aboutsummaryrefslogtreecommitdiffstats
path: root/puppet
AgeCommit message (Collapse)AuthorFilesLines
2017-05-03Internal TLS: Use specific CA file for mysql-clientJuan Antonio Osorio Robles1-0/+6
Instead of using the CA bundle, this sets the mysql client configuration file to use a specific file for validating the certificate of the database server. This helps in two ways: * Improves performance since validation will check only one certificate. * Improves security since we're only the certificates signed by one CA are valid, instead of any certificate that the system trusts (which could include potentially compromised public certs). Change-Id: I46f7cb6da73715f8f331337e0161418450d5afd7 Depends-On: I75bdaf71d88d169e64687a180cb13c1f63418a0f
2017-05-03Internal TLS: use common CA file parameter for libvirt CA certJuan Antonio Osorio Robles1-5/+20
libvirt has its own parameter for setting the CA, however, if we have a common CA for all services in the internal network (which we do), it's more consistent to use the common parameter for configuring that CA file. The previous parameter was left in case the deployer wants to use a specific CA file for the compute nodes. Change-Id: I3d132d3d257d7ea9f43e49593f8509c3cd205ca5
2017-05-03Internal TLS: Use specific CA file for haproxyJuan Antonio Osorio Robles1-0/+6
Instead of using the CA bundle, this sets HAProxy to use a specific file for validating the certificates of the services it's proxying. This helps in two ways: * Improves performance since validation will check only one certificate. * Improves security since we're only the certificates signed by one CA are valid, instead of any certificate that the system trusts (which could include potentially compromised public certs). Change-Id: Id6de045b3c93c82d37e0b0657c17a3108516016a
2017-05-02Add deprecation notes for panko servicePradeep Kilambi1-1/+3
Change-Id: Ic218a753e0cede2ba3951bcaec843f487dce0c71
2017-05-02Merge "Fix for the resource ControllerPostPuppetMaintenanceModeDeployment"Jenkins1-1/+1
2017-05-02Merge "Deprecate ceilometer collector"Jenkins3-33/+72
2017-05-02Merge "Use list_concat for metadata_settings for haproxy"Jenkins1-6/+4
2017-05-02snmp: add SnmpdBindHost parameterEmilien Macchi1-0/+5
SnmpdBindHost will be useful for users who want to change the binding options for SNMP daemon. It has to be an array, and by the default the value is ['udp:161','udp6:[::1]:161'] like it was in puppet-tripleo profile. Change-Id: Iccf0a8d35cc05d34272c078c97a5dddfb8e7d614 Closes-Bug: #1687628
2017-05-02Fix for the resource ControllerPostPuppetMaintenanceModeDeploymentCarlos Camacho1-1/+1
Closes-Bug:1686619 Change-Id: I7c32ca39a456de9833d30c31d41fcb727d2b0a34
2017-05-02Add parameter Ec2ApiExternalNetwork for VPCsSven Anderson1-0/+15
Change-Id: I26652afe0f513ec354c05570e7fa0e5b4b0ab669
2017-05-02Use list_concat for metadata_settings for haproxyJuan Antonio Osorio Robles1-6/+4
Change-Id: Ia0e0a12e1863dce657d4e1c7f9894ea5bfd008be
2017-05-01Enable splay for os-collect-configAlex Schultz6-0/+60
At scale, having the os-collect-config instances all check in at the same time can cause performance problems. This change enables splay and sets it to a default maximum random sleep of 30 seconds prior to the os-collect-config polling. Change-Id: Iab8b51f4e5fb4727b8aa7e081f5cbfcbf11f7fcb Depends-On: I88f623c9e8db9ed4a186918206a63faec8f7f673 Closes-Bug: #1677314
2017-04-29Allow to deploy Octavia API & Neutron Server on 2 different nodesEmilien Macchi1-1/+2
Exporting the neutron::server parameter into the neutron_api service, so Octavia API and Neutron Server can be separated. Change-Id: Iee28b0e84a00bd589d6f14a73f0c3f32d310b393 Closes-Bug: #1687026
2017-04-28Merge "Enables support for configuring Cinder with Pure Storage FlashArray ↵Jenkins1-0/+68
storage backend"
2017-04-28Support Redfish hardware in the overcloud IronicDmitry Tantsur1-1/+13
Part of blueprint redfish-support Depends-On: I0bd6697a33a62d62ee94a1de768b8516bba2e2bc Depends-On: Ib14f87800ae7657cf6176a4820248a2ce048241d Change-Id: I2482d3a7549ac9ebc7c0c20626e479575aaad182
2017-04-27Merge "aodh-base.yaml uses a hard coded keystone region name"Jenkins1-1/+1
2017-04-27Merge "Disable default vhost for apache"Jenkins1-0/+1
2017-04-27Merge "upgrades: deploy mod_ssl when upgrading apache"Jenkins10-95/+150
2017-04-27Merge "Change the default for rabbitmq back to ha-mode: all"Jenkins2-33/+4
2017-04-27Merge "Pass httpd service_name to Zaqar"Jenkins1-0/+1
2017-04-27Merge "[ironic] expose default boot_option in configuration and change it to ↵Jenkins1-0/+8
local"
2017-04-27Disable default vhost for apacheBogdan Dobrelya1-0/+1
It is required for a hybrid deployments when WSGI based services running both at host and in containers, without conflicting default ports. Partial-bug: #1686637 Co-authored-by: Juan Antonio Osorio Robles <jaosorior@redhat.com> Change-Id: I9d0a5bb32337a6a8f1a4036f9560df79dfe1d90a Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2017-04-26upgrades: deploy mod_ssl when upgrading apacheEmilien Macchi10-95/+150
1) When Apache is upgraded, install mod_ssl rpm. See https://bugs.launchpad.net/tripleo/+bug/1682448 to understand why we need mod_ssl. 2) All services that run Apache for API will use the snippet from Apache service to deploy mod_ssl, so we don't duplicate the code in all services. It's using the same mechanism as ovs upgrade to compile upgrade_tasks between both services. Change-Id: Ia2f6fea45c2c09790c49baab19b1efcab25e9a84 Closes-Bug: #1686503
2017-04-26Open ports 443 and 80 on haproxy's firewall when horizon is standaloneRadomir Dopieralski1-0/+7
Change-Id: Ifec9839ac0fc688678f0221bb731fb64bd86d2d9
2017-04-26Change the default for rabbitmq back to ha-mode: allMichele Baldessari2-33/+4
In change Ib62001c03e1e08f58cf0c6e0ba07a8879a584084 we switched the rabbitmq queues HA mode from ha-all to ha-exactly. While this gives us a nice performance boost with rabbitmq, it makes rabbit less resilient to network glitches as we painfully found out via https://bugzilla.redhat.com/show_bug.cgi?id=1441635. This is the THT part of the change that changes the default to ha-mode: all. Closes-Bug: #1686337 Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com> Co-Authored-By: John Eckersberg <jeckersb@redhat.com> Change-Id: I7afcf2b3c8deb13fc2134e4cae9c06a44e775384 Depends-On: I9a90e71094b8d8d58b5be0a45a2979701b0ac21c
2017-04-25Merge "Enable internal network TLS for etcd"Jenkins1-21/+56
2017-04-25Deprecate ceilometer collectorPradeep Kilambi3-33/+72
Ceilometer collector is deprecated in Pike release. Do not deploy by default. Instead use the pipeline yaml to configure the publisher directly. Closes-bug: #1676961 Change-Id: Ic71360c6307086d5393cd37d38ab921de186a2e0
2017-04-25Deploy ceilometer_auth_enabled to node containing keystoneJuan Antonio Osorio Robles1-1/+1
This hiera key is used by keystone to create the ceilometer service user. It works in CI cause keystone and the ceilometer services are in the same node. However, this fails if keystone is deployed on a separate note. We should only deploy it in the nodes containing the keystone service since it's only relevant to create the service user. Change-Id: Ic0f02fe9a78a1fe14ac2b87197692fbd80c003b8 Closes-Bug: #1685828
2017-04-25Pass httpd service_name to ZaqarThomas Herve1-0/+1
This removes the need to do it in puppet-tripleo Change-Id: I6f44a6a02041c0fbbafb770a087a0032c3a53a76
2017-04-25Merge "Disable Manila CephFS snapshots by default"Jenkins1-1/+1
2017-04-25Merge "Add initial support for NSX plugin"Jenkins1-0/+66
2017-04-24Dell SC: Add secondary DSM supportrajinir1-0/+16
Adds support for a secondary DSM in case the primary becomes unavailable. Change-Id: I0887e15a7e1c90a4f333bef6cdbb5d43ba0cd838 Closes-Bug: #1681492 Depends-On: I331466e4f254b2b8ff7891b796e78cd30c2c87f7
2017-04-24Merge "Merge pre|post puppet resources into pre|post config."Jenkins1-17/+2
2017-04-24Merge "Run Zaqar with httpd in puppet service"Jenkins1-12/+54
2017-04-24Merge pre|post puppet resources into pre|post config.Carlos Camacho1-17/+2
The [Pre|Post]Puppet resources were renamed in https://review.openstack.org/#/c/365763. This was intended for having a pre/post deployment steps using an agnostic name instead of being attached to a technology. The renaming was unintentionally reverted in https://review.openstack.org/#/c/393644/ and https://review.openstack.org/#/c/434451. This submission merge both resources into one, and remove the old pre|post hooks. Closes-bug: #1669756 Change-Id: Ic9d97f172efd2db74255363679b60f1d2dc4e064
2017-04-24Merge "Allow configuring enabled hardware types for Ironic"Jenkins1-0/+6
2017-04-22Merge "Increase documentation about parameters"Jenkins1-1/+3
2017-04-21Merge "Add service config settings to agent services"Jenkins3-0/+6
2017-04-21Merge "glance: deploy services with Keystone v3 endpoints"Jenkins1-2/+5
2017-04-21Merge "SSHD Service extensions"Jenkins1-0/+29
2017-04-21Merge "Use conditionals for neutron and glance worker defaults"Jenkins2-10/+20
2017-04-21Merge "Add NeutronDnsDomain heat option, undercloud fix"Jenkins1-0/+5
2017-04-20Merge "N->O Manual puppet commands have the right modulepath."Jenkins1-1/+1
2017-04-20N->O Manual puppet commands have the right modulepath.Sofer Athlan-Guyot1-1/+1
In two places during upgrade we manually trigger puppet. There can be a problem when new puppet modules are added, and their corresponding symlinks in /etc/puppet/modules are not created during the installation as their are installed in /usr/share/openstack-puppet/modules. To prevent the issue tripleo set modulepath in the templates. We must use the same modulepath to make sure that we don't fail because of missing module in the manual puppet run. This particulary happens when you upgrade from M->N->O, as the base image in Mitaka doesn't have the proper symlinks and they are not created during the installation of the package. Closes-Bug: #1684587 Change-Id: I79df6ea33f1c58e13309176a6de41b7572541fd6
2017-04-20Merge "TLS-everywhere: Enable for TLS libvirt live migration"Jenkins1-0/+82
2017-04-20Run Zaqar with httpd in puppet serviceThomas Herve1-12/+54
This switches Zaqar to run with httpd when configured by puppet. Change-Id: I69b923dd76a60e9ec786cae886c137ba572ec906
2017-04-20Merge "N->O upgrade, fix wrong parameters to nova placement."Jenkins1-1/+2
2017-04-20Merge "Pluggable server type per Role"Jenkins6-6/+6
2017-04-20glance: deploy services with Keystone v3 endpointsEmilien Macchi1-2/+5
* Switch auth_uri to point to Keystone versionless endpoint. * Switch Swift auth url to use Keystone versionless endpoint and Keystone v3 API. Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Change-Id: I78cdd2286b5a5094f36d4f3c7c58340745664449 Partial-blueprint: keystone-v3
2017-04-19SSHD Service extensionsLuke Hinds1-0/+29
This change implements a MOTD message and provides a hash of sshd config options which are sourced to the puppet-ssh module as a hash. The SSHD puppet service is enabled by default, as it is required for Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293. Also added the service to the CI roles. Change-Id: Ie2e01d93082509b8ede37297067eab03bb1ab06e Depends-On: I1d09530d69e42c0c36311789166554a889e46556 Closes-Bug: #1668543 Co-Authored-By: Oliver Walsh <owalsh@redhat.com>