path: root/puppet/extraconfig
Age | Commit message | Author | Files | Lines
2016-12-20 | FreeIPA: Make OTP and FreeIPA server parameters optional | Juan Antonio Osorio Robles | 1 | -5/+16
    In the freeipa-enroll.yaml, it can be the case that the node has been enrolled (via a cloud-init script); in this case, the OTP and the FreeIPA server are optional. However, we still need to get a kerberos ticket, which is the last step of this script, since this ticket is what certmonger will use to request the certificates in subsequent steps.

    Change-Id: I7e9d6a747cdcbe81c9a74a17db5e91aa9d459f65
2016-12-09 | Add FreeIPA enrollment template | Juan Antonio Osorio Robles | 1 | -0/+72
    This is based on previous work [1] and it's what I've been using to test the TLS-everywhere work.

    This introduces a template that will run on every node to enroll them to FreeIPA and acquire a ticket (authenticate) in order to be able to request certificates. Enrollment is done via the ipa-client-install command and it does the following:

    * Get FreeIPA's CA certificate and trust it.
    * Authenticate to FreeIPA using an OTP and get a kerberos keytab.
    * Set up several configurations that are needed for FreeIPA (sssd, kerberos, certmonger)

    The keytab is then used to authenticate and get an actual TGT (Ticket-Granting-Ticket) from Kerberos.

    The previous implementation used a PreConfig hook, however, here it was modified to use NodeTLSCAData. This has the advantage that it runs on every node as opposed to the PreConfig hook where we had to specify the role type so it's a usability improvement. And, on the other hand, this does set up necessary things for the usage of FreeIPA as a CA, such as getting the certificate and enrolling to the CA.

    [1] https://github.com/JAORMX/freeipa-tripleo-incubator

    bp tls-via-certmonger
    Change-Id: Iac94b3b047dca1bcabd464ea8eed6f1220c844f1
2016-10-04 | Merge "Use netapp_host_type instead of netapp_eseries_host_type" | Jenkins | 1 | -4/+14
2016-10-03 | reload HAProxy config in HA setups when certificate is updated | Juan Antonio Osorio Robles | 1 | -4/+2
    When updating a certificate for HAProxy, we only do a reload of the configuration on non-HA setups. This means that if we try the same in an HA setup, the cloud will still serve the old certificate and that leads to several issues, such as serving a revoked or even a compromised certificate for some time, or just SSL issues that the certificate doesn't match. This enables a reload for HA cases too.

    Change-Id: Ib8ca2fe91be345ef4324fc8265c45df8108add7a
    Closes-Bug: #1629886
2016-09-29 | Use netapp_host_type instead of netapp_eseries_host_type | Giulio Fidente | 1 | -4/+14
    This patch deprecates netapp_eseries_host_type in favor of netapp_host_type.

    Change-Id: I113c770ca2e4dc54526d4262bacae48e223c54f4
    Closes-Bug: 1579161
2016-09-25 | get_param calls with multiple arguments need brackets around them | Michele Baldessari | 2 | -8/+8
    This issue was spotted during major upgrade where we had calls like this:

        servers: {get_param: servers, Controller}

    These get_param calls are hanging indefinitely and make the whole upgrade end in a timeout. We need to put brackets around the get_param function when there are multiple arguments:
    http://docs.openstack.org/developer/heat/template_guide/hot_spec.html#get-param

    This is already done in most of the tree, and the few places where this was not happening were parts not under CI.

    After this change the following grep returns only one false positive:

        grep -ir get_param: |grep -v -- '\[' |grep ','

    Change-Id: I65b23bb44f37b93e017dd15a5212939ffac76614
    Closes-Bug: #1626628
2016-09-17 | Merge "Convert AllNodesExtraConfig to support composable roles" | Jenkins | 2 | -28/+12
2016-09-16 | Convert AllNodesExtraConfig to support composable roles | Steven Hardy | 2 | -28/+12
    This adjusts the interface to OS::TripleO::AllNodesExtraConfig so it supports custom/composable/optional roles.

    Note this does break backwards compatibility, and I can't see any way to avoid that. I've converted the in-tree templates, and we'll have to document carefully and/or provide a script (or automated conversion via mistral perhaps?) to allow folks to easily adjust any out of tree templates to the new format.

    Basically you just have to:

    1. Remove all the *_servers parameters, replace with one "servers" json parameter
    2. Replace references to e.g. "controller_servers" with "servers, Controller" which does a path-based lookup into the json map provided by overcloud.yaml

    Change-Id: I5eebf853646b2f6300d6b542fcd4f43e82d3b413
    Partially-Implements: blueprint custom-roles
2016-09-08 | Populate vnc_api_lib.ini on compute nodes with OpenContrail | Jiri Stransky | 1 | -0/+12
    This is setting sane defaults for vnc_api_lib.ini as requested from the field. The settings still can be overridden using NovaComputeExtraConfig if needed.

    Change-Id: I6a823c0b34f6ea21aa16939577ac0e1563483557
    Closes-Bug: #1620647
2016-07-05 | Remove config_identifier from all_nodes extraconfig examples | Steven Hardy | 2 | -16/+0
    Since https://review.openstack.org/#/c/315616 this is no longer required.

    Change-Id: I0452d1577a25d19b4351bfe7830a6c7bbe485e67
2016-07-04 | Switch Ceph Monitor/OSD/Client/External to composable roles | Giulio Fidente | 1 | -120/+0
    Change-Id: I1921115cb6218c7554348636c404245c79937673
    Depends-On: I7ac096feb9f5655003becd79d2eea355a047c90b
    Depends-On: I871ef420700e6d0ee5c1e444e019d58b3a9a45a6
2016-06-23 | Merge "Drop extraconfig for neutron-opencontrail.yaml" | Jenkins | 1 | -62/+0
2016-06-23 | Merge "Drop extraconfig for neutron-nuage.yaml" | Jenkins | 1 | -91/+0
2016-06-20 | Create Cinder backup pool in Ceph | Boris Kreitchman | 1 | -1/+6
    Creates pool in Ceph for Cinder backups and adds proper access permissions. To be used with https://review.openstack.org/#/c/311218

    Change-Id: Ibf84f78aff92dbd83c6e254ceb7a80e86c15036d
2016-06-16 | Drop extraconfig for neutron-opencontrail.yaml | Dan Prince | 1 | -62/+0
    This patch drops the extraconfig interface in favor of using the composable services nested stack instead. The benefit is that it is easier to enable multiple services (like network and storage backends at the same time) and all of the opencontrail settings get to live in the same file.

    Partially-implements: blueprint composable-services-within-roles
    Change-Id: I0edbd86a8c981bd6e8a547cd2a6ebed18ecdbb31
2016-06-16 | Drop extraconfig for neutron-nuage.yaml | Dan Prince | 1 | -91/+0
    This patch drops the extraconfig interface in favor of using the composable services nested stack instead. The benefit is that it is easier to enable multiple services (like network and storage backends at the same time) and all of the nuage settings get to live in the same file.

    Partially-implements: blueprint composable-services-within-roles
    Change-Id: I15fe14e9d6881bc408eb6bb10d9293bd914ef858
2016-06-13 | Drop extraconfig for neutron-plumgrid.yaml | Dan Prince | 1 | -113/+0
    This patch drops the extraconfig interface in favor of using the composable services nested stack instead. The benefit is that it is easier to enable multiple services (like network and storage backends at the same time) and all of the plumgrid settings get to live in the same file.

    Partially-implements: blueprint composable-services-within-roles
    Change-Id: I1c5827e3650a29f7a0258531f84ae0f50f22343d
2016-06-09 | Replace no-op TLS stacks with OS::Heat::None | Juan Antonio Osorio Robles | 2 | -51/+0
    These stacks effectively do nothing. So better replace them with the None resource.

    Change-Id: If1fc759ca7f03f66229c27560cc4b8e10baa0f11
2016-06-02 | Switch Cinder Api/Scheduler/Volume to composable roles | Giulio Fidente | 4 | -5/+5
    Uses a shared cinder-base resource to do the database and messaging configuration for all three services.

    Depends-On: I3c6d5226eed5f0f852b0ad9476c7cd9a959fda69
    Change-Id: I47c5fd190efca5f02e73fd22aba6cda573daf5cc
2016-05-30 | loadbalancer: update hiera parameters for HAproxy/keepalived split | Emilien Macchi | 1 | -1/+1
    In puppet-tripleo, we split loadbalancer.pp in 2 classes to be more composable: haproxy & keepalived. This patch is just updating all hiera parameters related to HAproxy & keepalived.

    Depends-On: I46ed8348dc990d9aa0d896e1abea3b30a8292634
    Change-Id: Ibf56184cd10af1d0dcae773c02b0f31a6204badf
2016-05-26 | Fix ceph keyring setting for gnocchi | Pradeep Kilambi | 1 | -1/+3
    The ceph_keyring value is expected to be a full path to the keyring. But we currently only pass in client.<cephuser>. This patch fixes the value to be full path.

    Closes-Bug: #1586010
    Change-Id: I5666c44bb35b6ae109c68506704eff776f5dceda
2016-04-18 | Merge "Reload haproxy after injecting certs w/o pcmk too" | Jenkins | 1 | -0/+8
2016-04-11 | Deploy Gnocchi as a Ceilometer metrics storage backend | Pradeep Kilambi | 1 | -1/+13
    * Deploy Gnocchi API.
    * Storage backends: swift, rbd and file.
    * Indexer backend default to mysql
    * Configure Ceilometer to send metrics data to Gnocchi
    * Pacemaker config

    Depends-On: Ic8778a3104e0ed0460423e4bf857682220dc5802
    Depends-On: I7d2eb9405e0171fc54fa0b616122f69db5f51ce2
    Co-Authored-By: Pradeep Kilambi <pkilambi@redhat.com>
    Change-Id: Ifde17b1ab8fa2b30544633e455e1c7eb475705aa
2016-04-05 | Reload haproxy after injecting certs w/o pcmk too | Ben Nemec | 1 | -0/+8
    This was accidentally dropped from Id5ed05b3a20d06af8ae7a3d6f859b03399b0d77d but we should handle the non-pacemaker case as well.

    Change-Id: Ia06746f9c536159cd7b62259e450b3dec331cdb0
2016-03-18 | PLUMgrid Neutron integration | Qasim Sarfraz | 1 | -0/+113
    Enable PLUMgrid neutron liberty plugin in a TripleO overcloud environment.

    Change-Id: I07025f67ec3f3399aac4dcd10cc37e857772548b
    Signed-off-by: Qasim Sarfraz <qasims@plumgrid.com>
2016-03-15 | Merge "Fix typos" | Jenkins | 2 | -3/+3
2016-03-10 | Support the deployment of Ceph over IPv6 | Giulio Fidente | 1 | -1/+7
    To deploy Ceph on IPv6, we need to enable ms_bind_ipv6 in addition to passing the list of MON IPs in brackets.

    Change-Id: I3644b8fc06458e68574afa5573f07442f0a09190
2016-03-08 | Fix typos | Swapnil Kulkarni (coolsvap) | 2 | -3/+3
    Multiple files in t-h-t were having small typos. Fixed in this patchset.

    Change-Id: I82d7071747f47544990ed46e2be22931190406b3
2016-03-03 | Updated the heat_template_version | rajinir | 2 | -2/+2
    Fixed the heat_template_version of these YAML files to the liberty release version according to HOT template specs.

    Change-Id: Ic5e0d843f7e164c59fb1737e52ef4cf6ad4df77f
2016-02-29 | Cisco nexus config template - obsolete parameter (replay count). | Leon Zachery | 1 | -2/+9
    Due to fix: https://bugs.launchpad.net/networking-cisco/+bug/1469839, the replay count parameter is no longer used. This needs to be reflected in the Triple O templates.

    Change-Id: I666c4394108287adcb4989e897ab3936667a602b
    Closes-bug: #1551387
2016-02-29 | Merge "OpenContrail heat templates" | Jenkins | 2 | -0/+109
2016-02-22 | Add extra config yaml files for big switch agents. | xinwu | 2 | -1/+45
    This change adds extra config yaml files for big switch agent and big switch lldp. This change is mainly for compute nodes. The changes related to controller nodes are landed at e78e1c8d9b5a7ebf327987b22091bff3ed42d1c1

    This change also removes the neutron_enable_bigswitch_ml2 flag. Instead, User needs to specify NeutronMechanismDrivers: bsn_ml2 in environment file.

    Previous discussion about this change can be found at an abandoned review request https://review.openstack.org/#/c/271940/

    Depends-On: Iefcfe698691234490504b6747ced7bb9147118de
    Change-Id: I81341a4b123dc4a8312a9a00f4b663c7cca63d7c
2016-02-18 | Merge "Make injected CA file readable by others" | Jenkins | 1 | -1/+1
2016-02-17 | Make injected CA file readable by others | Juan Antonio Osorio Robles | 1 | -1/+1
    Currently the permissions for the CA file that is injected (if the environment is set), doesn't permit users that don't belong to the group that owns the file to read it. This is too restrictive and isn't necessary, as the certificate should be public.

    This is useful in the case where we want a service that can't read the certificate chain (or bundle) to be able to read that CA certificate. This is the case for the MariaDB version that is being used in CentOS 7.1 for example.

    Change-Id: I6ff59326a5570670c031b448fb0ffd8dfbd8b025
2016-02-16 | Wire the Glance rbd user correctly into the external Ceph template | Giulio Fidente | 1 | -1/+1
    We were incorrectly wiring the rbd user to the relevant glance module parameter, making it impossible to customize the rbd user when using an external Ceph.

    Change-Id: Ibe4eaedf986a9077f869c6530381e69ee0281f5b
2016-01-21 | OpenContrail heat templates | Nicolas Hicher | 2 | -0/+109
    Deploy a TripleO overcloud with OpenContrail Vrouter plugin configured to interact with an existing OpenContrail Server Manager.

    OpenContrail is an Apache 2.0-licensed project that is built using standards-based protocols and provides all the necessary components for network virtualization: SDN controller, virtual router, analytics engine, and published northbound APIs. It has an extensive REST API to configure and gather operational and analytics data from the system.

    Co-Authored-By: Jiri Stransky <jistr@redhat.com>
    Change-Id: I699a7c4ea09d024fe4d70c6a507c524f0a7aafd5
2016-01-18 | Merge "Set the name property for all deployment resources" | Jenkins | 9 | -0/+16
2016-01-06 | Enable Dell Storage Center iscsi Backends in Cinder | rajinir | 1 | -0/+87
    Enables support for configuring Cinder with a Dell Storage Center iscsi storage backend.

    This change adds all relevant parameters for:
    - Dell Storage Center SC Series (iSCSI)

    Change-Id: I3b1a4346f494139ab123c7dc1a62f81d03c9e728
2016-01-06 | Merge "Enable Equallogic Backends in Cinder" | Jenkins | 1 | -0/+86
2015-12-21 | MidoNet heat templates | Jaume Devesa | 1 | -0/+119
    Deploy a TripleO overcloud with networking midonet. MidoNet is a monolithic plugin and quite a few changes on the puppet manifest must be done.

    Depends-On: I72f21036fda795b54312a7d39f04c30bbf16c41b
    Depends-On: I6f1ac659297b8cf6671e11ad23284f8f543568b0
    Depends-On: Icea9bd96e4c80a26b9e813d383f84099c736d7bf
    Change-Id: I9692e2ef566ea37e0235a6059b1ae1ceeb9725ba
2015-12-10 | Set the name property for all deployment resources | Steve Baker | 9 | -0/+16
    There are two reasons the name property should always be set for deployment resources:
    - The name often shows up in logs, files and API calls, the default derived name is long and unhelpful
    - Sorting by name determines the merge order of os-apply-config, and the execution order of puppet/shell scripts (note this is different to resource dependency order) so leaving the default name results in an undetermined order which could lead to unpredictable deployment of configs

    This change simply sets the name to the resource name, but a future change should prepend each name with a run-parts style 2 digit prefix so that the order is explicitly stated. Documentation for extraconfig needs to clearly state what prefix is needed to override which merge/execution order.

    For existing overcloud stacks, heat currently replaces deployment resources when the name changes, so this change
    Depends-On: I95037191915ccd32b2efb72203b146897a4edbc9
    Change-Id: Ic4bcd56aa65b981275c3d4214588bfc4de63b3b0
2015-12-07 | Change for configuring use_forwarded_for value for Nuage | Lokesh Jain | 1 | -0/+7
    Added a parameter to Nuage ExtraConfig template for setting use_forwarded_for value required by Nuage metadata agent

    Change-Id: I02c15311272126c5e530f118fbfb4a8f6e11a620
2015-12-03 | Merge "Minor fixes to TLS related resources" | Jenkins | 2 | -5/+3
2015-11-30 | Changes for configuring Nuage | Rohit Pagedar | 1 | -0/+50
    Added ExtraConfig templates and environment files for Nuage Networks specific parameters. Modified overcloud_compute.pp to conditionally include nuage-metadata-agent.

    Change-Id: I28106d8e26ad4d0158fe5e3a13f2f7b21e5c0b28
2015-11-30 | Changes for configuring Nuage | Lokesh Jain | 2 | -0/+125
    Added ExtraConfig templates and environment files for Nuage specific parameters. Modified overcloud_compute.pp and overcloud_controller.pp to conditionally include Nuage plugin and agents.

    Change-Id: I95510c753b0a262c73566481f9e94279970f4a4f
2015-11-26 | Minor fixes to TLS related resources | Juan Antonio Osorio Robles | 2 | -5/+3
    * Fixed a comment to avoid ambiguity with concepts in Heat
    * Removed default values from necessary parameters in the TLS environment
    * Simplified setting of the cert/key into a file.

    Change-Id: I351778150a6fbf7affe1a0fddb1abb9869324dfc
2015-11-25 | Output the SSL Certificate and Key modulus | Mark Chappell | 2 | -0/+20
    Provides a simple mechanism to verify the correct certificates landed.

    A quick and simple way to verify SSL certificates were generated for a given key is by comparing the modulus of the two. By outputting the key modulus and certificate modulus we offer a way to verify that the right cert and key have been deployed without compromising any of the secrets.

    Change-Id: I882c9840719a09795ba8057a19b0b3985e036c3c
2015-11-25 | Enable trust anchor injection | Juan Antonio Osorio Robles | 2 | -0/+83
    This commit enables the injection of a trust anchor or root certificate into every node in the overcloud. This is in case that the TLS certificates for the controllers are signed with a self-signed CA or if the deployer would like to inject a relevant root certificate for other purposes. In this case the other nodes might need to have the root certificate in their trust chain in order to do proper validation.

    Change-Id: Ia45180fe0bb979cf12d19f039dbfd22e26fb4856
2015-11-23 | Inject TLS certificate and keys for the Overcloud | Juan Antonio Osorio Robles | 2 | -0/+109
    This is a first implementation of adding TLS termination to the load balancer in the controllers. The implementation was made so that the appropriate certificate/private key in PEM format is copied to the appropriate controller(s) via a software deployment resource. And the path is then referenced on the HAProxy configuration, but this part was left commented out because we need to be able to configure the keystone endpoints in order for this to work properly.

    Change-Id: I0ba8e38d75a0c628d8132a66dc25a30fc5183c79
2015-11-12 | Enable Equallogic Backends in Cinder | rajinir | 1 | -0/+86
    Enables support for configuring Cinder with a Dell Equallogic storage backend.

    This change adds all relevant parameters for:
    - Equallogic PS-Series (iSCSI)

    Change-Id: Ia0f71863cfb12f2cdda43dcf707a9a7145963001