diff options
author | Dan Prince <dprince@redhat.com> | 2016-08-26 12:41:53 -0400 |
---|---|---|
committer | Dan Prince <dprince@redhat.com> | 2016-08-30 08:59:07 -0400 |
commit | e3cb92a5db51eb80d0806a9bf42b689756a4ac9f (patch) | |
tree | 770d11ce23f6830cf63fd802e1b59c3c902fb4d5 | |
parent | a02cee9e3ba1311c5782365914ca0758ff413dec (diff) |
Mv Nova, Neutron, Horizon out of controller.yaml
This patch moves the settings for Nova, Neutron, and Horizon
out of controller.yaml.
Also fixes the NovaPassword settings in nova-base.yaml
so they don't use get_input.
Also, creates a new apache.yaml base service to contain shared
apache settings for several services which use Apache for WSGI.
Co-Authored-By: Giulio Fidente <gfidente@redhat.com>
Change-Id: I35d909bd5abc23976b5732a2b9af31cf1448838e
Related-bug: #1604414
-rw-r--r-- | network/service_net_map.yaml | 1 | ||||
-rw-r--r-- | overcloud-resource-registry-puppet.yaml | 1 | ||||
-rw-r--r-- | overcloud.yaml | 1 | ||||
-rw-r--r-- | puppet/controller.yaml | 88 | ||||
-rw-r--r-- | puppet/services/aodh-api.yaml | 8 | ||||
-rw-r--r-- | puppet/services/apache.yaml | 40 | ||||
-rw-r--r-- | puppet/services/ceilometer-api.yaml | 8 | ||||
-rw-r--r-- | puppet/services/gnocchi-api.yaml | 9 | ||||
-rw-r--r-- | puppet/services/horizon.yaml | 39 | ||||
-rw-r--r-- | puppet/services/keystone.yaml | 153 | ||||
-rw-r--r-- | puppet/services/neutron-api.yaml | 6 | ||||
-rw-r--r-- | puppet/services/neutron-metadata.yaml | 6 | ||||
-rw-r--r-- | puppet/services/nova-api.yaml | 24 | ||||
-rw-r--r-- | puppet/services/nova-base.yaml | 4 | ||||
-rw-r--r-- | puppet/services/nova-vncproxy.yaml | 6 |
15 files changed, 232 insertions, 162 deletions
diff --git a/network/service_net_map.yaml b/network/service_net_map.yaml index 50f5c55a..e30a6304 100644 --- a/network/service_net_map.yaml +++ b/network/service_net_map.yaml @@ -13,6 +13,7 @@ parameters: ServiceNetMapDefaults: default: + ApacheNetwork: internal_api NeutronTenantNetwork: tenant CeilometerApiNetwork: internal_api AodhApiNetwork: internal_api diff --git a/overcloud-resource-registry-puppet.yaml b/overcloud-resource-registry-puppet.yaml index 57399210..c9870982 100644 --- a/overcloud-resource-registry-puppet.yaml +++ b/overcloud-resource-registry-puppet.yaml @@ -130,6 +130,7 @@ resource_registry: # services OS::TripleO::Services: puppet/services/services.yaml + OS::TripleO::Services::Apache: puppet/services/apache.yaml OS::TripleO::Services::CACerts: puppet/services/ca-certs.yaml OS::TripleO::Services::CephMon: OS::Heat::None OS::TripleO::Services::CephOSD: OS::Heat::None diff --git a/overcloud.yaml b/overcloud.yaml index 38a36800..82fdedc3 100644 --- a/overcloud.yaml +++ b/overcloud.yaml @@ -435,7 +435,6 @@ resources: properties: CloudDomain: {get_param: CloudDomain} controllerExtraConfig: {get_param: controllerExtraConfig} - HorizonSecret: {get_resource: HorizonSecret} PcsdPassword: {get_resource: PcsdPassword} RedisVirtualIP: {get_attr: [RedisVirtualIP, ip_address]} RedisVirtualIPUri: {get_attr: [RedisVirtualIP, ip_address_uri]} diff --git a/puppet/controller.yaml b/puppet/controller.yaml index 28fd08da..0225231e 100644 --- a/puppet/controller.yaml +++ b/puppet/controller.yaml @@ -83,10 +83,6 @@ parameters: type: string constraints: - custom_constraint: nova.flavor - HorizonSecret: - description: Secret key for Django - type: string - hidden: true controllerImage: type: string default: overcloud-full @@ -96,10 +92,6 @@ parameters: default: 'REBUILD_PRESERVE_EPHEMERAL' description: What policy to use when reconstructing instances. REBUILD for rebuilds, REBUILD_PRESERVE_EPHEMERAL to preserve /mnt. type: string - InstanceNameTemplate: - default: 'instance-%08x' - description: Template string to be used to generate instance names - type: string KeyName: default: default description: Name of an existing Nova key pair to enable SSH access to the instances @@ -110,39 +102,14 @@ parameters: default: false description: Whether to manage IPtables rules. type: boolean - MemcachedIPv6: - default: false - description: Enable IPv6 features in Memcached. - type: boolean PurgeFirewallRules: default: false description: Whether IPtables rules should be purged before setting up the new ones. type: boolean - NeutronMetadataProxySharedSecret: - description: Shared secret to prevent spoofing - type: string - hidden: true - NeutronPassword: - description: The password for the neutron service and db account, used by neutron agents. - type: string - hidden: true NeutronPublicInterface: default: nic1 description: What interface to bridge onto br-ex for network nodes. type: string - NovaEnableDBPurge: - default: true - description: | - Whether to create cron job for purging soft deleted rows in Nova database. - type: boolean - NovaIPv6: - default: false - description: Enable IPv6 features in Nova - type: boolean - NovaPassword: - description: The password for the nova service and db account, used by nova-api. - type: string - hidden: true PcsdPassword: type: string description: The password for the 'pcsd' user. @@ -162,10 +129,6 @@ parameters: default: {} description: 'A hash of additional raw devices to use as Swift backend (eg. {sdb: {}})' type: json - UpgradeLevelNovaCompute: - type: string - description: Nova Compute upgrade level - default: '' ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set @@ -392,43 +355,15 @@ resources: server: {get_resource: Controller} input_values: bootstack_nodeid: {get_attr: [Controller, name]} - horizon_secret: {get_param: HorizonSecret} debug: {get_param: Debug} - keystone_identity_uri: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } - keystone_auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - keystone_ec2_uri: { get_param: [EndpointMap, KeystoneEC2, uri] } enable_fencing: {get_param: EnableFencing} enable_load_balancer: {get_param: EnableLoadBalancer} manage_firewall: {get_param: ManageFirewall} purge_firewall_rules: {get_param: PurgeFirewallRules} - neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} - nova_enable_db_purge: {get_param: NovaEnableDBPurge} - nova_ipv6: {get_param: NovaIPv6} corosync_ipv6: {get_param: CorosyncIPv6} - memcached_ipv6: {get_param: MemcachedIPv6} - nova_password: {get_param: NovaPassword} - upgrade_level_nova_compute: {get_param: UpgradeLevelNovaCompute} - instance_name_template: {get_param: InstanceNameTemplate} fencing_config: {get_param: FencingConfig} pcsd_password: {get_param: PcsdPassword} enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]} - glance_api_servers: { get_param: [EndpointMap, GlanceInternal, uri]} - neutron_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NeutronApiNetwork]}]} - nova_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NovaApiNetwork]}]} - nova_metadata_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NovaMetadataNetwork]}]} - horizon_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, HorizonNetwork]}]} - horizon_subnet: - str_replace: - template: "['SUBNET']" - params: - SUBNET: - get_attr: - - NetIpMap - - net_ip_map - - str_replace: - template: "NETWORK_subnet" - params: - NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]} redis_vip: {get_param: RedisVirtualIP} ironic_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, IronicApiNetwork]}]} @@ -489,37 +424,14 @@ resources: tripleo::fencing::config: {get_input: fencing_config} # Neutron - neutron::bind_host: {get_input: neutron_api_network} - neutron::agents::metadata::metadata_ip: {get_input: neutron_api_network} snmpd_readonly_user_name: {get_input: snmpd_readonly_user_name} snmpd_readonly_user_password: {get_input: snmpd_readonly_user_password} - - # Nova - nova::upgrade_level_compute: {get_input: upgrade_level_nova_compute} - nova::use_ipv6: {get_input: nova_ipv6} - nova::api::api_bind_address: {get_input: nova_api_network} - nova::api::metadata_listen: {get_input: nova_metadata_network} - nova::glance_api_servers: {get_input: glance_api_servers} - nova::api::neutron_metadata_proxy_shared_secret: {get_input: neutron_metadata_proxy_shared_secret} - nova::api::instance_name_template: {get_input: instance_name_template} - nova::vncproxy::host: {get_input: nova_api_network} - nova_enable_db_purge: {get_input: nova_enable_db_purge} - - # Horizon - apache::mod::remoteip::proxy_ips: {get_input: horizon_subnet} - apache::ip: {get_input: horizon_network} - horizon::django_debug: {get_input: debug} - horizon::secret_key: {get_input: horizon_secret} - horizon::bind_address: {get_input: horizon_network} - horizon::keystone_url: {get_input: keystone_auth_uri} - # Redis redis_vip: {get_input: redis_vip} # Firewall tripleo::firewall::manage_firewall: {get_input: manage_firewall} tripleo::firewall::purge_firewall_rules: {get_input: purge_firewall_rules} # Misc - memcached_ipv6: {get_input: memcached_ipv6} tripleo::haproxy::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]} tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade} diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml index 4308052b..cc1f4b09 100644 --- a/puppet/services/aodh-api.yaml +++ b/puppet/services/aodh-api.yaml @@ -27,6 +27,13 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + outputs: role_data: description: Role data for the Aodh API service. @@ -35,6 +42,7 @@ outputs: config_settings: map_merge: - get_attr: [AodhBase, role_data, config_settings] + - get_attr: [ApacheServiceBase, role_data, config_settings] - aodh::wsgi::apache::ssl: false aodh::api::service_name: 'httpd' tripleo.aodh_api.firewall_rules: diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml new file mode 100644 index 00000000..758d9510 --- /dev/null +++ b/puppet/services/apache.yaml @@ -0,0 +1,40 @@ +heat_template_version: 2016-10-14 + +description: > + Apache service configured with Puppet. Note this is typically included + automatically via other services which run via Apache. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for the Apache role. + value: + service_name: apache + config_settings: + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + apache::ip: {get_param: [ServiceNetMap, ApacheNetwork]} + apache_remote_proxy_ips_network: + str_replace: + template: "NETWORK_subnet" + params: + NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]} + apache::mod::remoteip::proxy_ips: + - "%{hiera('apache_remote_proxy_ips_network')}" diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml index 201a2b7b..2baac511 100644 --- a/puppet/services/ceilometer-api.yaml +++ b/puppet/services/ceilometer-api.yaml @@ -28,6 +28,13 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + outputs: role_data: description: Role data for the Ceilometer API role. @@ -35,6 +42,7 @@ outputs: service_name: ceilometer_api config_settings: map_merge: + - get_attr: [ApacheServiceBase, role_data, config_settings] - get_attr: [CeilometerServiceBase, role_data, config_settings] - tripleo.ceilometer_api.firewall_rules: '124 ceilometer': diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml index ec42f3f5..dc6e7de7 100644 --- a/puppet/services/gnocchi-api.yaml +++ b/puppet/services/gnocchi-api.yaml @@ -35,6 +35,7 @@ parameters: description: Keystone region for endpoint resources: + GnocchiServiceBase: type: ./gnocchi-base.yaml properties: @@ -42,6 +43,13 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + outputs: role_data: description: Role data for the Gnocchi role. @@ -49,6 +57,7 @@ outputs: service_name: gnocchi_api config_settings: map_merge: + - get_attr: [ApacheServiceBase, role_data, config_settings] - get_attr: [GnocchiServiceBase, role_data, config_settings] - tripleo.gnocchi_api.firewall_rules: '129 gnocchi-api': diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml index c5d96819..1ea686b9 100644 --- a/puppet/services/horizon.yaml +++ b/puppet/services/horizon.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > Horizon service configured with Puppet @@ -10,6 +10,10 @@ parameters: via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json + Debug: + default: '' + description: Set to True to enable debugging on all services. + type: string DefaultPasswords: default: {} type: json @@ -22,11 +26,20 @@ parameters: default: '*' description: A list of IP/Hostname allowed to connect to horizon type: comma_delimited_list + HorizonSecret: + description: Secret key for Django + type: string + hidden: true + default: '' NeutronMechanismDrivers: default: 'openvswitch' description: | The mechanism drivers for the Neutron tenant network. type: comma_delimited_list + MemcachedIPv6: + default: false + description: Enable IPv6 features in Memcached. + type: boolean outputs: role_data: @@ -51,5 +64,29 @@ outputs: add_listen: false priority: 10 access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"' + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + apache::ip: {get_param: [ServiceNetMap, HorizonNetwork]} + apache_remote_proxy_ips_network: + str_replace: + template: "NETWORK_subnet" + params: + NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]} + apache::mod::remoteip::proxy_ips: + - "%{hiera('apache_remote_proxy_ips_network')}" + horizon::bind_address: {get_param: [ServiceNetMap, HorizonNetwork]} + horizon::django_debug: {get_param: Debug} + horizon::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri]} + horizon::secret_key: + yaql: + expression: $.data.passwords.where($ != '').first() + data: + passwords: + - {get_param: HorizonSecret} + - {get_param: [DefaultPasswords, horizon_secret]} + memcached_ipv6: {get_param: MemcachedIPv6} step_config: | include ::tripleo::profile::base::horizon diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index c763c391..45531abc 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -84,81 +84,94 @@ parameters: type: string description: Set the number of workers for keystone::wsgi::apache default: '"%{::processorcount}"' + +resources: + + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + outputs: role_data: description: Role data for the Keystone role. value: service_name: keystone config_settings: - keystone::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://keystone:' - - {get_param: AdminToken} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/keystone' - keystone::admin_token: {get_param: AdminToken} - keystone::roles::admin::password: {get_param: AdminPassword} - keystone_ssl_certificate: {get_param: KeystoneSSLCertificate} - keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey} - keystone::enable_proxy_headers_parsing: true - keystone::debug: {get_param: Debug} - keystone::db::mysql::password: {get_param: AdminToken} - keystone::rabbit_userid: {get_param: RabbitUserName} - keystone::rabbit_password: {get_param: RabbitPassword} - keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL} - keystone::rabbit_port: {get_param: RabbitClientPort} - keystone::notification_driver: {get_param: KeystoneNotificationDriver} - keystone::notification_format: {get_param: KeystoneNotificationFormat} - keystone::roles::admin::email: {get_param: AdminEmail} - keystone::roles::admin::password: {get_param: AdminPassword} - keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]} - keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} - keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} - keystone::endpoint::region: {get_param: KeystoneRegion} - keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge} - keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]} - keystone::db::mysql::user: keystone - keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - keystone::db::mysql::dbname: keystone - keystone::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" - keystone::rabbit_heartbeat_timeout_threshold: 60 - keystone::cron::token_flush::maxdelay: 3600 - keystone::roles::admin::service_tenant: 'service' - keystone::roles::admin::admin_tenant: 'admin' - keystone::cron::token_flush::destination: '/dev/null' - keystone::config::keystone_config: - ec2/driver: - value: 'keystone.contrib.ec2.backends.sql.Ec2' - keystone::service_name: 'httpd' - keystone::wsgi::apache::ssl: false - - keystone::wsgi::apache::workers: {get_param: KeystoneWorkers} - # override via extraconfig: - keystone::wsgi::apache::threads: 1 - keystone::db::database_db_max_retries: -1 - keystone::db::database_max_retries: -1 - tripleo.keystone.firewall_rules: - '111 keystone': - dport: - - 5000 - - 13000 - - 35357 - - 13357 - # NOTE: bind IP is found in Heat replacing the network name with the - # local node IP for the given network; replacement examples - # (eg. for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - # NOTE: this applies to all 4 bind IP settings below... - keystone::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} - keystone::public_bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} - keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} - keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} + config_settings: + map_merge: + - get_attr: [ApacheServiceBase, role_data, config_settings] + - keystone::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://keystone:' + - {get_param: AdminToken} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/keystone' + keystone::admin_token: {get_param: AdminToken} + keystone::roles::admin::password: {get_param: AdminPassword} + keystone_ssl_certificate: {get_param: KeystoneSSLCertificate} + keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey} + keystone::enable_proxy_headers_parsing: true + keystone::debug: {get_param: Debug} + keystone::db::mysql::password: {get_param: AdminToken} + keystone::rabbit_userid: {get_param: RabbitUserName} + keystone::rabbit_password: {get_param: RabbitPassword} + keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL} + keystone::rabbit_port: {get_param: RabbitClientPort} + keystone::notification_driver: {get_param: KeystoneNotificationDriver} + keystone::notification_format: {get_param: KeystoneNotificationFormat} + keystone::roles::admin::email: {get_param: AdminEmail} + keystone::roles::admin::password: {get_param: AdminPassword} + keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]} + keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + keystone::endpoint::region: {get_param: KeystoneRegion} + keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge} + keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]} + keystone::db::mysql::user: keystone + keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + keystone::db::mysql::dbname: keystone + keystone::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" + keystone::rabbit_heartbeat_timeout_threshold: 60 + keystone::cron::token_flush::maxdelay: 3600 + keystone::roles::admin::service_tenant: 'service' + keystone::roles::admin::admin_tenant: 'admin' + keystone::cron::token_flush::destination: '/dev/null' + keystone::config::keystone_config: + ec2/driver: + value: 'keystone.contrib.ec2.backends.sql.Ec2' + keystone::service_name: 'httpd' + keystone::wsgi::apache::ssl: false + + keystone::wsgi::apache::workers: {get_param: KeystoneWorkers} + # override via extraconfig: + keystone::wsgi::apache::threads: 1 + keystone::db::database_db_max_retries: -1 + keystone::db::database_max_retries: -1 + tripleo.keystone.firewall_rules: + '111 keystone': + dport: + - 5000 + - 13000 + - 35357 + - 13357 + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + # NOTE: this applies to all 4 bind IP settings below... + keystone::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} + keystone::public_bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} + keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} + keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} step_config: | include ::tripleo::profile::base::keystone diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml index 35ac32db..cd8a20a1 100644 --- a/puppet/services/neutron-api.yaml +++ b/puppet/services/neutron-api.yaml @@ -111,5 +111,11 @@ outputs: '106 vrrp': proto: vrrp neutron::server::router_distributed: {get_param: NeutronEnableDVR} + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + neutron::bind_host: {get_param: [ServiceNetMap, NeutronApiNetwork]} step_config: | include tripleo::profile::base::neutron::server diff --git a/puppet/services/neutron-metadata.yaml b/puppet/services/neutron-metadata.yaml index b9ec277a..6bb931b1 100644 --- a/puppet/services/neutron-metadata.yaml +++ b/puppet/services/neutron-metadata.yaml @@ -53,5 +53,11 @@ outputs: neutron::agents::metadata::auth_password: {get_param: NeutronPassword} neutron::agents::metadata::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } neutron::agents::metadata::auth_tenant: 'service' + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + neutron::agents::metadata::metadata_ip: {get_param: [ServiceNetMap, NeutronApiNetwork]} step_config: | include tripleo::profile::base::neutron::metadata diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml index c2bd395e..b5c3815e 100644 --- a/puppet/services/nova-api.yaml +++ b/puppet/services/nova-api.yaml @@ -30,6 +30,19 @@ parameters: type: string default: 'regionOne' description: Keystone region for endpoint + NeutronMetadataProxySharedSecret: + description: Shared secret to prevent spoofing + type: string + hidden: true + InstanceNameTemplate: + default: 'instance-%08x' + description: Template string to be used to generate instance names + type: string + NovaEnableDBPurge: + default: true + description: | + Whether to create cron job for purging soft deleted rows in Nova database. + type: boolean resources: NovaBase: @@ -75,5 +88,16 @@ outputs: nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]} nova::keystone::auth::password: {get_param: NovaPassword} nova::keystone::auth::region: {get_param: KeystoneRegion} + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + nova::api::api_bind_address: {get_param: [ServiceNetMap, NovaApiNetwork]} + nova::api::metadata_listen: {get_param: [ServiceNetMap, NovaMetadataNetwork]} + nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} + nova::api::instance_name_template: {get_param: InstanceNameTemplate} + nova_enable_db_purge: {get_param: NovaEnableDBPurge} + step_config: | include tripleo::profile::base::nova::api diff --git a/puppet/services/nova-base.yaml b/puppet/services/nova-base.yaml index 471ece34..24a63bb4 100644 --- a/puppet/services/nova-base.yaml +++ b/puppet/services/nova-base.yaml @@ -95,14 +95,14 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/nova_api' - nova::db::mysql::password: {get_input: nova_password} + nova::db::mysql::password: {get_param: NovaPassword} nova::db::mysql::user: nova nova::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} nova::db::mysql::dbname: nova nova::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" - nova::db::mysql_api::password: {get_input: nova_password} + nova::db::mysql_api::password: {get_param: NovaPassword} nova::db::mysql_api::user: nova_api nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} nova::db::mysql_api::dbname: nova_api diff --git a/puppet/services/nova-vncproxy.yaml b/puppet/services/nova-vncproxy.yaml index 0a1785d8..7444d7d8 100644 --- a/puppet/services/nova-vncproxy.yaml +++ b/puppet/services/nova-vncproxy.yaml @@ -46,5 +46,11 @@ outputs: '[': '' ']': '' nova::vncproxy::common::vncproxy_port: {get_param: [EndpointMap, NovaVNCProxyPublic, port]} + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + nova::vncproxy::host: {get_param: [ServiceNetMap, NovaApiNetwork]} step_config: | include tripleo::profile::base::nova::vncproxy |