Diffstat (limited to 'puppet')
-rw-r--r-- | puppet/compute-role.yaml | 744 | ||||
-rw-r--r-- | puppet/controller-role.yaml | 782 | ||||
-rw-r--r-- | puppet/extraconfig/tls/tls-cert-inject.yaml | 1 | ||||
-rw-r--r-- | puppet/role.role.j2.yaml | 240 | ||||
-rw-r--r-- | puppet/services/database/mongodb.yaml | 6 | ||||
-rw-r--r-- | puppet/services/haproxy-internal-tls-certmonger.yaml | 30 | ||||
-rw-r--r-- | puppet/services/haproxy-public-tls-certmonger.yaml | 36 | ||||
-rw-r--r-- | puppet/services/haproxy.yaml | 26 | ||||
-rw-r--r-- | puppet/services/keystone.yaml | 4 | ||||
-rw-r--r-- | puppet/services/neutron-base.yaml | 7 | ||||
-rw-r--r-- | puppet/services/neutron-plugin-ml2-nuage.yaml | 99 | ||||
-rw-r--r-- | puppet/services/neutron-plugin-ml2.yaml | 5 | ||||
-rw-r--r-- | puppet/services/nova-compute.yaml | 5 | ||||
-rw-r--r-- | puppet/services/nova-libvirt.yaml | 5 |
14 files changed, 370 insertions, 1620 deletions
diff --git a/puppet/compute-role.yaml b/puppet/compute-role.yaml
deleted file mode 100644
index af45793e..00000000
--- a/puppet/compute-role.yaml
+++ /dev/null
@@ -1,744 +0,0 @@ -heat_template_version: pike - -description: > - OpenStack hypervisor node configured via Puppet. - -parameters: - ExtraConfig: - default: {} - description: | - Additional hiera configuration to inject into the cluster. Note - that NovaComputeExtraConfig takes precedence over ExtraConfig. - type: json - OvercloudComputeFlavor: - description: Flavor for the nova compute node - default: baremetal - type: string - constraints: - - custom_constraint: nova.flavor - NovaImage: - type: string - default: overcloud-full - constraints: - - custom_constraint: glance.image - ImageUpdatePolicy: - default: 'REBUILD_PRESERVE_EPHEMERAL' - description: What policy to use when reconstructing instances. REBUILD for rebuilds, REBUILD_PRESERVE_EPHEMERAL to preserve /mnt. - type: string - KeyName: - description: Name of an existing Nova key pair to enable SSH access to the instances - type: string - default: default - constraints: - - custom_constraint: nova.keypair - NeutronPhysicalBridge: - default: 'br-ex' - description: An OVS bridge to create for accessing external networks. - type: string - NeutronPublicInterface: - default: nic1 - description: Which interface to add to the NeutronPhysicalBridge. - type: string - NodeIndex: - type: number - default: 0 - NovaComputeExtraConfig: - default: {} - description: | - NovaCompute specific configuration to inject into the cluster. Same - structure as ExtraConfig. - type: json - NovaComputeIPs: - default: {} - type: json - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. 
- type: json - UpdateIdentifier: - default: '' - type: string - description: > - Setting to a previously unused value during stack-update will trigger - package update on all nodes - Hostname: - type: string - default: '' # Defaults to Heat created hostname - HostnameMap: - type: json - default: {} - description: Optional mapping to override hostnames - NetworkDeploymentActions: - type: comma_delimited_list - description: > - Heat action when to apply network configuration changes - default: ['CREATE'] - SoftwareConfigTransport: - default: POLL_SERVER_CFN - description: | - How the server should receive the metadata required for software configuration. - type: string - constraints: - - allowed_values: [POLL_SERVER_CFN, POLL_SERVER_HEAT, POLL_TEMP_URL, ZAQAR_MESSAGE] - CloudDomain: - default: 'localdomain' - type: string - description: > - The DNS domain used for the hosts. This must match the - overcloud_domain_name configured on the undercloud. - NovaComputeServerMetadata: - default: {} - description: > - Extra properties or metadata passed to Nova for the created nodes in - the overcloud. It's accessible via the Nova metadata API. This option is - role-specific and is merged with the values given to the ServerMetadata - parameter. - type: json - ServerMetadata: - default: {} - description: > - Extra properties or metadata passed to Nova for the created nodes in - the overcloud. It's accessible via the Nova metadata API. This applies to - all roles and is merged with a role-specific metadata parameter. 
- type: json - NovaComputeSchedulerHints: - type: json - description: Optional scheduler hints to pass to nova - default: {} - ServiceConfigSettings: - type: json - default: {} - ServiceNames: - type: comma_delimited_list - default: [] - MonitoringSubscriptions: - type: comma_delimited_list - default: [] - ServiceMetadataSettings: - type: json - default: {} - ConfigCommand: - type: string - description: Command which will be run whenever configuration data changes - default: os-refresh-config --timeout 14400 - ConfigCollectSplay: - type: number - default: 30 - description: | - Maximum amount of time to possibly to delay configuation collection - polling. Defaults to 30 seconds. Set to 0 to disable it which will cause - the configuration collection to occur as soon as the collection process - starts. This setting is used to prevent the configuration collection - processes from polling all at the exact same time. - UpgradeInitCommand: - type: string - description: | - Command or script snippet to run on all overcloud nodes to - initialize the upgrade process. E.g. a repository switch. - default: '' - UpgradeInitCommonCommand: - type: string - description: | - Common commands required by the upgrades process. This should not - normally be modified by the operator and is set and unset in the - major-upgrade-composable-steps.yaml and major-upgrade-converge.yaml - environment files. - default: '' - DeploymentServerBlacklistDict: - default: {} - type: json - description: > - Map of server hostnames to blacklist from any triggered - deployments. If the value is 1, the server will be blacklisted. This - parameter is generated from the parent template. - RoleParameters: - type: json - description: Parameters specific to the role - default: {} - DeploymentSwiftDataMap: - type: json - description: | - Map of servers to Swift container and object for storing deployment data. 
- The keys are the Heat assigned hostnames, and the value is a map of the - container/object name in Swift. Example value: - overcloud-controller-0: - container: overcloud-controller - object: 0 - overcloud-controller-1: - container: overcloud-controller - object: 1 - overcloud-controller-2: - container: overcloud-controller - object: 2 - overcloud-novacompute-0: - container: overcloud-compute - object: 0 - default: {} - -conditions: - deployment_swift_data_map_unset: - equals: - - get_param: - - DeploymentSwiftDataMap - - {get_param: Hostname} - - "" - server_not_blacklisted: - not: - equals: - - {get_param: [DeploymentServerBlacklistDict, {get_param: Hostname}]} - - 1 - -resources: - - NovaCompute: - type: OS::TripleO::ComputeServer - metadata: - os-collect-config: - command: {get_param: ConfigCommand} - splay: {get_param: ConfigCollectSplay} - properties: - image: {get_param: NovaImage} - image_update_policy: - get_param: ImageUpdatePolicy - flavor: {get_param: OvercloudComputeFlavor} - key_name: {get_param: KeyName} - networks: - - network: ctlplane - user_data_format: SOFTWARE_CONFIG - user_data: {get_resource: UserData} - name: - str_replace: - template: {get_param: Hostname} - params: {get_param: HostnameMap} - software_config_transport: {get_param: SoftwareConfigTransport} - metadata: - map_merge: - - {get_param: ServerMetadata} - - {get_param: NovaComputeServerMetadata} - - {get_param: ServiceMetadataSettings} - scheduler_hints: {get_param: NovaComputeSchedulerHints} - deployment_swift_data: - if: - - deployment_swift_data_map_unset - - {} - - {get_param: [DeploymentSwiftDataMap, - {get_param: Hostname}]} - - # Combine the NodeAdminUserData and NodeUserData mime archives - UserData: - type: OS::Heat::MultipartMime - properties: - parts: - - config: {get_resource: NodeAdminUserData} - type: multipart - - config: {get_resource: NodeUserData} - type: multipart - - config: {get_resource: RoleUserData} - type: multipart - - # Creates the "heat-admin" user if 
configured via the environment - # Should return a OS::Heat::MultipartMime reference via OS::stack_id - NodeAdminUserData: - type: OS::TripleO::NodeAdminUserData - - # For optional operator additional userdata - # Should return a OS::Heat::MultipartMime reference via OS::stack_id - NodeUserData: - type: OS::TripleO::NodeUserData - - # For optional operator role-specific userdata - # Should return a OS::Heat::MultipartMime reference via OS::stack_id - RoleUserData: - type: OS::TripleO::Compute::NodeUserData - - ExternalPort: - type: OS::TripleO::Compute::Ports::ExternalPort - properties: - ControlPlaneIP: {get_attr: [NovaCompute, networks, ctlplane, 0]} - IPPool: {get_param: NovaComputeIPs} - NodeIndex: {get_param: NodeIndex} - - InternalApiPort: - type: OS::TripleO::Compute::Ports::InternalApiPort - properties: - ControlPlaneIP: {get_attr: [NovaCompute, networks, ctlplane, 0]} - IPPool: {get_param: NovaComputeIPs} - NodeIndex: {get_param: NodeIndex} - - StoragePort: - type: OS::TripleO::Compute::Ports::StoragePort - properties: - ControlPlaneIP: {get_attr: [NovaCompute, networks, ctlplane, 0]} - IPPool: {get_param: NovaComputeIPs} - NodeIndex: {get_param: NodeIndex} - - StorageMgmtPort: - type: OS::TripleO::Compute::Ports::StorageMgmtPort - properties: - ControlPlaneIP: {get_attr: [NovaCompute, networks, ctlplane, 0]} - IPPool: {get_param: NovaComputeIPs} - NodeIndex: {get_param: NodeIndex} - - TenantPort: - type: OS::TripleO::Compute::Ports::TenantPort - properties: - ControlPlaneIP: {get_attr: [NovaCompute, networks, ctlplane, 0]} - IPPool: {get_param: NovaComputeIPs} - NodeIndex: {get_param: NodeIndex} - - ManagementPort: - type: OS::TripleO::Compute::Ports::ManagementPort - properties: - ControlPlaneIP: {get_attr: [NovaCompute, networks, ctlplane, 0]} - IPPool: {get_param: NovaComputeIPs} - NodeIndex: {get_param: NodeIndex} - - NetIpMap: - type: OS::TripleO::Network::Ports::NetIpMap - properties: - ControlPlaneIp: {get_attr: [NovaCompute, networks, ctlplane, 
0]} - ExternalIp: {get_attr: [ExternalPort, ip_address]} - ExternalIpSubnet: {get_attr: [ExternalPort, ip_subnet]} - ExternalIpUri: {get_attr: [ExternalPort, ip_address_uri]} - InternalApiIp: {get_attr: [InternalApiPort, ip_address]} - InternalApiIpSubnet: {get_attr: [InternalApiPort, ip_subnet]} - InternalApiIpUri: {get_attr: [InternalApiPort, ip_address_uri]} - StorageIp: {get_attr: [StoragePort, ip_address]} - StorageIpSubnet: {get_attr: [StoragePort, ip_subnet]} - StorageIpUri: {get_attr: [StoragePort, ip_address_uri]} - StorageMgmtIp: {get_attr: [StorageMgmtPort, ip_address]} - StorageMgmtIpSubnet: {get_attr: [StorageMgmtPort, ip_subnet]} - StorageMgmtIpUri: {get_attr: [StorageMgmtPort, ip_address_uri]} - TenantIp: {get_attr: [TenantPort, ip_address]} - TenantIpSubnet: {get_attr: [TenantPort, ip_subnet]} - TenantIpUri: {get_attr: [TenantPort, ip_address_uri]} - ManagementIp: {get_attr: [ManagementPort, ip_address]} - ManagementIpSubnet: {get_attr: [ManagementPort, ip_subnet]} - ManagementIpUri: {get_attr: [ManagementPort, ip_address_uri]} - - NetHostMap: - type: OS::Heat::Value - properties: - type: json - value: - external: - fqdn: - list_join: - - '.' - - - {get_attr: [NovaCompute, name]} - - external - - {get_param: CloudDomain} - short: - list_join: - - '.' - - - {get_attr: [NovaCompute, name]} - - external - internal_api: - fqdn: - list_join: - - '.' - - - {get_attr: [NovaCompute, name]} - - internalapi - - {get_param: CloudDomain} - short: - list_join: - - '.' - - - {get_attr: [NovaCompute, name]} - - internalapi - storage: - fqdn: - list_join: - - '.' - - - {get_attr: [NovaCompute, name]} - - storage - - {get_param: CloudDomain} - short: - list_join: - - '.' - - - {get_attr: [NovaCompute, name]} - - storage - storage_mgmt: - fqdn: - list_join: - - '.' - - - {get_attr: [NovaCompute, name]} - - storagemgmt - - {get_param: CloudDomain} - short: - list_join: - - '.' - - - {get_attr: [NovaCompute, name]} - - storagemgmt - tenant: - fqdn: - list_join: - - '.' 
- - - {get_attr: [NovaCompute, name]} - - tenant - - {get_param: CloudDomain} - short: - list_join: - - '.' - - - {get_attr: [NovaCompute, name]} - - tenant - management: - fqdn: - list_join: - - '.' - - - {get_attr: [NovaCompute, name]} - - management - - {get_param: CloudDomain} - short: - list_join: - - '.' - - - {get_attr: [NovaCompute, name]} - - management - ctlplane: - fqdn: - list_join: - - '.' - - - {get_attr: [NovaCompute, name]} - - ctlplane - - {get_param: CloudDomain} - short: - list_join: - - '.' - - - {get_attr: [NovaCompute, name]} - - ctlplane - - PreNetworkConfig: - type: OS::TripleO::Compute::PreNetworkConfig - properties: - server: {get_resource: NovaCompute} - RoleParameters: {get_param: RoleParameters} - ServiceNames: {get_param: ServiceNames} - deployment_actions: {get_attr: [DeploymentActions, value]} - - NetworkConfig: - type: OS::TripleO::Compute::Net::SoftwareConfig - properties: - ControlPlaneIp: {get_attr: [NovaCompute, networks, ctlplane, 0]} - ExternalIpSubnet: {get_attr: [ExternalPort, ip_subnet]} - InternalApiIpSubnet: {get_attr: [InternalApiPort, ip_subnet]} - StorageIpSubnet: {get_attr: [StoragePort, ip_subnet]} - StorageMgmtIpSubnet: {get_attr: [StorageMgmtPort, ip_subnet]} - TenantIpSubnet: {get_attr: [TenantPort, ip_subnet]} - ManagementIpSubnet: {get_attr: [ManagementPort, ip_subnet]} - - NetworkDeployment: - type: OS::TripleO::SoftwareDeployment - depends_on: PreNetworkConfig - properties: - name: NetworkDeployment - actions: - if: - - server_not_blacklisted - - {get_param: NetworkDeploymentActions} - - [] - config: {get_resource: NetworkConfig} - server: {get_resource: NovaCompute} - input_values: - bridge_name: {get_param: NeutronPhysicalBridge} - interface_name: {get_param: NeutronPublicInterface} - - NovaComputeUpgradeInitConfig: - type: OS::Heat::SoftwareConfig - properties: - group: script - config: - list_join: - - '' - - - "#!/bin/bash\n\n" - - "if [[ -f /etc/resolv.conf.save ]] ; then rm /etc/resolv.conf.save; 
fi\n\n" - - get_param: UpgradeInitCommand - - get_param: UpgradeInitCommonCommand - - # Note we may be able to make this conditional on UpgradeInitCommandNotEmpty - # but https://bugs.launchpad.net/heat/+bug/1649900 needs fixing first - NovaComputeUpgradeInitDeployment: - type: OS::Heat::SoftwareDeployment - depends_on: NetworkDeployment - properties: - name: NovaComputeUpgradeInitDeployment - actions: - if: - - server_not_blacklisted - - ['CREATE', 'UPDATE'] - - [] - server: {get_resource: NovaCompute} - config: {get_resource: NovaComputeUpgradeInitConfig} - - NovaComputeConfig: - type: OS::Heat::StructuredConfig - properties: - group: hiera - config: - hierarchy: - - '"%{::uuid}"' - - heat_config_%{::deploy_config_name} - - config_step - - compute_extraconfig - - extraconfig - - service_names - - service_configs - - compute - - bootstrap_node # provided by allNodesConfig - - all_nodes # provided by allNodesConfig - - vip_data # provided by allNodesConfig - - '"%{::osfamily}"' - - neutron_bigswitch_data # Optionally provided by ComputeExtraConfigPre - - cisco_n1kv_data # Optionally provided by ComputeExtraConfigPre - - nova_nuage_data # Optionally provided by ComputeExtraConfigPre - - midonet_data # Optionally provided by AllNodesExtraConfig - - neutron_opencontrail_data # Optionally provided by ComputeExtraConfigPre - - cisco_aci_data # Optionally provided by ComputeExtraConfigPre - merge_behavior: deeper - datafiles: - service_names: - service_names: {get_param: ServiceNames} - sensu::subscriptions: {get_param: MonitoringSubscriptions} - service_configs: - map_replace: - - {get_param: ServiceConfigSettings} - - values: {get_attr: [NetIpMap, net_ip_map]} - compute_extraconfig: {get_param: NovaComputeExtraConfig} - extraconfig: {get_param: ExtraConfig} - compute: - tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade} - fqdn_internal_api: {get_attr: [NetHostMap, value, internal_api, fqdn]} - fqdn_storage: {get_attr: [NetHostMap, value, storage, 
fqdn]} - fqdn_storage_mgmt: {get_attr: [NetHostMap, value, storage_mgmt, fqdn]} - fqdn_tenant: {get_attr: [NetHostMap, value, tenant, fqdn]} - fqdn_management: {get_attr: [NetHostMap, value, management, fqdn]} - fqdn_ctlplane: {get_attr: [NetHostMap, value, ctlplane, fqdn]} - fqdn_external: {get_attr: [NetHostMap, value, external, fqdn]} - - NovaComputeDeployment: - type: OS::TripleO::SoftwareDeployment - depends_on: NovaComputeUpgradeInitDeployment - properties: - name: NovaComputeDeployment - actions: - if: - - server_not_blacklisted - - ['CREATE', 'UPDATE'] - - [] - config: {get_resource: NovaComputeConfig} - server: {get_resource: NovaCompute} - input_values: - enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]} - - # Resource for site-specific injection of root certificate - NodeTLSCAData: - depends_on: NovaComputeDeployment - type: OS::TripleO::NodeTLSCAData - properties: - server: {get_resource: NovaCompute} - - # Hook for site-specific additional pre-deployment config, e.g extra hieradata - ComputeExtraConfigPre: - depends_on: NovaComputeDeployment - type: OS::TripleO::ComputeExtraConfigPre - # We have to use conditions here so that we don't break backwards - # compatibility with templates everywhere - condition: server_not_blacklisted - properties: - server: {get_resource: NovaCompute} - - # Hook for site-specific additional pre-deployment config, - # applying to all nodes, e.g node registration/unregistration - NodeExtraConfig: - depends_on: [ComputeExtraConfigPre, NodeTLSCAData] - type: OS::TripleO::NodeExtraConfig - # We have to use conditions here so that we don't break backwards - # compatibility with templates everywhere - condition: server_not_blacklisted - properties: - server: {get_resource: NovaCompute} - - UpdateConfig: - type: OS::TripleO::Tasks::PackageUpdate - - UpdateDeployment: - type: OS::Heat::SoftwareDeployment - depends_on: NetworkDeployment - properties: - name: UpdateDeployment - actions: - if: - - 
server_not_blacklisted - - ['CREATE', 'UPDATE'] - - [] - config: {get_resource: UpdateConfig} - server: {get_resource: NovaCompute} - input_values: - update_identifier: - get_param: UpdateIdentifier - - DeploymentActions: - type: OS::Heat::Value - properties: - value: - if: - - server_not_blacklisted - - ['CREATE', 'UPDATE'] - - [] - - SshHostPubKey: - type: OS::TripleO::Ssh::HostPubKey - depends_on: NovaComputeDeployment - properties: - server: {get_resource: NovaCompute} - deployment_actions: {get_attr: [DeploymentActions, value]} - -outputs: - ip_address: - description: IP address of the server in the ctlplane network - value: {get_attr: [NovaCompute, networks, ctlplane, 0]} - external_ip_address: - description: IP address of the server in the external network - value: {get_attr: [ExternalPort, ip_address]} - internal_api_ip_address: - description: IP address of the server in the internal_api network - value: {get_attr: [InternalApiPort, ip_address]} - storage_ip_address: - description: IP address of the server in the storage network - value: {get_attr: [StoragePort, ip_address]} - storage_mgmt_ip_address: - description: IP address of the server in the storage_mgmt network - value: {get_attr: [StorageMgmtPort, ip_address]} - tenant_ip_address: - description: IP address of the server in the tenant network - value: {get_attr: [TenantPort, ip_address]} - management_ip_address: - description: IP address of the server in the management network - value: {get_attr: [ManagementPort, ip_address]} - deployed_server_port_map: - description: | - Map of Heat created hostname of the server to ip address. This is the - hostname before it has been mapped with the HostnameMap parameter, and - the IP address from the ctlplane network. This map can be used to construct - the DeployedServerPortMap parameter when using split-stack. 
- value: - map_replace: - - hostname: - fixed_ips: - - ip_address: {get_attr: [NovaCompute, networks, ctlplane, 0]} - - keys: - hostname: - list_join: - - '-' - - - {get_param: Hostname} - - ctlplane - deployed_server_deployment_swift_data_map: - description: - Map of Heat created hostname of the server to the Swift container and object - used to created the temporary url for metadata polling with - os-collect-config. - value: - map_replace: - - hostname: - container: - str_split: - - '/' - - {get_attr: [NovaCompute, os_collect_config, request, metadata_url]} - - 5 - object: - str_split: - - '?' - - str_split: - - '/' - - {get_attr: [NovaCompute, os_collect_config, request, metadata_url]} - - 6 - - 0 - - keys: {hostname: {get_param: Hostname}} - hostname: - description: Hostname of the server - value: {get_attr: [NovaCompute, name]} - hostname_map: - description: Mapping of network names to hostnames - value: - external: {get_attr: [NetHostMap, value, external, fqdn]} - internal_api: {get_attr: [NetHostMap, value, internal_api, fqdn]} - storage: {get_attr: [NetHostMap, value, storage, fqdn]} - storage_mgmt: {get_attr: [NetHostMap, value, storage_mgmt, fqdn]} - tenant: {get_attr: [NetHostMap, value, tenant, fqdn]} - management: {get_attr: [NetHostMap, value, management, fqdn]} - ctlplane: {get_attr: [NetHostMap, value, ctlplane, fqdn]} - hosts_entry: - description: > - Server's IP address and hostname in the /etc/hosts format - value: - str_replace: - template: | - PRIMARYIP PRIMARYHOST.DOMAIN PRIMARYHOST - EXTERNALIP EXTERNALHOST.DOMAIN EXTERNALHOST - INTERNAL_APIIP INTERNAL_APIHOST.DOMAIN INTERNAL_APIHOST - STORAGEIP STORAGEHOST.DOMAIN STORAGEHOST - STORAGE_MGMTIP STORAGE_MGMTHOST.DOMAIN STORAGE_MGMTHOST - TENANTIP TENANTHOST.DOMAIN TENANTHOST - MANAGEMENTIP MANAGEMENTHOST.DOMAIN MANAGEMENTHOST - CTLPLANEIP CTLPLANEHOST.DOMAIN CTLPLANEHOST - params: - PRIMARYIP: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, ComputeHostnameResolveNetwork]}]} - 
DOMAIN: {get_param: CloudDomain} - PRIMARYHOST: {get_attr: [NovaCompute, name]} - EXTERNALIP: {get_attr: [ExternalPort, ip_address]} - EXTERNALHOST: {get_attr: [NetHostMap, value, external, short]} - INTERNAL_APIIP: {get_attr: [InternalApiPort, ip_address]} - INTERNAL_APIHOST: {get_attr: [NetHostMap, value, internal_api, short]} - STORAGEIP: {get_attr: [StoragePort, ip_address]} - STORAGEHOST: {get_attr: [NetHostMap, value, storage, short]} - STORAGE_MGMTIP: {get_attr: [StorageMgmtPort, ip_address]} - STORAGE_MGMTHOST: {get_attr: [NetHostMap, value, storage_mgmt, short]} - TENANTIP: {get_attr: [TenantPort, ip_address]} - TENANTHOST: {get_attr: [NetHostMap, value, tenant, short]} - MANAGEMENTIP: {get_attr: [ManagementPort, ip_address]} - MANAGEMENTHOST: {get_attr: [NetHostMap, value, management, short]} - CTLPLANEIP: {get_attr: [NovaCompute, networks, ctlplane, 0]} - CTLPLANEHOST: {get_attr: [NetHostMap, value, ctlplane, short]} - known_hosts_entry: - description: Entry for ssh known hosts - value: - str_replace: - template: "PRIMARYIP,PRIMARYHOST.DOMAIN,PRIMARYHOST,\ -EXTERNALIP,EXTERNALHOST.DOMAIN,EXTERNALHOST,\ -INTERNAL_APIIP,INTERNAL_APIHOST.DOMAIN,INTERNAL_APIHOST,\ -STORAGEIP,STORAGEHOST.DOMAIN,STORAGEHOST,\ -STORAGE_MGMTIP,STORAGE_MGMTHOST.DOMAIN,STORAGE_MGMTHOST,\ -TENANTIP,TENANTHOST.DOMAIN,TENANTHOST,\ -MANAGEMENTIP,MANAGEMENTHOST.DOMAIN,MANAGEMENTHOST,\ -CTLPLANEIP,CTLPLANEHOST.DOMAIN,CTLPLANEHOST HOSTSSHPUBKEY" - params: - PRIMARYIP: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, ComputeHostnameResolveNetwork]}]} - DOMAIN: {get_param: CloudDomain} - PRIMARYHOST: {get_attr: [NovaCompute, name]} - EXTERNALIP: {get_attr: [ExternalPort, ip_address]} - EXTERNALHOST: {get_attr: [NetHostMap, value, external, short]} - INTERNAL_APIIP: {get_attr: [InternalApiPort, ip_address]} - INTERNAL_APIHOST: {get_attr: [NetHostMap, value, internal_api, short]} - STORAGEIP: {get_attr: [StoragePort, ip_address]} - STORAGEHOST: {get_attr: [NetHostMap, value, 
storage, short]} - STORAGE_MGMTIP: {get_attr: [StorageMgmtPort, ip_address]} - STORAGE_MGMTHOST: {get_attr: [NetHostMap, value, storage_mgmt, short]} - TENANTIP: {get_attr: [TenantPort, ip_address]} - TENANTHOST: {get_attr: [NetHostMap, value, tenant, short]} - MANAGEMENTIP: {get_attr: [ManagementPort, ip_address]} - MANAGEMENTHOST: {get_attr: [NetHostMap, value, management, short]} - CTLPLANEIP: {get_attr: [NovaCompute, networks, ctlplane, 0]} - CTLPLANEHOST: {get_attr: [NetHostMap, value, ctlplane, short]} - HOSTSSHPUBKEY: {get_attr: [SshHostPubKey, ecdsa]} - nova_server_resource: - description: Heat resource handle for the Nova compute server - value: - {get_resource: NovaCompute} - condition: server_not_blacklisted - os_collect_config: - description: The os-collect-config configuration associated with this server resource - value: {get_attr: [NovaCompute, os_collect_config]}
diff --git a/puppet/controller-role.yaml b/puppet/controller-role.yaml
deleted file mode 100644
index 38589a4e..00000000
--- a/puppet/controller-role.yaml
+++ /dev/null
@@ -1,782 +0,0 @@ -heat_template_version: pike - -description: > - OpenStack controller node configured by Puppet. - -parameters: - controllerExtraConfig: - default: {} - description: | - Deprecated. Use ControllerExtraConfig via parameter_defaults instead. - type: json - ControllerExtraConfig: - default: {} - description: | - Controller specific hiera configuration data to inject into the cluster. - type: json - ControllerIPs: - default: {} - description: > - A network mapped list of IPs to assign to Controllers in the following form: - { - "internal_api": ["a.b.c.d", "e.f.g.h"], - ... - } - type: json - Debug: - default: '' - description: Set to True to enable debugging on all services. - type: string - ExtraConfig: - default: {} - description: | - Additional hieradata to inject into the cluster, note that - ControllerExtraConfig takes precedence over ExtraConfig. - type: json - OvercloudControlFlavor: - description: Flavor for control nodes to request when deploying. - default: baremetal - type: string - constraints: - - custom_constraint: nova.flavor - controllerImage: - type: string - default: overcloud-full - constraints: - - custom_constraint: glance.image - ImageUpdatePolicy: - default: 'REBUILD_PRESERVE_EPHEMERAL' - description: What policy to use when reconstructing instances. REBUILD for rebuilds, REBUILD_PRESERVE_EPHEMERAL to preserve /mnt. - type: string - KeyName: - default: default - description: Name of an existing Nova key pair to enable SSH access to the instances - type: string - constraints: - - custom_constraint: nova.keypair - NeutronPhysicalBridge: - default: 'br-ex' - description: An OVS bridge to create for accessing external networks. - type: string - NeutronPublicInterface: - default: nic1 - description: Which interface to add to the NeutronPhysicalBridge. - type: string - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. 
- type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - UpdateIdentifier: - default: '' - type: string - description: > - Setting to a previously unused value during stack-update will trigger - package update on all nodes - Hostname: - type: string - default: '' # Defaults to Heat created hostname - HostnameMap: - type: json - default: {} - description: Optional mapping to override hostnames - NetworkDeploymentActions: - type: comma_delimited_list - description: > - Heat action when to apply network configuration changes - default: ['CREATE'] - NodeIndex: - type: number - default: 0 - SoftwareConfigTransport: - default: POLL_SERVER_CFN - description: | - How the server should receive the metadata required for software configuration. - type: string - constraints: - - allowed_values: [POLL_SERVER_CFN, POLL_SERVER_HEAT, POLL_TEMP_URL, ZAQAR_MESSAGE] - CloudDomain: - default: 'localdomain' - type: string - description: > - The DNS domain used for the hosts. This must match the - overcloud_domain_name configured on the undercloud. - ControllerServerMetadata: - default: {} - description: > - Extra properties or metadata passed to Nova for the created nodes in - the overcloud. It's accessible via the Nova metadata API. This option is - role-specific and is merged with the values given to the ServerMetadata - parameter. - type: json - ServerMetadata: - default: {} - description: > - Extra properties or metadata passed to Nova for the created nodes in - the overcloud. It's accessible via the Nova metadata API. This applies to - all roles and is merged with a role-specific metadata parameter. 
- type: json - ControllerSchedulerHints: - type: json - description: Optional scheduler hints to pass to nova - default: {} - ServiceConfigSettings: - type: json - default: {} - ServiceNames: - type: comma_delimited_list - default: [] - MonitoringSubscriptions: - type: comma_delimited_list - default: [] - ServiceMetadataSettings: - type: json - default: {} - ConfigCommand: - type: string - description: Command which will be run whenever configuration data changes - default: os-refresh-config --timeout 14400 - ConfigCollectSplay: - type: number - default: 30 - description: | - Maximum amount of time to possibly to delay configuation collection - polling. Defaults to 30 seconds. Set to 0 to disable it which will cause - the configuration collection to occur as soon as the collection process - starts. This setting is used to prevent the configuration collection - processes from polling all at the exact same time. - UpgradeInitCommand: - type: string - description: | - Command or script snippet to run on all overcloud nodes to - initialize the upgrade process. E.g. a repository switch. - default: '' - UpgradeInitCommonCommand: - type: string - description: | - Common commands required by the upgrades process. This should not - normally be modified by the operator and is set and unset in the - major-upgrade-composable-steps.yaml and major-upgrade-converge.yaml - environment files. - default: '' - DeploymentServerBlacklistDict: - default: {} - type: json - description: > - Map of server hostnames to blacklist from any triggered - deployments. If the value is 1, the server will be blacklisted. This - parameter is generated from the parent template. - RoleParameters: - type: json - description: Parameters specific to the role - default: {} - DeploymentSwiftDataMap: - type: json - description: | - Map of servers to Swift container and object for storing deployment data. 
- The keys are the Heat assigned hostnames, and the value is a map of the - container/object name in Swift. Example value: - overcloud-controller-0: - container: overcloud-controller - object: 0 - overcloud-controller-1: - container: overcloud-controller - object: 1 - overcloud-controller-2: - container: overcloud-controller - object: 2 - overcloud-novacompute-0: - container: overcloud-compute - object: 0 - default: {} - -parameter_groups: -- label: deprecated - description: Do not use deprecated params, they will be removed. - parameters: - - controllerExtraConfig - -conditions: - server_not_blacklisted: - not: - equals: - - {get_param: [DeploymentServerBlacklistDict, {get_param: Hostname}]} - - 1 - deployment_swift_data_map_unset: - equals: - - get_param: - - DeploymentSwiftDataMap - - {get_param: Hostname} - - "" - -resources: - - Controller: - type: OS::TripleO::ControllerServer - metadata: - os-collect-config: - command: {get_param: ConfigCommand} - splay: {get_param: ConfigCollectSplay} - properties: - image: {get_param: controllerImage} - image_update_policy: {get_param: ImageUpdatePolicy} - flavor: {get_param: OvercloudControlFlavor} - key_name: {get_param: KeyName} - networks: - - network: ctlplane - user_data_format: SOFTWARE_CONFIG - user_data: {get_resource: UserData} - name: - str_replace: - template: {get_param: Hostname} - params: {get_param: HostnameMap} - software_config_transport: {get_param: SoftwareConfigTransport} - metadata: - map_merge: - - {get_param: ServerMetadata} - - {get_param: ControllerServerMetadata} - - {get_param: ServiceMetadataSettings} - scheduler_hints: {get_param: ControllerSchedulerHints} - deployment_swift_data: - if: - - deployment_swift_data_map_unset - - {} - - {get_param: [DeploymentSwiftDataMap, - {get_param: Hostname}]} - - # Combine the NodeAdminUserData and NodeUserData mime archives - UserData: - type: OS::Heat::MultipartMime - properties: - parts: - - config: {get_resource: NodeAdminUserData} - type: multipart - - 
config: {get_resource: NodeUserData} - type: multipart - - config: {get_resource: RoleUserData} - type: multipart - - # Creates the "heat-admin" user if configured via the environment - # Should return a OS::Heat::MultipartMime reference via OS::stack_id - NodeAdminUserData: - type: OS::TripleO::NodeAdminUserData - - # For optional operator additional userdata - # Should return a OS::Heat::MultipartMime reference via OS::stack_id - NodeUserData: - type: OS::TripleO::NodeUserData - - # For optional operator role-specific userdata - # Should return a OS::Heat::MultipartMime reference via OS::stack_id - RoleUserData: - type: OS::TripleO::Controller::NodeUserData - - ExternalPort: - type: OS::TripleO::Controller::Ports::ExternalPort - properties: - IPPool: {get_param: ControllerIPs} - NodeIndex: {get_param: NodeIndex} - ControlPlaneIP: {get_attr: [Controller, networks, ctlplane, 0]} - - InternalApiPort: - type: OS::TripleO::Controller::Ports::InternalApiPort - properties: - IPPool: {get_param: ControllerIPs} - NodeIndex: {get_param: NodeIndex} - ControlPlaneIP: {get_attr: [Controller, networks, ctlplane, 0]} - - StoragePort: - type: OS::TripleO::Controller::Ports::StoragePort - properties: - IPPool: {get_param: ControllerIPs} - NodeIndex: {get_param: NodeIndex} - ControlPlaneIP: {get_attr: [Controller, networks, ctlplane, 0]} - - StorageMgmtPort: - type: OS::TripleO::Controller::Ports::StorageMgmtPort - properties: - IPPool: {get_param: ControllerIPs} - NodeIndex: {get_param: NodeIndex} - ControlPlaneIP: {get_attr: [Controller, networks, ctlplane, 0]} - - TenantPort: - type: OS::TripleO::Controller::Ports::TenantPort - properties: - IPPool: {get_param: ControllerIPs} - NodeIndex: {get_param: NodeIndex} - ControlPlaneIP: {get_attr: [Controller, networks, ctlplane, 0]} - - ManagementPort: - type: OS::TripleO::Controller::Ports::ManagementPort - properties: - IPPool: {get_param: ControllerIPs} - NodeIndex: {get_param: NodeIndex} - ControlPlaneIP: {get_attr: [Controller, 
networks, ctlplane, 0]} - - NetIpMap: - type: OS::TripleO::Network::Ports::NetIpMap - properties: - ControlPlaneIp: {get_attr: [Controller, networks, ctlplane, 0]} - ExternalIp: {get_attr: [ExternalPort, ip_address]} - ExternalIpSubnet: {get_attr: [ExternalPort, ip_subnet]} - ExternalIpUri: {get_attr: [ExternalPort, ip_address_uri]} - InternalApiIp: {get_attr: [InternalApiPort, ip_address]} - InternalApiIpSubnet: {get_attr: [InternalApiPort, ip_subnet]} - InternalApiIpUri: {get_attr: [InternalApiPort, ip_address_uri]} - StorageIp: {get_attr: [StoragePort, ip_address]} - StorageIpSubnet: {get_attr: [StoragePort, ip_subnet]} - StorageIpUri: {get_attr: [StoragePort, ip_address_uri]} - StorageMgmtIp: {get_attr: [StorageMgmtPort, ip_address]} - StorageMgmtIpSubnet: {get_attr: [StorageMgmtPort, ip_subnet]} - StorageMgmtIpUri: {get_attr: [StorageMgmtPort, ip_address_uri]} - TenantIp: {get_attr: [TenantPort, ip_address]} - TenantIpSubnet: {get_attr: [TenantPort, ip_subnet]} - TenantIpUri: {get_attr: [TenantPort, ip_address_uri]} - ManagementIp: {get_attr: [ManagementPort, ip_address]} - ManagementIpSubnet: {get_attr: [ManagementPort, ip_subnet]} - ManagementIpUri: {get_attr: [ManagementPort, ip_address_uri]} - - NetHostMap: - type: OS::Heat::Value - properties: - type: json - value: - external: - fqdn: - list_join: - - '.' - - - {get_attr: [Controller, name]} - - external - - {get_param: CloudDomain} - short: - list_join: - - '.' - - - {get_attr: [Controller, name]} - - external - internal_api: - fqdn: - list_join: - - '.' - - - {get_attr: [Controller, name]} - - internalapi - - {get_param: CloudDomain} - short: - list_join: - - '.' - - - {get_attr: [Controller, name]} - - internalapi - storage: - fqdn: - list_join: - - '.' - - - {get_attr: [Controller, name]} - - storage - - {get_param: CloudDomain} - short: - list_join: - - '.' - - - {get_attr: [Controller, name]} - - storage - storage_mgmt: - fqdn: - list_join: - - '.' 
- - - {get_attr: [Controller, name]} - - storagemgmt - - {get_param: CloudDomain} - short: - list_join: - - '.' - - - {get_attr: [Controller, name]} - - storagemgmt - tenant: - fqdn: - list_join: - - '.' - - - {get_attr: [Controller, name]} - - tenant - - {get_param: CloudDomain} - short: - list_join: - - '.' - - - {get_attr: [Controller, name]} - - tenant - management: - fqdn: - list_join: - - '.' - - - {get_attr: [Controller, name]} - - management - - {get_param: CloudDomain} - short: - list_join: - - '.' - - - {get_attr: [Controller, name]} - - management - ctlplane: - fqdn: - list_join: - - '.' - - - {get_attr: [Controller, name]} - - ctlplane - - {get_param: CloudDomain} - short: - list_join: - - '.' - - - {get_attr: [Controller, name]} - - ctlplane - - PreNetworkConfig: - type: OS::TripleO::Controller::PreNetworkConfig - properties: - server: {get_resource: Controller} - RoleParameters: {get_param: RoleParameters} - ServiceNames: {get_param: ServiceNames} - deployment_actions: {get_attr: [DeploymentActions, value]} - - NetworkConfig: - type: OS::TripleO::Controller::Net::SoftwareConfig - properties: - ControlPlaneIp: {get_attr: [Controller, networks, ctlplane, 0]} - ExternalIpSubnet: {get_attr: [ExternalPort, ip_subnet]} - InternalApiIpSubnet: {get_attr: [InternalApiPort, ip_subnet]} - StorageIpSubnet: {get_attr: [StoragePort, ip_subnet]} - StorageMgmtIpSubnet: {get_attr: [StorageMgmtPort, ip_subnet]} - TenantIpSubnet: {get_attr: [TenantPort, ip_subnet]} - ManagementIpSubnet: {get_attr: [ManagementPort, ip_subnet]} - - NetworkDeployment: - type: OS::TripleO::SoftwareDeployment - depends_on: PreNetworkConfig - properties: - name: NetworkDeployment - config: {get_resource: NetworkConfig} - server: {get_resource: Controller} - actions: - if: - - server_not_blacklisted - - {get_param: NetworkDeploymentActions} - - [] - input_values: - bridge_name: {get_param: NeutronPhysicalBridge} - interface_name: {get_param: NeutronPublicInterface} - - # Resource for 
site-specific injection of root certificate - NodeTLSCAData: - depends_on: NetworkDeployment - type: OS::TripleO::NodeTLSCAData - properties: - server: {get_resource: Controller} - - # Resource for site-specific passing of private keys/certificates - NodeTLSData: - depends_on: NodeTLSCAData - type: OS::TripleO::NodeTLSData - properties: - server: {get_resource: Controller} - NodeIndex: {get_param: NodeIndex} - - ControllerUpgradeInitConfig: - type: OS::Heat::SoftwareConfig - properties: - group: script - config: - list_join: - - '' - - - "#!/bin/bash\n\n" - - "if [[ -f /etc/resolv.conf.save ]] ; then rm /etc/resolv.conf.save; fi\n\n" - - get_param: UpgradeInitCommand - - get_param: UpgradeInitCommonCommand - - # Note we may be able to make this conditional on UpgradeInitCommandNotEmpty - # but https://bugs.launchpad.net/heat/+bug/1649900 needs fixing first - ControllerUpgradeInitDeployment: - type: OS::Heat::SoftwareDeployment - depends_on: NetworkDeployment - properties: - name: ControllerUpgradeInitDeployment - actions: - if: - - server_not_blacklisted - - ['CREATE', 'UPDATE'] - - [] - server: {get_resource: Controller} - config: {get_resource: ControllerUpgradeInitConfig} - - ControllerDeployment: - type: OS::TripleO::SoftwareDeployment - depends_on: ControllerUpgradeInitDeployment - properties: - name: ControllerDeployment - actions: - if: - - server_not_blacklisted - - ['CREATE', 'UPDATE'] - - [] - config: {get_resource: ControllerConfig} - server: {get_resource: Controller} - input_values: - enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]} - - # Map heat metadata into hiera datafiles - ControllerConfig: - type: OS::Heat::StructuredConfig - properties: - group: hiera - config: - hierarchy: - - '"%{::uuid}"' - - heat_config_%{::deploy_config_name} - - config_step - - controller_extraconfig - - extraconfig - - service_configs - - service_names - - controller - - bootstrap_node # provided by BootstrapNodeConfig - - all_nodes # 
provided by allNodesConfig - - vip_data # provided by allNodesConfig - - '"%{::osfamily}"' - - neutron_bigswitch_data # Optionally provided by ControllerExtraConfigPre - - neutron_cisco_data # Optionally provided by ControllerExtraConfigPre - - cisco_n1kv_data # Optionally provided by ControllerExtraConfigPre - - midonet_data #Optionally provided by AllNodesExtraConfig - - cisco_aci_data # Optionally provided by ControllerExtraConfigPre - merge_behavior: deeper - datafiles: - service_names: - service_names: {get_param: ServiceNames} - sensu::subscriptions: {get_param: MonitoringSubscriptions} - service_configs: - map_replace: - - {get_param: ServiceConfigSettings} - - values: {get_attr: [NetIpMap, net_ip_map]} - controller_extraconfig: - map_merge: - - {get_param: controllerExtraConfig} - - {get_param: ControllerExtraConfig} - extraconfig: {get_param: ExtraConfig} - controller: - # Misc - tripleo::haproxy::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]} - tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade} - fqdn_internal_api: {get_attr: [NetHostMap, value, internal_api, fqdn]} - fqdn_storage: {get_attr: [NetHostMap, value, storage, fqdn]} - fqdn_storage_mgmt: {get_attr: [NetHostMap, value, storage_mgmt, fqdn]} - fqdn_tenant: {get_attr: [NetHostMap, value, tenant, fqdn]} - fqdn_management: {get_attr: [NetHostMap, value, management, fqdn]} - fqdn_ctlplane: {get_attr: [NetHostMap, value, ctlplane, fqdn]} - fqdn_external: {get_attr: [NetHostMap, value, external, fqdn]} - - # Hook for site-specific additional pre-deployment config, e.g extra hieradata - ControllerExtraConfigPre: - depends_on: ControllerDeployment - type: OS::TripleO::ControllerExtraConfigPre - # We have to use conditions here so that we don't break backwards - # compatibility with templates everywhere - condition: server_not_blacklisted - properties: - server: {get_resource: Controller} - - # Hook for site-specific additional pre-deployment config, - # 
applying to all nodes, e.g node registration/unregistration - NodeExtraConfig: - depends_on: [ControllerExtraConfigPre, NodeTLSData] - type: OS::TripleO::NodeExtraConfig - # We have to use conditions here so that we don't break backwards - # compatibility with templates everywhere - condition: server_not_blacklisted - properties: - server: {get_resource: Controller} - - UpdateConfig: - type: OS::TripleO::Tasks::PackageUpdate - - UpdateDeployment: - type: OS::Heat::SoftwareDeployment - depends_on: NetworkDeployment - properties: - name: UpdateDeployment - actions: - if: - - server_not_blacklisted - - ['CREATE', 'UPDATE'] - - [] - config: {get_resource: UpdateConfig} - server: {get_resource: Controller} - input_values: - update_identifier: - get_param: UpdateIdentifier - - DeploymentActions: - type: OS::Heat::Value - properties: - value: - if: - - server_not_blacklisted - - ['CREATE', 'UPDATE'] - - [] - - SshHostPubKey: - type: OS::TripleO::Ssh::HostPubKey - depends_on: ControllerDeployment - properties: - server: {get_resource: Controller} - deployment_actions: {get_attr: [DeploymentActions, value]} - -outputs: - ip_address: - description: IP address of the server in the ctlplane network - value: {get_attr: [Controller, networks, ctlplane, 0]} - external_ip_address: - description: IP address of the server in the external network - value: {get_attr: [ExternalPort, ip_address]} - internal_api_ip_address: - description: IP address of the server in the internal_api network - value: {get_attr: [InternalApiPort, ip_address]} - storage_ip_address: - description: IP address of the server in the storage network - value: {get_attr: [StoragePort, ip_address]} - storage_mgmt_ip_address: - description: IP address of the server in the storage_mgmt network - value: {get_attr: [StorageMgmtPort, ip_address]} - tenant_ip_address: - description: IP address of the server in the tenant network - value: {get_attr: [TenantPort, ip_address]} - management_ip_address: - description: IP 
address of the server in the management network - value: {get_attr: [ManagementPort, ip_address]} - deployed_server_port_map: - description: - Map of Heat created hostname of the server to ip address. This is the - hostname before it has been mapped with the HostnameMap parameter, and - the IP address from the ctlplane network. This map can be used to construct - the DeployedServerPortMap parameter when using split-stack. - value: - map_replace: - - hostname: - fixed_ips: - - ip_address: {get_attr: [Controller, networks, ctlplane, 0]} - - keys: - hostname: - list_join: - - '-' - - - {get_param: Hostname} - - ctlplane - deployed_server_deployment_swift_data_map: - description: - Map of Heat created hostname of the server to the Swift container and object - used to created the temporary url for metadata polling with - os-collect-config. - value: - map_replace: - - hostname: - container: - str_split: - - '/' - - {get_attr: [Controller, os_collect_config, request, metadata_url]} - - 5 - object: - str_split: - - '?' 
- - str_split: - - '/' - - {get_attr: [Controller, os_collect_config, request, metadata_url]} - - 6 - - 0 - - keys: {hostname: {get_param: Hostname}} - hostname: - description: Hostname of the server - value: {get_attr: [Controller, name]} - hostname_map: - description: Mapping of network names to hostnames - value: - external: {get_attr: [NetHostMap, value, external, fqdn]} - internal_api: {get_attr: [NetHostMap, value, internal_api, fqdn]} - storage: {get_attr: [NetHostMap, value, storage, fqdn]} - storage_mgmt: {get_attr: [NetHostMap, value, storage_mgmt, fqdn]} - tenant: {get_attr: [NetHostMap, value, tenant, fqdn]} - management: {get_attr: [NetHostMap, value, management, fqdn]} - ctlplane: {get_attr: [NetHostMap, value, ctlplane, fqdn]} - hosts_entry: - description: > - Server's IP address and hostname in the /etc/hosts format - value: - str_replace: - template: | - PRIMARYIP PRIMARYHOST.DOMAIN PRIMARYHOST - EXTERNALIP EXTERNALHOST.DOMAIN EXTERNALHOST - INTERNAL_APIIP INTERNAL_APIHOST.DOMAIN INTERNAL_APIHOST - STORAGEIP STORAGEHOST.DOMAIN STORAGEHOST - STORAGE_MGMTIP STORAGE_MGMTHOST.DOMAIN STORAGE_MGMTHOST - TENANTIP TENANTHOST.DOMAIN TENANTHOST - MANAGEMENTIP MANAGEMENTHOST.DOMAIN MANAGEMENTHOST - CTLPLANEIP CTLPLANEHOST.DOMAIN CTLPLANEHOST - params: - PRIMARYIP: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, ControllerHostnameResolveNetwork]}]} - DOMAIN: {get_param: CloudDomain} - PRIMARYHOST: {get_attr: [Controller, name]} - EXTERNALIP: {get_attr: [ExternalPort, ip_address]} - EXTERNALHOST: {get_attr: [NetHostMap, value, external, short]} - INTERNAL_APIIP: {get_attr: [InternalApiPort, ip_address]} - INTERNAL_APIHOST: {get_attr: [NetHostMap, value, internal_api, short]} - STORAGEIP: {get_attr: [StoragePort, ip_address]} - STORAGEHOST: {get_attr: [NetHostMap, value, storage, short]} - STORAGE_MGMTIP: {get_attr: [StorageMgmtPort, ip_address]} - STORAGE_MGMTHOST: {get_attr: [NetHostMap, value, storage_mgmt, short]} - TENANTIP: {get_attr: 
[TenantPort, ip_address]} - TENANTHOST: {get_attr: [NetHostMap, value, tenant, short]} - MANAGEMENTIP: {get_attr: [ManagementPort, ip_address]} - MANAGEMENTHOST: {get_attr: [NetHostMap, value, management, short]} - CTLPLANEIP: {get_attr: [Controller, networks, ctlplane, 0]} - CTLPLANEHOST: {get_attr: [NetHostMap, value, ctlplane, short]} - known_hosts_entry: - description: Entry for ssh known hosts - value: - str_replace: - template: "PRIMARYIP,PRIMARYHOST.DOMAIN,PRIMARYHOST,\ -EXTERNALIP,EXTERNALHOST.DOMAIN,EXTERNALHOST,\ -INTERNAL_APIIP,INTERNAL_APIHOST.DOMAIN,INTERNAL_APIHOST,\ -STORAGEIP,STORAGEHOST.DOMAIN,STORAGEHOST,\ -STORAGE_MGMTIP,STORAGE_MGMTHOST.DOMAIN,STORAGE_MGMTHOST,\ -TENANTIP,TENANTHOST.DOMAIN,TENANTHOST,\ -MANAGEMENTIP,MANAGEMENTHOST.DOMAIN,MANAGEMENTHOST,\ -CTLPLANEIP,CTLPLANEHOST.DOMAIN,CTLPLANEHOST HOSTSSHPUBKEY" - params: - PRIMARYIP: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, ControllerHostnameResolveNetwork]}]} - DOMAIN: {get_param: CloudDomain} - PRIMARYHOST: {get_attr: [Controller, name]} - EXTERNALIP: {get_attr: [ExternalPort, ip_address]} - EXTERNALHOST: {get_attr: [NetHostMap, value, external, short]} - INTERNAL_APIIP: {get_attr: [InternalApiPort, ip_address]} - INTERNAL_APIHOST: {get_attr: [NetHostMap, value, internal_api, short]} - STORAGEIP: {get_attr: [StoragePort, ip_address]} - STORAGEHOST: {get_attr: [NetHostMap, value, storage, short]} - STORAGE_MGMTIP: {get_attr: [StorageMgmtPort, ip_address]} - STORAGE_MGMTHOST: {get_attr: [NetHostMap, value, storage_mgmt, short]} - TENANTIP: {get_attr: [TenantPort, ip_address]} - TENANTHOST: {get_attr: [NetHostMap, value, tenant, short]} - MANAGEMENTIP: {get_attr: [ManagementPort, ip_address]} - MANAGEMENTHOST: {get_attr: [NetHostMap, value, management, short]} - CTLPLANEIP: {get_attr: [Controller, networks, ctlplane, 0]} - CTLPLANEHOST: {get_attr: [NetHostMap, value, ctlplane, short]} - HOSTSSHPUBKEY: {get_attr: [SshHostPubKey, ecdsa]} - nova_server_resource: - description: 
Heat resource handle for the Nova compute server - value: - {get_resource: Controller} - condition: server_not_blacklisted - tls_key_modulus_md5: - description: MD5 checksum of the TLS Key Modulus - value: {get_attr: [NodeTLSData, key_modulus_md5]} - tls_cert_modulus_md5: - description: MD5 checksum of the TLS Certificate Modulus - value: {get_attr: [NodeTLSData, cert_modulus_md5]} - os_collect_config: - description: The os-collect-config configuration associated with this server resource - value: {get_attr: [Controller, os_collect_config]} diff --git a/puppet/extraconfig/tls/tls-cert-inject.yaml b/puppet/extraconfig/tls/tls-cert-inject.yaml index 8cba4351..e81b1142 100644 --- a/puppet/extraconfig/tls/tls-cert-inject.yaml +++ b/puppet/extraconfig/tls/tls-cert-inject.yaml @@ -7,6 +7,7 @@ description: > parameters: # Can be overridden via parameter_defaults in the environment SSLCertificate: + default: '' description: > The content of the SSL certificate (without Key) in PEM format. type: string diff --git a/puppet/role.role.j2.yaml b/puppet/role.role.j2.yaml index 23d8896e..5453e65c 100644 --- a/puppet/role.role.j2.yaml +++ b/puppet/role.role.j2.yaml 
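Review bot: Adding `default: ''` to SSLCertificate means a stack no longer fails validation when no certificate is supplied, so whatever consumes this parameter further down tls-cert-inject.yaml (outside the hunk) must now cope with an empty PEM string instead of a guaranteed certificate body. If that consumer writes the value straight to the certificate path, an empty file would presumably be installed without any error, so a condition on the empty string, or an explicit check before writing, would make the intended behaviour visible in the template. At minimum the description should state what the empty default means, e.g. `Defaults to an empty string when no certificate is provided.`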
@@ -1,27 +1,40 @@ -{# ## Some variables are set to enable rendering backwards compatible templates #} -{# ## where a few parameter/resource names don't match the expected pattern #} -{# ## FIXME: we need some way to deprecate the old inconsistent parameters #} -{%- if role.name == 'Controller' -%} - {%- set deprecated_extraconfig_param = 'controllerExtraConfig' -%} -{% endif %} +{#- ## Some variables are set to enable rendering backwards compatible templates #} +{#- ## where a few parameter/resource names don't match the expected pattern #} +{#- ## FIXME: we need some way to deprecate the old inconsistent parameters #} +{%- set server_resource_name = role.deprecated_server_resource_name|default(role.name) -%} heat_template_version: pike description: 'OpenStack {{role.name}} node configured by Puppet' parameters: +{%- set default_flavor_name = 'baremetal' %} +{%- if role.deprecated_param_flavor is defined %} + {{role.deprecated_param_flavor}}: + description: DEPRECATED Use Overcloud{{role.name}}Flavor instead. + default: {{default_flavor_name}} + type: string +{%- endif %} Overcloud{{role.name}}Flavor: description: Flavor for the {{role.name}} node. - default: baremetal + default: {{default_flavor_name}} type: string -{% if role.disable_constraints is not defined %} +{%- if role.disable_constraints is not defined %} constraints: - custom_constraint: nova.flavor -{% endif %} +{%- endif %} +{%- set default_image_name = 'overcloud-full' %} +{%- if role.deprecated_param_image is defined %} + {{role.deprecated_param_image}}: + type: string + default: {{default_image_name}} + description: DEPRECATED Use {{role.name}}Image instead +{%- endif %} {{role.name}}Image: type: string - default: overcloud-full -{% if role.disable_constraints is not defined %} + default: {{default_image_name}} + description: The disk image file to use for the role. 
+{%- if role.disable_constraints is not defined %} constraints: - custom_constraint: glance.image -{% endif %} +{%- endif %} ImageUpdatePolicy: default: 'REBUILD_PRESERVE_EPHEMERAL' description: What policy to use when reconstructing instances. REBUILD for rebuilds, REBUILD_PRESERVE_EPHEMERAL to preserve /mnt. @@ -30,13 +43,13 @@ parameters: description: Name of an existing Nova key pair to enable SSH access to the instances type: string default: default -{% if role.disable_constraints is not defined %} +{%- if role.disable_constraints is not defined %} constraints: - custom_constraint: nova.keypair -{% endif %} +{%- endif %} NeutronPhysicalBridge: default: 'br-ex' - description: An OVS bridge to create for accessing tenant networks. + description: An OVS bridge to create for accessing external networks. type: string NeutronPublicInterface: default: nic1 @@ -76,8 +89,8 @@ parameters: description: | Role specific additional hiera configuration to inject into the cluster. type: json -{%- if deprecated_extraconfig_param is defined %} - {{deprecated_extraconfig_param}}: +{%- if role.deprecated_param_extraconfig is defined %} + {{role.deprecated_param_extraconfig}}: default: {} description: | DEPRECATED use {{role.name}}ExtraConfig instead @@ -86,6 +99,12 @@ parameters: {{role.name}}IPs: default: {} type: json +{%- if role.deprecated_param_ips is defined %} + {{role.deprecated_param_ips}}: + default: {} + description: DEPRECATED - use {{role.name}}IPs instead + type: json +{%- endif %} NetworkDeploymentActions: type: comma_delimited_list description: > @@ -112,6 +131,12 @@ parameters: role-specific and is merged with the values given to the ServerMetadata parameter. type: json +{%- if role.deprecated_param_metadata is defined %} + {{role.deprecated_param_metadata}}: + default: {} + description: DEPRECATED - use {{role.name}}ServerMetadata instead + type: json +{%- endif %} ServerMetadata: default: {} description: 
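Review bot: The templated defaults in the new deprecated-parameter blocks are emitted unquoted (`default: {{default_flavor_name}}`, `default: {{default_image_name}}`), so the rendered YAML only stays a string because the current constants happen to be plain words; the same unquoted expansion is used in the `equals` comparisons of the conditions hunk later in this file. Quoting them, `default: '{{default_flavor_name}}'` and `default: '{{default_image_name}}'`, keeps the value a string should a future default look like a number or boolean to the YAML loader. The DEPRECATED descriptions added across the parameter hunks also use three different wordings (`DEPRECATED Use ... instead.`, `DEPRECATED Use ... instead`, `DEPRECATED - use ... instead`); one form would be easier to grep for when the parameters are finally removed.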
> @@ -123,6 +148,12 @@ parameters: type: json description: Optional scheduler hints to pass to nova default: {} +{%- if role.deprecated_param_scheduler_hints is defined %} + {{role.deprecated_param_scheduler_hints}}: + type: json + description: DEPRECATED - use {{role.name}}SchedulerHints instead + default: {} +{%- endif %} NodeIndex: type: number default: 0 @@ -202,12 +233,16 @@ parameters: object: 0 default: {} -{% if deprecated_extraconfig_param is defined %} +{% if role.uses_deprecated_params is defined %} parameter_groups: - label: deprecated description: Do not use deprecated params, they will be removed. parameters: - - {{deprecated_extraconfig_param}} +{%- for property in role %} +{%- if property.startswith('deprecated_param_') %} + - {{role[property]}} +{%- endif %} +{%- endfor %} {%- endif %} conditions: 
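Review bot: The guard `{% if role.uses_deprecated_params is defined %}` tests presence rather than truth, so a roles file that sets `uses_deprecated_params: false` still renders the deprecated parameter_groups entry; `{% if role.uses_deprecated_params %}` would honour the value. The group body is produced by looping over every `deprecated_param_*` key of the role, so a role that sets the flag but defines no such key renders `parameters:` with nothing under it, which YAML reads as null rather than a list and Heat's parameter_groups validation would likely reject. Deriving the whole group from the loop (emit it only when at least one `deprecated_param_*` key exists) would remove the flag and that failure mode together.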
@@ -222,18 +257,48 @@ conditions: - DeploymentSwiftDataMap - {get_param: Hostname} - "" +{%- if role.deprecated_param_image is defined %} + deprecated_param_image_set: + not: + equals: + - {get_param: {{role.deprecated_param_image}}} + - {{default_image_name}} +{%- endif %} +{%- if role.deprecated_param_flavor is defined %} + deprecated_param_flavor_set: + not: + equals: + - {get_param: {{role.deprecated_param_flavor}}} + - {{default_flavor_name}} +{%- endif %} resources: - {{role.name}}: + {{server_resource_name}}: type: OS::TripleO::{{role.name}}Server metadata: os-collect-config: command: {get_param: ConfigCommand} splay: {get_param: ConfigCollectSplay} properties: - image: {get_param: {{role.name}}Image} + image: +{%- if role.deprecated_param_image is defined %} + if: + - deprecated_param_image_set + - {get_param: {{role.deprecated_param_image}}} + - {get_param: {{role.name}}Image} +{%- else %} + get_param: {{role.name}}Image +{%- endif %} image_update_policy: {get_param: ImageUpdatePolicy} - flavor: {get_param: Overcloud{{role.name}}Flavor} + flavor: +{%- if role.deprecated_param_flavor is defined %} + if: + - deprecated_param_flavor_set + - {get_param: {{role.deprecated_param_flavor}}} + - {get_param: Overcloud{{role.name}}Flavor} +{%- else %} + get_param: Overcloud{{role.name}}Flavor +{%- endif %} key_name: {get_param: KeyName} networks: - network: ctlplane 
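Review bot: The new `deprecated_param_image_set` and `deprecated_param_flavor_set` conditions make the deprecated parameter win whenever it holds a non-default value, even when the operator has also set the replacement {{role.name}}Image or Overcloud{{role.name}}Flavor, and nothing in the rendered template records that precedence. The DEPRECATED descriptions in the parameters hunk near the top of the file are the place to state it, e.g. `description: DEPRECATED Use {{role.name}}Image instead; a non-default value here takes precedence over {{role.name}}Image.` Note that this precedence is the reverse of the `map_merge` ordering used for the metadata, scheduler-hints and IP-pool parameters later in the file, where the replacement parameter is merged last and therefore wins; a short comment above the two `if:` blocks explaining why the image and flavor case differs would help the next maintainer. The enclosing `{{server_resource_name}}` resource continues past the end of this hunk.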
@@ -247,9 +312,17 @@ resources: metadata: map_merge: - {get_param: ServerMetadata} +{%- if role.deprecated_param_metadata is defined %} + - {get_param: {{role.deprecated_param_metadata}}} +{%- endif %} - {get_param: {{role.name}}ServerMetadata} - {get_param: ServiceMetadataSettings} - scheduler_hints: {get_param: {{role.name}}SchedulerHints} + scheduler_hints: + map_merge: +{%- if role.deprecated_param_scheduler_hints is defined %} + - {get_param: {{role.deprecated_param_scheduler_hints}}} +{%- endif %} + - {get_param: {{role.name}}SchedulerHints} deployment_swift_data: if: - deployment_swift_data_map_unset @@ -288,15 +361,20 @@ resources: {{network.name}}Port: type: OS::TripleO::{{role.name}}::Ports::{{network.name}}Port properties: - ControlPlaneIP: {get_attr: [{{role.name}}, networks, ctlplane, 0]} - IPPool: {get_param: {{role.name}}IPs} + ControlPlaneIP: {get_attr: [{{server_resource_name}}, networks, ctlplane, 0]} + IPPool: + map_merge: +{%- if role.deprecated_param_ips is defined %} + - {get_param: {{role.deprecated_param_ips}}} +{%- endif %} + - {get_param: {{role.name}}IPs} NodeIndex: {get_param: NodeIndex} {%- endfor %} NetworkConfig: type: OS::TripleO::{{role.name}}::Net::SoftwareConfig properties: - ControlPlaneIp: {get_attr: [{{role.name}}, networks, ctlplane, 0]} + ControlPlaneIp: {get_attr: [{{server_resource_name}}, networks, ctlplane, 0]} {%- for network in networks %} {{network.name}}IpSubnet: {get_attr: [{{network.name}}Port, ip_subnet]} {%- endfor %} @@ -304,7 +382,7 @@ resources: NetIpMap: type: OS::TripleO::Network::Ports::NetIpMap properties: - ControlPlaneIp: {get_attr: [{{role.name}}, networks, ctlplane, 0]} + ControlPlaneIp: {get_attr: [{{server_resource_name}}, networks, ctlplane, 0]} {%- for network in networks %} {{network.name}}Ip: {get_attr: [{{network.name}}Port, ip_address]} {{network.name}}IpSubnet: {get_attr: [{{network.name}}Port, ip_subnet]} 
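Review bot: In the new `map_merge` blocks the deprecated parameter is listed first and the role-named parameter last, so on a key clash the replacement parameter wins here, which is the opposite of the image/flavor handling in the conditions hunk above, where a non-default deprecated value takes precedence. The IPPool merge in the second hunk on this line has an extra caveat: map_merge is shallow, and the IPs parameter is a network-name to list-of-IPs map (see the ControllerIPs description in the deleted controller-role.yaml), so a network key present in both parameters is replaced wholesale by the list from {{role.name}}IPs rather than combined. A one-line comment above each merge, e.g. `# {{role.name}}IPs overrides the deprecated parameter per network key (shallow merge)`, would make that explicit. The `{{server_resource_name}}` resource and the per-network port loop both begin outside these hunks.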
@@ -320,91 +398,91 @@ resources: fqdn: list_join: - '.' - - - {get_attr: [{{role.name}}, name]} + - - {get_attr: [{{server_resource_name}}, name]} - external - {get_param: CloudDomain} short: list_join: - '.' - - - {get_attr: [{{role.name}}, name]} + - - {get_attr: [{{server_resource_name}}, name]} - external internal_api: fqdn: list_join: - '.' - - - {get_attr: [{{role.name}}, name]} + - - {get_attr: [{{server_resource_name}}, name]} - internalapi - {get_param: CloudDomain} short: list_join: - '.' - - - {get_attr: [{{role.name}}, name]} + - - {get_attr: [{{server_resource_name}}, name]} - internalapi storage: fqdn: list_join: - '.' - - - {get_attr: [{{role.name}}, name]} + - - {get_attr: [{{server_resource_name}}, name]} - storage - {get_param: CloudDomain} short: list_join: - '.' - - - {get_attr: [{{role.name}}, name]} + - - {get_attr: [{{server_resource_name}}, name]} - storage storage_mgmt: fqdn: list_join: - '.' - - - {get_attr: [{{role.name}}, name]} + - - {get_attr: [{{server_resource_name}}, name]} - storagemgmt - {get_param: CloudDomain} short: list_join: - '.' - - - {get_attr: [{{role.name}}, name]} + - - {get_attr: [{{server_resource_name}}, name]} - storagemgmt tenant: fqdn: list_join: - '.' - - - {get_attr: [{{role.name}}, name]} + - - {get_attr: [{{server_resource_name}}, name]} - tenant - {get_param: CloudDomain} short: list_join: - '.' - - - {get_attr: [{{role.name}}, name]} + - - {get_attr: [{{server_resource_name}}, name]} - tenant management: fqdn: list_join: - '.' - - - {get_attr: [{{role.name}}, name]} + - - {get_attr: [{{server_resource_name}}, name]} - management - {get_param: CloudDomain} short: list_join: - '.' - - - {get_attr: [{{role.name}}, name]} + - - {get_attr: [{{server_resource_name}}, name]} - management ctlplane: fqdn: list_join: - '.' - - - {get_attr: [{{role.name}}, name]} + - - {get_attr: [{{server_resource_name}}, name]} - ctlplane - {get_param: CloudDomain} short: list_join: - '.' 
- - - {get_attr: [{{role.name}}, name]} + - - {get_attr: [{{server_resource_name}}, name]} - ctlplane PreNetworkConfig: type: OS::TripleO::{{role.name}}::PreNetworkConfig properties: - server: {get_resource: {{role.name}}} + server: {get_resource: {{server_resource_name}}} RoleParameters: {get_param: RoleParameters} ServiceNames: {get_param: ServiceNames} deployment_actions: {get_attr: [DeploymentActions, value]} @@ -415,7 +493,7 @@ resources: properties: name: NetworkDeployment config: {get_resource: NetworkConfig} - server: {get_resource: {{role.name}}} + server: {get_resource: {{server_resource_name}}} actions: {get_param: NetworkDeploymentActions} input_values: bridge_name: {get_param: NeutronPhysicalBridge} @@ -426,7 +504,7 @@ resources: - {get_param: NetworkDeploymentActions} - [] - {{role.name}}UpgradeInitConfig: + {{server_resource_name}}UpgradeInitConfig: type: OS::Heat::SoftwareConfig properties: group: script 
@@ -440,26 +518,26 @@ resources: # Note we may be able to make this conditional on UpgradeInitCommandNotEmpty # but https://bugs.launchpad.net/heat/+bug/1649900 needs fixing first - {{role.name}}UpgradeInitDeployment: + {{server_resource_name}}UpgradeInitDeployment: type: OS::Heat::SoftwareDeployment depends_on: NetworkDeployment properties: - name: {{role.name}}UpgradeInitDeployment - server: {get_resource: {{role.name}}} - config: {get_resource: {{role.name}}UpgradeInitConfig} + name: {{server_resource_name}}UpgradeInitDeployment + server: {get_resource: {{server_resource_name}}} + config: {get_resource: {{server_resource_name}}UpgradeInitConfig} actions: if: - server_not_blacklisted - ['CREATE', 'UPDATE'] - [] - {{role.name}}Deployment: + {{server_resource_name}}Deployment: type: OS::Heat::StructuredDeployment - depends_on: {{role.name}}UpgradeInitDeployment + depends_on: {{server_resource_name}}UpgradeInitDeployment properties: - name: {{role.name}}Deployment - config: {get_resource: {{role.name}}Config} - server: {get_resource: {{role.name}}} + name: {{server_resource_name}}Deployment + config: {get_resource: {{server_resource_name}}Config} + server: {get_resource: {{server_resource_name}}} input_values: enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]} actions: @@ -468,7 +546,7 @@ resources: - ['CREATE', 'UPDATE'] - [] - {{role.name}}Config: + {{server_resource_name}}Config: type: OS::Heat::StructuredConfig properties: group: hiera 
@@ -486,6 +564,13 @@ resources: - all_nodes # provided by allNodesConfig - vip_data # provided by allNodesConfig - '"%{::osfamily}"' + # The following are required for compatibility with the Controller role + # where some vendor integrations added hieradata via ExtraConfigPre + - neutron_bigswitch_data # Optionally provided by Controller/ComputeExtraConfigPre + - neutron_cisco_data # Optionally provided by Controller/ComputeExtraConfigPre + - cisco_n1kv_data # Optionally provided by Controller/ComputeExtraConfigPre + - midonet_data #Optionally provided by AllNodesExtraConfig + - cisco_aci_data # Optionally provided by Controller/ComputeExtraConfigPre merge_behavior: deeper datafiles: service_names: @@ -497,10 +582,10 @@ resources: - values: {get_attr: [NetIpMap, net_ip_map]} {{role.name.lower()}}_extraconfig: map_merge: -{%- if deprecated_extraconfig_param is defined %} - - {get_param: {{deprecated_extraconfig_param}}} +{%- if role.deprecated_param_extraconfig is defined %} + - {get_param: {{role.deprecated_param_extraconfig}}} {%- endif %} - - {get_param: {{role.name}}ExtraConfig} + - {get_param: {{server_resource_name}}ExtraConfig} extraconfig: {get_param: ExtraConfig} {{role.name.lower()}}: tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade} 
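Review bot: The extraconfig merge now reads `{get_param: {{server_resource_name}}ExtraConfig}` while the rest of this template still names role parameters by `{{role.name}}` (`{{role.name}}Image`, `{{role.name}}IPs`, `{{role.name}}SchedulerHints`), and the deprecated extraconfig parameter is already merged on the line above. For a role where `server_resource_name` differs from `role.name` (the compatibility case the rename exists for) this resolves to a differently named parameter: if it is not declared, stack validation fails, and if it coincides with `role.deprecated_param_extraconfig` the same map is merged twice while `{{role.name}}ExtraConfig` is silently ignored. Unless a parameter named after the server resource is declared (the parameters section is outside this hunk), this line should read `- {get_param: {{role.name}}ExtraConfig}`. The enclosing StructuredConfig resource starts before this hunk.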
@@ -513,16 +598,13 @@ resources: fqdn_management: {get_attr: [NetHostMap, value, management, fqdn]} fqdn_ctlplane: {get_attr: [NetHostMap, value, ctlplane, fqdn]} fqdn_external: {get_attr: [NetHostMap, value, external, fqdn]} - {%- if 'primary' in role.tags and 'controller' in role.tags %} - tripleo::haproxy::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]} - {%- endif -%} # Resource for site-specific injection of root certificate NodeTLSCAData: depends_on: NetworkDeployment type: OS::TripleO::NodeTLSCAData properties: - server: {get_resource: {{role.name}}} + server: {get_resource: {{server_resource_name}}} {%- if 'primary' in role.tags and 'controller' in role.tags %} # Resource for site-specific passing of private keys/certificates @@ -530,19 +612,19 @@ resources: depends_on: NodeTLSCAData type: OS::TripleO::NodeTLSData properties: - server: {get_resource: {{role.name}}} + server: {get_resource: {{server_resource_name}}} NodeIndex: {get_param: NodeIndex} {%- endif -%} # Hook for site-specific additional pre-deployment config, e.g extra hieradata {{role.name}}ExtraConfigPre: - depends_on: {{role.name}}Deployment + depends_on: {{server_resource_name}}Deployment type: OS::TripleO::{{role.name}}ExtraConfigPre # We have to use conditions here so that we don't break backwards # compatibility with templates everywhere condition: server_not_blacklisted properties: - server: {get_resource: {{role.name}}} + server: {get_resource: {{server_resource_name}}} # Hook for site-specific additional pre-deployment config, # applying to all nodes, e.g node registration/unregistration @@ -559,7 +641,7 @@ resources: # compatibility with templates everywhere condition: server_not_blacklisted properties: - server: {get_resource: {{role.name}}} + server: {get_resource: {{server_resource_name}}} UpdateConfig: type: OS::TripleO::Tasks::PackageUpdate 
@@ -570,7 +652,7 @@ resources: properties: name: UpdateDeployment config: {get_resource: UpdateConfig} - server: {get_resource: {{role.name}}} + server: {get_resource: {{server_resource_name}}} input_values: update_identifier: get_param: UpdateIdentifier @@ -591,18 +673,18 @@ resources: SshHostPubKey: type: OS::TripleO::Ssh::HostPubKey - depends_on: {{role.name}}Deployment + depends_on: {{server_resource_name}}Deployment properties: - server: {get_resource: {{role.name}}} + server: {get_resource: {{server_resource_name}}} deployment_actions: {get_attr: [DeploymentActions, value]} outputs: ip_address: description: IP address of the server in the ctlplane network - value: {get_attr: [{{role.name}}, networks, ctlplane, 0]} + value: {get_attr: [{{server_resource_name}}, networks, ctlplane, 0]} hostname: description: Hostname of the server - value: {get_attr: [{{role.name}}, name]} + value: {get_attr: [{{server_resource_name}}, name]} hostname_map: description: Mapping of network names to hostnames value: @@ -622,12 +704,12 @@ outputs: params: PRIMARYIP: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, {{role.name}}HostnameResolveNetwork]}]} DOMAIN: {get_param: CloudDomain} - PRIMARYHOST: {get_attr: [{{role.name}}, name]} + PRIMARYHOST: {get_attr: [{{server_resource_name}}, name]} {%- for network in networks %} {{network.name}}IP: {get_attr: [{{network.name}}Port, ip_address]} {{network.name}}HOST: {get_attr: [NetHostMap, value, {{network.name_lower|default(network.name.lower())}}, short]} {%- endfor %} - CTLPLANEIP: {get_attr: [{{role.name}}, networks, ctlplane, 0]} + CTLPLANEIP: {get_attr: [{{server_resource_name}}, networks, ctlplane, 0]} CTLPLANEHOST: {get_attr: [NetHostMap, value, ctlplane, short]} known_hosts_entry: description: Entry for ssh known hosts 
@@ -641,18 +723,18 @@ CTLPLANEIP,CTLPLANEHOST.DOMAIN,CTLPLANEHOST HOSTSSHPUBKEY" params: PRIMARYIP: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, {{role.name}}HostnameResolveNetwork]}]} DOMAIN: {get_param: CloudDomain} - PRIMARYHOST: {get_attr: [{{role.name}}, name]} + PRIMARYHOST: {get_attr: [{{server_resource_name}}, name]} {%- for network in networks %} {{network.name}}IP: {get_attr: [{{network.name}}Port, ip_address]} {{network.name}}HOST: {get_attr: [NetHostMap, value, {{network.name_lower|default(network.name.lower())}}, short]} {%- endfor %} - CTLPLANEIP: {get_attr: [{{role.name}}, networks, ctlplane, 0]} + CTLPLANEIP: {get_attr: [{{server_resource_name}}, networks, ctlplane, 0]} CTLPLANEHOST: {get_attr: [NetHostMap, value, ctlplane, short]} HOSTSSHPUBKEY: {get_attr: [SshHostPubKey, ecdsa]} nova_server_resource: description: Heat resource handle for {{role.name}} server value: - {get_resource: {{role.name}}} + {get_resource: {{server_resource_name}}} condition: server_not_blacklisted deployed_server_port_map: description: | @@ -664,7 +746,7 @@ CTLPLANEIP,CTLPLANEHOST.DOMAIN,CTLPLANEHOST HOSTSSHPUBKEY" map_replace: - hostname: fixed_ips: - - ip_address: {get_attr: [{{role.name}}, networks, ctlplane, 0]} + - ip_address: {get_attr: [{{server_resource_name}}, networks, ctlplane, 0]} - keys: hostname: list_join: @@ -682,14 +764,14 @@ CTLPLANEIP,CTLPLANEHOST.DOMAIN,CTLPLANEHOST HOSTSSHPUBKEY" container: str_split: - '/' - - {get_attr: [{{role.name}}, os_collect_config, request, metadata_url]} + - {get_attr: [{{server_resource_name}}, os_collect_config, request, metadata_url]} - 5 object: str_split: - '?' - str_split: - '/' - - {get_attr: [{{role.name}}, os_collect_config, request, metadata_url]} + - {get_attr: [{{server_resource_name}}, os_collect_config, request, metadata_url]} - 6 - 0 - keys: {hostname: {get_param: Hostname}} 
@@ -703,7 +785,7 @@ CTLPLANEIP,CTLPLANEHOST.DOMAIN,CTLPLANEHOST HOSTSSHPUBKEY" {%- endif %} os_collect_config: description: The os-collect-config configuration associated with this server resource - value: {get_attr: [{{role.name}}, os_collect_config]} + value: {get_attr: [{{server_resource_name}}, os_collect_config]} {%- for network in networks %} {{network.name_lower|default(network.name.lower())}}_ip_address: description: IP address of the server in the {{network.name}} network diff --git a/puppet/services/database/mongodb.yaml b/puppet/services/database/mongodb.yaml index 04f34e24..dcead0f7 100644 --- a/puppet/services/database/mongodb.yaml +++ b/puppet/services/database/mongodb.yaml @@ -47,6 +47,11 @@ parameters: EnableInternalTLS: type: boolean default: false + InternalTLSCAFile: + default: '/etc/ipa/ca.crt' + type: string + description: Specifies the default CA cert to use if TLS is used for + services in the internal network. conditions: @@ -98,6 +103,7 @@ outputs: generate_service_certificates: true mongodb::server::ssl: true mongodb::server::ssl_key: '/etc/pki/tls/certs/mongodb.pem' + mongodb::server::ssl_ca: {get_param: InternalTLSCAFile} mongodb_certificate_specs: service_pem: '/etc/pki/tls/certs/mongodb.pem' service_certificate: '/etc/pki/tls/certs/mongodb.crt' diff --git a/puppet/services/haproxy-internal-tls-certmonger.yaml b/puppet/services/haproxy-internal-tls-certmonger.yaml index 3355a0d3..642685a8 100644 --- a/puppet/services/haproxy-internal-tls-certmonger.yaml +++ b/puppet/services/haproxy-internal-tls-certmonger.yaml @@ -30,6 +30,12 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + HAProxyInternalTLSCertsDirectory: + default: '/etc/pki/tls/certs/haproxy' + type: string + HAProxyInternalTLSKeysDirectory: + default: '/etc/pki/tls/private/haproxy' + type: string resources: 
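Review bot: `mongodb::server::ssl_ca` presumably ends up as mongod's `net.ssl.CAFile`; on the MongoDB releases I am aware of, configuring a CA file makes mongod demand a valid client certificate on every TLS connection unless `net.ssl.allowConnectionsWithoutCertificates` is set, so OpenStack services that authenticate with username/password only may start being rejected once internal TLS is enabled. Please confirm against the deployed mongod version and either set the allow-without-certificates option explicitly or record in the hunk why it is unnecessary, e.g. `# CAFile also turns on client-cert validation; clients authenticate by password (see allowConnectionsWithoutCertificates)`. The `InternalTLSCAFile` default of `/etc/ipa/ca.crt` matches the haproxy template, which keeps the CA path consistent across services.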
@@ -55,16 +61,30 @@ outputs: config_settings: generate_service_certificates: true tripleo::haproxy::use_internal_certificates: true - tripleo::certmonger::haproxy_dirs::certificate_dir: '/etc/pki/tls/certs/haproxy' - tripleo::certmonger::haproxy_dirs::key_dir: '/etc/pki/tls/private/haproxy' + tripleo::certmonger::haproxy_dirs::certificate_dir: + get_param: HAProxyInternalTLSCertsDirectory + tripleo::certmonger::haproxy_dirs::key_dir: + get_param: HAProxyInternalTLSKeysDirectory certificates_specs: map_merge: repeat: template: haproxy-NETWORK: - service_pem: '/etc/pki/tls/certs/haproxy/overcloud-haproxy-NETWORK.pem' - service_certificate: '/etc/pki/tls/certs/haproxy/overcloud-haproxy-NETWORK.crt' - service_key: '/etc/pki/tls/private/haproxy/overcloud-haproxy-NETWORK.key' + service_pem: + list_join: + - '' + - - {get_param: HAProxyInternalTLSCertsDirectory} + - '/overcloud-haproxy-NETWORK.pem' + service_certificate: + list_join: + - '' + - - {get_param: HAProxyInternalTLSCertsDirectory} + - '/overcloud-haproxy-NETWORK.crt' + service_key: + list_join: + - '' + - - {get_param: HAProxyInternalTLSKeysDirectory} + - '/overcloud-haproxy-NETWORK.key' hostname: "%{hiera('cloud_name_NETWORK')}" postsave_cmd: "" # TODO principal: "haproxy/%{hiera('cloud_name_NETWORK')}" diff --git a/puppet/services/haproxy-public-tls-certmonger.yaml b/puppet/services/haproxy-public-tls-certmonger.yaml index f1739f78..b2766c44 100644 --- a/puppet/services/haproxy-public-tls-certmonger.yaml +++ b/puppet/services/haproxy-public-tls-certmonger.yaml @@ -30,6 +30,12 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + HAProxyInternalTLSCertsDirectory: + default: '/etc/pki/tls/certs/haproxy' + type: string + HAProxyInternalTLSKeysDirectory: + default: '/etc/pki/tls/private/haproxy' + type: string outputs: role_data: 
@@ -38,14 +44,32 @@ outputs: service_name: haproxy_public_tls_certmonger config_settings: generate_service_certificates: true - tripleo::haproxy::service_certificate: '/etc/pki/tls/certs/haproxy/overcloud-haproxy-external.pem' - tripleo::certmonger::haproxy_dirs::certificate_dir: '/etc/pki/tls/certs/haproxy' - tripleo::certmonger::haproxy_dirs::key_dir: '/etc/pki/tls/private/haproxy' + tripleo::haproxy::service_certificate: + list_join: + - '' + - - {get_param: HAProxyInternalTLSCertsDirectory} + - '/overcloud-haproxy-external.pem' + tripleo::certmonger::haproxy_dirs::certificate_dir: + get_param: HAProxyInternalTLSCertsDirectory + tripleo::certmonger::haproxy_dirs::key_dir: + get_param: HAProxyInternalTLSKeysDirectory certificates_specs: haproxy-external: - service_pem: '/etc/pki/tls/certs/haproxy/overcloud-haproxy-external.pem' - service_certificate: '/etc/pki/tls/certs/haproxy/overcloud-haproxy-external.crt' - service_key: '/etc/pki/tls/private/haproxy/overcloud-haproxy-external.key' + service_pem: + list_join: + - '' + - - {get_param: HAProxyInternalTLSCertsDirectory} + - '/overcloud-haproxy-external.pem' + service_certificate: + list_join: + - '' + - - {get_param: HAProxyInternalTLSCertsDirectory} + - '/overcloud-haproxy-external.crt' + service_key: + list_join: + - '' + - - {get_param: HAProxyInternalTLSKeysDirectory} + - '/overcloud-haproxy-external.key' hostname: "%{hiera('cloud_name_external')}" postsave_cmd: "" # TODO principal: "haproxy/%{hiera('cloud_name_external')}" diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml index a37135da..6b2d028f 100644 --- a/puppet/services/haproxy.yaml +++ b/puppet/services/haproxy.yaml 
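Review bot: The public-TLS certmonger template declares and uses `HAProxyInternalTLSCertsDirectory` / `HAProxyInternalTLSKeysDirectory` for the external endpoint certificate, under the same names as the internal template. Heat resolves `parameter_defaults` by name, so an operator who relocates the internal certificate directory also moves the public `overcloud-haproxy-external.pem`/`.key`, and the name misleads about which endpoint is affected. Unless sharing one directory is deliberate, rename these to `HAProxyPublicTLSCertsDirectory` / `HAProxyPublicTLSKeysDirectory` with the same defaults, or add a comment stating that both templates intentionally share the haproxy certificate and key directories. `tripleo::certmonger::haproxy_dirs::*` is also set by both templates; that is harmless while the values are equal but is another place that can drift.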
@@ -57,6 +57,16 @@ parameters: MonitoringSubscriptionHaproxy: default: 'overcloud-haproxy' type: string + SSLCertificate: + default: '' + description: > + The content of the SSL certificate (without Key) in PEM format. + type: string + DeployedSSLCertificatePath: + default: '/etc/pki/tls/private/overcloud_endpoint.pem' + description: > + The filepath of the certificate as it will be stored in the controller. + type: string InternalTLSCAFile: default: '/etc/ipa/ca.crt' type: string @@ -68,6 +78,14 @@ parameters: description: Specifies the default CRL PEM file to use for revocation if TLS is used for services in the internal network. +conditions: + + public_tls_enabled: + not: + equals: + - {get_param: SSLCertificate} + - "" + resources: HAProxyPublicTLS: @@ -98,8 +116,6 @@ outputs: monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy} config_settings: map_merge: - - get_attr: [HAProxyPublicTLS, role_data, config_settings] - - get_attr: [HAProxyInternalTLS, role_data, config_settings] - tripleo.haproxy.firewall_rules: '107 haproxy stats': dport: 1993 @@ -115,6 +131,12 @@ outputs: map_merge: - get_attr: [HAProxyPublicTLS, role_data, certificates_specs] - get_attr: [HAProxyInternalTLS, role_data, certificates_specs] + - if: + - public_tls_enabled + - tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath} + - {} + - get_attr: [HAProxyPublicTLS, role_data, config_settings] + - get_attr: [HAProxyInternalTLS, role_data, config_settings] step_config: | include ::tripleo::profile::base::haproxy upgrade_tasks: diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index 8796209b..218ba740 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml 
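Review bot: The `if: public_tls_enabled` entry that sets `tripleo::haproxy::service_certificate` to `DeployedSSLCertificatePath` is merged before the `HAProxyPublicTLS` `config_settings`, so when `SSLCertificate` is non-empty and the public certmonger template is also mapped, the certmonger-managed path silently replaces the injected certificate path (later `map_merge` entries win). If that precedence is intended, a comment above the merge such as `# certmonger-managed public certificate takes precedence over an injected SSLCertificate` would make it explicit; otherwise the two options should be made mutually exclusive by a validation. `SSLCertificate` is only used here as a presence flag; the actual file injection happens elsewhere (`tls-cert-inject.yaml` in the diffstat), which is worth stating in the parameter description so nobody expects this template to write the file.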
@@ -178,10 +178,10 @@ parameters: Cron to purge expired tokens - Week Day default: '*' KeystoneCronTokenFlushMaxDelay: - type: string + type: number description: > Cron to purge expired tokens - Max Delay - default: '0' + default: 0 KeystoneCronTokenFlushDestination: type: string description: > diff --git a/puppet/services/neutron-base.yaml b/puppet/services/neutron-base.yaml index b9556890..b6980045 100644 --- a/puppet/services/neutron-base.yaml +++ b/puppet/services/neutron-base.yaml @@ -69,6 +69,12 @@ parameters: networks, neutron uses this value without modification. For overlay networks such as VXLAN, neutron automatically subtracts the overlay protocol overhead from this value. + NeutronDBSyncExtraParams: + default: '' + description: | + String of extra command line parameters to append to the neutron-db-manage + upgrade head command. + type: string ServiceData: default: {} description: Dictionary packing service data @@ -134,6 +140,7 @@ outputs: neutron::db::database_max_retries: -1 neutron::db::sync::db_sync_timeout: {get_param: DatabaseSyncTimeout} neutron::global_physnet_mtu: {get_param: NeutronGlobalPhysnetMtu} + neutron::db::sync::extra_params: {get_param: NeutronDBSyncExtraParams} - if: - dhcp_agents_zero - {} diff --git a/puppet/services/neutron-plugin-ml2-nuage.yaml b/puppet/services/neutron-plugin-ml2-nuage.yaml new file mode 100644 index 00000000..a7dc2e8b --- /dev/null +++ b/puppet/services/neutron-plugin-ml2-nuage.yaml 
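Review bot: `NeutronDBSyncExtraParams` is, per its own description, appended to the `neutron-db-manage upgrade head` command line, so whatever puppet-neutron does with `neutron::db::sync::extra_params` is presumably interpolated into an exec command without validation. The value is deployer-supplied through `parameter_defaults`, so this is not an untrusted-input boundary, but the description should say that the string is passed verbatim and shell-interpreted, e.g. `Passed verbatim to the neutron-db-manage command line; it is not quoted or validated.` The keystone change from `type: string` / `'0'` to `type: number` / `0` should still accept environments that carry the old quoted `'0'`, since Heat coerces numeric strings for number parameters, but that is worth a quick check on an existing environment file.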
@@ -0,0 +1,99 @@ +heat_template_version: pike + +description: > + OpenStack Neutron ML2/Nuage plugin configured with Puppet + +parameters: + ServiceData: + default: {} + description: Dictionary packing service data + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + # Config specific parameters, to be provided via parameter_defaults + NeutronNuageNetPartitionName: + description: Specifies the title that you will see on the VSD + type: string + default: 'default_name' + + NeutronNuageVSDIp: + description: IP address and port of the Virtual Services Directory + type: string + + NeutronNuageVSDUsername: + description: Username to be used to log into VSD + type: string + + NeutronNuageVSDPassword: + description: Password to be used to log into VSD + type: string + + NeutronNuageVSDOrganization: + description: Organization parameter required to log into VSD + type: string + default: 'organization' + + NeutronNuageBaseURIVersion: + description: URI version to be used based on the VSD release + type: string + default: 'default_uri_version' + + NeutronNuageCMSId: + description: Cloud Management System ID (CMS ID) to distinguish between OS instances on the same VSD + type: string + + UseForwardedFor: + description: Treat X-Forwarded-For as the canonical remote address. Only enable this if you have a sanitizing proxy. 
+ type: boolean + default: false + +resources: + + NeutronML2Base: + type: ./neutron-plugin-ml2.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the Neutron ML2/Nuage plugin + value: + service_name: neutron_plugin_ml2_nuage + config_settings: + map_merge: + - get_attr: [NeutronML2Base, role_data, config_settings] + - neutron::plugins::ml2::nuage::nuage_net_partition_name: {get_param: NeutronNuageNetPartitionName} + neutron::plugins::ml2::nuage::nuage_vsd_ip: {get_param: NeutronNuageVSDIp} + neutron::plugins::ml2::nuage::nuage_vsd_username: {get_param: NeutronNuageVSDUsername} + neutron::plugins::ml2::nuage::nuage_vsd_password: {get_param: NeutronNuageVSDPassword} + neutron::plugins::ml2::nuage::nuage_vsd_organization: {get_param: NeutronNuageVSDOrganization} + neutron::plugins::ml2::nuage::nuage_base_uri_version: {get_param: NeutronNuageBaseURIVersion} + neutron::plugins::ml2::nuage::nuage_cms_id: {get_param: NeutronNuageCMSId} + nova::api::use_forwarded_for: {get_param: UseForwardedFor} + step_config: | + include tripleo::profile::base::neutron::plugins::ml2 diff --git a/puppet/services/neutron-plugin-ml2.yaml b/puppet/services/neutron-plugin-ml2.yaml index dd757b5d..bc91374a 100644 --- a/puppet/services/neutron-plugin-ml2.yaml +++ b/puppet/services/neutron-plugin-ml2.yaml @@ -72,6 +72,10 @@ parameters: default: 'vxlan' description: The tenant network type for Neutron. type: comma_delimited_list + NeutronFirewallDriver: + description: Firewall driver for realizing neutron security group function + type: string + default: 'openvswitch' resources: NeutronBase: 
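Review bot: `NeutronNuageVSDPassword` is declared as a plain `type: string` without `hidden: true`, so the VSD credential is returned in clear text by `openstack stack show`, parameter listings and stack-environment dumps. Add `hidden: true` to that parameter, which is Heat's convention for credential parameters. The `nova::api::use_forwarded_for` setting configured from a Neutron plugin template is surprising enough to deserve a comment explaining why it lives here rather than in a nova service template.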
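Review bot: `NeutronFirewallDriver` defaults to `'openvswitch'` and feeds the server-side ML2 `firewall_driver`; security-group enforcement only works as expected when this agrees with the driver the L2 agent is configured with, which is set outside this hunk. Please confirm the agent default matches and add a comment to the parameter, e.g. `# Must match the firewall_driver configured for the L2 agent; changing it on a deployed cloud affects security-group enforcement for existing ports.` If the previous effective default was `iptables_hybrid`, this also changes behaviour on stack update and deserves a release note.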
@@ -100,6 +104,7 @@ outputs: neutron::plugins::ml2::tunnel_id_ranges: {get_param: NeutronTunnelIdRanges} neutron::plugins::ml2::vni_ranges: {get_param: NeutronVniRanges} neutron::plugins::ml2::tenant_network_types: {get_param: NeutronNetworkType} + neutron::plugins::ml2::firewall_driver: {get_param: NeutronFirewallDriver} step_config: | include ::tripleo::profile::base::neutron::plugins::ml2 diff --git a/puppet/services/nova-compute.yaml b/puppet/services/nova-compute.yaml index 6e1f3f56..36866a3a 100644 --- a/puppet/services/nova-compute.yaml +++ b/puppet/services/nova-compute.yaml @@ -170,6 +170,11 @@ outputs: tripleo::profile::base::nova::migration::client::ssh_port: {get_param: MigrationSshPort} nova::compute::rbd::libvirt_images_rbd_pool: {get_param: NovaRbdPoolName} nova::compute::rbd::libvirt_rbd_user: {get_param: CephClientUserName} + nova::compute::rbd::rbd_keyring: + list_join: + - '.' + - - 'client' + - {get_param: CephClientUserName} tripleo::profile::base::nova::compute::cinder_nfs_backend: {get_param: CinderEnableNfsBackend} rbd_persistent_storage: {get_param: CinderEnableRbdBackend} nova::compute::rbd::libvirt_rbd_secret_key: {get_param: CephClientKey} diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml index e2ae7260..04936c33 100644 --- a/puppet/services/nova-libvirt.yaml +++ b/puppet/services/nova-libvirt.yaml @@ -139,6 +139,11 @@ outputs: # we manage migration in nova common puppet profile nova::compute::libvirt::migration_support: false nova::compute::rbd::libvirt_rbd_user: {get_param: CephClientUserName} + nova::compute::rbd::rbd_keyring: + list_join: + - '.' + - - 'client' + - {get_param: CephClientUserName} nova::compute::rbd::libvirt_rbd_secret_key: {get_param: CephClientKey} nova::compute::rbd::libvirt_rbd_secret_uuid: {get_param: CephClusterFSID} tripleo::profile::base::nova::migration::client::libvirt_enabled: true |
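Review bot: The keyring name is derived by prefixing `client.` to `CephClientUserName` in both the nova-compute.yaml hunk and this nova-libvirt.yaml hunk, so it assumes the parameter holds the bare Ceph user; an operator who already supplies `client.openstack` would get `client.client.openstack` and the key lookup would fail. Since `CephClientUserName` is declared outside these hunks, a comment on the derived value such as `# CephClientUserName is the bare Ceph user; the client. prefix is added here` (or a constraint rejecting values containing a dot) would prevent that. Duplicating the same `list_join` in two templates also invites drift; if they must stay equal, a comment pointing at the sibling template would help.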