summaryrefslogtreecommitdiffstats
path: root/puppet
AgeCommit message (Collapse)AuthorFilesLines
2017-05-11Merge "Disabling replacing fernet keys from puppet"Jenkins1-0/+1
2017-05-11Merge "Make upgrade steps unconditional to fix broken dependencies"Jenkins1-19/+0
2017-05-11Disabling replacing fernet keys from puppetJuan Antonio Osorio Robles1-0/+1
Once puppet has written the initial fernet keys, if a deployer wants to rotate them, the keys will be overwritten when another overcloud deploy is executed (for instance, for updates or upgrades). This disables replacing this keys via puppet, so now the operator can rotate the keys out of band. Change-Id: I01fd46ba7c5e0db12524095dc9fe29e90cb0de57
2017-05-10Merge "Add networking-vpp ML2 mechanism driver support"Jenkins1-0/+48
2017-05-09Make upgrade steps unconditional to fix broken dependenciesJiri Stransky1-19/+0
Change I5c8b0c4abfc0607f42fd3f2da9f5ef2702b1bbe1 introduced conditions to optimize upgrade times and fix related bugs. Unfortunately the conditional inclusion would have to be paired with support in depends_on to work as we need. Currently we can hit this bug if the batch upgrade steps are undefined for some role, but upgrade steps are definied: The specified reference "ControllerUpgradeBatch_Step2" (in ControllerUpgradeConfig_Step0) is incorrect. To fix this we have to make the steps unconditional. This isn't fully reverting the original change because that change also addressed ordering issues. Change-Id: I369591f4757c10142f5b455e64aa778e1a9a5611 Closes-Bug: #1689553
2017-05-07Merge "Set puppet-redis managed_by_cluster_manager to true"Jenkins2-0/+6
2017-05-06Set puppet-redis managed_by_cluster_manager to trueMichele Baldessari2-0/+6
Via https://github.com/arioch/puppet-redis/pull/192 puppet-redis grew ulimit support also for pacemaker managed redis instances. To be able to use that we need to set redis::managed_by_cluster_manager to true. We also allow redis::ulimit to be configurable and we set a default of 10420 which was the default value before the above change. Change-Id: I06129870665d7d3bfa09057fd9f0a33a99f98397 Depends-On: I4ffccfe3e3ba862d445476c14c8f2cb267fa108d Closes-Bug: #1688464
2017-05-05Use the make_url function to build URLsZane Bitter20-242/+236
Change-Id: I2b23d92c85d5ecc889a7ee597b90e930bde9028e Depends-On: I72f84e737b042ecfaabf5639c6164d46a072b423
2017-05-05Merge "Add StackUpdateType to set hiera on upgrade"Jenkins1-1/+11
2017-05-04Merge "[N->O] Add openstack-nova-migration to compute nodes."Jenkins1-0/+3
2017-05-04Merge "Restrict nova migration ssh tunnel"Jenkins1-0/+5
2017-05-04Merge "Configure snmpd auth params in ceilometer profile"Jenkins1-0/+10
2017-05-04Add StackUpdateType to set hiera on upgradeSteven Hardy1-1/+11
This will enable those consuming the stack_update_type hieradata set by this parameter to differentiate an update from a major upgrade Change-Id: I38469f4b7d04165ea5371aeb0cbd2e9349d70c79
2017-05-04Merge "Internal TLS: Use specific CA file for mysql-client"Jenkins1-0/+6
2017-05-04Merge "Internal TLS: use common CA file parameter for libvirt CA cert"Jenkins1-5/+20
2017-05-03Merge "Add back Heat conditions in upgrade workflow"Jenkins1-28/+50
2017-05-03Merge "snmp: add SnmpdBindHost parameter"Jenkins1-0/+5
2017-05-03Merge "Set reasonable TTL defaults for Ceilometer DB"Jenkins1-1/+12
2017-05-03Merge "Expose metric delay processing metric"Jenkins1-0/+5
2017-05-03[N->O] Add openstack-nova-migration to compute nodes.Sofer Athlan-Guyot1-0/+3
This add openstack-nova-migration on the compute during the upgrade. Closes-Bug: #1687081 Depends-on: Iab022bdfb655e3c52fecebf416e75c9e981072ab Depends-on: I02dc8934521340f42ac44a7d16889f6d79620c33 Change-Id: I3db2a3188e538eeaef61769d38f0166545444cfe
2017-05-03Restrict nova migration ssh tunnelOliver Walsh1-0/+5
Specify the allowed networks for migration ssh tunneling. bp tripleo-cold-migration Change-Id: Iab022bdfb655e3c52fecebf416e75c9e981072ab Depends-on: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
2017-05-03Merge "Add parameter Ec2ApiExternalNetwork for VPCs"Jenkins1-0/+15
2017-05-03Add back Heat conditions in upgrade workflowGiulio Fidente1-28/+50
By adding back the conditions we avoid the deployment of unneded software configs on nodes where we don't have any upgrade task to run, speeding up the upgrade process. Related-Bug: #1679486 Related-Bug: #1678101 Change-Id: I5c8b0c4abfc0607f42fd3f2da9f5ef2702b1bbe1
2017-05-03Configure snmpd auth params in ceilometer profilePradeep Kilambi1-0/+10
Depends-On: I55ac06e1a561d29d7e1c928a1684989c9654b95d Change-Id: Id29e96979b937593efe244f46ce2dd74df3aaa7f
2017-05-03Set reasonable TTL defaults for Ceilometer DBPradeep Kilambi1-1/+12
By deafult, we let the data live for ever. Which isnt very efficient. Lets expose params to tweak this and use a reasonable default. Change-Id: I145fa73a7af9cb4135ba910d3659853b3baa893d
2017-05-03Expose metric delay processing metricPradeep Kilambi1-0/+5
For performance reasons we might want to tweak this param lets expose this via tripleo. The puppet changes were added in this patch I5de5283d1b14e0bba63d6d9a440611914ba86ca4 Change-Id: I72f1fe3a47060fe37602a70b8a74fba72209127c
2017-05-03Internal TLS: Use specific CA file for mysql-clientJuan Antonio Osorio Robles1-0/+6
Instead of using the CA bundle, this sets the mysql client configuration file to use a specific file for validating the certificate of the database server. This helps in two ways: * Improves performance since validation will check only one certificate. * Improves security since we're only the certificates signed by one CA are valid, instead of any certificate that the system trusts (which could include potentially compromised public certs). Change-Id: I46f7cb6da73715f8f331337e0161418450d5afd7 Depends-On: I75bdaf71d88d169e64687a180cb13c1f63418a0f
2017-05-03Internal TLS: use common CA file parameter for libvirt CA certJuan Antonio Osorio Robles1-5/+20
libvirt has its own parameter for setting the CA, however, if we have a common CA for all services in the internal network (which we do), it's more consistent to use the common parameter for configuring that CA file. The previous parameter was left in case the deployer wants to use a specific CA file for the compute nodes. Change-Id: I3d132d3d257d7ea9f43e49593f8509c3cd205ca5
2017-05-03Internal TLS: Use specific CA file for haproxyJuan Antonio Osorio Robles1-0/+6
Instead of using the CA bundle, this sets HAProxy to use a specific file for validating the certificates of the services it's proxying. This helps in two ways: * Improves performance since validation will check only one certificate. * Improves security since we're only the certificates signed by one CA are valid, instead of any certificate that the system trusts (which could include potentially compromised public certs). Change-Id: Id6de045b3c93c82d37e0b0657c17a3108516016a
2017-05-02Add deprecation notes for panko servicePradeep Kilambi1-1/+3
Change-Id: Ic218a753e0cede2ba3951bcaec843f487dce0c71
2017-05-02Merge "Fix for the resource ControllerPostPuppetMaintenanceModeDeployment"Jenkins1-1/+1
2017-05-02Merge "Deprecate ceilometer collector"Jenkins3-33/+72
2017-05-02Merge "Use list_concat for metadata_settings for haproxy"Jenkins1-6/+4
2017-05-02snmp: add SnmpdBindHost parameterEmilien Macchi1-0/+5
SnmpdBindHost will be useful for users who want to change the binding options for SNMP daemon. It has to be an array, and by the default the value is ['udp:161','udp6:[::1]:161'] like it was in puppet-tripleo profile. Change-Id: Iccf0a8d35cc05d34272c078c97a5dddfb8e7d614 Closes-Bug: #1687628
2017-05-02Fix for the resource ControllerPostPuppetMaintenanceModeDeploymentCarlos Camacho1-1/+1
Closes-Bug:1686619 Change-Id: I7c32ca39a456de9833d30c31d41fcb727d2b0a34
2017-05-02Add parameter Ec2ApiExternalNetwork for VPCsSven Anderson1-0/+15
Change-Id: I26652afe0f513ec354c05570e7fa0e5b4b0ab669
2017-05-02Use list_concat for metadata_settings for haproxyJuan Antonio Osorio Robles1-6/+4
Change-Id: Ia0e0a12e1863dce657d4e1c7f9894ea5bfd008be
2017-04-29Allow to deploy Octavia API & Neutron Server on 2 different nodesEmilien Macchi1-1/+2
Exporting the neutron::server parameter into the neutron_api service, so Octavia API and Neutron Server can be separated. Change-Id: Iee28b0e84a00bd589d6f14a73f0c3f32d310b393 Closes-Bug: #1687026
2017-04-28Merge "Enables support for configuring Cinder with Pure Storage FlashArray ↵Jenkins1-0/+68
storage backend"
2017-04-27Merge "aodh-base.yaml uses a hard coded keystone region name"Jenkins1-1/+1
2017-04-27Merge "Disable default vhost for apache"Jenkins1-0/+1
2017-04-27Merge "upgrades: deploy mod_ssl when upgrading apache"Jenkins10-95/+150
2017-04-27Merge "Change the default for rabbitmq back to ha-mode: all"Jenkins2-33/+4
2017-04-27Merge "Pass httpd service_name to Zaqar"Jenkins1-0/+1
2017-04-27Merge "[ironic] expose default boot_option in configuration and change it to ↵Jenkins1-0/+8
local"
2017-04-27Disable default vhost for apacheBogdan Dobrelya1-0/+1
It is required for a hybrid deployments when WSGI based services running both at host and in containers, without conflicting default ports. Partial-bug: #1686637 Co-authored-by: Juan Antonio Osorio Robles <jaosorior@redhat.com> Change-Id: I9d0a5bb32337a6a8f1a4036f9560df79dfe1d90a Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2017-04-26upgrades: deploy mod_ssl when upgrading apacheEmilien Macchi10-95/+150
1) When Apache is upgraded, install mod_ssl rpm. See https://bugs.launchpad.net/tripleo/+bug/1682448 to understand why we need mod_ssl. 2) All services that run Apache for API will use the snippet from Apache service to deploy mod_ssl, so we don't duplicate the code in all services. It's using the same mechanism as ovs upgrade to compile upgrade_tasks between both services. Change-Id: Ia2f6fea45c2c09790c49baab19b1efcab25e9a84 Closes-Bug: #1686503
2017-04-26Change the default for rabbitmq back to ha-mode: allMichele Baldessari2-33/+4
In change Ib62001c03e1e08f58cf0c6e0ba07a8879a584084 we switched the rabbitmq queues HA mode from ha-all to ha-exactly. While this gives us a nice performance boost with rabbitmq, it makes rabbit less resilient to network glitches as we painfully found out via https://bugzilla.redhat.com/show_bug.cgi?id=1441635. This is the THT part of the change that changes the default to ha-mode: all. Closes-Bug: #1686337 Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com> Co-Authored-By: John Eckersberg <jeckersb@redhat.com> Change-Id: I7afcf2b3c8deb13fc2134e4cae9c06a44e775384 Depends-On: I9a90e71094b8d8d58b5be0a45a2979701b0ac21c
2017-04-25Merge "Enable internal network TLS for etcd"Jenkins1-21/+56
2017-04-25Deprecate ceilometer collectorPradeep Kilambi3-33/+72
Ceilometer collector is deprecated in Pike release. Do not deploy by default. Instead use the pipeline yaml to configure the publisher directly. Closes-bug: #1676961 Change-Id: Ic71360c6307086d5393cd37d38ab921de186a2e0