11 files changed, 160 insertions, 47 deletions

diff --git a/puppet/services/ceilometer-base.yaml b/puppet/services/ceilometer-base.yaml
index d524e612..6e909097 100644
--- a/puppet/services/ceilometer-base.yaml
+++ b/puppet/services/ceilometer-base.yaml
@@ -18,10 +18,6 @@ parameters:
     description: Mapping of service endpoint -> protocol. Typically set
                  via parameter_defaults in the resource registry.
     type: json
-  CeilometerBackend:
-    default: 'mongodb'
-    description: The ceilometer backend type.
-    type: string
   CeilometerMeteringSecret:
     description: Secret shared by the ceilometer services.
     type: string
@@ -30,18 +26,6 @@ parameters:
     description: The password for the ceilometer service account.
     type: string
     hidden: true
-  CeilometerMeterDispatcher:
-    default: ['gnocchi']
-    description: Comma-seperated list of Dispatcher to process meter data
-    type: comma_delimited_list
-    constraints:
-    - allowed_values: ['gnocchi', 'database']
-  CeilometerEventDispatcher:
-    default: ['panko', 'gnocchi']
-    description: Comma-separated list of Dispatchers to process events data
-    type: comma_delimited_list
-    constraints:
-    - allowed_values: ['panko', 'gnocchi', 'database']
   CeilometerWorkers:
     default: 0
     description: Number of workers for Ceilometer service.
@@ -81,6 +65,14 @@ parameters:
     description: Whether to create or skip API endpoint. Set this to
         false, if you choose to disable Ceilometer API service.
     type: boolean
+  SnmpdReadonlyUserName:
+    default: ro_snmp_user
+    description: The user name for SNMPd with readonly rights running on all Overcloud nodes
+    type: string
+  SnmpdReadonlyUserPassword:
+    description: The user password for SNMPd with readonly rights running on all Overcloud nodes
+    type: string
+    hidden: true
 
 outputs:
   role_data:
@@ -89,19 +81,6 @@ outputs:
       service_name: ceilometer_base
       config_settings:
         ceilometer::debug: {get_param: Debug}
-        ceilometer::db::database_connection:
-          list_join:
-            - ''
-            - - {get_param: [EndpointMap, MysqlInternal, protocol]}
-            - - '://ceilometer:'
-              - {get_param: CeilometerPassword}
-              - '@'
-              - {get_param: [EndpointMap, MysqlInternal, host]}
-              - '/ceilometer'
-              - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo'
-        ceilometer_backend: {get_param: CeilometerBackend}
-        # we include db_sync class in puppet-tripleo
-        ceilometer::db::sync_db: false
         ceilometer::keystone::authtoken::project_name: 'service'
         ceilometer::keystone::authtoken::user_domain_name: 'Default'
         ceilometer::keystone::authtoken::project_domain_name: 'Default'
@@ -116,8 +95,6 @@ outputs:
         ceilometer::agent::auth::auth_user_domain_name: 'Default'
         ceilometer::agent::auth::auth_project_domain_name: 'Default'
         ceilometer::agent::auth::auth_endpoint_type: 'internalURL'
-        ceilometer::collector::meter_dispatcher: {get_param: CeilometerMeterDispatcher}
-        ceilometer::collector::event_dispatcher: {get_param: CeilometerEventDispatcher}
         ceilometer::dispatcher::gnocchi::url: {get_param: [EndpointMap, GnocchiInternal, uri]}
         ceilometer::dispatcher::gnocchi::filter_project: 'service'
         ceilometer::dispatcher::gnocchi::archive_policy: 'low'
@@ -127,9 +104,9 @@ outputs:
         ceilometer::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
         ceilometer::rabbit_port: {get_param: RabbitClientPort}
         ceilometer::rabbit_heartbeat_timeout_threshold: 60
-        ceilometer::db::database_db_max_retries: -1
-        ceilometer::db::database_max_retries: -1
         ceilometer::telemetry_secret: {get_param: CeilometerMeteringSecret}
+        ceilometer::snmpd_readonly_username: {get_param: SnmpdReadonlyUserName}
+        ceilometer::snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
       service_config_settings:
         keystone:
           ceilometer_auth_enabled: true
diff --git a/puppet/services/ceilometer-collector.yaml b/puppet/services/ceilometer-collector.yaml
index b0ec971f..111b3e8b 100644
--- a/puppet/services/ceilometer-collector.yaml
+++ b/puppet/services/ceilometer-collector.yaml
@@ -2,6 +2,7 @@ heat_template_version: ocata
 
 description: >
   OpenStack Ceilometer Collector service configured with Puppet
+  This service is deprecated and will be removed in future releases.
 
 parameters:
   ServiceNetMap:
@@ -18,6 +19,14 @@ parameters:
     description: Mapping of service endpoint -> protocol. Typically set
                  via parameter_defaults in the resource registry.
     type: json
+  CeilometerBackend:
+    default: 'mongodb'
+    description: The ceilometer backend type.
+    type: string
+  CeilometerPassword:
+    description: The password for the ceilometer service account.
+    type: string
+    hidden: true
   MonitoringSubscriptionCeilometerCollector:
     default: 'overcloud-ceilometer-collector'
     type: string
@@ -26,7 +35,32 @@ parameters:
     default:
       tag: openstack.ceilometer.collector
       path: /var/log/ceilometer/collector.log
-
+  CeilometerMeterDispatcher:
+    default: ['gnocchi']
+    description: Comma-seperated list of Dispatcher to process meter data
+                 Note that database option is deprecated and will not be
+                 supported in future.
+    type: comma_delimited_list
+    constraints:
+    - allowed_values: ['gnocchi', 'database']
+  CeilometerEventDispatcher:
+    default: ['panko', 'gnocchi']
+    description: Comma-separated list of Dispatchers to process events data
+                 Note that database option is deprecated and will not be
+                 supported in future.
+    type: comma_delimited_list
+    constraints:
+    - allowed_values: ['panko', 'gnocchi', 'database']
+  CeilometerEventTTL:
+    default: '86400'
+    description: Number of seconds that events are kept in the database for
+                 (<= 0 means forever)
+    type: string
+  CeilometerMeteringTTL:
+    default: '86400'
+    description: Number of seconds that samples are kept in the database for
+                 (<= 0 means forever)
+    type: string
 resources:
   CeilometerServiceBase:
     type: ./ceilometer-base.yaml
@@ -55,6 +89,25 @@ outputs:
         map_merge:
           - get_attr: [MongoDbBase, role_data, config_settings]
           - get_attr: [CeilometerServiceBase, role_data, config_settings]
+          - ceilometer::db::database_connection:
+              list_join:
+                - ''
+                - - {get_param: [EndpointMap, MysqlInternal, protocol]}
+                - - '://ceilometer:'
+                  - {get_param: CeilometerPassword}
+                  - '@'
+                  - {get_param: [EndpointMap, MysqlInternal, host]}
+                  - '/ceilometer'
+                  - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo'
+            ceilometer_backend: {get_param: CeilometerBackend}
+            ceilometer::event_time_to_live: {get_param: CeilometerEventTTL}
+            ceilometer::metering_time_to_live: {get_param: CeilometerMeteringTTL}
+            # we include db_sync class in puppet-tripleo
+            ceilometer::db::sync_db: false
+            ceilometer::db::database_db_max_retries: -1
+            ceilometer::db::database_max_retries: -1
+            ceilometer::collector::meter_dispatcher: {get_param: CeilometerMeterDispatcher}
+            ceilometer::collector::event_dispatcher: {get_param: CeilometerEventDispatcher}
       service_config_settings:
         get_attr: [CeilometerServiceBase, role_data, service_config_settings]
       step_config: |
diff --git a/puppet/services/database/mysql-client.yaml b/puppet/services/database/mysql-client.yaml
index 78456e28..b6bd060e 100644
--- a/puppet/services/database/mysql-client.yaml
+++ b/puppet/services/database/mysql-client.yaml
@@ -21,6 +21,11 @@ parameters:
   EnableInternalTLS:
     type: boolean
     default: false
+  InternalTLSCAFile:
+    default: '/etc/ipa/ca.crt'
+    type: string
+    description: Specifies the default CA cert to use if TLS is used for
+                 services in the internal network.
 
 outputs:
   role_data:
@@ -30,5 +35,6 @@ outputs:
       config_settings:
         tripleo::profile::base::database::mysql::client::mysql_client_bind_address: {get_param: [ServiceNetMap, MysqlNetwork]}
         tripleo::profile::base::database::mysql::client::enable_ssl: {get_param: EnableInternalTLS}
+        tripleo::profile::base::database::mysql::client::ssl_ca: {get_param: InternalTLSCAFile}
       step_config: |
         include ::tripleo::profile::base::database::mysql::client
diff --git a/puppet/services/disabled/ceilometer-collector.yaml b/puppet/services/disabled/ceilometer-collector.yaml
new file mode 100644
index 00000000..25c79209
--- /dev/null
+++ b/puppet/services/disabled/ceilometer-collector.yaml
@@ -0,0 +1,30 @@
+heat_template_version: pike
+
+description: >
+  OpenStack Ceilometer Collector service, disabled since pike
+
+parameters:
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+
+outputs:
+  role_data:
+    description: Role data for the disabled Ceilometer Collector role.
+    value:
+      service_name: ceilometer_collector
+      upgrade_tasks:
+        - name: Stop and disable ceilometer_collector service on upgrade
+          tags: step1
+          service: name=openstack-ceilometer-collector state=stopped enabled=no
diff --git a/puppet/services/ec2-api.yaml b/puppet/services/ec2-api.yaml
index d1adefe5..98d656a5 100644
--- a/puppet/services/ec2-api.yaml
+++ b/puppet/services/ec2-api.yaml
@@ -30,6 +30,15 @@ parameters:
     type: string
     default: 'regionOne'
     description: Keystone region for endpoint
+  Ec2ApiExternalNetwork:
+    type: string
+    default: ''
+    description: Name of the external network, which is used to connect VPCs to
+                 Internet and to allocate Elastic IPs
+  NovaDefaultFloatingPool:
+    default: 'public'
+    description: Default pool for floating IP addresses
+    type: string
   MonitoringSubscriptionEc2Api:
     default: 'overcloud-ec2-api'
     type: string
@@ -52,6 +61,7 @@ parameters:
 
 conditions:
   nova_workers_zero: {equals : [{get_param: Ec2ApiWorkers}, 0]}
+  external_network_unset: {equals : [{get_param: Ec2ApiExternalNetwork}, '']}
 
 outputs:
   role_data:
@@ -109,6 +119,11 @@ outputs:
           - {}
           - ec2api::api::ec2api_workers: {get_param: Ec2ApiWorkers}
             ec2api::metadata::metadata_workers: {get_param: Ec2ApiWorkers}
+        -
+          if:
+          - external_network_unset
+          - ec2api::api::external_network: {get_param: NovaDefaultFloatingPool}
+          - ec2api::api::external_network: {get_param: Ec2ApiExternalNetwork}
       step_config: |
         include tripleo::profile::base::nova::ec2api
       service_config_settings:
diff --git a/puppet/services/gnocchi-base.yaml b/puppet/services/gnocchi-base.yaml
index dc6daece..24f4157b 100644
--- a/puppet/services/gnocchi-base.yaml
+++ b/puppet/services/gnocchi-base.yaml
@@ -22,6 +22,10 @@ parameters:
     default: 'mysql'
     description: The short name of the Gnocchi indexer backend to use.
     type: string
+  MetricProcessingDelay:
+    default: 60
+    description: Delay between processing metrics.
+    type: number
   GnocchiPassword:
     description: The password for the gnocchi service and db account.
     type: string
@@ -65,6 +69,7 @@ outputs:
               - '/gnocchi'
               - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo'
         gnocchi::db::sync::extra_opts: '--skip-storage'
+        gnocchi::storage::metric_processing_delay: {get_param: MetricProcessingDelay}
         gnocchi::storage::swift::swift_user: 'service:gnocchi'
         gnocchi::storage::swift::swift_auth_version: 3
         gnocchi::storage::swift::swift_key: {get_param: GnocchiPassword}
diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml
index bd5b9ef6..e32b44dd 100644
--- a/puppet/services/haproxy.yaml
+++ b/puppet/services/haproxy.yaml
@@ -1,4 +1,4 @@
-heat_template_version: ocata
+heat_template_version: pike
 
 description: >
   HAproxy service configured with Puppet
@@ -37,6 +37,11 @@ parameters:
   MonitoringSubscriptionHaproxy:
     default: 'overcloud-haproxy'
     type: string
+  InternalTLSCAFile:
+    default: '/etc/ipa/ca.crt'
+    type: string
+    description: Specifies the default CA cert to use if TLS is used for
+                 services in the internal network.
 
 resources:
 
@@ -71,6 +76,7 @@ outputs:
             tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
             tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
             tripleo::haproxy::redis_password: {get_param: RedisPassword}
+            tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
             tripleo::profile::base::haproxy::certificates_specs:
               map_merge:
                 - get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
@@ -96,8 +102,6 @@ outputs:
           when: haproxy_enabled.rc == 0
           service: name=haproxy state=started
       metadata_settings:
-        yaql:
-          expression: '[].concat(coalesce($.data.internal, []), coalesce($.data.public, []))'
-          data:
-            public: {get_attr: [HAProxyPublicTLS, role_data, metadata_settings]}
-            internal: {get_attr: [HAProxyInternalTLS, role_data, metadata_settings]}
+        list_concat:
+          - {get_attr: [HAProxyPublicTLS, role_data, metadata_settings]}
+          - {get_attr: [HAProxyInternalTLS, role_data, metadata_settings]}
diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml
index 21a5e78a..c3e6f4e4 100644
--- a/puppet/services/nova-libvirt.yaml
+++ b/puppet/services/nova-libvirt.yaml
@@ -41,16 +41,23 @@ parameters:
     description: If set to true and if EnableInternalTLS is enabled, it will
                  set the libvirt URI's transport to tls and configure the
                  relevant keys for libvirt.
+  InternalTLSCAFile:
+    default: '/etc/ipa/ca.crt'
+    type: string
+    description: Specifies the default CA cert to use if TLS is used for
+                 services in the internal network.
   LibvirtCACert:
     type: string
-    default: '/etc/ipa/ca.crt'
+    default: ''
     description: This specifies the CA certificate to use for TLS in libvirt.
                  This file will be symlinked to the default CA path in libvirt,
                  which is /etc/pki/CA/cacert.pem. Note that due to limitations
                  GNU TLS, which is the TLS backend for libvirt, the file must
-                 be less than 65K (so we can't use the system's CA bundle). The
-                 current default reflects TripleO's default CA, which is
-                 FreeIPA. It will only be used if internal TLS is enabled.
+                 be less than 65K (so we can't use the system's CA bundle).
+                 This parameter should be used if the default (which comes from
+                 the InternalTLSCAFile parameter) is not desired. The current
+                 default reflects TripleO's default CA, which is FreeIPA.
+                 It will only be used if internal TLS is enabled.
 
 conditions:
 
@@ -63,6 +70,11 @@ conditions:
       - {get_param: UseTLSTransportForLiveMigration}
       - true
 
+  libvirt_specific_ca_unset:
+    equals:
+      - {get_param: LibvirtCACert}
+      - ''
+
 resources:
   NovaBase:
     type: ./nova-base.yaml
@@ -113,7 +125,10 @@ outputs:
                     params:
                       $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                 tripleo::certmonger::ca::libvirt::origin_ca_pem:
-                  get_param: LibvirtCACert
+                  if:
+                    - libvirt_specific_ca_unset
+                    - get_param: InternalTLSCAFile
+                    - get_param: LibvirtCACert
                 tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt'
                 tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private'
                 libvirt_certificates_specs:
diff --git a/puppet/services/octavia-api.yaml b/puppet/services/octavia-api.yaml
index 2f898a67..99212857 100644
--- a/puppet/services/octavia-api.yaml
+++ b/puppet/services/octavia-api.yaml
@@ -84,7 +84,6 @@ outputs:
                   - 9876
                   - 13876
             octavia::api::host: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
-            neutron::server::service_providers: ['LOADBALANCERV2:Octavia:neutron_lbaas.drivers.octavia.driver.OctaviaDriver:default']
       step_config: |
         include tripleo::profile::base::octavia::api
       service_config_settings:
@@ -103,3 +102,5 @@ outputs:
           octavia::db::mysql::allowed_hosts:
             - '%'
             - "%{hiera('mysql_bind_host')}"
+        neutron_api:
+          neutron::server::service_providers: ['LOADBALANCERV2:Octavia:neutron_lbaas.drivers.octavia.driver.OctaviaDriver:default']
diff --git a/puppet/services/panko-api.yaml b/puppet/services/panko-api.yaml
index 63cddb04..b23073df 100644
--- a/puppet/services/panko-api.yaml
+++ b/puppet/services/panko-api.yaml
@@ -1,7 +1,9 @@
 heat_template_version: ocata
 
 description: >
-  OpenStack Panko API service configured with Puppet
+  OpenStack Panko API service configured with Puppet.
+  Note, This service is deprecated in Pike release and will
+  be disabled in future releases.
 
 parameters:
   ServiceNetMap:
diff --git a/puppet/services/snmp.yaml b/puppet/services/snmp.yaml
index 80c29f95..072ccc1a 100644
--- a/puppet/services/snmp.yaml
+++ b/puppet/services/snmp.yaml
@@ -28,6 +28,10 @@ parameters:
     description: The user password for SNMPd with readonly rights running on all Overcloud nodes
     type: string
     hidden: true
+  SnmpdBindHost:
+    description: An array of bind host addresses on which SNMP daemon will listen.
+    type: comma_delimited_list
+    default: ['udp:161','udp6:[::1]:161']
 
 outputs:
   role_data:
@@ -37,6 +41,7 @@ outputs:
       config_settings:
         tripleo::profile::base::snmp::snmpd_user: {get_param: SnmpdReadonlyUserName}
         tripleo::profile::base::snmp::snmpd_password: {get_param: SnmpdReadonlyUserPassword}
+        snmp::agentaddress: {get_param: SnmpdBindHost}
         tripleo.snmp.firewall_rules:
           '127 snmp':
             dport: 161