9 files changed, 112 insertions, 26 deletions
diff --git a/puppet/blockstorage-role.yaml b/puppet/blockstorage-role.yaml
index f7414475..e74beb2d 100644
--- a/puppet/blockstorage-role.yaml
+++ b/puppet/blockstorage-role.yaml
@@ -152,6 +152,8 @@ resources:
         type: multipart
       - config: {get_resource: NodeUserData}
         type: multipart
+      - config: {get_resource: RoleUserData}
+        type: multipart
 
   # Creates the "heat-admin" user if configured via the environment
   # Should return a OS::Heat::MultipartMime reference via OS::stack_id
@@ -163,6 +165,11 @@ resources:
   NodeUserData:
     type: OS::TripleO::NodeUserData
 
+  # For optional operator role-specific userdata
+  # Should return a OS::Heat::MultipartMime reference via OS::stack_id
+  RoleUserData:
+    type: OS::TripleO::BlockStorage::NodeUserData
+
   ExternalPort:
     type: OS::TripleO::BlockStorage::Ports::ExternalPort
     properties:
diff --git a/puppet/cephstorage-role.yaml b/puppet/cephstorage-role.yaml
index 05ecb181..75f58012 100644
--- a/puppet/cephstorage-role.yaml
+++ b/puppet/cephstorage-role.yaml
@@ -158,6 +158,8 @@ resources:
         type: multipart
       - config: {get_resource: NodeUserData}
         type: multipart
+      - config: {get_resource: RoleUserData}
+        type: multipart
 
   # Creates the "heat-admin" user if configured via the environment
   # Should return a OS::Heat::MultipartMime reference via OS::stack_id
@@ -169,6 +171,11 @@ resources:
   NodeUserData:
     type: OS::TripleO::NodeUserData
 
+  # For optional operator role-specific userdata
+  # Should return a OS::Heat::MultipartMime reference via OS::stack_id
+  RoleUserData:
+    type: OS::TripleO::CephStorage::NodeUserData
+
   ExternalPort:
     type: OS::TripleO::CephStorage::Ports::ExternalPort
     properties:
diff --git a/puppet/compute-role.yaml b/puppet/compute-role.yaml
index bf580221..cedab0e6 100644
--- a/puppet/compute-role.yaml
+++ b/puppet/compute-role.yaml
@@ -172,6 +172,8 @@ resources:
         type: multipart
       - config: {get_resource: NodeUserData}
         type: multipart
+      - config: {get_resource: RoleUserData}
+        type: multipart
 
   # Creates the "heat-admin" user if configured via the environment
   # Should return a OS::Heat::MultipartMime reference via OS::stack_id
@@ -183,6 +185,11 @@ resources:
   NodeUserData:
     type: OS::TripleO::NodeUserData
 
+  # For optional operator role-specific userdata
+  # Should return a OS::Heat::MultipartMime reference via OS::stack_id
+  RoleUserData:
+    type: OS::TripleO::Compute::NodeUserData
+
   ExternalPort:
     type: OS::TripleO::Compute::Ports::ExternalPort
     properties:
diff --git a/puppet/controller-role.yaml b/puppet/controller-role.yaml
index 221bfed7..05527b63 100644
--- a/puppet/controller-role.yaml
+++ b/puppet/controller-role.yaml
@@ -191,6 +191,8 @@ resources:
         type: multipart
       - config: {get_resource: NodeUserData}
         type: multipart
+      - config: {get_resource: RoleUserData}
+        type: multipart
 
   # Creates the "heat-admin" user if configured via the environment
   # Should return a OS::Heat::MultipartMime reference via OS::stack_id
@@ -202,6 +204,11 @@ resources:
   NodeUserData:
     type: OS::TripleO::NodeUserData
 
+  # For optional operator role-specific userdata
+  # Should return a OS::Heat::MultipartMime reference via OS::stack_id
+  RoleUserData:
+    type: OS::TripleO::Controller::NodeUserData
+
   ExternalPort:
     type: OS::TripleO::Controller::Ports::ExternalPort
     properties:
diff --git a/puppet/extraconfig/tls/freeipa-enroll.yaml b/puppet/extraconfig/tls/freeipa-enroll.yaml
index 44be7c65..84d431fb 100644
--- a/puppet/extraconfig/tls/freeipa-enroll.yaml
+++ b/puppet/extraconfig/tls/freeipa-enroll.yaml
@@ -13,10 +13,12 @@ parameters:
     type: string
 
   FreeIPAOTP:
+    default: ''
     description: 'OTP that will be used for FreeIPA enrollment'
     type: string
     hidden: true
   FreeIPAServer:
+    default: ''
     description: 'FreeIPA server DNS name'
     type: string
   FreeIPAIPAddress:
@@ -36,18 +38,27 @@ resources:
         - name: ipa_ip
       config: |
         #!/bin/sh
-        sed -i "/${ipa_server}/d" /etc/hosts
-        # Optionally add the FreeIPA server IP to /etc/hosts
-        if [ -n "${ipa_ip}" ]; then
-            echo "${ipa_ip}    ${ipa_server}" >> /etc/hosts
+        # If no IPA server was given as a parameter, it will be assumed from
+        # DNS.
+        if [ -n "${ipa_server}" ]; then
+            sed -i "/${ipa_server}/d" /etc/hosts
+            # Optionally add the FreeIPA server IP to /etc/hosts
+            if [ -n "${ipa_ip}" ]; then
+                echo "${ipa_ip}    ${ipa_server}" >> /etc/hosts
+            fi
         fi
         # Set the node's domain if needed
         if [ ! $(hostname -f | grep "${ipa_domain}$") ]; then
             hostnamectl set-hostname "$(hostname).${ipa_domain}"
         fi
         yum install -y ipa-client
-        # Enroll. If there is already keytab, we have already done this.
+        # Enroll. If there is already keytab, we have already done this. If
+        # this node hasn't enrolled and the OTP is missing, fail.
         if [ ! -f /etc/krb5.keytab ]; then
+            if [ -z "${otp}" ]; then
+                echo "OTP is missing"
+                exit 1
+            fi
             ipa-client-install --server ${ipa_server} -w ${otp} \
                 --domain=${ipa_domain} -U
         fi
diff --git a/puppet/objectstorage-role.yaml b/puppet/objectstorage-role.yaml
index 640378c8..77a60510 100644
--- a/puppet/objectstorage-role.yaml
+++ b/puppet/objectstorage-role.yaml
@@ -152,6 +152,8 @@ resources:
         type: multipart
       - config: {get_resource: NodeUserData}
         type: multipart
+      - config: {get_resource: RoleUserData}
+        type: multipart
 
   # Creates the "heat-admin" user if configured via the environment
   # Should return a OS::Heat::MultipartMime reference via OS::stack_id
@@ -163,6 +165,11 @@ resources:
   NodeUserData:
     type: OS::TripleO::NodeUserData
 
+  # For optional operator role-specific userdata
+  # Should return a OS::Heat::MultipartMime reference via OS::stack_id
+  RoleUserData:
+    type: OS::TripleO::ObjectStorage::NodeUserData
+
   ExternalPort:
     type: OS::TripleO::SwiftStorage::Ports::ExternalPort
     properties:
diff --git a/puppet/role.role.j2.yaml b/puppet/role.role.j2.yaml
index 7b3d2d31..22370a7d 100644
--- a/puppet/role.role.j2.yaml
+++ b/puppet/role.role.j2.yaml
@@ -175,6 +175,8 @@ resources:
         type: multipart
       - config: {get_resource: NodeUserData}
         type: multipart
+      - config: {get_resource: RoleUserData}
+        type: multipart
 
   # Creates the "heat-admin" user if configured via the environment
   # Should return a OS::Heat::MultipartMime reference via OS::stack_id
@@ -186,6 +188,11 @@ resources:
   NodeUserData:
     type: OS::TripleO::NodeUserData
 
+  # For optional operator role-specific userdata
+  # Should return a OS::Heat::MultipartMime reference via OS::stack_id
+  RoleUserData:
+    type: OS::TripleO::{{role}}::NodeUserData
+
   ExternalPort:
     type: OS::TripleO::{{role}}::Ports::ExternalPort
     properties:
diff --git a/puppet/services/opendaylight-ovs.yaml b/puppet/services/opendaylight-ovs.yaml
index 907ecddc..63d12fe2 100644
--- a/puppet/services/opendaylight-ovs.yaml
+++ b/puppet/services/opendaylight-ovs.yaml
@@ -8,6 +8,15 @@ parameters:
     default: 8081
     description: Set opendaylight service port
     type: number
+  OpenDaylightUsername:
+    default: 'admin'
+    description: The username for the opendaylight server.
+    type: string
+  OpenDaylightPassword:
+    default: 'admin'
+    type: string
+    description: The password for the opendaylight server.
+    hidden: true
   OpenDaylightConnectionProtocol:
     description: L7 protocol used for REST access
     type: string
@@ -46,6 +55,8 @@ outputs:
       service_name: opendaylight_ovs
       config_settings:
         opendaylight::odl_rest_port: {get_param: OpenDaylightPort}
+        opendaylight::username: {get_param: OpenDaylightUsername}
+        opendaylight::password: {get_param: OpenDaylightPassword}
         opendaylight_check_url: {get_param: OpenDaylightCheckURL}
         opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol}
         neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]}
diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml
index ba184ab0..94db9e41 100644
--- a/puppet/services/swift-proxy.yaml
+++ b/puppet/services/swift-proxy.yaml
@@ -1,4 +1,4 @@
-heat_template_version: 2016-04-08
+heat_template_version: 2016-10-14
 
 description: >
   OpenStack Swift Proxy service configured with Puppet
@@ -49,6 +49,18 @@ parameters:
     default: guest
     description: The username for RabbitMQ
     type: string
+  SwiftCeilometerPipelineEnabled:
+    description: Set to False to disable the swift proxy ceilometer pipeline.
+    default: True
+    type: boolean
+  RabbitClientPort:
+    default: 5672
+    description: Set rabbit subscriber port, change this if using SSL
+    type: number
+
+conditions:
+
+  ceilometer_pipeline_enabled: {equals : [{get_param: SwiftCeilometerPipelineEnabled}, True]}
 
 resources:
   SwiftBase:
@@ -78,6 +90,8 @@ outputs:
             swift::proxy::ceilometer::rabbit_password: {get_param: RabbitPassword}
             swift::proxy::staticweb::url_base: {get_param: [EndpointMap, SwiftPublic, uri_no_suffix]}
             swift::proxy::ceilometer::nonblocking_notify: true
+            tripleo::profile::base::swift::proxy::rabbit_port: {get_param: RabbitClientPort}
+            tripleo::profile::base::swift::proxy::ceilometer_enabled: {get_param: SwiftCeilometerPipelineEnabled}
             tripleo.swift_proxy.firewall_rules:
               '122 swift proxy':
                 dport:
@@ -89,26 +103,34 @@ outputs:
               - ResellerAdmin
             swift::proxy::versioned_writes::allow_versioned_writes: true
             swift::proxy::pipeline:
-              - 'catch_errors'
-              - 'healthcheck'
-              - 'proxy-logging'
-              - 'cache'
-              - 'ratelimit'
-              - 'bulk'
-              - 'tempurl'
-              - 'formpost'
-              - 'authtoken'
-              - 'keystone'
-              - 'staticweb'
-              - 'copy'
-              - 'container-quotas'
-              - 'account-quotas'
-              - 'slo'
-              - 'dlo'
-              - 'versioned_writes'
-              - 'ceilometer'
-              - 'proxy-logging'
-              - 'proxy-server'
+              yaql:
+                expression: $.data.pipeline.where($ != '')
+                data:
+                  pipeline:
+                  - 'catch_errors'
+                  - 'healthcheck'
+                  - 'proxy-logging'
+                  - 'cache'
+                  - 'ratelimit'
+                  - 'bulk'
+                  - 'tempurl'
+                  - 'formpost'
+                  - 'authtoken'
+                  - 'keystone'
+                  - 'staticweb'
+                  - 'copy'
+                  - 'container-quotas'
+                  - 'account-quotas'
+                  - 'slo'
+                  - 'dlo'
+                  - 'versioned_writes'
+                  -
+                    if:
+                    - ceilometer_pipeline_enabled
+                    - 'ceilometer'
+                    - ''
+                  - 'proxy-logging'
+                  - 'proxy-server'
             swift::proxy::account_autocreate: true
             # NOTE: bind IP is found in Heat replacing the network name with the
             # local node IP for the given network; replacement examples