Diffstat (limited to 'puppet')
-rw-r--r--puppet/services/apache-internal-tls-certmonger.yaml75
-rw-r--r--puppet/services/apache.yaml44
-rw-r--r--puppet/services/database/mysql-internal-tls-certmonger.yaml47
-rw-r--r--puppet/services/database/mysql.yaml33
-rw-r--r--puppet/services/kernel.yaml2
-rw-r--r--puppet/services/rabbitmq-internal-tls-certmonger.yaml47
-rw-r--r--puppet/services/rabbitmq.yaml37
7 files changed, 94 insertions, 191 deletions
diff --git a/puppet/services/apache-internal-tls-certmonger.yaml b/puppet/services/apache-internal-tls-certmonger.yaml
deleted file mode 100644
index 4c94f440..00000000
--- a/puppet/services/apache-internal-tls-certmonger.yaml
+++ /dev/null
@@ -1,75 +0,0 @@
-heat_template_version: ocata
-
-description: >
- Apache service TLS configurations.
-
-parameters:
- ServiceNetMap:
- default: {}
- description: Mapping of service_name -> network name. Typically set
- via parameter_defaults in the resource registry. This
- mapping overrides those in ServiceNetMapDefaults.
- type: json
- # The following parameters are not needed by the template but are
- # required to pass the pep8 tests
- DefaultPasswords:
- default: {}
- type: json
- EndpointMap:
- default: {}
- description: Mapping of service endpoint -> protocol. Typically set
- via parameter_defaults in the resource registry.
- type: json
-
-resources:
-
- ApacheNetworks:
- type: OS::Heat::Value
- properties:
- value:
- # NOTE(jaosorior) Get unique network names to create
- # certificates for those. We skip the tenant network since
- # we don't need a certificate for that, and the external
- # network will be handled in another template.
- yaql:
- expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
- data:
- map:
- get_param: ServiceNetMap
-
-outputs:
- role_data:
- description: Role data for the Apache role.
- value:
- service_name: apache_internal_tls_certmonger
- config_settings:
- generate_service_certificates: true
- apache_certificates_specs:
- map_merge:
- repeat:
- template:
- httpd-NETWORK:
- service_certificate: '/etc/pki/tls/certs/httpd-NETWORK.crt'
- service_key: '/etc/pki/tls/private/httpd-NETWORK.key'
- hostname: "%{hiera('fqdn_NETWORK')}"
- principal: "HTTP/%{hiera('fqdn_NETWORK')}"
- for_each:
- NETWORK: {get_attr: [ApacheNetworks, value]}
- metadata_settings:
- repeat:
- template:
- - service: HTTP
- network: $NETWORK
- type: node
- for_each:
- $NETWORK: {get_attr: [ApacheNetworks, value]}
- upgrade_tasks:
- - name: Check if httpd is deployed
- command: systemctl is-enabled httpd
- tags: common
- ignore_errors: True
- register: httpd_enabled
- - name: "PreUpgrade step0,validation: Check service httpd is running"
- shell: /usr/bin/systemctl show 'httpd' --property ActiveState | grep '\bactive\b'
- when: httpd_enabled.rc == 0
- tags: step0,validation
diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml
index 2d950151..9bd282f8 100644
--- a/puppet/services/apache.yaml
+++ b/puppet/services/apache.yaml
@@ -31,13 +31,25 @@ parameters:
type: boolean
default: false
+conditions:
+
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
- ApacheTLS:
- type: OS::TripleO::Services::ApacheTLS
+ ApacheNetworks:
+ type: OS::Heat::Value
properties:
- ServiceNetMap: {get_param: ServiceNetMap}
+ value:
+ # NOTE(jaosorior) Get unique network names to create
+ # certificates for those. We skip the tenant network since
+ # we don't need a certificate for that, and the external
+ # is for HAProxy so it isn't used for apache either.
+ yaql:
+ expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
+ data:
+ map:
+ get_param: ServiceNetMap
outputs:
role_data:
@@ -46,7 +58,6 @@ outputs:
service_name: apache
config_settings:
map_merge:
- - get_attr: [ApacheTLS, role_data, config_settings]
-
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
@@ -64,8 +75,31 @@ outputs:
apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit }
apache::mod::remoteip::proxy_ips:
- "%{hiera('apache_remote_proxy_ips_network')}"
+ -
+ generate_service_certificates: true
+ apache_certificates_specs:
+ map_merge:
+ repeat:
+ template:
+ httpd-NETWORK:
+ service_certificate: '/etc/pki/tls/certs/httpd-NETWORK.crt'
+ service_key: '/etc/pki/tls/private/httpd-NETWORK.key'
+ hostname: "%{hiera('fqdn_NETWORK')}"
+ principal: "HTTP/%{hiera('fqdn_NETWORK')}"
+ for_each:
+ NETWORK: {get_attr: [ApacheNetworks, value]}
metadata_settings:
- get_attr: [ApacheTLS, role_data, metadata_settings]
+ if:
+ - internal_tls_enabled
+ -
+ repeat:
+ template:
+ - service: HTTP
+ network: $NETWORK
+ type: node
+ for_each:
+ $NETWORK: {get_attr: [ApacheNetworks, value]}
+ - null
upgrade_tasks:
- name: Check if httpd is deployed
command: systemctl is-enabled httpd
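Review bot: The new map_merge item starting at `generate_service_certificates: true` / `apache_certificates_specs` is emitted unconditionally, while the `metadata_settings` block a few lines below and the equivalent item in rabbitmq.yaml are gated on `internal_tls_enabled`; the same unconditional item is added in mysql.yaml in the hunk that introduces `tripleo::profile::base::database::mysql::certificate_specs`. As written, every deployment gets `generate_service_certificates: true` in hiera even when EnableInternalTLS is false, which presumably drives certmonger certificate requests the deployment cannot use (and that would fail where no CA is configured). Wrapping the item in the same `if` form rabbitmq.yaml uses, with `- {}` as the else branch, keeps the three services consistent and limits certificate generation to the TLS-enabled case. The enclosing `config_settings` map_merge starts outside this hunk.
```yaml
        map_merge:
          # … unchanged: existing apache::* settings …
          - if:
            - internal_tls_enabled
            - generate_service_certificates: true
              apache_certificates_specs:
                # … unchanged: map_merge/repeat template over ApacheNetworks …
            - {}
```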
diff --git a/puppet/services/database/mysql-internal-tls-certmonger.yaml b/puppet/services/database/mysql-internal-tls-certmonger.yaml
deleted file mode 100644
index 9f7eaf57..00000000
--- a/puppet/services/database/mysql-internal-tls-certmonger.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-heat_template_version: ocata
-
-description: >
- MySQL configurations for using TLS via certmonger.
-
-parameters:
- ServiceNetMap:
- default: {}
- description: Mapping of service_name -> network name. Typically set
- via parameter_defaults in the resource registry. This
- mapping overrides those in ServiceNetMapDefaults.
- type: json
- # The following parameters are not needed by the template but are
- # required to pass the pep8 tests
- DefaultPasswords:
- default: {}
- type: json
- EndpointMap:
- default: {}
- description: Mapping of service endpoint -> protocol. Typically set
- via parameter_defaults in the resource registry.
- type: json
-
-outputs:
- role_data:
- description: MySQL configurations for using TLS via certmonger.
- value:
- service_name: mysql_internal_tls_certmonger
- config_settings:
- generate_service_certificates: true
- tripleo::profile::base::database::mysql::certificate_specs:
- service_certificate: '/etc/pki/tls/certs/mysql.crt'
- service_key: '/etc/pki/tls/private/mysql.key'
- hostname:
- str_replace:
- template: "%{hiera('cloud_name_NETWORK')}"
- params:
- NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
- principal:
- str_replace:
- template: "mysql/%{hiera('cloud_name_NETWORK')}"
- params:
- NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
- metadata_settings:
- - service: mysql
- network: {get_param: [ServiceNetMap, MysqlNetwork]}
- type: vip
diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml
index 7078b60f..da55da3c 100644
--- a/puppet/services/database/mysql.yaml
+++ b/puppet/services/database/mysql.yaml
@@ -42,13 +42,13 @@ parameters:
description: The password for the nova db account
type: string
hidden: true
+ EnableInternalTLS:
+ type: boolean
+ default: false
-resources:
+conditions:
- MySQLTLS:
- type: OS::TripleO::Services::MySQLTLS
- properties:
- ServiceNetMap: {get_param: ServiceNetMap}
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
outputs:
role_data:
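Review bot: The new `EnableInternalTLS` parameter has no `description`, unlike the neighbouring parameters in this file (the db password parameter just above it carries one); a one-line `description: Whether to enable TLS on the internal network for MySQL` would document the intent the `internal_tls_enabled` condition depends on. apache.yaml and rabbitmq.yaml read a parameter of the same name in this commit, so the wording should match whatever those files use. The parameters block continues outside this hunk.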
@@ -57,7 +57,6 @@ outputs:
service_name: mysql
config_settings:
map_merge:
- - get_attr: [MySQLTLS, role_data, config_settings]
-
# The Galera package should work in cluster and
# non-cluster modes based on the config file.
@@ -102,10 +101,30 @@ outputs:
{get_param: [ServiceNetMap, MysqlNetwork]}
tripleo::profile::base::database::mysql::generate_dropin_file_limit:
{get_param: MysqlIncreaseFileLimit}
+ - generate_service_certificates: true
+ tripleo::profile::base::database::mysql::certificate_specs:
+ service_certificate: '/etc/pki/tls/certs/mysql.crt'
+ service_key: '/etc/pki/tls/private/mysql.key'
+ hostname:
+ str_replace:
+ template: "%{hiera('cloud_name_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+ principal:
+ str_replace:
+ template: "mysql/%{hiera('cloud_name_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
step_config: |
include ::tripleo::profile::base::database::mysql
metadata_settings:
- get_attr: [MySQLTLS, role_data, metadata_settings]
+ if:
+ - internal_tls_enabled
+ -
+ - service: mysql
+ network: {get_param: [ServiceNetMap, MysqlNetwork]}
+ type: vip
+ - null
upgrade_tasks:
- name: Check for galera root password
tags: step0
diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml
index fec455d1..ee4c771f 100644
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@@ -56,5 +56,7 @@ outputs:
value: 10000
kernel.pid_max:
value: {get_param: KernelPidMax}
+ kernel.dmesg_restrict:
+ value: 1
step_config: |
include ::tripleo::profile::base::kernel
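Review bot: `kernel.dmesg_restrict` is added without a comment, and its purpose is not obvious from the key alone; suggest placing `# Limit dmesg to privileged users so unprivileged accounts cannot read kernel addresses and hardware details from the ring buffer.` above the key so the hardening intent survives the next refactor. This sysctl is also unrelated to the certmonger/TLS restructuring that makes up the rest of the commit and would be easier to track and revert as its own change. The `outputs` mapping this entry belongs to continues outside the hunk.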
diff --git a/puppet/services/rabbitmq-internal-tls-certmonger.yaml b/puppet/services/rabbitmq-internal-tls-certmonger.yaml
deleted file mode 100644
index 39d6b903..00000000
--- a/puppet/services/rabbitmq-internal-tls-certmonger.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-heat_template_version: ocata
-
-description: >
- RabbitMQ configurations for using TLS via certmonger.
-
-parameters:
- ServiceNetMap:
- default: {}
- description: Mapping of service_name -> network name. Typically set
- via parameter_defaults in the resource registry. This
- mapping overrides those in ServiceNetMapDefaults.
- type: json
- # The following parameters are not needed by the template but are
- # required to pass the pep8 tests
- DefaultPasswords:
- default: {}
- type: json
- EndpointMap:
- default: {}
- description: Mapping of service endpoint -> protocol. Typically set
- via parameter_defaults in the resource registry.
- type: json
-
-outputs:
- role_data:
- description: RabbitMQ configurations for using TLS via certmonger.
- value:
- service_name: rabbitmq_internal_tls_certmonger
- config_settings:
- generate_service_certificates: true
- tripleo::profile::base::rabbitmq::certificate_specs:
- service_certificate: '/etc/pki/tls/certs/rabbitmq.crt'
- service_key: '/etc/pki/tls/private/rabbitmq.key'
- hostname:
- str_replace:
- template: "%{hiera('fqdn_NETWORK')}"
- params:
- NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
- principal:
- str_replace:
- template: "rabbitmq/%{hiera('fqdn_NETWORK')}"
- params:
- NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
- metadata_settings:
- - service: rabbitmq
- network: {get_param: [ServiceNetMap, RabbitmqNetwork]}
- type: node
diff --git a/puppet/services/rabbitmq.yaml b/puppet/services/rabbitmq.yaml
index 92a0015a..47479783 100644
--- a/puppet/services/rabbitmq.yaml
+++ b/puppet/services/rabbitmq.yaml
@@ -52,14 +52,8 @@ parameters:
type: boolean
default: false
-resources:
-
- RabbitMQTLS:
- type: OS::TripleO::Services::RabbitMQTLS
- properties:
- ServiceNetMap: {get_param: ServiceNetMap}
- DefaultPasswords: {get_param: DefaultPasswords}
- EndpointMap: {get_param: EndpointMap}
+conditions:
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
outputs:
role_data:
@@ -69,7 +63,6 @@ outputs:
monitoring_subscription: {get_param: MonitoringSubscriptionRabbitmq}
config_settings:
map_merge:
- - get_attr: [RabbitMQTLS, role_data, config_settings]
-
rabbitmq::file_limit: {get_param: RabbitFDLimit}
rabbitmq::default_user: {get_param: RabbitUserName}
@@ -124,6 +117,24 @@ outputs:
# TODO(jaosorior): Remove this once we set a proper default in
# puppet-tripleo
tripleo::profile::base::rabbitmq::enable_internal_tls: {get_param: EnableInternalTLS}
+ -
+ if:
+ - internal_tls_enabled
+ - generate_service_certificates: true
+ tripleo::profile::base::rabbitmq::certificate_specs:
+ service_certificate: '/etc/pki/tls/certs/rabbitmq.crt'
+ service_key: '/etc/pki/tls/private/rabbitmq.key'
+ hostname:
+ str_replace:
+ template: "%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
+ principal:
+ str_replace:
+ template: "rabbitmq/%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
+ - {}
step_config: |
include ::tripleo::profile::base::rabbitmq
upgrade_tasks:
@@ -134,4 +145,10 @@ outputs:
tags: step4
service: name=rabbitmq-server state=started
metadata_settings:
- get_attr: [RabbitMQTLS, role_data, metadata_settings]
+ if:
+ - internal_tls_enabled
+ -
+ - service: rabbitmq
+ network: {get_param: [ServiceNetMap, RabbitmqNetwork]}
+ type: node
+ - null