aboutsummaryrefslogtreecommitdiffstats
path: root/manifests
AgeCommit message (Collapse)AuthorFilesLines
2015-12-23Upgrade all packages after puppet managed onesDan Prince1-1/+20
This updates tripleo::packages so that when enable_upgrade is used it will: 1) upgrade puppet managed packages (will trigger puppet dependencies) 2) then upgrade all packages via exec 3) then restart services NOTE: the intention here is that the Exec['update-packages'] will always execute if enable_upgrade is set. It is not idempotent in this regard because I think we always want to execute it if enable_upgrade is set. Change-Id: I02f7cf07792765359f19fdf357024d9e48690e42 Related-bug: #1522943
2015-12-17Enable X-Forwarded-Proto header for Heat and NovaJuan Antonio Osorio Robles1-0/+5
Change-Id: Icd666d9988d14ac1e9581f55589bf95243cc7641
2015-12-17Merge "Allows customization of the HAProxy default timeouts"Jenkins1-1/+6
2015-12-14Modify cassandra dependencyJaume Devesa1-10/+9
Switch to locp/cassandra module since it has much more options than midonet/puppet-cassandra and it is already defined on the openstack-puppet-modules packages in RHEL. More info: https://bugzilla.redhat.com/show_bug.cgi?id=1285718 Depends-On: I72f21036fda795b54312a7d39f04c30bbf16c41b Change-Id: Icea9bd96e4c80a26b9e813d383f84099c736d7bf
2015-12-12Merge "Remove all 'validate_array' statements"Jenkins4-6/+25
2015-12-11Adding MidoNet LoadBalancing optionsJaume Devesa1-0/+24
MidoNet API needs to be loadbalanced if the midonet environment is activated. Change-Id: I6f1ac659297b8cf6671e11ad23284f8f543568b0
2015-12-11Remove all 'validate_array' statementsJaume Devesa4-6/+25
Unfortunately, some distributions like CentOS 7 (I guess RedHat 7 as well) still using puppet < 3.7, which experience the annoying 'PUP-1299' bug: https://tickets.puppetlabs.com/browse/PUP-1299 So passing a single array element, it magically transforms to a string (or whatever the inside elements are) and the validate_array fails. We need to get rid of these validations. Change-Id: Icc22ee575b7c236d1a6358f8593cf813d339a4b5
2015-12-10Merge "loadbalancer: add Aodh API support"Jenkins1-0/+43
2015-12-10Allows customization of the HAProxy default timeoutsGiulio Fidente1-1/+6
Change-Id: I3fdb705bbac26b4bc43a18131407a0a86d36a8a5
2015-12-08Enable X-Forwarded-Proto header for keystone_publicJuan Antonio Osorio Robles1-0/+4
One of the ways to make use of TLS in keystone is through the usage of the X-Fowarded-Proto header, which will be forwarded with the request by the loadbalancer, and it will tell keystone what protocol was used to access it. This also requires configuration from the keystone side. Change-Id: I9b899ba95e28b7dfae0c1ed84ca8431054673925
2015-12-01loadbalancer: add Gnocchi API supportEmilien Macchi1-0/+43
Add Gnocchi (OpenStack Metric storage) support in TripleO Loadbalancer config. Change-Id: Ia991819f57616a9a11bd4dfb77893748130268a0
2015-11-26Merge "MidoNet services manifests"Jenkins4-0/+312
2015-11-25Merge "Set tunnel timeout for nova_novncproxy"Jenkins1-0/+1
2015-11-25loadbalancer: add Aodh API supportEmilien Macchi1-0/+43
Add Aodh (Ceilometer Alarming) support in TripleO Loadbalancer config. Change-Id: I891985da9248a88c6ce2df1dd186881f582605ee
2015-11-23MidoNet services manifestsJaume Devesa4-0/+312
Provide TripleO overcloud manifests to deploy MidoNet and the cluster services that needs to run. Change-Id: I24f852e74fc4652d4609e1a71897e813448055fe
2015-10-22Resolve repeated ports for ssl frontends (nova vnc and swift proxy)Juan Antonio Osorio Robles1-1/+1
Nova vnc and swift proxy were listening on the same port if SSL is enabled in the load balancer Change-Id: Ibf4aa118d6c8e94f8f2a68bf270d5445ebda7593
2015-10-22Merge "Resolve repeated ports for ssl frontends"Jenkins1-1/+1
2015-10-21Resolve repeated ports for ssl frontendsJuan Antonio Osorio Robles1-1/+1
keystone and heat_cfn were listening on the same port if SSL is enabled inm the load balancer. Change-Id: I099119198ebf3322a783581f0c6758417e705a2e
2015-10-09Set tunnel timeout for nova_novncproxyJavier Pena1-0/+1
When using websockets in HAProxy, like nova_novncproxy does, we need to set "timeout tunnel" to avoid disconnections after a short period without traffic. Change-Id: I1b66cd9a1d20cbbe35a2ada5782a76a01b14bcd1 Closes-BZ: 1267043
2015-10-01loadbalancer: fix MySQL timeout HAproxy configEmilien Macchi1-5/+7
Current HAproxy config is broken for MySQL timeout parameters. This is what we have today by default in HAproxy logs: -------------- [WARNING] 238/115010 (13878) : config : missing timeouts for proxy 'mysql'. | While not properly invalid, you will certainly encounter various problems | with such a configuration. To fix this, please ensure that all following | timeouts are set to a non-zero value: 'client', 'connect', 'server'. -------------- This patch aims to: * Use the correct parameters to configure puppetlabs-haproxy * Update the database timeouts to higher values to prevent the services from disconnecting too frequently by setting the Galera HAProxy timeout to 90 minutes. Change-Id: I06dd4bf81d4f4fd3c01bb681f6f0b3152f2b8eea
2015-10-01Merge "Automatically install packages when upgrading"Jenkins1-4/+1
2015-09-29Fix manila conditional statementGael Chamoulaud1-1/+1
- s/manila/$manila Change-Id: I7aaa8f83fe758484ab39af28c914fa3d78464633 Signed-off-by: Gael Chamoulaud <gchamoul@redhat.com>
2015-09-28Automatically install packages when upgradingDan Prince1-4/+1
This simplifies use of tripleo::packages so that when enable_upgrade is set to true you no longer have to enable_install as well. Change-Id: Ic3050a64530be9e2b6827ed8566f59d28547ae81
2015-09-15Merge "Allow a user to specify the syslog address for HAProxy"Jenkins1-1/+6
2015-09-13loadbalancer: use http mode for Horizon haproxy configEmilien Macchi1-0/+1
The haproxy configuration for horizon does not have 'mode http' set. This proxy needs to be in http mode since it is using a cookie for persistence. The default section has 'mode tcp', which is fine, but horizon proxy needs to override this setting to get http mode. Without this, you will likely see an error like this: [WARNING] 238/115010 (13878) : config : cookie will be ignored for proxy 'horizon' (needs 'mode http').' Closes BZ-1257687 Change-Id: I397986ea022f47a33a5210696752509f4a2731a5
2015-09-11Allow a user to specify the syslog address for HAProxyYanis Guenane1-1/+6
Currently the address of the syslog server for HAProxy is hardcoded to /dev/log without a way to customize this setting. This commit aims to give a user more flexibility about which syslog server address to use. Change-Id: If7f7c8154e544e5d8a49f79f642e1ad01644a66d
2015-09-03loadbalancer: use 'source' for novnc balance modeEmilien Macchi1-0/+3
When establishing a connection from the client (Web Browser) to the novncproxy (loadbalanced by HAproxy), we need to make sure the client will stick on the same server the time he's connected, because HAproxy load-balance to another novncproxy node, the client will loose the connection and timeout like 'Connection Reset By Peer error'. This patch aims to configure novnc HAproxy configuration to balance using 'source' mode, so it will make sure the server remains the same while the connection is established. Change-Id: Ibbb7162b763f1fd2854a10a92a681910e0683c0a Closes-BZ: 1257324
2015-08-07Remove httpchk option from haproxy listenersGiulio Fidente1-55/+9
To make sure we don't use the ssl-hello-chk option set by the puppet-haproxy module we used to redefine the listener options for all listeners. With this change a default for the options hash is provided to the puppet class instead. This change also configures use of tcpka only where wanted, as documented by [1], removing it from the haproxy defaults section, given it wasn't used anyway by the other listeners which were indeed overriding options. 1. https://github.com/beekhof/osp-ha-deploy/blob/master/pcmk/lb.scenario Change-Id: Ic8deb77533f561cea7ce7db1d20f6be5e2dc0d33
2015-08-05Enable Manila ServiceRyan Hefner1-0/+46
Adds bindings to the Manila service for HAProxy. Change-Id: I175d5b7e35a781d04452fc6aee610e8dca005419
2015-07-27Fix HAProxy config for Nova EC2 APIJiri Stransky1-1/+1
EC2 API returns 400 for unauthenticated requests, making HAProxy believe that the service is down. We'll use TCP check instead of HTTP check for EC2 API. Change-Id: Ide7f9390603c9893b95cacd51d468461255dcf07
2015-07-23Merge "Implement firewalling in tripleo::firewall"Jenkins2-69/+92
2015-07-17Listener options for Ironic/ceilometer/glance_registryJames Slagle1-0/+9
This updates some of the listener options set by loadbalancer.pp. Iroinc needs to pass in the option to do a httpchk, otherwise puppet-haproxy defaults it to doing a ssl-hello-chk, which won't work against the non-ssl loadbalancer server. Ceilometer and glance_registry both don't support a httpchk against the root (/) of their webservers (they return a straight 401) so disable those checks completely. Change-Id: Ibfc81175842a748eb077b132b0818c4ea17bbcf6
2015-07-16Add param to configure HAProxy default maxconn (per frontend)Giulio Fidente1-2/+8
The default per frontend maxconn is set to 2000, which can easily be reached with modern hardware with multiple logic cores; this change adds a parameter to configure the default maxconn value, default it to 4096 and also increases the global maxconn to 20480 to preserve the 1:5 ratio. Change-Id: I3fffc51ecc704ceccb86ca008ecba02578c29eb5
2015-07-15Implement firewalling in tripleo::firewallYanis Guenane2-69/+92
Currently firewalling is implemented in tripleo/init.pp this commit moves it to its own scope tripleo/firewall.pp. This is done so that in tripleo-heat-templates we can have a simple and generic `include tripleo::firewall` in every manifest - unconditional. The rest of the behavior will all be managed by hiera. If a user wants to enable firewalling: ``` tripleo::firewall::manage_firewall: true ``` If a user wants to specify firewall rules: ``` tripleo::firewall::firewall_rules: '103 mongod': port: 27017 ``` Change-Id: I144c60db2a568a94dce5b51257f1d10980173325
2015-07-14Merge "Add missing options to Ceilometer/Ironic/Horizon"Jenkins1-2/+3
2015-07-14Merge "Remove mode tcp enforcement where unneeded, we default to mode tcp"Jenkins1-4/+0
2015-07-10Merge "Implement Advanced Firewalling support"Jenkins4-1/+257
2015-07-10Add missing options to Ceilometer/Ironic/HorizonGiulio Fidente1-2/+3
Backend options for Ceilometer and Ironic are aligned with what we use for the other OpenStack services. Listener options for Horizon is updated so that we do cookie tracking as suggested by refarch doc. Change-Id: I4640d974a3ab8188919eaae79dde71463234b5ff
2015-07-09Merge "Add class to set noop on various puppet resources"Jenkins1-0/+68
2015-07-08Merge "Add tripleo::packages"Jenkins1-0/+54
2015-07-08Remove mode tcp enforcement where unneeded, we default to mode tcpGiulio Fidente1-4/+0
Change-Id: Ic0ae6b743a732ccd2cf7e395b5ab172bf3daaf7d
2015-07-08Merge "Fix Heat 302 redirects"Jenkins1-3/+9
2015-07-05Merge "Remove database code from puppet-tripleo"Jenkins1-367/+0
2015-07-03Add class to set noop on various puppet resourcesDan Prince1-0/+68
This patch adds a new tripleo::noop class that can be used to help switch all resources of a given type to noop mode. The class does this via Puppet resource collectors to enable the noop metaparam on all resources of the specified type. When a resource is in noop mode no action will get taken (however puppet stdout will log information about what would happen if noop were removed). The motivation for this patch is to be able to do something like this and run puppet to configure select resources (like only config files): class {'tripleo::noop': file => false } It is important to note that when tripleo::noop is used all common resources default to noop mode. This could be used alongside docker containers to provide a mechanism to pre-configure all related config files for a set of docker containers ahead of time. Change-Id: I67f9dbbf33a2d6bcee5005ae0b6b1aa7091039ad
2015-06-29Fix Heat 302 redirectsBen Nemec1-3/+9
When doing a heat stack-show, Heat initially returns a 302 redirect. With the existing loadbalancer config for SSL, this results in a redirect to an http:// address pointing at the SSL port, which naturally doesn't work. The fix for this is to use the rsprep haproxy option to rewrite the Location header in responses from the Heat api server. This allows us to properly handle redirect traffic as https. Also note that http header rewriting requires "mode http", so that is added here as well. Change-Id: I7e5c5b1877e9aa46c4b88dfba45c1fddf61727fc
2015-06-25Enable support for loadbalancing IronicBen Nemec1-0/+44
Just like any other OpenStack API endpoint. Change-Id: Iaa45d7bef94c3c42df0988a58f146bb8a530f74e
2015-06-25Add tripleo::packagesDan Prince1-0/+54
This adds a new class to help configure package installation and upgrades. The previous approach was to use a global package declaration at the top of each manifest within the tripleo-heat-templates. The new approach is to use a Package collector (<| |>) to allow us to configure the package provider within a class. This should help remove some of the duplicated logic within the triplo-heat-template manifests and is also a good fit for puppet-tripleo in that is generic and unlikely to change that often. In addition to installation this class also support upgrades to puppet managed packages as well. Change-Id: Ie8fbc344149bc8c9977e127de77636903607617a
2015-06-25Merge "Introduce param to enable use of clustercheck"Jenkins1-4/+21
2015-06-25Merge "Use mode tcp for glance-registry balancing"Jenkins1-1/+1
2015-06-25Use mode tcp for glance-registry balancingGiulio Fidente1-1/+1
The glance-registry service is returning 401 to httpchk, which makes haproxy think it is down. This change switches the check mode to tcp. Closes-Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1234637 Closes-Bug: 1468566 Change-Id: Icdd80aa9cd56e5afd3707eb7fa38aaedb8535af6