path: root/puppet/extraconfig
Age | Commit message | Author | Files | Lines
2017-08-11 | Move HAProxy's public TLS logic from controller to service template | Juan Antonio Osorio Robles | 1 | -0/+1
This de-couples public TLS from controllers to now run wherever HAProxy is deployed. Partially-Implements: blueprint composable-networks Change-Id: I9e84a25a363899acf103015527787bdd8248949f
2017-07-24 | Modifying Cisco templates to support composable roles | Sandhya Dasu | 1 | -50/+14
Change-Id: I21fee832aeeb9780f818ae869ea8714f28bbe4a0 Closes-bug: #1704853
2017-05-19 | Update the template_version alias for all the templates to pike. | Carlos Camacho | 12 | -12/+12
Master is now the development branch for pike changing the release alias name. Change-Id: I938e4a983e361aefcaa0bd9a4226c296c5823127
2017-04-12 | Merge "Add composable role support for NetApp Cinder back end" | Jenkins | 1 | -157/+0
2017-04-10 | Add composable role support for NetApp Cinder back end | Alan Bishop | 1 | -157/+0
Convert NetApp Cinder back end to support composable roles via new "CinderBackendNetApp" service. Closes-Bug: #1680568 Change-Id: Ia3a78a48c32997c9d3cbe1629c2043cfc5249e1c
2017-04-10 | Replace references to the 192.0.2 network | Giulio Fidente | 1 | -2/+2
Following change I1393d65ffb20b1396ff068def237418958ed3289 the ctlplane network will be 192.168.24 by default and not 192.0.2 anymore. This change removes old references left to 192.0.2 network from the overcloud templates. Change-Id: I1986721d339887741038b6cd050a46171a4d8022
2017-03-17 | Re-Add bigswitch agent support | Alex Schultz | 2 | -0/+21
The agent configuration was lost in newton during the puppet-tripleo and THT role conversion. This change adds support for including the bigswitch agent service for composable roles. Change-Id: I46896389e48cdbe2864bf5b609a786f1c84ef908 Closes-Bug: #1673126
2017-03-06 | Use the new hiera hook in all remaining templates | marios | 7 | -160/+153
The new hiera hook in I21639f6aadabf9e49f40d1bb0b1d0edcfc4dbc5e was added to most of the tripleo-heat-templates in Ibe7e2044e200e2c947223286fdf4fd5bcf98c2e1 The new hook is installed by default if you use tripleo-common Ia1864933235152b7e899c4442534879f8e22240d and will be installed as part of the Newton to Ocata upgrades workflow in I0c7a32194c0069b63a501a913c17907b47c9cc16 In order to use the new hiera data as part of the upgrade we need to remove the old hieradata which will break anyone still defining and using it. This change updates the remaining vendor plugin manifests to use the new hiera hook. The pre-requisite is that the new hook is installed on their overcloud (as above it comes if you follow the N..O upgrade) Change-Id: Ic95154734cb21e6b941c7f1569295b413963831d
2017-02-09 | Merge "Re-organizes Contrail services to the correct roles" | Jenkins | 1 | -59/+0
2017-02-08 | Re-organizes Contrail services to the correct roles | Michael Henkel | 1 | -59/+0
In current setup some Contrail services belong to the wrong roles. The Contrail control plane can be impacted if the Analytics database has problems. Change-Id: I0d57a2324c38b5b20cc687c6217a7a364941f7e6 Depends-On: Id0dd35b95c5fe9d0fcc1e16c4b7d6cc601f10818 Closes-Bug: #1659560
2017-02-08 | Merge "Composable service support for Cinder Dell EMC Storage Center" | Jenkins | 1 | -87/+0
2017-02-07 | Composable services support for Cinder Dell EMC PS Series | rajinir | 1 | -86/+0
Updated the heat templates for Cinder Dell EMC PS Series backend to use composable services and rebranding of EQLX to Dell EMC PS Series Closes-Bug: #1661313 Change-Id: Id9d6f172f3f79a31788b26c7776d738fda5a30fa
2017-02-03 | Composable service support for Cinder Dell EMC Storage Center | rajinir | 1 | -87/+0
Updated the heat templates for Cinder Dell EMC Storage Center Backend to use composable services Closes-Bug: #1661314 Change-Id: I454549c45da7388f0e42975c9f4637dde9ec51e3
2017-02-02 | Merge "Temporary UCSM mapping files should be opened with write mode" | Jenkins | 1 | -2/+6
2016-12-23 | Bump template version for all templates to "ocata" | Steven Hardy | 16 | -16/+16
Heat now supports release name aliases, so we can replace the inconsistent mix of date related versions with one consistent version that aligns with the supported version of heat for this t-h-t branch. This should also help new users who sometimes copy/paste old templates and discover intrinsic functions in the t-h-t docs don't work because their template version is too old. Change-Id: Ib415e7290fea27447460baa280291492df197e54
2016-12-20 | FreeIPA: Make OTP and FreeIPA server parameters optional | Juan Antonio Osorio Robles | 1 | -5/+16
In the freeipa-enroll.yaml, it can be the case that the node has been enrolled (via a cloud-init script); in this case, the OTP and the FreeIPA server are optional. However, we still need to get a kerberos ticket, which is the last step of this script, since this ticket is what certmonger will use to request the certificates in subsequent steps. Change-Id: I7e9d6a747cdcbe81c9a74a17db5e91aa9d459f65
2016-12-09 | Add FreeIPA enrollment template | Juan Antonio Osorio Robles | 1 | -0/+72
This is based on previous work [1] and it's what I've been using to test the TLS-everywhere work.
This introduces a template that will run on every node to enroll them to FreeIPA and acquire a ticket (authenticate) in order to be able to request certificates.
Enrollment is done via the ipa-client-install command and it does the following:
* Get FreeIPA's CA certificate and trust it.
* Authenticate to FreeIPA using an OTP and get a kerberos keytab.
* Set up several configurations that are needed for FreeIPA (sssd, kerberos, certmonger)
The keytab is then used to authenticate and get an actual TGT (Ticket-Granting-Ticket) from Kerberos
The previous implementation used a PreConfig hook, however, here it was modified to use NodeTLSCAData. This has the advantage that it runs on every node as opposed to the PreConfig hook where we had to specify the role type so it's a usability improvement. And, on the other hand, this does set up necessary things for the usage of FreeIPA as a CA, such as getting the certificate and enrolling to the CA.
[1] https://github.com/JAORMX/freeipa-tripleo-incubator
bp tls-via-certmonger
Change-Id: Iac94b3b047dca1bcabd464ea8eed6f1220c844f1
2016-11-08 | Temporary UCSM mapping files should be opened with write mode | krogon-intel | 1 | -2/+6
Change-Id: I965f0ec21075cd540de061ec96a52dd919762368 Closes-Bug: #1636542 Signed-off-by: krogon-intel <kamil.rogon@intel.com>
2016-10-04 | Merge "Use netapp_host_type instead of netapp_eseries_host_type" | Jenkins | 1 | -4/+14
2016-10-03 | reload HAProxy config in HA setups when certificate is updated | Juan Antonio Osorio Robles | 1 | -4/+2
When updating a certificate for HAProxy, we only do a reload of the configuration on non-HA setups. This means that if we try the same in an HA setup, the cloud will still serve the old certificate and that leads to several issues, such as serving a revoked or even a compromised certificate for some time, or just SSL issues that the certificate doesn't match. This enables a reload for HA cases too. Change-Id: Ib8ca2fe91be345ef4324fc8265c45df8108add7a Closes-Bug: #1629886
2016-09-29 | Use netapp_host_type instead of netapp_eseries_host_type | Giulio Fidente | 1 | -4/+14
This patch deprecates netapp_eseries_host_type in favor of netapp_host_type. Change-Id: I113c770ca2e4dc54526d4262bacae48e223c54f4 Closes-Bug: 1579161
2016-09-25 | get_param calls with multiple arguments need brackets around them | Michele Baldessari | 2 | -8/+8
This issue was spotted during major upgrade where we had calls like this:
  servers: {get_param: servers, Controller}
These get_param calls are hanging indefinitely and make the whole upgrade end in a timeout. We need to put brackets around the get_param function when there are multiple arguments: http://docs.openstack.org/developer/heat/template_guide/hot_spec.html#get-param
This is already done in most of the tree, and the few places where this was not happening were parts not under CI. After this change the following grep returns only one false positive:
  grep -ir get_param: |grep -v -- '\[' |grep ','
Change-Id: I65b23bb44f37b93e017dd15a5212939ffac76614
Closes-Bug: #1626628
2016-09-17 | Merge "Convert AllNodesExtraConfig to support composable roles" | Jenkins | 2 | -28/+12
2016-09-16 | Convert AllNodesExtraConfig to support composable roles | Steven Hardy | 2 | -28/+12
This adjusts the interface to OS::TripleO::AllNodesExtraConfig so it supports custom/composable/optional roles.
Note this does break backwards compatibility, and I can't see any way to avoid that. I've converted the in-tree templates, and we'll have to document carefully and or provide a script (or automated conversion via mistral perhaps?) to allow folks to easily adjust any out of tree templates to the new format.
Basically you just have to:
1. Remove all the *_servers parameters, replace with one "servers" json parameter
2. Replace references to e.g "controller_servers" with "servers, Controller" which does a path-based lookup into the json map provided by overcloud.yaml
Change-Id: I5eebf853646b2f6300d6b542fcd4f43e82d3b413
Partially-Implements: blueprint custom-roles
2016-09-08 | Populate vnc_api_lib.ini on compute nodes with OpenContrail | Jiri Stransky | 1 | -0/+12
This is setting sane defaults for vnc_api_lib.ini as requested from the field. The settings still can be overridden using NovaComputeExtraConfig if needed. Change-Id: I6a823c0b34f6ea21aa16939577ac0e1563483557 Closes-Bug: #1620647
2016-07-05 | Remove config_identifier from all_nodes extraconfig examples | Steven Hardy | 2 | -16/+0
Since https://review.openstack.org/#/c/315616 this is no longer required. Change-Id: I0452d1577a25d19b4351bfe7830a6c7bbe485e67
2016-07-04 | Switch Ceph Monitor/OSD/Client/External to composable roles | Giulio Fidente | 1 | -120/+0
Change-Id: I1921115cb6218c7554348636c404245c79937673 Depends-On: I7ac096feb9f5655003becd79d2eea355a047c90b Depends-On: I871ef420700e6d0ee5c1e444e019d58b3a9a45a6
2016-06-23 | Merge "Drop extraconfig for neutron-opencontrail.yaml" | Jenkins | 1 | -62/+0
2016-06-23 | Merge "Drop extraconfig for neutron-nuage.yaml" | Jenkins | 1 | -91/+0
2016-06-20 | Create Cinder backup pool in Ceph | Boris Kreitchman | 1 | -1/+6
Creates pool in Ceph for Cinder backups and adds proper access permissions. To be used with https://review.openstack.org/#/c/311218 Change-Id: Ibf84f78aff92dbd83c6e254ceb7a80e86c15036d
2016-06-16 | Drop extraconfig for neutron-opencontrail.yaml | Dan Prince | 1 | -62/+0
This patch drops the extraconfig interface in favor of using the composable services nested stack instead. The benefit is that it is easier to enable multiple services (like network and storage backends at the same time) and all of the opencontrail settings get to live in the same file. Partially-implements: blueprint composable-services-within-roles Change-Id: I0edbd86a8c981bd6e8a547cd2a6ebed18ecdbb31
2016-06-16 | Drop extraconfig for neutron-nuage.yaml | Dan Prince | 1 | -91/+0
This patch drops the extraconfig interface in favor of using the composable services nested stack instead. The benefit is that it is easier to enable multiple services (like network and storage backends at the same time) and all of the nuage settings get to live in the same file. Partially-implements: blueprint composable-services-within-roles Change-Id: I15fe14e9d6881bc408eb6bb10d9293bd914ef858
2016-06-13 | Drop extraconfig for neutron-plumgrid.yaml | Dan Prince | 1 | -113/+0
This patch drops the extraconfig interface in favor of using the composable services nested stack instead. The benefit is that it is easier to enable multiple services (like network and storage backends at the same time) and all of the plumgrid settings get to live in the same file. Partially-implements: blueprint composable-services-within-roles Change-Id: I1c5827e3650a29f7a0258531f84ae0f50f22343d
2016-06-09 | Replace no-op TLS stacks with OS::Heat::None | Juan Antonio Osorio Robles | 2 | -51/+0
These stacks effectively do nothing. So better replace them with the None resource. Change-Id: If1fc759ca7f03f66229c27560cc4b8e10baa0f11
2016-06-02 | Switch Cinder Api/Scheduler/Volume to composable roles | Giulio Fidente | 4 | -5/+5
Uses a shared cinder-base resource to do the database and messaging configuration for all three services. Depends-On: I3c6d5226eed5f0f852b0ad9476c7cd9a959fda69 Change-Id: I47c5fd190efca5f02e73fd22aba6cda573daf5cc
2016-05-30 | loadbalancer: update hiera parameters for HAproxy/keepalived split | Emilien Macchi | 1 | -1/+1
In puppet-tripleo, we split loadbalancer.pp in 2 classes to be more composable: haproxy & keepalived. This patch is just updating all hiera parameters related to HAproxy & keepalived. Depends-On: I46ed8348dc990d9aa0d896e1abea3b30a8292634 Change-Id: Ibf56184cd10af1d0dcae773c02b0f31a6204badf
2016-05-26 | Fix ceph keyring setting for gnocchi | Pradeep Kilambi | 1 | -1/+3
The ceph_keyring value is expected to be a full path to the keyring. But we currently only pass in client.<cephuser>. This patch fixes the value to be full path. Closes-Bug: #1586010 Change-Id: I5666c44bb35b6ae109c68506704eff776f5dceda
2016-04-18 | Merge "Reload haproxy after injecting certs w/o pcmk too" | Jenkins | 1 | -0/+8
2016-04-11 | Deploy Gnocchi as a Ceilometer metrics storage backend | Pradeep Kilambi | 1 | -1/+13
* Deploy Gnocchi API.
* Storage backends: swift, rbd and file.
* Indexer backend default to mysql
* Configure Ceilometer to send metrics data to Gnocchi
* Pacemaker config
Depends-On: Ic8778a3104e0ed0460423e4bf857682220dc5802
Depends-On: I7d2eb9405e0171fc54fa0b616122f69db5f51ce2
Co-Authored-By: Pradeep Kilambi <pkilambi@redhat.com>
Change-Id: Ifde17b1ab8fa2b30544633e455e1c7eb475705aa
2016-04-05 | Reload haproxy after injecting certs w/o pcmk too | Ben Nemec | 1 | -0/+8
This was accidentally dropped from Id5ed05b3a20d06af8ae7a3d6f859b03399b0d77d but we should handle the non-pacemaker case as well. Change-Id: Ia06746f9c536159cd7b62259e450b3dec331cdb0
2016-03-18 | PLUMgrid Neutron integration | Qasim Sarfraz | 1 | -0/+113
Enable PLUMgrid neutron liberty plugin in a TripleO overcloud environment. Change-Id: I07025f67ec3f3399aac4dcd10cc37e857772548b Signed-off-by: Qasim Sarfraz <qasims@plumgrid.com>
2016-03-15 | Merge "Fix typos" | Jenkins | 2 | -3/+3
2016-03-10 | Support the deployment of Ceph over IPv6 | Giulio Fidente | 1 | -1/+7
To deploy Ceph on IPv6, we need to enable ms_bind_ipv6 in addition to passing the list of MON IPs in brackets. Change-Id: I3644b8fc06458e68574afa5573f07442f0a09190
2016-03-08 | Fix typos | Swapnil Kulkarni (coolsvap) | 2 | -3/+3
Multiple files in t-h-t were having small typos. Fixed in this patchset. Change-Id: I82d7071747f47544990ed46e2be22931190406b3
2016-03-03 | Updated the heat_template_version | rajinir | 2 | -2/+2
Fixed the heat_template_version of these YAML files to the liberty release version according to HOT template specs. Change-Id: Ic5e0d843f7e164c59fb1737e52ef4cf6ad4df77f
2016-02-29 | Cisco nexus config template - obsolete parameter (replay count). | Leon Zachery | 1 | -2/+9
Due to fix: https://bugs.launchpad.net/networking-cisco/+bug/1469839, the replay count parameter is no longer used. This needs to be reflected in the Triple O templates. Change-Id: I666c4394108287adcb4989e897ab3936667a602b Closes-bug: #1551387
2016-02-29 | Merge "OpenContrail heat templates" | Jenkins | 2 | -0/+109
2016-02-22 | Add extra config yaml files for big switch agents. | xinwu | 2 | -1/+45
This change adds extra config yaml files for big switch agent and big switch lldp. This change is mainly for compute nodes. The changes related to controller nodes are landed at e78e1c8d9b5a7ebf327987b22091bff3ed42d1c1 This change also removes the neutron_enable_bigswitch_ml2 flag. Instead, User needs to specify NeutronMechanismDrivers: bsn_ml2 in environment file. Previous discussion about this change can be found at an abandoned review request https://review.openstack.org/#/c/271940/ Depends-On: Iefcfe698691234490504b6747ced7bb9147118de Change-Id: I81341a4b123dc4a8312a9a00f4b663c7cca63d7c
2016-02-18 | Merge "Make injected CA file readable by others" | Jenkins | 1 | -1/+1
2016-02-17 | Make injected CA file readable by others | Juan Antonio Osorio Robles | 1 | -1/+1
Currently the permissions for the CA file that is injected (if the environment is set) don't permit users that don't belong to the group that owns the file to read it. This is too restrictive and isn't necessary, as the certificate should be public. This is useful in the case where we want a service that can't read the certificate chain (or bundle) to be able to read that CA certificate. This is the case for the MariaDB version that is being used in CentOS 7.1 for example. Change-Id: I6ff59326a5570670c031b448fb0ffd8dfbd8b025