Fuel 9.0 related changes to support custom auth
- removed the hard-coded neutron user and tenant
- added SSL support for keystone connections
- updated ceilometer routines to support non-HA mode

Change-Id: Ia09ae38fe4ceac77c94ff5485da9782a2d4ff785
parent
74d7fee295
commit
c6fbd6f027
|
@ -28,12 +28,7 @@ class contrail::compute::nova {
|
|||
}
|
||||
|
||||
nova_config {
|
||||
'DEFAULT/neutron_url': value => "http://${contrail::mos_mgmt_vip}:9696";
|
||||
'DEFAULT/neutron_admin_auth_url': value => "http://${contrail::mos_mgmt_vip}:35357/v2.0/";
|
||||
'DEFAULT/network_api_class': value => 'nova.network.neutronv2.api.API';
|
||||
'DEFAULT/neutron_admin_tenant_name': value => 'services';
|
||||
'DEFAULT/neutron_admin_username': value => 'neutron';
|
||||
'DEFAULT/neutron_admin_password': value => $contrail::service_token;
|
||||
'DEFAULT/neutron_url_timeout': value => '300';
|
||||
'DEFAULT/firewall_driver': value => 'nova.virt.firewall.NoopFirewallDriver';
|
||||
'DEFAULT/security_group_api': value => 'neutron';
|
||||
|
|
|
@ -36,9 +36,7 @@ class contrail::controller {
|
|||
# Nova configuration
|
||||
nova_config {
|
||||
'DEFAULT/network_api_class': value=> 'nova.network.neutronv2.api.API';
|
||||
'DEFAULT/neutron_url': value => "http://${contrail::mos_mgmt_vip}:9696";
|
||||
'DEFAULT/neutron_url_timeout': value=> '300';
|
||||
'DEFAULT/neutron_admin_auth_url': value=> "http://${contrail::mos_mgmt_vip}:35357/v2.0";
|
||||
'DEFAULT/firewall_driver': value=> 'nova.virt.firewall.NoopFirewallDriver';
|
||||
'DEFAULT/enabled_apis': value=> 'ec2,osapi_compute,metadata';
|
||||
'DEFAULT/security_group_api': value=> 'neutron';
|
||||
|
@ -56,9 +54,6 @@ class contrail::controller {
|
|||
'DEFAULT/service_plugins': value => 'neutron_plugin_contrail.plugins.opencontrail.loadbalancer.plugin.LoadBalancerPlugin';
|
||||
'DEFAULT/allow_overlapping_ips': value => 'True';
|
||||
'service_providers/service_provider': value => 'LOADBALANCER:Opencontrail:neutron_plugin_contrail.plugins.opencontrail.loadbalancer.driver.OpencontrailLoadbalancerDriver:default';
|
||||
'keystone_authtoken/auth_host': value => $contrail::mos_mgmt_vip;
|
||||
'keystone_authtoken/auth_port': value => '35357';
|
||||
'keystone_authtoken/auth_protocol': value => 'http';
|
||||
'QUOTAS/quota_network': value => '-1';
|
||||
'QUOTAS/quota_subnet': value => '-1';
|
||||
'QUOTAS/quota_port': value => '-1';
|
||||
|
@ -78,9 +73,9 @@ class contrail::controller {
|
|||
heat_config {
|
||||
'DEFAULT/plugin_dirs': value => '/usr/lib/heat,/usr/lib/python2.7/dist-packages/contrail_heat';
|
||||
'clients_contrail/contrail-user': value=> 'neutron';
|
||||
'clients_contrail/user': value=> 'neutron';
|
||||
'clients_contrail/user': value=> $contrail::neutron_user;
|
||||
'clients_contrail/password': value=> $contrail::service_token;
|
||||
'clients_contrail/tenant': value=> 'services';
|
||||
'clients_contrail/tenant': value=> $contrail::service_tenant;
|
||||
'clients_contrail/api_server': value=> $contrail::contrail_mgmt_vip;
|
||||
'clients_contrail/auth_host_ip': value=> $contrail::mos_mgmt_vip;
|
||||
'clients_contrail/api_base_url': value=> '/';
|
||||
|
@ -103,14 +98,24 @@ class contrail::controller {
|
|||
file {'/etc/ceilometer/pipeline.yaml':
|
||||
ensure => file,
|
||||
content => template('contrail/pipeline.yaml.erb'),
|
||||
} ~>
|
||||
service {'ceilometer-agent-central':
|
||||
ensure => running,
|
||||
name => 'p_ceilometer-agent-central',
|
||||
enable => true,
|
||||
hasstatus => true,
|
||||
hasrestart => true,
|
||||
provider => 'pacemaker',
|
||||
}
|
||||
if $contrail::ceilometer_ha_mode {
|
||||
service {'ceilometer-agent-central':
|
||||
ensure => running,
|
||||
name => 'p_ceilometer-agent-central',
|
||||
enable => true,
|
||||
hasstatus => true,
|
||||
hasrestart => true,
|
||||
provider => 'pacemaker',
|
||||
subscribe => File['/etc/ceilometer/pipeline.yaml'],
|
||||
}
|
||||
}
|
||||
else {
|
||||
service {['ceilometer-api','ceilometer-polling']:
|
||||
ensure => running,
|
||||
enable => true,
|
||||
subscribe => File['/etc/ceilometer/pipeline.yaml'],
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -30,23 +30,52 @@ class contrail {
|
|||
$node_name = hiera('user_node_name')
|
||||
$nodes = hiera('nodes')
|
||||
|
||||
# Network configuration
|
||||
prepare_network_config($network_scheme)
|
||||
$interface = get_network_role_property('neutron/mesh', 'interface')
|
||||
$gateway = $network_scheme['endpoints'][$interface]['gateway']
|
||||
$address = get_network_role_property('neutron/mesh', 'ipaddr')
|
||||
$cidr = get_network_role_property('neutron/mesh', 'cidr')
|
||||
$netmask = get_network_role_property('neutron/mesh', 'netmask')
|
||||
$netmask_short = netmask_to_cidr($netmask)
|
||||
$phys_dev = get_private_ifname($interface)
|
||||
$phys_dev_pci = get_dev_pci_addr($phys_dev)
|
||||
$vrouter_core_mask = pick($settings['vrouter_core_mask'], '0x3')
|
||||
|
||||
# VIPs
|
||||
$mos_mgmt_vip = $network_metadata['vips']['management']['ipaddr']
|
||||
$mos_public_vip = $network_metadata['vips']['public']['ipaddr']
|
||||
|
||||
$contrail_private_vip = $network_metadata['vips']['contrail_priv']['ipaddr']
|
||||
$contrail_mgmt_vip = $contrail_private_vip
|
||||
|
||||
# Public SSL for Contrail WebUI
|
||||
$public_ssl_hash = hiera_hash('public_ssl', {})
|
||||
$ssl_hash = hiera_hash('use_ssl', {})
|
||||
$public_ssl = get_ssl_property($ssl_hash, $public_ssl_hash, 'horizon', 'public', 'usage', false)
|
||||
$public_ssl_path = get_ssl_property($ssl_hash, $public_ssl_hash, 'horizon', 'public', 'path', [''])
|
||||
|
||||
# Internal SSL for keystone connections
|
||||
$keystone_ssl = get_ssl_property($ssl_hash, {}, 'keystone', 'admin', 'usage', false)
|
||||
$keystone_protocol = get_ssl_property($ssl_hash, {}, 'keystone', 'admin', 'protocol', 'http')
|
||||
$keystone_address = get_ssl_property($ssl_hash, {}, 'keystone', 'admin', 'hostname', [$mos_mgmt_vip])
|
||||
$auth_url = "${keystone_protocol}://${keystone_address}:35357/v2.0"
|
||||
|
||||
$neutron_config = hiera_hash('neutron_config', {})
|
||||
$floating_net = try_get_value($neutron_config, 'default_floating_net', 'net04_ext')
|
||||
$private_net = try_get_value($neutron_config, 'default_private_net', 'net04')
|
||||
$default_router = try_get_value($neutron_config, 'default_router', 'router04')
|
||||
$nets = $neutron_config['predefined_networks']
|
||||
$neutron_user = pick($neutron_config['keystone']['admin_user'], 'neutron')
|
||||
$service_token = $neutron_config['keystone']['admin_password']
|
||||
$service_tenant = pick($neutron_config['keystone']['admin_tenant'], 'services')
|
||||
|
||||
$default_ceilometer_hash = { 'enabled' => false }
|
||||
$ceilometer_hash = hiera_hash('ceilometer', $default_ceilometer_hash)
|
||||
$ceilometer_ha_mode = pick($ceilometer_hash['ha_mode'], true)
|
||||
|
||||
$keystone = hiera_hash('keystone', {})
|
||||
$admin_token = $keystone['admin_token']
|
||||
$service_token = $neutron_config['keystone']['admin_password']
|
||||
$metadata_secret = $neutron_config['metadata']['metadata_proxy_shared_secret']
|
||||
|
||||
$admin_settings = hiera_hash('access', {})
|
||||
|
@ -79,19 +108,7 @@ class contrail {
|
|||
$service_ensure = hiera('upgrade',false) ? {
|
||||
true => 'stopped',
|
||||
default => 'running',
|
||||
}
|
||||
|
||||
# Network configuration
|
||||
prepare_network_config($network_scheme)
|
||||
$interface = get_network_role_property('neutron/mesh', 'interface')
|
||||
$gateway = $network_scheme['endpoints'][$interface]['gateway']
|
||||
$address = get_network_role_property('neutron/mesh', 'ipaddr')
|
||||
$cidr = get_network_role_property('neutron/mesh', 'cidr')
|
||||
$netmask = get_network_role_property('neutron/mesh', 'netmask')
|
||||
$netmask_short = netmask_to_cidr($netmask)
|
||||
$phys_dev = get_private_ifname($interface)
|
||||
$phys_dev_pci = get_dev_pci_addr($phys_dev)
|
||||
$vrouter_core_mask = pick($settings['vrouter_core_mask'], '0x3')
|
||||
}
|
||||
|
||||
# DPDK settings
|
||||
$global_dpdk_enabled = $settings['contrail_global_dpdk']
|
||||
|
@ -107,12 +124,6 @@ class contrail {
|
|||
$libvirt_name = 'libvirtd'
|
||||
}
|
||||
|
||||
$mos_mgmt_vip = $network_metadata['vips']['management']['ipaddr']
|
||||
$mos_public_vip = $network_metadata['vips']['public']['ipaddr']
|
||||
|
||||
$contrail_private_vip = $network_metadata['vips']['contrail_priv']['ipaddr']
|
||||
$contrail_mgmt_vip = $contrail_private_vip
|
||||
|
||||
# Settings for RabbitMQ on contrail controllers
|
||||
$rabbit = hiera_hash('rabbit')
|
||||
$rabbit_password = $rabbit['password']
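Review bot: In the first hunk of `class contrail`, `$neutron_user` and `$service_tenant` index `$neutron_config['keystone']` directly, although `$neutron_config` comes from `hiera_hash('neutron_config', {})` and the lines just above read the same hash through `try_get_value`. The `pick()` default only helps once the nested lookup itself has succeeded; how an absent `keystone` key behaves depends on the parser in use, so the fallback to `neutron` / `services` is not guaranteed. Reading both values the same way as their neighbours keeps the defaults reliable: `$neutron_user = try_get_value($neutron_config, 'keystone/admin_user', 'neutron')` and `$service_tenant = try_get_value($neutron_config, 'keystone/admin_tenant', 'services')`. The class body starts and ends outside these hunks.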
|
||||
|
|
|
@ -31,7 +31,8 @@ class contrail::provision::compute {
|
|||
command => "contrail-provision-vrouter \
|
||||
--api_server_ip ${contrail::contrail_mgmt_vip} --api_server_port 8082 --openstack_ip ${contrail::mos_mgmt_vip} \
|
||||
--oper add --host_name ${::fqdn} --host_ip ${contrail::address} \
|
||||
--admin_user neutron --admin_tenant_name services --admin_password '${contrail::service_token}' --dpdk_enabled \
|
||||
--admin_user '${contrail::neutron_user}' --admin_tenant_name '${contrail::service_tenant}' --admin_password '${contrail::service_token}' \
|
||||
--dpdk_enabled \
|
||||
&& touch /opt/contrail/provision-vrouter-DONE",
|
||||
creates => '/opt/contrail/provision-vrouter-DONE',
|
||||
require => File['/opt/contrail'],
|
||||
|
@ -42,7 +43,7 @@ class contrail::provision::compute {
|
|||
command => "contrail-provision-vrouter \
|
||||
--api_server_ip ${contrail::contrail_mgmt_vip} --api_server_port 8082 --openstack_ip ${contrail::mos_mgmt_vip} \
|
||||
--oper add --host_name ${::fqdn} --host_ip ${contrail::address} \
|
||||
--admin_user neutron --admin_tenant_name services --admin_password '${contrail::service_token}' \
|
||||
--admin_user '${contrail::neutron_user}' --admin_tenant_name '${contrail::service_tenant}' --admin_password '${contrail::service_token}' \
|
||||
&& touch /opt/contrail/provision-vrouter-DONE",
|
||||
creates => '/opt/contrail/provision-vrouter-DONE',
|
||||
require => File['/opt/contrail'],
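Review bot: The rewritten `--admin_user '${contrail::neutron_user}' --admin_tenant_name '${contrail::service_tenant}'` arguments in both `contrail-provision-vrouter` commands wrap hiera-supplied values in single quotes, which does not protect the shell command when a value itself contains a single quote. User and tenant were constants before this change and are now operator data, so they should be constrained where they are defined, for example `validate_re($neutron_user, '^[A-Za-z0-9_.-]+$')` in `class contrail`, and the password should be escaped rather than only quoted (stdlib's `shell_escape()`, if the bundled stdlib provides it). The password also remains a command-line argument, so it is readable in the process list while the exec runs. The same argument line is repeated in the `provision_config_node.py`, `provision_analytics_node.py`, metadata-service, `provision_mx.py`, `provision_control.py`, `prov_route_target` and `provision_database_node.py` commands further down. Each exec resource starts outside its hunk.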
|
||||
|
|
|
@ -32,7 +32,7 @@ then exit 1; fi",
|
|||
command => "python /opt/contrail/utils/provision_config_node.py \
|
||||
--api_server_ip ${contrail::contrail_mgmt_vip} --api_server_port 8082 \
|
||||
--oper add --host_name ${::fqdn} --host_ip ${contrail::address} \
|
||||
--admin_user neutron --admin_tenant_name services --admin_password ${contrail::service_token} \
|
||||
--admin_user '${contrail::neutron_user}' --admin_tenant_name '${contrail::service_tenant}' --admin_password '${contrail::service_token}' \
|
||||
&& touch /opt/contrail/prov_config_node-DONE",
|
||||
creates => '/opt/contrail/prov_config_node-DONE',
|
||||
} ->
|
||||
|
@ -41,7 +41,7 @@ then exit 1; fi",
|
|||
command => "python /opt/contrail/utils/provision_analytics_node.py \
|
||||
--api_server_ip ${contrail::contrail_mgmt_vip} --api_server_port 8082 \
|
||||
--oper add --host_name ${::fqdn} --host_ip ${contrail::address} \
|
||||
--admin_user neutron --admin_tenant_name services --admin_password ${contrail::service_token} \
|
||||
--admin_user '${contrail::neutron_user}' --admin_tenant_name '${contrail::service_tenant}' --admin_password '${contrail::service_token}' \
|
||||
&& touch /opt/contrail/prov_analytics_node-DONE",
|
||||
creates => '/opt/contrail/prov_analytics_node-DONE',
|
||||
}
|
||||
|
@ -53,7 +53,7 @@ then exit 1; fi",
|
|||
--oper add \
|
||||
--linklocal_service_name metadata --linklocal_service_ip 169.254.169.254 --linklocal_service_port 80 \
|
||||
--ipfabric_service_ip ${contrail::mos_mgmt_vip} --ipfabric_service_port 8775 \
|
||||
--admin_user neutron --admin_tenant_name services --admin_password '${contrail::service_token}' \
|
||||
--admin_user '${contrail::neutron_user}' --admin_tenant_name '${contrail::service_tenant}' --admin_password '${contrail::service_token}' \
|
||||
&& touch /opt/contrail/prov_metadata_service-DONE",
|
||||
require => Exec['wait_for_api'],
|
||||
creates => '/opt/contrail/prov_metadata_service-DONE',
|
||||
|
|
|
@ -24,7 +24,7 @@ class contrail::provision::control {
|
|||
command => "python /opt/contrail/utils/provision_mx.py \
|
||||
--api_server_ip ${contrail::contrail_mgmt_vip} --api_server_port 8082 \
|
||||
--oper add --router_name ${name} --router_ip ${name} \
|
||||
--admin_user neutron --admin_tenant_name services --admin_password '${contrail::service_token}' \
|
||||
--admin_user '${contrail::neutron_user}' --admin_tenant_name '${contrail::service_tenant}' --admin_password '${contrail::service_token}' \
|
||||
&& touch /opt/contrail/prov_external_bgp_${name}-DONE",
|
||||
creates => "/opt/contrail/prov_external_bgp_${name}-DONE",
|
||||
}
|
||||
|
@ -43,7 +43,7 @@ then exit 1; fi",
|
|||
command => "python /opt/contrail/utils/provision_control.py \
|
||||
--api_server_ip ${contrail::contrail_mgmt_vip} --api_server_port 8082 \
|
||||
--oper add --host_name ${::fqdn} --host_ip ${contrail::address} --router_asn ${contrail::asnum} \
|
||||
--admin_user neutron --admin_tenant_name services --admin_password ${contrail::service_token} \
|
||||
--admin_user '${contrail::neutron_user}' --admin_tenant_name '${contrail::service_tenant}' --admin_password '${contrail::service_token}' \
|
||||
&& touch /opt/contrail/prov_control_bgp-DONE",
|
||||
creates => '/opt/contrail/prov_control_bgp-DONE',
|
||||
}
|
||||
|
@ -55,4 +55,3 @@ then exit 1; fi",
|
|||
}
|
||||
|
||||
}
|
||||
|
||||
|
|
|
@ -41,7 +41,7 @@ exec { 'prov_route_target':
|
|||
--routing_instance_name default-domain:${contrail::admin_tenant}:${contrail::floating_net}:${contrail::floating_net} \
|
||||
--route_target_number ${contrail::route_target} --router_asn ${contrail::asnum} \
|
||||
--api_server_ip ${contrail::contrail_mgmt_vip} --api_server_port 8082 \
|
||||
--admin_user neutron --admin_tenant_name services --admin_password '${contrail::service_token}' \
|
||||
--admin_user '${contrail::neutron_user}' --admin_tenant_name '${contrail::service_tenant}' --admin_password '${contrail::service_token}' \
|
||||
&& touch /etc/contrail/prov_route_target-DONE",
|
||||
creates => '/etc/contrail/prov_route_target-DONE',
|
||||
require => Contrail::Create_Network[$contrail::floating_net],
|
||||
|
|
|
@ -37,7 +37,7 @@ then exit 1; fi",
|
|||
command => "python /opt/contrail/utils/provision_database_node.py \
|
||||
--api_server_ip ${contrail::contrail_mgmt_vip} --api_server_port 8082 \
|
||||
--oper add --host_name ${::fqdn} --host_ip ${contrail::address} \
|
||||
--admin_user neutron --admin_tenant_name services --admin_password ${contrail::service_token} \
|
||||
--admin_user '${contrail::neutron_user}' --admin_tenant_name '${contrail::service_tenant}' --admin_password '${contrail::service_token}' \
|
||||
&& touch /opt/contrail/prov_database_node-DONE",
|
||||
creates => '/opt/contrail/prov_database_node-DONE',
|
||||
}
|
||||
|
|
|
@ -9,8 +9,8 @@ analytics_api_ip = <%= scope.lookupvar('contrail::contrail_mgmt_vip') %>
|
|||
analytics_api_port = 8081
|
||||
|
||||
[KEYSTONE]
|
||||
auth_url = http://<%= scope.lookupvar('contrail::mos_mgmt_vip') %>:35357/v2.0
|
||||
auth_url = <%= scope.lookupvar('contrail::auth_url') %>
|
||||
admin_token = <%= scope.lookupvar('contrail::admin_token') %>
|
||||
admin_user=neutron
|
||||
admin_user=<%= scope.lookupvar('contrail::neutron_user') %>
|
||||
admin_password=<%= scope.lookupvar('contrail::service_token') %>
|
||||
admin_tenant_name=services
|
||||
admin_tenant_name=<%= scope.lookupvar('contrail::service_tenant') %>
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
[KEYSTONE]
|
||||
auth_host=<%= scope.lookupvar('contrail::mos_mgmt_vip') %>
|
||||
auth_protocol=http
|
||||
auth_protocol=<%= scope.lookupvar('contrail::keystone_protocol') %>
|
||||
auth_port=35357
|
||||
auth_url=http://<%= scope.lookupvar('contrail::mos_mgmt_vip') %>:35357/v2.0
|
||||
admin_user=neutron
|
||||
auth_url=<%= scope.lookupvar('contrail::auth_url') %>
|
||||
admin_user=<%= scope.lookupvar('contrail::neutron_user') %>
|
||||
admin_password=<%= scope.lookupvar('contrail::service_token') %>
|
||||
admin_token=<%= scope.lookupvar('contrail::admin_token') %>
|
||||
admin_tenant_name=services
|
||||
insecure=False
|
||||
admin_tenant_name=<%= scope.lookupvar('contrail::service_tenant') %>
|
||||
insecure=True
|
||||
memcache_servers=127.0.0.1:11211
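Review bot: `insecure=True` on the new side turns off certificate verification for the keystone connection in the same change that lets `auth_protocol` and `auth_url` become HTTPS, so the endpoint is not authenticated and the `admin_password` and `admin_token` rendered just above can be sent to whoever answers on that address. The old/new side is inferred from the hunk's line counts, since the page has lost its +/- markers. Keeping `insecure=False` and making the CA that signed the keystone certificate trusted on the node preserves the benefit of the SSL support; if verification has to be relaxed for some deployments, it should be an explicit setting and not the template default. `contrail::keystone_ssl` is computed in `class contrail`, but none of the visible hunks reads it.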
|
|
@ -6,9 +6,9 @@
|
|||
* Specify the authentication parameters for admin user
|
||||
****************************************************************************/
|
||||
var auth = {};
|
||||
auth.admin_user = 'neutron';
|
||||
auth.admin_user = '<%= scope.lookupvar('contrail::neutron_user') %>';
|
||||
auth.admin_password = '<%= scope.lookupvar('contrail::service_token') %>';
|
||||
auth.admin_token = '<%= scope.lookupvar('contrail::admin_token') %>';
|
||||
auth.admin_tenant_name = 'services';
|
||||
auth.admin_tenant_name = '<%= scope.lookupvar('contrail::service_tenant') %>';
|
||||
|
||||
module.exports = auth;
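Review bot: `auth.admin_user` and `auth.admin_tenant_name` are now filled from hiera data by pasting the value between single quotes, so a quote or backslash in the user or tenant name produces a broken or altered JavaScript config file. The neighbouring `admin_password` and `admin_token` lines already have the same form. Emitting each value as an encoded string literal avoids this, e.g. `auth.admin_user = <%= scope.lookupvar('contrail::neutron_user').to_json %>;`, assuming the JSON library is available in the template's Ruby environment.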
|
||||
|
|
|
@ -10,7 +10,7 @@ BASE_URL = /
|
|||
; Authentication settings (optional)
|
||||
[auth]
|
||||
AUTHN_TYPE = keystone
|
||||
AUTHN_PROTOCOL = http
|
||||
AUTHN_SERVER = <%= scope.lookupvar('contrail::mos_mgmt_vip') %>
|
||||
AUTHN_PROTOCOL = <%= scope.lookupvar('contrail::keystone_protocol') %>
|
||||
AUTHN_SERVER = <%= scope.lookupvar('contrail::keystone_address') %>
|
||||
AUTHN_PORT = 35357
|
||||
AUTHN_URL = /v2.0/tokens
|
||||
|
|