1642 Commits

Author SHA1 Message Date
Jenkins
2fc81bef2f Merge "Disable Options Indexes in horizon" 2016-11-22 04:15:23 +00:00
Jenkins
c8b6918776 Merge "Enable enforce_password_check" 2016-11-21 16:33:14 +00:00
Steven Hardy
0f742c7ec9 Disable keepalived for HA deployments via t-h-t
Currently this is disabled via a conditional in the keepalived
profile in puppet-tripleo, but this will be incompatible with
the planned composable upgrades implementation.  Instead we should
disable the service template by mapping to OS::Heat::None, and
ensure the haproxy manifest uses the t-h-t generated hiera value
keepalived_enabled instead of hard-coding a hiera override in the
haproxy template.

Change-Id: I85a8b1cca7268506de22adfb3a8ce7faa4f157ef
Partial-Bug: #1642936
Depends-On: I90faf51881bd05920067c1e1d82baf5d7586af23
2016-11-18 11:45:57 +00:00
Jenkins
80187a2e19 Merge "Use j2 loops in post.j2.yaml" 2016-11-18 11:08:16 +00:00
Andreas Karis
0213ae9bd5 Disable Options Indexes in horizon
Security scanners complain that directory listings are enabled in horizon.

Change-Id: I1d7cfcb3521e8235a99bc452f1b7b92c20ce72ac
Closes-Bug: #1637576
2016-11-17 19:31:05 -05:00
Luke Hinds
ca122325dd Enable enforce_password_check
By setting ENFORCE_PASSWORD_CHECK to `True`, it displays an 'Admin
Password' field on the Change Password form to verify that it is indeed
the admin logged-in who wants to change the password.

Change-Id: Ib11bef93b6b0c74063052875fa361290bf1e92fd
Depends-On: If7af97df7a011569a7e14fbab4f880688d7b82c3
Closes-Bug: #1640806
2016-11-17 13:28:14 +00:00
Jenkins
e171ef1b68 Merge "Do not manage overcloud repositories when using external Ceph" 2016-11-16 16:23:14 +00:00
Jenkins
e6ddc5fe34 Merge "Use keystone profile parameter to pass heat password" 2016-11-16 16:22:49 +00:00
John Fulton
277fbae321 Do not manage overcloud repositories when using external Ceph
ceph::profile::params::manage_repo should default to false when
using external Ceph.

Overcloud Ceph clients use Ceph packages, which may be provided by
the 'ceph' metapackage, but not for all repos, see related bug. So,
this change also includes a list of packages as a workaround as
used in change Ie55d22301dd22102d471e6002dfcaad4bfadd5f6.

Change-Id: I338e51637aa39d3f7bbbad0263740f728d42cb9b
Closes-bug: 1641989
Related-Bug: 1629933
2016-11-16 10:42:29 +00:00
Juan Antonio Osorio Robles
42f835e68b Use keystone profile parameter to pass heat password
Instead of relying on an explicit hiera call to get the stack domain
password, this uses the keystone parameter to introduce that value
instead.

Change-Id: I0e5124d57fdc519262fdec2dbeaaac85afaeebdf
2016-11-16 08:32:26 +02:00
Dan Prince
8ab22a95da Nova base cleanups for hiera json hook
This patch resolves an issue with nova-base.yaml that prevents
it from working with the new heat hiera agent hook (which
uses Json instead of Yaml).

It updates the service so that we only set the upgrade level if it
is not an empty string.

Partial-bug: #1596373

Change-Id: I595f2e16c33a6f935c7ca8935fec445d19c7b8f3
2016-11-15 22:08:14 -05:00
Dan Prince
133edad130 Horizon service cleanups for hiera json hook
This patch resolves a few issues I noticed when porting our
Horizon service to support the new heat hiera agent hook (which
uses Json instead of Yaml).

 -we only need to set django_debug if the string is non-empty. This
  should match previous behavior.

 -remove the duplicated NeutronMechanismDrivers setting. This is already
  managed in the neutron services and shouldn't be set here.

Change-Id: I473e110bb9b14cb8f57d41c4fc398871548726b0
Partial-bug: #1596373
2016-11-15 22:08:14 -05:00
Jenkins
713a2e88c1 Merge "Revert "Adjust MTU to compensate for VLAN tag issue"" 2016-11-16 00:38:32 +00:00
Jenkins
f79b6b479a Merge "Enable internal TLS for Barbican API" 2016-11-15 18:25:02 +00:00
Jenkins
2f0dcc43b9 Merge "Define keystone token provider" 2016-11-15 14:57:27 +00:00
Jenkins
3ed9b510d3 Merge "Disable password reveal in horizon" 2016-11-15 13:07:57 +00:00
Alex Schultz
59997c5e86 Define keystone token provider
In order to eventually enable fernet tokens for keystone, we need to
specify the token provider. This change codifies the current default
used by TripleO of uuid tokens and fernet token setup disabled.

Change-Id: I7c03ed7b6495d0b9a57986458d020b3e3bf7224a
Closes-Bug: #1641763
2016-11-14 17:04:39 -07:00
Jenkins
f7cf9d8fc1 Merge "Fix typo in Keystone Sensu subscription" 2016-11-14 17:02:23 +00:00
Jenkins
8f9b77ada8 Merge "Use default Sensu redact" 2016-11-14 13:18:42 +00:00
Jenkins
9797d93561 Merge "Fixes missing OVS Firewall config with OpenDaylight" 2016-11-14 07:36:34 +00:00
Juan Antonio Osorio Robles
23ca447f77 Enable internal TLS for Barbican API
This adds the necessary hieradata for enabling TLS in the internal
network for Barbican API.

bp tls-via-certmonger
Depends-On: I1c1d3dab9bba7bec6296a55747e9ade242c47bd9

Change-Id: Ib100faa9dc222f836695a0e8f6e101dc7637d1d6
2016-11-14 09:09:52 +02:00
Jenkins
b339ee8331 Merge "Configure civetweb bind socket via puppet-tripleo" 2016-11-12 13:11:42 +00:00
Jenkins
865345db0b Merge "Neutron L3 service cleanups for hiera json hook" 2016-11-11 21:19:03 +00:00
Jenkins
e90a43895b Merge "Enable internal TLS for Cinder API" 2016-11-11 21:04:52 +00:00
Jenkins
d3acb7983f Merge "Handle null role_data in services" 2016-11-11 19:20:08 +00:00
Tim Rozet
a5cec52a6c Fixes missing OVS Firewall config with OpenDaylight
Currently OVS tunnel firewall rules are held within the neutron ovs
agent service heat template.  That service is not used with ODL, so
consequently ODL was missing the VXLAN and GRE firewall rules and
traffic would not pass between nodes.  This adds the missing rules to
the OpenDaylight OVS service.

Closes-Bug: 1641191

Change-Id: Icfd7db6a3e8fcdd02646fb7e413f40f26b03b994
Signed-off-by: Tim Rozet <trozet@redhat.com>
2016-11-11 13:59:06 -05:00
Giulio Fidente
76b0edcb77 Configure civetweb bind socket via puppet-tripleo
When the civetweb binding IP is version 6 it needs to be enclosed
in brackets or the bind socket parsing fails. The mangling happens
in puppet-tripleo, this change updates the templates to push the
appropriate hiera keys.

Change-Id: Ic7004d768ed5e0f2382ffaa57961ea0ef9162527
Closes-Bug: #1636515
Depends-On: Ib84fa3479c2598bff7e89ad60a1c7d5f2c22c18c
2016-11-11 15:03:25 +00:00
Martin Mágr
c921b15c90 Use default Sensu redact
By default sensu-puppet is overriding the default list of variables which should
be redacted. This patch enables to configure redact list and uses default
value given by [1]. This patch also serves as a workaround until [2]
is merged in the module itself (or in case it won't get merged).

[1] https://sensuapp.org/docs/0.24/reference/clients.html
[2] https://github.com/sensu/sensu-puppet/pull/580

Closes-Bug: #1641080
Closes-Bug: rhbz#1392473
Change-Id: I21201f734d2fbf5f571091603126cf11cfdd8c40
2016-11-11 11:16:02 +01:00
Jenkins
8a2542757a Merge "Fixes incorrect reference to OpendaylightApiNetwork" 2016-11-10 18:08:11 +00:00
Jenkins
1e11964372 Merge "Ensure heat-domain hiera is in nodes that contain keystone" 2016-11-10 18:07:58 +00:00
Martin Mágr
e2ebc8ea11 Fix typo in Keystone Sensu subscription
Closes-Bug: rhbz#1392428
Closes-Bug: #1640834
Change-Id: I2a1a869493ccb4c8d5b9aea26b8ef947750d2cfe
2016-11-10 16:26:56 +01:00
Steven Hardy
d96b58b112 Use j2 loops in post.j2.yaml
Simplify this file by removing the hard-coded resources and instead
generate the resources for each step via a loop.

Change-Id: Id89863b9e75769e1a85ebe8bfa4a554f7b38e357
2016-11-10 14:27:36 +00:00
Dan Prince
36aa652247 Neutron L3 service cleanups for hiera json hook
This patch resolves a few issues I noticed when porting our
Neutron L3 service to support the new heat hiera agent hook (which
uses Json instead of Yaml).

 - If NeutronExternalNetworkBridge is an empty string '' Json was
   dropping the single quotes thus causing the bridge to get set
   incorrectly in the config file. To correct this we use a heat
   conditional to avoid setting the external bridge (the '' default
   is what we want in this case) if the bridge is an empty string.

Change-Id: I5037cbde6b76a37a4c22c4616278420e9d759109
Partial-bug: #1596373
2016-11-10 07:44:15 -05:00
Dan Prince
93b4d836ee Handle null role_data in services
This patch updates the Yaql expressions that work on role_data
so that they evaluate properly when the get_attr for role_data
is null.

I hit issues using this for the heat undercloud installer and this
seems to resolve them.

Change-Id: I0493d0525cd3ad280339f26ef9d3aa311af9962e
2016-11-10 07:42:13 -05:00
Jenkins
2ad72b7e96 Merge "Add firewall rules for manila api service" 2016-11-10 08:53:40 +00:00
Tom Barron
96a458d52d Add firewall rules for manila api service
When the manila api service is deployed
on a different role than the controller the
iptables rules on that role fail to ACCEPT
tcp at the manila API ports.

Add tripleo.manila_api.firewall_rules to
the relevant puppet services module.

Change-Id: I1c5459f5ba989657fd99fd72c7ac9f8781cc7206
Closes-Bug: #1640568
2016-11-09 14:09:44 -05:00
Jenkins
1efaa8c6a2 Merge "Reload haproxy configuration as a post-deployment step" 2016-11-09 18:10:35 +00:00
Jenkins
3ddf0dd3ef Merge "set url_base option in static web middleware" 2016-11-09 16:30:18 +00:00
Alex Schultz
465d91380c Disable password reveal in horizon
To improve security, we should disable the password reveal option in
horizon by default. An end user can override this option via their own
custom hiera if they would ultimately like to have this functionality.

Change-Id: Ie88dac5610840eb4b327252b32dc469099ba5f5f
Depends-On: Iacf899d595a2a3c522df1b96ca527731937ec698
Closes-Bug: 1640492
2016-11-09 08:22:44 -07:00
Jenkins
8e84a58749 Merge "Defaults kernel.pid_max to 1048576" 2016-11-09 13:45:28 +00:00
Jenkins
f118fc0619 Merge "Enable internal TLS for Nova API" 2016-11-09 13:30:18 +00:00
Jenkins
465324cb6a Merge "Add Sahara plugins list as a configurable parameter" 2016-11-09 10:51:12 +00:00
Thiago da Silva
14829560b6 set url_base option in static web middleware
Depends-On: Icf45cf2aece398b836c87ddffde5d3056e96dc4d

Change-Id: I3577dc38a0b52092ee5e98a381eb52c3d2768c10
Signed-off-by: Thiago da Silva <thiago@redhat.com>
2016-11-08 16:37:51 -05:00
Jenkins
56bbb9f0ce Merge "Enable internal TLS for gnocchi" 2016-11-08 16:22:00 +00:00
Jenkins
f01f9e4cbe Merge "Do not reference CephBase from CephExternal service" 2016-11-08 15:29:01 +00:00
Carlos Camacho
17e727d716 Reload haproxy configuration as a post-deployment step
After deploying a freshly installed Overcloud or updating the stack
the haproxy configuration is updated correctly but no change in the
HA proxy stats happens.

This submission will add the missing resources to run pre and post
puppet tasks.

Closes-bug: 1640175

Change-Id: I2f08704daeee502c618256695a30ce244a1d7ba5
2016-11-08 13:56:18 +00:00
Giulio Fidente
b1624dd33d Use --globoff when downloading artifacts
We do not encode the chars like [] possibly found in the artifacts
URL, so curl tries to glob against IPv6 addresses in brackets. This
change adds --globoff to the curl options so that IPv6 addresses in
brackets are not misinterpreted.

Closes-Bug: 1640148
Change-Id: Ic86ba1e5fb674bc15b4bcc6bd3ea9e943c4fbf8e
2016-11-08 12:19:27 +00:00
Juan Antonio Osorio Robles
665fad1e4c Enable internal TLS for Cinder API
This adds the necessary hieradata for enabling TLS in the internal
network for Cinder API.

bp tls-via-certmonger
Depends-On: Ib4a9c8d3ca57f1b02e1bb0d150f333db501e9863

Change-Id: I126e890076bc96b1cd166a919eff6aa1bb80510b
2016-11-08 11:51:18 +00:00
Tim Rozet
d3f75f6329 Fixes incorrect reference to OpendaylightApiNetwork
The renaming of the network to conform to correct case parsing was done
and converted OpenDaylightApiNetwork -> OpendaylightApiNetwork.  There
was still a reference to the old network name which would result in an
empty value being passed to odl_bind_ip.

Closes-Bug: 1639944

Change-Id: I17fe348c4651420112b9b37711654a454e30b291
Signed-off-by: Tim Rozet <trozet@redhat.com>
2016-11-07 16:34:45 -05:00
Juan Antonio Osorio Robles
ed95fda7ed Ensure heat-domain hiera is in nodes that contain keystone
The commit that this depends on only works if heat is deployed in the
same node as keystone. Once we deploy them in different nodes, keystone
won't be able to retrieve the appropriate hieradata. This fixes that by
setting the appropriate hieradata to be deployed on the keystone service
by the heat profiles.

Change-Id: I1f08db68a14486526879d1a5a1ff78cb17686924
Depends-On: I7d42d04ef0c53dc1e62d684d8edacfed9fd28fbe
2016-11-07 16:59:20 +00:00