5 files changed, 60 insertions, 19 deletions

diff --git a/puppet/services/heat-base.yaml b/puppet/services/heat-base.yaml
index 3f6dba60..a933a94b 100644
--- a/puppet/services/heat-base.yaml
+++ b/puppet/services/heat-base.yaml
@@ -57,6 +57,7 @@ outputs:
         heat::rabbit_port: {get_param: RabbitClientPort}
         heat::debug: {get_param: Debug}
         heat::enable_proxy_headers_parsing: true
+        heat::rpc_response_timeout: 600
         # We need this because the default heat policy.json no longer works on TripleO
         # https://git.openstack.org/cgit/openstack/heat/commit/?id=ac86702172ddf01f5bdc3f3cd99d2e32ad9b7024
         heat::policy::policies:
@@ -77,6 +78,8 @@ outputs:
         heat::cron::purge_deleted::destination: '/dev/null'
         heat::db::database_db_max_retries: -1
         heat::db::database_max_retries: -1
+        heat::yaql_memory_quota: 100000
+        heat::yaql_limit_iterators: 1000
       service_config_settings:
         keystone:
           tripleo::profile::base::keystone::heat_admin_domain: 'heat_stack'
diff --git a/puppet/services/heat-engine.yaml b/puppet/services/heat-engine.yaml
index 1cf833d7..8faccd2b 100644
--- a/puppet/services/heat-engine.yaml
+++ b/puppet/services/heat-engine.yaml
@@ -48,6 +48,15 @@ parameters:
     default:
       tag: openstack.heat.engine
       path: /var/log/heat/heat-engine.log
+  HeatConvergenceEngine:
+    type: boolean
+    default: true
+    description: Enables the heat engine with the convergence architecture.
+  HeatMaxResourcesPerStack:
+    type: number
+    default: 1000
+    description: Maximum resources allowed per top-level stack. -1 stands for unlimited.
+
 
 resources:
   HeatBase:
@@ -72,6 +81,26 @@ outputs:
           - heat::engine::num_engine_workers: {get_param: HeatWorkers}
             heat::engine::configure_delegated_roles: false
             heat::engine::trusts_delegated_roles: []
+            heat::engine::max_nested_stack_depth: 6
+            heat::engine::max_resources_per_stack: {get_param: HeatMaxResourcesPerStack}
+            heat::engine::heat_metadata_server_url:
+              list_join:
+                - ''
+                - - {get_param: [EndpointMap, HeatCfnPublic, protocol]}
+                  - '://'
+                  - {get_param: [EndpointMap, HeatCfnPublic, host]}
+                  - ':'
+                  - {get_param: [EndpointMap, HeatCfnPublic, port]}
+            heat::engine::heat_waitcondition_server_url:
+              list_join:
+                - ''
+                - - {get_param: [EndpointMap, HeatCfnPublic, protocol]}
+                  - '://'
+                  - {get_param: [EndpointMap, HeatCfnPublic, host]}
+                  - ':'
+                  - {get_param: [EndpointMap, HeatCfnPublic, port]}
+                  - '/v1/waitcondition'
+            heat::engine::convergence_engine: {get_param: HeatConvergenceEngine}
             tripleo::profile::base::heat::manage_db_purge: {get_param: HeatEnableDBPurge}
             heat::database_connection:
               list_join:
diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml
index a4a487cc..d2ca841f 100644
--- a/puppet/services/nova-api.yaml
+++ b/puppet/services/nova-api.yaml
@@ -112,14 +112,14 @@ outputs:
               params:
                 $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
           nova::api::service_name: 'httpd'
-          nova::wsgi::apache::ssl: {get_param: EnableInternalTLS}
+          nova::wsgi::apache_api::ssl: {get_param: EnableInternalTLS}
           # NOTE: bind IP is found in Heat replacing the network name with the local node IP
           # for the given network; replacement examples (eg. for internal_api):
           # internal_api -> IP
           # internal_api_uri -> [IP]
           # internal_api_subnet - > IP/CIDR
-          nova::wsgi::apache::bind_host: {get_param: [ServiceNetMap, NovaApiNetwork]}
-          nova::wsgi::apache::servername:
+          nova::wsgi::apache_api::bind_host: {get_param: [ServiceNetMap, NovaApiNetwork]}
+          nova::wsgi::apache_api::servername:
             str_replace:
               template:
                 "%{hiera('fqdn_$NETWORK')}"
@@ -133,10 +133,27 @@ outputs:
           - nova_workers_zero
           - {}
           - nova::api::osapi_compute_workers: {get_param: NovaWorkers}
-            nova::wsgi::apache::workers: {get_param: NovaWorkers}
+            nova::wsgi::apache_api::workers: {get_param: NovaWorkers}
       step_config: |
         include tripleo::profile::base::nova::api
       service_config_settings:
+        mysql:
+          map_merge:
+          - {get_attr: [NovaBase, role_data, service_config_settings, mysql]}
+          - nova::db::mysql::password: {get_param: NovaPassword}
+            nova::db::mysql::user: nova
+            nova::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+            nova::db::mysql::dbname: nova
+            nova::db::mysql::allowed_hosts:
+              - '%'
+              - "%{hiera('mysql_bind_host')}"
+            nova::db::mysql_api::password: {get_param: NovaPassword}
+            nova::db::mysql_api::user: nova_api
+            nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+            nova::db::mysql_api::dbname: nova_api
+            nova::db::mysql_api::allowed_hosts:
+              - '%'
+              - "%{hiera('mysql_bind_host')}"
         keystone:
           nova::keystone::auth::tenant: 'service'
           nova::keystone::auth::public_url: {get_param: [EndpointMap, NovaPublic, uri]}
@@ -144,18 +161,3 @@ outputs:
           nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]}
           nova::keystone::auth::password: {get_param: NovaPassword}
           nova::keystone::auth::region: {get_param: KeystoneRegion}
-        mysql:
-          nova::db::mysql::password: {get_param: NovaPassword}
-          nova::db::mysql::user: nova
-          nova::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
-          nova::db::mysql::dbname: nova
-          nova::db::mysql::allowed_hosts:
-            - '%'
-            - "%{hiera('mysql_bind_host')}"
-          nova::db::mysql_api::password: {get_param: NovaPassword}
-          nova::db::mysql_api::user: nova_api
-          nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
-          nova::db::mysql_api::dbname: nova_api
-          nova::db::mysql_api::allowed_hosts:
-            - '%'
-            - "%{hiera('mysql_bind_host')}"
diff --git a/puppet/services/opendaylight-api.yaml b/puppet/services/opendaylight-api.yaml
index 47b3b3fa..89842115 100644
--- a/puppet/services/opendaylight-api.yaml
+++ b/puppet/services/opendaylight-api.yaml
@@ -60,5 +60,11 @@ outputs:
         opendaylight::extra_features: {get_param: OpenDaylightFeatures}
         opendaylight::enable_dhcp: {get_param: OpenDaylightEnableDHCP}
         opendaylight::odl_bind_ip: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
+        tripleo.opendaylight_api.firewall_rules:
+              '137 opendaylight api':
+                dport:
+                  - {get_param: OpenDaylightPort}
+                  - 6640
+                  - 6653
       step_config: |
         include tripleo::profile::base::neutron::opendaylight
diff --git a/puppet/services/rabbitmq.yaml b/puppet/services/rabbitmq.yaml
index a32dec1e..5526a6f2 100644
--- a/puppet/services/rabbitmq.yaml
+++ b/puppet/services/rabbitmq.yaml
@@ -69,6 +69,7 @@ outputs:
         rabbitmq::delete_guest_user: false
         rabbitmq::wipe_db_on_cookie_change: true
         rabbitmq::port: '5672'
+        rabbitmq::package_provider: yum
         rabbitmq::package_source: undef
         rabbitmq::repos_ensure: false
         rabbitmq::tcp_keepalive: true