aboutsummaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2017-08-11Enable TLS for nova api and placement containersJuan Antonio Osorio Robles2-0/+34
With these two services running over httpd in the containers, we can now enable TLS for them. bp tls-via-certmonger-containers Change-Id: Ib8fc37a391e3b32feef0ac6492492c0088866d21
2017-08-11Make containerized nova-api run with httpdJuan Antonio Osorio Robles2-12/+8
The non-containerized version will run over httpd [1], and for the containerized TLS work, it is needed in the container version as well. [1] Iac35b7ddcd8a800901548c75ca8d5083ad17e4d3 bp tls-via-certmonger-containers Depends-On: I1c5f13039414f17312f91a5e0fd02019aa08e00e Change-Id: I2c39a2957fd95dd261b5b8c4df5e66e00a68d2f7
2017-08-11Enable TLS configuration for containerized GaleraDamien Ciabrini1-0/+35
In non-containerized deployments, Galera can be configured to use TLS for gcomm group communication when enable_internal_tls is set to true. Fix the metadata service definition and update the Kolla configuration to make gcomm use TLS in containers, if configured. bp tls-via-certmonger-containers Change-Id: Ibead27be81910f946d64b8e5421bcc41210d7430 Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Closes-Bug: #1708135 Depends-On: If845baa7b0a437c28148c817b7f94d540ca15814
2017-08-11Move HAProxy's public TLS logic from controller to service templateJuan Antonio Osorio Robles4-6/+25
This de-couples public TLS from controllers to now run wherever HAProxy is deployed. Partially-Implements: blueprint composable-networks Change-Id: I9e84a25a363899acf103015527787bdd8248949f
2017-08-10Merge "Noop controller pre and post config resources."Jenkins1-0/+2
2017-08-10Merge "Fix cidr get_attr in custom networks"Jenkins13-14/+13
2017-08-10Merge "Create parameters for haproxy TLS certs and keys"Jenkins2-11/+55
2017-08-10Accept multiple registries in DockerInsecureRegistryAddressJiri Stransky1-5/+5
We allow using multiple registries (e.g. for OpenStack vs. Ceph container images). We should allow it also in the insecure registry configuration. Change-Id: Icf4a51baf2a230b3fa0d5ced0e9cd1983cd93fb0 Closes-Bug: #1709310 Depends-On: I5cddd20a123a85516577bde1b793a30d43171285
2017-08-10Remove duplicate Iscsid service in resource registryOliver Walsh1-1/+0
I forgot to remove the existing entry in I11232fc412adcc18087928c281ba82546388376e. Change-Id: I40b12e857dc40881f5fe9cf73963ac90caacb17d
2017-08-10Mount NFS volume to docker container.Pranali Deore1-0/+11
After creating glance image successfully, share location was remaining empty because the NFS volume on controller was not mounted to docker container. Now, connecting NFS volume to the docker container. Change-Id: Ib45f117cbbf2b7b2c0faf024e9a8b049c440d872 Closes-Bug: 1708629
2017-08-10Merge "Docker/TLS everywhere: Add telemetry and neutron services to environment"Jenkins1-4/+9
2017-08-09Enable TLS configuration for containerized HAProxyDamien Ciabrini1-5/+52
In non-containerized deployments, HAProxy can be configured to use TLS for proxying internal services. Fix the creation of the of the haproxy bundle resource to enable TLS when configured. The keys and certs files are all passed as configuration files and must be copied by Kolla at container startup. For the time being, disable the use of the CRL file until we find a means of restarting the containerized HAProxy service when that file expires. Change-Id: If307e3357dccb7e96bdb80c9c06d66a09b55f3bd Depends-On: I4b72739446c63f0f0ac9f859314a4d6746e20255 Closes-Bug: #1709563
2017-08-09Merge "Addition of Nuage as mechanism driver for ML2"Jenkins6-7/+134
2017-08-09Set virsh secret with an init step when using CephGiulio Fidente3-4/+62
Run virsh secret-define and secret-set-value in an init step instead of relying on the puppet-nova exec. Co-Authored-By: Jiri Stransky <jistr@redhat.com> Change-Id: Ic950e290af1c66d34b40791defbdf4f8afaa11da Closes-Bug: #1709583
2017-08-09Enable TLS configuration for containerized RabbitMQDamien Ciabrini1-0/+15
In non-containerized deployments, RabbitMQ can be configured to use TLS for serving and mirroring traffic. Fix the creation of the rabbitmq bundle resource to enable TLS when configured. The key and cert are passed as other configuration files and must be copied by Kolla at container startup. Change-Id: I8af63a1cb710e687a593505c0202d717842d5496 Depends-On: Ia64d79462de7012e5bceebf0ffe478a1cccdd6c9 Closes-Bug: #1709558
2017-08-09Make network-isolation-v6 environment rendered for all rolesMichele Baldessari5-57/+71
In change If3989f24f077738845d2edbee405bd9198e7b7db we moved to jinja2 templating to render the networks. This change aims at doing so for the IPv6 network isolation environment. Change-Id: Ieebcff3db3f5756a5d23080ea3d09ce78de69e21
2017-08-09Merge "Use number for KeystoneCronTokenFlushMaxDelay instead of string"Jenkins1-2/+2
2017-08-09Merge "Don't curl metadata server in userdata example"Jenkins1-2/+1
2017-08-08Merge "MariaDB: create clustercheck user at container bootstrap"Jenkins1-1/+22
2017-08-08Make HA container bundle work on remote nodesMichele Baldessari1-0/+13
Right now when we deploy an HA bundle on a pacemaker remote node, the deploy will fail due to the fact that the bundle includes tripleo::profile::base::pacemaker which makes a call to hiera('hacluster_pwd') which will fail on pcmk remote nodes. While we could noop the profile on pcmk nodes, it's much simpler to just make sure this hiera key exists on pcmk remote nodes. Also make sure that pacemaker::corosync::manage_fw is set to false on remote nodes, otherwise the mere inclusion of the pacemaker profile will cause iptables-save to run in a container and thus failing. Change-Id: I09b3e54a470cc2d600a701d23463962501c5c9d6
2017-08-08Fix cidr get_attr in custom networksGiulio Fidente13-14/+13
We were missing the square brackets around the list of arguments for get_attr when building the networks cidr output. This passed CI because Heat does not fail validation and Ceph (which is consuming the cidr output) is tested with a single network (ctlplane) which does not build the output using the same templates. Change-Id: I40bba0784a30295cb0d4eda1fbff20ebac85db99 Closes-Bug: #1709464
2017-08-08Make cinder-manage db sync run on only one controller during upgradeSofer Athlan-Guyot1-7/+13
We got to ensure that the cinder-manage db sync is run on only one controller. Change-Id: I88a6aa4c49d893b95a26795fbfcf163a780fd0bc Closes-Bug: #1709315
2017-08-08Docker/TLS everywhere: Add telemetry and neutron services to environmentJuan Antonio Osorio Robles1-4/+9
some resources were missing, so this syncs up what's working right now. bp tls-via-certmonger-containers Change-Id: Ic8fe20d0240f1ad8f18218d66634029d522d4d5a
2017-08-08Keep dynamic network creation backward compatible.Sofer Athlan-Guyot2-3/+7
We had an history mapping for InternalApi to InternalNetwork. If we remove it then heat will want to destroy InternalNetwork and create InternalApi which cannot work during upgrade. This adds compat name parameters to network_data.yaml. Closes-Bug: #1709105 Change-Id: I8ce6419a5e13a13ee6e991db5ca2196763f52d7a
2017-08-08Add script to create tripleo-admin on deployed serversJiri Stransky1-0/+60
When using deployed servers, we want to create a standard tripleo-admin user for Mistral's ssh tasks (e.g. running Ansible on overcloud). This script wraps the respective Mistral workflow. Change-Id: I2de698b4aae07f74569243a9e7c1c56eb578e700 Related-Bug: #1708180 Depends-On: Ibe8e54f7b38d8c6c8d944d2b13f0eed004c34c4c
2017-08-07Create parameters for haproxy TLS certs and keysJuan Antonio Osorio Robles2-11/+55
this removes the hardcoded paths for the haproxy certs and keys and will enable re-use. We'll use this in a further commit in the containterized TLS work. Change-Id: I602e5a569e2e7e60835deb80532abcedd7a1f63d
2017-08-07Use number for KeystoneCronTokenFlushMaxDelay instead of stringJuan Antonio Osorio Robles1-2/+2
Using a string results in an erroneous check in puppet-keystone, which sets up a zero where it shouldn't. So we change it to number to avoid that. Note that there will also be a puppet-keystone fix for this. Changing the value here assures that deployers only give valid values to this parameter. Change-Id: I00823e23358df91ce54f421c12636f05d4196e15 Closes-Bug: #1708584
2017-08-05Merge "Add Telemetry services to scenario002"Jenkins2-4/+17
2017-08-05Merge "Start redis service after upgrade"Jenkins1-0/+3
2017-08-04Merge "Stop and disable openstack-nova-compute service on compute nodes"Jenkins1-0/+3
2017-08-04Merge "Run gnocchi upgrade with sacks in docker template"Jenkins1-1/+9
2017-08-04Merge "Change the directory for haproxy certs/keys to be service-specific"Jenkins2-7/+11
2017-08-04Render VIPs dynamically based on network_data.yamlDan Sneddon6-266/+227
This change modifies the templates to dynamically define the VIPs based on network_data.yaml. If a network is defined and marked with "vip: true" in network_data.yaml, it will be included in the overcloud.yaml which defines the deployment-level resources. This should make it possible to create custom networks and use them for services which use high-availability through VIPs. Also, extraconfig/nova_metadata/krb-service-pricipals.yaml was modified to dynamically produce the FQDN map for VIPs on isolated networks, to match overcloud.j2.yaml. Depends-On: If074f87494a46305c990a0ea332c7b576d3c6ed8 Depends-On: Iab8aca2f1fcaba0c8f109717a4b3068f629c9aab Partially-implements: blueprint composable-networks Closes-bug: 1667104 Change-Id: I71339a6ac41133e95dbc3f93abb7a9fdeb0f2da0
2017-08-04Merge "Copy scheduler configuration from service/ironic to ↵Jenkins1-0/+2
services-docker/ironic"
2017-08-04Merge "Fix up multipath docker indentation"Jenkins1-5/+5
2017-08-04Change the directory for haproxy certs/keys to be service-specificJuan Antonio Osorio Robles2-7/+11
This moves the directories containing the certs/keys for haproxy one step further inside the hierarchy. This way we will be able to bind-mount this certificate into the container without bind-mounting any other certs/keys from other services. bp tls-via-certmonger-containers Depends-On: Iba3adb9464a755e67c6f87d1233b3affa8be565a Change-Id: I73df8d442b361cb5ef4e343b4ea2a198a5b95da9
2017-08-04Merge "Adds environment file for ODL + SRIOV"Jenkins2-0/+32
2017-08-04Merge "Changing the default port-binding configuration"Jenkins3-2/+55
2017-08-03Update EventPipelinePublisher param description to include zaqarPradeep Kilambi1-0/+2
Since we now support zaqar:// publisher, Enhance the description to indicate how to set the zaqar publisher. Change-Id: Ib7eba98d199fade2346620672e33b74686d4685b
2017-08-03Merge "Make UpgradeLevelNovaCompute parameters consistent"Jenkins3-3/+2
2017-08-03Merge "Add environment for setting a custom domain name"Jenkins4-4/+54
2017-08-03Addition of Nuage as mechanism driver for ML2lokesh-jain6-7/+134
Adding composable services for Nuage mechanism driver for ML2. This is separate from Nuage as the core plugin and intentional duplication of Nuage under puppet services. Parameters required for working of Nuage as mechanism driver are also added. Change-Id: I2b564610721152c4f4dab9da79442256ba8d0b33
2017-08-03Merge "Update capabilities map to match latest environments"Jenkins1-263/+239
2017-08-03Remove baremetal cron jobs on docker upgradeDan Prince4-0/+16
Change-Id: I072a3f582cdb978187d14233ea1ba636d12a1293 Closes-bug: #1708466
2017-08-03Merge "Make many networking parameters consistent"Jenkins39-77/+67
2017-08-03Stop and disable openstack-nova-compute service on compute nodesMarius Cornea1-0/+3
This change stops and disables the openstack-nova-compute service on the compute nodes during the upgrade to the containers architecture. Closes-bug: 1708371 Change-Id: I9ca909d4e91d0a0e4de15572f727f959d9185c64
2017-08-03Merge "Fix CA file bind mounting in containers"Jenkins1-1/+5
2017-08-03Merge "Render isolated network templates using jinja2"Jenkins7-17/+337
2017-08-03Merge "Make RoleParameters and key_name descriptions consistent"Jenkins12-12/+12
2017-08-03Merge "Set redis password hiera value in compute agent"Jenkins1-0/+5