summaryrefslogtreecommitdiffstats
path: root/puppet/services
diff options
context:
space:
mode:
Diffstat (limited to 'puppet/services')
-rw-r--r--puppet/services/database/redis-base.yaml20
-rw-r--r--puppet/services/database/redis.yaml41
-rw-r--r--puppet/services/manila-backend-isilon.yaml72
-rw-r--r--puppet/services/pacemaker/database/redis.yaml11
-rw-r--r--puppet/services/rabbitmq.yaml1
5 files changed, 143 insertions, 2 deletions
diff --git a/puppet/services/database/redis-base.yaml b/puppet/services/database/redis-base.yaml
index 2a6a89e9..8436062a 100644
--- a/puppet/services/database/redis-base.yaml
+++ b/puppet/services/database/redis-base.yaml
@@ -38,6 +38,12 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
+ EnableInternalTLS:
+ type: boolean
+ default: false
+
+conditions:
+ use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
outputs:
role_data:
@@ -53,10 +59,20 @@ outputs:
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
- redis::bind: {get_param: [ServiceNetMap, RedisNetwork]}
+ # Bind to localhost if internal TLS is enabled, since we put a TLs
+ # proxy in front.
+ redis::bind:
+ if:
+ - use_tls_proxy
+ - 'localhost'
+ - {get_param: [ServiceNetMap, RedisNetwork]}
redis::port: 6379
redis::sentinel::master_name: "%{hiera('bootstrap_nodeid')}"
redis::sentinel::redis_host: "%{hiera('bootstrap_nodeid_ip')}"
redis::sentinel::notification_script: '/usr/local/bin/redis-notifications.sh'
- redis::sentinel::sentinel_bind: {get_param: [ServiceNetMap, RedisNetwork]}
+ redis::sentinel::sentinel_bind:
+ if:
+ - use_tls_proxy
+ - 'localhost'
+ - {get_param: [ServiceNetMap, RedisNetwork]}
redis::ulimit: {get_param: RedisFDLimit}
diff --git a/puppet/services/database/redis.yaml b/puppet/services/database/redis.yaml
index bdcc4fcd..810e467e 100644
--- a/puppet/services/database/redis.yaml
+++ b/puppet/services/database/redis.yaml
@@ -30,8 +30,15 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
+ EnableInternalTLS:
+ type: boolean
+ default: false
+
+conditions:
+ use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
resources:
+
RedisBase:
type: ./redis-base.yaml
properties:
@@ -41,6 +48,7 @@ resources:
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
+ EnableInternalTLS: {get_param: EnableInternalTLS}
outputs:
role_data:
@@ -55,8 +63,41 @@ outputs:
dport:
- 6379
- 26379
+ tripleo::profile::base::database::redis::tls_proxy_bind_ip:
+ get_param: [ServiceNetMap, RedisNetwork]
+ tripleo::profile::base::database::redis::tls_proxy_fqdn:
+ str_replace:
+ template:
+ "%{hiera('fqdn_$NETWORK')}"
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
+ tripleo::profile::base::database::redis::tls_proxy_port: 6379
+ - if:
+ - use_tls_proxy
+ - redis_certificate_specs:
+ service_certificate: '/etc/pki/tls/certs/redis.crt'
+ service_key: '/etc/pki/tls/private/redis.key'
+ hostname:
+ str_replace:
+ template: "%{hiera('cloud_name_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
+ principal:
+ str_replace:
+ template: "redis/%{hiera('cloud_name_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
+ - {}
step_config: |
include ::tripleo::profile::base::database::redis
+ metadata_settings:
+ if:
+ - use_tls_proxy
+ -
+ - service: redis
+ network: {get_param: [ServiceNetMap, RabbitmqNetwork]}
+ type: vip
+ - null
upgrade_tasks:
- name: Check if redis is deployed
command: systemctl is-enabled redis
diff --git a/puppet/services/manila-backend-isilon.yaml b/puppet/services/manila-backend-isilon.yaml
new file mode 100644
index 00000000..6d8a1fb6
--- /dev/null
+++ b/puppet/services/manila-backend-isilon.yaml
@@ -0,0 +1,72 @@
+heat_template_version: pike
+
+description: >
+ Openstack Manila isilon backend.
+
+parameters:
+ ManilaIsilonDriverHandlesShareServers:
+ type: string
+ default: true
+ ManilaIsilonBackendName:
+ type: string
+ default: tripleo_isilon
+ ManilaIsilonNasLogin:
+ type: string
+ default: ''
+ ManilaIsilonNasPassword:
+ type: string
+ default: ''
+ ManilaIsilonNasServer:
+ type: string
+ default: ''
+ ManilaIsilonNasRootDir:
+ type: string
+ default: ''
+ ManilaIsilonNasServerPort:
+ type: number
+ default: 8080
+ ManilaIsilonNasServerSecure:
+ type: string
+ default: ''
+ ServiceData:
+ default: {}
+ description: Dictionary packing service data
+ type: json
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+ EndpointMap:
+ default: {}
+ type: json
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+
+outputs:
+ role_data:
+ description: Role data for the Manila Isilon backend.
+ value:
+ service_name: manila_backend_isilon
+ config_settings:
+ manila::backend::dellemc_isilon::title: {get_param: ManilaIsilonBackendName}
+ manila::backend::dellemc_isilon::emc_nas_login: {get_param: ManilaIsilonNasLogin}
+ manila::backend::dellemc_isilon::driver_handles_share_servers: {get_param: ManilaIsilonDriverHandlesShareServers}
+ manila::backend::dellemc_isilon::emc_nas_password: {get_param: ManilaIsilonNasPassword}
+ manila::backend::dellemc_isilon::emc_nas_server: {get_param: ManilaIsilonNasServer}
+ manila::backend::dellemc_isilon::emc_nas_root_dir: {get_param: ManilaIsilonNasRootDir}
+ manila::backend::dellemc_isilon::emc_nas_server_port: {get_param: ManilaIsilonNasServerPort}
+ manila::backend::dellemc_isilon::emc_nas_server_secure: {get_param: ManilaIsilonNasServerSecure}
+ step_config:
diff --git a/puppet/services/pacemaker/database/redis.yaml b/puppet/services/pacemaker/database/redis.yaml
index 66eb4b2a..e466f304 100644
--- a/puppet/services/pacemaker/database/redis.yaml
+++ b/puppet/services/pacemaker/database/redis.yaml
@@ -53,5 +53,16 @@ outputs:
- redis::service_manage: false
redis::notify_service: false
redis::managed_by_cluster_manager: true
+ tripleo::profile::pacemaker::database::redis::tls_proxy_bind_ip:
+ get_param: [ServiceNetMap, RedisNetwork]
+ tripleo::profile::pacemaker::database::redis::tls_proxy_fqdn:
+ str_replace:
+ template:
+ "%{hiera('fqdn_$NETWORK')}"
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
+ tripleo::profile::pacemaker::database::redis::tls_proxy_port: 6379
step_config: |
include ::tripleo::profile::pacemaker::database::redis
+ metadata_settings:
+ get_attr: [RedisBase, role_data, metadata_settings]
diff --git a/puppet/services/rabbitmq.yaml b/puppet/services/rabbitmq.yaml
index ba3a0984..a1a60201 100644
--- a/puppet/services/rabbitmq.yaml
+++ b/puppet/services/rabbitmq.yaml
@@ -122,6 +122,7 @@ outputs:
rabbitmq::interface: {get_param: [ServiceNetMap, RabbitmqNetwork]}
rabbitmq::nr_ha_queues: {get_param: RabbitHAQueues}
rabbitmq::ssl: {get_param: EnableInternalTLS}
+ rabbitmq::ssl_erl_dist: {get_param: EnableInternalTLS}
rabbitmq::ssl_port: 5672
rabbitmq::ssl_depth: 1
rabbitmq::ssl_only: {get_param: EnableInternalTLS}