diff options
Diffstat (limited to 'puppet')
| -rw-r--r-- | puppet/all-nodes-config.yaml | 16 | ||||
| -rw-r--r-- | puppet/services/aodh-api.yaml | 1 | ||||
| -rw-r--r-- | puppet/services/ceilometer-api.yaml | 1 | ||||
| -rw-r--r-- | puppet/services/glance-api.yaml | 150 | ||||
| -rw-r--r-- | puppet/services/glance-base.yaml | 110 | ||||
| -rw-r--r-- | puppet/services/glance-registry.yaml | 76 | ||||
| -rw-r--r-- | puppet/services/gnocchi-api.yaml | 1 | ||||
| -rw-r--r-- | puppet/services/haproxy-internal-tls-certmonger.yaml | 51 | ||||
| -rw-r--r-- | puppet/services/haproxy-public-tls-certmonger.yaml | 37 | ||||
| -rw-r--r-- | puppet/services/haproxy.yaml | 43 | ||||
| -rw-r--r-- | puppet/services/kernel.yaml | 4 | ||||
| -rw-r--r-- | puppet/services/nova-api.yaml | 90 | ||||
| -rw-r--r-- | puppet/services/nova-conductor.yaml | 11 | ||||
| -rw-r--r-- | puppet/services/nova-metadata.yaml | 14 | ||||
| -rw-r--r-- | puppet/services/swift-proxy.yaml | 2 |
15 files changed, 407 insertions, 200 deletions
diff --git a/puppet/all-nodes-config.yaml b/puppet/all-nodes-config.yaml index cae60aab..cc5e4eac 100644 --- a/puppet/all-nodes-config.yaml +++ b/puppet/all-nodes-config.yaml @@ -12,8 +12,6 @@ parameters: type: string cloud_name_ctlplane: type: string - hosts: - type: comma_delimited_list # FIXME(shardy) this can be comma_delimited_list when # https://bugs.launchpad.net/heat/+bug/1617019 is fixed enabled_services: @@ -64,6 +62,9 @@ parameters: CertmongerCA: type: string default: 'IPA' + EnableInternalTLS: + type: boolean + default: false resources: @@ -72,10 +73,6 @@ resources: properties: group: os-apply-config config: - hosts: - list_join: - - "\n" - - {get_param: hosts} hiera: datafiles: bootstrap_node: @@ -207,15 +204,10 @@ resources: cloud_name_ctlplane: {get_param: cloud_name_ctlplane} # TLS parameters certmonger_ca: {get_param: CertmongerCA} + enable_internal_tls: {get_param: EnableInternalTLS} outputs: config_id: description: The ID of the allNodesConfigImpl resource. value: {get_resource: allNodesConfigImpl} - hosts_entries: - description: | - The content that should be appended to your /etc/hosts if you want to get - hostname-based access to the deployed nodes (useful for testing without - setting up a DNS). - value: {get_attr: [allNodesConfigImpl, config, hosts]} diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml index f4f5bad8..da043c80 100644 --- a/puppet/services/aodh-api.yaml +++ b/puppet/services/aodh-api.yaml @@ -60,6 +60,7 @@ outputs: params: $NETWORK: {get_param: [ServiceNetMap, AodhApiNetwork]} aodh::api::service_name: 'httpd' + aodh::api::enable_proxy_headers_parsing: true tripleo.aodh_api.firewall_rules: '128 aodh-api': dport: diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml index ecea38b2..27c32bfd 100644 --- a/puppet/services/ceilometer-api.yaml +++ b/puppet/services/ceilometer-api.yaml @@ -68,6 +68,7 @@ outputs: # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - ceilometer::api::service_name: 'httpd' + ceilometer::api::enable_proxy_headers_parsing: true ceilometer::api::host: {get_param: [ServiceNetMap, CeilometerApiNetwork]} ceilometer::wsgi::apache::bind_host: {get_param: [ServiceNetMap, CeilometerApiNetwork]} ceilometer::wsgi::apache::ssl: false diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml index 80ba9aef..33abdbf9 100644 --- a/puppet/services/glance-api.yaml +++ b/puppet/services/glance-api.yaml @@ -18,32 +18,14 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json - CephClientUserName: - default: openstack - type: string Debug: default: '' description: Set to True to enable debugging on all services. type: string - GlanceNotifierStrategy: - description: Strategy to use for Glance notification queue - type: string - default: noop - GlanceLogFile: - description: The filepath of the file to use for logging messages from Glance. - type: string - default: '' GlancePassword: description: The password for the glance service and db account, used by the glance services. type: string hidden: true - GlanceBackend: - default: swift - description: The short name of the Glance backend to use. Should be one - of swift, rbd, or file - type: string - constraints: - - allowed_values: ['swift', 'file', 'rbd'] GlanceWorkers: default: '' description: | @@ -55,31 +37,6 @@ parameters: memory consumption. It is recommended that a suitable non-default value be selected on such systems. type: string - GlanceRbdPoolName: - default: images - type: string - RabbitPassword: - description: The password for RabbitMQ - type: string - hidden: true - RabbitUserName: - default: guest - description: The username for RabbitMQ - type: string - RabbitClientPort: - default: 5672 - description: Set rabbit subscriber port, change this if using SSL - type: number - RabbitClientUseSSL: - default: false - description: > - Rabbit client subscriber parameter to specify - an SSL connection to the RabbitMQ host. - type: string - KeystoneRegion: - type: string - default: 'regionOne' - description: Keystone region for endpoint MonitoringSubscriptionGlanceApi: default: 'overcloud-glance-api' type: string @@ -89,6 +46,14 @@ parameters: tag: openstack.glance.api path: /var/log/glance/api.log +resources: + GlanceBase: + type: ./glance-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + outputs: role_data: description: Role data for the Glance API role. @@ -99,65 +64,46 @@ outputs: logging_groups: - glance config_settings: - glance::api::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://glance:' - - {get_param: GlancePassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/glance' - glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]} - glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } - glance::api::registry_host: - str_replace: - template: "'REGISTRY_HOST'" - params: - REGISTRY_HOST: {get_param: [EndpointMap, GlanceRegistryInternal, host]} - glance::api::registry_client_protocol: {get_param: [EndpointMap, GlanceRegistryInternal, protocol] } - glance::api::authtoken::password: {get_param: GlancePassword} - glance::api::enable_proxy_headers_parsing: true - glance::api::debug: {get_param: Debug} - glance::api::workers: {get_param: GlanceWorkers} - glance_notifier_strategy: {get_param: GlanceNotifierStrategy} - glance_log_file: {get_param: GlanceLogFile} - glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneInternal, uri] } - glance::backend::swift::swift_store_user: service:glance - glance::backend::swift::swift_store_key: {get_param: GlancePassword} - glance::backend::swift::swift_store_create_container_on_put: true - glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName} - glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName} - glance_backend: {get_param: GlanceBackend} - glance::notify::rabbitmq::rabbit_userid: {get_param: RabbitUserName} - glance::notify::rabbitmq::rabbit_port: {get_param: RabbitClientPort} - glance::notify::rabbitmq::rabbit_password: {get_param: RabbitPassword} - glance::notify::rabbitmq::rabbit_use_ssl: {get_param: RabbitClientUseSSL} - glance::registry::db::database_db_max_retries: -1 - glance::registry::db::database_max_retries: -1 - tripleo.glance_api.firewall_rules: - '112 glance_api': - dport: - - 9292 - - 13292 - glance::api::authtoken::project_name: 'service' - glance::api::pipeline: 'keystone' - glance::api::show_image_direct_url: true - # NOTE: bind IP is found in Heat replacing the network name with the - # local node IP for the given network; replacement examples - # (eg. for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - glance::api::bind_host: {get_param: [ServiceNetMap, GlanceApiNetwork]} + map_merge: + - get_attr: [GlanceBase, role_data, config_settings] + - glance::api::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://glance:' + - {get_param: GlancePassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/glance' + glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]} + glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + glance::api::registry_host: + str_replace: + template: "'REGISTRY_HOST'" + params: + REGISTRY_HOST: {get_param: [EndpointMap, GlanceRegistryInternal, host]} + glance::api::registry_client_protocol: {get_param: [EndpointMap, GlanceRegistryInternal, protocol] } + glance::api::authtoken::password: {get_param: GlancePassword} + glance::api::enable_proxy_headers_parsing: true + glance::api::debug: {get_param: Debug} + glance::api::workers: {get_param: GlanceWorkers} + tripleo.glance_api.firewall_rules: + '112 glance_api': + dport: + - 9292 + - 13292 + glance::api::authtoken::project_name: 'service' + glance::api::pipeline: 'keystone' + glance::api::show_image_direct_url: true + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + glance::api::bind_host: {get_param: [ServiceNetMap, GlanceApiNetwork]} step_config: | include ::tripleo::profile::base::glance::api service_config_settings: - keystone: - glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]} - glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]} - glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]} - glance::keystone::auth::password: {get_param: GlancePassword } - glance::keystone::auth::region: {get_param: KeystoneRegion} - glance::keystone::auth::tenant: 'service' + get_attr: [GlanceBase, role_data, service_config_settings] diff --git a/puppet/services/glance-base.yaml b/puppet/services/glance-base.yaml new file mode 100644 index 00000000..3294fc0f --- /dev/null +++ b/puppet/services/glance-base.yaml @@ -0,0 +1,110 @@ +heat_template_version: 2016-10-14 + +description: > + OpenStack Glance Common settings with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + CephClientUserName: + default: openstack + type: string + Debug: + default: '' + description: Set to True to enable debugging on all services. + type: string + GlanceNotifierStrategy: + description: Strategy to use for Glance notification queue + type: string + default: noop + GlanceLogFile: + description: The filepath of the file to use for logging messages from Glance. + type: string + default: '' + GlancePassword: + description: The password for the glance service and db account, used by the glance services. + type: string + hidden: true + GlanceBackend: + default: swift + description: The short name of the Glance backend to use. Should be one + of swift, rbd, or file + type: string + constraints: + - allowed_values: ['swift', 'file', 'rbd'] + GlanceRbdPoolName: + default: images + type: string + RabbitPassword: + description: The password for RabbitMQ + type: string + hidden: true + RabbitUserName: + default: guest + description: The username for RabbitMQ + type: string + RabbitClientPort: + default: 5672 + description: Set rabbit subscriber port, change this if using SSL + type: number + RabbitClientUseSSL: + default: false + description: > + Rabbit client subscriber parameter to specify + an SSL connection to the RabbitMQ host. + type: string + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + +outputs: + role_data: + description: Role data for the Glance common role. + value: + service_name: glance_base + config_settings: + glance_notifier_strategy: {get_param: GlanceNotifierStrategy} + glance_log_file: {get_param: GlanceLogFile} + glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneInternal, uri] } + glance::backend::swift::swift_store_user: service:glance + glance::backend::swift::swift_store_key: {get_param: GlancePassword} + glance::backend::swift::swift_store_create_container_on_put: true + glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName} + glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName} + glance_backend: {get_param: GlanceBackend} + glance::notify::rabbitmq::rabbit_userid: {get_param: RabbitUserName} + glance::notify::rabbitmq::rabbit_port: {get_param: RabbitClientPort} + glance::notify::rabbitmq::rabbit_password: {get_param: RabbitPassword} + glance::notify::rabbitmq::rabbit_use_ssl: {get_param: RabbitClientUseSSL} + glance::notify::rabbitmq::notification_driver: messagingv2 + glance::registry::db::database_db_max_retries: -1 + glance::registry::db::database_max_retries: -1 + service_config_settings: + keystone: + glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]} + glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]} + glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]} + glance::keystone::auth::password: {get_param: GlancePassword } + glance::keystone::auth::region: {get_param: KeystoneRegion} + glance::keystone::auth::tenant: 'service' + mysql: + glance::db::mysql::password: {get_param: GlancePassword} + glance::db::mysql::user: glance + glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + glance::db::mysql::dbname: glance + glance::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/glance-registry.yaml b/puppet/services/glance-registry.yaml index 30df67fe..c45582d4 100644 --- a/puppet/services/glance-registry.yaml +++ b/puppet/services/glance-registry.yaml @@ -46,6 +46,14 @@ parameters: tag: openstack.glance.registry path: /var/log/glance/registry.log +resources: + GlanceBase: + type: ./glance-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + outputs: role_data: description: Role data for the Glance Registry role. @@ -56,43 +64,37 @@ outputs: logging_groups: - glance config_settings: - glance::registry::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://glance:' - - {get_param: GlancePassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/glance' - glance::registry::authtoken::password: {get_param: GlancePassword} - glance::registry::authtoken::project_name: 'service' - glance::registry::pipeline: 'keystone' - glance::registry::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - glance::registry::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } - glance::registry::debug: {get_param: Debug} - glance::registry::workers: {get_param: GlanceWorkers} - glance::registry::db::database_db_max_retries: -1 - glance::registry::db::database_max_retries: -1 - tripleo.glance_registry.firewall_rules: - '112 glance_registry': - dport: - - 9191 - # NOTE: bind IP is found in Heat replacing the network name with the - # local node IP for the given network; replacement examples - # (eg. for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - glance::registry::bind_host: {get_param: [ServiceNetMap, GlanceRegistryNetwork]} + map_merge: + - get_attr: [GlanceBase, role_data, config_settings] + + - glance::registry::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://glance:' + - {get_param: GlancePassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/glance' + glance::registry::authtoken::password: {get_param: GlancePassword} + glance::registry::authtoken::project_name: 'service' + glance::registry::pipeline: 'keystone' + glance::registry::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + glance::registry::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + glance::registry::debug: {get_param: Debug} + glance::registry::workers: {get_param: GlanceWorkers} + tripleo.glance_registry.firewall_rules: + '112 glance_registry': + dport: + - 9191 + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + glance::registry::bind_host: {get_param: [ServiceNetMap, GlanceRegistryNetwork]} step_config: | include ::tripleo::profile::base::glance::registry service_config_settings: - mysql: - glance::db::mysql::password: {get_param: GlancePassword} - glance::db::mysql::user: glance - glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - glance::db::mysql::dbname: glance - glance::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" + get_attr: [GlanceBase, role_data, config_settings] diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml index 15121790..e3397769 100644 --- a/puppet/services/gnocchi-api.yaml +++ b/puppet/services/gnocchi-api.yaml @@ -77,6 +77,7 @@ outputs: - 8041 - 13041 gnocchi::api::enabled: true + gnocchi::api::enable_proxy_headers_parsing: true gnocchi::api::service_name: 'httpd' gnocchi::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} diff --git a/puppet/services/haproxy-internal-tls-certmonger.yaml b/puppet/services/haproxy-internal-tls-certmonger.yaml new file mode 100644 index 00000000..c6d53542 --- /dev/null +++ b/puppet/services/haproxy-internal-tls-certmonger.yaml @@ -0,0 +1,51 @@ +heat_template_version: 2016-10-14 + +description: > + HAProxy deployment with TLS enabled, powered by certmonger + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for the HAProxy internal TLS via certmonger role. + value: + service_name: haproxy_internal_tls_certmonger + config_settings: + generate_service_certificates: true + tripleo::haproxy::use_internal_certificates: true + certificates_specs: + map_merge: + repeat: + template: + haproxy-NETWORK: + service_pem: '/etc/pki/tls/certs/overcloud-haproxy-NETWORK.pem' + service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-NETWORK.crt' + service_key: '/etc/pki/tls/private/overcloud-haproxy-NETWORK.key' + hostname: "%{hiera('cloud_name_NETWORK')}" + postsave_cmd: "" # TODO + principal: "haproxy/%{hiera('cloud_name_NETWORK')}" + for_each: + NETWORK: + # NOTE(jaosorior) Get unique network names to create + # certificates for those. We skip the tenant network since + # we don't need a certificate for that, and the external + # network will be handled in another template. + yaql: + expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) + data: + map: + get_param: ServiceNetMap diff --git a/puppet/services/haproxy-public-tls-certmonger.yaml b/puppet/services/haproxy-public-tls-certmonger.yaml new file mode 100644 index 00000000..1551d16a --- /dev/null +++ b/puppet/services/haproxy-public-tls-certmonger.yaml @@ -0,0 +1,37 @@ +heat_template_version: 2016-10-14 + +description: > + HAProxy deployment with TLS enabled, powered by certmonger + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for the HAProxy public TLS via certmonger role. + value: + service_name: haproxy_public_tls_certmonger + config_settings: + generate_service_certificates: true + tripleo::haproxy::service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-external.pem' + certificates_specs: + haproxy-external: + service_pem: '/etc/pki/tls/certs/overcloud-haproxy-external.pem' + service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-external.crt' + service_key: '/etc/pki/tls/private/overcloud-haproxy-external.key' + hostname: "%{hiera('cloud_name_external')}" + postsave_cmd: "" # TODO + principal: "haproxy/%{hiera('cloud_name_external')}" diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml index 974928c5..0813cb7e 100644 --- a/puppet/services/haproxy.yaml +++ b/puppet/services/haproxy.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > HAproxy service configured with Puppet @@ -48,6 +48,22 @@ parameters: default: 'overcloud-haproxy' type: string +resources: + + HAProxyPublicTLS: + type: OS::TripleO::Services::HAProxyPublicTLS + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + + HAProxyInternalTLS: + type: OS::TripleO::Services::HAProxyInternalTLS + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + outputs: role_data: description: Role data for the HAproxy role. @@ -55,14 +71,21 @@ outputs: service_name: haproxy monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy} config_settings: - tripleo.haproxy.firewall_rules: - '107 haproxy stats': - dport: 1993 - tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress} - tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser} - tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword} - tripleo::haproxy::redis_password: {get_param: RedisPassword} - tripleo::haproxy::control_virtual_interface: {get_param: ControlVirtualInterface} - tripleo::haproxy::public_virtual_interface: {get_param: PublicVirtualInterface} + map_merge: + - get_attr: [HAProxyPublicTLS, role_data, config_settings] + - get_attr: [HAProxyInternalTLS, role_data, config_settings] + - tripleo.haproxy.firewall_rules: + '107 haproxy stats': + dport: 1993 + tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress} + tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser} + tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword} + tripleo::haproxy::redis_password: {get_param: RedisPassword} + tripleo::haproxy::control_virtual_interface: {get_param: ControlVirtualInterface} + tripleo::haproxy::public_virtual_interface: {get_param: PublicVirtualInterface} + tripleo::profile::base::haproxy::certificates_specs: + map_merge: + - get_attr: [HAProxyPublicTLS, role_data, certificates_specs] + - get_attr: [HAProxyInternalTLS, role_data, certificates_specs] step_config: | include ::tripleo::profile::base::haproxy diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml index 2f01578e..1fc88bf1 100644 --- a/puppet/services/kernel.yaml +++ b/puppet/services/kernel.yaml @@ -39,8 +39,12 @@ outputs: net.netfilter.nf_conntrack_max: value: 500000 # prevent neutron bridges from autoconfiguring ipv6 addresses + net.ipv6.conf.all.accept_ra: + value: 0 net.ipv6.conf.default.accept_ra: value: 0 + net.ipv6.conf.all.autoconf: + value: 0 net.ipv6.conf.default.autoconf: value: 0 net.core.netdev_max_backlog: diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml index b2ec0038..a12742ff 100644 --- a/puppet/services/nova-api.yaml +++ b/puppet/services/nova-api.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > OpenStack Nova API service configured with Puppet @@ -52,7 +52,17 @@ parameters: tag: openstack.nova.api path: /var/log/nova/nova-api.log +conditions: + nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} + resources: + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + NovaBase: type: ./nova-base.yaml properties: @@ -71,40 +81,52 @@ outputs: - nova config_settings: map_merge: - - get_attr: [NovaBase, role_data, config_settings] + - get_attr: [NovaBase, role_data, config_settings] + - get_attr: [ApacheServiceBase, role_data, config_settings] + - nova::cron::archive_deleted_rows::hour: '"*/12"' + nova::cron::archive_deleted_rows::destination: '"/dev/null"' + tripleo.nova_api.firewall_rules: + '113 nova_api': + dport: + - 6080 + - 13080 + - 8773 + - 3773 + - 8774 + - 13774 + - 8775 + nova::keystone::authtoken::project_name: 'service' + nova::keystone::authtoken::password: {get_param: NovaPassword} + nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + nova::api::enabled: true + nova::api::default_floating_pool: 'public' + nova::api::sync_db_api: true + nova::api::enable_proxy_headers_parsing: true + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + nova::api::api_bind_address: {get_param: [ServiceNetMap, NovaApiNetwork]} + nova::wsgi::apache::ssl: false + nova::wsgi::apache::bind_host: {get_param: [ServiceNetMap, NovaApiNetwork]} + nova::wsgi::apache::servername: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} + nova::wsgi::apache::workers: {get_param: NovaWorkers} + nova::wsgi::apache::bind_host: {get_param: [ServiceNetMap, NovaApiNetwork]} + nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} + nova::api::instance_name_template: {get_param: InstanceNameTemplate} + nova_enable_db_purge: {get_param: NovaEnableDBPurge} + - + if: + - nova_workers_zero + - {} - nova::api::osapi_compute_workers: {get_param: NovaWorkers} - nova::api::metadata_workers: {get_param: NovaWorkers} - nova::cron::archive_deleted_rows::hour: '"*/12"' - nova::cron::archive_deleted_rows::destination: '"/dev/null"' - tripleo.nova_api.firewall_rules: - '113 nova_api': - dport: - - 6080 - - 13080 - - 8773 - - 3773 - - 8774 - - 13774 - - 8775 - nova::keystone::authtoken::project_name: 'service' - nova::keystone::authtoken::password: {get_param: NovaPassword} - nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} - nova::api::enabled: true - nova::api::default_floating_pool: 'public' - nova::api::sync_db_api: true - nova::api::enable_proxy_headers_parsing: true - # NOTE: bind IP is found in Heat replacing the network name with the local node IP - # for the given network; replacement examples (eg. for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - nova::api::api_bind_address: {get_param: [ServiceNetMap, NovaApiNetwork]} - nova::api::metadata_listen: {get_param: [ServiceNetMap, NovaMetadataNetwork]} - nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} - nova::api::instance_name_template: {get_param: InstanceNameTemplate} - nova_enable_db_purge: {get_param: NovaEnableDBPurge} - step_config: | include tripleo::profile::base::nova::api service_config_settings: diff --git a/puppet/services/nova-conductor.yaml b/puppet/services/nova-conductor.yaml index 2671cdd3..a10d9560 100644 --- a/puppet/services/nova-conductor.yaml +++ b/puppet/services/nova-conductor.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > OpenStack Nova Conductor service configured with Puppet @@ -31,6 +31,9 @@ parameters: tag: openstack.nova.scheduler path: /var/log/nova/nova-scheduler.log +conditions: + nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} + resources: NovaBase: type: ./nova-base.yaml @@ -50,7 +53,11 @@ outputs: - nova config_settings: map_merge: - - get_attr: [NovaBase, role_data, config_settings] + - get_attr: [NovaBase, role_data, config_settings] + - + if: + - nova_workers_zero + - {} - nova::conductor::workers: {get_param: NovaWorkers} step_config: | include tripleo::profile::base::nova::conductor diff --git a/puppet/services/nova-metadata.yaml b/puppet/services/nova-metadata.yaml index 92373c56..40931da6 100644 --- a/puppet/services/nova-metadata.yaml +++ b/puppet/services/nova-metadata.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > OpenStack Nova API service configured with Puppet @@ -23,12 +23,20 @@ parameters: description: Number of workers for Nova API service. type: number +conditions: + nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} + outputs: role_data: description: Role data for the Nova Metadata service. value: service_name: nova_metadata config_settings: - nova::api::metadata_workers: {get_param: NovaWorkers} - nova::api::metadata_listen: {get_param: [ServiceNetMap, NovaMetadataNetwork]} + map_merge: + - nova::api::metadata_listen: {get_param: [ServiceNetMap, NovaMetadataNetwork]} + - + if: + - nova_workers_zero + - {} + - nova::api::metadata_workers: {get_param: NovaWorkers} step_config: "" diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml index 8b990bcd..ed0d12cf 100644 --- a/puppet/services/swift-proxy.yaml +++ b/puppet/services/swift-proxy.yaml @@ -75,6 +75,7 @@ outputs: - admin - swiftoperator - ResellerAdmin + swift::proxy::versioned_writes::allow_versioned_writes: true swift::proxy::pipeline: - 'catch_errors' - 'healthcheck' @@ -87,6 +88,7 @@ outputs: - 'authtoken' - 'keystone' - 'staticweb' + - 'versioned_writes' - 'proxy-logging' - 'proxy-server' swift::proxy::account_autocreate: true |