3 files changed, 55 insertions, 10 deletions

diff --git a/puppet/major_upgrade_steps.j2.yaml b/puppet/major_upgrade_steps.j2.yaml
index 5aba90e8..e4d1e2a0 100644
--- a/puppet/major_upgrade_steps.j2.yaml
+++ b/puppet/major_upgrade_steps.j2.yaml
@@ -40,11 +40,6 @@ conditions:
       equals:
         - {get_param: [role_data, {{role.name}}, upgrade_batch_tasks]}
         - []
-  {{role.name}}UpgradeConfigEnabled:
-    not:
-      equals:
-        - {get_param: [role_data, {{role.name}}, upgrade_tasks]}
-        - []
 {%- endfor %}
 
 resources:
@@ -188,7 +183,6 @@ resources:
   # do, and there should be minimal performance hit (creating the
   # config is cheap compared to the time to apply the deployment).
   {%- if step > 0 %}
-    condition: {{role.name}}UpgradeConfigEnabled
     {% if role.name in enabled_roles %}
     depends_on:
       - {{role.name}}Upgrade_Step{{step -1}}
@@ -204,9 +198,13 @@ resources:
   {{role.name}}Upgrade_Step{{step}}:
     type: OS::Heat::SoftwareDeploymentGroup
     {%- if step > 0 %}
-    condition: {{role.name}}UpgradeConfigEnabled
+    # Make sure we wait that all roles have finished their own
+    # previous step before going to the next, so we can guarantee
+    # state for each steps.
     depends_on:
-      - {{role.name}}Upgrade_Step{{step -1}}
+      {%- for role_inside in enabled_roles %}
+      - {{role_inside.name}}Upgrade_Step{{step -1}}
+      {%- endfor %}
     {%- endif %}
     properties:
       name: {{role.name}}Upgrade_Step{{step}}
diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml
index bc4380a5..9b314b2a 100644
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@@ -39,6 +39,20 @@ outputs:
             value: 5
           net.ipv4.tcp_keepalive_time:
             value: 5
+          net.ipv4.conf.default.send_redirects:
+            value: 0
+          net.ipv4.conf.all.send_redirects:
+            value: 0
+          net.ipv4.conf.default.accept_redirects:
+            value: 0
+          net.ipv4.conf.default.secure_redirects:
+            value: 0
+          net.ipv4.conf.all.secure_redirects:
+            value: 0
+          net.ipv4.conf.default.log_martians:
+            value: 1
+          net.ipv4.conf.all.log_martians:
+            value: 1
           net.nf_conntrack_max:
             value: 500000
           net.netfilter.nf_conntrack_max:
@@ -52,6 +66,10 @@ outputs:
             value: 0
           net.ipv6.conf.default.autoconf:
             value: 0
+          net.ipv6.conf.default.accept_redirects:
+            value: 0
+          net.ipv6.conf.all.accept_redirects:
+            value: 0
           net.core.netdev_max_backlog:
             value: 10000
           kernel.pid_max:
diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml
index 0c3cc1ec..0ecc942c 100644
--- a/puppet/services/swift-proxy.yaml
+++ b/puppet/services/swift-proxy.yaml
@@ -63,10 +63,14 @@ parameters:
         Rabbit client subscriber parameter to specify
         an SSL connection to the RabbitMQ host.
     type: string
+  EnableInternalTLS:
+    type: boolean
+    default: false
 
 conditions:
 
   ceilometer_pipeline_enabled: {equals : [{get_param: SwiftCeilometerPipelineEnabled}, True]}
+  use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
 
 resources:
   SwiftBase:
@@ -76,6 +80,14 @@ resources:
       DefaultPasswords: {get_param: DefaultPasswords}
       EndpointMap: {get_param: EndpointMap}
 
+  TLSProxyBase:
+    type: OS::TripleO::Services::TLSProxyBase
+    properties:
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
+      EnableInternalTLS: {get_param: EnableInternalTLS}
+
 outputs:
   role_data:
     description: Role data for the Swift proxy service.
@@ -85,7 +97,7 @@ outputs:
       config_settings:
         map_merge:
           - get_attr: [SwiftBase, role_data, config_settings]
-
+          - get_attr: [TLSProxyBase, role_data, config_settings]
           - swift::proxy::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
             swift::proxy::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
             swift::proxy::authtoken::password: {get_param: SwiftPassword}
@@ -146,7 +158,22 @@ outputs:
             # internal_api -> IP
             # internal_api_uri -> [IP]
             # internal_api_subnet - > IP/CIDR
-            swift::proxy::proxy_local_net_ip: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
+            tripleo::profile::base::swift::proxy::tls_proxy_bind_ip:
+              get_param: [ServiceNetMap, SwiftProxyNetwork]
+            tripleo::profile::base::swift::proxy::tls_proxy_fqdn:
+              str_replace:
+                template:
+                  "%{hiera('fqdn_$NETWORK')}"
+                params:
+                  $NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
+            tripleo::profile::base::swift::proxy::tls_proxy_port:
+              get_param: [EndpointMap, SwiftInternal, port]
+            swift::proxy::port: {get_param: [EndpointMap, SwiftInternal, port]}
+            swift::proxy::proxy_local_net_ip:
+              if:
+              - use_tls_proxy
+              - 'localhost'
+              - {get_param: [ServiceNetMap, SwiftProxyNetwork]}
       step_config: |
         include ::tripleo::profile::base::swift::proxy
       service_config_settings:
@@ -169,3 +196,5 @@ outputs:
         - name: Stop swift_proxy service
           tags: step1
           service: name=openstack-swift-proxy state=stopped
+      metadata_settings:
+        get_attr: [TLSProxyBase, role_data, metadata_settings]