Age | Commit message (Collapse) | Author | Files | Lines |
|
This de-couples public TLS from controllers to now run wherever HAProxy
is deployed.
Partially-Implements: blueprint composable-networks
Change-Id: I9e84a25a363899acf103015527787bdd8248949f
|
|
Change-Id: I21fee832aeeb9780f818ae869ea8714f28bbe4a0
Closes-bug: #1704853
|
|
Master is now the development branch for pike
changing the release alias name.
Change-Id: I938e4a983e361aefcaa0bd9a4226c296c5823127
|
|
|
|
Convert NetApp Cinder back end to support composable roles via new
"CinderBackendNetApp" service.
Closes-Bug: #1680568
Change-Id: Ia3a78a48c32997c9d3cbe1629c2043cfc5249e1c
|
|
Following change I1393d65ffb20b1396ff068def237418958ed3289 the ctlplane
network will be 192.168.24 by default and not 192.0.2 anymore.
This change removes old references left to 192.0.2 network from the
overcloud templates.
Change-Id: I1986721d339887741038b6cd050a46171a4d8022
|
|
The agent configuration was lost in newton during the puppet-tripleo and
THT role conversion. This change adds support for including the bigswitch
agent service for composable roles.
Change-Id: I46896389e48cdbe2864bf5b609a786f1c84ef908
Closes-Bug: #1673126
|
|
The new hiera hook in I21639f6aadabf9e49f40d1bb0b1d0edcfc4dbc5e
was added to most of the tripleo-heat-templates in
Ibe7e2044e200e2c947223286fdf4fd5bcf98c2e1
The new hook is installed by default if you use tripleo-common
Ia1864933235152b7e899c4442534879f8e22240d and will be installed
as part of the Newton to Ocata upgrades workflow in
I0c7a32194c0069b63a501a913c17907b47c9cc16
In order to use the new hiera data as part of the upgrade we
need to remove the old hieradata which will break anyone still
defining and using it. This change updates the remaining vendor
plugin manifests to use the new hiera hook. The pre-requisite
is that the new hook is installed on their overcloud (as above
it comes if you follow the N..O upgrade)
Change-Id: Ic95154734cb21e6b941c7f1569295b413963831d
|
|
|
|
In current setup some Contrail services belong to the wrong roles.
The Contrail control plane can be impacted if the Analytics database has
problems.
Change-Id: I0d57a2324c38b5b20cc687c6217a7a364941f7e6
Depends-On: Id0dd35b95c5fe9d0fcc1e16c4b7d6cc601f10818
Closes-Bug: #1659560
|
|
|
|
Updated the heat templates for Cinder Dell EMC PS Series backend
to use composable services and rebranding of EQLX to Dell EMC PS Series
Closes-Bug: #1661313
Change-Id: Id9d6f172f3f79a31788b26c7776d738fda5a30fa
|
|
Updated the heat templates for Cinder Dell EMC Storage Center
Backend to use composable services
Closes-Bug: #1661314
Change-Id: I454549c45da7388f0e42975c9f4637dde9ec51e3
|
|
|
|
Heat now supports release name aliases, so we can replace
the inconsistent mix of date related versions with one consistent
version that aligns with the supported version of heat for this
t-h-t branch.
This should also help new users who sometimes copy/paste old templates
and discover intrinsic functions in the t-h-t docs don't work because
their template version is too old.
Change-Id: Ib415e7290fea27447460baa280291492df197e54
|
|
In the freeipa-enroll.yaml, it can be the case that the node has been
enrolled (via a cloud-init script); in this case, the OTP and the
FreeIPA server are optional. However, we still need to get a kerberos
ticket, which is the last step of this script, since this ticket is what
certmonger will use to request the certificates in subsequent steps.
Change-Id: I7e9d6a747cdcbe81c9a74a17db5e91aa9d459f65
|
|
This is based on previous work [1] and it's what I've been using to
test the TLS-everywhere work.
This introduces a template that will run on every node to enroll
them to FreeIPA and acquire a ticket (authenticate) in order to be
able to request certificates.
Enrollment is done via the ipa-client-install command and it does
the following:
* Get FreeIPA's CA certificate and trust it.
* Authenticate to FreeIPA using an OTP and get a kerberos keytab.
* Set up several configurations that are needed for FreeIPA (sssd,
kerberos, certmonger)
The keytab is then used to authenticate and get an actual TGT
(Ticket-Granting-Ticket) from Kerberos
The previous implementation used a PreConfig hook, however, here it
was modified to use NodeTLSCAData. This has the advantage that it
runs on every node as opposed to the PreConfig hook where we had to
specify the role type so it's a usability improvement. And, on the
other hand, this does set up necessary things for the usage of
FreeIPA as a CA, such as getting the certificate and enrolling to the
CA.
[1] https://github.com/JAORMX/freeipa-tripleo-incubator
bp tls-via-certmonger
Change-Id: Iac94b3b047dca1bcabd464ea8eed6f1220c844f1
|
|
Change-Id: I965f0ec21075cd540de061ec96a52dd919762368
Closes-Bug: #1636542
Signed-off-by: krogon-intel <kamil.rogon@intel.com>
|
|
|
|
When updating a certificate for HAProxy, we only do a reload of the
configuration on non-HA setups. This means that if we try the same in
an HA setup, the cloud will still serve the old certificate and that
leads to several issues, such as serving a revoked or even a
compromised certificate for some time, or just SSL issues that the
certificate doesn't match. This enables a reload for HA cases too.
Change-Id: Ib8ca2fe91be345ef4324fc8265c45df8108add7a
Closes-Bug: #1629886
|
|
This patch deprecates netapp_eseries_host_type in favor of netapp_host_type.
Change-Id: I113c770ca2e4dc54526d4262bacae48e223c54f4
Closes-Bug: 1579161
|
|
This issue was spotted during major upgrade where we had calls like
this:
servers: {get_param: servers, Controller}
These get_param calls are hanging indefinitely and make the whole
upgrade end in a timeout. We need to put brackets around the get_param
function when there are multiple arguments:
http://docs.openstack.org/developer/heat/template_guide/hot_spec.html#get-param
This is already done in most of the tree, and the few places where this
was not happening were parts not under CI. After this change the
following grep returns only one false positive:
grep -ir get_param: |grep -v -- '\[' |grep ','
Change-Id: I65b23bb44f37b93e017dd15a5212939ffac76614
Closes-Bug: #1626628
|
|
|
|
This adjusts the interface to OS::TripleO::AllNodesExtraConfig so
it supports custom/composable/optional roles.
Note this does break backwards compatibility, and I can't see any way
to avoid that. I've converted the in-tree templates, and we'll have
to document carefully and or provide a script (or automated conversion
via mistral perhaps?) to allow folks to easily adjust any out of tree
templates to the new format.
Basically you just have to:
1. Remove all the *_servers parameters, replace with one "servers"
json parameter
2. Replace references to e.g "controller_servers" with "servers, Controller"
which does a path-based lookup into the json map provided by overcloud.yaml
Change-Id: I5eebf853646b2f6300d6b542fcd4f43e82d3b413
Partially-Implements: blueprint custom-roles
|
|
This is setting sane defaults for vnc_api_lib.ini as requested from the
field. The settings still can be overriden using NovaComputeExtraConfig
if needed.
Change-Id: I6a823c0b34f6ea21aa16939577ac0e1563483557
Closes-Bug: #1620647
|
|
Since https://review.openstack.org/#/c/315616 this is no longer
required.
Change-Id: I0452d1577a25d19b4351bfe7830a6c7bbe485e67
|
|
Change-Id: I1921115cb6218c7554348636c404245c79937673
Depends-On: I7ac096feb9f5655003becd79d2eea355a047c90b
Depends-On: I871ef420700e6d0ee5c1e444e019d58b3a9a45a6
|
|
|
|
|
|
Creates pool in Ceph for Cinder backups and
adds proper access permissions.
To be used with https://review.openstack.org/#/c/311218
Change-Id: Ibf84f78aff92dbd83c6e254ceb7a80e86c15036d
|
|
This patch drops the extraconfig interface in favor
of using the composable services nested stack instead.
The benefit is that it is easier to enable multiple services
(like network and storage backends at the same time) and all
of the opencontrail settings get to live in the same file.
Partially-implements: blueprint composable-services-within-roles
Change-Id: I0edbd86a8c981bd6e8a547cd2a6ebed18ecdbb31
|
|
This patch drops the extraconfig interface in favor
of using the composable services nested stack instead.
The benefit is that it is easier to enable multiple services
(like network and storage backends at the same time) and all
of the nuage settings get to live in the same file.
Partially-implements: blueprint composable-services-within-roles
Change-Id: I15fe14e9d6881bc408eb6bb10d9293bd914ef858
|
|
This patch drops the extraconfig interface in favor
of using the composable services nested stack instead.
The benefit is that it is easier to enable multiple services
(like network and storage backends at the same time) and all
of the plumgrid settings get to live in the same file.
Partially-implements: blueprint composable-services-within-roles
Change-Id: I1c5827e3650a29f7a0258531f84ae0f50f22343d
|
|
These stacks effectively do nothing. So better replace them with
the None resource.
Change-Id: If1fc759ca7f03f66229c27560cc4b8e10baa0f11
|
|
Uses a shared cinder-base resource to do the database
and messaging configuration for all three services.
Depends-On: I3c6d5226eed5f0f852b0ad9476c7cd9a959fda69
Change-Id: I47c5fd190efca5f02e73fd22aba6cda573daf5cc
|
|
In puppet-tripleo, we split loadbalancer.pp in 2 classes to be more
composable: haproxy & keepalived.
This patch is just updating all hiera parameters related to HAproxy &
keepalived.
Depends-On: I46ed8348dc990d9aa0d896e1abea3b30a8292634
Change-Id: Ibf56184cd10af1d0dcae773c02b0f31a6204badf
|
|
The ceph_keyring value is expected to be a full path
to the keyring. But we currently only pass in
client.<cephuser>. This patch fixes the value
to be full path.
Closes-Bug: #1586010
Change-Id: I5666c44bb35b6ae109c68506704eff776f5dceda
|
|
|
|
* Deploy Gnocchi API.
* Storage backends: swift, rbd and file.
* Indexer backend default to mysql
* Configure Ceilometer to send metrics datas to Gnocchi
* Pacemaker config
Depends-On: Ic8778a3104e0ed0460423e4bf857682220dc5802
Depends-On: I7d2eb9405e0171fc54fa0b616122f69db5f51ce2
Co-Authored-By: Pradeep Kilambi <pkilambi@redhat.com>
Change-Id: Ifde17b1ab8fa2b30544633e455e1c7eb475705aa
|
|
This was accidentally dropped from
Id5ed05b3a20d06af8ae7a3d6f859b03399b0d77d but we should handle the
non-pacemaker case as well.
Change-Id: Ia06746f9c536159cd7b62259e450b3dec331cdb0
|
|
Enable PLUMgrid neutron liberty plugin in a TripleO overcloud environment.
Change-Id: I07025f67ec3f3399aac4dcd10cc37e857772548b
Signed-off-by: Qasim Sarfraz <qasims@plumgrid.com>
|
|
|
|
To deploy Ceph on IPv6, we need to enable ms_bind_ipv6 in addition
to passing the list of MON IPs in brackets.
Change-Id: I3644b8fc06458e68574afa5573f07442f0a09190
|
|
Multiple files in t-h-t were having small typos.
Fixed in this patchset.
.
Change-Id: I82d7071747f47544990ed46e2be22931190406b3
|
|
Fixed the heat_template_version of these YAML files to the liberty
release version according to HOT template specs.
Change-Id: Ic5e0d843f7e164c59fb1737e52ef4cf6ad4df77f
|
|
Due to fix: https://bugs.launchpad.net/networking-cisco/+bug/1469839,
the replay count parameter is no longer used. This needs to be
reflected in the Triple O templates.
Change-Id: I666c4394108287adcb4989e897ab3936667a602b
Closes-bug: #1551387
|
|
|
|
This change adds extra config yaml files for big switch agent
and big switch lldp.
This change is mainly for compute nodes. The changes related
to controller nodes are landed at e78e1c8d9b5a7ebf327987b22091bff3ed42d1c1
This change also removes the neutron_enable_bigswitch_ml2 flag. Instead,
User needs to specify NeutronMechanismDrivers: bsn_ml2 in environment file.
Previous discussion about this change can be found at an abandoned
review request https://review.openstack.org/#/c/271940/
Depends-On: Iefcfe698691234490504b6747ced7bb9147118de
Change-Id: I81341a4b123dc4a8312a9a00f4b663c7cca63d7c
|
|
|
|
Currently the permissions for the CA file that is injected (if the
environment is set), doesn't permit users that don't belong to the group
that owns the file to read it. This is too restrictive and isn't
necessary, as the certificate should be public.
This is useful in the case where we want a service that can't read the
certificate chain (or bundle) to be able to read that CA certificate.
This is the case for the MariaDB version that is being used in CentOS
7.1 for example.
Change-Id: I6ff59326a5570670c031b448fb0ffd8dfbd8b025
|