Age | Commit message (Collapse) | Author | Files | Lines |
|
Instead of using the CA bundle, this sets HAProxy to use a specific file
for validating the certificates of the services it's proxying. This
helps in two ways:
* Improves performance since validation will check only one certificate.
* Improves security since we're only the certificates signed by one CA
are valid, instead of any certificate that the system trusts (which
could include potentially compromised public certs).
Change-Id: Id6de045b3c93c82d37e0b0657c17a3108516016a
|
|
Change-Id: Ia0e0a12e1863dce657d4e1c7f9894ea5bfd008be
|
|
During upgrades, validation test if a service is running before the
upgrade process starts.
In some cases, servies doesn't exist yet so we don't want to run the
validation.
This patch makes sure we check if the service is actually present on the
system before validating it's running correctly.
Also it makes sure that services are enabled before trying to stop them.
It allows use-cases where we want to add new services during an upgrade.
Also install new packages of services added in Ocata, so we can validate
upgrades on scenarios jobs.
Change-Id: Ib48fb6b1557be43956557cbde4cbe26b53a50bd8
|
|
In the previous release[1], the services were stopped before the
pacemaker services, so that they get a chance to send last message to
the database/rabbitmq queue:
Let's do the upgrade in the same order.
[1] https://github.com/openstack/tripleo-heat-templates/blob/stable/newton/extraconfig/tasks/major_upgrade_controller_pacemaker_2.sh#L13-L71
Change-Id: I1c4045e8b9167396c9dfa4da99973102f1af1218
|
|
Adds a step0 for most services to check that the state is running
before continuing with any of the other upgrades steps (these are
tagged step0).
You can skip this service check by overriding the
SkipUpgradeConfigTags parameter as follows:
parameter_defaults:
SkipUpgradeConfigTags: validation
Co-Authored-By: Steven Hardy <shardy@redhat.com>
Change-Id: Ie276f153015f671b720b6ed5beaac1b921661909
|
|
These are only used for TLS-everywhere, and fills up the kerberos
principals that will need to be created for the certs used by the
overcloud. With this, the metadata hook will format these principals
correctly and will further pass them on to the nova metadata service.
Where they can be used if there's a plugin enabled.
bp tls-via-certmonger
bp novajoin
Change-Id: I873094bb69200052febda629fda698a7a782c031
|
|
Heat now supports release name aliases, so we can replace
the inconsistent mix of date related versions with one consistent
version that aligns with the supported version of heat for this
t-h-t branch.
This should also help new users who sometimes copy/paste old templates
and discover intrinsic functions in the t-h-t docs don't work because
their template version is too old.
Change-Id: Ib415e7290fea27447460baa280291492df197e54
|
|
This shows how we could wire in the upgrade steps using Ansible
as was previously proposed e.g in https://review.openstack.org/#/c/321416/
but it's more closely integrated with the new composable services
architecture.
It's also very similar to the approach taken by SpinalStack where
ansible snippets per-service were combined then run in a series of
steps using Ansible tags.
This patch just enables upgrade of keystone - we'll add support for
other patches in subsequent patches.
Partially-Implements: blueprint overcloud-upgrades-per-service
Change-Id: I39f5426cb9da0b40bec4a7a3a4a353f69319bdf9
|
|
Previously the ctrl plane VIP would default to 'br-ex' which in non-vlan
deployments ends up being the wrong interface. The public VIP interface
was also defaulted to 'br-ex' which would be incorrect for vlan based
deployments. Since a user has already given the nic template (and in
most cases the subnet that corresponds to the nic) the installer should
be able to figure out which interface the public/control vip should be
on.
These changes enable that type of auto-detection, unless a user
explicitly overrides the heat parameters for ControlVirtualInterface and
PublicVirtualInterface. Also, incorrect parameters from haproxy service
are removed.
Depends-On: I05105fce85be8ace986db351cdca2916f405ed04
Closes-Bug: 1606632
Change-Id: I3c1c39824ec32ced304a782edc6ef49c0769c108
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
This adds some basic pieces to get certmonger to manage the
certificates for HAProxy. The aim is to be flexible enough that we
will be able to manage both public and internal certificates.
This also adds a relevant environment to get the endpoints to have
TLS everywhere.
bp tls-via-certmonger
Depends-On: I89001ae32f46c9682aecc118753ef6cd647baa62
Change-Id: Ife5f8c2f07233295bc15b4c605acf3d9bd62f162
|
|
|
|
- adds possibility to install sensu-client on all nodes
- each composable service has it's own subscription
Co-Authored-By: Emilien Macchi <emilien@redhat.com>
Co-Authored-By: Michele Baldessari <michele@redhat.com>
Implements: blueprint tripleo-opstools-availability-monitoring
Change-Id: I6a215763fd0f0015285b3573305d18d0f56c7770
|
|
Change-Id: Ibc86d4dd0aa576345e3f174ea1adca3e6248e81e
Depends-On: I5c620ba717f782b39c599aff24b4ac56fb695a04
|
|
With the introduction of the global config, HAProxy can know which
endpoints to expose. It will get those via hieradata.
Change-Id: I0f5ce8c7394625e8dce691ae1996457a9ea99a99
|
|
Make sure Ironic API listens on a different IP than HAProxy.
Also open firewall ports for Ironic API and TFTP.
Change-Id: I9d843e76adcdb1085fd1e9fb7408a2387909382b
|
|
This moves the config settings out of controller.yaml for Keepalived
and HAproxy.
NOTE: the tripleo::haproxy::redis_password wasn't getting set
correctly before this patch. Looks like a breakages that
occurred when puppet-tripleo dropped the loadbalancer class.
Related-Bug: #1604414
Change-Id: Id24b02ac73f4ae33b20194da8a5f99f17403ece9
|
|
This patch adds a new DefaultPasswords parameter to
composable services. This is needed to help provide
access to top level password resources that overcloud.yaml
currently manages (passwords for Rabbit, Mysql, etc.).
Moving the RandomString resources into composable services
would cause them to regenerate within the stack. With this
approach we can leave them where they are while we deprecate
the top level mechanism and move the code that uses the
passwords into the composable services.
Change-Id: I4f21603c58a169a093962594e860933306879e3f
|
|
This will be needed to pick the network where the service has
to bind to from within the service template.
Change-Id: I52652e1ad8c7b360efd2c7af199e35932aaaea8c
|
|
Migrate puppet/hieradata/*.yaml parameters to puppet/services/*.yaml
except for some services that are not composable yet.
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: I7e5f8b18ee9aa63a1dffc6facaf88315b07d5fd7
|
|
Split out the firewall rules in puppet/hieradata/controller.yaml
into the composable services
Depends-On: Id370362ab57347b75b1ab25afda877885b047263
Change-Id: Icaecab100d3f278035fbbb3facb9bf6c62c76c03
|
|
This patch adds a new service_name section to each composable
service. We now have an explicit unit test check to ensure that
service_name exists in tools/yaml-validate.py.
This patch also wires service_names into hieradata on each
of the roles so that tools can access the deployed services locally
during deployment and upgrades.
Change-Id: I60861c5aa760534db3e314bba16a13b90ea72f0c
|
|
Split Loadbalancer into HAproxy & Keepalived roles.
Depends-On: I8aa9045fc80205485abab723968b26084f60bf71
Change-Id: If2723358099e78052c351a4a45fdf01d116a89df
|