summaryrefslogtreecommitdiffstats
path: root/puppet/services/haproxy.yaml
AgeCommit message (Collapse)AuthorFilesLines
2017-06-08Configure crl file for HAProxyJuan Antonio Osorio Robles1-0/+6
This will enable HAProxy to use CRLs for the nodes it's proxying. bp tls-via-certmonger Depends-On: I4f1edc551488aa5bf6033442c4fa1fb0d3f735cd Change-Id: I2558113bf83674ce22d99364b63c0c5be446bf77
2017-05-15Add role specific information to the service templateSaravanan KR1-0/+12
When a service is enabled on multiple roles, the parameters for the service will be global. This change enables an option to provide role specific parameter to services and other templates. Two new parameters - RoleName and RoleParameters, are added to the service template. RoleName provides the role name of on which the current instance of the service is being applied on. RoleParameters provides the list of parameters which are configured specific to the role in the environment file, like below: parameters_default: # Default value for applied to all roles NovaReservedHostMemory: 2048 ComputeDpdkParameters: # Applied only to ComputeDpdk role NovaReservedHostMemory: 4096 In above sample, the cluster contains 2 roles - Compute, ComputeDpdk. The values of ComputeDpdkParameters will be passed on to the templates as RoleParameters while creating the stack for ComputeDpdk role. The parameter which supports role specific configuration, should find the parameter first in in the RoleParameters list, if not found, then the default (for all roles) should be used. Implements: blueprint tripleo-derive-parameters Change-Id: I72376a803ec6b2ed93903cc0c95a6ffce718b6dc
2017-05-03Internal TLS: Use specific CA file for haproxyJuan Antonio Osorio Robles1-0/+6
Instead of using the CA bundle, this sets HAProxy to use a specific file for validating the certificates of the services it's proxying. This helps in two ways: * Improves performance since validation will check only one certificate. * Improves security since we're only the certificates signed by one CA are valid, instead of any certificate that the system trusts (which could include potentially compromised public certs). Change-Id: Id6de045b3c93c82d37e0b0657c17a3108516016a
2017-05-02Use list_concat for metadata_settings for haproxyJuan Antonio Osorio Robles1-6/+4
Change-Id: Ia0e0a12e1863dce657d4e1c7f9894ea5bfd008be
2017-03-01upgrades/validation: only run validation when services existEmilien Macchi1-0/+8
During upgrades, validation test if a service is running before the upgrade process starts. In some cases, servies doesn't exist yet so we don't want to run the validation. This patch makes sure we check if the service is actually present on the system before validating it's running correctly. Also it makes sure that services are enabled before trying to stop them. It allows use-cases where we want to add new services during an upgrade. Also install new packages of services added in Ocata, so we can validate upgrades on scenarios jobs. Change-Id: Ib48fb6b1557be43956557cbde4cbe26b53a50bd8
2017-02-28Put service stop at step1 and quiesce at step2.Sofer Athlan-Guyot1-1/+1
In the previous release[1], the services were stopped before the pacemaker services, so that they get a chance to send last message to the database/rabbitmq queue: Let's do the upgrade in the same order. [1] https://github.com/openstack/tripleo-heat-templates/blob/stable/newton/extraconfig/tasks/major_upgrade_controller_pacemaker_2.sh#L13-L71 Change-Id: I1c4045e8b9167396c9dfa4da99973102f1af1218
2017-01-27Adds a pre-upgrade check that service is running (step0)marios1-0/+3
Adds a step0 for most services to check that the state is running before continuing with any of the other upgrades steps (these are tagged step0). You can skip this service check by overriding the SkipUpgradeConfigTags parameter as follows: parameter_defaults: SkipUpgradeConfigTags: validation Co-Authored-By: Steven Hardy <shardy@redhat.com> Change-Id: Ie276f153015f671b720b6ed5beaac1b921661909
2017-01-25Add metadata settings for needed kerberos principalsJuan Antonio Osorio Robles1-0/+6
These are only used for TLS-everywhere, and fills up the kerberos principals that will need to be created for the certs used by the overcloud. With this, the metadata hook will format these principals correctly and will further pass them on to the nova metadata service. Where they can be used if there's a plugin enabled. bp tls-via-certmonger bp novajoin Change-Id: I873094bb69200052febda629fda698a7a782c031
2016-12-23Bump template version for all templates to "ocata"Steven Hardy1-1/+1
Heat now supports release name aliases, so we can replace the inconsistent mix of date related versions with one consistent version that aligns with the supported version of heat for this t-h-t branch. This should also help new users who sometimes copy/paste old templates and discover intrinsic functions in the t-h-t docs don't work because their template version is too old. Change-Id: Ib415e7290fea27447460baa280291492df197e54
2016-12-01Initial support for composable upgrades with Heat+AnsibleSteven Hardy1-0/+7
This shows how we could wire in the upgrade steps using Ansible as was previously proposed e.g in https://review.openstack.org/#/c/321416/ but it's more closely integrated with the new composable services architecture. It's also very similar to the approach taken by SpinalStack where ansible snippets per-service were combined then run in a series of steps using Ansible tags. This patch just enables upgrade of keystone - we'll add support for other patches in subsequent patches. Partially-Implements: blueprint overcloud-upgrades-per-service Change-Id: I39f5426cb9da0b40bec4a7a3a4a353f69319bdf9
2016-10-24Enables auto-detection for VIP interfacesTim Rozet1-12/+0
Previously the ctrl plane VIP would default to 'br-ex' which in non-vlan deployments ends up being the wrong interface. The public VIP interface was also defaulted to 'br-ex' which would be incorrect for vlan based deployments. Since a user has already given the nic template (and in most cases the subnet that corresponds to the nic) the installer should be able to figure out which interface the public/control vip should be on. These changes enable that type of auto-detection, unless a user explicitly overrides the heat parameters for ControlVirtualInterface and PublicVirtualInterface. Also, incorrect parameters from haproxy service are removed. Depends-On: I05105fce85be8ace986db351cdca2916f405ed04 Closes-Bug: 1606632 Change-Id: I3c1c39824ec32ced304a782edc6ef49c0769c108 Signed-off-by: Tim Rozet <trozet@redhat.com>
2016-09-29Add HAProxy TLS handled by certmonger as composable serviceJuan Antonio Osorio Robles1-10/+33
This adds some basic pieces to get certmonger to manage the certificates for HAProxy. The aim is to be flexible enough that we will be able to manage both public and internal certificates. This also adds a relevant environment to get the endpoints to have TLS everywhere. bp tls-via-certmonger Depends-On: I89001ae32f46c9682aecc118753ef6cd647baa62 Change-Id: Ife5f8c2f07233295bc15b4c605acf3d9bd62f162
2016-09-06Merge "Cleanup haproxy service from explicit services enablement"Jenkins1-22/+0
2016-08-31Availability monitoring agents supportMartin Mágr1-0/+4
- adds possibility to install sensu-client on all nodes - each composable service has it's own subscription Co-Authored-By: Emilien Macchi <emilien@redhat.com> Co-Authored-By: Michele Baldessari <michele@redhat.com> Implements: blueprint tripleo-opstools-availability-monitoring Change-Id: I6a215763fd0f0015285b3573305d18d0f56c7770
2016-08-30Cleanup haproxy service from explicit services enablementGiulio Fidente1-22/+0
Change-Id: Ibc86d4dd0aa576345e3f174ea1adca3e6248e81e Depends-On: I5c620ba717f782b39c599aff24b4ac56fb695a04
2016-08-29Conditionally expose haproxy endpointsJuan Antonio Osorio Robles1-20/+20
With the introduction of the global config, HAProxy can know which endpoints to expose. It will get those via hieradata. Change-Id: I0f5ce8c7394625e8dce691ae1996457a9ea99a99
2016-08-25Ironic: add missing haproxy and firewall configurationDmitry Tantsur1-0/+1
Make sure Ironic API listens on a different IP than HAProxy. Also open firewall ports for Ironic API and TFTP. Change-Id: I9d843e76adcdb1085fd1e9fb7408a2387909382b
2016-08-24Move Keepalived/HAproxy settings out of controllerDan Prince1-0/+32
This moves the config settings out of controller.yaml for Keepalived and HAproxy. NOTE: the tripleo::haproxy::redis_password wasn't getting set correctly before this patch. Looks like a breakages that occurred when puppet-tripleo dropped the loadbalancer class. Related-Bug: #1604414 Change-Id: Id24b02ac73f4ae33b20194da8a5f99f17403ece9
2016-08-18Add DefaultPasswords to composable servicesDan Prince1-0/+3
This patch adds a new DefaultPasswords parameter to composable services. This is needed to help provide access to top level password resources that overcloud.yaml currently manages (passwords for Rabbit, Mysql, etc.). Moving the RandomString resources into composable services would cause them to regenerate within the stack. With this approach we can leave them where they are while we deprecate the top level mechanism and move the code that uses the passwords into the composable services. Change-Id: I4f21603c58a169a093962594e860933306879e3f
2016-08-18Pass ServiceNetMap to servicesGiulio Fidente1-0/+6
This will be needed to pick the network where the service has to bind to from within the service template. Change-Id: I52652e1ad8c7b360efd2c7af199e35932aaaea8c
2016-07-27Migrate Puppet Hieradata to composable servicesEmilien Macchi1-0/+21
Migrate puppet/hieradata/*.yaml parameters to puppet/services/*.yaml except for some services that are not composable yet. Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Change-Id: I7e5f8b18ee9aa63a1dffc6facaf88315b07d5fd7
2016-07-25Composable firewall rulesDan Prince1-0/+4
Split out the firewall rules in puppet/hieradata/controller.yaml into the composable services Depends-On: Id370362ab57347b75b1ab25afda877885b047263 Change-Id: Icaecab100d3f278035fbbb3facb9bf6c62c76c03
2016-07-22Add 'service_name' to composable servicesDan Prince1-0/+1
This patch adds a new service_name section to each composable service. We now have an explicit unit test check to ensure that service_name exists in tools/yaml-validate.py. This patch also wires service_names into hieradata on each of the roles so that tools can access the deployed services locally during deployment and upgrades. Change-Id: I60861c5aa760534db3e314bba16a13b90ea72f0c
2016-06-04Explode Loadbalancer role into HAproxy + keepalivedEmilien Macchi1-0/+18
Split Loadbalancer into HAproxy & Keepalived roles. Depends-On: I8aa9045fc80205485abab723968b26084f60bf71 Change-Id: If2723358099e78052c351a4a45fdf01d116a89df