10 files changed, 136 insertions, 9 deletions

diff --git a/environments/enable-internal-tls.yaml b/environments/enable-internal-tls.yaml
index 6e912faa..d2fc59c6 100644
--- a/environments/enable-internal-tls.yaml
+++ b/environments/enable-internal-tls.yaml
@@ -6,3 +6,5 @@ resource_registry:
   OS::TripleO::Services::HAProxyInternalTLS: ../puppet/services/haproxy-internal-tls-certmonger.yaml
   OS::TripleO::Services::ApacheTLS: ../puppet/services/apache-internal-tls-certmonger.yaml
   OS::TripleO::Services::MySQLTLS: ../puppet/services/database/mysql-internal-tls-certmonger.yaml
+  # We use apache as a TLS proxy
+  OS::TripleO::Services::TLSProxyBase: ../puppet/services/apache.yaml
diff --git a/environments/puppet-pacemaker.yaml b/environments/puppet-pacemaker.yaml
index 0b71dbd9..da607a72 100644
--- a/environments/puppet-pacemaker.yaml
+++ b/environments/puppet-pacemaker.yaml
@@ -12,6 +12,7 @@ resource_registry:
   OS::TripleO::Services::RabbitMQ: ../puppet/services/pacemaker/rabbitmq.yaml
   OS::TripleO::Services::HAproxy: ../puppet/services/pacemaker/haproxy.yaml
   OS::TripleO::Services::Pacemaker: ../puppet/services/pacemaker.yaml
+  OS::TripleO::Services::PacemakerRemote: ../puppet/services/pacemaker_remote.yaml
   OS::TripleO::Services::Redis: ../puppet/services/pacemaker/database/redis.yaml
   OS::TripleO::Services::MySQL: ../puppet/services/pacemaker/database/mysql.yaml
   # Services that are disabled by default (use relevant environment files):
diff --git a/extraconfig/tasks/yum_update.sh b/extraconfig/tasks/yum_update.sh
index 74af7b02..edcc9e8e 100755
--- a/extraconfig/tasks/yum_update.sh
+++ b/extraconfig/tasks/yum_update.sh
@@ -42,7 +42,7 @@ if [[ "$list_updates" == "" ]]; then
     exit 0
 fi
 
-pacemaker_status=$(systemctl is-active pacemaker)
+pacemaker_status=$(systemctl is-active pacemaker || :)
 
 # Fix the redis/rabbit resource start/stop timeouts. See https://bugs.launchpad.net/tripleo/+bug/1633455
 # and https://bugs.launchpad.net/tripleo/+bug/1634851
diff --git a/network/service_net_map.j2.yaml b/network/service_net_map.j2.yaml
index 36342cb7..cb4f464a 100644
--- a/network/service_net_map.j2.yaml
+++ b/network/service_net_map.j2.yaml
@@ -64,6 +64,7 @@ parameters:
       OvnDbsNetwork: internal_api
       MistralApiNetwork: internal_api
       ZaqarApiNetwork: internal_api
+      PacemakerRemoteNetwork: internal_api
       # We special-case the default ResolveNetwork for the CephStorage role
       # for backwards compatibility, all other roles default to internal_api
       CephStorageHostnameResolveNetwork: storage
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 47dfebb2..0612b186 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -130,6 +130,7 @@ resource_registry:
   OS::TripleO::Services::BlockStorageCinderVolume: puppet/services/cinder-volume.yaml
   OS::TripleO::Services::Keystone: puppet/services/keystone.yaml
   OS::TripleO::Services::GlanceApi: puppet/services/glance-api.yaml
+  OS::TripleO::Services::GlanceRegistry: puppet/services/disabled/glance-registry.yaml
   OS::TripleO::Services::HeatApi: puppet/services/heat-api.yaml
   OS::TripleO::Services::HeatApiCfn: puppet/services/heat-api-cfn.yaml
   OS::TripleO::Services::HeatApiCloudwatch: puppet/services/heat-api-cloudwatch.yaml
@@ -159,6 +160,7 @@ resource_registry:
   OS::TripleO::Services::NeutronOvsAgent: puppet/services/neutron-ovs-agent.yaml
   OS::TripleO::Services::ComputeNeutronOvsAgent: puppet/services/neutron-ovs-agent.yaml
   OS::TripleO::Services::Pacemaker: OS::Heat::None
+  OS::TripleO::Services::PacemakerRemote: OS::Heat::None
   OS::TripleO::Services::NeutronSriovAgent: OS::Heat::None
   OS::TripleO::Services::RabbitMQ: puppet/services/rabbitmq.yaml
   OS::TripleO::Services::HAproxy: puppet/services/haproxy.yaml
@@ -229,6 +231,7 @@ resource_registry:
   OS::TripleO::Services::ContrailControl: puppet/services/network/contrail-control.yaml
   OS::TripleO::Services::ContrailDatabase: puppet/services/network/contrail-database.yaml
   OS::TripleO::Services::ContrailWebui: puppet/services/network/contrail-webui.yaml
+  OS::TripleO::Services::TLSProxyBase: OS::Heat::None
   OS::TripleO::Services::Zaqar: OS::Heat::None
   OS::TripleO::Services::NeutronML2FujitsuCfab: OS::Heat::None
   OS::TripleO::Services::NeutronML2FujitsuFossw: OS::Heat::None
diff --git a/puppet/post.j2.yaml b/puppet/post.j2.yaml
index 2a02ea19..83c32868 100644
--- a/puppet/post.j2.yaml
+++ b/puppet/post.j2.yaml
@@ -21,11 +21,10 @@ parameters:
       perform configuration on a Heat stack-update.
 
 resources:
-
-{% for role in roles %}
   # Post deployment steps for all roles
   # A single config is re-applied with an incrementing step number
-  # {{role.name}} Role steps
+{% for role in roles %}
+  # {{role.name}} Role post deploy steps
   {{role.name}}ArtifactsConfig:
     type: deploy-artifacts.yaml
 
@@ -58,8 +57,6 @@ resources:
 
   # Step through a series of configuration steps
 {% for step in range(1, 6) %}
-  {% for role in roles %}
-
   {{role.name}}Deployment_Step{{step}}:
     type: OS::Heat::StructuredDeploymentGroup
   {% if step == 1 %}
@@ -77,8 +74,6 @@ resources:
       input_values:
         step: {{step}}
         update_identifier: {get_param: DeployIdentifier}
-
-  {% endfor %}
 {% endfor %}
 
   {{role.name}}PostConfig:
diff --git a/puppet/services/disabled/glance-registry.yaml b/puppet/services/disabled/glance-registry.yaml
new file mode 100644
index 00000000..4d22bddc
--- /dev/null
+++ b/puppet/services/disabled/glance-registry.yaml
@@ -0,0 +1,30 @@
+heat_template_version: ocata
+
+description: >
+  OpenStack Glance Registry service, disabled since ocata
+
+parameters:
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+
+outputs:
+  role_data:
+    description: Role data for the disabled Glance Registry role.
+    value:
+      service_name: glance_registry
+      upgrade_tasks:
+        - name: Stop and disable glance_registry service on upgrade
+          tags: step2
+          service: name=openstack-glance-registry state=stopped enabled=no
diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml
index 3ddb1927..09ea5d22 100644
--- a/puppet/services/glance-api.yaml
+++ b/puppet/services/glance-api.yaml
@@ -45,8 +45,23 @@ parameters:
     default:
       tag: openstack.glance.api
       path: /var/log/glance/api.log
+  EnableInternalTLS:
+    type: boolean
+    default: false
+
+conditions:
+  use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
 
 resources:
+
+  TLSProxyBase:
+    type: OS::TripleO::Services::TLSProxyBase
+    properties:
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
+      EnableInternalTLS: {get_param: EnableInternalTLS}
+
   GlanceBase:
     type: ./glance-base.yaml
     properties:
@@ -66,6 +81,7 @@ outputs:
       config_settings:
         map_merge:
           - get_attr: [GlanceBase, role_data, config_settings]
+          - get_attr: [TLSProxyBase, role_data, config_settings]
           - glance::api::database_connection:
               list_join:
                 - ''
@@ -100,7 +116,23 @@ outputs:
             # internal_api -> IP
             # internal_api_uri -> [IP]
             # internal_api_subnet - > IP/CIDR
-            glance::api::bind_host: {get_param: [ServiceNetMap, GlanceApiNetwork]}
+            tripleo::profile::base::glance::api::tls_proxy_bind_ip:
+              get_param: [ServiceNetMap, GlanceApiNetwork]
+            tripleo::profile::base::glance::api::tls_proxy_fqdn:
+              str_replace:
+                template:
+                  "%{hiera('fqdn_$NETWORK')}"
+                params:
+                  $NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]}
+            tripleo::profile::base::glance::api::tls_proxy_port:
+              get_param: [EndpointMap, GlanceInternal, port]
+            # Bind to localhost if internal TLS is enabled, since we put a TLs
+            # proxy in front.
+            glance::api::bind_host:
+              if:
+              - use_tls_proxy
+              - 'localhost'
+              - {get_param: [ServiceNetMap, GlanceApiNetwork]}
       step_config: |
         include ::tripleo::profile::base::glance::api
       service_config_settings:
diff --git a/puppet/services/pacemaker.yaml b/puppet/services/pacemaker.yaml
index 9adf1bdb..a8a9fb99 100644
--- a/puppet/services/pacemaker.yaml
+++ b/puppet/services/pacemaker.yaml
@@ -29,6 +29,11 @@ parameters:
     default: false
     description: Whether to enable fencing in Pacemaker or not.
     type: boolean
+  PacemakerRemoteAuthkey:
+    type: string
+    description: The authkey for the pacemaker remote service.
+    hidden: true
+    default: ''
   PcsdPassword:
     type: string
     description: The password for the 'pcsd' user for pacemaker.
@@ -112,5 +117,6 @@ outputs:
               passwords:
                 - {get_param: PcsdPassword}
                 - {get_param: [DefaultPasswords, pcsd_password]}
+        tripleo::profile::base::pacemaker::remote_authkey: {get_param: PacemakerRemoteAuthkey}
       step_config: |
         include ::tripleo::profile::base::pacemaker
diff --git a/puppet/services/pacemaker_remote.yaml b/puppet/services/pacemaker_remote.yaml
new file mode 100644
index 00000000..daee43e6
--- /dev/null
+++ b/puppet/services/pacemaker_remote.yaml
@@ -0,0 +1,57 @@
+heat_template_version: ocata
+
+description: >
+  Pacemaker remote service configured with Puppet
+
+parameters:
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  PacemakerRemoteAuthkey:
+    type: string
+    description: The authkey for the pacemaker remote service.
+    hidden: true
+    default: ''
+  MonitoringSubscriptionPacemakerRemote:
+    default: 'overcloud-pacemaker_remote'
+    type: string
+  PacemakerRemoteLoggingSource:
+    type: json
+    default:
+      tag: system.pacemaker_remote
+      path: /var/log/pacemaker.log
+      format: >-
+        /^(?<time>[^ ]*\s*[^ ]* [^ ]*)
+        \[(?<pid>[^ ]*)\]
+        (?<host>[^ ]*)
+        (?<message>.*)$/
+
+outputs:
+  role_data:
+    description: Role data for the Pacemaker remote role.
+    value:
+      service_name: pacemaker_remote
+      monitoring_subscription: {get_param: MonitoringSubscriptionPacemakerRemote}
+      logging_groups:
+        - haclient
+      logging_source: {get_param: PacemakerRemoteLoggingSource}
+      config_settings:
+        tripleo.pacemaker_remote.firewall_rules:
+          '130 pacemaker_remote tcp':
+            proto: 'tcp'
+            dport:
+              - 3121
+        tripleo::profile::base::pacemaker_remote::remote_authkey: {get_param: PacemakerRemoteAuthkey}
+      step_config: |
+        include ::tripleo::profile::base::pacemaker_remote