diff options
Diffstat (limited to 'puppet')
| -rw-r--r-- | puppet/all-nodes-config.yaml | 18 | ||||
| -rw-r--r-- | puppet/blockstorage-role.yaml | 18 | ||||
| -rw-r--r-- | puppet/cephstorage-role.yaml | 21 | ||||
| -rw-r--r-- | puppet/compute-role.yaml | 21 | ||||
| -rw-r--r-- | puppet/controller-role.yaml | 21 | ||||
| -rw-r--r-- | puppet/objectstorage-role.yaml | 18 | ||||
| -rw-r--r-- | puppet/role.role.j2.yaml | 21 | ||||
| -rw-r--r-- | puppet/services/database/mysql.yaml | 13 | ||||
| -rw-r--r-- | puppet/services/database/redis.yaml | 20 | ||||
| -rw-r--r-- | puppet/services/ironic-api.yaml | 31 | ||||
| -rw-r--r-- | puppet/services/ironic-inspector.yaml | 151 | ||||
| -rw-r--r-- | puppet/services/keystone.yaml | 5 | ||||
| -rw-r--r-- | puppet/services/nova-api.yaml | 2 | ||||
| -rw-r--r-- | puppet/services/ovn-dbs.yaml | 1 | ||||
| -rw-r--r-- | puppet/services/pacemaker/database/mysql.yaml | 7 | ||||
| -rw-r--r-- | puppet/services/pacemaker/ovn-dbs.yaml | 61 | ||||
| -rw-r--r-- | puppet/services/services.yaml | 129 |
17 files changed, 404 insertions, 154 deletions
diff --git a/puppet/all-nodes-config.yaml b/puppet/all-nodes-config.yaml index baafe03d..b1284452 100644 --- a/puppet/all-nodes-config.yaml +++ b/puppet/all-nodes-config.yaml @@ -12,10 +12,8 @@ parameters: type: string cloud_name_ctlplane: type: string - # FIXME(shardy) this can be comma_delimited_list when - # https://bugs.launchpad.net/heat/+bug/1617019 is fixed enabled_services: - type: string + type: comma_delimited_list controller_ips: type: comma_delimited_list logging_groups: @@ -118,7 +116,10 @@ resources: map_merge: - tripleo::profile::base::logging::fluentd::fluentd_sources: {get_param: logging_sources} - tripleo::profile::base::logging::fluentd::fluentd_groups: {get_param: logging_groups} - - enabled_services: {get_param: enabled_services} + - enabled_services: + yaql: + expression: $.data.distinct() + data: {get_param: enabled_services} # This writes out a mapping of service_name_enabled: 'true' # For any services not enabled, hiera foo_enabled will # return nil, as it's undefined @@ -129,8 +130,7 @@ resources: # https://bugs.launchpad.net/heat/+bug/1617203 SERVICE_enabled: 'true' for_each: - SERVICE: - str_split: [',', {get_param: enabled_services}] + SERVICE: {get_param: enabled_services} # Dynamically generate per-service network data # This works as follows (outer->inner functions) # yaql - filters services where no mapping exists in ServiceNetMap @@ -150,8 +150,7 @@ resources: template: SERVICE_network: SERVICE_network for_each: - SERVICE: - str_split: [',', {get_param: enabled_services}] + SERVICE: {get_param: enabled_services} - values: {get_param: ServiceNetMap} # Keystone doesn't provide separate entries for the public # and admin endpoints, so we need to add them here manually @@ -203,8 +202,7 @@ resources: template: SERVICE_vip: SERVICE_network for_each: - SERVICE: - str_split: [',', {get_param: enabled_services}] + SERVICE: {get_param: enabled_services} - values: {get_param: ServiceNetMap} - values: {get_param: NetVipMap} - keystone_admin_api_vip: diff --git a/puppet/blockstorage-role.yaml b/puppet/blockstorage-role.yaml index 08bc03a5..95dcf0b5 100644 --- a/puppet/blockstorage-role.yaml +++ b/puppet/blockstorage-role.yaml @@ -69,8 +69,8 @@ parameters: default: 'localdomain' type: string description: > - The DNS domain used for the hosts. This should match the dhcp_domain - configured in the Undercloud neutron. Defaults to localdomain. + The DNS domain used for the hosts. This must match the + overcloud_domain_name configured on the undercloud. BlockStorageServerMetadata: default: {} description: > @@ -377,6 +377,7 @@ resources: properties: server: {get_resource: BlockStorage} RoleParameters: {get_param: RoleParameters} + deployment_actions: {get_attr: [DeploymentActions, value]} NetworkDeployment: type: OS::TripleO::SoftwareDeployment @@ -485,6 +486,9 @@ resources: NodeExtraConfig: depends_on: NodeTLSCAData type: OS::TripleO::NodeExtraConfig + # We have to use conditions here so that we don't break backwards + # compatibility with templates everywhere + condition: server_not_blacklisted properties: server: {get_resource: BlockStorage} @@ -507,11 +511,21 @@ resources: - ['CREATE', 'UPDATE'] - [] + DeploymentActions: + type: OS::Heat::Value + properties: + value: + if: + - server_not_blacklisted + - ['CREATE', 'UPDATE'] + - [] + SshHostPubKey: type: OS::TripleO::Ssh::HostPubKey depends_on: BlockStorageDeployment properties: server: {get_resource: BlockStorage} + deployment_actions: {get_attr: [DeploymentActions, value]} outputs: ip_address: diff --git a/puppet/cephstorage-role.yaml b/puppet/cephstorage-role.yaml index 3f596423..6674a8ac 100644 --- a/puppet/cephstorage-role.yaml +++ b/puppet/cephstorage-role.yaml @@ -75,8 +75,8 @@ parameters: default: 'localdomain' type: string description: > - The DNS domain used for the hosts. This should match the dhcp_domain - configured in the Undercloud neutron. Defaults to localdomain. + The DNS domain used for the hosts. This must match the + overcloud_domain_name configured on the undercloud. CephStorageServerMetadata: default: {} description: > @@ -383,6 +383,7 @@ resources: properties: server: {get_resource: CephStorage} RoleParameters: {get_param: RoleParameters} + deployment_actions: {get_attr: [DeploymentActions, value]} NetworkDeployment: type: OS::TripleO::SoftwareDeployment @@ -489,6 +490,9 @@ resources: CephStorageExtraConfigPre: depends_on: CephStorageDeployment type: OS::TripleO::CephStorageExtraConfigPre + # We have to use conditions here so that we don't break backwards + # compatibility with templates everywhere + condition: server_not_blacklisted properties: server: {get_resource: CephStorage} @@ -497,6 +501,9 @@ resources: NodeExtraConfig: depends_on: [CephStorageExtraConfigPre, NodeTLSCAData] type: OS::TripleO::NodeExtraConfig + # We have to use conditions here so that we don't break backwards + # compatibility with templates everywhere + condition: server_not_blacklisted properties: server: {get_resource: CephStorage} @@ -518,11 +525,21 @@ resources: - ['CREATE', 'UPDATE'] - [] + DeploymentActions: + type: OS::Heat::Value + properties: + value: + if: + - server_not_blacklisted + - ['CREATE', 'UPDATE'] + - [] + SshHostPubKey: type: OS::TripleO::Ssh::HostPubKey depends_on: CephStorageDeployment properties: server: {get_resource: CephStorage} + deployment_actions: {get_attr: [DeploymentActions, value]} outputs: ip_address: diff --git a/puppet/compute-role.yaml b/puppet/compute-role.yaml index 8a3c487a..37eb98d1 100644 --- a/puppet/compute-role.yaml +++ b/puppet/compute-role.yaml @@ -90,8 +90,8 @@ parameters: default: 'localdomain' type: string description: > - The DNS domain used for the hosts. This should match the dhcp_domain - configured in the Undercloud neutron. Defaults to localdomain. + The DNS domain used for the hosts. This must match the + overcloud_domain_name configured on the undercloud. NovaComputeServerMetadata: default: {} description: > @@ -386,6 +386,7 @@ resources: properties: server: {get_resource: NovaCompute} RoleParameters: {get_param: RoleParameters} + deployment_actions: {get_attr: [DeploymentActions, value]} NetworkConfig: type: OS::TripleO::Compute::Net::SoftwareConfig @@ -512,6 +513,9 @@ resources: ComputeExtraConfigPre: depends_on: NovaComputeDeployment type: OS::TripleO::ComputeExtraConfigPre + # We have to use conditions here so that we don't break backwards + # compatibility with templates everywhere + condition: server_not_blacklisted properties: server: {get_resource: NovaCompute} @@ -520,6 +524,9 @@ resources: NodeExtraConfig: depends_on: [ComputeExtraConfigPre, NodeTLSCAData] type: OS::TripleO::NodeExtraConfig + # We have to use conditions here so that we don't break backwards + # compatibility with templates everywhere + condition: server_not_blacklisted properties: server: {get_resource: NovaCompute} @@ -542,11 +549,21 @@ resources: update_identifier: get_param: UpdateIdentifier + DeploymentActions: + type: OS::Heat::Value + properties: + value: + if: + - server_not_blacklisted + - ['CREATE', 'UPDATE'] + - [] + SshHostPubKey: type: OS::TripleO::Ssh::HostPubKey depends_on: NovaComputeDeployment properties: server: {get_resource: NovaCompute} + deployment_actions: {get_attr: [DeploymentActions, value]} outputs: ip_address: diff --git a/puppet/controller-role.yaml b/puppet/controller-role.yaml index 6bc23669..01f54df0 100644 --- a/puppet/controller-role.yaml +++ b/puppet/controller-role.yaml @@ -104,8 +104,8 @@ parameters: default: 'localdomain' type: string description: > - The DNS domain used for the hosts. This should match the dhcp_domain - configured in the Undercloud neutron. Defaults to localdomain. + The DNS domain used for the hosts. This must match the + overcloud_domain_name configured on the undercloud. ControllerServerMetadata: default: {} description: > @@ -406,6 +406,7 @@ resources: properties: server: {get_resource: Controller} RoleParameters: {get_param: RoleParameters} + deployment_actions: {get_attr: [DeploymentActions, value]} NetworkConfig: type: OS::TripleO::Controller::Net::SoftwareConfig @@ -552,6 +553,9 @@ resources: ControllerExtraConfigPre: depends_on: ControllerDeployment type: OS::TripleO::ControllerExtraConfigPre + # We have to use conditions here so that we don't break backwards + # compatibility with templates everywhere + condition: server_not_blacklisted properties: server: {get_resource: Controller} @@ -560,6 +564,9 @@ resources: NodeExtraConfig: depends_on: [ControllerExtraConfigPre, NodeTLSData] type: OS::TripleO::NodeExtraConfig + # We have to use conditions here so that we don't break backwards + # compatibility with templates everywhere + condition: server_not_blacklisted properties: server: {get_resource: Controller} @@ -582,11 +589,21 @@ resources: update_identifier: get_param: UpdateIdentifier + DeploymentActions: + type: OS::Heat::Value + properties: + value: + if: + - server_not_blacklisted + - ['CREATE', 'UPDATE'] + - [] + SshHostPubKey: type: OS::TripleO::Ssh::HostPubKey depends_on: ControllerDeployment properties: server: {get_resource: Controller} + deployment_actions: {get_attr: [DeploymentActions, value]} outputs: ip_address: diff --git a/puppet/objectstorage-role.yaml b/puppet/objectstorage-role.yaml index c35bb250..e6348420 100644 --- a/puppet/objectstorage-role.yaml +++ b/puppet/objectstorage-role.yaml @@ -69,8 +69,8 @@ parameters: default: 'localdomain' type: string description: > - The DNS domain used for the hosts. This should match the dhcp_domain - configured in the Undercloud neutron. Defaults to localdomain. + The DNS domain used for the hosts. This must match the + overcloud_domain_name configured on the undercloud. SwiftStorageServerMetadata: default: {} description: > @@ -377,6 +377,7 @@ resources: properties: server: {get_resource: SwiftStorage} RoleParameters: {get_param: RoleParameters} + deployment_actions: {get_attr: [DeploymentActions, value]} NetworkDeployment: type: OS::TripleO::SoftwareDeployment @@ -485,6 +486,9 @@ resources: NodeExtraConfig: depends_on: NodeTLSCAData type: OS::TripleO::NodeExtraConfig + # We have to use conditions here so that we don't break backwards + # compatibility with templates everywhere + condition: server_not_blacklisted properties: server: {get_resource: SwiftStorage} @@ -506,11 +510,21 @@ resources: - ['CREATE', 'UPDATE'] - [] + DeploymentActions: + type: OS::Heat::Value + properties: + value: + if: + - server_not_blacklisted + - ['CREATE', 'UPDATE'] + - [] + SshHostPubKey: type: OS::TripleO::Ssh::HostPubKey depends_on: SwiftStorageHieraDeploy properties: server: {get_resource: SwiftStorage} + deployment_actions: {get_attr: [DeploymentActions, value]} outputs: ip_address: diff --git a/puppet/role.role.j2.yaml b/puppet/role.role.j2.yaml index b7f47594..4911fbe9 100644 --- a/puppet/role.role.j2.yaml +++ b/puppet/role.role.j2.yaml @@ -85,8 +85,8 @@ parameters: default: 'localdomain' type: string description: > - The DNS domain used for the hosts. This should match the dhcp_domain - configured in the Undercloud neutron. Defaults to localdomain. + The DNS domain used for the hosts. This must match the + overcloud_domain_name configured on the undercloud. {{role}}ServerMetadata: default: {} description: > @@ -399,6 +399,7 @@ resources: properties: server: {get_resource: {{role}}} RoleParameters: {get_param: RoleParameters} + deployment_actions: {get_attr: [DeploymentActions, value]} NetworkDeployment: type: OS::TripleO::SoftwareDeployment @@ -511,6 +512,9 @@ resources: {{role}}ExtraConfigPre: depends_on: {{role}}Deployment type: OS::TripleO::{{role}}ExtraConfigPre + # We have to use conditions here so that we don't break backwards + # compatibility with templates everywhere + condition: server_not_blacklisted properties: server: {get_resource: {{role}}} @@ -519,6 +523,9 @@ resources: NodeExtraConfig: depends_on: [{{role}}ExtraConfigPre, NodeTLSCAData] type: OS::TripleO::NodeExtraConfig + # We have to use conditions here so that we don't break backwards + # compatibility with templates everywhere + condition: server_not_blacklisted properties: server: {get_resource: {{role}}} @@ -541,11 +548,21 @@ resources: - ['CREATE', 'UPDATE'] - [] + DeploymentActions: + type: OS::Heat::Value + properties: + value: + if: + - server_not_blacklisted + - ['CREATE', 'UPDATE'] + - [] + SshHostPubKey: type: OS::TripleO::Ssh::HostPubKey depends_on: {{role}}Deployment properties: server: {get_resource: {{role}}} + deployment_actions: {get_attr: [DeploymentActions, value]} outputs: ip_address: diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml index 2bde9033..882ba299 100644 --- a/puppet/services/database/mysql.yaml +++ b/puppet/services/database/mysql.yaml @@ -118,6 +118,16 @@ outputs: template: "%{hiera('cloud_name_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} + dnsnames: + - str_replace: + template: "%{hiera('cloud_name_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} + - str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} principal: str_replace: template: "mysql/%{hiera('cloud_name_NETWORK')}" @@ -132,6 +142,9 @@ outputs: - service: mysql network: {get_param: [ServiceNetMap, MysqlNetwork]} type: vip + - service: mysql + network: {get_param: [ServiceNetMap, MysqlNetwork]} + type: node - null upgrade_tasks: - name: Check for galera root password diff --git a/puppet/services/database/redis.yaml b/puppet/services/database/redis.yaml index df406a8c..9567a73f 100644 --- a/puppet/services/database/redis.yaml +++ b/puppet/services/database/redis.yaml @@ -52,3 +52,23 @@ outputs: - 26379 step_config: | include ::tripleo::profile::base::database::redis + upgrade_tasks: + - name: Check if redis is deployed + command: systemctl is-enabled redis + tags: common + ignore_errors: True + register: redis_enabled + - name: "PreUpgrade step0,validation: Check if redis is running" + shell: > + /usr/bin/systemctl show 'redis' --property ActiveState | + grep '\bactive\b' + when: redis_enabled.rc == 0 + tags: step0,validation + - name: Stop redis service + tags: step1 + when: redis_enabled.rc == 0 + service: name=redis state=stopped + - name: Install redis package if it was disabled + tags: step3 + yum: name=redis state=latest + when: redis_enabled.rc != 0 diff --git a/puppet/services/ironic-api.yaml b/puppet/services/ironic-api.yaml index 945033a1..0e8eacf1 100644 --- a/puppet/services/ironic-api.yaml +++ b/puppet/services/ironic-api.yaml @@ -43,8 +43,21 @@ parameters: e.g. { ironic-context_is_admin: { key: context_is_admin, value: 'role:admin' } } default: {} type: json + EnableInternalTLS: + type: boolean + default: false resources: + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + EnableInternalTLS: {get_param: EnableInternalTLS} + IronicBase: type: ./ironic-base.yaml properties: @@ -63,6 +76,7 @@ outputs: config_settings: map_merge: - get_attr: [IronicBase, role_data, config_settings] + - get_attr: [ApacheServiceBase, role_data, config_settings] - ironic::api::authtoken::password: {get_param: IronicPassword} ironic::api::authtoken::project_name: 'service' ironic::api::authtoken::user_domain_name: 'Default' @@ -80,7 +94,17 @@ outputs: ironic::api::port: {get_param: [EndpointMap, IronicInternal, port]} # This is used to build links in responses ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]} + ironic::api::service_name: 'httpd' ironic::policy::policies: {get_param: IronicApiPolicies} + ironic::wsgi::apache::bind_host: {get_param: [ServiceNetMap, IronicApiNetwork]} + ironic::wsgi::apache::port: {get_param: [EndpointMap, IronicInternal, port]} + ironic::wsgi::apache::servername: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, IronicApiNetwork]} + ironic::wsgi::apache::ssl: {get_param: EnableInternalTLS} tripleo.ironic_api.firewall_rules: '133 ironic api': dport: @@ -106,6 +130,9 @@ outputs: - '%' - "%{hiera('mysql_bind_host')}" upgrade_tasks: - - name: Stop ironic_api service + - name: Stop ironic_api service (before httpd support) + tags: step1 + service: name=openstack-ironic-api state=stopped enabled=no + - name: Stop ironic_api service (running under httpd) tags: step1 - service: name=openstack-ironic-api state=stopped + service: name=httpd state=stopped diff --git a/puppet/services/ironic-inspector.yaml b/puppet/services/ironic-inspector.yaml new file mode 100644 index 00000000..e8537a29 --- /dev/null +++ b/puppet/services/ironic-inspector.yaml @@ -0,0 +1,151 @@ +heat_template_version: ocata + +description: > + OpenStack Ironic Inspector configured with Puppet (EXPERIMENTAL) + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + MonitoringSubscriptionIronicInspector: + default: 'overcloud-ironic-inspector' + type: string + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + Debug: + default: '' + description: Set to True to enable debugging on all services. + type: string + IronicInspectorInterface: + default: br-ex + description: | + Network interface on which inspection dnsmasq will listen. Should allow + access to untagged traffic from nodes booted for inspection. The default + value only makes sense if you don't modify any networking configuration. + type: string + IronicInspectorIPXEEnabled: + default: true + description: Whether to use iPXE for inspection. + type: boolean + IronicInspectorIpRange: + description: | + Temporary IP range that will be given to nodes during the inspection + process. This should not overlap with any range that Neutron's DHCP + gives away, but it has to be routeable back to ironic-inspector API. + This option has no meaningful defaults, and thus is required. + type: string + IronicInspectorUseSwift: + default: true + description: Whether to use Swift for storing introspection data. + type: boolean + IronicIPXEPort: + default: 8088 + description: Port to use for serving images when iPXE is used. + type: string + IronicPassword: + description: The password for the Ironic service and db account, used by the Ironic services + type: string + hidden: true + +conditions: + enable_ipxe: {equals : [{get_param: IronicInspectorIPXEEnabled}, true]} + use_swift: {equals : [{get_param: IronicInspectorUseSwift}, true]} + +outputs: + role_data: + description: Role data for the Ironic Inspector role. + value: + service_name: ironic_inspector + monitoring_subscription: {get_param: MonitoringSubscriptionIronicInspector} + config_settings: + map_merge: + - ironic::inspector::listen_address: {get_param: [ServiceNetMap, IronicInspectorNetwork]} + ironic::inspector::dnsmasq_local_ip: {get_param: [ServiceNetMap, IronicInspectorNetwork]} + ironic::inspector::dnsmasq_ip_range: {get_param: IronicInspectorIpRange} + ironic::inspector::dnsmasq_interface: {get_param: IronicInspectorInterface} + ironic::inspector::debug: {get_param: Debug} + ironic::inspector::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + ironic::inspector::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + ironic::inspector::authtoken::username: 'ironic' + ironic::inspector::authtoken::password: {get_param: IronicPassword} + ironic::inspector::authtoken::project_name: 'service' + ironic::inspector::authtoken::user_domain_name: 'Default' + ironic::inspector::authtoken::project_domain_name: 'Default' + tripleo.ironic_inspector.firewall_rules: + '137 ironic-inspector': + dport: + - 5050 + ironic::inspector::ironic_username: 'ironic' + ironic::inspector::ironic_password: {get_param: IronicPassword} + ironic::inspector::ironic_tenant_name: 'service' + ironic::inspector::ironic_auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + ironic::inspector::ironic_max_retries: 6 + ironic::inspector::ironic_retry_interval: 10 + ironic::inspector::ironic_user_domain_name: 'Default' + ironic::inspector::ironic_project_domain_name: 'Default' + ironic::inspector::http_port: {get_param: IronicIPXEPort} + ironic::inspector::db::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://ironic-inspector:' + - {get_param: IronicPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/ironic-inspector' + - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo' + - + if: + - enable_ipxe + - ironic::inspector::pxe_transfer_protocol: 'http' + - {} + - + if: + - use_swift + - ironic::inspector::store_data: 'swift' + ironic::inspector::swift_username: 'ironic' + ironic::inspector::swift_password: {get_param: IronicPassword} + ironic::inspector::swift_tenant_name: 'service' + ironic::inspector::swift_auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + ironic::inspector::swift_user_domain_name: 'Default' + ironic::inspector::swift_project_domain_name: 'Default' + - {} + step_config: | + include ::tripleo::profile::base::ironic_inspector + service_config_settings: + keystone: + ironic::keystone::auth_inspector::tenant: 'service' + ironic::keystone::auth_inspector::public_url: {get_param: [EndpointMap, IronicInspectorPublic, uri]} + ironic::keystone::auth_inspector::internal_url: {get_param: [EndpointMap, IronicInspectorInternal, uri]} + ironic::keystone::auth_inspector::admin_url: {get_param: [EndpointMap, IronicInspectorAdmin, uri]} + ironic::keystone::auth_inspector::password: {get_param: IronicPassword} + ironic::keystone::auth_inspector::region: {get_param: KeystoneRegion} + mysql: + ironic::inspector::db::mysql::password: {get_param: IronicPassword} + ironic::inspector::db::mysql::user: ironic-inspector + ironic::inspector::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + ironic::inspector::db::mysql::dbname: ironic-inspector + ironic::inspector::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index af494016..60d194bc 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -122,6 +122,10 @@ parameters: KeystoneFernetKeys: type: json description: Mapping containing keystone's fernet keys and their paths. + KeystoneFernetMaxActiveKeys: + type: number + description: The maximum active keys in the keystone fernet key repository. + default: 5 ManageKeystoneFernetKeys: type: boolean default: true @@ -258,6 +262,7 @@ outputs: keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey} keystone::token_provider: {get_param: KeystoneTokenProvider} keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]} + keystone::fernet_max_active_keys: {get_param: KeystoneFernetMaxActiveKeys} keystone::enable_proxy_headers_parsing: true keystone::enable_credential_setup: true keystone::credential_keys: diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml index 835edf0a..fe2f2946 100644 --- a/puppet/services/nova-api.yaml +++ b/puppet/services/nova-api.yaml @@ -210,7 +210,7 @@ outputs: register: bootstrap_node - name: set is_bootstrap_node fact tags: common - set_fact: is_bootstrap_node={{bootstrap_node.stdout == ansible_hostname}} + set_fact: is_bootstrap_node={{bootstrap_node.stdout|lower == ansible_hostname|lower}} - name: Extra migration for nova tripleo/+bug/1656791 tags: step0,pre-upgrade when: is_bootstrap_node diff --git a/puppet/services/ovn-dbs.yaml b/puppet/services/ovn-dbs.yaml index 20c38d8a..df234c77 100644 --- a/puppet/services/ovn-dbs.yaml +++ b/puppet/services/ovn-dbs.yaml @@ -44,6 +44,7 @@ outputs: ovn::northbound::port: {get_param: OVNNorthboundServerPort} ovn::southbound::port: {get_param: OVNSouthboundServerPort} ovn::northd::dbs_listen_ip: {get_param: [ServiceNetMap, OvnDbsNetwork]} + tripleo::haproxy::ovn_dbs_manage_lb: true tripleo.ovn_dbs.firewall_rules: '121 OVN DB server ports': proto: 'tcp' diff --git a/puppet/services/pacemaker/database/mysql.yaml b/puppet/services/pacemaker/database/mysql.yaml index d8e942d0..0a7659e0 100644 --- a/puppet/services/pacemaker/database/mysql.yaml +++ b/puppet/services/pacemaker/database/mysql.yaml @@ -27,6 +27,11 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + InternalTLSCAFile: + default: '/etc/ipa/ca.crt' + type: string + description: Specifies the default CA cert to use if TLS is used for + services in the internal network. resources: @@ -61,6 +66,8 @@ outputs: # internal_api_subnet - > IP/CIDR tripleo::profile::pacemaker::database::mysql::gmcast_listen_addr: get_param: [ServiceNetMap, MysqlNetwork] + tripleo::profile::pacemaker::database::mysql::ca_file: + get_param: InternalTLSCAFile step_config: | include ::tripleo::profile::pacemaker::database::mysql metadata_settings: diff --git a/puppet/services/pacemaker/ovn-dbs.yaml b/puppet/services/pacemaker/ovn-dbs.yaml new file mode 100644 index 00000000..1cbb4763 --- /dev/null +++ b/puppet/services/pacemaker/ovn-dbs.yaml @@ -0,0 +1,61 @@ +heat_template_version: ocata + +description: > + OVN databases configured with puppet in HA mode + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + OVNNorthboundServerPort: + description: Port of the OVN Northbound DB server + type: number + default: 6641 + OVNSouthboundServerPort: + description: Port of the OVN Southbound DB server + type: number + default: 6642 + +resources: + + OVNDBsBase: + type: ../ovn-dbs.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the OVN northd service + value: + service_name: ovn_dbs + config_settings: + map_merge: + - get_attr: [OVNDBsBase, role_data, config_settings] + - tripleo::haproxy::ovn_dbs_manage_lb: false + tripleo::profile::pacemaker::ovn_northd::nb_db_port: {get_param: OVNNorthboundServerPort} + tripleo::profile::pacemaker::ovn_northd::sb_db_port: {get_param: OVNSouthboundServerPort} + step_config: | + include ::tripleo::profile::pacemaker::ovn_northd diff --git a/puppet/services/services.yaml b/puppet/services/services.yaml deleted file mode 100644 index 0e7b6d2b..00000000 --- a/puppet/services/services.yaml +++ /dev/null @@ -1,129 +0,0 @@ -heat_template_version: pike - -description: > - Utility stack to convert an array of services into a set of combined - role configs. - -parameters: - Services: - default: [] - description: | - List nested stack service templates. - type: comma_delimited_list - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - DefaultPasswords: - default: {} - description: Mapping of service -> default password. Used to help - pass top level passwords managed by Heat into services. - type: json - RoleName: - default: '' - description: Role name on which the service is applied - type: string - RoleParameters: - description: Role Specific parameters to be provided to service - default: {} - type: json - -resources: - - ServiceChain: - type: OS::Heat::ResourceChain - properties: - resources: {get_param: Services} - concurrent: true - resource_properties: - ServiceNetMap: {get_param: ServiceNetMap} - EndpointMap: {get_param: EndpointMap} - DefaultPasswords: {get_param: DefaultPasswords} - RoleName: {get_param: RoleName} - RoleParameters: {get_param: RoleParameters} - - LoggingConfiguration: - type: OS::TripleO::LoggingConfiguration - - ServiceServerMetadataHook: - type: OS::TripleO::ServiceServerMetadataHook - properties: - RoleData: {get_attr: [ServiceChain, role_data]} - -outputs: - role_data: - description: Combined Role data for this set of services. - value: - service_names: - {get_attr: [ServiceChain, role_data, service_name]} - monitoring_subscriptions: - yaql: - expression: list($.data.role_data.where($ != null).select($.get('monitoring_subscription')).where($ != null)) - data: {role_data: {get_attr: [ServiceChain, role_data]}} - logging_sources: - # Transform the individual logging_source configuration from - # each service in the chain into a global list, adding some - # default configuration at the same time. - yaql: - expression: > - let( - default_format => $.data.default_format, - pos_file_path => $.data.pos_file_path, - sources => $.data.sources.flatten() - ) -> - $sources.where($ != null).select({ - 'type' => 'tail', - 'tag' => $.tag, - 'path' => $.path, - 'format' => $.get('format', $default_format), - 'pos_file' => $.get('pos_file', $pos_file_path + '/' + $.tag + '.pos') - }) - data: - sources: - - {get_attr: [LoggingConfiguration, LoggingDefaultSources]} - - yaql: - expression: list($.data.role_data.where($ != null).select($.get('logging_source')).where($ != null)) - data: {role_data: {get_attr: [ServiceChain, role_data]}} - - - {get_attr: [LoggingConfiguration, LoggingExtraSources]} - default_format: {get_attr: [LoggingConfiguration, LoggingDefaultFormat]} - pos_file_path: {get_attr: [LoggingConfiguration, LoggingPosFilePath]} - logging_groups: - # Build a list of unique groups to which we should add the - # fluentd user. - yaql: - expression: > - set(($.data.default + $.data.extra + $.data.role_data.where($ != null).select($.get('logging_groups'))).flatten()).where($) - data: - default: {get_attr: [LoggingConfiguration, LoggingDefaultGroups]} - extra: {get_attr: [LoggingConfiguration, LoggingExtraGroups]} - role_data: {get_attr: [ServiceChain, role_data]} - config_settings: {map_merge: {get_attr: [ServiceChain, role_data, config_settings]}} - global_config_settings: - map_merge: - yaql: - expression: list($.data.role_data.where($ != null).select($.get('global_config_settings')).where($ != null)) - data: {role_data: {get_attr: [ServiceChain, role_data]}} - service_config_settings: - yaql: - expression: $.data.role_data.where($ != null).select($.get('service_config_settings')).where($ != null).reduce($1.mergeWith($2), {}) - data: {role_data: {get_attr: [ServiceChain, role_data]}} - step_config: {get_attr: [ServiceChain, role_data, step_config]} - upgrade_tasks: - yaql: - # Note we use distinct() here to filter any identical tasks, e.g yum update for all services - expression: $.data.where($ != null).select($.get('upgrade_tasks')).where($ != null).flatten().distinct() - data: {get_attr: [ServiceChain, role_data]} - upgrade_batch_tasks: - yaql: - # Note we use distinct() here to filter any identical tasks, e.g yum update for all services - expression: $.data.where($ != null).select($.get('upgrade_batch_tasks')).where($ != null).flatten().distinct() - data: {get_attr: [ServiceChain, role_data]} - service_metadata_settings: {get_attr: [ServiceServerMetadataHook, metadata]} |