Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
Heat now supports release name aliases, so we can replace
the inconsistent mix of date related versions with one consistent
version that aligns with the supported version of heat for this
t-h-t branch.
This should also help new users who sometimes copy/paste old templates
and discover intrinsic functions in the t-h-t docs don't work because
their template version is too old.
Change-Id: Ib415e7290fea27447460baa280291492df197e54
|
|
In the freeipa-enroll.yaml, it can be the case that the node has been
enrolled (via a cloud-init script); in this case, the OTP and the
FreeIPA server are optional. However, we still need to get a kerberos
ticket, which is the last step of this script, since this ticket is what
certmonger will use to request the certificates in subsequent steps.
Change-Id: I7e9d6a747cdcbe81c9a74a17db5e91aa9d459f65
|
|
This is based on previous work [1] and it's what I've been using to
test the TLS-everywhere work.
This introduces a template that will run on every node to enroll
them to FreeIPA and acquire a ticket (authenticate) in order to be
able to request certificates.
Enrollment is done via the ipa-client-install command and it does
the following:
* Get FreeIPA's CA certificate and trust it.
* Authenticate to FreeIPA using an OTP and get a kerberos keytab.
* Set up several configurations that are needed for FreeIPA (sssd,
kerberos, certmonger)
The keytab is then used to authenticate and get an actual TGT
(Ticket-Granting-Ticket) from Kerberos
The previous implementation used a PreConfig hook; however, here it
was modified to use NodeTLSCAData. This has the advantage that it
runs on every node as opposed to the PreConfig hook where we had to
specify the role type so it's a usability improvement. And, on the
other hand, this does set up necessary things for the usage of
FreeIPA as a CA, such as getting the certificate and enrolling to the
CA.
[1] https://github.com/JAORMX/freeipa-tripleo-incubator
bp tls-via-certmonger
Change-Id: Iac94b3b047dca1bcabd464ea8eed6f1220c844f1
|
|
Change-Id: I965f0ec21075cd540de061ec96a52dd919762368
Closes-Bug: #1636542
Signed-off-by: krogon-intel <kamil.rogon@intel.com>
|
|
|
|
When updating a certificate for HAProxy, we only do a reload of the
configuration on non-HA setups. This means that if we try the same in
an HA setup, the cloud will still serve the old certificate and that
leads to several issues, such as serving a revoked or even a
compromised certificate for some time, or just SSL issues that the
certificate doesn't match. This enables a reload for HA cases too.
Change-Id: Ib8ca2fe91be345ef4324fc8265c45df8108add7a
Closes-Bug: #1629886
|
|
This patch deprecates netapp_eseries_host_type in favor of netapp_host_type.
Change-Id: I113c770ca2e4dc54526d4262bacae48e223c54f4
Closes-Bug: 1579161
|
|
This issue was spotted during major upgrade where we had calls like
this:
servers: {get_param: servers, Controller}
These get_param calls are hanging indefinitely and make the whole
upgrade end in a timeout. We need to put brackets around the get_param
function when there are multiple arguments:
http://docs.openstack.org/developer/heat/template_guide/hot_spec.html#get-param
This is already done in most of the tree, and the few places where this
was not happening were parts not under CI. After this change the
following grep returns only one false positive:
grep -ir get_param: |grep -v -- '\[' |grep ','
Change-Id: I65b23bb44f37b93e017dd15a5212939ffac76614
Closes-Bug: #1626628
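The commit message above relies on a one-line grep to find `get_param` calls with comma-separated arguments that are not wrapped in brackets. The following is an added example (not code from tripleo-heat-templates or from this commit): a small hypothetical checker that applies the same rule line by line, skips the valid forms the grep would trip over (block-sequence arguments, quoted scalars that happen to contain a comma, `get_param:` inside a string), and rewrites offending lines into the bracketed HOT form. The sample template is constructed for the example.

```python
"""Find and fix multi-argument get_param calls that lack brackets in HOT templates.

Hypothetical helper added for illustration; it is not part of tripleo-heat-templates.
"""
import re

# Constructed sample, not a real t-h-t file: one hanging call plus several valid forms.
SAMPLE_TEMPLATE = """\
resources:
  ControllerDeployment:
    properties:
      servers: {get_param: servers, Controller}
      input_values:
        ok_one: {get_param: [servers, Compute]}
        ok_block:
          get_param:
            - servers
            - Compute
        scalar: {get_param: ServerName}
        literal: {get_param: "a, b"}
        description: 'get_param: is a Heat function, not a lookup'
"""

# A get_param call opens a flow mapping ({get_param: ...}), is a block-mapping key at
# the start of a line, or is a list item; a get_param: inside a quoted string is ignored.
_CALL_RE = re.compile(r"(?:^\s*|\{\s*|-\s+)get_param:[ \t]*(.*)$")


def _find_bad_call(line):
    """Return (start, end) of an unbracketed multi-argument list on this line, else None."""
    m = _CALL_RE.search(line)
    if not m:
        return None
    raw = m.group(1).split("}", 1)[0]   # stop at the closing brace of a flow mapping
    arg = raw.strip()
    # Block form (arguments on following lines), an existing [..] sequence, a quoted
    # scalar, or a single argument are all fine.
    if not arg or arg[0] in "[\"'" or "," not in arg:
        return None
    start = m.start(1)
    return start, start + len(arg)


def unbracketed_multi_args(template):
    """Return (line_no, stripped_line) for every get_param call that would hang in Heat."""
    findings = []
    for no, line in enumerate(template.splitlines(), 1):
        if _find_bad_call(line) is not None:
            findings.append((no, line.strip()))
    return findings


def bracket_multi_args(template):
    """Rewrite each offending line so the arguments become a flow sequence ([a, b])."""
    out = []
    for line in template.splitlines():
        span = _find_bad_call(line)
        if span is not None:
            start, end = span
            line = line[:start] + "[" + line[start:end] + "]" + line[end:]
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for no, text in unbracketed_multi_args(SAMPLE_TEMPLATE):
        print(f"line {no}: {text}")
    print(bracket_multi_args(SAMPLE_TEMPLATE))
```

Run over the sample it reports only the `servers: {get_param: servers, Controller}` line, and the rewritten template passes the check; pointing it at a real template directory would mean reading each file and calling the two functions on its contents.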
|
|
|
|
This adjusts the interface to OS::TripleO::AllNodesExtraConfig so
it supports custom/composable/optional roles.
Note this does break backwards compatibility, and I can't see any way
to avoid that. I've converted the in-tree templates, and we'll have
to document carefully and/or provide a script (or automated conversion
via mistral perhaps?) to allow folks to easily adjust any out of tree
templates to the new format.
Basically you just have to:
1. Remove all the *_servers parameters, replace with one "servers"
json parameter
2. Replace references to e.g. "controller_servers" with "servers, Controller"
which does a path-based lookup into the json map provided by overcloud.yaml
Change-Id: I5eebf853646b2f6300d6b542fcd4f43e82d3b413
Partially-Implements: blueprint custom-roles
|
|
This is setting sane defaults for vnc_api_lib.ini as requested from the
field. The settings still can be overriden using NovaComputeExtraConfig
if needed.
Change-Id: I6a823c0b34f6ea21aa16939577ac0e1563483557
Closes-Bug: #1620647
|
|
Since https://review.openstack.org/#/c/315616 this is no longer
required.
Change-Id: I0452d1577a25d19b4351bfe7830a6c7bbe485e67
|
|
Change-Id: I1921115cb6218c7554348636c404245c79937673
Depends-On: I7ac096feb9f5655003becd79d2eea355a047c90b
Depends-On: I871ef420700e6d0ee5c1e444e019d58b3a9a45a6
|
|
|
|
|
|
Creates pool in Ceph for Cinder backups and
adds proper access permissions.
To be used with https://review.openstack.org/#/c/311218
Change-Id: Ibf84f78aff92dbd83c6e254ceb7a80e86c15036d
|
|
This patch drops the extraconfig interface in favor
of using the composable services nested stack instead.
The benefit is that it is easier to enable multiple services
(like network and storage backends at the same time) and all
of the opencontrail settings get to live in the same file.
Partially-implements: blueprint composable-services-within-roles
Change-Id: I0edbd86a8c981bd6e8a547cd2a6ebed18ecdbb31
|
|
This patch drops the extraconfig interface in favor
of using the composable services nested stack instead.
The benefit is that it is easier to enable multiple services
(like network and storage backends at the same time) and all
of the nuage settings get to live in the same file.
Partially-implements: blueprint composable-services-within-roles
Change-Id: I15fe14e9d6881bc408eb6bb10d9293bd914ef858
|
|
This patch drops the extraconfig interface in favor
of using the composable services nested stack instead.
The benefit is that it is easier to enable multiple services
(like network and storage backends at the same time) and all
of the plumgrid settings get to live in the same file.
Partially-implements: blueprint composable-services-within-roles
Change-Id: I1c5827e3650a29f7a0258531f84ae0f50f22343d
|
|
These stacks effectively do nothing. So better replace them with
the None resource.
Change-Id: If1fc759ca7f03f66229c27560cc4b8e10baa0f11
|
|
Uses a shared cinder-base resource to do the database
and messaging configuration for all three services.
Depends-On: I3c6d5226eed5f0f852b0ad9476c7cd9a959fda69
Change-Id: I47c5fd190efca5f02e73fd22aba6cda573daf5cc
|
|
In puppet-tripleo, we split loadbalancer.pp in 2 classes to be more
composable: haproxy & keepalived.
This patch is just updating all hiera parameters related to HAProxy &
keepalived.
Depends-On: I46ed8348dc990d9aa0d896e1abea3b30a8292634
Change-Id: Ibf56184cd10af1d0dcae773c02b0f31a6204badf
|
|
The ceph_keyring value is expected to be a full path
to the keyring. But we currently only pass in
client.<cephuser>. This patch fixes the value
to be full path.
Closes-Bug: #1586010
Change-Id: I5666c44bb35b6ae109c68506704eff776f5dceda
|
|
|
|
* Deploy Gnocchi API.
* Storage backends: swift, rbd and file.
* Indexer backend default to mysql
* Configure Ceilometer to send metrics data to Gnocchi
* Pacemaker config
Depends-On: Ic8778a3104e0ed0460423e4bf857682220dc5802
Depends-On: I7d2eb9405e0171fc54fa0b616122f69db5f51ce2
Co-Authored-By: Pradeep Kilambi <pkilambi@redhat.com>
Change-Id: Ifde17b1ab8fa2b30544633e455e1c7eb475705aa
|
|
This was accidentally dropped from
Id5ed05b3a20d06af8ae7a3d6f859b03399b0d77d but we should handle the
non-pacemaker case as well.
Change-Id: Ia06746f9c536159cd7b62259e450b3dec331cdb0
|
|
Enable PLUMgrid neutron liberty plugin in a TripleO overcloud environment.
Change-Id: I07025f67ec3f3399aac4dcd10cc37e857772548b
Signed-off-by: Qasim Sarfraz <qasims@plumgrid.com>
|
|
|
|
To deploy Ceph on IPv6, we need to enable ms_bind_ipv6 in addition
to passing the list of MON IPs in brackets.
Change-Id: I3644b8fc06458e68574afa5573f07442f0a09190
|
|
Multiple files in t-h-t had small typos.
Fixed in this patchset.
Change-Id: I82d7071747f47544990ed46e2be22931190406b3
|
|
Fixed the heat_template_version of these YAML files to the liberty
release version according to HOT template specs.
Change-Id: Ic5e0d843f7e164c59fb1737e52ef4cf6ad4df77f
|
|
Due to fix: https://bugs.launchpad.net/networking-cisco/+bug/1469839,
the replay count parameter is no longer used. This needs to be
reflected in the TripleO templates.
Change-Id: I666c4394108287adcb4989e897ab3936667a602b
Closes-bug: #1551387
|
|
|
|
This change adds extra config yaml files for big switch agent
and big switch lldp.
This change is mainly for compute nodes. The changes related
to controller nodes are landed at e78e1c8d9b5a7ebf327987b22091bff3ed42d1c1
This change also removes the neutron_enable_bigswitch_ml2 flag. Instead,
the user needs to specify NeutronMechanismDrivers: bsn_ml2 in environment file.
Previous discussion about this change can be found at an abandoned
review request https://review.openstack.org/#/c/271940/
Depends-On: Iefcfe698691234490504b6747ced7bb9147118de
Change-Id: I81341a4b123dc4a8312a9a00f4b663c7cca63d7c
|
|
|
|
Currently the permissions for the CA file that is injected (if the
environment is set) don't permit users that don't belong to the group
that owns the file to read it. This is too restrictive and isn't
necessary, as the certificate should be public.
This is useful in the case where we want a service that can't read the
certificate chain (or bundle) to be able to read that CA certificate.
This is the case for the MariaDB version that is being used in CentOS
7.1 for example.
Change-Id: I6ff59326a5570670c031b448fb0ffd8dfbd8b025
|
|
We were incorrectly wiring the rbd user to the relevant glance
module parameter, making it impossible to customize the
rbd user when using an external Ceph.
Change-Id: Ibe4eaedf986a9077f869c6530381e69ee0281f5b
|
|
Deploy a TripleO overcloud with OpenContrail Vrouter plugin configured
to interact with an existing OpenContrail Server Manager.
OpenContrail is an Apache 2.0-licensed project that is built using
standards-based protocols and provides all the necessary components for
network virtualization–SDN controller, virtual router, analytics engine,
and published northbound APIs. It has an extensive REST API to configure
and gather operational and analytics data from the system.
Co-Authored-By: Jiri Stransky <jistr@redhat.com>
Change-Id: I699a7c4ea09d024fe4d70c6a507c524f0a7aafd5
|
|
|
|
Enables support for configuring Cinder with a Dell
Storage Center iscsi storage backend.
This change adds all relevant parameters for:
- Dell Storage Center SC Series (iSCSI)
Change-Id: I3b1a4346f494139ab123c7dc1a62f81d03c9e728
|
|
|
|
Deploy a TripleO overcloud with networking midonet. MidoNet is a
monolithic plugin and quite a few changes to the puppet manifest must be made.
Depends-On: I72f21036fda795b54312a7d39f04c30bbf16c41b
Depends-On: I6f1ac659297b8cf6671e11ad23284f8f543568b0
Depends-On: Icea9bd96e4c80a26b9e813d383f84099c736d7bf
Change-Id: I9692e2ef566ea37e0235a6059b1ae1ceeb9725ba
|
|
There are two reasons the name property should always be set for deployment
resources:
- The name often shows up in logs, files and API calls, the default
derived name is long and unhelpful
- Sorting by name determines the merge order of os-apply-config, and the
execution order of puppet/shell scripts (note this is different to
resource dependency order) so leaving the default name results in an
undetermined order which could lead to unpredictable deployment of
configs
This change simply sets the name to the resource name, but a future change
should prepend each name with a run-parts style 2 digit prefix so that the
order is explicitly stated. Documentation for extraconfig needs to clearly
state what prefix is needed to override which merge/execution order.
For existing overcloud stacks, heat currently replaces deployment resources
when the name changes, so this change
Depends-On: I95037191915ccd32b2efb72203b146897a4edbc9
Change-Id: Ic4bcd56aa65b981275c3d4214588bfc4de63b3b0
|
|
Added a parameter to Nuage ExtraConfig template for setting
use_forwarded_for value required by Nuage metadata agent
Change-Id: I02c15311272126c5e530f118fbfb4a8f6e11a620
|
|
|
|
Added ExtraConfig templates and environment files
for Nuage Networks specific parameters.
Modified overcloud_compute.pp to conditionally
include nuage-metadata-agent.
Change-Id: I28106d8e26ad4d0158fe5e3a13f2f7b21e5c0b28
|
|
Added ExtraConfig templates and environment files for Nuage specific parameters.
Modified overcloud_compute.pp and overcloud_controller.pp to conditionally
include Nuage plugin and agents.
Change-Id: I95510c753b0a262c73566481f9e94279970f4a4f
|
|
* Fixed a comment to avoid ambiguity with concepts in Heat
* Removed default values from necessary parameters in the TLS
environment
* Simplified setting of the cert/key into a file.
Change-Id: I351778150a6fbf7affe1a0fddb1abb9869324dfc
|
|
Provides a simple mechanism to verify the correct certificates
landed.
A quick and simple way to verify SSL certificates were generated for
a given key is by comparing the modulus of the two. By outputting
the key modulus and certificate modulus we offer a way to verify
that the right cert and key have been deployed without compromising
any of the secrets.
Change-Id: I882c9840719a09795ba8057a19b0b3985e036c3c
|