Age | Commit message (Collapse) | Author | Files | Lines |
|
Implements: blueprint refactor-puppet-manifests
This is the puppet-tripleo side for the memcached as a composable
service. The related tht review that uses this is at
I8802c2a0cf1e5fa1a6d1fab5e87f6014bea2f517
Change-Id: Icd504aef7dda144582c286c56c925a78566af72c
|
|
THT does not deploy Nova EC2 anymore, so we don't need the HAproxy
endpoint anymore.
Change-Id: Ia888fe7e14c736ef3678d9a7cf69a2deb9233342
Depends-On: Ief2d0e5c77b5ac58560606fee930fbd66c40ffc3
|
|
Since keystone is being run under apache, the signing keys should notify
apache and not the keystone service. The keystone service is actually
disabled, so if the keys get updated nothing happens.
Change-Id: Idfebeabf03d010956569c32b24437245e2b93c2a
Related-Bug: #1581591
|
|
|
|
This was in the initial neutron profile patches but got removed
mid-way (see patch 16 comments here:
Ida781badbcd63bbcb481a2170638aefe262b717b). The file is in fact
required in order to get the ping test properly passing with TripleO.
Change-Id: Ibbfd79421f871e41f870745a593cca65e8c0e58a
|
|
* Manage roles & endpoints at step 5
* Set correct orchestration for Pacemaker resources within a single
step.
Change-Id: I079e65f535af069312b602e8ff58be80ab2f2226
|
|
|
|
|
|
|
|
Adds a class to configure SELinux. The code is taken from
puppet-openstack-cloud:
https://github.com/redhat-cip/puppet-openstack-cloud
This allows to share the same code for usage by both the Undercloud and
Overcloud.
Co-Authored By: Emilien Macchi <emilien@redhat.com>
Co-Authored By: Yanis Guenane <yguenane@redhat.com>
blueprint undercloud-elements
Change-Id: If214005df733d41c2fa4e197df247d8a14baaa14
|
|
The port parameter to puppetlabs-firewall is actually deprecated[1].
This adds support for using the new parameter names dport and sport. The
port parameter is still retained in puppet-tripleo for backwards
compatibily for anyone using that interface. It is marked deprecated in
the documentation, however no deprecation warning is needed because
there is already a warning from from puppetlabs-firewall.
blueprint undercloud-elements
Change-Id: I0598007f90018f80a3266193bb24dbf112de49b7
|
|
Implements: blueprint refactor-puppet-manifests
Add neutron profiles for both pacemaker and non-ha.
HA profiles are designed such that they include the base
profiles, disabling features as needed, while the base
profile can be used independently.
Co-Authored-By: Dan Prince <dprince@redhat.com>
Change-Id: Ida781badbcd63bbcb481a2170638aefe262b717b
|
|
Before the roles we could make the create db operation depend on a
'galera-ready' resource [1]. We can't do it anymore from the role so
we need to do create in step 3, when we do sync as well.
1. https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/manifests/overcloud_controller_pacemaker.pp#L382
Change-Id: Id065a9180f1f1a41ab225ec5f755498ec7d9a827
|
|
Change-Id: I1d95746cb990292462106c191987147eba30ee61
|
|
This change moves the database creation and sync with the role
profile, so that it's only executed when the role is enabled and
by the role itself.
It also calls the non-pacemaker profiles out of the 'step'
conditional because the non-pacemaker profiles know how to deal with
'step' already.
Change-Id: I6c752cb53090e7ef8e0319bade462f2453ed7660
Related-Bug: 1572952
|
|
Change-Id: Ifb0cc7769ef99e4c7142c8f955f0ca721d61e9b5
|
|
|
|
|
|
|
|
|
|
Specifying a destination cidr is already supported by
puppetlabs-firewall, we just need to pass through the parameter in
rule.pp in puppet-tripleo.
This will allow creating iptables rules that forward network traffic for
a given cidr via puppet-tripleo.
Change-Id: I23582a55cd97248be52f45e14de7e813ff499ff7
|
|
Database schema profiles were missing step information, causing
schemas to be created too early.
Change-Id: Ic381804ce5f1aa257ece75d2e079f4b02f446344
|
|
TL;DR:
If keystone_public_api_vip and/or public_virtual_ip is an array of IPs,
HAproxy will be configured to listen on all IPs that are given in the
arrays.
It allows to specify an array for keystone_public_api_vip and/or
public_virtual_ip where one IP is v4 and another one is v6.
HAproxy will configured to listen on both and redirect the traffic to
the IPv6 network (Dual-Stack).
Implementation & background:
HAproxy requires binding options as an hash where each IP contains an
array of binding options.
TripleO does not support Puppet Parser [1] (yet) so we can't manipulate
data iterations inside the manifests.
This patch creates a custom function, called list_to_hash.
Example:
keystone_vips = ['192.168.0.1:5000', '192.168.0.2:5000']
$keystone_bind_opts = ['transparent']
Using this function:
$keystone_vips_hash = list_to_hash($keystone_vips,
$keystone_bind_opts)
Would return:
$keystone_vips_hash = {
'192.168.0.1:5000' => ['transparent'],
'192.168.0.2:5000' => ['transparent'],
}
This function will help us in loadbalancer.pp to construct binding
options in dynamic way.
It's backward compatible, so you don't have to give an array.
But if you do, multiple binding will be configured in HAproxy and you'll
also be able to deploy IPv6 Dual-Stack.
[1] https://docs.puppetlabs.com/puppet/latest/reference/lang_iteration.html
Change-Id: I003b6d7d171652654745861d4231882f9e0d373e
|
|
|
|
Horizon's backends (httpd) see IP address of the haproxy in the logs instead
of the client address.
Adding forwardfor option allows to add the client address to the
X-Forwarded-For HTTP header and can be replace in the logs by configured the
backend servers with this header.
Change-Id: I54f0f5549d64768dacca71539c71a28cc99d9d95
|
|
|
|
|
|
In tripleo heat template, overcloud_controller_pacemaker.pp has a lot of
duplicate code to define haproxy and vip creation. This is an attempt
to refactor this.
Change-Id: I4cc6711911c1bfa1bc6063979e2b2a7ab5b8d37b
|
|
|
|
Add Glance profiles for non-ha & ha scenarios.
Change-Id: Ifc388f7058ccfff2818f531bcbc00c7179874bbc
Implements: blueprint refactor-puppet-manifests
|
|
This commits adds the option to pass an internal certificate.
The aforementioned certificate will be used to terminate TLS
connections for the internal and admin endpoints.
Change-Id: I9d781b42c63cf34bd1f5ba2c71014c6b9de0f990
|
|
In order to reduce repeated code in the loadbalancer manifest, the
repeated parts were moved into one manifest that contains the
endpoint resource.
Change-Id: Ib72abe9de7ab073dcbd780298385b0c519f363aa
|
|
There were two issues with the SSL port for sahara.
* It was conflicting with Manila's port
* It was documented incorrectly
This has been fixed
Change-Id: I9f710e014890b6daa6b3e511fd811c1e25bd0de3
|
|
Change-Id: I7d2eb9405e0171fc54fa0b616122f69db5f51ce2
|
|
|
|
They are not being used and add extra logic and unnecessary clutter
to the code. So this CR removes them in favor of just configuring
TLS with the service_certificate. The only individual cert left was
the one for haproxy stats.
Change-Id: Ic3b769423917e723ecc83e32bcbae17568345661
|
|
AODH, Gnocchi, Sahara and Trove were missing from the service_ports
maps and thus had hardcoded ports in the listener configuration. The
addition of those ports to the map is required to give the
possibility to deployers to configure those ports if needed. This
commit adds them to that map.
Change-Id: Id009d65bf68ba91f97b0d60d32028da50fc88fc3
|
|
When managing the vip's, we were incorrectly comparing the vip to
$control_virtual_interface instead of $controller_virtual_ip when
determining if we needed to actually create the vip or not.
This caused the vips for internal api, storage, and storage mgmt to
always be created even if they were the same as the control vip. Afaict,
this didn't actually cause any problems, other than having extra vip's
created when they weren't needed. Still, this corrects the code to do
what it was intended to do.
Change-Id: I29aee95afcba25008b8b7bee37ba636eb2595cca
|
|
|
|
|
|
|
|
When accessing Redis, if password protected, we need to update
the HAProxy checks so that they use a password or we won't be able
to gather which node is the replica master.
Also adds PING/PONG and QUIT/OK sequence before and after the info
command is sent.
More at https://bugzilla.redhat.com/show_bug.cgi?id=1320036
Change-Id: Ia9e61e66c5426061eab8172f0a25820989597780
|
|
This CR enables the ability to set the cipher suite to be used by
HAproxy and the SSL options. So now the user can enable these through
hiera. The cipher suite comes from the Fedora system crypto policy.
Change-Id: Ia5751d4049026683fa13d4bc4cbf4eaffe054b48
Depends-On: I4943c6c74e0be96c1d7e190908b9262df05d059a
|
|
Implements: blueprint refactor-puppet-manifests
Add keystone profiles for both pacemaker and non-ha.
Add db sync profiles for pacemaker and non-ha.
HA profiles are designed such that they include the base
profiles, disabling features as needed, while the base
profile can be used independently.
Change-Id: I2faf5a78db802549053ec41678bf83bf28108189
|
|
This adds a TLS binding listening on the internal network for
horizon. And on the other hand, if the public binding for horizon is
accessed via non-https, it will redirect to https.
Change-Id: I1f92ecd0c4845450df4b24f6b621d313ba9cbfc4
Depends-On: I4943c6c74e0be96c1d7e190908b9262df05d059a
|
|
Right now we always deploy the haproxy.stats endpoint with no
authentication, which is a security concern. Allow setting a
password on the endpoint so it isn't accessible to the world.
While this allows configuring SSL on the stats endpoint, it does
not use the service_certificate parameter because that certificate
is intended to be used only for public endpoints, and the stats
endpoint is actually on the admin VIP. Once we have support for
SSL on admin endpoints we can have stats use it by default.
Change-Id: I8a5844e89bd81a99d5101ab6bce7a8d79e069565
|
|
|
|
Some deployments were expecting specific ports for the OpenStack
services; In case the default ports are not meeting those needs, we
need to provide the means of changing the defaults.
Change-Id: Idbbcc90e2af1b3a731b0b5ea955df6082541a9f7
|
|
|
|
Heat has the ssl middleware to handle the X-Forwarded-Proto header by
default. We override this header when SSL is enabled because we need
to, but overriding it even when we won't be terminating SSL will
prevent some attacks using this header.
Change-Id: I0b2c61cd4f47c8c08a84402af310983af752d3f2
|