Jenkins [Thu, 26 May 2016 14:11:18 +0000 (14:11 +0000)]
Merge "Add lookup_hiera_hash function"
Jenkins [Thu, 26 May 2016 07:39:02 +0000 (07:39 +0000)]
Merge "Add Heat profiles"
Giulio Fidente [Mon, 23 May 2016 19:09:21 +0000 (21:09 +0200)]
Add lookup_hiera_hash function
The lookup_hiera_hash function is meant to lookup for the value
of a given key from a given Hiera hash. In the manifests this is
possible by saving the value of the hash in a variable first but
when driving lookups from the Heat templates we can't do it.
Change-Id: Ie31bb70314db44a0a18e86090cc74aa4df5de169
Brad P. Crochet [Fri, 20 May 2016 12:16:03 +0000 (08:16 -0400)]
Change default CloudFormation ssl port to 13005
The current default of 13800 is a bit out of line with the other Heat
SSL ports. This makes it a more sane default of 13005.
Change-Id: Ic9aa71bfc80ca5fdb3b3c48dc55be7b98cf22ada
Jenkins [Fri, 20 May 2016 09:57:49 +0000 (09:57 +0000)]
Merge "Adds the base and pacemaker profile for the memcached service"
Jenkins [Thu, 19 May 2016 20:09:17 +0000 (20:09 +0000)]
Merge "Add loadbalancer profile for ha & non-ha"
Brad P. Crochet [Thu, 5 May 2016 11:52:47 +0000 (07:52 -0400)]
Add Heat profiles
Add Heat profiles for non-ha & ha scenarios.
Implements: blueprint refactor-puppet-manifests
Change-Id: I194cbb6aa307c2331597147545cf10299cab132f
marios [Thu, 5 May 2016 09:50:48 +0000 (12:50 +0300)]
Adds the base and pacemaker profile for the memcached service
Implements: blueprint refactor-puppet-manifests
This is the puppet-tripleo side for the memcached as a composable
service. The related tht review that uses this is at
I8802c2a0cf1e5fa1a6d1fab5e87f6014bea2f517
Change-Id: Icd504aef7dda144582c286c56c925a78566af72c
Emilien Macchi [Thu, 5 May 2016 15:41:21 +0000 (11:41 -0400)]
Add loadbalancer profile for ha & non-ha
The profile contains Puppet classes to deploy loadbalancer services
(HAproxy & Keepalived) for ha & non-ha scenarios.
A future iteration will split HAproxy & keepalived, but for now, we just
want to move out the code from THT to puppet-tripleo.
Change-Id: I9b106dcc1a4d446ab5dea8430ed295e6ec209cbd
Implements: blueprint refactor-puppet-manifests
Jenkins [Wed, 18 May 2016 15:29:00 +0000 (15:29 +0000)]
Merge "Composable role for RabbitMQ"
Jenkins [Wed, 18 May 2016 09:52:16 +0000 (09:52 +0000)]
Merge "Remove manage_service and enabled from TripleO manifests"
Emilien Macchi [Mon, 2 May 2016 20:42:21 +0000 (16:42 -0400)]
Composable role for RabbitMQ
Add RabbitMQ composable role, and keep the same logic that we had in
THT.
Implements: blueprint refactor-puppet-manifests
Change-Id: I961bdbe1cc6dd1d4a315de616439f9fc77d793ae
Emilien Macchi [Sat, 14 May 2016 09:22:02 +0000 (11:22 +0200)]
Remove Nova EC2 HAproxy endpoint
THT does not deploy Nova EC2 anymore, so we don't need the HAproxy
endpoint anymore.
Change-Id: Ia888fe7e14c736ef3678d9a7cf69a2deb9233342
Depends-On: Ief2d0e5c77b5ac58560606fee930fbd66c40ffc3
Alex Schultz [Fri, 13 May 2016 16:10:18 +0000 (10:10 -0600)]
Update keystone service name for signing keys
Since keystone is being run under apache, the signing keys should notify
apache and not the keystone service. The keystone service is actually
disabled, so if the keys get updated nothing happens.
Change-Id: Idfebeabf03d010956569c32b24437245e2b93c2a
Related-Bug: #
1581591
Jenkins [Wed, 11 May 2016 10:49:10 +0000 (10:49 +0000)]
Merge "Add the neutron-dnsmasq.conf to neutron profile"
Dan Prince [Wed, 11 May 2016 01:49:00 +0000 (21:49 -0400)]
Add the neutron-dnsmasq.conf to neutron profile
This was in the initial neutron profile patches but got removed
mid-way (see patch 16 comments here:
Ida781badbcd63bbcb481a2170638aefe262b717b). The file is in fact
required in order to get the ping test properly passing with TripleO.
Change-Id: Ibbfd79421f871e41f870745a593cca65e8c0e58a
Emilien Macchi [Tue, 10 May 2016 12:56:55 +0000 (08:56 -0400)]
keystone: drop usage of step 6
* Manage roles & endpoints at step 5
* Set correct orchestration for Pacemaker resources within a single
step.
Change-Id: I079e65f535af069312b602e8ff58be80ab2f2226
Jenkins [Tue, 10 May 2016 13:49:13 +0000 (13:49 +0000)]
Merge "Add tripleo::selinux"
Giulio Fidente [Fri, 6 May 2016 17:38:29 +0000 (19:38 +0200)]
Remove manage_service and enabled from TripleO manifests
These can be controlled via the specific Pacemaker role template.
Depends-On: I91a4267f0fc230f63df3333747d28463c7ae55fe
Change-Id: I8ef7bb94e048b998712b3534ceb51a7d10d016e9
Jenkins [Sat, 7 May 2016 23:17:33 +0000 (23:17 +0000)]
Merge "Add neutron profiles"
Jenkins [Fri, 6 May 2016 13:13:16 +0000 (13:13 +0000)]
Merge "add metadata.json file"
Jenkins [Fri, 6 May 2016 03:10:21 +0000 (03:10 +0000)]
Merge "Add dport/sport parameter to firewall rule"
Emilien Macchi [Thu, 5 May 2016 17:13:36 +0000 (13:13 -0400)]
add metadata.json file
This file will be useful to contain the release tag so we can
automatically generate tarballs in OpenStack Infra.
No requirements have been set, on purpose, because we won't use
puppetlabs forge to install the module.
Change-Id: Iada2ba5ff37760537cd15630333d2e80550fc031
James Slagle [Fri, 22 Apr 2016 13:30:38 +0000 (09:30 -0400)]
Add tripleo::selinux
Adds a class to configure SELinux. The code is taken from
puppet-openstack-cloud:
https://github.com/redhat-cip/puppet-openstack-cloud
This allows to share the same code for usage by both the Undercloud and
Overcloud.
Co-Authored By: Emilien Macchi <emilien@redhat.com>
Co-Authored By: Yanis Guenane <yguenane@redhat.com>
blueprint undercloud-elements
Change-Id: If214005df733d41c2fa4e197df247d8a14baaa14
James Slagle [Wed, 20 Apr 2016 14:11:36 +0000 (10:11 -0400)]
Add dport/sport parameter to firewall rule
The port parameter to puppetlabs-firewall is actually deprecated[1].
This adds support for using the new parameter names dport and sport. The
port parameter is still retained in puppet-tripleo for backwards
compatibily for anyone using that interface. It is marked deprecated in
the documentation, however no deprecation warning is needed because
there is already a warning from from puppetlabs-firewall.
blueprint undercloud-elements
Change-Id: I0598007f90018f80a3266193bb24dbf112de49b7
Michael Chapman [Wed, 16 Mar 2016 13:35:35 +0000 (00:35 +1100)]
Add neutron profiles
Implements: blueprint refactor-puppet-manifests
Add neutron profiles for both pacemaker and non-ha.
HA profiles are designed such that they include the base
profiles, disabling features as needed, while the base
profile can be used independently.
Co-Authored-By: Dan Prince <dprince@redhat.com>
Change-Id: Ida781badbcd63bbcb481a2170638aefe262b717b
Giulio Fidente [Wed, 4 May 2016 13:16:54 +0000 (15:16 +0200)]
Create dbs in step 3 for the roles
Before the roles we could make the create db operation depend on a
'galera-ready' resource [1]. We can't do it anymore from the role so
we need to do create in step 3, when we do sync as well.
1. https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/manifests/overcloud_controller_pacemaker.pp#L382
Change-Id: Id065a9180f1f1a41ab225ec5f755498ec7d9a827
Giulio Fidente [Thu, 28 Apr 2016 21:59:14 +0000 (16:59 -0500)]
Noop start/stop/restart action for Glance and Keystone in the roles
Change-Id: I1d95746cb990292462106c191987147eba30ee61
Giulio Fidente [Fri, 22 Apr 2016 14:45:56 +0000 (16:45 +0200)]
Move databases creation and sync with the role
This change moves the database creation and sync with the role
profile, so that it's only executed when the role is enabled and
by the role itself.
It also calls the non-pacemaker profiles out of the 'step'
conditional because the non-pacemaker profiles know how to deal with
'step' already.
Change-Id: I6c752cb53090e7ef8e0319bade462f2453ed7660
Related-Bug:
1572952
Giulio Fidente [Fri, 22 Apr 2016 14:00:49 +0000 (16:00 +0200)]
Add aodh and gnocchi to schema profiles
Change-Id: Ifb0cc7769ef99e4c7142c8f955f0ca721d61e9b5
Jenkins [Fri, 22 Apr 2016 13:55:57 +0000 (13:55 +0000)]
Merge "Add steps to database profiles"
Jenkins [Thu, 21 Apr 2016 14:53:30 +0000 (14:53 +0000)]
Merge "Enable HAProxy forwardfor option for Horizon."
Jenkins [Thu, 21 Apr 2016 14:50:02 +0000 (14:50 +0000)]
Merge "Add destination parameter to firewall rule"
Jenkins [Wed, 20 Apr 2016 22:16:35 +0000 (22:16 +0000)]
Merge "Add Glance profiles"
James Slagle [Wed, 20 Apr 2016 13:03:03 +0000 (09:03 -0400)]
Add destination parameter to firewall rule
Specifying a destination cidr is already supported by
puppetlabs-firewall, we just need to pass through the parameter in
rule.pp in puppet-tripleo.
This will allow creating iptables rules that forward network traffic for
a given cidr via puppet-tripleo.
Change-Id: I23582a55cd97248be52f45e14de7e813ff499ff7
Michael Chapman [Tue, 19 Apr 2016 15:10:13 +0000 (01:10 +1000)]
Add steps to database profiles
Database schema profiles were missing step information, causing
schemas to be created too early.
Change-Id: Ic381804ce5f1aa257ece75d2e079f4b02f446344
Emilien Macchi [Tue, 1 Mar 2016 01:04:34 +0000 (20:04 -0500)]
IPv6 dual-stack support
TL;DR:
If keystone_public_api_vip and/or public_virtual_ip is an array of IPs,
HAproxy will be configured to listen on all IPs that are given in the
arrays.
It allows to specify an array for keystone_public_api_vip and/or
public_virtual_ip where one IP is v4 and another one is v6.
HAproxy will configured to listen on both and redirect the traffic to
the IPv6 network (Dual-Stack).
Implementation & background:
HAproxy requires binding options as an hash where each IP contains an
array of binding options.
TripleO does not support Puppet Parser [1] (yet) so we can't manipulate
data iterations inside the manifests.
This patch creates a custom function, called list_to_hash.
Example:
keystone_vips = ['192.168.0.1:5000', '192.168.0.2:5000']
$keystone_bind_opts = ['transparent']
Using this function:
$keystone_vips_hash = list_to_hash($keystone_vips,
$keystone_bind_opts)
Would return:
$keystone_vips_hash = {
'192.168.0.1:5000' => ['transparent'],
'192.168.0.2:5000' => ['transparent'],
}
This function will help us in loadbalancer.pp to construct binding
options in dynamic way.
It's backward compatible, so you don't have to give an array.
But if you do, multiple binding will be configured in HAproxy and you'll
also be able to deploy IPv6 Dual-Stack.
[1] https://docs.puppetlabs.com/puppet/latest/reference/lang_iteration.html
Change-Id: I003b6d7d171652654745861d4231882f9e0d373e
Jenkins [Mon, 18 Apr 2016 20:27:12 +0000 (20:27 +0000)]
Merge "Disable ip_nonlocal_bind (rely on the HAProxy 'transparent' option)"
Dimitri Savineau [Wed, 23 Mar 2016 14:14:30 +0000 (10:14 -0400)]
Enable HAProxy forwardfor option for Horizon.
Horizon's backends (httpd) see IP address of the haproxy in the logs instead
of the client address.
Adding forwardfor option allows to add the client address to the
X-Forwarded-For HTTP header and can be replace in the logs by configured the
backend servers with this header.
Change-Id: I54f0f5549d64768dacca71539c71a28cc99d9d95
Jenkins [Thu, 14 Apr 2016 08:29:15 +0000 (08:29 +0000)]
Merge "Add support for internal/admin endpoint TLS in HAProxy"
Jenkins [Thu, 14 Apr 2016 07:46:59 +0000 (07:46 +0000)]
Merge "Add generic manifest for loadbalancer endpoints"
Sofer Athlan-Guyot [Wed, 13 Apr 2016 20:37:05 +0000 (22:37 +0200)]
Refactor HAproxy and VIP creation.
In tripleo heat template, overcloud_controller_pacemaker.pp has a lot of
duplicate code to define haproxy and vip creation. This is an attempt
to refactor this.
Change-Id: I4cc6711911c1bfa1bc6063979e2b2a7ab5b8d37b
Jenkins [Mon, 11 Apr 2016 21:28:45 +0000 (21:28 +0000)]
Merge "Fix Sahara SSL default port"
Emilien Macchi [Tue, 22 Mar 2016 21:33:22 +0000 (17:33 -0400)]
Add Glance profiles
Add Glance profiles for non-ha & ha scenarios.
Change-Id: Ifc388f7058ccfff2818f531bcbc00c7179874bbc
Implements: blueprint refactor-puppet-manifests
Juan Antonio Osorio Robles [Fri, 8 Apr 2016 10:33:30 +0000 (10:33 +0000)]
Add support for internal/admin endpoint TLS in HAProxy
This commits adds the option to pass an internal certificate.
The aforementioned certificate will be used to terminate TLS
connections for the internal and admin endpoints.
Change-Id: I9d781b42c63cf34bd1f5ba2c71014c6b9de0f990
Juan Antonio Osorio Robles [Thu, 7 Apr 2016 06:51:49 +0000 (09:51 +0300)]
Add generic manifest for loadbalancer endpoints
In order to reduce repeated code in the loadbalancer manifest, the
repeated parts were moved into one manifest that contains the
endpoint resource.
Change-Id: Ib72abe9de7ab073dcbd780298385b0c519f363aa
Juan Antonio Osorio Robles [Mon, 11 Apr 2016 08:12:10 +0000 (11:12 +0300)]
Fix Sahara SSL default port
There were two issues with the SSL port for sahara.
* It was conflicting with Manila's port
* It was documented incorrectly
This has been fixed
Change-Id: I9f710e014890b6daa6b3e511fd811c1e25bd0de3
Pradeep Kilambi [Tue, 5 Apr 2016 15:34:49 +0000 (11:34 -0400)]
Map gnocchi vip to haproxy_listen_bind_param
Change-Id: I7d2eb9405e0171fc54fa0b616122f69db5f51ce2
Jenkins [Mon, 11 Apr 2016 10:45:02 +0000 (10:45 +0000)]
Merge "Fix comparison to control_virtual_ip"
Juan Antonio Osorio Robles [Tue, 5 Apr 2016 07:43:33 +0000 (10:43 +0300)]
Remove individual service certificates
They are not being used and add extra logic and unnecessary clutter
to the code. So this CR removes them in favor of just configuring
TLS with the service_certificate. The only individual cert left was
the one for haproxy stats.
Change-Id: Ic3b769423917e723ecc83e32bcbae17568345661
Juan Antonio Osorio Robles [Thu, 7 Apr 2016 06:50:56 +0000 (09:50 +0300)]
Add missing services ports to service_ports map
AODH, Gnocchi, Sahara and Trove were missing from the service_ports
maps and thus had hardcoded ports in the listener configuration. The
addition of those ports to the map is required to give the
possibility to deployers to configure those ports if needed. This
commit adds them to that map.
Change-Id: Id009d65bf68ba91f97b0d60d32028da50fc88fc3
James Slagle [Mon, 4 Apr 2016 16:08:17 +0000 (12:08 -0400)]
Fix comparison to control_virtual_ip
When managing the vip's, we were incorrectly comparing the vip to
$control_virtual_interface instead of $controller_virtual_ip when
determining if we needed to actually create the vip or not.
This caused the vips for internal api, storage, and storage mgmt to
always be created even if they were the same as the control vip. Afaict,
this didn't actually cause any problems, other than having extra vip's
created when they weren't needed. Still, this corrects the code to do
what it was intended to do.
Change-Id: I29aee95afcba25008b8b7bee37ba636eb2595cca
Jenkins [Fri, 1 Apr 2016 08:36:19 +0000 (08:36 +0000)]
Merge "Make cipher suite and SSL options configurable"
Jenkins [Mon, 28 Mar 2016 21:16:05 +0000 (21:16 +0000)]
Merge "Redirect to https for horizon"
Jenkins [Sun, 27 Mar 2016 23:57:32 +0000 (23:57 +0000)]
Merge "Add keystone and db sync profiles"
Giulio Fidente [Tue, 22 Mar 2016 16:22:59 +0000 (17:22 +0100)]
Allow the Redis specific monitor to use authentication
When accessing Redis, if password protected, we need to update
the HAProxy checks so that they use a password or we won't be able
to gather which node is the replica master.
Also adds PING/PONG and QUIT/OK sequence before and after the info
command is sent.
More at https://bugzilla.redhat.com/show_bug.cgi?id=
1320036
Change-Id: Ia9e61e66c5426061eab8172f0a25820989597780
Juan Antonio Osorio Robles [Fri, 18 Mar 2016 07:57:42 +0000 (09:57 +0200)]
Make cipher suite and SSL options configurable
This CR enables the ability to set the cipher suite to be used by
HAproxy and the SSL options. So now the user can enable these through
hiera. The cipher suite comes from the Fedora system crypto policy.
Change-Id: Ia5751d4049026683fa13d4bc4cbf4eaffe054b48
Depends-On: I4943c6c74e0be96c1d7e190908b9262df05d059a
Michael Chapman [Tue, 15 Mar 2016 05:38:35 +0000 (16:38 +1100)]
Add keystone and db sync profiles
Implements: blueprint refactor-puppet-manifests
Add keystone profiles for both pacemaker and non-ha.
Add db sync profiles for pacemaker and non-ha.
HA profiles are designed such that they include the base
profiles, disabling features as needed, while the base
profile can be used independently.
Change-Id: I2faf5a78db802549053ec41678bf83bf28108189
Juan Antonio Osorio Robles [Fri, 18 Mar 2016 08:30:55 +0000 (10:30 +0200)]
Redirect to https for horizon
This adds a TLS binding listening on the internal network for
horizon. And on the other hand, if the public binding for horizon is
accessed via non-https, it will redirect to https.
Change-Id: I1f92ecd0c4845450df4b24f6b621d313ba9cbfc4
Depends-On: I4943c6c74e0be96c1d7e190908b9262df05d059a
Sofer Athlan-Guyot [Thu, 17 Mar 2016 16:44:41 +0000 (17:44 +0100)]
Hack to fix IPv6 parsing in facter.
This kludge fixes the wrong regexp used in facter to report all IPv6
addresses.
While the upstream bug[1] is being work out, this should do the job.
Closes-Bug:
1558490
[1] https://tickets.puppetlabs.com/browse/FACT-1372
Change-Id: I85dabbd26bf8f25b2a03d22f547618b666421a83
Ben Nemec [Wed, 9 Mar 2016 21:46:14 +0000 (21:46 +0000)]
Allow enabling authentication on haproxy.stats
Right now we always deploy the haproxy.stats endpoint with no
authentication, which is a security concern. Allow setting a
password on the endpoint so it isn't accessible to the world.
While this allows configuring SSL on the stats endpoint, it does
not use the service_certificate parameter because that certificate
is intended to be used only for public endpoints, and the stats
endpoint is actually on the admin VIP. Once we have support for
SSL on admin endpoints we can have stats use it by default.
Change-Id: I8a5844e89bd81a99d5101ab6bce7a8d79e069565
Jenkins [Wed, 9 Mar 2016 15:28:30 +0000 (15:28 +0000)]
Merge "Make OpenStack service ports configurable in HAProxy"
Juan Antonio Osorio Robles [Wed, 2 Mar 2016 13:54:16 +0000 (15:54 +0200)]
Make OpenStack service ports configurable in HAProxy
Some deployments were expecting specific ports for the OpenStack
services; In case the default ports are not meeting those needs, we
need to provide the means of changing the defaults.
Change-Id: Idbbcc90e2af1b3a731b0b5ea955df6082541a9f7
Jenkins [Thu, 3 Mar 2016 14:55:49 +0000 (14:55 +0000)]
Merge "loadbalancer: fix Redis timeout HAproxy config"
Juan Antonio Osorio Robles [Tue, 1 Mar 2016 07:34:16 +0000 (09:34 +0200)]
Always override X-Forwarded-Proto header for Heat
Heat has the ssl middleware to handle the X-Forwarded-Proto header by
default. We override this header when SSL is enabled because we need
to, but overriding it even when we won't be terminating SSL will
prevent some attacks using this header.
Change-Id: I0b2c61cd4f47c8c08a84402af310983af752d3f2
Jason Guiditta [Thu, 25 Feb 2016 15:27:26 +0000 (10:27 -0500)]
loadbalancer: fix Redis timeout HAproxy config
Current HAproxy config is broken for Redis timeout parameters. This is what we
have today by default in HAproxy logs:
[WARNING] 238/115010 (13878) : config : missing timeouts for proxy 'redis'.
| While not properly invalid, you will certainly encounter various problems
| with such a configuration. To fix this, please ensure that all following
| timeouts are set to a non-zero value: 'client', 'connect', 'server'.
This patch removes the explicit setting of client and server timeouts to 0,
which is the cause of the above warning. Instead, Redis will simply inherit the
haproxy defaults, which should be a more reasonable setting, and result in no
warnings.
Change-Id: Ibe7941bec02f5facf21732910c9ad96f547ff8e5
Juan Antonio Osorio Robles [Mon, 22 Feb 2016 13:09:05 +0000 (15:09 +0200)]
Override X-Forwarded-Proto header
Right now, the only manipulation done to the X-Forwarded-Proto header
is done if an SSL connection is established. This is not sufficient as
one might be able to erroneously put values through that header.
This patch disables that behaviour by defaulting to plain http if an
SSL connection is not established.
Change-Id: I4bf6def21e21148834c2baa9669190bab8fa95ef
Jenkins [Thu, 18 Feb 2016 13:19:57 +0000 (13:19 +0000)]
Merge "packages: secure upgrade workflow from dependency cycles"
Jenkins [Wed, 17 Feb 2016 09:25:04 +0000 (09:25 +0000)]
Merge "Handle redirects for Horizon"
Jenkins [Thu, 11 Feb 2016 20:40:46 +0000 (20:40 +0000)]
Merge "Enable X-Forwarded-Proto header for keystone admin endpoint"
Ben Nemec [Fri, 15 Jan 2016 18:45:11 +0000 (18:45 +0000)]
Handle redirects for Horizon
As for Heat, we need to be able to handle 30X redirects from Horizon
when configured to use SSL. Because Horizon's redirects are
handled directly by Apache, we can't use middleware to handle the
X-Forwarded-Proto header like we are planning to do for the other
services. However, in this case we don't need to worry about
rewriting urls in the payload like we do for the other services
because Horizon is just serving standard web pages, not custom
HTTP bodies with JSON contents.
One other change from the previous Heat patch is to drop the IP
from the rewrite regex. This is because Horizon will generally be
accessed via a DNS name, so the IP won't appear in the Location
header. The heat regex should probably be changed as well since
we now support registering endpoints with DNS names, but since we
plan to move all the other services to the X-Forwarded-Proto header
middleware anyway we can probably just wait until that happens and
then remove the Heat rule entirely.
Change-Id: I039a3036be17eeabe3cff68e0ef24f70907cc568
Jenkins [Thu, 11 Feb 2016 12:51:05 +0000 (12:51 +0000)]
Merge "Use HAProxy 'transparent' bind option for compat with IPv6"
Jenkins [Thu, 11 Feb 2016 12:50:56 +0000 (12:50 +0000)]
Merge "Make haproxy balancer default options configurable"
Jenkins [Mon, 25 Jan 2016 15:14:32 +0000 (15:14 +0000)]
Merge "loadbalancer: add Gnocchi API support"
Jenkins [Mon, 25 Jan 2016 09:32:22 +0000 (09:32 +0000)]
Merge "SSL/Cinder: enable ssl_header_handler filter"
Emilien Macchi [Fri, 22 Jan 2016 13:48:45 +0000 (08:48 -0500)]
Drop webmock dependency
webmock is not used anywhere in puppet-tripleo, let's clean it.
Change-Id: Idd8646e69e31a63791a345765c459d094a23f813
Juan Antonio Osorio Robles [Sat, 16 Jan 2016 10:07:59 +0000 (12:07 +0200)]
SSL/Cinder: enable ssl_header_handler filter
Enable oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory in
ssl_header_handler middlewarefilter so we can run Nova API with SSL
support.
Change-Id: If88dcdf9f4905e2a792b2fdc656eab51c85f637e
Emilien Macchi [Sat, 16 Jan 2016 00:25:17 +0000 (19:25 -0500)]
packages: secure upgrade workflow from dependency cycles
Change the workflow to be:
Upgrade all packages before any services that is notified & managed by
Puppet.
It also disable the Exec timeout so we rely on Heat timeout and not on
the 300s that are the default in Puppet [1]
Example: we upgrade and OpenStack config will change (obviously).
Puppet catalog will contain 3 important things:
* config resources
* service resources
* package-upgrade Exec resource
with that patch, what will happen:
* puppet will update config first or second and notify
services
* puppet will run package-upgrade first or second but before
the package-upgrade Exec resource
* at the very end, puppet will restart services
That way, we avoid complications with Puppet dependency cycle issues.
[1] https://docs.puppetlabs.com/references/latest/type.html#exec-attribute-timeout
Closes-Bug:
1536349
Change-Id: I07310bdfc5b07b03ac9fa5f8c13e87eaa2bfef4d
Juan Antonio Osorio Robles [Thu, 14 Jan 2016 09:01:13 +0000 (11:01 +0200)]
Enable X-Forwarded-Proto header for keystone admin endpoint
This is useful for handling URLs properly when TLS is enabled.
Change-Id: I4defed679cf3b2980dcc4ce1db030c0fdf154bfe
Giulio Fidente [Wed, 13 Jan 2016 20:12:57 +0000 (21:12 +0100)]
Disable ip_nonlocal_bind (rely on the HAProxy 'transparent' option)
Change-Id: Ib57a4bf463900e68cbf97900027f972e590799c2
Giulio Fidente [Fri, 8 Jan 2016 15:26:36 +0000 (16:26 +0100)]
Use HAProxy 'transparent' bind option for compat with IPv6
Change-Id: Iddf1fdaabc1c758546999e7af7e7412158400e7f
Juan Antonio Osorio Robles [Wed, 13 Jan 2016 16:26:15 +0000 (18:26 +0200)]
Enable X-Forwarded-Proto header for cinder
Change-Id: I3bd836140537fc5b7e3fba600a712d6a9d6f1185
Giulio Fidente [Fri, 8 Jan 2016 15:07:35 +0000 (16:07 +0100)]
Make haproxy balancer default options configurable
Change-Id: Id5e119e0949d27a6e3b3f21ecd5e2eb39f1eeb13
Jenkins [Thu, 7 Jan 2016 14:16:04 +0000 (14:16 +0000)]
Merge "Haproxy has non-working Horizon session persistence."
Jenkins [Thu, 7 Jan 2016 14:15:51 +0000 (14:15 +0000)]
Merge "Upgrade all packages after puppet managed ones"
Jenkins [Wed, 6 Jan 2016 12:37:20 +0000 (12:37 +0000)]
Merge "loadbalancer: fix MySQL timeout HAproxy config"
Jenkins [Tue, 5 Jan 2016 17:23:31 +0000 (17:23 +0000)]
Merge "Trove integration"
Jenkins [Tue, 5 Jan 2016 17:21:35 +0000 (17:21 +0000)]
Merge "Sahara integration"
Jenkins [Tue, 5 Jan 2016 16:54:22 +0000 (16:54 +0000)]
Merge "Enable X-Forwarded-Proto header for Heat and Nova"
Jenkins [Tue, 5 Jan 2016 16:43:11 +0000 (16:43 +0000)]
Merge "Enable X-Forwarded-Proto header for keystone_public"
Sofer Athlan-Guyot [Wed, 16 Dec 2015 13:07:02 +0000 (14:07 +0100)]
Haproxy has non-working Horizon session persistence.
Haproxy is using session persistence[1] for horizon. It is not
correctly configured though. The cookie is not properly set. This add
the necessary code.
[1]: http://blog.haproxy.com/2012/03/29/load-balancing-affinity-persistence-sticky-sessions-what-you-need-to-know/
Change-Id: Ic9d79475cf84c25fb8146ecbc5f0a45862c106f0
Closes-Bug:
1526786
Ethan Gafford [Thu, 1 Oct 2015 23:28:47 +0000 (19:28 -0400)]
Trove integration
Adds configuration for Trove to loadbalancer class.
Partially-implements: blueprint trove-integration
Change-Id: I3cdf43b6d63ad0ee68db047518743c62b6689f56
Ethan Gafford [Fri, 4 Sep 2015 21:27:18 +0000 (17:27 -0400)]
Sahara integration
Adds configuration for Sahara to loadbalancer class.
Change-Id: I0f0a1dc2eaa57d8226bad8cfb250110296ab9614
Partially-implements: blueprint sahara-integration
Dan Prince [Wed, 23 Dec 2015 15:20:44 +0000 (10:20 -0500)]
Upgrade all packages after puppet managed ones
This updates tripleo::packages so that when enable_upgrade
is used it will:
1) upgrade puppet managed packages (will trigger puppet dependencies)
2) then upgrade all packages via exec
3) then restart services
NOTE: the intention here is that the Exec['update-packages'] will
always execute if enable_upgrade is set. It is not idempotent
in this regard because I think we always want to execute it
if enable_upgrade is set.
Change-Id: I02f7cf07792765359f19fdf357024d9e48690e42
Related-bug: #
1522943
Jenkins [Tue, 22 Dec 2015 18:50:28 +0000 (18:50 +0000)]
Merge "Adds IPv6 support for interface_for_ip function"
Juan Antonio Osorio Robles [Wed, 16 Dec 2015 16:56:29 +0000 (18:56 +0200)]
Enable X-Forwarded-Proto header for Heat and Nova
Change-Id: Icd666d9988d14ac1e9581f55589bf95243cc7641
Jenkins [Thu, 17 Dec 2015 10:20:03 +0000 (10:20 +0000)]
Merge "Allows customization of the HAProxy default timeouts"
Gilles Dubreuil [Mon, 16 Nov 2015 05:55:28 +0000 (16:55 +1100)]
Adds IPv6 support for interface_for_ip function
Proper interface matching when an IPv6 address is provided.
If Facter version used is < 3 then it adds the netmask6 facts as custom facts.
Fix bugs https://bugzilla.redhat.com/show_bug.cgi?id=
1280523
Change-Id: Ide26ca1740dc12ea5f47a28f4cecacd6ef0b18f9
Jaume Devesa [Mon, 30 Nov 2015 11:53:55 +0000 (12:53 +0100)]
Modify cassandra dependency
Switch to locp/cassandra module since it has much more options than
midonet/puppet-cassandra and it is already defined on the
openstack-puppet-modules packages in RHEL. More info:
https://bugzilla.redhat.com/show_bug.cgi?id=
1285718
Depends-On: I72f21036fda795b54312a7d39f04c30bbf16c41b
Change-Id: Icea9bd96e4c80a26b9e813d383f84099c736d7bf
Jaume Devesa [Mon, 14 Dec 2015 11:49:31 +0000 (12:49 +0100)]
Adding psych on Gemfile explicitly
It seems like bundle has a bug[1] that, somehow, it unloads the psych
library unless is installed through bundle itself. It will be fixed on
bundle 1.2.
[1]: http://github.com/bundler/bundler/issues/2068
Change-Id: Ic2fa8a8f114c3183a656bfdb1bc2d6d6413dbb75
Code Review / apex-puppet-tripleo.git / log