diff options
Diffstat (limited to 'puppet/services')
| -rw-r--r-- | puppet/services/ceilometer-base.yaml | 2 | ||||
| -rw-r--r-- | puppet/services/etcd.yaml | 77 | ||||
| -rw-r--r-- | puppet/services/ironic-conductor.yaml | 6 | ||||
| -rw-r--r-- | puppet/services/manila-backend-cephfs.yaml | 2 | ||||
| -rw-r--r-- | puppet/services/metrics/collectd.yaml | 4 | ||||
| -rw-r--r-- | puppet/services/neutron-plugin-nsx.yaml | 66 | ||||
| -rw-r--r-- | puppet/services/zaqar.yaml | 66 |
7 files changed, 187 insertions, 36 deletions
diff --git a/puppet/services/ceilometer-base.yaml b/puppet/services/ceilometer-base.yaml index e1613720..d524e612 100644 --- a/puppet/services/ceilometer-base.yaml +++ b/puppet/services/ceilometer-base.yaml @@ -88,7 +88,6 @@ outputs: value: service_name: ceilometer_base config_settings: - ceilometer_auth_enabled: true ceilometer::debug: {get_param: Debug} ceilometer::db::database_connection: list_join: @@ -133,6 +132,7 @@ outputs: ceilometer::telemetry_secret: {get_param: CeilometerMeteringSecret} service_config_settings: keystone: + ceilometer_auth_enabled: true ceilometer::keystone::auth::public_url: {get_param: [EndpointMap, CeilometerPublic, uri]} ceilometer::keystone::auth::internal_url: {get_param: [EndpointMap, CeilometerInternal, uri]} ceilometer::keystone::auth::admin_url: {get_param: [EndpointMap, CeilometerAdmin, uri]} diff --git a/puppet/services/etcd.yaml b/puppet/services/etcd.yaml index 5db8bec0..ec682531 100644 --- a/puppet/services/etcd.yaml +++ b/puppet/services/etcd.yaml @@ -25,6 +25,13 @@ parameters: MonitoringSubscriptionEtcd: default: 'overcloud-etcd' type: string + EnableInternalTLS: + type: boolean + default: false + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} outputs: role_data: @@ -33,27 +40,47 @@ outputs: service_name: etcd monitoring_subscription: {get_param: MonitoringSubscriptionEtcd} config_settings: - etcd::etcd_name: - str_replace: - template: - "%{hiera('fqdn_$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]} - # NOTE: bind IP is found in Heat replacing the network name with the local node IP - # for the given network; replacement examples (eg. for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - tripleo::profile::base::etcd::bind_ip: {get_param: [ServiceNetMap, EtcdNetwork]} - tripleo::profile::base::etcd::client_port: '2379' - tripleo::profile::base::etcd::peer_port: '2380' - etcd::initial_cluster_token: {get_param: EtcdInitialClusterToken} - etcd::manage_package: false - tripleo.etcd.firewall_rules: - '141 etcd': - dport: - - 2379 - - 2380 + map_merge: + - + etcd::etcd_name: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]} + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + tripleo::profile::base::etcd::bind_ip: {get_param: [ServiceNetMap, EtcdNetwork]} + tripleo::profile::base::etcd::client_port: '2379' + tripleo::profile::base::etcd::peer_port: '2380' + etcd::initial_cluster_token: {get_param: EtcdInitialClusterToken} + etcd::manage_package: false + tripleo.etcd.firewall_rules: + '141 etcd': + dport: + - 2379 + - 2380 + - + if: + - internal_tls_enabled + - generate_service_certificates: true + tripleo::profile::base::etcd::certificate_specs: + service_certificate: '/etc/pki/tls/certs/etcd.crt' + service_key: '/etc/pki/tls/private/etcd.key' + hostname: + str_replace: + template: "%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]} + principal: + str_replace: + template: "etcd/%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]} + - {} step_config: | include ::tripleo::profile::base::etcd upgrade_tasks: @@ -71,3 +98,11 @@ outputs: - name: Stop etcd service tags: step2 service: name=etcd state=stopped + metadata_settings: + if: + - internal_tls_enabled + - + - service: etcd + network: {get_param: [ServiceNetMap, EtcdNetwork]} + type: node + - null diff --git a/puppet/services/ironic-conductor.yaml b/puppet/services/ironic-conductor.yaml index be910d10..666967b9 100644 --- a/puppet/services/ironic-conductor.yaml +++ b/puppet/services/ironic-conductor.yaml @@ -45,6 +45,10 @@ parameters: default: ['pxe_ipmitool', 'pxe_drac', 'pxe_ilo'] description: Enabled Ironic drivers type: comma_delimited_list + IronicEnabledHardwareTypes: + default: ['ipmi'] + description: Enabled Ironic hardware types + type: comma_delimited_list IronicIPXEEnabled: default: true description: Whether to use iPXE instead of PXE for deployment. @@ -92,6 +96,7 @@ outputs: ironic::conductor::cleaning_network: {get_param: IronicCleaningNetwork} ironic::conductor::provisioning_network: {get_param: IronicProvisioningNetwork} ironic::conductor::enabled_drivers: {get_param: IronicEnabledDrivers} + ironic::conductor::enabled_hardware_types: {get_param: IronicEnabledHardwareTypes} # We need an endpoint containing a real IP, not a VIP here ironic_conductor_http_host: {get_param: [ServiceNetMap, IronicNetwork]} ironic::conductor::http_url: @@ -112,6 +117,7 @@ outputs: # NOTE(dtantsur): UEFI only works with iPXE currently for us ironic::drivers::pxe::uefi_pxe_config_template: '$pybasedir/drivers/modules/ipxe_config.template' ironic::drivers::pxe::uefi_pxe_bootfile_name: 'ipxe.efi' + ironic::drivers::interfaces::enabled_console_interfaces: ['ipmitool-socat', 'no-console'] ironic::drivers::interfaces::enabled_network_interfaces: ['flat', 'neutron'] ironic::drivers::interfaces::default_network_interface: {get_param: IronicDefaultNetworkInterface} tripleo.ironic_conductor.firewall_rules: diff --git a/puppet/services/manila-backend-cephfs.yaml b/puppet/services/manila-backend-cephfs.yaml index 36ef1ea9..2a6d7e34 100644 --- a/puppet/services/manila-backend-cephfs.yaml +++ b/puppet/services/manila-backend-cephfs.yaml @@ -39,7 +39,7 @@ parameters: default: 'ceph' ManilaCephFSNativeCephFSEnableSnapshots: type: boolean - default: true + default: false ManilaCephFSDataPoolName: default: manila_data type: string diff --git a/puppet/services/metrics/collectd.yaml b/puppet/services/metrics/collectd.yaml index 49b2d4c2..d2d9f3dc 100644 --- a/puppet/services/metrics/collectd.yaml +++ b/puppet/services/metrics/collectd.yaml @@ -70,7 +70,9 @@ parameters: CollectdSecurityLevel: type: string description: > - Security level setting for remote collectd connection. + Security level setting for remote collectd connection. If it is + set to Sign or Encrypt the CollectdPassword and CollectdUsername + parameters need to be set. default: 'None' constraints: - allowed_values: diff --git a/puppet/services/neutron-plugin-nsx.yaml b/puppet/services/neutron-plugin-nsx.yaml new file mode 100644 index 00000000..3ac219ba --- /dev/null +++ b/puppet/services/neutron-plugin-nsx.yaml @@ -0,0 +1,66 @@ +heat_template_version: ocata + +description: > + OpenStack Neutron NSX + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + DefaultOverlayTz: + description: UUID of the default NSX overlay transport zone. + type: string + DefaultTier0Router: + description: UUID of the default tier0 router that will be used for connecting to + tier1 logical routers and configuring external networks. + type: string + NsxApiManagers: + description: IP address of one or more NSX managers separated by commas. + type: string + NsxApiUser: + description: User name of NSX Manager. + type: string + NsxApiPassword: + description: Password of NSX Manager. + type: string + NativeDhcpMetadata: + default: True + description: This is the flag to indicate if using native DHCP/Metadata or not. + type: string + DhcpProfileUuid: + description: This is the UUID of the NSX DHCP Profile that will be used to enable + native DHCP service. + type: string + MetadataProxyUuid: + description: This is the UUID of the NSX Metadata Proxy that will be used to enable + native metadata service. + type: string + +outputs: + role_data: + description: Role data for the Neutron NSX plugin + value: + service_name: neutron_plugin_nsx + config_settings: + neutron::plugins::nsx_v3::default_overlay_tz: {get_param: DefaultOverlayTz} + neutron::plugins::nsx_v3::default_tier0_router: {get_param: DefaultTier0Router} + neutron::plugins::nsx_v3::nsx_api_managers: {get_param: NsxApiManagers} + neutron::plugins::nsx_v3::nsx_api_user: {get_param: NsxApiUser} + neutron::plugins::nsx_v3::nsx_api_password: {get_param: NsxApiPassword} + neutron::plugins::nsx_v3::native_dhcp_metadata: {get_param: NativeDhcpMetadata} + neutron::plugins::nsx_v3::dhcp_profile_uuid: {get_param: DhcpProfileUuid} + neutron::plugins::nsx_v3::metadata_proxy_uuid: {get_param: MetadataProxyUuid} + + step_config: | + include tripleo::profile::base::neutron::plugins::nsx_v3 diff --git a/puppet/services/zaqar.yaml b/puppet/services/zaqar.yaml index 33769d02..06965c8c 100644 --- a/puppet/services/zaqar.yaml +++ b/puppet/services/zaqar.yaml @@ -36,7 +36,26 @@ parameters: e.g. { zaqar-context_is_admin: { key: context_is_admin, value: 'role:admin' } } default: {} type: json + ZaqarWorkers: + type: string + description: Set the number of workers for zaqar::wsgi::apache + default: '%{::os_workers}' + EnableInternalTLS: + type: boolean + default: false + +conditions: + zaqar_workers_zero: {equals : [{get_param: ZaqarWorkers}, 0]} + +resources: + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} outputs: role_data: @@ -44,16 +63,30 @@ outputs: value: service_name: zaqar config_settings: - zaqar::policy::policies: {get_param: ZaqarPolicies} - zaqar::keystone::authtoken::password: {get_param: ZaqarPassword} - zaqar::keystone::authtoken::project_name: 'service' - zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} - zaqar::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - zaqar::debug: {get_param: Debug} - zaqar::transport::websocket::bind: {get_param: [EndpointMap, ZaqarInternal, host]} - zaqar::transport::wsgi::bind: {get_param: [ServiceNetMap, ZaqarApiNetwork]} - zaqar::message_pipeline: 'zaqar.notification.notifier' - zaqar::unreliable: true + map_merge: + - get_attr: [ApacheServiceBase, role_data, config_settings] + - zaqar::policy::policies: {get_param: ZaqarPolicies} + zaqar::keystone::authtoken::password: {get_param: ZaqarPassword} + zaqar::keystone::authtoken::project_name: 'service' + zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + zaqar::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} + zaqar::debug: {get_param: Debug} + zaqar::transport::websocket::bind: {get_param: [EndpointMap, ZaqarInternal, host]} + zaqar::wsgi::apache::ssl: false + zaqar::wsgi::apache::bind_host: {get_param: [ServiceNetMap, ZaqarApiNetwork]} + zaqar::message_pipeline: 'zaqar.notification.notifier' + zaqar::unreliable: true + zaqar::wsgi::apache::servername: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, ZaqarApiNetwork]} + - + if: + - zaqar_workers_zero + - {} + - zaqar::wsgi::apache::workers: {get_param: ZaqarWorkers} service_config_settings: keystone: zaqar::keystone::auth::password: {get_param: ZaqarPassword} @@ -83,10 +116,19 @@ outputs: grep '\bactive\b' when: zaqar_enabled.rc == 0 tags: step0,validation - - name: Stop zaqar service + - name: Check for zaqar running under apache (post upgrade) + tags: step1 + shell: "httpd -t -D DUMP_VHOSTS | grep -q zaqar_wsgi" + register: zaqar_apache + ignore_errors: true + - name: Stop zaqar service (running under httpd) + tags: step1 + service: name=httpd state=stopped + when: zaqar_apache.rc == 0 + - name: Stop and disable zaqar service (pre-upgrade not under httpd) tags: step1 when: zaqar_enabled.rc == 0 - service: name=openstack-zaqar state=stopped + service: name=openstack-zaqar state=stopped enabled=no - name: Install openstack-zaqar package if it was disabled tags: step3 yum: name=openstack-zaqar state=latest |