diff options
Diffstat (limited to 'puppet/services')
28 files changed, 375 insertions, 258 deletions
diff --git a/puppet/services/README.rst b/puppet/services/README.rst index 8fe51fa3..3accff36 100644 --- a/puppet/services/README.rst +++ b/puppet/services/README.rst @@ -48,9 +48,3 @@ are re-asserted when applying latter ones. 4) General OpenStack Services 5) Service activation (Pacemaker) - - 6) Fencing (Pacemaker) - -Note: Not all roles currently support all steps: - - * ObjectStorage role only supports steps 2, 3 and 4 diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml index daed1665..347a8c13 100644 --- a/puppet/services/aodh-api.yaml +++ b/puppet/services/aodh-api.yaml @@ -55,7 +55,7 @@ outputs: aodh::wsgi::apache::servername: str_replace: template: - '"%{::fqdn_$NETWORK}"' + '%{::fqdn_$NETWORK}' params: $NETWORK: {get_param: [ServiceNetMap, AodhApiNetwork]} aodh::api::service_name: 'httpd' @@ -68,7 +68,7 @@ outputs: aodh::api::host: str_replace: template: - '"%{::fqdn_$NETWORK}"' + '%{::fqdn_$NETWORK}' params: $NETWORK: {get_param: [ServiceNetMap, AodhApiNetwork]} # NOTE: bind IP is found in Heat replacing the network name with the diff --git a/puppet/services/barbican-api.yaml b/puppet/services/barbican-api.yaml index ab6b0ec7..1a5e9134 100644 --- a/puppet/services/barbican-api.yaml +++ b/puppet/services/barbican-api.yaml @@ -24,7 +24,7 @@ parameters: hidden: true BarbicanWorkers: description: Set the number of workers for barbican::wsgi::apache - default: '"%{::processorcount}"' + default: '%{::processorcount}' type: string Debug: default: '' @@ -93,7 +93,7 @@ outputs: barbican::wsgi::apache::servername: str_replace: template: - '"%{::fqdn_$NETWORK}"' + '%{::fqdn_$NETWORK}' params: $NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]} barbican::db::database_connection: @@ -128,3 +128,17 @@ outputs: barbican::keystone::auth::password: {get_param: BarbicanPassword} barbican::keystone::auth::region: {get_param: KeystoneRegion} barbican::keystone::auth::tenant: 'service' + nova_compute: + nova::compute::keymgr_api_class: > + castellan.key_manager.barbican_key_manager.BarbicanKeyManager + nova::compute::barbican_endpoint: + get_param: [EndpointMap, BarbicanInternal, uri] + nova::compute::barbican_auth_endpoint: + get_param: [EndpointMap, KeystoneV3Internal, uri] + cinder_api: + cinder::api::keymgr_api_class: > + castellan.key_manager.barbican_key_manager.BarbicanKeyManager + cinder::api::keymgr_encryption_api_url: + get_param: [EndpointMap, BarbicanInternal, uri] + cinder::api::keymgr_encryption_auth_url: + get_param: [EndpointMap, KeystoneV3Internal, uri] diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml index 97b255a9..2f34f248 100644 --- a/puppet/services/ceilometer-api.yaml +++ b/puppet/services/ceilometer-api.yaml @@ -75,7 +75,7 @@ outputs: ceilometer::api::host: str_replace: template: - '"%{::fqdn_$NETWORK}"' + '%{::fqdn_$NETWORK}' params: $NETWORK: {get_param: [ServiceNetMap, CeilometerApiNetwork]} ceilometer::wsgi::apache::bind_host: {get_param: [ServiceNetMap, CeilometerApiNetwork]} @@ -83,7 +83,7 @@ outputs: ceilometer::wsgi::apache::servername: str_replace: template: - '"%{::fqdn_$NETWORK}"' + '%{::fqdn_$NETWORK}' params: $NETWORK: {get_param: [ServiceNetMap, CeilometerApiNetwork]} service_config_settings: diff --git a/puppet/services/ceilometer-base.yaml b/puppet/services/ceilometer-base.yaml index 4ace7526..ded1bc03 100644 --- a/puppet/services/ceilometer-base.yaml +++ b/puppet/services/ceilometer-base.yaml @@ -36,6 +36,12 @@ parameters: type: string constraints: - allowed_values: ['gnocchi', 'database'] + CeilometerEventDispatcher: + default: ['gnocchi'] + description: Comma-separated list of Dispatchers to process events data + type: comma_delimited_list + constraints: + - allowed_values: ['panko', 'gnocchi', 'database'] CeilometerWorkers: default: 0 description: Number of workers for Ceilometer service. @@ -102,6 +108,7 @@ outputs: ceilometer::agent::auth::auth_tenant_name: 'service' ceilometer::agent::auth::auth_endpoint_type: 'internalURL' ceilometer::collector::meter_dispatcher: {get_param: CeilometerMeterDispatcher} + ceilometer::collector::event_dispatcher: {get_param: CeilometerEventDispatcher} ceilometer::dispatcher::gnocchi::url: {get_param: [EndpointMap, GnocchiInternal, uri]} ceilometer::dispatcher::gnocchi::filter_project: 'service' ceilometer::dispatcher::gnocchi::archive_policy: 'low' diff --git a/puppet/services/ceph-base.yaml b/puppet/services/ceph-base.yaml index 786e9ddd..8faf5640 100644 --- a/puppet/services/ceph-base.yaml +++ b/puppet/services/ceph-base.yaml @@ -119,36 +119,33 @@ outputs: NETWORK: {get_param: [ServiceNetMap, CephMonNetwork]} ceph::profile::params::public_addr: {get_param: [ServiceNetMap, CephMonNetwork]} ceph::profile::params::client_keys: - str_replace: - template: "{ - client.admin: { - secret: 'ADMIN_KEY', - mode: '0600', - cap_mon: 'allow *', - cap_osd: 'allow *', + map_replace: + - client.admin: + secret: {get_param: CephAdminKey} + mode: '0600' + cap_mon: 'allow *' + cap_osd: 'allow *' cap_mds: 'allow *' - }, - client.bootstrap-osd: { - secret: 'ADMIN_KEY', - keyring_path: '/var/lib/ceph/bootstrap-osd/ceph.keyring', + client.bootstrap-osd: + secret: {get_param: CephAdminKey} + keyring_path: '/var/lib/ceph/bootstrap-osd/ceph.keyring' cap_mon: 'allow profile bootstrap-osd' - }, - client.CLIENT_USER: { - secret: 'CLIENT_KEY', - mode: '0644', - cap_mon: 'allow r', - cap_osd: 'allow class-read object_prefix rbd_children, allow rwx pool=CINDER_POOL, allow rwx pool=CINDERBACKUP_POOL, allow rwx pool=NOVA_POOL, allow rwx pool=GLANCE_POOL, allow rwx pool=GNOCCHI_POOL' - } - }" - params: - CLIENT_USER: {get_param: CephClientUserName} - CLIENT_KEY: {get_param: CephClientKey} - ADMIN_KEY: {get_param: CephAdminKey} - NOVA_POOL: {get_param: NovaRbdPoolName} - CINDER_POOL: {get_param: CinderRbdPoolName} - CINDERBACKUP_POOL: {get_param: CinderBackupRbdPoolName} - GLANCE_POOL: {get_param: GlanceRbdPoolName} - GNOCCHI_POOL: {get_param: GnocchiRbdPoolName} + CEPH_CLIENT_KEY: + secret: {get_param: CephClientKey} + mode: '0644' + cap_mon: 'allow r' + cap_osd: + str_replace: + template: 'allow class-read object_prefix rbd_children, allow rwx pool=CINDER_POOL, allow rwx pool=CINDERBACKUP_POOL, allow rwx pool=NOVA_POOL, allow rwx pool=GLANCE_POOL, allow rwx pool=GNOCCHI_POOL' + params: + NOVA_POOL: {get_param: NovaRbdPoolName} + CINDER_POOL: {get_param: CinderRbdPoolName} + CINDERBACKUP_POOL: {get_param: CinderBackupRbdPoolName} + GLANCE_POOL: {get_param: GlanceRbdPoolName} + GNOCCHI_POOL: {get_param: GnocchiRbdPoolName} + - keys: + CEPH_CLIENT_KEY: + list_join: ['.', ['client', {get_param: CephClientUserName}]] service_config_settings: glance_api: glance::api::show_multiple_locations: {if: [glance_multiple_locations, true, false]} diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml index 803d8b83..8d57418e 100644 --- a/puppet/services/cinder-api.yaml +++ b/puppet/services/cinder-api.yaml @@ -42,7 +42,7 @@ parameters: CinderWorkers: type: string description: Set the number of workers for cinder::wsgi::apache - default: '"%{::os_workers}"' + default: '%{::os_workers}' EnableInternalTLS: type: boolean default: false @@ -101,7 +101,7 @@ outputs: cinder::api::bind_host: str_replace: template: - '"%{::fqdn_$NETWORK}"' + '%{::fqdn_$NETWORK}' params: $NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]} cinder::wsgi::apache::ssl: {get_param: EnableInternalTLS} @@ -115,7 +115,7 @@ outputs: cinder::wsgi::apache::servername: str_replace: template: - '"%{::fqdn_$NETWORK}"' + '%{::fqdn_$NETWORK}' params: $NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]} - diff --git a/puppet/services/database/mysql-internal-tls-certmonger.yaml b/puppet/services/database/mysql-internal-tls-certmonger.yaml new file mode 100644 index 00000000..3ba51fb6 --- /dev/null +++ b/puppet/services/database/mysql-internal-tls-certmonger.yaml @@ -0,0 +1,43 @@ +heat_template_version: 2016-10-14 + +description: > + MySQL configurations for using TLS via certmonger. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + # The following parameters are not needed by the template but are + # required to pass the pep8 tests + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: MySQL configurations for using TLS via certmonger. + value: + service_name: mysql_internal_tls_certmonger + config_settings: + generate_service_certificates: true + tripleo::profile::base::database::mysql::certificate_specs: + service_certificate: '/etc/pki/tls/certs/mysql.crt' + service_key: '/etc/pki/tls/private/mysql.key' + hostname: + str_replace: + template: "%{hiera('cloud_name_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} + principal: + str_replace: + template: "mysql/%{hiera('cloud_name_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml index 094a7c9f..bed8f7d3 100644 --- a/puppet/services/database/mysql.yaml +++ b/puppet/services/database/mysql.yaml @@ -35,50 +35,60 @@ parameters: description: Whether to use Galera instead of regular MariaDB. type: boolean +resources: + + MySQLTLS: + type: OS::TripleO::Services::MySQLTLS + properties: + ServiceNetMap: {get_param: ServiceNetMap} + outputs: role_data: description: Service MySQL using composable services. value: service_name: mysql config_settings: - # The Galera package should work in cluster and - # non-cluster modes based on the config file. - # We set the package name here explicitly so - # that it matches what we pre-install - # in tripleo-puppet-elements. - mysql::server::package_name: 'mariadb-galera-server' - mysql::server::manage_config_file: true - tripleo.mysql.firewall_rules: - '104 mysql galera': - dport: - - 873 - - 3306 - - 4444 - - 4567 - - 4568 - - 9200 - mysql_max_connections: {get_param: MysqlMaxConnections} - mysql::server::root_password: - yaql: - expression: $.data.passwords.where($ != '').first() - data: - passwords: - - {get_param: MysqlRootPassword} - - {get_param: [DefaultPasswords, mysql_root_password]} - mysql_clustercheck_password: {get_param: MysqlClustercheckPassword} - enable_galera: {get_param: EnableGalera} - # NOTE: bind IP is found in Heat replacing the network name with the - # local node IP for the given network; replacement examples - # (eg. for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - mysql_bind_host: {get_param: [ServiceNetMap, MysqlNetwork]} - tripleo::profile::base::database::mysql::bind_address: - str_replace: - template: - '"%{::fqdn_$NETWORK}"' - params: - $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} + map_merge: + - get_attr: [MySQLTLS, role_data, config_settings] + - + # The Galera package should work in cluster and + # non-cluster modes based on the config file. + # We set the package name here explicitly so + # that it matches what we pre-install + # in tripleo-puppet-elements. + mysql::server::package_name: 'mariadb-galera-server' + mysql::server::manage_config_file: true + tripleo.mysql.firewall_rules: + '104 mysql galera': + dport: + - 873 + - 3306 + - 4444 + - 4567 + - 4568 + - 9200 + mysql_max_connections: {get_param: MysqlMaxConnections} + mysql::server::root_password: + yaql: + expression: $.data.passwords.where($ != '').first() + data: + passwords: + - {get_param: MysqlRootPassword} + - {get_param: [DefaultPasswords, mysql_root_password]} + mysql_clustercheck_password: {get_param: MysqlClustercheckPassword} + enable_galera: {get_param: EnableGalera} + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + mysql_bind_host: {get_param: [ServiceNetMap, MysqlNetwork]} + tripleo::profile::base::database::mysql::bind_address: + str_replace: + template: + '%{::fqdn_$NETWORK}' + params: + $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} step_config: | include ::tripleo::profile::base::database::mysql diff --git a/puppet/services/database/redis-base.yaml b/puppet/services/database/redis-base.yaml index 4ed3c007..2fab0eb6 100644 --- a/puppet/services/database/redis-base.yaml +++ b/puppet/services/database/redis-base.yaml @@ -39,6 +39,6 @@ outputs: # internal_api_subnet - > IP/CIDR redis::bind: {get_param: [ServiceNetMap, RedisNetwork]} redis::port: 6379 - redis::sentinel::master_name: '"%{hiera(\"bootstrap_nodeid\")}"' - redis::sentinel::redis_host: '"%{hiera(\"bootstrap_nodeid_ip\")}"' + redis::sentinel::master_name: "%{hiera('bootstrap_nodeid')}" + redis::sentinel::redis_host: "%{hiera('bootstrap_nodeid_ip')}" redis::sentinel::notification_script: '/usr/local/bin/redis-notifications.sh' diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml index ac15de4f..d5f8e62d 100644 --- a/puppet/services/gnocchi-api.yaml +++ b/puppet/services/gnocchi-api.yaml @@ -91,7 +91,7 @@ outputs: gnocchi::wsgi::apache::servername: str_replace: template: - '"%{::fqdn_$NETWORK}"' + '%{::fqdn_$NETWORK}' params: $NETWORK: {get_param: [ServiceNetMap, GnocchiApiNetwork]} tripleo::profile::base::gnocchi::api::gnocchi_backend: {get_param: GnocchiBackend} @@ -105,7 +105,7 @@ outputs: gnocchi::api::host: str_replace: template: - '"%{::fqdn_$NETWORK}"' + '%{::fqdn_$NETWORK}' params: $NETWORK: {get_param: [ServiceNetMap, GnocchiApiNetwork]} diff --git a/puppet/services/ironic-conductor.yaml b/puppet/services/ironic-conductor.yaml index 4ac9fc30..f173aa63 100644 --- a/puppet/services/ironic-conductor.yaml +++ b/puppet/services/ironic-conductor.yaml @@ -68,7 +68,7 @@ outputs: list_join: - '' - - 'http://' - - '%{hiera("ironic_conductor_http_host")}:' + - "%{hiera('ironic_conductor_http_host')}:" - {get_param: IronicIPXEPort} ironic::drivers::pxe::ipxe_enabled: {get_param: IronicIPXEEnabled} ironic::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]} diff --git a/puppet/services/keepalived.yaml b/puppet/services/keepalived.yaml index fb0d32b6..6f2c44ec 100644 --- a/puppet/services/keepalived.yaml +++ b/puppet/services/keepalived.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > Keepalived service configured with Puppet @@ -36,6 +36,11 @@ parameters: default: 'overcloud-keepalived' type: string +conditions: + + control_iface_empty: {equals : [{get_param: ControlVirtualInterface}, '']} + public_iface_empty: {equals : [{get_param: PublicVirtualInterface}, '']} + outputs: role_data: description: Role data for the Keepalived role. @@ -43,10 +48,19 @@ outputs: service_name: keepalived monitoring_subscription: {get_param: MonitoringSubscriptionKeepalived} config_settings: - tripleo::keepalived::control_virtual_interface: {get_param: ControlVirtualInterface} - tripleo::keepalived::public_virtual_interface: {get_param: PublicVirtualInterface} - tripleo.keepalived.firewall_rules: - '106 keepalived vrrp': - proto: vrrp + map_merge: + - tripleo.keepalived.firewall_rules: + '106 keepalived vrrp': + proto: vrrp + - + if: + - control_iface_empty + - {} + - tripleo::keepalived::control_virtual_interface: {get_param: ControlVirtualInterface} + - + if: + - public_iface_empty + - {} + - tripleo::keepalived::public_virtual_interface: {get_param: PublicVirtualInterface} step_config: | include ::tripleo::profile::base::keepalived diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index fe023a6a..c2a282d4 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -89,7 +89,7 @@ parameters: KeystoneWorkers: type: string description: Set the number of workers for keystone::wsgi::apache - default: '"%{::os_workers}"' + default: '%{::os_workers}' MonitoringSubscriptionKeystone: default: 'overcloud-keystone' type: string @@ -195,13 +195,13 @@ outputs: keystone::wsgi::apache::servername: str_replace: template: - '"%{::fqdn_$NETWORK}"' + '%{::fqdn_$NETWORK}' params: $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} keystone::wsgi::apache::servername_admin: str_replace: template: - '"%{::fqdn_$NETWORK}"' + '%{::fqdn_$NETWORK}' params: $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} keystone::wsgi::apache::workers: {get_param: KeystoneWorkers} @@ -219,13 +219,13 @@ outputs: keystone::admin_bind_host: str_replace: template: - '"%{::fqdn_$NETWORK}"' + '%{::fqdn_$NETWORK}' params: $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} keystone::public_bind_host: str_replace: template: - '"%{::fqdn_$NETWORK}"' + '%{::fqdn_$NETWORK}' params: $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} # NOTE: bind IP is found in Heat replacing the network name with the diff --git a/puppet/services/monitoring/sensu-base.yaml b/puppet/services/monitoring/sensu-base.yaml index e5762328..ea23b8b6 100644 --- a/puppet/services/monitoring/sensu-base.yaml +++ b/puppet/services/monitoring/sensu-base.yaml @@ -45,7 +45,7 @@ parameters: default: '/sensu' SensuRedactVariables: description: Variables from Sensu configuration, which have to be redacted. - type: array + type: comma_delimited_list default: - password - passwd diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml index 408eb795..5fd9d7a2 100644 --- a/puppet/services/neutron-api.yaml +++ b/puppet/services/neutron-api.yaml @@ -57,26 +57,20 @@ parameters: default: tag: openstack.neutron.api path: /var/log/neutron/server.log - ControllerCount: - description: | - Under normal conditions, this should not be overridden manually and is - set at deployment time. The default value is present to allow the - template to be used in environments that do not override it. - default: 1 - type: number # DEPRECATED: the following options are deprecated and are currently maintained # for backwards compatibility. They will be removed in the Ocata cycle. NeutronL3HA: - default: false + default: '' + type: string description: | - Whether to enable HA for virtual routers. While the default value is - 'false', L3 HA will be automatically enabled if the number of nodes - hosting controller configurations and DVR is disabled. This parameter is - being deprecated in Newton and is scheduled to be removed in Ocata. - Future releases will enable L3 HA by default if it is appropriate for the - deployment type. Alternate mechanisms will be available to override. - type: boolean + Whether to enable HA for virtual routers. When not set, L3 HA will be + automatically enabled if the number of nodes hosting controller + configurations and DVR is disabled. Valid values are 'true' or 'false' + This parameter is being deprecated in Newton and is scheduled to be + removed in Ocata. Future releases will enable L3 HA by default if it is + appropriate for the deployment type. Alternate mechanisms will be + available to override. parameter_groups: - label: deprecated @@ -97,18 +91,6 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} -conditions: - - auto_enable_l3_ha: - and: - - not: - equals: - - get_param: ControllerCount - - 1 - - equals: - - get_param: NeutronEnableDVR - - false - outputs: role_data: description: Role data for the Neutron Server agent service. @@ -135,7 +117,6 @@ outputs: neutron::server::api_workers: {get_param: NeutronWorkers} neutron::server::rpc_workers: {get_param: NeutronWorkers} neutron::server::allow_automatic_l3agent_failover: {get_param: NeutronAllowL3AgentFailover} - neutron::server::l3_ha: {if: ["auto_enable_l3_ha", true, {get_param: NeutronL3HA}]} neutron::server::enable_proxy_headers_parsing: true neutron::keystone::authtoken::password: {get_param: NeutronPassword} @@ -158,6 +139,7 @@ outputs: # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR neutron::bind_host: {get_param: [ServiceNetMap, NeutronApiNetwork]} + tripleo::profile::base::neutron::server::l3_ha_override: {get_param: NeutronL3HA} step_config: | include tripleo::profile::base::neutron::server service_config_settings: diff --git a/puppet/services/neutron-base.yaml b/puppet/services/neutron-base.yaml index 0b2cef07..3d03c313 100644 --- a/puppet/services/neutron-base.yaml +++ b/puppet/services/neutron-base.yaml @@ -84,16 +84,12 @@ outputs: neutron::rabbit_port: {get_param: RabbitClientPort} neutron::dhcp_agents_per_network: {get_param: NeutronDhcpAgentsPerNetwork} neutron::core_plugin: {get_param: NeutronCorePlugin} - neutron::service_plugins: - str_replace: - template: PLUGINS - params: - PLUGINS: {get_param: NeutronServicePlugins} + neutron::service_plugins: {get_param: NeutronServicePlugins} neutron::debug: {get_param: Debug} neutron::purge_config: {get_param: EnableConfigPurge} neutron::allow_overlapping_ips: true neutron::rabbit_heartbeat_timeout_threshold: 60 - neutron::host: '"%{::fqdn}"' #NOTE: extra quoting is needed + neutron::host: '%{::fqdn}' neutron::db::database_db_max_retries: -1 neutron::db::database_max_retries: -1 neutron::global_physnet_mtu: {get_param: NeutronGlobalPhysnetMtu} diff --git a/puppet/services/neutron-metadata.yaml b/puppet/services/neutron-metadata.yaml index 8be4c6d6..c87de285 100644 --- a/puppet/services/neutron-metadata.yaml +++ b/puppet/services/neutron-metadata.yaml @@ -72,6 +72,6 @@ outputs: neutron::agents::metadata::auth_password: {get_param: NeutronPassword} neutron::agents::metadata::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } neutron::agents::metadata::auth_tenant: 'service' - neutron::agents::metadata::metadata_ip: '"%{hiera(\"nova_metadata_vip\")}"' + neutron::agents::metadata::metadata_ip: "%{hiera('nova_metadata_vip')}" step_config: | include tripleo::profile::base::neutron::metadata diff --git a/puppet/services/neutron-ovs-agent.yaml b/puppet/services/neutron-ovs-agent.yaml index cca0deee..e2b90b7b 100644 --- a/puppet/services/neutron-ovs-agent.yaml +++ b/puppet/services/neutron-ovs-agent.yaml @@ -94,21 +94,9 @@ outputs: - neutron::agents::ml2::ovs::l2_population: {get_param: NeutronEnableL2Pop} neutron::agents::ml2::ovs::enable_distributed_routing: {get_param: NeutronEnableDVR} neutron::agents::ml2::ovs::arp_responder: {get_param: NeutronEnableARPResponder} - neutron::agents::ml2::ovs::bridge_mappings: - str_replace: - template: MAPPINGS - params: - MAPPINGS: {get_param: NeutronBridgeMappings} - neutron::agents::ml2::ovs::tunnel_types: - str_replace: - template: TYPES - params: - TYPES: {get_param: NeutronTunnelTypes} - neutron::agents::ml2::ovs::extensions: - str_replace: - template: AGENT_EXTENSIONS - params: - AGENT_EXTENSIONS: {get_param: NeutronAgentExtensions} + neutron::agents::ml2::ovs::bridge_mappings: {get_param: NeutronBridgeMappings} + neutron::agents::ml2::ovs::tunnel_types: {get_param: NeutronTunnelTypes} + neutron::agents::ml2::ovs::extensions: {get_param: NeutronAgentExtensions} # NOTE: bind IP is found in Heat replacing the network name with the # local node IP for the given network; replacement examples # (eg. for internal_api): diff --git a/puppet/services/neutron-plugin-ml2.yaml b/puppet/services/neutron-plugin-ml2.yaml index 5dbae3dc..88b5064c 100644 --- a/puppet/services/neutron-plugin-ml2.yaml +++ b/puppet/services/neutron-plugin-ml2.yaml @@ -83,46 +83,14 @@ outputs: config_settings: map_merge: - get_attr: [NeutronBase, role_data, config_settings] - - neutron::plugins::ml2::mechanism_drivers: - str_replace: - template: MECHANISMS - params: - MECHANISMS: {get_param: NeutronMechanismDrivers} - neutron::plugins::ml2::type_drivers: - str_replace: - template: DRIVERS - params: - DRIVERS: {get_param: NeutronTypeDrivers} - neutron::plugins::ml2::flat_networks: - str_replace: - template: NETWORKS - params: - NETWORKS: {get_param: NeutronFlatNetworks} - neutron::plugins::ml2::extension_drivers: - str_replace: - template: PLUGIN_EXTENSIONS - params: - PLUGIN_EXTENSIONS: {get_param: NeutronPluginExtensions} - neutron::plugins::ml2::network_vlan_ranges: - str_replace: - template: RANGES - params: - RANGES: {get_param: NeutronNetworkVLANRanges} - neutron::plugins::ml2::tunnel_id_ranges: - str_replace: - template: RANGES - params: - RANGES: {get_param: NeutronTunnelIdRanges} - neutron::plugins::ml2::vni_ranges: - str_replace: - template: RANGES - params: - RANGES: {get_param: NeutronVniRanges} - neutron::plugins::ml2::tenant_network_types: - str_replace: - template: TYPES - params: - TYPES: {get_param: NeutronNetworkType} + - neutron::plugins::ml2::mechanism_drivers: {get_param: NeutronMechanismDrivers} + neutron::plugins::ml2::type_drivers: {get_param: NeutronTypeDrivers} + neutron::plugins::ml2::flat_networks: {get_param: NeutronFlatNetworks} + neutron::plugins::ml2::extension_drivers: {get_param: NeutronPluginExtensions} + neutron::plugins::ml2::network_vlan_ranges: {get_param: NeutronNetworkVLANRanges} + neutron::plugins::ml2::tunnel_id_ranges: {get_param: NeutronTunnelIdRanges} + neutron::plugins::ml2::vni_ranges: {get_param: NeutronVniRanges} + neutron::plugins::ml2::tenant_network_types: {get_param: NeutronNetworkType} neutron::plugins::ml2::supported_pci_vendor_devs: {get_param: NeutronSupportedPCIVendorDevs} step_config: | diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml index 49bd84bc..c4d5c6bb 100644 --- a/puppet/services/nova-api.yaml +++ b/puppet/services/nova-api.yaml @@ -87,8 +87,8 @@ outputs: map_merge: - get_attr: [NovaBase, role_data, config_settings] - get_attr: [ApacheServiceBase, role_data, config_settings] - - nova::cron::archive_deleted_rows::hour: '"*/12"' - nova::cron::archive_deleted_rows::destination: '"/dev/null"' + - nova::cron::archive_deleted_rows::hour: '*/12' + nova::cron::archive_deleted_rows::destination: '/dev/null' tripleo.nova_api.firewall_rules: '113 nova_api': dport: @@ -108,7 +108,7 @@ outputs: nova::api::api_bind_address: str_replace: template: - '"%{::fqdn_$NETWORK}"' + '%{::fqdn_$NETWORK}' params: $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} nova::api::service_name: 'httpd' @@ -122,7 +122,7 @@ outputs: nova::wsgi::apache::servername: str_replace: template: - '"%{::fqdn_$NETWORK}"' + '%{::fqdn_$NETWORK}' params: $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} diff --git a/puppet/services/nova-base.yaml b/puppet/services/nova-base.yaml index 74a95d20..20bf2e42 100644 --- a/puppet/services/nova-base.yaml +++ b/puppet/services/nova-base.yaml @@ -109,7 +109,7 @@ outputs: nova::network::neutron::neutron_auth_url: {get_param: [EndpointMap, KeystoneV3Admin, uri]} nova::rabbit_heartbeat_timeout_threshold: 60 nova::cinder_catalog_info: 'volumev2:cinderv2:internalURL' - nova::host: '"%{::fqdn}"' # NOTE: extra quoting is needed. + nova::host: '%{::fqdn}' nova::notify_on_state_change: 'vm_and_task_state' nova::notification_driver: messagingv2 nova::network::neutron::neutron_auth_type: 'v3password' diff --git a/puppet/services/nova-compute.yaml b/puppet/services/nova-compute.yaml index f7f2510e..908b676e 100644 --- a/puppet/services/nova-compute.yaml +++ b/puppet/services/nova-compute.yaml @@ -52,7 +52,7 @@ parameters: For different formats, refer to the nova.conf documentation for pci_passthrough_whitelist configuration type: json - default: '' + default: {} NovaVcpuPinSet: description: > A list or range of physical CPU cores to reserve for virtual machine @@ -97,11 +97,7 @@ outputs: map_merge: - get_attr: [NovaBase, role_data, config_settings] - nova::compute::libvirt::manage_libvirt_services: false - nova::compute::pci_passthrough: - str_replace: - template: "'JSON_PARAM'" - params: - JSON_PARAM: {get_param: NovaPCIPassthrough} + nova::compute::pci_passthrough: {get_param: NovaPCIPassthrough} nova::compute::vcpu_pin_set: {get_param: NovaVcpuPinSet} nova::compute::reserved_host_memory: {get_param: NovaReservedHostMemory} # we manage migration in nova common puppet profile @@ -117,7 +113,7 @@ outputs: - '.' - - 'client' - {get_param: CephClientUserName} - nova::compute::rbd::libvirt_rbd_secret_uuid: '"%{hiera(\"ceph::profile::params::fsid\")}"' + nova::compute::rbd::libvirt_rbd_secret_uuid: "%{hiera('ceph::profile::params::fsid')}" nova::compute::instance_usage_audit: true nova::compute::instance_usage_audit_period: 'hour' nova::compute::rbd::ephemeral_storage: {get_param: NovaEnableRbdBackend} diff --git a/puppet/services/pacemaker/database/mysql.yaml b/puppet/services/pacemaker/database/mysql.yaml index 7deaf0ca..ea3d8abd 100644 --- a/puppet/services/pacemaker/database/mysql.yaml +++ b/puppet/services/pacemaker/database/mysql.yaml @@ -40,7 +40,7 @@ outputs: - tripleo::profile::pacemaker::database::mysql::bind_address: str_replace: template: - '"%{::fqdn_$NETWORK}"' + '%{::fqdn_$NETWORK}' params: $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} # NOTE: bind IP is found in Heat replacing the network name with the diff --git a/puppet/services/panko-api.yaml b/puppet/services/panko-api.yaml new file mode 100644 index 00000000..700edc7f --- /dev/null +++ b/puppet/services/panko-api.yaml @@ -0,0 +1,84 @@ +heat_template_version: 2016-04-08 + +description: > + OpenStack Panko API service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + MonitoringSubscriptionPankoApi: + default: 'overcloud-ceilometer-panko-api' + type: string + EnableInternalTLS: + type: boolean + default: false + +resources: + PankoBase: + type: ./panko-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} + +outputs: + role_data: + description: Role data for the Panko API service. + value: + service_name: panko_api + monitoring_subscription: {get_param: MonitoringSubscriptionPankoApi} + config_settings: + map_merge: + - get_attr: [PankoBase, role_data, config_settings] + - get_attr: [ApacheServiceBase, role_data, config_settings] + - panko::wsgi::apache::ssl: {get_param: EnableInternalTLS} + panko::wsgi::apache::servername: + str_replace: + template: + '%{::fqdn_$NETWORK}' + params: + $NETWORK: {get_param: [ServiceNetMap, PankoApiNetwork]} + panko::api::service_name: 'httpd' + panko::api::enable_proxy_headers_parsing: true + tripleo.panko_api.firewall_rules: + '140 panko-api': + dport: + - 8779 + - 13779 + panko::api::host: + str_replace: + template: + '%{::fqdn_$NETWORK}' + params: + $NETWORK: {get_param: [ServiceNetMap, PankoApiNetwork]} + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + panko::wsgi::apache::bind_host: {get_param: [ServiceNetMap, PankoApiNetwork]} + service_config_settings: + get_attr: [PankoBase, role_data, service_config_settings] + step_config: | + include tripleo::profile::base::panko::api diff --git a/puppet/services/panko-base.yaml b/puppet/services/panko-base.yaml new file mode 100644 index 00000000..32754a55 --- /dev/null +++ b/puppet/services/panko-base.yaml @@ -0,0 +1,74 @@ +heat_template_version: 2016-04-08 + +description: > + OpenStack Panko service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + PankoPassword: + description: The password for the panko services. + type: string + hidden: true + Debug: + default: '' + description: Set to True to enable debugging on all services. + type: string + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + +outputs: + role_data: + description: Role data for the Panko role. + value: + service_name: panko_base + config_settings: + panko_redis_password: {get_param: RedisPassword} + panko::db::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://panko:' + - {get_param: PankoPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/panko' + panko::debug: {get_param: Debug} + panko::auth::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } + panko::keystone::authtoken::project_name: 'service' + panko::keystone::authtoken::password: {get_param: PankoPassword} + panko::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + panko::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + panko::auth::auth_password: {get_param: PankoPassword} + panko::auth::auth_region: 'regionOne' + panko::auth::auth_tenant_name: 'service' + service_config_settings: + keystone: + panko::keystone::auth::public_url: {get_param: [EndpointMap, PankoPublic, uri]} + panko::keystone::auth::internal_url: {get_param: [EndpointMap, PankoInternal, uri]} + panko::keystone::auth::admin_url: {get_param: [EndpointMap, PankoAdmin, uri]} + panko::keystone::auth::password: {get_param: PankoPassword} + panko::keystone::auth::region: {get_param: KeystoneRegion} + panko::keystone::auth::tenant: 'service' + mysql: + panko::db::mysql::user: panko + panko::db::mysql::password: {get_param: PankoPassword} + panko::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + panko::db::mysql::dbname: panko + panko::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml index ba1d99f1..ba184ab0 100644 --- a/puppet/services/swift-proxy.yaml +++ b/puppet/services/swift-proxy.yaml @@ -77,6 +77,7 @@ outputs: swift::proxy::ceilometer::rabbit_user: {get_param: RabbitUserName} swift::proxy::ceilometer::rabbit_password: {get_param: RabbitPassword} swift::proxy::staticweb::url_base: {get_param: [EndpointMap, SwiftPublic, uri_no_suffix]} + swift::proxy::ceilometer::nonblocking_notify: true tripleo.swift_proxy.firewall_rules: '122 swift proxy': dport: @@ -99,6 +100,11 @@ outputs: - 'authtoken' - 'keystone' - 'staticweb' + - 'copy' + - 'container-quotas' + - 'account-quotas' + - 'slo' + - 'dlo' - 'versioned_writes' - 'ceilometer' - 'proxy-logging' diff --git a/puppet/services/vip-hosts.yaml b/puppet/services/vip-hosts.yaml deleted file mode 100644 index a9d757ee..00000000 --- a/puppet/services/vip-hosts.yaml +++ /dev/null @@ -1,56 +0,0 @@ -heat_template_version: 2016-04-08 - -description: > - If the deployer doesn't have a DNS server for the overcloud nodes. This will - populate the node-names and IPs for the VIPs of the overcloud. - -parameters: - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - DefaultPasswords: - default: {} - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - -outputs: - role_data: - description: role data for the VIP hosts role - value: - service_name: vip_hosts - config_settings: - tripleo::vip_hosts::hosts_spec: - external: - name: "%{hiera('cloud_name_external')}" - ip: "%{hiera('public_virtual_ip')}" - ensure: present - comment: FQDN of the external VIP - internal_api: - name: "%{hiera('cloud_name_internal_api')}" - ip: "%{hiera('internal_api_virtual_ip')}" - ensure: present - comment: FQDN of the internal api VIP - storage: - name: "%{hiera('cloud_name_storage')}" - ip: "%{hiera('storage_virtual_ip')}" - ensure: present - comment: FQDN of the storage VIP - storage_mgmt: - name: "%{hiera('cloud_name_storage_mgmt')}" - ip: "%{hiera('storage_mgmt_virtual_ip')}" - ensure: present - comment: FQDN of the storage mgmt VIP - ctlplane: - name: "%{hiera('cloud_name_ctlplane')}" - ip: "%{hiera('controller_virtual_ip')}" - ensure: present - comment: FQDN of the ctlplane VIP - step_config: | - include ::tripleo::vip_hosts |