Age | Commit message (Collapse) | Author | Files | Lines |
|
This enables setting the subjectAltNames for HAProxy and httpd certs.
These will eventually replace the usage of many certs, to have instead
just one that has several subjectAltNames.
Change-Id: Icd152c8e0389b6a104381ba6ab4e0944e9828ba3
|
|
This checks that the subjectAltName in the backend server's certificate
matches the server's name that was intended to be used.
Change-Id: If1c61e1becf9cc84c9b18835aef1eaaa8c0d4341
|
|
|
|
|
|
Default timeout is 2min but it doesn't reflect the rpc_response_timeout
value that we set in THT and instack-undercloud, which is 600 (10 min).
In some cases (in low-memory environments), Heat needs more than 2
minutes to reply to the client, when deploying the overcloud.
It makes sense to increase the timeout to the value of rpc_timeout to
give a chance to Heat to reply to the client, otherwise HAproxy will
kill the connection and send 504 to the client.
Depends-On: I9669d40d86d762101734704fcef153e360767690
Change-Id: I32c71fe7930c8798d306046d6933e4b20c22740c
Related-Bug: 1666072
|
|
|
|
|
|
|
|
|
|
Users may have an external swift proxy already available (i.e. radosgw
from already existing ceph, or hardware appliance implementing swift
proxy). With this change user may specify an environment file that
registers the specified urls as endpoint for the object-store service.
The internal swift proxy is left as unconfigured.
Change-Id: Ia568c3a5723d8bd8c2c37dbba094fc8a83b9d67e
|
|
|
|
|
|
By default the undercloud and the overcloud share virtual_router_id
definition, leading to errors like "ip address associated with VRID not
present in received packet". This allows setting the range for the IDs.
Change-Id: I0c822777824b469b0f8ef0f31b3708fe47d5b2d7
|
|
This option allows users to exclude some fault domains.
Otherwise all domains are returned.
Change-Id: I6eb2bcc7db003a5eebd3924e3e4eb44e35f60483
Depends-On: I8ac91e6720e52da9cf7480f80bcfb456bf0c2433
|
|
This defaults to 'True' to keep backward compatibility and can be
disabled by setting 'enable_container_images_built' to false in
undercloud.conf.
Depends-On: Ia3379cf66b1d6b180def69c2a5b22b2602baacef
Change-Id: I33e7e9a6a3865fed38f7ed6490455457da67782b
|
|
We configure apache in step3 so we need to configure the gnocchi api in
step 3 as well to prevent unnecessary service restarts during updates.
Change-Id: I30010c9cf0b0c23fde5d00b67472979d519a15be
Related-Bug: #1664418
|
|
Apache is configured in step 3 so if we configure ceilometer in step 4,
the configuration is removed on updates. We need to configure it in step
3 with the other apache services to ensure we don't have issues on
updates.
Change-Id: Icc9d03cd8904c93cb6e17f662f141c6e4c0bf423
Related-Bug: #1664418
|
|
|
|
Change-Id: I9e1a56782e258fb6982b70d9a07f35808f2b2de5
Depends-On: Ic975ec1d6b2bf6e6bd28b47ba9dd2a3ae629d149
Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
|
|
|
|
bp secure-etcd
Change-Id: I0759deef7cbcf13b9056350e92f01afd33e9c649
Signed-off-by: Feng Pan <fpan@redhat.com>
|
|
Including the ::ssh manifest will manage both client and server config.
Managing the client config was not intended and will clobber the OS
default config with the puppet ssh moduled defaults.
Follow up for https://review.openstack.org/443113 where I found the issue after
the changes merged.
Change-Id: I6329f5ebbe8fc3950449e325e56293872d11e1b5
Related-Bug: 1668543
|
|
We used to rely on a standard directory for the certificates and keys
that are requested by certmonger. However, given the approach we plan to
take for containers that's described in the blueprint, we need to use
service-specific directories for the certs/keys, since we plan to
bind-mount these into the containers, and we don't want to bind mount
any keys/certs from other services.
Thus, we start by creating this directories if they don't exist in the
filesystem and adding the proper selinux labels.
bp tls-via-certmonger-containers
Change-Id: I0b71902358b754fa8bd7fdbb213479503c87aa46
|
|
Change-Id: I848b3cc747f1be06aeda57ba15d4ec557c23ad46
Depends-On: Idf3d82058d87d9c8a3b6d8973d5166043dad2252
|
|
|
|
|
|
When TLS is enabled for the internal network, HAProxy needs to handle
etcd's TLS termination. Else it will use plain text.
bp secure-etcd
Change-Id: I20651240edcff0953741d4e8e01fa9a7ab185863
|
|
|
|
This patch adds a new registry_mirror option to help
configure /etc/docker/daemon.json so that we can make use
of HTTP docker mirrors within upstream TripleO CI (infra).
Change-Id: I4b966e9b9b174ca5a6f57974185e0149ea12f232
|
|
The docker_registry profile has resources to configure
the docker service and package. These conflict with the
entries in the tripleo::profile::base::docker class which
exists specifically to manage these resources (and has
unit tests).
This patch removes the duplicate resources and updates
the docker_registry profile to simply include the
base docker profile instead.
This instack-undercloud change below needs to land first.
Depends-On: I6154f4c7435b02b92f6f64687e9ee89d6b86186a
Change-Id: I75c740e7efc6662861c28caeb7fa965ba55438cb
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
bundle rake syntax
Could not parse for environment *root*: Syntax error at ')'; expected '}'
Change-Id: Idfb254df068b3d7342a6ea3c71dabd1316a61bdf
|
|
The SSH drivers are deprecated, pxe_ipmitool + virtualbmc should be used instead.
This is a follow-up to blueprint switch-to-virtualbmc.
Change-Id: I4fd567dffa3992042eebcf495334b8130e1bdc9f
|
|
This merely requests the certificates that will be used for libvirt's
live migration if TLS-everywhere is enabled.
bp tls-via-certmonger
Change-Id: If18206d89460f6660a81aabc4ff8b97f1f99bba7
|
|
|
|
This sets the flag create_domain_entry for the ldap_backend resource,
which will create the domain for the ldap backend (this was previously
not the case since only the configuration was created). Furtherly, this
flag will also refresh the keystone server, so the changes come into
effect.
Note that this is only done in step 3, so the domains are created there
and the refresh happens in that step. Also, this is only done for the
bootstrap node, since when the other nodes start, they will already have
the domains available in the keystone database and there won't be a need
to restart.
Related-Bug: #1677603
Depends-On: Ib6c633b6a975e4b760c10a2aef3c252885b05e28
Change-Id: Id879cf5c5ae39d37bf58b73c78733001d2b03d9c
|
|
|
|
|
|
puppet-tripleo"
|
|
|
|
|
|
|
|
|