28 Commits

Author SHA1 Message Date
David J Peacock 47ec1089a5 flatten database service Redis
This change combines the previous puppet and docker files into a single
file that performs the docker service installation and configuration.

With this patch the baremetal version of database service Redis
has been removed.

Change-Id: I530ee8196e1d4b81ae4886b234e1a530cf34becf
Related-Blueprint: services-yaml-flattening
2019-03-01 10:58:31 -05:00
Steven Hardy a77d045663 Add SERVICE_bootstrap_node_ip values to allNodesConfig
This can be used to replace the per-role bootstrap_nodeid_ip,
and the redis-base template is updated to use the new hiera
key.

The old bootstrap_nodeid_ip appears to only be used for redis,
so the old key is removed, with an upgrade release note added
should any out-of-tree services reference this value.

Partial-Bug: #1792613
Change-Id: I830d5b9bae3e9d65c2c393e3dcdf70bffdb1ac7b
2018-11-26 17:01:24 +00:00
Steven Hardy 97c111bf1e Revert "Revert "Convert *tasks from bootstrap_nodeid to short_bootstrap_node_name""
This reverts commit 3cbaadd09c.

Change-Id: Ib344a3b89d3755891bd0d34faad96e4fe20ee524
2018-11-13 14:17:00 +00:00
Marios Andreou 3cbaadd09c Revert "Convert *tasks from bootstrap_nodeid to short_bootstrap_node_name"
This reverts commit 52c1641e2c due to the related bug below

Change-Id: I3f6d8adae1918d1d55fdecc09fed5e4b45ee46b9
Related-Bug: 1798525
2018-10-18 07:20:45 +00:00
Steven Hardy 52c1641e2c Convert *tasks from bootstrap_nodeid to short_bootstrap_node_name
The current approach has several disadvantages:
- Requires shelling out to the hiera CLI, and is coupled to the puppet hieradata
- The bootstrap_nodeid is only unique per Role, not per service, so if you
  deploy a service spanning more than one role it will evaluate true for
  every role, not only once.

Instead let's use the per-service short_bootstrap_node_name, which is
available directly via the ansible inventory now ref
https://review.openstack.org/#/c/605046/

This is the first part of a cleanup for inconsistent handling of
bootstrap node evaluation, triggered by bug #1792613

Change-Id: Iefe4a37e8ced6f4e9018ae0da00e2349390d4927
Partial-Bug: #1792613
Depends-On: Idcee177b21e85cff9e0bf10f4c43c71eff9364ec
2018-10-12 11:12:25 +01:00
Carlos Camacho 44ef2a3ec1 Change template names to rocky
The new master branch should point now to rocky.

So, HOT templates should specify that they might contain features
for rocky release [1]

Also, this submission updates the yaml validation to use only latest
heat_version alias. There are cases in which we will need to set
the version for specific templates i.e. mixed versions, so there
is added a variable to assign specific templates to specific heat_version
aliases, avoiding the introduction of errors by bulk replacing the
old version in new releases.

[1]: https://docs.openstack.org/heat/latest/template_guide/hot_spec.html#rocky
Change-Id: Ib17526d9cc453516d99d4659ee5fa51a5aa7fb4b
2018-05-09 08:28:42 +02:00
Steven Hardy 3a7baa8fa6 Convert ServiceNetMap evals to hiera interpolation
Since https://review.openstack.org/#/c/514707/ added the net_ip_map
to hieradata, we can look up the per-network bind IPs via hiera
interpolation instead of heat map_replace.

In some cases the ServiceNetMap lookup is used for other things,
but anywhere we make use of the "magic" translation via NetIpMap
is changed the same way.

This will enable more of the configuration data to be exposed per
role vs per node in a future patch (to simplify our ansible
workflow).

Co-authored-by: Bogdan Dobrelya <bdobreli@redhat.com>
Change-Id: Ie3da9fedbfce87e85f74d8780e7ad1ceadda79c8
2018-03-10 08:18:30 +00:00
Damien Ciabrini 91db2020df Fix Redis TLS setup and its HA deployment
This patch reverts the revert of Redis TLS [1,2], and updates the
pacemaker redis template to configure Redis to encrypt the
replication traffic between Redis nodes.

[1] a3769c0317
[2] ebc8414cd0

Depends-On: I6cc818973fab25b4cd6f7a0d040aaa05a35c5bb1
Change-Id: I7f7be4bba6d41c04385f074857c82507cc8c2617
Closes-Bug: #1737707
2018-02-05 14:05:12 +00:00
Pradeep Kilambi a3769c0317 Redis replication does not work with TLS
Let's revert the TLS support until we know it works.

Revert "TLS proxy for redis"

This reverts commit c2a93cf4c5.

Closes-bug: #1735259

Change-Id: I8157ce04617c094978175f3e4b3071bdf76362fe
2017-11-29 17:46:59 -05:00
Carlos Camacho 927495fe3d Change template names to queens
The new master branch should point now to queens instead of pike.

So, HOT templates should specify that they might contain features
for queens release [1]

[1]: https://docs.openstack.org/heat/latest/template_guide/hot_spec.html#queens

Change-Id: I7654d1c59db0c4508a9d7045f452612d22493004
2017-11-23 10:15:32 +01:00
Martin André c2a93cf4c5 TLS proxy for redis
Redis does not have TLS out of the box. Let's use a proxy container for
TLS termination.

bp tls-via-certmonger

Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: Ie2ae0d048a71e1b1b4edb10c74bc0395a1a9d5c9
Depends-On: I078567c831ade540cf704f81564e2b7654c85c0b
Depends-On: Ia50933da9e59268b17f56db34d01dcc6b6c38147
2017-08-31 05:28:20 +00:00
Ben Nemec c54e9b681b Make various password descriptions consistent
Since these are obviously global parameters they shouldn't specify
what will be using them because they are used in multiple places.

Change-Id: I5054c2d67dffe802e37f8391dd7bad4721e29831
Partial-Bug: 1700664
2017-07-21 18:39:28 +00:00
Giulio Fidente baf6eee501 Adds network/cidr mapping into a new service property
Makes it possible to resolve network subnets within a service
template; the data is transported into a new property ServiceData
wired into every service which hopefully is generic enough to
be extended in the future and transport more data.

Data can be consumed in service templates to set config values
which need to know what is the subnet where a daemon operates (for
example the Ceph Public vs Cluster network).

Change-Id: I28e21c46f1ef609517175f7e7ee19e28d1c0cba2
2017-07-14 13:44:04 +02:00
Carlos Camacho 0a0e2ee629 Update the template_version alias for all the templates to pike.
Master is now the development branch for pike
changing the release alias name.

Change-Id: I938e4a983e361aefcaa0bd9a4226c296c5823127
2017-05-19 09:58:07 +02:00
Saravanan KR a096ddab34 Add role specific information to the service template
When a service is enabled on multiple roles, the parameters for the
service will be global. This change enables an option to provide
role specific parameter to services and other templates.

Two new parameters - RoleName and RoleParameters, are added to the
service template. RoleName provides the name of the role on which the
current instance of the service is being applied. RoleParameters
provides the list of parameters which are configured specific to the
role in the environment file, like below:

  parameters_default:
      # Default value applied to all roles
      NovaReservedHostMemory: 2048
      ComputeDpdkParameters:
          # Applied only to ComputeDpdk role
          NovaReservedHostMemory: 4096

In the above sample, the cluster contains 2 roles - Compute, ComputeDpdk.
The values of ComputeDpdkParameters will be passed on to the templates
as RoleParameters while creating the stack for ComputeDpdk role. The
parameter which supports role specific configuration, should find the
parameter first in the RoleParameters list, if not found, then the
default (for all roles) should be used.

Implements: blueprint tripleo-derive-parameters

Change-Id: I72376a803ec6b2ed93903cc0c95a6ffce718b6dc
2017-05-15 10:06:46 +05:30
Michele Baldessari dde4f6d1cf Set puppet-redis managed_by_cluster_manager to true
Via https://github.com/arioch/puppet-redis/pull/192 puppet-redis grew
ulimit support also for pacemaker managed redis instances. To be able to
use that we need to set redis::managed_by_cluster_manager to true.

We also allow redis::ulimit to be configurable and we set a default of
10420 which was the default value before the above change.

Change-Id: I06129870665d7d3bfa09057fd9f0a33a99f98397
Depends-On: I4ffccfe3e3ba862d445476c14c8f2cb267fa108d
Closes-Bug: #1688464
2017-05-06 19:09:08 +02:00
Michele Baldessari b6a7ac432c Bind redis-sentinel to its network
We currently do not bind redis-sentinel to any IP:
redis      21144  0.0  0.0 142908  5908 ?        Ssl  07:43   0:11 /usr/bin/redis-sentinel *:26379 [sentinel]

Let's bind it to the same network as redis.

Change-Id: I8a782ae1db84eb614aa3995a1638a2f370e70d06
Partial-Bug: #1673715
2017-03-17 12:01:15 +01:00
Steven Hardy 3c6ec654b4 Bump template version for all templates to "ocata"
Heat now supports release name aliases, so we can replace
the inconsistent mix of date related versions with one consistent
version that aligns with the supported version of heat for this
t-h-t branch.

This should also help new users who sometimes copy/paste old templates
and discover intrinsic functions in the t-h-t docs don't work because
their template version is too old.

Change-Id: Ib415e7290fea27447460baa280291492df197e54
2016-12-23 11:43:39 +00:00
Dan Prince 7876851011 Hiera optimization: use a new hiera hook
This patch optimizes how we deploy hiera by using a new
heat hook specifically designed to help compose hiera
within heat templates. As part of this change:

 - we update all the 'hiera' software configurations to set the group to hiera
   instead of os-apply-config.

 - The new format uses JSON instead of YAML. The hook actually writes
   out the hiera JSON directly so no conversion takes place. Arrays,
   Strings, Booleans all stay in their native formats. As such we can avoid
   having to do many of the awkward string and list conversions in t-h-t to
   support the previous YAML formatting.

 - The new hook prefers JSON over YAML so upgrading users will have the
   new files preferred. (we will post a cleanup routine for the old files
   soon but this isn't a new behavior, JSON is now simply preferred.)

 - A lot of services required edits to account for default settings that
   worked in YAML that no longer work correctly in the native JSON
   format. In almost all these cases I think the resulting code looks
   cleaner and is more explicit with regards to what is getting
   configured in hiera on the actual nodes.

Depends-On: I6a383b1ad4ec29458569763bd3f56fd3f2bd726b
Closes-bug: #1596373

Change-Id: Ibe7e2044e200e2c947223286fdf4fd5bcf98c2e1
2016-11-30 22:16:13 -05:00
Giulio Fidente ff3924988a Move Redis, Memcached, Sahara, OVS agent out of role templates
Change-Id: I99784b5cfbb741bfc6d1ce9b77e8acf6cf00e073
Related-Bug: 1604414
2016-08-26 04:07:21 +02:00
Dan Prince db4d11f7f5 Move Keepalived/HAproxy settings out of controller
This moves the config settings out of controller.yaml for Keepalived
and HAproxy.

NOTE: the tripleo::haproxy::redis_password wasn't getting set
correctly before this patch. Looks like a breakage that
occurred when puppet-tripleo dropped the loadbalancer class.

Related-Bug: #1604414

Change-Id: Id24b02ac73f4ae33b20194da8a5f99f17403ece9
2016-08-24 08:00:34 -04:00
Dan Prince 3b62761d2f Add DefaultPasswords to composable services
This patch adds a new DefaultPasswords parameter to
composable services. This is needed to help provide
access to top level password resources that overcloud.yaml
currently manages (passwords for Rabbit, Mysql, etc.).

Moving the RandomString resources into composable services
would cause them to regenerate within the stack. With this
approach we can leave them where they are while we deprecate
the top level mechanism and move the code that uses the
passwords into the composable services.

Change-Id: I4f21603c58a169a093962594e860933306879e3f
2016-08-18 12:45:30 -04:00
Giulio Fidente 885b37c80e Pass ServiceNetMap to services
This will be needed to pick the network where the service has
to bind to from within the service template.

Change-Id: I52652e1ad8c7b360efd2c7af199e35932aaaea8c
2016-08-18 12:36:18 -04:00
Jenkins 9aec3de5b8 Merge "Convert service_name to underscore syntax" 2016-07-29 08:52:05 +00:00
Steven Hardy 7df649f59e Convert service_name to underscore syntax
Currently we use hyphens, e.g. cinder-api, but in overcloud.yaml
we have a lot of references to services (e.g. for AllNodesConfig)
by underscore, e.g. cinder_api.  To enable dynamic generation of
this data, we need the service name in underscore format.

Change-Id: Ief13dfe5d8d7691dfe2534ad5c39d7eacbcb6f70
2016-07-28 16:31:36 +01:00
Emilien Macchi 315fa31963 Migrate Puppet Hieradata to composable services
Migrate puppet/hieradata/*.yaml parameters to puppet/services/*.yaml
except for some services that are not composable yet.

Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: I7e5f8b18ee9aa63a1dffc6facaf88315b07d5fd7
2016-07-27 12:23:38 -04:00
Dan Prince 6b30ff11d4 Add 'service_name' to composable services
This patch adds a new service_name section to each composable
service. We now have an explicit unit test check to ensure that
service_name exists in tools/yaml-validate.py.

This patch also wires service_names into hieradata on each
of the roles so that tools can access the deployed services locally
during deployment and upgrades.

Change-Id: I60861c5aa760534db3e314bba16a13b90ea72f0c
2016-07-22 07:29:39 -04:00
Pradeep Kilambi 31c4167d86 Composable roles within services - Redis
Co-Authored-By: Carlos Camacho <ccamacho@redhat.com>

Change-Id: I0d9332f7f4f9116c5435d338a9c35d4fb3f512c6
Implements: blueprint composable-services-within-roles
Depends-On: I60493a3aa64e5136b763e8e2084d728f5f812f8a
2016-06-02 17:26:01 +02:00