X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=blobdiff_plain;f=puppet%2Fservices%2Fnova-libvirt.yaml;h=38608bf498d80aed977f0c19f50b956326a524b3;hb=refs%2Fheads%2Fmaster;hp=21a5e78a40ab9f8a1bb1e794f026638a1c0e6387;hpb=63bd7483196808d028b2e35d9cc4e4e1609969da;p=apex-tripleo-heat-templates.git

diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml
index 21a5e78a..38608bf4 100644
--- a/puppet/services/nova-libvirt.yaml
+++ b/puppet/services/nova-libvirt.yaml
@@ -1,9 +1,13 @@
-heat_template_version: ocata
+heat_template_version: pike
 
 description: >
   Libvirt service configured with Puppet
 
 parameters:
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
   ServiceNetMap:
     default: {}
     description: Mapping of service_name -> network name. Typically set
@@ -13,11 +17,33 @@ parameters:
   DefaultPasswords:
     default: {}
     type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
   EndpointMap:
     default: {}
     description: Mapping of service endpoint -> protocol. Typically set
                  via parameter_defaults in the resource registry.
     type: json
+  CephClientUserName:
+    default: openstack
+    type: string
+  CephClientKey:
+    description: The Ceph client key. Can be created with ceph-authtool --gen-print-key.
+    type: string
+    hidden: true
+  CephClusterFSID:
+    type: string
+    description: The Ceph cluster FSID. Must be a UUID.
+  CinderEnableRbdBackend:
+    default: false
+    description: Whether to enable or not the Rbd backend for Cinder
+    type: boolean
   NovaComputeLibvirtType:
     type: string
     default: kvm
@@ -40,36 +66,65 @@ parameters:
     default: true
     description: If set to true and if EnableInternalTLS is enabled, it will
                  set the libvirt URI's transport to tls and configure the
-                 relevant keys for libvirt.
+                 relevant keys for libvirt. NOTE. this is currently being
+                 ignored and TLS for libvirtd is always disabled for now.
+  InternalTLSCAFile:
+    default: '/etc/ipa/ca.crt'
+    type: string
+    description: Specifies the default CA cert to use if TLS is used for
+                 services in the internal network.
   LibvirtCACert:
     type: string
-    default: '/etc/ipa/ca.crt'
+    default: ''
     description: This specifies the CA certificate to use for TLS in libvirt.
                  This file will be symlinked to the default CA path in libvirt,
                  which is /etc/pki/CA/cacert.pem. Note that due to limitations
                  GNU TLS, which is the TLS backend for libvirt, the file must
-                 be less than 65K (so we can't use the system's CA bundle). The
-                 current default reflects TripleO's default CA, which is
-                 FreeIPA. It will only be used if internal TLS is enabled.
+                 be less than 65K (so we can't use the system's CA bundle).
+                 This parameter should be used if the default (which comes from
+                 the InternalTLSCAFile parameter) is not desired. The current
+                 default reflects TripleO's default CA, which is FreeIPA.
+                 It will only be used if internal TLS is enabled.
+  MigrationSshKey:
+    type: json
+    description: >
+      SSH key for migration.
+      Expects a dictionary with keys 'public_key' and 'private_key'.
+      Values should be identical to SSH public/private key files.
+    default:
+      public_key: ''
+      private_key: ''
+  MigrationSshPort:
+    default: 2022
+    description: Target port for migration over ssh
+    type: number
 
 conditions:
 
-  use_tls_for_live_migration:
-    and:
-    - equals:
-      - {get_param: EnableInternalTLS}
-      - true
-    - equals:
-      - {get_param: UseTLSTransportForLiveMigration}
-      - true
+  use_tls_for_live_migration: false
+  # and:
+  # - equals:
+  #   - {get_param: EnableInternalTLS}
+  #   - true
+  # - equals:
+  #   - {get_param: UseTLSTransportForLiveMigration}
+  #   - true
+
+  libvirt_specific_ca_unset:
+    equals:
+      - {get_param: LibvirtCACert}
+      - ''
 
 resources:
   NovaBase:
     type: ./nova-base.yaml
     properties:
+      ServiceData: {get_param: ServiceData}
       ServiceNetMap: {get_param: ServiceNetMap}
       DefaultPasswords: {get_param: DefaultPasswords}
       EndpointMap: {get_param: EndpointMap}
+      RoleName: {get_param: RoleName}
+      RoleParameters: {get_param: RoleParameters}
 
 outputs:
   role_data:
@@ -84,8 +139,17 @@ outputs:
           - nova::compute::libvirt::manage_libvirt_services: false
           # we manage migration in nova common puppet profile
             nova::compute::libvirt::migration_support: false
-            tripleo::profile::base::nova::manage_migration: true
-            tripleo::profile::base::nova::libvirt_enabled: true
+            nova::compute::rbd::libvirt_rbd_user: {get_param: CephClientUserName}
+            nova::compute::rbd::rbd_keyring:
+              list_join:
+              - '.'
+              - - 'client'
+                - {get_param: CephClientUserName}
+            nova::compute::rbd::libvirt_rbd_secret_key: {get_param: CephClientKey}
+            nova::compute::rbd::libvirt_rbd_secret_uuid: {get_param: CephClusterFSID}
+            tripleo::profile::base::nova::migration::client::libvirt_enabled: true
+            tripleo::profile::base::nova::migration::client::ssh_private_key: {get_param: [ MigrationSshKey, private_key ]}
+            tripleo::profile::base::nova::migration::client::ssh_port: {get_param: MigrationSshPort}
             nova::compute::libvirt::services::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
             nova::compute::libvirt::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
             nova::compute::libvirt::libvirt_enabled_perf_events: {get_param: LibvirtEnabledPerfEvents}
@@ -93,19 +157,22 @@ outputs:
             nova::compute::libvirt::qemu::max_files: 32768
             nova::compute::libvirt::qemu::max_processes: 131072
             nova::compute::libvirt::vncserver_listen: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+            rbd_persistent_storage: {get_param: CinderEnableRbdBackend}
             tripleo.nova_libvirt.firewall_rules:
               '200 nova_libvirt':
                 dport:
                   - 16514
                   - '49152-49215'
-                  - '5900-5999'
+                  - '5900-6923'
 
           -
             if:
               - use_tls_for_live_migration
               -
                 generate_service_certificates: true
-                tripleo::profile::base::nova::libvirt_tls: true
+                tripleo::profile::base::nova::migration::client::libvirt_tls: true
+                nova::migration::libvirt::listen_address:
+                  get_param: [ServiceNetMap, NovaLibvirtNetwork]
                 nova::migration::libvirt::live_migration_inbound_addr:
                   str_replace:
                     template:
@@ -113,7 +180,10 @@ outputs:
                     params:
                       $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                 tripleo::certmonger::ca::libvirt::origin_ca_pem:
-                  get_param: LibvirtCACert
+                  if:
+                    - libvirt_specific_ca_unset
+                    - get_param: InternalTLSCAFile
+                    - get_param: LibvirtCACert
                 tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt'
                 tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private'
                 libvirt_certificates_specs: