summaryrefslogtreecommitdiffstats
path: root/manifests
AgeCommit message (Collapse)AuthorFilesLines
2016-11-22Merge "firewall: stop using stdlib stages"Jenkins1-4/+3
2016-11-21Merge "Adds auto-detection for VIP interfaces"Jenkins2-15/+44
2016-11-21Merge "Add panko service support"Jenkins5-0/+120
2016-11-21firewall: stop using stdlib stagesEmilien Macchi1-4/+3
Using Puppet stdlib in TripleO is risky because it exposes deployments to dependency cycles in the catalog. We should rather use native functions to make orchestrations, like ordering and dependencies management. This patch: - removes usage of stages from stdlib - use ordering to make sure we run pre rules before post - use ordering to make sure we start all Services in catalog before post rules. It ensure that we don't drop all traffic before starting the services, which could lead to services errors (e.g. trying to reach database or amqp) Change-Id: Iec4705d6b785a40ccf6f43809b94b726ccd47fef Closes-Bug: #1643575
2016-11-20Adds auto-detection for VIP interfacesTim Rozet2-15/+44
Previously the ctrl plane VIP would default to 'br-ex' which in non-vlan deployments ends up being the wrong interface. The public VIP interface was also defaulted to 'br-ex' which would be incorrect for vlan based deployments. Since a user has already given the nic template (and in most cases the subnet that corresponds to the nic) the installer should be able to figure out which interface the public/control vip should be on. These changes enable that type of auto-detection, unless a user explicitly overrides the heat parameters for ControlVirtualInterface and PublicVirtualInterface. Also removes calling keepalived from haproxy now that the services are composed separately on the Controller role. Partial-Bug: 1606632 Change-Id: I05105fce85be8ace986db351cdca2916f405ed04 Signed-off-by: Tim Rozet <trozet@redhat.com>
2016-11-17Replace hard-coded haproxy/keepalived couplingSteven Hardy1-3/+3
We have a variable in hiera which tells us if the keepalived service is enabled, so use it here. Without this any deployment disabling OS::TripleO::Services::Keepalived will fail. Change-Id: I90faf51881bd05920067c1e1d82baf5d7586af23 Closes-Bug: #1642677
2016-11-16Sort parameters in keystone profile alphabeticallyJuan Antonio Osorio Robles1-20/+20
Change-Id: I035c26e0f50e4b3fc0f6085fa5a4bf524e4852b7
2016-11-16Remove explicit hiera calls for heat in keystone profileJuan Antonio Osorio Robles1-9/+8
These are now passed via the heat profiles in t-h-t (via heat-base.yaml and heat-engine.yaml) and use the actual names of keystone parameters instead. Change-Id: Id0f5dd03b6757df989339c93b58a5b7eac3402a2 Depends-On: I0e5124d57fdc519262fdec2dbeaaac85afaeebdf
2016-11-15Merge " Enable TLS in the internal network for Barbican API"Jenkins2-4/+56
2016-11-14Add panko service supportPradeep Kilambi5-0/+120
Change-Id: I35f283bdf8dd0ed979c65633724f0464695130a4
2016-11-14Merge "Fix barbican server name to not use aodh hiera"Jenkins1-1/+1
2016-11-14 Enable TLS in the internal network for Barbican APIJuan Antonio Osorio Robles2-4/+56
This optionally enables TLS for Barbican API in the internal network. If internal TLS is enabled, each node that is serving the Barbican API service will use certmonger to request its certificate. bp tls-via-certmonger Change-Id: I1c1d3dab9bba7bec6296a55747e9ade242c47bd9
2016-11-11Merge "Normalize civetweb binding address if IPv6"Jenkins1-2/+18
2016-11-11Merge "Enable TLS in the internal network for Cinder API"Jenkins2-3/+55
2016-11-11Merge "Ensure keepalived is restarted when necessary."Jenkins1-0/+11
2016-11-11Normalize civetweb binding address if IPv6Giulio Fidente1-2/+18
The civetweb binding format is IP:PORT; this change ensures the IP is enclosed in brackets if IPv6. To do so we add the bind_ip and bind_port parameters to the rgw service class. Change-Id: Ib84fa3479c2598bff7e89ad60a1c7d5f2c22c18c Co-Authored-By: Lukas Bezdicka <social@v3.sk> Related-Bug: #1636515
2016-11-11Fix barbican server name to not use aodh hieraPradeep Kilambi1-1/+1
this looks like a copy/paste error. Let barbican use its own hiera data. Change-Id: I84118c1a561c3db2f18504b55c5a8c4f042e7e3b
2016-11-10Fix puppet lint failureBen Nemec1-3/+3
I'm not sure how this merged, but it's causing failures in other patches to puppet-tripleo. Change-Id: Ib20d349fa9abd6347739190bb29a02b6e3eb839d
2016-11-09Merge "Enable TLS in the internal network for Nova API"Jenkins2-3/+55
2016-11-09Merge "Better way to ensure keepalived before haproxy."Jenkins2-4/+2
2016-11-09Merge "Wrong default in docstring"Jenkins1-1/+1
2016-11-09Merge "Pass X-Forwarded-Proto for missing services"Jenkins1-0/+20
2016-11-09Ensure keepalived is restarted when necessary.Sofer Athlan-Guyot1-0/+11
If os-collect-config/config.json is updated before an upgrade/update, then the os-net-config run will automatically erase the keepalived managed ips. This is a hackish way to ensure that keepalived is restarted during the next phase in order to have the ip recreated. It basically adds a comment line to the keepalived.conf file (making it different than the puppet one) if it's there. This will force a puppet restart of the keepalive service puting the ips back on the undercloud. Change-Id: I56b706ff44ba31aa87a63f870940831ce02a6e77 Closes-Bug: #1640213 Related-Bug: #1638029
2016-11-08Merge "Add proper handling of IPv6 addresses for rabbit host/port handling"Jenkins12-13/+24
2016-11-08Better way to ensure keepalived before haproxy.Sofer Athlan-Guyot2-4/+2
The lastest patchset of https://review.openstack.org/393361 was actually not working. The `if defined` idiom depends on *evaluation* order. At the time it's red in the haproxy.pp class, the line that loads the class 'haproxy' has still not yet been reached and thus the `defined` result is false. The constraint is not added. For this reason, the use of `defined` in module is not advised by puppetlabs[1]. [1] https://docs.puppet.com/puppet/latest/reference/function.html#defined Change-Id: Ibd352cb313f8863d62db8987419378bed5b87256 Relates-To: #1638029
2016-11-08Merge "Enable TLS in the internal network for gnocchi"Jenkins2-4/+56
2016-11-08Merge "Improve failed mysql node removal time in HA deploys."Jenkins1-3/+20
2016-11-08Wrong default in docstringMikeG4511-1/+1
Update default doc default for bind_host to match previous change http://review.openstack.org/386817/ Change-Id: Iff048ba7152c1b7e945f284311215c8f872c1409 Closes-bug: #1640104
2016-11-08Pass X-Forwarded-Proto for missing servicesJuan Antonio Osorio Robles1-0/+20
aodh, ceilometer, gnocchi and neutron need the X-Forwarded-Proto in order to return links with the correct protocol when SSL is enabled. This enables it in HAProxy Change-Id: Icceab92f86b1cc40d42195fa4ba0c75f302795b8 Closes-Bug: #1640126
2016-11-08Improve failed mysql node removal time in HA deploys.Chris Jones1-3/+20
In HA deployments, we now check mysql nodes every 1s and removed them immediately if they are failed. Previously we would check every 2s and allow them to fail 5 checks before being removed, producing errors from other OpenStack services for 10s, which causes confusion and delay for operators. Additionally, these check options are now also a class parameter so can be overridden by operators. Closes-Bug: #1639189 Change-Id: I0b915f790ae5a4b018a212d3aa83cca507be05e9
2016-11-08Add proper handling of IPv6 addresses for rabbit host/port handlingBrent Eagles12-13/+24
This patch changes the rabbit_hosts config generation to work properly with IPv6 addresses. Closes-Bug: #1639881 Change-Id: I07cd983880a4a75a051e081dcb96134cb5c6f5e8
2016-11-07Increase haproxy timeoutsSteven Hardy1-2/+2
It's been proposed this may help with the ('Connection aborted.', BadStatusLine("''",)) errors. This patch increase queue, server and client timeouts to 2m (default is 1m) Related-Bug: #1638908 Change-Id: Ie4f059f3fad2271bb472697e85ede296eee91f5d
2016-11-04swift/proxy: configure rabbitmq properlyEmilien Macchi1-3/+16
Use rabbitmq_node_ips to find out where rabbitmq nodes are, and have correct ipv6 syntax if required. Closes-Bug: 1637443 Change-Id: Ibc0ed642931dd3ada7ee594bb8c70a1c3462206d
2016-11-03Merge "Fix default for barbican documentation"Jenkins1-1/+1
2016-11-03Merge "Make sure keepalived is restarted before haproxy."Jenkins1-1/+4
2016-11-02Create heat user in keystone profileAlex Schultz2-16/+37
Rather than use the heat::keystone::domain class which also includes the configuration options, we should just create the user for heat in keystone independently of the configuration. Change-Id: I7d42d04ef0c53dc1e62d684d8edacfed9fd28fbe Related-Bug: #1638350 Closes-Bug: #1638626
2016-11-02Enable TLS in the internal network for Cinder APIJuan Antonio Osorio Robles2-3/+55
This optionally enables TLS for Cinder API in the internal network. If internal TLS is enabled, each node that is serving the Cinder API service will use certmonger to request its certificate. bp tls-via-certmonger Change-Id: Ib4a9c8d3ca57f1b02e1bb0d150f333db501e9863
2016-11-01Fix default for barbican documentationJuan Antonio Osorio Robles1-1/+1
Change-Id: Id4dc2379b0c423012a0b3aaf49d1e1a7d633a03b
2016-11-01Merge "Add barbican profile"Jenkins4-0/+121
2016-11-01Merge "Fixes transparent binding to OpenDaylight in HA Proxy"Jenkins1-2/+2
2016-11-01Merge "NFS mounting for Glance file backend"Jenkins2-4/+93
2016-11-01Enable TLS in the internal network for Nova APIJuan Antonio Osorio Robles2-3/+55
This optionally enables TLS for Nova API in the internal network. If internal TLS is enabled, each node that is serving the Nova API service will use certmonger to request its certificate. Note that this doesn't enable internal TLS for the nova metadata service since it doesn't run over httpd. This will be handled in a later commit. bp tls-via-certmonger Change-Id: I88380a1ed8fd597a1a80488cbc6ce357f133bd70
2016-10-31Make sure keepalived is restarted before haproxy.Sofer Athlan-Guyot1-1/+4
When using SSL setup for undercloud, the admin and public vip required for ssl binding by haproxy are created by keepalived. This makes sure that keepalived is started before haproxy and thus that the interfaces are indeed present. This patch also ensures this is happening for overcloud ssl configuration. The case where another load-balancing technology other than haproxy is used is not covered. Closes-Bug: #1638029 Change-Id: I98cb0dcd7f389a1dd38ec8324429bfef4979aa66
2016-10-31Merge "Calculate zaqar mongo from mongodb_node_ips"Jenkins1-2/+17
2016-10-31Merge "Reload haproxy if any configuration changes on HA"Jenkins1-1/+1
2016-10-31Merge "Enable TLS in the internal network for aodh"Jenkins2-3/+56
2016-10-31Merge "Enable TLS in the internal network for ceilometer"Jenkins2-2/+54
2016-10-30Fixes transparent binding to OpenDaylight in HA ProxyTim Rozet1-2/+2
ODL was missing transparent binding mode, which causes HA deployments to fail since HA Proxy will try to come up on every node (even without VIP). Closes-Bug: 1637833 Change-Id: I0bb7839cdcfeacb4ca1a9fc6f878e8b51330be92 Signed-off-by: Tim Rozet <trozet@redhat.com>
2016-10-27Clean up service name from cinder apiJuan Antonio Osorio Robles1-3/+1
Since the service_name is now being passed from t-h-t, we can clean it up from the profile in puppet. Change-Id: I724af8c355c3077be64cf472cedbca80af55da01 Depends-On: I13638cd1af52537bef8540f0d5fa5f5f7decd392
2016-10-27Calculate zaqar mongo from mongodb_node_ipsBrad P. Crochet1-2/+17
In order to make the zaqar service fully composable, the mongo ips need to be calculated without assuming that mongo and zaqar are on the same node. Change-Id: I0b077e85ba5fcd9fdfd33956cf33ce2403fcb088