summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--docker/services/pacemaker/database/mysql.yaml23
-rw-r--r--environments/docker-services-tls-everywhere.yaml13
-rw-r--r--environments/neutron-nuage-config.yaml23
-rw-r--r--environments/nova-nuage-config.yaml6
-rw-r--r--firstboot/userdata_example.yaml3
-rw-r--r--overcloud-resource-registry-puppet.j2.yaml1
-rw-r--r--puppet/services/haproxy-internal-tls-certmonger.yaml30
-rw-r--r--puppet/services/haproxy-public-tls-certmonger.yaml36
-rw-r--r--puppet/services/keystone.yaml4
-rw-r--r--puppet/services/neutron-base.yaml7
-rw-r--r--puppet/services/neutron-plugin-ml2-nuage.yaml99
-rw-r--r--puppet/services/neutron-plugin-ml2.yaml5
12 files changed, 223 insertions, 27 deletions
diff --git a/docker/services/pacemaker/database/mysql.yaml b/docker/services/pacemaker/database/mysql.yaml
index f12852f8..3fb38349 100644
--- a/docker/services/pacemaker/database/mysql.yaml
+++ b/docker/services/pacemaker/database/mysql.yaml
@@ -32,6 +32,9 @@ parameters:
type: string
hidden: true
default: ''
+ MysqlClustercheckPassword:
+ type: string
+ hidden: true
RoleName:
default: ''
description: Role name on which the service is applied
@@ -118,7 +121,19 @@ outputs:
image: *mysql_image
net: host
# Kolla bootstraps aren't idempotent, explicitly checking if bootstrap was done
- command: ['bash', '-c', 'test -e /var/lib/mysql/mysql || kolla_start']
+ command:
+ - 'bash'
+ - '-ec'
+ -
+ list_join:
+ - "\n"
+ - - 'if [ -e /var/lib/mysql/mysql ]; then exit 0; fi'
+ - 'kolla_start'
+ - 'mysqld_safe --skip-networking --wsrep-on=OFF &'
+ - 'timeout ${DB_MAX_TIMEOUT} /bin/bash -c ''until mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" ping 2>/dev/null; do sleep 1; done'''
+ - 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "CREATE USER ''clustercheck''@''localhost'' IDENTIFIED BY ''${DB_CLUSTERCHECK_PASSWORD}'';"'
+ - 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "GRANT PROCESS ON *.* TO ''clustercheck''@''localhost'' WITH GRANT OPTION;"'
+ - 'timeout ${DB_MAX_TIMEOUT} mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" shutdown'
volumes: &mysql_volumes
list_concat:
- {get_attr: [ContainersCommon, volumes]}
@@ -131,6 +146,12 @@ outputs:
- KOLLA_BOOTSTRAP=True
# NOTE(mandre) skip wsrep cluster status check
- KOLLA_KUBERNETES=True
+ - DB_MAX_TIMEOUT=60
+ -
+ list_join:
+ - '='
+ - - 'DB_CLUSTERCHECK_PASSWORD'
+ - {get_param: MysqlClustercheckPassword}
-
list_join:
- '='
diff --git a/environments/docker-services-tls-everywhere.yaml b/environments/docker-services-tls-everywhere.yaml
index 57cf2c5e..d4743326 100644
--- a/environments/docker-services-tls-everywhere.yaml
+++ b/environments/docker-services-tls-everywhere.yaml
@@ -14,6 +14,10 @@ resource_registry:
OS::TripleO::Services::AodhEvaluator: ../docker/services/aodh-evaluator.yaml
OS::TripleO::Services::AodhListener: ../docker/services/aodh-listener.yaml
OS::TripleO::Services::AodhNotifier: ../docker/services/aodh-notifier.yaml
+ OS::TripleO::Services::CeilometerAgentCentral: ../docker/services/ceilometer-agent-central.yaml
+ OS::TripleO::Services::CeilometerAgentIpmi: ../docker/services/ceilometer-agent-ipmi.yaml
+ OS::TripleO::Services::CeilometerAgentNotification: ../docker/services/ceilometer-agent-notification.yaml
+ OS::TripleO::Services::ComputeCeilometerAgent: ../docker/services/ceilometer-agent-compute.yaml
OS::TripleO::Services::ComputeNeutronOvsAgent: ../docker/services/neutron-ovs-agent.yaml
OS::TripleO::Services::GlanceApi: ../docker/services/glance-api.yaml
OS::TripleO::Services::GnocchiApi: ../docker/services/gnocchi-api.yaml
@@ -24,15 +28,16 @@ resource_registry:
OS::TripleO::Services::HeatEngine: ../docker/services/heat-engine.yaml
OS::TripleO::Services::Iscsid: ../docker/services/iscsid.yaml
OS::TripleO::Services::Keystone: ../docker/services/keystone.yaml
- OS::TripleO::Services::NovaMigrationTarget: ../docker/services/nova-migration-target.yaml
- OS::TripleO::Services::NeutronServer: ../docker/services/neutron-api.yaml
+ OS::TripleO::Services::Memcached: ../docker/services/memcached.yaml
OS::TripleO::Services::NeutronApi: ../docker/services/neutron-api.yaml
OS::TripleO::Services::NeutronCorePlugin: ../docker/services/neutron-plugin-ml2.yaml
- OS::TripleO::Services::NeutronMetadataAgent: ../docker/services/neutron-metadata.yaml
- OS::TripleO::Services::NeutronOvsAgent: ../docker/services/neutron-ovs-agent.yaml
OS::TripleO::Services::NeutronDhcpAgent: ../docker/services/neutron-dhcp.yaml
OS::TripleO::Services::NeutronL3Agent: ../docker/services/neutron-l3.yaml
+ OS::TripleO::Services::NeutronMetadataAgent: ../docker/services/neutron-metadata.yaml
+ OS::TripleO::Services::NeutronOvsAgent: ../docker/services/neutron-ovs-agent.yaml
+ OS::TripleO::Services::NeutronServer: ../docker/services/neutron-api.yaml
OS::TripleO::Services::PankoApi: ../docker/services/panko-api.yaml
+ OS::TripleO::Services::Redis: ../docker/services/database/redis.yaml
OS::TripleO::Services::SwiftProxy: ../docker/services/swift-proxy.yaml
OS::TripleO::Services::SwiftRingBuilder: ../docker/services/swift-ringbuilder.yaml
OS::TripleO::Services::SwiftStorage: ../docker/services/swift-storage.yaml
diff --git a/environments/neutron-nuage-config.yaml b/environments/neutron-nuage-config.yaml
index 601554a1..ce64311b 100644
--- a/environments/neutron-nuage-config.yaml
+++ b/environments/neutron-nuage-config.yaml
@@ -1,13 +1,13 @@
# A Heat environment file which can be used to enable a
# a Neutron Nuage backend on the controller, configured via puppet
resource_registry:
+ OS::TripleO::Services::NeutronDhcpAgent: OS::Heat::None
OS::TripleO::Services::NeutronL3Agent: OS::Heat::None
OS::TripleO::Services::NeutronMetadataAgent: OS::Heat::None
OS::TripleO::Services::NeutronOvsAgent: OS::Heat::None
OS::TripleO::Services::ComputeNeutronOvsAgent: OS::Heat::None
# Override the NeutronCorePlugin to use Nuage
- OS::TripleO::Services::NeutronCorePlugin: OS::TripleO::Services::NeutronCorePluginNuage
- OS::TripleO::Services::ComputeNeutronCorePlugin: ../puppet/services/neutron-compute-plugin-nuage.yaml
+ OS::TripleO::Services::NeutronCorePlugin: OS::TripleO::Services::NeutronCorePluginML2Nuage
parameter_defaults:
NeutronNuageNetPartitionName: 'default_name'
@@ -18,9 +18,18 @@ parameter_defaults:
NeutronNuageBaseURIVersion: 'default_uri_version'
NeutronNuageCMSId: ''
UseForwardedFor: true
- NeutronCorePlugin: 'nuage_neutron.plugins.nuage.plugin.NuagePlugin'
- NeutronEnableDHCPAgent: false
- NeutronServicePlugins: []
- NovaOVSBridge: 'alubr0'
- controllerExtraConfig:
+ NeutronServicePlugins: ''
+ NeutronDBSyncExtraParams: '--config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugin.ini'
+ NeutronTypeDrivers: ''
+ NeutronNetworkType: ''
+ NeutronMechanismDrivers: ''
+ NeutronPluginExtensions: ''
+ NeutronFlatNetworks: ''
+ NeutronTunnelIdRanges: ''
+ NeutronNetworkVLANRanges: ''
+ NeutronVniRanges: ''
+ NovaOVSBridge: 'default_bridge'
+ NeutronMetadataProxySharedSecret: 'default'
+ InstanceNameTemplate: 'inst-%08x'
+ ControllerExtraConfig:
neutron::api_extensions_path: '/usr/lib/python2.7/site-packages/neutron/plugins/nuage/'
diff --git a/environments/nova-nuage-config.yaml b/environments/nova-nuage-config.yaml
index 56c64d15..5e75ed9e 100644
--- a/environments/nova-nuage-config.yaml
+++ b/environments/nova-nuage-config.yaml
@@ -2,7 +2,13 @@
# Nuage backend on the compute, configured via puppet
resource_registry:
OS::TripleO::ComputeExtraConfigPre: ../puppet/extraconfig/pre_deploy/compute/nova-nuage.yaml
+ OS::TripleO::Services::ComputeNeutronCorePlugin: ../puppet/services/neutron-compute-plugin-nuage.yaml
parameter_defaults:
NuageActiveController: '0.0.0.0'
NuageStandbyController: '0.0.0.0'
+ NovaOVSBridge: 'default_bridge'
+ NovaComputeLibvirtType: 'default_type'
+ NovaIPv6: False
+ NuageMetadataProxySharedSecret: 'default'
+ NuageNovaApiEndpoint: 'default_endpoint'
diff --git a/firstboot/userdata_example.yaml b/firstboot/userdata_example.yaml
index 2f03c83b..32da7eda 100644
--- a/firstboot/userdata_example.yaml
+++ b/firstboot/userdata_example.yaml
@@ -42,10 +42,9 @@ resources:
str_replace:
template: |
#!/bin/bash
- curl http://169.254.169.254/openstack/2012-08-10/meta_data.json -o /root/meta_data.json
mkdir -p /home/$user/.ssh
chmod 700 /home/$user/.ssh
- cat /root/meta_data.json | jq -r ".keys[0].data" > /home/$user/.ssh/authorized_keys
+ os-apply-config --key public-keys.0.openssh-key --type raw > /home/$user/.ssh/authorized_keys
chmod 600 /home/$user/.ssh/authorized_keys
chown -R $user:$user /home/$user/.ssh
params:
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 0d3b875a..0b4b4feb 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -154,6 +154,7 @@ resource_registry:
OS::TripleO::Services::NeutronCorePluginML2OVN: puppet/services/neutron-plugin-ml2-ovn.yaml
OS::TripleO::Services::NeutronCorePluginPlumgrid: puppet/services/neutron-plugin-plumgrid.yaml
OS::TripleO::Services::NeutronCorePluginNuage: puppet/services/neutron-plugin-nuage.yaml
+ OS::TripleO::Services::NeutronCorePluginML2Nuage: puppet/services/neutron-plugin-ml2-nuage.yaml
OS::TripleO::Services::NeutronCorePluginNSX: puppet/services/neutron-plugin-nsx.yaml
OS::TripleO::Services::OVNDBs: OS::Heat::None
OS::TripleO::Services::OVNController: OS::Heat::None
diff --git a/puppet/services/haproxy-internal-tls-certmonger.yaml b/puppet/services/haproxy-internal-tls-certmonger.yaml
index 3355a0d3..642685a8 100644
--- a/puppet/services/haproxy-internal-tls-certmonger.yaml
+++ b/puppet/services/haproxy-internal-tls-certmonger.yaml
@@ -30,6 +30,12 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
+ HAProxyInternalTLSCertsDirectory:
+ default: '/etc/pki/tls/certs/haproxy'
+ type: string
+ HAProxyInternalTLSKeysDirectory:
+ default: '/etc/pki/tls/private/haproxy'
+ type: string
resources:
@@ -55,16 +61,30 @@ outputs:
config_settings:
generate_service_certificates: true
tripleo::haproxy::use_internal_certificates: true
- tripleo::certmonger::haproxy_dirs::certificate_dir: '/etc/pki/tls/certs/haproxy'
- tripleo::certmonger::haproxy_dirs::key_dir: '/etc/pki/tls/private/haproxy'
+ tripleo::certmonger::haproxy_dirs::certificate_dir:
+ get_param: HAProxyInternalTLSCertsDirectory
+ tripleo::certmonger::haproxy_dirs::key_dir:
+ get_param: HAProxyInternalTLSKeysDirectory
certificates_specs:
map_merge:
repeat:
template:
haproxy-NETWORK:
- service_pem: '/etc/pki/tls/certs/haproxy/overcloud-haproxy-NETWORK.pem'
- service_certificate: '/etc/pki/tls/certs/haproxy/overcloud-haproxy-NETWORK.crt'
- service_key: '/etc/pki/tls/private/haproxy/overcloud-haproxy-NETWORK.key'
+ service_pem:
+ list_join:
+ - ''
+ - - {get_param: HAProxyInternalTLSCertsDirectory}
+ - '/overcloud-haproxy-NETWORK.pem'
+ service_certificate:
+ list_join:
+ - ''
+ - - {get_param: HAProxyInternalTLSCertsDirectory}
+ - '/overcloud-haproxy-NETWORK.crt'
+ service_key:
+ list_join:
+ - ''
+ - - {get_param: HAProxyInternalTLSKeysDirectory}
+ - '/overcloud-haproxy-NETWORK.key'
hostname: "%{hiera('cloud_name_NETWORK')}"
postsave_cmd: "" # TODO
principal: "haproxy/%{hiera('cloud_name_NETWORK')}"
diff --git a/puppet/services/haproxy-public-tls-certmonger.yaml b/puppet/services/haproxy-public-tls-certmonger.yaml
index f1739f78..b2766c44 100644
--- a/puppet/services/haproxy-public-tls-certmonger.yaml
+++ b/puppet/services/haproxy-public-tls-certmonger.yaml
@@ -30,6 +30,12 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
+ HAProxyInternalTLSCertsDirectory:
+ default: '/etc/pki/tls/certs/haproxy'
+ type: string
+ HAProxyInternalTLSKeysDirectory:
+ default: '/etc/pki/tls/private/haproxy'
+ type: string
outputs:
role_data:
@@ -38,14 +44,32 @@ outputs:
service_name: haproxy_public_tls_certmonger
config_settings:
generate_service_certificates: true
- tripleo::haproxy::service_certificate: '/etc/pki/tls/certs/haproxy/overcloud-haproxy-external.pem'
- tripleo::certmonger::haproxy_dirs::certificate_dir: '/etc/pki/tls/certs/haproxy'
- tripleo::certmonger::haproxy_dirs::key_dir: '/etc/pki/tls/private/haproxy'
+ tripleo::haproxy::service_certificate:
+ list_join:
+ - ''
+ - - {get_param: HAProxyInternalTLSCertsDirectory}
+ - '/overcloud-haproxy-external.pem'
+ tripleo::certmonger::haproxy_dirs::certificate_dir:
+ get_param: HAProxyInternalTLSCertsDirectory
+ tripleo::certmonger::haproxy_dirs::key_dir:
+ get_param: HAProxyInternalTLSKeysDirectory
certificates_specs:
haproxy-external:
- service_pem: '/etc/pki/tls/certs/haproxy/overcloud-haproxy-external.pem'
- service_certificate: '/etc/pki/tls/certs/haproxy/overcloud-haproxy-external.crt'
- service_key: '/etc/pki/tls/private/haproxy/overcloud-haproxy-external.key'
+ service_pem:
+ list_join:
+ - ''
+ - - {get_param: HAProxyInternalTLSCertsDirectory}
+ - '/overcloud-haproxy-external.pem'
+ service_certificate:
+ list_join:
+ - ''
+ - - {get_param: HAProxyInternalTLSCertsDirectory}
+ - '/overcloud-haproxy-external.crt'
+ service_key:
+ list_join:
+ - ''
+ - - {get_param: HAProxyInternalTLSKeysDirectory}
+ - '/overcloud-haproxy-external.key'
hostname: "%{hiera('cloud_name_external')}"
postsave_cmd: "" # TODO
principal: "haproxy/%{hiera('cloud_name_external')}"
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index 8796209b..218ba740 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -178,10 +178,10 @@ parameters:
Cron to purge expired tokens - Week Day
default: '*'
KeystoneCronTokenFlushMaxDelay:
- type: string
+ type: number
description: >
Cron to purge expired tokens - Max Delay
- default: '0'
+ default: 0
KeystoneCronTokenFlushDestination:
type: string
description: >
diff --git a/puppet/services/neutron-base.yaml b/puppet/services/neutron-base.yaml
index b9556890..b6980045 100644
--- a/puppet/services/neutron-base.yaml
+++ b/puppet/services/neutron-base.yaml
@@ -69,6 +69,12 @@ parameters:
networks, neutron uses this value without modification. For overlay
networks such as VXLAN, neutron automatically subtracts the overlay
protocol overhead from this value.
+ NeutronDBSyncExtraParams:
+ default: ''
+ description: |
+ String of extra command line parameters to append to the neutron-db-manage
+ upgrade head command.
+ type: string
ServiceData:
default: {}
description: Dictionary packing service data
@@ -134,6 +140,7 @@ outputs:
neutron::db::database_max_retries: -1
neutron::db::sync::db_sync_timeout: {get_param: DatabaseSyncTimeout}
neutron::global_physnet_mtu: {get_param: NeutronGlobalPhysnetMtu}
+ neutron::db::sync::extra_params: {get_param: NeutronDBSyncExtraParams}
- if:
- dhcp_agents_zero
- {}
diff --git a/puppet/services/neutron-plugin-ml2-nuage.yaml b/puppet/services/neutron-plugin-ml2-nuage.yaml
new file mode 100644
index 00000000..a7dc2e8b
--- /dev/null
+++ b/puppet/services/neutron-plugin-ml2-nuage.yaml
@@ -0,0 +1,99 @@
+heat_template_version: pike
+
+description: >
+ OpenStack Neutron ML2/Nuage plugin configured with Puppet
+
+parameters:
+ ServiceData:
+ default: {}
+ description: Dictionary packing service data
+ type: json
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ # Config specific parameters, to be provided via parameter_defaults
+ NeutronNuageNetPartitionName:
+ description: Specifies the title that you will see on the VSD
+ type: string
+ default: 'default_name'
+
+ NeutronNuageVSDIp:
+ description: IP address and port of the Virtual Services Directory
+ type: string
+
+ NeutronNuageVSDUsername:
+ description: Username to be used to log into VSD
+ type: string
+
+ NeutronNuageVSDPassword:
+ description: Password to be used to log into VSD
+ type: string
+
+ NeutronNuageVSDOrganization:
+ description: Organization parameter required to log into VSD
+ type: string
+ default: 'organization'
+
+ NeutronNuageBaseURIVersion:
+ description: URI version to be used based on the VSD release
+ type: string
+ default: 'default_uri_version'
+
+ NeutronNuageCMSId:
+ description: Cloud Management System ID (CMS ID) to distinguish between OS instances on the same VSD
+ type: string
+
+ UseForwardedFor:
+ description: Treat X-Forwarded-For as the canonical remote address. Only enable this if you have a sanitizing proxy.
+ type: boolean
+ default: false
+
+resources:
+
+ NeutronML2Base:
+ type: ./neutron-plugin-ml2.yaml
+ properties:
+ ServiceData: {get_param: ServiceData}
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+ RoleName: {get_param: RoleName}
+ RoleParameters: {get_param: RoleParameters}
+
+outputs:
+ role_data:
+ description: Role data for the Neutron ML2/Nuage plugin
+ value:
+ service_name: neutron_plugin_ml2_nuage
+ config_settings:
+ map_merge:
+ - get_attr: [NeutronML2Base, role_data, config_settings]
+ - neutron::plugins::ml2::nuage::nuage_net_partition_name: {get_param: NeutronNuageNetPartitionName}
+ neutron::plugins::ml2::nuage::nuage_vsd_ip: {get_param: NeutronNuageVSDIp}
+ neutron::plugins::ml2::nuage::nuage_vsd_username: {get_param: NeutronNuageVSDUsername}
+ neutron::plugins::ml2::nuage::nuage_vsd_password: {get_param: NeutronNuageVSDPassword}
+ neutron::plugins::ml2::nuage::nuage_vsd_organization: {get_param: NeutronNuageVSDOrganization}
+ neutron::plugins::ml2::nuage::nuage_base_uri_version: {get_param: NeutronNuageBaseURIVersion}
+ neutron::plugins::ml2::nuage::nuage_cms_id: {get_param: NeutronNuageCMSId}
+ nova::api::use_forwarded_for: {get_param: UseForwardedFor}
+ step_config: |
+ include tripleo::profile::base::neutron::plugins::ml2
diff --git a/puppet/services/neutron-plugin-ml2.yaml b/puppet/services/neutron-plugin-ml2.yaml
index dd757b5d..bc91374a 100644
--- a/puppet/services/neutron-plugin-ml2.yaml
+++ b/puppet/services/neutron-plugin-ml2.yaml
@@ -72,6 +72,10 @@ parameters:
default: 'vxlan'
description: The tenant network type for Neutron.
type: comma_delimited_list
+ NeutronFirewallDriver:
+ description: Firewall driver for realizing neutron security group function
+ type: string
+ default: 'openvswitch'
resources:
NeutronBase:
@@ -100,6 +104,7 @@ outputs:
neutron::plugins::ml2::tunnel_id_ranges: {get_param: NeutronTunnelIdRanges}
neutron::plugins::ml2::vni_ranges: {get_param: NeutronVniRanges}
neutron::plugins::ml2::tenant_network_types: {get_param: NeutronNetworkType}
+ neutron::plugins::ml2::firewall_driver: {get_param: NeutronFirewallDriver}
step_config: |
include ::tripleo::profile::base::neutron::plugins::ml2