Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
|
|
|
|
|
|
This adds a TLS proxy in front of it so it serves TLS in the internal
network.
bp tls-via-certmonger
Change-Id: I97ac2da29be468c75713fe2fae7e6d84cae8f67c
|
|
If we're using local registries, we may want to use different
registries e.g. for Ceph and for OpenStack. We allow multiple
registries in general for this purpose, and we should also allow it in
the insecure registry configuration.
Change-Id: I5cddd20a123a85516577bde1b793a30d43171285
Related-Bug: #1709310
|
|
|
|
This enables the usage of TLS by the apache vhost that hosts horizon.
bp tls-via-certmonger
Change-Id: I7f2e11eb60c7b075e8a59f28682ecc50eeb95c3e
|
|
This makes sure that the database creation is only executed on the mysql
profile (or container if that's enabled), and stops the conflicts and
errors that were happening when barbican was deployed in containerized
environments.
Change-Id: Ib5c99482f62397fc5fb79a9dc537dfb06ee7f4df
Closes-Bug: #1710928
|
|
Generate a cron job and a config for logrotate
to be run against containerized services logs.
Related-bug: #1700912
Change-Id: Ib9d5d8ca236296179182613e1ff625deea168614
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|
|
|
|
|
|
The internal details of enabling IPv6 have moved upstream[1], so just
set the ipv6 flag when desired and don't worry about the details
anymore!
[1] https://github.com/puppetlabs/puppetlabs-rabbitmq/pull/552
Closes-Bug: #1710658
Change-Id: Ib22507c4d02f0fae5c0189ab7e040efac3df7e2f
|
|
|
|
|
|
|
|
|
|
In a containerized environment the haproxy class might not be defined,
so this was made optional. On the other hand, this also retrieves the
CRL before any certmonger_certificate resources are created.
bp tls-via-certmonger-containers
Change-Id: I2078da7757ff3af1d05d36315fcebd54bb4ca3ec
|
|
When mds creates manila key [1], then manila manifest needs to check
first if this resource already exists otherwise puppet fails.
[1] I6308a317ffe0af244396aba5197c85e273e69f68
Change-Id: I3f18bbe476c4f43fa4e162cc66c5df443122cd0c
|
|
|
|
|
|
In non-containerized deployments, HAProxy can be configured to use TLS
for proxying internal services.
Fix the creation of the of the haproxy bundle resource to enable TLS
when configured. The keys and certs files, as well as the crl file are
all passed as configuration files and must be copied by Kolla at
container startup.
Change-Id: I4b72739446c63f0f0ac9f859314a4d6746e20255
Partial-Bug: #1709563
|
|
|
|
In non-containerized deployments, RabbitMQ can be configured to use TLS for
serving and mirroring traffic.
Fix the creation of the rabbitmq bundle resource to enable TLS when configured.
The key and cert are passed as other configuration files and must be copied by
Kolla at container startup.
Change-Id: Ia64d79462de7012e5bceebf0ffe478a1cccdd6c9
Partial-Bug: #1709558
|
|
This only enables correct offline upgrade for now, proper rolling
upgrade support will follow in the Queens release.
Change-Id: Iebbd0c6dfc704ba2e0b5176d607354dd31f13a0d
Depends-On: I548c80cf138b661ba3a5e45a6dfe8711f3322ed0
Partial-Bug: #1708149
|
|
In non-containerized deployments, Galera can be configured to use TLS
for gcomm group communication when enable_internal_tls is set to true.
Fix the creation of the mysql bundle resource to enable TLS when
configured. The key and cert are passed as other configuration files
and must be copied by Kolla at container startup.
Change-Id: If845baa7b0a437c28148c817b7f94d540ca15814
Partial-Bug: #1708135
|
|
|
|
|
|
|
|
Adds a hiera-enabled setting for mysql.pp to
allow configuration of innodb_buffer_pool_size, a key
configurational element for MySQL performance tuning.
Change-Id: Iabdcb6f76510becb98cba35c95db550ffce44ff3
Closes-bug: #1704978
|
|
This change defaults --iptables=false for dockerd to avoid
having Docker create its own FORWARD iptables rules. These
rules can interact with normal OS networking rules and disable
communications between hosts on reboot.
Change-Id: I875fa14f7d810c7f0aba3b3a1b04b60a19470f0f
Closes-bug: #1708279
|
|
The default (on RHEL/CentOS) is to use polkit but this is only useful
for GUI support or for fine grained API access control. As we don't
require either we can achieve identical control using plain old unix
filesystem permissions.
I've merged Sven's changes from https://review.openstack.org/484979
and https://review.openstack.org/487150.
As we need to be careful with the libvirtd option quoting I think it's
best to do this in puppet-tripleo instead of t-h-t yaml.
The option to override the settings from t-h-t remains.
Co-Authored-By: Sven Anderson <sven@redhat.com>
Reverts I91be1f1eacf8eed9017bbfef393ee2d66771e8d6
Closes-bug: 1696504
Change-Id: I507bdd8e3a461091562177403a2a55fcaf6694d2
Depends-On: I17f6c9b5a6e2120a53bae296042ece492210597a
|
|
|
|
We used to rely on a standard directory for the certificates and keys
that are requested by certmonger. However, given the approach we plan to
take for containers that's described in the blueprint, we need to use
service-specific directories for the certs/keys, since we plan to
bind-mount these into the containers, and we don't want to bind mount
any keys/certs from other services.
Thus, we start by creating this directories if they don't exist in the
filesystem and adding the proper selinux labels.
bp tls-via-certmonger-containers
Change-Id: Iba3adb9464a755e67c6f87d1233b3affa8be565a
|
|
We already are setting a pre-shared key by default for the pacemaker
cluster. This was done in order to communicate with TLS-PSK with
pacemaker-remote clusters. This key is also useful for us to enable
encrypted traffic for the regular cluster traffic, which we enable by
default with this patch.
Change-Id: I349b8bf79eeeaa4ddde1c17b7014603913f184cf
|
|
The clustercheck service currently connects to mysql as root
to poll the state of the galera cluster.
Update the generated config to use clustercheck credentials.
Depends-On: If8e0b3f9e4f317fde5328e71115aab87a5fa655f
Closes-Bug: #1707683
Change-Id: I4ee6e1f56a7880ccf456f5c08d26a267fb810361
|
|
|
|
Recent changes in Nova [0] and Cinder [1] result in Barbican being selected
as the default encryption key manager, even when TripleO is not deploying
Barbican.
This change ensures the legacy key manager is enabled when no key manager
(such as Barbican) has been specified. This restores the previous behavior,
where the legacy key manager was enabled by default.
[0] https://review.openstack.org/484501
[1] https://review.openstack.org/485322
Closes-Bug: #1706389
Change-Id: Idc92f7a77cde757538eaac51c4ad8dc397f9c3d3
|
|
This changes adds Dell EMC Unity backend as composable service
and matches the tripleo-heat-templates.
Change-Id: I015f7dfec4bedf72332d91b91cda3ef1dc8caf8c
|
|
This allows running Zaqar with SSL under Apache.
Change-Id: I4c68a662c2433398249f770ac50ba0791449fe71
|
|
When docker-puppet runs module tripleo::haproxy to generate haproxy
configuration file, and tripleo::firewall::manage_firewall is true,
iptables is called to set up firewall rules for the proxied services
and fails due to lack of NET_ADMIN capability.
Make the generation of firewall rule configurable by exposing a
new argument to the puppet module. That way, firewall management can
be temporarily disabled when being run through docker-puppet.
Change-Id: I2d6274d061039a9793ad162ed8e750bd87bf71e9
Partial-Bug: #1697921
|
|
The unit tests jobs are failing because of missing pre conditions for
the new shared class introduced by
Ib233689fdcdda391596d01a21f77bd8e1672ae04. Additionally this change
moved some classes around so that the tests are now failing due to
duplicate class declarations for nova::compute::libvirt::services. This
change moves the include that pulls in the declaration first prior to
the include that exists in tripleo::profile::base::nova::libvirt.
The selinux test was also failing due to a type issue with the fact
being used (boolean vs string)
Change-Id: I5bd4b61d6008820729d58f7743e7e61955dd6f51
Closes-Bug: #1707034
|
|
|
|
Having this run in step 4 causes a refresh (restart) for httpd, which
in turn is problematic for the gnocchi db upgrade command, since when
it runs httpd is not available at that point. This fixes the issue,
since the API configuration is now ran at the same time as the wsgi
bits.
Change-Id: Ie0ab389a4450bb940757e34d1964423911885fa3
|
|
puppet support for this is added in Id8d4d091da2611de75390e045ebd473caf2a8909
Change-Id: I3354b54571a1b9d0a9187698217628d273cd7d7e
|
|
|
|
|
|
|
|
|