3 files changed, 72 insertions, 10 deletions

diff --git a/extraconfig/tasks/major_upgrade_pacemaker_migrations.sh b/extraconfig/tasks/major_upgrade_pacemaker_migrations.sh
index 1f420b32..b63198db 100644
--- a/extraconfig/tasks/major_upgrade_pacemaker_migrations.sh
+++ b/extraconfig/tasks/major_upgrade_pacemaker_migrations.sh
@@ -13,6 +13,42 @@
 # been already applied, it should be possible to call the function
 # again without damaging the deployment or failing the upgrade.
 
+function add_missing_openstack_core_constraints {
+    # The CIBs are saved under /root as they might contain sensitive data
+    CIB="/root/migration.cib"
+    CIB_BACKUP="/root/backup.cib"
+    CIB_PUSH_NEEDED=n
+
+    rm -f "$CIB" "$CIB_BACKUP" || /bin/true
+    pcs cluster cib "$CIB"
+    cp "$CIB" "$CIB_BACKUP"
+
+    if ! pcs -f "$CIB" constraint --full | grep 'start openstack-sahara-api-clone then start openstack-sahara-engine-clone'; then
+        pcs -f "$CIB" constraint order start openstack-sahara-api-clone then start openstack-sahara-engine-clone
+        CIB_PUSH_NEEDED=y
+    fi
+
+    if ! pcs -f "$CIB" constraint --full | grep 'start openstack-core-clone then start openstack-ceilometer-notification-clone'; then
+        pcs -f "$CIB" constraint order start openstack-core-clone then start openstack-ceilometer-notification-clone
+        CIB_PUSH_NEEDED=y
+    fi
+
+    if ! pcs -f "$CIB" constraint --full | grep 'start openstack-aodh-evaluator-clone then start openstack-aodh-listener-clone'; then
+        pcs -f "$CIB" constraint order start openstack-aodh-evaluator-clone then start openstack-aodh-listener-clone
+        CIB_PUSH_NEEDED=y
+    fi
+
+    if pcs -f "$CIB" constraint --full | grep 'start openstack-core-clone then start openstack-heat-api-clone'; then
+        CID=$(pcs -f "$CIB" constraint --full | grep 'start openstack-core-clone then start openstack-heat-api-clone' | sed -e 's/.*id\://g' -e 's/)//g')
+        pcs -f "$CIB" constraint remove $CID
+        CIB_PUSH_NEEDED=y
+    fi
+
+    if [ "$CIB_PUSH_NEEDED" = 'y' ]; then
+        pcs cluster cib-push "$CIB"
+    fi
+}
+
 function remove_ceilometer_alarm {
     if pcs status | grep openstack-ceilometer-alarm; then
         # Disable pacemaker resources for ceilometer-alarms
diff --git a/puppet/extraconfig/tls/tls-cert-inject.yaml b/puppet/extraconfig/tls/tls-cert-inject.yaml
index 77b11378..e281ef51 100644
--- a/puppet/extraconfig/tls/tls-cert-inject.yaml
+++ b/puppet/extraconfig/tls/tls-cert-inject.yaml
@@ -63,6 +63,14 @@ resources:
         openssl rsa -noout -modulus -in ${cert_path} \
           | openssl md5 | cut -c 10- \
           > ${heat_outputs_path}.key_modulus
+        # We need to reload haproxy in case the certificate changed because
+        # puppet doesn't know the contents of the cert file.  The pacemaker
+        # case is handled separately in a pacemaker-specific resource.
+        pacemaker_status=$(systemctl is-active pacemaker)
+        haproxy_status=$(systemctl is-active haproxy)
+        if [ "$pacemaker_status" != "active" -a "$haproxy_status" = "active"]; then
+            systemctl reload haproxy
+        fi
 
   ControllerTLSDeployment:
     type: OS::Heat::SoftwareDeployment
diff --git a/puppet/manifests/overcloud_controller_pacemaker.pp b/puppet/manifests/overcloud_controller_pacemaker.pp
index f152a141..3a6dbc06 100644
--- a/puppet/manifests/overcloud_controller_pacemaker.pp
+++ b/puppet/manifests/overcloud_controller_pacemaker.pp
@@ -1168,6 +1168,15 @@ if hiera('step') >= 5 {
       require         => [Pacemaker::Resource::Service[$::sahara::params::api_service_name],
                           Pacemaker::Resource::Ocf['openstack-core']],
     }
+    pacemaker::constraint::base { 'sahara-api-then-sahara-engine-constraint':
+      constraint_type => 'order',
+      first_resource  => "${::sahara::params::api_service_name}-clone",
+      second_resource => "${::sahara::params::engine_service_name}-clone",
+      first_action    => 'start',
+      second_action   => 'start',
+      require         => [Pacemaker::Resource::Service[$::sahara::params::api_service_name],
+                          Pacemaker::Resource::Service[$::sahara::params::engine_service_name]],
+    }
 
     # Glance
     if $glance_backend == 'file' and hiera('glance_file_pcmk_manage', false) {
@@ -1351,7 +1360,7 @@ if hiera('step') >= 5 {
                     Pacemaker::Resource::Service[$::neutron::params::dhcp_agent_service]],
       }
     }
-    if hiera('neutron::enable_dhcp_agent',true) and hiera('l3_agent_service',true) {
+    if hiera('neutron::enable_dhcp_agent',true) and hiera('neutron::enable_l3_agent',true) {
       pacemaker::constraint::base { 'neutron-dhcp-agent-to-l3-agent-constraint':
         constraint_type => 'order',
         first_resource  => "${::neutron::params::dhcp_agent_service}-clone",
@@ -1584,6 +1593,15 @@ if hiera('step') >= 5 {
       require         => [Pacemaker::Resource::Service[$::ceilometer::params::agent_central_service_name],
                           Pacemaker::Resource::Ocf['openstack-core']],
     }
+    pacemaker::constraint::base { 'keystone-then-ceilometer-notification-constraint':
+      constraint_type => 'order',
+      first_resource  => 'openstack-core-clone',
+      second_resource => "${::ceilometer::params::agent_notification_service_name}-clone",
+      first_action    => 'start',
+      second_action   => 'start',
+      require         => [Pacemaker::Resource::Service[$::ceilometer::params::agent_central_service_name],
+                          Pacemaker::Resource::Ocf['openstack-core']],
+    }
     pacemaker::constraint::base { 'ceilometer-central-then-ceilometer-collector-constraint':
       constraint_type => 'order',
       first_resource  => "${::ceilometer::params::agent_central_service_name}-clone",
@@ -1667,6 +1685,15 @@ if hiera('step') >= 5 {
       require => [Pacemaker::Resource::Service[$::aodh::params::evaluator_service_name],
                   Pacemaker::Resource::Service[$::aodh::params::notifier_service_name]],
     }
+    pacemaker::constraint::base { 'aodh-evaluator-then-aodh-listener-constraint':
+      constraint_type => 'order',
+      first_resource  => "${::aodh::params::evaluator_service_name}-clone",
+      second_resource => "${::aodh::params::listener_service_name}-clone",
+      first_action    => 'start',
+      second_action   => 'start',
+      require         => [Pacemaker::Resource::Service[$::aodh::params::evaluator_service_name],
+                          Pacemaker::Resource::Service[$::aodh::params::listener_service_name]],
+    }
     pacemaker::constraint::colocation { 'aodh-listener-with-aodh-evaluator-colocation':
       source  => "${::aodh::params::listener_service_name}-clone",
       target  => "${::aodh::params::evaluator_service_name}-clone",
@@ -1723,15 +1750,6 @@ if hiera('step') >= 5 {
     pacemaker::resource::service { $::heat::params::engine_service_name :
       clone_params => 'interleave=true',
     }
-    pacemaker::constraint::base { 'keystone-then-heat-api-constraint':
-      constraint_type => 'order',
-      first_resource  => 'openstack-core-clone',
-      second_resource => "${::heat::params::api_service_name}-clone",
-      first_action    => 'start',
-      second_action   => 'start',
-      require         => [Pacemaker::Resource::Service[$::heat::params::api_service_name],
-                          Pacemaker::Resource::Ocf['openstack-core']],
-    }
     pacemaker::constraint::base { 'heat-api-then-heat-api-cfn-constraint':
       constraint_type => 'order',
       first_resource  => "${::heat::params::api_service_name}-clone",