summaryrefslogtreecommitdiffstats
path: root/puppet
AgeCommit message (Collapse)AuthorFilesLines
2016-12-19Merge "Set rabbitmq's port and IP via the config file and not the env file"Jenkins1-1/+3
2016-12-19Merge "Introduce role-specific nova-server-metadata"Jenkins6-12/+84
2016-12-16Introduce role-specific nova-server-metadataJuan Antonio Osorio Robles6-12/+84
We could already pass metadata to the nova server instances (on creation) via the ServerMetadata parameter, however, there was no way of doing this per-role. This introduces that by adding a {{role}}ServerMetadata parameter for each role. This parameter gets merged with the ServerMetadata parameter and allows this functionality. Note that both default to {}, and so does the result of merging those parameters with their default values. So nothing changes for the default settings. Change-Id: I334edcc51ce7ee82fc13b6cf4c0d74ccb7db099c
2016-12-14Set rabbitmq's port and IP via the config file and not the env fileJuan Antonio Osorio Robles1-1/+3
The RabbitMQ's puppet manifest configures the node's IP and port through environment variables. While this would usually be fine, it doesn't allow us to use TLS-only, since it will always try to start a TCP listener. So, by setting these values through the config file, when setting ssl_only for rabbitmq, they will effectively be discarded and thus allow us to use an SSL listener on the same port. Change-Id: I33d051a8c740baf69b99517378e1f9b0f3cc1681
2016-12-14Enable SECURE_PROXY_SSL_HEADER option for horizonJuan Antonio Osorio Robles1-0/+1
This reads makes Django take the X-Forwarded-Proto header into account when forming URLs. Change-Id: Ice64de9a11d7819ae7f380279ff356342d9b6673 Depends-On: Ifed7d4c3409419c01c5b20c707221c1fc76ea09e
2016-12-09Add FreeIPA enrollment templateJuan Antonio Osorio Robles1-0/+72
This is based on previous work [1] and it's what I've been using to test the TLS-everywhere work. This introduces a template that will run on every node to enroll them to FreeIPA and acquire a ticket (authenticate) in order to be able to request certificates. Enrollment is done via the ipa-client-install command and it does the following: * Get FreeIPA's CA certificate and trust it. * Authenticate to FreeIPA using an OTP and get a kerberos keytab. * Set up several configurations that are needed for FreeIPA (sssd, kerberos, certmonger) The keytab is then used to authenticate and get an actual TGT (Ticket-Granting-Ticket) from Kerberos The previous implementation used a PreConfig hook, however, here it was modified to use NodeTLSCAData. This has the advantage that it runs on every node as opposed to the PreConfig hook where we had to specify the role type so it's a usability improvement. And, on the other hand, this does set up necessary things for the usage of FreeIPA as a CA, such as getting the certificate and enrolling to the CA. [1] https://github.com/JAORMX/freeipa-tripleo-incubator bp tls-via-certmonger Change-Id: Iac94b3b047dca1bcabd464ea8eed6f1220c844f1
2016-12-07Merge "neutron: don't set router_delete_namespaces"Jenkins1-2/+1
2016-12-06neutron: don't set router_delete_namespacesIhar Hrachyshka1-2/+1
It's no longer available in Neutron (removed in Mitaka). See: I2a879213c3b095a007a4531f430a33cea9fdf1bd Change-Id: I044c648eb8c4933667b8ea2c9159a30e5ebb7df3
2016-12-06Fix SwiftStorage role.Chris Jones1-2/+2
We now fetch the name argument from the correctly named SwiftStorage object. Change-Id: I885505eadfc778ab57793c97af4d1c6739ec9614 Closes-Bug: #1647716
2016-12-05Merge "Support multiple meter dispatchers in ceilometer config"Jenkins1-3/+3
2016-12-05Merge "Move nodes' fqdns to a map to remove clutter"Jenkins6-679/+660
2016-12-05Merge "Fix bug when using multiple DeployArtifactURLs"Jenkins1-1/+1
2016-12-02Merge "Revert "Use FQDN for rabbitmq's nodename env variable""Jenkins1-7/+1
2016-12-02Fix bug when using multiple DeployArtifactURLsChristian Schwede1-1/+1
The script tries to download all artifact URLs with a single request, instead of downloading each URL on its own if multiple DeployArtifactURLs were given. Change-Id: I6a8be699aff7023a67702bb1d3ddc2273984cd08
2016-12-02Revert "Use FQDN for rabbitmq's nodename env variable"Ben Nemec1-7/+1
This seems to have broken the updates job, causing it to fail with following error: Can't set long node name!\nPlease check your configuration\n Related-Bug: 1646873 This reverts commit 3e9fcfd09320ace07bc1bd4cb57feb98cd057332. Change-Id: I72ba891cd9cd8c4f1bc204144f46aaabbdfd3647
2016-12-02Merge "Composable Zaqar services"Jenkins1-0/+66
2016-12-02Move nodes' fqdns to a map to remove clutterJuan Antonio Osorio Robles6-679/+660
There were several instances where the short-names/FQDNs where being gotten in the same way in the role's templates. So this introduces a mapping to get these values in order to reduce clutter. Change-Id: Ie7df360bb69d56655f3e0fcbbf4d297db39b7a26
2016-12-02Merge "Use FQDN for rabbitmq's nodename env variable"Jenkins1-1/+7
2016-12-02Merge "Use network-based fqdn entry from hiera instead of the custom fact"Jenkins11-21/+21
2016-12-01Merge "ceph-rgw: add missing user parameter"Jenkins1-0/+1
2016-12-01ceph-rgw: add missing user parameterEmilien Macchi1-0/+1
'user' is required or puppet-ceph will complain that the Keystone_user has no title: Evaluation Error: Missing title. The title expression resulted in undef at /etc/puppet/modules/ceph/manifests/rgw/keystone/auth.pp The value is set to Swift, as we use the same credentials as Swift service. Closes-Bug: #1642524 Change-Id: Ib4a7c07086b0b3354c8e589612f330ecdffdc637
2016-12-01Merge "Initial support for composable upgrades with Heat+Ansible"Jenkins10-3/+225
2016-12-01Merge "Introduce network-based FQDNs via hiera"Jenkins6-0/+217
2016-12-01Merge "Add local template generation tox task"Jenkins1-0/+6
2016-12-01Initial support for composable upgrades with Heat+AnsibleSteven Hardy10-3/+225
This shows how we could wire in the upgrade steps using Ansible as was previously proposed e.g in https://review.openstack.org/#/c/321416/ but it's more closely integrated with the new composable services architecture. It's also very similar to the approach taken by SpinalStack where ansible snippets per-service were combined then run in a series of steps using Ansible tags. This patch just enables upgrade of keystone - we'll add support for other patches in subsequent patches. Partially-Implements: blueprint overcloud-upgrades-per-service Change-Id: I39f5426cb9da0b40bec4a7a3a4a353f69319bdf9
2016-12-01Merge "Hiera optimization: use a new hiera hook"Jenkins27-475/+389
2016-12-01Merge "Fix puppet/services/README.rst step description"Jenkins1-6/+0
2016-12-01Use FQDN for rabbitmq's nodename env variableJuan Antonio Osorio Robles1-1/+7
Change-Id: Iee1afeced0b210a46b273aafc0d40e99d6ee6d4e
2016-12-01Use network-based fqdn entry from hiera instead of the custom factJuan Antonio Osorio Robles11-21/+21
This changes how we get the network-based FQDNs for the specific services, from using the custom fact, to the new hiera entries. Change-Id: Iae668a5d89fb7bee091db4a761aa6c91d369b276
2016-12-01Introduce network-based FQDNs via hieraJuan Antonio Osorio Robles6-0/+217
Currently, one can get the network-based FQDNs via a custom puppet fact. This is currently unreliable, as it's based on the ::hostname fact which we assume it's set correctly by nova. However, this is not necessarily the case (for instance, if you use pre-deployed services such as we do with the multinode-jobs). In these cases, the ::hostname fact will return something other than what we specified in nova, and effectively breaks the configurations in we relly too much on the network-based FQDN facts. By using hiera instead, we avoid this issue as we set those values to be exactly what we expect (as we set them in the OS::TripleO::Server resource. Change-Id: I6ce31237098f57bdc0adfd3c42feef0073c224fb
2016-11-30Hiera optimization: use a new hiera hookDan Prince27-475/+389
This patch optimizes how we deploy hiera by using a new heat hook specifically designed to help compose hiera within heat templates. As part of this change: - we update all the 'hiera' software configurations to set the group to hiera instead of os-apply-config. - The new format uses JSON instead of YAML. The hook actually writes out the hiera JSON directly so no conversion takes place. Arrays, Strings, Booleans all stay in their native formats. As such we can avoid having to do many of the awkward string and list conversions in t-h-t to support the previous YAML formatting. - The new hook prefers JSON over YAML so upgrading users will have the new files prefered. (we will post a cleanup routine for the old files soon but this isn't a new behavior, JSON is now simply prefered.) - A lot of services required edits to account for default settings that worked in YAML that no longer work correctly in the native JSON format. In almost all these cases I think the resulting codes looks cleaner and is more explicit with regards to what is getting configured in hiera on the actual nodes. Depends-On: I6a383b1ad4ec29458569763bd3f56fd3f2bd726b Closes-bug: #1596373 Change-Id: Ibe7e2044e200e2c947223286fdf4fd5bcf98c2e1
2016-11-30Add local template generation tox taskDan Prince1-0/+6
This patch adds a local version of our template processing routine so that developers can more quickly view the templates that are actually getting generated. I've noticed multiple developers now do a full deployment with 'overcloud deploy' only to download the swift container with the generated templates. This simple task avoids that step by allowing developers to generate it locally. It also aims to preserve the ability to use t-h-t templates directly with Heat (instead of going through Mistral) should users wish to do that. The new undercloud heat installer requires the ability to generate templates without requiring Mistral and Swift to do so. Ideally the Mistral API workflow would use this same code so perhaps in the future we might modify that routine to: -download swift tarball containing the templates -run this local routine that lives in t-h-t -re-upload the tarball of templates to the swift container Change-Id: Ie664c9c5f455b7320a58a26f35bc403355408d9b
2016-11-30Support multiple meter dispatchers in ceilometer configPradeep Kilambi1-3/+3
Currently we only support one dispatcher at a time. But ceilometer config supports dispatching data to multiple destinations at the same time. Update the param to support this. Change-Id: Ie7d854928513239a5903862623df12af1d02b642
2016-11-29Merge "Stop using puppet to configure VIPs in /etc/hosts"Jenkins1-56/+0
2016-11-28Use correct type for SensuRedactVariables parameterMartin Mágr1-1/+1
The parameter type is invalid making it impossible to enable monitoring-environment. Change-Id: I835d1e82480edb0b6d082a7496d7ceebb1781728 Closes-Bug: #1641080 Closes-Bug: rhbz#1392473
2016-11-28Merge "Enable TLS in the internal networkf or Mysql"Jenkins2-39/+92
2016-11-28Merge "adding swift middleware that is typically enabled by default"Jenkins1-0/+5
2016-11-27Stop using puppet to configure VIPs in /etc/hostsDan Prince1-56/+0
This patch drops use of the vip-hosts.yaml service which can cause issues during deployment because puppet 'hosts' resources overwrite the data in /etc/hosts. The only reason things seem to work at all at the moment is because our hosts element in t-i-e runs on each os-refresh-config iteration and re-adds the dropped hosts entries. To work around the issue we add a conditional which selectively adds the extra hosts entries only if the AddVipsToEtcHosts is set to true. Closes-bug: 1645123 Change-Id: Ic6aaeb249a127df83894f32a704219683a6382b2
2016-11-25Fix puppet/services/README.rst step descriptionSteven Hardy1-6/+0
We removed Step 6 in Iae33149e4a03cd64c5831e689be8189ad0cf034b but forgot to update the README. Similarly we made all roles use the same steps in Ia2ea559e8eeb64763908f75705e3728ee90b5744 so the comment is no longer true. Change-Id: If5482ebd22a2547ed2165199992840a0dcacb04c
2016-11-25Enable TLS in the internal networkf or MysqlJuan Antonio Osorio Robles2-39/+92
This adds the necessary hieradata for enabling TLS for MySQL (which happens to run on the internal network). It also adds a template so this can be done via certmonger. As with other services, this will fill the necessary specs for the certificate to be requested in a hash that will be consumed in puppet-tripleo. Note that this only enables that we can now use TLS, however, we still need to configure the services (or limit the users the services use) to only connect via SSL. But that will be done in another patch, as there is some things that need to land before we can do this (changes in puppetlabs-mysql and puppet-openstacklib). Change-Id: I71e1d4e54f2be845f131bad7b8db83498e21c118 Depends-On: I7275e5afb3a6550cf2abbb9a8007dedb62ada4b4
2016-11-24Merge "Make Ceilometer notifications non-blocking"Jenkins1-0/+1
2016-11-24Merge "Remove conditional for neutron l3_ha"Jenkins1-28/+10
2016-11-24Merge "Add panko api support to service templates"Jenkins3-0/+165
2016-11-23Merge "Add necessary parameters for encrypted volumes support"Jenkins1-0/+14
2016-11-23Merge "Make the CloudDomain defaults match the doc strings"Jenkins6-0/+6
2016-11-23Merge "Remove Combination alarms support"Jenkins1-6/+0
2016-11-23Merge "Configure Keystone Fernet Keys"Jenkins1-0/+11
2016-11-23Merge "Containerized Services for Composable Roles"Jenkins1-1/+16
2016-11-23Merge "Enables auto-detection for VIP interfaces"Jenkins2-17/+9
2016-11-22Make the CloudDomain defaults match the doc stringsJulie Pichon6-0/+6
Not having the default easily accessible is causing issues for the UI, as it cannot guess at it and can accidentally overwrite the value with an empty string (the expected default when unset). The default is already helpfully spelled out in the doc string for each file, this updates the parameter to match it. Change-Id: Ic284f9904e8f1d01cc717d59a0759f679d94106d Closes-Bug: #1643670