Lightweight composition layer for Puppet TripleO

api.pp 6.2KB

  1. # Copyright 2016 Red Hat, Inc.
  2. #
  3. # Licensed under the Apache License, Version 2.0 (the "License"); you may
  4. # not use this file except in compliance with the License. You may obtain
  5. # a copy of the License at
  6. #
  7. # http://www.apache.org/licenses/LICENSE-2.0
  8. #
  9. # Unless required by applicable law or agreed to in writing, software
  10. # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  11. # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
  12. # License for the specific language governing permissions and limitations
  13. # under the License.
  14. #
  15. # == Class: tripleo::profile::base::nova::api
  16. #
  17. # Nova API profile for tripleo
  18. #
  19. # [*bootstrap_node*]
  20. # (Optional) The hostname of the node responsible for bootstrapping tasks
  21. # Defaults to hiera('nova_api_short_bootstrap_node_name')
  22. #
  23. # [*certificates_specs*]
  24. # (Optional) The specifications to give to certmonger for the certificate(s)
  25. # it will create.
  26. # Example with hiera:
  27. # apache_certificates_specs:
  28. # httpd-internal_api:
  29. # hostname: <overcloud controller fqdn>
  30. # service_certificate: <service certificate path>
  31. # service_key: <service key path>
  32. # principal: "haproxy/<overcloud controller fqdn>"
# Defaults to hiera('apache_certificates_specs', {}). Each entry is looked up
# by the key "httpd-<network name>" when enable_internal_tls is true.
  34. #
  35. # [*enable_internal_tls*]
  36. # (Optional) Whether TLS in the internal network is enabled or not.
  37. # Defaults to hiera('enable_internal_tls', false)
  38. #
  39. # [*nova_api_network*]
  40. # (Optional) The network name where the nova API endpoint is listening on.
  41. # This is set by t-h-t.
  42. # Defaults to hiera('nova_api_network', undef)
  43. #
  44. # [*nova_api_wsgi_enabled*]
  45. # (Optional) Whether or not deploy Nova API in WSGI with Apache.
  46. # Nova Team discourages it.
  47. # Defaults to hiera('nova_wsgi_enabled', false)
  48. #
  49. # [*nova_metadata_wsgi_enabled*]
  50. # (Optional) Whether or not deploy Nova Metadata in WSGI with Apache.
  51. # Defaults to hiera('nova_metadata_wsgi_enabled', false)
  52. #
  53. # [*nova_metadata_network*]
  54. # DEPRECATED: (Optional) The network name where the nova metadata endpoint is listening on.
  55. # This is set by t-h-t.
  56. # Defaults to hiera('nova_metadata_network', undef)
  57. #
  58. # [*step*]
  59. # (Optional) The current step in deployment. See tripleo-heat-templates
  60. # for more details.
  61. # Defaults to hiera('step')
  62. #
  63. # [*metadata_tls_proxy_bind_ip*]
  64. # DEPRECATED: IP on which the TLS proxy will listen on. Required only if
  65. # enable_internal_tls is set.
  66. # Defaults to undef
  67. #
# [*metadata_tls_proxy_fqdn*]
# DEPRECATED: FQDN the TLS proxy will answer for (used as the TLS servername).
# Required only if enable_internal_tls is set and the metadata API is not
# deployed under WSGI.
# Defaults to undef
  72. #
# [*metadata_tls_proxy_port*]
# DEPRECATED: port on which the TLS proxy will listen. Only used if
# enable_internal_tls is set and the metadata API is not deployed under WSGI.
# Defaults to 8775 (the standard nova-metadata port), matching the class
# parameter default below.
  77. #
  78. class tripleo::profile::base::nova::api (
  79. $bootstrap_node = hiera('nova_api_short_bootstrap_node_name', undef),
  80. $certificates_specs = hiera('apache_certificates_specs', {}),
  81. $enable_internal_tls = hiera('enable_internal_tls', false),
  82. $nova_api_network = hiera('nova_api_network', undef),
  83. $nova_api_wsgi_enabled = hiera('nova_wsgi_enabled', false),
  84. $nova_metadata_wsgi_enabled = hiera('nova_metadata_wsgi_enabled', false),
  85. $nova_metadata_network = hiera('nova_metadata_network', undef),
  86. $step = Integer(hiera('step')),
  87. $metadata_tls_proxy_bind_ip = undef,
  88. $metadata_tls_proxy_fqdn = undef,
  89. $metadata_tls_proxy_port = 8775,
  90. ) {
  91. if $::hostname == downcase($bootstrap_node) {
  92. $sync_db = true
  93. } else {
  94. $sync_db = false
  95. }
  96. include ::tripleo::profile::base::nova
  97. include ::tripleo::profile::base::nova::authtoken
  98. if $step >= 3 and $sync_db {
  99. include ::nova::cell_v2::simple_setup
  100. }
  101. if $step >= 4 or ($step >= 3 and $sync_db) {
  102. if $enable_internal_tls and !$nova_api_wsgi_enabled and !$nova_metadata_wsgi_enabled {
  103. if !$nova_metadata_network {
  104. fail('nova_metadata_network is not set in the hieradata.')
  105. }
  106. $metadata_tls_certfile = $certificates_specs["httpd-${nova_metadata_network}"]['service_certificate']
  107. $metadata_tls_keyfile = $certificates_specs["httpd-${nova_metadata_network}"]['service_key']
  108. ::tripleo::tls_proxy { 'nova-metadata-api':
  109. servername => $metadata_tls_proxy_fqdn,
  110. ip => $metadata_tls_proxy_bind_ip,
  111. port => $metadata_tls_proxy_port,
  112. tls_cert => $metadata_tls_certfile,
  113. tls_key => $metadata_tls_keyfile,
  114. }
  115. Tripleo::Tls_proxy['nova-metadata-api'] ~> Anchor<| title == 'nova::service::begin' |>
  116. }
  117. class { '::nova::api':
  118. sync_db => $sync_db,
  119. sync_db_api => $sync_db,
  120. nova_metadata_wsgi_enabled => $nova_metadata_wsgi_enabled,
  121. }
  122. include ::nova::cors
  123. include ::nova::network::neutron
  124. }
  125. # Temporarily disable Nova API deployed in WSGI
  126. # https://bugs.launchpad.net/nova/+bug/1661360
  127. if $nova_api_wsgi_enabled {
  128. if $enable_internal_tls {
  129. if !$nova_api_network {
  130. fail('nova_api_network is not set in the hieradata.')
  131. }
  132. $tls_certfile = $certificates_specs["httpd-${nova_api_network}"]['service_certificate']
  133. $tls_keyfile = $certificates_specs["httpd-${nova_api_network}"]['service_key']
  134. } else {
  135. $tls_certfile = undef
  136. $tls_keyfile = undef
  137. }
  138. if $step >= 4 or ($step >= 3 and $sync_db) {
  139. include ::tripleo::profile::base::apache
  140. class { '::nova::wsgi::apache_api':
  141. ssl_cert => $tls_certfile,
  142. ssl_key => $tls_keyfile,
  143. }
  144. }
  145. }
  146. if $step >= 5 {
  147. if hiera('nova_enable_db_archive', true) {
  148. include ::nova::cron::archive_deleted_rows
  149. if hiera('nova_enable_db_purge', true) {
  150. include ::nova::cron::purge_shadow_tables
  151. }
  152. }
  153. # At step 5, we consider all nova-compute services started and registred to nova-conductor
  154. # So we want to update Nova Cells database to be aware of these hosts by executing the
  155. # nova-cell_v2-discover_hosts command again.
  156. # Doing it on a single nova-api node to avoid race condition.
  157. if $sync_db {
  158. Exec<| title == 'nova-cell_v2-discover_hosts' |> { refreshonly => false }
  159. }
  160. }
  161. }