This reverts commit 8e104b3c54.
https://review.openstack.org/#/c/559926/ introduced requiring CloudName.
This broke the documented deployment process. I also don't see how
CloudName can be required, but CloudDomain can not.
I don't see a technical reason why we can't keep the default as
localdomain. If necessary, we can instead add a parameter
validation instead of requiring the parameter.
Closes-Bug: #1771627
Depends-On: Ia86842b0b1f42512f25390d6bdb695e0f8133c6d
Change-Id: I2c5b511df50f29c63aa613899c2bebb506360bf4

This is in preparation for TLS by default, since the TLS certificate will
use FQDNs for the SubjectAltName, and that will be verified.
This required us to change both CloudDomain and CloudName to be
required parameters, and not default them to use localdomain. This is to
avoid folks in real deployments using them in their clouds.
Change-Id: Ic70dd323b33596eaa3fc18bdc69a7c011ccd7fa1

This flag is on by default, and serves to enable (or disable) the
public TLS by default feature.
It differs from the PublicSSLCertificateAutogenerated flag in the fact
that it works with mistral, while PublicSSLCertificateAutogenerated
works with certmonger in the overcloud.
Change-Id: If553ecff26d5ecd529c37ca438e0ba1795e9ecca

It was missing tags which were necessary for the role to get the
appropriate certificate [1]. So, without these tags, the certificate
wasn't persisted in the node, and the job would fail if TLS would be
enabled. This was discovered as part of the "Public TLS by default"
work.
[1] https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/role.role.j2.yaml#L565
Change-Id: I46ee2ef837da51be4db30a8c059b82cb1a8c3606

Instead, rely on local_interface parameter from undercloud.conf like it
was with instack-undercloud.
Depends-On: I94de786a4e2d6bfbc66e08f32ea65c217ea35268
Change-Id: Id46256b66aa43c38a6a6501d2f26dfb85009b1ef

Instead of using host_prep_tasks (which are part of deployment tasks),
we'll use the upgrade tasks that are now well known and tested in
previous releases, when we containerized the overcloud.
Depends-On: Id25e6280b4b4f060d5e3f78a50ff83aaca9e6b1a
Change-Id: Ic199c7d431e155e2d37996acd0d7b924d14af2b7

The multiple-nics template has a typo which prevents the
default route on br-ex from appearing in the NIC configs.
This change fixes that typo so the multiple-nics templates
work correctly.
Change-Id: Iecf3c0c70d538a1a904c12717af9c37f5d860758

- Enable heat convergence for containerized undercloud
- Set max_json_body_size=4194304 for containerized undercloud.
- Introduce HeatMaxNestedStackDepth parameter.
- Introduce HeatReauthenticationAuthMethod parameter and configure it to
  'trusts' for the undercloud.
Change-Id: I044bf29e7ae320a478e0ba0eb12870f47735d4f1

We need to make collectd container start in the same step as Gnocchi,
so that we avoid occasional connection problems with collectd deployed
without working Keystone and Gnocchi.
Change-Id: Ifce5d3a7395d9ddf99e2d9097f71a222e8c64487

When the evacuation of a nova-compute is in progress on a compute node,
starting the nova-compute service on that node would cause a race in
setting task_state [1] and could ultimately lead to failures with all
future evacuation attempts on the compute node.
To avoid triggering that situation, introduce a startup wrapper when
Instance HA is enabled. The wrapper loops until the force-down flag is
clear and all evacuations have finished, and then starts nova_compute.
[1] If71727cde51c29231dbb9a51c5babbcdfc802bdd
Partial-Bug: #1764883
Co-Authored-By: Andrew Beekhof <abeekhof@redhat.com>
Change-Id: Id1fc820b42fb72fc861fda82b04f6a3fa2b6b6f6

If gnocchi api is not enabled, the db sync cannot be run, as
it will fail due to an invalid config file.
Change-Id: If08b3ef4c87f501cf7fff690441351c74ebc4c98

This will allow webroot plugin for Let's Encrypt to actually work.
The container has no need to write in this location.
Change-Id: Ia76a0cc007abfdec6f25e1371eb696864f2925fd
Closes-Bug: 1768519

Instead of bind-mounting directly into the libvirt container,
follow the established approach for distributing certificates
in containers.
Change-Id: Icdec38004df28988aa3a62019cb092c59d915f0e
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>

Instead of serving images via slow and somewhat unreliable iSCSI protocol,
this deploy method makes IPA download them from the undercloud Swift.
Change-Id: Ic569358b781337ec6ba8ba802ada1f940917bd61
Implements: blueprint ironic-direct-deploy

Instead of bind-mounting in RW mode, follow the established
approach for distributing certificates in containers.
Related-Bug: #1759049
Partial-Bug: #1767998
Change-Id: I6bcb72b8b600b6b1d916b64c161bca22c802cf07
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>

This can be used to inject a custom JSON blob containing
os-net-config template data for the Undercloud installation.
The intent is to be able to use this alongside of the
net_config_override setting in tripleoclient when installing
the undercloud.
Change-Id: I322570ae958f8e483b8b2a0ad40d1ee83d084372

I934561612d26befd88a9053262836b47bdf4efb0 renamed the rabbit ssl
parameters that we use in the same environment generate but since the
script did not fail, it made it past CI. This change fixes the
RabbitClientUseSsl parameter in the environment to match the new
RpcUseSsl flag and updates the check script to fail if this happens
again.
Change-Id: I47c63875c6934bca2903883787467fc1804ba5da
Closes-Bug: #1768358

Ansible doesn't like it when tasks are empty dicts so let's make sure
we aren't passing an empty dict in to the ansible tasks. Unfortunately
since we're validating non-heat processed yaml, the list_concats end
up being dicts to the yaml validator so we can't just ensure they are
always lists.
Change-Id: I13dcc4f3d4ea2ac4c7ab62887dfea293246f6530
Related-Bug: #1768019