Diffstat (limited to 'puppet/services')
-rw-r--r-- | puppet/services/ceilometer-base.yaml | 10 | ||||
-rw-r--r-- | puppet/services/ceilometer-collector.yaml | 13 | ||||
-rw-r--r-- | puppet/services/database/mysql-client.yaml | 6 | ||||
-rw-r--r-- | puppet/services/gnocchi-base.yaml | 5 | ||||
-rw-r--r-- | puppet/services/nova-libvirt.yaml | 25 | ||||
-rw-r--r-- | puppet/services/snmp.yaml | 5 |
6 files changed, 58 insertions, 6 deletions
diff --git a/puppet/services/ceilometer-base.yaml b/puppet/services/ceilometer-base.yaml index 761e6bd6..6e909097 100644 --- a/puppet/services/ceilometer-base.yaml +++ b/puppet/services/ceilometer-base.yaml @@ -65,6 +65,14 @@ parameters: description: Whether to create or skip API endpoint. Set this to false, if you choose to disable Ceilometer API service. type: boolean + SnmpdReadonlyUserName: + default: ro_snmp_user + description: The user name for SNMPd with readonly rights running on all Overcloud nodes + type: string + SnmpdReadonlyUserPassword: + description: The user password for SNMPd with readonly rights running on all Overcloud nodes + type: string + hidden: true outputs: role_data: @@ -97,6 +105,8 @@ outputs: ceilometer::rabbit_port: {get_param: RabbitClientPort} ceilometer::rabbit_heartbeat_timeout_threshold: 60 ceilometer::telemetry_secret: {get_param: CeilometerMeteringSecret} + ceilometer::snmpd_readonly_username: {get_param: SnmpdReadonlyUserName} + ceilometer::snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword} service_config_settings: keystone: ceilometer_auth_enabled: true diff --git a/puppet/services/ceilometer-collector.yaml b/puppet/services/ceilometer-collector.yaml index dfc844be..111b3e8b 100644 --- a/puppet/services/ceilometer-collector.yaml +++ b/puppet/services/ceilometer-collector.yaml @@ -51,7 +51,16 @@ parameters: type: comma_delimited_list constraints: - allowed_values: ['panko', 'gnocchi', 'database'] - + CeilometerEventTTL: + default: '86400' + description: Number of seconds that events are kept in the database for + (<= 0 means forever) + type: string + CeilometerMeteringTTL: + default: '86400' + description: Number of seconds that samples are kept in the database for + (<= 0 means forever) + type: string resources: CeilometerServiceBase: type: ./ceilometer-base.yaml 
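Review bot: `SnmpdReadonlyUserName` and `SnmpdReadonlyUserPassword` in ceilometer-base.yaml are a second declaration of parameters that snmp.yaml already defines (its hunk in this commit shows the same password description as context), and nothing ties the two copies together. If the `ro_snmp_user` default or a description is changed in only one template, ceilometer would presumably be configured with a credential that snmpd does not accept. I would add a comment above the pair, `# Must stay identical to the declaration in puppet/services/snmp.yaml`. The password description should also say that the value is written into the ceilometer hieradata through `ceilometer::snmpd_readonly_user_password`, which the second hunk of this file adds. `hidden: true` is correctly carried over on the password.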
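Review bot: `CeilometerEventTTL` and `CeilometerMeteringTTL` in ceilometer-collector.yaml are declared `type: string` although they hold a number of seconds, so a non-numeric value passes template validation and is handed on to `ceilometer::event_time_to_live` / `ceilometer::metering_time_to_live`. `MetricProcessingDelay` in gnocchi-base.yaml, added by this same commit, uses `type: number`; the same fits here as `type: number` with `default: 86400`. The descriptions should also state that the default discards events and samples after one day, because anyone relying on these records for audit or incident review has to raise the value or set it to 0 or less.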
@@ -91,6 +100,8 @@ outputs: - '/ceilometer' - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' ceilometer_backend: {get_param: CeilometerBackend} + ceilometer::event_time_to_live: {get_param: CeilometerEventTTL} + ceilometer::metering_time_to_live: {get_param: CeilometerMeteringTTL} # we include db_sync class in puppet-tripleo ceilometer::db::sync_db: false ceilometer::db::database_db_max_retries: -1 diff --git a/puppet/services/database/mysql-client.yaml b/puppet/services/database/mysql-client.yaml index 78456e28..b6bd060e 100644 --- a/puppet/services/database/mysql-client.yaml +++ b/puppet/services/database/mysql-client.yaml @@ -21,6 +21,11 @@ parameters: EnableInternalTLS: type: boolean default: false + InternalTLSCAFile: + default: '/etc/ipa/ca.crt' + type: string + description: Specifies the default CA cert to use if TLS is used for + services in the internal network. outputs: role_data: @@ -30,5 +35,6 @@ outputs: config_settings: tripleo::profile::base::database::mysql::client::mysql_client_bind_address: {get_param: [ServiceNetMap, MysqlNetwork]} tripleo::profile::base::database::mysql::client::enable_ssl: {get_param: EnableInternalTLS} + tripleo::profile::base::database::mysql::client::ssl_ca: {get_param: InternalTLSCAFile} step_config: | include ::tripleo::profile::base::database::mysql::client diff --git a/puppet/services/gnocchi-base.yaml b/puppet/services/gnocchi-base.yaml index dc6daece..24f4157b 100644 --- a/puppet/services/gnocchi-base.yaml +++ b/puppet/services/gnocchi-base.yaml @@ -22,6 +22,10 @@ parameters: default: 'mysql' description: The short name of the Gnocchi indexer backend to use. type: string + MetricProcessingDelay: + default: 60 + description: Delay between processing metrics. + type: number GnocchiPassword: description: The password for the gnocchi service and db account. type: string 
@@ -65,6 +69,7 @@ outputs: - '/gnocchi' - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' gnocchi::db::sync::extra_opts: '--skip-storage' + gnocchi::storage::metric_processing_delay: {get_param: MetricProcessingDelay} gnocchi::storage::swift::swift_user: 'service:gnocchi' gnocchi::storage::swift::swift_auth_version: 3 gnocchi::storage::swift::swift_key: {get_param: GnocchiPassword} diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml index 21a5e78a..c3e6f4e4 100644 --- a/puppet/services/nova-libvirt.yaml +++ b/puppet/services/nova-libvirt.yaml @@ -41,16 +41,23 @@ parameters: description: If set to true and if EnableInternalTLS is enabled, it will set the libvirt URI's transport to tls and configure the relevant keys for libvirt. + InternalTLSCAFile: + default: '/etc/ipa/ca.crt' + type: string + description: Specifies the default CA cert to use if TLS is used for + services in the internal network. LibvirtCACert: type: string - default: '/etc/ipa/ca.crt' + default: '' description: This specifies the CA certificate to use for TLS in libvirt. This file will be symlinked to the default CA path in libvirt, which is /etc/pki/CA/cacert.pem. Note that due to limitations GNU TLS, which is the TLS backend for libvirt, the file must - be less than 65K (so we can't use the system's CA bundle). The - current default reflects TripleO's default CA, which is - FreeIPA. It will only be used if internal TLS is enabled. + be less than 65K (so we can't use the system's CA bundle). + This parameter should be used if the default (which comes from + the InternalTLSCAFile parameter) is not desired. The current + default reflects TripleO's default CA, which is FreeIPA. + It will only be used if internal TLS is enabled. conditions: @@ -63,6 +70,11 @@ conditions: - {get_param: UseTLSTransportForLiveMigration} - true + libvirt_specific_ca_unset: + equals: + - {get_param: LibvirtCACert} + - '' + resources: NovaBase: type: ./nova-base.yaml 
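Review bot: The `LibvirtCACert` description in nova-libvirt.yaml still ends with "The current default reflects TripleO's default CA, which is FreeIPA", but the default of this parameter is now `''`; that sentence describes `InternalTLSCAFile`, not this parameter. I would reword it to something like `When left empty, the file named by InternalTLSCAFile is used (by default /etc/ipa/ca.crt, FreeIPA's CA).` The GnuTLS size limit stated here (less than 65K) also applies to whichever file the `if:` in the later outputs hunk selects. The new `InternalTLSCAFile` description should therefore carry the same caveat, otherwise an operator who points it at a large CA bundle for the other internal services gets a libvirt TLS setup that, per this description, the backend cannot load.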
@@ -113,7 +125,10 @@ outputs: params: $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} tripleo::certmonger::ca::libvirt::origin_ca_pem: - get_param: LibvirtCACert + if: + - libvirt_specific_ca_unset + - get_param: InternalTLSCAFile + - get_param: LibvirtCACert tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt' tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private' libvirt_certificates_specs: diff --git a/puppet/services/snmp.yaml b/puppet/services/snmp.yaml index 80c29f95..072ccc1a 100644 --- a/puppet/services/snmp.yaml +++ b/puppet/services/snmp.yaml @@ -28,6 +28,10 @@ parameters: description: The user password for SNMPd with readonly rights running on all Overcloud nodes type: string hidden: true + SnmpdBindHost: + description: An array of bind host addresses on which SNMP daemon will listen. + type: comma_delimited_list + default: ['udp:161','udp6:[::1]:161'] outputs: role_data: @@ -37,6 +41,7 @@ outputs: config_settings: tripleo::profile::base::snmp::snmpd_user: {get_param: SnmpdReadonlyUserName} tripleo::profile::base::snmp::snmpd_password: {get_param: SnmpdReadonlyUserPassword} + snmp::agentaddress: {get_param: SnmpdBindHost} tripleo.snmp.firewall_rules: '127 snmp': dport: 161 |
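Review bot: The `SnmpdBindHost` default `['udp:161','udp6:[::1]:161']` in snmp.yaml is asymmetric: `udp:161` names no address, so snmpd listens on every IPv4 interface of the node, while the IPv6 listener is restricted to loopback. Exposure on IPv4 then depends entirely on the `'127 snmp'` firewall rule, whose source restrictions are outside the hunk. Consider defaulting to the address of the network SNMP is meant to be polled on, or at least say so in the description, e.g. `description: List of addresses the SNMP daemon listens on; the default binds all IPv4 interfaces and only loopback on IPv6.` The description also calls the value an array although the type is `comma_delimited_list`.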