Each puppet module provides the sync_db parameter to run commands to
initialize database schema. This change ensures the feature is disabled
as we have independent tasks to run the same.
Change-Id: I8ccf4ddd40a0d1a9bff9c1ca001284eda25dc9b2
This changes the listen/bind address for the designate's miniDNS
instances from "all" to the internal API network. It also properly
configures the designate BIND backend to be on the external network.
(Both will default to ctlplane if it is absent)
Change-Id: I5e900354676a30ae8cf53d0a2f4db0201f05207d
Configure logging for the designate bind backend. Adds
DesignateBindQueryLogging to enable query logging.
Change-Id: I50ba4689b8113a22b7f134508d390f9dbbd2b254
We may want to be able to specify different containers at a role level.
This requires switching the container image parameters to be role
specific to allow for role based overrides.
Change-Id: I4090e889a32abd51e7c11139737a7a18e27d18e7
According to the parameter description, www_authenticate_uri should be
the complete public Identity endpoint, which is accessible by all end
users.
This change replaces internal endpoint by public endpoint to meet that
requirement.
Closes-Bug: #1955397
Change-Id: I30165c8ee5aa4b777b73ad89ac709e2c8a375382
When SRBAC is enforced (*1), keystone requires one of the following
conditions for the validate token API.
1) The user has the service role assigned
2) The user is a system reader
3) The user generated the token
When authtoken middleware validates tokens in requests, it uses service
users to call the validate_token API of Keystone. In this case
the condition 3 is never met (the token is generated by an external user
while it is validated by the service user used in API). In addition,
currently all credentials used for authtoken middleware are
project-scoped, not system-scoped, so condition 2 is never met (*2) if
SRBAC is enforced.
This change adds the project-scoped service role to all service
users so that all service users can use the validate_token API even
if SRBAC is enforced. An alternative approach would be to assign
the system-scoped reader role for these users and replace credentials
for authtoken middleware with system-scoped ones, but we are likely to
need additional considerations to establish proper design of
system-scoped role assignment.
(*1)
When scope evaluation is enforced (enforce_scope=True) and new rules
are enforced (enforce_new_defaults=True)
(*2)
There are a few exceptions like the nova user which already has
the project-scoped service role to use the service token feature.
Change-Id: I18acd8da7913e2136bfa67c858381ede6c1e3d24
Give the designate bind instance its own persistent storage path to
avoid collisions with non-tripleo-owned bind instances.
Change-Id: Id05b48c97d5d9f2cdeba5dfad67616bf97b7fcae
Openstack users are configured with openstacklib, which in turn
drives puppet-mysql to create several DB users for each db service:
<service>@'%' <service>@<ip> and <service>@<mysql_vip>.
We create several users because we use two different parameters
host and allowed_hosts in openstacklib, which only has the effect
of creating a list of users per openstack service.
However since we always create a user '%', this wildcard host
will always allow connection to the DB, so the other users are
currently not useful as they don't get any additional grants or
restrictions.
Simplify the entire mysql user creation to only generate one
user per service, with a wildcard host.
Change-Id: I928b03f06c702a13f4bd957eaa79153aa711cee4
Closes-Bug: #1943440
Closes-Bug: #1943330
Configure api_base_uri to DesignateEndpoint URI because default
127.0.0.1:9001 is returned instead of a valid endpoint URI. This
behavior breaks openstacksdk starting with 0.31.2 but wasn't seen
with previous versions.
Change-Id: Ie531ea68a3d8e98e40a58d9c5ee484eb134abb96
Adds a parameter for configuring the managed resource email address used
to configure the email address included in DNS zone SOAs.
Change-Id: Ic7a0f5d21f138b9e522e8729163e01bfb9ae69dc
Most of the services are either missing or using deprecated tags for
paste deploy configuration. Add those for us to be able to customize
paste deploy.
Also, removes the unnecessary tag from nova-compute.
Change-Id: I699b9283c7dbdb59923007488b4ac6c359d6eced
This patch adds support for conditionally setting a minimum allowed TTL value with designate.
Note: also cleans up a previous conditional to take advantage of a new
wallaby heat template syntax for if's that don't have an 'else'.
Change-Id: Id80e5b07ff3080835162c2a301a7a48be9787959
Many of the designate services perform background synchronization
tasks and can lag a bit on shutdown, especially on heavily loaded or
large scale systems. Increasing the stop grace periods reduces the
likelihood that the system might get into a non-consistent state or a
state where a great deal of reconciling needs to occur on restart.
Change-Id: If521662eb4c47ada45cf0a9edd0a58db8a1d038d
... so that Designate API can detect the actual endpoint and client
ip.
Depends-on: https://review.opendev.org/800740
Change-Id: Ice5d00a8fab57a8533df287fc0ab98c84eb2cc2d
Sometimes we need to tune the rpc_response_timeout parameter to avoid
frequent errors caused by timeout, and it's useful to provide a native
interface to tune the timeout values.
Change-Id: I4e5c122540ff66a2782e557eb246adffcac16c99
The Rabbit* parameters in designate templates were deprecated when
the Rabbit* parameters were deprecated[1] in all template files, but
these parameters were not removed by the clean up commit later.
This change removes these leftovers because these parameters have
been ineffective for a while.
[1] 405366fa32583e88c34417e5f46fa574ed8f4e98
Change-Id: If071cb8b99698f511d692263f196e1a9f9c78b1e
A lot of work has been done on designate in the wallaby cycle and its
basic functionality deploys normally. There is an active team working on
the component and the deployment support.
Change-Id: I5cda7df93cc56dd9691a9d5857de455d0f539897
Designate is a great service but unfortunately, we don't have
full time maintainers; therefore we can't certify the service will be
tested and work correctly.
In this patch, we create an experimental folder and put Designate in it.
Change-Id: I8a587ebdca2c7e64ab8348155cf75c2dbb65a5ed
This change combines the previous puppet and docker files into a single
file that performs the docker service installation and configuration
for the designate Producer, Worker, and Mdns services.
Change-Id: Ibbd14996eb6fc9b2e45dd9f24d3b7156c42da990
Related-Blueprint: services-yaml-flattening
This change combines the previous puppet and docker files into a single
file that performs the docker service installation and configuration
for the designate API, Central, and Sink services.
Related-Blueprint: services-yaml-flattening
Change-Id: I1c18780b252ce118836462b0857040fe1a3e8789