diff options
Diffstat (limited to 'puppet')
24 files changed, 234 insertions, 36 deletions
diff --git a/puppet/major_upgrade_steps.j2.yaml b/puppet/major_upgrade_steps.j2.yaml index 9430a704..433b03a0 100644 --- a/puppet/major_upgrade_steps.j2.yaml +++ b/puppet/major_upgrade_steps.j2.yaml @@ -31,19 +31,23 @@ resources: {% if step > 0 %} depends_on: {% for dep in roles %} + {% if not dep.disable_upgrade_deployment|default(false) %} - {{dep.name}}Upgrade_Step{{step -1}} + {% endif %} {% endfor %} {% endif %} properties: UpgradeStepConfig: {get_param: [role_data, {{role.name}}, upgrade_tasks]} step: {{step}} - + {% if not role.disable_upgrade_deployment|default(false) %} {{role.name}}Upgrade_Step{{step}}: type: OS::Heat::StructuredDeploymentGroup {% if step > 0 %} depends_on: {% for dep in roles %} + {% if not dep.disable_upgrade_deployment|default(false) %} - {{dep.name}}Upgrade_Step{{step -1}} + {% endif %} {% endfor %} {% endif %} properties: @@ -53,6 +57,7 @@ resources: input_values: role: {{role.name}} update_identifier: {get_param: UpdateIdentifier} + {% endif %} {% endfor %} {% endfor %} diff --git a/puppet/post.j2.yaml b/puppet/post.j2.yaml index 2a02ea19..83c32868 100644 --- a/puppet/post.j2.yaml +++ b/puppet/post.j2.yaml @@ -21,11 +21,10 @@ parameters: perform configuration on a Heat stack-update. resources: - -{% for role in roles %} # Post deployment steps for all roles # A single config is re-applied with an incrementing step number - # {{role.name}} Role steps +{% for role in roles %} + # {{role.name}} Role post deploy steps {{role.name}}ArtifactsConfig: type: deploy-artifacts.yaml @@ -58,8 +57,6 @@ resources: # Step through a series of configuration steps {% for step in range(1, 6) %} - {% for role in roles %} - {{role.name}}Deployment_Step{{step}}: type: OS::Heat::StructuredDeploymentGroup {% if step == 1 %} @@ -77,8 +74,6 @@ resources: input_values: step: {{step}} update_identifier: {get_param: DeployIdentifier} - - {% endfor %} {% endfor %} {{role.name}}PostConfig: diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml index 4e735b45..2c44f4df 100644 --- a/puppet/services/aodh-api.yaml +++ b/puppet/services/aodh-api.yaml @@ -83,3 +83,5 @@ outputs: get_attr: [AodhBase, role_data, service_config_settings] step_config: | include tripleo::profile::base::aodh::api + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] diff --git a/puppet/services/apache-internal-tls-certmonger.yaml b/puppet/services/apache-internal-tls-certmonger.yaml index 07ec1b3c..97d6ff8e 100644 --- a/puppet/services/apache-internal-tls-certmonger.yaml +++ b/puppet/services/apache-internal-tls-certmonger.yaml @@ -21,6 +21,22 @@ parameters: via parameter_defaults in the resource registry. type: json +resources: + + ApacheNetworks: + type: OS::Heat::Value + properties: + value: + # NOTE(jaosorior) Get unique network names to create + # certificates for those. We skip the tenant network since + # we don't need a certificate for that, and the external + # network will be handled in another template. + yaql: + expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) + data: + map: + get_param: ServiceNetMap + outputs: role_data: description: Role data for the Apache role. @@ -38,13 +54,12 @@ outputs: hostname: "%{hiera('fqdn_NETWORK')}" principal: "HTTP/%{hiera('fqdn_NETWORK')}" for_each: - NETWORK: - # NOTE(jaosorior) Get unique network names to create - # certificates for those. We skip the tenant network since - # we don't need a certificate for that, and the external - # network will be handled in another template. - yaql: - expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) - data: - map: - get_param: ServiceNetMap + NETWORK: {get_attr: [ApacheNetworks, value]} + metadata_settings: + repeat: + template: + - service: HTTP + network: $NETWORK + type: node + for_each: + $NETWORK: {get_attr: [ApacheNetworks, value]} diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml index 2e95dcb0..82e0c5ff 100644 --- a/puppet/services/apache.yaml +++ b/puppet/services/apache.yaml @@ -64,3 +64,5 @@ outputs: apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit } apache::mod::remoteip::proxy_ips: - "%{hiera('apache_remote_proxy_ips_network')}" + metadata_settings: + get_attr: [ApacheTLS, role_data, metadata_settings] diff --git a/puppet/services/barbican-api.yaml b/puppet/services/barbican-api.yaml index 000a744c..1f220e6b 100644 --- a/puppet/services/barbican-api.yaml +++ b/puppet/services/barbican-api.yaml @@ -144,3 +144,5 @@ outputs: get_param: [EndpointMap, BarbicanInternal, uri] cinder::api::keymgr_encryption_auth_url: get_param: [EndpointMap, KeystoneV3Internal, uri] + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml index 63e02d4f..f774167f 100644 --- a/puppet/services/ceilometer-api.yaml +++ b/puppet/services/ceilometer-api.yaml @@ -90,3 +90,5 @@ outputs: get_attr: [CeilometerServiceBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::ceilometer::api + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] diff --git a/puppet/services/ceph-rgw.yaml b/puppet/services/ceph-rgw.yaml index 6448387c..92536994 100644 --- a/puppet/services/ceph-rgw.yaml +++ b/puppet/services/ceph-rgw.yaml @@ -57,7 +57,11 @@ outputs: tripleo::profile::base::ceph::rgw::keystone_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} tripleo::profile::base::ceph::rgw::civetweb_bind_ip: {get_param: [ServiceNetMap, CephRgwNetwork]} tripleo::profile::base::ceph::rgw::civetweb_bind_port: {get_param: [EndpointMap, CephRgwInternal, port]} - ceph::params::user_radosgw: ceph + tripleo::profile::base::ceph::rgw::rgw_keystone_version: v3 + ceph::profile::params::rgw_keystone_admin_domain: default + ceph::profile::params::rgw_keystone_admin_project: service + ceph::profile::params::rgw_keystone_admin_user: swift + ceph::profile::params::rgw_keystone_admin_password: {get_param: SwiftPassword} tripleo.ceph_rgw.firewall_rules: '122 ceph rgw': dport: {get_param: [EndpointMap, CephRgwInternal, port]} @@ -68,7 +72,8 @@ outputs: ceph::rgw::keystone::auth::public_url: {get_param: [EndpointMap, CephRgwPublic, uri]} ceph::rgw::keystone::auth::internal_url: {get_param: [EndpointMap, CephRgwInternal, uri]} ceph::rgw::keystone::auth::admin_url: {get_param: [EndpointMap, CephRgwAdmin, uri]} - ceph::rgw::keystone::auth::user: 'swift' - ceph::rgw::keystone::auth::password: {get_param: SwiftPassword} ceph::rgw::keystone::auth::region: {get_param: KeystoneRegion} - ceph::rgw::keystone::auth::tenant: 'service' + ceph::rgw::keystone::auth::roles: [ 'admin', 'member', '_member_' ] + ceph::rgw::keystone::auth::tenant: service + ceph::rgw::keystone::auth::user: swift + ceph::rgw::keystone::auth::password: {get_param: SwiftPassword} diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml index b32c8185..a5c912ed 100644 --- a/puppet/services/cinder-api.yaml +++ b/puppet/services/cinder-api.yaml @@ -91,9 +91,6 @@ outputs: cinder::config: DEFAULT/swift_catalog_info: value: 'object-store:swift:internalURL' - # TODO(emilien) remove the next line when https://review.openstack.org/422915 - # is merged. - cinder::glance::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]} tripleo::profile::base::cinder::cinder_enable_db_purge: {get_param: CinderEnableDBPurge} tripleo.cinder_api.firewall_rules: '119 cinder': @@ -149,6 +146,8 @@ outputs: cinder::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] upgrade_tasks: - name: check for cinder running under apache (post upgrade) tags: step2 diff --git a/puppet/services/database/mysql-internal-tls-certmonger.yaml b/puppet/services/database/mysql-internal-tls-certmonger.yaml index 56d037e7..9f7eaf57 100644 --- a/puppet/services/database/mysql-internal-tls-certmonger.yaml +++ b/puppet/services/database/mysql-internal-tls-certmonger.yaml @@ -41,3 +41,7 @@ outputs: template: "mysql/%{hiera('cloud_name_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} + metadata_settings: + - service: mysql + network: {get_param: [ServiceNetMap, MysqlNetwork]} + type: vip diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml index 7e12894f..8c4042d9 100644 --- a/puppet/services/database/mysql.yaml +++ b/puppet/services/database/mysql.yaml @@ -104,4 +104,6 @@ outputs: - name: Start service tags: step4 service: name=mariadb state=started + metadata_settings: + get_attr: [MySQLTLS, role_data, metadata_settings] diff --git a/puppet/services/disabled/glance-registry.yaml b/puppet/services/disabled/glance-registry.yaml new file mode 100644 index 00000000..4d22bddc --- /dev/null +++ b/puppet/services/disabled/glance-registry.yaml @@ -0,0 +1,30 @@ +heat_template_version: ocata + +description: > + OpenStack Glance Registry service, disabled since ocata + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for the disabled Glance Registry role. + value: + service_name: glance_registry + upgrade_tasks: + - name: Stop and disable glance_registry service on upgrade + tags: step2 + service: name=openstack-glance-registry state=stopped enabled=no diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml index 3ddb1927..09ea5d22 100644 --- a/puppet/services/glance-api.yaml +++ b/puppet/services/glance-api.yaml @@ -45,8 +45,23 @@ parameters: default: tag: openstack.glance.api path: /var/log/glance/api.log + EnableInternalTLS: + type: boolean + default: false + +conditions: + use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} resources: + + TLSProxyBase: + type: OS::TripleO::Services::TLSProxyBase + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} + GlanceBase: type: ./glance-base.yaml properties: @@ -66,6 +81,7 @@ outputs: config_settings: map_merge: - get_attr: [GlanceBase, role_data, config_settings] + - get_attr: [TLSProxyBase, role_data, config_settings] - glance::api::database_connection: list_join: - '' @@ -100,7 +116,23 @@ outputs: # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - glance::api::bind_host: {get_param: [ServiceNetMap, GlanceApiNetwork]} + tripleo::profile::base::glance::api::tls_proxy_bind_ip: + get_param: [ServiceNetMap, GlanceApiNetwork] + tripleo::profile::base::glance::api::tls_proxy_fqdn: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]} + tripleo::profile::base::glance::api::tls_proxy_port: + get_param: [EndpointMap, GlanceInternal, port] + # Bind to localhost if internal TLS is enabled, since we put a TLs + # proxy in front. + glance::api::bind_host: + if: + - use_tls_proxy + - 'localhost' + - {get_param: [ServiceNetMap, GlanceApiNetwork]} step_config: | include ::tripleo::profile::base::glance::api service_config_settings: diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml index 3929e005..ae384ce0 100644 --- a/puppet/services/gnocchi-api.yaml +++ b/puppet/services/gnocchi-api.yaml @@ -131,3 +131,5 @@ outputs: gnocchi::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] diff --git a/puppet/services/haproxy-internal-tls-certmonger.yaml b/puppet/services/haproxy-internal-tls-certmonger.yaml index 77457593..ae226163 100644 --- a/puppet/services/haproxy-internal-tls-certmonger.yaml +++ b/puppet/services/haproxy-internal-tls-certmonger.yaml @@ -19,6 +19,22 @@ parameters: via parameter_defaults in the resource registry. type: json +resources: + + HAProxyNetworks: + type: OS::Heat::Value + properties: + value: + # NOTE(jaosorior) Get unique network names to create + # certificates for those. We skip the tenant network since + # we don't need a certificate for that, and the external + # network will be handled in another template. + yaql: + expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) + data: + map: + get_param: ServiceNetMap + outputs: role_data: description: Role data for the HAProxy internal TLS via certmonger role. @@ -39,13 +55,12 @@ outputs: postsave_cmd: "" # TODO principal: "haproxy/%{hiera('cloud_name_NETWORK')}" for_each: - NETWORK: - # NOTE(jaosorior) Get unique network names to create - # certificates for those. We skip the tenant network since - # we don't need a certificate for that, and the external - # network will be handled in another template. - yaql: - expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) - data: - map: - get_param: ServiceNetMap + NETWORK: {get_attr: [HAProxyNetworks, value]} + metadata_settings: + repeat: + template: + - service: haproxy + network: $NETWORK + type: vip + for_each: + $NETWORK: {get_attr: [HAProxyNetworks, value]} diff --git a/puppet/services/haproxy-public-tls-certmonger.yaml b/puppet/services/haproxy-public-tls-certmonger.yaml index 227697b9..6013b026 100644 --- a/puppet/services/haproxy-public-tls-certmonger.yaml +++ b/puppet/services/haproxy-public-tls-certmonger.yaml @@ -35,3 +35,7 @@ outputs: hostname: "%{hiera('cloud_name_external')}" postsave_cmd: "" # TODO principal: "haproxy/%{hiera('cloud_name_external')}" + metadata_settings: + - service: haproxy + network: external + type: vip diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml index 9049c901..981a08d2 100644 --- a/puppet/services/haproxy.yaml +++ b/puppet/services/haproxy.yaml @@ -84,3 +84,9 @@ outputs: - name: Start haproxy service tags: step4 # Needed at step 4 for mysql service: name=haproxy state=started + metadata_settings: + yaql: + expression: '[].concat(coalesce($.data.internal, []), coalesce($.data.public, []))' + data: + public: {get_attr: [HAProxyPublicTLS, role_data, metadata_settings]} + internal: {get_attr: [HAProxyInternalTLS, role_data, metadata_settings]} diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index 434f0a33..b989d502 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -313,3 +313,8 @@ outputs: - name: Sync keystone DB tags: step5 command: keystone-manage db_sync + - name: Start keystone service (running under httpd) + tags: step6 + service: name=httpd state=started + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml index 36ac3e08..892e63dd 100644 --- a/puppet/services/nova-api.yaml +++ b/puppet/services/nova-api.yaml @@ -165,3 +165,5 @@ outputs: nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]} nova::keystone::auth::password: {get_param: NovaPassword} nova::keystone::auth::region: {get_param: KeystoneRegion} + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] diff --git a/puppet/services/pacemaker.yaml b/puppet/services/pacemaker.yaml index 9adf1bdb..a8a9fb99 100644 --- a/puppet/services/pacemaker.yaml +++ b/puppet/services/pacemaker.yaml @@ -29,6 +29,11 @@ parameters: default: false description: Whether to enable fencing in Pacemaker or not. type: boolean + PacemakerRemoteAuthkey: + type: string + description: The authkey for the pacemaker remote service. + hidden: true + default: '' PcsdPassword: type: string description: The password for the 'pcsd' user for pacemaker. @@ -112,5 +117,6 @@ outputs: passwords: - {get_param: PcsdPassword} - {get_param: [DefaultPasswords, pcsd_password]} + tripleo::profile::base::pacemaker::remote_authkey: {get_param: PacemakerRemoteAuthkey} step_config: | include ::tripleo::profile::base::pacemaker diff --git a/puppet/services/pacemaker/database/mysql.yaml b/puppet/services/pacemaker/database/mysql.yaml index 511a01ab..93bf5967 100644 --- a/puppet/services/pacemaker/database/mysql.yaml +++ b/puppet/services/pacemaker/database/mysql.yaml @@ -53,6 +53,8 @@ outputs: get_param: [ServiceNetMap, MysqlNetwork] step_config: | include ::tripleo::profile::pacemaker::database::mysql + metadata_settings: + get_attr: [MysqlBase, role_data, metadata_settings] upgrade_tasks: - name: Check for galera root password tags: step0 diff --git a/puppet/services/pacemaker/haproxy.yaml b/puppet/services/pacemaker/haproxy.yaml index 50da4119..598deaef 100644 --- a/puppet/services/pacemaker/haproxy.yaml +++ b/puppet/services/pacemaker/haproxy.yaml @@ -40,3 +40,5 @@ outputs: tripleo::haproxy::mysql_clustercheck: true step_config: | include ::tripleo::profile::pacemaker::haproxy + metadata_settings: + get_attr: [LoadbalancerServiceBase, role_data, metadata_settings] diff --git a/puppet/services/pacemaker_remote.yaml b/puppet/services/pacemaker_remote.yaml new file mode 100644 index 00000000..daee43e6 --- /dev/null +++ b/puppet/services/pacemaker_remote.yaml @@ -0,0 +1,57 @@ +heat_template_version: ocata + +description: > + Pacemaker remote service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + PacemakerRemoteAuthkey: + type: string + description: The authkey for the pacemaker remote service. + hidden: true + default: '' + MonitoringSubscriptionPacemakerRemote: + default: 'overcloud-pacemaker_remote' + type: string + PacemakerRemoteLoggingSource: + type: json + default: + tag: system.pacemaker_remote + path: /var/log/pacemaker.log + format: >- + /^(?<time>[^ ]*\s*[^ ]* [^ ]*) + \[(?<pid>[^ ]*)\] + (?<host>[^ ]*) + (?<message>.*)$/ + +outputs: + role_data: + description: Role data for the Pacemaker remote role. + value: + service_name: pacemaker_remote + monitoring_subscription: {get_param: MonitoringSubscriptionPacemakerRemote} + logging_groups: + - haclient + logging_source: {get_param: PacemakerRemoteLoggingSource} + config_settings: + tripleo.pacemaker_remote.firewall_rules: + '130 pacemaker_remote tcp': + proto: 'tcp' + dport: + - 3121 + tripleo::profile::base::pacemaker_remote::remote_authkey: {get_param: PacemakerRemoteAuthkey} + step_config: | + include ::tripleo::profile::base::pacemaker_remote diff --git a/puppet/services/panko-api.yaml b/puppet/services/panko-api.yaml index 06284fb2..4b74ad45 100644 --- a/puppet/services/panko-api.yaml +++ b/puppet/services/panko-api.yaml @@ -82,3 +82,5 @@ outputs: get_attr: [PankoBase, role_data, service_config_settings] step_config: | include tripleo::profile::base::panko::api + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] |