aboutsummaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2017-08-19Merge "Allow configuring multiple insecure registries"Jenkins2-6/+31
2017-08-19Merge "Add TLS for nova metadata service"Jenkins2-0/+41
2017-08-18Merge "Enable TLS in the internal network for horizon"Jenkins1-4/+41
2017-08-18Merge "Create separate resource for HAProxy horizon endpoint"Jenkins2-49/+170
2017-08-18Merge "Move barbican's database creation to mysql profile"Jenkins3-7/+3
2017-08-18Merge "Release Pike rc1 - 7.3.0"Jenkins2-3/+3
2017-08-17Add TLS for nova metadata serviceJuan Antonio Osorio Robles2-0/+41
This adds a TLS proxy in front of it so it serves TLS in the internal network. bp tls-via-certmonger Change-Id: I97ac2da29be468c75713fe2fae7e6d84cae8f67c
2017-08-17Merge "Remove extra keystone admin haproxy listen and allow TLS"Jenkins2-18/+27
2017-08-17Allow configuring multiple insecure registriesJiri Stransky2-6/+31
If we're using local registries, we may want to use different registries e.g. for Ceph and for OpenStack. We allow multiple registries in general for this purpose, and we should also allow it in the insecure registry configuration. Change-Id: I5cddd20a123a85516577bde1b793a30d43171285 Related-Bug: #1709310
2017-08-17Merge "HAProxy: Set listen options for internal services too"Jenkins1-0/+1
2017-08-17Merge "Add logrotate-crond configuration"Jenkins3-0/+185
2017-08-17Enable TLS in the internal network for horizonJuan Antonio Osorio Robles1-4/+41
This enables the usage of TLS by the apache vhost that hosts horizon. bp tls-via-certmonger Change-Id: I7f2e11eb60c7b075e8a59f28682ecc50eeb95c3e
2017-08-17Create separate resource for HAProxy horizon endpointJuan Antonio Osorio Robles2-49/+170
This removes clutter from the main haproxy manifest and allows TLS in the internal network as well. Trying to keep the previous behavior. bp tls-via-certmonger-containers Change-Id: I1a68771cc7be7fb2b32abbad81db7890bd2c5502
2017-08-16Release Pike rc1 - 7.3.0Emilien Macchi2-3/+3
Change-Id: Id3277c97052e1dd88e6d2de6c5f92b32b95fa210
2017-08-17Move barbican's database creation to mysql profileJuan Antonio Osorio Robles3-7/+3
This makes sure that the database creation is only executed on the mysql profile (or container if that's enabled), and stops the conflicts and errors that were happening when barbican was deployed in containerized environments. Change-Id: Ib5c99482f62397fc5fb79a9dc537dfb06ee7f4df Closes-Bug: #1710928
2017-08-16Add logrotate-crond configurationBogdan Dobrelya3-0/+185
Generate a cron job and a config for logrotate to be run against containerized services logs. Related-bug: #1700912 Change-Id: Ib9d5d8ca236296179182613e1ff625deea168614 Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2017-08-16Remove extra keystone admin haproxy listen and allow TLSJuan Antonio Osorio Robles2-18/+27
The current code exposes an unused public listen directive in HAProxy for the keystone admin endpoint. This is not ideal and should be removed, as it exposes the service unnecessarily. We should stick to just exposing it to the ctlplane network as is the default. If folks really need to expose it to the public network, they can do so by modifying the ServiceNetMap through t-h-t and setting the keystone admin endpoint's network to external. Now, for "single" or "internal" haproxy endpoints, this adds the ability to detect if they're using the external network, and thus use TLS on it. Which is something a deployer would want if they exposed the keystone admin endpoint in such a way. Change-Id: I79563f62fd49a4f7654779157ebda3c239d6dd22 Closes-Bug: #1710909 Closes-Bug: #1639996
2017-08-16Merge "Replace enabled languages with excluded languages in UI"Jenkins2-30/+14
2017-08-15Merge "Enable TLS configuration for containerized HAProxy"Jenkins1-18/+97
2017-08-15Merge "Use rabbitmq ipv6 flag"Jenkins1-11/+4
2017-08-14Merge "Fix legacy nova/cinder encryption key manager configuration"Jenkins5-7/+46
2017-08-14Use rabbitmq ipv6 flagJohn Eckersberg1-11/+4
The internal details of enabling IPv6 have moved upstream[1], so just set the ipv6 flag when desired and don't worry about the details anymore! [1] https://github.com/puppetlabs/puppetlabs-rabbitmq/pull/552 Closes-Bug: #1710658 Change-Id: Ib22507c4d02f0fae5c0189ab7e040efac3df7e2f
2017-08-12Merge "Run online_data_migrations for Ironic on upgrade"Jenkins1-2/+3
2017-08-12Merge "Enable TLS configuration for containerized Galera"Jenkins1-74/+118
2017-08-11Merge "Do not include manila ceph key resource twice"Jenkins1-10/+12
2017-08-11Merge "Modify resource dependencies of certmonger_user resources"Jenkins2-7/+11
2017-08-11HAProxy: Set listen options for internal services tooJuan Antonio Osorio Robles1-0/+1
This was missed from a previous commit, as described in the bug report. We need to set this variable in this case as well, else it will use the undefined variable, thus ignoring anything that the user had set. Change-Id: I6810e7bb3eed16a6478974ac759c3f720a41120a Closes-Bug: #1709332
2017-08-11Modify resource dependencies of certmonger_user resourcesJuan Antonio Osorio Robles2-7/+11
In a containerized environment the haproxy class might not be defined, so this was made optional. On the other hand, this also retrieves the CRL before any certmonger_certificate resources are created. bp tls-via-certmonger-containers Change-Id: I2078da7757ff3af1d05d36315fcebd54bb4ca3ec
2017-08-10Do not include manila ceph key resource twiceJan Provaznik1-10/+12
When mds creates manila key [1], then manila manifest needs to check first if this resource already exists otherwise puppet fails. [1] I6308a317ffe0af244396aba5197c85e273e69f68 Change-Id: I3f18bbe476c4f43fa4e162cc66c5df443122cd0c
2017-08-10Merge "Enable TLS configuration for containerized RabbitMQ"Jenkins1-52/+76
2017-08-09Merge "Use clustercheck credentials to poll galera state in container"Jenkins1-3/+8
2017-08-09Enable TLS configuration for containerized HAProxyDamien Ciabrini1-18/+97
In non-containerized deployments, HAProxy can be configured to use TLS for proxying internal services. Fix the creation of the of the haproxy bundle resource to enable TLS when configured. The keys and certs files, as well as the crl file are all passed as configuration files and must be copied by Kolla at container startup. Change-Id: I4b72739446c63f0f0ac9f859314a4d6746e20255 Partial-Bug: #1709563
2017-08-09Merge "Enable innodb_buffer_pool_size configuration"Jenkins2-8/+18
2017-08-09Enable TLS configuration for containerized RabbitMQDamien Ciabrini1-52/+76
In non-containerized deployments, RabbitMQ can be configured to use TLS for serving and mirroring traffic. Fix the creation of the rabbitmq bundle resource to enable TLS when configured. The key and cert are passed as other configuration files and must be copied by Kolla at container startup. Change-Id: Ia64d79462de7012e5bceebf0ffe478a1cccdd6c9 Partial-Bug: #1709558
2017-08-07Merge "Update swift-proxy unit tests for puppet5"Jenkins1-1/+3
2017-08-07Run online_data_migrations for Ironic on upgradeDmitry Tantsur1-2/+3
This only enables correct offline upgrade for now, proper rolling upgrade support will follow in the Queens release. Change-Id: Iebbd0c6dfc704ba2e0b5176d607354dd31f13a0d Depends-On: I548c80cf138b661ba3a5e45a6dfe8711f3322ed0 Partial-Bug: #1708149
2017-08-07Merge "Update link addresses in README.md"Jenkins1-3/+3
2017-08-06Update swift-proxy unit tests for puppet5Emilien Macchi1-1/+3
The latest version of puppet now require the class dependencies included in the unit tests. Change-Id: I0b6462f697f2d8012f8a785660c004f3efb13fdc
2017-08-06Enable TLS configuration for containerized GaleraDamien Ciabrini1-74/+118
In non-containerized deployments, Galera can be configured to use TLS for gcomm group communication when enable_internal_tls is set to true. Fix the creation of the mysql bundle resource to enable TLS when configured. The key and cert are passed as other configuration files and must be copied by Kolla at container startup. Change-Id: If845baa7b0a437c28148c817b7f94d540ca15814 Partial-Bug: #1708135
2017-08-05Merge "Enable encryption of pacemaker traffic by default"Jenkins2-2/+24
2017-08-05Merge "Update openstackdocstheme>=1.16.0"Jenkins1-1/+1
2017-08-04Merge "Configure dockerd with --iptables=false"Jenkins2-3/+3
2017-08-04Merge "Ensure directory exists for certificates for haproxy"Jenkins3-0/+61
2017-08-03Enable innodb_buffer_pool_size configurationMike Bayer2-8/+18
Adds a hiera-enabled setting for mysql.pp to allow configuration of innodb_buffer_pool_size, a key configurational element for MySQL performance tuning. Change-Id: Iabdcb6f76510becb98cba35c95db550ffce44ff3 Closes-bug: #1704978
2017-08-03Configure dockerd with --iptables=falseDan Prince2-3/+3
This change defaults --iptables=false for dockerd to avoid having Docker create its own FORWARD iptables rules. These rules can interact with normal OS networking rules and disable communications between hosts on reboot. Change-Id: I875fa14f7d810c7f0aba3b3a1b04b60a19470f0f Closes-bug: #1708279
2017-08-03Update link addresses in README.mdzhangdebo19871-3/+3
Change-Id: I0ad611bd669e9fb5f119237034dca347641c74b5
2017-08-02Use normal socket file permissions instead of polkitOliver Walsh4-137/+62
The default (on RHEL/CentOS) is to use polkit but this is only useful for GUI support or for fine grained API access control. As we don't require either we can achieve identical control using plain old unix filesystem permissions. I've merged Sven's changes from https://review.openstack.org/484979 and https://review.openstack.org/487150. As we need to be careful with the libvirtd option quoting I think it's best to do this in puppet-tripleo instead of t-h-t yaml. The option to override the settings from t-h-t remains. Co-Authored-By: Sven Anderson <sven@redhat.com> Reverts I91be1f1eacf8eed9017bbfef393ee2d66771e8d6 Closes-bug: 1696504 Change-Id: I507bdd8e3a461091562177403a2a55fcaf6694d2 Depends-On: I17f6c9b5a6e2120a53bae296042ece492210597a
2017-08-02Merge "Support for Dell EMC Unity Cinder Driver"Jenkins3-12/+129
2017-08-02Ensure directory exists for certificates for haproxyJuan Antonio Osorio Robles3-0/+61
We used to rely on a standard directory for the certificates and keys that are requested by certmonger. However, given the approach we plan to take for containers that's described in the blueprint, we need to use service-specific directories for the certs/keys, since we plan to bind-mount these into the containers, and we don't want to bind mount any keys/certs from other services. Thus, we start by creating this directories if they don't exist in the filesystem and adding the proper selinux labels. bp tls-via-certmonger-containers Change-Id: Iba3adb9464a755e67c6f87d1233b3affa8be565a
2017-08-01Enable encryption of pacemaker traffic by defaultJuan Antonio Osorio Robles2-2/+24
We already are setting a pre-shared key by default for the pacemaker cluster. This was done in order to communicate with TLS-PSK with pacemaker-remote clusters. This key is also useful for us to enable encrypted traffic for the regular cluster traffic, which we enable by default with this patch. Change-Id: I349b8bf79eeeaa4ddde1c17b7014603913f184cf