| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
This de-couples public TLS from controllers to now run wherever HAProxy
is deployed.
Partially-Implements: blueprint composable-networks
Change-Id: I9e84a25a363899acf103015527787bdd8248949f
|
|
Since these are obviously global parameters they shouldn't specify
what will be using them because they are used in multiple places.
Change-Id: I5054c2d67dffe802e37f8391dd7bad4721e29831
Partial-Bug: 1700664
|
|
Makes it possible to resolve network subnets within a service
template; the data is transported into a new property ServiceData
wired into every service which hopefully is generic enough to
be extended in the future and transport more data.
Data can be consumed in service templates to set config values
which need to know what is the subnet where a deamon operates (for
example the Ceph Public vs Cluster network).
Change-Id: I28e21c46f1ef609517175f7e7ee19e28d1c0cba2
|
|
This is associated with the haproxy service, so set the hieradata there
instead. This is needed so we can render the controller role template
via j2, and also if anyone ever wants to run haproxy on some role other
then the Controller.
Change-Id: I82b992afe42f6da7788f6efca2366863c3bf68f7
Partially-Implements: blueprint composable-networks
|
|
This was made configurable in a recent commit [1] So this flag makes it
easier for deployers to use that functionality.
[1] Ic68266eaf39d6803f7c3e299095578bbcfd63b88
Change-Id: Iffff20dcda53bc7237586dd240e581bcb0282844
|
|
This will enable HAProxy to use CRLs for the nodes it's proxying.
bp tls-via-certmonger
Depends-On: I4f1edc551488aa5bf6033442c4fa1fb0d3f735cd
Change-Id: I2558113bf83674ce22d99364b63c0c5be446bf77
|
|
When a service is enabled on multiple roles, the parameters for the
service will be global. This change enables an option to provide
role specific parameter to services and other templates.
Two new parameters - RoleName and RoleParameters, are added to the
service template. RoleName provides the role name of on which the
current instance of the service is being applied on. RoleParameters
provides the list of parameters which are configured specific to the
role in the environment file, like below:
parameters_default:
# Default value for applied to all roles
NovaReservedHostMemory: 2048
ComputeDpdkParameters:
# Applied only to ComputeDpdk role
NovaReservedHostMemory: 4096
In above sample, the cluster contains 2 roles - Compute, ComputeDpdk.
The values of ComputeDpdkParameters will be passed on to the templates
as RoleParameters while creating the stack for ComputeDpdk role. The
parameter which supports role specific configuration, should find the
parameter first in in the RoleParameters list, if not found, then the
default (for all roles) should be used.
Implements: blueprint tripleo-derive-parameters
Change-Id: I72376a803ec6b2ed93903cc0c95a6ffce718b6dc
|
|
Instead of using the CA bundle, this sets HAProxy to use a specific file
for validating the certificates of the services it's proxying. This
helps in two ways:
* Improves performance since validation will check only one certificate.
* Improves security since we're only the certificates signed by one CA
are valid, instead of any certificate that the system trusts (which
could include potentially compromised public certs).
Change-Id: Id6de045b3c93c82d37e0b0657c17a3108516016a
|
|
Change-Id: Ia0e0a12e1863dce657d4e1c7f9894ea5bfd008be
|
|
During upgrades, validation test if a service is running before the
upgrade process starts.
In some cases, servies doesn't exist yet so we don't want to run the
validation.
This patch makes sure we check if the service is actually present on the
system before validating it's running correctly.
Also it makes sure that services are enabled before trying to stop them.
It allows use-cases where we want to add new services during an upgrade.
Also install new packages of services added in Ocata, so we can validate
upgrades on scenarios jobs.
Change-Id: Ib48fb6b1557be43956557cbde4cbe26b53a50bd8
|
|
In the previous release[1], the services were stopped before the
pacemaker services, so that they get a chance to send last message to
the database/rabbitmq queue:
Let's do the upgrade in the same order.
[1] https://github.com/openstack/tripleo-heat-templates/blob/stable/newton/extraconfig/tasks/major_upgrade_controller_pacemaker_2.sh#L13-L71
Change-Id: I1c4045e8b9167396c9dfa4da99973102f1af1218
|
|
Adds a step0 for most services to check that the state is running
before continuing with any of the other upgrades steps (these are
tagged step0).
You can skip this service check by overriding the
SkipUpgradeConfigTags parameter as follows:
parameter_defaults:
SkipUpgradeConfigTags: validation
Co-Authored-By: Steven Hardy <shardy@redhat.com>
Change-Id: Ie276f153015f671b720b6ed5beaac1b921661909
|
|
These are only used for TLS-everywhere, and fills up the kerberos
principals that will need to be created for the certs used by the
overcloud. With this, the metadata hook will format these principals
correctly and will further pass them on to the nova metadata service.
Where they can be used if there's a plugin enabled.
bp tls-via-certmonger
bp novajoin
Change-Id: I873094bb69200052febda629fda698a7a782c031
|
|
Heat now supports release name aliases, so we can replace
the inconsistent mix of date related versions with one consistent
version that aligns with the supported version of heat for this
t-h-t branch.
This should also help new users who sometimes copy/paste old templates
and discover intrinsic functions in the t-h-t docs don't work because
their template version is too old.
Change-Id: Ib415e7290fea27447460baa280291492df197e54
|
|
This shows how we could wire in the upgrade steps using Ansible
as was previously proposed e.g in https://review.openstack.org/#/c/321416/
but it's more closely integrated with the new composable services
architecture.
It's also very similar to the approach taken by SpinalStack where
ansible snippets per-service were combined then run in a series of
steps using Ansible tags.
This patch just enables upgrade of keystone - we'll add support for
other patches in subsequent patches.
Partially-Implements: blueprint overcloud-upgrades-per-service
Change-Id: I39f5426cb9da0b40bec4a7a3a4a353f69319bdf9
|
|
Previously the ctrl plane VIP would default to 'br-ex' which in non-vlan
deployments ends up being the wrong interface. The public VIP interface
was also defaulted to 'br-ex' which would be incorrect for vlan based
deployments. Since a user has already given the nic template (and in
most cases the subnet that corresponds to the nic) the installer should
be able to figure out which interface the public/control vip should be
on.
These changes enable that type of auto-detection, unless a user
explicitly overrides the heat parameters for ControlVirtualInterface and
PublicVirtualInterface. Also, incorrect parameters from haproxy service
are removed.
Depends-On: I05105fce85be8ace986db351cdca2916f405ed04
Closes-Bug: 1606632
Change-Id: I3c1c39824ec32ced304a782edc6ef49c0769c108
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
This adds some basic pieces to get certmonger to manage the
certificates for HAProxy. The aim is to be flexible enough that we
will be able to manage both public and internal certificates.
This also adds a relevant environment to get the endpoints to have
TLS everywhere.
bp tls-via-certmonger
Depends-On: I89001ae32f46c9682aecc118753ef6cd647baa62
Change-Id: Ife5f8c2f07233295bc15b4c605acf3d9bd62f162
|
|
|
|
- adds possibility to install sensu-client on all nodes
- each composable service has it's own subscription
Co-Authored-By: Emilien Macchi <emilien@redhat.com>
Co-Authored-By: Michele Baldessari <michele@redhat.com>
Implements: blueprint tripleo-opstools-availability-monitoring
Change-Id: I6a215763fd0f0015285b3573305d18d0f56c7770
|
|
Change-Id: Ibc86d4dd0aa576345e3f174ea1adca3e6248e81e
Depends-On: I5c620ba717f782b39c599aff24b4ac56fb695a04
|
|
With the introduction of the global config, HAProxy can know which
endpoints to expose. It will get those via hieradata.
Change-Id: I0f5ce8c7394625e8dce691ae1996457a9ea99a99
|
|
Make sure Ironic API listens on a different IP than HAProxy.
Also open firewall ports for Ironic API and TFTP.
Change-Id: I9d843e76adcdb1085fd1e9fb7408a2387909382b
|
|
This moves the config settings out of controller.yaml for Keepalived
and HAproxy.
NOTE: the tripleo::haproxy::redis_password wasn't getting set
correctly before this patch. Looks like a breakages that
occurred when puppet-tripleo dropped the loadbalancer class.
Related-Bug: #1604414
Change-Id: Id24b02ac73f4ae33b20194da8a5f99f17403ece9
|
|
This patch adds a new DefaultPasswords parameter to
composable services. This is needed to help provide
access to top level password resources that overcloud.yaml
currently manages (passwords for Rabbit, Mysql, etc.).
Moving the RandomString resources into composable services
would cause them to regenerate within the stack. With this
approach we can leave them where they are while we deprecate
the top level mechanism and move the code that uses the
passwords into the composable services.
Change-Id: I4f21603c58a169a093962594e860933306879e3f
|
|
This will be needed to pick the network where the service has
to bind to from within the service template.
Change-Id: I52652e1ad8c7b360efd2c7af199e35932aaaea8c
|
|
Migrate puppet/hieradata/*.yaml parameters to puppet/services/*.yaml
except for some services that are not composable yet.
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: I7e5f8b18ee9aa63a1dffc6facaf88315b07d5fd7
|
|
Split out the firewall rules in puppet/hieradata/controller.yaml
into the composable services
Depends-On: Id370362ab57347b75b1ab25afda877885b047263
Change-Id: Icaecab100d3f278035fbbb3facb9bf6c62c76c03
|
|
This patch adds a new service_name section to each composable
service. We now have an explicit unit test check to ensure that
service_name exists in tools/yaml-validate.py.
This patch also wires service_names into hieradata on each
of the roles so that tools can access the deployed services locally
during deployment and upgrades.
Change-Id: I60861c5aa760534db3e314bba16a13b90ea72f0c
|
|
Split Loadbalancer into HAproxy & Keepalived roles.
Depends-On: I8aa9045fc80205485abab723968b26084f60bf71
Change-Id: If2723358099e78052c351a4a45fdf01d116a89df
|
Juan Antonio Osorio Robles
Ben Nemec
Giulio Fidente
Steven Hardy
Saravanan KR
Emilien Macchi
Sofer Athlan-Guyot
marios
Tim Rozet
Jenkins
Martin Mágr
Dmitry Tantsur
Dan Prince