Age | Commit message (Collapse) | Author | Files | Lines |
|
This should no longer be used based on problems discovered in
https://bugs.launchpad.net/tripleo/+bug/1645123
Change-Id: I53b13d514a15226dacbeda1c7b2ede09e7f8807e
Depends-On: Ic6aaeb249a127df83894f32a704219683a6382b2
|
|
|
|
|
|
This optionally enables TLS for Panko API in the internal network.
If internal TLS is enabled, each node that is serving the Panko API
service will use certmonger to request its certificate.
bp tls-via-certmonger
Change-Id: Ie9be7ce19601435b1b83b4ba58d9c7e8d53f23ba
|
|
this adds the necessary code in the manfiest to configure TLS
if internal TLS is enabled. this also adds the capability of
auto-generating the certificate via certmonger.
bp tls-via-certmonger
Change-Id: I7275e5afb3a6550cf2abbb9a8007dedb62ada4b4
|
|
The firewall rule quite reasonably sets up a default state matching rule
but this is invalid for GRE. This patch conditionally adds the state
matching if the protocol is not GRE.
Closes-Bug: #1644360
Change-Id: Ie4ca41d0f36e79ba6822c358e21b827105736dd7
|
|
|
|
|
|
|
|
The normalize_ip_for_uri handles ipv6 bracketing correctly. Rather
than continue to do it manually, this change updates the ceilometer
collector profile to leverage the normalize_ip_for_uri function to
properly escape ipv6 addresses.
Change-Id: Ifaf6568785235db55f8dc593d83e534216413d31
Closes-Bug: #1629380
|
|
This allows us to use the composable services interfaces to handle
providing the IP address for northd, and will be more flexible in
the event folks want to deploy northd/ovndb on a different node to
the neutron plugin.
This also adds ovn_northd to the haproxy configuration so we can access
it via the ovn_northd_vip in other service profiles. Note we need
to ensure the haproxy config only hits the bootstrap node as northd
won't be running on the other nodes.
Change-Id: I9af7bd837c340c3df016fc7ad4238b2941ba7a95
Partial-Bug: #1634171
|
|
|
|
It needs it so HAProxy will be able to set the X-Forwarded-Proto header.
Related-Bug: #1640126
Change-Id: I1726fa1742bc70518338b80fc6d27567bb020e7c
|
|
HAProxy won't pass X-Forwarded-Proto to these services in mode tcp, so we need
to switch it to http in order for it to work and for the services to properly
set the protocol in the links they serve.
Change-Id: Ib10282159fb9269eebe81af23171ec9fb1297cd0
Closes-Bug: #1640126
|
|
|
|
|
|
|
|
Using Puppet stdlib in TripleO is risky because it exposes deployments
to dependency cycles in the catalog.
We should rather use native functions to make orchestrations, like
ordering and dependencies management.
This patch:
- removes usage of stages from stdlib
- use ordering to make sure we run pre rules before post
- use ordering to make sure we start all Services in catalog before post
rules. It ensure that we don't drop all traffic before starting the
services, which could lead to services errors (e.g. trying to reach database
or amqp)
Change-Id: Iec4705d6b785a40ccf6f43809b94b726ccd47fef
Closes-Bug: #1643575
|
|
This is currently calculated in t-h-t but has a hard-coded reference
to the ControllerCount which is incompatible with custom-roles.
So instead calculate the setting based on the number of neutron API
services running (on any role, not just Controller), combined with
whether DVR is enabled (equivalent to current t-h-t logic).
To avoid breaking the NeutronL3HA parameter in t-h-t we maintain an
optional parameter to override the calculated value.
Change-Id: I01c50973eec8138ec61304f2982d5026142f267c
Partial-Bug: #1629187
|
|
Previously the ctrl plane VIP would default to 'br-ex' which in non-vlan
deployments ends up being the wrong interface. The public VIP interface
was also defaulted to 'br-ex' which would be incorrect for vlan based
deployments. Since a user has already given the nic template (and in
most cases the subnet that corresponds to the nic) the installer should
be able to figure out which interface the public/control vip should be
on.
These changes enable that type of auto-detection, unless a user
explicitly overrides the heat parameters for ControlVirtualInterface and
PublicVirtualInterface. Also removes calling keepalived from haproxy
now that the services are composed separately on the Controller role.
Partial-Bug: 1606632
Change-Id: I05105fce85be8ace986db351cdca2916f405ed04
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
The default port of the MidoNet Cluster (formerly known as MidoNet API)
is now 8181 instead of 8081.
Since this parameter is configurable through the settings, the default
value for the port has been added to the $service_ports array.
Change-Id: I2785d3109993bca0bd68077ff55cfeafbf594e19
|
|
We have a variable in hiera which tells us if the keepalived
service is enabled, so use it here. Without this any deployment
disabling OS::TripleO::Services::Keepalived will fail.
Change-Id: I90faf51881bd05920067c1e1d82baf5d7586af23
Closes-Bug: #1642677
|
|
combination alarms are completely removed in Ocata.
Remove this from tripleo.
Change-Id: Icdf81d2f489db33533a1a0979cba3b5a652535d5
|
|
Change-Id: I035c26e0f50e4b3fc0f6085fa5a4bf524e4852b7
|
|
These are now passed via the heat profiles in t-h-t (via
heat-base.yaml and heat-engine.yaml) and use the actual names of
keystone parameters instead.
Change-Id: Id0f5dd03b6757df989339c93b58a5b7eac3402a2
Depends-On: I0e5124d57fdc519262fdec2dbeaaac85afaeebdf
|
|
|
|
Change-Id: I35f283bdf8dd0ed979c65633724f0464695130a4
|
|
|
|
This optionally enables TLS for Barbican API in the internal network.
If internal TLS is enabled, each node that is serving the Barbican API
service will use certmonger to request its certificate.
bp tls-via-certmonger
Change-Id: I1c1d3dab9bba7bec6296a55747e9ade242c47bd9
|
|
|
|
|
|
|
|
The civetweb binding format is IP:PORT; this change ensures the IP
is enclosed in brackets if IPv6.
To do so we add the bind_ip and bind_port parameters to the
rgw service class.
Change-Id: Ib84fa3479c2598bff7e89ad60a1c7d5f2c22c18c
Co-Authored-By: Lukas Bezdicka <social@v3.sk>
Related-Bug: #1636515
|
|
When a physical function that was allocated to a guest is released back
the system, it is not automatically brought "up" and the VF
configuration is not restored. This patch creates a file containing some
udev rules to force the VF configuration.
Note: we may find that the ifup-local script is no longer required but
this will require further testing.
Change-Id: Ie6e78730aa0a748b3b5100ab7c7bc007d8ab176d
Partial-Bug: #1639901
|
|
this looks like a copy/paste error. Let barbican use its own
hiera data.
Change-Id: I84118c1a561c3db2f18504b55c5a8c4f042e7e3b
|
|
I'm not sure how this merged, but it's causing failures in other
patches to puppet-tripleo.
Change-Id: Ib20d349fa9abd6347739190bb29a02b6e3eb839d
|
|
These are features that are typically enabled by default
in any swift cluster.
Change-Id: Ie323f68255a73d46e774cbf49d9353c3bf90c35e
Signed-off-by: Thiago da Silva <thiago@redhat.com>
|
|
|
|
|
|
|
|
|
|
If os-collect-config/config.json is updated before an upgrade/update,
then the os-net-config run will automatically erase the keepalived
managed ips.
This is a hackish way to ensure that keepalived is restarted during the
next phase in order to have the ip recreated.
It basically adds a comment line to the keepalived.conf file (making it
different than the puppet one) if it's there. This will force a puppet
restart of the keepalive service puting the ips back on the undercloud.
Change-Id: I56b706ff44ba31aa87a63f870940831ce02a6e77
Closes-Bug: #1640213
Related-Bug: #1638029
|
|
|
|
The lastest patchset of https://review.openstack.org/393361 was actually
not working.
The `if defined` idiom depends on *evaluation* order.
At the time it's red in the haproxy.pp class, the line that loads the
class 'haproxy' has still not yet been reached and thus the `defined`
result is false. The constraint is not added.
For this reason, the use of `defined` in module is not advised by
puppetlabs[1].
[1] https://docs.puppet.com/puppet/latest/reference/function.html#defined
Change-Id: Ibd352cb313f8863d62db8987419378bed5b87256
Relates-To: #1638029
|
|
|
|
|
|
Update default doc default for bind_host to match previous change
http://review.openstack.org/386817/
Change-Id: Iff048ba7152c1b7e945f284311215c8f872c1409
Closes-bug: #1640104
|
|
aodh, ceilometer, gnocchi and neutron need the X-Forwarded-Proto in
order to return links with the correct protocol when SSL is enabled.
This enables it in HAProxy
Change-Id: Icceab92f86b1cc40d42195fa4ba0c75f302795b8
Closes-Bug: #1640126
|
|
In HA deployments, we now check mysql nodes every 1s and removed them
immediately if they are failed. Previously we would check every 2s and
allow them to fail 5 checks before being removed, producing errors from
other OpenStack services for 10s, which causes confusion and delay for
operators.
Additionally, these check options are now also a class parameter so can
be overridden by operators.
Closes-Bug: #1639189
Change-Id: I0b915f790ae5a4b018a212d3aa83cca507be05e9
|
|
In order for the browser to trust the certificate served by HAProxy
we need to include the CA cert in the PEM file that the endpoints
serve.
Change-Id: Ibce76c1aa04bd3cb09a804c6e9789c55d8f2b417
Closes-Bug: #1639807
|