summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2017-09-05Enable TLS for rabbitmq's replication trafficJuan Antonio Osorio Robles1-1/+11
This follows the RabbitMQ docs [1] for enabling TLS for the replication traffic. It reuses the certificate that rabbitmq already has. Unfortunately, pacemaker uses the shortname for the rabbitmq nodes, so we are not able to do proper verification of the certificates, since we can't allocate a certificate for shortnames. So, until pacemaker can track the rabbit nodes through their FQDNs, we don't set any verification options. [1] https://www.rabbitmq.com/clustering-ssl.html Depends on: https://github.com/voxpupuli/puppet-rabbitmq/pull/574 bp tls-via-certmonger Co-Authored-By: Alex Schultz <aschultz@redhat.com> Change-Id: I265c89cb8898a6da78a606664a22c50f5e57a847 (cherry picked from commit 52404b85dc140d9ddc4605365454df0e052ee2cb)
2017-09-04Prepare 7.4.0 (pike-rc2)Emilien Macchi1-1/+1
Change-Id: I6e1b8c305aad3fb03bd62072b376b34303ecfe24
2017-09-01Merge "Fix enabling zaqar keystone endpoint and MySQL database" into stable/pikeJenkins2-2/+2
2017-09-01Merge "Add manifests to install and configure stunnel" into stable/pikeJenkins6-0/+171
2017-09-01Merge "Repair immediate VF configuration for PCI SR-IOV" into stable/pikeJenkins2-3/+3
2017-09-01Fix enabling zaqar keystone endpoint and MySQL databaseJuan Antonio Osorio Robles2-2/+2
The zaqar service name switched to zaqar-api[1], so the hieradata key is zaqar_api_enabled now instead of zaqar_enabled. [1] I9b451eac4427a52ad8eec62ff89acc6c6d3ab799 Closes-Bug: #1714213 Change-Id: I692658337e7afc9d0a99b245f8b0b4f76a076bc4 (cherry picked from commit bc6a526f91c156e1cecfb9226ae3686102e655d4)
2017-08-31Add manifests to install and configure stunnelJuan Antonio Osorio Robles6-0/+171
Some services (such as Redis) can't use mod_proxy as a TLS proxy, since they're not HTTP services. So stunnel is necessary for these. Thus, we add manifests to configure it as such. bp tls-via-certmonger Change-Id: Ic4a2dac7b3831e4780105e3b05e9c5afcf15c79c (cherry picked from commit f85199c77826017e383534051ada57ef1ea4ddcc)
2017-08-31Use Python to compute release notes versionEmilien Macchi1-2/+2
Leave the version fields blank, since the release notes document applies to all versions. That will avoid manual changes in the future like we did until now. Change-Id: I9c64787b278b53a0f4125275678ded3f46d05be2 (cherry picked from commit aefd5f7afd238b50eff71fe6f583ef7cadb54d12)
2017-08-31Merge "HAProxy: Make certmonger bundle the cert and key on renewal" into ↵Jenkins1-1/+14
stable/pike
2017-08-31Merge "Certmonger: Only attempt to reload haproxy is it's active" into ↵Jenkins1-1/+1
stable/pike
2017-08-31Merge "Support for Dell EMC Unity Manila Driver" into stable/pikeJenkins3-2/+32
2017-08-31Merge "Support for Dell EMC Isilon Manila Driver" into stable/pikeJenkins3-2/+32
2017-08-30HAProxy: Make certmonger bundle the cert and key on renewalJuan Antonio Osorio Robles1-1/+14
the postsave command is ran by certmonger when a certificate is requested (which will happen on certificate renewal). The previous command given didn't take into account the file that haproxy expects, which is a bundled PEM file with both the certificate and the key. Thus, certmonger would have never generated a new bundle that haproxy would use, resulting in haproxy always having an old bundle after certificate expiration. This fixes that. Change-Id: Idb650d35f56abaf6a17e17794a068dd5933e6a62 Closes-Bug: #1712514 (cherry picked from commit e1791a37d557b14bb8f833363cabe5c98e151548)
2017-08-30Certmonger: Only attempt to reload haproxy is it's activeJuan Antonio Osorio Robles1-1/+1
Previously, certmonger tried to reload haproxy every time after a certificate is requested. This is useful for certificate resubmits or renewals. However, it turned out problematic on installation, when haproxy is not yet active, as it would try many times and end up having a race-condition with puppet. This checks if haproxy is active and only then will it attempt to reload it. Change-Id: I51f9cccb5d1518a9647778e7bf6f9426a02ceb60 Closes-Bug: #1712377 (cherry picked from commit 351ab932514f13d7a139b0b41fdc4f6f7e990c8f)
2017-08-30Support for Dell EMC Unity Manila Driverrajinir3-2/+32
This changes adds Dell EMC Unity backend as composable service and matches the tripleo-heat-templates. Change-Id: I0df1e16db89cd53e4f16cd08ccb975d8e7e9a470 Implements: blueprint dellemc-unity-manila (cherry picked from commit 2f93b4fc3aa63d99b7dcb0302e9ee48bda1f4282)
2017-08-30Support for Dell EMC Isilon Manila Driverrajinir3-2/+32
This changes adds Dell EMC Isilon backend as composable service and matches the tripleo-heat-templates. Change-Id: I30f6b4c4ebe0a708a5eb34cd016544f4d2b9c2bb Implements: blueprint dellemc-isilon-manila (cherry picked from commit 75ee7f12f165d4ef6e47600d8c0ec93dff3b610d)
2017-08-30Add /etc/ceph into pacemaker bundlesGiulio Fidente3-0/+15
We missed to mount the Ceph config files into the docker/pacemaker profiles. Change-Id: I23b6890b4cf7f1e6fe84b6be280dde82218275fc Closes-Bug: #1713421 (cherry picked from commit b18ae72c6aaad9eb98d7e4490a6572441f63b9a1)
2017-08-29Enable config for docker daemon debugAlex Schultz2-7/+37
Exposes a way to configure the docker daemon with debug enabled. Change-Id: I654a70c8bb7753679be83d78ca653ed44c3a7395 Related-Bug: #1710533 (cherry picked from commit 44b90c9a79146139cbcbe7f560bd1df667cca780)
2017-08-26Merge "Fix panko port to match tht" into stable/pikeJenkins1-2/+2
2017-08-26Repair immediate VF configuration for PCI SR-IOVBrent Eagles2-3/+3
Change I71edc135432ab2193741c37ce977dd11172401e6 broke the host VF configuration that set VF counts when the puppet is applied. This patch re-adds the ensure => present property required for proper behavior. Change-Id: Ibd18c4f3b7f0d8cee330f94f87e7ad4ea7ceeffb Closes-Bug: #1712903 (cherry picked from commit 1e133f31466bf17df66b0f552a2ce5b3b056e666)
2017-08-25Merge "Update UPPER_CONSTRAINTS_FILE for stable/pike" into stable/pikeJenkins1-1/+1
2017-08-25Merge "Update .gitreview for stable/pike" into stable/pikeJenkins1-0/+1
2017-08-25Fix panko port to match thtPradeep Kilambi1-2/+2
In templates we use 13977 as the port for panko. The old 13779 is reserved for trove so it conflicts. Closes-bug: #1712566 Change-Id: I77444199eef6c2b9abbd819829b4fea2d698e2db (cherry picked from commit 5064677dda8e4f140df6d024089e95afe11a91f1)
2017-08-25Add /bin to PATH for CRL cronjobJuan Antonio Osorio Robles1-1/+1
Checking the root's mail (/var/mail/root) I finally saw the root cause of the CRL cronjob not working. /bin/sh: curl: command not found now, curl, (and most commands used by that cronjob) is in the /bin bash, so we need to add it to the environment's PATH for the cronjob. Change-Id: If10855b801782eeaf2006cd57071d74d13daf8c2 Closes-Bug: #1712404 (cherry picked from commit 139ac85028947f476a085e89bd54f3dfacd886cf)
2017-08-24Update UPPER_CONSTRAINTS_FILE for stable/pikeOpenStack Release Bot1-1/+1
Change-Id: Ibc02e4e87593f18c4c48a9e8197a4cd3c16d9cd4
2017-08-24Update .gitreview for stable/pikeOpenStack Release Bot1-0/+1
Change-Id: Ib750ba8a4e76a25ffd2352b420e97548447eae97
2017-08-24Merge "Use resource collector for the fencing -> stonith ordering"Jenkins1-1/+1
2017-08-24Merge "TLS-everywhere/libvirt: Make postsave command configurable"Jenkins2-3/+16
2017-08-24TLS-everywhere/libvirt: Make postsave command configurableJuan Antonio Osorio Robles2-3/+16
This is requires for when libvirt is running over a container, since we shouldn't try to restart the libvirt process, but the container itself. bp tls-via-certmonger-containers Change-Id: I26a7748b37059ea37f460d8c70ef684cc41b16d3
2017-08-24Merge "Add OVN DBs bundle support for pacemaker HA"Jenkins1-0/+159
2017-08-23Use resource collector for the fencing -> stonith orderingMichele Baldessari1-1/+1
Change Ifef08033043a4cc90a6261e962d2fdecdf275650 moved the stonith property definition to the pacemaker_master node. This means that the Class['tripleo::fencing'] -> Class['pacemaker::stonith'] ordering breaks on non-boostrap pacemaker nodes because the pacemaker::stonith property is not defined there any longer. Let's fix this by simply using a resource collector and set the ordering on that instead of adding yet anoth if statement. Ordering on enablement of stonith is actually more correct formally. Tested this on a broken setup successfully. Closes-Bug: #1712605 Change-Id: I616d340bdf75da9d9eb8b83b2e804dff3d07d58e
2017-08-22Add -s (silent) to curl command for CRL refreshJuan Antonio Osorio Robles2-3/+3
Without it, it doesn't reload the services it should. Change-Id: I43e6188700deb585f905ca700e69b6875f0ded45 Closes-Bug: #1712404
2017-08-21Merge "Do not create fs and server side key from manila"Jenkins2-28/+5
2017-08-21Merge "Certmonger: Make postsave command configurable"Jenkins6-16/+55
2017-08-19Merge "Support for Dell EMC VMAX Manila Driver"Jenkins3-2/+35
2017-08-19Merge "Support for Dell EMC VMAX ISCSI Cinder Driver"Jenkins3-13/+126
2017-08-19Merge "Allow configuring multiple insecure registries"Jenkins2-6/+31
2017-08-19Merge "Add TLS for nova metadata service"Jenkins2-0/+41
2017-08-18Certmonger: Make postsave command configurableJuan Antonio Osorio Robles6-16/+55
We need to make it configurable since these commands don't apply for containerized environments. This way we can restart containers or disable restarting and rely on other means. This stems from the issue that some services get accidentally started by certmonger on containerized environments, which makes the container initialization fail. bp tls-via-certmonger-containers Change-Id: I62ff89362cfcc80e6e62fad09110918c36802813
2017-08-18Merge "Enable TLS in the internal network for horizon"Jenkins1-4/+41
2017-08-18Merge "Create separate resource for HAProxy horizon endpoint"Jenkins2-49/+170
2017-08-18Merge "Move barbican's database creation to mysql profile"Jenkins3-7/+3
2017-08-18Merge "Release Pike rc1 - 7.3.0"Jenkins2-3/+3
2017-08-17Add TLS for nova metadata serviceJuan Antonio Osorio Robles2-0/+41
This adds a TLS proxy in front of it so it serves TLS in the internal network. bp tls-via-certmonger Change-Id: I97ac2da29be468c75713fe2fae7e6d84cae8f67c
2017-08-17Merge "Remove extra keystone admin haproxy listen and allow TLS"Jenkins2-18/+27
2017-08-17Allow configuring multiple insecure registriesJiri Stransky2-6/+31
If we're using local registries, we may want to use different registries e.g. for Ceph and for OpenStack. We allow multiple registries in general for this purpose, and we should also allow it in the insecure registry configuration. Change-Id: I5cddd20a123a85516577bde1b793a30d43171285 Related-Bug: #1709310
2017-08-17Merge "HAProxy: Set listen options for internal services too"Jenkins1-0/+1
2017-08-17Merge "Add logrotate-crond configuration"Jenkins3-0/+185
2017-08-17Enable TLS in the internal network for horizonJuan Antonio Osorio Robles1-4/+41
This enables the usage of TLS by the apache vhost that hosts horizon. bp tls-via-certmonger Change-Id: I7f2e11eb60c7b075e8a59f28682ecc50eeb95c3e
2017-08-17Create separate resource for HAProxy horizon endpointJuan Antonio Osorio Robles2-49/+170
This removes clutter from the main haproxy manifest and allows TLS in the internal network as well. Trying to keep the previous behavior. bp tls-via-certmonger-containers Change-Id: I1a68771cc7be7fb2b32abbad81db7890bd2c5502