Age | Commit message (Collapse) | Author | Files | Lines |
|
Change-Id: If4b091e1ca02f43aa9c65392baf8ceea007b7cfb
|
|
Allow TripleO to deploy Nova Placement API with a new profile.
Change-Id: I5e25a50f3d7a9b39f4146a61cb528963ee09e90c
|
|
This replaces the services' IP-based RabbitMQ configuration and uses
FQDNs instead.
Change-Id: I2be81aecacf50839a029533247981f5edf59cb7f
|
|
|
|
Change-Id: I035c26e0f50e4b3fc0f6085fa5a4bf524e4852b7
|
|
These are now passed via the heat profiles in t-h-t (via
heat-base.yaml and heat-engine.yaml) and use the actual names of
keystone parameters instead.
Change-Id: Id0f5dd03b6757df989339c93b58a5b7eac3402a2
Depends-On: I0e5124d57fdc519262fdec2dbeaaac85afaeebdf
|
|
Change-Id: I35f283bdf8dd0ed979c65633724f0464695130a4
|
|
This patch changes the rabbit_hosts config generation to work properly
with IPv6 addresses.
Closes-Bug: #1639881
Change-Id: I07cd983880a4a75a051e081dcb96134cb5c6f5e8
|
|
Rather than use the heat::keystone::domain class which also includes the
configuration options, we should just create the user for heat in
keystone independently of the configuration.
Change-Id: I7d42d04ef0c53dc1e62d684d8edacfed9fd28fbe
Related-Bug: #1638350
Closes-Bug: #1638626
|
|
|
|
|
|
This optionally enables TLS for keystone in the internal network.
If internal TLS is enabled, each node that is serving the keystone
service will use certmonger to request its certificate.
This, in turn should also configure a command that should be ran when
the certificate is refreshed (which requires the service to be
restarted).
bp tls-via-certmonger
Change-Id: I303f6cf47859284785c0cdc65284a7eb89a4e039
|
|
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: If2804b469eb3ee08f3f194c7dd3290d23a245a7a
|
|
We use the rabbit_hosts configuration for most of our services but we
haven't been adding the configured port. This patch appends the IP port
used provided to the service's heat template to the IPs in the list.
Note: while we could use the value set for the rabbitmq server in
rabbitmq::port, it doesn't allow for dealing with SSL. This also is also
backwards compatible with the RabbitClientPort parameters used in the
heat templates.
Change-Id: I0000f039144a6b0e98c0a148dc69324f60db3d8b
Closes-Bug: #1633580
|
|
Change-Id: Ie215289a7be681a2b1aa5495d3f965c005d62f52
Depends-On: Ia863b38bbac1aceabe6b7deb6939c9db693ff16d
|
|
This needs to happen on the node running keystone, or things break
when you try to deploy e.g the heat_engine service on a non Controller
role. We check the enabled flag for heat engine so this only happens
if the heat_engine service is running on some (any) role.
Partial-Bug: #1631130
Change-Id: Ib088a572b384b479f51d56555734d78ab840a1f3
|
|
This patch moves the various DB syncs into the MySQL role.
Database creation needs to occur on the MySQL server to
avoid permission issues.
This patch also moves database creation to step 2 so we can
guarantee that all per-service databases exist at this time.
This avoids complex ordering needed during step 3 where
services, on different hosts, can run their own db sync's
in a distributed fashion.
Change-Id: I05cc0afa9373429a3197c194c3e8f784ae96de5f
Partial-bug: #1620595
|
|
|
|
Instead of hard-coded yaml aliases in t-h-t, make each service
profile that requires rabbit default to the list of rabbit ips.
Note this could still be extended in future to e.g enable per
service rabbit clusters, but the default is to lookup the
hiera which should be logically equivalent to current t-h-t.
Change-Id: Ie53c93456529420588eb1927703ea91b54095d87
Partially-Implements: blueprint custom-roles
|
|
Shares the same (ssl)port with Swift Proxy
Change-Id: I2e1de1a3fa6ad62895a1e972e43858f23c08bbea
|
|
|
|
The new tripleo::profile::base::ui profile installs the
openstack-tripleo-ui RPM package and setup CORS for required services.
Change-Id: Ib9d8643da3f51171495fcb8b64d1a7ca86cd66bc
|
|
This commit enables the configuration of the service users and
keystone endpoints in the keystone profile. Since with the
composable services work, we can't assure that the APIs will be in
the same node as keystone, this needs to be done from the keystone
profile.
Depends-On: I62273f403838893602816204d9bc50d516c0057f
Change-Id: I36e1c478e7c92be61da6a0d710e9025d4d354072
|
|
As we are staring to manually check overcloud services
the first step is to check that the puppet profiles
are all aligned.
Changes applied:
No logic added or removed in this submission.
Removed unused parameters.
Align header comments structure.
All profiles parameters sorted following:
"Mandatory params first sorted alphabetically
then optional params sorted alphabetically."
Note: Following submissions will check pacemaker,
cinder, mistral and redis services in the base profiles
as some of them has the $pacemaker_master parameter
defaulted to true.
Change-Id: I2f91c3f6baa33f74b5625789eec83233179a9655
|
|
We don't currently offer any parameter interface to enable
PKI certs, and these have all been deprecated by keystone, so
remove them.
Change-Id: I8232262b928c91dcde7bea2f23fa2a7c2660719e
|
|
In the Next Generation HA architecture a number of active/active services
will be run via systemd. In order for this to work we need to make sure that
the sync_db operation only takes place on the bootstrap node, just like it is
done today for the pacemaker profiles.
We do this by removing sync_db as a parameter and instead set it to true
or false depending if the hostname matches the bootstrap_node as it is done
today in the pacemaker role.
Note that we call hiera('bootstrap_nodeid', undef) because if a profile
is included on a non controller node that variable will be undefined.
The following testing was done:
- HA puppet-pacemaker.yaml scenario with three computes
- NonHA with one controller
- NonHA with three controllers
Fixes-Bug: 1600149
Co-Author: cmsj@tenshu.net
Change-Id: I04a7b9e3c18627ea512000a34357acb7f27d6e0e
Implements: blueprint ha-lightweight-architecture
|
|
Before, we had bootstrap_master set to 'undef' by default that was
used to whether or not run keystone bootstrap exec during deployment.
Setting the value to undef was a mistake, because enable_bootstrap in
puppet-keystone is set to true by default, so bootstrap was running
on all controllers at step 4 for HA scenario, while we want it to run on
a single controller (pacemaker_master) at step 4, like we do for
db-sync.
This patch:
* removes bootstrap_master.
* re-use sync_db to whether or not run keystone bootstrap.
so it will only run on a single node when database is ready and
db-sync done (orchestration dones by anchors in puppet-keystone).
Change-Id: I1042862f7c346d1c358b908c33eae0f33afd5e9f
|
|
|
|
Since keystone is being run under apache, the signing keys should notify
apache and not the keystone service. The keystone service is actually
disabled, so if the keys get updated nothing happens.
Change-Id: Idfebeabf03d010956569c32b24437245e2b93c2a
Related-Bug: #1581591
|
|
These can be controlled via the specific Pacemaker role template.
Depends-On: I91a4267f0fc230f63df3333747d28463c7ae55fe
Change-Id: I8ef7bb94e048b998712b3534ceb51a7d10d016e9
|
|
Before the roles we could make the create db operation depend on a
'galera-ready' resource [1]. We can't do it anymore from the role so
we need to do create in step 3, when we do sync as well.
1. https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/manifests/overcloud_controller_pacemaker.pp#L382
Change-Id: Id065a9180f1f1a41ab225ec5f755498ec7d9a827
|
|
This change moves the database creation and sync with the role
profile, so that it's only executed when the role is enabled and
by the role itself.
It also calls the non-pacemaker profiles out of the 'step'
conditional because the non-pacemaker profiles know how to deal with
'step' already.
Change-Id: I6c752cb53090e7ef8e0319bade462f2453ed7660
Related-Bug: 1572952
|
|
Implements: blueprint refactor-puppet-manifests
Add keystone profiles for both pacemaker and non-ha.
Add db sync profiles for pacemaker and non-ha.
HA profiles are designed such that they include the base
profiles, disabling features as needed, while the base
profile can be used independently.
Change-Id: I2faf5a78db802549053ec41678bf83bf28108189
|