aboutsummaryrefslogtreecommitdiffstats
path: root/puppet/controller.yaml
AgeCommit message (Collapse)AuthorFilesLines
2015-12-03Merge "Minor fixes to TLS related resources"Jenkins1-1/+1
2015-12-03Merge "Introduce domain configuration through parameter"Jenkins1-1/+8
2015-12-02Merge "Make enabling of controller services configurable."Jenkins1-0/+24
2015-12-02Introduce domain configuration through parameterJuan Antonio Osorio Robles1-1/+8
Introduce configuration of the nodes' domains through a parameter. Change-Id: Ie012f9f2a402b0333bebecb5b59565c26a654297
2015-11-30Changes for configuring NuageLokesh Jain1-0/+1
Added ExtraConfig templates and environment files for Nuage specific parameters. Modified overcloud_compute.pp and overcloud_controller.pp to conditionally include Nuage plugin and agents. Change-Id: I95510c753b0a262c73566481f9e94279970f4a4f
2015-11-26Merge "Make load balancer deployment optional via template param"Jenkins1-0/+6
2015-11-26Minor fixes to TLS related resourcesJuan Antonio Osorio Robles1-1/+1
* Fixed a comment to avoid ambiguity with concepts in Heat * Removed default values from necessary parameters in the TLS environment * Simplified setting of the cert/key into a file. Change-Id: I351778150a6fbf7affe1a0fddb1abb9869324dfc
2015-11-25Make enabling of controller services configurable.vinayrao1231-0/+24
Following parameters will be user configurable: 1. enable_dhcp_agent 2. enable_metadta_agent 3. enable_l3_agent 4. enable_ovs_agent This change was made as the Nuage plugin does not require these services to come up as a part of the installation. Now, a user can explicitly disable these services using a heat template. Change-Id: Ic132ecbb2e81a3746f304da1cecdc66d0342db72
2015-11-25Merge "Output the SSL Certificate and Key modulus"Jenkins1-0/+6
2015-11-25Merge "Enable trust anchor injection"Jenkins1-2/+10
2015-11-25Merge "Inject TLS certificate and keys for the Overcloud"Jenkins1-14/+18
2015-11-25Output the SSL Certificate and Key modulusMark Chappell1-0/+6
Provides a simple mechanism to verify the correct certificates landed. A quick and simple way to verify SSL certificates were generated for a given key is by comparing the modulus of the two. By outputing the key modulus and certificate modulus we offer a way to verify that the right cert and key have been deployed without compromising any of the secrets. Change-Id: I882c9840719a09795ba8057a19b0b3985e036c3c
2015-11-25Enable trust anchor injectionJuan Antonio Osorio Robles1-2/+10
This commit enables the injection of a trust anchor or root certificate into every node in the overcloud. This is in case that the TLS certificates for the controllers are signed with a self-signed CA or if the deployer would like to inject a relevant root certificate for other purposes. In this case the other nodes might need to have the root certificate in their trust chain in order to do proper validation Change-Id: Ia45180fe0bb979cf12d19f039dbfd22e26fb4856
2015-11-24Make load balancer deployment optional via template paramGiulio Fidente1-0/+6
Adds control over the load balancer deployment via template param. Change-Id: I5625083ff323a87712a5fd3f9a64dd66d2838468
2015-11-23Merge "Implement Advanced Firewalling support"Jenkins1-0/+13
2015-11-23Inject TLS certificate and keys for the OvercloudJuan Antonio Osorio Robles1-14/+18
This is a first implementation of adding TLS termination to the load balancer in the controllers. The implementation was made so that the appropriate certificate/private key in PEM format is copied to the appropriate controller(s) via a software deployment resource. And the path is then referenced on the HAProxy configuration, but this part was left commented out because we need to be able to configure the keystone endpoints in order for this to work properly. Change-Id: I0ba8e38d75a0c628d8132a66dc25a30fc5183c79
2015-11-20Allows for customization of NetworkDeployment actionsGiulio Fidente1-0/+6
We don't necessarily want the network configuration to be reapplied with every template update so we add a param to configure on which action the NetworkDeployment resource should be executed. Change-Id: I0e86318eb5521e540cc567ce9d77e1060086d48b Co-Authored-By: Dan Sneddon <dsneddon@redhat.com> Co-Authored-By: James Slagle <jslagle@redhat.com> Co-Authored-By: Jiri Stransky <jstransk@redhat.com> Co-Authored-By: Steven Hardy <shardy@redhat.com>
2015-11-19Implement Advanced Firewalling supportEmilien Macchi1-0/+13
Consume puppet-tripleo to create/manage IPtables from Heat templates. This review put in place the logic to enable and setup firewall rules. A known set of rules are applied. More to come. Change-Id: Ib79c23fb27fe3fc03bf223e6922d896cb33dad22 Co-Authored-By: Yanis Guenane <yguenane@redhat.com> Depends-On: I144c60db2a568a94dce5b51257f1d10980173325
2015-11-18Merge "Implement Neutron enable_isolated_metadata parameters"Jenkins1-0/+6
2015-11-17neutron: enable nova-event-callback by defaultEmilien Macchi1-0/+10
* Add NovaApiVirtualIP string parameter. * Compute nova_url and nova_admin_auth_url parameters. * Configure in Hiera neutron::server::notifications::* parameters. * non-ha: include ::neutron::server::notifications * ha: include ::neutron::server::notifications and create orchestration * Set vif_plugging_is_fatal to True so we actually fail if Neutron is not able to create the VIF during Nova server creation workflow. Depends-On: I21dc10396e92906eab4651c318aa2ee62a8e03c7 Change-Id: I02e41f87404e0030d488476680af2f6d45af94ff
2015-11-17Implement Neutron enable_isolated_metadata parametersCyril Lopez1-0/+6
* Use the parameter in Puppet configuration (Hiera) to configure neutron BZ-1273303 Change-Id: Ic5a7a1f13fd2bc800cadc3a78b1daadbc0394787 Signed-off-by: Cyril Lopez <cylopez@redhat.com>
2015-11-17Merge "Add support for enabling L2 population in Neutron"Jenkins1-0/+7
2015-11-16Add support for enabling L2 population in NeutronBrent Eagles1-0/+7
This change adds support for enabling/disabling L2 population in Neutron agents. It currently defaults to false. Change-Id: I3dd19feb4acb1046bc560b35e5a7a111364ea0d7
2015-11-13Merge "honor the rabbit user and password provided"Jenkins1-1/+3
2015-11-13Merge "Refacter Endpoints into EndpointMap"Jenkins1-63/+19
2015-11-12Enable Equallogic Backends in Cinderrajinir1-0/+1
Enables support for configuring Cinder with a Dell Equallogic storage backend. This change adds all relevant parameters for: - Equallogic PS-Series (iSCSI) Change-Id: Ia0f71863cfb12f2cdda43dcf707a9a7145963001
2015-11-11Merge "Allow a user to specify a comma separated list of ntp servers"Jenkins1-6/+3
2015-11-11Refacter Endpoints into EndpointMapMark Chappell1-63/+19
Because many of the service endpoints URLs use the same patterns for generating the URLs it makes sense to use the same templates to reduce the copy and paste. In the process also adds support for explicitly specifying hostnames for use in the endpoints. Note: DNS must be pre-configured. The Heat templates do not directly configure DNS. Change-Id: Ie3270909beca3d63f2d7e4bcb04c559380ddc54d Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
2015-11-10honor the rabbit user and password providedMike Burns1-1/+3
Currently rabbit username and password are defaulted and attempting to use anything else would result in a failure during deployment. Change-Id: I8a2e240a19f915309eee45ea3c3368d131af6c1b Related: rhbz#1261303
2015-11-04Revert "Manage keystone initialization directly in t-h-t manifests"Ben Nemec1-247/+2
This reverts commit 86d6c1ddc76bad423194e789ffb5474e4e12960e. This likely has an impact on upgrades, and since we don't have an upgrade CI job yet I'm concerned that we may have just broken ourselves. I would prefer to wait to merge this until the CI job is in place. Change-Id: Ib2366cb4b40471a28122f6e9955da9bdb31a53fb
2015-11-03Manage keystone initialization directly in t-h-t manifestsYanis Guenane1-2/+247
This is the second change of a servies of two, it creates the user, user_role, service and endpoint for: * glance * nova * neutron * cinder * horizon * swift * ceilometer * heat Change-Id: I50e792d98a2ba516ff498c58ad402f463c5f7e76
2015-11-03Create keystone roles and admin user from t-h-t manifestsYanis Guenane1-2/+31
Currently keystone initialization happens via os-cloud-config [1]. This commit moves some of that directly into the manifests. This is the first in a series of two changes to migrate it entirely into t-h-t. This change focus on implementing what keystone.initialize() was doing on the tripleoclient [2], creates the admin tenant, user and roles. It also creates the keystone endpoint itself. 1. https://github.com/openstack/os-cloud-config/blob/master/os_cloud_config/keystone.py#L128-L158 2. https://github.com/openstack/python-tripleoclient/blob/master/tripleoclient/v1/overcloud_deploy.py#L462-L527 Change-Id: I98555b707ff9b91c6e218de5dca68106ea05c8ea Depends-On: Ia4b3244f114dcff746ab89d355ad4933f8fdbddf
2015-11-02Merge "Support NFS backend for Glance (via Pacemaker)"Jenkins1-0/+32
2015-10-23Fix password issue with mysql address for ceilometerJuan Antonio Osorio Robles1-1/+3
The password was being passed incorrectly to the mysql address used for ceilometer. Change-Id: I36d92e199d6d75b58ef8c1b66a2dfbcb7052f948
2015-10-19Support NFS backend for Glance (via Pacemaker)Jiri Stransky1-0/+32
Adds support for NFS backend in Glance by allowing the storage directory for the 'file' backend to be a mount managed by Pacemaker. Default behavior is unchanged. Since the Pacemaker-related parameters are not exposed on top level, change storage-environment.yaml to use parameter_defaults instead of parameters. Depends on a Heat fix for environment file's parameter_defaults to work well with JSONs and comma delimited lists (see Depends-On). Change-Id: I6e7e2eaf6919b955650c0b32e1629a4067602c89 Depends-On: I85b13a79dbc97a77e20c0d5df8eaf05b3000815e
2015-10-16Merge "Allow a deployer to specify HAProxy syslog server address"Jenkins1-0/+6
2015-10-15Allow a user to specify a comma separated list of ntp serversYanis Guenane1-6/+3
This commits aims to allow a user to specify several ntp servers and not just one. Example: openstack overcloud deploy --templates --ntp-server 0.centos.pool.org,1.centos.pool.org Change-Id: I4925ef1cf1e565d789981e609c88a07b6e9b28de
2015-10-14Merge "Set shared secrets, keys and passwords as hidden"Jenkins1-0/+4
2015-10-13Merge "Parameterize RabbitMQ FD limit"Jenkins1-0/+13
2015-10-13Add more components virtual ip mapping into controller.Yanis Guenane1-0/+12
Currently only Glance and Heat have their virtual IP passed to the contrller directly. This commit adds the same feature for : * Ceilometer * Cinder * Nova * Swift Change-Id: I295d15d7a0aa33175a5530e3b155b0c61983b6ae
2015-10-13Parameterize RabbitMQ FD limitGiulio Fidente1-0/+13
Together with [1] this change permits to parameterize the file descriptor limit for RabbitMQ for both the Systemd startup script and the Pacemaker resource agent. 1. https://github.com/puppetlabs/puppetlabs-rabbitmq/commit/20325325b977c508b151ef8036107dcfefdf990b Closes-Bug: 1474586 Change-Id: I62d31e483641ccb5cf489df81146ecb31d0c423f
2015-10-13Allow a deployer to specify HAProxy syslog server addressYanis Guenane1-0/+6
This commit aims to allow a deployer to specify where to send haproxy's logs. It is backward compatible with what is already in place and send the logs to the UNIX socket /dev/log The value specified here will be written in the haproxy.cfg file with the following behavior HAProxySyslogAddress: 127.0.0.1 -> log 127.0.0.1 local0 HAProxySyslogAddress: ::1 -> log ::1 local0 HAProxySyslogAddress: /dev/log -> log /dev/log local0 (default) Change-Id: I46c489a1f424e2219d129f332e64c64019aef850 Depends-On: If7f7c8154e544e5d8a49f79f642e1ad01644a66d
2015-10-12Set shared secrets, keys and passwords as hiddenJuan Antonio Osorio Robles1-0/+4
Change-Id: Ieb27729c6b33ffc849d07200ec0d42508214956e Closes-Bug: #1399793
2015-10-12Allow one to specify horizon ALLOWED_HOSTSYanis Guenane1-0/+6
If horizon is running in production (DEBUG is False), it will answer only to the IPs/hostnames specified in the ALLOWED_HOSTS variable in the local_settings.py configuration file. The puppet-horizon module offer the feature to customize that, tripleo-heat-teamplates was missing the link between the top-level parameter and the puppet parameter, hence this commit. More info : * https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts * https://github.com/openstack/puppet-horizon/blob/master/templates/local_settings.py.erb#L14-L24 Change-Id: I5faede8b74a0318e15baa761dc502b95b051ae0d
2015-10-09Merge "Wire in NodeExtraConfig interface"Jenkins1-0/+8
2015-10-08Ensure Glance API reaches Registry using the service VIPGiulio Fidente1-2/+6
Previously the Registry service was reached using the local IP. Change-Id: I8f2b7275cd39d8a5358d8ce69f4f7e5bc7758b62
2015-10-07Merge "Enable Cisco N1KV driver"Jenkins1-0/+1
2015-10-01Wire in NodeExtraConfig interfaceSteven Hardy1-0/+8
It's become apparent that some actions are required in the pre-deploy phase for all nodes, for example applying common hieradata overrides, or also as a place to hook in logic which must happen for all nodes prior to their removal on scale down (such as unregistration from a satellite server, which currently doesn't work via the *NodesPostDeployment for scale-down usage). So, add a new interface that enables ExtraConfig per-node (inside the scaled unit, vs AllNodes which is used for the cluster-wide config outside of the ResourceGroup) Change-Id: Ic865908e97483753e58bc18e360ebe50557ab93c
2015-10-01Ensure present/latest for puppet driven package updatesSteve Baker1-3/+6
This change updates yum_update.sh so that we set set a boolean output when "managed" packages should get updated. The output is named 'update_managed_packages' and for the puppet implementation it is wired up so that it directly sets tripleo::packages::enable_upgrade to control whether packages are updated. It also modifies yum_update.sh to build a yum update excludes list for packages managed by puppet. The exclude lists are being generated via puppet-tripleo as well via the new 'write_package_names' function that is now wired into all the role manifests. This change does not actually trigger the puppet apply. The fix for Related-Bug: #1463092 will be used to trigger the puppet run when the hiera changes. As a minor tweak to this logic we append the UpdateIdentifier to the config_identifier so that we ensure puppet gets executed on an update where other (non-related) hiera changes also occur. Co-Authored-By: Dan Prince <dprince@redhat.com> Change-Id: I343c3959517eae38bbcd43648ed56f610272864d
2015-09-30Enable Cisco N1KV driverShiva Prasad Rao1-0/+1
This enables support for the Cisco N1kv driver for the ML2 plugin. It also configures the Nexus 1000v switch. Co-Authored-By: Steven Hillman <sthillma@cisco.com> Depends-On: I02dda0685c7df9013693db5eeacb2f47745d05b5 Depends-On: I3f14cdce9b9bf278aa9b107b2d313e1e82a20709 Change-Id: Idf23ed11a53509c00aa5fea4c87a515f42ad744f