Commit Graph

29 Commits

Author SHA1 Message Date
Juan Antonio Osorio Robles a72f8d4ae9 Remove deprecated TLS-related environment files
The ones in environments/ssl/ are preferred instead. These have been
available since Pike.

Change-Id: I84a7b354ede46d6ec88964e5dcbd5678d89c8c0f
Depends-On: I5a905ec7499a6faa08cbcacfccb19a6e424e4a80
2019-01-18 09:57:48 +00:00
Cédric Jeanneret 59b762658d Manage public certificate with ansible
This is basically a rewrite of the bash script pushed by
puppet/extraconfig/tls/tls-cert-inject.yaml

UpgradeImpact: NodeTLSData is not used anymore

Change-Id: Iaf7386207e5bd8b336759f51e4405fe15114123a
2018-05-31 14:50:00 +02:00
Pradeep Kilambi 25b0b97c38 Add incoming storage driver param
Change-Id: I5b71099d2e1c25b86ceed430f15ee28ef0f37f5c
2018-02-01 19:25:11 +00:00
Jenkins 96813ba268 Merge "Support config dir for env generator input files" 2017-06-19 15:26:33 +00:00
Ben Nemec f503d1b0e7 Support config dir for env generator input files
We're not going to want to list every single sample environment in
a single file, so let's also take a directory and just read every
yaml file in it.  This commit adds support for that as well as
some initial environments to demonstrate its use.

Change-Id: If2c608f2a61fc5e16784ab594d23f1fa335e1d3c
2017-06-12 15:02:50 -05:00
Ben Nemec d8c0c33012 Change HorizonSecureCookies default to False
HorizonSecureCookies is incompatible with non-ssl deployments, which
is our default deployment method.  When SSL is in use, it can be
turned on in the enable-tls.yaml file.  This does mean that
existing users won't automatically get this feature turned on as
part of their upgrade because enable-tls.yaml is an environment that
is intended to be copied and edited, but it's simple to add the
parameter to the file for users who want that behavior after they
upgrade to a version where it is available.

Change-Id: If83d3d8709fc4e0c09569e8bf524721d332bf560
Closes-Bug: 1696861
2017-06-08 16:28:34 -05:00
Juan Antonio Osorio Robles b31116a712 Move resource registry override to enable-tls.yaml
It makes more sense for the enable-tls.yaml file to contain the
resource registry override, since it contains parameters that are
actually used there. Also, this allows us to reuse the
tls-endpoints-public-* files for other methods of enabling TLS (such
as with certmonger).

Change-Id: I98c63d0007e61968c0490a474eddb42548891fa6
2016-08-23 08:53:50 +03:00
Ben Nemec 8cd7861a26 Decouple EndpointMap from SSL certificate params
Having the endpoint map in the same environment as the SSL
certificate parameters means that every time a service is added to
the overcloud, the user must remember to update their copy of
enable-tls.yaml to reflect the new service.

To avoid this, let's separate the SSL EndpointMap from the SSL
certificates so users can simply pass the shipped list of SSL
endpoints and only have to customize the certificate env file. As
an added bonus, this means they won't have to put the certificates
in enable-tls.yaml specifically.  The parameters can be set
anywhere, and will be used as long as one of the tls-endpoints
envs is also specified.

inject-trust-anchor.yaml is not changed, but it could already be
used in the same fashion.  The root certificate param could be set
in any env passed after inject-trust-anchor.yaml, and then
inject-trust-anchor.yaml would only be responsible for setting the
appropriate resource_registry entry.  This way there is no need to
customize the in-tree inject-trust-anchor.yaml either.

Change-Id: I38eabb903b8382e6577ccc97e21fbb9d09c382b3
2016-08-12 10:26:16 -05:00
Steven Hardy 450be229c3 Convert EndpointMap to not require per-service VIP parameters
Currently we have a hard-coded set of per-service parameters, which
will cause problems for custom roles and full composability.

As a first step towards making this more configurable, remove the
hard-coded per-service parameters from overcloud.yaml, and adjust
the EndpointMap generation to instead accept two mappings, the
ServiceNetMap and a mapping of networks to IPs (effectively this
just moves the map lookup inside the endpoint map instead of
inside overcloud.yaml)

Change-Id: Ib522e89c36eed2115a6586dd5a6770907d9b33db
Partially-Implements: blueprint custom-roles
2016-08-11 14:35:48 +03:00
Ryan Hefner b99733d08a Enable Manila integration - as a composable controller service
Allows the installation and configuration of Manila.
Supports the generic driver only. This has a dependency on the
puppet-tripleo classes for manila where the puppet specific
config now lives.

The review at https://review.openstack.org/#/c/315658/ has been
merged into this one, as of v68, so manila lands as a composable
service. This was brought up on the mailing list at [1]

[1] http://lists.openstack.org/pipermail/openstack-dev/2016-May/096126.html

Co-Authored-By: Marios Andreou <marios@redhat.com>
Implements: blueprint composable-services-within-roles
Depends-On: I444916d60a67bf730bf4089323dba1c1429e2e71
Depends-On: I9eda4b3364e5c59342761a1ec71b0eb567c69cf1
Depends-On: I571b65a5402c1028418476a573ebeb9450ed00c9
Change-Id: I7acebac4354fca1f8d7ff6c343c1346bf29b81c6
2016-08-02 17:18:07 +03:00
Juan Antonio Osorio Robles 62d6d5d933 Add MysqlNoBracketsInternal to enable-tls.yaml
Change-Id: Ife466e6a8b8112777d4c0e845e31fa633da5e53d
2016-07-18 15:17:13 +03:00
Imre Farkas dfbc9380aa Basic support for deploying Ironic in overcloud
Note that this change is not enough yet to deploy bare metal instances,
it only deploys Ironic services themselves and makes sure they work.

Also it does not support HA for now.

Co-Authored-By: Dmitry Tantsur <dtansur@redhat.com>
Partially-implements: blueprint ironic-integration
Change-Id: I541be905022264e2d4828e7c46338f2e300df540
2016-06-29 15:59:08 +02:00
Giulio Fidente a6438a2082 Pass MysqlVirtualIP via EndpointMap
By passing the MysqlVirtualIP via the EndpointMap we won't need it
to be provided as a parameter to the services.

This follows what is already happening for the glance registry
service with I9186e56cd4746a60e65dc5ac12e6595ac56505f0.

Change-Id: Iad2ab389bf64d0fc8b06eb0e7d29b5370ff27dff
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
2016-05-30 10:22:59 +03:00
Jenkins 27625182b2 Merge "add heat-api-cfn to endpoint map" 2016-05-19 08:58:44 +00:00
Emilien Macchi e148af8483 Remove Nova EC2 deployment
Nova EC2 does not exist anymore since Mitaka, parameters are already
deprecated in Mitaka and send warnings to the Puppet catalog.
The service has been replaced by ec2api project, where Puppet OpenStack
team is currently writing a module.

In the meantime, until we add support in TripleO, this patch removes all
occurrences of Nova EC2 configuration, which are useless and send
warnings for nothing.

Change-Id: Ief2d0e5c77b5ac58560606fee930fbd66c40ffc3
2016-05-16 15:23:48 +02:00
Steven Hardy be24147dc8 add heat-api-cfn to endpoint map
Change-Id: I8f98ce92fc387d2263fda738c1c8a209e3cbbb85
2016-05-12 12:21:20 +00:00
Giulio Fidente 55cd264439 The Sahara SSL endpoint was announced on the wrong port
Change-Id: I0cab3cdb2189dab3844f2eda52b8697d05ad3447
2016-04-21 16:41:17 +02:00
Dan Prince c717a4d1b8 Add GlanceRegistry to the endpoint map
This patch adds GlanceRegistry to the endpoint map. This
will make accessing Glance registry settings via the endpoint
map possible.

Change-Id: I9186e56cd4746a60e65dc5ac12e6595ac56505f0
2016-04-14 14:47:06 +03:00
Pradeep Kilambi 0970068cbb Deploy Gnocchi as a Ceilometer metrics storage backend
* Deploy Gnocchi API.
* Storage backends: swift, rbd and file.
* Indexer backend default to mysql
* Configure Ceilometer to send metrics data to Gnocchi
* Pacemaker config

Depends-On: Ic8778a3104e0ed0460423e4bf857682220dc5802
Depends-On: I7d2eb9405e0171fc54fa0b616122f69db5f51ce2

Co-Authored-By: Pradeep Kilambi <pkilambi@redhat.com>

Change-Id: Ifde17b1ab8fa2b30544633e455e1c7eb475705aa
2016-04-11 12:27:38 -04:00
Zane Bitter d773227e7d Don't have separate protocols/ports for Keystone v3
The change in ab068a824e is described as
temporary, so it would be better if it did not affect the EndpointMap
parameter (which is effectively a public interface, since it may be
overridden in an environment file). No configuration should end up with
different ports/protocols/hosts for Keystone v2 and v3, and somebody
customising them should not have to account for them separately. Nor
should things break when the need to distinguish between v2 and v3
endpoints goes away.

This change removes the KeystoneV3* keys from the EndpointMap input and
uses the Keystone* keys instead, so that any change to the internal
organisation becomes transparent to the user.

Change-Id: If4cdd9232f4dbc9f2af651bbdfe68f09dc26ed2e
2016-04-11 04:50:28 +00:00
Jenkins 19e44d2a61 Merge "Deploy Aodh services, replacing Ceilometer Alarm" 2016-03-24 17:51:43 +00:00
Pradeep Kilambi 2018c38ed4 Deploy Aodh services, replacing Ceilometer Alarm
Ceilometer Alarm is deprecated in Liberty by Aodh.

This patch:
* manage Aodh Keystone resources
* deploy Aodh API under WSGI, Notifier, Listener and Evaluator
* manage new parameters to customize Aodh deployment
* uses ceilometer DB for the upgrade path
* pacemaker config
* Add migration logic to remove pcs resources

Depends-On: I5333faa72e52d2aa2a622ac2d4b60825aadc52b5
Depends-On: Ib6c9c4c35da3fb55e0ca8e2d5a58ebaf4204d792

Co-Authored-By: Emilien Macchi <emilien@redhat.com>

Change-Id: Ib47a22884afb032ebc1655e1a4a06bfe70249134
2016-03-20 10:27:21 -04:00
Giulio Fidente 072dad2c23 Remove GlanceRegistry from EndpointMap
We don't need an endpoint for the glance-registry service, that is
used by glance-api when needed and is not meant to be user-facing.

Change-Id: Ia6c9dd6164d3b91adbc937d70fa74d5fbbfb28a3
2016-03-18 11:29:00 +01:00
Ben Nemec 352fae4aa4 Update enable-tls.yaml with new endpoints
A couple of new endpoints have been added, and if they're not in
the configured value for EndpointMap it will cause problems.

Sahara is not added as ssl-enabled because I don't believe it has
been added to the loadbalancer yet.

Note that there is work underway to CI overcloud SSL, which should
catch problems like this in the future.

Change-Id: Ia8a106fd94da7be8675ea84f5fbb9ac959771d10
2016-03-08 09:48:39 -06:00
James Slagle 8da8b84560 Revert "Deploy Aodh services, replacing Ceilometer Alarm"
This is just a revert to see if reverting this gets back to a normal CI run time.

This reverts commit f72aed8559.

Change-Id: I04a0893f6cf69f547a4db26261005e580e1fc90b
2016-03-04 23:05:35 -05:00
Emilien Macchi f72aed8559 Deploy Aodh services, replacing Ceilometer Alarm
Ceilometer Alarm is deprecated in Liberty by Aodh.

This patch:
* manage Aodh Keystone resources
* deploy Aodh API under WSGI, Notifier, Listener and Evaluator
* manage new parameters to customize Aodh deployment
* uses ceilometer DB for the upgrade path
* pacemaker config

Depends-On: I9e34485285829884d9c954b804e3bdd5d6e31635
Depends-On: I891985da9248a88c6ce2df1dd186881f582605ee
Depends-On: Ied8ba5985f43a5c5b3be5b35a091aef6ed86572f

Co-Authored-By: Pradeep Kilambi <pkilambi@redhat.com>

Change-Id: I58d419173e80d2462accf7324c987c71420fd5f6
2016-03-03 13:34:38 -05:00
Ben Nemec dd7602ad82 Allow vncproxy to work with ssl enabled
Right now our vncproxy settings are hard-coded to http and the
non-ssl port.  This change adds a vncproxy entry to the endpoint
map and uses those values to configure the proxy correctly on
compute nodes.  This is sufficient to get it working in my
environment with ssl enabled.

Change-Id: I9d69b088eef4700959b33c7e0eb44932949d7b71
2016-01-15 17:59:22 -06:00
Juan Antonio Osorio Robles ddc0d78dec Enable TLS in loadbalancer if cert path is detected
If there is a value for the certificate path (which should only happen
if the environment for enabling TLS is used) then the loadbalancer will
detect it and configure its front ends correctly. On the other hand
a proper override for the example environment was given, since this
will be needed because we want to pass the hosts and protocols
correctly so the tripleoclient will catch it and pass it to
os-cloud-config

Change-Id: Ifba51495f0c99398291cfd29d10c04ec33b8fc34
Depends-On: Ie2428093b270ab8bc19fcb2130bb16a41ca0ce09
2015-12-08 11:43:28 +02:00
Juan Antonio Osorio Robles 97b12afbad Inject TLS certificate and keys for the Overcloud
This is a first implementation of adding TLS termination to the load
balancer in the controllers. The implementation was made so that the
appropriate certificate/private key in PEM format is copied to the
appropriate controller(s) via a software deployment resource.

And the path is then referenced on the HAProxy configuration, but this
part was left commented out because we need to be able to configure the
keystone endpoints in order for this to work properly.

Change-Id: I0ba8e38d75a0c628d8132a66dc25a30fc5183c79
2015-11-23 11:55:26 +02:00