- create_resources(kmod::load, hiera('kernel_modules'), { })
+ if $module_list {
+ create_resources(kmod::load, $module_list, { })
}
- if hiera('sysctl_settings', undef) {
- create_resources(sysctl::value, hiera('sysctl_settings'), { })
+ if $sysctl_settings {
+ create_resources(sysctl::value, $sysctl_settings, { })
}
Exec <| tag == 'kmod::load' |> -> Sysctl <| |>
+ # RHEL 7.4+ workaround where this functionality is built into the
+ # kernel instead of being built as a module.
+ # That way, we can support both 7.3 and 7.4 RHEL versions.
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1387537
+ Exec <| title == 'modprobe nf_conntrack_proto_sctp' |> { returns => [0,1] }
}
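Review bot: `returns => [0,1]` on the `modprobe nf_conntrack_proto_sctp` exec makes every exit status 1 count as success, so a genuine load failure on a host where the module is expected is reported as applied and the `Sysctl` resources ordered after it run anyway. The comment should state that trade-off, and narrowing the override would be safer, for example applying it only when a kernel or OS release fact shows the functionality is built in. The collector matches on the exec title, so it silently stops applying if the kmod module changes how it titles the resource.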
diff --git a/manifests/profile/base/metrics/collectd.pp b/manifests/profile/base/metrics/collectd.pp
index 098f795..088e6e2 100644
--- a/manifests/profile/base/metrics/collectd.pp
+++ b/manifests/profile/base/metrics/collectd.pp
@@ -23,6 +23,11 @@
# for more details.
# Defaults to hiera('step')
#
+# [*enable_file_logging*]
+# (Optional) Boolean. Whether to enable logfile plugin.
+# which we should send metrics.
+# Defaults to false
+#
# [*collectd_server*]
# (Optional) String. The name or address of a collectd server to
# which we should send metrics.
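Review bot: The new `enable_file_logging` doc carries a line copied from the `collectd_server` entry below it: `# which we should send metrics.` does not belong to this parameter and should be dropped. Since the profile includes `::collectd::plugin::logfile` with no arguments, the doc could also say that the log path and level come from that class's own parameters.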
@@ -49,6 +54,7 @@
class tripleo::profile::base::metrics::collectd (
$step = Integer(hiera('step')),
+ $enable_file_logging = false,
$collectd_server = undef,
$collectd_port = undef,
$collectd_username = undef,
@@ -58,6 +64,9 @@ class tripleo::profile::base::metrics::collectd (
) {
if $step >= 3 {
include ::collectd
+ if $enable_file_logging {
+ include ::collectd::plugin::logfile
+ }
if ! ($collectd_securitylevel in [undef, 'None', 'Sign', 'Encrypt']) {
fail('collectd_securitylevel must be one of (None, Sign, Encrypt).')
diff --git a/manifests/profile/base/mistral/api.pp b/manifests/profile/base/mistral/api.pp
index 2ea5c9a..b5ca85e 100644
--- a/manifests/profile/base/mistral/api.pp
+++ b/manifests/profile/base/mistral/api.pp
@@ -56,9 +56,9 @@ class tripleo::profile::base::mistral::api (
$step = Integer(hiera('step')),
) {
if $::hostname == downcase($bootstrap_node) {
- $sync_db = true
+ $is_bootstrap = true
} else {
- $sync_db = false
+ $is_bootstrap = false
}
include ::tripleo::profile::base::mistral
@@ -74,7 +74,7 @@ class tripleo::profile::base::mistral::api (
$tls_keyfile = undef
}
- if $step >= 3 {
+ if $step >= 4 or ( $step >= 3 and $is_bootstrap ) {
include ::mistral::api
include ::apache::mod::ssl
class { '::mistral::wsgi::apache':
diff --git a/manifests/profile/base/neutron/opendaylight/configure_cluster.pp b/manifests/profile/base/neutron/opendaylight/configure_cluster.pp
new file mode 100644
index 0000000..022e8ae
--- /dev/null
+++ b/manifests/profile/base/neutron/opendaylight/configure_cluster.pp
@@ -0,0 +1,45 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Configures an OpenDaylight cluster.
+# It creates the akka configuration file for ODL to cluster correctly
+# It will not configure clustering if less than 3 nodes
+#
+# == Function: tripleo::profile::base::neutron::opendaylight::configure_cluster
+#
+# == Parameters
+#
+# [*node_name*]
+# The short hostname of node
+#
+# [*odl_api_ips*] Array of IPs per ODL node
+# Defaults to empty array
+#
+define tripleo::profile::base::neutron::opendaylight::configure_cluster(
+ $node_name,
+ $odl_api_ips = [],
+) {
+ validate_array($odl_api_ips)
+ if size($odl_api_ips) > 2 {
+ $node_string = split($node_name, '-')
+ $ha_node_index = $node_string[-1] + 1
+ $ha_node_ip_str = join($odl_api_ips, ' ')
+ exec { 'Configure ODL Clustering':
+ command => "configure_cluster.sh ${ha_node_index} ${ha_node_ip_str}",
+ path => '/opt/opendaylight/bin/:/usr/sbin:/usr/bin:/sbin:/bin',
+ creates => '/opt/opendaylight/configuration/initial/akka.conf'
+ }
+ }
+}
+
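Review bot: `$node_name` and `$odl_api_ips` reach the `exec` command string with no check beyond `validate_array`. `$node_string[-1] + 1` assumes the hostname ends in `-<number>`; any other name fails compilation with an arithmetic error rather than a clear message, and the IP list is joined into the command line as-is. I would validate both before use, e.g. `validate_re($node_name, '-\d+$')` plus an IP-address check on each entry of the array. The header also labels this `== Function:` although it is a `define`, and `creates` means a later change in cluster membership is never re-applied, which deserves a comment.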
diff --git a/manifests/profile/base/neutron/opendaylight/create_cluster.pp b/manifests/profile/base/neutron/opendaylight/create_cluster.pp
new file mode 100644
index 0000000..c3e4f7f
--- /dev/null
+++ b/manifests/profile/base/neutron/opendaylight/create_cluster.pp
@@ -0,0 +1,43 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Configures an OpenDaylight cluster.
+# It creates the akka configuration file for ODL to cluster correctly
+# It will not configure clustering if less than 3 nodes
+#
+# == Class: tripleo::profile::base::neutron::opendaylight::create_cluster
+#
+# OpenDaylight class only used for creating clusters with container deployments
+#
+# === Parameters
+#
+# [*odl_api_ips*]
+# (Optional) List of OpenStack Controller IPs for ODL API
+# Defaults to hiera('opendaylight_api_node_ips')
+#
+# [*node_name*]
+# (Optional) The short hostname of node
+# Defaults to hiera('bootstack_nodeid')
+#
+class tripleo::profile::base::neutron::opendaylight::create_cluster (
+ $odl_api_ips = hiera('opendaylight_api_node_ips'),
+ $node_name = hiera('bootstack_nodeid')
+) {
+
+ tripleo::profile::base::neutron::opendaylight::configure_cluster {'ODL cluster':
+ node_name => $node_name,
+ odl_api_ips => $odl_api_ips,
+ }
+
+}
diff --git a/manifests/profile/base/neutron/plugins/ml2.pp b/manifests/profile/base/neutron/plugins/ml2.pp
index f7a2935..1f440fa 100644
--- a/manifests/profile/base/neutron/plugins/ml2.pp
+++ b/manifests/profile/base/neutron/plugins/ml2.pp
@@ -85,5 +85,9 @@ class tripleo::profile::base::neutron::plugins::ml2 (
if 'vpp' in $mechanism_drivers {
include ::tripleo::profile::base::neutron::plugins::ml2::vpp
}
+
+ if 'nuage' in $mechanism_drivers {
+ include ::tripleo::profile::base::neutron::plugins::ml2::nuage
+ }
}
}
diff --git a/manifests/profile/base/ui.pp b/manifests/profile/base/neutron/plugins/ml2/nuage.pp
index 681496a..e9608d0 100644
--- a/manifests/profile/base/ui.pp
+++ b/manifests/profile/base/neutron/plugins/ml2/nuage.pp
@@ -1,4 +1,4 @@
-# Copyright 2016 Red Hat, Inc.
+# Copyright 2017 Nuage Networks from Nokia Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
@@ -12,15 +12,20 @@
# License for the specific language governing permissions and limitations
# under the License.
#
-# == Class: tripleo::profile::base::ui
+# == Class: tripleo::profile::base::neutron::plugins::ml2::nuage
#
-# UI profile for tripleo
+# Nuage Neutron ML2 profile for tripleo
#
-class tripleo::profile::base::ui () {
- package {'openstack-tripleo-ui': }
-
- include ::apache
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+class tripleo::profile::base::neutron::plugins::ml2::nuage (
+ $step = hiera('step'),
+) {
- include ::tripleo::ui
+ if $step >= 4 {
+ include ::neutron::plugins::ml2::nuage
+ }
}
-
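Review bot: `$step = hiera('step')` is not wrapped in `Integer()` as the other profiles in this change are (`$step = Integer(hiera('step'))`), so `if $step >= 4` compares whatever type hiera returns. If the value arrives as a string the comparison can fail or behave differently from the sibling profiles; use `$step = Integer(hiera('step')),`. The doc block also lacks the `=== Parameters` heading the other classes use.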
diff --git a/manifests/profile/base/neutron/server.pp b/manifests/profile/base/neutron/server.pp
index 0dee53e..60ef443 100644
--- a/manifests/profile/base/neutron/server.pp
+++ b/manifests/profile/base/neutron/server.pp
@@ -113,10 +113,7 @@ class tripleo::profile::base::neutron::server (
$l3_ha = false
}
- # We start neutron-server on the bootstrap node first, because
- # it will try to populate tables and we need to make sure this happens
- # before it starts on other nodes
- if $step >= 4 and $sync_db or $step >= 5 and !$sync_db {
+ if $step >= 4 or ($step >= 3 and $sync_db) {
if $enable_internal_tls {
if !$neutron_network {
fail('neutron_api_network is not set in the hieradata.')
@@ -130,9 +127,14 @@ class tripleo::profile::base::neutron::server (
port => $tls_proxy_port,
tls_cert => $tls_certfile,
tls_key => $tls_keyfile,
- notify => Class['::neutron::server'],
}
+ Tripleo::Tls_proxy['neutron-api'] ~> Anchor<| title == 'neutron::service::begin' |>
}
+ }
+ # We start neutron-server on the bootstrap node first, because
+ # it will try to populate tables and we need to make sure this happens
+ # before it starts on other nodes
+ if $step >= 4 and $sync_db or $step >= 5 and !$sync_db {
include ::neutron::server::notifications
# We need to override the hiera value neutron::server::sync_db which is set
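Review bot: Replacing `notify => Class['::neutron::server']` with `Tripleo::Tls_proxy['neutron-api'] ~> Anchor<| title == 'neutron::service::begin' |>` trades a hard reference for a collector that matches nothing without error. If the anchor is absent from the catalog or renamed, a changed certificate or proxy configuration no longer restarts neutron-server and nothing reports it; the same pattern is added for `swift::service::begin` in the swift proxy profile. A comment recording the dependency would make this visible: `# relies on neutron's 'neutron::service::begin' anchor; no match means no restart`. The enclosing conditional continues past the end of the hunk.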
diff --git a/manifests/profile/base/nova/placement.pp b/manifests/profile/base/nova/placement.pp
index ac78287..48af39a 100644
--- a/manifests/profile/base/nova/placement.pp
+++ b/manifests/profile/base/nova/placement.pp
@@ -54,9 +54,9 @@ class tripleo::profile::base::nova::placement (
$step = Integer(hiera('step')),
) {
if $::hostname == downcase($bootstrap_node) {
- $sync_db = true
+ $is_bootstrap = true
} else {
- $sync_db = false
+ $is_bootstrap = false
}
include ::tripleo::profile::base::nova
@@ -73,7 +73,7 @@ class tripleo::profile::base::nova::placement (
$tls_keyfile = undef
}
- if $step >= 3 {
+ if $step >= 4 or ( $step >= 3 and $is_bootstrap ) {
include ::apache::mod::ssl
class { '::nova::wsgi::apache_placement':
ssl_cert => $tls_certfile,
diff --git a/manifests/profile/base/swift/proxy.pp b/manifests/profile/base/swift/proxy.pp
index b047c36..afb5fa6 100644
--- a/manifests/profile/base/swift/proxy.pp
+++ b/manifests/profile/base/swift/proxy.pp
@@ -18,6 +18,10 @@
#
# === Parameters
#
+# [*bootstrap_node*]
+# (Optional) The hostname of the node responsible for bootstrapping tasks
+# Defaults to hiera('bootstrap_nodeid')
+#
# [*ceilometer_enabled*]
# Whether the ceilometer pipeline is enabled.
# Defaults to true
@@ -96,6 +100,7 @@
# defaults to 8080
#
class tripleo::profile::base::swift::proxy (
+ $bootstrap_node = hiera('bootstrap_nodeid', undef),
$ceilometer_enabled = true,
$ceilometer_messaging_driver = hiera('messaging_notify_service_name', 'rabbit'),
$ceilometer_messaging_hosts = any2array(hiera('rabbitmq_node_names', undef)),
@@ -113,7 +118,12 @@ class tripleo::profile::base::swift::proxy (
$tls_proxy_fqdn = undef,
$tls_proxy_port = 8080,
) {
- if $step >= 4 {
+ if $::hostname == downcase($bootstrap_node) {
+ $is_bootstrap = true
+ } else {
+ $is_bootstrap = false
+ }
+ if $step >= 4 or ($step >= 3 and $is_bootstrap) {
if $enable_internal_tls {
if !$swift_proxy_network {
fail('swift_proxy_network is not set in the hieradata.')
@@ -127,9 +137,11 @@ class tripleo::profile::base::swift::proxy (
port => $tls_proxy_port,
tls_cert => $tls_certfile,
tls_key => $tls_keyfile,
- notify => Class['::swift::proxy'],
}
+ Tripleo::Tls_proxy['swift-proxy-api'] ~> Anchor<| title == 'swift::service::begin' |>
}
+ }
+ if $step >= 4 {
$swift_memcache_servers = suffix(any2array(normalize_ip_for_uri($memcache_servers)), ":${memcache_port}")
include ::swift::config
include ::swift::proxy
diff --git a/manifests/profile/base/zaqar.pp b/manifests/profile/base/zaqar.pp
index b9171b0..063ccb8 100644
--- a/manifests/profile/base/zaqar.pp
+++ b/manifests/profile/base/zaqar.pp
@@ -18,9 +18,9 @@
#
# === Parameters
#
-# [*sync_db*]
-# (Optional) Whether to run db sync
-# Defaults to true
+# [*bootstrap_node*]
+# (Optional) The hostname of the node responsible for bootstrapping tasks
+# Defaults to hiera('bootstrap_nodeid')
#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
@@ -28,9 +28,16 @@
# Defaults to hiera('step')
#
class tripleo::profile::base::zaqar (
+ $bootstrap_node = hiera('bootstrap_nodeid', undef),
$step = Integer(hiera('step')),
) {
- if $step >= 4 {
+ if $::hostname == downcase($bootstrap_node) {
+ $is_bootstrap = true
+ } else {
+ $is_bootstrap = false
+ }
+
+ if $step >= 4 or ( $step >= 3 and $is_bootstrap ) {
include ::zaqar
if str2bool(hiera('mongodb::server::ipv6', false)) {
diff --git a/manifests/profile/pacemaker/database/mysql.pp b/manifests/profile/pacemaker/database/mysql.pp
index 3aff62f..22adbe9 100644
--- a/manifests/profile/pacemaker/database/mysql.pp
+++ b/manifests/profile/pacemaker/database/mysql.pp
@@ -26,6 +26,27 @@
# (Optional) The address that the local mysql instance should bind to.
# Defaults to $::hostname
#
+# [*ca_file*]
+# (Optional) The path to the CA file that will be used for the TLS
+# configuration. It's only used if internal TLS is enabled.
+# Defaults to undef
+#
+# [*certificate_specs*]
+# (Optional) The specifications to give to certmonger for the certificate
+# it will create. Note that the certificate nickname must be 'mysql' in
+# the case of this service.
+# Example with hiera:
+# tripleo::profile::base::database::mysql::certificate_specs:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "mysql/<overcloud controller fqdn>"
+# Defaults to hiera('tripleo::profile::base::database::mysql::certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
# [*gmcast_listen_addr*]
# (Optional) This variable defines the address on which the node listens to
# connections from other nodes in the cluster.
@@ -41,11 +62,14 @@
# Defaults to hiera('pcs_tries', 20)
#
class tripleo::profile::pacemaker::database::mysql (
- $bootstrap_node = hiera('mysql_short_bootstrap_node_name'),
- $bind_address = $::hostname,
- $gmcast_listen_addr = hiera('mysql_bind_host'),
- $step = Integer(hiera('step')),
- $pcs_tries = hiera('pcs_tries', 20),
+ $bootstrap_node = hiera('mysql_short_bootstrap_node_name'),
+ $bind_address = $::hostname,
+ $ca_file = undef,
+ $certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
+ $gmcast_listen_addr = hiera('mysql_bind_host'),
+ $step = Integer(hiera('step')),
+ $pcs_tries = hiera('pcs_tries', 20),
) {
if $::hostname == downcase($bootstrap_node) {
$pacemaker_master = true
@@ -70,6 +94,19 @@ class tripleo::profile::pacemaker::database::mysql (
$processed_galera_name_pairs = $galera_name_pairs.map |$pair| { join($pair, ':') }
$cluster_host_map = join($processed_galera_name_pairs, ';')
+ if $enable_internal_tls {
+ $tls_certfile = $certificate_specs['service_certificate']
+ $tls_keyfile = $certificate_specs['service_key']
+ if $ca_file {
+ $tls_ca_options = "socket.ssl_ca=${ca_file}"
+ } else {
+ $tls_ca_options = ''
+ }
+ $tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options};"
+ } else {
+ $tls_options = ''
+ }
+
$mysqld_options = {
'mysqld' => {
'skip-name-resolve' => '1',
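Review bot: The `$tls_options` string is built without checking its inputs: with `enable_internal_tls` true and the default empty `$certificate_specs` it becomes `socket.ssl_key=;socket.ssl_cert=;;;`, and with `$ca_file` unset it always contains an empty `;;` element. `$ca_file` defaults to undef with no hiera lookup, so unless the caller sets it Galera is given no CA to check peer certificates against; how the provider behaves in that case is not visible here. I would fail early on missing certificate or key paths and attach the separator to the CA option, as below.

```puppet
if $enable_internal_tls {
  # … unchanged: $tls_certfile / $tls_keyfile assignments …
  if !$tls_certfile or !$tls_keyfile {
    fail('certificate_specs must set service_certificate and service_key when internal TLS is enabled.')
  }
  $tls_ca_options = $ca_file ? {
    undef   => '',
    default => "socket.ssl_ca=${ca_file};",
  }
  $tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options}"
  # … unchanged: else branch setting $tls_options to '' …
```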
@@ -98,7 +135,7 @@ class tripleo::profile::pacemaker::database::mysql (
'wsrep_drupal_282555_workaround'=> '0',
'wsrep_causal_reads' => '0',
'wsrep_sst_method' => 'rsync',
- 'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;",
+ 'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;${tls_options}",
}
}
diff --git a/manifests/ui.pp b/manifests/ui.pp
index 825ffc2..d744044 100644
--- a/manifests/ui.pp
+++ b/manifests/ui.pp
@@ -136,13 +136,16 @@ class tripleo::ui (
$endpoint_config_swift = undef,
) {
+ package {'openstack-tripleo-ui': }
+ include ::apache
include ::apache::mod::proxy
include ::apache::mod::proxy_http
include ::apache::mod::proxy_wstunnel
::apache::vhost { 'tripleo-ui':
ensure => 'present',
+ require => Package['openstack-tripleo-ui'],
servername => $servername,
ip => $bind_host,
port => $ui_port,