-rw-r--r--environments/enable-internal-tls.yaml1
-rw-r--r--net-config-bond.yaml9
-rw-r--r--net-config-bridge.yaml8
-rw-r--r--net-config-static-bridge-with-external-dhcp.yaml9
-rw-r--r--network/config/bond-with-vlans/controller-v6.yaml2
-rw-r--r--network/config/multiple-nics/compute.yaml2
-rw-r--r--network/config/multiple-nics/controller-v6.yaml4
-rw-r--r--network/config/multiple-nics/controller.yaml3
-rw-r--r--network/config/single-nic-linux-bridge-vlans/controller-v6.yaml3
-rw-r--r--network/config/single-nic-linux-bridge-vlans/controller.yaml3
-rw-r--r--network/config/single-nic-vlans/controller-v6.yaml3
-rw-r--r--overcloud-resource-registry-puppet.j2.yaml1
-rw-r--r--puppet/services/database/mysql-internal-tls-certmonger.yaml43
-rw-r--r--puppet/services/database/mysql.yaml88
-rw-r--r--puppet/services/monitoring/sensu-base.yaml2
-rw-r--r--puppet/services/swift-proxy.yaml5
16 files changed, 100 insertions, 86 deletions
diff --git a/environments/enable-internal-tls.yaml b/environments/enable-internal-tls.yaml
index 7116da37..c01b4888 100644
--- a/environments/enable-internal-tls.yaml
+++ b/environments/enable-internal-tls.yaml
@@ -4,3 +4,4 @@ parameter_defaults:
EnableInternalTLS: true
resource_registry:
OS::TripleO::Services::ApacheTLS: ../puppet/services/apache-internal-tls-certmonger.yaml
+ OS::TripleO::Services::MySQLTLS: ../puppet/services/database/mysql-internal-tls-certmonger.yaml
diff --git a/net-config-bond.yaml b/net-config-bond.yaml
index ec881bdc..01f8ac1d 100644
--- a/net-config-bond.yaml
+++ b/net-config-bond.yaml
@@ -56,14 +56,6 @@ resources:
type: ovs_bridge
name: {get_input: bridge_name}
use_dhcp: true
- # Can't do this yet: https://bugs.launchpad.net/heat/+bug/1344284
- #ovs_extra:
- # - list_join:
- # - ' '
- # - - br-set-external-id
- # - {get_input: bridge_name}
- # - bridge-id
- # - {get_input: bridge_name}
members:
-
type: ovs_bond
@@ -71,7 +63,6 @@ resources:
use_dhcp: true
ovs_options: {get_param: BondInterfaceOvsOptions}
members:
- # os-net-config translates nic1 => em1 (for example)
-
type: interface
name: nic1
diff --git a/net-config-bridge.yaml b/net-config-bridge.yaml
index 4f7a19dc..318eca8a 100644
--- a/net-config-bridge.yaml
+++ b/net-config-bridge.yaml
@@ -45,14 +45,6 @@ resources:
type: ovs_bridge
name: {get_input: bridge_name}
use_dhcp: true
- # Can't do this yet: https://bugs.launchpad.net/heat/+bug/1344284
- #ovs_extra:
- # - list_join:
- # - ' '
- # - - br-set-external-id
- # - {get_input: bridge_name}
- # - bridge-id
- # - {get_input: bridge_name}
members:
-
type: interface
diff --git a/net-config-static-bridge-with-external-dhcp.yaml b/net-config-static-bridge-with-external-dhcp.yaml
index 6dbe5982..3ea4e6ab 100644
--- a/net-config-static-bridge-with-external-dhcp.yaml
+++ b/net-config-static-bridge-with-external-dhcp.yaml
@@ -68,15 +68,6 @@ resources:
primary: true
-
type: interface
- # would like to do the following, but can't b/c of:
- # https://bugs.launchpad.net/heat/+bug/1344284
- # name:
- # list_join:
- # - '/'
- # - - {get_input: bridge_name}
- # - ':0'
- # So, just hardcode to br-ex:0 for now, br-ex is hardcoded in
- # controller.yaml anyway.
name: br-ex:0
addresses:
-
diff --git a/network/config/bond-with-vlans/controller-v6.yaml b/network/config/bond-with-vlans/controller-v6.yaml
index 1361d969..d45ab33c 100644
--- a/network/config/bond-with-vlans/controller-v6.yaml
+++ b/network/config/bond-with-vlans/controller-v6.yaml
@@ -115,7 +115,6 @@ resources:
-
ip_netmask: 169.254.169.254/32
next_hop: {get_param: EC2MetadataIp}
- # IPv4 Default Route
-
default: true
next_hop: {get_param: ControlPlaneDefaultRoute}
@@ -144,7 +143,6 @@ resources:
-
ip_netmask: {get_param: ExternalIpSubnet}
routes:
- # IPv6 Default Route
-
default: true
next_hop: {get_param: ExternalInterfaceDefaultRoute}
diff --git a/network/config/multiple-nics/compute.yaml b/network/config/multiple-nics/compute.yaml
index 77514745..2e07d45e 100644
--- a/network/config/multiple-nics/compute.yaml
+++ b/network/config/multiple-nics/compute.yaml
@@ -122,7 +122,6 @@ resources:
-
ip_netmask: {get_param: InternalApiIpSubnet}
-
- # Create a bridge which can also be used for VLAN-mode bridge mapping
type: ovs_bridge
name: br-tenant
use_dhcp: false
@@ -134,7 +133,6 @@ resources:
type: interface
name: nic5
use_dhcp: false
- # force the MAC address of the bridge to this interface
primary: true
# Uncomment when including environments/network-management.yaml
# If setting default route on the Management interface, comment
diff --git a/network/config/multiple-nics/controller-v6.yaml b/network/config/multiple-nics/controller-v6.yaml
index da1f95f1..bbc89ab6 100644
--- a/network/config/multiple-nics/controller-v6.yaml
+++ b/network/config/multiple-nics/controller-v6.yaml
@@ -132,7 +132,6 @@ resources:
-
ip_netmask: {get_param: InternalApiIpSubnet}
-
- # Create a bridge which can also be used for VLAN-mode bridge mapping
type: ovs_bridge
name: br-tenant
use_dhcp: false
@@ -144,7 +143,6 @@ resources:
type: interface
name: nic5
use_dhcp: false
- # force the MAC address of the bridge to this interface
primary: true
-
type: ovs_bridge
@@ -155,7 +153,6 @@ resources:
-
ip_netmask: {get_param: ExternalIpSubnet}
routes:
- # IPv6 Default Route
-
default: true
next_hop: {get_param: ExternalInterfaceDefaultRoute}
@@ -163,7 +160,6 @@ resources:
-
type: interface
name: nic6
- # force the MAC address of the bridge to this interface
primary: true
# Uncomment when including environments/network-management.yaml
# If setting default route on the Management interface, comment
diff --git a/network/config/multiple-nics/controller.yaml b/network/config/multiple-nics/controller.yaml
index 7a1f9e5f..a0176b5b 100644
--- a/network/config/multiple-nics/controller.yaml
+++ b/network/config/multiple-nics/controller.yaml
@@ -126,7 +126,6 @@ resources:
-
ip_netmask: {get_param: InternalApiIpSubnet}
-
- # Create a bridge which can also be used for VLAN-mode bridge mapping
type: ovs_bridge
name: br-tenant
use_dhcp: false
@@ -138,7 +137,6 @@ resources:
type: interface
name: nic5
use_dhcp: false
- # force the MAC address of the bridge to this interface
primary: true
-
type: ovs_bridge
@@ -156,7 +154,6 @@ resources:
-
type: interface
name: nic6
- # force the MAC address of the bridge to this interface
primary: true
# Uncomment when including environments/network-management.yaml
# If setting default route on the Management interface, comment
diff --git a/network/config/single-nic-linux-bridge-vlans/controller-v6.yaml b/network/config/single-nic-linux-bridge-vlans/controller-v6.yaml
index 80125149..a299d23e 100644
--- a/network/config/single-nic-linux-bridge-vlans/controller-v6.yaml
+++ b/network/config/single-nic-linux-bridge-vlans/controller-v6.yaml
@@ -106,7 +106,6 @@ resources:
-
ip_netmask: 169.254.169.254/32
next_hop: {get_param: EC2MetadataIp}
- # IPv4 Default Route
-
default: true
next_hop: {get_param: ControlPlaneDefaultRoute}
@@ -114,7 +113,6 @@ resources:
-
type: interface
name: {get_input: interface_name}
- # force the MAC address of the bridge to this interface
primary: true
-
type: vlan
@@ -124,7 +122,6 @@ resources:
-
ip_netmask: {get_param: ExternalIpSubnet}
routes:
- # IPv6 Default Route
-
default: true
next_hop: {get_param: ExternalInterfaceDefaultRoute}
diff --git a/network/config/single-nic-linux-bridge-vlans/controller.yaml b/network/config/single-nic-linux-bridge-vlans/controller.yaml
index aef5d4e3..bd97ccb0 100644
--- a/network/config/single-nic-linux-bridge-vlans/controller.yaml
+++ b/network/config/single-nic-linux-bridge-vlans/controller.yaml
@@ -104,7 +104,6 @@ resources:
-
ip_netmask: 169.254.169.254/32
next_hop: {get_param: EC2MetadataIp}
- # IPv4 Default Route
-
default: true
next_hop: {get_param: ControlPlaneDefaultRoute}
@@ -112,7 +111,6 @@ resources:
-
type: interface
name: {get_input: interface_name}
- # force the MAC address of the bridge to this interface
primary: true
-
type: vlan
@@ -122,7 +120,6 @@ resources:
-
ip_netmask: {get_param: ExternalIpSubnet}
routes:
- # IPv6 Default Route
-
default: true
next_hop: {get_param: ExternalInterfaceDefaultRoute}
diff --git a/network/config/single-nic-vlans/controller-v6.yaml b/network/config/single-nic-vlans/controller-v6.yaml
index ecbf2efb..bf5656ed 100644
--- a/network/config/single-nic-vlans/controller-v6.yaml
+++ b/network/config/single-nic-vlans/controller-v6.yaml
@@ -106,7 +106,6 @@ resources:
-
ip_netmask: 169.254.169.254/32
next_hop: {get_param: EC2MetadataIp}
- # IPv4 Default Route
-
default: true
next_hop: {get_param: ControlPlaneDefaultRoute}
@@ -114,7 +113,6 @@ resources:
-
type: interface
name: nic1
- # force the MAC address of the bridge to this interface
primary: true
-
type: vlan
@@ -123,7 +121,6 @@ resources:
-
ip_netmask: {get_param: ExternalIpSubnet}
routes:
- # IPv6 Default Route
-
default: true
next_hop: {get_param: ExternalInterfaceDefaultRoute}
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 701c0c6e..30b9f2b9 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -125,6 +125,7 @@ resource_registry:
OS::TripleO::Services::HeatEngine: puppet/services/heat-engine.yaml
OS::TripleO::Services::Kernel: puppet/services/kernel.yaml
OS::TripleO::Services::MySQL: puppet/services/database/mysql.yaml
+ OS::TripleO::Services::MySQLTLS: OS::Heat::None
OS::TripleO::Services::NeutronDhcpAgent: puppet/services/neutron-dhcp.yaml
OS::TripleO::Services::NeutronL3Agent: puppet/services/neutron-l3.yaml
OS::TripleO::Services::NeutronMetadataAgent: puppet/services/neutron-metadata.yaml
diff --git a/puppet/services/database/mysql-internal-tls-certmonger.yaml b/puppet/services/database/mysql-internal-tls-certmonger.yaml
new file mode 100644
index 00000000..3ba51fb6
--- /dev/null
+++ b/puppet/services/database/mysql-internal-tls-certmonger.yaml
@@ -0,0 +1,43 @@
+heat_template_version: 2016-10-14
+
+description: >
+ MySQL configurations for using TLS via certmonger.
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ # The following parameters are not needed by the template but are
+ # required to pass the pep8 tests
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+
+outputs:
+ role_data:
+ description: MySQL configurations for using TLS via certmonger.
+ value:
+ service_name: mysql_internal_tls_certmonger
+ config_settings:
+ generate_service_certificates: true
+ tripleo::profile::base::database::mysql::certificate_specs:
+ service_certificate: '/etc/pki/tls/certs/mysql.crt'
+ service_key: '/etc/pki/tls/private/mysql.key'
+ hostname:
+ str_replace:
+ template: "%{hiera('cloud_name_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+ principal:
+ str_replace:
+ template: "mysql/%{hiera('cloud_name_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
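Review bot: The two `str_replace` templates under `hostname` and `principal` use the bare token `NETWORK`, while the equivalent lookup in puppet/services/database/mysql.yaml in this same commit uses the sigil-prefixed `$NETWORK`; a bare word is the more fragile choice because it also matches any other occurrence the template text might later gain, so `template: "mysql/%{hiera('cloud_name_$NETWORK')}"` with `$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}` would keep the two files consistent (if the bare form was chosen to mirror apache-internal-tls-certmonger.yaml, a one-line comment saying so would do). A comment above `certificate_specs` would also help a reader: the certificate is requested for the `cloud_name_<network>` hiera value on the MySQL network, whereas mysql.yaml binds the listener to `%{::fqdn_<network>}`, so clients that connect to a per-node FQDN rather than that name would presumably fail hostname verification — worth confirming against the clients' connection settings before this is enabled. The `DefaultPasswords` and `EndpointMap` parameters are, as the comment says, unused here and exist only for the pep8 check.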
diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml
index 094a7c9f..651bf4b1 100644
--- a/puppet/services/database/mysql.yaml
+++ b/puppet/services/database/mysql.yaml
@@ -35,50 +35,60 @@ parameters:
description: Whether to use Galera instead of regular MariaDB.
type: boolean
+resources:
+
+ MySQLTLS:
+ type: OS::TripleO::Services::MySQLTLS
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+
outputs:
role_data:
description: Service MySQL using composable services.
value:
service_name: mysql
config_settings:
- # The Galera package should work in cluster and
- # non-cluster modes based on the config file.
- # We set the package name here explicitly so
- # that it matches what we pre-install
- # in tripleo-puppet-elements.
- mysql::server::package_name: 'mariadb-galera-server'
- mysql::server::manage_config_file: true
- tripleo.mysql.firewall_rules:
- '104 mysql galera':
- dport:
- - 873
- - 3306
- - 4444
- - 4567
- - 4568
- - 9200
- mysql_max_connections: {get_param: MysqlMaxConnections}
- mysql::server::root_password:
- yaql:
- expression: $.data.passwords.where($ != '').first()
- data:
- passwords:
- - {get_param: MysqlRootPassword}
- - {get_param: [DefaultPasswords, mysql_root_password]}
- mysql_clustercheck_password: {get_param: MysqlClustercheckPassword}
- enable_galera: {get_param: EnableGalera}
- # NOTE: bind IP is found in Heat replacing the network name with the
- # local node IP for the given network; replacement examples
- # (eg. for internal_api):
- # internal_api -> IP
- # internal_api_uri -> [IP]
- # internal_api_subnet - > IP/CIDR
- mysql_bind_host: {get_param: [ServiceNetMap, MysqlNetwork]}
- tripleo::profile::base::database::mysql::bind_address:
- str_replace:
- template:
- '"%{::fqdn_$NETWORK}"'
- params:
- $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+ map_merge:
+ - get_attr: [MySQLTLS, role_data, config_settings]
+ -
+ # The Galera package should work in cluster and
+ # non-cluster modes based on the config file.
+ # We set the package name here explicitly so
+ # that it matches what we pre-install
+ # in tripleo-puppet-elements.
+ mysql::server::package_name: 'mariadb-galera-server'
+ mysql::server::manage_config_file: true
+ tripleo.mysql.firewall_rules:
+ '104 mysql galera':
+ dport:
+ - 873
+ - 3306
+ - 4444
+ - 4567
+ - 4568
+ - 9200
+ mysql_max_connections: {get_param: MysqlMaxConnections}
+ mysql::server::root_password:
+ yaql:
+ expression: $.data.passwords.where($ != '').first()
+ data:
+ passwords:
+ - {get_param: MysqlRootPassword}
+ - {get_param: [DefaultPasswords, mysql_root_password]}
+ mysql_clustercheck_password: {get_param: MysqlClustercheckPassword}
+ enable_galera: {get_param: EnableGalera}
+ # NOTE: bind IP is found in Heat replacing the network name with the
+ # local node IP for the given network; replacement examples
+ # (eg. for internal_api):
+ # internal_api -> IP
+ # internal_api_uri -> [IP]
+ # internal_api_subnet - > IP/CIDR
+ mysql_bind_host: {get_param: [ServiceNetMap, MysqlNetwork]}
+ tripleo::profile::base::database::mysql::bind_address:
+ str_replace:
+ template:
+ '"%{::fqdn_$NETWORK}"'
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
step_config: |
include ::tripleo::profile::base::database::mysql
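Review bot: The `map_merge` introduced at the top of `config_settings` gives no hint that its first element is empty in the default deployment: `OS::TripleO::Services::MySQLTLS` is registered as `OS::Heat::None` in overcloud-resource-registry-puppet.j2.yaml and only resolves to the certmonger template when environments/enable-internal-tls.yaml is included. A comment such as `# MySQLTLS is OS::Heat::None unless enable-internal-tls.yaml is used; later maps win on key conflicts, so the base settings below take precedence` above `- get_attr: [MySQLTLS, role_data, config_settings]` would record both facts. Because the TLS map is merged first, any key it shares with the base map is silently overridden by the base value — if the intent is for the TLS profile to be able to override (for example the bind address), the two list entries should be swapped. The `parameters` block this hunk begins in and the `outputs` block it ends in both extend outside the hunk.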
diff --git a/puppet/services/monitoring/sensu-base.yaml b/puppet/services/monitoring/sensu-base.yaml
index e5762328..ea23b8b6 100644
--- a/puppet/services/monitoring/sensu-base.yaml
+++ b/puppet/services/monitoring/sensu-base.yaml
@@ -45,7 +45,7 @@ parameters:
default: '/sensu'
SensuRedactVariables:
description: Variables from Sensu configuration, which have to be redacted.
- type: array
+ type: comma_delimited_list
default:
- password
- passwd
diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml
index 129f9b10..ba184ab0 100644
--- a/puppet/services/swift-proxy.yaml
+++ b/puppet/services/swift-proxy.yaml
@@ -100,6 +100,11 @@ outputs:
- 'authtoken'
- 'keystone'
- 'staticweb'
+ - 'copy'
+ - 'container-quotas'
+ - 'account-quotas'
+ - 'slo'
+ - 'dlo'
- 'versioned_writes'
- 'ceilometer'
- 'proxy-logging'
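Review bot: The five middlewares inserted after `'staticweb'` are order-sensitive and nothing in the template records that: `copy` has to precede the quota, `slo` and `dlo` filters, and all of them precede `versioned_writes`, which is the order Swift's sample proxy pipeline uses and the order the hunk follows. A comment above `- 'copy'`, `# order matters: copy precedes the quota/slo/dlo filters, which precede versioned_writes`, would keep a later edit from reshuffling them. As far as I recall, `container-quotas` and `account-quotas` only enforce a limit where the corresponding quota metadata has been set, so this change is inert until an operator configures quotas — worth stating in the template so the added filters are not mistaken for an active limit. The pipeline list starts before this hunk, inside the `outputs` block.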