Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
|
|
|
|
This moves the now nearly identical group resources inside the loop
there's a FIXME related to some deprecated compute parameters we'll
need to work around.
Change-Id: Iddd63c42754867125e65e7721ab9d9f46f4d6afb
Partially-Implements: blueprint custom-roles
|
|
|
|
|
|
|
|
|
|
The keystone public_endpoint value should be deduced from the calling
request and not hardcoded, or it makes network isolation impossible.
Change-Id: Ide6a65aa9393cb84591b0015ec5966cc01ffbcf8
Closes-Bug: 1381961
|
|
This is done in the vncproxy profile, but for some reason is not in
the compute one. It causes hiera to explode when the brackets are
left, so we need to do the bracket stripping here too.
Also switches both places to just use the host_nobrackets version
of the endpoint instead of stripping them with str_replace.
Change-Id: I7ccd84b575fd652f6412fdb1869c31c79a7bf53b
Closes-Bug: 1618623
|
|
Configure Keystone credentials by installing 2 keys with dynamic content
generated by python-tripleoclient.
Note: this is a first iteration of managing Keystone credentials. It has
a few limitations:
- keys are not exported to external storage.
- keys are not rotated automatically.
Change-Id: I45cf8821eadf528dfcdc8d74e6e0484597b0d2c0
|
|
There was currently no way of getting it and we can't asure that the
primary IP will use it. So it's explicitly needed there.
Change-Id: Idb3ca22ac136691b0bff6f94524d133a4fa10617
|
|
|
|
|
|
This is necessary for when HAProxy is terminating TLS for manila,
else we will have keystone discovery errors. This is the same we do
for several other services, as manila uses the same middleware.
Change-Id: Ice78b0abceb6a956bb8c1dc6212ee1b56b62b43f
|
|
|
|
This patch add support for deploying Ceph RGW.
Co-Authored-By: Giulio Fidente <gfidente@redhat.com>
Change-Id: I88c8659a36c2435834e8646c75880b0adc52e964
|
|
If these names don't match then we cannot set the service's nodes,
VIP and network.
Change-Id: I8f1c0eaf62eee2704a5f2556a553032106db606b
Closes-Bug: #1621368
|
|
|
|
|
|
Some network configurations uncovered what appears to be an issue where
a spurious 802.1q header is injected into tunnelled traffic. Adjusting
the default value to accomodate the extra overhead should avoid this
problem.
Partial-Bug: #1621533
Change-Id: I9ebad2d6ad34d90fcb998497873059995cdef276
|
|
|
|
|
|
|
|
To enable steps to be aligned between roles, we need to define
dependencies between the steps, which is only possible if we
move the steps out of distinct nested stacks so we can use
depends_on to serialized the steps for all roles.
Note that we may be able to further refactor later to remove the
per-role -config.yaml nested stacks as well.
Change-Id: Ia2ea559e8eeb64763908f75705e3728ee90b5744
Partially-Implements: blueprint custom-roles
|
|
|
|
|
|
The management network does not have a VIP, so it's been wrong to
generate a cloud name and hieradata for this. Instead, the network
that actually needs a name and a hosts entry is the ctlplane network,
which actually has a VIP and there are services that use it.
bp tls-via-certmonger
Closes-Bug: #1621742
Change-Id: I163b2c7b5684da6dc290636f54eefe3f2b0c3e3f
|
|
Make use of the new composable per-service node_ips lists by
adding a ServiceNetMap entry for SwiftStorage, then
pass the data to construct the raw device list into puppet-tripleo
instead of mangling it in t-h-t inside the role templates.
This will allow running swift storage services on nodes other than
the Controller and ObjectStorage roles, and is required to enable
custom roles.
Depends-On: I11deed1df712ecccf85d36a75b3bd2e9d226af36
Change-Id: I1bf5f8a9d34b1a5d64ab8656b386226b54ec1a27
Partially-Implements: blueprint custom-roles
|
|
|
|
This is setting sane defaults for vnc_api_lib.ini as requested from the
field. The settings still can be overriden using NovaComputeExtraConfig
if needed.
Change-Id: I6a823c0b34f6ea21aa16939577ac0e1563483557
Closes-Bug: #1620647
|
|
This patch introduces a parameter to allow customizing the Neutron
OpenvSwitch agent's firewall driver configuration.
Closes-Bug: 1618507
Change-Id: I595c392f7a1afe2164bf562224d9eda9b3dfa982
|
|
|
|
Keystone doesn't provide different flags to indicate that both of its
endpoints are enabled. So currently we have to manually add its
network to all-nodes-config.
bp tls-via-certmogner
Change-Id: Ibecd78706e84853107f698ba411a0c05e6f5be52
|
|
|
|
map_merge in heat templates should start with hypen for
each map group, few templates are missing the hypen for the
second map group, which is added in this patch
Closes-Bug: #1621008
Change-Id: I307fdd7afc374cce46d6e378594f1b688b9fd4f6
|
|
Include the neutron-base service definition to align pull in common
configurations. This might not be *absolutely* necessary as any required
common configuration would likely already be added by and OVS agent
service, etc. but it's better to be safe than sorry and it does keep
things consistent across the Neutron services.
Implements: blueprint tripleo-sriov
Change-Id: I10a9d9b29760475e6cd75e4057051c75a52ffbb7
|
|
This will aid us in using FQDNs instead of IPs if DNS is not set. If
the deployer already has DNS set up, they can easily disable this
profile by adding the use-dns-for-vips.yaml environment file.
bp tls-via-certmonger
Change-Id: I8c1b3f253d0149d575171c208f9a1342a7b26450
Depends-On: I1bdb2701dfb3e7ef072e674c9882d3be5af7296c
|
|
The nodes need to be aware of the fqdn's for the specific endpoints
in the cloud. This could be either to set the entries in /etc/hosts
or to select an appropriate hostname for a certificate to be
generated.
bp tls-via-certmonger
Change-Id: I9b4645b937a344f46ec18a9a68c5afa2bc5206d0
|
|
We recently made changes that add data to allNodesConfig, but
we didn't wire the files into the hierarchy on all roles.
Change-Id: I8e838b02bd982e600af54b14350106322244890a
Closes-Bug: #1620485
|
|
|
|
|
|
|
|
|
|
|
|
puppet aodh auth type defaults to password type and v2
auth_url doesnt work with domain. This fixes the url to
not include suffix.
Change-Id: I46d53e748d8932ed1183bedbdeb5eefcde679f9e
|
|
Previously we weren't creating Redis VIP in keepalived, causing Redis to
be unusable in non-HA deployments. This is now fixed.
Depends-On: I0bb37f6fb3eed022288b2dcfc7a88e8ff88a7ace
Change-Id: I0ecfda1e6ad5567f6f58d60bf418bc91761833ab
Closes-Bug: #1618510
|
|
Move Redis VIP from controller-only to all nodes so that we don't assume
where Redis is deployed.
Change-Id: I55f8d48e3e077951fbcc88158dd6f21a2fe5f457
Related-Bug: #1618510
Partially-Implements: blueprint custom-roles
|
|
This adds a mapping of which service is on which network. This
information can be used to fetch a certificate depending on the
network (since they use different hostnames).
Change-Id: I176245da591bea28aeabf3d2b552f24456c98c43
|
|
|