1 files changed, 49 insertions, 12 deletions
diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml
index cf444215..bb102c08 100644
--- a/puppet/services/neutron-api.yaml
+++ b/puppet/services/neutron-api.yaml
@@ -71,6 +71,9 @@ parameters:
       removed in Ocata.  Future releases will enable L3 HA by default if it is
       appropriate for the deployment type. Alternate mechanisms will be
       available to override.
+  EnableInternalTLS:
+    type: boolean
+    default: false
 
 parameter_groups:
 - label: deprecated
@@ -82,8 +85,19 @@ parameter_groups:
   parameters:
   - NeutronL3HA
 
+conditions:
+  use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
+
 resources:
 
+  TLSProxyBase:
+    type: OS::TripleO::Services::TLSProxyBase
+    properties:
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
+      EnableInternalTLS: {get_param: EnableInternalTLS}
+
   NeutronBase:
     type: ./neutron-base.yaml
     properties:
@@ -103,6 +117,7 @@ outputs:
       config_settings:
         map_merge:
           - get_attr: [NeutronBase, role_data, config_settings]
+          - get_attr: [TLSProxyBase, role_data, config_settings]
           - neutron::server::database_connection:
               list_join:
                 - ''
@@ -112,22 +127,21 @@ outputs:
                   - '@'
                   - {get_param: [EndpointMap, MysqlInternal, host]}
                   - '/ovs_neutron'
-                  - '?bind_address='
-                  - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
-            neutron::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
-            neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+                  - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo'
+            neutron::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
+            neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
             neutron::server::api_workers: {get_param: NeutronWorkers}
             neutron::server::rpc_workers: {get_param: NeutronWorkers}
             neutron::server::allow_automatic_l3agent_failover: {get_param: NeutronAllowL3AgentFailover}
             neutron::server::enable_proxy_headers_parsing: true
             neutron::keystone::authtoken::password: {get_param: NeutronPassword}
-
-            neutron::server::notifications::nova_url: { get_param: [ EndpointMap, NovaInternal, uri ] }
-            neutron::server::notifications::auth_url: { get_param: [ EndpointMap, KeystoneV3Admin, uri ] }
+            neutron::server::notifications::auth_url: { get_param: [ EndpointMap, KeystoneInternal, uri_no_suffix ] }
             neutron::server::notifications::tenant_name: 'service'
             neutron::server::notifications::project_name: 'service'
             neutron::server::notifications::password: {get_param: NovaPassword}
             neutron::keystone::authtoken::project_name: 'service'
+            neutron::keystone::authtoken::user_domain_name: 'Default'
+            neutron::keystone::authtoken::project_domain_name: 'Default'
             neutron::server::sync_db: true
             tripleo.neutron_api.firewall_rules:
               '114 neutron api':
@@ -140,7 +154,23 @@ outputs:
             # internal_api -> IP
             # internal_api_uri -> [IP]
             # internal_api_subnet - > IP/CIDR
-            neutron::bind_host: {get_param: [ServiceNetMap, NeutronApiNetwork]}
+            tripleo::profile::base::neutron::server::tls_proxy_bind_ip:
+              get_param: [ServiceNetMap, NeutronApiNetwork]
+            tripleo::profile::base::neutron::server::tls_proxy_fqdn:
+              str_replace:
+                template:
+                  "%{hiera('fqdn_$NETWORK')}"
+                params:
+                  $NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
+            tripleo::profile::base::neutron::server::tls_proxy_port:
+              get_param: [EndpointMap, NeutronInternal, port]
+            # Bind to localhost if internal TLS is enabled, since we put a TLS
+            # proxy in front.
+            neutron::bind_host:
+              if:
+              - use_tls_proxy
+              - 'localhost'
+              - {get_param: [ServiceNetMap, NeutronApiNetwork]}
             tripleo::profile::base::neutron::server::l3_ha_override: {get_param: NeutronL3HA}
       step_config: |
         include tripleo::profile::base::neutron::server
@@ -161,9 +191,16 @@ outputs:
             - '%'
             - "%{hiera('mysql_bind_host')}"
       upgrade_tasks:
+        - name: Check if neutron_server is deployed
+          command: systemctl is-enabled neutron-server
+          tags: common
+          ignore_errors: True
+          register: neutron_server_enabled
+        - name: "PreUpgrade step0,validation: Check service neutron-server is running"
+          shell: /usr/bin/systemctl show 'neutron-server' --property ActiveState | grep '\bactive\b'
+          when: neutron_server_enabled.rc == 0
+          tags: step0,validation
         - name: Stop neutron_api service
-          tags: step2
+          tags: step1
+          when: neutron_server_enabled.rc == 0
           service: name=neutron-server state=stopped
-        - name: Sync neutron_api DB
-          tags: step5
-          command: neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugin.ini upgrade head