-rw-r--r--docker/services/nova-libvirt.yaml56
-rw-r--r--docker/services/pacemaker/database/mysql.yaml23
-rw-r--r--environments/docker-ha.yaml2
-rw-r--r--environments/docker-services-tls-everywhere.yaml13
-rw-r--r--environments/neutron-nuage-config.yaml23
-rw-r--r--environments/nova-nuage-config.yaml6
-rw-r--r--environments/puppet-ceph-external.yaml2
-rw-r--r--firstboot/userdata_example.yaml3
-rw-r--r--network/external.yaml2
-rw-r--r--network/external_v6.yaml2
-rw-r--r--network/internal_api.yaml2
-rw-r--r--network/internal_api_v6.yaml2
-rw-r--r--network/management.yaml2
-rw-r--r--network/management_v6.yaml2
-rw-r--r--network/network.network.j2.yaml3
-rw-r--r--network/networks.j2.yaml7
-rw-r--r--network/storage.yaml2
-rw-r--r--network/storage_mgmt.yaml2
-rw-r--r--network/storage_mgmt_v6.yaml2
-rw-r--r--network/storage_v6.yaml2
-rw-r--r--network/tenant.yaml2
-rw-r--r--network/tenant_v6.yaml2
-rw-r--r--network_data.yaml3
-rw-r--r--overcloud-resource-registry-puppet.j2.yaml1
-rw-r--r--puppet/controller-role.yaml1
-rw-r--r--puppet/extraconfig/tls/tls-cert-inject.yaml1
-rw-r--r--puppet/role.role.j2.yaml3
-rw-r--r--puppet/services/haproxy-internal-tls-certmonger.yaml30
-rw-r--r--puppet/services/haproxy-public-tls-certmonger.yaml36
-rw-r--r--puppet/services/haproxy.yaml26
-rw-r--r--puppet/services/keystone.yaml4
-rw-r--r--puppet/services/neutron-base.yaml7
-rw-r--r--puppet/services/neutron-plugin-ml2-nuage.yaml99
-rw-r--r--puppet/services/neutron-plugin-ml2.yaml5
-rw-r--r--puppet/services/nova-compute.yaml5
-rw-r--r--puppet/services/nova-libvirt.yaml5
36 files changed, 333 insertions, 55 deletions
diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml
index 2f3851a5..916b057e 100644
--- a/docker/services/nova-libvirt.yaml
+++ b/docker/services/nova-libvirt.yaml
@@ -56,7 +56,21 @@ parameters:
description: Port that dockerized nova migration target sshd service
binds to.
type: number
-
+ NovaEnableRbdBackend:
+ default: false
+ description: Whether to enable or not the Rbd backend for Nova
+ type: boolean
+ CinderEnableRbdBackend:
+ default: false
+ description: Whether to enable or not the Rbd backend for Cinder
+ type: boolean
+ CephClientKey:
+ description: The Ceph client key. Can be created with ceph-authtool --gen-print-key. Currently only used for external Ceph deployments to create the openstack user keyring.
+ type: string
+ hidden: true
+ CephClusterFSID:
+ type: string
+ description: The Ceph cluster FSID. Must be a UUID.
conditions:
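Review bot: CephClusterFSID is documented as "Must be a UUID" but carries no constraint, and later in this same file it is spliced into a `bash -c` string through str_replace (the step_4 init container), so an unexpected value would change the shell command rather than fail stack validation. A HOT constraint such as `constraints: [{allowed_pattern: "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"}]` would reject it before deployment. CephClientKey likewise has no default, so it presumably becomes a required parameter even when neither Rbd backend is enabled; worth confirming against how the top-level template passes it. The parameters section continues outside the hunk.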
@@ -69,6 +83,15 @@ conditions:
- {get_param: UseTLSTransportForLiveMigration}
- true
+ need_libvirt_secret:
+ or:
+ - equals:
+ - {get_param: NovaEnableRbdBackend}
+ - true
+ - equals:
+ - {get_param: CinderEnableRbdBackend}
+ - true
+
resources:
ContainersCommon:
@@ -102,7 +125,7 @@ outputs:
- {get_attr: [MySQLClient, role_data, step_config]}
puppet_config:
config_volume: nova_libvirt
- puppet_tags: libvirtd_config,nova_config,file,exec
+ puppet_tags: libvirtd_config,nova_config,file
step_config: *step_config
config_image: {get_param: DockerNovaLibvirtConfigImage}
kolla_config:
@@ -145,21 +168,46 @@ outputs:
- /run:/run
- /sys/fs/cgroup:/sys/fs/cgroup
- /var/lib/nova:/var/lib/nova
- - /etc/libvirt/secrets:/etc/libvirt/secrets
+ - /etc/libvirt:/etc/libvirt
# Needed to use host's virtlogd
- /var/run/libvirt:/var/run/libvirt
- /var/lib/libvirt:/var/lib/libvirt
- - /etc/libvirt/qemu:/etc/libvirt/qemu
- /var/log/libvirt/qemu:/var/log/libvirt/qemu:ro
- /var/log/containers/nova:/var/log/nova
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ step_4:
+ if:
+ - need_libvirt_secret
+ - nova_libvirt_init_secret:
+ detach: false
+ image: {get_param: DockerNovaLibvirtImage}
+ privileged: false
+ user: root
+ volumes:
+ list_concat:
+ - {get_attr: [ContainersCommon, volumes]}
+ -
+ - /var/lib/config-data/puppet-generated/nova_libvirt/etc/nova:/etc/nova:ro
+ - /etc/libvirt:/etc/libvirt
+ - /var/run/libvirt:/var/run/libvirt
+ - /var/lib/libvirt:/var/lib/libvirt
+ command:
+ - /bin/bash
+ - -c
+ - str_replace:
+ template: /usr/bin/virsh secret-define --file /etc/nova/secret.xml && /usr/bin/virsh secret-set-value --secret 'SECRET_UUID' --base64 'SECRET_KEY'
+ params:
+ SECRET_UUID: {get_param: CephClusterFSID}
+ SECRET_KEY: {get_param: CephClientKey}
+ - {}
host_prep_tasks:
- name: create libvirt persistent data directories
file:
path: "{{ item }}"
state: directory
with_items:
+ - /etc/libvirt
- /etc/libvirt/secrets
- /etc/libvirt/qemu
- /var/lib/libvirt
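Review bot: In the step_4 nova_libvirt_init_secret container the Ceph client key (a `hidden: true` parameter) is embedded into the container's command line via `--base64 'SECRET_KEY'`, so it is readable from `docker inspect` of that container and from the process list while virsh runs, and it ends up in anything that records container commands. Reading the key from a file inside the script rather than interpolating it into the template would at least keep it out of the container definition (the template already mounts the puppet-generated /etc/nova read-only, where /etc/nova/secret.xml is expected to live); whether the container is removed after step_4 is not visible in this hunk. Separately, the new `/etc/libvirt:/etc/libvirt` bind mount replaces the narrower `/etc/libvirt/secrets` and `/etc/libvirt/qemu` mounts; if the widening is required by the secret-define step, a one-line comment saying so would help the next reader.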
diff --git a/docker/services/pacemaker/database/mysql.yaml b/docker/services/pacemaker/database/mysql.yaml
index f12852f8..3fb38349 100644
--- a/docker/services/pacemaker/database/mysql.yaml
+++ b/docker/services/pacemaker/database/mysql.yaml
@@ -32,6 +32,9 @@ parameters:
type: string
hidden: true
default: ''
+ MysqlClustercheckPassword:
+ type: string
+ hidden: true
RoleName:
default: ''
description: Role name on which the service is applied
@@ -118,7 +121,19 @@ outputs:
image: *mysql_image
net: host
# Kolla bootstraps aren't idempotent, explicitly checking if bootstrap was done
- command: ['bash', '-c', 'test -e /var/lib/mysql/mysql || kolla_start']
+ command:
+ - 'bash'
+ - '-ec'
+ -
+ list_join:
+ - "\n"
+ - - 'if [ -e /var/lib/mysql/mysql ]; then exit 0; fi'
+ - 'kolla_start'
+ - 'mysqld_safe --skip-networking --wsrep-on=OFF &'
+ - 'timeout ${DB_MAX_TIMEOUT} /bin/bash -c ''until mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" ping 2>/dev/null; do sleep 1; done'''
+ - 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "CREATE USER ''clustercheck''@''localhost'' IDENTIFIED BY ''${DB_CLUSTERCHECK_PASSWORD}'';"'
+ - 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "GRANT PROCESS ON *.* TO ''clustercheck''@''localhost'' WITH GRANT OPTION;"'
+ - 'timeout ${DB_MAX_TIMEOUT} mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" shutdown'
volumes: &mysql_volumes
list_concat:
- {get_attr: [ContainersCommon, volumes]}
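Review bot: The bootstrap grants `GRANT PROCESS ON *.* TO 'clustercheck'@'localhost' WITH GRANT OPTION`; a health-check account only needs PROCESS, and WITH GRANT OPTION lets it hand that privilege to other accounts, so dropping `WITH GRANT OPTION` follows least privilege. The cluster-check password is also interpolated verbatim into a single-quoted SQL literal (`IDENTIFIED BY '${DB_CLUSTERCHECK_PASSWORD}'`), so a value containing `'` or `\` breaks or alters the statement; worth confirming what characters the password generator can emit, or escaping the value before use. The script runs under `bash -ec`, so a failed CREATE USER at least aborts bootstrap loudly rather than leaving the account missing.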
@@ -131,6 +146,12 @@ outputs:
- KOLLA_BOOTSTRAP=True
# NOTE(mandre) skip wsrep cluster status check
- KOLLA_KUBERNETES=True
+ - DB_MAX_TIMEOUT=60
+ -
+ list_join:
+ - '='
+ - - 'DB_CLUSTERCHECK_PASSWORD'
+ - {get_param: MysqlClustercheckPassword}
-
list_join:
- '='
diff --git a/environments/docker-ha.yaml b/environments/docker-ha.yaml
index 474e9966..1e25a357 100644
--- a/environments/docker-ha.yaml
+++ b/environments/docker-ha.yaml
@@ -5,6 +5,8 @@ resource_registry:
# Pacemaker runs on the host
OS::TripleO::Services::Pacemaker: ../puppet/services/pacemaker.yaml
OS::TripleO::Services::PacemakerRemote: ../puppet/services/pacemaker_remote.yaml
+ OS::TripleO::Tasks::ControllerPreConfig: OS::Heat::None
+ OS::TripleO::Tasks::ControllerPostConfig: OS::Heat::None
# Services that are disabled for HA deployments with pacemaker
OS::TripleO::Services::Keepalived: OS::Heat::None
diff --git a/environments/docker-services-tls-everywhere.yaml b/environments/docker-services-tls-everywhere.yaml
index 57cf2c5e..d4743326 100644
--- a/environments/docker-services-tls-everywhere.yaml
+++ b/environments/docker-services-tls-everywhere.yaml
@@ -14,6 +14,10 @@ resource_registry:
OS::TripleO::Services::AodhEvaluator: ../docker/services/aodh-evaluator.yaml
OS::TripleO::Services::AodhListener: ../docker/services/aodh-listener.yaml
OS::TripleO::Services::AodhNotifier: ../docker/services/aodh-notifier.yaml
+ OS::TripleO::Services::CeilometerAgentCentral: ../docker/services/ceilometer-agent-central.yaml
+ OS::TripleO::Services::CeilometerAgentIpmi: ../docker/services/ceilometer-agent-ipmi.yaml
+ OS::TripleO::Services::CeilometerAgentNotification: ../docker/services/ceilometer-agent-notification.yaml
+ OS::TripleO::Services::ComputeCeilometerAgent: ../docker/services/ceilometer-agent-compute.yaml
OS::TripleO::Services::ComputeNeutronOvsAgent: ../docker/services/neutron-ovs-agent.yaml
OS::TripleO::Services::GlanceApi: ../docker/services/glance-api.yaml
OS::TripleO::Services::GnocchiApi: ../docker/services/gnocchi-api.yaml
@@ -24,15 +28,16 @@ resource_registry:
OS::TripleO::Services::HeatEngine: ../docker/services/heat-engine.yaml
OS::TripleO::Services::Iscsid: ../docker/services/iscsid.yaml
OS::TripleO::Services::Keystone: ../docker/services/keystone.yaml
- OS::TripleO::Services::NovaMigrationTarget: ../docker/services/nova-migration-target.yaml
- OS::TripleO::Services::NeutronServer: ../docker/services/neutron-api.yaml
+ OS::TripleO::Services::Memcached: ../docker/services/memcached.yaml
OS::TripleO::Services::NeutronApi: ../docker/services/neutron-api.yaml
OS::TripleO::Services::NeutronCorePlugin: ../docker/services/neutron-plugin-ml2.yaml
- OS::TripleO::Services::NeutronMetadataAgent: ../docker/services/neutron-metadata.yaml
- OS::TripleO::Services::NeutronOvsAgent: ../docker/services/neutron-ovs-agent.yaml
OS::TripleO::Services::NeutronDhcpAgent: ../docker/services/neutron-dhcp.yaml
OS::TripleO::Services::NeutronL3Agent: ../docker/services/neutron-l3.yaml
+ OS::TripleO::Services::NeutronMetadataAgent: ../docker/services/neutron-metadata.yaml
+ OS::TripleO::Services::NeutronOvsAgent: ../docker/services/neutron-ovs-agent.yaml
+ OS::TripleO::Services::NeutronServer: ../docker/services/neutron-api.yaml
OS::TripleO::Services::PankoApi: ../docker/services/panko-api.yaml
+ OS::TripleO::Services::Redis: ../docker/services/database/redis.yaml
OS::TripleO::Services::SwiftProxy: ../docker/services/swift-proxy.yaml
OS::TripleO::Services::SwiftRingBuilder: ../docker/services/swift-ringbuilder.yaml
OS::TripleO::Services::SwiftStorage: ../docker/services/swift-storage.yaml
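Review bot: Besides re-sorting the registry, this hunk drops the `OS::TripleO::Services::NovaMigrationTarget: ../docker/services/nova-migration-target.yaml` mapping without a replacement, so in this environment the service presumably falls back to whatever the base resource registry maps it to. If that is intentional (the diffstat shows no change to that template), it deserves a sentence in the commit message; if not, the line should be kept. The Memcached and Redis additions are otherwise straightforward.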
diff --git a/environments/neutron-nuage-config.yaml b/environments/neutron-nuage-config.yaml
index 601554a1..ce64311b 100644
--- a/environments/neutron-nuage-config.yaml
+++ b/environments/neutron-nuage-config.yaml
@@ -1,13 +1,13 @@
# A Heat environment file which can be used to enable a
# a Neutron Nuage backend on the controller, configured via puppet
resource_registry:
+ OS::TripleO::Services::NeutronDhcpAgent: OS::Heat::None
OS::TripleO::Services::NeutronL3Agent: OS::Heat::None
OS::TripleO::Services::NeutronMetadataAgent: OS::Heat::None
OS::TripleO::Services::NeutronOvsAgent: OS::Heat::None
OS::TripleO::Services::ComputeNeutronOvsAgent: OS::Heat::None
# Override the NeutronCorePlugin to use Nuage
- OS::TripleO::Services::NeutronCorePlugin: OS::TripleO::Services::NeutronCorePluginNuage
- OS::TripleO::Services::ComputeNeutronCorePlugin: ../puppet/services/neutron-compute-plugin-nuage.yaml
+ OS::TripleO::Services::NeutronCorePlugin: OS::TripleO::Services::NeutronCorePluginML2Nuage
parameter_defaults:
NeutronNuageNetPartitionName: 'default_name'
@@ -18,9 +18,18 @@ parameter_defaults:
NeutronNuageBaseURIVersion: 'default_uri_version'
NeutronNuageCMSId: ''
UseForwardedFor: true
- NeutronCorePlugin: 'nuage_neutron.plugins.nuage.plugin.NuagePlugin'
- NeutronEnableDHCPAgent: false
- NeutronServicePlugins: []
- NovaOVSBridge: 'alubr0'
- controllerExtraConfig:
+ NeutronServicePlugins: ''
+ NeutronDBSyncExtraParams: '--config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugin.ini'
+ NeutronTypeDrivers: ''
+ NeutronNetworkType: ''
+ NeutronMechanismDrivers: ''
+ NeutronPluginExtensions: ''
+ NeutronFlatNetworks: ''
+ NeutronTunnelIdRanges: ''
+ NeutronNetworkVLANRanges: ''
+ NeutronVniRanges: ''
+ NovaOVSBridge: 'default_bridge'
+ NeutronMetadataProxySharedSecret: 'default'
+ InstanceNameTemplate: 'inst-%08x'
+ ControllerExtraConfig:
neutron::api_extensions_path: '/usr/lib/python2.7/site-packages/neutron/plugins/nuage/'
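Review bot: `NeutronMetadataProxySharedSecret: 'default'` ships a known placeholder as the metadata-proxy shared secret; an operator who sources this environment file without overriding it deploys with a guessable secret, and the same applies to `NuageMetadataProxySharedSecret: 'default'` in environments/nova-nuage-config.yaml in this diff. The other placeholders here ('default_name', 'default_bridge') are obviously non-functional, whereas a secret of 'default' works and therefore goes unnoticed. Consider leaving the secret parameter out of the file so the consuming template's own default or a generated value applies, or at minimum add `# Placeholder; must be overridden with a site-specific secret` above it. I cannot see whether the consuming template generates a secret when unset, so treat that as something to confirm.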
diff --git a/environments/nova-nuage-config.yaml b/environments/nova-nuage-config.yaml
index 56c64d15..5e75ed9e 100644
--- a/environments/nova-nuage-config.yaml
+++ b/environments/nova-nuage-config.yaml
@@ -2,7 +2,13 @@
# Nuage backend on the compute, configured via puppet
resource_registry:
OS::TripleO::ComputeExtraConfigPre: ../puppet/extraconfig/pre_deploy/compute/nova-nuage.yaml
+ OS::TripleO::Services::ComputeNeutronCorePlugin: ../puppet/services/neutron-compute-plugin-nuage.yaml
parameter_defaults:
NuageActiveController: '0.0.0.0'
NuageStandbyController: '0.0.0.0'
+ NovaOVSBridge: 'default_bridge'
+ NovaComputeLibvirtType: 'default_type'
+ NovaIPv6: False
+ NuageMetadataProxySharedSecret: 'default'
+ NuageNovaApiEndpoint: 'default_endpoint'
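Review bot: `NovaIPv6: False` uses a capitalised YAML 1.1 boolean while the rest of the environment files in this diff use lowercase (`UseForwardedFor: true` in environments/neutron-nuage-config.yaml), and yamllint's truthy rule flags the mixed form; write `NovaIPv6: false`. The placeholders 'default_bridge', 'default_type' and 'default_endpoint' are only caught at nova-compute start rather than at stack validation, so a comment such as `# Placeholders below must be overridden per site` would make the intent explicit.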
diff --git a/environments/puppet-ceph-external.yaml b/environments/puppet-ceph-external.yaml
index 2f577c26..7718b821 100644
--- a/environments/puppet-ceph-external.yaml
+++ b/environments/puppet-ceph-external.yaml
@@ -1,5 +1,5 @@
# ******************************************************************************
-# DEPRECATED: Use tripleo-heat-templates/environments/storage/ceph-external.yaml
+# DEPRECATED: Use tripleo-heat-templates/environments/storage/external-ceph.yaml
# instead.
# ******************************************************************************
# A Heat environment file which can be used to enable the
diff --git a/firstboot/userdata_example.yaml b/firstboot/userdata_example.yaml
index 2f03c83b..32da7eda 100644
--- a/firstboot/userdata_example.yaml
+++ b/firstboot/userdata_example.yaml
@@ -42,10 +42,9 @@ resources:
str_replace:
template: |
#!/bin/bash
- curl http://169.254.169.254/openstack/2012-08-10/meta_data.json -o /root/meta_data.json
mkdir -p /home/$user/.ssh
chmod 700 /home/$user/.ssh
- cat /root/meta_data.json | jq -r ".keys[0].data" > /home/$user/.ssh/authorized_keys
+ os-apply-config --key public-keys.0.openssh-key --type raw > /home/$user/.ssh/authorized_keys
chmod 600 /home/$user/.ssh/authorized_keys
chown -R $user:$user /home/$user/.ssh
params:
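Review bot: The script has no `set -e`, so if `os-apply-config --key public-keys.0.openssh-key --type raw` fails (for example when the metadata holds no key) the redirect still creates an empty authorized_keys and the chmod/chown lines run, leaving the node without a usable key and without a failure signal. Adding `set -e` directly under `#!/bin/bash` makes the first-boot script fail loudly instead. As before, only the first public key is injected; the example's description, which is outside the hunk, could say so.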
diff --git a/network/external.yaml b/network/external.yaml
index 8dbe3e20..708d4635 100644
--- a/network/external.yaml
+++ b/network/external.yaml
@@ -66,4 +66,4 @@ outputs:
description: Neutron external network
value: {get_resource: ExternalNetwork}
subnet_cidr:
- value: {get_attr: ExternalSubnet, cidr}
+ value: {get_attr: [ExternalSubnet, cidr]}
diff --git a/network/external_v6.yaml b/network/external_v6.yaml
index 3266932a..9d1c3d00 100644
--- a/network/external_v6.yaml
+++ b/network/external_v6.yaml
@@ -73,4 +73,4 @@ outputs:
description: Neutron external network
value: {get_resource: ExternalNetwork}
subnet_cidr:
- value: {get_attr: ExternalSubnet, cidr}
+ value: {get_attr: [ExternalSubnet, cidr]}
diff --git a/network/internal_api.yaml b/network/internal_api.yaml
index 7ff0dafd..6e1885a9 100644
--- a/network/internal_api.yaml
+++ b/network/internal_api.yaml
@@ -62,4 +62,4 @@ outputs:
description: Neutron internal network
value: {get_resource: InternalApiNetwork}
subnet_cidr:
- value: {get_attr: InternalApiSubnet, cidr}
+ value: {get_attr: [InternalApiSubnet, cidr]}
diff --git a/network/internal_api_v6.yaml b/network/internal_api_v6.yaml
index 0688f138..7264b1c0 100644
--- a/network/internal_api_v6.yaml
+++ b/network/internal_api_v6.yaml
@@ -69,4 +69,4 @@ outputs:
description: Neutron internal network
value: {get_resource: InternalApiNetwork}
subnet_cidr:
- value: {get_attr: InternalApiSubnet, cidr}
+ value: {get_attr: [InternalApiSubnet, cidr]}
diff --git a/network/management.yaml b/network/management.yaml
index d9f773c1..be197e5c 100644
--- a/network/management.yaml
+++ b/network/management.yaml
@@ -67,4 +67,4 @@ outputs:
description: Neutron management network
value: {get_resource: ManagementNetwork}
subnet_cidr:
- value: {get_attr: ManagementSubnet, cidr}
+ value: {get_attr: [ManagementSubnet, cidr]}
diff --git a/network/management_v6.yaml b/network/management_v6.yaml
index bf715513..2eb8c876 100644
--- a/network/management_v6.yaml
+++ b/network/management_v6.yaml
@@ -68,4 +68,4 @@ outputs:
description: Neutron management network
value: {get_resource: ManagementNetwork}
subnet_cidr:
- value: {get_attr: ManagementSubnet, cidr}
+ value: {get_attr: [ManagementSubnet, cidr]}
diff --git a/network/network.network.j2.yaml b/network/network.network.j2.yaml
index 2c223c16..ccf437bb 100644
--- a/network/network.network.j2.yaml
+++ b/network/network.network.j2.yaml
@@ -88,5 +88,4 @@ outputs:
description: {{network.name_lower}} network
value: {get_resource: {{network.name}}Network}
subnet_cidr:
- value: {get_attr: {{network.name}}Subnet, cidr}
-
+ value: {get_attr: [{{network.name}}Subnet, cidr]}
diff --git a/network/networks.j2.yaml b/network/networks.j2.yaml
index c790d370..48c509df 100644
--- a/network/networks.j2.yaml
+++ b/network/networks.j2.yaml
@@ -3,9 +3,9 @@ heat_template_version: pike
description: Create networks to split out Overcloud traffic
resources:
-
{%- for network in networks %}
- {{network.name}}Network:
+ {%- set network_name = network.compat_name|default(network.name) %}
+ {{network_name}}Network:
type: OS::TripleO::Network::{{network.name}}
{%- endfor %}
@@ -19,8 +19,9 @@ outputs:
# NOTE(gfidente): we need to replace the null value with a
# string to work around https://bugs.launchpad.net/heat/+bug/1700025
{%- for network in networks %}
+ {%- set network_name = network.compat_name|default(network.name) %}
{{network.name_lower}}:
yaql:
- data: {get_attr: [{{network.name}}Network, subnet_cidr]}
+ data: {get_attr: [{{network_name}}Network, subnet_cidr]}
expression: str($.data).replace('null', 'disabled')
{%- endfor %}
diff --git a/network/storage.yaml b/network/storage.yaml
index 00316c51..9729044d 100644
--- a/network/storage.yaml
+++ b/network/storage.yaml
@@ -62,4 +62,4 @@ outputs:
description: Neutron storage network
value: {get_resource: StorageNetwork}
subnet_cidr:
- value: {get_attr: StorageSubnet, cidr}
+ value: {get_attr: [StorageSubnet, cidr]}
diff --git a/network/storage_mgmt.yaml b/network/storage_mgmt.yaml
index bc4347c2..fc005573 100644
--- a/network/storage_mgmt.yaml
+++ b/network/storage_mgmt.yaml
@@ -62,4 +62,4 @@ outputs:
description: Neutron storage management network
value: {get_resource: StorageMgmtNetwork}
subnet_cidr:
- value: {get_attr: StorageMgmtSubnet, cidr}
+ value: {get_attr: [StorageMgmtSubnet, cidr]}
diff --git a/network/storage_mgmt_v6.yaml b/network/storage_mgmt_v6.yaml
index 0d6614f9..cef87de9 100644
--- a/network/storage_mgmt_v6.yaml
+++ b/network/storage_mgmt_v6.yaml
@@ -69,4 +69,4 @@ outputs:
description: Neutron storage management network
value: {get_resource: StorageMgmtNetwork}
subnet_cidr:
- value: {get_attr: StorageMgmtSubnet, cidr}
+ value: {get_attr: [StorageMgmtSubnet, cidr]}
diff --git a/network/storage_v6.yaml b/network/storage_v6.yaml
index bf796b2b..51edd4b3 100644
--- a/network/storage_v6.yaml
+++ b/network/storage_v6.yaml
@@ -69,4 +69,4 @@ outputs:
description: Neutron storage network
value: {get_resource: StorageNetwork}
subnet_cidr:
- value: {get_attr: StorageSubnet, cidr}
+ value: {get_attr: [StorageSubnet, cidr]}
diff --git a/network/tenant.yaml b/network/tenant.yaml
index 2104f0bd..67c4abbc 100644
--- a/network/tenant.yaml
+++ b/network/tenant.yaml
@@ -62,4 +62,4 @@ outputs:
description: Neutron tenant network
value: {get_resource: TenantNetwork}
subnet_cidr:
- value: {get_attr: TenantSubnet, cidr}
+ value: {get_attr: [TenantSubnet, cidr]}
diff --git a/network/tenant_v6.yaml b/network/tenant_v6.yaml
index 9993eec9..9f139cb1 100644
--- a/network/tenant_v6.yaml
+++ b/network/tenant_v6.yaml
@@ -69,4 +69,4 @@ outputs:
description: Neutron tenant network
value: {get_resource: TenantNetwork}
subnet_cidr:
- value: {get_attr: TenantSubnet, cidr}
+ value: {get_attr: [TenantSubnet, cidr]}
diff --git a/network_data.yaml b/network_data.yaml
index 947769ae..6ad37dfe 100644
--- a/network_data.yaml
+++ b/network_data.yaml
@@ -17,6 +17,8 @@
# allocation_pools: IP range list e.g. [{'start':'10.0.0.4', 'end':'10.0.0.250}]
# gateway_ip: gateway for the network (optional, may use parameter defaults)
# NOTE: IP-related values set parameter defaults in templates, may be overridden.
+# compat_name: for existing stack you may need to override the default transformation
+# for the resource's name.
#
# Example:
# - name Example
@@ -39,6 +41,7 @@
vip: true
ip_subnet: '172.16.2.0/24'
allocation_pools: [{'start': '172.16.2.4', 'end': '172.16.2.250'}]
+ compat_name: Internal
- name: Storage
vip: true
name_lower: storage
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 0d3b875a..0b4b4feb 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -154,6 +154,7 @@ resource_registry:
OS::TripleO::Services::NeutronCorePluginML2OVN: puppet/services/neutron-plugin-ml2-ovn.yaml
OS::TripleO::Services::NeutronCorePluginPlumgrid: puppet/services/neutron-plugin-plumgrid.yaml
OS::TripleO::Services::NeutronCorePluginNuage: puppet/services/neutron-plugin-nuage.yaml
+ OS::TripleO::Services::NeutronCorePluginML2Nuage: puppet/services/neutron-plugin-ml2-nuage.yaml
OS::TripleO::Services::NeutronCorePluginNSX: puppet/services/neutron-plugin-nsx.yaml
OS::TripleO::Services::OVNDBs: OS::Heat::None
OS::TripleO::Services::OVNController: OS::Heat::None
diff --git a/puppet/controller-role.yaml b/puppet/controller-role.yaml
index 38589a4e..ab81d1aa 100644
--- a/puppet/controller-role.yaml
+++ b/puppet/controller-role.yaml
@@ -563,7 +563,6 @@ resources:
extraconfig: {get_param: ExtraConfig}
controller:
# Misc
- tripleo::haproxy::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]}
tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade}
fqdn_internal_api: {get_attr: [NetHostMap, value, internal_api, fqdn]}
fqdn_storage: {get_attr: [NetHostMap, value, storage, fqdn]}
diff --git a/puppet/extraconfig/tls/tls-cert-inject.yaml b/puppet/extraconfig/tls/tls-cert-inject.yaml
index 8cba4351..e81b1142 100644
--- a/puppet/extraconfig/tls/tls-cert-inject.yaml
+++ b/puppet/extraconfig/tls/tls-cert-inject.yaml
@@ -7,6 +7,7 @@ description: >
parameters:
# Can be overridden via parameter_defaults in the environment
SSLCertificate:
+ default: ''
description: >
The content of the SSL certificate (without Key) in PEM format.
type: string
diff --git a/puppet/role.role.j2.yaml b/puppet/role.role.j2.yaml
index 23d8896e..f1abf8dd 100644
--- a/puppet/role.role.j2.yaml
+++ b/puppet/role.role.j2.yaml
@@ -513,9 +513,6 @@ resources:
fqdn_management: {get_attr: [NetHostMap, value, management, fqdn]}
fqdn_ctlplane: {get_attr: [NetHostMap, value, ctlplane, fqdn]}
fqdn_external: {get_attr: [NetHostMap, value, external, fqdn]}
- {%- if 'primary' in role.tags and 'controller' in role.tags %}
- tripleo::haproxy::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]}
- {%- endif -%}
# Resource for site-specific injection of root certificate
NodeTLSCAData:
diff --git a/puppet/services/haproxy-internal-tls-certmonger.yaml b/puppet/services/haproxy-internal-tls-certmonger.yaml
index 3355a0d3..642685a8 100644
--- a/puppet/services/haproxy-internal-tls-certmonger.yaml
+++ b/puppet/services/haproxy-internal-tls-certmonger.yaml
@@ -30,6 +30,12 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
+ HAProxyInternalTLSCertsDirectory:
+ default: '/etc/pki/tls/certs/haproxy'
+ type: string
+ HAProxyInternalTLSKeysDirectory:
+ default: '/etc/pki/tls/private/haproxy'
+ type: string
resources:
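Review bot: `HAProxyInternalTLSCertsDirectory` and `HAProxyInternalTLSKeysDirectory` are new parameters with no `description`, unlike the other parameters in this section; the same pair in puppet/services/haproxy-public-tls-certmonger.yaml in this diff has the same omission. Suggested text: `description: Directory in which certmonger stores the HAProxy TLS certificates.` and `description: Directory in which certmonger stores the HAProxy TLS private keys.`. The parameters section continues outside the hunk.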
@@ -55,16 +61,30 @@ outputs:
config_settings:
generate_service_certificates: true
tripleo::haproxy::use_internal_certificates: true
- tripleo::certmonger::haproxy_dirs::certificate_dir: '/etc/pki/tls/certs/haproxy'
- tripleo::certmonger::haproxy_dirs::key_dir: '/etc/pki/tls/private/haproxy'
+ tripleo::certmonger::haproxy_dirs::certificate_dir:
+ get_param: HAProxyInternalTLSCertsDirectory
+ tripleo::certmonger::haproxy_dirs::key_dir:
+ get_param: HAProxyInternalTLSKeysDirectory
certificates_specs:
map_merge:
repeat:
template:
haproxy-NETWORK:
- service_pem: '/etc/pki/tls/certs/haproxy/overcloud-haproxy-NETWORK.pem'
- service_certificate: '/etc/pki/tls/certs/haproxy/overcloud-haproxy-NETWORK.crt'
- service_key: '/etc/pki/tls/private/haproxy/overcloud-haproxy-NETWORK.key'
+ service_pem:
+ list_join:
+ - ''
+ - - {get_param: HAProxyInternalTLSCertsDirectory}
+ - '/overcloud-haproxy-NETWORK.pem'
+ service_certificate:
+ list_join:
+ - ''
+ - - {get_param: HAProxyInternalTLSCertsDirectory}
+ - '/overcloud-haproxy-NETWORK.crt'
+ service_key:
+ list_join:
+ - ''
+ - - {get_param: HAProxyInternalTLSKeysDirectory}
+ - '/overcloud-haproxy-NETWORK.key'
hostname: "%{hiera('cloud_name_NETWORK')}"
postsave_cmd: "" # TODO
principal: "haproxy/%{hiera('cloud_name_NETWORK')}"
diff --git a/puppet/services/haproxy-public-tls-certmonger.yaml b/puppet/services/haproxy-public-tls-certmonger.yaml
index f1739f78..b2766c44 100644
--- a/puppet/services/haproxy-public-tls-certmonger.yaml
+++ b/puppet/services/haproxy-public-tls-certmonger.yaml
@@ -30,6 +30,12 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
+ HAProxyInternalTLSCertsDirectory:
+ default: '/etc/pki/tls/certs/haproxy'
+ type: string
+ HAProxyInternalTLSKeysDirectory:
+ default: '/etc/pki/tls/private/haproxy'
+ type: string
outputs:
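Review bot: The two new parameters are named `HAProxyInternalTLS...` although this template manages the public (external) HAProxy certificate, and in the outputs hunk below they feed `tripleo::haproxy::service_certificate` and the `haproxy-external` certificate specs. Since parameter_defaults apply by name across templates, an operator overriding the internal directories also moves the public certificate; if that sharing is intended, a comment such as `# Same names as haproxy-internal-tls-certmonger.yaml on purpose: both templates must agree on these paths` above the parameters would stop a future rename from silently splitting them, otherwise the parameters should be named `HAProxyPublicTLS...`.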
role_data:
@@ -38,14 +44,32 @@ outputs:
service_name: haproxy_public_tls_certmonger
config_settings:
generate_service_certificates: true
- tripleo::haproxy::service_certificate: '/etc/pki/tls/certs/haproxy/overcloud-haproxy-external.pem'
- tripleo::certmonger::haproxy_dirs::certificate_dir: '/etc/pki/tls/certs/haproxy'
- tripleo::certmonger::haproxy_dirs::key_dir: '/etc/pki/tls/private/haproxy'
+ tripleo::haproxy::service_certificate:
+ list_join:
+ - ''
+ - - {get_param: HAProxyInternalTLSCertsDirectory}
+ - '/overcloud-haproxy-external.pem'
+ tripleo::certmonger::haproxy_dirs::certificate_dir:
+ get_param: HAProxyInternalTLSCertsDirectory
+ tripleo::certmonger::haproxy_dirs::key_dir:
+ get_param: HAProxyInternalTLSKeysDirectory
certificates_specs:
haproxy-external:
- service_pem: '/etc/pki/tls/certs/haproxy/overcloud-haproxy-external.pem'
- service_certificate: '/etc/pki/tls/certs/haproxy/overcloud-haproxy-external.crt'
- service_key: '/etc/pki/tls/private/haproxy/overcloud-haproxy-external.key'
+ service_pem:
+ list_join:
+ - ''
+ - - {get_param: HAProxyInternalTLSCertsDirectory}
+ - '/overcloud-haproxy-external.pem'
+ service_certificate:
+ list_join:
+ - ''
+ - - {get_param: HAProxyInternalTLSCertsDirectory}
+ - '/overcloud-haproxy-external.crt'
+ service_key:
+ list_join:
+ - ''
+ - - {get_param: HAProxyInternalTLSKeysDirectory}
+ - '/overcloud-haproxy-external.key'
hostname: "%{hiera('cloud_name_external')}"
postsave_cmd: "" # TODO
principal: "haproxy/%{hiera('cloud_name_external')}"
diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml
index a37135da..6b2d028f 100644
--- a/puppet/services/haproxy.yaml
+++ b/puppet/services/haproxy.yaml
@@ -57,6 +57,16 @@ parameters:
MonitoringSubscriptionHaproxy:
default: 'overcloud-haproxy'
type: string
+ SSLCertificate:
+ default: ''
+ description: >
+ The content of the SSL certificate (without Key) in PEM format.
+ type: string
+ DeployedSSLCertificatePath:
+ default: '/etc/pki/tls/private/overcloud_endpoint.pem'
+ description: >
+ The filepath of the certificate as it will be stored in the controller.
+ type: string
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
@@ -68,6 +78,14 @@ parameters:
description: Specifies the default CRL PEM file to use for revocation if
TLS is used for services in the internal network.
+conditions:
+
+ public_tls_enabled:
+ not:
+ equals:
+ - {get_param: SSLCertificate}
+ - ""
+
resources:
HAProxyPublicTLS:
@@ -98,8 +116,6 @@ outputs:
monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
config_settings:
map_merge:
- - get_attr: [HAProxyPublicTLS, role_data, config_settings]
- - get_attr: [HAProxyInternalTLS, role_data, config_settings]
- tripleo.haproxy.firewall_rules:
'107 haproxy stats':
dport: 1993
@@ -115,6 +131,12 @@ outputs:
map_merge:
- get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
- get_attr: [HAProxyInternalTLS, role_data, certificates_specs]
+ - if:
+ - public_tls_enabled
+ - tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath}
+ - {}
+ - get_attr: [HAProxyPublicTLS, role_data, config_settings]
+ - get_attr: [HAProxyInternalTLS, role_data, config_settings]
step_config: |
include ::tripleo::profile::base::haproxy
upgrade_tasks:
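Review bot: The certmonger sub-templates' config_settings are moved from the head of the map_merge (removed in the earlier hunk of this file) to its tail, after the conditional `tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath}`; since map_merge is last-wins, this ordering appears to be what lets the certmonger-managed path override the injected-certificate path when both are set, but nothing says so. A comment above the two trailing get_attr lines, e.g. `# merged last so a certmonger-managed service_certificate overrides DeployedSSLCertificatePath`, would document the dependency on order. Indentation is lost in this view, so I cannot confirm which map_merge these lines join; if it is the nested certificates_specs merge rather than the config_settings one, that would be a bug. The config_settings block continues outside the hunk.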
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index 8796209b..218ba740 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -178,10 +178,10 @@ parameters:
Cron to purge expired tokens - Week Day
default: '*'
KeystoneCronTokenFlushMaxDelay:
- type: string
+ type: number
description: >
Cron to purge expired tokens - Max Delay
- default: '0'
+ default: 0
KeystoneCronTokenFlushDestination:
type: string
description: >
diff --git a/puppet/services/neutron-base.yaml b/puppet/services/neutron-base.yaml
index b9556890..b6980045 100644
--- a/puppet/services/neutron-base.yaml
+++ b/puppet/services/neutron-base.yaml
@@ -69,6 +69,12 @@ parameters:
networks, neutron uses this value without modification. For overlay
networks such as VXLAN, neutron automatically subtracts the overlay
protocol overhead from this value.
+ NeutronDBSyncExtraParams:
+ default: ''
+ description: |
+ String of extra command line parameters to append to the neutron-db-manage
+ upgrade head command.
+ type: string
ServiceData:
default: {}
description: Dictionary packing service data
@@ -134,6 +140,7 @@ outputs:
neutron::db::database_max_retries: -1
neutron::db::sync::db_sync_timeout: {get_param: DatabaseSyncTimeout}
neutron::global_physnet_mtu: {get_param: NeutronGlobalPhysnetMtu}
+ neutron::db::sync::extra_params: {get_param: NeutronDBSyncExtraParams}
- if:
- dhcp_agents_zero
- {}
diff --git a/puppet/services/neutron-plugin-ml2-nuage.yaml b/puppet/services/neutron-plugin-ml2-nuage.yaml
new file mode 100644
index 00000000..a7dc2e8b
--- /dev/null
+++ b/puppet/services/neutron-plugin-ml2-nuage.yaml
@@ -0,0 +1,99 @@
+heat_template_version: pike
+
+description: >
+ OpenStack Neutron ML2/Nuage plugin configured with Puppet
+
+parameters:
+ ServiceData:
+ default: {}
+ description: Dictionary packing service data
+ type: json
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ # Config specific parameters, to be provided via parameter_defaults
+ NeutronNuageNetPartitionName:
+ description: Specifies the title that you will see on the VSD
+ type: string
+ default: 'default_name'
+
+ NeutronNuageVSDIp:
+ description: IP address and port of the Virtual Services Directory
+ type: string
+
+ NeutronNuageVSDUsername:
+ description: Username to be used to log into VSD
+ type: string
+
+ NeutronNuageVSDPassword:
+ description: Password to be used to log into VSD
+ type: string
+
+ NeutronNuageVSDOrganization:
+ description: Organization parameter required to log into VSD
+ type: string
+ default: 'organization'
+
+ NeutronNuageBaseURIVersion:
+ description: URI version to be used based on the VSD release
+ type: string
+ default: 'default_uri_version'
+
+ NeutronNuageCMSId:
+ description: Cloud Management System ID (CMS ID) to distinguish between OS instances on the same VSD
+ type: string
+
+ UseForwardedFor:
+ description: Treat X-Forwarded-For as the canonical remote address. Only enable this if you have a sanitizing proxy.
+ type: boolean
+ default: false
+
+resources:
+
+ NeutronML2Base:
+ type: ./neutron-plugin-ml2.yaml
+ properties:
+ ServiceData: {get_param: ServiceData}
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+ RoleName: {get_param: RoleName}
+ RoleParameters: {get_param: RoleParameters}
+
+outputs:
+ role_data:
+ description: Role data for the Neutron ML2/Nuage plugin
+ value:
+ service_name: neutron_plugin_ml2_nuage
+ config_settings:
+ map_merge:
+ - get_attr: [NeutronML2Base, role_data, config_settings]
+ - neutron::plugins::ml2::nuage::nuage_net_partition_name: {get_param: NeutronNuageNetPartitionName}
+ neutron::plugins::ml2::nuage::nuage_vsd_ip: {get_param: NeutronNuageVSDIp}
+ neutron::plugins::ml2::nuage::nuage_vsd_username: {get_param: NeutronNuageVSDUsername}
+ neutron::plugins::ml2::nuage::nuage_vsd_password: {get_param: NeutronNuageVSDPassword}
+ neutron::plugins::ml2::nuage::nuage_vsd_organization: {get_param: NeutronNuageVSDOrganization}
+ neutron::plugins::ml2::nuage::nuage_base_uri_version: {get_param: NeutronNuageBaseURIVersion}
+ neutron::plugins::ml2::nuage::nuage_cms_id: {get_param: NeutronNuageCMSId}
+ nova::api::use_forwarded_for: {get_param: UseForwardedFor}
+ step_config: |
+ include tripleo::profile::base::neutron::plugins::ml2
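Review bot: `NeutronNuageVSDPassword` is a credential but is declared without `hidden: true`, so its value is shown in plain text by stack parameter listings; add `hidden: true` to that parameter. `NeutronNuageVSDIp`, `NeutronNuageVSDUsername` and `NeutronNuageCMSId` have no default, which makes them required parameters; if that is intended, their descriptions could say so. `nova::api::use_forwarded_for` in a Neutron plugin's config_settings reads oddly; a one-line comment explaining why Nova API configuration is set from here would help the next reader.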
diff --git a/puppet/services/neutron-plugin-ml2.yaml b/puppet/services/neutron-plugin-ml2.yaml
index dd757b5d..bc91374a 100644
--- a/puppet/services/neutron-plugin-ml2.yaml
+++ b/puppet/services/neutron-plugin-ml2.yaml
@@ -72,6 +72,10 @@ parameters:
default: 'vxlan'
description: The tenant network type for Neutron.
type: comma_delimited_list
+ NeutronFirewallDriver:
+ description: Firewall driver for realizing neutron security group function
+ type: string
+ default: 'openvswitch'
resources:
NeutronBase:
@@ -100,6 +104,7 @@ outputs:
neutron::plugins::ml2::tunnel_id_ranges: {get_param: NeutronTunnelIdRanges}
neutron::plugins::ml2::vni_ranges: {get_param: NeutronVniRanges}
neutron::plugins::ml2::tenant_network_types: {get_param: NeutronNetworkType}
+ neutron::plugins::ml2::firewall_driver: {get_param: NeutronFirewallDriver}
step_config: |
include ::tripleo::profile::base::neutron::plugins::ml2
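Review bot: `NeutronFirewallDriver` defaults to `'openvswitch'` and is wired into `neutron::plugins::ml2::firewall_driver` for every ML2 deployment, not only the Nuage case this commit adds; if puppet-neutron's own default differed before, this silently switches the security-group implementation on existing deployments and deserves a line in the commit message or a release note. An `allowed_values` constraint listing the drivers TripleO supports would catch typos at validation time, and the description could name them. I cannot see the previous effective default from here, so treat the first point as something to confirm.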
diff --git a/puppet/services/nova-compute.yaml b/puppet/services/nova-compute.yaml
index 6e1f3f56..36866a3a 100644
--- a/puppet/services/nova-compute.yaml
+++ b/puppet/services/nova-compute.yaml
@@ -170,6 +170,11 @@ outputs:
tripleo::profile::base::nova::migration::client::ssh_port: {get_param: MigrationSshPort}
nova::compute::rbd::libvirt_images_rbd_pool: {get_param: NovaRbdPoolName}
nova::compute::rbd::libvirt_rbd_user: {get_param: CephClientUserName}
+ nova::compute::rbd::rbd_keyring:
+ list_join:
+ - '.'
+ - - 'client'
+ - {get_param: CephClientUserName}
tripleo::profile::base::nova::compute::cinder_nfs_backend: {get_param: CinderEnableNfsBackend}
rbd_persistent_storage: {get_param: CinderEnableRbdBackend}
nova::compute::rbd::libvirt_rbd_secret_key: {get_param: CephClientKey}
diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml
index e2ae7260..04936c33 100644
--- a/puppet/services/nova-libvirt.yaml
+++ b/puppet/services/nova-libvirt.yaml
@@ -139,6 +139,11 @@ outputs:
# we manage migration in nova common puppet profile
nova::compute::libvirt::migration_support: false
nova::compute::rbd::libvirt_rbd_user: {get_param: CephClientUserName}
+ nova::compute::rbd::rbd_keyring:
+ list_join:
+ - '.'
+ - - 'client'
+ - {get_param: CephClientUserName}
nova::compute::rbd::libvirt_rbd_secret_key: {get_param: CephClientKey}
nova::compute::rbd::libvirt_rbd_secret_uuid: {get_param: CephClusterFSID}
tripleo::profile::base::nova::migration::client::libvirt_enabled: true