Changes for configuring Nuage
[apex-tripleo-heat-templates.git] / puppet / controller.yaml
index d8d9a82..9f127f9 100644 (file)
@@ -106,6 +106,10 @@ parameters:
     default: true
     description: Whether to use Galera instead of regular MariaDB.
     type: boolean
+  EnableLoadBalancer:
+    default: true
+    description: Whether to deploy a LoadBalancer on the Controller
+    type: boolean
   EnableCephStorage:
     default: false
     description: Whether to deploy Ceph Storage (OSD) on the Controller
@@ -278,6 +282,14 @@ parameters:
     type: string
     default: 'regionOne'
     description: Keystone region for endpoint
+  ManageFirewall:
+    default: false
+    description: Whether to manage IPtables rules.
+    type: boolean
+  PurgeFirewallRules:
+    default: false
+    description: Whether IPtables rules should be purged before setting up the new ones.
+    type: boolean
   MysqlClusterUniquePart:
     description: A unique identifier of the MySQL cluster the controller is in.
     type: string
@@ -366,9 +378,18 @@ parameters:
     default: 'True'
     description: Allow automatic l3-agent failover
     type: string
+  NeutronEnableIsolatedMetadata:
+    default: 'False'
+    description: If True, DHCP provide metadata route to VM.
+    type: string
   NeutronEnableTunnelling:
     type: string
     default: "True"
+  NeutronEnableL2Pop:
+    type: string
+    description: >
+        Enable/disable the L2 population feature in the Neutron agents.
+    default: "False"
   NeutronFlatNetworks:
     type: string
     default: 'datacentre'
@@ -505,20 +526,6 @@ parameters:
     description: The user password for SNMPd with readonly rights running on all Overcloud nodes
     type: string
     hidden: true
-  SSLCACertificate:
-    default: ''
-    description: If set, the contents of an SSL certificate authority file.
-    type: string
-  SSLCertificate:
-    default: ''
-    description: If set, the contents of an SSL certificate .crt file for encrypting SSL endpoints.
-    type: string
-    hidden: true
-  SSLKey:
-    default: ''
-    description: If set, the contents of an SSL certificate .key file for encrypting SSL endpoints.
-    type: string
-    hidden: true
   SwiftHashSuffix:
     default: unset
     description: A random string to be used as a salt when hashing to determine mappings
@@ -597,6 +604,14 @@ parameters:
   Hostname:
     type: string
     default: '' # Defaults to Heat created hostname
+  NetworkDeploymentActions:
+    type: comma_delimited_list
+    description: >
+      Heat action when to apply network configuration changes
+    default: ['CREATE']
+  NodeIndex:
+    type: number
+    default: 0
 
 resources:
 
@@ -693,10 +708,26 @@ resources:
     properties:
       config: {get_resource: NetworkConfig}
       server: {get_resource: Controller}
+      actions: {get_param: NetworkDeploymentActions}
       input_values:
         bridge_name: br-ex
         interface_name: {get_param: NeutronPublicInterface}
 
+  # Resource for site-specific injection of root certificate
+  NodeTLSCAData:
+    depends_on: NetworkDeployment
+    type: OS::TripleO::NodeTLSCAData
+    properties:
+      server: {get_resource: Controller}
+
+  # Hook for site-specific passing of private keys/certificates
+  NodeTLSData:
+    depends_on: NodeTLSCAData
+    type: OS::TripleO::NodeTLSData
+    properties:
+      server: {get_resource: Controller}
+      NodeIndex: {get_param: NodeIndex}
+
   ControllerDeployment:
     type: OS::TripleO::SoftwareDeployment
     depends_on: NetworkDeployment
@@ -706,6 +737,8 @@ resources:
       input_values:
         bootstack_nodeid: {get_attr: [Controller, name]}
         neutron_enable_tunneling: {get_param: NeutronEnableTunnelling}
+        neutron_enable_l2pop: {get_param: NeutronEnableL2Pop}
+        neutron_enable_isolated_metadata: {get_param: NeutronEnableIsolatedMetadata}
         haproxy_log_address: {get_param: HAProxySyslogAddress}
         heat.watch_server_url:
           list_join:
@@ -806,8 +839,11 @@ resources:
         keystone_ec2_uri: { get_param: [EndpointMap, KeystoneEC2, uri] }
         enable_fencing: {get_param: EnableFencing}
         enable_galera: {get_param: EnableGalera}
+        enable_load_balancer: {get_param: EnableLoadBalancer}
         enable_ceph_storage: {get_param: EnableCephStorage}
         enable_swift_storage: {get_param: EnableSwiftStorage}
+        manage_firewall: {get_param: ManageFirewall}
+        purge_firewall_rules: {get_param: PurgeFirewallRules}
         mysql_innodb_buffer_pool_size: {get_param: MysqlInnodbBufferPoolSize}
         mysql_max_connections: {get_param: MysqlMaxConnections}
         mysql_root_password: {get_param: MysqlRootPassword}
@@ -887,6 +923,7 @@ resources:
         neutron_public_url: { get_param: [ EndpointMap, NeutronPublic, uri ] }
         neutron_admin_url: { get_param: [ EndpointMap, NeutronAdmin, uri ] }
         neutron_admin_auth_url: { get_param: [ EndpointMap, KeystoneAdmin, uri ] }
+        nova_internal_url: { get_param: [ EndpointMap, NovaInternal, uri ] }
         ceilometer_backend: {get_param: CeilometerBackend}
         ceilometer_metering_secret: {get_param: CeilometerMeteringSecret}
         ceilometer_password: {get_param: CeilometerPassword}
@@ -998,6 +1035,7 @@ resources:
             - neutron_bigswitch_data # Optionally provided by ControllerExtraConfigPre
             - neutron_cisco_data # Optionally provided by ControllerExtraConfigPre
             - cisco_n1kv_data # Optionally provided by ControllerExtraConfigPre
+            - neutron_nuage_data # Optionally provided by ControllerExtraConfigPre
           datafiles:
             controller_extraconfig:
               mapped_data: {get_param: ControllerExtraConfig}
@@ -1022,6 +1060,7 @@ resources:
 
                 # Pacemaker
                 enable_fencing: {get_input: enable_fencing}
+                enable_load_balancer: {get_input: enable_load_balancer}
                 hacluster_pwd: {get_input: pcsd_password}
                 tripleo::fencing::config: {get_input: fencing_config}
 
@@ -1155,7 +1194,7 @@ resources:
                 # Neutron
                 neutron::bind_host: {get_input: neutron_api_network}
                 neutron::rabbit_password: {get_input: rabbit_password}
-                neutron::rabbit_user: {get_input: rabbit_user}
+                neutron::rabbit_user: {get_input: rabbit_username}
                 neutron::rabbit_use_ssl: {get_input: rabbit_client_use_ssl}
                 neutron::rabbit_port: {get_input: rabbit_client_port}
                 neutron::debug: {get_input: debug}
@@ -1164,6 +1203,8 @@ resources:
                 neutron::server::database_connection: {get_input: neutron_dsn}
                 neutron::agents::l3::external_network_bridge: {get_input: neutron_external_network_bridge}
                 neutron::agents::ml2::ovs::enable_tunneling: {get_input: neutron_enable_tunneling}
+                neutron::agents::ml2::ovs::l2_population: {get_input: neutron_enable_l2pop}
+                neutron::agents::dhcp::enable_isolated_metadata: {get_input: neutron_enable_isolated_metadata}
                 neutron::agents::ml2::ovs::local_ip: {get_input: neutron_local_ip}
                 neutron_flat_networks: {get_input: neutron_flat_networks}
                 neutron::agents::metadata::shared_secret: {get_input: neutron_metadata_proxy_shared_secret}
@@ -1193,6 +1234,15 @@ resources:
                 neutron_dsn: {get_input: neutron_dsn}
                 neutron::agents::metadata::auth_url: {get_input: keystone_identity_uri}
                 neutron::db::mysql::password: {get_input: neutron_password}
+                neutron::keystone::auth::public_url: {get_input: neutron_public_url }
+                neutron::keystone::auth::internal_url: {get_input: neutron_internal_url }
+                neutron::keystone::auth::admin_url: {get_input: neutron_admin_url }
+                neutron::keystone::auth::password: {get_input: neutron_password }
+                neutron::keystone::auth::region: {get_input: keystone_region}
+                neutron::server::notifications::nova_url: {get_input: nova_internal_url}
+                neutron::server::notifications::auth_url: {get_input: neutron_admin_auth_url}
+                neutron::server::notifications::tenant_name: 'service'
+                neutron::server::notifications::password: {get_input: nova_password}
 
                 # Ceilometer
                 ceilometer_backend: {get_input: ceilometer_backend}
@@ -1246,9 +1296,14 @@ resources:
                 rabbitmq::node_ip_address: {get_input: rabbitmq_network}
                 rabbitmq::erlang_cookie: {get_input: rabbit_cookie}
                 rabbitmq::file_limit: {get_input: rabbit_fd_limit}
+                rabbitmq::default_user: {get_input: rabbit_username}
+                rabbitmq::default_pass: {get_input: rabbit_password}
                 # Redis
                 redis::bind: {get_input: redis_network}
                 redis_vip: {get_input: redis_vip}
+                # Firewall
+                tripleo::firewall::manage_firewall: {get_input: manage_firewall}
+                tripleo::firewall::purge_firewall_rules: {get_input: purge_firewall_rules}
                 # Misc
                 memcached::listen_ip: {get_input: memcached_network}
                 neutron_public_interface_ip: {get_input: neutron_public_interface_ip}
@@ -1258,6 +1313,12 @@ resources:
                 tripleo::loadbalancer::control_virtual_interface: {get_input: control_virtual_interface}
                 tripleo::loadbalancer::public_virtual_interface: {get_input: public_virtual_interface}
                 tripleo::loadbalancer::haproxy_log_address: {get_input: haproxy_log_address}
+                # NOTE(jaosorior): The service certificate configuration for
+                # HAProxy was left commented because to properly use this, we
+                # need to be able to set up the keystone endpoints. And
+                # currently that is not possible, but is being addressed by
+                # other commits.  A subsequent commit will uncomment this.
+                #tripleo::loadbalancer::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]}
                 tripleo::packages::enable_install: {get_input: enable_package_install}
                 tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade}
 
@@ -1271,7 +1332,7 @@ resources:
   # Hook for site-specific additional pre-deployment config,
   # applying to all nodes, e.g node registration/unregistration
   NodeExtraConfig:
-    depends_on: ControllerExtraConfigPre
+    depends_on: [ControllerExtraConfigPre, NodeTLSData]
     type: OS::TripleO::NodeExtraConfig
     properties:
         server: {get_resource: Controller}
@@ -1351,5 +1412,13 @@ outputs:
       list_join:
         - ','
         - - {get_attr: [ControllerDeployment, deploy_stdout]}
+          - {get_attr: [NodeTLSCAData, deploy_stdout]}
+          - {get_attr: [NodeTLSData, deploy_stdout]}
           - {get_attr: [ControllerExtraConfigPre, deploy_stdout]}
           - {get_param: UpdateIdentifier}
+  tls_key_modulus_md5:
+    description: MD5 checksum of the TLS Key Modulus
+    value: {get_attr: [NodeTLSData, key_modulus_md5]}
+  tls_cert_modulus_md5:
+    description: MD5 checksum of the TLS Certificate Modulus
+    value: {get_attr: [NodeTLSData, cert_modulus_md5]}