diff options
Diffstat (limited to 'puppet')
30 files changed, 544 insertions, 38 deletions
diff --git a/puppet/major_upgrade_steps.j2.yaml b/puppet/major_upgrade_steps.j2.yaml index 9430a704..433b03a0 100644 --- a/puppet/major_upgrade_steps.j2.yaml +++ b/puppet/major_upgrade_steps.j2.yaml @@ -31,19 +31,23 @@ resources: {% if step > 0 %} depends_on: {% for dep in roles %} + {% if not dep.disable_upgrade_deployment|default(false) %} - {{dep.name}}Upgrade_Step{{step -1}} + {% endif %} {% endfor %} {% endif %} properties: UpgradeStepConfig: {get_param: [role_data, {{role.name}}, upgrade_tasks]} step: {{step}} - + {% if not role.disable_upgrade_deployment|default(false) %} {{role.name}}Upgrade_Step{{step}}: type: OS::Heat::StructuredDeploymentGroup {% if step > 0 %} depends_on: {% for dep in roles %} + {% if not dep.disable_upgrade_deployment|default(false) %} - {{dep.name}}Upgrade_Step{{step -1}} + {% endif %} {% endfor %} {% endif %} properties: @@ -53,6 +57,7 @@ resources: input_values: role: {{role.name}} update_identifier: {get_param: UpdateIdentifier} + {% endif %} {% endfor %} {% endfor %} diff --git a/puppet/post.j2.yaml b/puppet/post.j2.yaml index 2a02ea19..83c32868 100644 --- a/puppet/post.j2.yaml +++ b/puppet/post.j2.yaml @@ -21,11 +21,10 @@ parameters: perform configuration on a Heat stack-update. resources: - -{% for role in roles %} # Post deployment steps for all roles # A single config is re-applied with an incrementing step number - # {{role.name}} Role steps +{% for role in roles %} + # {{role.name}} Role post deploy steps {{role.name}}ArtifactsConfig: type: deploy-artifacts.yaml @@ -58,8 +57,6 @@ resources: # Step through a series of configuration steps {% for step in range(1, 6) %} - {% for role in roles %} - {{role.name}}Deployment_Step{{step}}: type: OS::Heat::StructuredDeploymentGroup {% if step == 1 %} @@ -77,8 +74,6 @@ resources: input_values: step: {{step}} update_identifier: {get_param: DeployIdentifier} - - {% endfor %} {% endfor %} {{role.name}}PostConfig: diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml index 4e735b45..2c44f4df 100644 --- a/puppet/services/aodh-api.yaml +++ b/puppet/services/aodh-api.yaml @@ -83,3 +83,5 @@ outputs: get_attr: [AodhBase, role_data, service_config_settings] step_config: | include tripleo::profile::base::aodh::api + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] diff --git a/puppet/services/apache-internal-tls-certmonger.yaml b/puppet/services/apache-internal-tls-certmonger.yaml index 07ec1b3c..97d6ff8e 100644 --- a/puppet/services/apache-internal-tls-certmonger.yaml +++ b/puppet/services/apache-internal-tls-certmonger.yaml @@ -21,6 +21,22 @@ parameters: via parameter_defaults in the resource registry. type: json +resources: + + ApacheNetworks: + type: OS::Heat::Value + properties: + value: + # NOTE(jaosorior) Get unique network names to create + # certificates for those. We skip the tenant network since + # we don't need a certificate for that, and the external + # network will be handled in another template. + yaql: + expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) + data: + map: + get_param: ServiceNetMap + outputs: role_data: description: Role data for the Apache role. @@ -38,13 +54,12 @@ outputs: hostname: "%{hiera('fqdn_NETWORK')}" principal: "HTTP/%{hiera('fqdn_NETWORK')}" for_each: - NETWORK: - # NOTE(jaosorior) Get unique network names to create - # certificates for those. We skip the tenant network since - # we don't need a certificate for that, and the external - # network will be handled in another template. - yaql: - expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) - data: - map: - get_param: ServiceNetMap + NETWORK: {get_attr: [ApacheNetworks, value]} + metadata_settings: + repeat: + template: + - service: HTTP + network: $NETWORK + type: node + for_each: + $NETWORK: {get_attr: [ApacheNetworks, value]} diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml index 2e95dcb0..82e0c5ff 100644 --- a/puppet/services/apache.yaml +++ b/puppet/services/apache.yaml @@ -64,3 +64,5 @@ outputs: apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit } apache::mod::remoteip::proxy_ips: - "%{hiera('apache_remote_proxy_ips_network')}" + metadata_settings: + get_attr: [ApacheTLS, role_data, metadata_settings] diff --git a/puppet/services/barbican-api.yaml b/puppet/services/barbican-api.yaml index 000a744c..1f220e6b 100644 --- a/puppet/services/barbican-api.yaml +++ b/puppet/services/barbican-api.yaml @@ -144,3 +144,5 @@ outputs: get_param: [EndpointMap, BarbicanInternal, uri] cinder::api::keymgr_encryption_auth_url: get_param: [EndpointMap, KeystoneV3Internal, uri] + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml index 63e02d4f..f774167f 100644 --- a/puppet/services/ceilometer-api.yaml +++ b/puppet/services/ceilometer-api.yaml @@ -90,3 +90,5 @@ outputs: get_attr: [CeilometerServiceBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::ceilometer::api + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] diff --git a/puppet/services/ceph-rgw.yaml b/puppet/services/ceph-rgw.yaml index 6448387c..92536994 100644 --- a/puppet/services/ceph-rgw.yaml +++ b/puppet/services/ceph-rgw.yaml @@ -57,7 +57,11 @@ outputs: tripleo::profile::base::ceph::rgw::keystone_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} tripleo::profile::base::ceph::rgw::civetweb_bind_ip: {get_param: [ServiceNetMap, CephRgwNetwork]} tripleo::profile::base::ceph::rgw::civetweb_bind_port: {get_param: [EndpointMap, CephRgwInternal, port]} - ceph::params::user_radosgw: ceph + tripleo::profile::base::ceph::rgw::rgw_keystone_version: v3 + ceph::profile::params::rgw_keystone_admin_domain: default + ceph::profile::params::rgw_keystone_admin_project: service + ceph::profile::params::rgw_keystone_admin_user: swift + ceph::profile::params::rgw_keystone_admin_password: {get_param: SwiftPassword} tripleo.ceph_rgw.firewall_rules: '122 ceph rgw': dport: {get_param: [EndpointMap, CephRgwInternal, port]} @@ -68,7 +72,8 @@ outputs: ceph::rgw::keystone::auth::public_url: {get_param: [EndpointMap, CephRgwPublic, uri]} ceph::rgw::keystone::auth::internal_url: {get_param: [EndpointMap, CephRgwInternal, uri]} ceph::rgw::keystone::auth::admin_url: {get_param: [EndpointMap, CephRgwAdmin, uri]} - ceph::rgw::keystone::auth::user: 'swift' - ceph::rgw::keystone::auth::password: {get_param: SwiftPassword} ceph::rgw::keystone::auth::region: {get_param: KeystoneRegion} - ceph::rgw::keystone::auth::tenant: 'service' + ceph::rgw::keystone::auth::roles: [ 'admin', 'member', '_member_' ] + ceph::rgw::keystone::auth::tenant: service + ceph::rgw::keystone::auth::user: swift + ceph::rgw::keystone::auth::password: {get_param: SwiftPassword} diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml index b32c8185..a5c912ed 100644 --- a/puppet/services/cinder-api.yaml +++ b/puppet/services/cinder-api.yaml @@ -91,9 +91,6 @@ outputs: cinder::config: DEFAULT/swift_catalog_info: value: 'object-store:swift:internalURL' - # TODO(emilien) remove the next line when https://review.openstack.org/422915 - # is merged. - cinder::glance::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]} tripleo::profile::base::cinder::cinder_enable_db_purge: {get_param: CinderEnableDBPurge} tripleo.cinder_api.firewall_rules: '119 cinder': @@ -149,6 +146,8 @@ outputs: cinder::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] upgrade_tasks: - name: check for cinder running under apache (post upgrade) tags: step2 diff --git a/puppet/services/database/mysql-internal-tls-certmonger.yaml b/puppet/services/database/mysql-internal-tls-certmonger.yaml index 56d037e7..9f7eaf57 100644 --- a/puppet/services/database/mysql-internal-tls-certmonger.yaml +++ b/puppet/services/database/mysql-internal-tls-certmonger.yaml @@ -41,3 +41,7 @@ outputs: template: "mysql/%{hiera('cloud_name_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} + metadata_settings: + - service: mysql + network: {get_param: [ServiceNetMap, MysqlNetwork]} + type: vip diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml index 7e12894f..8c4042d9 100644 --- a/puppet/services/database/mysql.yaml +++ b/puppet/services/database/mysql.yaml @@ -104,4 +104,6 @@ outputs: - name: Start service tags: step4 service: name=mariadb state=started + metadata_settings: + get_attr: [MySQLTLS, role_data, metadata_settings] diff --git a/puppet/services/disabled/glance-registry.yaml b/puppet/services/disabled/glance-registry.yaml new file mode 100644 index 00000000..4d22bddc --- /dev/null +++ b/puppet/services/disabled/glance-registry.yaml @@ -0,0 +1,30 @@ +heat_template_version: ocata + +description: > + OpenStack Glance Registry service, disabled since ocata + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for the disabled Glance Registry role. + value: + service_name: glance_registry + upgrade_tasks: + - name: Stop and disable glance_registry service on upgrade + tags: step2 + service: name=openstack-glance-registry state=stopped enabled=no diff --git a/puppet/services/ec2-api.yaml b/puppet/services/ec2-api.yaml new file mode 100644 index 00000000..7049d773 --- /dev/null +++ b/puppet/services/ec2-api.yaml @@ -0,0 +1,118 @@ +heat_template_version: ocata + +description: > + OpenStack EC2-API service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + Ec2ApiWorkers: + default: 0 + description: Number of workers for EC2-API service. + type: number + Ec2ApiPassword: + description: The password for the nova service and db account, used by nova-api. + type: string + hidden: true + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + MonitoringSubscriptionEc2Api: + default: 'overcloud-ec2-api' + type: string + Ec2ApiLoggingSource: + type: json + default: + tag: openstack.ec2.api + path: /var/log/ec2api/ec2api.log + EnablePackageInstall: + default: 'false' + description: Set to true to enable package installation via Puppet + type: boolean + + +conditions: + nova_workers_zero: {equals : [{get_param: Ec2ApiWorkers}, 0]} + +outputs: + role_data: + description: Role data for the EC2-API service. + value: + service_name: ec2_api + monitoring_subscription: {get_param: MonitoringSubscriptionEc2Api} + logging_source: {get_param: Ec2ApiLoggingSource} + logging_groups: + - nova + config_settings: + map_merge: + - tripleo.ec2_api.firewall_rules: + '113 ec2_api': + dport: + - 8788 + - 13788 + ec2api::keystone::authtoken::project_name: 'service' + ec2api::keystone::authtoken::password: {get_param: Ec2ApiPassword} + ec2api::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + ec2api::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + ec2api::api::enabled: true + ec2api::package_manage: {get_param: EnablePackageInstall} + ec2api::api::ec2api_listen: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, Ec2ApiNetwork]} + ec2api::metadata::metadata_listen: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, Ec2ApiMetadataNetwork]} + ec2api::db::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://ec2_api:' + - {get_param: Ec2ApiPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/ec2_api' + - '?bind_address=' + - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" + - + if: + - nova_workers_zero + - {} + - ec2api::api::ec2api_workers: {get_param: Ec2ApiWorkers} + ec2api::metadata::metadata_workers: {get_param: Ec2ApiWorkers} + step_config: | + include tripleo::profile::base::nova::ec2api + service_config_settings: + keystone: + ec2api::keystone::auth::tenant: 'service' + ec2api::keystone::auth::public_url: {get_param: [EndpointMap, Ec2ApiPublic, uri]} + ec2api::keystone::auth::internal_url: {get_param: [EndpointMap, Ec2ApiInternal, uri]} + ec2api::keystone::auth::admin_url: {get_param: [EndpointMap, Ec2ApiAdmin, uri]} + ec2api::keystone::auth::password: {get_param: Ec2ApiPassword} + ec2api::keystone::auth::region: {get_param: KeystoneRegion} + mysql: + ec2api::db::mysql::password: {get_param: Ec2ApiPassword} + ec2api::db::mysql::user: ec2_api + ec2api::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + ec2api::db::mysql::dbname: ec2_api + ec2api::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml index 3ddb1927..09ea5d22 100644 --- a/puppet/services/glance-api.yaml +++ b/puppet/services/glance-api.yaml @@ -45,8 +45,23 @@ parameters: default: tag: openstack.glance.api path: /var/log/glance/api.log + EnableInternalTLS: + type: boolean + default: false + +conditions: + use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} resources: + + TLSProxyBase: + type: OS::TripleO::Services::TLSProxyBase + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} + GlanceBase: type: ./glance-base.yaml properties: @@ -66,6 +81,7 @@ outputs: config_settings: map_merge: - get_attr: [GlanceBase, role_data, config_settings] + - get_attr: [TLSProxyBase, role_data, config_settings] - glance::api::database_connection: list_join: - '' @@ -100,7 +116,23 @@ outputs: # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - glance::api::bind_host: {get_param: [ServiceNetMap, GlanceApiNetwork]} + tripleo::profile::base::glance::api::tls_proxy_bind_ip: + get_param: [ServiceNetMap, GlanceApiNetwork] + tripleo::profile::base::glance::api::tls_proxy_fqdn: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]} + tripleo::profile::base::glance::api::tls_proxy_port: + get_param: [EndpointMap, GlanceInternal, port] + # Bind to localhost if internal TLS is enabled, since we put a TLs + # proxy in front. + glance::api::bind_host: + if: + - use_tls_proxy + - 'localhost' + - {get_param: [ServiceNetMap, GlanceApiNetwork]} step_config: | include ::tripleo::profile::base::glance::api service_config_settings: diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml index 3929e005..ae384ce0 100644 --- a/puppet/services/gnocchi-api.yaml +++ b/puppet/services/gnocchi-api.yaml @@ -131,3 +131,5 @@ outputs: gnocchi::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] diff --git a/puppet/services/haproxy-internal-tls-certmonger.yaml b/puppet/services/haproxy-internal-tls-certmonger.yaml index 77457593..ae226163 100644 --- a/puppet/services/haproxy-internal-tls-certmonger.yaml +++ b/puppet/services/haproxy-internal-tls-certmonger.yaml @@ -19,6 +19,22 @@ parameters: via parameter_defaults in the resource registry. type: json +resources: + + HAProxyNetworks: + type: OS::Heat::Value + properties: + value: + # NOTE(jaosorior) Get unique network names to create + # certificates for those. We skip the tenant network since + # we don't need a certificate for that, and the external + # network will be handled in another template. + yaql: + expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) + data: + map: + get_param: ServiceNetMap + outputs: role_data: description: Role data for the HAProxy internal TLS via certmonger role. @@ -39,13 +55,12 @@ outputs: postsave_cmd: "" # TODO principal: "haproxy/%{hiera('cloud_name_NETWORK')}" for_each: - NETWORK: - # NOTE(jaosorior) Get unique network names to create - # certificates for those. We skip the tenant network since - # we don't need a certificate for that, and the external - # network will be handled in another template. - yaql: - expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) - data: - map: - get_param: ServiceNetMap + NETWORK: {get_attr: [HAProxyNetworks, value]} + metadata_settings: + repeat: + template: + - service: haproxy + network: $NETWORK + type: vip + for_each: + $NETWORK: {get_attr: [HAProxyNetworks, value]} diff --git a/puppet/services/haproxy-public-tls-certmonger.yaml b/puppet/services/haproxy-public-tls-certmonger.yaml index 227697b9..6013b026 100644 --- a/puppet/services/haproxy-public-tls-certmonger.yaml +++ b/puppet/services/haproxy-public-tls-certmonger.yaml @@ -35,3 +35,7 @@ outputs: hostname: "%{hiera('cloud_name_external')}" postsave_cmd: "" # TODO principal: "haproxy/%{hiera('cloud_name_external')}" + metadata_settings: + - service: haproxy + network: external + type: vip diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml index 9049c901..981a08d2 100644 --- a/puppet/services/haproxy.yaml +++ b/puppet/services/haproxy.yaml @@ -84,3 +84,9 @@ outputs: - name: Start haproxy service tags: step4 # Needed at step 4 for mysql service: name=haproxy state=started + metadata_settings: + yaql: + expression: '[].concat(coalesce($.data.internal, []), coalesce($.data.public, []))' + data: + public: {get_attr: [HAProxyPublicTLS, role_data, metadata_settings]} + internal: {get_attr: [HAProxyInternalTLS, role_data, metadata_settings]} diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml index cf35d202..2111021b 100644 --- a/puppet/services/horizon.yaml +++ b/puppet/services/horizon.yaml @@ -27,6 +27,14 @@ parameters: description: A list of IP/Hostname for the server Horizon is running on. Used for header checks. type: comma_delimited_list + HorizonPasswordValidator: + description: Regex for password validation + type: string + default: '' + HorizonPasswordValidatorHelp: + description: Help text for password validation + type: string + default: '' HorizonSecret: description: Secret key for Django type: string @@ -71,6 +79,8 @@ outputs: options: ['FollowSymLinks','MultiViews'] horizon::bind_address: {get_param: [ServiceNetMap, HorizonNetwork]} horizon::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri]} + horizon::password_validator: {get_param: [HorizonPasswordValidator]} + horizon::password_validator_help: {get_param: [HorizonPasswordValidatorHelp]} horizon::secret_key: yaql: expression: $.data.passwords.where($ != '').first() diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index 434f0a33..b989d502 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -313,3 +313,8 @@ outputs: - name: Sync keystone DB tags: step5 command: keystone-manage db_sync + - name: Start keystone service (running under httpd) + tags: step6 + service: name=httpd state=started + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml index 36ac3e08..892e63dd 100644 --- a/puppet/services/nova-api.yaml +++ b/puppet/services/nova-api.yaml @@ -165,3 +165,5 @@ outputs: nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]} nova::keystone::auth::password: {get_param: NovaPassword} nova::keystone::auth::region: {get_param: KeystoneRegion} + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] diff --git a/puppet/services/octavia-api.yaml b/puppet/services/octavia-api.yaml new file mode 100644 index 00000000..4c6f4c37 --- /dev/null +++ b/puppet/services/octavia-api.yaml @@ -0,0 +1,97 @@ +heat_template_version: ocata + +description: > + OpenStack Octavia API service. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + OctaviaPassword: + description: The password for the Octavia's database account. + type: string + hidden: true + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + MonitoringSubscriptionOctaviaApi: + default: 'overcloud-octavia-api' + type: string + OctaviaApiLoggingSource: + type: json + default: + tag: openstack.octavia.api + path: /var/log/octavia/api.log + +resources: + + OctaviaBase: + type: ./octavia-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Octavia API service. + value: + service_name: octavia_api + monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaApi} + logging_source: {get_param: OctaviaApiLoggingSource} + logging_groups: + - octavia + config_settings: + map_merge: + - get_attr: [OctaviaBase, role_data, config_settings] + - octavia::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + octavia::db::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://octavia:' + - {get_param: OctaviaPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/octavia' + - '?bind_address=' + - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" + octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + octavia::keystone::authtoken::project_name: 'service' + octavia::api::sync_db: true + tripleo.octavia_api.firewall_rules: + '120 octavia api': + dport: + - 9876 + - 13876 + octavia::host: {get_param: [ServiceNetMap, OctaviaApiNetwork]} + step_config: | + include tripleo::profile::base::octavia::api + service_config_settings: + keystone: + octavia::keystone::auth::tenant: 'service' + octavia::keystone::auth::public_url: {get_param: [EndpointMap, OctaviaPublic, uri]} + octavia::keystone::auth::internal_url: { get_param: [ EndpointMap, OctaviaInternal, uri ] } + octavia::keystone::auth::admin_url: { get_param: [ EndpointMap, OctaviaAdmin, uri ] } + octavia::keystone::auth::password: {get_param: OctaviaPassword} + octavia::keystone::auth::region: {get_param: KeystoneRegion} + mysql: + octavia::db::mysql::password: {get_param: OctaviaPassword} + octavia::db::mysql::user: octavia + octavia::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + octavia::db::mysql::dbname: octavia + octavia::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/octavia-base.yaml b/puppet/services/octavia-base.yaml new file mode 100644 index 00000000..b537a2bc --- /dev/null +++ b/puppet/services/octavia-base.yaml @@ -0,0 +1,62 @@ +heat_template_version: ocata + +description: > + OpenStack Octavia base service. Shared for all Octavia services + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + Debug: + type: string + default: '' + description: Set to True to enable debugging on all services. + EnableConfigPurge: + type: boolean + default: true + description: > + Remove configuration that is not generated by TripleO. Setting + to false may result in configuration remnants after updates/upgrades. + RabbitPassword: + description: The password for RabbitMQ + type: string + hidden: true + RabbitUserName: + default: guest + description: The username for RabbitMQ + type: string + RabbitClientUseSSL: + default: false + description: > + Rabbit client subscriber parameter to specify + an SSL connection to the RabbitMQ host. + type: string + RabbitClientPort: + default: 5672 + description: Set rabbit subscriber port, change this if using SSL + type: number + +outputs: + role_data: + description: Base role data for Octavia services + value: + service_name: octavia_base + config_settings: + octavia::debug: {get_param: Debug} + octavia::purge_config: {get_param: EnableConfigPurge} + octavia::rabbit_use_ssl: {get_param: RabbitClientUseSSL} + tripleo::profile::base::octavia::rabbit_user: {get_param: RabbitUserName} + tripleo::profile::base::octavia::rabbit_password: {get_param: RabbitPassword} + tripleo::profile::base::octavia::rabbit_port: {get_param: RabbitClientPort} + diff --git a/puppet/services/pacemaker.yaml b/puppet/services/pacemaker.yaml index 9adf1bdb..a8a9fb99 100644 --- a/puppet/services/pacemaker.yaml +++ b/puppet/services/pacemaker.yaml @@ -29,6 +29,11 @@ parameters: default: false description: Whether to enable fencing in Pacemaker or not. type: boolean + PacemakerRemoteAuthkey: + type: string + description: The authkey for the pacemaker remote service. + hidden: true + default: '' PcsdPassword: type: string description: The password for the 'pcsd' user for pacemaker. @@ -112,5 +117,6 @@ outputs: passwords: - {get_param: PcsdPassword} - {get_param: [DefaultPasswords, pcsd_password]} + tripleo::profile::base::pacemaker::remote_authkey: {get_param: PacemakerRemoteAuthkey} step_config: | include ::tripleo::profile::base::pacemaker diff --git a/puppet/services/pacemaker/database/mysql.yaml b/puppet/services/pacemaker/database/mysql.yaml index 511a01ab..93bf5967 100644 --- a/puppet/services/pacemaker/database/mysql.yaml +++ b/puppet/services/pacemaker/database/mysql.yaml @@ -53,6 +53,8 @@ outputs: get_param: [ServiceNetMap, MysqlNetwork] step_config: | include ::tripleo::profile::pacemaker::database::mysql + metadata_settings: + get_attr: [MysqlBase, role_data, metadata_settings] upgrade_tasks: - name: Check for galera root password tags: step0 diff --git a/puppet/services/pacemaker/haproxy.yaml b/puppet/services/pacemaker/haproxy.yaml index 50da4119..598deaef 100644 --- a/puppet/services/pacemaker/haproxy.yaml +++ b/puppet/services/pacemaker/haproxy.yaml @@ -40,3 +40,5 @@ outputs: tripleo::haproxy::mysql_clustercheck: true step_config: | include ::tripleo::profile::pacemaker::haproxy + metadata_settings: + get_attr: [LoadbalancerServiceBase, role_data, metadata_settings] diff --git a/puppet/services/pacemaker_remote.yaml b/puppet/services/pacemaker_remote.yaml new file mode 100644 index 00000000..daee43e6 --- /dev/null +++ b/puppet/services/pacemaker_remote.yaml @@ -0,0 +1,57 @@ +heat_template_version: ocata + +description: > + Pacemaker remote service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + PacemakerRemoteAuthkey: + type: string + description: The authkey for the pacemaker remote service. + hidden: true + default: '' + MonitoringSubscriptionPacemakerRemote: + default: 'overcloud-pacemaker_remote' + type: string + PacemakerRemoteLoggingSource: + type: json + default: + tag: system.pacemaker_remote + path: /var/log/pacemaker.log + format: >- + /^(?<time>[^ ]*\s*[^ ]* [^ ]*) + \[(?<pid>[^ ]*)\] + (?<host>[^ ]*) + (?<message>.*)$/ + +outputs: + role_data: + description: Role data for the Pacemaker remote role. + value: + service_name: pacemaker_remote + monitoring_subscription: {get_param: MonitoringSubscriptionPacemakerRemote} + logging_groups: + - haclient + logging_source: {get_param: PacemakerRemoteLoggingSource} + config_settings: + tripleo.pacemaker_remote.firewall_rules: + '130 pacemaker_remote tcp': + proto: 'tcp' + dport: + - 3121 + tripleo::profile::base::pacemaker_remote::remote_authkey: {get_param: PacemakerRemoteAuthkey} + step_config: | + include ::tripleo::profile::base::pacemaker_remote diff --git a/puppet/services/panko-api.yaml b/puppet/services/panko-api.yaml index 06284fb2..4b74ad45 100644 --- a/puppet/services/panko-api.yaml +++ b/puppet/services/panko-api.yaml @@ -82,3 +82,5 @@ outputs: get_attr: [PankoBase, role_data, service_config_settings] step_config: | include tripleo::profile::base::panko::api + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] diff --git a/puppet/services/swift-ringbuilder.yaml b/puppet/services/swift-ringbuilder.yaml index a7ba7bad..2e3c818f 100644 --- a/puppet/services/swift-ringbuilder.yaml +++ b/puppet/services/swift-ringbuilder.yaml @@ -43,6 +43,16 @@ parameters: description: 'Use a local directory for Swift storage services when building rings' type: boolean +conditions: + swift_use_local_dir: + and: + - equals: + - get_param: SwiftUseLocalDir + - true + - equals: + - get_param: SwiftRawDisks + - {} + outputs: role_data: description: Role data for Swift Ringbuilder configuration. @@ -59,7 +69,7 @@ outputs: expression: $.data.raw_disk_lists.flatten() data: raw_disk_lists: - - {if: [{get_param: SwiftUseLocalDir}, [':%PORT%/d1'], []]} + - {if: [swift_use_local_dir, [':%PORT%/d1'], []]} - repeat: template: ':%PORT%/DEVICE' for_each: diff --git a/puppet/services/swift-storage.yaml b/puppet/services/swift-storage.yaml index 08df928d..247b23ff 100644 --- a/puppet/services/swift-storage.yaml +++ b/puppet/services/swift-storage.yaml @@ -56,6 +56,17 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} +conditions: + swift_mount_check: + or: + - equals: + - get_param: SwiftMountCheck + - true + - not: + equals: + - get_param: SwiftRawDisks + - {} + outputs: role_data: description: Role data for the Swift Proxy role. @@ -65,7 +76,7 @@ outputs: config_settings: map_merge: - get_attr: [SwiftBase, role_data, config_settings] - - swift::storage::all::mount_check: {get_param: SwiftMountCheck} + - swift::storage::all::mount_check: {if: [swift_mount_check, true, false]} tripleo::profile::base::swift::storage::enable_swift_storage: {get_param: ControllerEnableSwiftStorage} tripleo.swift_storage.firewall_rules: '123 swift storage': |