e7f5bfb7ae
This feature adds the ability to run Keystone in each Subcloud and implements a Distributed Service Catalog such that the Central Region Keystone ONLY contains the Identity endpoint for each subcloud. The DC Manager and DC Orchestration framework then does a 2 stage lookup to first procure a token from the subcloud and then use that for further communication with that subcloud. This delivery adds the following: - New DC Orch Identity Proxy SM service - Keystone manifest changes to run init_keystone in Subcloud to spawn a local Keystone instance - Modify System Controller Identity endpoints 5000 to 25000, i.e binding to DC-Orch-API-Proxy - DC Manager and DC Orch Changes to do a 2-stage lookup on subclouds (Distributed Service Catalog) - Cherry pick Endpoint Filter Group patches into Openstack client - Add Resource Sync for Keystone Users, Projects and Roles and reporting to DC Manager - Add Auditing for Keystone Users, Projects and Roles on Central Region and Subclouds - Lab Setup changes to configure Tenant users and projects against the Keystone DC Proxy (port 25000) so that these may be synced to subclouds. Story: 2002842 Task: 22785 Change-Id: I2db7610532d1835246b29bedf2cb719669f11935 Signed-off-by: Andy Ning <andy.ning@windriver.com> Signed-off-by: Jack Ding <jack.ding@windriver.com>
157 lines
4.8 KiB
Puppet
157 lines
4.8 KiB
Puppet
class platform::dcorch::params (
|
|
$api_port = 8118,
|
|
$region_name = undef,
|
|
$domain_name = undef,
|
|
$domain_admin = undef,
|
|
$domain_pwd = undef,
|
|
$service_name = 'dcorch',
|
|
$default_endpoint_type = "internalURL",
|
|
$service_create = false,
|
|
$neutron_api_proxy_port = 29696,
|
|
$nova_api_proxy_port = 28774,
|
|
$sysinv_api_proxy_port = 26385,
|
|
$cinder_api_proxy_port = 28776,
|
|
$cinder_enable_ports = false,
|
|
$patch_api_proxy_port = 25491,
|
|
$identity_api_proxy_port = 25000,
|
|
) {
|
|
include ::platform::params
|
|
|
|
include ::platform::network::mgmt::params
|
|
$api_host = $::platform::network::mgmt::params::controller_address
|
|
}
|
|
|
|
|
|
class platform::dcorch
|
|
inherits ::platform::dcorch::params {
|
|
if $::platform::params::distributed_cloud_role =='systemcontroller' {
|
|
include ::platform::params
|
|
include ::platform::amqp::params
|
|
|
|
if $::platform::params::init_database {
|
|
include ::dcorch::db::postgresql
|
|
}
|
|
|
|
class { '::dcorch':
|
|
rabbit_host => $::platform::amqp::params::host_url,
|
|
rabbit_port => $::platform::amqp::params::port,
|
|
rabbit_userid => $::platform::amqp::params::auth_user,
|
|
rabbit_password => $::platform::amqp::params::auth_password,
|
|
proxy_bind_host => $api_host,
|
|
proxy_remote_host => $api_host,
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
class platform::dcorch::firewall
|
|
inherits ::platform::dcorch::params {
|
|
if $::platform::params::distributed_cloud_role =='systemcontroller' {
|
|
include ::openstack::cinder::params
|
|
platform::firewall::rule { 'dcorch-api':
|
|
service_name => 'dcorch',
|
|
ports => $api_port,
|
|
}
|
|
platform::firewall::rule { 'dcorch-sysinv-api-proxy':
|
|
service_name => 'dcorch-sysinv-api-proxy',
|
|
ports => $sysinv_api_proxy_port,
|
|
}
|
|
platform::firewall::rule { 'dcorch-nova-api-proxy':
|
|
service_name => 'dcorch-nova-api-proxy',
|
|
ports => $nova_api_proxy_port,
|
|
}
|
|
platform::firewall::rule { 'dcorch-neutron-api-proxy':
|
|
service_name => 'dcorch-neutron-api-proxy',
|
|
ports => $neutron_api_proxy_port,
|
|
}
|
|
if $::openstack::cinder::params::service_enabled {
|
|
platform::firewall::rule { 'dcorch-cinder-api-proxy':
|
|
service_name => 'dcorch-cinder-api-proxy',
|
|
ports => $cinder_api_proxy_port,
|
|
}
|
|
}
|
|
platform::firewall::rule { 'dcorch-patch-api-proxy':
|
|
service_name => 'dcorch-patch-api-proxy',
|
|
ports => $patch_api_proxy_port,
|
|
}
|
|
platform::firewall::rule { 'dcorch-identity-api-proxy':
|
|
service_name => 'dcorch-identity-api-proxy',
|
|
ports => $identity_api_proxy_port,
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
class platform::dcorch::haproxy
|
|
inherits ::platform::dcorch::params {
|
|
if $::platform::params::distributed_cloud_role =='systemcontroller' {
|
|
include ::openstack::cinder::params
|
|
platform::haproxy::proxy { 'dcorch-neutron-api-proxy':
|
|
server_name => 's-dcorch-neutron-api-proxy',
|
|
public_port => $neutron_api_proxy_port,
|
|
private_port => $neutron_api_proxy_port,
|
|
}
|
|
platform::haproxy::proxy { 'dcorch-nova-api-proxy':
|
|
server_name => 's-dcorch-nova-api-proxy',
|
|
public_port => $nova_api_proxy_port,
|
|
private_port => $nova_api_proxy_port,
|
|
}
|
|
platform::haproxy::proxy { 'dcorch-sysinv-api-proxy':
|
|
server_name => 's-dcorch-sysinv-api-proxy',
|
|
public_port => $sysinv_api_proxy_port,
|
|
private_port => $sysinv_api_proxy_port,
|
|
}
|
|
if $::openstack::cinder::params::service_enabled {
|
|
platform::haproxy::proxy { 'dcorch-cinder-api-proxy':
|
|
server_name => 's-cinder-dc-api-proxy',
|
|
public_port => $cinder_api_proxy_port,
|
|
private_port => $cinder_api_proxy_port,
|
|
}
|
|
}
|
|
platform::haproxy::proxy { 'dcorch-patch-api-proxy':
|
|
server_name => 's-dcorch-patch-api-proxy',
|
|
public_port => $patch_api_proxy_port,
|
|
private_port => $patch_api_proxy_port,
|
|
}
|
|
platform::haproxy::proxy { 'dcorch-identity-api-proxy':
|
|
server_name => 's-dcorch-identity-api-proxy',
|
|
public_port => $identity_api_proxy_port,
|
|
private_port => $identity_api_proxy_port,
|
|
}
|
|
}
|
|
}
|
|
|
|
class platform::dcorch::engine
|
|
inherits ::platform::dcorch::params {
|
|
if $::platform::params::distributed_cloud_role =='systemcontroller' {
|
|
include ::dcorch::engine
|
|
}
|
|
}
|
|
|
|
class platform::dcorch::snmp
|
|
inherits ::platform::dcorch::params {
|
|
if $::platform::params::distributed_cloud_role =='systemcontroller' {
|
|
class { '::dcorch::snmp':
|
|
bind_host => $api_host,
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
class platform::dcorch::api_proxy
|
|
inherits ::platform::dcorch::params {
|
|
if $::platform::params::distributed_cloud_role =='systemcontroller' {
|
|
if ($::platform::dcorch::params::service_create and
|
|
$::platform::params::init_keystone) {
|
|
include ::dcorch::keystone::auth
|
|
}
|
|
|
|
class { '::dcorch::api_proxy':
|
|
bind_host => $api_host,
|
|
}
|
|
|
|
include ::platform::dcorch::firewall
|
|
include ::platform::dcorch::haproxy
|
|
}
|
|
}
|