summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--docker/firstboot/start_docker_agents.sh2
-rw-r--r--environments/enable-internal-tls.yaml2
-rw-r--r--environments/services/haproxy-internal-tls-certmonger.yaml4
-rw-r--r--environments/services/haproxy-public-tls-certmonger.yaml4
-rw-r--r--environments/tls-everywhere-endpoints-dns.yaml52
-rw-r--r--hosts-config.yaml30
-rw-r--r--overcloud-resource-registry-puppet.j2.yaml14
-rw-r--r--overcloud.j2.yaml30
-rw-r--r--puppet/all-nodes-config.yaml16
-rw-r--r--puppet/services/aodh-api.yaml1
-rw-r--r--puppet/services/ceilometer-api.yaml1
-rw-r--r--puppet/services/ceph-base.yaml26
-rw-r--r--puppet/services/ceph-external.yaml2
-rw-r--r--puppet/services/ceph-mon.yaml2
-rw-r--r--puppet/services/glance-api.yaml151
-rw-r--r--puppet/services/glance-base.yaml110
-rw-r--r--puppet/services/glance-registry.yaml76
-rw-r--r--puppet/services/gnocchi-api.yaml1
-rw-r--r--puppet/services/haproxy-internal-tls-certmonger.yaml51
-rw-r--r--puppet/services/haproxy-public-tls-certmonger.yaml37
-rw-r--r--puppet/services/haproxy.yaml43
-rw-r--r--puppet/services/kernel.yaml4
-rw-r--r--puppet/services/nova-api.yaml90
-rw-r--r--puppet/services/nova-conductor.yaml11
-rw-r--r--puppet/services/nova-metadata.yaml14
-rw-r--r--puppet/services/swift-proxy.yaml2
-rw-r--r--puppet/services/swift-ringbuilder.yaml4
27 files changed, 567 insertions, 213 deletions
diff --git a/docker/firstboot/start_docker_agents.sh b/docker/firstboot/start_docker_agents.sh
index 65c4e6dc..68625032 100644
--- a/docker/firstboot/start_docker_agents.sh
+++ b/docker/firstboot/start_docker_agents.sh
@@ -23,7 +23,7 @@ if [ $docker_namespace_is_registry ]; then
# if namespace is used with local registry, trim all namespacing
trim_var=$docker_registry
registry_host="${trim_var%%/*}"
- /bin/sed -i "s/# INSECURE_REGISTRY='--insecure-registry[ ]'/INSECURE_REGISTRY='--insecure-registry $registry_host'/g" /etc/sysconfig/docker
+ /bin/sed -i -r "s/^[# ]*INSECURE_REGISTRY *=.+$/INSECURE_REGISTRY='--insecure-registry $registry_host'/" /etc/sysconfig/docker
/usr/bin/systemctl start --no-block docker.service
fi
diff --git a/environments/enable-internal-tls.yaml b/environments/enable-internal-tls.yaml
new file mode 100644
index 00000000..801dcde9
--- /dev/null
+++ b/environments/enable-internal-tls.yaml
@@ -0,0 +1,2 @@
+parameter_defaults:
+ EnableInternalTLS: true
diff --git a/environments/services/haproxy-internal-tls-certmonger.yaml b/environments/services/haproxy-internal-tls-certmonger.yaml
new file mode 100644
index 00000000..074fec4d
--- /dev/null
+++ b/environments/services/haproxy-internal-tls-certmonger.yaml
@@ -0,0 +1,4 @@
+# A Heat environment file which can be used to enable a
+# a TLS for HAProxy via certmonger
+resource_registry:
+ OS::TripleO::Services::HAProxyInternalTLS: ../../puppet/services/haproxy-internal-tls-certmonger.yaml
diff --git a/environments/services/haproxy-public-tls-certmonger.yaml b/environments/services/haproxy-public-tls-certmonger.yaml
new file mode 100644
index 00000000..d3ad3ad4
--- /dev/null
+++ b/environments/services/haproxy-public-tls-certmonger.yaml
@@ -0,0 +1,4 @@
+# A Heat environment file which can be used to enable a
+# a TLS for HAProxy via certmonger
+resource_registry:
+ OS::TripleO::Services::HAProxyPublicTLS: ../../puppet/services/haproxy-public-tls-certmonger.yaml
diff --git a/environments/tls-everywhere-endpoints-dns.yaml b/environments/tls-everywhere-endpoints-dns.yaml
new file mode 100644
index 00000000..88a108a6
--- /dev/null
+++ b/environments/tls-everywhere-endpoints-dns.yaml
@@ -0,0 +1,52 @@
+# Use this environment when deploying an overcloud where all the endpoints are
+# DNS names and there's TLS in all endpoint types.
+parameter_defaults:
+ EndpointMap:
+ AodhAdmin: {protocol: 'https', port: '8042', host: 'CLOUDNAME'}
+ AodhInternal: {protocol: 'https', port: '8042', host: 'CLOUDNAME'}
+ AodhPublic: {protocol: 'https', port: '13042', host: 'CLOUDNAME'}
+ CeilometerAdmin: {protocol: 'https', port: '8777', host: 'CLOUDNAME'}
+ CeilometerInternal: {protocol: 'https', port: '8777', host: 'CLOUDNAME'}
+ CeilometerPublic: {protocol: 'https', port: '13777', host: 'CLOUDNAME'}
+ CinderAdmin: {protocol: 'https', port: '8776', host: 'CLOUDNAME'}
+ CinderInternal: {protocol: 'https', port: '8776', host: 'CLOUDNAME'}
+ CinderPublic: {protocol: 'https', port: '13776', host: 'CLOUDNAME'}
+ GlanceAdmin: {protocol: 'https', port: '9292', host: 'CLOUDNAME'}
+ GlanceInternal: {protocol: 'https', port: '9292', host: 'CLOUDNAME'}
+ GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'}
+ GlanceRegistryInternal: {protocol: 'https', port: '9191', host: 'CLOUDNAME'}
+ GnocchiAdmin: {protocol: 'https', port: '8041', host: 'CLOUDNAME'}
+ GnocchiInternal: {protocol: 'https', port: '8041', host: 'CLOUDNAME'}
+ GnocchiPublic: {protocol: 'https', port: '13041', host: 'CLOUDNAME'}
+ HeatAdmin: {protocol: 'https', port: '8004', host: 'CLOUDNAME'}
+ HeatInternal: {protocol: 'https', port: '8004', host: 'CLOUDNAME'}
+ HeatPublic: {protocol: 'https', port: '13004', host: 'CLOUDNAME'}
+ HeatCfnAdmin: {protocol: 'https', port: '8000', host: 'CLOUDNAME'}
+ HeatCfnInternal: {protocol: 'https', port: '8000', host: 'CLOUDNAME'}
+ HeatCfnPublic: {protocol: 'https', port: '13005', host: 'CLOUDNAME'}
+ HorizonPublic: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
+ IronicAdmin: {protocol: 'https', port: '6385', host: 'CLOUDNAME'}
+ IronicInternal: {protocol: 'https', port: '6385', host: 'CLOUDNAME'}
+ IronicPublic: {protocol: 'https', port: '13385', host: 'CLOUDNAME'}
+ KeystoneAdmin: {protocol: 'https', port: '35357', host: 'CLOUDNAME'}
+ KeystoneInternal: {protocol: 'https', port: '5000', host: 'CLOUDNAME'}
+ KeystonePublic: {protocol: 'https', port: '13000', host: 'CLOUDNAME'}
+ ManilaAdmin: {protocol: 'https', port: '8786', host: 'CLOUDNAME'}
+ ManilaInternal: {protocol: 'https', port: '8786', host: 'CLOUDNAME'}
+ ManilaPublic: {protocol: 'https', port: '13786', host: 'CLOUDNAME'}
+ MysqlInternal: {protocol: 'mysql+pymysql', port: '3306', host: 'CLOUDNAME'}
+ NeutronAdmin: {protocol: 'https', port: '9696', host: 'CLOUDNAME'}
+ NeutronInternal: {protocol: 'https', port: '9696', host: 'CLOUDNAME'}
+ NeutronPublic: {protocol: 'https', port: '13696', host: 'CLOUDNAME'}
+ NovaAdmin: {protocol: 'https', port: '8774', host: 'CLOUDNAME'}
+ NovaInternal: {protocol: 'https', port: '8774', host: 'CLOUDNAME'}
+ NovaPublic: {protocol: 'https', port: '13774', host: 'CLOUDNAME'}
+ NovaVNCProxyAdmin: {protocol: 'https', port: '6080', host: 'CLOUDNAME'}
+ NovaVNCProxyInternal: {protocol: 'https', port: '6080', host: 'CLOUDNAME'}
+ NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'CLOUDNAME'}
+ SaharaAdmin: {protocol: 'https', port: '8386', host: 'CLOUDNAME'}
+ SaharaInternal: {protocol: 'https', port: '8386', host: 'CLOUDNAME'}
+ SaharaPublic: {protocol: 'https', port: '13386', host: 'CLOUDNAME'}
+ SwiftAdmin: {protocol: 'https', port: '8080', host: 'CLOUDNAME'}
+ SwiftInternal: {protocol: 'https', port: '8080', host: 'CLOUDNAME'}
+ SwiftPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'}
diff --git a/hosts-config.yaml b/hosts-config.yaml
new file mode 100644
index 00000000..df0addfd
--- /dev/null
+++ b/hosts-config.yaml
@@ -0,0 +1,30 @@
+heat_template_version: 2016-10-14
+description: 'All Hosts Config'
+
+parameters:
+ hosts:
+ type: comma_delimited_list
+
+resources:
+
+ hostsConfigImpl:
+ type: OS::Heat::StructuredConfig
+ properties:
+ group: os-apply-config
+ config:
+ hosts:
+ list_join:
+ - "\n"
+ - {get_param: hosts}
+
+outputs:
+ config_id:
+ description: The ID of the hostsConfigImpl resource.
+ value:
+ {get_resource: hostsConfigImpl}
+ hosts_entries:
+ description: |
+ The content that should be appended to your /etc/hosts if you want to get
+ hostname-based access to the deployed nodes (useful for testing without
+ setting up a DNS).
+ value: {get_attr: [hostsConfigImpl, config, hosts]}
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 2d633e4d..218cd2d3 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -3,6 +3,7 @@ resource_registry:
OS::TripleO::SoftwareDeployment: OS::Heat::StructuredDeployment
OS::TripleO::PostDeploySteps: puppet/post.yaml
OS::TripleO::AllNodes::SoftwareConfig: puppet/all-nodes-config.yaml
+ OS::TripleO::Hosts::SoftwareConfig: hosts-config.yaml
OS::TripleO::DefaultPasswords: default_passwords.yaml
# Tasks (for internal TripleO usage)
@@ -16,14 +17,23 @@ resource_registry:
OS::TripleO::Tasks::{{role.name}}PostConfig: OS::Heat::None
OS::TripleO::{{role.name}}ExtraConfigPre: puppet/extraconfig/pre_deploy/default.yaml
# Port assignments for the {{role.name}} role
+ # Note we have to special-case ObjectStorage for backwards compatibility
+ {% if role.name != 'ObjectStorage' %}
OS::TripleO::{{role.name}}::Ports::ExternalPort: network/ports/noop.yaml
OS::TripleO::{{role.name}}::Ports::InternalApiPort: network/ports/noop.yaml
OS::TripleO::{{role.name}}::Ports::StoragePort: network/ports/noop.yaml
OS::TripleO::{{role.name}}::Ports::StorageMgmtPort: network/ports/noop.yaml
OS::TripleO::{{role.name}}::Ports::TenantPort: network/ports/noop.yaml
OS::TripleO::{{role.name}}::Ports::ManagementPort: network/ports/noop.yaml
+ {% else %}
+ OS::TripleO::SwiftStorage::Ports::ExternalPort: network/ports/noop.yaml
+ OS::TripleO::SwiftStorage::Ports::InternalApiPort: network/ports/noop.yaml
+ OS::TripleO::SwiftStorage::Ports::StoragePort: network/ports/noop.yaml
+ OS::TripleO::SwiftStorage::Ports::StorageMgmtPort: network/ports/noop.yaml
+ OS::TripleO::SwiftStorage::Ports::TenantPort: network/ports/noop.yaml
+ OS::TripleO::SwiftStorage::Ports::ManagementPort: network/ports/noop.yaml
+ {% endif %}
OS::TripleO::{{role.name}}::Net::SoftwareConfig: net-config-noop.yaml
-
{% endfor %}
# This resource registry entry will override the one generated by default
@@ -133,6 +143,8 @@ resource_registry:
OS::TripleO::Services::NeutronSriovAgent: OS::Heat::None
OS::TripleO::Services::RabbitMQ: puppet/services/rabbitmq.yaml
OS::TripleO::Services::HAproxy: puppet/services/haproxy.yaml
+ OS::TripleO::Services::HAProxyPublicTLS: OS::Heat::None
+ OS::TripleO::Services::HAProxyInternalTLS: OS::Heat::None
OS::TripleO::Services::Keepalived: puppet/services/keepalived.yaml
OS::TripleO::Services::Memcached: puppet/services/memcached.yaml
OS::TripleO::Services::SaharaApi: OS::Heat::None
diff --git a/overcloud.j2.yaml b/overcloud.j2.yaml
index db1a78bf..7e1f496c 100644
--- a/overcloud.j2.yaml
+++ b/overcloud.j2.yaml
@@ -214,8 +214,16 @@ resources:
EndpointMap: {get_attr: [EndpointMap, endpoint_map]}
DefaultPasswords: {get_attr: [DefaultPasswords, passwords]}
+ {{role.name}}HostsDeployment:
+ type: OS::Heat::StructuredDeployments
+ properties:
+ name: {{role.name}}HostsDeployment
+ config: {get_attr: [hostsConfig, config_id]}
+ servers: {get_attr: [{{role.name}}, attributes, nova_server_resource]}
+
{{role.name}}AllNodesDeployment:
type: OS::Heat::StructuredDeployments
+ depends_on: {{role.name}}HostsDeployment
properties:
name: {{role.name}}AllNodesDeployment
config: {get_attr: [allNodesConfig, config_id]}
@@ -303,6 +311,16 @@ resources:
MonitoringSubscriptions: {get_attr: [{{role.name}}ServiceChain, role_data, monitoring_subscriptions]}
{% endfor %}
+ hostsConfig:
+ type: OS::TripleO::Hosts::SoftwareConfig
+ properties:
+ hosts:
+{% for role in roles %}
+ - list_join:
+ - '\n'
+ - {get_attr: [{{role.name}}, hosts_entry]}
+{% endfor %}
+
allNodesConfig:
type: OS::TripleO::AllNodes::SoftwareConfig
properties:
@@ -311,12 +329,6 @@ resources:
cloud_name_storage: {get_param: CloudNameStorage}
cloud_name_storage_mgmt: {get_param: CloudNameStorageManagement}
cloud_name_ctlplane: {get_param: CloudNameCtlplane}
- hosts:
-{% for role in roles %}
- - list_join:
- - '\n'
- - {get_attr: [{{role.name}}, hosts_entry]}
-{% endfor %}
enabled_services:
list_join:
- ','
@@ -517,6 +529,10 @@ resources:
# Post deployment steps for all roles
AllNodesDeploySteps:
type: OS::TripleO::PostDeploySteps
+{% for role in roles %}
+ depends_on:
+ - {{role.name}}AllNodesDeployment
+{% endfor %}
properties:
servers:
{% for role in roles %}
@@ -599,7 +615,7 @@ outputs:
value:
list_join:
- "\n"
- - - {get_attr: [allNodesConfig, hosts_entries]}
+ - - {get_attr: [hostsConfig, hosts_entries]}
-
- str_replace:
template: IP HOST
diff --git a/puppet/all-nodes-config.yaml b/puppet/all-nodes-config.yaml
index cae60aab..cc5e4eac 100644
--- a/puppet/all-nodes-config.yaml
+++ b/puppet/all-nodes-config.yaml
@@ -12,8 +12,6 @@ parameters:
type: string
cloud_name_ctlplane:
type: string
- hosts:
- type: comma_delimited_list
# FIXME(shardy) this can be comma_delimited_list when
# https://bugs.launchpad.net/heat/+bug/1617019 is fixed
enabled_services:
@@ -64,6 +62,9 @@ parameters:
CertmongerCA:
type: string
default: 'IPA'
+ EnableInternalTLS:
+ type: boolean
+ default: false
resources:
@@ -72,10 +73,6 @@ resources:
properties:
group: os-apply-config
config:
- hosts:
- list_join:
- - "\n"
- - {get_param: hosts}
hiera:
datafiles:
bootstrap_node:
@@ -207,15 +204,10 @@ resources:
cloud_name_ctlplane: {get_param: cloud_name_ctlplane}
# TLS parameters
certmonger_ca: {get_param: CertmongerCA}
+ enable_internal_tls: {get_param: EnableInternalTLS}
outputs:
config_id:
description: The ID of the allNodesConfigImpl resource.
value:
{get_resource: allNodesConfigImpl}
- hosts_entries:
- description: |
- The content that should be appended to your /etc/hosts if you want to get
- hostname-based access to the deployed nodes (useful for testing without
- setting up a DNS).
- value: {get_attr: [allNodesConfigImpl, config, hosts]}
diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml
index f4f5bad8..da043c80 100644
--- a/puppet/services/aodh-api.yaml
+++ b/puppet/services/aodh-api.yaml
@@ -60,6 +60,7 @@ outputs:
params:
$NETWORK: {get_param: [ServiceNetMap, AodhApiNetwork]}
aodh::api::service_name: 'httpd'
+ aodh::api::enable_proxy_headers_parsing: true
tripleo.aodh_api.firewall_rules:
'128 aodh-api':
dport:
diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml
index ecea38b2..27c32bfd 100644
--- a/puppet/services/ceilometer-api.yaml
+++ b/puppet/services/ceilometer-api.yaml
@@ -68,6 +68,7 @@ outputs:
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
- ceilometer::api::service_name: 'httpd'
+ ceilometer::api::enable_proxy_headers_parsing: true
ceilometer::api::host: {get_param: [ServiceNetMap, CeilometerApiNetwork]}
ceilometer::wsgi::apache::bind_host: {get_param: [ServiceNetMap, CeilometerApiNetwork]}
ceilometer::wsgi::apache::ssl: false
diff --git a/puppet/services/ceph-base.yaml b/puppet/services/ceph-base.yaml
index adb17b26..71d81dc2 100644
--- a/puppet/services/ceph-base.yaml
+++ b/puppet/services/ceph-base.yaml
@@ -1,4 +1,4 @@
-heat_template_version: 2016-04-08
+heat_template_version: 2016-10-14
description: >
Ceph base service. Shared by all Ceph services.
@@ -29,9 +29,20 @@ parameters:
GlanceRbdPoolName:
default: images
type: string
+ GlanceBackend:
+ default: swift
+ description: The short name of the Glance backend to use. Should be one
+ of swift, rbd, or file
+ type: string
+ constraints:
+ - allowed_values: ['swift', 'file', 'rbd']
GnocchiRbdPoolName:
default: metrics
type: string
+ NovaEnableRbdBackend:
+ default: false
+ description: Whether to enable or not the Rbd backend for Nova
+ type: boolean
NovaRbdPoolName:
default: vms
type: string
@@ -63,6 +74,16 @@ parameter_groups:
parameters:
- ControllerEnableCephStorage
+conditions:
+ glance_multiple_locations:
+ and:
+ - equals:
+ - get_param: GlanceBackend
+ - rbd
+ - equals:
+ - get_param: NovaEnableRbdBackend
+ - false
+
outputs:
role_data:
description: Role data for the Ceph base service.
@@ -128,3 +149,6 @@ outputs:
CINDERBACKUP_POOL: {get_param: CinderBackupRbdPoolName}
GLANCE_POOL: {get_param: GlanceRbdPoolName}
GNOCCHI_POOL: {get_param: GnocchiRbdPoolName}
+ service_config_settings:
+ glance_api:
+ glance::api::show_multiple_locations: {if: [glance_multiple_locations, true, false]}
diff --git a/puppet/services/ceph-external.yaml b/puppet/services/ceph-external.yaml
index 52c4824f..7d75074c 100644
--- a/puppet/services/ceph-external.yaml
+++ b/puppet/services/ceph-external.yaml
@@ -78,5 +78,7 @@ outputs:
CINDERBACKUP_POOL: {get_param: CinderBackupRbdPoolName}
GLANCE_POOL: {get_param: GlanceRbdPoolName}
GNOCCHI_POOL: {get_param: GnocchiRbdPoolName}
+ service_config_settings:
+ get_attr: [CephBase, role_data, service_config_settings]
step_config: |
include ::tripleo::profile::base::ceph::client
diff --git a/puppet/services/ceph-mon.yaml b/puppet/services/ceph-mon.yaml
index 552086ab..3471f16c 100644
--- a/puppet/services/ceph-mon.yaml
+++ b/puppet/services/ceph-mon.yaml
@@ -101,5 +101,7 @@ outputs:
'110 ceph_mon':
dport:
- 6789
+ service_config_settings:
+ get_attr: [CephBase, role_data, service_config_settings]
step_config: |
include ::tripleo::profile::base::ceph::mon
diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml
index b47d98a7..33abdbf9 100644
--- a/puppet/services/glance-api.yaml
+++ b/puppet/services/glance-api.yaml
@@ -18,32 +18,14 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
- CephClientUserName:
- default: openstack
- type: string
Debug:
default: ''
description: Set to True to enable debugging on all services.
type: string
- GlanceNotifierStrategy:
- description: Strategy to use for Glance notification queue
- type: string
- default: noop
- GlanceLogFile:
- description: The filepath of the file to use for logging messages from Glance.
- type: string
- default: ''
GlancePassword:
description: The password for the glance service and db account, used by the glance services.
type: string
hidden: true
- GlanceBackend:
- default: swift
- description: The short name of the Glance backend to use. Should be one
- of swift, rbd, or file
- type: string
- constraints:
- - allowed_values: ['swift', 'file', 'rbd']
GlanceWorkers:
default: ''
description: |
@@ -55,31 +37,6 @@ parameters:
memory consumption. It is recommended that a suitable non-default value
be selected on such systems.
type: string
- GlanceRbdPoolName:
- default: images
- type: string
- RabbitPassword:
- description: The password for RabbitMQ
- type: string
- hidden: true
- RabbitUserName:
- default: guest
- description: The username for RabbitMQ
- type: string
- RabbitClientPort:
- default: 5672
- description: Set rabbit subscriber port, change this if using SSL
- type: number
- RabbitClientUseSSL:
- default: false
- description: >
- Rabbit client subscriber parameter to specify
- an SSL connection to the RabbitMQ host.
- type: string
- KeystoneRegion:
- type: string
- default: 'regionOne'
- description: Keystone region for endpoint
MonitoringSubscriptionGlanceApi:
default: 'overcloud-glance-api'
type: string
@@ -89,6 +46,14 @@ parameters:
tag: openstack.glance.api
path: /var/log/glance/api.log
+resources:
+ GlanceBase:
+ type: ./glance-base.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
outputs:
role_data:
description: Role data for the Glance API role.
@@ -99,66 +64,46 @@ outputs:
logging_groups:
- glance
config_settings:
- glance::api::database_connection:
- list_join:
- - ''
- - - {get_param: [EndpointMap, MysqlInternal, protocol]}
- - '://glance:'
- - {get_param: GlancePassword}
- - '@'
- - {get_param: [EndpointMap, MysqlInternal, host]}
- - '/glance'
- glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]}
- glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
- glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
- glance::api::registry_host:
- str_replace:
- template: "'REGISTRY_HOST'"
- params:
- REGISTRY_HOST: {get_param: [EndpointMap, GlanceRegistryInternal, host]}
- glance::api::registry_client_protocol: {get_param: [EndpointMap, GlanceRegistryInternal, protocol] }
- glance::api::authtoken::password: {get_param: GlancePassword}
- glance::api::enable_proxy_headers_parsing: true
- glance::api::debug: {get_param: Debug}
- glance::api::workers: {get_param: GlanceWorkers}
- glance_notifier_strategy: {get_param: GlanceNotifierStrategy}
- glance_log_file: {get_param: GlanceLogFile}
- glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneInternal, uri] }
- glance::backend::swift::swift_store_user: service:glance
- glance::backend::swift::swift_store_key: {get_param: GlancePassword}
- glance::backend::swift::swift_store_create_container_on_put: true
- glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName}
- glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName}
- glance_backend: {get_param: GlanceBackend}
- glance::notify::rabbitmq::rabbit_userid: {get_param: RabbitUserName}
- glance::notify::rabbitmq::rabbit_port: {get_param: RabbitClientPort}
- glance::notify::rabbitmq::rabbit_password: {get_param: RabbitPassword}
- glance::notify::rabbitmq::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
- glance::notify::rabbitmq::notification_driver: messagingv2
- glance::registry::db::database_db_max_retries: -1
- glance::registry::db::database_max_retries: -1
- tripleo.glance_api.firewall_rules:
- '112 glance_api':
- dport:
- - 9292
- - 13292
- glance::api::authtoken::project_name: 'service'
- glance::api::pipeline: 'keystone'
- glance::api::show_image_direct_url: true
- # NOTE: bind IP is found in Heat replacing the network name with the
- # local node IP for the given network; replacement examples
- # (eg. for internal_api):
- # internal_api -> IP
- # internal_api_uri -> [IP]
- # internal_api_subnet - > IP/CIDR
- glance::api::bind_host: {get_param: [ServiceNetMap, GlanceApiNetwork]}
+ map_merge:
+ - get_attr: [GlanceBase, role_data, config_settings]
+ - glance::api::database_connection:
+ list_join:
+ - ''
+ - - {get_param: [EndpointMap, MysqlInternal, protocol]}
+ - '://glance:'
+ - {get_param: GlancePassword}
+ - '@'
+ - {get_param: [EndpointMap, MysqlInternal, host]}
+ - '/glance'
+ glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]}
+ glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
+ glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
+ glance::api::registry_host:
+ str_replace:
+ template: "'REGISTRY_HOST'"
+ params:
+ REGISTRY_HOST: {get_param: [EndpointMap, GlanceRegistryInternal, host]}
+ glance::api::registry_client_protocol: {get_param: [EndpointMap, GlanceRegistryInternal, protocol] }
+ glance::api::authtoken::password: {get_param: GlancePassword}
+ glance::api::enable_proxy_headers_parsing: true
+ glance::api::debug: {get_param: Debug}
+ glance::api::workers: {get_param: GlanceWorkers}
+ tripleo.glance_api.firewall_rules:
+ '112 glance_api':
+ dport:
+ - 9292
+ - 13292
+ glance::api::authtoken::project_name: 'service'
+ glance::api::pipeline: 'keystone'
+ glance::api::show_image_direct_url: true
+ # NOTE: bind IP is found in Heat replacing the network name with the
+ # local node IP for the given network; replacement examples
+ # (eg. for internal_api):
+ # internal_api -> IP
+ # internal_api_uri -> [IP]
+ # internal_api_subnet - > IP/CIDR
+ glance::api::bind_host: {get_param: [ServiceNetMap, GlanceApiNetwork]}
step_config: |
include ::tripleo::profile::base::glance::api
service_config_settings:
- keystone:
- glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]}
- glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]}
- glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]}
- glance::keystone::auth::password: {get_param: GlancePassword }
- glance::keystone::auth::region: {get_param: KeystoneRegion}
- glance::keystone::auth::tenant: 'service'
+ get_attr: [GlanceBase, role_data, service_config_settings]
diff --git a/puppet/services/glance-base.yaml b/puppet/services/glance-base.yaml
new file mode 100644
index 00000000..3294fc0f
--- /dev/null
+++ b/puppet/services/glance-base.yaml
@@ -0,0 +1,110 @@
+heat_template_version: 2016-10-14
+
+description: >
+ OpenStack Glance Common settings with Puppet
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ CephClientUserName:
+ default: openstack
+ type: string
+ Debug:
+ default: ''
+ description: Set to True to enable debugging on all services.
+ type: string
+ GlanceNotifierStrategy:
+ description: Strategy to use for Glance notification queue
+ type: string
+ default: noop
+ GlanceLogFile:
+ description: The filepath of the file to use for logging messages from Glance.
+ type: string
+ default: ''
+ GlancePassword:
+ description: The password for the glance service and db account, used by the glance services.
+ type: string
+ hidden: true
+ GlanceBackend:
+ default: swift
+ description: The short name of the Glance backend to use. Should be one
+ of swift, rbd, or file
+ type: string
+ constraints:
+ - allowed_values: ['swift', 'file', 'rbd']
+ GlanceRbdPoolName:
+ default: images
+ type: string
+ RabbitPassword:
+ description: The password for RabbitMQ
+ type: string
+ hidden: true
+ RabbitUserName:
+ default: guest
+ description: The username for RabbitMQ
+ type: string
+ RabbitClientPort:
+ default: 5672
+ description: Set rabbit subscriber port, change this if using SSL
+ type: number
+ RabbitClientUseSSL:
+ default: false
+ description: >
+ Rabbit client subscriber parameter to specify
+ an SSL connection to the RabbitMQ host.
+ type: string
+ KeystoneRegion:
+ type: string
+ default: 'regionOne'
+ description: Keystone region for endpoint
+
+outputs:
+ role_data:
+ description: Role data for the Glance common role.
+ value:
+ service_name: glance_base
+ config_settings:
+ glance_notifier_strategy: {get_param: GlanceNotifierStrategy}
+ glance_log_file: {get_param: GlanceLogFile}
+ glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneInternal, uri] }
+ glance::backend::swift::swift_store_user: service:glance
+ glance::backend::swift::swift_store_key: {get_param: GlancePassword}
+ glance::backend::swift::swift_store_create_container_on_put: true
+ glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName}
+ glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName}
+ glance_backend: {get_param: GlanceBackend}
+ glance::notify::rabbitmq::rabbit_userid: {get_param: RabbitUserName}
+ glance::notify::rabbitmq::rabbit_port: {get_param: RabbitClientPort}
+ glance::notify::rabbitmq::rabbit_password: {get_param: RabbitPassword}
+ glance::notify::rabbitmq::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
+ glance::notify::rabbitmq::notification_driver: messagingv2
+ glance::registry::db::database_db_max_retries: -1
+ glance::registry::db::database_max_retries: -1
+ service_config_settings:
+ keystone:
+ glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]}
+ glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]}
+ glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]}
+ glance::keystone::auth::password: {get_param: GlancePassword }
+ glance::keystone::auth::region: {get_param: KeystoneRegion}
+ glance::keystone::auth::tenant: 'service'
+ mysql:
+ glance::db::mysql::password: {get_param: GlancePassword}
+ glance::db::mysql::user: glance
+ glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ glance::db::mysql::dbname: glance
+ glance::db::mysql::allowed_hosts:
+ - '%'
+ - "%{hiera('mysql_bind_host')}"
diff --git a/puppet/services/glance-registry.yaml b/puppet/services/glance-registry.yaml
index 30df67fe..c45582d4 100644
--- a/puppet/services/glance-registry.yaml
+++ b/puppet/services/glance-registry.yaml
@@ -46,6 +46,14 @@ parameters:
tag: openstack.glance.registry
path: /var/log/glance/registry.log
+resources:
+ GlanceBase:
+ type: ./glance-base.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
outputs:
role_data:
description: Role data for the Glance Registry role.
@@ -56,43 +64,37 @@ outputs:
logging_groups:
- glance
config_settings:
- glance::registry::database_connection:
- list_join:
- - ''
- - - {get_param: [EndpointMap, MysqlInternal, protocol]}
- - '://glance:'
- - {get_param: GlancePassword}
- - '@'
- - {get_param: [EndpointMap, MysqlInternal, host]}
- - '/glance'
- glance::registry::authtoken::password: {get_param: GlancePassword}
- glance::registry::authtoken::project_name: 'service'
- glance::registry::pipeline: 'keystone'
- glance::registry::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
- glance::registry::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
- glance::registry::debug: {get_param: Debug}
- glance::registry::workers: {get_param: GlanceWorkers}
- glance::registry::db::database_db_max_retries: -1
- glance::registry::db::database_max_retries: -1
- tripleo.glance_registry.firewall_rules:
- '112 glance_registry':
- dport:
- - 9191
- # NOTE: bind IP is found in Heat replacing the network name with the
- # local node IP for the given network; replacement examples
- # (eg. for internal_api):
- # internal_api -> IP
- # internal_api_uri -> [IP]
- # internal_api_subnet - > IP/CIDR
- glance::registry::bind_host: {get_param: [ServiceNetMap, GlanceRegistryNetwork]}
+ map_merge:
+ - get_attr: [GlanceBase, role_data, config_settings]
+
+ - glance::registry::database_connection:
+ list_join:
+ - ''
+ - - {get_param: [EndpointMap, MysqlInternal, protocol]}
+ - '://glance:'
+ - {get_param: GlancePassword}
+ - '@'
+ - {get_param: [EndpointMap, MysqlInternal, host]}
+ - '/glance'
+ glance::registry::authtoken::password: {get_param: GlancePassword}
+ glance::registry::authtoken::project_name: 'service'
+ glance::registry::pipeline: 'keystone'
+ glance::registry::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
+ glance::registry::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
+ glance::registry::debug: {get_param: Debug}
+ glance::registry::workers: {get_param: GlanceWorkers}
+ tripleo.glance_registry.firewall_rules:
+ '112 glance_registry':
+ dport:
+ - 9191
+ # NOTE: bind IP is found in Heat replacing the network name with the
+ # local node IP for the given network; replacement examples
+ # (eg. for internal_api):
+ # internal_api -> IP
+ # internal_api_uri -> [IP]
+ # internal_api_subnet - > IP/CIDR
+ glance::registry::bind_host: {get_param: [ServiceNetMap, GlanceRegistryNetwork]}
step_config: |
include ::tripleo::profile::base::glance::registry
service_config_settings:
- mysql:
- glance::db::mysql::password: {get_param: GlancePassword}
- glance::db::mysql::user: glance
- glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
- glance::db::mysql::dbname: glance
- glance::db::mysql::allowed_hosts:
- - '%'
- - "%{hiera('mysql_bind_host')}"
+ get_attr: [GlanceBase, role_data, config_settings]
diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml
index 15121790..e3397769 100644
--- a/puppet/services/gnocchi-api.yaml
+++ b/puppet/services/gnocchi-api.yaml
@@ -77,6 +77,7 @@ outputs:
- 8041
- 13041
gnocchi::api::enabled: true
+ gnocchi::api::enable_proxy_headers_parsing: true
gnocchi::api::service_name: 'httpd'
gnocchi::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
diff --git a/puppet/services/haproxy-internal-tls-certmonger.yaml b/puppet/services/haproxy-internal-tls-certmonger.yaml
new file mode 100644
index 00000000..c6d53542
--- /dev/null
+++ b/puppet/services/haproxy-internal-tls-certmonger.yaml
@@ -0,0 +1,51 @@
+heat_template_version: 2016-10-14
+
+description: >
+ HAProxy deployment with TLS enabled, powered by certmonger
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+
+outputs:
+ role_data:
+ description: Role data for the HAProxy internal TLS via certmonger role.
+ value:
+ service_name: haproxy_internal_tls_certmonger
+ config_settings:
+ generate_service_certificates: true
+ tripleo::haproxy::use_internal_certificates: true
+ certificates_specs:
+ map_merge:
+ repeat:
+ template:
+ haproxy-NETWORK:
+ service_pem: '/etc/pki/tls/certs/overcloud-haproxy-NETWORK.pem'
+ service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-NETWORK.crt'
+ service_key: '/etc/pki/tls/private/overcloud-haproxy-NETWORK.key'
+ hostname: "%{hiera('cloud_name_NETWORK')}"
+ postsave_cmd: "" # TODO
+ principal: "haproxy/%{hiera('cloud_name_NETWORK')}"
+ for_each:
+ NETWORK:
+ # NOTE(jaosorior) Get unique network names to create
+ # certificates for those. We skip the tenant network since
+ # we don't need a certificate for that, and the external
+ # network will be handled in another template.
+ yaql:
+ expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
+ data:
+ map:
+ get_param: ServiceNetMap
diff --git a/puppet/services/haproxy-public-tls-certmonger.yaml b/puppet/services/haproxy-public-tls-certmonger.yaml
new file mode 100644
index 00000000..1551d16a
--- /dev/null
+++ b/puppet/services/haproxy-public-tls-certmonger.yaml
@@ -0,0 +1,37 @@
+heat_template_version: 2016-10-14
+
+description: >
+ HAProxy deployment with TLS enabled, powered by certmonger
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+
+outputs:
+ role_data:
+ description: Role data for the HAProxy public TLS via certmonger role.
+ value:
+ service_name: haproxy_public_tls_certmonger
+ config_settings:
+ generate_service_certificates: true
+ tripleo::haproxy::service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-external.pem'
+ certificates_specs:
+ haproxy-external:
+ service_pem: '/etc/pki/tls/certs/overcloud-haproxy-external.pem'
+ service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-external.crt'
+ service_key: '/etc/pki/tls/private/overcloud-haproxy-external.key'
+ hostname: "%{hiera('cloud_name_external')}"
+ postsave_cmd: "" # TODO
+ principal: "haproxy/%{hiera('cloud_name_external')}"
diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml
index 974928c5..0813cb7e 100644
--- a/puppet/services/haproxy.yaml
+++ b/puppet/services/haproxy.yaml
@@ -1,4 +1,4 @@
-heat_template_version: 2016-04-08
+heat_template_version: 2016-10-14
description: >
HAproxy service configured with Puppet
@@ -48,6 +48,22 @@ parameters:
default: 'overcloud-haproxy'
type: string
+resources:
+
+ HAProxyPublicTLS:
+ type: OS::TripleO::Services::HAProxyPublicTLS
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
+ HAProxyInternalTLS:
+ type: OS::TripleO::Services::HAProxyInternalTLS
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
outputs:
role_data:
description: Role data for the HAproxy role.
@@ -55,14 +71,21 @@ outputs:
service_name: haproxy
monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
config_settings:
- tripleo.haproxy.firewall_rules:
- '107 haproxy stats':
- dport: 1993
- tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress}
- tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
- tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
- tripleo::haproxy::redis_password: {get_param: RedisPassword}
- tripleo::haproxy::control_virtual_interface: {get_param: ControlVirtualInterface}
- tripleo::haproxy::public_virtual_interface: {get_param: PublicVirtualInterface}
+ map_merge:
+ - get_attr: [HAProxyPublicTLS, role_data, config_settings]
+ - get_attr: [HAProxyInternalTLS, role_data, config_settings]
+ - tripleo.haproxy.firewall_rules:
+ '107 haproxy stats':
+ dport: 1993
+ tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress}
+ tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
+ tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
+ tripleo::haproxy::redis_password: {get_param: RedisPassword}
+ tripleo::haproxy::control_virtual_interface: {get_param: ControlVirtualInterface}
+ tripleo::haproxy::public_virtual_interface: {get_param: PublicVirtualInterface}
+ tripleo::profile::base::haproxy::certificates_specs:
+ map_merge:
+ - get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
+ - get_attr: [HAProxyInternalTLS, role_data, certificates_specs]
step_config: |
include ::tripleo::profile::base::haproxy
diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml
index 2f01578e..1fc88bf1 100644
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@@ -39,8 +39,12 @@ outputs:
net.netfilter.nf_conntrack_max:
value: 500000
# prevent neutron bridges from autoconfiguring ipv6 addresses
+ net.ipv6.conf.all.accept_ra:
+ value: 0
net.ipv6.conf.default.accept_ra:
value: 0
+ net.ipv6.conf.all.autoconf:
+ value: 0
net.ipv6.conf.default.autoconf:
value: 0
net.core.netdev_max_backlog:
diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml
index b2ec0038..a12742ff 100644
--- a/puppet/services/nova-api.yaml
+++ b/puppet/services/nova-api.yaml
@@ -1,4 +1,4 @@
-heat_template_version: 2016-04-08
+heat_template_version: 2016-10-14
description: >
OpenStack Nova API service configured with Puppet
@@ -52,7 +52,17 @@ parameters:
tag: openstack.nova.api
path: /var/log/nova/nova-api.log
+conditions:
+ nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}
+
resources:
+ ApacheServiceBase:
+ type: ./apache.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
NovaBase:
type: ./nova-base.yaml
properties:
@@ -71,40 +81,52 @@ outputs:
- nova
config_settings:
map_merge:
- - get_attr: [NovaBase, role_data, config_settings]
+ - get_attr: [NovaBase, role_data, config_settings]
+ - get_attr: [ApacheServiceBase, role_data, config_settings]
+ - nova::cron::archive_deleted_rows::hour: '"*/12"'
+ nova::cron::archive_deleted_rows::destination: '"/dev/null"'
+ tripleo.nova_api.firewall_rules:
+ '113 nova_api':
+ dport:
+ - 6080
+ - 13080
+ - 8773
+ - 3773
+ - 8774
+ - 13774
+ - 8775
+ nova::keystone::authtoken::project_name: 'service'
+ nova::keystone::authtoken::password: {get_param: NovaPassword}
+ nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
+ nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+ nova::api::enabled: true
+ nova::api::default_floating_pool: 'public'
+ nova::api::sync_db_api: true
+ nova::api::enable_proxy_headers_parsing: true
+ # NOTE: bind IP is found in Heat replacing the network name with the local node IP
+ # for the given network; replacement examples (eg. for internal_api):
+ # internal_api -> IP
+ # internal_api_uri -> [IP]
+ # internal_api_subnet - > IP/CIDR
+ nova::api::api_bind_address: {get_param: [ServiceNetMap, NovaApiNetwork]}
+ nova::wsgi::apache::ssl: false
+ nova::wsgi::apache::bind_host: {get_param: [ServiceNetMap, NovaApiNetwork]}
+ nova::wsgi::apache::servername:
+ str_replace:
+ template:
+ '"%{::fqdn_$NETWORK}"'
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+ nova::wsgi::apache::workers: {get_param: NovaWorkers}
+ nova::wsgi::apache::bind_host: {get_param: [ServiceNetMap, NovaApiNetwork]}
+ nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
+ nova::api::instance_name_template: {get_param: InstanceNameTemplate}
+ nova_enable_db_purge: {get_param: NovaEnableDBPurge}
+ -
+ if:
+ - nova_workers_zero
+ - {}
- nova::api::osapi_compute_workers: {get_param: NovaWorkers}
- nova::api::metadata_workers: {get_param: NovaWorkers}
- nova::cron::archive_deleted_rows::hour: '"*/12"'
- nova::cron::archive_deleted_rows::destination: '"/dev/null"'
- tripleo.nova_api.firewall_rules:
- '113 nova_api':
- dport:
- - 6080
- - 13080
- - 8773
- - 3773
- - 8774
- - 13774
- - 8775
- nova::keystone::authtoken::project_name: 'service'
- nova::keystone::authtoken::password: {get_param: NovaPassword}
- nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
- nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
- nova::api::enabled: true
- nova::api::default_floating_pool: 'public'
- nova::api::sync_db_api: true
- nova::api::enable_proxy_headers_parsing: true
- # NOTE: bind IP is found in Heat replacing the network name with the local node IP
- # for the given network; replacement examples (eg. for internal_api):
- # internal_api -> IP
- # internal_api_uri -> [IP]
- # internal_api_subnet - > IP/CIDR
- nova::api::api_bind_address: {get_param: [ServiceNetMap, NovaApiNetwork]}
- nova::api::metadata_listen: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
- nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
- nova::api::instance_name_template: {get_param: InstanceNameTemplate}
- nova_enable_db_purge: {get_param: NovaEnableDBPurge}
-
step_config: |
include tripleo::profile::base::nova::api
service_config_settings:
diff --git a/puppet/services/nova-conductor.yaml b/puppet/services/nova-conductor.yaml
index 2671cdd3..a10d9560 100644
--- a/puppet/services/nova-conductor.yaml
+++ b/puppet/services/nova-conductor.yaml
@@ -1,4 +1,4 @@
-heat_template_version: 2016-04-08
+heat_template_version: 2016-10-14
description: >
OpenStack Nova Conductor service configured with Puppet
@@ -31,6 +31,9 @@ parameters:
tag: openstack.nova.scheduler
path: /var/log/nova/nova-scheduler.log
+conditions:
+ nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}
+
resources:
NovaBase:
type: ./nova-base.yaml
@@ -50,7 +53,11 @@ outputs:
- nova
config_settings:
map_merge:
- - get_attr: [NovaBase, role_data, config_settings]
+ - get_attr: [NovaBase, role_data, config_settings]
+ -
+ if:
+ - nova_workers_zero
+ - {}
- nova::conductor::workers: {get_param: NovaWorkers}
step_config: |
include tripleo::profile::base::nova::conductor
diff --git a/puppet/services/nova-metadata.yaml b/puppet/services/nova-metadata.yaml
index 92373c56..40931da6 100644
--- a/puppet/services/nova-metadata.yaml
+++ b/puppet/services/nova-metadata.yaml
@@ -1,4 +1,4 @@
-heat_template_version: 2016-04-08
+heat_template_version: 2016-10-14
description: >
OpenStack Nova API service configured with Puppet
@@ -23,12 +23,20 @@ parameters:
description: Number of workers for Nova API service.
type: number
+conditions:
+ nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}
+
outputs:
role_data:
description: Role data for the Nova Metadata service.
value:
service_name: nova_metadata
config_settings:
- nova::api::metadata_workers: {get_param: NovaWorkers}
- nova::api::metadata_listen: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
+ map_merge:
+ - nova::api::metadata_listen: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
+ -
+ if:
+ - nova_workers_zero
+ - {}
+ - nova::api::metadata_workers: {get_param: NovaWorkers}
step_config: ""
diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml
index 8b990bcd..ed0d12cf 100644
--- a/puppet/services/swift-proxy.yaml
+++ b/puppet/services/swift-proxy.yaml
@@ -75,6 +75,7 @@ outputs:
- admin
- swiftoperator
- ResellerAdmin
+ swift::proxy::versioned_writes::allow_versioned_writes: true
swift::proxy::pipeline:
- 'catch_errors'
- 'healthcheck'
@@ -87,6 +88,7 @@ outputs:
- 'authtoken'
- 'keystone'
- 'staticweb'
+ - 'versioned_writes'
- 'proxy-logging'
- 'proxy-server'
swift::proxy::account_autocreate: true
diff --git a/puppet/services/swift-ringbuilder.yaml b/puppet/services/swift-ringbuilder.yaml
index e151d185..8ed4e9f4 100644
--- a/puppet/services/swift-ringbuilder.yaml
+++ b/puppet/services/swift-ringbuilder.yaml
@@ -48,6 +48,8 @@ outputs:
config_settings:
tripleo::profile::base::swift::ringbuilder::build_ring: {get_param: SwiftRingBuild}
tripleo::profile::base::swift::ringbuilder::replicas: {get_param: SwiftReplicas}
+ tripleo::profile::base::swift::ringbuilder::part_power: {get_param: SwiftPartPower}
+ tripleo::profile::base::swift::ringbuilder::min_part_hours: {get_param: SwiftMinPartHours}
tripleo::profile::base::swift::ringbuilder::raw_disk_prefix: 'r1z1-'
tripleo::profile::base::swift::ringbuilder::raw_disks:
yaql:
@@ -59,7 +61,5 @@ outputs:
template: ':%PORT%/DEVICE'
for_each:
DEVICE: {get_param: SwiftRawDisks}
- swift::ringbuilder::part_power: {get_param: SwiftPartPower}
- swift::ringbuilder::min_part_hours: {get_param: SwiftMinPartHours}
step_config: |
include ::tripleo::profile::base::swift::ringbuilder