diff options
-rw-r--r-- | environments/enable-internal-tls.yaml | 2 | ||||
-rw-r--r-- | environments/puppet-pacemaker.yaml | 1 | ||||
-rwxr-xr-x | extraconfig/tasks/yum_update.sh | 2 | ||||
-rw-r--r-- | network/service_net_map.j2.yaml | 1 | ||||
-rw-r--r-- | overcloud-resource-registry-puppet.j2.yaml | 3 | ||||
-rw-r--r-- | puppet/post.j2.yaml | 9 | ||||
-rw-r--r-- | puppet/services/disabled/glance-registry.yaml | 30 | ||||
-rw-r--r-- | puppet/services/glance-api.yaml | 34 | ||||
-rw-r--r-- | puppet/services/pacemaker.yaml | 6 | ||||
-rw-r--r-- | puppet/services/pacemaker_remote.yaml | 57 |
10 files changed, 136 insertions, 9 deletions
diff --git a/environments/enable-internal-tls.yaml b/environments/enable-internal-tls.yaml index 6e912faa..d2fc59c6 100644 --- a/environments/enable-internal-tls.yaml +++ b/environments/enable-internal-tls.yaml @@ -6,3 +6,5 @@ resource_registry: OS::TripleO::Services::HAProxyInternalTLS: ../puppet/services/haproxy-internal-tls-certmonger.yaml OS::TripleO::Services::ApacheTLS: ../puppet/services/apache-internal-tls-certmonger.yaml OS::TripleO::Services::MySQLTLS: ../puppet/services/database/mysql-internal-tls-certmonger.yaml + # We use apache as a TLS proxy + OS::TripleO::Services::TLSProxyBase: ../puppet/services/apache.yaml diff --git a/environments/puppet-pacemaker.yaml b/environments/puppet-pacemaker.yaml index 0b71dbd9..da607a72 100644 --- a/environments/puppet-pacemaker.yaml +++ b/environments/puppet-pacemaker.yaml @@ -12,6 +12,7 @@ resource_registry: OS::TripleO::Services::RabbitMQ: ../puppet/services/pacemaker/rabbitmq.yaml OS::TripleO::Services::HAproxy: ../puppet/services/pacemaker/haproxy.yaml OS::TripleO::Services::Pacemaker: ../puppet/services/pacemaker.yaml + OS::TripleO::Services::PacemakerRemote: ../puppet/services/pacemaker_remote.yaml OS::TripleO::Services::Redis: ../puppet/services/pacemaker/database/redis.yaml OS::TripleO::Services::MySQL: ../puppet/services/pacemaker/database/mysql.yaml # Services that are disabled by default (use relevant environment files): diff --git a/extraconfig/tasks/yum_update.sh b/extraconfig/tasks/yum_update.sh index 74af7b02..edcc9e8e 100755 --- a/extraconfig/tasks/yum_update.sh +++ b/extraconfig/tasks/yum_update.sh @@ -42,7 +42,7 @@ if [[ "$list_updates" == "" ]]; then exit 0 fi -pacemaker_status=$(systemctl is-active pacemaker) +pacemaker_status=$(systemctl is-active pacemaker || :) # Fix the redis/rabbit resource start/stop timeouts. See https://bugs.launchpad.net/tripleo/+bug/1633455 # and https://bugs.launchpad.net/tripleo/+bug/1634851 diff --git a/network/service_net_map.j2.yaml b/network/service_net_map.j2.yaml index 36342cb7..cb4f464a 100644 --- a/network/service_net_map.j2.yaml +++ b/network/service_net_map.j2.yaml @@ -64,6 +64,7 @@ parameters: OvnDbsNetwork: internal_api MistralApiNetwork: internal_api ZaqarApiNetwork: internal_api + PacemakerRemoteNetwork: internal_api # We special-case the default ResolveNetwork for the CephStorage role # for backwards compatibility, all other roles default to internal_api CephStorageHostnameResolveNetwork: storage diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index 47dfebb2..0612b186 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml @@ -130,6 +130,7 @@ resource_registry: OS::TripleO::Services::BlockStorageCinderVolume: puppet/services/cinder-volume.yaml OS::TripleO::Services::Keystone: puppet/services/keystone.yaml OS::TripleO::Services::GlanceApi: puppet/services/glance-api.yaml + OS::TripleO::Services::GlanceRegistry: puppet/services/disabled/glance-registry.yaml OS::TripleO::Services::HeatApi: puppet/services/heat-api.yaml OS::TripleO::Services::HeatApiCfn: puppet/services/heat-api-cfn.yaml OS::TripleO::Services::HeatApiCloudwatch: puppet/services/heat-api-cloudwatch.yaml @@ -159,6 +160,7 @@ resource_registry: OS::TripleO::Services::NeutronOvsAgent: puppet/services/neutron-ovs-agent.yaml OS::TripleO::Services::ComputeNeutronOvsAgent: puppet/services/neutron-ovs-agent.yaml OS::TripleO::Services::Pacemaker: OS::Heat::None + OS::TripleO::Services::PacemakerRemote: OS::Heat::None OS::TripleO::Services::NeutronSriovAgent: OS::Heat::None OS::TripleO::Services::RabbitMQ: puppet/services/rabbitmq.yaml OS::TripleO::Services::HAproxy: puppet/services/haproxy.yaml @@ -229,6 +231,7 @@ resource_registry: OS::TripleO::Services::ContrailControl: puppet/services/network/contrail-control.yaml OS::TripleO::Services::ContrailDatabase: puppet/services/network/contrail-database.yaml OS::TripleO::Services::ContrailWebui: puppet/services/network/contrail-webui.yaml + OS::TripleO::Services::TLSProxyBase: OS::Heat::None OS::TripleO::Services::Zaqar: OS::Heat::None OS::TripleO::Services::NeutronML2FujitsuCfab: OS::Heat::None OS::TripleO::Services::NeutronML2FujitsuFossw: OS::Heat::None diff --git a/puppet/post.j2.yaml b/puppet/post.j2.yaml index 2a02ea19..83c32868 100644 --- a/puppet/post.j2.yaml +++ b/puppet/post.j2.yaml @@ -21,11 +21,10 @@ parameters: perform configuration on a Heat stack-update. resources: - -{% for role in roles %} # Post deployment steps for all roles # A single config is re-applied with an incrementing step number - # {{role.name}} Role steps +{% for role in roles %} + # {{role.name}} Role post deploy steps {{role.name}}ArtifactsConfig: type: deploy-artifacts.yaml @@ -58,8 +57,6 @@ resources: # Step through a series of configuration steps {% for step in range(1, 6) %} - {% for role in roles %} - {{role.name}}Deployment_Step{{step}}: type: OS::Heat::StructuredDeploymentGroup {% if step == 1 %} @@ -77,8 +74,6 @@ resources: input_values: step: {{step}} update_identifier: {get_param: DeployIdentifier} - - {% endfor %} {% endfor %} {{role.name}}PostConfig: diff --git a/puppet/services/disabled/glance-registry.yaml b/puppet/services/disabled/glance-registry.yaml new file mode 100644 index 00000000..4d22bddc --- /dev/null +++ b/puppet/services/disabled/glance-registry.yaml @@ -0,0 +1,30 @@ +heat_template_version: ocata + +description: > + OpenStack Glance Registry service, disabled since ocata + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for the disabled Glance Registry role. + value: + service_name: glance_registry + upgrade_tasks: + - name: Stop and disable glance_registry service on upgrade + tags: step2 + service: name=openstack-glance-registry state=stopped enabled=no diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml index 3ddb1927..09ea5d22 100644 --- a/puppet/services/glance-api.yaml +++ b/puppet/services/glance-api.yaml @@ -45,8 +45,23 @@ parameters: default: tag: openstack.glance.api path: /var/log/glance/api.log + EnableInternalTLS: + type: boolean + default: false + +conditions: + use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} resources: + + TLSProxyBase: + type: OS::TripleO::Services::TLSProxyBase + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} + GlanceBase: type: ./glance-base.yaml properties: @@ -66,6 +81,7 @@ outputs: config_settings: map_merge: - get_attr: [GlanceBase, role_data, config_settings] + - get_attr: [TLSProxyBase, role_data, config_settings] - glance::api::database_connection: list_join: - '' @@ -100,7 +116,23 @@ outputs: # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - glance::api::bind_host: {get_param: [ServiceNetMap, GlanceApiNetwork]} + tripleo::profile::base::glance::api::tls_proxy_bind_ip: + get_param: [ServiceNetMap, GlanceApiNetwork] + tripleo::profile::base::glance::api::tls_proxy_fqdn: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]} + tripleo::profile::base::glance::api::tls_proxy_port: + get_param: [EndpointMap, GlanceInternal, port] + # Bind to localhost if internal TLS is enabled, since we put a TLs + # proxy in front. + glance::api::bind_host: + if: + - use_tls_proxy + - 'localhost' + - {get_param: [ServiceNetMap, GlanceApiNetwork]} step_config: | include ::tripleo::profile::base::glance::api service_config_settings: diff --git a/puppet/services/pacemaker.yaml b/puppet/services/pacemaker.yaml index 9adf1bdb..a8a9fb99 100644 --- a/puppet/services/pacemaker.yaml +++ b/puppet/services/pacemaker.yaml @@ -29,6 +29,11 @@ parameters: default: false description: Whether to enable fencing in Pacemaker or not. type: boolean + PacemakerRemoteAuthkey: + type: string + description: The authkey for the pacemaker remote service. + hidden: true + default: '' PcsdPassword: type: string description: The password for the 'pcsd' user for pacemaker. @@ -112,5 +117,6 @@ outputs: passwords: - {get_param: PcsdPassword} - {get_param: [DefaultPasswords, pcsd_password]} + tripleo::profile::base::pacemaker::remote_authkey: {get_param: PacemakerRemoteAuthkey} step_config: | include ::tripleo::profile::base::pacemaker diff --git a/puppet/services/pacemaker_remote.yaml b/puppet/services/pacemaker_remote.yaml new file mode 100644 index 00000000..daee43e6 --- /dev/null +++ b/puppet/services/pacemaker_remote.yaml @@ -0,0 +1,57 @@ +heat_template_version: ocata + +description: > + Pacemaker remote service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + PacemakerRemoteAuthkey: + type: string + description: The authkey for the pacemaker remote service. + hidden: true + default: '' + MonitoringSubscriptionPacemakerRemote: + default: 'overcloud-pacemaker_remote' + type: string + PacemakerRemoteLoggingSource: + type: json + default: + tag: system.pacemaker_remote + path: /var/log/pacemaker.log + format: >- + /^(?<time>[^ ]*\s*[^ ]* [^ ]*) + \[(?<pid>[^ ]*)\] + (?<host>[^ ]*) + (?<message>.*)$/ + +outputs: + role_data: + description: Role data for the Pacemaker remote role. + value: + service_name: pacemaker_remote + monitoring_subscription: {get_param: MonitoringSubscriptionPacemakerRemote} + logging_groups: + - haclient + logging_source: {get_param: PacemakerRemoteLoggingSource} + config_settings: + tripleo.pacemaker_remote.firewall_rules: + '130 pacemaker_remote tcp': + proto: 'tcp' + dport: + - 3121 + tripleo::profile::base::pacemaker_remote::remote_authkey: {get_param: PacemakerRemoteAuthkey} + step_config: | + include ::tripleo::profile::base::pacemaker_remote |