summaryrefslogtreecommitdiffstats
path: root/puppet
diff options
context:
space:
mode:
Diffstat (limited to 'puppet')
-rw-r--r--puppet/blockstorage-role.yaml26
-rw-r--r--puppet/cephstorage-role.yaml26
-rw-r--r--puppet/compute-role.yaml26
-rw-r--r--puppet/controller-role.yaml26
-rw-r--r--puppet/objectstorage-role.yaml27
-rw-r--r--puppet/puppet-steps.j227
-rw-r--r--puppet/role.role.j2.yaml25
-rw-r--r--puppet/services/certmonger-user.yaml17
-rw-r--r--puppet/services/cinder-backend-dellsc.yaml4
-rw-r--r--puppet/services/cinder-backend-netapp.yaml8
-rw-r--r--puppet/services/cinder-volume.yaml16
-rw-r--r--puppet/services/disabled/ceilometer-expirer-disabled.yaml20
-rw-r--r--puppet/services/gnocchi-base.yaml10
-rw-r--r--puppet/services/haproxy.yaml6
-rw-r--r--puppet/services/horizon.yaml2
-rw-r--r--puppet/services/ironic-conductor.yaml6
-rw-r--r--puppet/services/keystone.yaml36
-rw-r--r--puppet/services/neutron-sriov-agent.yaml22
-rw-r--r--puppet/services/nova-compute.yaml26
-rw-r--r--puppet/services/pacemaker_remote.yaml38
-rw-r--r--puppet/services/panko-api.yaml4
21 files changed, 324 insertions, 74 deletions
diff --git a/puppet/blockstorage-role.yaml b/puppet/blockstorage-role.yaml
index 7b6fbb71..25e509b5 100644
--- a/puppet/blockstorage-role.yaml
+++ b/puppet/blockstorage-role.yaml
@@ -376,12 +376,15 @@ resources:
NetworkDeployment:
type: OS::TripleO::SoftwareDeployment
depends_on: PreNetworkConfig
- condition: server_not_blacklisted
properties:
name: NetworkDeployment
config: {get_resource: NetworkConfig}
server: {get_resource: BlockStorage}
- actions: {get_param: NetworkDeploymentActions}
+ actions:
+ if:
+ - server_not_blacklisted
+ - {get_param: NetworkDeploymentActions}
+ - []
BlockStorageUpgradeInitConfig:
type: OS::Heat::SoftwareConfig
@@ -400,22 +403,30 @@ resources:
BlockStorageUpgradeInitDeployment:
type: OS::Heat::SoftwareDeployment
depends_on: NetworkDeployment
- condition: server_not_blacklisted
properties:
name: BlockStorageUpgradeInitDeployment
server: {get_resource: BlockStorage}
config: {get_resource: BlockStorageUpgradeInitConfig}
+ actions:
+ if:
+ - server_not_blacklisted
+ - ['CREATE', 'UPDATE']
+ - []
BlockStorageDeployment:
type: OS::Heat::StructuredDeployment
depends_on: BlockStorageUpgradeInitDeployment
- condition: server_not_blacklisted
properties:
name: BlockStorageDeployment
server: {get_resource: BlockStorage}
config: {get_resource: BlockStorageConfig}
input_values:
enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]}
+ actions:
+ if:
+ - server_not_blacklisted
+ - ['CREATE', 'UPDATE']
+ - []
# Map heat metadata into hiera datafiles
BlockStorageConfig:
@@ -455,6 +466,7 @@ resources:
fqdn_tenant: {get_attr: [NetHostMap, value, tenant, fqdn]}
fqdn_management: {get_attr: [NetHostMap, value, management, fqdn]}
fqdn_ctlplane: {get_attr: [NetHostMap, value, ctlplane, fqdn]}
+ fqdn_external: {get_attr: [NetHostMap, value, external, fqdn]}
# Resource for site-specific injection of root certificate
NodeTLSCAData:
@@ -477,7 +489,6 @@ resources:
UpdateDeployment:
type: OS::Heat::SoftwareDeployment
depends_on: NetworkDeployment
- condition: server_not_blacklisted
properties:
name: UpdateDeployment
config: {get_resource: UpdateConfig}
@@ -485,6 +496,11 @@ resources:
input_values:
update_identifier:
get_param: UpdateIdentifier
+ actions:
+ if:
+ - server_not_blacklisted
+ - ['CREATE', 'UPDATE']
+ - []
SshHostPubKey:
type: OS::TripleO::Ssh::HostPubKey
diff --git a/puppet/cephstorage-role.yaml b/puppet/cephstorage-role.yaml
index 8047e3dc..ca89be8a 100644
--- a/puppet/cephstorage-role.yaml
+++ b/puppet/cephstorage-role.yaml
@@ -382,12 +382,15 @@ resources:
NetworkDeployment:
type: OS::TripleO::SoftwareDeployment
depends_on: PreNetworkConfig
- condition: server_not_blacklisted
properties:
name: NetworkDeployment
config: {get_resource: NetworkConfig}
server: {get_resource: CephStorage}
- actions: {get_param: NetworkDeploymentActions}
+ actions:
+ if:
+ - server_not_blacklisted
+ - {get_param: NetworkDeploymentActions}
+ - []
CephStorageUpgradeInitConfig:
type: OS::Heat::SoftwareConfig
@@ -406,22 +409,30 @@ resources:
CephStorageUpgradeInitDeployment:
type: OS::Heat::SoftwareDeployment
depends_on: NetworkDeployment
- condition: server_not_blacklisted
properties:
name: CephStorageUpgradeInitDeployment
server: {get_resource: CephStorage}
config: {get_resource: CephStorageUpgradeInitConfig}
+ actions:
+ if:
+ - server_not_blacklisted
+ - ['CREATE', 'UPDATE']
+ - []
CephStorageDeployment:
type: OS::Heat::StructuredDeployment
depends_on: CephStorageUpgradeInitDeployment
- condition: server_not_blacklisted
properties:
name: CephStorageDeployment
config: {get_resource: CephStorageConfig}
server: {get_resource: CephStorage}
input_values:
enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]}
+ actions:
+ if:
+ - server_not_blacklisted
+ - ['CREATE', 'UPDATE']
+ - []
CephStorageConfig:
type: OS::Heat::StructuredConfig
@@ -460,6 +471,7 @@ resources:
fqdn_tenant: {get_attr: [NetHostMap, value, tenant, fqdn]}
fqdn_management: {get_attr: [NetHostMap, value, management, fqdn]}
fqdn_ctlplane: {get_attr: [NetHostMap, value, ctlplane, fqdn]}
+ fqdn_external: {get_attr: [NetHostMap, value, external, fqdn]}
# Resource for site-specific injection of root certificate
NodeTLSCAData:
@@ -489,13 +501,17 @@ resources:
UpdateDeployment:
type: OS::Heat::SoftwareDeployment
depends_on: NetworkDeployment
- condition: server_not_blacklisted
properties:
config: {get_resource: UpdateConfig}
server: {get_resource: CephStorage}
input_values:
update_identifier:
get_param: UpdateIdentifier
+ actions:
+ if:
+ - server_not_blacklisted
+ - ['CREATE', 'UPDATE']
+ - []
SshHostPubKey:
type: OS::TripleO::Ssh::HostPubKey
diff --git a/puppet/compute-role.yaml b/puppet/compute-role.yaml
index e453508a..abfacd36 100644
--- a/puppet/compute-role.yaml
+++ b/puppet/compute-role.yaml
@@ -396,12 +396,15 @@ resources:
NetworkDeployment:
type: OS::TripleO::SoftwareDeployment
depends_on: PreNetworkConfig
- condition: server_not_blacklisted
properties:
name: NetworkDeployment
+ actions:
+ if:
+ - server_not_blacklisted
+ - {get_param: NetworkDeploymentActions}
+ - []
config: {get_resource: NetworkConfig}
server: {get_resource: NovaCompute}
- actions: {get_param: NetworkDeploymentActions}
input_values:
bridge_name: {get_param: NeutronPhysicalBridge}
interface_name: {get_param: NeutronPublicInterface}
@@ -423,9 +426,13 @@ resources:
NovaComputeUpgradeInitDeployment:
type: OS::Heat::SoftwareDeployment
depends_on: NetworkDeployment
- condition: server_not_blacklisted
properties:
name: NovaComputeUpgradeInitDeployment
+ actions:
+ if:
+ - server_not_blacklisted
+ - ['CREATE', 'UPDATE']
+ - []
server: {get_resource: NovaCompute}
config: {get_resource: NovaComputeUpgradeInitConfig}
@@ -472,13 +479,18 @@ resources:
fqdn_tenant: {get_attr: [NetHostMap, value, tenant, fqdn]}
fqdn_management: {get_attr: [NetHostMap, value, management, fqdn]}
fqdn_ctlplane: {get_attr: [NetHostMap, value, ctlplane, fqdn]}
+ fqdn_external: {get_attr: [NetHostMap, value, external, fqdn]}
NovaComputeDeployment:
type: OS::TripleO::SoftwareDeployment
depends_on: NovaComputeUpgradeInitDeployment
- condition: server_not_blacklisted
properties:
name: NovaComputeDeployment
+ actions:
+ if:
+ - server_not_blacklisted
+ - ['CREATE', 'UPDATE']
+ - []
config: {get_resource: NovaComputeConfig}
server: {get_resource: NovaCompute}
input_values:
@@ -512,9 +524,13 @@ resources:
UpdateDeployment:
type: OS::Heat::SoftwareDeployment
depends_on: NetworkDeployment
- condition: server_not_blacklisted
properties:
name: UpdateDeployment
+ actions:
+ if:
+ - server_not_blacklisted
+ - ['CREATE', 'UPDATE']
+ - []
config: {get_resource: UpdateConfig}
server: {get_resource: NovaCompute}
input_values:
diff --git a/puppet/controller-role.yaml b/puppet/controller-role.yaml
index 4c0a70f6..396eda8d 100644
--- a/puppet/controller-role.yaml
+++ b/puppet/controller-role.yaml
@@ -415,13 +415,16 @@ resources:
NetworkDeployment:
type: OS::TripleO::SoftwareDeployment
- condition: server_not_blacklisted
depends_on: PreNetworkConfig
properties:
name: NetworkDeployment
config: {get_resource: NetworkConfig}
server: {get_resource: Controller}
- actions: {get_param: NetworkDeploymentActions}
+ actions:
+ if:
+ - server_not_blacklisted
+ - {get_param: NetworkDeploymentActions}
+ - []
input_values:
bridge_name: br-ex
interface_name: {get_param: NeutronPublicInterface}
@@ -457,19 +460,27 @@ resources:
# but https://bugs.launchpad.net/heat/+bug/1649900 needs fixing first
ControllerUpgradeInitDeployment:
type: OS::Heat::SoftwareDeployment
- condition: server_not_blacklisted
depends_on: NetworkDeployment
properties:
name: ControllerUpgradeInitDeployment
+ actions:
+ if:
+ - server_not_blacklisted
+ - ['CREATE', 'UPDATE']
+ - []
server: {get_resource: Controller}
config: {get_resource: ControllerUpgradeInitConfig}
ControllerDeployment:
type: OS::TripleO::SoftwareDeployment
- condition: server_not_blacklisted
depends_on: ControllerUpgradeInitDeployment
properties:
name: ControllerDeployment
+ actions:
+ if:
+ - server_not_blacklisted
+ - ['CREATE', 'UPDATE']
+ - []
config: {get_resource: ControllerConfig}
server: {get_resource: Controller}
input_values:
@@ -530,6 +541,7 @@ resources:
fqdn_tenant: {get_attr: [NetHostMap, value, tenant, fqdn]}
fqdn_management: {get_attr: [NetHostMap, value, management, fqdn]}
fqdn_ctlplane: {get_attr: [NetHostMap, value, ctlplane, fqdn]}
+ fqdn_external: {get_attr: [NetHostMap, value, external, fqdn]}
# Hook for site-specific additional pre-deployment config, e.g extra hieradata
ControllerExtraConfigPre:
@@ -551,10 +563,14 @@ resources:
UpdateDeployment:
type: OS::Heat::SoftwareDeployment
- condition: server_not_blacklisted
depends_on: NetworkDeployment
properties:
name: UpdateDeployment
+ actions:
+ if:
+ - server_not_blacklisted
+ - ['CREATE', 'UPDATE']
+ - []
config: {get_resource: UpdateConfig}
server: {get_resource: Controller}
input_values:
diff --git a/puppet/objectstorage-role.yaml b/puppet/objectstorage-role.yaml
index 5ab6669f..42b1a78a 100644
--- a/puppet/objectstorage-role.yaml
+++ b/puppet/objectstorage-role.yaml
@@ -376,12 +376,16 @@ resources:
NetworkDeployment:
type: OS::TripleO::SoftwareDeployment
depends_on: PreNetworkConfig
- condition: server_not_blacklisted
properties:
name: NetworkDeployment
config: {get_resource: NetworkConfig}
server: {get_resource: SwiftStorage}
- actions: {get_param: NetworkDeploymentActions}
+ actions:
+ if:
+ - server_not_blacklisted
+ - {get_param: NetworkDeploymentActions}
+ - []
+
SwiftStorageUpgradeInitConfig:
type: OS::Heat::SoftwareConfig
@@ -400,11 +404,15 @@ resources:
SwiftStorageUpgradeInitDeployment:
type: OS::Heat::SoftwareDeployment
depends_on: NetworkDeployment
- condition: server_not_blacklisted
properties:
name: SwiftStorageUpgradeInitDeployment
server: {get_resource: SwiftStorage}
config: {get_resource: SwiftStorageUpgradeInitConfig}
+ actions:
+ if:
+ - server_not_blacklisted
+ - ['CREATE', 'UPDATE']
+ - []
SwiftStorageHieraConfig:
type: OS::Heat::StructuredConfig
@@ -443,17 +451,22 @@ resources:
fqdn_tenant: {get_attr: [NetHostMap, value, tenant, fqdn]}
fqdn_management: {get_attr: [NetHostMap, value, management, fqdn]}
fqdn_ctlplane: {get_attr: [NetHostMap, value, ctlplane, fqdn]}
+ fqdn_external: {get_attr: [NetHostMap, value, external, fqdn]}
SwiftStorageHieraDeploy:
type: OS::Heat::StructuredDeployment
depends_on: SwiftStorageUpgradeInitDeployment
- condition: server_not_blacklisted
properties:
name: SwiftStorageHieraDeploy
server: {get_resource: SwiftStorage}
config: {get_resource: SwiftStorageHieraConfig}
input_values:
enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]}
+ actions:
+ if:
+ - server_not_blacklisted
+ - ['CREATE', 'UPDATE']
+ - []
# Resource for site-specific injection of root certificate
NodeTLSCAData:
@@ -476,13 +489,17 @@ resources:
UpdateDeployment:
type: OS::Heat::SoftwareDeployment
depends_on: NetworkDeployment
- condition: server_not_blacklisted
properties:
config: {get_resource: UpdateConfig}
server: {get_resource: SwiftStorage}
input_values:
update_identifier:
get_param: UpdateIdentifier
+ actions:
+ if:
+ - server_not_blacklisted
+ - ['CREATE', 'UPDATE']
+ - []
SshHostPubKey:
type: OS::TripleO::Ssh::HostPubKey
diff --git a/puppet/puppet-steps.j2 b/puppet/puppet-steps.j2
index 360c633a..5567d65d 100644
--- a/puppet/puppet-steps.j2
+++ b/puppet/puppet-steps.j2
@@ -44,26 +44,31 @@
update_identifier: {get_param: DeployIdentifier}
{% endfor %}
- {{role.name}}PostConfig:
- type: OS::TripleO::Tasks::{{role.name}}PostConfig
+ # Note, this should be the last step to execute configuration changes.
+ # Ensure that all {{role.name}}ExtraConfigPost steps are executed
+ # after all the previous deployment steps.
+ {{role.name}}ExtraConfigPost:
depends_on:
{% for dep in roles %}
- {{dep.name}}Deployment_Step5
{% endfor %}
+ type: OS::TripleO::NodeExtraConfigPost
properties:
- servers: {get_param: servers}
- input_values:
- update_identifier: {get_param: DeployIdentifier}
+ servers: {get_param: [servers, {{role.name}}]}
- # Note, this should come last, so use depends_on to ensure
- # this is created after any other resources.
- {{role.name}}ExtraConfigPost:
+ # The {{role.name}}PostConfig steps are in charge of
+ # quiescing all services, i.e. in the Controller case,
+ # we should run a full service reload.
+ {{role.name}}PostConfig:
+ type: OS::TripleO::Tasks::{{role.name}}PostConfig
depends_on:
{% for dep in roles %}
- - {{dep.name}}PostConfig
+ - {{dep.name}}ExtraConfigPost
{% endfor %}
- type: OS::TripleO::NodeExtraConfigPost
properties:
- servers: {get_param: [servers, {{role.name}}]}
+ servers: {get_param: servers}
+ input_values:
+ update_identifier: {get_param: DeployIdentifier}
+
{% endfor %}
diff --git a/puppet/role.role.j2.yaml b/puppet/role.role.j2.yaml
index 570efb3a..409b0a33 100644
--- a/puppet/role.role.j2.yaml
+++ b/puppet/role.role.j2.yaml
@@ -398,7 +398,6 @@ resources:
NetworkDeployment:
type: OS::TripleO::SoftwareDeployment
depends_on: PreNetworkConfig
- condition: server_not_blacklisted
properties:
name: NetworkDeployment
config: {get_resource: NetworkConfig}
@@ -407,6 +406,11 @@ resources:
input_values:
bridge_name: br-ex
interface_name: {get_param: NeutronPublicInterface}
+ actions:
+ if:
+ - server_not_blacklisted
+ - {get_param: NetworkDeploymentActions}
+ - []
{{role}}UpgradeInitConfig:
type: OS::Heat::SoftwareConfig
@@ -425,22 +429,30 @@ resources:
{{role}}UpgradeInitDeployment:
type: OS::Heat::SoftwareDeployment
depends_on: NetworkDeployment
- condition: server_not_blacklisted
properties:
name: {{role}}UpgradeInitDeployment
server: {get_resource: {{role}}}
config: {get_resource: {{role}}UpgradeInitConfig}
+ actions:
+ if:
+ - server_not_blacklisted
+ - ['CREATE', 'UPDATE']
+ - []
{{role}}Deployment:
type: OS::Heat::StructuredDeployment
depends_on: {{role}}UpgradeInitDeployment
- condition: server_not_blacklisted
properties:
name: {{role}}Deployment
config: {get_resource: {{role}}Config}
server: {get_resource: {{role}}}
input_values:
enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]}
+ actions:
+ if:
+ - server_not_blacklisted
+ - ['CREATE', 'UPDATE']
+ - []
{{role}}Config:
type: OS::Heat::StructuredConfig
@@ -481,6 +493,7 @@ resources:
fqdn_tenant: {get_attr: [NetHostMap, value, tenant, fqdn]}
fqdn_management: {get_attr: [NetHostMap, value, management, fqdn]}
fqdn_ctlplane: {get_attr: [NetHostMap, value, ctlplane, fqdn]}
+ fqdn_external: {get_attr: [NetHostMap, value, external, fqdn]}
# Resource for site-specific injection of root certificate
NodeTLSCAData:
@@ -510,7 +523,6 @@ resources:
UpdateDeployment:
type: OS::Heat::SoftwareDeployment
depends_on: NetworkDeployment
- condition: server_not_blacklisted
properties:
name: UpdateDeployment
config: {get_resource: UpdateConfig}
@@ -518,6 +530,11 @@ resources:
input_values:
update_identifier:
get_param: UpdateIdentifier
+ actions:
+ if:
+ - server_not_blacklisted
+ - ['CREATE', 'UPDATE']
+ - []
SshHostPubKey:
type: OS::TripleO::Ssh::HostPubKey
diff --git a/puppet/services/certmonger-user.yaml b/puppet/services/certmonger-user.yaml
index 6ad451a8..0508c557 100644
--- a/puppet/services/certmonger-user.yaml
+++ b/puppet/services/certmonger-user.yaml
@@ -26,11 +26,28 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
+ EnableInternalTLS:
+ type: boolean
+ default: false
+ DefaultCRLURL:
+ default: 'http://ipa-ca/ipa/crl/MasterCRL.bin'
+ description: URI where to get the CRL to be configured in the nodes.
+ type: string
+
+conditions:
+
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
outputs:
role_data:
description: Role data for the certmonger-user service
value:
service_name: certmonger_user
+ config_settings:
+ tripleo::certmonger::ca::crl::crl_source:
+ if:
+ - internal_tls_enabled
+ - {get_param: DefaultCRLURL}
+ - null
step_config: |
include ::tripleo::profile::base::certmonger_user
diff --git a/puppet/services/cinder-backend-dellsc.yaml b/puppet/services/cinder-backend-dellsc.yaml
index a201134c..c0bffb18 100644
--- a/puppet/services/cinder-backend-dellsc.yaml
+++ b/puppet/services/cinder-backend-dellsc.yaml
@@ -61,6 +61,9 @@ parameters:
CinderDellScSecondaryScApiPort:
type: number
default: 3033
+ CinderDellScExcludedDomainIp:
+ type: string
+ default: ''
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
@@ -105,5 +108,6 @@ outputs:
cinder::backend::dellsc_iscsi::secondary_san_login: {get_param: CinderDellScSecondarySanLogin}
cinder::backend::dellsc_iscsi::secondary_san_password: {get_param: CinderDellScSecondarySanPassword}
cinder::backend::dellsc_iscsi::secondary_sc_api_port: {get_param: CinderDellScSecondaryScApiPort}
+ cinder::backend::dellsc_iscsi::excluded_domain_ip: {get_param: CinderDellScExcludedDomainIp}
step_config: |
include ::tripleo::profile::base::cinder::volume
diff --git a/puppet/services/cinder-backend-netapp.yaml b/puppet/services/cinder-backend-netapp.yaml
index bddc8e1a..fbde4c0a 100644
--- a/puppet/services/cinder-backend-netapp.yaml
+++ b/puppet/services/cinder-backend-netapp.yaml
@@ -93,6 +93,12 @@ parameters:
CinderNetappWebservicePath:
type: string
default: '/devmgr/v2'
+ CinderNetappNasSecureFileOperations:
+ type: string
+ default: 'false'
+ CinderNetappNasSecureFilePermissions:
+ type: string
+ default: 'false'
# DEPRECATED options for compatibility with older versions
CinderNetappEseriesHostType:
type: string
@@ -133,5 +139,7 @@ outputs:
cinder::backend::netapp::netapp_storage_pools: {get_param: CinderNetappStoragePools}
cinder::backend::netapp::netapp_host_type: {get_param: CinderNetappHostType}
cinder::backend::netapp::netapp_webservice_path: {get_param: CinderNetappWebservicePath}
+ cinder::backend::netapp::nas_secure_file_operations: {get_param: CinderNetappNasSecureFileOperations}
+ cinder::backend::netapp::nas_secure_file_permissions: {get_param: CinderNetappNasSecureFilePermissions}
step_config: |
include ::tripleo::profile::base::cinder::volume
diff --git a/puppet/services/cinder-volume.yaml b/puppet/services/cinder-volume.yaml
index fe95222b..1f8c345d 100644
--- a/puppet/services/cinder-volume.yaml
+++ b/puppet/services/cinder-volume.yaml
@@ -40,6 +40,20 @@ parameters:
NFS servers used by Cinder NFS backend. Effective when
CinderEnableNfsBackend is true.
type: comma_delimited_list
+ CinderNasSecureFileOperations:
+ default: false
+ description: >
+ Controls whether security enhanced NFS file operations are enabled.
+ Valid values are 'auto', 'true' or 'false'. Effective when
+ CinderEnableNfsBackend is true.
+ type: string
+ CinderNasSecureFilePermissions:
+ default: false
+ description: >
+ Controls whether security enhanced NFS file permissions are enabled.
+ Valid values are 'auto', 'true' or 'false'. Effective when
+ CinderEnableNfsBackend is true.
+ type: string
CinderRbdPoolName:
default: volumes
type: string
@@ -105,6 +119,8 @@ outputs:
tripleo::profile::base::cinder::volume::cinder_enable_rbd_backend: {get_param: CinderEnableRbdBackend}
tripleo::profile::base::cinder::volume::nfs::cinder_nfs_mount_options: {get_param: CinderNfsMountOptions}
tripleo::profile::base::cinder::volume::nfs::cinder_nfs_servers: {get_param: CinderNfsServers}
+ tripleo::profile::base::cinder::volume::nfs::cinder_nas_secure_file_operations: {get_param: CinderNasSecureFileOperations}
+ tripleo::profile::base::cinder::volume::nfs::cinder_nas_secure_file_permissions: {get_param: CinderNasSecureFilePermissions}
tripleo::profile::base::cinder::volume::iscsi::cinder_lvm_loop_device_size: {get_param: CinderLVMLoopDeviceSize}
tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_helper: {get_param: CinderISCSIHelper}
tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_protocol: {get_param: CinderISCSIProtocol}
diff --git a/puppet/services/disabled/ceilometer-expirer-disabled.yaml b/puppet/services/disabled/ceilometer-expirer-disabled.yaml
index 9b7b47ef..7be394b6 100644
--- a/puppet/services/disabled/ceilometer-expirer-disabled.yaml
+++ b/puppet/services/disabled/ceilometer-expirer-disabled.yaml
@@ -27,24 +27,12 @@ parameters:
via parameter_defaults in the resource registry.
type: json
-resources:
- CeilometerServiceBase:
- type: ../ceilometer-base.yaml
- properties:
- ServiceNetMap: {get_param: ServiceNetMap}
- DefaultPasswords: {get_param: DefaultPasswords}
- EndpointMap: {get_param: EndpointMap}
- RoleName: {get_param: RoleName}
- RoleParameters: {get_param: RoleParameters}
-
outputs:
role_data:
description: Role data for the disabling Ceilometer Expirer role.
value:
service_name: ceilometer_expirer_disabled
- config_settings:
- map_merge:
- - get_attr: [CeilometerServiceBase, role_data, config_settings]
- - ceilometer::expirer::enable_cron: false
- step_config: |
- include ::tripleo::profile::base::ceilometer::expirer
+ upgrade_tasks:
+ - name: Remove ceilometer expirer cron tab on upgrade
+ tags: step1
+ shell: '/usr/bin/crontab -u ceilometer -r'
diff --git a/puppet/services/gnocchi-base.yaml b/puppet/services/gnocchi-base.yaml
index f4067ef6..b4af7e85 100644
--- a/puppet/services/gnocchi-base.yaml
+++ b/puppet/services/gnocchi-base.yaml
@@ -34,6 +34,10 @@ parameters:
default: 30
description: Delay between processing metrics.
type: number
+ NumberOfStorageSacks:
+ default: 128
+ description: Number of storage sacks to create.
+ type: number
GnocchiPassword:
description: The password for the gnocchi service and db account.
type: string
@@ -87,7 +91,11 @@ outputs:
query:
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
- gnocchi::db::sync::extra_opts: ''
+ gnocchi::db::sync::extra_opts:
+ str_replace:
+ template: " --sacks-number NUM_SACKS"
+ params:
+ NUM_SACKS: {get_param: NumberOfStorageSacks}
gnocchi::storage::metric_processing_delay: {get_param: MetricProcessingDelay}
gnocchi::storage::swift::swift_user: 'service:gnocchi'
gnocchi::storage::swift::swift_auth_version: 3
diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml
index a71491c0..619cf131 100644
--- a/puppet/services/haproxy.yaml
+++ b/puppet/services/haproxy.yaml
@@ -50,6 +50,11 @@ parameters:
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
+ InternalTLSCRLPEMFile:
+ default: '/etc/pki/CA/crl/overcloud-crl.pem'
+ type: string
+ description: Specifies the default CRL PEM file to use for revocation if
+ TLS is used for services in the internal network.
resources:
@@ -89,6 +94,7 @@ outputs:
tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
tripleo::haproxy::redis_password: {get_param: RedisPassword}
tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
+ tripleo::haproxy::crl_file: {get_param: InternalTLSCRLPEMFile}
tripleo::profile::base::haproxy::certificates_specs:
map_merge:
- get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml
index 93bced8b..092d0720 100644
--- a/puppet/services/horizon.yaml
+++ b/puppet/services/horizon.yaml
@@ -55,7 +55,7 @@ parameters:
HorizonSecureCookies:
description: Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
type: boolean
- default: true
+ default: false
MemcachedIPv6:
default: false
description: Enable IPv6 features in Memcached.
diff --git a/puppet/services/ironic-conductor.yaml b/puppet/services/ironic-conductor.yaml
index b1676715..0e8c8e12 100644
--- a/puppet/services/ironic-conductor.yaml
+++ b/puppet/services/ironic-conductor.yaml
@@ -164,6 +164,12 @@ outputs:
ironic::my_ip: {get_param: [ServiceNetMap, IronicNetwork]}
ironic::pxe::common::http_port: {get_param: IronicIPXEPort}
# Credentials to access other services
+ ironic::cinder::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+ ironic::cinder::username: 'ironic'
+ ironic::cinder::password: {get_param: IronicPassword}
+ ironic::cinder::project_name: 'service'
+ ironic::cinder::user_domain_name: 'Default'
+ ironic::cinder::project_domain_name: 'Default'
ironic::glance::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
ironic::glance::username: 'ironic'
ironic::glance::password: {get_param: IronicPassword}
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index f3a9cbc4..af494016 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -113,10 +113,23 @@ parameters:
description: The second Keystone credential key. Must be a valid key.
KeystoneFernetKey0:
type: string
- description: The first Keystone fernet key. Must be a valid key.
+ default: ''
+ description: (DEPRECATED) The first Keystone fernet key. Must be a valid key.
KeystoneFernetKey1:
type: string
- description: The second Keystone fernet key. Must be a valid key.
+ default: ''
+ description: (DEPRECATED) The second Keystone fernet key. Must be a valid key.
+ KeystoneFernetKeys:
+ type: json
+ description: Mapping containing keystone's fernet keys and their paths.
+ ManageKeystoneFernetKeys:
+ type: boolean
+ default: true
+ description: Whether TripleO should manage the keystone fernet keys or not.
+ If set to true, the fernet keys will get the values from the
+ saved keys repository in mistral (the KeystoneFernetKeys
+ variable). If set to false, only the stack creation
+ initializes the keys, but subsequent updates won't touch them.
KeystoneLoggingSource:
type: json
default:
@@ -187,6 +200,17 @@ parameters:
default: {}
hidden: true
+parameter_groups:
+- label: deprecated
+ description: |
+ The following parameters are deprecated and will be removed. They should not
+ be relied on for new deployments. If you have concerns regarding deprecated
+ parameters, please contact the TripleO development team on IRC or the
+ OpenStack mailing list.
+ parameters:
+ - KeystoneFernetKey0
+ - KeystoneFernetKey1
+
resources:
ApacheServiceBase:
@@ -241,12 +265,8 @@ outputs:
content: {get_param: KeystoneCredential0}
'/etc/keystone/credential-keys/1':
content: {get_param: KeystoneCredential1}
- keystone::fernet_keys:
- '/etc/keystone/fernet-keys/0':
- content: {get_param: KeystoneFernetKey0}
- '/etc/keystone/fernet-keys/1':
- content: {get_param: KeystoneFernetKey1}
- keystone::fernet_replace_keys: false
+ keystone::fernet_keys: {get_param: KeystoneFernetKeys}
+ keystone::fernet_replace_keys: {get_param: ManageKeystoneFernetKeys}
keystone::debug:
if:
- service_debug_unset
diff --git a/puppet/services/neutron-sriov-agent.yaml b/puppet/services/neutron-sriov-agent.yaml
index c124d1e6..090640ed 100644
--- a/puppet/services/neutron-sriov-agent.yaml
+++ b/puppet/services/neutron-sriov-agent.yaml
@@ -65,6 +65,24 @@ resources:
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
+ # Merging role-specific parameters (RoleParameters) with the default parameters.
+ # RoleParameters will have the precedence over the default parameters.
+ RoleParametersValue:
+ type: OS::Heat::Value
+ properties:
+ type: json
+ value:
+ map_replace:
+ - map_replace:
+ - neutron::agents::ml2::sriov::physical_device_mappings: NeutronPhysicalDevMappings
+ neutron::agents::ml2::sriov::exclude_devices: NeutronExcludeDevices
+ tripleo::host::sriov::number_of_vfs: NeutronSriovNumVFs
+ - values: {get_param: [RoleParameters]}
+ - values:
+ NeutronPhysicalDevMappings: {get_param: NeutronPhysicalDevMappings}
+ NeutronExcludeDevices: {get_param: NeutronExcludeDevices}
+ NeutronSriovNumVFs: {get_param: NeutronSriovNumVFs}
+
outputs:
role_data:
description: Role data for the Neutron SR-IOV nic agent service.
@@ -73,8 +91,6 @@ outputs:
config_settings:
map_merge:
- get_attr: [NeutronBase, role_data, config_settings]
- - neutron::agents::ml2::sriov::physical_device_mappings: {get_param: NeutronPhysicalDevMappings}
- neutron::agents::ml2::sriov::exclude_devices: {get_param: NeutronExcludeDevices}
- tripleo::host::sriov::number_of_vfs: {get_param: NeutronSriovNumVFs}
+ - get_attr: [RoleParametersValue, value]
step_config: |
include ::tripleo::profile::base::neutron::sriov
diff --git a/puppet/services/nova-compute.yaml b/puppet/services/nova-compute.yaml
index e39e997a..68a71e42 100644
--- a/puppet/services/nova-compute.yaml
+++ b/puppet/services/nova-compute.yaml
@@ -105,6 +105,22 @@ resources:
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
+ # Merging role-specific parameters (RoleParameters) with the default parameters.
+ # RoleParameters will have the precedence over the default parameters.
+ RoleParametersValue:
+ type: OS::Heat::Value
+ properties:
+ type: json
+ value:
+ map_replace:
+ - map_replace:
+ - nova::compute::vcpu_pin_set: NovaVcpuPinSet
+ nova::compute::reserved_host_memory: NovaReservedHostMemory
+ - values: {get_param: [RoleParameters]}
+ - values:
+ NovaVcpuPinSet: {get_param: NovaVcpuPinSet}
+ NovaReservedHostMemory: {get_param: NovaReservedHostMemory}
+
outputs:
role_data:
description: Role data for the Nova Compute service.
@@ -117,14 +133,18 @@ outputs:
config_settings:
map_merge:
- get_attr: [NovaBase, role_data, config_settings]
+ - get_attr: [RoleParametersValue, value]
- nova::compute::libvirt::manage_libvirt_services: false
nova::compute::pci_passthrough:
str_replace:
template: "JSON_PARAM"
params:
- JSON_PARAM: {get_param: NovaPCIPassthrough}
- nova::compute::vcpu_pin_set: {get_param: NovaVcpuPinSet}
- nova::compute::reserved_host_memory: {get_param: NovaReservedHostMemory}
+ map_replace:
+ - map_replace:
+ - JSON_PARAM: NovaPCIPassthrough
+ - values: {get_param: [RoleParameters]}
+ - values:
+ NovaPCIPassthrough: {get_param: NovaPCIPassthrough}
# we manage migration in nova common puppet profile
nova::compute::libvirt::migration_support: false
tripleo::profile::base::nova::manage_migration: true
diff --git a/puppet/services/pacemaker_remote.yaml b/puppet/services/pacemaker_remote.yaml
index 74aaf599..c49b0848 100644
--- a/puppet/services/pacemaker_remote.yaml
+++ b/puppet/services/pacemaker_remote.yaml
@@ -34,6 +34,42 @@ parameters:
MonitoringSubscriptionPacemakerRemote:
default: 'overcloud-pacemaker_remote'
type: string
+ EnableFencing:
+ default: false
+ description: Whether to enable fencing in Pacemaker or not.
+ type: boolean
+ FencingConfig:
+ default: {}
+ description: |
+ Pacemaker fencing configuration. The JSON should have
+ the following structure:
+ {
+ "devices": [
+ {
+ "agent": "AGENT_NAME",
+ "host_mac": "HOST_MAC_ADDRESS",
+ "params": {"PARAM_NAME": "PARAM_VALUE"}
+ }
+ ]
+ }
+ For instance:
+ {
+ "devices": [
+ {
+ "agent": "fence_xvm",
+ "host_mac": "52:54:00:aa:bb:cc",
+ "params": {
+ "multicast_address": "225.0.0.12",
+ "port": "baremetal_0",
+ "manage_fw": true,
+ "manage_key_file": true,
+ "key_file": "/etc/fence_xvm.key",
+ "key_file_password": "abcdef"
+ }
+ }
+ ]
+ }
+ type: json
PacemakerRemoteLoggingSource:
type: json
default:
@@ -60,6 +96,8 @@ outputs:
proto: 'tcp'
dport:
- 3121
+ tripleo::fencing::config: {get_param: FencingConfig}
+ enable_fencing: {get_param: EnableFencing}
tripleo::profile::base::pacemaker_remote::remote_authkey: {get_param: PacemakerRemoteAuthkey}
step_config: |
include ::tripleo::profile::base::pacemaker_remote
diff --git a/puppet/services/panko-api.yaml b/puppet/services/panko-api.yaml
index a41e34f7..0289b7a7 100644
--- a/puppet/services/panko-api.yaml
+++ b/puppet/services/panko-api.yaml
@@ -84,8 +84,8 @@ outputs:
tripleo.panko_api.firewall_rules:
'140 panko-api':
dport:
- - 8779
- - 13779
+ - 8977
+ - 13977
panko::api::host:
str_replace:
template: