Diffstat (limited to 'puppet')
-rw-r--r-- | puppet/major_upgrade_steps.j2.yaml | 225 | ||||
-rw-r--r-- | puppet/post-upgrade.j2.yaml | 30 | ||||
-rw-r--r-- | puppet/post.j2.yaml | 31 | ||||
-rw-r--r-- | puppet/puppet-steps.j2 | 156 | ||||
-rw-r--r-- | puppet/services/database/mongodb.yaml | 6 |
5 files changed, 6 insertions, 442 deletions
diff --git a/puppet/major_upgrade_steps.j2.yaml b/puppet/major_upgrade_steps.j2.yaml
deleted file mode 100644
index 11113eec..00000000
--- a/puppet/major_upgrade_steps.j2.yaml
+++ /dev/null
@@ -1,225 +0,0 @@ -{% set enabled_roles = roles|rejectattr('disable_upgrade_deployment')|list -%} -{% set batch_upgrade_steps_max = 3 -%} -{% set upgrade_steps_max = 6 -%} -{% set deliver_script = {'deliver': False} -%} -heat_template_version: pike -description: 'Upgrade steps for all roles' - -parameters: - servers: - type: json - stack_name: - type: string - description: Name of the topmost stack - role_data: - type: json - description: Mapping of Role name e.g Controller to the per-role data - ctlplane_service_ips: - type: json - UpdateIdentifier: - type: string - default: '' - description: > - Setting to a previously unused value during stack-update will trigger - the Upgrade resources to re-run on all roles. - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - KeystoneRegion: - type: string - default: 'regionOne' - description: Keystone region for endpoint - NovaPassword: - description: The password for the nova service and db account - type: string - hidden: true - -resources: - -{% for role in roles if role.disable_upgrade_deployment|default(false) %} - {{role.name}}DeliverUpgradeScriptConfig: - type: OS::Heat::SoftwareConfig - properties: - group: script - config: - list_join: - - '' - - - "#!/bin/bash\n\n" - - "set -eu\n\n" - - str_replace: - template: | - ROLE='ROLE_NAME' - params: - ROLE_NAME: {{role.name}} - - get_file: ../extraconfig/tasks/pacemaker_common_functions.sh - - get_file: ../extraconfig/tasks/run_puppet.sh - - get_file: ../extraconfig/tasks/tripleo_upgrade_node.sh - - {{role.name}}DeliverUpgradeScriptDeployment: - type: OS::Heat::SoftwareDeploymentGroup - properties: - servers: {get_param: [servers, {{role.name}}]} - config: {get_resource: {{role.name}}DeliverUpgradeScriptConfig} -{% endfor %} - -# Upgrade Steps for all roles, batched updates -# The UpgradeConfig resources could actually be created without -# serialization, but the 
event output is easier to follow if we -# do, and there should be minimal performance hit (creating the -# config is cheap compared to the time to apply the deployment). -{% for step in range(0, batch_upgrade_steps_max) %} - # Batch config resources step {{step}} - {%- for role in roles %} - {{role.name}}UpgradeBatchConfig_Step{{step}}: - type: OS::TripleO::UpgradeConfig - {%- if step > 0 %} - depends_on: - {%- for role_inside in enabled_roles %} - - {{role_inside.name}}UpgradeBatch_Step{{step -1}} - {%- endfor %} - {% else %} - {% for role in roles if role.disable_upgrade_deployment|default(false) %} - {% if deliver_script.update({'deliver': True}) %} {% endif %} - {% endfor %} - {% if deliver_script.deliver %} - depends_on: - {% for dep in roles if dep.disable_upgrade_deployment|default(false) %} - - {{dep.name}}DeliverUpgradeScriptDeployment - {% endfor %} - {% endif %} - {% endif %} - properties: - UpgradeStepConfig: {get_param: [role_data, {{role.name}}, upgrade_batch_tasks]} - step: {{step}} - {%- endfor %} - - # Batch deployment resources for step {{step}} (only for enabled roles) - {%- for role in enabled_roles %} - {{role.name}}UpgradeBatch_Step{{step}}: - type: OS::Heat::SoftwareDeploymentGroup - {%- if step > 0 %} - depends_on: - {%- for role_inside in enabled_roles %} - - {{role_inside.name}}UpgradeBatch_Step{{step -1}} - {%- endfor %} - {% else %} - {% for role in roles if role.disable_upgrade_deployment|default(false) %} - {% if deliver_script.update({'deliver': True}) %} {% endif %} - {% endfor %} - {% if deliver_script.deliver %} - depends_on: - {% for dep in roles if dep.disable_upgrade_deployment|default(false) %} - - {{dep.name}}DeliverUpgradeScriptDeployment - {% endfor %} - {% endif %} - {% endif %} - update_policy: - batch_create: - max_batch_size: {{role.upgrade_batch_size|default(1)}} - rolling_update: - max_batch_size: {{role.upgrade_batch_size|default(1)}} - properties: - servers: {get_param: [servers, {{role.name}}]} - config: 
{get_resource: {{role.name}}UpgradeBatchConfig_Step{{step}}} - input_values: - role: {{role.name}} - update_identifier: {get_param: UpdateIdentifier} - {%- endfor %} -{%- endfor %} - -# Dump the puppet manifests to be apply later when disable_upgrade_deployment -# is to true -{% for role in roles if role.disable_upgrade_deployment|default(false) %} - {{role.name}}DeliverPuppetConfig: - type: OS::Heat::SoftwareConfig - properties: - group: script - config: - list_join: - - '' - - - str_replace: - template: | - #!/bin/bash - cat > /root/{{role.name}}_puppet_config.pp << ENDOFCAT - PUPPET_CLASSES - ENDOFCAT - params: - PUPPET_CLASSES: {get_param: [role_data, {{role.name}}, step_config]} - - {{role.name}}DeliverPuppetDeployment: - type: OS::Heat::SoftwareDeploymentGroup - properties: - servers: {get_param: [servers, {{role.name}}]} - config: {get_resource: {{role.name}}DeliverPuppetConfig} -{% endfor %} - -# Upgrade Steps for all roles -{%- for step in range(0, upgrade_steps_max) %} - # Config resources for step {{step}} - {%- for role in roles %} - {{role.name}}UpgradeConfig_Step{{step}}: - type: OS::TripleO::UpgradeConfig - # The UpgradeConfig resources could actually be created without - # serialization, but the event output is easier to follow if we - # do, and there should be minimal performance hit (creating the - # config is cheap compared to the time to apply the deployment). 
- depends_on: - {%- for role_inside in enabled_roles %} - {%- if step > 0 %} - - {{role_inside.name}}Upgrade_Step{{step -1}} - {%- else %} - - {{role_inside.name}}UpgradeBatch_Step{{batch_upgrade_steps_max -1}} - {%- endif %} - {%- endfor %} - properties: - UpgradeStepConfig: {get_param: [role_data, {{role.name}}, upgrade_tasks]} - step: {{step}} - {%- endfor %} - - # Deployment resources for step {{step}} (only for enabled roles) - {%- for role in enabled_roles %} - {{role.name}}Upgrade_Step{{step}}: - type: OS::Heat::SoftwareDeploymentGroup - depends_on: - {%- for role_inside in enabled_roles %} - {%- if step > 0 %} - - {{role_inside.name}}Upgrade_Step{{step -1}} - {%- else %} - - {{role_inside.name}}UpgradeBatch_Step{{batch_upgrade_steps_max -1}} - {%- endif %} - {%- endfor %} - properties: - servers: {get_param: [servers, {{role.name}}]} - config: {get_resource: {{role.name}}UpgradeConfig_Step{{step}}} - input_values: - role: {{role.name}} - update_identifier: {get_param: UpdateIdentifier} - {%- endfor %} -{%- endfor %} - - # Post upgrade deployment steps for all roles - # This runs the normal configuration (e.g puppet) steps unless upgrade - # is disabled for the role - AllNodesPostUpgradeSteps: - type: OS::TripleO::PostUpgradeSteps - depends_on: -{%- for dep in enabled_roles %} - - {{dep.name}}Upgrade_Step{{upgrade_steps_max - 1}} -{%- endfor %} - properties: - servers: {get_param: servers} - stack_name: {get_param: stack_name} - role_data: {get_param: role_data} - ctlplane_service_ips: {get_param: ctlplane_service_ips} - -outputs: - # Output the config for each role, just use Step1 as the config should be - # the same for all steps (only the tag provided differs) - upgrade_configs: - description: The per-role upgrade configuration used - value: -{% for role in roles %} - {{role.name.lower()}}: {get_attr: [{{role.name}}UpgradeConfig_Step1, upgrade_config]} -{% endfor %} 
diff --git a/puppet/post-upgrade.j2.yaml b/puppet/post-upgrade.j2.yaml
deleted file mode 100644
index bdd1e613..00000000
--- a/puppet/post-upgrade.j2.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-heat_template_version: pike
-
-description: >
- Post-upgrade configuration steps via puppet for all roles
- where upgrade is not disabled as defined in ../roles_data.yaml
-
-parameters:
- servers:
- type: json
- description: Mapping of Role name e.g Controller to a list of servers
- stack_name:
- type: string
- description: Name of the topmost stack
- role_data:
- type: json
- description: Mapping of Role name e.g Controller to the per-role data
- DeployIdentifier:
- default: ''
- type: string
- description: >
- Setting this to a unique value will re-run any deployment tasks which
- perform configuration on a Heat stack-update.
- ctlplane_service_ips:
- type: json
-
-resources:
-# Note the include here is the same as post.j2.yaml but the data used at
-# the time of rendering is different if any roles disable upgrades
-{% set roles = roles|rejectattr('disable_upgrade_deployment')|list -%}
-{% include 'puppet-steps.j2' %}
diff --git a/puppet/post.j2.yaml b/puppet/post.j2.yaml
deleted file mode 100644
index 67e1ecfd..00000000
--- a/puppet/post.j2.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-heat_template_version: pike
-
-description: >
- Post-deploy configuration steps via puppet for all roles,
- as defined in ../roles_data.yaml
-
-parameters:
- servers:
- type: json
- description: Mapping of Role name e.g Controller to a list of servers
- stack_name:
- type: string
- description: Name of the topmost stack
- role_data:
- type: json
- description: Mapping of Role name e.g Controller to the per-role data
- EndpointMap:
- default: {}
- description: Mapping of service endpoint -> protocol. Typically set
- via parameter_defaults in the resource registry.
- type: json
- DeployIdentifier:
- default: ''
- type: string
- description: >
- Setting this to a unique value will re-run any deployment tasks which
- perform configuration on a Heat stack-update.
- ctlplane_service_ips:
- type: json
-
-{% include 'puppet-steps.j2' %}
diff --git a/puppet/puppet-steps.j2 b/puppet/puppet-steps.j2
deleted file mode 100644
index f7651a57..00000000
--- a/puppet/puppet-steps.j2
+++ /dev/null
@@ -1,156 +0,0 @@ -{% set deploy_steps_max = 6 %} -conditions: -{% for step in range(1, deploy_steps_max) %} - WorkflowTasks_Step{{step}}_Enabled: - or: - {%- for role in roles %} - - not: - equals: - - get_param: [role_data, {{role.name}}, service_workflow_tasks, step{{step}}] - - '' - - False - {%- endfor %} -{% endfor %} - -resources: - # Post deployment steps for all roles - # A single config is re-applied with an incrementing step number -{% for role in roles %} - # {{role.name}} Role post-deploy steps - {{role.name}}ArtifactsConfig: - type: deploy-artifacts.yaml - - {{role.name}}ArtifactsDeploy: - type: OS::Heat::StructuredDeployments - properties: - name: {{role.name}}ArtifactsDeploy - servers: {get_param: [servers, {{role.name}}]} - config: {get_resource: {{role.name}}ArtifactsConfig} - - {{role.name}}PreConfig: - type: OS::TripleO::Tasks::{{role.name}}PreConfig - properties: - servers: {get_param: [servers, {{role.name}}]} - input_values: - update_identifier: {get_param: DeployIdentifier} - - {{role.name}}Config: - type: OS::TripleO::{{role.name}}Config - properties: - StepConfig: {get_param: [role_data, {{role.name}}, step_config]} - - # Step through a series of configuration steps -{% for step in range(1, deploy_steps_max) %} - {{role.name}}Deployment_Step{{step}}: - type: OS::Heat::StructuredDeploymentGroup - depends_on: - - WorkflowTasks_Step{{step}}_Execution - # TODO(gfidente): the following if/else condition - # replicates what is already defined for the - # WorkflowTasks_StepX resource and can be remove - # if https://bugs.launchpad.net/heat/+bug/1700569 - # is fixed. 
- {%- if step == 1 %} - {%- for dep in roles %} - - {{dep.name}}PreConfig - - {{dep.name}}ArtifactsDeploy - {%- endfor %} - {%- else %} - {%- for dep in roles %} - - {{dep.name}}Deployment_Step{{step -1}} - {%- endfor %} - {%- endif %} - properties: - name: {{role.name}}Deployment_Step{{step}} - servers: {get_param: [servers, {{role.name}}]} - config: {get_resource: {{role.name}}Config} - input_values: - step: {{step}} - update_identifier: {get_param: DeployIdentifier} -{% endfor %} - - # Note, this should be the last step to execute configuration changes. - # Ensure that all {{role.name}}ExtraConfigPost steps are executed - # after all the previous deployment steps. - {{role.name}}ExtraConfigPost: - depends_on: - {%- for dep in roles %} - - {{dep.name}}Deployment_Step5 - {%- endfor %} - type: OS::TripleO::NodeExtraConfigPost - properties: - servers: {get_param: [servers, {{role.name}}]} - - # The {{role.name}}PostConfig steps are in charge of - # quiescing all services, i.e. in the Controller case, - # we should run a full service reload. 
- {{role.name}}PostConfig: - type: OS::TripleO::Tasks::{{role.name}}PostConfig - depends_on: - {%- for dep in roles %} - - {{dep.name}}ExtraConfigPost - {%- endfor %} - properties: - servers: {get_param: servers} - input_values: - update_identifier: {get_param: DeployIdentifier} - - -{% endfor %} - -# BEGIN service_workflow_tasks handling -{% for step in range(1, deploy_steps_max) %} - WorkflowTasks_Step{{step}}: - type: OS::Mistral::Workflow - condition: WorkflowTasks_Step{{step}}_Enabled - depends_on: - {%- if step == 1 %} - {%- for dep in roles %} - - {{dep.name}}PreConfig - - {{dep.name}}ArtifactsDeploy - {%- endfor %} - {%- else %} - {%- for dep in roles %} - - {{dep.name}}Deployment_Step{{step -1}} - {%- endfor %} - {%- endif %} - properties: - name: {list_join: [".", ["tripleo", {get_param: stack_name}, "workflowtasks", "step{{step}}"]]} - type: direct - tasks: - yaql: - expression: $.data.where($ != '').select($.get('step{{step}}')).where($ != null).flatten() - data: - {%- for role in roles %} - - get_param: [role_data, {{role.name}}, service_workflow_tasks] - {%- endfor %} - - WorkflowTasks_Step{{step}}_Execution: - type: OS::Mistral::ExternalResource - condition: WorkflowTasks_Step{{step}}_Enabled - depends_on: WorkflowTasks_Step{{step}} - properties: - actions: - CREATE: - workflow: { get_resource: WorkflowTasks_Step{{step}} } - params: - env: - service_ips: { get_param: ctlplane_service_ips } - role_merged_configs: - {%- for r in roles %} - {{r.name}}: {get_param: [role_data, {{r.name}}, merged_config_settings]} - {%- endfor %} - evaluate_env: false - UPDATE: - workflow: { get_resource: WorkflowTasks_Step{{step}} } - params: - env: - service_ips: { get_param: ctlplane_service_ips } - role_merged_configs: - {%- for r in roles %} - {{r.name}}: {get_param: [role_data, {{r.name}}, merged_config_settings]} - {%- endfor %} - evaluate_env: false - always_update: true -{% endfor %} -# END service_workflow_tasks handling 
diff --git a/puppet/services/database/mongodb.yaml b/puppet/services/database/mongodb.yaml
index 04f34e24..dcead0f7 100644
--- a/puppet/services/database/mongodb.yaml
+++ b/puppet/services/database/mongodb.yaml
@@ -47,6 +47,11 @@ parameters:
 EnableInternalTLS:
 type: boolean
 default: false
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
 conditions:
@@ -98,6 +103,7 @@ outputs:
 generate_service_certificates: true
 mongodb::server::ssl: true
 mongodb::server::ssl_key: '/etc/pki/tls/certs/mongodb.pem'
+ mongodb::server::ssl_ca: {get_param: InternalTLSCAFile}
 mongodb_certificate_specs:
 service_pem: '/etc/pki/tls/certs/mongodb.pem'
 service_certificate: '/etc/pki/tls/certs/mongodb.crt' |
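Review bot: The description on the new `InternalTLSCAFile` parameter does not say that the value is a file path on the deployed node, and the default `'/etc/ipa/ca.crt'` is the file an IPA client enrollment leaves behind, so it presumably will not exist on nodes whose internal TLS certificates come from another CA. I would reword it along the lines of `description: Path on the node to the CA certificate that issued the internal-network service certificates; override it when the CA is not IPA.` The keys are also ordered `default`, `type`, where `EnableInternalTLS` directly above uses `type`, `default`. The `parameters:` mapping starts above the hunk.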
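Review bot: Passing a CA file to mongod through `mongodb::server::ssl_ca` can change who is allowed to connect, and the hunk does not record whether that is intended. As far as I know, once mongod has a CA file and `net.ssl.allowConnectionsWithoutCertificates` is not enabled, it requires every client to present a certificate issued by that CA, so services that only verify the server side would be refused. If mutual TLS is the goal, a comment above the line such as `# CA that mongod uses to validate client certificates` would make that explicit; if it is not, the relaxed client-validation setting would need to be set alongside. The enclosing hieradata mapping and the condition that selects it start above the hunk.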