summaryrefslogtreecommitdiffstats
path: root/manifests
AgeCommit message (Collapse)AuthorFilesLines
2016-05-19Adds the base and pacemaker profile for the memcached servicemarios2-0/+95
Implements: blueprint refactor-puppet-manifests This is the puppet-tripleo side for the memcached as a composable service. The related tht review that uses this is at I8802c2a0cf1e5fa1a6d1fab5e87f6014bea2f517 Change-Id: Icd504aef7dda144582c286c56c925a78566af72c
2016-05-14Remove Nova EC2 HAproxy endpointEmilien Macchi1-20/+0
THT does not deploy Nova EC2 anymore, so we don't need the HAproxy endpoint anymore. Change-Id: Ia888fe7e14c736ef3678d9a7cf69a2deb9233342 Depends-On: Ief2d0e5c77b5ac58560606fee930fbd66c40ffc3
2016-05-13Update keystone service name for signing keysAlex Schultz1-3/+3
Since keystone is being run under apache, the signing keys should notify apache and not the keystone service. The keystone service is actually disabled, so if the keys get updated nothing happens. Change-Id: Idfebeabf03d010956569c32b24437245e2b93c2a Related-Bug: #1581591
2016-05-11Merge "Add the neutron-dnsmasq.conf to neutron profile"Jenkins1-0/+8
2016-05-10Add the neutron-dnsmasq.conf to neutron profileDan Prince1-0/+8
This was in the initial neutron profile patches but got removed mid-way (see patch 16 comments here: Ida781badbcd63bbcb481a2170638aefe262b717b). The file is in fact required in order to get the ping test properly passing with TripleO. Change-Id: Ibbfd79421f871e41f870745a593cca65e8c0e58a
2016-05-10keystone: drop usage of step 6Emilien Macchi1-1/+3
* Manage roles & endpoints at step 5 * Set correct orchestration for Pacemaker resources within a single step. Change-Id: I079e65f535af069312b602e8ff58be80ab2f2226
2016-05-10Merge "Add tripleo::selinux"Jenkins1-0/+96
2016-05-07Merge "Add neutron profiles"Jenkins18-0/+1148
2016-05-06Merge "Add dport/sport parameter to firewall rule"Jenkins2-1/+13
2016-05-05Add tripleo::selinuxJames Slagle1-0/+96
Adds a class to configure SELinux. The code is taken from puppet-openstack-cloud: https://github.com/redhat-cip/puppet-openstack-cloud This allows to share the same code for usage by both the Undercloud and Overcloud. Co-Authored By: Emilien Macchi <emilien@redhat.com> Co-Authored By: Yanis Guenane <yguenane@redhat.com> blueprint undercloud-elements Change-Id: If214005df733d41c2fa4e197df247d8a14baaa14
2016-05-05Add dport/sport parameter to firewall ruleJames Slagle2-1/+13
The port parameter to puppetlabs-firewall is actually deprecated[1]. This adds support for using the new parameter names dport and sport. The port parameter is still retained in puppet-tripleo for backwards compatibily for anyone using that interface. It is marked deprecated in the documentation, however no deprecation warning is needed because there is already a warning from from puppetlabs-firewall. blueprint undercloud-elements Change-Id: I0598007f90018f80a3266193bb24dbf112de49b7
2016-05-05Add neutron profilesMichael Chapman18-0/+1148
Implements: blueprint refactor-puppet-manifests Add neutron profiles for both pacemaker and non-ha. HA profiles are designed such that they include the base profiles, disabling features as needed, while the base profile can be used independently. Co-Authored-By: Dan Prince <dprince@redhat.com> Change-Id: Ida781badbcd63bbcb481a2170638aefe262b717b
2016-05-04Create dbs in step 3 for the rolesGiulio Fidente2-2/+2
Before the roles we could make the create db operation depend on a 'galera-ready' resource [1]. We can't do it anymore from the role so we need to do create in step 3, when we do sync as well. 1. https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/manifests/overcloud_controller_pacemaker.pp#L382 Change-Id: Id065a9180f1f1a41ab225ec5f755498ec7d9a827
2016-05-04Noop start/stop/restart action for Glance and Keystone in the rolesGiulio Fidente2-0/+14
Change-Id: I1d95746cb990292462106c191987147eba30ee61
2016-05-03Move databases creation and sync with the roleGiulio Fidente6-221/+32
This change moves the database creation and sync with the role profile, so that it's only executed when the role is enabled and by the role itself. It also calls the non-pacemaker profiles out of the 'step' conditional because the non-pacemaker profiles know how to deal with 'step' already. Change-Id: I6c752cb53090e7ef8e0319bade462f2453ed7660 Related-Bug: 1572952
2016-04-22Add aodh and gnocchi to schema profilesGiulio Fidente2-16/+51
Change-Id: Ifb0cc7769ef99e4c7142c8f955f0ca721d61e9b5
2016-04-22Merge "Add steps to database profiles"Jenkins2-26/+37
2016-04-21Merge "Enable HAProxy forwardfor option for Horizon."Jenkins1-0/+2
2016-04-21Merge "Add destination parameter to firewall rule"Jenkins1-16/+22
2016-04-20Merge "Add Glance profiles"Jenkins3-0/+261
2016-04-20Add destination parameter to firewall ruleJames Slagle1-16/+22
Specifying a destination cidr is already supported by puppetlabs-firewall, we just need to pass through the parameter in rule.pp in puppet-tripleo. This will allow creating iptables rules that forward network traffic for a given cidr via puppet-tripleo. Change-Id: I23582a55cd97248be52f45e14de7e813ff499ff7
2016-04-20Add steps to database profilesMichael Chapman2-26/+37
Database schema profiles were missing step information, causing schemas to be created too early. Change-Id: Ic381804ce5f1aa257ece75d2e079f4b02f446344
2016-04-19IPv6 dual-stack supportEmilien Macchi1-12/+4
TL;DR: If keystone_public_api_vip and/or public_virtual_ip is an array of IPs, HAproxy will be configured to listen on all IPs that are given in the arrays. It allows to specify an array for keystone_public_api_vip and/or public_virtual_ip where one IP is v4 and another one is v6. HAproxy will configured to listen on both and redirect the traffic to the IPv6 network (Dual-Stack). Implementation & background: HAproxy requires binding options as an hash where each IP contains an array of binding options. TripleO does not support Puppet Parser [1] (yet) so we can't manipulate data iterations inside the manifests. This patch creates a custom function, called list_to_hash. Example: keystone_vips = ['192.168.0.1:5000', '192.168.0.2:5000'] $keystone_bind_opts = ['transparent'] Using this function: $keystone_vips_hash = list_to_hash($keystone_vips, $keystone_bind_opts) Would return: $keystone_vips_hash = { '192.168.0.1:5000' => ['transparent'], '192.168.0.2:5000' => ['transparent'], } This function will help us in loadbalancer.pp to construct binding options in dynamic way. It's backward compatible, so you don't have to give an array. But if you do, multiple binding will be configured in HAproxy and you'll also be able to deploy IPv6 Dual-Stack. [1] https://docs.puppetlabs.com/puppet/latest/reference/lang_iteration.html Change-Id: I003b6d7d171652654745861d4231882f9e0d373e
2016-04-18Merge "Disable ip_nonlocal_bind (rely on the HAProxy 'transparent' option)"Jenkins1-2/+0
2016-04-15Enable HAProxy forwardfor option for Horizon.Dimitri Savineau1-0/+2
Horizon's backends (httpd) see IP address of the haproxy in the logs instead of the client address. Adding forwardfor option allows to add the client address to the X-Forwarded-For HTTP header and can be replace in the logs by configured the backend servers with this header. Change-Id: I54f0f5549d64768dacca71539c71a28cc99d9d95
2016-04-14Merge "Add support for internal/admin endpoint TLS in HAProxy"Jenkins2-2/+20
2016-04-14Merge "Add generic manifest for loadbalancer endpoints"Jenkins2-458/+286
2016-04-13Refactor HAproxy and VIP creation.Sofer Athlan-Guyot1-0/+64
In tripleo heat template, overcloud_controller_pacemaker.pp has a lot of duplicate code to define haproxy and vip creation. This is an attempt to refactor this. Change-Id: I4cc6711911c1bfa1bc6063979e2b2a7ab5b8d37b
2016-04-11Merge "Fix Sahara SSL default port"Jenkins1-2/+2
2016-04-11Add Glance profilesEmilien Macchi3-0/+261
Add Glance profiles for non-ha & ha scenarios. Change-Id: Ifc388f7058ccfff2818f531bcbc00c7179874bbc Implements: blueprint refactor-puppet-manifests
2016-04-11Add support for internal/admin endpoint TLS in HAProxyJuan Antonio Osorio Robles2-2/+20
This commits adds the option to pass an internal certificate. The aforementioned certificate will be used to terminate TLS connections for the internal and admin endpoints. Change-Id: I9d781b42c63cf34bd1f5ba2c71014c6b9de0f990
2016-04-11Add generic manifest for loadbalancer endpointsJuan Antonio Osorio Robles2-458/+286
In order to reduce repeated code in the loadbalancer manifest, the repeated parts were moved into one manifest that contains the endpoint resource. Change-Id: Ib72abe9de7ab073dcbd780298385b0c519f363aa
2016-04-11Fix Sahara SSL default portJuan Antonio Osorio Robles1-2/+2
There were two issues with the SSL port for sahara. * It was conflicting with Manila's port * It was documented incorrectly This has been fixed Change-Id: I9f710e014890b6daa6b3e511fd811c1e25bd0de3
2016-04-11Map gnocchi vip to haproxy_listen_bind_paramPradeep Kilambi1-4/+4
Change-Id: I7d2eb9405e0171fc54fa0b616122f69db5f51ce2
2016-04-11Merge "Fix comparison to control_virtual_ip"Jenkins1-3/+3
2016-04-08Remove individual service certificatesJuan Antonio Osorio Robles1-201/+36
They are not being used and add extra logic and unnecessary clutter to the code. So this CR removes them in favor of just configuring TLS with the service_certificate. The only individual cert left was the one for haproxy stats. Change-Id: Ic3b769423917e723ecc83e32bcbae17568345661
2016-04-07Add missing services ports to service_ports mapJuan Antonio Osorio Robles1-16/+32
AODH, Gnocchi, Sahara and Trove were missing from the service_ports maps and thus had hardcoded ports in the listener configuration. The addition of those ports to the map is required to give the possibility to deployers to configure those ports if needed. This commit adds them to that map. Change-Id: Id009d65bf68ba91f97b0d60d32028da50fc88fc3
2016-04-04Fix comparison to control_virtual_ipJames Slagle1-3/+3
When managing the vip's, we were incorrectly comparing the vip to $control_virtual_interface instead of $controller_virtual_ip when determining if we needed to actually create the vip or not. This caused the vips for internal api, storage, and storage mgmt to always be created even if they were the same as the control vip. Afaict, this didn't actually cause any problems, other than having extra vip's created when they weren't needed. Still, this corrects the code to do what it was intended to do. Change-Id: I29aee95afcba25008b8b7bee37ba636eb2595cca
2016-04-01Merge "Make cipher suite and SSL options configurable"Jenkins1-6/+20
2016-03-28Merge "Redirect to https for horizon"Jenkins1-3/+15
2016-03-27Merge "Add keystone and db sync profiles"Jenkins4-0/+357
2016-03-23Allow the Redis specific monitor to use authenticationGiulio Fidente1-1/+12
When accessing Redis, if password protected, we need to update the HAProxy checks so that they use a password or we won't be able to gather which node is the replica master. Also adds PING/PONG and QUIT/OK sequence before and after the info command is sent. More at https://bugzilla.redhat.com/show_bug.cgi?id=1320036 Change-Id: Ia9e61e66c5426061eab8172f0a25820989597780
2016-03-22Make cipher suite and SSL options configurableJuan Antonio Osorio Robles1-6/+20
This CR enables the ability to set the cipher suite to be used by HAproxy and the SSL options. So now the user can enable these through hiera. The cipher suite comes from the Fedora system crypto policy. Change-Id: Ia5751d4049026683fa13d4bc4cbf4eaffe054b48 Depends-On: I4943c6c74e0be96c1d7e190908b9262df05d059a
2016-03-22Add keystone and db sync profilesMichael Chapman4-0/+357
Implements: blueprint refactor-puppet-manifests Add keystone profiles for both pacemaker and non-ha. Add db sync profiles for pacemaker and non-ha. HA profiles are designed such that they include the base profiles, disabling features as needed, while the base profile can be used independently. Change-Id: I2faf5a78db802549053ec41678bf83bf28108189
2016-03-18Redirect to https for horizonJuan Antonio Osorio Robles1-3/+15
This adds a TLS binding listening on the internal network for horizon. And on the other hand, if the public binding for horizon is accessed via non-https, it will redirect to https. Change-Id: I1f92ecd0c4845450df4b24f6b621d313ba9cbfc4 Depends-On: I4943c6c74e0be96c1d7e190908b9262df05d059a
2016-03-11Allow enabling authentication on haproxy.statsBen Nemec1-3/+42
Right now we always deploy the haproxy.stats endpoint with no authentication, which is a security concern. Allow setting a password on the endpoint so it isn't accessible to the world. While this allows configuring SSL on the stats endpoint, it does not use the service_certificate parameter because that certificate is intended to be used only for public endpoints, and the stats endpoint is actually on the admin VIP. Once we have support for SSL on admin endpoints we can have stats use it by default. Change-Id: I8a5844e89bd81a99d5101ab6bce7a8d79e069565
2016-03-09Merge "Make OpenStack service ports configurable in HAProxy"Jenkins1-62/+135
2016-03-08Make OpenStack service ports configurable in HAProxyJuan Antonio Osorio Robles1-62/+135
Some deployments were expecting specific ports for the OpenStack services; In case the default ports are not meeting those needs, we need to provide the means of changing the defaults. Change-Id: Idbbcc90e2af1b3a731b0b5ea955df6082541a9f7
2016-03-03Merge "loadbalancer: fix Redis timeout HAproxy config"Jenkins1-1/+0
2016-03-01Always override X-Forwarded-Proto header for HeatJuan Antonio Osorio Robles1-5/+7
Heat has the ssl middleware to handle the X-Forwarded-Proto header by default. We override this header when SSL is enabled because we need to, but overriding it even when we won't be terminating SSL will prevent some attacks using this header. Change-Id: I0b2c61cd4f47c8c08a84402af310983af752d3f2