Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
This uses the tls_proxy resource added in a previous commit [1] in
front of the neutron server when internal TLS is enabled. Right
now values are passed quite manually, but a subsequent commit will use
t-h-t to pass the appropriate hieradata, and then we'll be able to
clean it up from here.
Note that the proxy is only deployed when internal TLS is enabled.
[1] I82243fd3acfe4f23aab373116b78e1daf9d08467
bp tls-via-certmonger
Change-Id: I6dfbf49f45aef9f47e58b5c0dbedd2b4e239979e
|
|
Change-Id: Ic74ccd5fa7b3b04ca810416e5160463252f17474
Signed-off-by: Dan Radez <dradez@redhat.com>
|
|
Change-Id: I3d6bbc05644e840395f87333ec80e3b844f69903
|
|
|
|
|
|
This uses the tls_proxy resource added in the previous commit [1] in
front of the Glance API server when internal TLS is enabled. Right
now values are passed quite manually, but a subsequent commit will use
t-h-t to pass the appropriate hieradata, and then we'll be able to clean
it up from here.
Note that the proxy is only deployed when internal TLS is enabled.
[1] I82243fd3acfe4f23aab373116b78e1daf9d08467
bp tls-via-certmonger
Depends-On: Id5dfb38852cf2420f4195a3c1cb98d5c47bbd45e
Change-Id: Id35a846d43ecae8903a0d58306d9803d5ea00bee
|
|
Glance Registry has been removed in TripleO. So we can clean
puppet-tripleo and remove last bits that used to deploy this service.
Change-Id: Iea8f6340349ab366606205305a3ec9a6e4f11ba6
|
|
|
|
Change-Id: If4b091e1ca02f43aa9c65392baf8ceea007b7cfb
|
|
|
|
etcd is used by networking-vpp ML2 driver as the messaging mechanism. This
patch adds etcd service which can be used by other services.
Implements: blueprint fdio-integration-tripleo
Change-Id: Idaa3e3deddf9be3d278e90b569466c2717e2d517
Signed-off-by: Feng Pan <fpan@redhat.com>
|
|
Having these available from t-h-t, we should be able to use these now.
Change-Id: I7272df25c4fdba152fe15d40444311bc35ace4d9
Depends-On: Id0d34c7c3939ee81126ffd26d0658c0a87805a44
|
|
Allow TripleO to deploy Nova Placement API with a new profile.
Change-Id: I5e25a50f3d7a9b39f4146a61cb528963ee09e90c
|
|
This change adds haproxy rules for galera and redis. They are not there
because these haproxy entries do not use the ::tripleo::haproxy::endpoint
function which does this automatically.
Rabbit does not need them because it does not go through haproxy.
Closes-Bug: #1654280
Change-Id: If995d5c36341f3c089cbda9a0827ea28c19c796b
|
|
|
|
This migrates the haproxy config for ODL to use the
tripleo::haproxy::endpoint class. This class automatically configures
firewall rules for each haproxy endpoint. Also removes listening on
public network for IP and adds listening on ctlplane network for admin
access.
Partial-Bug: 1651476
Change-Id: I1f2af2793d040fda17bf73252afe59434d99f31f
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
|
|
|
|
|
|
This only takes effect is internal-tls is used, and forces haproxy to
do proper verifications of the SSL certificates provided by the
servers.
bp tls-via-certmonger
Change-Id: Ibd98ec46dd6570887db29f55fe183deb1c9dc642
|
|
|
|
This allows us to use the composable services interfaces to handle
providing the IP address for northd, and will be more flexible in
the event folks want to deploy northd/ovndb on a different node to
the neutron plugin.
This also adds ovn_northd to the haproxy configuration so we can access
it via the ovn_northd_vip in other service profiles. Note we need
to ensure the haproxy config only hits the bootstrap node as northd
won't be running on the other nodes.
Change-Id: I9af7bd837c340c3df016fc7ad4238b2941ba7a95
Partial-Bug: #1634171
|
|
|
|
It needs it so HAProxy will be able to set the X-Forwarded-Proto header.
Related-Bug: #1640126
Change-Id: I1726fa1742bc70518338b80fc6d27567bb020e7c
|
|
HAProxy won't pass X-Forwarded-Proto to these services in mode tcp, so we need
to switch it to http in order for it to work and for the services to properly
set the protocol in the links they serve.
Change-Id: Ib10282159fb9269eebe81af23171ec9fb1297cd0
Closes-Bug: #1640126
|
|
|
|
|
|
Previously the ctrl plane VIP would default to 'br-ex' which in non-vlan
deployments ends up being the wrong interface. The public VIP interface
was also defaulted to 'br-ex' which would be incorrect for vlan based
deployments. Since a user has already given the nic template (and in
most cases the subnet that corresponds to the nic) the installer should
be able to figure out which interface the public/control vip should be
on.
These changes enable that type of auto-detection, unless a user
explicitly overrides the heat parameters for ControlVirtualInterface and
PublicVirtualInterface. Also removes calling keepalived from haproxy
now that the services are composed separately on the Controller role.
Partial-Bug: 1606632
Change-Id: I05105fce85be8ace986db351cdca2916f405ed04
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
The default port of the MidoNet Cluster (formerly known as MidoNet API)
is now 8181 instead of 8081.
Since this parameter is configurable through the settings, the default
value for the port has been added to the $service_ports array.
Change-Id: I2785d3109993bca0bd68077ff55cfeafbf594e19
|
|
We have a variable in hiera which tells us if the keepalived
service is enabled, so use it here. Without this any deployment
disabling OS::TripleO::Services::Keepalived will fail.
Change-Id: I90faf51881bd05920067c1e1d82baf5d7586af23
Closes-Bug: #1642677
|
|
|
|
Change-Id: I35f283bdf8dd0ed979c65633724f0464695130a4
|
|
|
|
This optionally enables TLS for Barbican API in the internal network.
If internal TLS is enabled, each node that is serving the Barbican API
service will use certmonger to request its certificate.
bp tls-via-certmonger
Change-Id: I1c1d3dab9bba7bec6296a55747e9ade242c47bd9
|
|
|
|
this looks like a copy/paste error. Let barbican use its own
hiera data.
Change-Id: I84118c1a561c3db2f18504b55c5a8c4f042e7e3b
|
|
|
|
|
|
|
|
The lastest patchset of https://review.openstack.org/393361 was actually
not working.
The `if defined` idiom depends on *evaluation* order.
At the time it's red in the haproxy.pp class, the line that loads the
class 'haproxy' has still not yet been reached and thus the `defined`
result is false. The constraint is not added.
For this reason, the use of `defined` in module is not advised by
puppetlabs[1].
[1] https://docs.puppet.com/puppet/latest/reference/function.html#defined
Change-Id: Ibd352cb313f8863d62db8987419378bed5b87256
Relates-To: #1638029
|
|
|
|
|
|
aodh, ceilometer, gnocchi and neutron need the X-Forwarded-Proto in
order to return links with the correct protocol when SSL is enabled.
This enables it in HAProxy
Change-Id: Icceab92f86b1cc40d42195fa4ba0c75f302795b8
Closes-Bug: #1640126
|
|
In HA deployments, we now check mysql nodes every 1s and removed them
immediately if they are failed. Previously we would check every 2s and
allow them to fail 5 checks before being removed, producing errors from
other OpenStack services for 10s, which causes confusion and delay for
operators.
Additionally, these check options are now also a class parameter so can
be overridden by operators.
Closes-Bug: #1639189
Change-Id: I0b915f790ae5a4b018a212d3aa83cca507be05e9
|
|
It's been proposed this may help with the
('Connection aborted.', BadStatusLine("''",)) errors.
This patch increase queue, server and client timeouts to 2m (default is 1m)
Related-Bug: #1638908
Change-Id: Ie4f059f3fad2271bb472697e85ede296eee91f5d
|
|
This optionally enables TLS for Cinder API in the internal network.
If internal TLS is enabled, each node that is serving the Cinder API
service will use certmonger to request its certificate.
bp tls-via-certmonger
Change-Id: Ib4a9c8d3ca57f1b02e1bb0d150f333db501e9863
|
|
Change-Id: Id4dc2379b0c423012a0b3aaf49d1e1a7d633a03b
|
|
|
|
|