aboutsummaryrefslogtreecommitdiffstats
path: root/manifests
AgeCommit message (Collapse)AuthorFilesLines
2016-12-22Merge "add support for collectd"Jenkins2-0/+94
2016-12-22Merge "[CVE-2016-9599] Enforce Firewall TCP / UDP rules management"Jenkins2-9/+39
2016-12-22Merge "Ensure package updates don't happen unexpectedly"Jenkins1-2/+2
2016-12-22Merge "HPELeftHandISCSIDriver support for cinder"Jenkins2-8/+92
2016-12-22Merge "Add TLS proxy resource"Jenkins1-0/+60
2016-12-22Merge "Split ovn plugin and northd configuration"Jenkins4-16/+110
2016-12-22[CVE-2016-9599] Enforce Firewall TCP / UDP rules managementEmilien Macchi2-9/+39
This closes CVE-2016-9599. 1) Sanitize dynamic HAproxy endpoints firewall rules Build the hash of firewall rules only when a port is specified. The HAproxy endpoints are using TCP protocol, which means we have to specify a port to the IPtables rules. Some services don't have public network exposure (e.g. Glance Registry), which means they don't need haproxy_ssl rule. The code prepare the hash depending on the service_port and public_ssl_port parameters and create the actual firewall rules only if one of those or both parameters are specified. It will prevent new services without public exposure to open all traffic because no port is specified. 2) Secure Firewall rules creations The code won't allow to create TCP / UDP IPtables rules in INPUT or OUTPUT chains without port or sport or dport, because doing it would allow an IPtables rule opening all traffic for TCP or UDP. If we try to do that, Puppet catalog will fail with an error explaining why. Example of use-cases: - creating VRRP rules wouldn't require port parameters. - creating TCP or UDP rules would require port parameters. 3) Allow to open all traffic for TCO / UDP (when desired) Some use-cases require to open all traffic for all ports on TCP / UDP. It will be possible if the user gives port = 'all' when creating the firewall rule. Backward compatibility: - if our users created custom TCP / UDP firewall rules without port parameters, it won't work anymore, for security purpose. - if you users want to open TCP / UDP for all ports, they need to pass port = 'all' and the rule will be created, though a warning will be displayed because this is insecure. - if our users created custom VRRP rules without port parameters, it will still work correctly and rules will be created. - TCP / UDP rules in FORWARD chain without port are still accepted. Change-Id: I19396c8ab06b91fee3253cdfcb834482f4040a59 Closes-Bug: #1651831
2016-12-22Ensure package updates don't happen unexpectedlySteven Hardy1-2/+2
I'm seeing this run yum update on deploy, even though hiera tripleo::packages::enable_upgrade says false. I assume these are needed because we're getting "false", but I'm unclear if this is a recently introduced problem (I only noticed it today as my image has outdated centos packages and it thus hung on step2 of the deploy. Change-Id: If09cdde9883f2674dbbc40944be5fe4445caa08e Closes-Bug: #1652107
2016-12-22Merge "Decouple swift-proxy from ceilometer packages"Jenkins1-8/+15
2016-12-22Merge "Add networking-fujitsu support to puppet-tripleo"Jenkins1-0/+5
2016-12-22Merge "Do not use hardcoded controller_node_names when setting up the cluster"Jenkins1-1/+2
2016-12-20Decouples neutron services from OpenDaylight API serviceTim Rozet1-12/+7
Removes including Neutron services in the OpenDaylight API service. This was breaking custom roles when splitting up OpenDaylight and Neutron into different roles. Also, references to "controller" are removed because with custom roles OpenDaylight could be isolated to any role type. The 'bootstrap_nodeid' still works with any role, and only resolves to the first node in the series of nodes for that role type. Partial-Bug: 1651499 Change-Id: I418643810ee6b8a2c17a4754c83453140ebe39c7 Signed-off-by: Tim Rozet <trozet@redhat.com>
2016-12-20Add TLS proxy resourceJuan Antonio Osorio Robles1-0/+60
some services need a terminating proxy to do TLS on their main interfaces, to address this, we use httpd's mod_proxy and make it listen in front of these services with an appropriate certificate. bp tls-via-certmonger Change-Id: I82243fd3acfe4f23aab373116b78e1daf9d08467
2016-12-19Merge "Disable legacy ceilometer api by default"Jenkins1-1/+6
2016-12-19Merge "Drop vip_hosts"Jenkins1-39/+0
2016-12-19Merge "Fix a typo in haproxy.pp"Jenkins1-1/+1
2016-12-16add support for collectdLars Kellogg-Stedman2-0/+94
This is the glue between the collectd composable service in tripleo-heat-templates and the puppet-collectd module. Change-Id: I7e899e3af870b04dcd45503bd322278997fa53d0
2016-12-12Add networking-fujitsu support to puppet-tripleoKoki Sanagi1-0/+5
Enable ml2.pp to call networking-fujitsu manifest in puppet-neutron. The implementation in puppet-neutron is in progress separately. Change-Id: I5eb2c2a9c50b5991d62f4b6d74b83351c86b02de Implements: blueprint integration-networking-fujitsu Depends-On: I37a502b43eb7d91bfe20625248ed117eae3ca535
2016-12-11Decouple swift-proxy from ceilometer packagesDan Prince1-8/+15
This patch updates the swift proxy so that it only depends on ceilometer if the ceilometer_api_enabled all-nodes-data hiera setting has been set. Also removes a parameter dependency where the tripleo::profile::base::swift::proxy class was referencing a puppet-ceilometer value from hiera (which can also cause ceilometer dependencies). Depends-On: Ief5399d7ea4d26e96ce54903a69d660fa4fe3ce9 Change-Id: I8d9f69f5e9160543b372bd9886800f16f625fdc6 Closes-bug: #1648736
2016-12-11Merge "Changes default MidoNet API port on HAProxy"Jenkins1-4/+5
2016-12-09Disable legacy ceilometer api by defaultPradeep Kilambi1-1/+6
Ceilometer api is deprectaed in Ocata. Lets disable by default. This can still be enabled by setting enable_legacy_ceilometer_api param. Change-Id: Iffb8c2cfed53d8b29e777c35cee44921194239e9
2016-12-09HPELeftHandISCSIDriver support for cinderchinthagovardhan2-8/+92
Cinder Backend configuration support for HPELeftHandISCSIDriver for VSA storage Change-Id: Ia7e5f3d436283f7949b0eb8f109b3dc0309af4f5
2016-12-09Merge "Add cinder profile spec tests"Jenkins1-7/+13
2016-12-09Merge "Delete MidoNet deprecated classes and their tests"Jenkins1-122/+0
2016-12-08Do not use hardcoded controller_node_names when setting up the clusterMichele Baldessari1-1/+2
Currently we chose the pacemaker cluster node by simply taking hiera('controller_node_names'). We should instead use the pacemaker_short_node_names array which is built dynamically from all the nodes that include the pacemaker service. Change-Id: I0a3e4acaab11e078da5eeb2ef2adde5387785927
2016-12-07Create Glance's database if glance-api is enabledFlavio Percoco1-1/+1
Instead of checking for glance_registry_enabled, we should be checking for glance_api_enabled. The glance-api v1 depends on the registry, which means the database will be created but glance-api v2 doesn't which means that not deploying the registry would result in the glance database not being created. On the other hand, glance-registry is never deployed without glance-api Change-Id: Ief25dafb65f7a043fbb3d16f1d7ef834c9947a93
2016-12-07Delete MidoNet deprecated classes and their testsAlejandro Andreu1-122/+0
MidoNet no longer uses the API component. It has been renamed/refactored to "cluster" as it can be seen on the docs at https://blog.midonet.org/introducing-midonet-cluster-services/ Also there is no need to have a Cassandra and Zookeeper dedicated classes, as we leverage this through the use of the midonet_openstack puppet module. Change-Id: I2f17aeeac2d1b121be0d445ff555320d5af5d270 Partial-Bug: #1647302
2016-12-05Add cinder profile spec testsAlex Schultz1-7/+13
This change adds rspec testing for the cinder profiles with in puppet-tripleo. Additionally while testing, it was found that the backends may incorrectly have an extra , included in the settings for cinder volume when running puppet 3. This change includes a fix the cinder volume backends to make sure we are not improperly configuring it with a trailing comma. Change-Id: Ibdfee330413b6f9aecdf42a5508c21126fc05973
2016-12-04Merge "Remove unused pacemaker profiles"Jenkins42-2553/+0
2016-12-04Merge "Add verify required and CA bundle to haproxy"Jenkins1-2/+7
2016-12-01Merge "Update ceilometer collector ipv6 handling"Jenkins1-13/+2
2016-11-30Merge "Use FQDNs for RabbitMQ's cluster configuration"Jenkins1-2/+2
2016-11-30Merge "Use FQDNs for the services' RabbitMQ configuration"Jenkins13-52/+52
2016-11-30Add verify required and CA bundle to haproxyJuan Antonio Osorio Robles1-2/+7
This only takes effect is internal-tls is used, and forces haproxy to do proper verifications of the SSL certificates provided by the servers. bp tls-via-certmonger Change-Id: Ibd98ec46dd6570887db29f55fe183deb1c9dc642
2016-11-29pacemaker: create Mysql_user once Galera is ready (puppet4)Emilien Macchi1-1/+2
Puppet 4 ordering make things more strict in catalog, which is good. Resources have to be orchestrated or Puppet will take them in the order they are found in catalog. This patch makes sure we create MySQL users only when Galera is actually ready. Closes-Bug: #1645787 Change-Id: I536a1a128c3a7eca49bcc4f34a1307bcd60b029e
2016-11-29Merge "Include local CA in haproxy PEM"Jenkins1-2/+18
2016-11-28Merge "Enable TLS in the internal network for Panko API"Jenkins1-2/+53
2016-11-28Use FQDNs for RabbitMQ's cluster configurationJuan Antonio Osorio Robles1-2/+2
This sets the cluster_nodes configuration in RabbitMQ to use FQDNs instead of IP addresses. Note that in HA, RabbitMQ is already configured using FQDNs. Change-Id: I2b1cec25ff25f4afd72a28246c2cda9c58d7b61e
2016-11-28Use FQDNs for the services' RabbitMQ configurationJuan Antonio Osorio Robles13-52/+52
This replaces the services' IP-based RabbitMQ configuration and uses FQDNs instead. Change-Id: I2be81aecacf50839a029533247981f5edf59cb7f
2016-11-28Merge "adding new swift middleware that is typically enabled by default"Jenkins1-0/+5
2016-11-27Drop vip_hostsDan Prince1-39/+0
This should no longer be used based on problems discovered in https://bugs.launchpad.net/tripleo/+bug/1645123 Change-Id: I53b13d514a15226dacbeda1c7b2ede09e7f8807e Depends-On: Ic6aaeb249a127df83894f32a704219683a6382b2
2016-11-25Merge "Enable internal TLS for MySQL"Jenkins2-6/+131
2016-11-25Merge "Do not configure state matching when using GRE"Jenkins1-2/+9
2016-11-25Enable TLS in the internal network for Panko APIJuan Antonio Osorio Robles1-2/+53
This optionally enables TLS for Panko API in the internal network. If internal TLS is enabled, each node that is serving the Panko API service will use certmonger to request its certificate. bp tls-via-certmonger Change-Id: Ie9be7ce19601435b1b83b4ba58d9c7e8d53f23ba
2016-11-25Enable internal TLS for MySQLJuan Antonio Osorio Robles2-6/+131
this adds the necessary code in the manfiest to configure TLS if internal TLS is enabled. this also adds the capability of auto-generating the certificate via certmonger. bp tls-via-certmonger Change-Id: I7275e5afb3a6550cf2abbb9a8007dedb62ada4b4
2016-11-24Do not configure state matching when using GREBrent Eagles1-2/+9
The firewall rule quite reasonably sets up a default state matching rule but this is invalid for GRE. This patch conditionally adds the state matching if the protocol is not GRE. Closes-Bug: #1644360 Change-Id: Ie4ca41d0f36e79ba6822c358e21b827105736dd7
2016-11-23Merge "Remove Combination alarms support"Jenkins1-12/+0
2016-11-23Merge "Proxy manila in http mode"Jenkins1-0/+1
2016-11-23Merge "Move calculation of neutron l3_ha into puppet profile"Jenkins1-0/+33
2016-11-22Update ceilometer collector ipv6 handlingAlex Schultz1-13/+2
The normalize_ip_for_uri handles ipv6 bracketing correctly. Rather than continue to do it manually, this change updates the ceilometer collector profile to leverage the normalize_ip_for_uri function to properly escape ipv6 addresses. Change-Id: Ifaf6568785235db55f8dc593d83e534216413d31 Closes-Bug: #1629380