summaryrefslogtreecommitdiffstats
path: root/puppet
diff options
context:
space:
mode:
Diffstat (limited to 'puppet')
-rw-r--r--puppet/major_upgrade_steps.j2.yaml225
-rw-r--r--puppet/post-upgrade.j2.yaml30
-rw-r--r--puppet/post.j2.yaml31
-rw-r--r--puppet/puppet-steps.j2156
-rw-r--r--puppet/services/database/mongodb.yaml6
5 files changed, 6 insertions, 442 deletions
diff --git a/puppet/major_upgrade_steps.j2.yaml b/puppet/major_upgrade_steps.j2.yaml
deleted file mode 100644
index 11113eec..00000000
--- a/puppet/major_upgrade_steps.j2.yaml
+++ /dev/null
@@ -1,225 +0,0 @@
-{% set enabled_roles = roles|rejectattr('disable_upgrade_deployment')|list -%}
-{% set batch_upgrade_steps_max = 3 -%}
-{% set upgrade_steps_max = 6 -%}
-{% set deliver_script = {'deliver': False} -%}
-heat_template_version: pike
-description: 'Upgrade steps for all roles'
-
-parameters:
- servers:
- type: json
- stack_name:
- type: string
- description: Name of the topmost stack
- role_data:
- type: json
- description: Mapping of Role name e.g Controller to the per-role data
- ctlplane_service_ips:
- type: json
- UpdateIdentifier:
- type: string
- default: ''
- description: >
- Setting to a previously unused value during stack-update will trigger
- the Upgrade resources to re-run on all roles.
- EndpointMap:
- default: {}
- description: Mapping of service endpoint -> protocol. Typically set
- via parameter_defaults in the resource registry.
- type: json
- KeystoneRegion:
- type: string
- default: 'regionOne'
- description: Keystone region for endpoint
- NovaPassword:
- description: The password for the nova service and db account
- type: string
- hidden: true
-
-resources:
-
-{% for role in roles if role.disable_upgrade_deployment|default(false) %}
- {{role.name}}DeliverUpgradeScriptConfig:
- type: OS::Heat::SoftwareConfig
- properties:
- group: script
- config:
- list_join:
- - ''
- - - "#!/bin/bash\n\n"
- - "set -eu\n\n"
- - str_replace:
- template: |
- ROLE='ROLE_NAME'
- params:
- ROLE_NAME: {{role.name}}
- - get_file: ../extraconfig/tasks/pacemaker_common_functions.sh
- - get_file: ../extraconfig/tasks/run_puppet.sh
- - get_file: ../extraconfig/tasks/tripleo_upgrade_node.sh
-
- {{role.name}}DeliverUpgradeScriptDeployment:
- type: OS::Heat::SoftwareDeploymentGroup
- properties:
- servers: {get_param: [servers, {{role.name}}]}
- config: {get_resource: {{role.name}}DeliverUpgradeScriptConfig}
-{% endfor %}
-
-# Upgrade Steps for all roles, batched updates
-# The UpgradeConfig resources could actually be created without
-# serialization, but the event output is easier to follow if we
-# do, and there should be minimal performance hit (creating the
-# config is cheap compared to the time to apply the deployment).
-{% for step in range(0, batch_upgrade_steps_max) %}
- # Batch config resources step {{step}}
- {%- for role in roles %}
- {{role.name}}UpgradeBatchConfig_Step{{step}}:
- type: OS::TripleO::UpgradeConfig
- {%- if step > 0 %}
- depends_on:
- {%- for role_inside in enabled_roles %}
- - {{role_inside.name}}UpgradeBatch_Step{{step -1}}
- {%- endfor %}
- {% else %}
- {% for role in roles if role.disable_upgrade_deployment|default(false) %}
- {% if deliver_script.update({'deliver': True}) %} {% endif %}
- {% endfor %}
- {% if deliver_script.deliver %}
- depends_on:
- {% for dep in roles if dep.disable_upgrade_deployment|default(false) %}
- - {{dep.name}}DeliverUpgradeScriptDeployment
- {% endfor %}
- {% endif %}
- {% endif %}
- properties:
- UpgradeStepConfig: {get_param: [role_data, {{role.name}}, upgrade_batch_tasks]}
- step: {{step}}
- {%- endfor %}
-
- # Batch deployment resources for step {{step}} (only for enabled roles)
- {%- for role in enabled_roles %}
- {{role.name}}UpgradeBatch_Step{{step}}:
- type: OS::Heat::SoftwareDeploymentGroup
- {%- if step > 0 %}
- depends_on:
- {%- for role_inside in enabled_roles %}
- - {{role_inside.name}}UpgradeBatch_Step{{step -1}}
- {%- endfor %}
- {% else %}
- {% for role in roles if role.disable_upgrade_deployment|default(false) %}
- {% if deliver_script.update({'deliver': True}) %} {% endif %}
- {% endfor %}
- {% if deliver_script.deliver %}
- depends_on:
- {% for dep in roles if dep.disable_upgrade_deployment|default(false) %}
- - {{dep.name}}DeliverUpgradeScriptDeployment
- {% endfor %}
- {% endif %}
- {% endif %}
- update_policy:
- batch_create:
- max_batch_size: {{role.upgrade_batch_size|default(1)}}
- rolling_update:
- max_batch_size: {{role.upgrade_batch_size|default(1)}}
- properties:
- servers: {get_param: [servers, {{role.name}}]}
- config: {get_resource: {{role.name}}UpgradeBatchConfig_Step{{step}}}
- input_values:
- role: {{role.name}}
- update_identifier: {get_param: UpdateIdentifier}
- {%- endfor %}
-{%- endfor %}
-
-# Dump the puppet manifests to be apply later when disable_upgrade_deployment
-# is to true
-{% for role in roles if role.disable_upgrade_deployment|default(false) %}
- {{role.name}}DeliverPuppetConfig:
- type: OS::Heat::SoftwareConfig
- properties:
- group: script
- config:
- list_join:
- - ''
- - - str_replace:
- template: |
- #!/bin/bash
- cat > /root/{{role.name}}_puppet_config.pp << ENDOFCAT
- PUPPET_CLASSES
- ENDOFCAT
- params:
- PUPPET_CLASSES: {get_param: [role_data, {{role.name}}, step_config]}
-
- {{role.name}}DeliverPuppetDeployment:
- type: OS::Heat::SoftwareDeploymentGroup
- properties:
- servers: {get_param: [servers, {{role.name}}]}
- config: {get_resource: {{role.name}}DeliverPuppetConfig}
-{% endfor %}
-
-# Upgrade Steps for all roles
-{%- for step in range(0, upgrade_steps_max) %}
- # Config resources for step {{step}}
- {%- for role in roles %}
- {{role.name}}UpgradeConfig_Step{{step}}:
- type: OS::TripleO::UpgradeConfig
- # The UpgradeConfig resources could actually be created without
- # serialization, but the event output is easier to follow if we
- # do, and there should be minimal performance hit (creating the
- # config is cheap compared to the time to apply the deployment).
- depends_on:
- {%- for role_inside in enabled_roles %}
- {%- if step > 0 %}
- - {{role_inside.name}}Upgrade_Step{{step -1}}
- {%- else %}
- - {{role_inside.name}}UpgradeBatch_Step{{batch_upgrade_steps_max -1}}
- {%- endif %}
- {%- endfor %}
- properties:
- UpgradeStepConfig: {get_param: [role_data, {{role.name}}, upgrade_tasks]}
- step: {{step}}
- {%- endfor %}
-
- # Deployment resources for step {{step}} (only for enabled roles)
- {%- for role in enabled_roles %}
- {{role.name}}Upgrade_Step{{step}}:
- type: OS::Heat::SoftwareDeploymentGroup
- depends_on:
- {%- for role_inside in enabled_roles %}
- {%- if step > 0 %}
- - {{role_inside.name}}Upgrade_Step{{step -1}}
- {%- else %}
- - {{role_inside.name}}UpgradeBatch_Step{{batch_upgrade_steps_max -1}}
- {%- endif %}
- {%- endfor %}
- properties:
- servers: {get_param: [servers, {{role.name}}]}
- config: {get_resource: {{role.name}}UpgradeConfig_Step{{step}}}
- input_values:
- role: {{role.name}}
- update_identifier: {get_param: UpdateIdentifier}
- {%- endfor %}
-{%- endfor %}
-
- # Post upgrade deployment steps for all roles
- # This runs the normal configuration (e.g puppet) steps unless upgrade
- # is disabled for the role
- AllNodesPostUpgradeSteps:
- type: OS::TripleO::PostUpgradeSteps
- depends_on:
-{%- for dep in enabled_roles %}
- - {{dep.name}}Upgrade_Step{{upgrade_steps_max - 1}}
-{%- endfor %}
- properties:
- servers: {get_param: servers}
- stack_name: {get_param: stack_name}
- role_data: {get_param: role_data}
- ctlplane_service_ips: {get_param: ctlplane_service_ips}
-
-outputs:
- # Output the config for each role, just use Step1 as the config should be
- # the same for all steps (only the tag provided differs)
- upgrade_configs:
- description: The per-role upgrade configuration used
- value:
-{% for role in roles %}
- {{role.name.lower()}}: {get_attr: [{{role.name}}UpgradeConfig_Step1, upgrade_config]}
-{% endfor %}
diff --git a/puppet/post-upgrade.j2.yaml b/puppet/post-upgrade.j2.yaml
deleted file mode 100644
index bdd1e613..00000000
--- a/puppet/post-upgrade.j2.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-heat_template_version: pike
-
-description: >
- Post-upgrade configuration steps via puppet for all roles
- where upgrade is not disabled as defined in ../roles_data.yaml
-
-parameters:
- servers:
- type: json
- description: Mapping of Role name e.g Controller to a list of servers
- stack_name:
- type: string
- description: Name of the topmost stack
- role_data:
- type: json
- description: Mapping of Role name e.g Controller to the per-role data
- DeployIdentifier:
- default: ''
- type: string
- description: >
- Setting this to a unique value will re-run any deployment tasks which
- perform configuration on a Heat stack-update.
- ctlplane_service_ips:
- type: json
-
-resources:
-# Note the include here is the same as post.j2.yaml but the data used at
-# the time of rendering is different if any roles disable upgrades
-{% set roles = roles|rejectattr('disable_upgrade_deployment')|list -%}
-{% include 'puppet-steps.j2' %}
diff --git a/puppet/post.j2.yaml b/puppet/post.j2.yaml
deleted file mode 100644
index 67e1ecfd..00000000
--- a/puppet/post.j2.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-heat_template_version: pike
-
-description: >
- Post-deploy configuration steps via puppet for all roles,
- as defined in ../roles_data.yaml
-
-parameters:
- servers:
- type: json
- description: Mapping of Role name e.g Controller to a list of servers
- stack_name:
- type: string
- description: Name of the topmost stack
- role_data:
- type: json
- description: Mapping of Role name e.g Controller to the per-role data
- EndpointMap:
- default: {}
- description: Mapping of service endpoint -> protocol. Typically set
- via parameter_defaults in the resource registry.
- type: json
- DeployIdentifier:
- default: ''
- type: string
- description: >
- Setting this to a unique value will re-run any deployment tasks which
- perform configuration on a Heat stack-update.
- ctlplane_service_ips:
- type: json
-
-{% include 'puppet-steps.j2' %}
diff --git a/puppet/puppet-steps.j2 b/puppet/puppet-steps.j2
deleted file mode 100644
index f7651a57..00000000
--- a/puppet/puppet-steps.j2
+++ /dev/null
@@ -1,156 +0,0 @@
-{% set deploy_steps_max = 6 %}
-conditions:
-{% for step in range(1, deploy_steps_max) %}
- WorkflowTasks_Step{{step}}_Enabled:
- or:
- {%- for role in roles %}
- - not:
- equals:
- - get_param: [role_data, {{role.name}}, service_workflow_tasks, step{{step}}]
- - ''
- - False
- {%- endfor %}
-{% endfor %}
-
-resources:
- # Post deployment steps for all roles
- # A single config is re-applied with an incrementing step number
-{% for role in roles %}
- # {{role.name}} Role post-deploy steps
- {{role.name}}ArtifactsConfig:
- type: deploy-artifacts.yaml
-
- {{role.name}}ArtifactsDeploy:
- type: OS::Heat::StructuredDeployments
- properties:
- name: {{role.name}}ArtifactsDeploy
- servers: {get_param: [servers, {{role.name}}]}
- config: {get_resource: {{role.name}}ArtifactsConfig}
-
- {{role.name}}PreConfig:
- type: OS::TripleO::Tasks::{{role.name}}PreConfig
- properties:
- servers: {get_param: [servers, {{role.name}}]}
- input_values:
- update_identifier: {get_param: DeployIdentifier}
-
- {{role.name}}Config:
- type: OS::TripleO::{{role.name}}Config
- properties:
- StepConfig: {get_param: [role_data, {{role.name}}, step_config]}
-
- # Step through a series of configuration steps
-{% for step in range(1, deploy_steps_max) %}
- {{role.name}}Deployment_Step{{step}}:
- type: OS::Heat::StructuredDeploymentGroup
- depends_on:
- - WorkflowTasks_Step{{step}}_Execution
- # TODO(gfidente): the following if/else condition
- # replicates what is already defined for the
- # WorkflowTasks_StepX resource and can be remove
- # if https://bugs.launchpad.net/heat/+bug/1700569
- # is fixed.
- {%- if step == 1 %}
- {%- for dep in roles %}
- - {{dep.name}}PreConfig
- - {{dep.name}}ArtifactsDeploy
- {%- endfor %}
- {%- else %}
- {%- for dep in roles %}
- - {{dep.name}}Deployment_Step{{step -1}}
- {%- endfor %}
- {%- endif %}
- properties:
- name: {{role.name}}Deployment_Step{{step}}
- servers: {get_param: [servers, {{role.name}}]}
- config: {get_resource: {{role.name}}Config}
- input_values:
- step: {{step}}
- update_identifier: {get_param: DeployIdentifier}
-{% endfor %}
-
- # Note, this should be the last step to execute configuration changes.
- # Ensure that all {{role.name}}ExtraConfigPost steps are executed
- # after all the previous deployment steps.
- {{role.name}}ExtraConfigPost:
- depends_on:
- {%- for dep in roles %}
- - {{dep.name}}Deployment_Step5
- {%- endfor %}
- type: OS::TripleO::NodeExtraConfigPost
- properties:
- servers: {get_param: [servers, {{role.name}}]}
-
- # The {{role.name}}PostConfig steps are in charge of
- # quiescing all services, i.e. in the Controller case,
- # we should run a full service reload.
- {{role.name}}PostConfig:
- type: OS::TripleO::Tasks::{{role.name}}PostConfig
- depends_on:
- {%- for dep in roles %}
- - {{dep.name}}ExtraConfigPost
- {%- endfor %}
- properties:
- servers: {get_param: servers}
- input_values:
- update_identifier: {get_param: DeployIdentifier}
-
-
-{% endfor %}
-
-# BEGIN service_workflow_tasks handling
-{% for step in range(1, deploy_steps_max) %}
- WorkflowTasks_Step{{step}}:
- type: OS::Mistral::Workflow
- condition: WorkflowTasks_Step{{step}}_Enabled
- depends_on:
- {%- if step == 1 %}
- {%- for dep in roles %}
- - {{dep.name}}PreConfig
- - {{dep.name}}ArtifactsDeploy
- {%- endfor %}
- {%- else %}
- {%- for dep in roles %}
- - {{dep.name}}Deployment_Step{{step -1}}
- {%- endfor %}
- {%- endif %}
- properties:
- name: {list_join: [".", ["tripleo", {get_param: stack_name}, "workflowtasks", "step{{step}}"]]}
- type: direct
- tasks:
- yaql:
- expression: $.data.where($ != '').select($.get('step{{step}}')).where($ != null).flatten()
- data:
- {%- for role in roles %}
- - get_param: [role_data, {{role.name}}, service_workflow_tasks]
- {%- endfor %}
-
- WorkflowTasks_Step{{step}}_Execution:
- type: OS::Mistral::ExternalResource
- condition: WorkflowTasks_Step{{step}}_Enabled
- depends_on: WorkflowTasks_Step{{step}}
- properties:
- actions:
- CREATE:
- workflow: { get_resource: WorkflowTasks_Step{{step}} }
- params:
- env:
- service_ips: { get_param: ctlplane_service_ips }
- role_merged_configs:
- {%- for r in roles %}
- {{r.name}}: {get_param: [role_data, {{r.name}}, merged_config_settings]}
- {%- endfor %}
- evaluate_env: false
- UPDATE:
- workflow: { get_resource: WorkflowTasks_Step{{step}} }
- params:
- env:
- service_ips: { get_param: ctlplane_service_ips }
- role_merged_configs:
- {%- for r in roles %}
- {{r.name}}: {get_param: [role_data, {{r.name}}, merged_config_settings]}
- {%- endfor %}
- evaluate_env: false
- always_update: true
-{% endfor %}
-# END service_workflow_tasks handling
diff --git a/puppet/services/database/mongodb.yaml b/puppet/services/database/mongodb.yaml
index 04f34e24..dcead0f7 100644
--- a/puppet/services/database/mongodb.yaml
+++ b/puppet/services/database/mongodb.yaml
@@ -47,6 +47,11 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
conditions:
@@ -98,6 +103,7 @@ outputs:
generate_service_certificates: true
mongodb::server::ssl: true
mongodb::server::ssl_key: '/etc/pki/tls/certs/mongodb.pem'
+ mongodb::server::ssl_ca: {get_param: InternalTLSCAFile}
mongodb_certificate_specs:
service_pem: '/etc/pki/tls/certs/mongodb.pem'
service_certificate: '/etc/pki/tls/certs/mongodb.crt'