Age | Commit message (Collapse) | Author | Files | Lines |
|
Provision the Keystone Fernet Token provider
by installing 2 keys with dynamic content
generated by python-tripleoclient.
Note that this only sets up the necessary keys to use fernet as a token
provider, however, this does not intend to set it up as the default
provider; This will be discussed and will come as part of another
commit.
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Depends-On: Ic070d160b519b8637997dbde165dbf15275e0dfe
Change-Id: Iaa5499614417000c1b9ba42a776a50cb22c1bb30
|
|
In order to eventually enable fernet tokens for keystone, we need to be
specify the token provider. This change codifies the current default
used by TripleO of uuid tokens and fernet token setup disabled.
Change-Id: I7c03ed7b6495d0b9a57986458d020b3e3bf7224a
Closes-Bug: #1641763
|
|
Closes-Bug: rhbz#1392428
Closes-Bug: #1640834
Change-Id: I2a1a869493ccb4c8d5b9aea26b8ef947750d2cfe
|
|
|
|
|
|
Change-Id: Ib25849565c617f32357ef545957f58454b2a53f8
|
|
This adds an environment file that can be used to enable TLS in
the internal endpoints via certmonger if used. This will include
a nested stack that will create the hash that will be used to
create the certmonger certificates.
When setting up a service over apache via puppet, we used to disable
explicitly ssl (which sets modd_ssl-related fields for that vhost).
We now make this depend on the EnableInternalTLS flag. This has only
been done for keystone, but more services will be added as the
puppet code lands
bp tls-via-certmonger
Depends-On: I303f6cf47859284785c0cdc65284a7eb89a4e039
Change-Id: I12e794f2d4076be9505dabfe456c1ca6cfbd359c
|
|
This patch movs the various db::mysql hiera settings into a
'mysql' specific service_config_settings section for each
service so that these will only get applied on the MySQL service
node. This follows a similar puppet-tripleo change where we
create the actual databases for all services locally on
the MySQL service node to avoid permission issues.
Change-Id: Ic0692b1f7aa8409699630ef3924c4be98ca6ffb2
Closes-bug: #1620595
Depends-On: I05cc0afa9373429a3197c194c3e8f784ae96de5f
Depends-On: I5e1ef2dc6de6f67d7c509e299855baec371f614d
|
|
In upstream puppet-keystone, the boostrap process should use an admin
password not the admin token for the bootstrapping of keystone. The
admin password option is being added to the upstream class so we will
need to provide it to properly have keystone bootstrapped.
Change-Id: Icab4b0cb70d6caf2f2792c4fe730f060b807fbc1
Depends-On: I7a706d93b43ec025bdb4b29667f64ff2f7dd52a0
Related-Bug: #1621959
|
|
Change-Id: I291bfb1e5736864ea504cd82eea1d4001fcdd931
|
|
Currently the servername is incorrectly set for the services running
over apache. It currently takes the default value which is just the
regular FQDN, when the services actually might be running on
different IPs that require alternative FQDNs.
This fixes that by filling that value from a fact in hiera that's
dependant on the service's network.
Closes-Bug: #1625677
Change-Id: Ib7ea5fd2d18a376eaa2f5a3fa5687cb9b719a8e2
|
|
This implements support for installing fluentd agents as a composable
service on the overcloud.
Depends-On: I2e1abe4d8c8359e56ff626255ee50c9cacca1940
Implements: tripleo-opstools-centralized-logging
Change-Id: I23b0e23881b742158fcfb6b8c145a3211d45086e
|
|
|
|
The keystone public_endpoint value should be deduced from the calling
request and not hardcoded, or it makes network isolation impossible.
Change-Id: Ide6a65aa9393cb84591b0015ec5966cc01ffbcf8
Closes-Bug: 1381961
|
|
Configure Keystone credentials by installing 2 keys with dynamic content
generated by python-tripleoclient.
Note: this is a first iteration of managing Keystone credentials. It has
a few limitations:
- keys are not exported to external storage.
- keys are not rotated automatically.
Change-Id: I45cf8821eadf528dfcdc8d74e6e0484597b0d2c0
|
|
- adds possibility to install sensu-client on all nodes
- each composable service has it's own subscription
Co-Authored-By: Emilien Macchi <emilien@redhat.com>
Co-Authored-By: Michele Baldessari <michele@redhat.com>
Implements: blueprint tripleo-opstools-availability-monitoring
Change-Id: I6a215763fd0f0015285b3573305d18d0f56c7770
|
|
This patch moves the settings for Nova, Neutron, and Horizon
out of controller.yaml.
Also fixes the NovaPassword settings in nova-base.yaml
so they don't use get_input.
Also, creates a new apache.yaml base service to contain shared
apache settings for several services which use Apache for WSGI.
Co-Authored-By: Giulio Fidente <gfidente@redhat.com>
Change-Id: I35d909bd5abc23976b5732a2b9af31cf1448838e
Related-bug: #1604414
|
|
This patch moves keystone, mongodb, and manila
bind host settings out of controller.yaml and into
composable services.
Change-Id: I1874dc47fffa30606107999da702442badde35c9
|
|
This patch adds a new DefaultPasswords parameter to
composable services. This is needed to help provide
access to top level password resources that overcloud.yaml
currently manages (passwords for Rabbit, Mysql, etc.).
Moving the RandomString resources into composable services
would cause them to regenerate within the stack. With this
approach we can leave them where they are while we deprecate
the top level mechanism and move the code that uses the
passwords into the composable services.
Change-Id: I4f21603c58a169a093962594e860933306879e3f
|
|
This will be needed to pick the network where the service has
to bind to from within the service template.
Change-Id: I52652e1ad8c7b360efd2c7af199e35932aaaea8c
|
|
Currently we have a hard-coded set of per-service parameters, which
will cause problems for custom roles and full composability.
As a first step towards making this more configurable, remove the
hard-coded per-service parameters from overcloud.yaml, and adjust
the EndpointMap generation to instead accept two mappings, the
ServiceNetMap and a mapping of networks to IPs (effectively this
just moves the map lookup inside the endpoint map instead of
inside overcloud.yaml)
Change-Id: Ib522e89c36eed2115a6586dd5a6770907d9b33db
Partially-Implements: blueprint custom-roles
|
|
These interfaces have all been deprecated by keystone, and we don't
offer any parameter interface to select PKI token format anyway,
so remove these to align with keystone reccomendations.
The keystone.conf.sample says these values may be silently ignored or
removed, so it seems reasonable to do the same here (parameter_defaults
should be ignored from old stacks).
Change-Id: Ic88d584863a98ed49fc335825fbfba7a52b0f14e
Depends-On: I8232262b928c91dcde7bea2f23fa2a7c2660719e
|
|
This is the THT part that brings us the next generation architecture
as described in the following spec:
https://review.openstack.org/#/c/299628/
Blueprint:
https://blueprints.launchpad.net/tripleo/+spec/ha-lightweight-architecture
So far we tested deployment + tripleo.sh --overcloud-pingtest and
failover + tripleo.sh --overcloud-pingtest
Note that many of the Pacemaker template files become redundant with
this change, but to simplify the process of getting this change landed,
those templates will not be removed until a future commit.
Depends-On: I5e7585c08675d8a4bd071523b94210d325d79b59
Change-Id: I00bccb2563c006f80baed623b64f1e17af20dd4e
Implements: blueprint ha-lightweight-architecture
Co-Author: cmsj@tenshu.net
|
|
The http_proxy_to_wsgi middleware was recently added to keystone as
default in the pipeline [1]. So this takes it into use instead of the
non-standard option we were using before, which will be deprecated.
We already enable this middleware for nova, cinder and heat.
[1] Iad628a863e55cbf20c89ef23ebc7527ba8e1a835
Depends-On: I0fec98a6e1d9c8be4d8b8df382b78ba2815790f9
Change-Id: I8c1b84adc828a2b8c9ea11c4e2b8349427b1b206
|
|
Migrate puppet/hieradata/*.yaml parameters to puppet/services/*.yaml
except for some services that are not composable yet.
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: I7e5f8b18ee9aa63a1dffc6facaf88315b07d5fd7
|
|
Split out the firewall rules in puppet/hieradata/controller.yaml
into the composable services
Depends-On: Id370362ab57347b75b1ab25afda877885b047263
Change-Id: Icaecab100d3f278035fbbb3facb9bf6c62c76c03
|
|
This patch adds a new service_name section to each composable
service. We now have an explicit unit test check to ensure that
service_name exists in tools/yaml-validate.py.
This patch also wires service_names into hieradata on each
of the roles so that tools can access the deployed services locally
during deployment and upgrades.
Change-Id: I60861c5aa760534db3e314bba16a13b90ea72f0c
|
|
The current default doesn't get expanded to its real value correctly,
the new one should work better, it's according to hiera docs:
https://docs.puppet.com/hiera/3.2/variables.html
Change-Id: I8d1df131d2f1eee4ae0f725358d33a3ecfa3175a
|
|
Now that keystone is run with wsgi apache the KeystoneWorkers
param has no efffect [1]. This repurposes KeystoneWorkers to now
set wsgi::apache::workers and adds the
keystone::wsgi::apache::threads hardcoding to 1 (can overrride
via extraconfig data)
[1] https://github.com/openstack/puppet-keystone/blob/51c68fb127c28b9748b352871783c3ec6ef5c83b/manifests/init.pp#L396
Closes-Bug: 1598092
Change-Id: I503d1f0d3f4c56abfaf4609ea8290e78668013b6
|
|
Change-Id: I934aff4960588a3957b7a7bcc90385ae48d34d1e
|
|
By passing the MysqlVirtualIP via the EndpointMap we won't need it
to be provided as a parameter to the services.
This follows what is already happening for the glance registry
service with I9186e56cd4746a60e65dc5ac12e6595ac56505f0.
Change-Id: Iad2ab389bf64d0fc8b06eb0e7d29b5370ff27dff
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
|
|
Adds new puppet and puppet pacemaker specific services for
Keystone.
The puppet manifests for keystone now live in puppet-tripleo.
Hiera settings are driven by the nested stack heat templates
and used to control puppet-keystone and puppet-tripleo
directly.
The Pacemaker template extends the default keystone service and
swaps in the pacemaker specific puppet-tripleo profile instead.
Change-Id: I8b30438a27e9d5ec4e7d335e0bd1a931a20b03a2
Depends-On: I2faf5a78db802549053ec41678bf83bf28108189
|