aboutsummaryrefslogtreecommitdiffstats
path: root/puppet
diff options
context:
space:
mode:
Diffstat (limited to 'puppet')
-rw-r--r--puppet/all-nodes-config.yaml18
-rw-r--r--puppet/blockstorage-role.yaml18
-rw-r--r--puppet/cephstorage-role.yaml21
-rw-r--r--puppet/compute-role.yaml21
-rw-r--r--puppet/controller-role.yaml21
-rw-r--r--puppet/objectstorage-role.yaml18
-rw-r--r--puppet/role.role.j2.yaml21
-rw-r--r--puppet/services/database/mysql.yaml13
-rw-r--r--puppet/services/database/redis.yaml20
-rw-r--r--puppet/services/ironic-api.yaml31
-rw-r--r--puppet/services/ironic-inspector.yaml151
-rw-r--r--puppet/services/keystone.yaml5
-rw-r--r--puppet/services/nova-api.yaml2
-rw-r--r--puppet/services/ovn-dbs.yaml1
-rw-r--r--puppet/services/pacemaker/database/mysql.yaml7
-rw-r--r--puppet/services/pacemaker/ovn-dbs.yaml61
-rw-r--r--puppet/services/services.yaml129
17 files changed, 404 insertions, 154 deletions
diff --git a/puppet/all-nodes-config.yaml b/puppet/all-nodes-config.yaml
index baafe03d..b1284452 100644
--- a/puppet/all-nodes-config.yaml
+++ b/puppet/all-nodes-config.yaml
@@ -12,10 +12,8 @@ parameters:
type: string
cloud_name_ctlplane:
type: string
- # FIXME(shardy) this can be comma_delimited_list when
- # https://bugs.launchpad.net/heat/+bug/1617019 is fixed
enabled_services:
- type: string
+ type: comma_delimited_list
controller_ips:
type: comma_delimited_list
logging_groups:
@@ -118,7 +116,10 @@ resources:
map_merge:
- tripleo::profile::base::logging::fluentd::fluentd_sources: {get_param: logging_sources}
- tripleo::profile::base::logging::fluentd::fluentd_groups: {get_param: logging_groups}
- - enabled_services: {get_param: enabled_services}
+ - enabled_services:
+ yaql:
+ expression: $.data.distinct()
+ data: {get_param: enabled_services}
# This writes out a mapping of service_name_enabled: 'true'
# For any services not enabled, hiera foo_enabled will
# return nil, as it's undefined
@@ -129,8 +130,7 @@ resources:
# https://bugs.launchpad.net/heat/+bug/1617203
SERVICE_enabled: 'true'
for_each:
- SERVICE:
- str_split: [',', {get_param: enabled_services}]
+ SERVICE: {get_param: enabled_services}
# Dynamically generate per-service network data
# This works as follows (outer->inner functions)
# yaql - filters services where no mapping exists in ServiceNetMap
@@ -150,8 +150,7 @@ resources:
template:
SERVICE_network: SERVICE_network
for_each:
- SERVICE:
- str_split: [',', {get_param: enabled_services}]
+ SERVICE: {get_param: enabled_services}
- values: {get_param: ServiceNetMap}
# Keystone doesn't provide separate entries for the public
# and admin endpoints, so we need to add them here manually
@@ -203,8 +202,7 @@ resources:
template:
SERVICE_vip: SERVICE_network
for_each:
- SERVICE:
- str_split: [',', {get_param: enabled_services}]
+ SERVICE: {get_param: enabled_services}
- values: {get_param: ServiceNetMap}
- values: {get_param: NetVipMap}
- keystone_admin_api_vip:
diff --git a/puppet/blockstorage-role.yaml b/puppet/blockstorage-role.yaml
index 08bc03a5..95dcf0b5 100644
--- a/puppet/blockstorage-role.yaml
+++ b/puppet/blockstorage-role.yaml
@@ -69,8 +69,8 @@ parameters:
default: 'localdomain'
type: string
description: >
- The DNS domain used for the hosts. This should match the dhcp_domain
- configured in the Undercloud neutron. Defaults to localdomain.
+ The DNS domain used for the hosts. This must match the
+ overcloud_domain_name configured on the undercloud.
BlockStorageServerMetadata:
default: {}
description: >
@@ -377,6 +377,7 @@ resources:
properties:
server: {get_resource: BlockStorage}
RoleParameters: {get_param: RoleParameters}
+ deployment_actions: {get_attr: [DeploymentActions, value]}
NetworkDeployment:
type: OS::TripleO::SoftwareDeployment
@@ -485,6 +486,9 @@ resources:
NodeExtraConfig:
depends_on: NodeTLSCAData
type: OS::TripleO::NodeExtraConfig
+ # We have to use conditions here so that we don't break backwards
+ # compatibility with templates everywhere
+ condition: server_not_blacklisted
properties:
server: {get_resource: BlockStorage}
@@ -507,11 +511,21 @@ resources:
- ['CREATE', 'UPDATE']
- []
+ DeploymentActions:
+ type: OS::Heat::Value
+ properties:
+ value:
+ if:
+ - server_not_blacklisted
+ - ['CREATE', 'UPDATE']
+ - []
+
SshHostPubKey:
type: OS::TripleO::Ssh::HostPubKey
depends_on: BlockStorageDeployment
properties:
server: {get_resource: BlockStorage}
+ deployment_actions: {get_attr: [DeploymentActions, value]}
outputs:
ip_address:
diff --git a/puppet/cephstorage-role.yaml b/puppet/cephstorage-role.yaml
index 3f596423..6674a8ac 100644
--- a/puppet/cephstorage-role.yaml
+++ b/puppet/cephstorage-role.yaml
@@ -75,8 +75,8 @@ parameters:
default: 'localdomain'
type: string
description: >
- The DNS domain used for the hosts. This should match the dhcp_domain
- configured in the Undercloud neutron. Defaults to localdomain.
+ The DNS domain used for the hosts. This must match the
+ overcloud_domain_name configured on the undercloud.
CephStorageServerMetadata:
default: {}
description: >
@@ -383,6 +383,7 @@ resources:
properties:
server: {get_resource: CephStorage}
RoleParameters: {get_param: RoleParameters}
+ deployment_actions: {get_attr: [DeploymentActions, value]}
NetworkDeployment:
type: OS::TripleO::SoftwareDeployment
@@ -489,6 +490,9 @@ resources:
CephStorageExtraConfigPre:
depends_on: CephStorageDeployment
type: OS::TripleO::CephStorageExtraConfigPre
+ # We have to use conditions here so that we don't break backwards
+ # compatibility with templates everywhere
+ condition: server_not_blacklisted
properties:
server: {get_resource: CephStorage}
@@ -497,6 +501,9 @@ resources:
NodeExtraConfig:
depends_on: [CephStorageExtraConfigPre, NodeTLSCAData]
type: OS::TripleO::NodeExtraConfig
+ # We have to use conditions here so that we don't break backwards
+ # compatibility with templates everywhere
+ condition: server_not_blacklisted
properties:
server: {get_resource: CephStorage}
@@ -518,11 +525,21 @@ resources:
- ['CREATE', 'UPDATE']
- []
+ DeploymentActions:
+ type: OS::Heat::Value
+ properties:
+ value:
+ if:
+ - server_not_blacklisted
+ - ['CREATE', 'UPDATE']
+ - []
+
SshHostPubKey:
type: OS::TripleO::Ssh::HostPubKey
depends_on: CephStorageDeployment
properties:
server: {get_resource: CephStorage}
+ deployment_actions: {get_attr: [DeploymentActions, value]}
outputs:
ip_address:
diff --git a/puppet/compute-role.yaml b/puppet/compute-role.yaml
index 8a3c487a..37eb98d1 100644
--- a/puppet/compute-role.yaml
+++ b/puppet/compute-role.yaml
@@ -90,8 +90,8 @@ parameters:
default: 'localdomain'
type: string
description: >
- The DNS domain used for the hosts. This should match the dhcp_domain
- configured in the Undercloud neutron. Defaults to localdomain.
+ The DNS domain used for the hosts. This must match the
+ overcloud_domain_name configured on the undercloud.
NovaComputeServerMetadata:
default: {}
description: >
@@ -386,6 +386,7 @@ resources:
properties:
server: {get_resource: NovaCompute}
RoleParameters: {get_param: RoleParameters}
+ deployment_actions: {get_attr: [DeploymentActions, value]}
NetworkConfig:
type: OS::TripleO::Compute::Net::SoftwareConfig
@@ -512,6 +513,9 @@ resources:
ComputeExtraConfigPre:
depends_on: NovaComputeDeployment
type: OS::TripleO::ComputeExtraConfigPre
+ # We have to use conditions here so that we don't break backwards
+ # compatibility with templates everywhere
+ condition: server_not_blacklisted
properties:
server: {get_resource: NovaCompute}
@@ -520,6 +524,9 @@ resources:
NodeExtraConfig:
depends_on: [ComputeExtraConfigPre, NodeTLSCAData]
type: OS::TripleO::NodeExtraConfig
+ # We have to use conditions here so that we don't break backwards
+ # compatibility with templates everywhere
+ condition: server_not_blacklisted
properties:
server: {get_resource: NovaCompute}
@@ -542,11 +549,21 @@ resources:
update_identifier:
get_param: UpdateIdentifier
+ DeploymentActions:
+ type: OS::Heat::Value
+ properties:
+ value:
+ if:
+ - server_not_blacklisted
+ - ['CREATE', 'UPDATE']
+ - []
+
SshHostPubKey:
type: OS::TripleO::Ssh::HostPubKey
depends_on: NovaComputeDeployment
properties:
server: {get_resource: NovaCompute}
+ deployment_actions: {get_attr: [DeploymentActions, value]}
outputs:
ip_address:
diff --git a/puppet/controller-role.yaml b/puppet/controller-role.yaml
index 6bc23669..01f54df0 100644
--- a/puppet/controller-role.yaml
+++ b/puppet/controller-role.yaml
@@ -104,8 +104,8 @@ parameters:
default: 'localdomain'
type: string
description: >
- The DNS domain used for the hosts. This should match the dhcp_domain
- configured in the Undercloud neutron. Defaults to localdomain.
+ The DNS domain used for the hosts. This must match the
+ overcloud_domain_name configured on the undercloud.
ControllerServerMetadata:
default: {}
description: >
@@ -406,6 +406,7 @@ resources:
properties:
server: {get_resource: Controller}
RoleParameters: {get_param: RoleParameters}
+ deployment_actions: {get_attr: [DeploymentActions, value]}
NetworkConfig:
type: OS::TripleO::Controller::Net::SoftwareConfig
@@ -552,6 +553,9 @@ resources:
ControllerExtraConfigPre:
depends_on: ControllerDeployment
type: OS::TripleO::ControllerExtraConfigPre
+ # We have to use conditions here so that we don't break backwards
+ # compatibility with templates everywhere
+ condition: server_not_blacklisted
properties:
server: {get_resource: Controller}
@@ -560,6 +564,9 @@ resources:
NodeExtraConfig:
depends_on: [ControllerExtraConfigPre, NodeTLSData]
type: OS::TripleO::NodeExtraConfig
+ # We have to use conditions here so that we don't break backwards
+ # compatibility with templates everywhere
+ condition: server_not_blacklisted
properties:
server: {get_resource: Controller}
@@ -582,11 +589,21 @@ resources:
update_identifier:
get_param: UpdateIdentifier
+ DeploymentActions:
+ type: OS::Heat::Value
+ properties:
+ value:
+ if:
+ - server_not_blacklisted
+ - ['CREATE', 'UPDATE']
+ - []
+
SshHostPubKey:
type: OS::TripleO::Ssh::HostPubKey
depends_on: ControllerDeployment
properties:
server: {get_resource: Controller}
+ deployment_actions: {get_attr: [DeploymentActions, value]}
outputs:
ip_address:
diff --git a/puppet/objectstorage-role.yaml b/puppet/objectstorage-role.yaml
index c35bb250..e6348420 100644
--- a/puppet/objectstorage-role.yaml
+++ b/puppet/objectstorage-role.yaml
@@ -69,8 +69,8 @@ parameters:
default: 'localdomain'
type: string
description: >
- The DNS domain used for the hosts. This should match the dhcp_domain
- configured in the Undercloud neutron. Defaults to localdomain.
+ The DNS domain used for the hosts. This must match the
+ overcloud_domain_name configured on the undercloud.
SwiftStorageServerMetadata:
default: {}
description: >
@@ -377,6 +377,7 @@ resources:
properties:
server: {get_resource: SwiftStorage}
RoleParameters: {get_param: RoleParameters}
+ deployment_actions: {get_attr: [DeploymentActions, value]}
NetworkDeployment:
type: OS::TripleO::SoftwareDeployment
@@ -485,6 +486,9 @@ resources:
NodeExtraConfig:
depends_on: NodeTLSCAData
type: OS::TripleO::NodeExtraConfig
+ # We have to use conditions here so that we don't break backwards
+ # compatibility with templates everywhere
+ condition: server_not_blacklisted
properties:
server: {get_resource: SwiftStorage}
@@ -506,11 +510,21 @@ resources:
- ['CREATE', 'UPDATE']
- []
+ DeploymentActions:
+ type: OS::Heat::Value
+ properties:
+ value:
+ if:
+ - server_not_blacklisted
+ - ['CREATE', 'UPDATE']
+ - []
+
SshHostPubKey:
type: OS::TripleO::Ssh::HostPubKey
depends_on: SwiftStorageHieraDeploy
properties:
server: {get_resource: SwiftStorage}
+ deployment_actions: {get_attr: [DeploymentActions, value]}
outputs:
ip_address:
diff --git a/puppet/role.role.j2.yaml b/puppet/role.role.j2.yaml
index b7f47594..4911fbe9 100644
--- a/puppet/role.role.j2.yaml
+++ b/puppet/role.role.j2.yaml
@@ -85,8 +85,8 @@ parameters:
default: 'localdomain'
type: string
description: >
- The DNS domain used for the hosts. This should match the dhcp_domain
- configured in the Undercloud neutron. Defaults to localdomain.
+ The DNS domain used for the hosts. This must match the
+ overcloud_domain_name configured on the undercloud.
{{role}}ServerMetadata:
default: {}
description: >
@@ -399,6 +399,7 @@ resources:
properties:
server: {get_resource: {{role}}}
RoleParameters: {get_param: RoleParameters}
+ deployment_actions: {get_attr: [DeploymentActions, value]}
NetworkDeployment:
type: OS::TripleO::SoftwareDeployment
@@ -511,6 +512,9 @@ resources:
{{role}}ExtraConfigPre:
depends_on: {{role}}Deployment
type: OS::TripleO::{{role}}ExtraConfigPre
+ # We have to use conditions here so that we don't break backwards
+ # compatibility with templates everywhere
+ condition: server_not_blacklisted
properties:
server: {get_resource: {{role}}}
@@ -519,6 +523,9 @@ resources:
NodeExtraConfig:
depends_on: [{{role}}ExtraConfigPre, NodeTLSCAData]
type: OS::TripleO::NodeExtraConfig
+ # We have to use conditions here so that we don't break backwards
+ # compatibility with templates everywhere
+ condition: server_not_blacklisted
properties:
server: {get_resource: {{role}}}
@@ -541,11 +548,21 @@ resources:
- ['CREATE', 'UPDATE']
- []
+ DeploymentActions:
+ type: OS::Heat::Value
+ properties:
+ value:
+ if:
+ - server_not_blacklisted
+ - ['CREATE', 'UPDATE']
+ - []
+
SshHostPubKey:
type: OS::TripleO::Ssh::HostPubKey
depends_on: {{role}}Deployment
properties:
server: {get_resource: {{role}}}
+ deployment_actions: {get_attr: [DeploymentActions, value]}
outputs:
ip_address:
diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml
index 2bde9033..882ba299 100644
--- a/puppet/services/database/mysql.yaml
+++ b/puppet/services/database/mysql.yaml
@@ -118,6 +118,16 @@ outputs:
template: "%{hiera('cloud_name_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+ dnsnames:
+ - str_replace:
+ template: "%{hiera('cloud_name_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+ - str_replace:
+ template:
+ "%{hiera('fqdn_$NETWORK')}"
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
principal:
str_replace:
template: "mysql/%{hiera('cloud_name_NETWORK')}"
@@ -132,6 +142,9 @@ outputs:
- service: mysql
network: {get_param: [ServiceNetMap, MysqlNetwork]}
type: vip
+ - service: mysql
+ network: {get_param: [ServiceNetMap, MysqlNetwork]}
+ type: node
- null
upgrade_tasks:
- name: Check for galera root password
diff --git a/puppet/services/database/redis.yaml b/puppet/services/database/redis.yaml
index df406a8c..9567a73f 100644
--- a/puppet/services/database/redis.yaml
+++ b/puppet/services/database/redis.yaml
@@ -52,3 +52,23 @@ outputs:
- 26379
step_config: |
include ::tripleo::profile::base::database::redis
+ upgrade_tasks:
+ - name: Check if redis is deployed
+ command: systemctl is-enabled redis
+ tags: common
+ ignore_errors: True
+ register: redis_enabled
+ - name: "PreUpgrade step0,validation: Check if redis is running"
+ shell: >
+ /usr/bin/systemctl show 'redis' --property ActiveState |
+ grep '\bactive\b'
+ when: redis_enabled.rc == 0
+ tags: step0,validation
+ - name: Stop redis service
+ tags: step1
+ when: redis_enabled.rc == 0
+ service: name=redis state=stopped
+ - name: Install redis package if it was disabled
+ tags: step3
+ yum: name=redis state=latest
+ when: redis_enabled.rc != 0
diff --git a/puppet/services/ironic-api.yaml b/puppet/services/ironic-api.yaml
index 945033a1..0e8eacf1 100644
--- a/puppet/services/ironic-api.yaml
+++ b/puppet/services/ironic-api.yaml
@@ -43,8 +43,21 @@ parameters:
e.g. { ironic-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
+ EnableInternalTLS:
+ type: boolean
+ default: false
resources:
+ ApacheServiceBase:
+ type: ./apache.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+ RoleName: {get_param: RoleName}
+ RoleParameters: {get_param: RoleParameters}
+ EnableInternalTLS: {get_param: EnableInternalTLS}
+
IronicBase:
type: ./ironic-base.yaml
properties:
@@ -63,6 +76,7 @@ outputs:
config_settings:
map_merge:
- get_attr: [IronicBase, role_data, config_settings]
+ - get_attr: [ApacheServiceBase, role_data, config_settings]
- ironic::api::authtoken::password: {get_param: IronicPassword}
ironic::api::authtoken::project_name: 'service'
ironic::api::authtoken::user_domain_name: 'Default'
@@ -80,7 +94,17 @@ outputs:
ironic::api::port: {get_param: [EndpointMap, IronicInternal, port]}
# This is used to build links in responses
ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
+ ironic::api::service_name: 'httpd'
ironic::policy::policies: {get_param: IronicApiPolicies}
+ ironic::wsgi::apache::bind_host: {get_param: [ServiceNetMap, IronicApiNetwork]}
+ ironic::wsgi::apache::port: {get_param: [EndpointMap, IronicInternal, port]}
+ ironic::wsgi::apache::servername:
+ str_replace:
+ template:
+ "%{hiera('fqdn_$NETWORK')}"
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, IronicApiNetwork]}
+ ironic::wsgi::apache::ssl: {get_param: EnableInternalTLS}
tripleo.ironic_api.firewall_rules:
'133 ironic api':
dport:
@@ -106,6 +130,9 @@ outputs:
- '%'
- "%{hiera('mysql_bind_host')}"
upgrade_tasks:
- - name: Stop ironic_api service
+ - name: Stop ironic_api service (before httpd support)
+ tags: step1
+ service: name=openstack-ironic-api state=stopped enabled=no
+ - name: Stop ironic_api service (running under httpd)
tags: step1
- service: name=openstack-ironic-api state=stopped
+ service: name=httpd state=stopped
diff --git a/puppet/services/ironic-inspector.yaml b/puppet/services/ironic-inspector.yaml
new file mode 100644
index 00000000..e8537a29
--- /dev/null
+++ b/puppet/services/ironic-inspector.yaml
@@ -0,0 +1,151 @@
+heat_template_version: ocata
+
+description: >
+ OpenStack Ironic Inspector configured with Puppet (EXPERIMENTAL)
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ MonitoringSubscriptionIronicInspector:
+ default: 'overcloud-ironic-inspector'
+ type: string
+ KeystoneRegion:
+ type: string
+ default: 'regionOne'
+ description: Keystone region for endpoint
+ Debug:
+ default: ''
+ description: Set to True to enable debugging on all services.
+ type: string
+ IronicInspectorInterface:
+ default: br-ex
+ description: |
+ Network interface on which inspection dnsmasq will listen. Should allow
+ access to untagged traffic from nodes booted for inspection. The default
+ value only makes sense if you don't modify any networking configuration.
+ type: string
+ IronicInspectorIPXEEnabled:
+ default: true
+ description: Whether to use iPXE for inspection.
+ type: boolean
+ IronicInspectorIpRange:
+ description: |
+ Temporary IP range that will be given to nodes during the inspection
+ process. This should not overlap with any range that Neutron's DHCP
+ gives away, but it has to be routeable back to ironic-inspector API.
+ This option has no meaningful defaults, and thus is required.
+ type: string
+ IronicInspectorUseSwift:
+ default: true
+ description: Whether to use Swift for storing introspection data.
+ type: boolean
+ IronicIPXEPort:
+ default: 8088
+ description: Port to use for serving images when iPXE is used.
+ type: string
+ IronicPassword:
+ description: The password for the Ironic service and db account, used by the Ironic services
+ type: string
+ hidden: true
+
+conditions:
+ enable_ipxe: {equals : [{get_param: IronicInspectorIPXEEnabled}, true]}
+ use_swift: {equals : [{get_param: IronicInspectorUseSwift}, true]}
+
+outputs:
+ role_data:
+ description: Role data for the Ironic Inspector role.
+ value:
+ service_name: ironic_inspector
+ monitoring_subscription: {get_param: MonitoringSubscriptionIronicInspector}
+ config_settings:
+ map_merge:
+ - ironic::inspector::listen_address: {get_param: [ServiceNetMap, IronicInspectorNetwork]}
+ ironic::inspector::dnsmasq_local_ip: {get_param: [ServiceNetMap, IronicInspectorNetwork]}
+ ironic::inspector::dnsmasq_ip_range: {get_param: IronicInspectorIpRange}
+ ironic::inspector::dnsmasq_interface: {get_param: IronicInspectorInterface}
+ ironic::inspector::debug: {get_param: Debug}
+ ironic::inspector::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
+ ironic::inspector::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+ ironic::inspector::authtoken::username: 'ironic'
+ ironic::inspector::authtoken::password: {get_param: IronicPassword}
+ ironic::inspector::authtoken::project_name: 'service'
+ ironic::inspector::authtoken::user_domain_name: 'Default'
+ ironic::inspector::authtoken::project_domain_name: 'Default'
+ tripleo.ironic_inspector.firewall_rules:
+ '137 ironic-inspector':
+ dport:
+ - 5050
+ ironic::inspector::ironic_username: 'ironic'
+ ironic::inspector::ironic_password: {get_param: IronicPassword}
+ ironic::inspector::ironic_tenant_name: 'service'
+ ironic::inspector::ironic_auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+ ironic::inspector::ironic_max_retries: 6
+ ironic::inspector::ironic_retry_interval: 10
+ ironic::inspector::ironic_user_domain_name: 'Default'
+ ironic::inspector::ironic_project_domain_name: 'Default'
+ ironic::inspector::http_port: {get_param: IronicIPXEPort}
+ ironic::inspector::db::database_connection:
+ list_join:
+ - ''
+ - - {get_param: [EndpointMap, MysqlInternal, protocol]}
+ - '://ironic-inspector:'
+ - {get_param: IronicPassword}
+ - '@'
+ - {get_param: [EndpointMap, MysqlInternal, host]}
+ - '/ironic-inspector'
+ - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo'
+ -
+ if:
+ - enable_ipxe
+ - ironic::inspector::pxe_transfer_protocol: 'http'
+ - {}
+ -
+ if:
+ - use_swift
+ - ironic::inspector::store_data: 'swift'
+ ironic::inspector::swift_username: 'ironic'
+ ironic::inspector::swift_password: {get_param: IronicPassword}
+ ironic::inspector::swift_tenant_name: 'service'
+ ironic::inspector::swift_auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+ ironic::inspector::swift_user_domain_name: 'Default'
+ ironic::inspector::swift_project_domain_name: 'Default'
+ - {}
+ step_config: |
+ include ::tripleo::profile::base::ironic_inspector
+ service_config_settings:
+ keystone:
+ ironic::keystone::auth_inspector::tenant: 'service'
+ ironic::keystone::auth_inspector::public_url: {get_param: [EndpointMap, IronicInspectorPublic, uri]}
+ ironic::keystone::auth_inspector::internal_url: {get_param: [EndpointMap, IronicInspectorInternal, uri]}
+ ironic::keystone::auth_inspector::admin_url: {get_param: [EndpointMap, IronicInspectorAdmin, uri]}
+ ironic::keystone::auth_inspector::password: {get_param: IronicPassword}
+ ironic::keystone::auth_inspector::region: {get_param: KeystoneRegion}
+ mysql:
+ ironic::inspector::db::mysql::password: {get_param: IronicPassword}
+ ironic::inspector::db::mysql::user: ironic-inspector
+ ironic::inspector::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ ironic::inspector::db::mysql::dbname: ironic-inspector
+ ironic::inspector::db::mysql::allowed_hosts:
+ - '%'
+ - "%{hiera('mysql_bind_host')}"
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index af494016..60d194bc 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -122,6 +122,10 @@ parameters:
KeystoneFernetKeys:
type: json
description: Mapping containing keystone's fernet keys and their paths.
+ KeystoneFernetMaxActiveKeys:
+ type: number
+ description: The maximum active keys in the keystone fernet key repository.
+ default: 5
ManageKeystoneFernetKeys:
type: boolean
default: true
@@ -258,6 +262,7 @@ outputs:
keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
keystone::token_provider: {get_param: KeystoneTokenProvider}
keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
+ keystone::fernet_max_active_keys: {get_param: KeystoneFernetMaxActiveKeys}
keystone::enable_proxy_headers_parsing: true
keystone::enable_credential_setup: true
keystone::credential_keys:
diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml
index 835edf0a..fe2f2946 100644
--- a/puppet/services/nova-api.yaml
+++ b/puppet/services/nova-api.yaml
@@ -210,7 +210,7 @@ outputs:
register: bootstrap_node
- name: set is_bootstrap_node fact
tags: common
- set_fact: is_bootstrap_node={{bootstrap_node.stdout == ansible_hostname}}
+ set_fact: is_bootstrap_node={{bootstrap_node.stdout|lower == ansible_hostname|lower}}
- name: Extra migration for nova tripleo/+bug/1656791
tags: step0,pre-upgrade
when: is_bootstrap_node
diff --git a/puppet/services/ovn-dbs.yaml b/puppet/services/ovn-dbs.yaml
index 20c38d8a..df234c77 100644
--- a/puppet/services/ovn-dbs.yaml
+++ b/puppet/services/ovn-dbs.yaml
@@ -44,6 +44,7 @@ outputs:
ovn::northbound::port: {get_param: OVNNorthboundServerPort}
ovn::southbound::port: {get_param: OVNSouthboundServerPort}
ovn::northd::dbs_listen_ip: {get_param: [ServiceNetMap, OvnDbsNetwork]}
+ tripleo::haproxy::ovn_dbs_manage_lb: true
tripleo.ovn_dbs.firewall_rules:
'121 OVN DB server ports':
proto: 'tcp'
diff --git a/puppet/services/pacemaker/database/mysql.yaml b/puppet/services/pacemaker/database/mysql.yaml
index d8e942d0..0a7659e0 100644
--- a/puppet/services/pacemaker/database/mysql.yaml
+++ b/puppet/services/pacemaker/database/mysql.yaml
@@ -27,6 +27,11 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
resources:
@@ -61,6 +66,8 @@ outputs:
# internal_api_subnet - > IP/CIDR
tripleo::profile::pacemaker::database::mysql::gmcast_listen_addr:
get_param: [ServiceNetMap, MysqlNetwork]
+ tripleo::profile::pacemaker::database::mysql::ca_file:
+ get_param: InternalTLSCAFile
step_config: |
include ::tripleo::profile::pacemaker::database::mysql
metadata_settings:
diff --git a/puppet/services/pacemaker/ovn-dbs.yaml b/puppet/services/pacemaker/ovn-dbs.yaml
new file mode 100644
index 00000000..1cbb4763
--- /dev/null
+++ b/puppet/services/pacemaker/ovn-dbs.yaml
@@ -0,0 +1,61 @@
+heat_template_version: ocata
+
+description: >
+ OVN databases configured with puppet in HA mode
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ OVNNorthboundServerPort:
+ description: Port of the OVN Northbound DB server
+ type: number
+ default: 6641
+ OVNSouthboundServerPort:
+ description: Port of the OVN Southbound DB server
+ type: number
+ default: 6642
+
+resources:
+
+ OVNDBsBase:
+ type: ../ovn-dbs.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+ RoleName: {get_param: RoleName}
+ RoleParameters: {get_param: RoleParameters}
+
+outputs:
+ role_data:
+ description: Role data for the OVN northd service
+ value:
+ service_name: ovn_dbs
+ config_settings:
+ map_merge:
+ - get_attr: [OVNDBsBase, role_data, config_settings]
+ - tripleo::haproxy::ovn_dbs_manage_lb: false
+ tripleo::profile::pacemaker::ovn_northd::nb_db_port: {get_param: OVNNorthboundServerPort}
+ tripleo::profile::pacemaker::ovn_northd::sb_db_port: {get_param: OVNSouthboundServerPort}
+ step_config: |
+ include ::tripleo::profile::pacemaker::ovn_northd
diff --git a/puppet/services/services.yaml b/puppet/services/services.yaml
deleted file mode 100644
index 0e7b6d2b..00000000
--- a/puppet/services/services.yaml
+++ /dev/null
@@ -1,129 +0,0 @@
-heat_template_version: pike
-
-description: >
- Utility stack to convert an array of services into a set of combined
- role configs.
-
-parameters:
- Services:
- default: []
- description: |
- List nested stack service templates.
- type: comma_delimited_list
- ServiceNetMap:
- default: {}
- description: Mapping of service_name -> network name. Typically set
- via parameter_defaults in the resource registry. This
- mapping overrides those in ServiceNetMapDefaults.
- type: json
- EndpointMap:
- default: {}
- description: Mapping of service endpoint -> protocol. Typically set
- via parameter_defaults in the resource registry.
- type: json
- DefaultPasswords:
- default: {}
- description: Mapping of service -> default password. Used to help
- pass top level passwords managed by Heat into services.
- type: json
- RoleName:
- default: ''
- description: Role name on which the service is applied
- type: string
- RoleParameters:
- description: Role Specific parameters to be provided to service
- default: {}
- type: json
-
-resources:
-
- ServiceChain:
- type: OS::Heat::ResourceChain
- properties:
- resources: {get_param: Services}
- concurrent: true
- resource_properties:
- ServiceNetMap: {get_param: ServiceNetMap}
- EndpointMap: {get_param: EndpointMap}
- DefaultPasswords: {get_param: DefaultPasswords}
- RoleName: {get_param: RoleName}
- RoleParameters: {get_param: RoleParameters}
-
- LoggingConfiguration:
- type: OS::TripleO::LoggingConfiguration
-
- ServiceServerMetadataHook:
- type: OS::TripleO::ServiceServerMetadataHook
- properties:
- RoleData: {get_attr: [ServiceChain, role_data]}
-
-outputs:
- role_data:
- description: Combined Role data for this set of services.
- value:
- service_names:
- {get_attr: [ServiceChain, role_data, service_name]}
- monitoring_subscriptions:
- yaql:
- expression: list($.data.role_data.where($ != null).select($.get('monitoring_subscription')).where($ != null))
- data: {role_data: {get_attr: [ServiceChain, role_data]}}
- logging_sources:
- # Transform the individual logging_source configuration from
- # each service in the chain into a global list, adding some
- # default configuration at the same time.
- yaql:
- expression: >
- let(
- default_format => $.data.default_format,
- pos_file_path => $.data.pos_file_path,
- sources => $.data.sources.flatten()
- ) ->
- $sources.where($ != null).select({
- 'type' => 'tail',
- 'tag' => $.tag,
- 'path' => $.path,
- 'format' => $.get('format', $default_format),
- 'pos_file' => $.get('pos_file', $pos_file_path + '/' + $.tag + '.pos')
- })
- data:
- sources:
- - {get_attr: [LoggingConfiguration, LoggingDefaultSources]}
- - yaql:
- expression: list($.data.role_data.where($ != null).select($.get('logging_source')).where($ != null))
- data: {role_data: {get_attr: [ServiceChain, role_data]}}
-
- - {get_attr: [LoggingConfiguration, LoggingExtraSources]}
- default_format: {get_attr: [LoggingConfiguration, LoggingDefaultFormat]}
- pos_file_path: {get_attr: [LoggingConfiguration, LoggingPosFilePath]}
- logging_groups:
- # Build a list of unique groups to which we should add the
- # fluentd user.
- yaql:
- expression: >
- set(($.data.default + $.data.extra + $.data.role_data.where($ != null).select($.get('logging_groups'))).flatten()).where($)
- data:
- default: {get_attr: [LoggingConfiguration, LoggingDefaultGroups]}
- extra: {get_attr: [LoggingConfiguration, LoggingExtraGroups]}
- role_data: {get_attr: [ServiceChain, role_data]}
- config_settings: {map_merge: {get_attr: [ServiceChain, role_data, config_settings]}}
- global_config_settings:
- map_merge:
- yaql:
- expression: list($.data.role_data.where($ != null).select($.get('global_config_settings')).where($ != null))
- data: {role_data: {get_attr: [ServiceChain, role_data]}}
- service_config_settings:
- yaql:
- expression: $.data.role_data.where($ != null).select($.get('service_config_settings')).where($ != null).reduce($1.mergeWith($2), {})
- data: {role_data: {get_attr: [ServiceChain, role_data]}}
- step_config: {get_attr: [ServiceChain, role_data, step_config]}
- upgrade_tasks:
- yaql:
- # Note we use distinct() here to filter any identical tasks, e.g yum update for all services
- expression: $.data.where($ != null).select($.get('upgrade_tasks')).where($ != null).flatten().distinct()
- data: {get_attr: [ServiceChain, role_data]}
- upgrade_batch_tasks:
- yaql:
- # Note we use distinct() here to filter any identical tasks, e.g yum update for all services
- expression: $.data.where($ != null).select($.get('upgrade_batch_tasks')).where($ != null).flatten().distinct()
- data: {get_attr: [ServiceChain, role_data]}
- service_metadata_settings: {get_attr: [ServiceServerMetadataHook, metadata]}