In current setup some Contrail services belong to the wrong roles.
The Contrail control plane can be impacted if the Analytics database has problems.
Furthermore contrail tripleo puppet modules are being refactored to conform to the
new interface of the puppet-contrail modules.
Closes-Bug: 1659560
Change-Id: Id0dd35b95c5fe9d0fcc1e16c4b7d6cc601f10818
This uses the tls_proxy resource added in a previous commit [1] in
front of the neutron server when internal TLS is enabled. Right
now values are passed quite manually, but a subsequent commit will use
t-h-t to pass the appropriate hieradata, and then we'll be able to
clean it up from here.
Note that the proxy is only deployed when internal TLS is enabled.
[1] I82243fd3acfe4f23aab373116b78e1daf9d08467
bp tls-via-certmonger
Change-Id: I6dfbf49f45aef9f47e58b5c0dbedd2b4e239979e
This uses the tls_proxy resource added in the previous commit [1] in
front of the Glance API server when internal TLS is enabled. Right
now values are passed quite manually, but a subsequent commit will use
t-h-t to pass the appropriate hieradata, and then we'll be able to clean
it up from here.
Note that the proxy is only deployed when internal TLS is enabled.
[1] I82243fd3acfe4f23aab373116b78e1daf9d08467
bp tls-via-certmonger
Depends-On: Id5dfb38852cf2420f4195a3c1cb98d5c47bbd45e
Change-Id: Id35a846d43ecae8903a0d58306d9803d5ea00bee
Glance Registry has been removed in TripleO. So we can clean
puppet-tripleo and remove last bits that used to deploy this service.
Change-Id: Iea8f6340349ab366606205305a3ec9a6e4f11ba6
etcd is used by networking-vpp ML2 driver as the messaging mechanism. This
patch adds etcd service which can be used by other services.
Implements: blueprint fdio-integration-tripleo
Change-Id: Idaa3e3deddf9be3d278e90b569466c2717e2d517
Signed-off-by: Feng Pan <fpan@redhat.com>
Having these available from t-h-t, we should be able to use these now.
Change-Id: I7272df25c4fdba152fe15d40444311bc35ace4d9
Depends-On: Id0d34c7c3939ee81126ffd26d0658c0a87805a44
This change adds haproxy rules for galera and redis. They are not there
because these haproxy entries do not use the ::tripleo::haproxy::endpoint
function which does this automatically.
Rabbit does not need them because it does not go through haproxy.
Closes-Bug: #1654280
Change-Id: If995d5c36341f3c089cbda9a0827ea28c19c796b
This migrates the haproxy config for ODL to use the
tripleo::haproxy::endpoint class. This class automatically configures
firewall rules for each haproxy endpoint. Also removes listening on
public network for IP and adds listening on ctlplane network for admin
access.
Partial-Bug: 1651476
Change-Id: I1f2af2793d040fda17bf73252afe59434d99f31f
Signed-off-by: Tim Rozet <trozet@redhat.com>
This only takes effect is internal-tls is used, and forces haproxy to
do proper verifications of the SSL certificates provided by the
servers.
bp tls-via-certmonger
Change-Id: Ibd98ec46dd6570887db29f55fe183deb1c9dc642
This allows us to use the composable services interfaces to handle
providing the IP address for northd, and will be more flexible in
the event folks want to deploy northd/ovndb on a different node to
the neutron plugin.
This also adds ovn_northd to the haproxy configuration so we can access
it via the ovn_northd_vip in other service profiles. Note we need
to ensure the haproxy config only hits the bootstrap node as northd
won't be running on the other nodes.
Change-Id: I9af7bd837c340c3df016fc7ad4238b2941ba7a95
Partial-Bug: #1634171
HAProxy won't pass X-Forwarded-Proto to these services in mode tcp, so we need
to switch it to http in order for it to work and for the services to properly
set the protocol in the links they serve.
Change-Id: Ib10282159fb9269eebe81af23171ec9fb1297cd0
Closes-Bug: #1640126
Previously the ctrl plane VIP would default to 'br-ex' which in non-vlan
deployments ends up being the wrong interface. The public VIP interface
was also defaulted to 'br-ex' which would be incorrect for vlan based
deployments. Since a user has already given the nic template (and in
most cases the subnet that corresponds to the nic) the installer should
be able to figure out which interface the public/control vip should be
on.
These changes enable that type of auto-detection, unless a user
explicitly overrides the heat parameters for ControlVirtualInterface and
PublicVirtualInterface. Also removes calling keepalived from haproxy
now that the services are composed separately on the Controller role.
Partial-Bug: 1606632
Change-Id: I05105fce85be8ace986db351cdca2916f405ed04
Signed-off-by: Tim Rozet <trozet@redhat.com>
The default port of the MidoNet Cluster (formerly known as MidoNet API)
is now 8181 instead of 8081.
Since this parameter is configurable through the settings, the default
value for the port has been added to the $service_ports array.
Change-Id: I2785d3109993bca0bd68077ff55cfeafbf594e19
We have a variable in hiera which tells us if the keepalived
service is enabled, so use it here. Without this any deployment
disabling OS::TripleO::Services::Keepalived will fail.
Change-Id: I90faf51881bd05920067c1e1d82baf5d7586af23
Closes-Bug: #1642677
This optionally enables TLS for Barbican API in the internal network.
If internal TLS is enabled, each node that is serving the Barbican API
service will use certmonger to request its certificate.
bp tls-via-certmonger
Change-Id: I1c1d3dab9bba7bec6296a55747e9ade242c47bd9
The lastest patchset of https://review.openstack.org/393361 was actually
not working.
The `if defined` idiom depends on *evaluation* order.
At the time it's red in the haproxy.pp class, the line that loads the
class 'haproxy' has still not yet been reached and thus the `defined`
result is false. The constraint is not added.
For this reason, the use of `defined` in module is not advised by
puppetlabs[1].
[1] https://docs.puppet.com/puppet/latest/reference/function.html#defined
Change-Id: Ibd352cb313f8863d62db8987419378bed5b87256
Relates-To: #1638029
aodh, ceilometer, gnocchi and neutron need the X-Forwarded-Proto in
order to return links with the correct protocol when SSL is enabled.
This enables it in HAProxy
Change-Id: Icceab92f86b1cc40d42195fa4ba0c75f302795b8
Closes-Bug: #1640126
In HA deployments, we now check mysql nodes every 1s and removed them
immediately if they are failed. Previously we would check every 2s and
allow them to fail 5 checks before being removed, producing errors from
other OpenStack services for 10s, which causes confusion and delay for
operators.
Additionally, these check options are now also a class parameter so can
be overridden by operators.
Closes-Bug: #1639189
Change-Id: I0b915f790ae5a4b018a212d3aa83cca507be05e9
It's been proposed this may help with the
('Connection aborted.', BadStatusLine("''",)) errors.
This patch increase queue, server and client timeouts to 2m (default is 1m)
Related-Bug: #1638908
Change-Id: Ie4f059f3fad2271bb472697e85ede296eee91f5d
This optionally enables TLS for Cinder API in the internal network.
If internal TLS is enabled, each node that is serving the Cinder API
service will use certmonger to request its certificate.
bp tls-via-certmonger
Change-Id: Ib4a9c8d3ca57f1b02e1bb0d150f333db501e9863
