From 827d110a34c611956620cddddeab51dedb4f63e6 Mon Sep 17 00:00:00 2001
From: Dan Prince <dprince@redhat.com>
Date: Fri, 26 Aug 2016 13:48:39 -0400
Subject: Mv pacemaker and firewall out of controller

This patch moves settings for pacemaker and the tripleo firewall
out of controller.yaml.

Related bug: #1604414

Change-Id: I0164717bfd79cdea3de8eb7a64771028bea201ac
---
 overcloud.yaml                        |  2 -
 puppet/controller.yaml                | 75 -----------------------------------
 puppet/services/pacemaker.yaml        | 57 +++++++++++++++++++++++++-
 puppet/services/tripleo-firewall.yaml | 11 +++++
 4 files changed, 67 insertions(+), 78 deletions(-)

diff --git a/overcloud.yaml b/overcloud.yaml
index a85c57c0..04c6100d 100644
--- a/overcloud.yaml
+++ b/overcloud.yaml
@@ -440,9 +440,7 @@ resources:
         properties:
           CloudDomain: {get_param: CloudDomain}
           controllerExtraConfig: {get_param: controllerExtraConfig}
-          PcsdPassword: {get_resource: PcsdPassword}
           RedisVirtualIP: {get_attr: [RedisVirtualIP, ip_address]}
-          RedisVirtualIPUri: {get_attr: [RedisVirtualIP, ip_address_uri]}
           ServiceNetMap: {get_attr: [ServiceNetMap, service_net_map]}
           EndpointMap: {get_attr: [EndpointMap, endpoint_map]}
           Hostname:
diff --git a/puppet/controller.yaml b/puppet/controller.yaml
index a4f87525..7650c1e8 100644
--- a/puppet/controller.yaml
+++ b/puppet/controller.yaml
@@ -23,18 +23,10 @@ parameters:
         ...
       }
     type: json
-  CorosyncIPv6:
-    default: false
-    description: Enable IPv6 in Corosync
-    type: boolean
   Debug:
     default: ''
     description: Set to True to enable debugging on all services.
     type: string
-  EnableFencing:
-    default: false
-    description: Whether to enable fencing in Pacemaker or not.
-    type: boolean
   EnableLoadBalancer:
     default: true
     description: Whether to deploy a LoadBalancer on the Controller
@@ -45,38 +37,6 @@ parameters:
       Additional hieradata to inject into the cluster, note that
       ControllerExtraConfig takes precedence over ExtraConfig.
     type: json
-  FencingConfig:
-    default: {}
-    description: |
-      Pacemaker fencing configuration. The JSON should have
-      the following structure:
-        {
-          "devices": [
-            {
-              "agent": "AGENT_NAME",
-              "host_mac": "HOST_MAC_ADDRESS",
-              "params": {"PARAM_NAME": "PARAM_VALUE"}
-            }
-          ]
-        }
-      For instance:
-        {
-          "devices": [
-            {
-              "agent": "fence_xvm",
-              "host_mac": "52:54:00:aa:bb:cc",
-              "params": {
-                "multicast_address": "225.0.0.12",
-                "port": "baremetal_0",
-                "manage_fw": true,
-                "manage_key_file": true,
-                "key_file": "/etc/fence_xvm.key",
-                "key_file_password": "abcdef"
-              }
-            }
-          ]
-        }
-    type: json
   OvercloudControlFlavor:
     description: Flavor for control nodes to request when deploying.
     default: baremetal
@@ -98,33 +58,13 @@ parameters:
     type: string
     constraints:
       - custom_constraint: nova.keypair
-  ManageFirewall:
-    default: false
-    description: Whether to manage IPtables rules.
-    type: boolean
-  PurgeFirewallRules:
-    default: false
-    description: Whether IPtables rules should be purged before setting up the new ones.
-    type: boolean
   NeutronPublicInterface:
     default: nic1
     description: What interface to bridge onto br-ex for network nodes.
     type: string
-  PcsdPassword:
-    type: string
-    description: The password for the 'pcsd' user.
-    hidden: true
-  RedisPassword:
-    description: The password for Redis
-    type: string
-    hidden: true
   RedisVirtualIP:
     type: string
     default: ''  # Has to be here because of the ignored empty value bug
-  RedisVirtualIPUri:
-    type: string
-    default: ''  # Has to be here because of the ignored empty value bug
-    description: An IP address which is wrapped in brackets in case of IPv6
   SwiftRawDisks:
     default: {}
     description: 'A hash of additional raw devices to use as Swift backend (eg. {sdb: {}})'
@@ -358,17 +298,9 @@ resources:
       server: {get_resource: Controller}
       input_values:
         bootstack_nodeid: {get_attr: [Controller, name]}
-        debug: {get_param: Debug}
-        enable_fencing: {get_param: EnableFencing}
         enable_load_balancer: {get_param: EnableLoadBalancer}
-        manage_firewall: {get_param: ManageFirewall}
-        purge_firewall_rules: {get_param: PurgeFirewallRules}
-        corosync_ipv6: {get_param: CorosyncIPv6}
-        fencing_config: {get_param: FencingConfig}
-        pcsd_password: {get_param: PcsdPassword}
         enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]}
         redis_vip: {get_param: RedisVirtualIP}
-        ironic_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, IronicApiNetwork]}]}
 
   # Map heat metadata into hiera datafiles
   ControllerConfig:
@@ -421,17 +353,10 @@ resources:
                 bootstack_nodeid: {get_input: bootstack_nodeid}
 
                 # Pacemaker
-                enable_fencing: {get_input: enable_fencing}
                 enable_load_balancer: {get_input: enable_load_balancer}
-                hacluster_pwd: {get_input: pcsd_password}
-                corosync_ipv6: {get_input: corosync_ipv6}
-                tripleo::fencing::config: {get_input: fencing_config}
 
                 # Redis
                 redis_vip: {get_input: redis_vip}
-                # Firewall
-                tripleo::firewall::manage_firewall: {get_input: manage_firewall}
-                tripleo::firewall::purge_firewall_rules: {get_input: purge_firewall_rules}
                 # Misc
                 tripleo::haproxy::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]}
                 tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade}
diff --git a/puppet/services/pacemaker.yaml b/puppet/services/pacemaker.yaml
index 31016761..5d1d666a 100644
--- a/puppet/services/pacemaker.yaml
+++ b/puppet/services/pacemaker.yaml
@@ -1,4 +1,4 @@
-heat_template_version: 2016-04-08
+heat_template_version: 2016-10-14
 
 description: >
   Pacemaker service configured with Puppet
@@ -21,6 +21,51 @@ parameters:
   MonitoringSubscriptionPacemaker:
     default: 'overcloud-pacemaker'
     type: string
+  CorosyncIPv6:
+    default: false
+    description: Enable IPv6 in Corosync
+    type: boolean
+  EnableFencing:
+    default: false
+    description: Whether to enable fencing in Pacemaker or not.
+    type: boolean
+  PcsdPassword:
+    type: string
+    description: The password for the 'pcsd' user for pacemaker.
+    hidden: true
+    default: ''
+  FencingConfig:
+    default: {}
+    description: |
+      Pacemaker fencing configuration. The JSON should have
+      the following structure:
+        {
+          "devices": [
+            {
+              "agent": "AGENT_NAME",
+              "host_mac": "HOST_MAC_ADDRESS",
+              "params": {"PARAM_NAME": "PARAM_VALUE"}
+            }
+          ]
+        }
+      For instance:
+        {
+          "devices": [
+            {
+              "agent": "fence_xvm",
+              "host_mac": "52:54:00:aa:bb:cc",
+              "params": {
+                "multicast_address": "225.0.0.12",
+                "port": "baremetal_0",
+                "manage_fw": true,
+                "manage_key_file": true,
+                "key_file": "/etc/fence_xvm.key",
+                "key_file_password": "abcdef"
+              }
+            }
+          ]
+        }
+    type: json
 
 outputs:
   role_data:
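Review bot: FencingConfig is declared as `type: json` without `hidden: true`, although its own example carries a credential (`"key_file_password": "abcdef"`), so fencing-agent secrets passed through this parameter would presumably be shown in clear wherever stack parameters are displayed. PcsdPassword in the same hunk is marked hidden; I would add `hidden: true` under FencingConfig as well. The definition is moved unchanged from puppet/controller.yaml, so the gap is pre-existing, but the move is a natural point to close it. The parameters block starts above the hunk.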
@@ -44,5 +89,15 @@ outputs:
           '131 pacemaker udp':
             proto: 'udp'
             dport: 5405
+        corosync_ipv6: {get_param: CorosyncIPv6}
+        tripleo::fencing::config: {get_param: FencingConfig}
+        enable_fencing: {get_param: EnableFencing}
+        hacluster_pwd:
+          yaql:
+            expression: $.data.passwords.where($ != '').first()
+            data:
+              passwords:
+                - {get_param: PcsdPassword}
+                - {get_param: [DefaultPasswords, pcsd_password]}
       step_config: |
         include ::tripleo::profile::base::pacemaker
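Review bot: The `hacluster_pwd` expression has nothing to return when both candidates are empty: PcsdPassword now defaults to `''` (it had no default in puppet/controller.yaml), so if `DefaultPasswords` does not supply `pcsd_password` the `where($ != '')` filter leaves an empty sequence for `first()`. As far as I know yaql's `first()` without a default raises on an empty sequence, which would surface as an opaque expression error rather than a message naming the missing password; it is also worth confirming that a null entry cannot pass the `!= ''` test and end up as the cluster password. I would state the requirement in the parameter text, e.g. `description: The password for the 'pcsd' user for pacemaker. Must be set here or via DefaultPasswords.`, and add `# first non-empty of PcsdPassword and DefaultPasswords.pcsd_password` above the expression. `DefaultPasswords` is not declared in the visible hunks, so its declaration is assumed to sit in the unchanged part of the file.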
diff --git a/puppet/services/tripleo-firewall.yaml b/puppet/services/tripleo-firewall.yaml
index 14965b4f..f6ec458f 100644
--- a/puppet/services/tripleo-firewall.yaml
+++ b/puppet/services/tripleo-firewall.yaml
@@ -18,11 +18,22 @@ parameters:
     description: Mapping of service endpoint -> protocol. Typically set
                  via parameter_defaults in the resource registry.
     type: json
+  ManageFirewall:
+    default: false
+    description: Whether to manage IPtables rules.
+    type: boolean
+  PurgeFirewallRules:
+    default: false
+    description: Whether IPtables rules should be purged before setting up the new ones.
+    type: boolean
 
 outputs:
   role_data:
     description: Role data for the TripleO firewall settings
     value:
       service_name: tripleo_firewall
+      config_settings:
+        tripleo::firewall::manage_firewall: {get_param: ManageFirewall}
+        tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules}
       step_config: |
         include ::tripleo::firewall
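Review bot: The two new parameter descriptions do not say how the flags interact or what purging affects: from this hunk it is not visible whether `PurgeFirewallRules` has any effect while `ManageFirewall` is false, and the text does not warn that purging presumably also drops rules an operator added outside TripleO. Because both values now travel through the service's `config_settings` instead of controller.yaml, they likely apply to every role that includes tripleo_firewall, which deserves a sentence as well. I would expand the PurgeFirewallRules description to cover both points once confirmed against ::tripleo::firewall, and fold it with `description: >-` since the current line is well over 80 columns. The parameters block starts above the hunk.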
-- 
cgit 1.2.3-korg