Merge "Re-organizes Contrail services to the correct roles"

2017-01-31 22:45:13 +00:00 · 2017-01-31 22:45:13 +00:00 · 3e85ebb1df
commit 3e85ebb1df
parent 349d05d656 9c9667e214
11 changed files with 1857 additions and 318 deletions
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@ -64,6 +64,26 @@
 #  Can be a string or an array.
 #  Defaults to undef
 #
+# [*contrail_config_hosts*]
+#  (optional) Specify the contrail config hosts ips.
+#  Defaults to hiera('contrail_config_node_ips')
+#
+# [*contrail_config_hosts_names*]
+#  (optional) Specify the contrail config hosts.
+#  Defaults to hiera('contrail_config_node_ips')
+#
+# [*contrail_config*]
+#  (optional) Switch to check that contrail config is enabled.
+#  Defaults to hiera('contrail_config_enabled')
+#
+# [*contrail_webui*]
+#  (optional) Switch to check that contrail config is enabled.
+#  Defaults to hiera('contrail_webui_enabled')
+#
+# [*contrail_analytics*]
+#  (optional) Switch to check that contrail config is enabled.
+#  Defaults to hiera('contrail_analytics_enabled')
+#
 # [*public_virtual_ip*]
 #  Public IP or group of IPs to bind the pools
 #  Can be a string or an array.
@ -519,6 +539,11 @@ class tripleo::haproxy (
  $haproxy_stats_password      = undef,
  $controller_hosts            = hiera('controller_node_ips'),
  $controller_hosts_names      = hiera('controller_node_names', undef),
+  $contrail_config_hosts       = hiera('contrail_config_node_ips', undef),
+  $contrail_config_hosts_names = hiera('contrail_config_node_names', undef),
+  $contrail_analytics          = hiera('contrail_analytics_enabled', false),
+  $contrail_config             = hiera('contrail_config_enabled', false),
+  $contrail_webui              = hiera('contrail_webui_enabled', false),
  $service_certificate         = undef,
  $use_internal_certificates   = false,
  $internal_certificates_specs = {},
@ -616,6 +641,14 @@ class tripleo::haproxy (
    cinder_api_ssl_port => 13776,
    congress_api_port => 1789,
    congress_api_ssl_port => 13789,
+    contrail_config_port => 8082,
+    contrail_config_ssl_port => 18082,
+    contrail_discovery_port => 5998,
+    contrail_discovery_ssl_port => 15998,
+    contrail_analytics_port => 8090,
+    contrail_analytics_ssl_port => 18090,
+    contrail_webui_http_port => 8080,
+    contrail_webui_https_port => 8143,
    docker_registry_port => 8787,
    docker_registry_ssl_port => 13787,
    glance_api_port => 9292,
@ -1561,5 +1594,50 @@ class tripleo::haproxy (
      public_ssl_port   => $ports[ui_ssl_port],
    }
  }
-
+  if $contrail_config {
+    ::tripleo::haproxy::endpoint { 'contrail_config':
+      public_virtual_ip => $public_virtual_ip,
+      internal_ip       => hiera('contrail_config_vip', $controller_virtual_ip),
+      service_port      => $ports[contrail_config_port],
+      ip_addresses      => hiera('contrail_config_node_ips'),
+      server_names      => hiera('contrail_config_node_ips'),
+      public_ssl_port   => $ports[contrail_config_ssl_port],
+    }
+    ::tripleo::haproxy::endpoint { 'contrail_discovery':
+      public_virtual_ip => $public_virtual_ip,
+      internal_ip       => hiera('contrail_config_vip', $controller_virtual_ip),
+      service_port      => $ports[contrail_discovery_port],
+      ip_addresses      => hiera('contrail_config_node_ips'),
+      server_names      => hiera('contrail_config_node_ips'),
+      public_ssl_port   => $ports[contrail_discovery_ssl_port],
+    }
+  }
+  if $contrail_analytics {
+    ::tripleo::haproxy::endpoint { 'contrail_analytics':
+      public_virtual_ip => $public_virtual_ip,
+      internal_ip       => hiera('contrail_analytics_vip', $controller_virtual_ip),
+      service_port      => $ports[contrail_analytics_port],
+      ip_addresses      => hiera('contrail_config_node_ips'),
+      server_names      => hiera('contrail_config_node_ips'),
+      public_ssl_port   => $ports[contrail_analytics_ssl_port],
+    }
+  }
+  if $contrail_webui {
+    ::tripleo::haproxy::endpoint { 'contrail_webui_http':
+      public_virtual_ip => $public_virtual_ip,
+      internal_ip       => hiera('contrail_webui_vip', $controller_virtual_ip),
+      service_port      => $ports[contrail_webui_http_port],
+      ip_addresses      => hiera('contrail_config_node_ips'),
+      server_names      => hiera('contrail_config_node_ips'),
+      public_ssl_port   => $ports[contrail_webui_http_port],
+    }
+    ::tripleo::haproxy::endpoint { 'contrail_webui_https':
+      public_virtual_ip => $public_virtual_ip,
+      internal_ip       => hiera('contrail_webui_vip', $controller_virtual_ip),
+      service_port      => $ports[contrail_webui_https_port],
+      ip_addresses      => hiera('contrail_config_node_ips'),
+      server_names      => hiera('contrail_config_node_ips'),
+      public_ssl_port   => $ports[contrail_webui_https_port],
+    }
+  }
 }
--- a/manifests/network/contrail/analytics.pp
+++ b/manifests/network/contrail/analytics.pp
@ -43,6 +43,21 @@
 #  String value.
 #  Defaults to hiera('contrail::admin_user')
 #
+# [*api_server*]
+#  (optional) IP address of api server
+#  String value.
+#  Defaults to hiera('contrail_config_vip')
+#
+# [*api_port*]
+#  (optional) port of api server
+#  String value.
+#  Defaults to hiera('contrail::api_port')
+#
+# [*analytics_aaa_mode*]
+#  (optional) analytics aaa mode parameter
+#  String value.
+#  Defaults to hiera('contrail::analytics_aaa_mode')
+#
 # [*auth_host*]
 #  (optional) keystone server ip address
 #  String (IPv4) value.
@ -53,11 +68,26 @@
 #  Integer value.
 #  Defaults to hiera('contrail::auth_port')
 #
+# [*auth_port_ssl*]
+#  (optional) keystone ssl port.
+#  Integer value.
+#  Defaults to hiera('contrail::auth_port_ssl')
+#
 # [*auth_protocol*]
 #  (optional) authentication protocol.
 #  String value.
 #  Defaults to hiera('contrail::auth_protocol')
 #
+# [*ca_file*]
+#  (optional) ca file name
+#  String value.
+#  Defaults to hiera('contrail::service_certificate',false)
+#
+# [*cert_file*]
+#  (optional) cert file name
+#  String value.
+#  Defaults to hiera('contrail::service_certificate',false)
+#
 # [*cassandra_server_list*]
 #  (optional) List IPs+port of Cassandra servers
 #  Array of strings value.
@ -76,7 +106,7 @@
 # [*disc_server_ip*]
 #  (optional) IPv4 address of discovery server.
 #  String (IPv4) value.
-#  Defaults to hiera('contrail::disc_server_ip')
+#  Defaults to hiera('contrail_config_vip')
 #
 # [*disc_server_port*]
 #  (optional) port Discovery server listens on.
@ -103,6 +133,31 @@
 #  String (IPv4) value + port
 #  Defaults to hiera('contrail::memcached_server')
 #
+# [*public_vip*]
+#  (optional) Public virtual IP address
+#  String (IPv4) value
+#  Defaults to hiera('public_virtual_ip')
+#
+# [*rabbit_server*]
+#  (optional) IPv4 addresses of rabbit server.
+#  Array of String (IPv4) value.
+#  Defaults to hiera('rabbitmq_node_ips')
+#
+# [*rabbit_user*]
+#  (optional) Rabbit user
+#  String value.
+#  Defaults to hiera('contrail::rabbit_user')
+#
+# [*rabbit_password*]
+#  (optional) Rabbit password
+#  String value.
+#  Defaults to hiera('contrail::rabbit_password')
+#
+# [*rabbit_port*]
+#  (optional) port of rabbit server
+#  String value.
+#  Defaults to hiera('contrail::rabbit_port')
+#
 # [*redis_server*]
 #  (optional) IPv4 address of redis server.
 #  String (IPv4) value.
@ -123,123 +178,209 @@
 #  Integer value.
 #  Defaults to 8081
 #
+# [*step*]
+#  (optional) Step stack is in
+#  Integer value.
+#  Defaults to hiera('step')
+#
 # [*zk_server_ip*]
 #  (optional) List IPs+port of Zookeeper servers
 #  Array of strings value.
 #  Defaults to hiera('contrail::zk_server_ip')
 #
 class tripleo::network::contrail::analytics(
-  $host_ip,
-  $admin_password = hiera('contrail::admin_password'),
-  $admin_tenant_name = hiera('contrail::admin_tenant_name'),
-  $admin_token = hiera('contrail::admin_token'),
-  $admin_user = hiera('contrail::admin_user'),
-  $auth_host = hiera('contrail::auth_host'),
-  $auth_port = hiera('contrail::auth_port'),
-  $auth_protocol = hiera('contrail::auth_protocol'),
-  $cassandra_server_list = hiera('contrail::cassandra_server_list'),
-  $collector_http_server_port = 8089,
-  $collector_sandesh_port = 8086,
-  $disc_server_ip = hiera('contrail::disc_server_ip'),
-  $disc_server_port = hiera('contrail::disc_server_port'),
-  $http_server_port = 8090,
-  $insecure = hiera('contrail::insecure'),
-  $kafka_broker_list = hiera('contrail::kafka_broker_list'),
-  $memcached_servers = hiera('contrail::memcached_server'),
-  $redis_server = '127.0.0.1',
-  $redis_server_port = 6379,
-  $rest_api_ip = '0.0.0.0',
-  $rest_api_port = 8081,
-  $zk_server_ip = hiera('contrail::zk_server_ip'),
+  $step                       = hiera('step'),
+  $admin_password             = hiera('contrail::admin_password'),
+  $admin_tenant_name          = hiera('contrail::admin_tenant_name'),
+  $admin_token                = hiera('contrail::admin_token'),
+  $admin_user                 = hiera('contrail::admin_user'),
+  $api_server                 = hiera('contrail_config_vip'),
+  $api_port                   = hiera('contrail::api_port'),
+  $auth_host                  = hiera('contrail::auth_host'),
+  $auth_port                  = hiera('contrail::auth_port'),
+  $auth_protocol              = hiera('contrail::auth_protocol'),
+  $auth_port_ssl              = hiera('contrail::auth_port_ssl'),
+  $analytics_aaa_mode         = hiera('contrail::analytics_aaa_mode'),
+  $cassandra_server_list      = hiera('contrail_analytics_database_node_ips'),
+  $ca_file                    = hiera('contrail::service_certificate',false),
+  $cert_file                  = hiera('contrail::service_certificate',false),
+  $collector_http_server_port = hiera('contrail::analytics::collector_http_server_port'),
+  $collector_sandesh_port     = hiera('contrail::analytics::collector_sandesh_port'),
+  $disc_server_ip             = hiera('contrail_config_vip'),
+  $disc_server_port           = hiera('contrail::disc_server_port'),
+  $http_server_port           = hiera('contrail::analytics::http_server_port'),
+  $host_ip                    = hiera('contrail::analytics::host_ip'),
+  $insecure                   = hiera('contrail::insecure'),
+  $kafka_broker_list          = hiera('contrail_analytics_database_node_ips'),
+  $memcached_servers          = hiera('contrail::memcached_server'),
+  $public_vip                 = hiera('public_virtual_ip'),
+  $rabbit_server              = hiera('rabbitmq_node_ips'),
+  $rabbit_user                = hiera('contrail::rabbit_user'),
+  $rabbit_password            = hiera('contrail::rabbit_password'),
+  $rabbit_port                = hiera('contrail::rabbit_port'),
+  $redis_server               = hiera('contrail::analytics::redis_server'),
+  $redis_server_port          = hiera('contrail::analytics::redis_server_port'),
+  $rest_api_ip                = hiera('contrail::analytics::rest_api_ip'),
+  $rest_api_port              = hiera('contrail::analytics::rest_api_port'),
+  $zk_server_ip               = hiera('contrail_database_node_ips'),
 )
 {
-  class {'::contrail::keystone':
-    keystone_config => {
-      'KEYSTONE' => {
+  $cassandra_server_list_9042 = join([join($cassandra_server_list, ':9042 '),':9042'],'')
+  $kafka_broker_list_9092 = join([join($kafka_broker_list, ':9092 '),':9092'],'')
+  $rabbit_server_list_5672 = join([join($rabbit_server, ":${rabbit_port},"),":${rabbit_port}"],'')
+  $redis_config = "bind ${host_ip} 127.0.0.1"
+  $zk_server_ip_2181 = join([join($zk_server_ip, ':2181 '),':2181'],'')
+  $zk_server_ip_2181_comma = join([join($zk_server_ip, ':2181,'),':2181'],'')
+
+  if $auth_protocol == 'https' {
+    $keystone_config = {
+        'admin_password'    => $admin_password,
+        'admin_tenant_name' => $admin_tenant_name,
+        'admin_user'        => $admin_user,
+        'auth_host'         => $auth_host,
+        'auth_port'         => $auth_port_ssl,
+        'auth_protocol'     => $auth_protocol,
+        'insecure'          => $insecure,
+        'certfile'          => $cert_file,
+        'cafile'            => $ca_file,
+    }
+    $vnc_api_lib_config = {
+      'auth' => {
+        'AUTHN_SERVER'   => $public_vip,
+        'AUTHN_PORT'     => $auth_port_ssl,
+        'AUTHN_PROTOCOL' => $auth_protocol,
+        'certfile'       => $cert_file,
+        'cafile'         => $ca_file,
+      },
+    }
+  } else {
+    $keystone_config = {
        'admin_password'    => $admin_password,
        'admin_tenant_name' => $admin_tenant_name,
-        'admin_token'       => $admin_token,
        'admin_user'        => $admin_user,
        'auth_host'         => $auth_host,
        'auth_port'         => $auth_port,
        'auth_protocol'     => $auth_protocol,
        'insecure'          => $insecure,
-        'memcached_servers' => $memcached_servers,
+    }
+    $vnc_api_lib_config = {
+      'auth' => {
+        'AUTHN_SERVER' => $public_vip,
      },
-    },
-  } ->
-  class {'::contrail::analytics':
-    analytics_api_config  => {
-      'DEFAULTS'  => {
-        'cassandra_server_list' => $cassandra_server_list,
-        'host_ip'               => $host_ip,
-        'http_server_port'      => $http_server_port,
-        'redis_server'          => $redis_server,
-        'rest_api_ip'           => $rest_api_ip,
-        'rest_api_port'         => $rest_api_port,
+    }
+  }
+  if $step >= 3 {
+    class {'::contrail::analytics':
+      alarm_gen_config         => {
+        'DEFAULTS'  => {
+          'host_ip'              => $host_ip,
+          'kafka_broker_list'    => $kafka_broker_list_9092,
+          'rabbitmq_server_list' => $rabbit_server_list_5672,
+          'rabbitmq_user'        => $rabbit_user,
+          'rabbitmq_password'    => $rabbit_password,
+          'zk_list'              => $zk_server_ip_2181,
+        },
+        'DISCOVERY' => {
+          'disc_server_ip'   => $disc_server_ip,
+          'disc_server_port' => $disc_server_port,
+        },
      },
-      'DISCOVERY' => {
-        'disc_server_ip'   => $disc_server_ip,
-        'disc_server_port' => $disc_server_port,
+      analytics_nodemgr_config => {
+        'DISCOVERY' => {
+          'server' => $disc_server_ip,
+          'port'   => $disc_server_port,
+        },
      },
-      'REDIS'     => {
-        'redis_server_port' => $redis_server_port,
-        'redis_query_port'  => $redis_server_port,
-        'server'            => $redis_server,
+      analytics_api_config     => {
+        'DEFAULTS'  => {
+          'api_server'            => "${api_server}:${api_port}",
+          'aaa_mode'              => $analytics_aaa_mode,
+          'cassandra_server_list' => $cassandra_server_list_9042,
+          'host_ip'               => $host_ip,
+          'http_server_port'      => $http_server_port,
+          'rest_api_ip'           => $rest_api_ip,
+          'rest_api_port'         => $rest_api_port,
+        },
+        'DISCOVERY' => {
+          'disc_server_ip'   => $disc_server_ip,
+          'disc_server_port' => $disc_server_port,
+        },
+        'REDIS'     => {
+          'redis_server_port' => $redis_server_port,
+          'redis_query_port'  => $redis_server_port,
+          'server'            => $redis_server,
+        },
+        'KEYSTONE'  => $keystone_config,
      },
-    },
-    collector_config      => {
-      'DEFAULTS'  => {
-        'cassandra_server_list' => $cassandra_server_list,
-        'disc_server_ip'        => $disc_server_ip,
-        'hostip'                => $host_ip,
-        'http_server_port'      => $collector_http_server_port,
-        'kafka_broker_list'     => $kafka_broker_list,
-        'zookeeper_server_list' => $zk_server_ip,
+      collector_config         => {
+        'DEFAULT'   => {
+          'cassandra_server_list' => $cassandra_server_list_9042,
+          'hostip'                => $host_ip,
+          'http_server_port'      => $collector_http_server_port,
+          'kafka_broker_list'     => $kafka_broker_list_9092,
+          'zookeeper_server_list' => $zk_server_ip_2181_comma,
+        },
+        'COLLECTOR' => {
+          'port' => $collector_sandesh_port,
+        },
+        'DISCOVERY' => {
+          'port'   => $disc_server_port,
+          'server' => $disc_server_ip,
+        },
+        'REDIS'     => {
+          'port'   => $redis_server_port,
+          'server' => $redis_server,
+        },
      },
-      'COLLECTOR' => {
-        'port' => $collector_sandesh_port,
+      query_engine_config      => {
+        'DEFAULT'   => {
+          'cassandra_server_list' => $cassandra_server_list_9042,
+          'hostip'                => $host_ip,
+        },
+        'DISCOVERY' => {
+          'port'   => $disc_server_port,
+          'server' => $disc_server_ip,
+        },
+        'REDIS'     => {
+          'port'   => $redis_server_port,
+          'server' => $redis_server,
+        },
      },
-      'DISCOVERY' => {
-        'port'   => $disc_server_port,
-        'server' => $disc_server_ip,
+      snmp_collector_config    => {
+        'DEFAULTS'  => {
+          'zookeeper' => $zk_server_ip_2181_comma,
+        },
+        'DISCOVERY' => {
+          'disc_server_ip'   => $disc_server_ip,
+          'disc_server_port' => $disc_server_port,
+        },
      },
-      'REDIS'     => {
-        'port'   => $redis_server_port,
-        'server' => $redis_server,
+      redis_config             => $redis_config,
+      topology_config          => {
+        'DEFAULTS'  => {
+          'zookeeper' => $zk_server_ip_2181_comma,
+        },
+        'DISCOVERY' => {
+          'disc_server_ip'   => $disc_server_ip,
+          'disc_server_port' => $disc_server_port,
+        },
      },
-    },
-    query_engine_config   => {
-      'DEFAULTS'  => {
-        'cassandra_server_list' => $cassandra_server_list,
-        'hostip'                => $host_ip,
+      vnc_api_lib_config       => $vnc_api_lib_config,
+      keystone_config          => {
+        'KEYSTONE'     => $keystone_config,
      },
-      'DISCOVERY' => {
-        'port'   => $disc_server_port,
-        'server' => $disc_server_ip,
-      },
-      'REDIS'     => {
-        'port'   => $redis_server_port,
-        'server' => $redis_server,
-      },
-    },
-    snmp_collector_config => {
-      'DEFAULTS'  => {
-        'zk_server_ip' => $zk_server_ip,
-      },
-      'DISCOVERY' => {
-        'disc_server_ip'   => $disc_server_ip,
-        'disc_server_port' => $disc_server_port,
-      },
-    },
-    topology_config       => {
-      'DEFAULTS'  => {
-        'zk_server_ip' => $zk_server_ip,
-      },
-      'DISCOVERY' => {
-        'disc_server_ip'   => $disc_server_ip,
-        'disc_server_port' => $disc_server_port,
-      },
-    },
+    }
+  }
+  if $step >= 5 {
+    class {'::contrail::analytics::provision_analytics':
+      api_address                => $api_server,
+      api_port                   => $api_port,
+      analytics_node_address     => $host_ip,
+      analytics_node_name        => $::fqdn,
+      keystone_admin_user        => $admin_user,
+      keystone_admin_password    => $admin_password,
+      keystone_admin_tenant_name => $admin_tenant_name,
+      openstack_vip              => $public_vip,
+    }
  }
 }
--- a/manifests/network/contrail/analyticsdatabase.pp
+++ b/manifests/network/contrail/analyticsdatabase.pp
@ -0,0 +1,202 @@
+#
+# Copyright (C) 2015 Juniper Networks
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::network::contrail::analyticsdatabase
+#
+# Configure Contrail Analytics Database services
+#
+# == Parameters:
+#
+# [*auth_host*]
+#  (optional) IPv4 VIP of Keystone
+#  String (IPv4) value
+#  Defaults to hiera('contrail::auth_host')
+#
+# [*auth_port_ssl*]
+#  (optional) keystone ssl port.
+#  Integer value.
+#  Defaults to hiera('contrail::auth_port_ssl')
+#
+# [*auth_protocol*]
+#  (optional) authentication protocol.
+#  String value.
+#  Defaults to hiera('contrail::auth_protocol')
+#
+# [*api_server*]
+#  (optional) IPv4 VIP of Contrail Config API
+#  String (IPv4) value
+#  Defaults to hiera('contrail_config_vip')
+#
+# [*api_port*]
+#  (optional) Port of Contrail Config API
+#  String value
+#  Defaults to hiera('contrail::api_port')
+#
+# [*admin_password*]
+#  (optional) Keystone Admin password
+#  String value
+#  Defaults to hiera('contrail::admin_password')
+#
+# [*admin_tenant_name*]
+#  (optional) Keystone Admin tenant name
+#  String value
+#  Defaults to hiera('contrail::admin_tenant_name')
+#
+# [*admin_token*]
+#  (optional) Keystone Admin token
+#  String value
+#  Defaults to hiera('contrail::admin_token')
+#
+# [*admin_user*]
+#  (optional) Keystone Admin user
+#  String value
+#  Defaults to hiera('contrail::admin_user')
+#
+# [*ca_file*]
+#  (optional) ca file name
+#  String value.
+#  Defaults to hiera('contrail::service_certificate',false)
+#
+# [*cert_file*]
+#  (optional) cert file name
+#  String value.
+#  Defaults to hiera('contrail::service_certificate',false)
+#
+# [*cassandra_servers*]
+#  (optional) List of analytics cassandra servers
+#  List (IPv4) value
+#  Defaults to hiera('contrail_analytics_database_node_ips')
+#
+# [*disc_server_ip*]
+#  (optional) IPv4 VIP of Contrail Discovery
+#  String (IPv4) value
+#  Defaults to hiera('contrail_config_vip')
+#
+# [*disc_server_port*]
+#  (optional) port Discovery server listens on.
+#  Integer value.
+#  Defaults to hiera('contrail::disc_server_port')
+#
+# [*host_ip*]
+#  (optional) host IP address of Database node
+#  String (IPv4) value.
+#  Defaults to hiera('contrail::analytics::database::host_ip')
+#
+# [*host_name*]
+#  (optional) host name of database node
+#  String value
+#  Defaults to $::hostname
+#
+# [*kafka_hostnames*]
+#  (optional) list of kafka server hostnames
+#  List value
+#  Defaults to hiera('contrail_analytics_database_short_node_names', '')
+#
+# [*public_vip*]
+#  (optional) Public VIP
+#  String (IPv4) value
+#  Defaults to hiera('public_virtual_ip')
+#
+# [*step*]
+#  (optional) step in the stack
+#  String value
+#  Defaults to hiera('step')
+#
+# [*zookeeper_server_ips*]
+#  (optional) list of zookeeper server IPs
+#  List value
+#  Defaults to hiera('contrail_database_node_ips')
+#
+class tripleo::network::contrail::analyticsdatabase(
+  $step                 = hiera('step'),
+  $auth_host            = hiera('contrail::auth_host'),
+  $api_server           = hiera('contrail_config_vip'),
+  $api_port             = hiera('contrail::api_port'),
+  $admin_password       = hiera('contrail::admin_password'),
+  $admin_tenant_name    = hiera('contrail::admin_tenant_name'),
+  $admin_token          = hiera('contrail::admin_token'),
+  $admin_user           = hiera('contrail::admin_user'),
+  $auth_port_ssl        = hiera('contrail::auth_port_ssl'),
+  $auth_protocol        = hiera('contrail::auth_protocol'),
+  $cassandra_servers    = hiera('contrail_analytics_database_node_ips'),
+  $ca_file              = hiera('contrail::service_certificate',false),
+  $cert_file            = hiera('contrail::service_certificate',false),
+  $disc_server_ip       = hiera('contrail_config_vip'),
+  $disc_server_port     = hiera('contrail::disc_server_port'),
+  $host_ip              = hiera('contrail::analytics::database::host_ip'),
+  $host_name            = $::hostname,
+  $kafka_hostnames      = hiera('contrail_analytics_database_short_node_names', ''),
+  $public_vip           = hiera('public_virtual_ip'),
+  $zookeeper_server_ips = hiera('contrail_database_node_ips'),
+)
+{
+  if $auth_protocol == 'https' {
+    $vnc_api_lib_config = {
+      'auth' => {
+        'AUTHN_SERVER'   => $public_vip,
+        'AUTHN_PORT'     => $auth_port_ssl,
+        'AUTHN_PROTOCOL' => $auth_protocol,
+        'certfile'       => $cert_file,
+        'cafile'         => $ca_file,
+      },
+    }
+  } else {
+    $vnc_api_lib_config = {
+      'auth' => {
+        'AUTHN_SERVER' => $public_vip,
+      },
+    }
+  }
+  if $step == 2 {
+    class {'::contrail::analyticsdatabase':
+      analyticsdatabase_params => {
+        'auth_host'             => $auth_host,
+        'api_server'            => $api_server,
+        'admin_password'        => $admin_password,
+        'admin_tenant_name'     => $admin_tenant_name,
+        'admin_token'           => $admin_token,
+        'admin_user'            => $admin_user,
+        'cassandra_servers'     => $cassandra_servers,
+        'host_ip'               => $host_ip,
+        'disc_server_ip'        => $disc_server_ip,
+        'disc_server_port'      => $disc_server_port,
+        'kafka_hostnames'       => $kafka_hostnames,
+        'zookeeper_server_ips'  => $zookeeper_server_ips,
+        database_nodemgr_config => {
+          'DEFAULT'   => {
+            'hostip' => $host_ip,
+          },
+          'DISCOVERY' => {
+            'port'   => $disc_server_port,
+            'server' => $disc_server_ip,
+          },
+        },
+        vnc_api_lib_config      => $vnc_api_lib_config,
+      }
+    }
+  }
+  if $step >= 5 {
+    class {'::contrail::database::provision_database':
+      api_address                => $api_server,
+      api_port                   => $api_port,
+      database_node_address      => $host_ip,
+      database_node_name         => $host_name,
+      keystone_admin_user        => $admin_user,
+      keystone_admin_password    => $admin_password,
+      keystone_admin_tenant_name => $admin_tenant_name,
+      openstack_vip              => $public_vip,
+    }
+  }
+}
--- a/manifests/network/contrail/config.pp
+++ b/manifests/network/contrail/config.pp
@ -19,21 +19,11 @@
 #
 # == Parameters:
 #
-# [*ifmap_password*]
-#  (required) ifmap password
-#  String value.
 #
-# [*ifmap_server_ip*]
-#  (required) ifmap server ip address.
+# [*aaa_mode*]
+#  (optional) aaa mode parameter
 #  String value.
-#
-# [*ifmap_username*]
-#  (required) ifmap username
-#  String value.
-#
-# [*rabbit_server*]
-#  (required) IPv4 address of rabbit server.
-#  String (IPv4) value.
+#  Defaults to hiera('contrail::aaa_mode')
 #
 # [*admin_password*]
 #  (optional) admin password
@ -55,6 +45,16 @@
 #  String value.
 #  Defaults to hiera('contrail::admin_user')
 #
+# [*api_server*]
+#  (optional) VIP of Config API
+#  String (IPv4) value.
+#  Defaults to hiera('contrail_config_vip')
+#
+# [*api_port*]
+#  (optional) Port of Config API
+#  String value.
+#  Defaults to hiera('contrail::api_port')
+#
 # [*auth*]
 #  (optional) Authentication method.
 #  Defaults to hiera('contrail::auth')
@ -68,81 +68,232 @@
 #  (optional) keystone port.
 #  Defaults to hiera('contrail::auth_port')
 #
+# [*auth_port_ssl*]
+#  (optional) keystone ssl port.
+#  Integer value.
+#  Defaults to hiera('contrail::auth_port_ssl')
+#
 # [*auth_protocol*]
 #  (optional) authentication protocol.
 #  Defaults to hiera('contrail::auth_protocol')
 #
+# [*ca_file*]
+#  (optional) ca file name
+#  String value.
+#  Defaults to hiera('contrail::service_certificate',false)
+#
+# [*cert_file*]
+#  (optional) cert file name
+#  String value.
+#  Defaults to hiera('contrail::service_certificate',false)
+#
 # [*cassandra_server_list*]
 #  (optional) List IPs+port of Cassandra servers
 #  Array of strings value.
 #  Defaults to hiera('contrail::cassandra_server_list')
 #
+# [*config_hostnames*]
+#  (optional) Config hostname list
+#  Array of string value.
+#  Defaults to hiera('contrail_config_short_node_names')
+#
+# [*control_server_list*]
+#  (optional) IPv4 addresses of control server.
+#  Array of string (IPv4) value.
+#  Defaults to hiera('contrail_control_node_ips')
+#
 # [*disc_server_ip*]
 #  (optional) IPv4 address of discovery server.
 #  String (IPv4) value.
-#  Defaults to hiera('contrail::disc_server_ip')
+#  Defaults to hiera('contrail_config_vip'),
+#
+# [*disc_server_port*]
+#  (optional) port of discovery server
+#  String value.
+#  Defaults to hiera('contrail::disc_server_port')
+#
+# [*host_ip*]
+#  (optional) IPv4 address of Config server
+#  String (IPv4) value.
+#  Defaults to hiera('contrail::config::host_ip')
+#
+# [*ifmap_password*]
+#  (optional) ifmap password
+#  String value.
+#  Defaults to hiera('contrail::config::ifmap_password')
+#
+# [*ifmap_server_ip*]
+#  (optional) ifmap server ip address.
+#  String value.
+#  Defaults to hiera('contrail::config::host_ip')
+#
+# [*ifmap_username*]
+#  (optional) ifmap username
+#  String value.
+#  Defaults to hiera('contrail::config::ifmap_password')
 #
 # [*insecure*]
 #  (optional) insecure mode.
 #  Defaults to hiera('contrail::insecure')
 #
+# [*ipfabric_service_port*]
+#  (optional) linklocal ip fabric port
+#  String value
+#  Defaults to 8775
+#
 # [*listen_ip_address*]
 #  (optional) IP address to listen on.
 #  String (IPv4) value.
-#  Defaults to '0.0.0.0'
+#  Defaults to hiera('contrail::config::listen_ip_address')
 #
 # [*listen_port*]
 #  (optional) Listen port for config-api
-#  Defaults to 8082
+#  Defaults to hiera('contrail::api_port')
+#
+# [*linklocal_service_name*]
+#  (optional) name of link local service
+#  String value
+#  Defaults to metadata
+#
+# [*linklocal_service_port*]
+#  (optional) port of link local service
+#  String value
+#  Defaults to 80
+#
+# [*linklocal_service_name*]
+#  (optional) name of link local service
+#  String value
+#  Defaults to metadata
+#
+# [*linklocal_service_ip*]
+#  (optional) IPv4 address of link local service
+#  String (IPv4) value
+#  Defaults to 169.254.169.254
 #
 # [*memcached_servers*]
 #  (optional) IPv4 address of memcached servers
 #  String (IPv4) value + port
 #  Defaults to hiera('contrail::memcached_server')
 #
-# [*multi_tenancy*]
-#  (optional) Defines if mutli-tenancy is enabled.
-#  Defaults to hiera('contrail::multi_tenancy')
+# [*public_vip*]
+#  (optional) Public virtual ip
+#  String value.
+#  Defaults to hiera('public_virtual_ip')
+#
+# [*step*]
+#  (optional) Step stack is in
+#  Integer value.
+#  Defaults to hiera('step')
+#
+# [*rabbit_server*]
+#  (optional) rabbit server
+#  Array of string value.
+#  Defaults to hiera('rabbitmq_node_ips')
+#
+# [*rabbit_user*]
+#  (optional) rabbit user
+#  String value.
+#  Defaults to hiera('contrail::rabbit_user')
+#
+# [*rabbit_password*]
+#  (optional) rabbit password
+#  String value.
+#  Defaults to hiera('contrail::rabbit_password')
+#
+# [*rabbit_port*]
+#  (optional) rabbit server port
+#  String value.
+#  Defaults to hiera('contrail::rabbit_port')
 #
 # [*redis_server*]
 #  (optional) IPv4 address of redis server.
 #  String (IPv4) value.
-#  Defaults to '127.0.0.1'
+#  Defaults to hiera('contrail::config::redis_server')
 #
 # [*zk_server_ip*]
 #  (optional) List IPs+port of Zookeeper servers
 #  Array of strings value.
-#  Defaults to hiera('contrail::zk_server_ip')
+#  Defaults to hiera('contrail_database_node_ips')
 #
 class tripleo::network::contrail::config(
-  $ifmap_password,
-  $ifmap_server_ip,
-  $ifmap_username,
-  $rabbit_server,
-  $admin_password = hiera('contrail::admin_password'),
-  $admin_tenant_name = hiera('contrail::admin_tenant_name'),
-  $admin_token = hiera('contrail::admin_token'),
-  $admin_user = hiera('contrail::admin_user'),
-  $auth = hiera('contrail::auth'),
-  $auth_host = hiera('contrail::auth_host'),
-  $auth_port = hiera('contrail::auth_port'),
-  $auth_protocol = hiera('contrail::auth_protocol'),
-  $cassandra_server_list = hiera('contrail::cassandra_server_list'),
-  $disc_server_ip = hiera('contrail::disc_server_ip'),
-  $insecure = hiera('contrail::insecure'),
-  $listen_ip_address = '0.0.0.0',
-  $listen_port = 8082,
-  $memcached_servers = hiera('contrail::memcached_server'),
-  $multi_tenancy = hiera('contrail::multi_tenancy'),
-  $redis_server = '127.0.0.1',
-  $zk_server_ip = hiera('contrail::zk_server_ip'),
+  $step  = hiera('step'),
+  $aaa_mode               = hiera('contrail::aaa_mode'),
+  $admin_password         = hiera('contrail::admin_password'),
+  $admin_tenant_name      = hiera('contrail::admin_tenant_name'),
+  $admin_token            = hiera('contrail::admin_token'),
+  $admin_user             = hiera('contrail::admin_user'),
+  $api_server             = hiera('contrail_config_vip'),
+  $api_port               = hiera('contrail::api_port'),
+  $auth                   = hiera('contrail::auth'),
+  $auth_host              = hiera('contrail::auth_host'),
+  $auth_port              = hiera('contrail::auth_port'),
+  $auth_port_ssl          = hiera('contrail::auth_port_ssl'),
+  $auth_protocol          = hiera('contrail::auth_protocol'),
+  $cassandra_server_list  = hiera('contrail_database_node_ips'),
+  $ca_file                = hiera('contrail::service_certificate',false),
+  $cert_file              = hiera('contrail::service_certificate',false),
+  $config_hostnames       = hiera('contrail_config_short_node_names'),
+  $control_server_list    = hiera('contrail_control_node_ips'),
+  $disc_server_ip         = hiera('contrail_config_vip'),
+  $disc_server_port       = hiera('contrail::disc_server_port'),
+  $host_ip                = hiera('contrail::config::host_ip'),
+  $ifmap_password         = hiera('contrail::config::ifmap_password'),
+  $ifmap_server_ip        = hiera('contrail::config::host_ip'),
+  $ifmap_username         = hiera('contrail::config::ifmap_username'),
+  $insecure               = hiera('contrail::insecure'),
+  $ipfabric_service_port  = 8775,
+  $listen_ip_address      = hiera('contrail::config::listen_ip_address'),
+  $listen_port            = hiera('contrail::api_port'),
+  $linklocal_service_port = 80,
+  $linklocal_service_name = 'metadata',
+  $linklocal_service_ip   = '169.254.169.254',
+  $memcached_servers      = hiera('contrail::memcached_server'),
+  $public_vip             = hiera('public_virtual_ip'),
+  $rabbit_server          = hiera('rabbitmq_node_ips'),
+  $rabbit_user            = hiera('contrail::rabbit_user'),
+  $rabbit_password        = hiera('contrail::rabbit_password'),
+  $rabbit_port            = hiera('contrail::rabbit_port'),
+  $redis_server           = hiera('contrail::config::redis_server'),
+  $zk_server_ip           = hiera('contrail_database_node_ips'),
 )
 {
  validate_ip_address($listen_ip_address)
  validate_ip_address($disc_server_ip)
  validate_ip_address($ifmap_server_ip)
-  class {'::contrail::keystone':
-    keystone_config => {
+  $basicauthusers_property_control = map($control_server_list) |$item| { "${item}.control:${item}.control" }
+  $basicauthusers_property_dns = $control_server_list.map |$item| { "${item}.dns:${item}.dns" }
+  $basicauthusers_property = concat($basicauthusers_property_control, $basicauthusers_property_dns)
+  $cassandra_server_list_9160 = join([join($cassandra_server_list, ':9160 '),':9160'],'')
+  $rabbit_server_list_5672 = join([join($rabbit_server, ':5672,'),':5672'],'')
+  $zk_server_ip_2181 = join([join($zk_server_ip, ':2181,'),':2181'],'')
+
+  if $auth_protocol == 'https' {
+    $keystone_config = {
+      'KEYSTONE' => {
+        'admin_password'    => $admin_password,
+        'admin_tenant_name' => $admin_tenant_name,
+        'admin_token'       => $admin_token,
+        'admin_user'        => $admin_user,
+        'auth_host'         => $auth_host,
+        'auth_port'         => $auth_port_ssl,
+        'auth_protocol'     => $auth_protocol,
+        'insecure'          => $insecure,
+        'memcached_servers' => $memcached_servers,
+        'certfile'          => $cert_file,
+        'cafile'            => $ca_file,
+      },
+    }
+    $vnc_api_lib_config = {
+      'auth' => {
+        'AUTHN_SERVER'   => $public_vip,
+        'AUTHN_PORT'     => $auth_port_ssl,
+        'AUTHN_PROTOCOL' => $auth_protocol,
+        'certfile'       => $cert_file,
+        'cafile'         => $ca_file,
+      },
+    }
+  } else {
+    $keystone_config = {
      'KEYSTONE' => {
        'admin_password'    => $admin_password,
        'admin_tenant_name' => $admin_tenant_name,
@ -154,62 +305,116 @@ class tripleo::network::contrail::config(
        'insecure'          => $insecure,
        'memcached_servers' => $memcached_servers,
      },
-    },
-  } ->
-  class {'::contrail::config':
-    api_config            => {
-      'DEFAULTS' => {
-        'auth'                  => $auth,
-        'cassandra_server_list' => $cassandra_server_list,
-        'disc_server_ip'        => $disc_server_ip,
-        'ifmap_password'        => $ifmap_password,
-        'ifmap_server_ip'       => $ifmap_server_ip,
-        'ifmap_username'        => $ifmap_username,
-        'listen_ip_addr'        => $listen_ip_address,
-        'listen_port'           => $listen_port,
-        'multi_tenancy'         => $multi_tenancy,
-        'rabbit_server'         => $rabbit_server,
-        'redis_server'          => $redis_server,
-        'zk_server_ip'          => $zk_server_ip,
+    }
+    $vnc_api_lib_config = {
+      'auth' => {
+        'AUTHN_SERVER' => $public_vip,
      },
-    },
-    device_manager_config => {
-      'DEFAULTS' => {
-        'cassandra_server_list' => $cassandra_server_list,
-        'disc_server_ip'        => $disc_server_ip,
-        'rabbit_server'         => $rabbit_server,
-        'redis_server'          => $redis_server,
-        'zk_server_ip'          => $zk_server_ip,
+    }
+  }
+  if $step >= 3 {
+    class {'::contrail::config':
+      api_config              => {
+        'DEFAULTS' => {
+          'aaa_mode'              => $aaa_mode,
+          'auth'                  => $auth,
+          'cassandra_server_list' => $cassandra_server_list_9160,
+          'disc_server_ip'        => $disc_server_ip,
+          'ifmap_password'        => $ifmap_password,
+          'ifmap_server_ip'       => $ifmap_server_ip,
+          'ifmap_username'        => $ifmap_username,
+          'listen_ip_addr'        => $listen_ip_address,
+          'listen_port'           => $listen_port,
+          'rabbit_server'         => $rabbit_server_list_5672,
+          'rabbit_user'           => $rabbit_user,
+          'rabbit_password'       => $rabbit_password,
+          'redis_server'          => $redis_server,
+          'zk_server_ip'          => $zk_server_ip_2181,
+        },
      },
-    },
-    schema_config         => {
-      'DEFAULTS' => {
-        'cassandra_server_list' => $cassandra_server_list,
-        'disc_server_ip'        => $disc_server_ip,
-        'ifmap_password'        => $ifmap_password,
-        'ifmap_server_ip'       => $ifmap_server_ip,
-        'ifmap_username'        => $ifmap_username,
-        'rabbit_server'         => $rabbit_server,
-        'redis_server'          => $redis_server,
-        'zk_server_ip'          => $zk_server_ip,
+      basicauthusers_property => $basicauthusers_property,
+      config_nodemgr_config   => {
+        'DISCOVERY' => {
+          'server' => $disc_server_ip,
+          'port'   => $disc_server_port,
+        },
      },
-    },
-    discovery_config      => {
-      'DEFAULTS' => {
-        'cassandra_server_list' => $cassandra_server_list,
-        'zk_server_ip'          => $zk_server_ip,
+      device_manager_config   => {
+        'DEFAULTS' => {
+          'cassandra_server_list' => $cassandra_server_list_9160,
+          'disc_server_ip'        => $disc_server_ip,
+          'disc_server_port'      => $disc_server_port,
+          'rabbit_server'         => $rabbit_server_list_5672,
+          'rabbit_user'           => $rabbit_user,
+          'rabbit_password'       => $rabbit_password,
+          'redis_server'          => $redis_server,
+          'zk_server_ip'          => $zk_server_ip_2181,
+        },
      },
-    },
-    svc_monitor_config    => {
-      'DEFAULTS' => {
-        'cassandra_server_list' => $cassandra_server_list,
-        'disc_server_ip'        => $disc_server_ip,
-        'ifmap_password'        => $ifmap_password,
-        'ifmap_server_ip'       => $ifmap_server_ip,
-        'ifmap_username'        => $ifmap_username,
-        'rabbit_server'         => $rabbit_server,
-        'redis_server'          => $redis_server,
+      discovery_config        => {
+        'DEFAULTS' => {
+          'cassandra_server_list' => $cassandra_server_list_9160,
+          'zk_server_ip'          => $zk_server_ip_2181,
+          },
      },
-    },
+      keystone_config         => $keystone_config,
+      schema_config           => {
+        'DEFAULTS' => {
+          'cassandra_server_list' => $cassandra_server_list_9160,
+          'disc_server_ip'        => $disc_server_ip,
+          'disc_server_port'      => $disc_server_port,
+          'ifmap_password'        => $ifmap_password,
+          'ifmap_server_ip'       => $ifmap_server_ip,
+          'ifmap_username'        => $ifmap_username,
+          'rabbit_server'         => $rabbit_server_list_5672,
+          'rabbit_user'           => $rabbit_user,
+          'rabbit_password'       => $rabbit_password,
+          'redis_server'          => $redis_server,
+          'zk_server_ip'          => $zk_server_ip_2181,
+        },
+      },
+      svc_monitor_config      => {
+        'DEFAULTS' => {
+          'cassandra_server_list' => $cassandra_server_list_9160,
+          'disc_server_ip'        => $disc_server_ip,
+          'disc_server_port'      => $disc_server_port,
+          'ifmap_password'        => $ifmap_password,
+          'ifmap_server_ip'       => $ifmap_server_ip,
+          'ifmap_username'        => $ifmap_username,
+          'rabbit_server'         => $rabbit_server_list_5672,
+          'rabbit_user'           => $rabbit_user,
+          'rabbit_password'       => $rabbit_password,
+          'redis_server'          => $redis_server,
+          'zk_server_ip'          => $zk_server_ip_2181,
+        },
+      },
+      vnc_api_lib_config      => $vnc_api_lib_config,
+    }
+  }
+  if $step >= 5 {
+    class {'::contrail::config::provision_config':
+      api_address                => $api_server,
+      api_port                   => $api_port,
+      config_node_address        => $host_ip,
+      config_node_name           => $::hostname,
+      keystone_admin_user        => $admin_user,
+      keystone_admin_password    => $admin_password,
+      keystone_admin_tenant_name => $admin_tenant_name,
+      openstack_vip              => $public_vip,
+    }
+    if $config_hostnames[0] == $::hostname {
+      class {'::contrail::config::provision_linklocal':
+        api_address                => $api_server,
+        api_port                   => $api_port,
+        ipfabric_service_ip        => $api_server,
+        ipfabric_service_port      => $ipfabric_service_port,
+        keystone_admin_user        => $admin_user,
+        keystone_admin_password    => $admin_password,
+        keystone_admin_tenant_name => $admin_tenant_name,
+        linklocal_service_name     => $linklocal_service_name,
+        linklocal_service_ip       => $linklocal_service_ip,
+        linklocal_service_port     => $linklocal_service_port,
+      }
+    }
  }
 }
--- a/manifests/network/contrail/control.pp
+++ b/manifests/network/contrail/control.pp
@ -19,19 +19,6 @@
 #
 # == Parameters:
 #
-# [*host_ip*]
-#  (required) host IP address of Control
-#  String (IPv4) value.
-#
-# [*ifmap_password*]
-#  (required) ifmap password
-#  String value.
-#
-# [*ifmap_username*]
-#  (optional) ifmap username
-#  String value.
-#  Defaults to hiera('contrail::ifmap_username'),
-#
 # [*admin_password*]
 #  (optional) admin password
 #  String value.
@ -42,16 +29,21 @@
 #  String value.
 #  Defaults to hiera('contrail::admin_tenant_name'),
 #
-# [*admin_token*]
-#  (optional) admin token
-#  String value.
-#  Defaults to hiera('contrail::admin_token'),
-#
 # [*admin_user*]
 #  (optional) admin user name.
 #  String value.
 #  Defaults to hiera('contrail::admin_user'),
 #
+# [*api_server*]
+#  (optional) IP address of api server
+#  String value.
+#  Defaults to hiera('contrail_config_vip')
+#
+# [*api_port*]
+#  (optional) port of api server
+#  String value.
+#  Defaults to hiera('contrail::api_port')
+#
 # [*auth_host*]
 #  (optional) keystone server ip address
 #  String (IPv4) value.
@ -68,13 +60,33 @@
 # [*disc_server_ip*]
 #  (optional) IPv4 address of discovery server.
 #  String (IPv4) value.
-#  Defaults to hiera('contrail::disc_server_ip'),
+#  Defaults to hiera('contrail_config_vip')
 #
 # [*disc_server_port*]
 #  (optional) port Discovery server listens on.
 #  Integer value.
 #  Defaults to hiera('contrail::disc_server_port'),
 #
+# [*host_ip*]
+#  (optional) IP address of host
+#  String (IPv4) value.
+#  Defaults to hiera('contrail::control::host_ip')
+#
+# [*ibgp_auto_mesh*]
+#  (optional) iBPG auto mesh
+#  String value.
+#  Defaults to true
+#
+# [*ifmap_password*]
+#  (optional) ifmap password
+#  String value.
+#  Defaults to hiera('contrail::ifmap_password'),
+#
+# [*ifmap_username*]
+#  (optional) ifmap username
+#  String value.
+#  Defaults to hiera('contrail::ifmap_username'),
+#
 # [*insecure*]
 #  (optional) insecure mode.
 #  Defaults to hiera('contrail::insecure'),
@ -84,70 +96,103 @@
 #  String (IPv4) value + port
 #  Defaults to hiera('contrail::memcached_servers'),
 #
+# [*public_vip*]
+#  (optional) Public Virtual IP address
+#  String (IPv4) value
+#  Defaults to hiera('public_virtual_ip')
+#
+# [*router_asn*]
+#  (optional) Autonomus System Number
+#  String value
+#  Defaults to hiera('contrail::control::asn')
+#
+# [*secret*]
+#  (optional) RNDC secret for named
+#  String value
+#  Defaults to hiera('contrail::control::rndc_secret')
+#
+# [*step*]
+#  (optional) Step stack is in
+#  Integer value.
+#  Defaults to hiera('step')
+#
 class tripleo::network::contrail::control(
-  $host_ip,
-  $ifmap_password,
-  $ifmap_username,
-  $admin_password = hiera('contrail::admin_password'),
+  $step              = hiera('step'),
+  $admin_password    = hiera('contrail::admin_password'),
  $admin_tenant_name = hiera('contrail::admin_tenant_name'),
-  $admin_token = hiera('contrail::admin_token'),
-  $admin_user = hiera('contrail::admin_user'),
-  $auth_host = hiera('contrail::auth_host'),
-  $auth_port = hiera('contrail::auth_port'),
-  $auth_protocol = hiera('contrail::auth_protocol'),
-  $disc_server_ip = hiera('contrail::disc_server_ip'),
-  $disc_server_port = hiera('contrail::disc_server_port'),
-  $insecure = hiera('contrail::insecure'),
+  $admin_user        = hiera('contrail::admin_user'),
+  $api_server        = hiera('contrail_config_vip'),
+  $api_port          = hiera('contrail::api_port'),
+  $auth_host         = hiera('contrail::auth_host'),
+  $auth_port         = hiera('contrail::auth_port'),
+  $auth_protocol     = hiera('contrail::auth_protocol'),
+  $disc_server_ip    = hiera('contrail_config_vip'),
+  $disc_server_port  = hiera('contrail::disc_server_port'),
+  $host_ip           = hiera('contrail::control::host_ip'),
+  $ibgp_auto_mesh    = true,
+  $ifmap_password    = hiera('contrail::control::host_ip'),
+  $ifmap_username    = hiera('contrail::control::host_ip'),
+  $insecure          = hiera('contrail::insecure'),
  $memcached_servers = hiera('contrail::memcached_server'),
+  $public_vip        = hiera('public_virtual_ip'),
+  $router_asn        = hiera('contrail::control::asn'),
+  $secret            = hiera('contrail::control::rndc_secret'),
 )
 {
-  class {'::contrail::keystone':
-    keystone_config => {
-      'KEYSTONE' => {
-        'admin_tenant_name' => $admin_tenant_name,
-        'admin_token'       => $admin_token,
-        'admin_password'    => $admin_password,
-        'admin_user'        => $admin_user,
-        'auth_host'         => $auth_host,
-        'auth_port'         => $auth_port,
-        'auth_protocol'     => $auth_protocol,
-        'insecure'          => $insecure,
-        'memcached_servers' => $memcached_servers,
+  $control_ifmap_user     = "${ifmap_username}.control"
+  $control_ifmap_password = "${ifmap_username}.control"
+  $dns_ifmap_user         = "${ifmap_username}.dns"
+  $dns_ifmap_password     = "${ifmap_username}.dns"
+
+  if $step >= 3 {
+    class {'::contrail::control':
+      secret                 => $secret,
+      control_config         => {
+        'DEFAULT'   => {
+          'hostip' => $host_ip,
+        },
+        'DISCOVERY' => {
+          'port'   => $disc_server_port,
+          'server' => $disc_server_ip,
+        },
+        'IFMAP'     => {
+          'password' => $control_ifmap_user,
+          'user'     => $control_ifmap_password,
+        },
      },
-    },
-  } ->
-  class {'::contrail::control':
-    control_config         => {
-      'DEFAULTS'  => {
-        'hostip' => $host_ip,
+      dns_config             => {
+        'DEFAULT'   => {
+          'hostip'      => $host_ip,
+          'rndc_secret' => $secret,
+        },
+        'DISCOVERY' => {
+          'port'   => $disc_server_port,
+          'server' => $disc_server_ip,
+        },
+        'IFMAP'     => {
+          'password' => $dns_ifmap_user,
+          'user'     => $dns_ifmap_password,
+        }
      },
-      'DISCOVERY' => {
-        'port'   => $disc_server_port,
-        'server' => $disc_server_ip,
+      control_nodemgr_config => {
+        'DISCOVERY' => {
+          'port'   => $disc_server_port,
+          'server' => $disc_server_ip,
+        },
      },
-      'IFMAP'     => {
-        'password' => $ifmap_password,
-        'user'     => $ifmap_username,
-      },
-    },
-    dns_config             => {
-      'DEFAULTS'  => {
-        'hostip' => $host_ip,
-      },
-      'DISCOVERY' => {
-        'port'   => $disc_server_port,
-        'server' => $disc_server_ip,
-      },
-      'IFMAP'     => {
-        'password' => $ifmap_password,
-        'user'     => $ifmap_username,
-      }
-    },
-    control_nodemgr_config => {
-      'DISCOVERY' => {
-        'port'   => $disc_server_port,
-        'server' => $disc_server_ip,
-      },
-    },
+    }
+  }
+  if $step >= 5 {
+    class {'::contrail::control::provision_control':
+      api_address                => $api_server,
+      api_port                   => $api_port,
+      control_node_address       => $host_ip,
+      control_node_name          => $::hostname,
+      ibgp_auto_mesh             => $ibgp_auto_mesh,
+      keystone_admin_user        => $admin_user,
+      keystone_admin_password    => $admin_password,
+      keystone_admin_tenant_name => $admin_tenant_name,
+      router_asn                 => $router_asn,
+    }
  }
 }
--- a/manifests/network/contrail/database.pp
+++ b/manifests/network/contrail/database.pp
@ -13,41 +13,154 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 #
-# == Class: tripleo::network::contrail::control
+# == Class: tripleo::network::contrail::database
 #
-# Configure Contrail Control services
+# Configure Contrail Database services
 #
 # == Parameters:
 #
-# [*host_ip*]
-#  (required) host IP address of Database node
+# [*admin_password*]
+#  (optional) admin password
+#  String value.
+#  Defaults to hiera('contrail::admin_password')
+#
+# [*admin_tenant_name*]
+#  (optional) admin tenant name.
+#  String value.
+#  Defaults to hiera('contrail::admin_tenant_name')
+#
+# [*admin_token*]
+#  (optional) admin token
+#  String value.
+#  Defaults to hiera('contrail::admin_token')
+#
+# [*admin_user*]
+#  (optional) admin user name.
+#  String value.
+#  Defaults to hiera('contrail::admin_user')
+#
+# [*api_server*]
+#  (optional) VIP of Config API
 #  String (IPv4) value.
+#  Defaults to hiera('contrail_config_vip')
+#
+# [*api_port*]
+#  (optional) Port of Config API
+#  String value.
+#  Defaults to hiera('contrail::api_port')
+#
+# [*auth_host*]
+#  (optional) keystone server ip address
+#  String (IPv4) value.
+#  Defaults to hiera('contrail::auth_host')
+#
+# [*cassandra_servers*]
+#  (optional) List IPs+port of Cassandra servers
+#  Array of strings value.
+#  Defaults to hiera('contrail_database_node_ips')
 #
 # [*disc_server_ip*]
 #  (optional) IPv4 address of discovery server.
 #  String (IPv4) value.
-#  Defaults to hiera('contrail::disc_server_ip')
+#  Defaults to hiera('contrail_config_vip'),
 #
 # [*disc_server_port*]
 #  (optional) port Discovery server listens on.
 #  Integer value.
 #  Defaults to hiera('contrail::disc_server_port')
 #
+# [*host_ip*]
+#  (required) host IP address of Database node
+#  String (IPv4) value.
+#
+# [*host_name*]
+#  (optional) host name of Database node
+#  String value.
+#  Defaults to $::hostname
+#
+# [*public_vip*]
+#  (optional) Public virtual ip
+#  String value.
+#  Defaults to hiera('public_virtual_ip')
+#
+# [*step*]
+#  (optional) Step stack is in
+#  Integer value.
+#  Defaults to hiera('step')
+#
+# [*zookeeper_client_ip*]
+#  (optional) Zookeeper listen address
+#  String (IPv4) value.
+#  Defaults to hiera('contrail::database::host_ip')
+#
+# [*zookeeper_hostnames*]
+#  (optional) Zookeeper hostname list
+#  Array of string value.
+#  Defaults to hiera('contrail_database_short_node_names')
+#
+# [*zookeeper_server_ips*]
+#  (optional) Zookeeper ip list
+#  Array of string (IPv4) values
+#  Defaults to hiera('contrail_database_node_ips')
+#
 class tripleo::network::contrail::database(
-  $host_ip,
-  $disc_server_ip = hiera('contrail::disc_server_ip'),
-  $disc_server_port = hiera('contrail::disc_server_port'),
+  $step                 = hiera('step'),
+  $admin_password       = hiera('contrail::admin_password'),
+  $admin_tenant_name    = hiera('contrail::admin_tenant_name'),
+  $admin_token          = hiera('contrail::admin_token'),
+  $admin_user           = hiera('contrail::admin_user'),
+  $api_server           = hiera('contrail_config_vip'),
+  $api_port             = hiera('contrail::api_port'),
+  $auth_host            = hiera('contrail::auth_host'),
+  $cassandra_servers    = hiera('contrail_database_node_ips'),
+  $disc_server_ip       = hiera('contrail_config_vip'),
+  $disc_server_port     = hiera('contrail::disc_server_port'),
+  $host_ip              = hiera('contrail::database::host_ip'),
+  $host_name            = $::hostname,
+  $public_vip           = hiera('public_virtual_ip'),
+  $zookeeper_client_ip  = hiera('contrail::database::host_ip'),
+  $zookeeper_hostnames  = hiera('contrail_database_short_node_names'),
+  $zookeeper_server_ips = hiera('contrail_database_node_ips'),
 )
 {
-  class {'::contrail::database':
-    database_nodemgr_config => {
-      'DEFAULTS'  => {
-        'hostip' => $host_ip,
-      },
-      'DISCOVERY' => {
-        'port'   => $disc_server_port,
-        'server' => $disc_server_ip,
-      },
-    },
+  if $step == 2 {
+    class {'::contrail::database':
+      database_params => {
+        'auth_host'             => $auth_host,
+        'api_server'            => $api_server,
+        'admin_password'        => $admin_password,
+        'admin_tenant_name'     => $admin_tenant_name,
+        'admin_token'           => $admin_token,
+        'admin_user'            => $admin_user,
+        'cassandra_servers'     => $cassandra_servers,
+        'host_ip'               => $host_ip,
+        'disc_server_ip'        => $disc_server_ip,
+        'disc_server_port'      => $disc_server_port,
+        'zookeeper_client_ip'   => $zookeeper_client_ip,
+        'zookeeper_hostnames'   => $zookeeper_hostnames,
+        'zookeeper_server_ips'  => $zookeeper_server_ips,
+        database_nodemgr_config => {
+          'DEFAULT'   => {
+            'hostip' => $host_ip,
+          },
+          'DISCOVERY' => {
+            'port'   => $disc_server_port,
+            'server' => $disc_server_ip,
+          },
+        },
+      }
+    }
+  }
+  if $step >= 5 {
+    class {'::contrail::database::provision_database':
+      api_address                => $api_server,
+      api_port                   => $api_port,
+      database_node_address      => $host_ip,
+      database_node_name         => $host_name,
+      keystone_admin_user        => $admin_user,
+      keystone_admin_password    => $admin_password,
+      keystone_admin_tenant_name => $admin_tenant_name,
+      openstack_vip              => $public_vip,
+    }
  }
 }
--- a/manifests/network/contrail/heat.pp
+++ b/manifests/network/contrail/heat.pp
@ -0,0 +1,86 @@
+#
+# Copyright (C) 2015 Juniper Networks
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::network::contrail::heat
+#
+# Configure Contrail Heat plugin
+#
+# == Parameters:
+#
+# [*admin_password*]
+#  (optional) admin password
+#  String value.
+#  Defaults to hiera('contrail::admin_password')
+#
+# [*admin_tenant_name*]
+#  (optional) admin tenant name.
+#  String value.
+#  Defaults to hiera('contrail::admin_tenant_name')
+#
+# [*admin_user*]
+#  (optional) admin user name.
+#  String value.
+#  Defaults to hiera('contrail::admin_user')
+#
+# [*api_server*]
+#  (optional) IP address of api server
+#  String value.
+#  Defaults to hiera('contrail_config_vip')
+#
+# [*api_port*]
+#  (optional) port of api server
+#  String value.
+#  Defaults to hiera('contrail::api_port')
+#
+# [*auth_host*]
+#  (optional) keystone server ip address
+#  String (IPv4) value.
+#  Defaults to hiera('contrail::auth_host')
+#
+# [*step*]
+#  (optional) Step stack is in
+#  Integer value.
+#  Defaults to hiera('step')
+#
+# [*use_ssl*]
+#  (optional) switch for ssl usage
+#  String value.
+#  Defaults to 'False'
+#
+class tripleo::network::contrail::heat(
+  $step = hiera('step'),
+  $admin_password         = hiera('contrail::admin_password'),
+  $admin_user             = hiera('contrail::admin_user'),
+  $api_server             = hiera('contrail_config_vip'),
+  $api_port               = 8082,
+  $auth_host              = hiera('contrail::auth_host'),
+  $use_ssl                = 'False',
+)
+{
+
+  class {'::contrail::heat':
+    heat_config            => {
+      'clients_contrail' => {
+        'api_base_url' => '/',
+        'api_server'   => $api_server,
+        'api_port'     => $api_port,
+        'auth_host_ip' => $auth_host,
+        'user'         => $admin_user,
+        'password'     => $admin_password,
+        'use_ssl'      => $use_ssl,
+      },
+    },
+  }
+}
--- a/manifests/network/contrail/neutron_plugin.pp
+++ b/manifests/network/contrail/neutron_plugin.pp
@ -0,0 +1,231 @@
+# This class installs and configures Opencontrail Neutron Plugin.
+#
+# === Parameters
+#
+# [*admin_password*]
+#  (optional) admin password
+#  String value.
+#  Defaults to hiera('contrail::admin_password')
+#
+# [*admin_tenant_name*]
+#  (optional) admin tenant name.
+#  String value.
+#  Defaults to hiera('contrail::admin_tenant_name')
+#
+# [*admin_token*]
+#  (optional) admin token
+#  String value.
+#  Defaults to hiera('contrail::admin_token')
+#
+# [*admin_user*]
+#  (optional) admin user name.
+#  String value.
+#  Defaults to hiera('contrail::admin_user')
+#
+# [*api_server*]
+#  (optional) IP address of api server
+#  String value.
+#  Defaults to hiera('contrail_config_vip')
+#
+# [*api_port*]
+#  (optional) port of api server
+#  String value.
+#  Defaults to hiera('contrail::api_port')
+#
+# [*auth_host*]
+#  (optional) keystone server ip address
+#  String (IPv4) value.
+#  Defaults to hiera('contrail::auth_host')
+#
+# [*auth_port*]
+#  (optional) keystone port.
+#  Integer value.
+#  Defaults to hiera('contrail::auth_port')
+#
+# [*auth_port_ssl*]
+#  (optional) keystone ssl port.
+#  Integer value.
+#  Defaults to hiera('contrail::auth_port_ssl')
+#
+# [*auth_protocol*]
+#  (optional) authentication protocol.
+#  String value.
+#  Defaults to hiera('contrail::auth_protocol')
+#
+# [*ca_file*]
+#  (optional) ca file name
+#  String value.
+#  Defaults to hiera('contrail::service_certificate',false)
+#
+# [*cert_file*]
+#  (optional) cert file name
+#  String value.
+#  Defaults to hiera('contrail::service_certificate',false)
+#
+# [*api_server_ip*]
+#   IP address of the API Server
+#   Defaults to $::os_service_default
+#
+# [*api_server_port*]
+#   Port of the API Server.
+#   Defaults to $::os_service_default
+#
+# [*contrail_extensions*]
+#   Array of OpenContrail extensions to be supported
+#   Defaults to $::os_service_default
+#   Example:
+#
+#     class {'neutron::plugins::opencontrail' :
+#       contrail_extensions => ['ipam:neutron_plugin_contrail.plugins.opencontrail.contrail_plugin_ipam.NeutronPluginContrailIpam']
+#     }
+#
+# [*keystone_auth_url*]
+#   Url of the keystone auth server
+#   Defaults to $::os_service_default
+#
+# [*keystone_admin_user*]
+#   Admin user name
+#   Defaults to $::os_service_default
+#
+# [*keystone_admin_tenant_name*]
+#   Admin_tenant_name
+#   Defaults to $::os_service_default
+#
+# [*keystone_admin_password*]
+#   Admin password
+#   Defaults to $::os_service_default
+#
+# [*keystone_admin_token*]
+#   Admin token
+#   Defaults to $::os_service_default
+#
+# [*package_ensure*]
+#   (optional) Ensure state for package.
+#   Defaults to 'present'.
+#
+# [*purge_config*]
+#   (optional) Whether to set only the specified config options
+#   in the opencontrail config.
+#   Defaults to false.
+#
+class tripleo::network::contrail::neutron_plugin (
+  $contrail_extensions    = hiera('contrail::vrouter::contrail_extensions'),
+  $admin_password         = hiera('contrail::admin_password'),
+  $admin_tenant_name      = hiera('contrail::admin_tenant_name'),
+  $admin_token            = hiera('contrail::admin_token'),
+  $admin_user             = hiera('contrail::admin_user'),
+  $api_server             = hiera('contrail_config_vip'),
+  $api_port               = hiera('contrail::api_port'),
+  $auth_host              = hiera('contrail::auth_host'),
+  $auth_port              = hiera('contrail::auth_port'),
+  $auth_port_ssl          = hiera('contrail::auth_port_ssl'),
+  $auth_protocol          = hiera('contrail::auth_protocol'),
+  $ca_file                = hiera('tripleo::haproxy::service_certificate',false),
+  $cert_file              = hiera('tripleo::haproxy::service_certificate',false),
+  $purge_config           = false,
+  $package_ensure         = 'present',
+) {
+
+  include ::neutron::deps
+  include ::neutron::params
+
+  validate_array($contrail_extensions)
+
+  package { 'neutron-plugin-contrail':
+    ensure => $package_ensure,
+    name   => $::neutron::params::opencontrail_plugin_package,
+    tag    => ['neutron-package', 'openstack'],
+  }
+  package {'python-contrail':
+    ensure => installed,
+  }
+
+  ensure_resource('file', '/etc/neutron/plugins/opencontrail', {
+    ensure => directory,
+    owner  => 'root',
+    group  => 'neutron',
+    mode   => '0640'}
+  )
+
+  if $::osfamily == 'Debian' {
+    file_line { '/etc/default/neutron-server:NEUTRON_PLUGIN_CONFIG':
+      path  => '/etc/default/neutron-server',
+      match => '^NEUTRON_PLUGIN_CONFIG=(.*)$',
+      line  => "NEUTRON_PLUGIN_CONFIG=${::neutron::params::opencontrail_config_file}",
+      tag   => 'neutron-file-line',
+    }
+  }
+
+  if $::osfamily == 'Redhat' {
+    file { '/etc/neutron/plugin.ini':
+      ensure  => link,
+      target  => $::neutron::params::opencontrail_config_file,
+      require => Package[$::neutron::params::opencontrail_plugin_package],
+      tag     => 'neutron-config-file',
+    }
+    $api_paste_config_file = '/usr/share/neutron/api-paste.ini'
+  }
+  ini_setting { 'filter:user_token':
+    ensure  => present,
+    path    => $api_paste_config_file,
+    section => 'filter:user_token',
+    setting => 'paste.filter_factory',
+    value   => 'neutron_plugin_contrail.plugins.opencontrail.neutron_middleware:token_factory',
+  }
+  ini_setting { 'composite:neutronapi_v2_0':
+    ensure  => present,
+    path    => $api_paste_config_file,
+    section => 'composite:neutronapi_v2_0',
+    setting => 'keystone',
+    value   => 'user_token cors http_proxy_to_wsgi request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0',
+  }
+  resources { 'neutron_plugin_opencontrail':
+    purge => $purge_config,
+  }
+
+  exec { 'add neutron user to haproxy group':
+    command => '/usr/sbin/usermod -a -G haproxy neutron',
+  }
+
+  if $auth_protocol == 'https' {
+    $auth_url = join([$auth_protocol,'://',$auth_host,':',$auth_port_ssl,'/v2.0'])
+    neutron_plugin_opencontrail {
+      'APISERVER/api_server_ip':           value => $api_server;
+      'APISERVER/api_server_port':         value => $api_port;
+      'APISERVER/contrail_extensions':     value => join($contrail_extensions, ',');
+      'KEYSTONE/auth_url':                 value => $auth_url;
+      'KEYSTONE/admin_user' :              value => $admin_user;
+      'KEYSTONE/admin_tenant_name':        value => $admin_tenant_name;
+      'KEYSTONE/admin_password':           value => $admin_password, secret =>true;
+      'KEYSTONE/admin_token':              value => $admin_token, secret =>true;
+      'KEYSTONE/cafile':                   value => $ca_file;
+      'KEYSTONE/certfile':                 value => $cert_file;
+      'keystone_authtoken/admin_user':     value => $admin_user;
+      'keystone_authtoken/admin_tenant':   value => $admin_tenant_name;
+      'keystone_authtoken/admin_password': value => $admin_password, secret =>true;
+      'keystone_authtoken/auth_host':      value => $auth_host;
+      'keystone_authtoken/auth_protocol':  value => $auth_protocol;
+      'keystone_authtoken/auth_port':      value => $auth_port_ssl;
+      'keystone_authtoken/cafile':         value => $ca_file;
+      'keystone_authtoken/certfile':       value => $cert_file;
+    }
+  } else {
+    $auth_url = join([$auth_protocol,'://',$auth_host,':',$auth_port,'/v2.0'])
+    neutron_plugin_opencontrail {
+      'APISERVER/api_server_ip':           value => $api_server;
+      'APISERVER/api_server_port':         value => $api_port;
+      'APISERVER/contrail_extensions':     value => join($contrail_extensions, ',');
+      'KEYSTONE/auth_url':                 value => $auth_url;
+      'KEYSTONE/admin_user' :              value => $admin_user;
+      'KEYSTONE/admin_tenant_name':        value => $admin_tenant_name;
+      'KEYSTONE/admin_password':           value => $admin_password, secret =>true;
+      'KEYSTONE/admin_token':              value => $admin_token, secret =>true;
+      'keystone_authtoken/admin_user':     value => $admin_user;
+      'keystone_authtoken/admin_tenant':   value => $admin_tenant_name;
+      'keystone_authtoken/admin_password': value => $admin_password, secret =>true;
+      'keystone_authtoken/auth_host':      value => $auth_host;
+      'keystone_authtoken/auth_protocol':  value => $auth_protocol;
+      'keystone_authtoken/auth_port':      value => $auth_port;
+    }
+  }
+}
--- a/manifests/network/contrail/provision.pp
+++ b/manifests/network/contrail/provision.pp
@ -0,0 +1,96 @@
+#
+# Copyright (C) 2015 Juniper Networks
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::network::contrail::provision
+#
+# Provisions Contrail Control and link local services
+#
+# == Parameters:
+#
+# [*host_ip*]
+#  (required) host IP address of Control
+#  String (IPv4) value.
+#
+# [*admin_password*]
+#  (optional) admin password
+#  String value.
+#  Defaults to hiera('contrail::admin_password'),
+#
+# [*admin_tenant_name*]
+#  (optional) admin tenant name.
+#  String value.
+#  Defaults to hiera('contrail::admin_tenant_name'),
+#
+# [*admin_token*]
+#  (optional) admin token
+#  String value.
+#  Defaults to hiera('contrail::admin_token'),
+#
+# [*admin_user*]
+#  (optional) admin user name.
+#  String value.
+#  Defaults to hiera('contrail::admin_user'),
+#
+# [*api_server*]
+#  (optional) IP address of api server
+#  String value.
+#  Defaults to hiera('contrail_config_vip')
+#
+# [*auth_host*]
+#  (optional) keystone server ip address
+#  String (IPv4) value.
+#  Defaults to hiera('contrail::auth_host'),
+#
+# [*auth_port*]
+#  (optional) keystone port.
+#  Defaults to hiera('contrail::auth_port'),
+#
+# [*auth_protocol*]
+#  (optional) authentication protocol.
+#  Defaults to hiera('contrail::auth_protocol'),
+#
+# [*step*]
+#  (optional) Step stack is in
+#  Integer value.
+#  Defaults to hiera('step')
+#
+class tripleo::network::contrail::provision(
+  $step             = hiera('step'),
+  $admin_password = hiera('contrail::admin_password'),
+  $admin_tenant_name = hiera('contrail::admin_tenant_name'),
+  $admin_token = hiera('contrail::admin_token'),
+  $admin_user = hiera('contrail::admin_user'),
+  $auth_host = hiera('contrail::auth_host'),
+  $auth_port = hiera('contrail::auth_port'),
+  $auth_protocol = hiera('contrail::auth_protocol'),
+  $api_server = hiera('contrail_config_vip'),
+)
+{
+  if $step >= 5 {
+    class {'::contrail::control::provision_control':
+      api_address                => $api_server,
+      keystone_admin_user        => $admin_user,
+      keystone_admin_password    => $admin_password,
+      keystone_admin_tenant_name => $admin_tenant_name,
+    }
+    class {'::contrail::control::provision_linklocal':
+      api_address                => $api_server,
+      keystone_admin_user        => $admin_user,
+      keystone_admin_password    => $admin_password,
+      keystone_admin_tenant_name => $admin_tenant_name,
+      ipfabric_service_ip        => $api_server,
+    }
+  }
+}
--- a/manifests/network/contrail/vrouter.pp
+++ b/manifests/network/contrail/vrouter.pp
@ -0,0 +1,302 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::neutron::opencontrail::vrouter
+#
+# Opencontrail profile to run the contrail vrouter
+#
+# === Parameters
+#
+# [*step*]
+#   (Optional) The current step of the deployment
+#   Defaults to hiera('step')
+#
+# [*admin_password*]
+#  (optional) admin password
+#  String value.
+#  Defaults to hiera('contrail::admin_password')
+#
+# [*admin_tenant_name*]
+#  (optional) admin tenant name.
+#  String value.
+#  Defaults to hiera('contrail::admin_tenant_name')
+#
+# [*admin_token*]
+#  (optional) admin token
+#  String value.
+#  Defaults to hiera('contrail::admin_token')
+#
+# [*admin_user*]
+#  (optional) admin user name.
+#  String value.
+#  Defaults to hiera('contrail::admin_user')
+#
+# [*api_server*]
+#  (optional) IP address of api server
+#  String value.
+#  Defaults to hiera('contrail_config_vip')
+#
+# [*api_port*]
+#  (optional) port of api server
+#  String value.
+#  Defaults to hiera('contrail::api_port')
+#
+# [*auth_host*]
+#  (optional) keystone server ip address
+#  String (IPv4) value.
+#  Defaults to hiera('contrail::auth_host')
+#
+# [*auth_port*]
+#  (optional) keystone port.
+#  Integer value.
+#  Defaults to hiera('contrail::auth_port')
+#
+# [*auth_port_ssl*]
+#  (optional) keystone ssl port.
+#  Integer value.
+#  Defaults to hiera('contrail::auth_port_ssl')
+#
+# [*auth_protocol*]
+#  (optional) authentication protocol.
+#  String value.
+#  Defaults to hiera('contrail::auth_protocol')
+#
+# [*ca_file*]
+#  (optional) ca file name
+#  String value.
+#  Defaults to hiera('contrail::service_certificate',false)
+#
+# [*cert_file*]
+#  (optional) cert file name
+#  String value.
+#  Defaults to hiera('contrail::service_certificate',false)
+#
+# [*control_server*]
+#  (optional) Contrail control server IP
+#  Array of String (IPv4) value.
+#  Defaults to hiera('contrail_control_node_ips')
+#
+# [*disc_server_ip*]
+#  (optional) IPv4 address of discovery server.
+#  String (IPv4) value.
+#  Defaults to hiera('contrail_config_vip'),
+#
+# [*disc_server_port*]
+#  (optional) port Discovery server listens on.
+#  Integer value.
+#  Defaults to hiera('contrail::disc_server_port')
+#
+# [*gateway*]
+#  (optional) Default GW for vrouter
+#  String (IPv4) value.
+#  Defaults to hiera('contrail::vrouter::gateway')
+#
+# [*host_ip*]
+#  (optional) host IP address of vrouter
+#  String (IPv4) value.
+#  Defaults to hiera('contrail::vrouter::host_ip')
+#
+# [*insecure*]
+#  (optional) insecure connections allowed
+#  String value.
+#  Defaults to hiera('contrail::insecure')
+#
+# [*memcached_servers*]
+#  (optional) memcached server ip
+#  String (IPv4) value.
+#  Defaults to hiera('contrail::memcached_server')
+#
+# [*metadata_secret*]
+#  (optional) secret for metadata
+#  String value.
+#  Defaults to hiera('contrail::vrouter::metadata_proxy_shared_secret')
+#
+# [*netmask*]
+#  (optional) netmask for vrouter interface
+#  String (IPv4) value.
+#  Defaults to hiera('contrail::vrouter::netmask')
+#
+# [*physical_interface*]
+#  (optional) vrouter interface
+#  String value.
+#  Defaults to hiera('contrail::vrouter::physical_interface')
+#
+# [*public_vip*]
+#  (optional) Public VIP to Keystone
+#  String (IPv4) value.
+#  Defaults to hiera('public_virtual_ip')
+#
+# [*is_tsn*]
+#  (optional) Turns vrouter into TSN
+#  String value.
+#  Defaults to hiera('contrail::vrouter::is_tsn',false)
+#
+class tripleo::network::contrail::vrouter (
+  $step               = hiera('step'),
+  $admin_password     = hiera('contrail::admin_password'),
+  $admin_tenant_name  = hiera('contrail::admin_tenant_name'),
+  $admin_token        = hiera('contrail::admin_token'),
+  $admin_user         = hiera('contrail::admin_user'),
+  $api_port           = hiera('contrail::api_port'),
+  $api_server         = hiera('contrail_config_vip'),
+  $auth_host          = hiera('contrail::auth_host'),
+  $auth_port          = hiera('contrail::auth_port'),
+  $auth_port_ssl      = hiera('contrail::auth_port_ssl'),
+  $auth_protocol      = hiera('contrail::auth_protocol'),
+  $ca_file            = hiera('contrail::service_certificate',false),
+  $cert_file          = hiera('contrail::service_certificate',false),
+  $control_server     = hiera('contrail_control_node_ips'),
+  $disc_server_ip     = hiera('contrail_config_vip'),
+  $disc_server_port   = hiera('contrail::disc_server_port'),
+  $gateway            = hiera('contrail::vrouter::gateway'),
+  $host_ip            = hiera('contrail::vrouter::host_ip'),
+  $insecure           = hiera('contrail::insecure'),
+  $memcached_servers  = hiera('contrail::memcached_server'),
+  $metadata_secret    = hiera('contrail::vrouter::metadata_proxy_shared_secret'),
+  $netmask            = hiera('contrail::vrouter::netmask'),
+  $physical_interface = hiera('contrail::vrouter::physical_interface'),
+  $public_vip         = hiera('public_virtual_ip'),
+  $is_tsn             = hiera('contrail::vrouter::is_tsn',false),
+) {
+    $cidr = netmask_to_cidr($netmask)
+    notify { 'cidr':
+      message => $cidr,
+    }
+    $macaddress = inline_template("<%= scope.lookupvar('::macaddress_${physical_interface}') -%>")
+    #include ::contrail::vrouter
+    # NOTE: it's not possible to use this class without a functional
+    # contrail controller up and running
+    $control_server_list = join($control_server, ' ')
+    if $auth_protocol == 'https' {
+      $keystone_config = {
+        'KEYSTONE' => {
+          'admin_password'    => $admin_password,
+          'admin_tenant_name' => $admin_tenant_name,
+          'admin_token'       => $admin_token,
+          'admin_user'        => $admin_user,
+          'auth_host'         => $auth_host,
+          'auth_port'         => $auth_port_ssl,
+          'auth_protocol'     => $auth_protocol,
+          'insecure'          => $insecure,
+          'memcached_servers' => $memcached_servers,
+          'certfile'          => $cert_file,
+          'cafile'            => $ca_file,
+        },
+      }
+      $vnc_api_lib_config = {
+        'auth' => {
+          'AUTHN_SERVER'   => $public_vip,
+          'AUTHN_PORT'     => $auth_port_ssl,
+          'AUTHN_PROTOCOL' => $auth_protocol,
+          'certfile'       => $cert_file,
+          'cafile'         => $ca_file,
+        },
+      }
+    } else {
+    $keystone_config = {
+        'KEYSTONE' => {
+          'admin_password'    => $admin_password,
+          'admin_tenant_name' => $admin_tenant_name,
+          'admin_token'       => $admin_token,
+          'admin_user'        => $admin_user,
+          'auth_host'         => $auth_host,
+          'auth_port'         => $auth_port,
+          'auth_protocol'     => $auth_protocol,
+          'insecure'          => $insecure,
+          'memcached_servers' => $memcached_servers,
+        },
+      }
+      $vnc_api_lib_config = {
+        'auth' => {
+          'AUTHN_SERVER' => $public_vip,
+        },
+      }
+    }
+    if $is_tsn {
+      $vrouter_agent_config = {
+        'DEBUG'  => {
+          'agent_mode' => 'tsn',
+        },
+        'CONTROL-NODE'  => {
+          'server' => $control_server_list,
+        },
+        'VIRTUAL-HOST-INTERFACE'  => {
+          'compute_node_address' => $host_ip,
+          'gateway'              => $gateway,
+          'ip'                   => "${host_ip}/${cidr}",
+          'name'                 => 'vhost0',
+          'physical_interface'   => $physical_interface,
+        },
+        'METADATA' => {
+          'metadata_proxy_secret' => $metadata_secret,
+        },
+        'DISCOVERY' => {
+          'server' => $disc_server_ip,
+          'port'   => $disc_server_port,
+        },
+      }
+    } else {
+      $vrouter_agent_config = {
+        'CONTROL-NODE'  => {
+          'server' => $control_server_list,
+        },
+        'VIRTUAL-HOST-INTERFACE'  => {
+          'compute_node_address' => $host_ip,
+          'gateway'              => $gateway,
+          'ip'                   => "${host_ip}/${cidr}",
+          'name'                 => 'vhost0',
+          'physical_interface'   => $physical_interface,
+        },
+        'METADATA' => {
+          'metadata_proxy_secret' => $metadata_secret,
+        },
+        'DISCOVERY' => {
+          'server' => $disc_server_ip,
+          'port'   => $disc_server_port,
+        },
+      }
+    }
+    class {'::contrail::vrouter':
+      discovery_ip           => $disc_server_ip,
+      gateway                => $gateway,
+      host_ip                => $host_ip,
+      is_tsn                 => $is_tsn,
+      macaddr                => $macaddress,
+      mask                   => $cidr,
+      netmask                => $netmask,
+      physical_interface     => $physical_interface,
+      vhost_ip               => $host_ip,
+      keystone_config        => $keystone_config,
+      vrouter_agent_config   => $vrouter_agent_config,
+      vrouter_nodemgr_config => {
+        'DISCOVERY' => {
+          'server' => $disc_server_ip,
+          'port'   => $disc_server_port,
+        },
+      },
+      vnc_api_lib_config     => $vnc_api_lib_config,
+    }
+  if $step >= 5 {
+    class {'::contrail::vrouter::provision_vrouter':
+      api_address                => $api_server,
+      api_port                   => $api_port,
+      host_ip                    => $host_ip,
+      node_name                  => $::hostname,
+      keystone_admin_user        => $admin_user,
+      keystone_admin_password    => $admin_password,
+      keystone_admin_tenant_name => $admin_tenant_name,
+      is_tsn                     => $is_tsn,
+    }
+  }
+}
--- a/manifests/network/contrail/webui.pp
+++ b/manifests/network/contrail/webui.pp
@ -19,18 +19,6 @@
 #
 # == Parameters:
 #
-# [*contrail_analytics_vip*]
-#  (required) VIP of Contrail Analytics
-#  String (IPv4) value.
-#
-# [*contrail_config_vip*]
-#  (required) VIP of Contrail Config
-#  String (IPv4) value.
-#
-# [*neutron_vip*]
-#  (required) VIP of Neutron
-#  String (IPv4) value.
-#
 # [*admin_password*]
 #  (optional) admin password
 #  String value.
@ -56,11 +44,46 @@
 #  String (IPv4) value.
 #  Defaults to hiera('contrail::auth_host')
 #
+# [*auth_port_public*]
+#  (optional) keystone port.
+#  Integer value.
+#  Defaults to hiera('contrail::auth_port_public')
+#
+# [*auth_port_ssl*]
+#  (optional) keystone ssl port.
+#  Integer value.
+#  Defaults to hiera('contrail::auth_port_ssl')
+#
+# [*auth_port_ssl_public*]
+#  (optional) keystone public ssl port.
+#  Integer value.
+#  Defaults to hiera('contrail::auth_port_ssl_public')
+#
+# [*auth_protocol*]
+#  (optional) authentication protocol.
+#  String value.
+#  Defaults to hiera('contrail::auth_protocol')
+#
+# [*cert_file*]
+#  (optional) cert file name
+#  String value.
+#  Defaults to hiera('contrail::service_certificate',false)
+#
 # [*cassandra_server_list*]
 #  (optional) List IPs+port of Cassandra servers
 #  Array of strings value.
 #  Defaults to hiera('contrail::cassandra_server_list')
 #
+# [*contrail_analytics_vip*]
+#  (optional) VIP of Contrail Analytics
+#  String (IPv4) value.
+#  Defaults to hiera('contrail_analytics_vip')
+#
+# [*contrail_config_vip*]
+#  (optional) VIP of Contrail Config
+#  String (IPv4) value.
+#  Defaults to hiera('contrail_config_vip')
+#
 # [*contrail_webui_http_port*]
 #  (optional) Webui HTTP Port
 #  Integer value.
@ -71,38 +94,55 @@
 #  Integer value.
 #  Defaults to 8143
 #
+# [*neutron_vip*]
+#  (optional) VIP of Neutron
+#  String (IPv4) value.
+#  Defaults to hiera('neutron_api_vip')
+#
 # [*redis_ip*]
 #  (optional) IP of Redis
 #  String (IPv4) value.
 #  Defaults to '127.0.0.1'
 #
 class tripleo::network::contrail::webui(
-  $contrail_analytics_vip,
-  $contrail_config_vip,
-  $neutron_vip,
-  $admin_password = hiera('contrail::admin_password'),
-  $admin_tenant_name = hiera('contrail::admin_tenant_name'),
-  $admin_token = hiera('contrail::admin_token'),
-  $admin_user = hiera('contrail::admin_user'),
-  $auth_host = hiera('contrail::auth_host'),
-  $cassandra_server_list = hiera('contrail::cassandra_server_list'),
-  $contrail_webui_http_port = 8080,
-  $contrail_webui_https_port = 8143,
-  $redis_ip = '127.0.0.1',
+  $admin_password            = hiera('contrail::admin_password'),
+  $admin_tenant_name         = hiera('contrail::admin_tenant_name'),
+  $admin_token               = hiera('contrail::admin_token'),
+  $admin_user                = hiera('contrail::admin_user'),
+  $auth_host                 = hiera('contrail::auth_host'),
+  $auth_protocol             = hiera('contrail::auth_protocol'),
+  $auth_port_public          = hiera('contrail::auth_port_public'),
+  $auth_port_ssl_public      = hiera('contrail::auth_port_ssl_public'),
+  $cassandra_server_list     = hiera('contrail_database_node_ips'),
+  $cert_file                 = hiera('contrail::cert_file'),
+  $contrail_analytics_vip    = hiera('contrail_analytics_vip'),
+  $contrail_config_vip       = hiera('contrail_config_vip'),
+  $contrail_webui_http_port  = hiera('contrail::webui::http_port'),
+  $contrail_webui_https_port = hiera('contrail::webui::https_port'),
+  $neutron_vip               = hiera('neutron_api_vip'),
+  $redis_ip                  = hiera('contrail::webui::redis_ip'),
 )
 {
+  if $auth_protocol == 'https' {
+    $auth_port = $auth_port_ssl_public
+  } else {
+    $auth_port = $auth_port_public
+  }
  class {'::contrail::webui':
-    openstack_vip             => $auth_host,
-    contrail_config_vip       => $contrail_config_vip,
-    contrail_analytics_vip    => $contrail_analytics_vip,
-    neutron_vip               => $neutron_vip,
-    cassandra_ip              => $cassandra_server_list,
-    redis_ip                  => $redis_ip,
-    contrail_webui_http_port  => $contrail_webui_http_port,
-    contrail_webui_https_port => $contrail_webui_https_port,
    admin_user                => $admin_user,
    admin_password            => $admin_password,
    admin_token               => $admin_token,
    admin_tenant_name         => $admin_tenant_name,
+    auth_port                 => $auth_port,
+    auth_protocol             => $auth_protocol,
+    cassandra_ip              => $cassandra_server_list,
+    cert_file                 => $cert_file,
+    contrail_config_vip       => $contrail_config_vip,
+    contrail_analytics_vip    => $contrail_analytics_vip,
+    contrail_webui_http_port  => $contrail_webui_http_port,
+    contrail_webui_https_port => $contrail_webui_https_port,
+    neutron_vip               => $neutron_vip,
+    openstack_vip             => $auth_host,
+    redis_ip                  => $redis_ip,
  }
 }