6 files changed, 167 insertions, 9 deletions

diff --git a/puppet/services/cinder-backend-dellemc-unity.yaml b/puppet/services/cinder-backend-dellemc-unity.yaml
new file mode 100644
index 00000000..c8b8bd8f
--- /dev/null
+++ b/puppet/services/cinder-backend-dellemc-unity.yaml
@@ -0,0 +1,85 @@
+# Copyright (c) 2016-2017 Dell Inc, or its subsidiaries.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+heat_template_version: pike
+
+description: >
+  Openstack Cinder Dell EMC Unity backend
+
+parameters:
+  CinderEnableDellEMCUnityBackend:
+    type: boolean
+    default: true
+  CinderDellEMCUnityBackendName:
+    type: string
+    default: 'tripleo_dellemc_unity'
+  CinderDellEMCUnitySanIp:
+    type: string
+  CinderDellEMCUnitySanLogin:
+    type: string
+    default: 'Admin'
+  CinderDellEMCUnitySanPassword:
+    type: string
+    hidden: true
+  CinderDellEMCUnityStorageProtocol:
+    type: string
+    default: 'iSCSI'
+  CinderDellEMCUnityIoPorts:
+    type: string
+    default: ''
+  CinderDellEMCUnityStoragePoolNames:
+    type: string
+    default: ''
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+  EndpointMap:
+    default: {}
+    type: json
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+
+outputs:
+  role_data:
+    description: Role data for the Cinder Dell EMC Storage Center backend.
+    value:
+      service_name: cinder_backend_dellemc_unity
+      config_settings:
+                tripleo::profile::base::cinder::volume::cinder_enable_dellemc_unity_backend: {get_param: CinderEnableDellEMCUnityBackend}
+                cinder::backend::dellemc_unity::volume_backend_name: {get_param: CinderDellEMCUnityBackendName}
+                cinder::backend::dellemc_unity::san_ip: {get_param: CinderDellEMCUnitySanIp}
+                cinder::backend::dellemc_unity::san_login: {get_param: CinderDellEMCUnitySanLogin}
+                cinder::backend::dellemc_unity::san_password: {get_param: CinderDellEMCUnitySanPassword}
+                cinder::backend::dellemc_unity::storage_protocol: {get_param: CinderDellEMCUnityStorageProtocol}
+                cinder::backend::dellemc_unity::unity_io_ports: {get_param: CinderDellEMCUnityIoPorts}
+                cinder::backend::dellemc_unity::unity_storage_pool_names: {get_param: CinderDellEMCUnityStoragePoolNames}
+      step_config: |
+        include ::tripleo::profile::base::cinder::volume
diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml
index 63ab92eb..642a0f09 100644
--- a/puppet/services/horizon.yaml
+++ b/puppet/services/horizon.yaml
@@ -67,6 +67,14 @@ parameters:
   MonitoringSubscriptionHorizon:
     default: 'overcloud-horizon'
     type: string
+  EnableInternalTLS:
+    type: boolean
+    default: false
+  InternalTLSCAFile:
+    default: '/etc/ipa/ca.crt'
+    type: string
+    description: Specifies the default CA cert to use if TLS is used for
+                 services in the internal network.
 
 conditions:
 
@@ -109,6 +117,14 @@ outputs:
                   - {get_param: [DefaultPasswords, horizon_secret]}
           horizon::secure_cookies: {get_param: [HorizonSecureCookies]}
           memcached_ipv6: {get_param: MemcachedIPv6}
+          horizon::servername:
+            str_replace:
+              template:
+                "%{hiera('fqdn_$NETWORK')}"
+              params:
+                $NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
+          horizon::listen_ssl: {get_param: EnableInternalTLS}
+          horizon::horizon_ca: {get_param: InternalTLSCAFile}
         -
           if:
           - debug_unset
diff --git a/puppet/services/neutron-metadata.yaml b/puppet/services/neutron-metadata.yaml
index 81f12f01..30f34777 100644
--- a/puppet/services/neutron-metadata.yaml
+++ b/puppet/services/neutron-metadata.yaml
@@ -57,10 +57,15 @@ parameters:
     default:
       tag: openstack.neutron.agent.metadata
       path: /var/log/neutron/metadata-agent.log
+  EnableInternalTLS:
+    type: boolean
+    default: false
 
 conditions:
   neutron_workers_unset: {equals : [{get_param: NeutronWorkers}, '']}
 
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+
 resources:
 
   NeutronBase:
@@ -90,6 +95,17 @@ outputs:
             neutron::agents::metadata::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
             neutron::agents::metadata::auth_tenant: 'service'
             neutron::agents::metadata::metadata_ip: "%{hiera('nova_metadata_vip')}"
+            neutron::agents::metadata::metadata_host:
+              str_replace:
+                template:
+                  "%{hiera('cloud_name_$NETWORK')}"
+                params:
+                  $NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
+            neutron::agents::metadata::metadata_protocol:
+              if:
+              - internal_tls_enabled
+              - 'https'
+              - 'http'
           -
             if:
             - neutron_workers_unset
diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml
index 04936c33..e1fe5aa9 100644
--- a/puppet/services/nova-libvirt.yaml
+++ b/puppet/services/nova-libvirt.yaml
@@ -162,7 +162,7 @@ outputs:
                 dport:
                   - 16514
                   - '49152-49215'
-                  - '5900-5999'
+                  - '5900-6923'
 
           -
             if:
diff --git a/puppet/services/nova-metadata.yaml b/puppet/services/nova-metadata.yaml
index ca9eed09..3ac5f300 100644
--- a/puppet/services/nova-metadata.yaml
+++ b/puppet/services/nova-metadata.yaml
@@ -34,10 +34,26 @@ parameters:
     default: 0
     description: Number of workers for Nova services.
     type: number
+  EnableInternalTLS:
+    type: boolean
+    default: false
 
 conditions:
   nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}
 
+  use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
+
+resources:
+
+  TLSProxyBase:
+    type: OS::TripleO::Services::TLSProxyBase
+    properties:
+      ServiceData: {get_param: ServiceData}
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
+      EnableInternalTLS: {get_param: EnableInternalTLS}
+
 outputs:
   role_data:
     description: Role data for the Nova Metadata service.
@@ -45,10 +61,29 @@ outputs:
       service_name: nova_metadata
       config_settings:
         map_merge:
-        - nova::api::metadata_listen: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
+        - get_attr: [TLSProxyBase, role_data, config_settings]
+        - nova::api::metadata_listen:
+            if:
+            - use_tls_proxy
+            - 'localhost'
+            - {get_param: [ServiceNetMap, NovaMetadataNetwork]}
         -
           if:
           - nova_workers_zero
           - {}
           - nova::api::metadata_workers: {get_param: NovaWorkers}
+        -
+          if:
+          - use_tls_proxy
+          - tripleo::profile::base::nova::api::metadata_tls_proxy_bind_ip:
+              get_param: [ServiceNetMap, NovaMetadataNetwork]
+            tripleo::profile::base::nova::api::metadata_tls_proxy_fqdn:
+              str_replace:
+                template:
+                  "%{hiera('fqdn_$NETWORK')}"
+                params:
+                  $NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
+          - {}
       step_config: ""
+      metadata_settings:
+        get_attr: [TLSProxyBase, role_data, metadata_settings]
diff --git a/puppet/services/pacemaker/cinder-volume.yaml b/puppet/services/pacemaker/cinder-volume.yaml
index a1134f3e..f4675875 100644
--- a/puppet/services/pacemaker/cinder-volume.yaml
+++ b/puppet/services/pacemaker/cinder-volume.yaml
@@ -66,11 +66,17 @@ outputs:
             resource: openstack-cinder-volume
             state: disable
             wait_for_resource: true
-        - name: Sync cinder DB
+        - name: get bootstrap nodeid
           tags: step5
-          command: cinder-manage db sync
-        - name: Start cinder_volume service (pacemaker)
-          tags: step5
-          pacemaker_resource:
-            resource: openstack-cinder-volume
-            state: enable
+          command: hiera bootstrap_nodeid
+          register: bootstrap_node
+        - block:
+          - name: Sync cinder DB
+            tags: step5
+            command: cinder-manage db sync
+          - name: Start cinder_volume service (pacemaker)
+            tags: step5
+            pacemaker_resource:
+              resource: openstack-cinder-volume
+              state: enable
+          when: bootstrap_node.stdout == ansible_hostname