Diffstat (limited to 'puppet')
-rw-r--r--puppet/services/apache-internal-tls-certmonger.yaml50
-rw-r--r--puppet/services/apache.yaml46
-rw-r--r--puppet/services/cinder-api.yaml30
-rw-r--r--puppet/services/horizon.yaml3
-rw-r--r--puppet/services/keystone.yaml26
-rw-r--r--puppet/services/monitoring/sensu-client.yaml17
-rw-r--r--puppet/services/nova-libvirt.yaml4
-rw-r--r--puppet/services/opendaylight-api.yaml5
-rw-r--r--puppet/services/opendaylight-ovs.yaml1
-rw-r--r--puppet/services/swift-proxy.yaml12
10 files changed, 165 insertions, 29 deletions
diff --git a/puppet/services/apache-internal-tls-certmonger.yaml b/puppet/services/apache-internal-tls-certmonger.yaml
new file mode 100644
index 00000000..87e53f13
--- /dev/null
+++ b/puppet/services/apache-internal-tls-certmonger.yaml
@@ -0,0 +1,50 @@
+heat_template_version: 2016-10-14
+
+description: >
+ Apache service TLS configurations.
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ # The following parameters are not needed by the template but are
+ # required to pass the pep8 tests
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+
+outputs:
+ role_data:
+ description: Role data for the Apache role.
+ value:
+ service_name: apache_internal_tls_certmonger
+ config_settings:
+ generate_service_certificates: true
+ apache_certificates_specs:
+ map_merge:
+ repeat:
+ template:
+ httpd-NETWORK:
+ service_certificate: '/etc/pki/tls/certs/httpd-NETWORK.crt'
+ service_key: '/etc/pki/tls/private/httpd-NETWORK.key'
+ hostname: "%{::fqdn_NETWORK}"
+ principal: "HTTP/%{::fqdn_NETWORK}"
+ for_each:
+ NETWORK:
+ # NOTE(jaosorior) Get unique network names to create
+ # certificates for those. We skip the tenant network since
+ # we don't need a certificate for that, and the external
+ # network will be handled in another template.
+ yaql:
+ expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
+ data:
+ map:
+ get_param: ServiceNetMap
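Review bot: The yaql filter in the `for_each` appears to rely on the bare words `external` and `tenant` being parsed as keyword strings; quoting them, `.where($ != 'external' and $ != 'tenant')`, makes the comparison unambiguous to readers and robust against a stricter yaql grammar. The `role_data` output still carries `description: Role data for the Apache role.` although this template emits the certmonger certificate specs; `description: Role data for the Apache internal-TLS certmonger service.` would match `service_name`. It is also worth a one-line comment above `apache_certificates_specs` stating that one certificate per non-tenant, non-external network is requested with the node's `fqdn_<network>` as subject and `HTTP/<fqdn>` as Kerberos principal, since that is what the `repeat` expands to.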
diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml
index c9792019..382e0ff9 100644
--- a/puppet/services/apache.yaml
+++ b/puppet/services/apache.yaml
@@ -27,6 +27,17 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
+ EnableInternalTLS:
+ type: boolean
+ default: false
+
+
+resources:
+
+ ApacheTLS:
+ type: OS::TripleO::Services::ApacheTLS
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
outputs:
role_data:
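Review bot: `EnableInternalTLS` is declared in this hunk but nothing in apache.yaml reads it: the `ApacheTLS` resource is created unconditionally and receives only `ServiceNetMap`, so whether certificates are requested is decided solely by what `OS::TripleO::Services::ApacheTLS` maps to in the resource registry. An operator who sets `EnableInternalTLS: true` without that registry override (or the reverse) gets no error and no TLS, which is a misleading switch for a security feature. Either pass it through, `EnableInternalTLS: {get_param: EnableInternalTLS}`, and have the certmonger template honour it, or give the parameter a description stating that it is informational here and the registry mapping is what actually enables internal TLS.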
@@ -34,19 +45,22 @@ outputs:
value:
service_name: apache
config_settings:
- # for the given network; replacement examples (eg. for internal_api):
- # internal_api -> IP
- # internal_api_uri -> [IP]
- # internal_api_subnet - > IP/CIDR
- apache::ip: {get_param: [ServiceNetMap, ApacheNetwork]}
- apache::server_signature: 'Off'
- apache::server_tokens: 'Prod'
- apache_remote_proxy_ips_network:
- str_replace:
- template: "NETWORK_subnet"
- params:
- NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]}
- apache::mod::prefork::maxclients: { get_param: ApacheMaxRequestWorkers }
- apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit }
- apache::mod::remoteip::proxy_ips:
- - "%{hiera('apache_remote_proxy_ips_network')}"
+ map_merge:
+ - get_attr: [ApacheTLS, role_data, config_settings]
+ -
+ # for the given network; replacement examples (eg. for internal_api):
+ # internal_api -> IP
+ # internal_api_uri -> [IP]
+ # internal_api_subnet - > IP/CIDR
+ apache::ip: {get_param: [ServiceNetMap, ApacheNetwork]}
+ apache::server_signature: 'Off'
+ apache::server_tokens: 'Prod'
+ apache_remote_proxy_ips_network:
+ str_replace:
+ template: "NETWORK_subnet"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]}
+ apache::mod::prefork::maxclients: { get_param: ApacheMaxRequestWorkers }
+ apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit }
+ apache::mod::remoteip::proxy_ips:
+ - "%{hiera('apache_remote_proxy_ips_network')}"
diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml
index 9c96acc4..3c624e3a 100644
--- a/puppet/services/cinder-api.yaml
+++ b/puppet/services/cinder-api.yaml
@@ -1,4 +1,4 @@
-heat_template_version: 2016-04-08
+heat_template_version: 2016-10-14
description: >
OpenStack Cinder API service configured with Puppet
@@ -39,9 +39,23 @@ parameters:
default:
tag: openstack.cinder.api
path: /var/log/cinder/cinder-api.log
+ CinderWorkers:
+ type: string
+ description: Set the number of workers for cinder::wsgi::apache
+ default: '"%{::os_workers}"'
+
+conditions:
+ cinder_workers_zero: {equals : [{get_param: CinderWorkers}, 0]}
resources:
+ ApacheServiceBase:
+ type: ./apache.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
CinderBase:
type: ./cinder-base.yaml
properties:
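Review bot: `cinder_workers_zero` compares the `type: string` parameter `CinderWorkers` with the integer `0`; a user-supplied `0` arrives as the string `"0"` and Heat's `equals` does not coerce types, so the condition looks like it can never be true and `cinder::wsgi::apache::workers` is always emitted (to be confirmed against the Heat release in use; `KeystoneWorkers` in this change follows the same pattern). Comparing against the string instead, `cinder_workers_zero: {equals: [{get_param: CinderWorkers}, '0']}`, matches how the value actually arrives. The default `'"%{::os_workers}"'` also deserves a comment explaining that the outer quotes are needed so the hiera interpolation reaches puppet as a string.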
@@ -61,6 +75,7 @@ outputs:
config_settings:
map_merge:
- get_attr: [CinderBase, role_data, config_settings]
+ - get_attr: [ApacheServiceBase, role_data, config_settings]
- cinder::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
cinder::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
cinder::keystone::authtoken::password: {get_param: CinderPassword}
@@ -85,6 +100,19 @@ outputs:
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
cinder::api::bind_host: {get_param: [ServiceNetMap, CinderApiNetwork]}
+ cinder::wsgi::apache::ssl: false
+ cinder::wsgi::apache::bind_host: {get_param: [ServiceNetMap, CinderApiNetwork]}
+ cinder::wsgi::apache::servername:
+ str_replace:
+ template:
+ '"%{::fqdn_$NETWORK}"'
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+ -
+ if:
+ - cinder_workers_zero
+ - {}
+ - cinder::wsgi::apache::workers: {get_param: CinderWorkers}
step_config: |
include ::tripleo::profile::base::cinder::api
service_config_settings:
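Review bot: `cinder::wsgi::apache::ssl` is hard-coded to `false` while the same change makes keystone's `keystone::wsgi::apache::ssl` follow `EnableInternalTLS`, so enabling internal TLS leaves the Cinder API vhost in plain text even though `ApacheServiceBase` now pulls in the certmonger certificate specs. Either add an `EnableInternalTLS` parameter here and use it, `cinder::wsgi::apache::ssl: {get_param: EnableInternalTLS}`, or leave a comment stating that Cinder TLS is intentionally deferred. Separately, `servername` is derived from `MysqlNetwork` while `bind_host` uses `CinderApiNetwork`; if those map to different networks the vhost's ServerName will not match the address clients connect to, which matters once the per-network certificates (issued for `fqdn_<network>`) are in use. `$NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]}` looks like the intended value unless MysqlNetwork is deliberate, in which case a comment should say why.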
diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml
index 6ea5ec4e..1e08415c 100644
--- a/puppet/services/horizon.yaml
+++ b/puppet/services/horizon.yaml
@@ -24,7 +24,8 @@ parameters:
type: json
HorizonAllowedHosts:
default: '*'
- description: A list of IP/Hostname allowed to connect to horizon
+ description: A list of IP/Hostname for the server Horizonis running on.
+ Used for header checks.
type: comma_delimited_list
HorizonSecret:
description: Secret key for Django
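Review bot: The new description for `HorizonAllowedHosts` correctly says the list is used for header checks, but the default `'*'` shown in this hunk turns that check off: if this feeds Django's ALLOWED_HOSTS (as puppet-horizon's `allowed_hosts` does, to be confirmed), the wildcard accepts any Host header and re-enables the Host-header attacks the setting exists to stop, such as password-reset link poisoning. The description should say so and steer operators to set it, e.g. `description: Hostnames/IPs accepted in the Host header for Horizon. The default '*' disables the check; set it to the public VIP/FQDN(s) for production deployments.` There is also a typo in the new text, "Horizonis" for "Horizon is".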
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index e3531636..1f83b680 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -83,7 +83,7 @@ parameters:
KeystoneWorkers:
type: string
description: Set the number of workers for keystone::wsgi::apache
- default: '"%{::processorcount}"'
+ default: '"%{::os_workers}"'
MonitoringSubscriptionKeystone:
default: 'overcloud-kestone'
type: string
@@ -98,6 +98,9 @@ parameters:
default:
tag: openstack.keystone
path: /var/log/keystone/keystone.log
+ EnableInternalTLS:
+ type: boolean
+ default: false
resources:
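Review bot: `EnableInternalTLS` is added with no description; since it toggles `keystone::enable_ssl` and `keystone::wsgi::apache::ssl` later in this file, say so: `description: Whether to serve Keystone's Apache vhosts over TLS on the internal networks. Certificates must be provided for this to work (OS::TripleO::Services::ApacheTLS mapped to the certmonger template).` The second sentence is inferred from apache-internal-tls-certmonger.yaml in this change; confirm the wording before committing.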
@@ -107,6 +110,7 @@ resources:
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
+ EnableInternalTLS: {get_param: EnableInternalTLS}
outputs:
role_data:
@@ -130,6 +134,7 @@ outputs:
- {get_param: [EndpointMap, MysqlInternal, host]}
- '/keystone'
keystone::admin_token: {get_param: AdminToken}
+ keystone::admin_password: {get_param: AdminPassword}
keystone::roles::admin::password: {get_param: AdminPassword}
keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
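Review bot: `keystone::admin_password` is added directly under `keystone::admin_token`, so the template now hands puppet-keystone two admin-equivalent secrets with no note on how they relate. If puppet-keystone uses `admin_password` for `keystone-manage bootstrap` (as it does from the Newton release on, to be confirmed for the pinned version), the static `AdminToken` is no longer needed for bootstrapping and is the more dangerous of the two, since wherever the admin_token_auth middleware is enabled it bypasses user authentication entirely. A comment recording why both are still emitted, or a follow-up that stops setting `keystone::admin_token` once bootstrap is the path, would be worth adding. The enclosing `config_settings` mapping starts outside this hunk.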
@@ -163,7 +168,8 @@ outputs:
ec2/driver:
value: 'keystone.contrib.ec2.backends.sql.Ec2'
keystone::service_name: 'httpd'
- keystone::wsgi::apache::ssl: false
+ keystone::enable_ssl: {get_param: EnableInternalTLS}
+ keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
keystone::wsgi::apache::servername:
str_replace:
template:
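Review bot: This hunk makes `keystone::enable_ssl` and `keystone::wsgi::apache::ssl` follow `EnableInternalTLS`, but it is not visible here which certificate and key the vhost will use when that becomes true: the per-network certmonger certificates from the ApacheTLS template, the operator-supplied `KeystoneSSLCertificate` pair referenced just above in the file, or puppet-apache's defaults (which would serve the distribution's self-signed placeholder certificate). Presumably `keystone::wsgi::apache::ssl_cert`/`ssl_key` are wired in the puppet-tripleo profile; confirm that and record it with a comment such as `# Certificate/key for the TLS vhost are selected in tripleo::profile::base::keystone from the certmonger specs; KeystoneSSLCertificate is not used for this vhost.` adjusted to whatever the profile actually does.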
@@ -188,15 +194,25 @@ outputs:
- 13000
- 35357
- 13357
+ keystone::admin_bind_host:
+ str_replace:
+ template:
+ '"%{::fqdn_$NETWORK}"'
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
+ keystone::public_bind_host:
+ str_replace:
+ template:
+ '"%{::fqdn_$NETWORK}"'
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
# NOTE: bind IP is found in Heat replacing the network name with the
# local node IP for the given network; replacement examples
# (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
- # NOTE: this applies to all 4 bind IP settings below...
- keystone::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
- keystone::public_bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
+ # NOTE: this applies to all 2 bind IP settings below...
keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
step_config: |
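Review bot: `keystone::admin_bind_host` and `keystone::public_bind_host` change from the network IP to `"%{::fqdn_<network>}"`, while `keystone::wsgi::apache::bind_host`/`admin_bind_host` two lines later stay as IPs; the existing comment ("this applies to all 2 bind IP settings below") now documents only the Apache pair and reads oddly — `# NOTE: this applies to both bind IP settings below...`. Binding by name means the listening address depends on how `fqdn_<network>` resolves on the node (presumably /etc/hosts entries managed elsewhere); if it resolves to an address on another network, or not at all, the service silently listens elsewhere or fails to start. If the motivation is matching the per-network TLS certificate subject, say so above the two new settings: `# Bound by FQDN so the address matches the certificate issued for fqdn_<network>; relies on that name resolving to this node's address on that network.`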
diff --git a/puppet/services/monitoring/sensu-client.yaml b/puppet/services/monitoring/sensu-client.yaml
index 3f37e750..a26c7458 100644
--- a/puppet/services/monitoring/sensu-client.yaml
+++ b/puppet/services/monitoring/sensu-client.yaml
@@ -18,6 +18,13 @@ parameters:
Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
+ AdminPassword:
+ description: Keystone admin user password
+ type: string
+ KeystoneRegion:
+ default: 'regionOne'
+ description: Keystone region for endpoint
+ type: string
SensuClientCustomConfig:
default: {}
description: Hash containing custom sensu-client variables.
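Review bot: `AdminPassword` is added without `hidden: true`, unlike `RabbitPassword` in swift-proxy.yaml in this same change, so its value can be shown in stack parameter listings and outputs. Add `hidden: true` under its description. `KeystoneRegion` is fine as declared.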
@@ -44,6 +51,14 @@ outputs:
- sensu::api: false
sensu::client: true
sensu::server: false
- sensu::client_custom: {get_param: SensuClientCustomConfig}
+ sensu::client_custom:
+ map_merge:
+ - {get_param: SensuClientCustomConfig}
+ - openstack:
+ username: 'admin'
+ password: {get_param: AdminPassword}
+ auth_url: {get_param: [EndpointMap, KeystoneInternal, uri]}
+ tenant_name: 'admin'
+ region: {get_param: KeystoneRegion}
step_config: |
include ::tripleo::profile::base::monitoring::sensu
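Review bot: The merged `openstack` block places the Keystone `admin` username and `AdminPassword` into `sensu::client_custom`, which is written into the sensu-client configuration on every node that includes this service and, as client custom attributes, is normally registered with the Sensu server and readable through its API and dashboard (to be confirmed for the sensu version deployed). That spreads the cloud's highest-privilege credential to every compute node and potentially to the monitoring UI. A dedicated monitoring user with a read-only role, supplied through its own parameters (e.g. `SensuOpenStackUser`/`SensuOpenStackPassword` with `hidden: true`), would limit the blast radius; if the client registry cannot be kept off the server side, the credential should not be placed here at all. At minimum add a comment above `openstack:` stating that these values end up in the node's sensu config and are sent to the server.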
diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml
index b5ca2437..31732580 100644
--- a/puppet/services/nova-libvirt.yaml
+++ b/puppet/services/nova-libvirt.yaml
@@ -50,6 +50,10 @@ outputs:
tripleo::profile::base::nova::libvirt_enabled: true
nova::compute::libvirt::services::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
nova::compute::libvirt::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
+ tripleo.nova_libvirt.firewall_rules:
+ '200 nova_libvirt':
+ dport:
+ - 16509
step_config: |
include tripleo::profile::base::nova::libvirt
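Review bot: The new `'200 nova_libvirt'` rule opens TCP 16509 with no `source`; that is libvirt's plain (non-TLS) listener, and unless libvirtd is configured with `auth_tcp` (SASL) — not visible in this hunk — anything that can reach the compute host on any network gains unauthenticated control of every instance on it, far wider than live migration needs. If the rule schema accepts `source` (puppet-tripleo's `tripleo::firewall::rule` does, to be confirmed), restrict it to the libvirt/migration network using the same `str_replace` of `NETWORK_subnet` with the service's ServiceNetMap entry that apache.yaml uses for `apache_remote_proxy_ips_network`. At minimum add a comment recording which libvirtd authentication setting this open port assumes, and that 16514 is the TLS port if migration is moved to TLS.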
diff --git a/puppet/services/opendaylight-api.yaml b/puppet/services/opendaylight-api.yaml
index 30351dfb..318c898e 100644
--- a/puppet/services/opendaylight-api.yaml
+++ b/puppet/services/opendaylight-api.yaml
@@ -8,10 +8,6 @@ parameters:
default: 8081
description: Set opendaylight service port
type: number
- EnableOpenDaylightOnController:
- default: false
- description: Whether to install OpenDaylight on control nodes.
- type: boolean
OpenDaylightUsername:
default: 'admin'
description: The username for the opendaylight server.
@@ -58,7 +54,6 @@ outputs:
service_name: opendaylight_api
config_settings:
opendaylight::odl_rest_port: {get_param: OpenDaylightPort}
- odl_on_controller: {get_param: EnableOpenDaylightOnController}
opendaylight::username: {get_param: OpenDaylightUsername}
opendaylight::password: {get_param: OpenDaylightPassword}
opendaylight::enable_l3: {get_param: OpenDaylightEnableL3}
diff --git a/puppet/services/opendaylight-ovs.yaml b/puppet/services/opendaylight-ovs.yaml
index ea7410ca..268ca244 100644
--- a/puppet/services/opendaylight-ovs.yaml
+++ b/puppet/services/opendaylight-ovs.yaml
@@ -48,6 +48,7 @@ outputs:
opendaylight::odl_rest_port: {get_param: OpenDaylightPort}
opendaylight_check_url: {get_param: OpenDaylightCheckURL}
opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol}
+ neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]}
neutron::plugins::ovs::opendaylight::provider_mappings:
str_replace:
template: MAPPINGS
diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml
index ed0d12cf..de8daea5 100644
--- a/puppet/services/swift-proxy.yaml
+++ b/puppet/services/swift-proxy.yaml
@@ -41,6 +41,14 @@ parameters:
MonitoringSubscriptionSwiftProxy:
default: 'overcloud-swift-proxy'
type: string
+ RabbitPassword:
+ description: The password for RabbitMQ
+ type: string
+ hidden: true
+ RabbitUserName:
+ default: guest
+ description: The username for RabbitMQ
+ type: string
resources:
SwiftBase:
@@ -66,6 +74,9 @@ outputs:
swift::proxy::authtoken::project_name: 'service'
swift::proxy::node_timeout: {get_param: SwiftProxyNodeTimeout}
swift::proxy::workers: {get_param: SwiftWorkers}
+ swift::proxy::ceilometer::rabbit_host: {get_param: [ServiceNetMap, RabbitmqNetwork]}
+ swift::proxy::ceilometer::rabbit_user: {get_param: RabbitUserName}
+ swift::proxy::ceilometer::rabbit_password: {get_param: RabbitPassword}
tripleo.swift_proxy.firewall_rules:
'122 swift proxy':
dport:
@@ -77,6 +88,7 @@ outputs:
- ResellerAdmin
swift::proxy::versioned_writes::allow_versioned_writes: true
swift::proxy::pipeline:
+ - 'ceilometer'
- 'catch_errors'
- 'healthcheck'
- 'proxy-logging'
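Review bot: The new `'ceilometer'` entry is placed first in `swift::proxy::pipeline`, ahead of `catch_errors` and `proxy-logging`. Any exception raised inside the ceilometer middleware — for example while publishing to RabbitMQ with the credentials added earlier in this file — is then not caught by `catch_errors` and can surface to the client as an unhandled 500 with a traceback, and the request is not logged. Upstream ceilometermiddleware's documented placement, as far as I recall, is late in the pipeline just before `proxy-server`, which keeps error handling and logging in front of it; verify against the shipped version and move the entry accordingly, with a comment such as `# ceilometer must sit behind catch_errors/proxy-logging so its failures are handled and logged.`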