diff options
Diffstat (limited to 'puppet/services')
44 files changed, 613 insertions, 100 deletions
diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml index b85cfe71..4308052b 100644 --- a/puppet/services/aodh-api.yaml +++ b/puppet/services/aodh-api.yaml @@ -37,12 +37,18 @@ outputs: - get_attr: [AodhBase, role_data, config_settings] - aodh::wsgi::apache::ssl: false aodh::api::service_name: 'httpd' - aodh::api::keystone_tenant: 'service' - - tripleo.aodh_api.firewall_rules: + tripleo.aodh_api.firewall_rules: '128 aodh-api': dport: - 8042 - 13042 - + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + aodh::api::host: {get_param: [ServiceNetMap, AodhApiNetwork]} + aodh::wsgi::apache::bind_host: {get_param: [ServiceNetMap, AodhApiNetwork]} step_config: | include tripleo::profile::base::aodh::api diff --git a/puppet/services/aodh-base.yaml b/puppet/services/aodh-base.yaml index 603b2d82..15f81953 100644 --- a/puppet/services/aodh-base.yaml +++ b/puppet/services/aodh-base.yaml @@ -82,9 +82,10 @@ outputs: aodh::rabbit_password: {get_param: RabbitPassword} aodh::rabbit_use_ssl: {get_param: RabbitClientUseSSL} aodh::rabbit_port: {get_param: RabbitClientPort} - aodh::api::keystone_password: {get_param: AodhPassword} - aodh::api::keystone_auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - aodh::api::keystone_identity_uri: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + aodh::keystone::authtoken::project_name: 'service' + aodh::keystone::authtoken::password: {get_param: AodhPassword} + aodh::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + aodh::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } aodh::auth::auth_password: {get_param: AodhPassword} aodh::keystone::auth::public_url: {get_param: [EndpointMap, AodhPublic, uri]} aodh::keystone::auth::internal_url: {get_param: [EndpointMap, AodhInternal, uri]} diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml index b9f021e3..85b9aacc 100644 --- a/puppet/services/ceilometer-api.yaml +++ b/puppet/services/ceilometer-api.yaml @@ -41,6 +41,12 @@ outputs: dport: - 8777 - 13777 - - ceilometer::api::keystone_tenant: 'service' + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + ceilometer::api::host: {get_param: [ServiceNetMap, CeilometerApiNetwork]} step_config: | include ::tripleo::profile::base::ceilometer::api diff --git a/puppet/services/ceilometer-base.yaml b/puppet/services/ceilometer-base.yaml index 1a65a595..62fdd5c1 100644 --- a/puppet/services/ceilometer-base.yaml +++ b/puppet/services/ceilometer-base.yaml @@ -91,9 +91,10 @@ outputs: ceilometer::metering_secret: {get_param: CeilometerMeteringSecret} # we include db_sync class in puppet-tripleo ceilometer::db::sync_db: false - ceilometer::api::keystone_password: {get_param: CeilometerPassword} - ceilometer::api::keystone_auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - ceilometer::api::keystone_identity_uri: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + ceilometer::keystone::authtoken::project_name: 'service' + ceilometer::keystone::authtoken::password: {get_param: CeilometerPassword} + ceilometer::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + ceilometer::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } ceilometer::agent::auth::auth_password: {get_param: CeilometerPassword} ceilometer::agent::auth::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } ceilometer::agent::notification::store_events: {get_param: CeilometerStoreEvents} diff --git a/puppet/services/ceph-base.yaml b/puppet/services/ceph-base.yaml index 415b77b6..4d98546d 100644 --- a/puppet/services/ceph-base.yaml +++ b/puppet/services/ceph-base.yaml @@ -4,7 +4,9 @@ description: > Ceph base service. Shared by all Ceph services. parameters: + # NOTE(gfidente): needs a default to cope with external Ceph deployments were we don't pass (and need) an Admin key CephAdminKey: + default: '' description: The Ceph admin client key. Can be created with ceph-authtool --gen-print-key. type: string hidden: true @@ -77,6 +79,22 @@ outputs: ceph::profile::params::manage_repo: false ceph::profile::params::authentication_type: cephx ceph::profile::params::fsid: {get_param: CephClusterFSID} + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + ceph::profile::params::cluster_network: + str_replace: + template: "NETWORK_subnet" + params: + NETWORK: {get_param: [ServiceNetMap, CephClusterNetwork]} + ceph::profile::params::public_network: + str_replace: + template: "NETWORK_subnet" + params: + NETWORK: {get_param: [ServiceNetMap, CephPublicNetwork]} + ceph::profile::params::public_addr: {get_param: [ServiceNetMap, CephPublicNetwork]} ceph::profile::params::client_keys: str_replace: template: "{ diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml index 5ff99dd2..5df0739f 100644 --- a/puppet/services/cinder-api.yaml +++ b/puppet/services/cinder-api.yaml @@ -78,5 +78,11 @@ outputs: dport: - 8776 - 13776 + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + cinder::api::bind_host: {get_param: [ServiceNetMap, CinderApiNetwork]} step_config: | include ::tripleo::profile::base::cinder::api diff --git a/puppet/services/cinder-volume.yaml b/puppet/services/cinder-volume.yaml index 5dab466e..de7e6bab 100644 --- a/puppet/services/cinder-volume.yaml +++ b/puppet/services/cinder-volume.yaml @@ -90,5 +90,15 @@ outputs: tripleo.cinder_volume.firewall_rules: '120 iscsi initiator': dport: 3260 + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_address: + str_replace: + template: "NETWORK_uri" + params: + NETWORK: {get_param: [ServiceNetMap, CinderIscsiNetwork]} step_config: | include ::tripleo::profile::base::cinder::volume diff --git a/puppet/services/database/mongodb.yaml b/puppet/services/database/mongodb.yaml index b6eb4803..36962a34 100644 --- a/puppet/services/database/mongodb.yaml +++ b/puppet/services/database/mongodb.yaml @@ -45,5 +45,12 @@ outputs: dport: 27018 '103 mongod': dport: 27017 + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + mongodb::server::bind_ip: {get_param: [ServiceNetMap, MongodbNetwork]} step_config: | include ::tripleo::profile::base::database::mongodb diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml index 8d2185f6..b0eea481 100644 --- a/puppet/services/database/mysql.yaml +++ b/puppet/services/database/mysql.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > MySQL service deployment using puppet @@ -19,6 +19,21 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + MysqlMaxConnections: + description: Configures MySQL max_connections config setting + type: number + default: 4096 + MysqlRootPassword: + type: string + hidden: true + default: '' + MysqlClustercheckPassword: + type: string + hidden: true + EnableGalera: + default: true + description: Whether to use Galera instead of regular MariaDB. + type: boolean outputs: role_data: @@ -42,5 +57,22 @@ outputs: - 4567 - 4568 - 9200 + mysql_max_connections: {get_param: MysqlMaxConnections} + mysql::server::root_password: + yaql: + expression: $.data.passwords.where($ != '').first() + data: + passwords: + - {get_param: MysqlRootPassword} + - {get_param: [DefaultPasswords, mysql_root_password]} + mysql_clustercheck_password: {get_param: MysqlClustercheckPassword} + enable_galera: {get_param: EnableGalera} + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + mysql_bind_host: {get_param: [ServiceNetMap, MysqlNetwork]} step_config: | include ::tripleo::profile::base::database::mysql diff --git a/puppet/services/database/redis-base.yaml b/puppet/services/database/redis-base.yaml index 301b2bb1..4ed3c007 100644 --- a/puppet/services/database/redis-base.yaml +++ b/puppet/services/database/redis-base.yaml @@ -32,8 +32,13 @@ outputs: redis::requirepass: {get_param: RedisPassword} redis::masterauth: {get_param: RedisPassword} redis::sentinel_auth_pass: {get_param: RedisPassword} + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + redis::bind: {get_param: [ServiceNetMap, RedisNetwork]} redis::port: 6379 redis::sentinel::master_name: '"%{hiera(\"bootstrap_nodeid\")}"' redis::sentinel::redis_host: '"%{hiera(\"bootstrap_nodeid_ip\")}"' redis::sentinel::notification_script: '/usr/local/bin/redis-notifications.sh' - tripleo::loadbalancer::redis_password: {get_param: RedisPassword} diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml index 4954119f..d2376af3 100644 --- a/puppet/services/glance-api.yaml +++ b/puppet/services/glance-api.yaml @@ -131,6 +131,12 @@ outputs: glance::api::keystone_tenant: 'service' glance::api::pipeline: 'keystone' glance::api::show_image_direct_url: true - + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + glance::api::bind_host: {get_param: [ServiceNetMap, GlanceApiNetwork]} step_config: | include ::tripleo::profile::base::glance::api diff --git a/puppet/services/glance-registry.yaml b/puppet/services/glance-registry.yaml index d8861f70..06ef9379 100644 --- a/puppet/services/glance-registry.yaml +++ b/puppet/services/glance-registry.yaml @@ -66,5 +66,12 @@ outputs: '112 glance_registry': dport: - 9191 + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + glance::registry::bind_host: {get_param: [ServiceNetMap, GlanceRegistryNetwork]} step_config: | include ::tripleo::profile::base::glance::registry diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml index bc217743..d21e5b2b 100644 --- a/puppet/services/gnocchi-api.yaml +++ b/puppet/services/gnocchi-api.yaml @@ -56,7 +56,6 @@ outputs: - 8041 - 13041 gnocchi::api::enabled: true - gnocchi::api::manage_service: false gnocchi::api::service_name: 'httpd' gnocchi::keystone::auth::admin_url: { get_param: [ EndpointMap, GnocchiAdmin, uri ] } gnocchi::keystone::auth::internal_url: {get_param: [EndpointMap, GnocchiInternal, uri]} @@ -70,5 +69,17 @@ outputs: gnocchi::keystone::authtoken::project_name: 'service' gnocchi::wsgi::apache::ssl: false tripleo::profile::base::gnocchi::api::gnocchi_backend: {get_param: GnocchiBackend} + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + gnocchi::wsgi::apache::bind_host: {get_param: [ServiceNetMap, GnocchiApiNetwork]} + gnocchi::api::host: {get_param: [ServiceNetMap, GnocchiApiNetwork]} + + gnocchi::api::keystone_auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} + gnocchi::api::keystone_identity_uri: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + gnocchi::storage::swift::swift_authurl: {get_param: [EndpointMap, KeystoneInternal, uri]} step_config: | include ::tripleo::profile::base::gnocchi::api diff --git a/puppet/services/gnocchi-base.yaml b/puppet/services/gnocchi-base.yaml index ac5a17ca..9b9cafb8 100644 --- a/puppet/services/gnocchi-base.yaml +++ b/puppet/services/gnocchi-base.yaml @@ -85,7 +85,6 @@ outputs: - {get_param: CephClientUserName} - 'keyring' #Gnocchi statsd - gnocchi::statsd::manage_service: false gnocchi::statsd::resource_id: '0a8b55df-f90f-491c-8cb9-7cdecec6fc26' gnocchi::statsd::user_id: '27c0d3f8-e7ee-42f0-8317-72237d1c5ae3' gnocchi::statsd::project_id: '6c38cd8d-099a-4cb2-aecf-17be688e8616' diff --git a/puppet/services/gnocchi-metricd.yaml b/puppet/services/gnocchi-metricd.yaml index df342ebd..205d0552 100644 --- a/puppet/services/gnocchi-metricd.yaml +++ b/puppet/services/gnocchi-metricd.yaml @@ -35,6 +35,5 @@ outputs: config_settings: map_merge: - get_attr: [GnocchiServiceBase, role_data, config_settings] - - gnocchi::metricd::manage_service: false step_config: | include ::tripleo::profile::base::gnocchi::metricd diff --git a/puppet/services/gnocchi-statsd.yaml b/puppet/services/gnocchi-statsd.yaml index b6e63bf3..018ad2b1 100644 --- a/puppet/services/gnocchi-statsd.yaml +++ b/puppet/services/gnocchi-statsd.yaml @@ -35,6 +35,5 @@ outputs: config_settings: map_merge: - get_attr: [GnocchiServiceBase, role_data, config_settings] - - gnocchi::statsd::manage_service: false step_config: | include ::tripleo::profile::base::gnocchi::statsd diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml index 00574c2f..c0e1c113 100644 --- a/puppet/services/haproxy.yaml +++ b/puppet/services/haproxy.yaml @@ -18,6 +18,32 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + HAProxyStatsPassword: + description: Password for HAProxy stats endpoint + hidden: true + type: string + HAProxyStatsUser: + description: User for HAProxy stats endpoint + default: admin + type: string + HAProxySyslogAddress: + default: /dev/log + description: Syslog address where HAproxy will send its log + type: string + RedisPassword: + description: The password for Redis + type: string + hidden: true + ControlVirtualInterface: + default: 'br-ex' + description: Interface where virtual ip will be assigned. + type: string + PublicVirtualInterface: + default: 'br-ex' + description: > + Specifies the interface where the public-facing virtual ip will be assigned. + This should be int_public when a VLAN is being used. + type: string outputs: role_data: @@ -49,5 +75,12 @@ outputs: tripleo::haproxy::heat_cloudwatch: true tripleo::haproxy::heat_cfn: true tripleo::haproxy::horizon: true + tripleo::haproxy::ironic: true + tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress} + tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser} + tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword} + tripleo::haproxy::redis_password: {get_param: RedisPassword} + tripleo::haproxy::control_virtual_interface: {get_param: ControlVirtualInterface} + tripleo::haproxy::public_virtual_interface: {get_param: PublicVirtualInterface} step_config: | include ::tripleo::profile::base::haproxy diff --git a/puppet/services/heat-api-cfn.yaml b/puppet/services/heat-api-cfn.yaml index 4f8900aa..a15ea32d 100644 --- a/puppet/services/heat-api-cfn.yaml +++ b/puppet/services/heat-api-cfn.yaml @@ -59,5 +59,12 @@ outputs: dport: - 8000 - 13800 + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + heat::api_cfn::bind_host: {get_param: [ServiceNetMap, HeatApiNetwork]} step_config: | include ::tripleo::profile::base::heat::api_cfn diff --git a/puppet/services/heat-api-cloudwatch.yaml b/puppet/services/heat-api-cloudwatch.yaml index 7a09aad0..6d645ee7 100644 --- a/puppet/services/heat-api-cloudwatch.yaml +++ b/puppet/services/heat-api-cloudwatch.yaml @@ -45,5 +45,12 @@ outputs: dport: - 8003 - 13003 + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + heat::api_cloudwatch::bind_host: {get_param: [ServiceNetMap, HeatApiNetwork]} step_config: | include ::tripleo::profile::base::heat::api_cloudwatch diff --git a/puppet/services/heat-api.yaml b/puppet/services/heat-api.yaml index 3a5d2a13..ec3b0e37 100644 --- a/puppet/services/heat-api.yaml +++ b/puppet/services/heat-api.yaml @@ -59,5 +59,12 @@ outputs: dport: - 8004 - 13004 + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + heat::api::bind_host: {get_param: [ServiceNetMap, HeatApiNetwork]} step_config: | include ::tripleo::profile::base::heat::api diff --git a/puppet/services/heat-engine.yaml b/puppet/services/heat-engine.yaml index fba80c5d..b230ec1d 100644 --- a/puppet/services/heat-engine.yaml +++ b/puppet/services/heat-engine.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > Openstack Heat Engine service configured with Puppet @@ -35,6 +35,11 @@ parameters: description: Password for heat_stack_domain_admin user. type: string hidden: true + HeatAuthEncryptionKey: + description: Auth encryption key for heat-engine + type: string + hidden: true + default: '' resources: HeatBase: @@ -76,5 +81,12 @@ outputs: heat::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" + heat::engine::auth_encryption_key: + yaql: + expression: $.data.passwords.where($ != '').first() + data: + passwords: + - {get_param: HeatAuthEncryptionKey} + - {get_param: [DefaultPasswords, heat_auth_encryption_key]} step_config: | include ::tripleo::profile::base::heat::engine diff --git a/puppet/services/ironic-api.yaml b/puppet/services/ironic-api.yaml index e185630e..d0516e1b 100644 --- a/puppet/services/ironic-api.yaml +++ b/puppet/services/ironic-api.yaml @@ -45,11 +45,12 @@ outputs: # the TFTP server IP in ironic-conductor.yaml as it should not be # the VIP, but rather a real IP of the controller. - ironic::my_ip: {get_param: [EndpointMap, MysqlInternal, host]} - ironic::api::admin_password: {get_param: IronicPassword} - ironic::api::admin_tenant_name: 'service' - ironic::api::admin_user: 'ironic' - ironic::api::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - ironic::api::identity_uri: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + ironic::api::authtoken::password: {get_param: IronicPassword} + ironic::api::authtoken::project_name: 'service' + ironic::api::authtoken::username: 'ironic' + ironic::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + ironic::api::host_ip: {get_input: ironic_api_network} ironic::api::port: {get_param: [EndpointMap, IronicInternal, port]} # This is used to build links in responses ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]} @@ -59,5 +60,10 @@ outputs: ironic::keystone::auth::auth_name: 'ironic' ironic::keystone::auth::password: {get_param: IronicPassword } ironic::keystone::auth::tenant: 'service' + tripleo.ironic_api.firewall_rules: + '133 ironic api': + dport: + - 6385 + - 13385 step_config: | include ::tripleo::profile::base::ironic::api diff --git a/puppet/services/ironic-conductor.yaml b/puppet/services/ironic-conductor.yaml index 9bc86a2c..27479f79 100644 --- a/puppet/services/ironic-conductor.yaml +++ b/puppet/services/ironic-conductor.yaml @@ -41,10 +41,15 @@ outputs: - get_attr: [IronicBase, role_data, config_settings] # FIXME: I have no idea why neutron_url is in "api" manifest - ironic::api::neutron_url: {get_param: [EndpointMap, NeutronInternal, uri]} + ironic::conductor::api_url: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]} ironic::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]} ironic::enabled_drivers: {get_param: IronicEnabledDrivers} # Prevent tftp_server from defaulting to my_ip setting, which is # controller VIP, not a real IP. ironic::drivers::pxe::tftp_server: {get_input: ironic_api_network} + tripleo.ironic_conductor.firewall_rules: + '134 ironic conductor TFTP': + dport: 69 + proto: udp step_config: | include ::tripleo::profile::base::ironic::conductor diff --git a/puppet/services/keepalived.yaml b/puppet/services/keepalived.yaml index c8c977c6..b783345b 100644 --- a/puppet/services/keepalived.yaml +++ b/puppet/services/keepalived.yaml @@ -18,11 +18,24 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + ControlVirtualInterface: + default: 'br-ex' + description: Interface where virtual ip will be assigned. + type: string + PublicVirtualInterface: + default: 'br-ex' + description: > + Specifies the interface where the public-facing virtual ip will be assigned. + This should be int_public when a VLAN is being used. + type: string outputs: role_data: description: Role data for the Keepalived role. value: service_name: keepalived + config_settings: + tripleo::keepalived::control_virtual_interface: {get_param: ControlVirtualInterface} + tripleo::keepalived::public_virtual_interface: {get_param: PublicVirtualInterface} step_config: | include ::tripleo::profile::base::keepalived diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index 0a5193df..c763c391 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -149,5 +149,16 @@ outputs: - 13000 - 35357 - 13357 + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + # NOTE: this applies to all 4 bind IP settings below... + keystone::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} + keystone::public_bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} + keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} + keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} step_config: | include ::tripleo::profile::base::keystone diff --git a/puppet/services/manila-api.yaml b/puppet/services/manila-api.yaml index 8b456af5..b3987747 100644 --- a/puppet/services/manila-api.yaml +++ b/puppet/services/manila-api.yaml @@ -43,9 +43,10 @@ outputs: config_settings: map_merge: - get_attr: [ManilaBase, role_data, config_settings] - - manila::api::keystone_password: {get_param: ManilaPassword} - manila::api::keystone_auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - manila::api::keystone_auth_host: {get_param: [EndpointMap, ManilaInternal, host]} + - manila::keystone::authtoken::password: {get_param: ManilaPassword} + manila::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} + manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + manila::keystone::authtoken::project_name: 'service' manila::keystone::auth::public_url: {get_param: [EndpointMap, ManilaV1Public, uri]} manila::keystone::auth::internal_url: {get_param: [EndpointMap, ManilaV1Internal, uri]} manila::keystone::auth::admin_url: {get_param: [EndpointMap, ManilaV1Admin, uri]} @@ -54,7 +55,13 @@ outputs: manila::keystone::auth::admin_url_v2: {get_param: [EndpointMap, ManilaAdmin, uri]} manila::keystone::auth::password: {get_param: ManilaPassword } manila::keystone::auth::region: {get_param: KeystoneRegion } - manila::api::keystone_tenant: 'service' + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + manila::api::bind_host: {get_param: [ServiceNetMap, ManilaApiNetwork]} step_config: | include ::tripleo::profile::base::manila::api diff --git a/puppet/services/memcached.yaml b/puppet/services/memcached.yaml index 59c639e8..3b47261e 100644 --- a/puppet/services/memcached.yaml +++ b/puppet/services/memcached.yaml @@ -25,6 +25,12 @@ outputs: value: service_name: memcached config_settings: + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + memcached::listen_ip: {get_param: [ServiceNetMap, MemcachedNetwork]} tripleo.memcached.firewall_rules: '121 memcached': dport: 11211 diff --git a/puppet/services/neutron-dhcp.yaml b/puppet/services/neutron-dhcp.yaml index ed2dbd0e..513cb2d4 100644 --- a/puppet/services/neutron-dhcp.yaml +++ b/puppet/services/neutron-dhcp.yaml @@ -18,10 +18,19 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + NeutronEnableMetadataNetwork: + default: false + description: If True, DHCP provide metadata network. Requires either + IsolatedMetadata or ForceMetadata parameters to also be True. + type: boolean NeutronEnableIsolatedMetadata: - default: 'False' + default: false description: If True, DHCP provide metadata route to VM. - type: string + type: boolean + NeutronEnableForceMetadata: + default: false + description: If True, DHCP always provides metadata route to VM. + type: boolean resources: @@ -41,6 +50,8 @@ outputs: map_merge: - get_attr: [NeutronBase, role_data, config_settings] - neutron::agents::dhcp::enable_isolated_metadata: {get_param: NeutronEnableIsolatedMetadata} + neutron::agents::dhcp::enable_force_metadata: {get_param: NeutronEnableForceMetadata} + neutron::agents::dhcp::enable_metadata_network: {get_param: NeutronEnableMetadataNetwork} tripleo.neutron_dhcp.firewall_rules: '115 neutron dhcp input': proto: 'udp' diff --git a/puppet/services/neutron-ovs-agent.yaml b/puppet/services/neutron-ovs-agent.yaml index 7520f6f6..1b19f90f 100644 --- a/puppet/services/neutron-ovs-agent.yaml +++ b/puppet/services/neutron-ovs-agent.yaml @@ -48,6 +48,11 @@ parameters: description: | Enable support for distributed routing in the OVS Agent. type: boolean + NeutronEnableARPResponder: + default: false + description: | + Enable ARP responder feature in the OVS Agent. + type: boolean resources: @@ -68,6 +73,7 @@ outputs: - get_attr: [NeutronBase, role_data, config_settings] neutron::agents::ml2::ovs::l2_population: {get_param: NeutronEnableL2Pop} neutron::agents::ml2::ovs::enable_distributed_routing: {get_param: NeutronEnableDVR} + neutron::agents::ml2::ovs::arp_responder: {get_param: NeutronEnableARPResponder} neutron::agents::ml2::ovs::bridge_mappings: str_replace: template: MAPPINGS @@ -83,5 +89,12 @@ outputs: template: AGENT_EXTENSIONS params: AGENT_EXTENSIONS: {get_param: NeutronAgentExtensions} + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]} step_config: | include ::tripleo::profile::base::neutron::ovs diff --git a/puppet/services/neutron-ovs-dpdk-agent.yaml b/puppet/services/neutron-ovs-dpdk-agent.yaml new file mode 100644 index 00000000..1f1e14ab --- /dev/null +++ b/puppet/services/neutron-ovs-dpdk-agent.yaml @@ -0,0 +1,73 @@ +heat_template_version: 2016-04-08 + +description: > + OpenStack Neutron OVS DPDK configured with Puppet for Compute Role + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + NeutronDpdkCoreList: + default: "" + description: List of cores to be used for DPDK Poll Mode Driver + type: string + NeutronDpdkMemoryChannels: + default: "" + description: Number of memory channels to be used for DPDK + type: string + NeutronDpdkSocketMemory: + default: "" + description: Memory allocated for each socket + type: string + NeutronDpdkDriverType: + default: "vfio-pci" + description: DPDK Driver type + type: string + # below parameters has to be set in neutron agent only for compute nodes. + # as of now there is no other usecase for these parameters except dpdk. + # should be moved to compute only ovs agent in case of any other usecases. + NeutronDatapathType: + default: "" + description: Datapath type for ovs bridges + type: string + NeutronVhostuserSocketDir: + default: "" + description: The vhost-user socket directory for OVS + type: string + +resources: + + NeutronOvsAgent: + type: ./neutron-ovs-agent.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Neutron OVS DPDK Agent service. + value: + service_name: neutron_ovs_dpdk_agent + config_settings: + map_merge: + - get_attr: [NeutronOvsAgent, role_data, config_settings] + neutron::agents::ml2::ovs::enable_dpdk: true + neutron::agents::ml2::ovs::datapath_type: {get_param: NeutronDatapathType} + neutron::agents::ml2::ovs::vhostuser_socket_dir: {get_param: NeutronVhostuserSocketDir} + vswitch::dpdk::core_list: {get_param: NeutronDpdkCoreList} + vswitch::dpdk::memory_channels: {get_param: NeutronDpdkMemoryChannels} + vswitch::dpdk::socket_mem: {get_param: NeutronDpdkSocketMemory} + vswitch::dpdk::driver_type: {get_param: NeutronDpdkDriverType} + step_config: {get_attr: [NeutronOvsAgent, role_data, step_config]} diff --git a/puppet/services/neutron-plugin-ml2.yaml b/puppet/services/neutron-plugin-ml2.yaml index 165b9687..5dbae3dc 100644 --- a/puppet/services/neutron-plugin-ml2.yaml +++ b/puppet/services/neutron-plugin-ml2.yaml @@ -60,7 +60,12 @@ parameters: default: 'vxlan' description: The tenant network type for Neutron. type: comma_delimited_list - + NeutronSupportedPCIVendorDevs: + description: | + List of supported pci vendor devices in the format VendorID:ProductID. + By default Intel & Mellanox SR-IOV capable NICs are supported. + type: comma_delimited_list + default: ['15b3:1004','8086:10ca'] resources: NeutronBase: @@ -118,6 +123,7 @@ outputs: template: TYPES params: TYPES: {get_param: NeutronNetworkType} + neutron::plugins::ml2::supported_pci_vendor_devs: {get_param: NeutronSupportedPCIVendorDevs} step_config: | include ::tripleo::profile::base::neutron::plugins::ml2 diff --git a/puppet/services/neutron-sriov-agent.yaml b/puppet/services/neutron-sriov-agent.yaml new file mode 100644 index 00000000..559500df --- /dev/null +++ b/puppet/services/neutron-sriov-agent.yaml @@ -0,0 +1,58 @@ +heat_template_version: 2016-04-08 + +description: > + OpenStack Neutron SR-IOV nic agent configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: > + Mapping of service_name -> network name. Typically set via + parameter_defaults in the resource registry. This mapping overrides those + in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + NeutronPhysicalDevMappings: + description: > + List of <physical_network>:<physical device> + All physical networks listed in network_vlan_ranges + on the server should have mappings to appropriate + interfaces on each agent. + type: comma_delimited_list + default: "" + NeutronExcludeDevices: + description: > + List of <network_device>:<excluded_devices> mapping + network_device to the agent's node-specific list of virtual functions + that should not be used for virtual networking. excluded_devices is a + semicolon separated list of virtual functions to exclude from + network_device. The network_device in the mapping should appear in the + physical_device_mappings list. + type: comma_delimited_list + default: "" + NeutronSriovNumVFs: + description: > + Provide the list of VFs to be reserved for each SR-IOV interface. + Format "<interface_name1>:<numvfs1>","<interface_name2>:<numvfs2>" + Example "eth1:4096","eth2:128" + type: comma_delimited_list + default: "" + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for the Neutron SR-IOV nic agent service. + value: + service_name: neutron_sriov_agent + config_settings: + neutron::agents::ml2::sriov::physical_device_mappings: {get_param: NeutronPhysicalDevMappings} + neutron::agents::ml2::sriov::exclude_devices: {get_param: NeutronExcludeDevices} + neutron::agents::ml2::sriov::number_of_vfs: {get_param: NeutronSriovNumVFs} + step_config: | + include ::tripleo::profile::base::neutron::sriov diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml index 143c0619..c2bd395e 100644 --- a/puppet/services/nova-api.yaml +++ b/puppet/services/nova-api.yaml @@ -61,7 +61,10 @@ outputs: - 8774 - 13774 - 8775 - nova::api::admin_tenant_name: 'service' + nova::keystone::authtoken::project_name: 'service' + nova::keystone::authtoken::password: {get_param: NovaPassword} + nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} nova::api::enabled: true nova::api::default_floating_pool: 'public' nova::api::sync_db_api: true diff --git a/puppet/services/nova-compute.yaml b/puppet/services/nova-compute.yaml index 1a473a4e..dc962297 100644 --- a/puppet/services/nova-compute.yaml +++ b/puppet/services/nova-compute.yaml @@ -88,7 +88,14 @@ outputs: # example openvswitch. nova::compute::reserved_host_memory: 2048 nova::compute::neutron::libvirt_vif_driver: {get_param: NovaComputeLibvirtVifDriver} - + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + nova::compute::vncserver_proxyclient_address: {get_param: [ServiceNetMap, NovaVncProxyNetwork]} + nova::compute::vncproxy_host: {get_param: [EndpointMap, NovaPublic, host]} step_config: | # TODO(emilien): figure how to deal with libvirt profile. # We'll probably treat it like we do with Neutron plugins. diff --git a/puppet/services/nova-scheduler.yaml b/puppet/services/nova-scheduler.yaml index 78ff008b..c8f2591d 100644 --- a/puppet/services/nova-scheduler.yaml +++ b/puppet/services/nova-scheduler.yaml @@ -18,6 +18,17 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + NovaSchedulerAvailableFilters: + default: [] + description: List of scheduler available filters + type: comma_delimited_list + NovaSchedulerDefaultFilters: + type: comma_delimited_list + default: [] + description: > + An array of filters used by Nova to filter a node.These filters will be + applied in the order they are listed, so place your most restrictive + filters first to make the filtering process more efficient. resources: NovaBase: @@ -36,5 +47,7 @@ outputs: map_merge: - get_attr: [NovaBase, role_data, config_settings] - nova::scheduler::filter::ram_allocation_ratio: '1.0' + nova::scheduler::filter::scheduler_available_filters: {get_param: NovaSchedulerAvailableFilters} + nova::scheduler::filter::scheduler_default_filters: {get_param: NovaSchedulerDefaultFilters} step_config: | include tripleo::profile::base::nova::scheduler diff --git a/puppet/services/pacemaker/database/mysql.yaml b/puppet/services/pacemaker/database/mysql.yaml index e63a8f1e..d555ed0a 100644 --- a/puppet/services/pacemaker/database/mysql.yaml +++ b/puppet/services/pacemaker/database/mysql.yaml @@ -20,11 +20,21 @@ parameters: via parameter_defaults in the resource registry. type: json +resources: + + MysqlBase: + type: ../../database/mysql.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + outputs: role_data: description: Service MySQL with Pacemaker using composable services. value: service_name: mysql config_settings: + get_attr: [MysqlBase, role_data, config_settings] step_config: | include ::tripleo::profile::pacemaker::database::mysql diff --git a/puppet/services/pacemaker/gnocchi-api.yaml b/puppet/services/pacemaker/gnocchi-api.yaml index 1f6ed461..50bd3fa7 100644 --- a/puppet/services/pacemaker/gnocchi-api.yaml +++ b/puppet/services/pacemaker/gnocchi-api.yaml @@ -35,5 +35,7 @@ outputs: config_settings: map_merge: - get_attr: [GnocchiServiceBase, role_data, config_settings] + - gnocchi::metricd::manage_service: false + gnocchi::metricd::enabled: false step_config: | include ::tripleo::profile::pacemaker::gnocchi::api diff --git a/puppet/services/pacemaker/gnocchi-metricd.yaml b/puppet/services/pacemaker/gnocchi-metricd.yaml index cea27e9a..0a6b03ea 100644 --- a/puppet/services/pacemaker/gnocchi-metricd.yaml +++ b/puppet/services/pacemaker/gnocchi-metricd.yaml @@ -36,6 +36,7 @@ outputs: map_merge: - get_attr: [GnocchiServiceBase, role_data, config_settings] - gnocchi::metricd::manage_service: false + gnocchi::metricd::enabled: false tripleo::profile::pacemaker::gnocchi::gnocchi_indexer_backend: {get_attr: [GnocchiServiceBase, aux_parameters, gnocchi_indexer_backend]} step_config: | diff --git a/puppet/services/pacemaker/gnocchi-statsd.yaml b/puppet/services/pacemaker/gnocchi-statsd.yaml index 2e1531fc..12256d32 100644 --- a/puppet/services/pacemaker/gnocchi-statsd.yaml +++ b/puppet/services/pacemaker/gnocchi-statsd.yaml @@ -36,6 +36,7 @@ outputs: map_merge: - get_attr: [GnocchiServiceBase, role_data, config_settings] - gnocchi::statsd::manage_service: false + gnocchi::statsd::enabled: false tripleo::profile::pacemaker::gnocchi::gnocchi_indexer_backend: {get_attr: [GnocchiServiceBase, aux_parameters, gnocchi_indexer_backend]} step_config: | include ::tripleo::profile::pacemaker::gnocchi::statsd diff --git a/puppet/services/rabbitmq.yaml b/puppet/services/rabbitmq.yaml index 5d580648..06595b07 100644 --- a/puppet/services/rabbitmq.yaml +++ b/puppet/services/rabbitmq.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > RabbitMQ service configured with Puppet @@ -34,6 +34,10 @@ parameters: default: false description: Enable IPv6 in RabbitMQ type: boolean + RabbitCookie: + type: string + default: '' + hidden: true outputs: role_data: @@ -66,5 +70,19 @@ outputs: tcp_listen_options: '[binary, {packet, raw}, {reuseaddr, true}, {backlog, 128}, {nodelay, true}, {exit_on_close, false}, {keepalive, true}]' cluster_partition_handling: 'pause_minority' loopback_users: '[]' + rabbitmq::erlang_cookie: + yaql: + expression: $.data.passwords.where($ != '').first() + data: + passwords: + - {get_param: RabbitCookie} + - {get_param: [DefaultPasswords, rabbit_cookie]} + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + rabbitmq::node_ip_address: {get_param: [ServiceNetMap, RabbitmqNetwork]} step_config: | include ::tripleo::profile::base::rabbitmq diff --git a/puppet/services/sahara-api.yaml b/puppet/services/sahara-api.yaml index 5715a8c3..fae9c434 100644 --- a/puppet/services/sahara-api.yaml +++ b/puppet/services/sahara-api.yaml @@ -54,6 +54,12 @@ outputs: sahara::keystone::auth::admin_url: {get_param: [EndpointMap, SaharaAdmin, uri]} sahara::keystone::auth::password: {get_param: SaharaPassword } sahara::keystone::auth::region: {get_param: KeystoneRegion} + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + sahara::host: {get_param: [ServiceNetMap, SaharaApiNetwork]} tripleo.sahara_api.firewall_rules: '132 sahara': dport: diff --git a/puppet/services/swift-base.yaml b/puppet/services/swift-base.yaml new file mode 100644 index 00000000..741adb4d --- /dev/null +++ b/puppet/services/swift-base.yaml @@ -0,0 +1,33 @@ +heat_template_version: 2016-04-08 + +description: > + OpenStack Swift Proxy service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + SwiftHashSuffix: + description: A random string to be used as a salt when hashing to determine mappings + in the ring. + hidden: true + type: string + +outputs: + role_data: + description: Role data for the Swift common swift settings. + value: + service_name: swift_base + config_settings: + swift::swift_hash_path_suffix: {get_param: SwiftHashSuffix} diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml index 6c2bb44b..cba08090 100644 --- a/puppet/services/swift-proxy.yaml +++ b/puppet/services/swift-proxy.yaml @@ -39,6 +39,13 @@ parameters: default: 'regionOne' description: Keystone region for endpoint +resources: + SwiftBase: + type: ./swift-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} outputs: role_data: @@ -46,50 +53,59 @@ outputs: value: service_name: swift_proxy config_settings: - # Swift - swift::proxy::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - swift::proxy::authtoken::identity_uri: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} - swift::proxy::authtoken::admin_password: {get_param: SwiftPassword} - swift::proxy::authtoken::admin_tenant_name: 'service' - swift::proxy::node_timeout: {get_param: SwiftProxyNodeTimeout} - swift::proxy::workers: {get_param: SwiftWorkers} - swift::keystone::auth::public_url: {get_param: [EndpointMap, SwiftPublic, uri]} - swift::keystone::auth::internal_url: {get_param: [EndpointMap, SwiftInternal, uri]} - swift::keystone::auth::admin_url: {get_param: [EndpointMap, SwiftAdmin, uri]} - swift::keystone::auth::public_url_s3: {get_param: [EndpointMap, SwiftS3Public, uri]} - swift::keystone::auth::internal_url_s3: {get_param: [EndpointMap, SwiftS3Internal, uri]} - swift::keystone::auth::admin_url_s3: {get_param: [EndpointMap, SwiftS3Admin, uri]} - swift::keystone::auth::password: {get_param: SwiftPassword} - swift::keystone::auth::region: {get_param: KeystoneRegion} - tripleo.swift_proxy.firewall_rules: - '122 swift proxy': - dport: - - 8080 - - 13808 - swift::keystone::auth::tenant: 'service' - swift::keystone::auth::configure_s3_endpoint: false - swift::keystone::auth::operator_roles: - - admin - - swiftoperator - - ResellerAdmin - swift::proxy::keystone::operator_roles: - - admin - - swiftoperator - - ResellerAdmin - swift::proxy::pipeline: - - 'catch_errors' - - 'healthcheck' - - 'proxy-logging' - - 'cache' - - 'ratelimit' - - 'bulk' - - 'tempurl' - - 'formpost' - - 'authtoken' - - 'keystone' - - 'staticweb' - - 'proxy-logging' - - 'proxy-server' - swift::proxy::account_autocreate: true + map_merge: + - get_attr: [SwiftBase, role_data, config_settings] + + - swift::proxy::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} + swift::proxy::authtoken::identity_uri: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + swift::proxy::authtoken::admin_password: {get_param: SwiftPassword} + swift::proxy::authtoken::admin_tenant_name: 'service' + swift::proxy::node_timeout: {get_param: SwiftProxyNodeTimeout} + swift::proxy::workers: {get_param: SwiftWorkers} + swift::keystone::auth::public_url: {get_param: [EndpointMap, SwiftPublic, uri]} + swift::keystone::auth::internal_url: {get_param: [EndpointMap, SwiftInternal, uri]} + swift::keystone::auth::admin_url: {get_param: [EndpointMap, SwiftAdmin, uri]} + swift::keystone::auth::public_url_s3: {get_param: [EndpointMap, SwiftS3Public, uri]} + swift::keystone::auth::internal_url_s3: {get_param: [EndpointMap, SwiftS3Internal, uri]} + swift::keystone::auth::admin_url_s3: {get_param: [EndpointMap, SwiftS3Admin, uri]} + swift::keystone::auth::password: {get_param: SwiftPassword} + swift::keystone::auth::region: {get_param: KeystoneRegion} + tripleo.swift_proxy.firewall_rules: + '122 swift proxy': + dport: + - 8080 + - 13808 + swift::keystone::auth::tenant: 'service' + swift::keystone::auth::configure_s3_endpoint: false + swift::keystone::auth::operator_roles: + - admin + - swiftoperator + - ResellerAdmin + swift::proxy::keystone::operator_roles: + - admin + - swiftoperator + - ResellerAdmin + swift::proxy::pipeline: + - 'catch_errors' + - 'healthcheck' + - 'proxy-logging' + - 'cache' + - 'ratelimit' + - 'bulk' + - 'tempurl' + - 'formpost' + - 'authtoken' + - 'keystone' + - 'staticweb' + - 'proxy-logging' + - 'proxy-server' + swift::proxy::account_autocreate: true + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + swift::proxy::proxy_local_net_ip: {get_param: [ServiceNetMap, SwiftProxyNetwork]} step_config: | include ::tripleo::profile::base::swift::proxy diff --git a/puppet/services/swift-storage.yaml b/puppet/services/swift-storage.yaml index 558f2752..6c7c3c7a 100644 --- a/puppet/services/swift-storage.yaml +++ b/puppet/services/swift-storage.yaml @@ -26,6 +26,10 @@ parameters: default: false description: Value of mount_check in Swift account/container/object -server.conf type: boolean + SwiftRawDisks: + default: {} + description: 'A hash of additional raw devices to use as Swift backend (eg. {sdb: {}})' + type: json # DEPRECATED options for compatibility with overcloud.yaml # This should be removed and manipulation of the ControllerServices list @@ -41,33 +45,44 @@ parameter_groups: parameters: - ControllerEnableSwiftStorage +resources: + SwiftBase: + type: ./swift-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + outputs: role_data: description: Role data for the Swift Proxy role. value: service_name: swift_storage config_settings: - # Swift - swift::storage::all::mount_check: {get_param: SwiftMountCheck} - tripleo::profile::base::swift::storage::enable_swift_storage: {get_param: ControllerEnableSwiftStorage} - tripleo.swift_storage.firewall_rules: - '123 swift storage': - dport: - - 873 - - 6000 - - 6001 - - 6002 - swift::storage::all::incoming_chmod: 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r' - swift::storage::all::outgoing_chmod: 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r' - swift::storage::all::object_pipeline: - - healthcheck - - recon - - object-server - swift::storage::all::container_pipeline: - - healthcheck - - container-server - swift::storage::all::account_pipeline: - - healthcheck - - account-server + map_merge: + - get_attr: [SwiftBase, role_data, config_settings] + - swift::storage::all::mount_check: {get_param: SwiftMountCheck} + tripleo::profile::base::swift::storage::enable_swift_storage: {get_param: ControllerEnableSwiftStorage} + tripleo.swift_storage.firewall_rules: + '123 swift storage': + dport: + - 873 + - 6000 + - 6001 + - 6002 + swift::storage::all::incoming_chmod: 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r' + swift::storage::all::outgoing_chmod: 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r' + swift::storage::all::object_pipeline: + - healthcheck + - recon + - object-server + swift::storage::all::container_pipeline: + - healthcheck + - container-server + swift::storage::all::account_pipeline: + - healthcheck + - account-server + swift::storage::disks: {get_param: SwiftRawDisks} + swift::storage::all::storage_local_net_ip: {get_param: [ServiceNetMap, SwiftMgmtNetwork]} step_config: | include ::tripleo::profile::base::swift::storage |