692717bd46
The LP bug referenced below describes a number of issues when
cinder tries to use etcd for its distributed lock manager with
internal TLS enabled. This patch resolves issues related to
generating and distributing etcd's cert and key files.
- The etcd cert must contain a subject alternative name (SAN) for the
etcd node's internal API IP address. This is necessary because etcd
wants to use IP addresses (versus host names), and this requires the
IP address be listed in the TLS certificate.
- The cert and key files are generated on the host, and must be
available to multiple services running in their respective containers.
The cert and key files need to be bind mounted, and an ACL is
required so the etcd and cinder services have permission to read the
files.
EnableEtcdInternalTLS, a workaround introduced in [1], still defaults
to False. The default value can be switched to True after tripleo
switches from using novajoin to the ansible tripleo-ipa role for
registering nodes with the IdM service.
[1] https://review.opendev.org/#/q/Iec0d02f8f51067098dd58beb4fe57a7fd5ab5651
Closes-Bug: #1869955
Depends-On: Ifa7452ec15b81f48d7e5fb1252f20b5af1dff95c
Change-Id: I798d60818b214de9266226c8409b69525a951dd5
(cherry picked from commit
|
||
---|---|---|
ci | ||
common | ||
container_config_scripts | ||
deployed-server | ||
deployment | ||
environments | ||
extraconfig | ||
firstboot | ||
network | ||
plan-samples | ||
puppet | ||
releasenotes | ||
roles | ||
sample-env-generator | ||
scripts | ||
tools | ||
tripleo_heat_templates | ||
validation-scripts | ||
zuul.d | ||
.gitignore | ||
.gitreview | ||
.testr.conf | ||
LICENSE | ||
README.rst | ||
all-nodes-validation.yaml | ||
babel.cfg | ||
bindep.txt | ||
capabilities-map.yaml | ||
config-download-software.yaml | ||
config-download-structured.yaml | ||
default_passwords.yaml | ||
j2_excludes.yaml | ||
lower-constraints.txt | ||
net-config-bond.j2.yaml | ||
net-config-bridge.j2.yaml | ||
net-config-linux-bridge.j2.yaml | ||
net-config-noop.j2.yaml | ||
net-config-standalone.j2.yaml | ||
net-config-static-bridge-with-external-dhcp.j2.yaml | ||
net-config-static-bridge.j2.yaml | ||
net-config-static.j2.yaml | ||
net-config-undercloud.j2.yaml | ||
network_data.yaml | ||
network_data_dashboard.yaml | ||
network_data_ganesha.yaml | ||
network_data_routed.yaml | ||
network_data_subnets_routed.yaml | ||
network_data_undercloud.yaml | ||
overcloud-resource-registry-puppet.j2.yaml | ||
overcloud.j2.yaml | ||
plan-environment.yaml | ||
requirements.txt | ||
roles_data.yaml | ||
roles_data_undercloud.yaml | ||
setup.cfg | ||
setup.py | ||
test-requirements.txt | ||
tox.ini |
README.rst
Team and repository tags
tripleo-heat-templates
Heat templates to deploy OpenStack using OpenStack.
- Free software: Apache License (2.0)
- Documentation: https://docs.openstack.org/tripleo-docs/latest/
- Source: https://opendev.org/openstack/tripleo-heat-templates
- Bugs: https://bugs.launchpad.net/tripleo
- Release notes: https://docs.openstack.org/releasenotes/tripleo-heat-templates/
Features
The ability to deploy a multi-node, role based OpenStack deployment using OpenStack Heat. Notable features include:
- Choice of deployment/configuration tooling: puppet, (soon) docker
- Role based deployment: roles for the controller, compute, ceph, swift, and cinder storage
- physical network configuration: support for isolated networks, bonding, and standard ctlplane networking
Directories
A description of the directory layout in TripleO Heat Templates.
- environments: contains heat environment files that can be used with -e
on the command like to enable features, etc.
- extraconfig: templates used to enable 'extra' functionality. Includes
functionality for distro specific registration and upgrades.
- firstboot: example first_boot scripts that can be used when initially
creating instances.
- network: heat templates to help create isolated networks and ports
- puppet: templates mostly driven by configuration with puppet. To use these
templates you can use the overcloud-resource-registry-puppet.yaml.
- validation-scripts: validation scripts useful to all deployment
configurations
- roles: example roles that can be used with the tripleoclient to generate
a roles_data.yaml for a deployment See the roles/README.rst for additional details.
Service testing matrix
The configuration for the CI scenarios will be defined in tripleo-heat-templates/ci/ and should be executed according to the following table:
- | scn000 | scn001 | scn002 | scn003 | scn004 | scn006 | scn007 | scn009 | scn010 | non-ha | ovh-ha |
---|---|---|---|---|---|---|---|---|---|---|---|
keystone |
|
|
|
|
|
|
|
|
|
|
|
glance |
|
swift |
|
|
|
|
|
|
|
||
cinder |
|
iscsi | |||||||||
heat |
|
|
|||||||||
ironic |
|
||||||||||
mysql |
|
|
|
|
|
|
|
|
|
|
|
neutron |
|
|
|
|
|
|
|
|
|
||
neutron-bgpvpn |
|
||||||||||
ovn |
|
||||||||||
neutron-l2gw |
|
||||||||||
om-rpc | rabbit | rabbit |
|
rabbit | rabbit | rabbit | rabbit | rabbit | rabbit | ||
om-notify | rabbit | rabbit | rabbit | rabbit | rabbit | rabbit | rabbit | rabbit | rabbit | ||
redis |
|
|
|||||||||
haproxy |
|
|
|
|
|
|
|
|
|
||
memcached |
|
|
|
|
|
|
|
|
|
||
pacemaker |
|
|
|
|
|
|
|
|
|
||
nova |
|
|
|
|
ironic |
|
|
|
|
||
ntp |
|
|
|
|
|
|
|
|
|
|
|
snmp |
|
|
|
|
|
|
|
|
|
|
|
timezone |
|
|
|
|
|
|
|
|
|
|
|
sahara |
|
||||||||||
mistral |
|
||||||||||
swift |
|
||||||||||
aodh |
|
|
|||||||||
ceilometer |
|
|
|||||||||
gnocchi |
|
|
|||||||||
panko |
|
|
|||||||||
barbican |
|
||||||||||
zaqar |
|
||||||||||
ec2api |
|
||||||||||
cephrgw |
|
||||||||||
tacker |
|
||||||||||
cephmds |
|
||||||||||
manila |
|
||||||||||
collectd |
|
||||||||||
designate |
|
||||||||||
octavia |
|