path: root/puppet
Age | Commit message | Author | Files | Lines
2015-11-26 | Minor fixes to TLS related resources | Juan Antonio Osorio Robles | 3 | -6/+4
* Fixed a comment to avoid ambiguity with concepts in Heat
* Removed default values from necessary parameters in the TLS environment
* Simplified setting of the cert/key into a file.
Change-Id: I351778150a6fbf7affe1a0fddb1abb9869324dfc
2015-11-25 | Merge "Output the SSL Certificate and Key modulus" | Jenkins | 3 | -0/+26
2015-11-25 | Merge "Enable trust anchor injection" | Jenkins | 7 | -6/+129
2015-11-25 | Merge "Inject TLS certificate and keys for the Overcloud" | Jenkins | 3 | -14/+127
2015-11-25 | Output the SSL Certificate and Key modulus | Mark Chappell | 3 | -0/+26
Provides a simple mechanism to verify the correct certificates landed.
A quick and simple way to verify SSL certificates were generated for a given key is by comparing the modulus of the two. By outputting the key modulus and certificate modulus we offer a way to verify that the right cert and key have been deployed without compromising any of the secrets.
Change-Id: I882c9840719a09795ba8057a19b0b3985e036c3c
2015-11-25 | Enable trust anchor injection | Juan Antonio Osorio Robles | 7 | -6/+129
This commit enables the injection of a trust anchor or root certificate into every node in the overcloud. This is in case that the TLS certificates for the controllers are signed with a self-signed CA or if the deployer would like to inject a relevant root certificate for other purposes. In this case the other nodes might need to have the root certificate in their trust chain in order to do proper validation
Change-Id: Ia45180fe0bb979cf12d19f039dbfd22e26fb4856
2015-11-23 | Merge "Implement Advanced Firewalling support" | Jenkins | 8 | -0/+125
2015-11-23 | Inject TLS certificate and keys for the Overcloud | Juan Antonio Osorio Robles | 3 | -14/+127
This is a first implementation of adding TLS termination to the load balancer in the controllers. The implementation was made so that the appropriate certificate/private key in PEM format is copied to the appropriate controller(s) via a software deployment resource. And the path is then referenced on the HAProxy configuration, but this part was left commented out because we need to be able to configure the keystone endpoints in order for this to work properly.
Change-Id: I0ba8e38d75a0c628d8132a66dc25a30fc5183c79
2015-11-23 | Merge "Allows for customization of NetworkDeployment actions" | Jenkins | 5 | -2/+30
2015-11-20 | Merge "Change default host reserved memory to 2048MB from 512MB" | Jenkins | 1 | -0/+6
2015-11-20 | Allows for customization of NetworkDeployment actions | Giulio Fidente | 5 | -2/+30
We don't necessarily want the network configuration to be reapplied with every template update so we add a param to configure on which action the NetworkDeployment resource should be executed.
Change-Id: I0e86318eb5521e540cc567ce9d77e1060086d48b
Co-Authored-By: Dan Sneddon <dsneddon@redhat.com>
Co-Authored-By: James Slagle <jslagle@redhat.com>
Co-Authored-By: Jiri Stransky <jstransk@redhat.com>
Co-Authored-By: Steven Hardy <shardy@redhat.com>
2015-11-19 | Change default host reserved memory to 2048MB from 512MB | Joe Talerico | 1 | -0/+6
Results from pmap of idle nova-compute: https://gist.github.com/jtaleric/addd9079d6cdf4f7cf42
Results from free -m and cat /proc/meminfo: https://gist.github.com/jtaleric/410130f09c2aad2dc7e9
bug: https://bugzilla.redhat.com/show_bug.cgi?id=1282644
Change-Id: I9b3ceecabfdae0a516cfc72886fde7b26cc68f82
2015-11-19 | Implement Advanced Firewalling support | Emilien Macchi | 8 | -0/+125
Consume puppet-tripleo to create/manage IPtables from Heat templates. This review put in place the logic to enable and setup firewall rules. A known set of rules are applied. More to come.
Change-Id: Ib79c23fb27fe3fc03bf223e6922d896cb33dad22
Co-Authored-By: Yanis Guenane <yguenane@redhat.com>
Depends-On: I144c60db2a568a94dce5b51257f1d10980173325
2015-11-18 | Merge "Implement Neutron enable_isolated_metadata parameters" | Jenkins | 1 | -0/+6
2015-11-17 | Merge "neutron: enable nova-event-callback by default" | Jenkins | 4 | -2/+12
2015-11-17 | Merge "Pass ceph::pool arguments when calling class" | Jenkins | 3 | -10/+6
2015-11-17 | neutron: enable nova-event-callback by default | Emilien Macchi | 4 | -2/+12
* Add NovaApiVirtualIP string parameter.
* Compute nova_url and nova_admin_auth_url parameters.
* Configure in Hiera neutron::server::notifications::* parameters.
* non-ha: include ::neutron::server::notifications
* ha: include ::neutron::server::notifications and create orchestration
* Set vif_plugging_is_fatal to True so we actually fail if Neutron is not able to create the VIF during Nova server creation workflow.
Depends-On: I21dc10396e92906eab4651c318aa2ee62a8e03c7
Change-Id: I02e41f87404e0030d488476680af2f6d45af94ff
2015-11-17 | Implement Neutron enable_isolated_metadata parameters | Cyril Lopez | 1 | -0/+6
* Use the parameter in Puppet configuration (Hiera) to configure neutron
BZ-1273303
Change-Id: Ic5a7a1f13fd2bc800cadc3a78b1daadbc0394787
Signed-off-by: Cyril Lopez <cylopez@redhat.com>
2015-11-17 | Merge "Add support for enabling L2 population in Neutron" | Jenkins | 2 | -0/+14
2015-11-16 | Add support for enabling L2 population in Neutron | Brent Eagles | 2 | -0/+14
This change adds support for enabling/disabling L2 population in Neutron agents. It currently defaults to false.
Change-Id: I3dd19feb4acb1046bc560b35e5a7a111364ea0d7
2015-11-16 | Merge "Bump further the stop/start timeout for pcmk/systemd services" | Jenkins | 1 | -8/+8
2015-11-13 | Merge "honor the rabbit user and password provided" | Jenkins | 2 | -2/+4
2015-11-13 | Merge "Fix cinder error when CinderNfsMountOptions option is absent" | Jenkins | 2 | -2/+2
2015-11-13 | Pass ceph::pool arguments when calling class | Giulio Fidente | 3 | -10/+6
Pass the ceph::pool properties as arguments to the class call instead of setting them as class defaults. Ceph recommends max 32 PGs and min 4 PGs per OSD so this change also lowers the defaults to 32 which works with 1 OSD, suits well a scenario with 3 OSDs and is easy to customize in the static hiera if more than 8 OSDs are deployed.
More info at: https://bugzilla.redhat.com/show_bug.cgi?id=1252546
Change-Id: Ifed11d1857900b2251dfdf69d6b6f168150e6330
2015-11-13 | Merge "Refacter Endpoints into EndpointMap" | Jenkins | 3 | -114/+35
2015-11-13 | Fix cinder error when CinderNfsMountOptions option is absent | Pierre Blanc | 2 | -2/+2
When I deploy director with NFS backend for cinder, sometimes I don't need nfs mount options. If I choose to omit this option, or if the option is defined to '', the deployment fails. This patch just adds a default value for this option.
Change-Id: Idf708aaecebd5c6db14f48ad2a53d6c2453be5ee
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1281870
2015-11-13 | Bump further the stop/start timeout for pcmk/systemd services | Giulio Fidente | 1 | -8/+8
This bumps further up the stop/start timeout for the pcmk/systemd services so that it matches the 100s default set in future pcmk versions [1].
1. https://github.com/ClusterLabs/pacemaker/commit/17d65e9f44061a4fa14a9cddd6edc403b2d6d2b3
Change-Id: I6fc18f1ad876c5a25723710a3b20d8ec9519dcba
2015-11-12 | Merge "Set default start/stop timeout for pcmk services to 95s" | Jenkins | 1 | -8/+8
2015-11-11 | Merge "Allow customization of Ceph client user" | Jenkins | 6 | -8/+31
2015-11-11 | Merge "Allow a user to specify a comma separated list of ntp servers" | Jenkins | 5 | -30/+15
2015-11-11 | Refacter Endpoints into EndpointMap | Mark Chappell | 3 | -114/+35
Because many of the service endpoints URLs use the same patterns for generating the URLs it makes sense to use the same templates to reduce the copy and paste. In the process also adds support for explicitly specifying hostnames for use in the endpoints.
Note: DNS must be pre-configured. The Heat templates do not directly configure DNS.
Change-Id: Ie3270909beca3d63f2d7e4bcb04c559380ddc54d
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
2015-11-11 | Merge "Enable glance-api show_image_direct_url for COW" | Jenkins | 1 | -0/+1
2015-11-11 | Merge "Revert "Manage keystone initialization directly in t-h-t manifests"" | Jenkins | 4 | -289/+2
2015-11-10 | Merge "Allow customization of the Ceph pool names" | Jenkins | 6 | -13/+44
2015-11-10 | honor the rabbit user and password provided | Mike Burns | 2 | -2/+4
Currently rabbit username and password are defaulted and attempting to use anything else would result in a failure during deployment.
Change-Id: I8a2e240a19f915309eee45ea3c3368d131af6c1b
Related: rhbz#1261303
2015-11-10 | Set default start/stop timeout for pcmk services to 95s | Giulio Fidente | 1 | -8/+8
This change will increase the default start/stop timeout for all the non-ocf pcmk services to 95s to make sure it allows for at least 90s to the systemd script to complete the start/stop.
More info at: https://bugzilla.redhat.com/show_bug.cgi?id=1275324
Change-Id: I04f691396a4118b456728a43d71d32ac9a556431
2015-11-09 | Merge "Make puppet manifests compliant with Puppet 4.x" | Jenkins | 7 | -363/+366
2015-11-05 | Add support to tag patch port for Cisco Nexus1000v VSM bringup | Shiva Prasad Rao | 1 | -0/+5
In some deployments we will need to tag the patch port connecting to vsm-br in order for traffic to go out. This patch passes the vlan parameter to the puppet.
Change-Id: I18734ae39007985769db9371abe1740e0f2872f7
2015-11-05 | Allow customization of Ceph client user | Giulio Fidente | 6 | -8/+31
Previously we enforced the Ceph user used by the OpenStack clients to be named 'openstack', this change allows for customization of such a name.
Change-Id: Idef3e1ed4e8e21b645081869b8d6fad2329bdc60
2015-11-05 | Allow customization of the Ceph pool names | Giulio Fidente | 6 | -13/+44
This is useful in those scenarios where we want to use an external Ceph deployment with multiple overclouds.
Change-Id: I1749d2a6547f6ce25843709e46a1447e8d42cfff
2015-11-05 | Make puppet manifests compliant with Puppet 4.x | Gael Chamoulaud | 7 | -363/+366
- https://docs.puppetlabs.com/puppet/3.8/reference/deprecated_language.html
- Temporary disablement of the puppet-lint autoload layout check failing for ringbuilder.pp. A fix for that will be part of another patch.
Change-Id: I495825641ab12e7c5789c1405649c356c5bb8051
Signed-off-by: Gael Chamoulaud <gchamoul@redhat.com>
2015-11-05 | Merge "compute/ceilometer: use internalURL for os endpoint type" | Jenkins | 1 | -0/+1
2015-11-05 | Merge "Fix dependency for Ceilometer agent when using MySQL" | Jenkins | 1 | -8/+17
2015-11-04 | Merge "Do not enforce start timeout to 90s for neutron-server" | Jenkins | 1 | -1/+0
2015-11-04 | Revert "Manage keystone initialization directly in t-h-t manifests" | Ben Nemec | 4 | -289/+2
This reverts commit 86d6c1ddc76bad423194e789ffb5474e4e12960e.
This likely has an impact on upgrades, and since we don't have an upgrade CI job yet I'm concerned that we may have just broken ourselves. I would prefer to wait to merge this until the CI job is in place.
Change-Id: Ib2366cb4b40471a28122f6e9955da9bdb31a53fb
2015-11-04 | Merge "Manage keystone initialization directly in t-h-t manifests" | Jenkins | 4 | -2/+289
2015-11-04 | Merge "Cisco Nexus ML2 MD: Need unique key for server level keys in hieradata" | Jenkins | 1 | -3/+7
2015-11-04 | Do not enforce start timeout to 90s for neutron-server | Giulio Fidente | 1 | -1/+0
The same timeout value is set for every pcmk service in [1]
1. https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/manifests/overcloud_controller_pacemaker.pp#L81
Change-Id: I253f6cbc5ccdbf8c46cc537ff9600f201aae540a
2015-11-03 | Manage keystone initialization directly in t-h-t manifests | Yanis Guenane | 4 | -2/+289
This is the second change of a series of two, it creates the user, user_role, service and endpoint for:
* glance
* nova
* neutron
* cinder
* horizon
* swift
* ceilometer
* heat
Change-Id: I50e792d98a2ba516ff498c58ad402f463c5f7e76
2015-11-03 | Create keystone roles and admin user from t-h-t manifests | Yanis Guenane | 4 | -3/+55
Currently keystone initialization happens via os-cloud-config [1]. This commit moves some of that directly into the manifests. This is the first in a series of two changes to migrate it entirely into t-h-t. This change focuses on implementing what keystone.initialize() was doing on the tripleoclient [2], creates the admin tenant, user and roles. It also creates the keystone endpoint itself.
1. https://github.com/openstack/os-cloud-config/blob/master/os_cloud_config/keystone.py#L128-L158
2. https://github.com/openstack/python-tripleoclient/blob/master/tripleoclient/v1/overcloud_deploy.py#L462-L527
Change-Id: I98555b707ff9b91c6e218de5dca68106ea05c8ea
Depends-On: Ia4b3244f114dcff746ab89d355ad4933f8fdbddf