aboutsummaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2017-04-19Merge "Create bigswitch agent profile"Jenkins3-0/+84
2017-04-18Merge "Added release note for "Support for external swift proxy""Jenkins1-0/+5
2017-04-18Ensure we configure ssl.confLukas Bezdicka14-0/+23
Every time we call apache module regardless of using SSL we have to configure mod_ssl from puppet-apache or we'll hit issue during package update. File /etc/httpd/conf.d/ssl.conf from mod_ssl package contains Listen 443 while apache::mod::ssl just configures SSL bits but does not add Listen. If the apache::mod::ssl is not included the ssl.conf file is removed and recreated during mod_ssl package update. This causes conflict on port 443. Change-Id: Ic5a0719f67d3795a9edca25284d1cf6f088073e8 Related-Bug: 1682448 Resolves: rhbz#1441977
2017-04-18Enable setting SubjectaltNames for haproxy and httpd certsJuan Antonio Osorio Robles2-2/+26
This enables setting the subjectAltNames for HAProxy and httpd certs. These will eventually replace the usage of many certs, to have instead just one that has several subjectAltNames. Change-Id: Icd152c8e0389b6a104381ba6ab4e0944e9828ba3
2017-04-18Added release note for "Support for external swift proxy"Luca Lorenzetto1-0/+5
Change-Id: I7feac65bf814099ab591b473be962e64dec85cbd
2017-04-18Haproxy: When using TLS everywhere, use verifyhost for the balancermembersJuan Antonio Osorio Robles1-0/+3
This checks that the subjectAltName in the backend server's certificate matches the server's name that was intended to be used. Change-Id: If1c61e1becf9cc84c9b18835aef1eaaa8c0d4341
2017-04-18Merge "Allow setting of keepalived router ID"Jenkins1-7/+14
2017-04-18Merge "HAproxy/heat_api: increase timeout to 10m"Jenkins2-2/+11
2017-04-17HAproxy/heat_api: increase timeout to 10mEmilien Macchi2-2/+11
Default timeout is 2min but it doesn't reflect the rpc_response_timeout value that we set in THT and instack-undercloud, which is 600 (10 min). In some cases (in low-memory environments), Heat needs more than 2 minutes to reply to the client, when deploying the overcloud. It makes sense to increase the timeout to the value of rpc_timeout to give a chance to Heat to reply to the client, otherwise HAproxy will kill the connection and send 504 to the client. Depends-On: I9669d40d86d762101734704fcef153e360767690 Change-Id: I32c71fe7930c8798d306046d6933e4b20c22740c Related-Bug: 1666072
2017-04-17Merge "Support for external swift proxy"Jenkins1-1/+1
2017-04-15Merge "Move ceilometer wsgi to step 3"Jenkins2-5/+5
2017-04-15Merge "Move gnocchi wsgi configuration to step 3"Jenkins3-1/+106
2017-04-14Merge "Dell SC: Add exclude_domain_ip option"Jenkins1-0/+1
2017-04-14Support for external swift proxyLuca Lorenzetto1-1/+1
Users may have an external swift proxy already available (i.e. radosgw from already existing ceph, or hardware appliance implementing swift proxy). With this change user may specify an environment file that registers the specified urls as endpoint for the object-store service. The internal swift proxy is left as unconfigured. Change-Id: Ia568c3a5723d8bd8c2c37dbba094fc8a83b9d67e
2017-04-13Merge "Make install of kolla optional on the undercloud"Jenkins1-4/+11
2017-04-13Merge "etcd: Make HAProxy terminate TLS connections"Jenkins1-17/+14
2017-04-13Allow setting of keepalived router IDThomas Herve1-7/+14
By default the undercloud and the overcloud share virtual_router_id definition, leading to errors like "ip address associated with VRID not present in received packet". This allows setting the range for the IDs. Change-Id: I0c822777824b469b0f8ef0f31b3708fe47d5b2d7
2017-04-12Dell SC: Add exclude_domain_ip optionrajinir1-0/+1
This option allows users to exclude some fault domains. Otherwise all domains are returned. Change-Id: I6eb2bcc7db003a5eebd3924e3e4eb44e35f60483 Depends-On: I8ac91e6720e52da9cf7480f80bcfb456bf0c2433
2017-04-12Make install of kolla optional on the undercloudMartin André1-4/+11
This defaults to 'True' to keep backward compatibility and can be disabled by setting 'enable_container_images_built' to false in undercloud.conf. Depends-On: Ia3379cf66b1d6b180def69c2a5b22b2602baacef Change-Id: I33e7e9a6a3865fed38f7ed6490455457da67782b
2017-04-12Move gnocchi wsgi configuration to step 3Alex Schultz3-1/+106
We configure apache in step3 so we need to configure the gnocchi api in step 3 as well to prevent unnecessary service restarts during updates. Change-Id: I30010c9cf0b0c23fde5d00b67472979d519a15be Related-Bug: #1664418
2017-04-12Move ceilometer wsgi to step 3Alex Schultz2-5/+5
Apache is configured in step 3 so if we configure ceilometer in step 4, the configuration is removed on updates. We need to configure it in step 3 with the other apache services to ensure we don't have issues on updates. Change-Id: Icc9d03cd8904c93cb6e17f662f141c6e4c0bf423 Related-Bug: #1664418
2017-04-12Merge "Stop SSHD profile clobbering SSH client config"Jenkins2-2/+2
2017-04-12Add ML2 configuration for Bagpipe BGPVPN extensionRicardo Noriega2-0/+38
Change-Id: I9e1a56782e258fb6982b70d9a07f35808f2b2de5 Depends-On: Ic975ec1d6b2bf6e6bd28b47ba9dd2a3ae629d149 Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
2017-04-12Merge "Ensure directory exists for certificates for httpd"Jenkins3-0/+57
2017-04-12Enable internal network TLS for etcdFeng Pan6-10/+193
bp secure-etcd Change-Id: I0759deef7cbcf13b9056350e92f01afd33e9c649 Signed-off-by: Feng Pan <fpan@redhat.com>
2017-04-11Stop SSHD profile clobbering SSH client configOliver Walsh2-2/+2
Including the ::ssh manifest will manage both client and server config. Managing the client config was not intended and will clobber the OS default config with the puppet ssh moduled defaults. Follow up for https://review.openstack.org/443113 where I found the issue after the changes merged. Change-Id: I6329f5ebbe8fc3950449e325e56293872d11e1b5 Related-Bug: 1668543
2017-04-11Ensure directory exists for certificates for httpdJuan Antonio Osorio Robles3-0/+57
We used to rely on a standard directory for the certificates and keys that are requested by certmonger. However, given the approach we plan to take for containers that's described in the blueprint, we need to use service-specific directories for the certs/keys, since we plan to bind-mount these into the containers, and we don't want to bind mount any keys/certs from other services. Thus, we start by creating this directories if they don't exist in the filesystem and adding the proper selinux labels. bp tls-via-certmonger-containers Change-Id: I0b71902358b754fa8bd7fdbb213479503c87aa46
2017-04-11Update UI language listJulie Pichon1-0/+2
Change-Id: I848b3cc747f1be06aeda57ba15d4ec557c23ad46 Depends-On: Idf3d82058d87d9c8a3b6d8973d5166043dad2252
2017-04-11Merge "Add registry_mirror to base::docker profile"Jenkins2-0/+38
2017-04-11Merge "Use docker profile in docker_registry"Jenkins1-6/+3
2017-04-10etcd: Make HAProxy terminate TLS connectionsJuan Antonio Osorio Robles1-17/+14
When TLS is enabled for the internal network, HAProxy needs to handle etcd's TLS termination. Else it will use plain text. bp secure-etcd Change-Id: I20651240edcff0953741d4e8e01fa9a7ab185863
2017-04-10Merge "Move etcd to step 2"Jenkins1-1/+1
2017-04-08Add registry_mirror to base::docker profileDan Prince2-0/+38
This patch adds a new registry_mirror option to help configure /etc/docker/daemon.json so that we can make use of HTTP docker mirrors within upstream TripleO CI (infra). Change-Id: I4b966e9b9b174ca5a6f57974185e0149ea12f232
2017-04-07Use docker profile in docker_registryDan Prince1-6/+3
The docker_registry profile has resources to configure the docker service and package. These conflict with the entries in the tripleo::profile::base::docker class which exists specifically to manage these resources (and has unit tests). This patch removes the duplicate resources and updates the docker_registry profile to simply include the base docker profile instead. This instack-undercloud change below needs to land first. Depends-On: I6154f4c7435b02b92f6f64687e9ee89d6b86186a Change-Id: I75c740e7efc6662861c28caeb7fa965ba55438cb
2017-04-07Merge "Adding listen_options for Contrail Webui https in haproxy"Jenkins1-0/+4
2017-04-07Merge "TLS-everywhere: Add resources for libvirt's cert for live migration"Jenkins4-0/+192
2017-04-07Merge "Stop including ironic::drivers::ssh in the ironic-conductor profile"Jenkins2-1/+9
2017-04-07Merge "Enable creation of keystone domain when ldap backends are created"Jenkins1-1/+3
2017-04-07Merge "syntax error extra comma in rabbitmq.pp"Jenkins1-1/+1
2017-04-07Merge "Add networking-vpp ML2 mechanism driver support"Jenkins4-0/+105
2017-04-07Merge "Add missing octavia auth include to keystone manifest"Jenkins2-0/+6
2017-04-07Merge "Make galera-ready exec refreshonly"Jenkins1-2/+3
2017-04-07syntax error extra comma in rabbitmq.ppJon Schlueter1-1/+1
bundle rake syntax Could not parse for environment *root*: Syntax error at ')'; expected '}' Change-Id: Idfb254df068b3d7342a6ea3c71dabd1316a61bdf
2017-04-07Stop including ironic::drivers::ssh in the ironic-conductor profileDmitry Tantsur2-1/+9
The SSH drivers are deprecated, pxe_ipmitool + virtualbmc should be used instead. This is a follow-up to blueprint switch-to-virtualbmc. Change-Id: I4fd567dffa3992042eebcf495334b8130e1bdc9f
2017-04-07TLS-everywhere: Add resources for libvirt's cert for live migrationJuan Antonio Osorio Robles4-0/+192
This merely requests the certificates that will be used for libvirt's live migration if TLS-everywhere is enabled. bp tls-via-certmonger Change-Id: If18206d89460f6660a81aabc4ff8b97f1f99bba7
2017-04-07Merge "Don't try and create the my.cnf.d dir everytime"Jenkins1-0/+1
2017-04-07Enable creation of keystone domain when ldap backends are createdJuan Antonio Osorio Robles1-1/+3
This sets the flag create_domain_entry for the ldap_backend resource, which will create the domain for the ldap backend (this was previously not the case since only the configuration was created). Furtherly, this flag will also refresh the keystone server, so the changes come into effect. Note that this is only done in step 3, so the domains are created there and the refresh happens in that step. Also, this is only done for the bootstrap node, since when the other nodes start, they will already have the domains available in the keystone database and there won't be a need to restart. Related-Bug: #1677603 Depends-On: Ib6c633b6a975e4b760c10a2aef3c252885b05e28 Change-Id: Id879cf5c5ae39d37bf58b73c78733001d2b03d9c
2017-04-07Merge "Composable services support for Cinder Pure Storage FlashArray"Jenkins5-8/+169
2017-04-07Merge "Adjust UI manifest (language list)"Jenkins1-2/+0
2017-04-07Merge "Migrate Swift ring handling from tripleo-heat-templates to ↵Jenkins2-0/+101
puppet-tripleo"