Mv pacemaker and firewall out of controller

This patch moves settings for pacemaker and the tripleo firewall out of controller.yaml. Related bug: #1604414 Change-Id: I0164717bfd79cdea3de8eb7a64771028bea201ac
2016-08-26 13:48:39 -04:00 · 2016-08-26 13:48:39 -04:00 · 827d110a34
parent 7ab48cc832
commit 827d110a34
4 changed files with 67 additions and 78 deletions
--- a/overcloud.yaml
+++ b/overcloud.yaml
@ -440,9 +440,7 @@ resources:
        properties:
          CloudDomain: {get_param: CloudDomain}
          controllerExtraConfig: {get_param: controllerExtraConfig}
-          PcsdPassword: {get_resource: PcsdPassword}
          RedisVirtualIP: {get_attr: [RedisVirtualIP, ip_address]}
-          RedisVirtualIPUri: {get_attr: [RedisVirtualIP, ip_address_uri]}
          ServiceNetMap: {get_attr: [ServiceNetMap, service_net_map]}
          EndpointMap: {get_attr: [EndpointMap, endpoint_map]}
          Hostname:
--- a/puppet/controller.yaml
+++ b/puppet/controller.yaml
@ -23,18 +23,10 @@ parameters:
        ...
      }
    type: json
-  CorosyncIPv6:
-    default: false
-    description: Enable IPv6 in Corosync
-    type: boolean
  Debug:
    default: ''
    description: Set to True to enable debugging on all services.
    type: string
-  EnableFencing:
-    default: false
-    description: Whether to enable fencing in Pacemaker or not.
-    type: boolean
  EnableLoadBalancer:
    default: true
    description: Whether to deploy a LoadBalancer on the Controller
@ -45,38 +37,6 @@ parameters:
      Additional hieradata to inject into the cluster, note that
      ControllerExtraConfig takes precedence over ExtraConfig.
    type: json
-  FencingConfig:
-    default: {}
-    description: |
-      Pacemaker fencing configuration. The JSON should have
-      the following structure:
-        {
-          "devices": [
-            {
-              "agent": "AGENT_NAME",
-              "host_mac": "HOST_MAC_ADDRESS",
-              "params": {"PARAM_NAME": "PARAM_VALUE"}
-            }
-          ]
-        }
-      For instance:
-        {
-          "devices": [
-            {
-              "agent": "fence_xvm",
-              "host_mac": "52:54:00:aa:bb:cc",
-              "params": {
-                "multicast_address": "225.0.0.12",
-                "port": "baremetal_0",
-                "manage_fw": true,
-                "manage_key_file": true,
-                "key_file": "/etc/fence_xvm.key",
-                "key_file_password": "abcdef"
-              }
-            }
-          ]
-        }
-    type: json
  OvercloudControlFlavor:
    description: Flavor for control nodes to request when deploying.
    default: baremetal
@ -98,33 +58,13 @@ parameters:
    type: string
    constraints:
      - custom_constraint: nova.keypair
-  ManageFirewall:
-    default: false
-    description: Whether to manage IPtables rules.
-    type: boolean
-  PurgeFirewallRules:
-    default: false
-    description: Whether IPtables rules should be purged before setting up the new ones.
-    type: boolean
  NeutronPublicInterface:
    default: nic1
    description: What interface to bridge onto br-ex for network nodes.
    type: string
-  PcsdPassword:
-    type: string
-    description: The password for the 'pcsd' user.
-    hidden: true
-  RedisPassword:
-    description: The password for Redis
-    type: string
-    hidden: true
  RedisVirtualIP:
    type: string
    default: ''  # Has to be here because of the ignored empty value bug
-  RedisVirtualIPUri:
-    type: string
-    default: ''  # Has to be here because of the ignored empty value bug
-    description: An IP address which is wrapped in brackets in case of IPv6
  SwiftRawDisks:
    default: {}
    description: 'A hash of additional raw devices to use as Swift backend (eg. {sdb: {}})'
@ -358,17 +298,9 @@ resources:
      server: {get_resource: Controller}
      input_values:
        bootstack_nodeid: {get_attr: [Controller, name]}
-        debug: {get_param: Debug}
-        enable_fencing: {get_param: EnableFencing}
        enable_load_balancer: {get_param: EnableLoadBalancer}
-        manage_firewall: {get_param: ManageFirewall}
-        purge_firewall_rules: {get_param: PurgeFirewallRules}
-        corosync_ipv6: {get_param: CorosyncIPv6}
-        fencing_config: {get_param: FencingConfig}
-        pcsd_password: {get_param: PcsdPassword}
        enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]}
        redis_vip: {get_param: RedisVirtualIP}
-        ironic_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, IronicApiNetwork]}]}

  # Map heat metadata into hiera datafiles
  ControllerConfig:
@ -421,17 +353,10 @@ resources:
                bootstack_nodeid: {get_input: bootstack_nodeid}

                # Pacemaker
-                enable_fencing: {get_input: enable_fencing}
                enable_load_balancer: {get_input: enable_load_balancer}
-                hacluster_pwd: {get_input: pcsd_password}
-                corosync_ipv6: {get_input: corosync_ipv6}
-                tripleo::fencing::config: {get_input: fencing_config}

                # Redis
                redis_vip: {get_input: redis_vip}
-                # Firewall
-                tripleo::firewall::manage_firewall: {get_input: manage_firewall}
-                tripleo::firewall::purge_firewall_rules: {get_input: purge_firewall_rules}
                # Misc
                tripleo::haproxy::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]}
                tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade}
--- a/puppet/services/pacemaker.yaml
+++ b/puppet/services/pacemaker.yaml
@ -1,4 +1,4 @@
-heat_template_version: 2016-04-08
+heat_template_version: 2016-10-14

 description: >
  Pacemaker service configured with Puppet
@ -21,6 +21,51 @@ parameters:
  MonitoringSubscriptionPacemaker:
    default: 'overcloud-pacemaker'
    type: string
+  CorosyncIPv6:
+    default: false
+    description: Enable IPv6 in Corosync
+    type: boolean
+  EnableFencing:
+    default: false
+    description: Whether to enable fencing in Pacemaker or not.
+    type: boolean
+  PcsdPassword:
+    type: string
+    description: The password for the 'pcsd' user for pacemaker.
+    hidden: true
+    default: ''
+  FencingConfig:
+    default: {}
+    description: |
+      Pacemaker fencing configuration. The JSON should have
+      the following structure:
+        {
+          "devices": [
+            {
+              "agent": "AGENT_NAME",
+              "host_mac": "HOST_MAC_ADDRESS",
+              "params": {"PARAM_NAME": "PARAM_VALUE"}
+            }
+          ]
+        }
+      For instance:
+        {
+          "devices": [
+            {
+              "agent": "fence_xvm",
+              "host_mac": "52:54:00:aa:bb:cc",
+              "params": {
+                "multicast_address": "225.0.0.12",
+                "port": "baremetal_0",
+                "manage_fw": true,
+                "manage_key_file": true,
+                "key_file": "/etc/fence_xvm.key",
+                "key_file_password": "abcdef"
+              }
+            }
+          ]
+        }
+    type: json

 outputs:
  role_data:
@ -44,5 +89,15 @@ outputs:
          '131 pacemaker udp':
            proto: 'udp'
            dport: 5405
+        corosync_ipv6: {get_param: CorosyncIPv6}
+        tripleo::fencing::config: {get_param: FencingConfig}
+        enable_fencing: {get_param: EnableFencing}
+        hacluster_pwd:
+          yaql:
+            expression: $.data.passwords.where($ != '').first()
+            data:
+              passwords:
+                - {get_param: PcsdPassword}
+                - {get_param: [DefaultPasswords, pcsd_password]}
      step_config: |
        include ::tripleo::profile::base::pacemaker
--- a/puppet/services/tripleo-firewall.yaml
+++ b/puppet/services/tripleo-firewall.yaml
@ -18,11 +18,22 @@ parameters:
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
+  ManageFirewall:
+    default: false
+    description: Whether to manage IPtables rules.
+    type: boolean
+  PurgeFirewallRules:
+    default: false
+    description: Whether IPtables rules should be purged before setting up the new ones.
+    type: boolean

 outputs:
  role_data:
    description: Role data for the TripleO firewall settings
    value:
      service_name: tripleo_firewall
+      config_settings:
+        tripleo::firewall::manage_firewall: {get_param: ManageFirewall}
+        tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules}
      step_config: |
        include ::tripleo::firewall