When containerizing mistral-executor, we need to mount /var/lib/mistral so
our operators can get the config-download logs when the undercloud is
containerized and config-download is used to deploy the overcloud.
To help our operators, we also create /var/lib/mistral/readme.txt so
they know where to find the config-download data.
Change-Id: I8d31d5fec2721c6e4f82b1ad2169a7635cb57600
Closes-Bug: #1749823
YAQL introduced a backward incompatible change in one of its minor
versions:
3fb9178401 (diff-f36776b660e5fe4f88e3295e5b751396R215)
It changes the expected behavior of groupBy() aggregator, so we need to
update our queries otherwise it fails with a "list index out of range"
error.
Change-Id: I2ca2ebb2c8d22aeedbcb6920072db5b6dba3311b
Closes-Bug: #1750032
Co-Authored-By: Alex Schultz <aschultz@redhat.com>
See context here: Ia5cc7b34ebee8cf2f49300ce23050370d5f1038a
This user will be useful for containerized undercloud, to maintain
parity with what was done in instack-undercloud.
Depends-On: Ia5cc7b34ebee8cf2f49300ce23050370d5f1038a
Depends-On: Ifd1bec1262dfbd213810bb2b4d561f47bf010e69
Change-Id: I48ab4a0ba0240e931391602943b471b5b6ec8e80
When deploying a containerized undercloud, we need the same
configuration as we used to have in instack-undercloud.
For max_messages_post_size, we used to have 1048576 due to the high size
of the messages with config-download.
Let's sync the config here, so we can deploy an overcloud with
config-download when a containerized undercloud is used.
Change-Id: Ib43c811d9ea4e71558c15c78cfb9999f738b8098
Wires in the use of ../network/ports/external_from_pool.yaml
so that we can control the named 'public_virtual_ip' created in
overcloud.yaml when using Undercloud SSL.
By default this has previously gone to the ctlplane IP for the
Undercloud itself. When SSL is enabled we want it set to a different
VIP managed by Haproxy/keepalived. If SSL is disabled
python-tripleoclient just sets it to the ctlplane so the previous
behavior is preserved.
Change-Id: Id8127efc658f4bae3176d7394a32face6030303c
The default control plane subnet name is "ctlplane-subnet", so let's
create the right subnet for the containerized undercloud.
Note: the subnet can't be overridden (yet) but for now we rely on the
default.
Change-Id: I15954bced81ef6c3e1a1f4a73bc989f33d08d6f7
Relocate the list of docker volumes used by the CinderVolume and
CinderBackup services so that a common list can be used in both HA and
non-HA deployments. For HA, the list is passed to puppet-tripleo via
hiera data.
Closes-Bug: #1748290
Depends-On: I4ba0d78ad17183b97290b853a6c103e55bc8977c
Change-Id: I41d6ff1dc60a799cec18fbeb64c8b63961953388
We want to configure a TLS url for the undercloud's stackrc
when a user specified or generated TLS certificate is used.
This patch updates the existing check so that
the PublicSSLCertificateAutogenerated parameter is also used
when deciding if the SSL URL should be enabled.
Change-Id: I7561b5de7749ca57f8ac8056b470228e1026eb31
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Co-Authored-By: Dan Prince <dprince@redhat.com>
Co-Authored-By: Ian Main <imain@redhat.com>
Change-Id: Icca382db28e4ea57f3cbf24e9e794b428b824db5
Some work is being done in I46fce28926cb5a881f7384948480266712ae75e3
to secure SNMP on a specific network but until then we need to stop
opening the services so cloud providers won't report any security issue
for TripleO jobs.
Change-Id: Icd8a6ddda6152186d6be4a227f6449232fecba5e
Related-Bug: #1749324
Currently when deploying with TLS for internal API traffic, Neutron is
not configured to securely communicate with OVSDB. In regular OVS agent
deployments OVS listens on ptcp and accepts any incoming connection. In
ODL deployments OVS is configured to only listen for pssl connections.
To allow Neutron agents to communicate with OVSDB in pssl, Neutron needs
to be configured with SSL key/certificate in order to connect to OVS.
This patch adds key/certificate generation for NeutronBase service to be
consumed by any agent. The only agent required with ODL is DHCP, so
this patch only addresses configuring SSL there. However, a future
patch could enable SSL for default ML2/OVS agent deployments as well by
building off of this change.
Note, by default OVSDB listens on port 6640. This does not work in ODL
deployments when ODL is on the control node because ODL also listens
on port 6640. Therefore from the ODL service, the ovsdb_connection
setting for DHCP agent is modified when ODL is deployed.
Depends-On: I82281eefa1aa81207ccd8ea565cffc6ca0ec48de
Depends-On: I4bbaf00f0776cab0be34d814a541fb2fd1e64326
Closes-Bug: 1746762
Change-Id: I97352027d7f750d0820610fb9e06f82b47e77056
Signed-off-by: Tim Rozet <trozet@redhat.com>
This change allows FASTFORWARDUPGRADE to be fed to puppet-tripleo
allowing manifests to act accordingly when applied during FFU.
Change-Id: I8792937c2524c31becfb8a9f28047b73617c0fc3
This change converts the existing NIC templates to jinja2 in
order to dynamically render the ports and networks according
to the network_data.yaml. If networks are added to the
network_data.yaml file, parameters will be added to all
NIC templates. The YAML files (as output from jinja with
the default network_data.yaml) are present as an example.
The roles in roles_data.yaml are used to produce NIC configs
for the standard and custom composable roles. In order to
keep the ordering of NICs the same in the multiple-nics
templates, the order of networks was changed in the
network_data.yaml file. This is reflected in the network
templates, and in some of the files that is the only
change.
The roles and roles_data.yaml were modified to include
a legacy name for the NIC config templates for the
built-in roles Controller, Compute, Object Storage,
Block Storage, Ceph Storage, Compute-DPDK, and
Networker roles. There will now be a file produced
with the legacy name, but also one produced with the
<role>-role.j2.yaml format (along with environment
files to help use the new filenames).
Note this change also fixes some typos as well as
a number of templates that had VLANs with device:
entries which were ignored.
Closes-Bug: 1737041
Depends-On: I49c0245c36de3103671080fd1c8cfb3432856f35
Change-Id: I3bdb7d00dab5a023dd8b9c94c0f89f84357ae7a4
This patch enables health checks execution for all Barbican docker containers.
Change-Id: I2e542fa0adb52447abb251910f3ff1095289c726
Depends-On: Ic0573f6dfe550dd7f5d6bc579b3b44a60d4bf1fc
This makes it clearer that the previous task failed, which isn't
immediately evident from the ansible task output due to the failed_when
on those tasks.
Change-Id: I765208d5865f6e5a292e5b52c572e2e79540c663
Closes-Bug: #1748443
When copying templates or files with the
process-templates.py's shutil, ignore cases when
the source and the destination are the same file.
This allows the following scenario:
- Symlink t-h-t from the installed package to a work dir
- Process j2 templates with overwrite in the work dir
Required-by: https://review.openstack.org/#/c/542875
Change-Id: I9a9c32f05fde325709998f4fe8bc7fef6c25b5c5
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>