diff options
Diffstat (limited to 'puppet/services')
74 files changed, 1647 insertions, 575 deletions
diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml index f4f5bad8..daed1665 100644 --- a/puppet/services/aodh-api.yaml +++ b/puppet/services/aodh-api.yaml @@ -21,11 +21,9 @@ parameters: MonitoringSubscriptionAodhApi: default: 'overcloud-ceilometer-aodh-api' type: string - EnableCombinationAlarms: - default: false - description: Combination alarms are deprecated in Newton, hence disabled - by default. To enable, set this parameter to true. + EnableInternalTLS: type: boolean + default: false resources: AodhBase: @@ -41,6 +39,7 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} outputs: role_data: @@ -52,7 +51,7 @@ outputs: map_merge: - get_attr: [AodhBase, role_data, config_settings] - get_attr: [ApacheServiceBase, role_data, config_settings] - - aodh::wsgi::apache::ssl: false + - aodh::wsgi::apache::ssl: {get_param: EnableInternalTLS} aodh::wsgi::apache::servername: str_replace: template: @@ -60,20 +59,25 @@ outputs: params: $NETWORK: {get_param: [ServiceNetMap, AodhApiNetwork]} aodh::api::service_name: 'httpd' + aodh::api::enable_proxy_headers_parsing: true tripleo.aodh_api.firewall_rules: '128 aodh-api': dport: - 8042 - 13042 + aodh::api::host: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, AodhApiNetwork]} # NOTE: bind IP is found in Heat replacing the network name with the # local node IP for the given network; replacement examples # (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - aodh::api::host: {get_param: [ServiceNetMap, AodhApiNetwork]} aodh::wsgi::apache::bind_host: {get_param: [ServiceNetMap, AodhApiNetwork]} - tripleo::profile::base::aodh::api::enable_combination_alarms: {get_param: EnableCombinationAlarms} service_config_settings: get_attr: [AodhBase, role_data, service_config_settings] step_config: | diff --git a/puppet/services/apache-internal-tls-certmonger.yaml b/puppet/services/apache-internal-tls-certmonger.yaml new file mode 100644 index 00000000..87e53f13 --- /dev/null +++ b/puppet/services/apache-internal-tls-certmonger.yaml @@ -0,0 +1,50 @@ +heat_template_version: 2016-10-14 + +description: > + Apache service TLS configurations. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + # The following parameters are not needed by the template but are + # required to pass the pep8 tests + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for the Apache role. + value: + service_name: apache_internal_tls_certmonger + config_settings: + generate_service_certificates: true + apache_certificates_specs: + map_merge: + repeat: + template: + httpd-NETWORK: + service_certificate: '/etc/pki/tls/certs/httpd-NETWORK.crt' + service_key: '/etc/pki/tls/private/httpd-NETWORK.key' + hostname: "%{::fqdn_NETWORK}" + principal: "HTTP/%{::fqdn_NETWORK}" + for_each: + NETWORK: + # NOTE(jaosorior) Get unique network names to create + # certificates for those. We skip the tenant network since + # we don't need a certificate for that, and the external + # network will be handled in another template. + yaql: + expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) + data: + map: + get_param: ServiceNetMap diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml index c9792019..382e0ff9 100644 --- a/puppet/services/apache.yaml +++ b/puppet/services/apache.yaml @@ -27,6 +27,17 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + EnableInternalTLS: + type: boolean + default: false + + +resources: + + ApacheTLS: + type: OS::TripleO::Services::ApacheTLS + properties: + ServiceNetMap: {get_param: ServiceNetMap} outputs: role_data: @@ -34,19 +45,22 @@ outputs: value: service_name: apache config_settings: - # for the given network; replacement examples (eg. for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - apache::ip: {get_param: [ServiceNetMap, ApacheNetwork]} - apache::server_signature: 'Off' - apache::server_tokens: 'Prod' - apache_remote_proxy_ips_network: - str_replace: - template: "NETWORK_subnet" - params: - NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]} - apache::mod::prefork::maxclients: { get_param: ApacheMaxRequestWorkers } - apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit } - apache::mod::remoteip::proxy_ips: - - "%{hiera('apache_remote_proxy_ips_network')}" + map_merge: + - get_attr: [ApacheTLS, role_data, config_settings] + - + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + apache::ip: {get_param: [ServiceNetMap, ApacheNetwork]} + apache::server_signature: 'Off' + apache::server_tokens: 'Prod' + apache_remote_proxy_ips_network: + str_replace: + template: "NETWORK_subnet" + params: + NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]} + apache::mod::prefork::maxclients: { get_param: ApacheMaxRequestWorkers } + apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit } + apache::mod::remoteip::proxy_ips: + - "%{hiera('apache_remote_proxy_ips_network')}" diff --git a/puppet/services/barbican-api.yaml b/puppet/services/barbican-api.yaml new file mode 100644 index 00000000..b266674f --- /dev/null +++ b/puppet/services/barbican-api.yaml @@ -0,0 +1,144 @@ +heat_template_version: 2016-04-08 + +description: > + OpenStack Barbican API service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + BarbicanPassword: + description: The password for the barbican service account. + type: string + hidden: true + BarbicanWorkers: + description: Set the number of workers for barbican::wsgi::apache + default: '"%{::processorcount}"' + type: string + Debug: + default: '' + description: Set to True to enable debugging on all services. + type: string + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + RabbitClientPort: + default: 5672 + description: Set rabbit subscriber port, change this if using SSL + type: number + RabbitClientUseSSL: + default: false + description: > + Rabbit client subscriber parameter to specify + an SSL connection to the RabbitMQ host. + type: string + RabbitPassword: + description: The password for RabbitMQ + type: string + hidden: true + RabbitUserName: + default: guest + description: The username for RabbitMQ + type: string + EnableInternalTLS: + type: boolean + default: false + +resources: + + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Barbican API role. + value: + service_name: barbican_api + config_settings: + map_merge: + - get_attr: [ApacheServiceBase, role_data, config_settings] + - barbican::keystone::authtoken::password: {get_param: BarbicanPassword} + barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} + barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + barbican::keystone::authtoken::project_name: 'service' + barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]} + barbican::api::db_auto_create: false + barbican::api::enabled_certificate_plugins: ['simple_certificate'] + barbican::api::logging::debug: {get_param: Debug} + barbican::api::rabbit_use_ssl: {get_param: RabbitClientUseSSL} + barbican::api::rabbit_userid: {get_param: RabbitUserName} + barbican::api::rabbit_password: {get_param: RabbitPassword} + barbican::api::rabbit_port: {get_param: RabbitClientPort} + barbican::api::rabbit_heartbeat_timeout_threshold: 60 + barbican::api::service_name: 'httpd' + barbican::wsgi::apache::bind_host: {get_param: [ServiceNetMap, BarbicanApiNetwork]} + barbican::wsgi::apache::ssl: {get_param: EnableInternalTLS} + barbican::wsgi::apache::workers: {get_param: BarbicanWorkers} + barbican::wsgi::apache::servername: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]} + barbican::db::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://barbican:' + - {get_param: BarbicanPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/barbican' + tripleo.barbican_api.firewall_rules: + '117 barbican': + dport: + - 9311 + - 13311 + step_config: | + include ::tripleo::profile::base::barbican::api + service_config_settings: + mysql: + barbican::db::mysql::password: {get_param: BarbicanPassword} + barbican::db::mysql::user: barbican + barbican::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + barbican::db::mysql::dbname: barbican + barbican::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" + keystone: + barbican::keystone::auth::public_url: {get_param: [EndpointMap, BarbicanPublic, uri]} + barbican::keystone::auth::internal_url: {get_param: [EndpointMap, BarbicanInternal, uri]} + barbican::keystone::auth::admin_url: {get_param: [EndpointMap, BarbicanAdmin, uri]} + barbican::keystone::auth::password: {get_param: BarbicanPassword} + barbican::keystone::auth::region: {get_param: KeystoneRegion} + barbican::keystone::auth::tenant: 'service' + nova_compute: + nova::compute::keymgr_api_class: > + castellan.key_manager.barbican_key_manager.BarbicanKeyManager + nova::compute::barbican_endpoint: + get_param: [EndpointMap, BarbicanInternal, uri] + nova::compute::barbican_auth_endpoint: + get_param: [EndpointMap, KeystoneV3Internal, uri] + cinder_api: + cinder::api::keymgr_api_class: > + castellan.key_manager.barbican_key_manager.BarbicanKeyManager + cinder::api::keymgr_encryption_api_url: + get_param: [EndpointMap, BarbicanInternal, uri] + cinder::api::keymgr_encryption_auth_url: + get_param: [EndpointMap, KeystoneV3Internal, uri] diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml index ecea38b2..97b255a9 100644 --- a/puppet/services/ceilometer-api.yaml +++ b/puppet/services/ceilometer-api.yaml @@ -26,7 +26,9 @@ parameters: default: tag: openstack.ceilometer.api path: /var/log/ceilometer/api.log - + EnableInternalTLS: + type: boolean + default: false resources: CeilometerServiceBase: @@ -42,6 +44,7 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} outputs: role_data: @@ -68,9 +71,15 @@ outputs: # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - ceilometer::api::service_name: 'httpd' - ceilometer::api::host: {get_param: [ServiceNetMap, CeilometerApiNetwork]} + ceilometer::api::enable_proxy_headers_parsing: true + ceilometer::api::host: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, CeilometerApiNetwork]} ceilometer::wsgi::apache::bind_host: {get_param: [ServiceNetMap, CeilometerApiNetwork]} - ceilometer::wsgi::apache::ssl: false + ceilometer::wsgi::apache::ssl: {get_param: EnableInternalTLS} ceilometer::wsgi::apache::servername: str_replace: template: diff --git a/puppet/services/ceilometer-base.yaml b/puppet/services/ceilometer-base.yaml index 4ace7526..ded1bc03 100644 --- a/puppet/services/ceilometer-base.yaml +++ b/puppet/services/ceilometer-base.yaml @@ -36,6 +36,12 @@ parameters: type: string constraints: - allowed_values: ['gnocchi', 'database'] + CeilometerEventDispatcher: + default: ['gnocchi'] + description: Comma-separated list of Dispatchers to process events data + type: comma_delimited_list + constraints: + - allowed_values: ['panko', 'gnocchi', 'database'] CeilometerWorkers: default: 0 description: Number of workers for Ceilometer service. @@ -102,6 +108,7 @@ outputs: ceilometer::agent::auth::auth_tenant_name: 'service' ceilometer::agent::auth::auth_endpoint_type: 'internalURL' ceilometer::collector::meter_dispatcher: {get_param: CeilometerMeterDispatcher} + ceilometer::collector::event_dispatcher: {get_param: CeilometerEventDispatcher} ceilometer::dispatcher::gnocchi::url: {get_param: [EndpointMap, GnocchiInternal, uri]} ceilometer::dispatcher::gnocchi::filter_project: 'service' ceilometer::dispatcher::gnocchi::archive_policy: 'low' diff --git a/puppet/services/ceph-base.yaml b/puppet/services/ceph-base.yaml index ce8d9158..786e9ddd 100644 --- a/puppet/services/ceph-base.yaml +++ b/puppet/services/ceph-base.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > Ceph base service. Shared by all Ceph services. @@ -29,9 +29,20 @@ parameters: GlanceRbdPoolName: default: images type: string + GlanceBackend: + default: swift + description: The short name of the Glance backend to use. Should be one + of swift, rbd, or file + type: string + constraints: + - allowed_values: ['swift', 'file', 'rbd'] GnocchiRbdPoolName: default: metrics type: string + NovaEnableRbdBackend: + default: false + description: Whether to enable or not the Rbd backend for Nova + type: boolean NovaRbdPoolName: default: vms type: string @@ -63,6 +74,16 @@ parameter_groups: parameters: - ControllerEnableCephStorage +conditions: + glance_multiple_locations: + and: + - equals: + - get_param: GlanceBackend + - rbd + - equals: + - get_param: NovaEnableRbdBackend + - true + outputs: role_data: description: Role data for the Ceph base service. @@ -75,6 +96,12 @@ outputs: ceph::profile::params::manage_repo: false ceph::profile::params::authentication_type: cephx ceph::profile::params::fsid: {get_param: CephClusterFSID} + # FIXME(gfidente): we should not have to list the packages explicitly in the templates, + # but this has to stay until https://bugs.launchpad.net/puppet-ceph/+bug/1629933 is fixed + ceph::params::packages: + - ceph-base + - ceph-mon + - ceph-osd # NOTE: bind IP is found in Heat replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP @@ -122,3 +149,6 @@ outputs: CINDERBACKUP_POOL: {get_param: CinderBackupRbdPoolName} GLANCE_POOL: {get_param: GlanceRbdPoolName} GNOCCHI_POOL: {get_param: GnocchiRbdPoolName} + service_config_settings: + glance_api: + glance::api::show_multiple_locations: {if: [glance_multiple_locations, true, false]} diff --git a/puppet/services/ceph-external.yaml b/puppet/services/ceph-external.yaml index 52c4824f..b708665f 100644 --- a/puppet/services/ceph-external.yaml +++ b/puppet/services/ceph-external.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > Ceph External service. @@ -27,9 +27,20 @@ parameters: GlanceRbdPoolName: default: images type: string + GlanceBackend: + default: swift + description: The short name of the Glance backend to use. Should be one + of swift, rbd, or file + type: string + constraints: + - allowed_values: ['swift', 'file', 'rbd'] GnocchiRbdPoolName: default: metrics type: string + NovaEnableRbdBackend: + default: false + description: Whether to enable or not the Rbd backend for Nova + type: boolean NovaRbdPoolName: default: vms type: string @@ -51,6 +62,16 @@ parameters: default: 'overcloud-ceph-external' type: string +conditions: + glance_multiple_locations: + and: + - equals: + - get_param: GlanceBackend + - rbd + - equals: + - get_param: NovaEnableRbdBackend + - true + outputs: role_data: description: Role data for the Ceph External service. @@ -78,5 +99,16 @@ outputs: CINDERBACKUP_POOL: {get_param: CinderBackupRbdPoolName} GLANCE_POOL: {get_param: GlanceRbdPoolName} GNOCCHI_POOL: {get_param: GnocchiRbdPoolName} + ceph::profile::params::manage_repo: false + # FIXME(gfidente): we should not have to list the packages explicitly in + # the templates, but this should stay until the following is fixed: + # https://bugs.launchpad.net/puppet-ceph/+bug/1629933 + ceph::params::packages: + - ceph-base + - ceph-mon + - ceph-osd + service_config_settings: + glance_api: + glance::api::show_multiple_locations: {if: [glance_multiple_locations, true, false]} step_config: | include ::tripleo::profile::base::ceph::client diff --git a/puppet/services/ceph-mon.yaml b/puppet/services/ceph-mon.yaml index 552086ab..3471f16c 100644 --- a/puppet/services/ceph-mon.yaml +++ b/puppet/services/ceph-mon.yaml @@ -101,5 +101,7 @@ outputs: '110 ceph_mon': dport: - 6789 + service_config_settings: + get_attr: [CephBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::ceph::mon diff --git a/puppet/services/ceph-rgw.yaml b/puppet/services/ceph-rgw.yaml index 18a4b780..89c1a5ee 100644 --- a/puppet/services/ceph-rgw.yaml +++ b/puppet/services/ceph-rgw.yaml @@ -55,15 +55,9 @@ outputs: - tripleo::profile::base::ceph::rgw::rgw_key: {get_param: CephRgwKey} tripleo::profile::base::ceph::rgw::keystone_admin_token: {get_param: AdminToken} tripleo::profile::base::ceph::rgw::keystone_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} - ceph::profile::params::frontend_type: 'civetweb' - ceph_rgw_civetweb_bind_address: {get_param: [ServiceNetMap, CephRgwNetwork]} - ceph::profile::params::rgw_frontends: - list_join: - - '' - - - 'civetweb port=' - - '%{hiera("ceph_rgw_civetweb_bind_address")}' - - ':' - - {get_param: [EndpointMap, CephRgwInternal, port]} + tripleo::profile::base::ceph::rgw::civetweb_bind_ip: {get_param: [ServiceNetMap, CephRgwNetwork]} + tripleo::profile::base::ceph::rgw::civetweb_bind_port: {get_param: [EndpointMap, CephRgwInternal, port]} + ceph::params::user_radosgw: ceph tripleo.ceph_rgw.firewall_rules: '122 ceph rgw': dport: {get_param: [EndpointMap, CephRgwInternal, port]} diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml index 9c96acc4..803d8b83 100644 --- a/puppet/services/cinder-api.yaml +++ b/puppet/services/cinder-api.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > OpenStack Cinder API service configured with Puppet @@ -39,9 +39,27 @@ parameters: default: tag: openstack.cinder.api path: /var/log/cinder/cinder-api.log + CinderWorkers: + type: string + description: Set the number of workers for cinder::wsgi::apache + default: '"%{::os_workers}"' + EnableInternalTLS: + type: boolean + default: false + +conditions: + cinder_workers_zero: {equals : [{get_param: CinderWorkers}, 0]} resources: + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} + CinderBase: type: ./cinder-base.yaml properties: @@ -61,6 +79,7 @@ outputs: config_settings: map_merge: - get_attr: [CinderBase, role_data, config_settings] + - get_attr: [ApacheServiceBase, role_data, config_settings] - cinder::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} cinder::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} cinder::keystone::authtoken::password: {get_param: CinderPassword} @@ -79,12 +98,31 @@ outputs: dport: - 8776 - 13776 + cinder::api::bind_host: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]} + cinder::wsgi::apache::ssl: {get_param: EnableInternalTLS} + cinder::api::service_name: 'httpd' # NOTE: bind IP is found in Heat replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - cinder::api::bind_host: {get_param: [ServiceNetMap, CinderApiNetwork]} + cinder::wsgi::apache::bind_host: {get_param: [ServiceNetMap, CinderApiNetwork]} + cinder::wsgi::apache::servername: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]} + - + if: + - cinder_workers_zero + - {} + - cinder::wsgi::apache::workers: {get_param: CinderWorkers} step_config: | include ::tripleo::profile::base::cinder::api service_config_settings: diff --git a/puppet/services/cinder-base.yaml b/puppet/services/cinder-base.yaml index 93ab1d79..59c9b844 100644 --- a/puppet/services/cinder-base.yaml +++ b/puppet/services/cinder-base.yaml @@ -66,7 +66,6 @@ outputs: cinder::rabbit_password: {get_param: RabbitPassword} cinder::rabbit_port: {get_param: RabbitClientPort} cinder::rabbit_heartbeat_timeout_threshold: 60 - cinder::host: hostgroup cinder::cron::db_purge::destination: '/dev/null' cinder::db::database_db_max_retries: -1 cinder::db::database_max_retries: -1 diff --git a/puppet/services/database/mysql-internal-tls-certmonger.yaml b/puppet/services/database/mysql-internal-tls-certmonger.yaml new file mode 100644 index 00000000..3ba51fb6 --- /dev/null +++ b/puppet/services/database/mysql-internal-tls-certmonger.yaml @@ -0,0 +1,43 @@ +heat_template_version: 2016-10-14 + +description: > + MySQL configurations for using TLS via certmonger. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + # The following parameters are not needed by the template but are + # required to pass the pep8 tests + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: MySQL configurations for using TLS via certmonger. + value: + service_name: mysql_internal_tls_certmonger + config_settings: + generate_service_certificates: true + tripleo::profile::base::database::mysql::certificate_specs: + service_certificate: '/etc/pki/tls/certs/mysql.crt' + service_key: '/etc/pki/tls/private/mysql.key' + hostname: + str_replace: + template: "%{hiera('cloud_name_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} + principal: + str_replace: + template: "mysql/%{hiera('cloud_name_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml index 094a7c9f..651bf4b1 100644 --- a/puppet/services/database/mysql.yaml +++ b/puppet/services/database/mysql.yaml @@ -35,50 +35,60 @@ parameters: description: Whether to use Galera instead of regular MariaDB. type: boolean +resources: + + MySQLTLS: + type: OS::TripleO::Services::MySQLTLS + properties: + ServiceNetMap: {get_param: ServiceNetMap} + outputs: role_data: description: Service MySQL using composable services. value: service_name: mysql config_settings: - # The Galera package should work in cluster and - # non-cluster modes based on the config file. - # We set the package name here explicitly so - # that it matches what we pre-install - # in tripleo-puppet-elements. - mysql::server::package_name: 'mariadb-galera-server' - mysql::server::manage_config_file: true - tripleo.mysql.firewall_rules: - '104 mysql galera': - dport: - - 873 - - 3306 - - 4444 - - 4567 - - 4568 - - 9200 - mysql_max_connections: {get_param: MysqlMaxConnections} - mysql::server::root_password: - yaql: - expression: $.data.passwords.where($ != '').first() - data: - passwords: - - {get_param: MysqlRootPassword} - - {get_param: [DefaultPasswords, mysql_root_password]} - mysql_clustercheck_password: {get_param: MysqlClustercheckPassword} - enable_galera: {get_param: EnableGalera} - # NOTE: bind IP is found in Heat replacing the network name with the - # local node IP for the given network; replacement examples - # (eg. for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - mysql_bind_host: {get_param: [ServiceNetMap, MysqlNetwork]} - tripleo::profile::base::database::mysql::bind_address: - str_replace: - template: - '"%{::fqdn_$NETWORK}"' - params: - $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} + map_merge: + - get_attr: [MySQLTLS, role_data, config_settings] + - + # The Galera package should work in cluster and + # non-cluster modes based on the config file. + # We set the package name here explicitly so + # that it matches what we pre-install + # in tripleo-puppet-elements. + mysql::server::package_name: 'mariadb-galera-server' + mysql::server::manage_config_file: true + tripleo.mysql.firewall_rules: + '104 mysql galera': + dport: + - 873 + - 3306 + - 4444 + - 4567 + - 4568 + - 9200 + mysql_max_connections: {get_param: MysqlMaxConnections} + mysql::server::root_password: + yaql: + expression: $.data.passwords.where($ != '').first() + data: + passwords: + - {get_param: MysqlRootPassword} + - {get_param: [DefaultPasswords, mysql_root_password]} + mysql_clustercheck_password: {get_param: MysqlClustercheckPassword} + enable_galera: {get_param: EnableGalera} + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + mysql_bind_host: {get_param: [ServiceNetMap, MysqlNetwork]} + tripleo::profile::base::database::mysql::bind_address: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} step_config: | include ::tripleo::profile::base::database::mysql diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml index 80ba9aef..33abdbf9 100644 --- a/puppet/services/glance-api.yaml +++ b/puppet/services/glance-api.yaml @@ -18,32 +18,14 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json - CephClientUserName: - default: openstack - type: string Debug: default: '' description: Set to True to enable debugging on all services. type: string - GlanceNotifierStrategy: - description: Strategy to use for Glance notification queue - type: string - default: noop - GlanceLogFile: - description: The filepath of the file to use for logging messages from Glance. - type: string - default: '' GlancePassword: description: The password for the glance service and db account, used by the glance services. type: string hidden: true - GlanceBackend: - default: swift - description: The short name of the Glance backend to use. Should be one - of swift, rbd, or file - type: string - constraints: - - allowed_values: ['swift', 'file', 'rbd'] GlanceWorkers: default: '' description: | @@ -55,31 +37,6 @@ parameters: memory consumption. It is recommended that a suitable non-default value be selected on such systems. type: string - GlanceRbdPoolName: - default: images - type: string - RabbitPassword: - description: The password for RabbitMQ - type: string - hidden: true - RabbitUserName: - default: guest - description: The username for RabbitMQ - type: string - RabbitClientPort: - default: 5672 - description: Set rabbit subscriber port, change this if using SSL - type: number - RabbitClientUseSSL: - default: false - description: > - Rabbit client subscriber parameter to specify - an SSL connection to the RabbitMQ host. - type: string - KeystoneRegion: - type: string - default: 'regionOne' - description: Keystone region for endpoint MonitoringSubscriptionGlanceApi: default: 'overcloud-glance-api' type: string @@ -89,6 +46,14 @@ parameters: tag: openstack.glance.api path: /var/log/glance/api.log +resources: + GlanceBase: + type: ./glance-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + outputs: role_data: description: Role data for the Glance API role. @@ -99,65 +64,46 @@ outputs: logging_groups: - glance config_settings: - glance::api::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://glance:' - - {get_param: GlancePassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/glance' - glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]} - glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } - glance::api::registry_host: - str_replace: - template: "'REGISTRY_HOST'" - params: - REGISTRY_HOST: {get_param: [EndpointMap, GlanceRegistryInternal, host]} - glance::api::registry_client_protocol: {get_param: [EndpointMap, GlanceRegistryInternal, protocol] } - glance::api::authtoken::password: {get_param: GlancePassword} - glance::api::enable_proxy_headers_parsing: true - glance::api::debug: {get_param: Debug} - glance::api::workers: {get_param: GlanceWorkers} - glance_notifier_strategy: {get_param: GlanceNotifierStrategy} - glance_log_file: {get_param: GlanceLogFile} - glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneInternal, uri] } - glance::backend::swift::swift_store_user: service:glance - glance::backend::swift::swift_store_key: {get_param: GlancePassword} - glance::backend::swift::swift_store_create_container_on_put: true - glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName} - glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName} - glance_backend: {get_param: GlanceBackend} - glance::notify::rabbitmq::rabbit_userid: {get_param: RabbitUserName} - glance::notify::rabbitmq::rabbit_port: {get_param: RabbitClientPort} - glance::notify::rabbitmq::rabbit_password: {get_param: RabbitPassword} - glance::notify::rabbitmq::rabbit_use_ssl: {get_param: RabbitClientUseSSL} - glance::registry::db::database_db_max_retries: -1 - glance::registry::db::database_max_retries: -1 - tripleo.glance_api.firewall_rules: - '112 glance_api': - dport: - - 9292 - - 13292 - glance::api::authtoken::project_name: 'service' - glance::api::pipeline: 'keystone' - glance::api::show_image_direct_url: true - # NOTE: bind IP is found in Heat replacing the network name with the - # local node IP for the given network; replacement examples - # (eg. for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - glance::api::bind_host: {get_param: [ServiceNetMap, GlanceApiNetwork]} + map_merge: + - get_attr: [GlanceBase, role_data, config_settings] + - glance::api::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://glance:' + - {get_param: GlancePassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/glance' + glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]} + glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + glance::api::registry_host: + str_replace: + template: "'REGISTRY_HOST'" + params: + REGISTRY_HOST: {get_param: [EndpointMap, GlanceRegistryInternal, host]} + glance::api::registry_client_protocol: {get_param: [EndpointMap, GlanceRegistryInternal, protocol] } + glance::api::authtoken::password: {get_param: GlancePassword} + glance::api::enable_proxy_headers_parsing: true + glance::api::debug: {get_param: Debug} + glance::api::workers: {get_param: GlanceWorkers} + tripleo.glance_api.firewall_rules: + '112 glance_api': + dport: + - 9292 + - 13292 + glance::api::authtoken::project_name: 'service' + glance::api::pipeline: 'keystone' + glance::api::show_image_direct_url: true + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + glance::api::bind_host: {get_param: [ServiceNetMap, GlanceApiNetwork]} step_config: | include ::tripleo::profile::base::glance::api service_config_settings: - keystone: - glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]} - glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]} - glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]} - glance::keystone::auth::password: {get_param: GlancePassword } - glance::keystone::auth::region: {get_param: KeystoneRegion} - glance::keystone::auth::tenant: 'service' + get_attr: [GlanceBase, role_data, service_config_settings] diff --git a/puppet/services/glance-base.yaml b/puppet/services/glance-base.yaml new file mode 100644 index 00000000..cc979af9 --- /dev/null +++ b/puppet/services/glance-base.yaml @@ -0,0 +1,128 @@ +heat_template_version: 2016-10-14 + +description: > + OpenStack Glance Common settings with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + CephClientUserName: + default: openstack + type: string + Debug: + default: '' + description: Set to True to enable debugging on all services. + type: string + GlanceNotifierStrategy: + description: Strategy to use for Glance notification queue + type: string + default: noop + GlanceLogFile: + description: The filepath of the file to use for logging messages from Glance. + type: string + default: '' + GlancePassword: + description: The password for the glance service and db account, used by the glance services. + type: string + hidden: true + GlanceBackend: + default: swift + description: The short name of the Glance backend to use. Should be one + of swift, rbd, or file + type: string + constraints: + - allowed_values: ['swift', 'file', 'rbd'] + GlanceNfsEnabled: + default: false + description: > + When using GlanceBackend 'file', mount NFS share for image storage. + type: boolean + GlanceNfsShare: + default: '' + description: > + NFS share to mount for image storage (when GlanceNfsEnabled is true) + type: string + GlanceNfsOptions: + default: 'intr,context=system_u:object_r:glance_var_lib_t:s0' + description: > + NFS mount options for image storage (when GlanceNfsEnabled is true) + type: string + GlanceRbdPoolName: + default: images + type: string + RabbitPassword: + description: The password for RabbitMQ + type: string + hidden: true + RabbitUserName: + default: guest + description: The username for RabbitMQ + type: string + RabbitClientPort: + default: 5672 + description: Set rabbit subscriber port, change this if using SSL + type: number + RabbitClientUseSSL: + default: false + description: > + Rabbit client subscriber parameter to specify + an SSL connection to the RabbitMQ host. + type: string + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + +outputs: + role_data: + description: Role data for the Glance common role. + value: + service_name: glance_base + config_settings: + glance_notifier_strategy: {get_param: GlanceNotifierStrategy} + glance_log_file: {get_param: GlanceLogFile} + glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneInternal, uri] } + glance::backend::swift::swift_store_user: service:glance + glance::backend::swift::swift_store_key: {get_param: GlancePassword} + glance::backend::swift::swift_store_create_container_on_put: true + glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName} + glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName} + glance_backend: {get_param: GlanceBackend} + glance::notify::rabbitmq::rabbit_userid: {get_param: RabbitUserName} + glance::notify::rabbitmq::rabbit_port: {get_param: RabbitClientPort} + glance::notify::rabbitmq::rabbit_password: {get_param: RabbitPassword} + glance::notify::rabbitmq::rabbit_use_ssl: {get_param: RabbitClientUseSSL} + glance::notify::rabbitmq::notification_driver: messagingv2 + glance::registry::db::database_db_max_retries: -1 + glance::registry::db::database_max_retries: -1 + tripleo::profile::base::glance::api::glance_nfs_enabled: {get_param: GlanceNfsEnabled} + tripleo::glance::nfs_mount::share: {get_param: GlanceNfsShare} + tripleo::glance::nfs_mount::options: {get_param: GlanceNfsOptions} + service_config_settings: + keystone: + glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]} + glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]} + glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]} + glance::keystone::auth::password: {get_param: GlancePassword } + glance::keystone::auth::region: {get_param: KeystoneRegion} + glance::keystone::auth::tenant: 'service' + mysql: + glance::db::mysql::password: {get_param: GlancePassword} + glance::db::mysql::user: glance + glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + glance::db::mysql::dbname: glance + glance::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/glance-registry.yaml b/puppet/services/glance-registry.yaml index 30df67fe..c45582d4 100644 --- a/puppet/services/glance-registry.yaml +++ b/puppet/services/glance-registry.yaml @@ -46,6 +46,14 @@ parameters: tag: openstack.glance.registry path: /var/log/glance/registry.log +resources: + GlanceBase: + type: ./glance-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + outputs: role_data: description: Role data for the Glance Registry role. @@ -56,43 +64,37 @@ outputs: logging_groups: - glance config_settings: - glance::registry::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://glance:' - - {get_param: GlancePassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/glance' - glance::registry::authtoken::password: {get_param: GlancePassword} - glance::registry::authtoken::project_name: 'service' - glance::registry::pipeline: 'keystone' - glance::registry::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - glance::registry::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } - glance::registry::debug: {get_param: Debug} - glance::registry::workers: {get_param: GlanceWorkers} - glance::registry::db::database_db_max_retries: -1 - glance::registry::db::database_max_retries: -1 - tripleo.glance_registry.firewall_rules: - '112 glance_registry': - dport: - - 9191 - # NOTE: bind IP is found in Heat replacing the network name with the - # local node IP for the given network; replacement examples - # (eg. for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - glance::registry::bind_host: {get_param: [ServiceNetMap, GlanceRegistryNetwork]} + map_merge: + - get_attr: [GlanceBase, role_data, config_settings] + + - glance::registry::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://glance:' + - {get_param: GlancePassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/glance' + glance::registry::authtoken::password: {get_param: GlancePassword} + glance::registry::authtoken::project_name: 'service' + glance::registry::pipeline: 'keystone' + glance::registry::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + glance::registry::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + glance::registry::debug: {get_param: Debug} + glance::registry::workers: {get_param: GlanceWorkers} + tripleo.glance_registry.firewall_rules: + '112 glance_registry': + dport: + - 9191 + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + glance::registry::bind_host: {get_param: [ServiceNetMap, GlanceRegistryNetwork]} step_config: | include ::tripleo::profile::base::glance::registry service_config_settings: - mysql: - glance::db::mysql::password: {get_param: GlancePassword} - glance::db::mysql::user: glance - glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - glance::db::mysql::dbname: glance - glance::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" + get_attr: [GlanceBase, role_data, config_settings] diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml index 15121790..ac15de4f 100644 --- a/puppet/services/gnocchi-api.yaml +++ b/puppet/services/gnocchi-api.yaml @@ -41,6 +41,9 @@ parameters: default: tag: openstack.gnocchi.api path: /var/log/gnocchi/app.log + EnableInternalTLS: + type: boolean + default: false resources: @@ -57,6 +60,7 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} outputs: role_data: @@ -77,12 +81,13 @@ outputs: - 8041 - 13041 gnocchi::api::enabled: true + gnocchi::api::enable_proxy_headers_parsing: true gnocchi::api::service_name: 'httpd' gnocchi::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} gnocchi::keystone::authtoken::password: {get_param: GnocchiPassword} gnocchi::keystone::authtoken::project_name: 'service' - gnocchi::wsgi::apache::ssl: false + gnocchi::wsgi::apache::ssl: {get_param: EnableInternalTLS} gnocchi::wsgi::apache::servername: str_replace: template: @@ -97,7 +102,12 @@ outputs: # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR gnocchi::wsgi::apache::bind_host: {get_param: [ServiceNetMap, GnocchiApiNetwork]} - gnocchi::api::host: {get_param: [ServiceNetMap, GnocchiApiNetwork]} + gnocchi::api::host: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, GnocchiApiNetwork]} gnocchi::api::keystone_auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} gnocchi::api::keystone_identity_uri: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} diff --git a/puppet/services/gnocchi-statsd.yaml b/puppet/services/gnocchi-statsd.yaml index 04339f46..983d6c91 100644 --- a/puppet/services/gnocchi-statsd.yaml +++ b/puppet/services/gnocchi-statsd.yaml @@ -39,5 +39,9 @@ outputs: config_settings: map_merge: - get_attr: [GnocchiServiceBase, role_data, config_settings] + - tripleo.gnocchi_statsd.firewall_rules: + '140 gnocchi-statsd': + dport: 8125 + proto: 'udp' step_config: | include ::tripleo::profile::base::gnocchi::statsd diff --git a/puppet/services/haproxy-internal-tls-certmonger.yaml b/puppet/services/haproxy-internal-tls-certmonger.yaml new file mode 100644 index 00000000..c6d53542 --- /dev/null +++ b/puppet/services/haproxy-internal-tls-certmonger.yaml @@ -0,0 +1,51 @@ +heat_template_version: 2016-10-14 + +description: > + HAProxy deployment with TLS enabled, powered by certmonger + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for the HAProxy internal TLS via certmonger role. + value: + service_name: haproxy_internal_tls_certmonger + config_settings: + generate_service_certificates: true + tripleo::haproxy::use_internal_certificates: true + certificates_specs: + map_merge: + repeat: + template: + haproxy-NETWORK: + service_pem: '/etc/pki/tls/certs/overcloud-haproxy-NETWORK.pem' + service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-NETWORK.crt' + service_key: '/etc/pki/tls/private/overcloud-haproxy-NETWORK.key' + hostname: "%{hiera('cloud_name_NETWORK')}" + postsave_cmd: "" # TODO + principal: "haproxy/%{hiera('cloud_name_NETWORK')}" + for_each: + NETWORK: + # NOTE(jaosorior) Get unique network names to create + # certificates for those. We skip the tenant network since + # we don't need a certificate for that, and the external + # network will be handled in another template. + yaql: + expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) + data: + map: + get_param: ServiceNetMap diff --git a/puppet/services/haproxy-public-tls-certmonger.yaml b/puppet/services/haproxy-public-tls-certmonger.yaml new file mode 100644 index 00000000..1551d16a --- /dev/null +++ b/puppet/services/haproxy-public-tls-certmonger.yaml @@ -0,0 +1,37 @@ +heat_template_version: 2016-10-14 + +description: > + HAProxy deployment with TLS enabled, powered by certmonger + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for the HAProxy public TLS via certmonger role. + value: + service_name: haproxy_public_tls_certmonger + config_settings: + generate_service_certificates: true + tripleo::haproxy::service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-external.pem' + certificates_specs: + haproxy-external: + service_pem: '/etc/pki/tls/certs/overcloud-haproxy-external.pem' + service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-external.crt' + service_key: '/etc/pki/tls/private/overcloud-haproxy-external.key' + hostname: "%{hiera('cloud_name_external')}" + postsave_cmd: "" # TODO + principal: "haproxy/%{hiera('cloud_name_external')}" diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml index 974928c5..c8edade5 100644 --- a/puppet/services/haproxy.yaml +++ b/puppet/services/haproxy.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > HAproxy service configured with Puppet @@ -34,20 +34,26 @@ parameters: description: The password for Redis type: string hidden: true - ControlVirtualInterface: - default: 'br-ex' - description: Interface where virtual ip will be assigned. - type: string - PublicVirtualInterface: - default: 'br-ex' - description: > - Specifies the interface where the public-facing virtual ip will be assigned. - This should be int_public when a VLAN is being used. - type: string MonitoringSubscriptionHaproxy: default: 'overcloud-haproxy' type: string +resources: + + HAProxyPublicTLS: + type: OS::TripleO::Services::HAProxyPublicTLS + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + + HAProxyInternalTLS: + type: OS::TripleO::Services::HAProxyInternalTLS + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + outputs: role_data: description: Role data for the HAproxy role. @@ -55,14 +61,19 @@ outputs: service_name: haproxy monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy} config_settings: - tripleo.haproxy.firewall_rules: - '107 haproxy stats': - dport: 1993 - tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress} - tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser} - tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword} - tripleo::haproxy::redis_password: {get_param: RedisPassword} - tripleo::haproxy::control_virtual_interface: {get_param: ControlVirtualInterface} - tripleo::haproxy::public_virtual_interface: {get_param: PublicVirtualInterface} + map_merge: + - get_attr: [HAProxyPublicTLS, role_data, config_settings] + - get_attr: [HAProxyInternalTLS, role_data, config_settings] + - tripleo.haproxy.firewall_rules: + '107 haproxy stats': + dport: 1993 + tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress} + tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser} + tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword} + tripleo::haproxy::redis_password: {get_param: RedisPassword} + tripleo::profile::base::haproxy::certificates_specs: + map_merge: + - get_attr: [HAProxyPublicTLS, role_data, certificates_specs] + - get_attr: [HAProxyInternalTLS, role_data, certificates_specs] step_config: | include ::tripleo::profile::base::haproxy diff --git a/puppet/services/heat-api-cfn.yaml b/puppet/services/heat-api-cfn.yaml index a47fec5a..12d4a6a1 100644 --- a/puppet/services/heat-api-cfn.yaml +++ b/puppet/services/heat-api-cfn.yaml @@ -76,9 +76,11 @@ outputs: include ::tripleo::profile::base::heat::api_cfn service_config_settings: keystone: - heat::keystone::auth_cfn::tenant: 'service' - heat::keystone::auth_cfn::public_url: {get_param: [EndpointMap, HeatCfnPublic, uri]} - heat::keystone::auth_cfn::internal_url: {get_param: [EndpointMap, HeatCfnInternal, uri]} - heat::keystone::auth_cfn::admin_url: {get_param: [EndpointMap, HeatCfnAdmin, uri]} - heat::keystone::auth_cfn::password: {get_param: HeatPassword} - heat::keystone::auth::region: {get_param: KeystoneRegion} + map_merge: + - get_attr: [HeatBase, role_data, service_config_settings, keystone] + - heat::keystone::auth_cfn::tenant: 'service' + heat::keystone::auth_cfn::public_url: {get_param: [EndpointMap, HeatCfnPublic, uri]} + heat::keystone::auth_cfn::internal_url: {get_param: [EndpointMap, HeatCfnInternal, uri]} + heat::keystone::auth_cfn::admin_url: {get_param: [EndpointMap, HeatCfnAdmin, uri]} + heat::keystone::auth_cfn::password: {get_param: HeatPassword} + heat::keystone::auth_cfn::region: {get_param: KeystoneRegion} diff --git a/puppet/services/heat-api.yaml b/puppet/services/heat-api.yaml index 2ea96fc0..b0cd16dd 100644 --- a/puppet/services/heat-api.yaml +++ b/puppet/services/heat-api.yaml @@ -76,9 +76,11 @@ outputs: include ::tripleo::profile::base::heat::api service_config_settings: keystone: - heat::keystone::auth::tenant: 'service' - heat::keystone::auth::public_url: {get_param: [EndpointMap, HeatPublic, uri]} - heat::keystone::auth::internal_url: {get_param: [EndpointMap, HeatInternal, uri]} - heat::keystone::auth::admin_url: {get_param: [EndpointMap, HeatAdmin, uri]} - heat::keystone::auth::password: {get_param: HeatPassword} - heat::keystone::auth::region: {get_param: KeystoneRegion} + map_merge: + - get_attr: [HeatBase, role_data, service_config_settings, keystone] + - heat::keystone::auth::tenant: 'service' + heat::keystone::auth::public_url: {get_param: [EndpointMap, HeatPublic, uri]} + heat::keystone::auth::internal_url: {get_param: [EndpointMap, HeatInternal, uri]} + heat::keystone::auth::admin_url: {get_param: [EndpointMap, HeatAdmin, uri]} + heat::keystone::auth::password: {get_param: HeatPassword} + heat::keystone::auth::region: {get_param: KeystoneRegion} diff --git a/puppet/services/heat-base.yaml b/puppet/services/heat-base.yaml index 7eb58f56..a2a65d7d 100644 --- a/puppet/services/heat-base.yaml +++ b/puppet/services/heat-base.yaml @@ -77,3 +77,8 @@ outputs: heat::cron::purge_deleted::destination: '/dev/null' heat::db::database_db_max_retries: -1 heat::db::database_max_retries: -1 + service_config_settings: + keystone: + tripleo::profile::base::keystone::heat_admin_domain: 'heat_stack' + tripleo::profile::base::keystone::heat_admin_user: 'heat_stack_domain_admin' + tripleo::profile::base::keystone::heat_admin_email: 'heat_stack_domain_admin@localhost' diff --git a/puppet/services/heat-engine.yaml b/puppet/services/heat-engine.yaml index 24c36362..3f0e4105 100644 --- a/puppet/services/heat-engine.yaml +++ b/puppet/services/heat-engine.yaml @@ -103,3 +103,6 @@ outputs: heat::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" + keystone: + # This is needed because the keystone profile handles creating the domain + tripleo::profile::base::keystone::heat_admin_password: {get_param: HeatStackDomainAdminPassword} diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml index 6ea5ec4e..8eaf4044 100644 --- a/puppet/services/horizon.yaml +++ b/puppet/services/horizon.yaml @@ -24,18 +24,14 @@ parameters: type: json HorizonAllowedHosts: default: '*' - description: A list of IP/Hostname allowed to connect to horizon + description: A list of IP/Hostname for the server Horizon is running on. + Used for header checks. type: comma_delimited_list HorizonSecret: description: Secret key for Django type: string hidden: true default: '' - NeutronMechanismDrivers: - default: 'openvswitch' - description: | - The mechanism drivers for the Neutron tenant network. - type: comma_delimited_list MemcachedIPv6: default: false description: Enable IPv6 features in Memcached. @@ -44,6 +40,10 @@ parameters: default: 'overcloud-horizon' type: string +conditions: + + debug_empty: {equals : [{get_param: Debug}, '']} + outputs: role_data: description: Role data for the Horizon role. @@ -51,33 +51,36 @@ outputs: service_name: horizon monitoring_subscription: {get_param: MonitoringSubscriptionHorizon} config_settings: - horizon::allowed_hosts: {get_param: HorizonAllowedHosts} - neutron::plugins::ml2::mechanism_drivers: - str_replace: - template: MECHANISMS - params: - MECHANISMS: {get_param: NeutronMechanismDrivers} - tripleo.horizon.firewall_rules: - '126 horizon': - dport: - - 80 - - 443 - horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache - horizon::django_session_engine: 'django.contrib.sessions.backends.cache' - horizon::vhost_extra_params: - add_listen: false - priority: 10 - access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"' - horizon::bind_address: {get_param: [ServiceNetMap, HorizonNetwork]} - horizon::django_debug: {get_param: Debug} - horizon::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri]} - horizon::secret_key: - yaql: - expression: $.data.passwords.where($ != '').first() - data: - passwords: - - {get_param: HorizonSecret} - - {get_param: [DefaultPasswords, horizon_secret]} - memcached_ipv6: {get_param: MemcachedIPv6} + map_merge: + - horizon::allowed_hosts: {get_param: HorizonAllowedHosts} + tripleo.horizon.firewall_rules: + '126 horizon': + dport: + - 80 + - 443 + horizon::disable_password_reveal: true + horizon::enforce_password_check: true + horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache + horizon::django_session_engine: 'django.contrib.sessions.backends.cache' + horizon::vhost_extra_params: + add_listen: false + priority: 10 + access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"' + options: ['FollowSymLinks','MultiViews'] + horizon::bind_address: {get_param: [ServiceNetMap, HorizonNetwork]} + horizon::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri]} + horizon::secret_key: + yaql: + expression: $.data.passwords.where($ != '').first() + data: + passwords: + - {get_param: HorizonSecret} + - {get_param: [DefaultPasswords, horizon_secret]} + memcached_ipv6: {get_param: MemcachedIPv6} + - + if: + - debug_empty + - {} + - horizon::django_debug: {get_param: Debug} step_config: | include ::tripleo::profile::base::horizon diff --git a/puppet/services/keepalived.yaml b/puppet/services/keepalived.yaml index 2b069d67..fb0d32b6 100644 --- a/puppet/services/keepalived.yaml +++ b/puppet/services/keepalived.yaml @@ -19,14 +19,18 @@ parameters: via parameter_defaults in the resource registry. type: json ControlVirtualInterface: - default: 'br-ex' - description: Interface where virtual ip will be assigned. + default: '' + description: > + Interface where virtual ip will be assigned. This value will be + automatically set by the deployment tool. Overriding here will + override automatic setting. type: string PublicVirtualInterface: - default: 'br-ex' + default: '' description: > - Specifies the interface where the public-facing virtual ip will be assigned. - This should be int_public when a VLAN is being used. + Interface where virtual ip will be assigned. This value will be + automatically set by the deployment tool. Overriding here will + override automatic setting. type: string MonitoringSubscriptionKeepalived: default: 'overcloud-keepalived' @@ -41,5 +45,8 @@ outputs: config_settings: tripleo::keepalived::control_virtual_interface: {get_param: ControlVirtualInterface} tripleo::keepalived::public_virtual_interface: {get_param: PublicVirtualInterface} + tripleo.keepalived.firewall_rules: + '106 keepalived vrrp': + proto: vrrp step_config: | include ::tripleo::profile::base::keepalived diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml index 2f01578e..69898718 100644 --- a/puppet/services/kernel.yaml +++ b/puppet/services/kernel.yaml @@ -18,6 +18,10 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + KernelPidMax: + default: 1048576 + description: Configures sysctl kernel.pid_max key + type: number outputs: role_data: @@ -39,11 +43,17 @@ outputs: net.netfilter.nf_conntrack_max: value: 500000 # prevent neutron bridges from autoconfiguring ipv6 addresses + net.ipv6.conf.all.accept_ra: + value: 0 net.ipv6.conf.default.accept_ra: value: 0 + net.ipv6.conf.all.autoconf: + value: 0 net.ipv6.conf.default.autoconf: value: 0 net.core.netdev_max_backlog: value: 10000 + kernel.pid_max: + value: {get_param: KernelPidMax} step_config: | include ::tripleo::profile::base::kernel diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index e3531636..fe023a6a 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > OpenStack Keystone service configured with Puppet @@ -32,6 +32,12 @@ parameters: type: string default: 'regionOne' description: Keystone region for endpoint + KeystoneTokenProvider: + description: The keystone token format + type: string + default: 'uuid' + constraints: + - allowed_values: ['uuid', 'fernet'] ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set @@ -83,9 +89,9 @@ parameters: KeystoneWorkers: type: string description: Set the number of workers for keystone::wsgi::apache - default: '"%{::processorcount}"' + default: '"%{::os_workers}"' MonitoringSubscriptionKeystone: - default: 'overcloud-kestone' + default: 'overcloud-keystone' type: string KeystoneCredential0: type: string @@ -93,11 +99,20 @@ parameters: KeystoneCredential1: type: string description: The second Keystone credential key. Must be a valid key. + KeystoneFernetKey0: + type: string + description: The first Keystone fernet key. Must be a valid key. + KeystoneFernetKey1: + type: string + description: The second Keystone fernet key. Must be a valid key. KeystoneLoggingSource: type: json default: tag: openstack.keystone path: /var/log/keystone/keystone.log + EnableInternalTLS: + type: boolean + default: false resources: @@ -107,6 +122,10 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} + +conditions: + keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]} outputs: role_data: @@ -130,9 +149,12 @@ outputs: - {get_param: [EndpointMap, MysqlInternal, host]} - '/keystone' keystone::admin_token: {get_param: AdminToken} + keystone::admin_password: {get_param: AdminPassword} keystone::roles::admin::password: {get_param: AdminPassword} keystone_ssl_certificate: {get_param: KeystoneSSLCertificate} keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey} + keystone::token_provider: {get_param: KeystoneTokenProvider} + keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]} keystone::enable_proxy_headers_parsing: true keystone::enable_credential_setup: true keystone::credential_keys: @@ -140,6 +162,11 @@ outputs: content: {get_param: KeystoneCredential0} '/etc/keystone/credential-keys/1': content: {get_param: KeystoneCredential1} + keystone::fernet_keys: + '/etc/keystone/fernet-keys/0': + content: {get_param: KeystoneFernetKey0} + '/etc/keystone/fernet-keys/1': + content: {get_param: KeystoneFernetKey1} keystone::debug: {get_param: Debug} keystone::rabbit_userid: {get_param: RabbitUserName} keystone::rabbit_password: {get_param: RabbitPassword} @@ -163,7 +190,8 @@ outputs: ec2/driver: value: 'keystone.contrib.ec2.backends.sql.Ec2' keystone::service_name: 'httpd' - keystone::wsgi::apache::ssl: false + keystone::enable_ssl: {get_param: EnableInternalTLS} + keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS} keystone::wsgi::apache::servername: str_replace: template: @@ -188,15 +216,25 @@ outputs: - 13000 - 35357 - 13357 + keystone::admin_bind_host: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} + keystone::public_bind_host: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} # NOTE: bind IP is found in Heat replacing the network name with the # local node IP for the given network; replacement examples # (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - # NOTE: this applies to all 4 bind IP settings below... - keystone::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} - keystone::public_bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} + # NOTE: this applies to all 2 bind IP settings below... keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} step_config: | diff --git a/puppet/services/logging/fluentd-config.yaml b/puppet/services/logging/fluentd-config.yaml index e051781e..58b423fd 100644 --- a/puppet/services/logging/fluentd-config.yaml +++ b/puppet/services/logging/fluentd-config.yaml @@ -70,7 +70,7 @@ parameters: - tag_pattern: '**' type: record_transformer record: - nodename: '${hostname}' + host: '${hostname}' - tag_pattern: 'openstack.**' type: record_transformer diff --git a/puppet/services/manila-api.yaml b/puppet/services/manila-api.yaml index 4d3fd47c..b4b3d480 100644 --- a/puppet/services/manila-api.yaml +++ b/puppet/services/manila-api.yaml @@ -51,6 +51,11 @@ outputs: manila::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } manila::keystone::authtoken::project_name: 'service' + tripleo.manila_api.firewall_rules: + '150 manila': + dport: + - 8786 + - 13786 # NOTE: bind IP is found in Heat replacing the network name with the # local node IP for the given network; replacement examples # (eg. for internal_api): @@ -62,21 +67,15 @@ outputs: step_config: | include ::tripleo::profile::base::manila::api service_config_settings: - keystone: - manila::keystone::auth::tenant: 'service' - manila::keystone::auth::public_url: {get_param: [EndpointMap, ManilaV1Public, uri]} - manila::keystone::auth::internal_url: {get_param: [EndpointMap, ManilaV1Internal, uri]} - manila::keystone::auth::admin_url: {get_param: [EndpointMap, ManilaV1Admin, uri]} - manila::keystone::auth::public_url_v2: {get_param: [EndpointMap, ManilaPublic, uri]} - manila::keystone::auth::internal_url_v2: {get_param: [EndpointMap, ManilaInternal, uri]} - manila::keystone::auth::admin_url_v2: {get_param: [EndpointMap, ManilaAdmin, uri]} - manila::keystone::auth::password: {get_param: ManilaPassword} - manila::keystone::auth::region: {get_param: KeystoneRegion} - mysql: - manila::db::mysql::password: {get_param: ManilaPassword} - manila::db::mysql::user: manila - manila::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - manila::db::mysql::dbname: manila - manila::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" + map_merge: + - get_attr: [ManilaBase, role_data, service_config_settings] + - keystone: + manila::keystone::auth::tenant: 'service' + manila::keystone::auth::public_url: {get_param: [EndpointMap, ManilaV1Public, uri]} + manila::keystone::auth::internal_url: {get_param: [EndpointMap, ManilaV1Internal, uri]} + manila::keystone::auth::admin_url: {get_param: [EndpointMap, ManilaV1Admin, uri]} + manila::keystone::auth::public_url_v2: {get_param: [EndpointMap, ManilaPublic, uri]} + manila::keystone::auth::internal_url_v2: {get_param: [EndpointMap, ManilaInternal, uri]} + manila::keystone::auth::admin_url_v2: {get_param: [EndpointMap, ManilaAdmin, uri]} + manila::keystone::auth::password: {get_param: ManilaPassword} + manila::keystone::auth::region: {get_param: KeystoneRegion} diff --git a/puppet/services/manila-backend-cephfs.yaml b/puppet/services/manila-backend-cephfs.yaml index 89a36d21..0fc39e2a 100644 --- a/puppet/services/manila-backend-cephfs.yaml +++ b/puppet/services/manila-backend-cephfs.yaml @@ -19,9 +19,6 @@ parameters: via parameter_defaults in the resource registry. type: json # CephFS Native backend params: - ManilaCephFSNativeEnableBackend: - type: boolean - default: false ManilaCephFSNativeBackendName: type: string default: cephfsnative @@ -33,7 +30,7 @@ parameters: default: 'cephfs' ManilaCephFSNativeCephFSConfPath: type: string - default: '/etc/ceph/cephfs.conf' + default: '/etc/ceph/ceph.conf' ManilaCephFSNativeCephFSAuthId: type: string default: 'manila' @@ -50,7 +47,6 @@ outputs: value: service_name: manila_backend_cephfs config_settings: - manila::backend::cephfsnative::enable_backend: {get_param: ManilaCephFSNativeEnableBackend} manila::backend::cephfsnative::title: {get_param: ManilaCephFSNativeBackendName} manila::backend::cephfsnative::driver_handles_share_servers: {get_param: ManilaCephFSNativeDriverHandlesShareServers} manila::backend::cephfsnative::share_backend_name: {get_param: ManilaCephFSNativeShareBackendName} diff --git a/puppet/services/manila-backend-generic.yaml b/puppet/services/manila-backend-generic.yaml index 5c001c82..c527666e 100644 --- a/puppet/services/manila-backend-generic.yaml +++ b/puppet/services/manila-backend-generic.yaml @@ -4,9 +4,6 @@ description: > Openstack Manila generic backend. parameters: - ManilaGenericEnableBackend: - type: boolean - default: false ManilaGenericBackendName: type: string default: tripleo_generic @@ -73,7 +70,6 @@ outputs: value: service_name: manila_backend_generic config_settings: - manila_generic_enable_backend: {get_param: ManilaGenericEnableBackend} manila::backend::generic::title: {get_param: ManilaGenericBackendName} manila::backend::generic::driver_handles_share_servers: {get_param: ManilaGenericDriverHandlesShareServers} manila::backend::generic::smb_template_config_path: {get_param: ManilaGenericSmbTemplateConfigPath} diff --git a/puppet/services/manila-backend-netapp.yaml b/puppet/services/manila-backend-netapp.yaml index c95a8da7..e6d2f250 100644 --- a/puppet/services/manila-backend-netapp.yaml +++ b/puppet/services/manila-backend-netapp.yaml @@ -4,9 +4,6 @@ description: > Openstack Manila netapp backend. parameters: - ManilaNetappEnableBackend: - type: boolean - default: false ManilaNetappDriverHandlesShareServers: type: string default: true @@ -88,7 +85,6 @@ outputs: value: service_name: manila_backend_netapp config_settings: - manila_netapp_enable_backend: {get_param: ManilaNetappEnableBackend} manila::backend::netapp::title: {get_param: ManilaNetappBackendName} manila::backend::netapp::netapp_login: {get_param: ManilaNetappLogin} manila::backend::netapp::driver_handles_share_servers: {get_param: ManilaNetappDriverHandlesShareServers} diff --git a/puppet/services/manila-base.yaml b/puppet/services/manila-base.yaml index d228577a..844bd3a3 100644 --- a/puppet/services/manila-base.yaml +++ b/puppet/services/manila-base.yaml @@ -40,6 +40,10 @@ parameters: default: 5672 description: Set rabbit subscriber port, change this if using SSL type: number + ManilaPassword: + description: The password for the manila service account. + type: string + hidden: true outputs: role_data: @@ -54,3 +58,21 @@ outputs: manila::debug: {get_param: Debug} manila::db::database_db_max_retries: -1 manila::db::database_max_retries: -1 + manila::sql_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://manila:' + - {get_param: ManilaPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/manila' + service_config_settings: + mysql: + manila::db::mysql::password: {get_param: ManilaPassword} + manila::db::mysql::user: manila + manila::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + manila::db::mysql::dbname: manila + manila::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/manila-scheduler.yaml b/puppet/services/manila-scheduler.yaml index 474cc24f..d96b677b 100644 --- a/puppet/services/manila-scheduler.yaml +++ b/puppet/services/manila-scheduler.yaml @@ -57,14 +57,5 @@ outputs: manila::network::neutron::neutron_url: {get_param: [EndpointMap, NeutronInternal, uri]} manila::network::neutron::neutron_admin_auth_url: {get_param: [EndpointMap, NeutronAdmin, uri]} manila::network::neutron::neutron_admin_password: {get_param: NeutronPassword} - manila::sql_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://manila:' - - {get_param: ManilaPassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/manila' step_config: | include ::tripleo::profile::base::manila::scheduler diff --git a/puppet/services/manila-share.yaml b/puppet/services/manila-share.yaml index e42d2fae..49c69fc1 100644 --- a/puppet/services/manila-share.yaml +++ b/puppet/services/manila-share.yaml @@ -21,6 +21,10 @@ parameters: MonitoringSubscriptionManilaShare: default: 'overcloud-manila-share' type: string + ManilaPassword: + description: The password for the manila service account. + type: string + hidden: true resources: ManilaBase: @@ -40,5 +44,11 @@ outputs: map_merge: - get_attr: [ManilaBase, role_data, config_settings] - manila::volume::cinder::cinder_admin_tenant_name: 'service' + manila::keystone::authtoken::password: {get_param: ManilaPassword} + manila::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} + manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + manila::keystone::authtoken::project_name: 'service' + service_config_settings: + get_attr: [ManilaBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::manila::share diff --git a/puppet/services/mistral-api.yaml b/puppet/services/mistral-api.yaml new file mode 100644 index 00000000..44d30358 --- /dev/null +++ b/puppet/services/mistral-api.yaml @@ -0,0 +1,52 @@ +heat_template_version: 2016-04-08 + +description: > + Openstack Mistral API service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + MistralWorkers: + default: 1 + description: The number of workers for the mistral-api. + type: number + +resources: + MistralBase: + type: ./mistral-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Mistral API role. + value: + service_name: mistral_api + config_settings: + map_merge: + - get_attr: [MistralBase, role_data, config_settings] + - mistral::api::api_workers: {get_param: MistralWorkers} + mistral::api::bind_host: {get_param: [ServiceNetMap, MistralApiNetwork]} + tripleo.mistral_api.firewall_rules: + '133 mistral': + dport: + - 8989 + - 13989 + service_config_settings: + get_attr: [MistralBase, role_data, service_config_settings] + step_config: | + include ::tripleo::profile::base::mistral::api diff --git a/puppet/services/mistral-base.yaml b/puppet/services/mistral-base.yaml new file mode 100644 index 00000000..a11624c0 --- /dev/null +++ b/puppet/services/mistral-base.yaml @@ -0,0 +1,93 @@ +heat_template_version: 2016-04-08 + +description: > + Openstack Mistral base service. Shared for all Mistral services. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + + Debug: + default: '' + description: Set to True to enable debugging on all services. + type: string + RabbitPassword: + description: The password for RabbitMQ + type: string + hidden: true + RabbitUserName: + default: guest + description: The username for RabbitMQ + type: string + RabbitClientUseSSL: + default: false + description: > + Rabbit client subscriber parameter to specify + an SSL connection to the RabbitMQ host. + type: string + RabbitClientPort: + default: 5672 + description: Set rabbit subscriber port, change this if using SSL + type: number + MistralPassword: + description: The password for the Mistral service and db account, used by the Mistral services. + type: string + hidden: true + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + +outputs: + role_data: + description: Shared role data for the Mistral services. + value: + service_name: mistral_base + config_settings: + mistral::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://mistral:' + - {get_param: MistralPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/mistral' + mistral::rabbit_userid: {get_param: RabbitUserName} + mistral::rabbit_password: {get_param: RabbitPassword} + mistral::rabbit_use_ssl: {get_param: RabbitClientUseSSL} + mistral::rabbit_port: {get_param: RabbitClientPort} + mistral::debug: {get_param: Debug} + mistral::keystone_password: {get_param: MistralPassword} + mistral::keystone_tenant: 'service' + mistral::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} + mistral::keystone_ec2_uri: {get_param: [EndpointMap, KeystoneEC2, uri]} + mistral::identity_uri: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + service_config_settings: + keystone: + mistral::keystone::auth::tenant: 'service' + mistral::keystone::auth::public_url: {get_param: [EndpointMap, MistralPublic, uri]} + mistral::keystone::auth::internal_url: {get_param: [EndpointMap, MistralInternal, uri]} + mistral::keystone::auth::admin_url: {get_param: [EndpointMap, MistralAdmin, uri]} + mistral::keystone::auth::password: {get_param: MistralPassword} + mistral::keystone::auth::region: {get_param: KeystoneRegion} + mysql: + mistral::db::mysql::user: mistral + mistral::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + mistral::db::mysql::dbname: mistral + mistral::db::mysql::password: {get_param: MistralPassword} + mistral::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/mistral-engine.yaml b/puppet/services/mistral-engine.yaml new file mode 100644 index 00000000..10af670d --- /dev/null +++ b/puppet/services/mistral-engine.yaml @@ -0,0 +1,38 @@ +heat_template_version: 2016-04-08 + +description: > + Openstack Mistral Engine service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +resources: + MistralBase: + type: ./mistral-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Mistral Engine role. + value: + service_name: mistral_engine + config_settings: + get_attr: [MistralBase, role_data, config_settings] + step_config: | + include ::tripleo::profile::base::mistral::engine diff --git a/puppet/services/mistral-executor.yaml b/puppet/services/mistral-executor.yaml new file mode 100644 index 00000000..7afaf0db --- /dev/null +++ b/puppet/services/mistral-executor.yaml @@ -0,0 +1,38 @@ +heat_template_version: 2016-04-08 + +description: > + Openstack Mistral API service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +resources: + MistralBase: + type: ./mistral-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Mistral Executor role. + value: + service_name: mistral_executor + config_settings: + get_attr: [MistralBase, role_data, config_settings] + step_config: | + include ::tripleo::profile::base::mistral::executor diff --git a/puppet/services/monitoring/sensu-base.yaml b/puppet/services/monitoring/sensu-base.yaml index d7350d07..ea23b8b6 100644 --- a/puppet/services/monitoring/sensu-base.yaml +++ b/puppet/services/monitoring/sensu-base.yaml @@ -43,7 +43,19 @@ parameters: description: The RabbitMQ vhost used for monitoring purposes. type: string default: '/sensu' - + SensuRedactVariables: + description: Variables from Sensu configuration, which have to be redacted. + type: comma_delimited_list + default: + - password + - passwd + - pass + - api_key + - api_token + - access_key + - secret_key + - private_key + - secret outputs: role_data: @@ -61,8 +73,7 @@ outputs: sensu::rabbitmq_ssl: {get_param: MonitoringRabbitUseSSL} sensu::rabbitmq_user: {get_param: MonitoringRabbitUserName} sensu::rabbitmq_vhost: {get_param: MonitoringRabbitVhost} - #sensu::redis_host: {get_param: MonitoringRedisHost} - #sensu::redis_password: {get_param: MonitoringRedisPassword} + sensu::redact: {get_param: SensuRedactVariables} sensu::sensu_plugin_provider: 'yum' sensu::sensu_plugin_name: 'rubygem-sensu-plugin' sensu::version: 'present' diff --git a/puppet/services/monitoring/sensu-client.yaml b/puppet/services/monitoring/sensu-client.yaml index 3f37e750..a26c7458 100644 --- a/puppet/services/monitoring/sensu-client.yaml +++ b/puppet/services/monitoring/sensu-client.yaml @@ -18,6 +18,13 @@ parameters: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + AdminPassword: + description: Keystone admin user password + type: string + KeystoneRegion: + default: 'regionOne' + description: Keystone region for endpoint + type: string SensuClientCustomConfig: default: {} description: Hash containing custom sensu-client variables. @@ -44,6 +51,14 @@ outputs: - sensu::api: false sensu::client: true sensu::server: false - sensu::client_custom: {get_param: SensuClientCustomConfig} + sensu::client_custom: + map_merge: + - {get_param: SensuClientCustomConfig} + - openstack: + username: 'admin' + password: {get_param: AdminPassword} + auth_url: {get_param: [EndpointMap, KeystoneInternal, uri]} + tenant_name: 'admin' + region: {get_param: KeystoneRegion} step_config: | include ::tripleo::profile::base::monitoring::sensu diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml index 3b531ab3..5fd9d7a2 100644 --- a/puppet/services/neutron-api.yaml +++ b/puppet/services/neutron-api.yaml @@ -57,26 +57,20 @@ parameters: default: tag: openstack.neutron.api path: /var/log/neutron/server.log - ControllerCount: - description: | - Under normal conditions, this should not be overridden manually and is - set at deployment time. The default value is present to allow the - template to be used in environments that do not override it. - default: 1 - type: number # DEPRECATED: the following options are deprecated and are currently maintained # for backwards compatibility. They will be removed in the Ocata cycle. NeutronL3HA: - default: false + default: '' + type: string description: | - Whether to enable HA for virtual routers. While the default value is - 'false', L3 HA will be automatically enabled if the number of nodes - hosting controller configurations and DVR is disabled. This parameter is - being deprecated in Newton and is scheduled to be removed in Ocata. - Future releases will enable L3 HA by default if it is appropriate for the - deployment type. Alternate mechanisms will be available to override. - type: boolean + Whether to enable HA for virtual routers. When not set, L3 HA will be + automatically enabled if the number of nodes hosting controller + configurations and DVR is disabled. Valid values are 'true' or 'false' + This parameter is being deprecated in Newton and is scheduled to be + removed in Ocata. Future releases will enable L3 HA by default if it is + appropriate for the deployment type. Alternate mechanisms will be + available to override. parameter_groups: - label: deprecated @@ -97,18 +91,6 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} -conditions: - - auto_enable_l3_ha: - and: - - not: - equals: - - get_param: ControllerCount - - 1 - - equals: - - get_param: NeutronEnableDVR - - false - outputs: role_data: description: Role data for the Neutron Server agent service. @@ -135,7 +117,7 @@ outputs: neutron::server::api_workers: {get_param: NeutronWorkers} neutron::server::rpc_workers: {get_param: NeutronWorkers} neutron::server::allow_automatic_l3agent_failover: {get_param: NeutronAllowL3AgentFailover} - neutron::server::l3_ha: {if: ["auto_enable_l3_ha", true, {get_param: NeutronL3HA}]} + neutron::server::enable_proxy_headers_parsing: true neutron::keystone::authtoken::password: {get_param: NeutronPassword} neutron::server::notifications::nova_url: { get_param: [ EndpointMap, NovaInternal, uri ] } @@ -145,16 +127,11 @@ outputs: neutron::server::notifications::password: {get_param: NovaPassword} neutron::keystone::authtoken::project_name: 'service' neutron::server::sync_db: true - tripleo.neutron_server.firewall_rules: - '114 neutron server': + tripleo.neutron_api.firewall_rules: + '114 neutron api': dport: - 9696 - 13696 - '118 neutron vxlan networks': - proto: 'udp' - dport: 4789 - '106 vrrp': - proto: vrrp neutron::server::router_distributed: {get_param: NeutronEnableDVR} # NOTE: bind IP is found in Heat replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): @@ -162,6 +139,7 @@ outputs: # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR neutron::bind_host: {get_param: [ServiceNetMap, NeutronApiNetwork]} + tripleo::profile::base::neutron::server::l3_ha_override: {get_param: NeutronL3HA} step_config: | include tripleo::profile::base::neutron::server service_config_settings: diff --git a/puppet/services/neutron-base.yaml b/puppet/services/neutron-base.yaml index 32d50d41..0b2cef07 100644 --- a/puppet/services/neutron-base.yaml +++ b/puppet/services/neutron-base.yaml @@ -33,7 +33,7 @@ parameters: from neutron.core_plugins namespace. type: string NeutronServicePlugins: - default: "router,qos" + default: "router,qos,trunk" description: | Comma-separated list of service plugin entrypoints to be loaded from the neutron.service_plugins namespace. @@ -50,16 +50,13 @@ parameters: to false may result in configuration remnants after updates/upgrades. NeutronGlobalPhysnetMtu: type: number - default: 1496 + default: 1500 description: | MTU of the underlying physical network. Neutron uses this value to calculate MTU for all virtual network components. For flat and VLAN networks, neutron uses this value without modification. For overlay networks such as VXLAN, neutron automatically subtracts the overlay - protocol overhead from this value. The default value of 1496 is - currently in effect to compensate for some additional overhead when - deploying with some network configurations (e.g. network isolation over - single network interfaces) + protocol overhead from this value. ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set diff --git a/puppet/services/neutron-l3.yaml b/puppet/services/neutron-l3.yaml index 9e223374..a2157555 100644 --- a/puppet/services/neutron-l3.yaml +++ b/puppet/services/neutron-l3.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > OpenStack Neutron L3 agent configured with Puppet @@ -43,6 +43,10 @@ parameters: tag: openstack.neutron.agent.l3 path: /var/log/neutron/l3-agent.log +conditions: + + external_network_bridge_empty: {equals : [{get_param: NeutronExternalNetworkBridge}, "''"]} + resources: NeutronBase: @@ -63,9 +67,16 @@ outputs: - neutron config_settings: map_merge: - - get_attr: [NeutronBase, role_data, config_settings] + - get_attr: [NeutronBase, role_data, config_settings] + - neutron::agents::l3::router_delete_namespaces: True + neutron::agents::l3::agent_mode: {get_param: NeutronL3AgentMode} + tripleo.neutron_l3.firewall_rules: + '106 neutron_l3 vrrp': + proto: vrrp + - + if: + - external_network_bridge_empty + - {} - neutron::agents::l3::external_network_bridge: {get_param: NeutronExternalNetworkBridge} - neutron::agents::l3::router_delete_namespaces: True - neutron::agents::l3::agent_mode : {get_param: NeutronL3AgentMode} step_config: | include tripleo::profile::base::neutron::l3 diff --git a/puppet/services/neutron-ovs-agent.yaml b/puppet/services/neutron-ovs-agent.yaml index cbe65638..cca0deee 100644 --- a/puppet/services/neutron-ovs-agent.yaml +++ b/puppet/services/neutron-ovs-agent.yaml @@ -117,5 +117,11 @@ outputs: # internal_api_subnet - > IP/CIDR neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]} neutron::agents::ml2::ovs::firewall_driver: {get_param: NeutronOVSFirewallDriver} + tripleo.neutron_ovs_agent.firewall_rules: + '118 neutron vxlan networks': + proto: 'udp' + dport: 4789 + '136 neutron gre networks': + proto: 'gre' step_config: | include ::tripleo::profile::base::neutron::ovs diff --git a/puppet/services/neutron-ovs-dpdk-agent.yaml b/puppet/services/neutron-ovs-dpdk-agent.yaml index cc772c9d..fdfa1c03 100644 --- a/puppet/services/neutron-ovs-dpdk-agent.yaml +++ b/puppet/services/neutron-ovs-dpdk-agent.yaml @@ -22,7 +22,7 @@ parameters: description: List of cores to be used for DPDK Poll Mode Driver type: string constraints: - - allowed_pattern: "[0-9,-]+" + - allowed_pattern: "'[0-9,-]+'" NeutronDpdkMemoryChannels: description: Number of memory channels to be used for DPDK type: string diff --git a/puppet/services/neutron-plugin-ml2.yaml b/puppet/services/neutron-plugin-ml2.yaml index 17e8bca1..5dbae3dc 100644 --- a/puppet/services/neutron-plugin-ml2.yaml +++ b/puppet/services/neutron-plugin-ml2.yaml @@ -33,7 +33,7 @@ parameters: default: 'datacentre' description: If set, flat networks to configure in neutron plugins. NeutronPluginExtensions: - default: "qos,port_security,trunk" + default: "qos,port_security" description: | Comma-separated list of extensions enabled for the Neutron plugin. type: comma_delimited_list diff --git a/puppet/services/neutron-plugin-opencontrail.yaml b/puppet/services/neutron-plugin-opencontrail.yaml index 4e294965..098c9d05 100644 --- a/puppet/services/neutron-plugin-opencontrail.yaml +++ b/puppet/services/neutron-plugin-opencontrail.yaml @@ -59,7 +59,7 @@ outputs: config_settings: map_merge: - get_attr: [NeutronBase, role_data, config_settings] - - neutron::api_extensions_path: /usr/lib/python2.7/site-packages/neutron_plugin_contrail/extensions + - neutron::api_extensions_path: /usr/lib/python2.7/site-packages/neutron_plugin_contrail/extensions,/usr/lib/python2.7/site-packages/neutron_lbaas/extensions neutron::plugins::opencontrail::api_server_ip: {get_param: ContrailApiServerIp} neutron::plugins::opencontrail::api_server_port: {get_param: ContrailApiServerPort} diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml index b2ec0038..49bd84bc 100644 --- a/puppet/services/nova-api.yaml +++ b/puppet/services/nova-api.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > OpenStack Nova API service configured with Puppet @@ -51,8 +51,22 @@ parameters: default: tag: openstack.nova.api path: /var/log/nova/nova-api.log + EnableInternalTLS: + type: boolean + default: false + +conditions: + nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} resources: + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} + NovaBase: type: ./nova-base.yaml properties: @@ -71,40 +85,55 @@ outputs: - nova config_settings: map_merge: - - get_attr: [NovaBase, role_data, config_settings] + - get_attr: [NovaBase, role_data, config_settings] + - get_attr: [ApacheServiceBase, role_data, config_settings] + - nova::cron::archive_deleted_rows::hour: '"*/12"' + nova::cron::archive_deleted_rows::destination: '"/dev/null"' + tripleo.nova_api.firewall_rules: + '113 nova_api': + dport: + - 8773 + - 3773 + - 8774 + - 13774 + - 8775 + nova::keystone::authtoken::project_name: 'service' + nova::keystone::authtoken::password: {get_param: NovaPassword} + nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + nova::api::enabled: true + nova::api::default_floating_pool: 'public' + nova::api::sync_db_api: true + nova::api::enable_proxy_headers_parsing: true + nova::api::api_bind_address: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} + nova::api::service_name: 'httpd' + nova::wsgi::apache::ssl: {get_param: EnableInternalTLS} + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + nova::wsgi::apache::bind_host: {get_param: [ServiceNetMap, NovaApiNetwork]} + nova::wsgi::apache::servername: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} + nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} + nova::api::instance_name_template: {get_param: InstanceNameTemplate} + nova_enable_db_purge: {get_param: NovaEnableDBPurge} + - + if: + - nova_workers_zero + - {} - nova::api::osapi_compute_workers: {get_param: NovaWorkers} - nova::api::metadata_workers: {get_param: NovaWorkers} - nova::cron::archive_deleted_rows::hour: '"*/12"' - nova::cron::archive_deleted_rows::destination: '"/dev/null"' - tripleo.nova_api.firewall_rules: - '113 nova_api': - dport: - - 6080 - - 13080 - - 8773 - - 3773 - - 8774 - - 13774 - - 8775 - nova::keystone::authtoken::project_name: 'service' - nova::keystone::authtoken::password: {get_param: NovaPassword} - nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} - nova::api::enabled: true - nova::api::default_floating_pool: 'public' - nova::api::sync_db_api: true - nova::api::enable_proxy_headers_parsing: true - # NOTE: bind IP is found in Heat replacing the network name with the local node IP - # for the given network; replacement examples (eg. for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - nova::api::api_bind_address: {get_param: [ServiceNetMap, NovaApiNetwork]} - nova::api::metadata_listen: {get_param: [ServiceNetMap, NovaMetadataNetwork]} - nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} - nova::api::instance_name_template: {get_param: InstanceNameTemplate} - nova_enable_db_purge: {get_param: NovaEnableDBPurge} - + nova::wsgi::apache::workers: {get_param: NovaWorkers} step_config: | include tripleo::profile::base::nova::api service_config_settings: diff --git a/puppet/services/nova-base.yaml b/puppet/services/nova-base.yaml index 8db00d8f..74a95d20 100644 --- a/puppet/services/nova-base.yaml +++ b/puppet/services/nova-base.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > OpenStack Nova base service. Shared for all Nova services. @@ -66,6 +66,9 @@ parameters: type: string description: Nova Compute upgrade level default: '' +conditions: + + compute_upgrade_level_empty: {equals : [{get_param: UpgradeLevelNovaCompute}, '']} outputs: role_data: @@ -73,45 +76,50 @@ outputs: value: service_name: nova_base config_settings: - nova::rabbit_password: {get_param: RabbitPassword} - nova::rabbit_userid: {get_param: RabbitUserName} - nova::rabbit_use_ssl: {get_param: RabbitClientUseSSL} - nova::rabbit_port: {get_param: RabbitClientPort} - nova::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://nova:' - - {get_param: NovaPassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/nova' - nova::api_database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://nova_api:' - - {get_param: NovaPassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/nova_api' - nova::debug: {get_param: Debug} - nova::purge_config: {get_param: EnableConfigPurge} - nova::network::neutron::neutron_project_name: 'service' - nova::network::neutron::neutron_username: 'neutron' - nova::network::neutron::dhcp_domain: '' - nova::network::neutron::neutron_password: {get_param: NeutronPassword} - nova::network::neutron::neutron_url: {get_param: [EndpointMap, NeutronInternal, uri]} - nova::network::neutron::neutron_auth_url: {get_param: [EndpointMap, KeystoneV3Admin, uri]} - nova::rabbit_heartbeat_timeout_threshold: 60 - nova::cinder_catalog_info: 'volumev2:cinderv2:internalURL' - nova::host: '"%{::fqdn}"' # NOTE: extra quoting is needed. - nova::notify_on_state_change: 'vm_and_task_state' - nova::notification_driver: messagingv2 - nova::network::neutron::neutron_auth_type: 'v3password' - nova::db::database_db_max_retries: -1 - nova::db::database_max_retries: -1 - nova::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]} - nova::use_ipv6: {get_param: NovaIPv6} - nova::upgrade_level_compute: {get_param: UpgradeLevelNovaCompute} - nova::network::neutron::neutron_ovs_bridge: {get_param: NovaOVSBridge} + map_merge: + - nova::rabbit_password: {get_param: RabbitPassword} + nova::rabbit_userid: {get_param: RabbitUserName} + nova::rabbit_use_ssl: {get_param: RabbitClientUseSSL} + nova::rabbit_port: {get_param: RabbitClientPort} + nova::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://nova:' + - {get_param: NovaPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/nova' + nova::api_database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://nova_api:' + - {get_param: NovaPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/nova_api' + nova::debug: {get_param: Debug} + nova::purge_config: {get_param: EnableConfigPurge} + nova::network::neutron::neutron_project_name: 'service' + nova::network::neutron::neutron_username: 'neutron' + nova::network::neutron::dhcp_domain: '' + nova::network::neutron::neutron_password: {get_param: NeutronPassword} + nova::network::neutron::neutron_url: {get_param: [EndpointMap, NeutronInternal, uri]} + nova::network::neutron::neutron_auth_url: {get_param: [EndpointMap, KeystoneV3Admin, uri]} + nova::rabbit_heartbeat_timeout_threshold: 60 + nova::cinder_catalog_info: 'volumev2:cinderv2:internalURL' + nova::host: '"%{::fqdn}"' # NOTE: extra quoting is needed. + nova::notify_on_state_change: 'vm_and_task_state' + nova::notification_driver: messagingv2 + nova::network::neutron::neutron_auth_type: 'v3password' + nova::db::database_db_max_retries: -1 + nova::db::database_max_retries: -1 + nova::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]} + nova::use_ipv6: {get_param: NovaIPv6} + nova::network::neutron::neutron_ovs_bridge: {get_param: NovaOVSBridge} + - + if: + - compute_upgrade_level_empty + - {} + - nova::upgrade_level_compute: {get_param: UpgradeLevelNovaCompute} diff --git a/puppet/services/nova-conductor.yaml b/puppet/services/nova-conductor.yaml index 2671cdd3..a10d9560 100644 --- a/puppet/services/nova-conductor.yaml +++ b/puppet/services/nova-conductor.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > OpenStack Nova Conductor service configured with Puppet @@ -31,6 +31,9 @@ parameters: tag: openstack.nova.scheduler path: /var/log/nova/nova-scheduler.log +conditions: + nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} + resources: NovaBase: type: ./nova-base.yaml @@ -50,7 +53,11 @@ outputs: - nova config_settings: map_merge: - - get_attr: [NovaBase, role_data, config_settings] + - get_attr: [NovaBase, role_data, config_settings] + - + if: + - nova_workers_zero + - {} - nova::conductor::workers: {get_param: NovaWorkers} step_config: | include tripleo::profile::base::nova::conductor diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml index b5ca2437..70774bac 100644 --- a/puppet/services/nova-libvirt.yaml +++ b/puppet/services/nova-libvirt.yaml @@ -50,6 +50,13 @@ outputs: tripleo::profile::base::nova::libvirt_enabled: true nova::compute::libvirt::services::libvirt_virt_type: {get_param: NovaComputeLibvirtType} nova::compute::libvirt::libvirt_virt_type: {get_param: NovaComputeLibvirtType} + tripleo.nova_libvirt.firewall_rules: + '200 nova_libvirt': + dport: + - 16509 + - 16514 + - '49152-49215' + - '5900-5999' step_config: | include tripleo::profile::base::nova::libvirt diff --git a/puppet/services/nova-metadata.yaml b/puppet/services/nova-metadata.yaml index 92373c56..40931da6 100644 --- a/puppet/services/nova-metadata.yaml +++ b/puppet/services/nova-metadata.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > OpenStack Nova API service configured with Puppet @@ -23,12 +23,20 @@ parameters: description: Number of workers for Nova API service. type: number +conditions: + nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} + outputs: role_data: description: Role data for the Nova Metadata service. value: service_name: nova_metadata config_settings: - nova::api::metadata_workers: {get_param: NovaWorkers} - nova::api::metadata_listen: {get_param: [ServiceNetMap, NovaMetadataNetwork]} + map_merge: + - nova::api::metadata_listen: {get_param: [ServiceNetMap, NovaMetadataNetwork]} + - + if: + - nova_workers_zero + - {} + - nova::api::metadata_workers: {get_param: NovaWorkers} step_config: "" diff --git a/puppet/services/nova-scheduler.yaml b/puppet/services/nova-scheduler.yaml index d89e3e11..d4e5fff6 100644 --- a/puppet/services/nova-scheduler.yaml +++ b/puppet/services/nova-scheduler.yaml @@ -58,7 +58,7 @@ outputs: config_settings: map_merge: - get_attr: [NovaBase, role_data, config_settings] - - nova::scheduler::filter::ram_allocation_ratio: '1.0' + - nova::ram_allocation_ratio: '1.0' nova::scheduler::filter::scheduler_available_filters: {get_param: NovaSchedulerAvailableFilters} nova::scheduler::filter::scheduler_default_filters: {get_param: NovaSchedulerDefaultFilters} step_config: | diff --git a/puppet/services/nova-vnc-proxy.yaml b/puppet/services/nova-vnc-proxy.yaml index 85d59ae6..e6b0703f 100644 --- a/puppet/services/nova-vnc-proxy.yaml +++ b/puppet/services/nova-vnc-proxy.yaml @@ -57,5 +57,10 @@ outputs: # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR nova::vncproxy::host: {get_param: [ServiceNetMap, NovaApiNetwork]} + tripleo.nova_vnc_proxy.firewall_rules: + '137 nova_vnc_proxy': + dport: + - 6080 + - 13080 step_config: | include tripleo::profile::base::nova::vncproxy diff --git a/puppet/services/opendaylight-api.yaml b/puppet/services/opendaylight-api.yaml index d2ee036e..253d63ef 100644 --- a/puppet/services/opendaylight-api.yaml +++ b/puppet/services/opendaylight-api.yaml @@ -8,10 +8,6 @@ parameters: default: 8081 description: Set opendaylight service port type: number - EnableOpenDaylightOnController: - default: false - description: Whether to install OpenDaylight on control nodes. - type: boolean OpenDaylightUsername: default: 'admin' description: The username for the opendaylight server. @@ -33,14 +29,6 @@ parameters: description: List of features to install with ODL type: comma_delimited_list default: ["odl-netvirt-openstack","odl-netvirt-ui"] - OpenDaylightConnectionProtocol: - description: L7 protocol used for REST access - type: string - default: 'http' - OpenDaylightCheckURL: - description: URL postfix to verify ODL has finished starting up - type: string - default: 'restconf/operational/network-topology:network-topology/topology/netvirt:1' OpenDaylightApiVirtualIP: type: string default: '' @@ -66,15 +54,11 @@ outputs: service_name: opendaylight_api config_settings: opendaylight::odl_rest_port: {get_param: OpenDaylightPort} - odl_on_controller: {get_param: EnableOpenDaylightOnController} - opendaylight_check_url: {get_param: OpenDaylightCheckURL} opendaylight::username: {get_param: OpenDaylightUsername} opendaylight::password: {get_param: OpenDaylightPassword} opendaylight::enable_l3: {get_param: OpenDaylightEnableL3} opendaylight::extra_features: {get_param: OpenDaylightFeatures} opendaylight::enable_dhcp: {get_param: OpenDaylightEnableDHCP} - opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol} - opendaylight::odl_bind_ip: {get_param: [ServiceNetMap, OpenDaylightApiNetwork]} + opendaylight::odl_bind_ip: {get_param: [ServiceNetMap, OpendaylightApiNetwork]} step_config: | include tripleo::profile::base::neutron::opendaylight - include tripleo::profile::base::neutron::plugins::ovs::opendaylight diff --git a/puppet/services/opendaylight-ovs.yaml b/puppet/services/opendaylight-ovs.yaml index 8bcb72f7..907ecddc 100644 --- a/puppet/services/opendaylight-ovs.yaml +++ b/puppet/services/opendaylight-ovs.yaml @@ -19,6 +19,11 @@ parameters: OpenDaylightApiVirtualIP: type: string default: '' + OpenDaylightProviderMappings: + description: Mappings between logical networks and physical interfaces. + Required for VLAN deployments. For example physnet1 -> eth1. + type: comma_delimited_list + default: "datacentre:br-ex" EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -43,5 +48,17 @@ outputs: opendaylight::odl_rest_port: {get_param: OpenDaylightPort} opendaylight_check_url: {get_param: OpenDaylightCheckURL} opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol} + neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]} + neutron::plugins::ovs::opendaylight::provider_mappings: + str_replace: + template: MAPPINGS + params: + MAPPINGS: {get_param: OpenDaylightProviderMappings} + tripleo.opendaylight_ovs.firewall_rules: + '118 neutron vxlan networks': + proto: 'udp' + dport: 4789 + '136 neutron gre networks': + proto: 'gre' step_config: | include tripleo::profile::base::neutron::plugins::ovs::opendaylight diff --git a/puppet/services/pacemaker/cinder-volume.yaml b/puppet/services/pacemaker/cinder-volume.yaml index 11b9bf8f..d91a0181 100644 --- a/puppet/services/pacemaker/cinder-volume.yaml +++ b/puppet/services/pacemaker/cinder-volume.yaml @@ -41,5 +41,6 @@ outputs: - get_attr: [CinderVolumeBase, role_data, config_settings] - cinder::volume::manage_service: false cinder::volume::enabled: false + cinder::host: hostgroup step_config: include ::tripleo::profile::pacemaker::cinder::volume diff --git a/puppet/services/pacemaker/database/mongodb.yaml b/puppet/services/pacemaker/database/mongodb.yaml index 64ae2e91..982b6064 100644 --- a/puppet/services/pacemaker/database/mongodb.yaml +++ b/puppet/services/pacemaker/database/mongodb.yaml @@ -22,7 +22,7 @@ parameters: resources: MongoDbBase: - type: ../../database/mongodb-base.yaml + type: ../../database/mongodb.yaml properties: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} diff --git a/puppet/services/pacemaker/database/redis.yaml b/puppet/services/pacemaker/database/redis.yaml index d9156e67..196754eb 100644 --- a/puppet/services/pacemaker/database/redis.yaml +++ b/puppet/services/pacemaker/database/redis.yaml @@ -21,7 +21,7 @@ parameters: resources: RedisBase: - type: ../../database/redis-base.yaml + type: ../../database/redis.yaml properties: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} diff --git a/puppet/services/pacemaker/haproxy.yaml b/puppet/services/pacemaker/haproxy.yaml index 52104a71..e4115d64 100644 --- a/puppet/services/pacemaker/haproxy.yaml +++ b/puppet/services/pacemaker/haproxy.yaml @@ -38,7 +38,5 @@ outputs: - get_attr: [LoadbalancerServiceBase, role_data, config_settings] - tripleo::haproxy::haproxy_service_manage: false tripleo::haproxy::mysql_clustercheck: true - enable_keepalived: false - tripleo::haproxy::keepalived: false step_config: | include ::tripleo::profile::pacemaker::haproxy diff --git a/puppet/services/panko-api.yaml b/puppet/services/panko-api.yaml new file mode 100644 index 00000000..63f631a0 --- /dev/null +++ b/puppet/services/panko-api.yaml @@ -0,0 +1,84 @@ +heat_template_version: 2016-04-08 + +description: > + OpenStack Panko API service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + MonitoringSubscriptionPankoApi: + default: 'overcloud-ceilometer-panko-api' + type: string + EnableInternalTLS: + type: boolean + default: false + +resources: + PankoBase: + type: ./panko-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} + +outputs: + role_data: + description: Role data for the Panko API service. + value: + service_name: panko_api + monitoring_subscription: {get_param: MonitoringSubscriptionPankoApi} + config_settings: + map_merge: + - get_attr: [PankoBase, role_data, config_settings] + - get_attr: [ApacheServiceBase, role_data, config_settings] + - panko::wsgi::apache::ssl: {get_param: EnableInternalTLS} + panko::wsgi::apache::servername: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, PankoApiNetwork]} + panko::api::service_name: 'httpd' + panko::api::enable_proxy_headers_parsing: true + tripleo.panko_api.firewall_rules: + '140 panko-api': + dport: + - 8779 + - 13779 + panko::api::host: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, PankoApiNetwork]} + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + panko::wsgi::apache::bind_host: {get_param: [ServiceNetMap, PankoApiNetwork]} + service_config_settings: + get_attr: [PankoBase, role_data, service_config_settings] + step_config: | + include tripleo::profile::base::panko::api diff --git a/puppet/services/panko-base.yaml b/puppet/services/panko-base.yaml new file mode 100644 index 00000000..32754a55 --- /dev/null +++ b/puppet/services/panko-base.yaml @@ -0,0 +1,74 @@ +heat_template_version: 2016-04-08 + +description: > + OpenStack Panko service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + PankoPassword: + description: The password for the panko services. + type: string + hidden: true + Debug: + default: '' + description: Set to True to enable debugging on all services. + type: string + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + +outputs: + role_data: + description: Role data for the Panko role. + value: + service_name: panko_base + config_settings: + panko_redis_password: {get_param: RedisPassword} + panko::db::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://panko:' + - {get_param: PankoPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/panko' + panko::debug: {get_param: Debug} + panko::auth::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } + panko::keystone::authtoken::project_name: 'service' + panko::keystone::authtoken::password: {get_param: PankoPassword} + panko::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + panko::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + panko::auth::auth_password: {get_param: PankoPassword} + panko::auth::auth_region: 'regionOne' + panko::auth::auth_tenant_name: 'service' + service_config_settings: + keystone: + panko::keystone::auth::public_url: {get_param: [EndpointMap, PankoPublic, uri]} + panko::keystone::auth::internal_url: {get_param: [EndpointMap, PankoInternal, uri]} + panko::keystone::auth::admin_url: {get_param: [EndpointMap, PankoAdmin, uri]} + panko::keystone::auth::password: {get_param: PankoPassword} + panko::keystone::auth::region: {get_param: KeystoneRegion} + panko::keystone::auth::tenant: 'service' + mysql: + panko::db::mysql::user: panko + panko::db::mysql::password: {get_param: PankoPassword} + panko::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + panko::db::mysql::dbname: panko + panko::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/rabbitmq.yaml b/puppet/services/rabbitmq.yaml index 5387529d..44a09a42 100644 --- a/puppet/services/rabbitmq.yaml +++ b/puppet/services/rabbitmq.yaml @@ -71,6 +71,7 @@ outputs: rabbitmq::port: '5672' rabbitmq::package_source: undef rabbitmq::repos_ensure: false + rabbitmq::tcp_keepalive: true rabbitmq_environment: RABBITMQ_NODENAME: "rabbit@%{::hostname}" RABBITMQ_SERVER_ERL_ARGS: '"+K true +P 1048576 -kernel inet_default_connect_options [{nodelay,true},{raw,6,18,<<5000:64/native>>}] -kernel inet_default_listen_options [{raw,6,18,<<5000:64/native>>}]"' @@ -78,7 +79,6 @@ outputs: inet_dist_listen_min: '25672' inet_dist_listen_max: '25672' rabbitmq_config_variables: - tcp_listen_options: '[binary, {packet, raw}, {reuseaddr, true}, {backlog, 128}, {nodelay, true}, {exit_on_close, false}, {keepalive, true}]' cluster_partition_handling: 'pause_minority' queue_master_locator: '<<"min-masters">>' loopback_users: '[]' diff --git a/puppet/services/sahara-base.yaml b/puppet/services/sahara-base.yaml index 5fc8ed61..4072a150 100644 --- a/puppet/services/sahara-base.yaml +++ b/puppet/services/sahara-base.yaml @@ -44,6 +44,10 @@ parameters: type: string default: '' description: Set to True to enable debugging on all services. + SaharaPlugins: + default: ["ambari","cdh","mapr","vanilla","spark","storm"] + description: Sahara enabled plugin list + type: comma_delimited_list outputs: role_data: @@ -69,13 +73,7 @@ outputs: sahara::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } sahara::identity_uri: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } sahara::use_neutron: true - sahara::plugins: - - ambari - - cdh - - mapr - - vanilla - - spark - - storm + sahara::plugins: {get_param: SaharaPlugins} sahara::rpc_backend: rabbit sahara::admin_tenant_name: 'service' sahara::db::database_db_max_retries: -1 diff --git a/puppet/services/services.yaml b/puppet/services/services.yaml index 7b5fa40c..ffe2d2d4 100644 --- a/puppet/services/services.yaml +++ b/puppet/services/services.yaml @@ -54,8 +54,8 @@ outputs: data: {s_names: {get_attr: [ServiceChain, role_data, service_name]}} monitoring_subscriptions: yaql: - expression: list($.data.where($ != null).select($.get('monitoring_subscription')).where($ != null)) - data: {get_attr: [ServiceChain, role_data]} + expression: list($.data.role_data.where($ != null).select($.get('monitoring_subscription')).where($ != null)) + data: {role_data: {get_attr: [ServiceChain, role_data]}} logging_sources: # Transform the individual logging_source configuration from # each service in the chain into a global list, adding some @@ -78,8 +78,9 @@ outputs: sources: - {get_attr: [LoggingConfiguration, LoggingDefaultSources]} - yaql: - expression: list($.data.where($ != null).select($.get('logging_sources')).where($ != null)) - data: {get_attr: [ServiceChain, role_data]} + expression: list($.data.role_data.where($ != null).select($.get('logging_source')).where($ != null)) + data: {role_data: {get_attr: [ServiceChain, role_data]}} + - {get_attr: [LoggingConfiguration, LoggingExtraSources]} default_format: {get_attr: [LoggingConfiguration, LoggingDefaultFormat]} pos_file_path: {get_attr: [LoggingConfiguration, LoggingPosFilePath]} @@ -93,17 +94,17 @@ outputs: groups: - [{get_attr: [LoggingConfiguration, LoggingDefaultGroups]}] - yaql: - expression: list($.data.where($ != null).select($.get('logging_groups')).where($ != null)) - data: {get_attr: [ServiceChain, role_data]} + expression: list($.data.role_data.where($ != null).select($.get('logging_groups')).where($ != null)) + data: {role_data: {get_attr: [ServiceChain, role_data]}} - [{get_attr: [LoggingConfiguration, LoggingExtraGroups]}] config_settings: {map_merge: {get_attr: [ServiceChain, role_data, config_settings]}} global_config_settings: map_merge: yaql: - expression: list($.data.where($ != null).select($.get('global_config_settings')).where($ != null)) - data: {get_attr: [ServiceChain, role_data]} + expression: list($.data.role_data.where($ != null).select($.get('global_config_settings')).where($ != null)) + data: {role_data: {get_attr: [ServiceChain, role_data]}} service_config_settings: yaql: - expression: $.data.where($ != null).select($.get('service_config_settings')).where($ != null).reduce($1.mergeWith($2), {}) - data: {get_attr: [ServiceChain, role_data]} + expression: $.data.role_data.where($ != null).select($.get('service_config_settings')).where($ != null).reduce($1.mergeWith($2), {}) + data: {role_data: {get_attr: [ServiceChain, role_data]}} step_config: {list_join: ["\n", {get_attr: [ServiceChain, role_data, step_config]}]} diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml index 8b990bcd..ba184ab0 100644 --- a/puppet/services/swift-proxy.yaml +++ b/puppet/services/swift-proxy.yaml @@ -41,6 +41,14 @@ parameters: MonitoringSubscriptionSwiftProxy: default: 'overcloud-swift-proxy' type: string + RabbitPassword: + description: The password for RabbitMQ + type: string + hidden: true + RabbitUserName: + default: guest + description: The username for RabbitMQ + type: string resources: SwiftBase: @@ -66,6 +74,10 @@ outputs: swift::proxy::authtoken::project_name: 'service' swift::proxy::node_timeout: {get_param: SwiftProxyNodeTimeout} swift::proxy::workers: {get_param: SwiftWorkers} + swift::proxy::ceilometer::rabbit_user: {get_param: RabbitUserName} + swift::proxy::ceilometer::rabbit_password: {get_param: RabbitPassword} + swift::proxy::staticweb::url_base: {get_param: [EndpointMap, SwiftPublic, uri_no_suffix]} + swift::proxy::ceilometer::nonblocking_notify: true tripleo.swift_proxy.firewall_rules: '122 swift proxy': dport: @@ -75,6 +87,7 @@ outputs: - admin - swiftoperator - ResellerAdmin + swift::proxy::versioned_writes::allow_versioned_writes: true swift::proxy::pipeline: - 'catch_errors' - 'healthcheck' @@ -87,6 +100,13 @@ outputs: - 'authtoken' - 'keystone' - 'staticweb' + - 'copy' + - 'container-quotas' + - 'account-quotas' + - 'slo' + - 'dlo' + - 'versioned_writes' + - 'ceilometer' - 'proxy-logging' - 'proxy-server' swift::proxy::account_autocreate: true diff --git a/puppet/services/swift-ringbuilder.yaml b/puppet/services/swift-ringbuilder.yaml index e151d185..5c70b6ab 100644 --- a/puppet/services/swift-ringbuilder.yaml +++ b/puppet/services/swift-ringbuilder.yaml @@ -38,7 +38,10 @@ parameters: default: {} description: 'A hash of additional raw devices to use as Swift backend (eg. {sdb: {}})' type: json - + SwiftUseLocalDir: + default: true + description: 'Use a local directory for Swift storage services when building rings' + type: boolean outputs: role_data: @@ -48,18 +51,18 @@ outputs: config_settings: tripleo::profile::base::swift::ringbuilder::build_ring: {get_param: SwiftRingBuild} tripleo::profile::base::swift::ringbuilder::replicas: {get_param: SwiftReplicas} + tripleo::profile::base::swift::ringbuilder::part_power: {get_param: SwiftPartPower} + tripleo::profile::base::swift::ringbuilder::min_part_hours: {get_param: SwiftMinPartHours} tripleo::profile::base::swift::ringbuilder::raw_disk_prefix: 'r1z1-' tripleo::profile::base::swift::ringbuilder::raw_disks: yaql: expression: $.data.raw_disk_lists.flatten() data: raw_disk_lists: - - [':%PORT%/d1'] + - {if: [{get_param: SwiftUseLocalDir}, [':%PORT%/d1'], []]} - repeat: template: ':%PORT%/DEVICE' for_each: DEVICE: {get_param: SwiftRawDisks} - swift::ringbuilder::part_power: {get_param: SwiftPartPower} - swift::ringbuilder::min_part_hours: {get_param: SwiftMinPartHours} step_config: | include ::tripleo::profile::base::swift::ringbuilder diff --git a/puppet/services/swift-storage.yaml b/puppet/services/swift-storage.yaml index 7fbb8d90..cffe78f5 100644 --- a/puppet/services/swift-storage.yaml +++ b/puppet/services/swift-storage.yaml @@ -86,7 +86,7 @@ outputs: swift::storage::all::account_pipeline: - healthcheck - account-server - swift::storage::disks: {get_param: SwiftRawDisks} + swift::storage::disks::args: {get_param: SwiftRawDisks} swift::storage::all::storage_local_net_ip: {get_param: [ServiceNetMap, SwiftStorageNetwork]} step_config: | include ::tripleo::profile::base::swift::storage diff --git a/puppet/services/tripleo-firewall.yaml b/puppet/services/tripleo-firewall.yaml index f6ec458f..7eb39905 100644 --- a/puppet/services/tripleo-firewall.yaml +++ b/puppet/services/tripleo-firewall.yaml @@ -19,7 +19,7 @@ parameters: via parameter_defaults in the resource registry. type: json ManageFirewall: - default: false + default: true description: Whether to manage IPtables rules. type: boolean PurgeFirewallRules: diff --git a/puppet/services/vip-hosts.yaml b/puppet/services/vip-hosts.yaml deleted file mode 100644 index a9d757ee..00000000 --- a/puppet/services/vip-hosts.yaml +++ /dev/null @@ -1,56 +0,0 @@ -heat_template_version: 2016-04-08 - -description: > - If the deployer doesn't have a DNS server for the overcloud nodes. This will - populate the node-names and IPs for the VIPs of the overcloud. - -parameters: - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - DefaultPasswords: - default: {} - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - -outputs: - role_data: - description: role data for the VIP hosts role - value: - service_name: vip_hosts - config_settings: - tripleo::vip_hosts::hosts_spec: - external: - name: "%{hiera('cloud_name_external')}" - ip: "%{hiera('public_virtual_ip')}" - ensure: present - comment: FQDN of the external VIP - internal_api: - name: "%{hiera('cloud_name_internal_api')}" - ip: "%{hiera('internal_api_virtual_ip')}" - ensure: present - comment: FQDN of the internal api VIP - storage: - name: "%{hiera('cloud_name_storage')}" - ip: "%{hiera('storage_virtual_ip')}" - ensure: present - comment: FQDN of the storage VIP - storage_mgmt: - name: "%{hiera('cloud_name_storage_mgmt')}" - ip: "%{hiera('storage_mgmt_virtual_ip')}" - ensure: present - comment: FQDN of the storage mgmt VIP - ctlplane: - name: "%{hiera('cloud_name_ctlplane')}" - ip: "%{hiera('controller_virtual_ip')}" - ensure: present - comment: FQDN of the ctlplane VIP - step_config: | - include ::tripleo::vip_hosts |