diff --git a/Puppetfile b/Puppetfile
index 5f94bdaa..d49e5d2d 100644
--- a/Puppetfile
+++ b/Puppetfile
@@ -40,7 +40,7 @@ mod 'keystone',
 :ref => '4b2623d4ec41957b0274d8a457e3019fdf1e342b'
 mod 'neutron',
 :git => 'git://github.com/enovance/puppet-neutron.git',
- :ref => 'd5628a9ca16140e3c08c98d56feecaf56e898f35'
+ :ref => '183541d3890cd212db5a581470bdf98c21c40ad7'
 mod 'nova',
 :git => 'git://github.com/enovance/puppet-nova.git',
 :ref => 'cc1a2a348a7953298c75881a5c4afafeb3d0a4e4'
@@ -80,6 +80,9 @@ mod 'cassandra',
 mod 'concat',
 :git => 'git://github.com/enovance/puppet-concat.git',
 :ref => 'ab06c2b8c09d9da82b53a62a5389427720519cd5'
+mod 'contrail',
+ :git => 'git://github.com/enovance/puppet-contrail.git',
+ :ref => '2b135d5b9f00c26b357bf2f55082701f01e0670a'
 mod 'corosync',
 :git => 'git://github.com/enovance/puppetlabs-corosync.git',
 :ref => '7bbdcd8c57beab6ba24b06ef5aaee2462f8d3d24'
diff --git a/files/qemu/qemu.conf b/files/qemu/qemu.conf
index 5090f409..93f1ff42 100644
--- a/files/qemu/qemu.conf
+++ b/files/qemu/qemu.conf
@@ -8,4 +8,4 @@ cgroup_device_acl = [
 "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
 "/dev/rtc", "/dev/hpet", "/dev/net/tun",
 ]
-clear_emulator_capabilities = 0
+clear_emulator_capabilities = 1
diff --git a/manifests/compute/hypervisor.pp b/manifests/compute/hypervisor.pp
index a04c064b..cef7ab55 100644
--- a/manifests/compute/hypervisor.pp
+++ b/manifests/compute/hypervisor.pp
@@ -122,6 +122,10 @@
 # (optional) Hostname or IP used to connect to console service.
 # Defaults to false (use nova_public_host)
 #
+# [*include_vswitch*]
+# (optional) Should the class cloud::network::vswitch should be included.
+# Defaults to true
+#
 # [*firewall_settings*]
 # (optional) Allow to add custom parameters to firewall rules
 # Should be an hash.
@@ -147,6 +151,7 @@ class cloud::compute::hypervisor(
 $manage_tso = true,
 $nova_shell = false,
 $firewall_settings = {},
+ $include_vswitch = true,
 # when using NFS storage backend
 $nfs_enabled = false,
 $nfs_device = false,
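Review bot: The new `contrail` stanza fetches the module over `git://`, a transport with neither authentication nor encryption, so the remote can be impersonated on the path. The full-SHA `:ref` pin means a substituted repository would still have to produce that exact commit, which contains the damage, but nothing verifies which server was talked to; since every stanza in the file uses the same scheme, this is best fixed file-wide rather than for the new entry alone, e.g. `:git => 'https://github.com/enovance/puppet-contrail.git',`.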
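Review bot: `clear_emulator_capabilities = 1` makes libvirt drop every capability from the qemu process, a hardening step that reverses the previous explicit `0` in a file that is shipped as-is, and the reason should be recorded next to it, e.g. `# Drop all capabilities from the emulator (libvirt's default); a guest escape then lands in an unprivileged process`. Whatever previously relied on a capable qemu stops working with this line, so the comment should also say the old value was deliberate to revert and who to ask before flipping it back. The rest of the file, including the `user`/`group` qemu runs as, is outside the hunk, so whether the process is non-root as well cannot be confirmed here.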
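Review bot: The new parameter's doc line reads `(optional) Should the class cloud::network::vswitch should be included.`, a doubled "should"; suggest `# (optional) Whether to include the class cloud::network::vswitch on this node.` It is presumably meant to be switched off on nodes that run the Contrail vRouter added in this commit, which the doc could say outright. The value is used as a bare boolean in the body (outside the first hunk), so a `validate_bool($include_vswitch)` beside the other checks would reject a string `'false'` coming from hiera, which Puppet 3 treats as truthy; stdlib is in scope given `uriescape` is used elsewhere in this tree. The parameter list of `cloud::compute::hypervisor` continues beyond the second hunk.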
@@ -158,7 +163,10 @@ class cloud::compute::hypervisor(
 include 'cloud::params'
 include 'cloud::telemetry'
 include 'cloud::network'
- include 'cloud::network::vswitch'
+
+ if $include_vswitch {
+ include 'cloud::network::vswitch'
+ }
 
 if $libvirt_type == 'kvm' and ! $::vtx {
 fail('libvirt_type is set to KVM and VTX seems to be disabled on this node.')
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 74b1aa8e..2bdee0bf 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -626,6 +626,7 @@ class cloud::loadbalancer(
 ){
 
 include cloud::params
+ include cloud::network::contrail::haproxy
 
 $common_tcp_options = {
 'mode' => 'tcp',
diff --git a/manifests/network.pp b/manifests/network.pp
index b4873ab7..53ea908f 100644
--- a/manifests/network.pp
+++ b/manifests/network.pp
@@ -53,9 +53,14 @@
 #
 # [*plugin*]
 # (optional) Neutron plugin name
-# Supported values: 'ml2', 'n1kv'.
+# Supported values: 'ml2', 'n1kv', 'opencontrail'.
 # Defaults to 'ml2'
 #
+# [*service_plugins*]
+# (optional) List of service plugin entrypoints to be loaded from the neutron
+# service_plugins namespace
+# Defaults to ['neutron.services.loadbalancer.plugin.LoadBalancerPlugin','neutron.services.metering.metering_plugin.MeteringPlugin','neutron.services.l3_router.l3_router_plugin.L3RouterPlugin']
+#
 class cloud::network(
 $verbose = true,
 $debug = true,
@@ -66,6 +71,7 @@ class cloud::network(
 $log_facility = 'LOG_LOCAL0',
 $dhcp_lease_duration = '120',
 $plugin = 'ml2',
+ $service_plugins = ['neutron.services.loadbalancer.plugin.LoadBalancerPlugin','neutron.services.metering.metering_plugin.MeteringPlugin','neutron.services.l3_router.l3_router_plugin.L3RouterPlugin'],
 ) {
 
 # Disable twice logging if syslog is enabled
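Review bot: With `$include_vswitch` false nothing in this class stands in for the switch: `cloud::network::contrail::vrouter`, added in this same commit, is never included here, so a compute node with the vswitch disabled gets no dataplane agent from `cloud::compute::hypervisor` and the operator has to apply the vRouter class separately. If that is the intent, say so in the parameter doc; if the flag exists for Contrail nodes, an explicit `} else { include 'cloud::network::contrail::vrouter' }` would make the two supported configurations visible in one place. The class begins outside the hunk; the hunk header only quotes its signature.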
@@ -88,6 +94,9 @@ class cloud::network(
 'n1kv': {
 $core_plugin = 'neutron.plugins.cisco.network_plugin.PluginV2'
 }
+ 'opencontrail': {
+ $core_plugin = 'neutron_plugin_contrail.plugins.opencontrail.contrail_plugin.NeutronPluginContrailCoreV2'
+ }
 default: {
 fail("${plugin} plugin is not supported.")
 }
@@ -106,7 +115,7 @@ class cloud::network(
 use_syslog => $use_syslog,
 dhcp_agents_per_network => '2',
 core_plugin => $core_plugin,
- service_plugins => ['neutron.services.loadbalancer.plugin.LoadBalancerPlugin','neutron.services.metering.metering_plugin.MeteringPlugin','neutron.services.l3_router.l3_router_plugin.L3RouterPlugin'],
+ service_plugins => $service_plugins,
 log_dir => $log_dir,
 dhcp_lease_duration => $dhcp_lease_duration,
 report_interval => '30',
diff --git a/manifests/network/contrail/analytics.pp b/manifests/network/contrail/analytics.pp
new file mode 100644
index 00000000..2a19b810
--- /dev/null
+++ b/manifests/network/contrail/analytics.pp
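Review bot: The `'opencontrail'` arm assigns the same long class path `neutron_plugin_contrail.plugins.opencontrail.contrail_plugin.NeutronPluginContrailCoreV2` that `cloud::network::controller` assigns in its own `'opencontrail'` case elsewhere in this commit; two copies of that string will drift, so define it once (for instance a `$contrail_core_plugin` value in `cloud::params`) and reference it from both places. Whether the default `service_plugins` (L3 router, LBaaS, metering) work with the Contrail core plugin is not visible here; if they do not, the `plugin` doc should tell operators selecting `'opencontrail'` to override `service_plugins` as well. The `case` sits inside `cloud::network`, whose body extends beyond the hunk.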
@@ -0,0 +1,59 @@ +# +# Copyright (C) 2015 eNovance SAS +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: cloud::network::contrail::analytics +# +# Install a Contrail analytics node +# +# === Parameters: +# +# [*bind_ip*] +# (optional) Address on which the Contrail analytics api is listening on +# Defaults to '127.0.0.1' +# +# [*port*] +# (optional) Port where Contrail analytics api is bound to +# Used for firewall purpose. +# Default to 8081 +# +# [*firewall_settings*] +# (optional) Allow to add custom parameters to firewall rules +# Should be an hash. +# Default to {} +# +class cloud::network::contrail::analytics ( + $bind_ip = '127.0.0.1', + $port = 8081, + $firewall_settings = {}, +){ + + include ::contrail::analytics + + @@haproxy::balancermember{"${::fqdn}-contrail-analytics-api": + listening_service => 'contrail_analytics_api', + server_names => $::hostname, + ipaddresses => $bind_ip, + ports => $port, + options => 'check inter 2000 rise 2 fall 5' + } + + if $::cloud::manage_firewall { + cloud::firewall::rule{ '100 allow contrail analytics access': + port => [$port, '8086'], + extras => $firewall_settings, + } + } + +} diff --git a/manifests/network/contrail/config.pp b/manifests/network/contrail/config.pp new file mode 100644 index 00000000..cc0c543d --- /dev/null +++ b/manifests/network/contrail/config.pp 
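Review bot: The firewall rule `port => [$port, '8086']` opens a second, hard-coded port that the class header never mentions, while the API port beside it is parameterised and documented; a reader cannot tell what 8086 serves or why it is not tunable. It is presumably the collector that `::contrail::analytics` runs next to the API (not visible here); either way give it a parameter with its own doc stanza, `$collector_port = 8086,`, and use `port => [$port, $collector_port],`. As far as the spec in this commit shows, the rule accepts from any source unless `firewall_settings` carries one, which the `firewall_settings` doc should state so operators know the source restriction is theirs to add.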
@@ -0,0 +1,78 @@ +# +# Copyright (C) 2015 eNovance SAS +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: cloud::network::contrail::config +# +# Install a Contrail config node +# +# === Parameters: +# +# [*api_bind_ip*] +# (optional) Address on which the Contrail config api is listening on +# Defaults to '127.0.0.1' +# +# [*discovery_bind_ip*] +# (optional) Address on which the Contrail discovery is listening on +# Defaults to '127.0.0.1' +# +# [*api_port*] +# (optional) Port where Contrail config api is bound to +# Used for firewall purpose. +# Default to 9100 +# +# [*discovery_port*] +# (optional) Port where Contrail discovery is bound to +# Used for firewall purpose. +# Default to 9110 +# +# [*firewall_settings*] +# (optional) Allow to add custom parameters to firewall rules +# Should be an hash. 
+# Default to {} +# +class cloud::network::contrail::config ( + $api_bind_ip = '127.0.0.1', + $discovery_bind_ip = '127.0.0.1', + $api_port = 9100, + $discovery_port = 9110, + $firewall_settings = {}, +){ + + include ::contrail::config + + @@haproxy::balancermember{"${::fqdn}-contrail-config-api": + listening_service => 'contrail_config_api', + server_names => $::hostname, + ipaddresses => $api_bind_ip, + ports => $api_port, + options => 'check inter 2000 rise 2 fall 5' + } + + @@haproxy::balancermember{"${::fqdn}-contrail-config-discovery": + listening_service => 'contrail_config_discovery', + server_names => $::hostname, + ipaddresses => $discovery_bind_ip, + ports => $discovery_port, + options => 'check inter 2000 rise 2 fall 5' + } + + if $::cloud::manage_firewall { + cloud::firewall::rule{ '100 allow contrail config access': + port => ['8443', '8087', '8088', $discovery_port, $api_port], + extras => $firewall_settings, + } + } + +} diff --git a/manifests/network/contrail/control.pp b/manifests/network/contrail/control.pp new file mode 100644 index 00000000..76bf5d1b --- /dev/null +++ b/manifests/network/contrail/control.pp 
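Review bot: `$api_port` and `$discovery_port` are only used for the exported balancer members and the firewall rule; the ports the api-server and discovery daemons actually bind to come from `include ::contrail::config`, which is called with no arguments, so nothing ties the two together and a mismatch would leave HAProxy health-checking a closed port. Document the coupling on both parameters, e.g. `# Must match the port ::contrail::config makes the api-server listen on; 9100 is the backend behind the HAProxy frontend on 8082 (cloud::network::contrail::haproxy).` The rule additionally opens `'8443', '8087', '8088'` with neither parameter nor comment, so at least name what each is for on the `port =>` line. The same 9100/9110 numbers reappear as documented defaults in webui.pp where they are wrong, which suggests copy-paste; double-check they are right here.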
@@ -0,0 +1,40 @@
+#
+# Copyright (C) 2015 eNovance SAS
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: cloud::network::contrail::control
+#
+# Install a Contrail control node
+#
+# === Parameters:
+#
+# [*firewall_settings*]
+# (optional) Allow to add custom parameters to firewall rules
+# Should be an hash.
+# Default to {}
+#
+class cloud::network::contrail::control (
+ $firewall_settings = {},
+){
+
+ include ::contrail::control
+
+ if $::cloud::manage_firewall {
+ cloud::firewall::rule{ '100 allow contrail control access':
+ port => ['8083', '5269', '8092', '8093'],
+ extras => $firewall_settings,
+ }
+ }
+
+}
diff --git a/manifests/network/contrail/database.pp b/manifests/network/contrail/database.pp
new file mode 100644
index 00000000..d8be7be0
--- /dev/null
+++ b/manifests/network/contrail/database.pp
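Review bot: The firewall rule opens `'8083', '5269', '8092', '8093'` as bare literals with no parameter and no comment, unlike the sibling contrail classes that expose a `$port`; nothing tells a reader which daemon each port belongs to or whether it is meant to be reachable beyond the control-plane network. Add a `$ports` parameter with a doc stanza naming the role of each port, or at minimum a comment on the `port =>` line such as `# control-node ports opened for ::contrail::control; per-port purpose to be documented before exposing externally`. The rule accepts from any source unless `firewall_settings` restricts it, so the `firewall_settings` doc should say that a `source` is expected in production.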
@@ -0,0 +1,46 @@
+#
+# Copyright (C) 2015 eNovance SAS
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: cloud::network::contrail::database
+#
+# Install a Contrail database node
+#
+# === Parameters:
+#
+# [*port*]
+# (optional) Port where Kafka is bound to
+# Used for firewall purpose.
+# Default to 9042
+#
+# [*firewall_settings*]
+# (optional) Allow to add custom parameters to firewall rules
+# Should be an hash.
+# Default to {}
+#
+class cloud::network::contrail::database (
+ $port = 9042,
+ $firewall_settings = {},
+){
+
+ include ::contrail::database
+
+ if $::cloud::manage_firewall {
+ cloud::firewall::rule{ '100 allow contrail database access':
+ port => $port,
+ extras => $firewall_settings,
+ }
+ }
+
+}
diff --git a/manifests/network/contrail/haproxy.pp b/manifests/network/contrail/haproxy.pp
new file mode 100644
index 00000000..41ab345f
--- /dev/null
+++ b/manifests/network/contrail/haproxy.pp
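Review bot: The `[*port*]` stanza says this is where Kafka is bound, but 9042 is conventionally Cassandra's native (CQL) transport port and the class wraps `::contrail::database`; the line should read `# (optional) Port where the Cassandra native transport is bound to`. More importantly the rule opens that port to any source unless `firewall_settings` supplies one, and unless `::contrail::database` enables Cassandra authentication (not visible here) any host that can reach 9042 gets read and write access to the whole configuration store. Either restrict the rule to the other database and config nodes, or state in the `firewall_settings` doc that a `source` restriction is required in production.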
@@ -0,0 +1,183 @@ +# +# Copyright (C) 2015 eNovance SAS +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: cloud::network::contrail::haproxy +# +# Create the haproxy stanzas for Contrail related services +# +# === Parameters: +# +# [*contrail_analytics_api*] +# (optional) Enable or not Contrail analytics api public binding. +# If true, both public and internal will attempt to be created except if vip_internal_ip is set to false. +# If set to ['10.0.0.1'], only IP in the array (or in the string) will be configured in the pool. They must be part of keepalived_ip options. +# If set to false, no binding will be configure +# Defaults to false +# +# [*contrail_config_api*] +# (optional) Enable or not Contrail config api binding. +# If true, both public and internal will attempt to be created except if vip_internal_ip is set to false. +# If set to ['10.0.0.1'], only IP in the array (or in the string) will be configured in the pool. They must be part of keepalived_ip options. +# If set to false, no binding will be configure. +# Defaults to false +# +# [*contrail_config_discovery*] +# (optional) Enable or not Contrail discoverybinding. +# If true, both public and internal will attempt to be created except if vip_internal_ip is set to false. +# If set to ['10.0.0.1'], only IP in the array (or in the string) will be configured in the pool. They must be part of keepalived_ip options. +# If set to false, no binding will be configure. 
+# Defaults to false +# +# [*contrail_webui_http*] +# (optional) Enable or not Contrail webui http binding. +# If true, both public and internal will attempt to be created except if vip_internal_ip is set to false. +# If set to ['10.0.0.1'], only IP in the array (or in the string) will be configured in the pool. They must be part of keepalived_ip options. +# If set to false, no binding will be configure. +# Defaults to true +# +# [*contrail_webui_https*] +# (optional) Enable or not Contrail webui https binding. +# If true, both public and internal will attempt to be created except if vip_internal_ip is set to false. +# If set to ['10.0.0.1'], only IP in the array (or in the string) will be configured in the pool. They must be part of keepalived_ip options. +# If set to false, no binding will be configure +# Defaults to true +# +# [*contrail_analytics_api_bind_options*] +# (optional) A hash of options that are inserted into the HAproxy listening +# service configuration block. +# Defaults to [] +# +# [*contrail_config_api_bind_options*] +# (optional) A hash of options that are inserted into the HAproxy listening +# service configuration block. +# Defaults to [] +# +# [*contrail_config_discovery_bind_options*] +# (optional) A hash of options that are inserted into the HAproxy listening +# service configuration block. +# Defaults to [] +# +# [*contrail_webui_http_bind_options*] +# (optional) A hash of options that are inserted into the HAproxy listening +# service configuration block. +# Defaults to [] +# +# [*contrail_webui_https_bind_options*] +# (optional) A hash of options that are inserted into the HAproxy listening +# service configuration block. 
+# Defaults to [] +# +# [*contrail_analytics_api_port*] +# (optional) TCP port to connect to Contrail analytics api from public network +# Defaults to '8081' +# +# [*contrail_config_api_port*] +# (optional) TCP port to connect to Contrail config api from public network +# Defaults to '8082' +# +# [*contrail_config_discovery_port*] +# (optional) TCP port to connect to Contrail discovery from public network +# Defaults to '5998' +# +# [*contrail_webui_http_port*] +# (optional) TCP port to connect to Contrail webui http from public network +# Defaults to '8079' +# +# [*contrail_webui_https_port*] +# (optional) TCP port to connect to Contrail webui https from public network +# Defaults to '8143' +# +# [*firewall_settings*] +# (optional) Allow to add custom parameters to firewall rules +# Should be an hash. +# Default to {} +# +class cloud::network::contrail::haproxy ( + $contrail_analytics_api = false, + $contrail_config_api = false, + $contrail_config_discovery = false, + $contrail_webui_http = false, + $contrail_webui_https = false, + $contrail_analytics_api_bind_options = [], + $contrail_config_api_bind_options = [], + $contrail_config_discovery_bind_options = [], + $contrail_webui_http_bind_options = [], + $contrail_webui_https_bind_options = [], + $contrail_analytics_api_port = 8081, + $contrail_config_api_port = 8082, + $contrail_config_discovery_port = 5998, + $contrail_webui_http_port = 8079, + $contrail_webui_https_port = 8143, + $firewall_settings = {}, +){ + + cloud::loadbalancer::binding { 'contrail_analytics_api': + ip => $contrail_analytics_api, + port => $contrail_analytics_api_port, + bind_options => $contrail_analytics_api_bind_options, + firewall_settings => $firewall_settings, + options => { + 'balance' => 'roundrobin', + 'option' => ['nolinger', 'tcp-check'], + 'default-server' => 'error-limit 1 on-error mark-down', + }, + } + + cloud::loadbalancer::binding { 'contrail_config_api': + ip => $contrail_config_api, + port => $contrail_config_api_port, + 
bind_options => $contrail_config_api_bind_options, + firewall_settings => $firewall_settings, + options => { + 'balance' => 'roundrobin', + 'option' => ['nolinger'], + }, + } + + cloud::loadbalancer::binding { 'contrail_config_discovery': + ip => $contrail_config_discovery, + port => $contrail_config_discovery_port, + bind_options => $contrail_config_discovery_bind_options, + firewall_settings => $firewall_settings, + options => { + 'balance' => 'roundrobin', + 'option' => ['nolinger'], + }, + } + + cloud::loadbalancer::binding { 'contrail_webui_http': + ip => $contrail_webui_http, + port => $contrail_webui_http_port, + bind_options => $contrail_webui_http_bind_options, + firewall_settings => $firewall_settings, + options => { + 'balance' => 'source', + }, + } + + cloud::loadbalancer::binding { 'contrail_webui_https': + ip => $contrail_webui_https, + port => $contrail_webui_https_port, + bind_options => $contrail_webui_https_bind_options, + httpchk => 'ssl-hello-chk', + firewall_settings => $firewall_settings, + options => { + 'mode' => 'tcp', + 'balance' => 'source', + 'reqadd' => 'X-Forwarded-Proto:\ https if { ssl_fc }', + } + } + +} diff --git a/manifests/network/contrail/rabbitmq.pp b/manifests/network/contrail/rabbitmq.pp new file mode 100644 index 00000000..cae9b4ec --- /dev/null +++ b/manifests/network/contrail/rabbitmq.pp 
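Review bot: The `contrail_webui_https` binding sets `'mode' => 'tcp'` and, in the same options hash, `'reqadd' => 'X-Forwarded-Proto:\ https if { ssl_fc }'`; `reqadd` is an HTTP-mode directive that HAProxy ignores (with a warning) on a TCP listener, and `ssl_fc` is only true when HAProxy itself terminates TLS, which a plain pass-through bind does not unless `contrail_webui_https_bind_options` adds `ssl`, so the header is never inserted. Drop the `'reqadd'` line, or move the listener to HTTP mode with an `ssl` bind if the intent is to terminate TLS on the load balancer. Separately, the header comments for `contrail_webui_http` and `contrail_webui_https` say `Defaults to true` while the parameters default to `false`, the `*_bind_options` docs say `A hash` while the defaults are `[]`, and `discoverybinding` is missing a space. The class ends in this hunk, but the `cloud::loadbalancer::binding` define it relies on is outside the diff.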
@@ -0,0 +1,79 @@ +# +# Copyright (C) 2015 eNovance SAS +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: cloud::network::contrail::rabbitmq +# +# This resource creates RabbitMQ resources for Contrail +# +# == Parameters: +# +# [*user*] +# (optional) The username to use when connecting to Rabbit +# Defaults to 'contrail' +# +# [*password*] +# (optional) The password to use when connecting to Rabbit +# Defaults to 'contrailpassword' +# +# [*vhost*] +# (optional) The virtual host to use when connecting to Rabbit +# Defaults to '/' +# +# [*is_admin*] +# (optional) If the user should be admin or not +# Defaults to true +# +# [*configure_permission*] +# (optional) Define configure permission +# Defaults to '.*' +# +# [*write_permission*] +# (optional) Define write permission +# Defaults to '.*' +# +# [*read_permission*] +# (optional) Define read permission +# Defaults to '.*' +# +class cloud::network::contrail::rabbitmq ( + $user = 'contrail', + $password = 'contrailpassword', + $vhost = '/', + $is_admin = true, + $configure_permission = '.*', + $write_permission = '.*', + $read_permission = '.*', +) { + + rabbitmq_user { $user : + admin => $is_admin, + password => $password, + provider => 'rabbitmqctl', + } + + if !defined(Rabbitmq_vhost[$vhost]) { + rabbitmq_vhost { $vhost : + provider => 'rabbitmqctl', + } + } + + rabbitmq_user_permissions { "${user}@${vhost}" : + configure_permission => $configure_permission, + write_permission => $write_permission, + 
read_permission => $read_permission,
+ provider => 'rabbitmqctl',
+ }
+
+}
diff --git a/manifests/network/contrail/vrouter.pp b/manifests/network/contrail/vrouter.pp
new file mode 100644
index 00000000..2a2a0177
--- /dev/null
+++ b/manifests/network/contrail/vrouter.pp
@@ -0,0 +1,27 @@
+#
+# Copyright (C) 2015 eNovance SAS
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: cloud::network::contrail::vrouter
+#
+# Install a Contrail vrouter agent on the node
+#
+# === Parameters:
+#
+class cloud::network::contrail::vrouter (
+){
+
+ include ::contrail::vrouter
+
+}
diff --git a/manifests/network/contrail/webui.pp b/manifests/network/contrail/webui.pp
new file mode 100644
index 00000000..c725d764
--- /dev/null
+++ b/manifests/network/contrail/webui.pp
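Review bot: `rabbitmq_user { $user: admin => $is_admin }` with `$is_admin = true` plus `.*` configure/write/read on the default `/` vhost gives the Contrail broker account full administrative control of the broker, including every other service's queues that share `/`, behind a shipped default password of `'contrailpassword'`. Default passwords are the convention of the sibling classes in this module (`'neutronpassword'`, `'novapassword'` in controller.pp), so that part is at least consistent, but the administrator tag is not needed to publish and consume and should default off: `$is_admin = false,`. A dedicated vhost default such as `'/contrail'` would also scope the `.*` grants, provided `::contrail::*` can be pointed at it (its broker settings are not visible here).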
@@ -0,0 +1,79 @@ +# +# Copyright (C) 2015 eNovance SAS +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: cloud::network::contrail::webui +# +# Install a Contrail webui node +# +# === Parameters: +# +# [*http_bind_ip*] +# (optional) Address on which the Contrail webui http service is listening on +# Defaults to '127.0.0.1' +# +# [*https_bind_ip*] +# (optional) Address on which the Contrail webui https service is listening on +# Defaults to '127.0.0.1' +# +# [*http_port*] +# (optional) Port where Contrail webui http service is bound to +# Used for firewall purpose. +# Default to 9100 +# +# [*https_port*] +# (optional) Port where Contrail webui https is bound to +# Used for firewall purpose. +# Default to 9110 +# +# [*firewall_settings*] +# (optional) Allow to add custom parameters to firewall rules +# Should be an hash. 
+# Default to {} +# +class cloud::network::contrail::webui ( + $http_bind_ip = '127.0.0.1', + $https_bind_ip = '127.0.0.1', + $http_port = 8080, + $https_port = 8143, + $firewall_settings = {}, + $firewall_settings = {}, +){ + + include ::contrail::webui + + @@haproxy::balancermember{"${::fqdn}-contrail-webui-http": + listening_service => 'contrail_webui_http', + server_names => $::hostname, + ipaddresses => $http_bind_ip, + ports => $http_port, + options => 'check inter 2000 rise 2 fall 5' + } + + @@haproxy::balancermember{"${::fqdn}-contrail-webui-https": + listening_service => 'contrail_webui_https', + server_names => $::hostname, + ipaddresses => $https_bind_ip, + ports => $https_port, + options => 'check inter 2000 rise 2 fall 5' + } + + if $::cloud::manage_firewall { + cloud::firewall::rule{ '100 allow contrail webui access': + port => [$http_port, $https_port], + extras => $firewall_settings, + } + } + +} diff --git a/manifests/network/controller.pp b/manifests/network/controller.pp index cb79f6c7..a53c7855 100644 --- a/manifests/network/controller.pp +++ b/manifests/network/controller.pp @@ -108,7 +108,7 @@ # # [*plugin*] # (optional) Neutron plugin name -# Supported values: 'ml2', 'n1kv'. +# Supported values: 'ml2', 'n1kv', 'opencontrail'. # Defaults to 'ml2' # # [*l3_ha*] @@ -124,6 +124,18 @@ # (optional) TCP port to connect to Keystone API from admin network # Defaults to '35357' # +# [*ks_keystone_admin_user*] +# (optional) Admin user to connect to Keystone API +# Defaults to 'admin' +# +# [*ks_keystone_admin_password*] +# (optional) Password for admin user to connect to Keystone API +# Defaults to 'password' +# +# [*ks_keystone_admin_token*] +# (optional) Token to connect to Keystone API as admin user +# Defaults to undef +# # [*provider_vlan_ranges*] # (optionnal) VLAN range for provider networks # Defaults to ['physnet1:1000:2999'] 
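Review bot: `$firewall_settings = {},` appears twice in the parameter list of `cloud::network::contrail::webui`; the second occurrence is dead at best and newer Puppet parsers reject a parameter declared more than once, so delete the repeated line. The header also documents `http_port` as `Default to 9100` and `https_port` as `Default to 9110` while the code defaults are `8080` and `8143` (the numbers are copied from config.pp); correct the two doc lines to `# Default to 8080` and `# Default to 8143`. The documentation-only hunks of network/controller.pp that end on this same line carry no code change.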
@@ -151,7 +163,25 @@ # [*vni_ranges*] # (optional) VxLan Network ID range. used by the ml2 plugin # List of colon-separated id ranges -# Defautls to ['1:10000'] +# Defaults to ['1:10000'] +# +# [*contrail_api_server_ip*] +# (optional) IP address of the Contrail API +# Defaults to 127.0.0.1 +# +# [*contrail_api_server_port*] +# (optional) Port of the Contrail API +# Defaults to 8082 +# +# [*contrail_multi_tenancy*] +# (optional) Should Contrail support multi tenancy +# Boolean. +# Defaults to true +# +# [*contrail_extensions*] +# (optional) Array of extensions enabled for Contrail +# Array of extensions +# Defaults to [''] # # [*mechanism_drivers*] # (optional) Neutron mechanism drivers to run 
@@ -160,43 +190,52 @@ # Defaults to ['linuxbridge', 'openvswitch','l2population'] # class cloud::network::controller( - $neutron_db_host = '127.0.0.1', - $neutron_db_user = 'neutron', - $neutron_db_password = 'neutronpassword', - $neutron_db_idle_timeout = 5000, - $ks_neutron_password = 'neutronpassword', - $ks_keystone_admin_host = '127.0.0.1', - $ks_keystone_admin_proto = 'http', - $ks_keystone_public_port = 5000, - $ks_neutron_public_port = 9696, - $api_eth = '127.0.0.1', - $ks_admin_tenant = 'admin', - $nova_url = 'http://127.0.0.1:8774/v2', - $nova_admin_auth_url = 'http://127.0.0.1:5000/v2.0', - $nova_admin_username = 'nova', - $nova_admin_tenant_name = 'services', - $nova_admin_password = 'novapassword', - $nova_region_name = 'RegionOne', - $manage_ext_network = false, - $firewall_settings = {}, - $flat_networks = ['public'], - $tenant_network_types = ['gre'], - $type_drivers = ['gre', 'vlan', 'flat'], - $provider_vlan_ranges = ['physnet1:1000:2999'], - $plugin = 'ml2', - $mechanism_drivers = ['linuxbridge', 'openvswitch','l2population'], - $l3_ha = false, - $router_distributed = false, + $neutron_db_host = '127.0.0.1', + $neutron_db_user = 'neutron', + $neutron_db_password = 'neutronpassword', + $neutron_db_idle_timeout = 5000, + $ks_neutron_password = 'neutronpassword', + $ks_keystone_admin_host = '127.0.0.1', + $ks_keystone_admin_proto = 'http', + $ks_keystone_admin_port = 35357, + $ks_keystone_admin_user = 'admin', + $ks_admin_tenant = 'admin', + $ks_keystone_admin_password = 'password', + $ks_keystone_admin_token = undef, + $ks_keystone_public_port = 5000, + $ks_neutron_public_port = 9696, + $api_eth = '127.0.0.1', + $nova_url = 'http://127.0.0.1:8774/v2', + $nova_admin_auth_url = 'http://127.0.0.1:5000/v2.0', + $nova_admin_username = 'nova', + $nova_admin_tenant_name = 'services', + $nova_admin_password = 'novapassword', + $nova_region_name = 'RegionOne', + $manage_ext_network = false, + $firewall_settings = {}, + $flat_networks = ['public'], + 
$tenant_network_types = ['gre'], + $type_drivers = ['gre', 'vlan', 'flat'], + $provider_vlan_ranges = ['physnet1:1000:2999'], + $plugin = 'ml2', + $mechanism_drivers = ['linuxbridge', 'openvswitch','l2population'], + $l3_ha = false, + $router_distributed = false, # only needed by cisco n1kv plugin - $n1kv_vsm_ip = '127.0.0.1', - $n1kv_vsm_password = 'secrete', - $ks_keystone_admin_port = 35357, + $n1kv_vsm_ip = '127.0.0.1', + $n1kv_vsm_password = 'secrete', # only needed by ml2 plugin - $tunnel_id_ranges = ['1:10000'], - $vni_ranges = ['1:10000'], + $tunnel_id_ranges = ['1:10000'], + $vni_ranges = ['1:10000'], + # only needed by opencontrail plugin + $contrail_api_server_ip = '127.0.0.1', + $contrail_api_server_port = '8082', + $contrail_multi_tenancy = true, + $contrail_extensions = [''], ) { include 'cloud::network' + include ::neutron::quota $encoded_user = uriescape($neutron_db_user) $encoded_password = uriescape($neutron_db_password) @@ -258,6 +297,21 @@ class cloud::network::controller( } } + 'opencontrail': { + $core_plugin = 'neutron_plugin_contrail.plugins.opencontrail.contrail_plugin.NeutronPluginContrailCoreV2' + class { 'neutron::plugins::opencontrail': + api_server_ip => $contrail_api_server_ip , + api_server_port => $contrail_api_server_port, + multi_tenancy => $contrail_multi_tenancy, + contrail_extensions => $contrail_extensions, + keystone_auth_url => "${ks_keystone_admin_proto}://${ks_keystone_admin_host}:${ks_keystone_admin_port}/v2.0/", + keystone_admin_user => $ks_keystone_admin_user, + keystone_admin_tenant_name => $ks_admin_tenant, + keystone_admin_password => $ks_keystone_admin_password, + keystone_admin_token => $ks_keystone_admin_token, + } + } + default: { fail("${plugin} plugin is not supported.") } diff --git a/manifests/network/metadata.pp b/manifests/network/metadata.pp index 4f0c22d3..56d55437 100644 --- a/manifests/network/metadata.pp +++ b/manifests/network/metadata.pp 
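Review bot: The `'opencontrail'` branch hands the Neutron plugin the cloud's Keystone admin credentials, `$ks_keystone_admin_password` with a shipped default of `'password'` and an optional `$ks_keystone_admin_token`, and nothing checks that either was actually set, so a deployment missing the hiera key silently configures the plugin with `password` as the admin password. Fail early in that branch, e.g. `if $ks_keystone_admin_password == 'password' and ! $ks_keystone_admin_token { fail('opencontrail plugin requires a real keystone admin password or token') }`, and note in the `ks_keystone_admin_*` docs that this is the cloud admin rather than the neutron service user, so it should be scoped down if the plugin can work with less. Two smaller points: `$contrail_extensions = ['']` is a one-element list holding an empty string rather than the empty list `[]` that "no extensions" suggests, and `include ::neutron::quota` is an unrelated unconditional addition that deserves its own commit or at least a comment. The class body continues beyond the hunk.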
@@ -76,18 +76,15 @@ class cloud::network::metadata( include 'cloud::network::vswitch' class { 'neutron::agents::metadata': - enabled => $enabled, - shared_secret => $neutron_metadata_proxy_shared_secret, - debug => $debug, - metadata_ip => $nova_metadata_server, - auth_url => "${ks_keystone_admin_proto}://${ks_keystone_admin_host}:${ks_keystone_admin_port}/v2.0", - auth_password => $ks_neutron_password, - auth_region => $auth_region, - metadata_workers => $::processorcount - } - - neutron_metadata_agent_config { - 'DEFAULT/nova_metadata_protocol': value => $ks_nova_internal_proto; + enabled => $enabled, + shared_secret => $neutron_metadata_proxy_shared_secret, + debug => $debug, + metadata_ip => $nova_metadata_server, + auth_url => "${ks_keystone_admin_proto}://${ks_keystone_admin_host}:${ks_keystone_admin_port}/v2.0", + auth_password => $ks_neutron_password, + auth_region => $auth_region, + metadata_workers => $::processorcount, + metadata_protocol => $ks_nova_internal_proto, } } diff --git a/spec/classes/cloud_network_contrail_analytics_spec.rb b/spec/classes/cloud_network_contrail_analytics_spec.rb new file mode 100644 index 00000000..ec177223 --- /dev/null +++ b/spec/classes/cloud_network_contrail_analytics_spec.rb 
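Review bot: `metadata_protocol => $ks_nova_internal_proto` replaces a raw `neutron_metadata_agent_config` entry with a parameter of `neutron::agents::metadata`, which presumably only exists from the puppet-neutron ref bumped in the Puppetfile in this same commit; confirm that and record the dependency in the commit message, since rolling the module back on its own would break compilation of this class. The other lines of the hunk are arrow re-alignment only. `cloud::network::metadata` starts outside the hunk.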
@@ -0,0 +1,80 @@
+#
+# Copyright (C) 2015 eNovance SAS
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for cloud::network::contrail::analytics
+#
+
+require 'spec_helper'
+
+describe 'cloud::network::contrail::analytics' do
+
+ shared_examples_for 'contrail-analytics server' do
+
+ let :params do
+ { }
+ end
+
+ it 'configure contrail-analytics' do
+ is_expected.to contain_class('contrail::analytics')
+ end
+
+ context 'with default firewall enabled' do
+ let :pre_condition do
+ "class { 'cloud': manage_firewall => true }"
+ end
+ it 'configure contrail-analytics firewall rules' do
+ is_expected.to contain_firewall('100 allow contrail analytics access').with(
+ :port => ['8081', '8086'],
+ :proto => 'tcp',
+ :action => 'accept',
+ )
+ end
+ end
+
+ context 'with custom firewall enabled' do
+ let :pre_condition do
+ "class { 'cloud': manage_firewall => true }"
+ end
+ before :each do
+ params.merge!(:firewall_settings => { 'limit' => '50/sec' } )
+ end
+ it 'configure contrail-analytics firewall rules with custom parameter' do
+ is_expected.to contain_firewall('100 allow contrail analytics access').with(
+ :port => ['8081', '8086'],
+ :proto => 'tcp',
+ :action => 'accept',
+ :limit => '50/sec',
+ )
+ end
+ end
+
+ end
+
+ context 'on Debian platforms' do
+ let :facts do
+ { :osfamily => 'Debian' }
+ end
+
+ end
+
+ context 'on RedHat platforms' do
+ let :facts do
+ { :osfamily => 'RedHat' }
+ end
+
+ it_configures 'contrail-analytics server'
+ end
+
+end
diff --git a/spec/classes/cloud_network_contrail_config_spec.rb b/spec/classes/cloud_network_contrail_config_spec.rb
new file mode 100644
index 00000000..05e57b15
--- /dev/null
+++ b/spec/classes/cloud_network_contrail_config_spec.rb
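Review bot: The `'on Debian platforms'` context sets `:osfamily => 'Debian'` but contains no example, so nothing is asserted for Debian and the shared examples run only under the RedHat context; the same empty Debian context is present in the config, database, haproxy, rabbitmq, vrouter and webui specs added by this commit. If Debian is a supported platform the context needs `it_configures 'contrail-analytics server'` (and the matching shared-example name in each sibling spec); if it is intentionally unsupported, a comment such as `# contrail is only exercised on RedHat; no examples run here` or dropping the context would say so. As written, a Debian-only regression in any of these classes cannot be caught by this suite.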
@@ -0,0 +1,80 @@
+#
+# Copyright (C) 2015 eNovance SAS
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for cloud::network::contrail::config
+#
+
+require 'spec_helper'
+
+describe 'cloud::network::contrail::config' do
+
+ shared_examples_for 'contrail-config server' do
+
+ let :params do
+ { }
+ end
+
+ it 'configure contrail-config' do
+ is_expected.to contain_class('contrail::config')
+ end
+
+ context 'with default firewall enabled' do
+ let :pre_condition do
+ "class { 'cloud': manage_firewall => true }"
+ end
+ it 'configure contrail-config firewall rules' do
+ is_expected.to contain_firewall('100 allow contrail config access').with(
+ :port => ['8443', '8087', '8088', '9110', '9100'],
+ :proto => 'tcp',
+ :action => 'accept',
+ )
+ end
+ end
+
+ context 'with custom firewall enabled' do
+ let :pre_condition do
+ "class { 'cloud': manage_firewall => true }"
+ end
+ before :each do
+ params.merge!(:firewall_settings => { 'limit' => '50/sec' } )
+ end
+ it 'configure contrail-config firewall rules with custom parameter' do
+ is_expected.to contain_firewall('100 allow contrail config access').with(
+ :port => ['8443', '8087', '8088', '9110', '9100'],
+ :proto => 'tcp',
+ :action => 'accept',
+ :limit => '50/sec',
+ )
+ end
+ end
+
+ end
+
+ context 'on Debian platforms' do
+ let :facts do
+ { :osfamily => 'Debian' }
+ end
+
+ end
+
+ context 'on RedHat platforms' do
+ let :facts do
+ { :osfamily => 'RedHat' }
+ end
+
+ it_configures 'contrail-config server'
+ end
+
+end
diff --git a/spec/classes/cloud_network_contrail_database_spec.rb b/spec/classes/cloud_network_contrail_database_spec.rb
new file mode 100644
index 00000000..22914815
--- /dev/null
+++ b/spec/classes/cloud_network_contrail_database_spec.rb
@@ -0,0 +1,80 @@
+#
+# Copyright (C) 2015 eNovance SAS
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for cloud::network::contrail::database
+#
+
+require 'spec_helper'
+
+describe 'cloud::network::contrail::database' do
+
+ shared_examples_for 'contrail-database server' do
+
+ let :params do
+ { }
+ end
+
+ it 'configure contrail-database' do
+ is_expected.to contain_class('contrail::database')
+ end
+
+ context 'with default firewall enabled' do
+ let :pre_condition do
+ "class { 'cloud': manage_firewall => true }"
+ end
+ it 'configure contrail-database firewall rules' do
+ is_expected.to contain_firewall('100 allow contrail database access').with(
+ :port => '9042',
+ :proto => 'tcp',
+ :action => 'accept',
+ )
+ end
+ end
+
+ context 'with custom firewall enabled' do
+ let :pre_condition do
+ "class { 'cloud': manage_firewall => true }"
+ end
+ before :each do
+ params.merge!(:firewall_settings => { 'limit' => '50/sec' } )
+ end
+ it 'configure contrail-database firewall rules with custom parameter' do
+ is_expected.to contain_firewall('100 allow contrail database access').with(
+ :port => '9042',
+ :proto => 'tcp',
+ :action => 'accept',
+ :limit => '50/sec',
+ )
+ end
+ end
+
+ end
+
+ context 'on Debian platforms' do
+ let :facts do
+ { :osfamily => 'Debian' }
+ end
+
+ end
+
+ context 'on RedHat platforms' do
+ let :facts do
+ { :osfamily => 'RedHat' }
+ end
+
+ it_configures 'contrail-database server'
+ end
+
+end
diff --git a/spec/classes/cloud_network_contrail_haproxy_spec.rb b/spec/classes/cloud_network_contrail_haproxy_spec.rb
new file mode 100644
index 00000000..55a41c4d
--- /dev/null
+++ b/spec/classes/cloud_network_contrail_haproxy_spec.rb
@@ -0,0 +1,65 @@
+#
+# Copyright (C) 2015 eNovance SAS
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for cloud::network::contrail::haproxy
+#
+
+require 'spec_helper'
+
+describe 'cloud::network::contrail::haproxy' do
+
+ shared_examples_for 'contrail-haproxy stanzas' do
+
+ let :params do
+ { }
+ end
+
+ it { is_expected.to contain_cloud__loadbalancer__binding('contrail_analytics_api').with(
+ :port => '8081'
+ )}
+
+ it { is_expected.to contain_cloud__loadbalancer__binding('contrail_config_api').with(
+ :port => '8082'
+ )}
+
+ it { is_expected.to contain_cloud__loadbalancer__binding('contrail_config_discovery').with(
+ :port => '5998'
+ )}
+
+ it { is_expected.to contain_cloud__loadbalancer__binding('contrail_webui_http').with(
+ :port => '8079'
+ )}
+
+ it { is_expected.to contain_cloud__loadbalancer__binding('contrail_webui_https').with(
+ :port => '8143'
+ )}
+ end
+
+ context 'on Debian platforms' do
+ let :facts do
+ { :osfamily => 'Debian' }
+ end
+
+ end
+
+ context 'on RedHat platforms' do
+ let :facts do
+ { :osfamily => 'RedHat' }
+ end
+
+ it_configures 'contrail-haproxy stanzas'
+ end
+
+end
diff --git a/spec/classes/cloud_network_contrail_rabbitmq_spec.rb b/spec/classes/cloud_network_contrail_rabbitmq_spec.rb
new file mode 100644
index 00000000..15c55f25
--- /dev/null
+++ b/spec/classes/cloud_network_contrail_rabbitmq_spec.rb
@@ -0,0 +1,65 @@
+#
+# Copyright (C) 2015 eNovance SAS
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for cloud::network::contrail::rabbitmq
+#
+
+require 'spec_helper'
+
+describe 'cloud::network::contrail::rabbitmq' do
+
+ shared_examples_for 'contrail-rabbitmq settings' do
+
+ let :params do
+ { }
+ end
+
+
+ it 'configure the contrail rabbitmq-user' do
+ is_expected.to contain_rabbitmq_user('contrail').with(
+ :admin => 'true',
+ :password => 'contrailpassword',
+ :provider => 'rabbitmqctl',
+ )
+ end
+
+ it 'configure the contrail rabbitmq-user-permissions' do
+ is_expected.to contain_rabbitmq_user_permissions('contrail@/').with(
+ :configure_permission => '.*',
+ :write_permission => '.*',
+ :read_permission => '.*',
+ :provider => 'rabbitmqctl',
+ )
+ end
+
+
+ end
+
+ context 'on Debian platforms' do
+ let :facts do
+ { :osfamily => 'Debian' }
+ end
+
+ end
+
+ context 'on RedHat platforms' do
+ let :facts do
+ { :osfamily => 'RedHat' }
+ end
+
+ it_configures 'contrail-rabbitmq settings'
+ end
+
+end
diff --git a/spec/classes/cloud_network_contrail_vrouter_spec.rb b/spec/classes/cloud_network_contrail_vrouter_spec.rb
new file mode 100644
index 00000000..ef265168
--- /dev/null
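Review bot: The spec pins `:password => 'contrailpassword'` on a user declared with `:admin => 'true'` and `.*` configure/write/read permissions on vhost `/`, while `let :params` passes nothing, so the manifest under test (not part of this diff) presumably ships that literal as its default and the test locks the default in rather than exercising a caller-supplied value. Passing the password through `params` here and asserting on that value, with the manifest failing when none is given, is what keeps an administrative broker account from being deployed with a well-known credential. If the default is kept on purpose, the example name or a comment should say it is checking a placeholder that deployments must override.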
+++ b/spec/classes/cloud_network_contrail_vrouter_spec.rb
@@ -0,0 +1,50 @@
+#
+# Copyright (C) 2015 eNovance SAS
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for cloud::network::contrail::vrouter
+#
+
+require 'spec_helper'
+
+describe 'cloud::network::contrail::vrouter' do
+
+ shared_examples_for 'contrail-vrouter server' do
+
+ let :params do
+ { }
+ end
+
+ it 'configure contrail-vrouter' do
+ is_expected.to contain_class('contrail::vrouter')
+ end
+
+ end
+
+ context 'on Debian platforms' do
+ let :facts do
+ { :osfamily => 'Debian' }
+ end
+
+ end
+
+ context 'on RedHat platforms' do
+ let :facts do
+ { :osfamily => 'RedHat' }
+ end
+
+ it_configures 'contrail-vrouter server'
+ end
+
+end
diff --git a/spec/classes/cloud_network_contrail_webui_spec.rb b/spec/classes/cloud_network_contrail_webui_spec.rb
new file mode 100644
index 00000000..48045c5e
--- /dev/null
+++ b/spec/classes/cloud_network_contrail_webui_spec.rb
@@ -0,0 +1,80 @@
+#
+# Copyright (C) 2015 eNovance SAS
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for cloud::network::contrail::webui
+#
+
+require 'spec_helper'
+
+describe 'cloud::network::contrail::webui' do
+
+ shared_examples_for 'contrail-webui server' do
+
+ let :params do
+ { }
+ end
+
+ it 'configure contrail-webui' do
+ is_expected.to contain_class('contrail::webui')
+ end
+
+ context 'with default firewall enabled' do
+ let :pre_condition do
+ "class { 'cloud': manage_firewall => true }"
+ end
+ it 'configure contrail-webui firewall rules' do
+ is_expected.to contain_firewall('100 allow contrail webui access').with(
+ :port => ['8080', '8143'],
+ :proto => 'tcp',
+ :action => 'accept',
+ )
+ end
+ end
+
+ context 'with custom firewall enabled' do
+ let :pre_condition do
+ "class { 'cloud': manage_firewall => true }"
+ end
+ before :each do
+ params.merge!(:firewall_settings => { 'limit' => '50/sec' } )
+ end
+ it 'configure contrail-webui firewall rules with custom parameter' do
+ is_expected.to contain_firewall('100 allow contrail webui access').with(
+ :port => ['8080', '8143'],
+ :proto => 'tcp',
+ :action => 'accept',
+ :limit => '50/sec',
+ )
+ end
+ end
+
+ end
+
+ context 'on Debian platforms' do
+ let :facts do
+ { :osfamily => 'Debian' }
+ end
+
+ end
+
+ context 'on RedHat platforms' do
+ let :facts do
+ { :osfamily => 'RedHat' }
+ end
+
+ it_configures 'contrail-webui server'
+ end
+
+end