Diffstat (limited to 'puppet/services')
-rw-r--r-- | puppet/services/apache.yaml | 39 | ||||
-rw-r--r-- | puppet/services/neutron-api.yaml | 1 | ||||
-rw-r--r-- | puppet/services/neutron-l2gw-agent.yaml | 106 | ||||
-rw-r--r-- | puppet/services/snmp.yaml | 5 |
4 files changed, 136 insertions, 15 deletions
diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml index ac371927..12ecc7b5 100644 --- a/puppet/services/apache.yaml +++ b/puppet/services/apache.yaml @@ -38,6 +38,11 @@ parameters: EnableInternalTLS: type: boolean default: false + InternalTLSCAFile: + default: '/etc/ipa/ca.crt' + type: string + description: Specifies the default CA cert to use if TLS is used for + services in the internal network. conditions: @@ -84,21 +89,25 @@ outputs: apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit } apache::mod::remoteip::proxy_ips: - "%{hiera('apache_remote_proxy_ips_network')}" - - - generate_service_certificates: true - tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd' - tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd' - apache_certificates_specs: - map_merge: - repeat: - template: - httpd-NETWORK: - service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt' - service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key' - hostname: "%{hiera('fqdn_NETWORK')}" - principal: "HTTP/%{hiera('fqdn_NETWORK')}" - for_each: - NETWORK: {get_attr: [ApacheNetworks, value]} + - if: + - internal_tls_enabled + - + generate_service_certificates: true + apache::mod::ssl::ssl_ca: {get_param: InternalTLSCAFile} + tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd' + tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd' + apache_certificates_specs: + map_merge: + repeat: + template: + httpd-NETWORK: + service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt' + service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key' + hostname: "%{hiera('fqdn_NETWORK')}" + principal: "HTTP/%{hiera('fqdn_NETWORK')}" + for_each: + NETWORK: {get_attr: [ApacheNetworks, value]} + - {} metadata_settings: if: - internal_tls_enabled diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml index b4a21a31..8e1e0b80 100644 
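Review bot: The default for `InternalTLSCAFile`, `/etc/ipa/ca.crt`, assumes the node is enrolled with FreeIPA, but the description does not say so, nor that the file has to exist on every node that runs Apache. A deployment that gets its internal certificates from another CA would silently keep a path that is not there. Suggested wording: `description: Path to the CA certificate Apache trusts for internal TLS; must already exist on each node (the default assumes FreeIPA enrollment).` The parameter appears to be consumed only inside the `internal_tls_enabled` branch of the second hunk, which is worth stating too. The parameters block starts and ends outside this hunk.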
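Review bot: `apache::mod::ssl::ssl_ca` is a module-level mod_ssl setting, so the internal CA becomes the trust anchor for every TLS vhost on this Apache instance, not only those bound to internal networks. Please confirm that is intended, because any vhost that enables client-certificate verification would then accept certificates issued by this CA. Nothing in the hunk checks that the file exists, and Apache may refuse to start if it is missing. A comment above the line would record the scope: `# server-wide CA for mod_ssl; the file must be present before Apache is configured`. The enclosing `config_settings` map begins before the hunk.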
--- a/puppet/services/neutron-api.yaml +++ b/puppet/services/neutron-api.yaml @@ -166,6 +166,7 @@ outputs: - 9696 - 13696 neutron::server::router_distributed: {get_param: NeutronEnableDVR} + neutron::server::enable_dvr: {get_param: NeutronEnableDVR} # NOTE: bind IP is found in Heat replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP diff --git a/puppet/services/neutron-l2gw-agent.yaml b/puppet/services/neutron-l2gw-agent.yaml new file mode 100644 index 00000000..39c443f7 --- /dev/null +++ b/puppet/services/neutron-l2gw-agent.yaml 
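Review bot: `neutron::server::enable_dvr` and `neutron::server::router_distributed` are now both driven by `NeutronEnableDVR`, and nothing at this spot explains why two keys are needed or how they differ. As I understand the neutron options (please confirm), `enable_dvr` gates the DVR API extension while `router_distributed` sets the default type for new routers, so tying them together means the extension cannot be exposed without also changing that default. A one-line comment above the added key would capture this: `# enable_dvr exposes the DVR API extension; router_distributed makes new routers distributed by default`. The enclosing `config_settings` map starts and ends outside the hunk.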
@@ -0,0 +1,106 @@ +heat_template_version: pike + +description: > + L2 Gateway agent configured with Puppet +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + L2gwAgentOvsdbHosts: + default: '' + description: L2 gateway agent OVSDB server list. + type: comma_delimited_list + L2gwAgentEnableManager: + default: false + description: Connection can be initiated by the ovsdb server. + type: boolean + L2gwAgentManagerTableListeningPort: + default: 6632 + description: port number for L2 gateway agent, so that it can listen + type: number + L2gwAgentPeriodicInterval: + default: 20 + description: The L2 gateway agent checks connection state with the OVSDB + servers. The interval is number of seconds between attempts. + type: number + L2gwAgentMaxConnectionRetries: + default: 10 + description: The L2 gateway agent retries to connect to the OVSDB server + type: number + L2gwAgentSocketTimeout: + default: 30 + description: socket timeout + type: number + MonitoringSubscriptionNeutronL2gwAgent: + default: 'overcloud-neutron-l2gw-agent' + type: string + NeutronL2gwAgentLoggingSource: + type: json + default: + tag: openstack.neutron.agent.l2gw + path: /var/log/neutron/l2gw-agent.log + +conditions: + internal_manager_enabled: {equals: [{get_param: L2gwAgentEnableManager}, True]} + +outputs: + role_data: + description: Role data for the L2 Gateway role. 
+ value: + service_name: neutron_l2gw_agent + monitoring_subscription: {get_param: MonitoringSubscriptionNeutronL2gwAgent} + logging_source: {get_param: NeutronL2gwAgentLoggingSource} + logging_groups: + - neutron + config_settings: + map_merge: + - neutron::agents::l2gw::ovsdb_hosts: {get_param: L2gwAgentOvsdbHosts} + neutron::agents::l2gw::enable_manager: {get_param: L2gwAgentEnableManager} + neutron::agents::l2gw::manager_table_listening_port: {get_param: L2gwAgentManagerTableListeningPort} + neutron::agents::l2gw::periodic_interval: {get_param: L2gwAgentPeriodicInterval} + neutron::agents::l2gw::max_connection_retries: {get_param: L2gwAgentMaxConnectionRetries} + neutron::agents::l2gw::socket_timeout: {get_param: L2gwAgentSocketTimeout} + - + if: + - internal_manager_enabled + - tripleo.neutron_l2gw_agent.firewall_rules: + '142 neutron l2gw agent input': + proto: 'tcp' + dport: {get_param: L2gwAgentManagerTableListeningPort} + - null + + step_config: | + include tripleo::profile::base::neutron::agents::l2gw + upgrade_tasks: + - name: Check if neutron_l2gw_agent is deployed + command: systemctl is-enabled neutron-l2gw-agent + tags: common + ignore_errors: True + register: neutron_l2gw_agent_enabled + - name: "PreUpgrade step0,validation: Check service neutron-l2gw-agent is running" + shell: /usr/bin/systemctl show 'neutron-l2gw-agent' --property ActiveState | grep '\bactive\b' + when: neutron_l2gw_agent_enabled.rc == 0 + tags: step0,validation + - name: Stop neutron_l2gw_agent service + tags: step1 + when: neutron_l2gw_agent_enabled.rc == 0 + service: name=neutron-l2gw-agent state=stopped diff --git a/puppet/services/snmp.yaml b/puppet/services/snmp.yaml index 325656eb..b51242aa 100644 --- a/puppet/services/snmp.yaml +++ b/puppet/services/snmp.yaml 
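Review bot: The firewall rule `'142 neutron l2gw agent input'` opens `L2gwAgentManagerTableListeningPort` over TCP with no source restriction, so when `L2gwAgentEnableManager` is true the listener is reachable from every network the node's input chain accepts. Only the OVSDB servers need to reach it. If the firewall rule type accepts a source field, consider adding a parameter for the allowed range and `source: {get_param: <new OVSDB source CIDR parameter>}` under the rule. The template exposes no setting for protecting the OVSDB channel itself, so the description of `L2gwAgentEnableManager` should at least say the port is meant for a trusted management network. Separately, the port parameter is `type: number` with no bounds; `constraints: [{range: {min: 1, max: 65535}}]` would reject bad values at stack validation.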
@@ -40,6 +40,10 @@ parameters: description: An array of bind host addresses on which SNMP daemon will listen. type: comma_delimited_list default: ['udp:161','udp6:[::1]:161'] + SnmpdOptions: + description: A string containing the commandline options passed to snmpd + type: string + default: '-LS0-5d' outputs: role_data: @@ -50,6 +54,7 @@ outputs: tripleo::profile::base::snmp::snmpd_user: {get_param: SnmpdReadonlyUserName} tripleo::profile::base::snmp::snmpd_password: {get_param: SnmpdReadonlyUserPassword} snmp::agentaddress: {get_param: SnmpdBindHost} + snmp::snmpd_options: {get_param: SnmpdOptions} tripleo.snmp.firewall_rules: '127 snmp': dport: 161 |
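Review bot: `SnmpdOptions` is a free-form string that ends up on the snmpd command line (it is wired through at `snmp::snmpd_options` in the second hunk), and the description does not explain what the default does. `-LS0-5d` appears to select syslog logging at priorities 0-5 with the daemon facility. Saying so would make it clear that an override replaces the logging flags rather than adding to them, and losing daemon logs is easy to miss on a monitoring service. Suggested wording: `description: Command-line options passed to snmpd. The default logs to syslog (priorities 0-5, facility daemon); overriding replaces the whole option string.` The parameters block starts outside the hunk.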