1 files changed, 64 insertions, 15 deletions
diff --git a/puppet/controller.yaml b/puppet/controller.yaml
index d47e013e..388c06a2 100644
--- a/puppet/controller.yaml
+++ b/puppet/controller.yaml
@@ -106,6 +106,10 @@ parameters:
     default: true
     description: Whether to use Galera instead of regular MariaDB.
     type: boolean
+  EnableLoadBalancer:
+    default: true
+    description: Whether to deploy a LoadBalancer on the Controller
+    type: boolean
   EnableCephStorage:
     default: false
     description: Whether to deploy Ceph Storage (OSD) on the Controller
@@ -326,6 +330,22 @@ parameters:
     default: 'dhcp-option-force=26,1400'
     description: Dnsmasq options for neutron-dhcp-agent. The default value here forces MTU to be set to 1400 to account for the gre tunnel overhead.
     type: string
+  NeutronEnableDHCPAgent:
+    description: Knob to enable/disable DHCP Agent
+    type: boolean
+    default: true
+  NeutronEnableL3Agent:
+    description: Knob to enable/disable L3 agent
+    type: boolean
+    default: true
+  NeutronEnableMetadataAgent:
+    description: Knob to enable/disable Metadata agent
+    type: boolean
+    default: true
+  NeutronEnableOVSAgent:
+    description: Knob to enable/disable OVS Agent
+    type: boolean
+    default: true
   NeutronAgentMode:
     default: 'dvr_snat'
     description: Agent mode for the neutron-l3-agent on the controller hosts
@@ -522,20 +542,6 @@ parameters:
     description: The user password for SNMPd with readonly rights running on all Overcloud nodes
     type: string
     hidden: true
-  SSLCACertificate:
-    default: ''
-    description: If set, the contents of an SSL certificate authority file.
-    type: string
-  SSLCertificate:
-    default: ''
-    description: If set, the contents of an SSL certificate .crt file for encrypting SSL endpoints.
-    type: string
-    hidden: true
-  SSLKey:
-    default: ''
-    description: If set, the contents of an SSL certificate .key file for encrypting SSL endpoints.
-    type: string
-    hidden: true
   SwiftHashSuffix:
     default: unset
     description: A random string to be used as a salt when hashing to determine mappings
@@ -619,6 +625,9 @@ parameters:
     description: >
       Heat action when to apply network configuration changes
     default: ['CREATE']
+  NodeIndex:
+    type: number
+    default: 0
 
 resources:
 
@@ -720,6 +729,21 @@ resources:
         bridge_name: br-ex
         interface_name: {get_param: NeutronPublicInterface}
 
+  # Resource for site-specific injection of root certificate
+  NodeTLSCAData:
+    depends_on: NetworkDeployment
+    type: OS::TripleO::NodeTLSCAData
+    properties:
+      server: {get_resource: Controller}
+
+  # Hook for site-specific passing of private keys/certificates
+  NodeTLSData:
+    depends_on: NodeTLSCAData
+    type: OS::TripleO::NodeTLSData
+    properties:
+      server: {get_resource: Controller}
+      NodeIndex: {get_param: NodeIndex}
+
   ControllerDeployment:
     type: OS::TripleO::SoftwareDeployment
     depends_on: NetworkDeployment
@@ -831,6 +855,7 @@ resources:
         keystone_ec2_uri: { get_param: [EndpointMap, KeystoneEC2, uri] }
         enable_fencing: {get_param: EnableFencing}
         enable_galera: {get_param: EnableGalera}
+        enable_load_balancer: {get_param: EnableLoadBalancer}
         enable_ceph_storage: {get_param: EnableCephStorage}
         enable_swift_storage: {get_param: EnableSwiftStorage}
         manage_firewall: {get_param: ManageFirewall}
@@ -864,6 +889,10 @@ resources:
                 list_join:
                 - "','"
                 - {get_param: NeutronTypeDrivers}
+        neutron_enable_dhcp_agent: {get_param: NeutronEnableDHCPAgent}
+        neutron_enable_l3_agent: {get_param: NeutronEnableL3Agent}
+        neutron_enable_metadata_agent: {get_param: NeutronEnableMetadataAgent}
+        neutron_enable_ovs_agent: {get_param: NeutronEnableOVSAgent}
         neutron_mechanism_drivers: {get_param: NeutronMechanismDrivers}
         neutron_allow_l3agent_failover: {get_param: NeutronAllowL3AgentFailover}
         neutron_l3_ha: {get_param: NeutronL3HA}
@@ -1026,6 +1055,7 @@ resources:
             - neutron_bigswitch_data # Optionally provided by ControllerExtraConfigPre
             - neutron_cisco_data # Optionally provided by ControllerExtraConfigPre
             - cisco_n1kv_data # Optionally provided by ControllerExtraConfigPre
+            - neutron_nuage_data # Optionally provided by ControllerExtraConfigPre
           datafiles:
             controller_extraconfig:
               mapped_data: {get_param: ControllerExtraConfig}
@@ -1050,6 +1080,7 @@ resources:
 
                 # Pacemaker
                 enable_fencing: {get_input: enable_fencing}
+                enable_load_balancer: {get_input: enable_load_balancer}
                 hacluster_pwd: {get_input: pcsd_password}
                 tripleo::fencing::config: {get_input: fencing_config}
 
@@ -1202,6 +1233,10 @@ resources:
                 neutron_router_distributed: {get_input: neutron_router_distributed}
                 neutron::core_plugin: {get_input: neutron_core_plugin}
                 neutron::service_plugins: {get_input: neutron_service_plugins}
+                neutron::enable_dhcp_agent: {get_input: neutron_enable_dhcp_agent}
+                neutron::enable_l3_agent: {get_input: neutron_enable_l3_agent}
+                neutron::enable_metadata_agent: {get_input: neutron_enable_metadata_agent}
+                neutron::enable_ovs_agent: {get_input: neutron_enable_ovs_agent}
                 neutron::plugins::ml2::type_drivers: {get_input: neutron_type_drivers}
                 neutron_mechanism_drivers: {get_input: neutron_mechanism_drivers}
                 neutron::server::allow_automatic_l3agent_failover: {get_input: neutron_allow_l3agent_failover}
@@ -1302,6 +1337,12 @@ resources:
                 tripleo::loadbalancer::control_virtual_interface: {get_input: control_virtual_interface}
                 tripleo::loadbalancer::public_virtual_interface: {get_input: public_virtual_interface}
                 tripleo::loadbalancer::haproxy_log_address: {get_input: haproxy_log_address}
+                # NOTE(jaosorior): The service certificate configuration for
+                # HAProxy was left commented because to properly use this, we
+                # need to be able to set up the keystone endpoints. And
+                # currently that is not possible, but is being addressed by
+                # other commits.  A subsequent commit will uncomment this.
+                #tripleo::loadbalancer::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]}
                 tripleo::packages::enable_install: {get_input: enable_package_install}
                 tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade}
 
@@ -1315,7 +1356,7 @@ resources:
   # Hook for site-specific additional pre-deployment config,
   # applying to all nodes, e.g node registration/unregistration
   NodeExtraConfig:
-    depends_on: ControllerExtraConfigPre
+    depends_on: [ControllerExtraConfigPre, NodeTLSData]
     type: OS::TripleO::NodeExtraConfig
     properties:
         server: {get_resource: Controller}
@@ -1395,5 +1436,13 @@ outputs:
       list_join:
         - ','
         - - {get_attr: [ControllerDeployment, deploy_stdout]}
+          - {get_attr: [NodeTLSCAData, deploy_stdout]}
+          - {get_attr: [NodeTLSData, deploy_stdout]}
           - {get_attr: [ControllerExtraConfigPre, deploy_stdout]}
           - {get_param: UpdateIdentifier}
+  tls_key_modulus_md5:
+    description: MD5 checksum of the TLS Key Modulus
+    value: {get_attr: [NodeTLSData, key_modulus_md5]}
+  tls_cert_modulus_md5:
+    description: MD5 checksum of the TLS Certificate Modulus
+    value: {get_attr: [NodeTLSData, cert_modulus_md5]}