The new parameter allows toggling the apache configuration management.
This will be useful once we get [1] so that we can migrate services to
the new configuration management one by one.
[1] https://review.opendev.org/c/openstack/tripleo-ansible/+/853481
Change-Id: Id1ddbae4946e5c428d0f21ef89e20a11665a370e
The hiera function is deprecated and does not work with the latest
hieradata version 5. It should be replaced by the new lookup
function[1].
[1] https://puppet.com/docs/puppet/7/hiera_automatic.html
With the lookup function, we can define value type and merge behavior,
but these are kept at their defaults for now to limit the scope of this
change to a simple replacement. Adding a value type might be useful to make
sure the value is of the expected type (especially when a boolean value is
expected), but we will revisit that later.
example:
lookup(<NAME>, [<VALUE TYPE>], [<MERGE BEHAVIOR>], [<DEFAULT VALUE>])
Change-Id: Ifa4bd5ff6a9f90c943fef34617bd70fa36bd9288
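
Added example, not part of the commit above or of the project's code: the deprecated hiera() call beside its lookup() replacement, plus the typed form the message defers. The class name is hypothetical; the keys 'enable_internal_tls' and 'step' are the ones named elsewhere in this log, and the notice() body is a stand-in.

```puppet
# Hypothetical profile class, for illustration only.
class example::neutron_server (
  # Before: deprecated hiera() call; the returned data is not type-checked.
  #   $enable_internal_tls = hiera('enable_internal_tls', false),
  #
  # Simple replacement: same key, same default, value type and merge
  # behavior left at their defaults (undef).
  #   $enable_internal_tls = lookup('enable_internal_tls', undef, undef, false),
  #
  # Typed form: every string is truthy in Puppet 4 and later, so hieradata
  # holding the string "false" would silently enable the branch below.
  # With Boolean as the value type, catalog compilation fails instead.
  Boolean $enable_internal_tls = lookup('enable_internal_tls', Boolean, 'first', false),

  # 'step' may arrive as a string when hieradata interpolates it, so it is
  # converted explicitly before any numeric comparison.
  Integer $step = Integer(lookup('step')),
) {
  if $step >= 3 and !$enable_internal_tls {
    # Stand-in for the real resources: the WSGI config is only wanted
    # when no TLS proxy sits in front of the service.
    notice('internal TLS disabled: generating wsgi config')
  }
}
```
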
This is a follow-up of 93d102ea57 and fixes
the undefined tls_* variables when internal tls is disabled.
Change-Id: Ib2abe2c31be55a13318a331e5ba2192d84641d5f
When internal TLS is enabled we use a proxy in front of
neutron server. Config generated in change
I302558e718ce35c4d632137c5efa08f502939b40 conflicts with
the one generated for tls_proxy. Till we convert neutron_api
to be deployed with httpd, let's generate the wsgi config
only when enable_internal_tls is false.
Closes-Bug: #1936776
Change-Id: I2901ea548332a043a8ffeb268f3a0ccbca265377
This change makes haproxy monitor service availability by sending an
HTTP request that is answered by the healthcheck middleware, to ensure
that the backend API can respond to requests.
Change-Id: Idbfe6a8e110ec24d9fe64e43d82772bb05fa00ba
... because all parameters for nova notifications have been migrated
from neutron::server::notifications.
Depends-on: https://review.opendev.org/#/c/740616/
Change-Id: Id16d5fefa22707823f0bd2b0831d574ac217e4aa
Downcase in puppet 6.14 throws an error if the input to it is Undef. We
can avoid this by checking for a value before trying to downcase.
See context https://review.rdoproject.org/r/#/c/26297/
Change-Id: Ib2e97060523a4198a14949a15c9171b56928699c
Use memcached to cache tokens in neutron authtoken, as the in-process
cache, which we currently use, was already deprecated[1].
[1] Ied2b88c8cefe5655a88d0c2f334de04e588fa75a
Change-Id: I8a7b01b4f16ab94fedabc20cc876b68d8cb6e04a
Some services are missing the base apache configuration, when
running with TLS and under WSGI. Address that in its base
profiles.
Related-Bug: #1835414
Change-Id: I8148a039ab9dcbc97baff141aae6ebab4c27e16d
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
The only service that needs the neutron::designate configuration
options is neutron-server, and if we include it for other neutron
services we may end up with missing config because the relevant
designate hieradata is only generated for neutron-api.
Change-Id: I2c71132a1c3be34b51e81b0932f094cfacadd5aa
Closes-Bug: 1811134
This solves the problem that bootstrap_nodeid, which is set to the
first node in each role via t-h-t, can match potentially more than
one node - e.g. in the event that a service is deployed such that it
spans more than one role.
The SERVICE_short_bootstrap_node_name is automatically generated
based on the composable service template service_name, and this
considers all roles where the service is enabled, e.g. it should
only evaluate true once regardless of the roles where the service
is enabled.
Change-Id: I48ec4549552910f3cb8db960b0ff10a6c61b4bb9
Partial-Bug: #1792613
It'll be required by the containerized undercloud, so we can configure
specific quotas for Neutron.
Change-Id: I9c23f7fcc10e297c805e7c08433003cd86300b0b
For the TLS everywhere job, there are some apache vhosts set up that
serve as TLS proxies. These need to be started at the same time as the
rest of the apache vhosts too.
Change-Id: I15e67c7c04142cff01704e2590d3b2a6a949cc06
The step is typically set with the hieradata setting an integer value:
{"step": 1}
However it would be useful for the value to be a string so that
substitutions are possible, for example:
{"step": "%{::step}"}
This change ensures the step parameter defaults to an integer by
calling Integer(hiera('step'))
This change was made by manually removing the undef defaults from
fluentd.pp, uchiwa.pp, and sensu.pp then bulk updating with:
find ./ -type f -print0 |xargs -0 sed -i "s/= hiera('step')/= Integer(hiera('step'))/"
Change-Id: I8a47ca53a7dea8391103abcb8960a97036a6f5b3
This is now the job of the certmonger_user profile. So these bits are
not needed anymore in the service profiles.
Change-Id: Iaa3137d7d13d5e707f587d3905a5a32598c08800
Depends-On: Ibf58dfd7d783090e927de6629e487f968f7e05b6
Since the commit this depends on sets it up via hieradata, the
conditionals here are no longer needed.
bp tls-via-certmonger
Depends-On: I9252512dbf9cf2e3eec50c41bf10629d36070bbd
Change-Id: I37275e42763e103b81878b6af07c750a524c5697
This uses the tls_proxy resource added in a previous commit [1] in
front of the neutron server when internal TLS is enabled. Right
now values are passed quite manually, but a subsequent commit will use
t-h-t to pass the appropriate hieradata, and then we'll be able to
clean it up from here.
Note that the proxy is only deployed when internal TLS is enabled.
[1] I82243fd3acfe4f23aab373116b78e1daf9d08467
bp tls-via-certmonger
Change-Id: I6dfbf49f45aef9f47e58b5c0dbedd2b4e239979e
This class was being included in the same way in two different branches
of the code which could be joined in the initial branch (or if
statement).
Change-Id: Iee3c1663a2fe929b21a9c089d89b721600af66bd
This is currently calculated in t-h-t but has a hard-coded reference
to the ControllerCount which is incompatible with custom-roles.
So instead calculate the setting based on the number of neutron API
services running (on any role, not just Controller), combined with
whether DVR is enabled (equivalent to current t-h-t logic).
To avoid breaking the NeutronL3HA parameter in t-h-t we maintain an
optional parameter to override the calculated value.
Change-Id: I01c50973eec8138ec61304f2982d5026142f267c
Partial-Bug: #1629187
This patch moves the various DB syncs into the MySQL role.
Database creation needs to occur on the MySQL server to
avoid permission issues.
This patch also moves database creation to step 2 so we can
guarantee that all per-service databases exist at this time.
This avoids complex ordering needed during step 3 where
services, on different hosts, can run their own db syncs
in a distributed fashion.
Change-Id: I05cc0afa9373429a3197c194c3e8f784ae96de5f
Partial-bug: #1620595
In the Next Generation HA architecture a number of active/active services
will be run via systemd. In order for this to work we need to make sure that
the sync_db operation only takes place on the bootstrap node, just like it is
done today for the pacemaker profiles.
We do this by removing sync_db as a parameter and instead set it to true
or false depending if the hostname matches the bootstrap_node as it is done
today in the pacemaker role.
Note that we call hiera('bootstrap_nodeid', undef) because if a profile
is included on a non controller node that variable will be undefined.
The following testing was done:
- HA puppet-pacemaker.yaml scenario with three computes
- NonHA with one controller
- NonHA with three controllers
Fixes-Bug: 1600149
Co-Author: cmsj@tenshu.net
Change-Id: I04a7b9e3c18627ea512000a34357acb7f27d6e0e
Implements: blueprint ha-lightweight-architecture
We perform the Galera setup in step 2 so there is no guarantee that the
database will be available in that same step [1].
We used to implement a dependency in puppet using the 'galera-ready'
resource (clustercheck) but this is not possible with roles because we
also don't have any guarantee about clustercheck being installed on the
same node.
Because of the above all services must create/sync their databases
in a later step. This patch fixes Nova API and Neutron Server, the other
services use step 3 already.
1. https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/services/README.rst
Change-Id: I22750ffb64afbe40b5560a6a0d0dabc5b8927d32
This patch brings the neutron profiles and the
associated steps in line with what already happens in
t-h-t. Specifically:
- we want to create the db $step >= 2 and $sync_db
- we want to make sure plugin.ini exists before the neutron dbsync
- we want to make sure the db sync runs before neutron::server starts
  when using pacemaker
- split the neutron server profiles. They are quite different across
  pacemaker and base.
Change-Id: I52815f45a04bf3e39940b9cb116261730580a3e2
These can be controlled via the specific Pacemaker role template.
Depends-On: I91a4267f0fc230f63df3333747d28463c7ae55fe
Change-Id: I8ef7bb94e048b998712b3534ceb51a7d10d016e9
Implements: blueprint refactor-puppet-manifests
Add neutron profiles for both pacemaker and non-ha.
HA profiles are designed such that they include the base
profiles, disabling features as needed, while the base
profile can be used independently.
Co-Authored-By: Dan Prince <dprince@redhat.com>
Change-Id: Ida781badbcd63bbcb481a2170638aefe262b717b