aboutsummaryrefslogtreecommitdiffstats
path: root/manifests/profile/base/keystone.pp
AgeCommit message (Collapse)AuthorFilesLines
2016-11-08Add proper handling of IPv6 addresses for rabbit host/port handlingBrent Eagles1-1/+2
This patch changes the rabbit_hosts config generation to work properly with IPv6 addresses. Closes-Bug: #1639881 Change-Id: I07cd983880a4a75a051e081dcb96134cb5c6f5e8
2016-11-02Create heat user in keystone profileAlex Schultz1-15/+36
Rather than use the heat::keystone::domain class which also includes the configuration options, we should just create the user for heat in keystone independently of the configuration. Change-Id: I7d42d04ef0c53dc1e62d684d8edacfed9fd28fbe Related-Bug: #1638350 Closes-Bug: #1638626
2016-11-01Merge "Add barbican profile"Jenkins1-0/+3
2016-10-21Merge "Add zaqar profiles"Jenkins1-0/+4
2016-10-19Enable TLS in the internal network for keystoneJuan Antonio Osorio Robles1-11/+79
This optionally enables TLS for keystone in the internal network. If internal TLS is enabled, each node that is serving the keystone service will use certmonger to request its certificate. This, in turn should also configure a command that should be ran when the certificate is refreshed (which requires the service to be restarted). bp tls-via-certmonger Change-Id: I303f6cf47859284785c0cdc65284a7eb89a4e039
2016-10-19Add barbican profileAde Lee1-0/+3
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Change-Id: If2804b469eb3ee08f3f194c7dd3290d23a245a7a
2016-10-17Add port to rabbitmq node ip listBrent Eagles1-1/+6
We use the rabbit_hosts configuration for most of our services but we haven't been adding the configured port. This patch appends the IP port used provided to the service's heat template to the IPs in the list. Note: while we could use the value set for the rabbitmq server in rabbitmq::port, it doesn't allow for dealing with SSL. This also is also backwards compatible with the RabbitClientPort parameters used in the heat templates. Change-Id: I0000f039144a6b0e98c0a148dc69324f60db3d8b Closes-Bug: #1633580
2016-10-17Add zaqar profilesBrad P. Crochet1-0/+4
Change-Id: Ie215289a7be681a2b1aa5495d3f965c005d62f52 Depends-On: Ia863b38bbac1aceabe6b7deb6939c9db693ff16d
2016-10-14Move heat domain/user creation into keystone profileSteven Hardy1-0/+23
This needs to happen on the node running keystone, or things break when you try to deploy e.g the heat_engine service on a non Controller role. We check the enabled flag for heat engine so this only happens if the heat_engine service is running on some (any) role. Partial-Bug: #1631130 Change-Id: Ib088a572b384b479f51d56555734d78ab840a1f3
2016-09-27Move db syncs into mysql base roleDan Prince1-4/+0
This patch moves the various DB syncs into the MySQL role. Database creation needs to occur on the MySQL server to avoid permission issues. This patch also moves database creation to step 2 so we can guarantee that all per-service databases exist at this time. This avoids complex ordering needed during step 3 where services, on different hosts, can run their own db sync's in a distributed fashion. Change-Id: I05cc0afa9373429a3197c194c3e8f784ae96de5f Partial-bug: #1620595
2016-09-06Merge "Add Ceph RGW listener to HAProxy"Jenkins1-0/+3
2016-09-02Make service profiles default to rabbitmq_node_ipsSteven Hardy1-0/+6
Instead of hard-coded yaml aliases in t-h-t, make each service profile that requires rabbit default to the list of rabbit ips. Note this could still be extended in future to e.g enable per service rabbit clusters, but the default is to lookup the hiera which should be logically equivalent to current t-h-t. Change-Id: Ie53c93456529420588eb1927703ea91b54095d87 Partially-Implements: blueprint custom-roles
2016-08-31Add Ceph RGW listener to HAProxyGiulio Fidente1-0/+3
Shares the same (ssl)port with Swift Proxy Change-Id: I2e1de1a3fa6ad62895a1e972e43858f23c08bbea
2016-08-29Merge "Configure keystone endpoints in service profile"Jenkins1-0/+48
2016-08-26UI profile for tripleoMartin André1-0/+1
The new tripleo::profile::base::ui profile installs the openstack-tripleo-ui RPM package and setup CORS for required services. Change-Id: Ib9d8643da3f51171495fcb8b64d1a7ca86cd66bc
2016-08-26Configure keystone endpoints in service profileJuan Antonio Osorio Robles1-0/+48
This commit enables the configuration of the service users and keystone endpoints in the keystone profile. Since with the composable services work, we can't assure that the APIs will be in the same node as keystone, this needs to be done from the keystone profile. Depends-On: I62273f403838893602816204d9bc50d516c0057f Change-Id: I36e1c478e7c92be61da6a0d710e9025d4d354072
2016-08-08Fix parameters and headers inconsistency in the puppet manifests.Carlos Camacho1-6/+6
As we are staring to manually check overcloud services the first step is to check that the puppet profiles are all aligned. Changes applied: No logic added or removed in this submission. Removed unused parameters. Align header comments structure. All profiles parameters sorted following: "Mandatory params first sorted alphabetically then optional params sorted alphabetically." Note: Following submissions will check pacemaker, cinder, mistral and redis services in the base profiles as some of them has the $pacemaker_master parameter defaulted to true. Change-Id: I2f91c3f6baa33f74b5625789eec83233179a9655
2016-08-05Remove keystone PKI cert generationSteven Hardy1-28/+0
We don't currently offer any parameter interface to enable PKI certs, and these have all been deprecated by keystone, so remove them. Change-Id: I8232262b928c91dcde7bea2f23fa2a7c2660719e
2016-07-18Make ::tripleo::profile::base classes work with multiple nodesMichele Baldessari1-16/+15
In the Next Generation HA architecture a number of active/active services will be run via systemd. In order for this to work we need to make sure that the sync_db operation only takes place on the bootstrap node, just like it is done today for the pacemaker profiles. We do this by removing sync_db as a parameter and instead set it to true or false depending if the hostname matches the bootstrap_node as it is done today in the pacemaker role. Note that we call hiera('bootstrap_nodeid', undef) because if a profile is included on a non controller node that variable will be undefined. The following testing was done: - HA puppet-pacemaker.yaml scenario with three computes - NonHA with one controller - NonHA with three controllers Fixes-Bug: 1600149 Co-Author: cmsj@tenshu.net Change-Id: I04a7b9e3c18627ea512000a34357acb7f27d6e0e Implements: blueprint ha-lightweight-architecture
2016-06-18keystone: fix a race condition in bootstrapEmilien Macchi1-11/+6
Before, we had bootstrap_master set to 'undef' by default that was used to whether or not run keystone bootstrap exec during deployment. Setting the value to undef was a mistake, because enable_bootstrap in puppet-keystone is set to true by default, so bootstrap was running on all controllers at step 4 for HA scenario, while we want it to run on a single controller (pacemaker_master) at step 4, like we do for db-sync. This patch: * removes bootstrap_master. * re-use sync_db to whether or not run keystone bootstrap. so it will only run on a single node when database is ready and db-sync done (orchestration dones by anchors in puppet-keystone). Change-Id: I1042862f7c346d1c358b908c33eae0f33afd5e9f
2016-05-18Merge "Remove manage_service and enabled from TripleO manifests"Jenkins1-12/+0
2016-05-13Update keystone service name for signing keysAlex Schultz1-3/+3
Since keystone is being run under apache, the signing keys should notify apache and not the keystone service. The keystone service is actually disabled, so if the keys get updated nothing happens. Change-Id: Idfebeabf03d010956569c32b24437245e2b93c2a Related-Bug: #1581591
2016-05-09Remove manage_service and enabled from TripleO manifestsGiulio Fidente1-12/+0
These can be controlled via the specific Pacemaker role template. Depends-On: I91a4267f0fc230f63df3333747d28463c7ae55fe Change-Id: I8ef7bb94e048b998712b3534ceb51a7d10d016e9
2016-05-04Create dbs in step 3 for the rolesGiulio Fidente1-1/+1
Before the roles we could make the create db operation depend on a 'galera-ready' resource [1]. We can't do it anymore from the role so we need to do create in step 3, when we do sync as well. 1. https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/manifests/overcloud_controller_pacemaker.pp#L382 Change-Id: Id065a9180f1f1a41ab225ec5f755498ec7d9a827
2016-05-03Move databases creation and sync with the roleGiulio Fidente1-3/+7
This change moves the database creation and sync with the role profile, so that it's only executed when the role is enabled and by the role itself. It also calls the non-pacemaker profiles out of the 'step' conditional because the non-pacemaker profiles know how to deal with 'step' already. Change-Id: I6c752cb53090e7ef8e0319bade462f2453ed7660 Related-Bug: 1572952
2016-03-22Add keystone and db sync profilesMichael Chapman1-0/+118
Implements: blueprint refactor-puppet-manifests Add keystone profiles for both pacemaker and non-ha. Add db sync profiles for pacemaker and non-ha. HA profiles are designed such that they include the base profiles, disabling features as needed, while the base profile can be used independently. Change-Id: I2faf5a78db802549053ec41678bf83bf28108189