Sync openstack modules.

Update ironic to 10b056b50847863f44f24c5663c31384fd130169

10b056b50847863f44f24c5663c31384fd130169 [inspector] allow sending random kernel arguments to the IPA

Change-Id: If276324913c3cfb29e8adced0ae07c08707e7fd0

Update neutron to 4cf267714f0f8d28f38e2cd96cb25d8967ec3be7

4cf267714f0f8d28f38e2cd96cb25d8967ec3be7 Add ensure_*aas_package booleans for ::neutron::server

Change-Id: I4bdfba7367399e12d7cbebcd33a04577841271e0

Update tripleo to dbfada57bc9a24c7ad0aa5c7d3689683bdcc0a54

dbfada57bc9a24c7ad0aa5c7d3689683bdcc0a54 Merge "Upgrade all packages after puppet managed ones" into stable/liberty
de9e808af2f790a5bb2aabf51a8ad1241c3359da Merge "Enable X-Forwarded-Proto header for keystone admin endpoint" into stable/liberty
1e587ec106ba7b65b55cffab3686f4b62be1b4e8 Merge "Enable X-Forwarded-Proto header for Heat and Nova" into stable/liberty
75e74262a6278b34751162d5937197237ef8ec97 Merge "Allows customization of the HAProxy default timeouts" into stable/liberty
d931860c8565d29fc91d6505345bb85a17d05b44 Enable X-Forwarded-Proto header for Heat and Nova
c86f77fa3eb1e474eee0ac899f25a2eb03def06f Upgrade all packages after puppet managed ones
39dab0e5e3b9d1c3bb1dad709dacc9d237bcc645 Enable X-Forwarded-Proto header for keystone admin endpoint
513d33345816cf353c617393cb7f1a59fb339658 Allows customization of the HAProxy default timeouts

Change-Id: Ie3c06fae935827a830aa3cb418bbb6098b9f4dc8

Update openstack_extras to 63bebcae6cc4b8396434756b38a3547f9c73de9a

63bebcae6cc4b8396434756b38a3547f9c73de9a Add project_name parameter for auth_file

Change-Id: Iaf674e1e7dbda3bafb4975f60f2a26826de3ea9a

Puppetfile

@@ -91,7 +91,7 @@ mod 'inifile',
   :git => 'https://github.com/puppetlabs/puppetlabs-inifile.git'
 
 mod 'ironic',
-  :commit => '754a156d6a9f1175a454789c53f2e288e7ec8e21',
+  :commit => '10b056b50847863f44f24c5663c31384fd130169',
   :git => 'https://github.com/openstack/puppet-ironic.git'
 
 mod 'java',
@@ -155,7 +155,7 @@ mod 'nagios',
   :git => 'https://github.com/gildub/puppet-nagios-openstack.git'
 
 mod 'neutron',
-  :commit => 'a83bfe12562273a9e7bbba3ade9d8028bb6edd9d',
+  :commit => '4cf267714f0f8d28f38e2cd96cb25d8967ec3be7',
   :git => 'https://github.com/openstack/puppet-neutron.git'
 
 mod 'nova',
@@ -175,7 +175,7 @@ mod 'opendaylight',
   :git => 'https://github.com/dfarrell07/puppet-opendaylight.git'
 
 mod 'openstack_extras',
-  :commit => '9dbbbe3f40d62e391e1dd682975cd5fed8b6d64a',
+  :commit => '63bebcae6cc4b8396434756b38a3547f9c73de9a',
   :git => 'https://github.com/openstack/puppet-openstack_extras.git'
 
 mod 'openstacklib',
@@ -255,7 +255,7 @@ mod 'tomcat',
   :git => 'https://github.com/puppetlabs/puppetlabs-tomcat.git'
 
 mod 'tripleo',
-  :commit => 'bd23dab3bbc710c72c481953f2cf13f8c51120ad',
+  :commit => 'dbfada57bc9a24c7ad0aa5c7d3689683bdcc0a54',
   :git => 'https://github.com/openstack/puppet-tripleo.git'
 
 mod 'trove',

ironic/manifests/inspector.pp

@@ -138,6 +138,10 @@
 #   Comma-separated list of processing hooks to append to the default list.
 #   Defaults to undef
 #
+# [*ramdisk_kernel_args*]
+#   String with kernel arguments to send to the ramdisk on boot.
+#   Defaults to undef
+#
 class ironic::inspector (
   $package_ensure                  = 'present',
   $enabled                         = true,
@@ -169,6 +173,7 @@
   $sync_db                         = true,
   $ramdisk_collectors              = 'default',
   $additional_processing_hooks     = undef,
+  $ramdisk_kernel_args             = undef,
 ) {
 
   include ::ironic::params

ironic/spec/classes/ironic_inspector_spec.rb

@@ -143,6 +143,7 @@
           :swift_auth_url               => 'http://192.168.0.1:5000/v2.0',
           :pxe_transfer_protocol        => 'http',
           :additional_processing_hooks  => 'hook1,hook2',
+          :ramdisk_kernel_args          => 'foo=bar',
         )
       end
       it 'should replace default parameter with new value' do
@@ -171,7 +172,7 @@
           'content' => /ipxe/,
         )
         is_expected.to contain_file('/httpboot/inspector.ipxe').with_content(
-            /kernel http:\/\/192.168.0.1:8088\/agent.kernel ipa-inspection-callback-url=http:\/\/192.168.0.1:5050\/v1\/continue ipa-inspection-collectors=default/
+            /kernel http:\/\/192.168.0.1:8088\/agent.kernel ipa-inspection-callback-url=http:\/\/192.168.0.1:5050\/v1\/continue ipa-inspection-collectors=default.* foo=bar/
         )
       end
     end

ironic/templates/inspector_ipxe.erb

@@ -2,6 +2,6 @@
 
 dhcp
 
-kernel http://<%= @dnsmasq_local_ip %>:8088/agent.kernel ipa-inspection-callback-url=http://<%= @dnsmasq_local_ip %>:5050/v1/continue ipa-inspection-collectors=<%= @ramdisk_collectors %> systemd.journald.forward_to_console=yes BOOTIF=${mac}
+kernel http://<%= @dnsmasq_local_ip %>:8088/agent.kernel ipa-inspection-callback-url=http://<%= @dnsmasq_local_ip %>:5050/v1/continue ipa-inspection-collectors=<%= @ramdisk_collectors %> systemd.journald.forward_to_console=yes BOOTIF=${mac} <%= @ramdisk_kernel_args %>
 initrd http://<%= @dnsmasq_local_ip %>:8088/agent.ramdisk
 boot

ironic/templates/inspector_pxelinux_cfg.erb

@@ -2,5 +2,5 @@ default inspector
 
 label inspector
 kernel agent.kernel
-append initrd=agent.ramdisk ipa-inspection-callback-url=http://<%= @dnsmasq_local_ip %>:5050/v1/continue ipa-inspection-collectors=<%= @ramdisk_collectors %> systemd.journald.forward_to_console=yes
+append initrd=agent.ramdisk ipa-inspection-callback-url=http://<%= @dnsmasq_local_ip %>:5050/v1/continue ipa-inspection-collectors=<%= @ramdisk_collectors %> systemd.journald.forward_to_console=yes <%= @ramdisk_kernel_args %>
 ipappend 3

neutron/manifests/agents/vpnaas.pp

@@ -91,12 +91,12 @@
   }
 
   if $::neutron::params::vpnaas_agent_package {
-    Package['neutron']            -> Package['neutron-vpnaas-agent']
-    package { 'neutron-vpnaas-agent':
-      ensure => $package_ensure,
-      name   => $::neutron::params::vpnaas_agent_package,
-      tag    => ['openstack', 'neutron-package'],
-    }
+    Package['neutron'] -> Package['neutron-vpnaas-agent']
+    ensure_resource( 'package', 'neutron-vpnaas-agent', {
+      'ensure' => $package_ensure,
+      'name'   => $::neutron::params::vpnaas_agent_package,
+      'tag'    => ['openstack', 'neutron-package'],
+    })
   }
 
   if $manage_service {

neutron/manifests/server.pp

@@ -200,6 +200,54 @@
 #   (optional) Drivers list to use to send the update notification
 #   Defaults to ['message_queue'].
 #
+# [*ensure_vpnaas_package*]
+#   (optional) Ensures installation of VPNaaS package before starting API service.
+#   Set to true to ensure installation of the package that is required to start neutron service if service_plugin is enabled.
+#   Defaults to false.
+#
+# [*ensure_fwaas_package*]
+#   (optional) Ensures installation of FWaaS package before starting API service.
+#   Set to true to ensure installation of the package that is required to start neutron service if service_plugin is enabled.
+#   Defaults to false.
+#
+# [*ensure_lbaas_package*]
+#   (optional) Ensures installation of LBaaS package before starting API service.
+#   Set to true to ensure installation of the package that is required to start neutron service if service_plugin is enabled.
+#   Defaults to false.
+#
+# [*vpnaas_agent_package*]
+#   (optional) Use VPNaaS agent package instead of L3 agent package on debian platforms
+#   RedHat platforms won't take care of this parameter
+#   true/false
+#   Defaults to false
+# === Deprecated Parameters
+#
+# [*identity_uri*]
+#   Deprecated. Auth plugins based authentication should be used instead
+#   (optional) Complete admin Identity API endpoint.
+#   Defaults to: 'http://localhost:35357/'
+#
+# [*auth_region*]
+#   Deprecated. Auth plugins based authentication should be used instead
+#   (optional) The authentication region. Note this value is case-sensitive and
+#   must match the endpoint region defined in Keystone.
+#   Defaults to $::os_service_default
+#
+# [*auth_tenant*]
+#   Deprecated. Auth plugins based authentication should be used instead
+#   (optional) The tenant of the auth user
+#   Defaults to services
+#
+# [*auth_user*]
+#   Deprecated. Auth plugins based authentication should be used instead
+#   (optional) The name of the auth user
+#   Defaults to neutron
+#
+# [*auth_password*]
+#   Deprecated. Auth plugins based authentication should be used instead
+#   (optional) The password to use for authentication (keystone)
+#   Defaults to false. Set a value unless you are using noauth
+#
 class neutron::server (
   $package_ensure                   = 'present',
   $enabled                          = true,
@@ -231,6 +279,10 @@
   $min_l3_agents_per_router         = 2,
   $l3_ha_net_cidr                   = '169.254.192.0/18',
   $qos_notification_drivers         = ['message_queue'],
+  $ensure_vpnaas_package            = false,
+  $ensure_fwaas_package             = false,
+  $ensure_lbaas_package             = false,
+  $vpnaas_agent_package             = false,
   # DEPRECATED PARAMETERS
   $auth_host                        = 'localhost',
   $auth_port                        = '35357',
@@ -248,6 +300,50 @@
   include ::neutron::policy
   require keystone::python
 
+  if $ensure_fwaas_package {
+    if ($::osfamily == 'Debian') {
+      # Debian platforms
+      if $vpnaas_agent_package {
+        ensure_resource( 'package', $::neutron::params::vpnaas_agent_package, {
+          'ensure' => $neutron::package_ensure,
+          'tag'    => ['openstack', 'neutron-package'],
+        })
+        Package[$::neutron::params::vpnaas_agent_package] -> Neutron_fwaas_service_config<||>
+      } else {
+        ensure_resource( 'package', 'neutron-fwaas' , {
+          'name'   => $::neutron::params::fwaas_package,
+          'ensure' => $neutron::package_ensure,
+          'tag'    => ['openstack', 'neutron-package'],
+        })
+      }
+    } elsif($::osfamily == 'Redhat') {
+      # RH platforms
+      ensure_resource( 'package', 'neutron-fwaas', {
+        'name'   => $::neutron::params::fwaas_package,
+        'ensure' => $neutron::package_ensure,
+        'tag'    => ['openstack', 'neutron-package'],
+      })
+    }
+  }
+
+  if $ensure_vpnaas_package {
+    ensure_resource( 'package', 'neutron-vpnaas-agent', {
+      'ensure' => $package_ensure,
+      'name'   => $::neutron::params::vpnaas_agent_package,
+      'tag'    => ['openstack', 'neutron-package'],
+    })
+  }
+
+  if $ensure_lbaas_package {
+    ensure_resource( 'package', 'neutron-lbaas-agent', {
+      'ensure' => $package_ensure,
+      'name'   => $::neutron::params::lbaas_agent_package,
+      'tag'    => ['openstack', 'neutron-package'],
+    })
+  }
+
+
+
   Neutron_config<||>     ~> Service['neutron-server']
   Neutron_api_config<||> ~> Service['neutron-server']
   Class['neutron::policy'] ~> Service['neutron-server']

neutron/spec/classes/neutron_server_spec.rb

@@ -231,6 +231,21 @@
     it_raises 'a Puppet::Error', /auth_password must be set/
   end
 
+  shared_examples_for 'VPNaaS, FWaaS and LBaaS package installation' do
+    before do
+      params.merge!(
+        :ensure_vpnaas_package => true,
+        :ensure_fwaas_package  => true,
+        :ensure_lbaas_package  => true
+      )
+    end
+    it 'should install *aaS packages' do
+      is_expected.to contain_package('neutron-lbaas-agent')
+      is_expected.to contain_package('neutron-fwaas')
+      is_expected.to contain_package('neutron-vpnaas-agent')
+    end
+  end
+
   shared_examples_for 'a neutron server without database synchronization' do
     before do
       params.merge!(

openstack_extras/manifests/auth_file.pp

@@ -32,6 +32,11 @@
 #   (optional) Tenant for this account as defined in keystone
 #   Defaults to 'openstack'.
 #
+# [*project_name*]
+#   (optional) Project for this account as defined in keystone
+#   Use instead of tenant_name for when using identity v3.
+#   Defaults to undef.
+#
 # [*region_name*]
 #   (optional) Openstack region to use
 #   Defaults to 'RegionOne'.
@@ -75,6 +80,7 @@
   $service_endpoint         = 'http://127.0.0.1:35357/v2.0/',
   $username                 = 'admin',
   $tenant_name              = 'openstack',
+  $project_name             = undef,
   $region_name              = 'RegionOne',
   $use_no_cache             = true,
   $cinder_endpoint_type     = 'publicURL',

openstack_extras/spec/classes/openstack_extras_auth_file_spec.rb

@@ -36,6 +36,7 @@
         :service_endpoint         => 'http://127.0.0.2:35357/v2.0/',
         :username                 => 'myuser',
         :tenant_name              => 'mytenant',
+        :project_name             => 'myproject',
         :region_name              => 'myregion',
         :use_no_cache             => 'false',
         :cinder_endpoint_type     => 'internalURL',
@@ -53,6 +54,7 @@
         'export OS_SERVICE_ENDPOINT=\'http://127.0.0.2:35357/v2.0/\'',
         'export OS_NO_CACHE=\'false\'',
         'export OS_TENANT_NAME=\'mytenant\'',
+        'export OS_PROJECT_NAME=\'myproject\'',
         'export OS_USERNAME=\'myuser\'',
         'export OS_PASSWORD=\'admin\'',
         'export OS_AUTH_URL=\'http://127.0.0.2:5000/v2.0/\'',

openstack_extras/templates/openrc.erb

@@ -5,6 +5,9 @@ export OS_SERVICE_ENDPOINT='<%= @service_endpoint %>'
 <% end -%>
 export OS_NO_CACHE='<%= @use_no_cache %>'
 export OS_TENANT_NAME='<%= @tenant_name %>'
+<% if @project_name -%>
+export OS_PROJECT_NAME='<%= @project_name %>'
+<% end -%>
 export OS_USERNAME='<%= @username %>'
 export OS_PASSWORD='<%= @password.gsub(/'/){ %q(\') } %>'
 export OS_AUTH_URL='<%= @auth_url %>'

tripleo/manifests/loadbalancer.pp

@@ -35,6 +35,10 @@
 #  The value to use as maxconn in the haproxy default config section.
 #  Defaults to 4096
 #
+# [*haproxy_default_timeout*]
+#  The value to use as timeout in the haproxy default config section.
+#  Defaults to [ 'http-request 10s', 'queue 1m', 'connect 10s', 'client 1m', 'server 1m', 'check 10s' ]
+#
 # [*haproxy_log_address*]
 #  The IPv4, IPv6 or filesystem socket path of the syslog server.
 #  Defaults to '/dev/log'
@@ -254,6 +258,7 @@
   $haproxy_service_manage    = true,
   $haproxy_global_maxconn    = 20480,
   $haproxy_default_maxconn   = 4096,
+  $haproxy_default_timeout   = [ 'http-request 10s', 'queue 1m', 'connect 10s', 'client 1m', 'server 1m', 'check 10s' ],
   $haproxy_log_address       = '/dev/log',
   $controller_host           = undef,
   $controller_hosts          = undef,
@@ -584,6 +589,7 @@
     }
     $heat_options = {
       'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1",
+      'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'],
     }
     $heat_cw_bind_opts = {
       "${heat_api_vip}:8003" => [],
@@ -651,7 +657,7 @@
       'mode'    => 'tcp',
       'log'     => 'global',
       'retries' => '3',
-      'timeout' => [ 'http-request 10s', 'queue 1m', 'connect 10s', 'client 1m', 'server 1m', 'check 10s' ],
+      'timeout' => $haproxy_default_timeout,
       'maxconn' => $haproxy_default_maxconn,
     },
   }
@@ -676,6 +682,10 @@
     haproxy::listen { 'keystone_admin':
       bind             => $keystone_admin_bind_opts,
       collect_exported => false,
+      mode             => 'http', # Needed for http-request option
+      options          => {
+          'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'],
+      },
     }
     haproxy::balancermember { 'keystone_admin':
       listening_service => 'keystone_admin',
@@ -797,6 +807,10 @@
     haproxy::listen { 'nova_osapi':
       bind             => $nova_osapi_bind_opts,
       collect_exported => false,
+      mode             => 'http',
+      options          => {
+          'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'],
+      },
     }
     haproxy::balancermember { 'nova_osapi':
       listening_service => 'nova_osapi',

tripleo/manifests/packages.pp

@@ -45,7 +45,26 @@
 
   if $enable_upgrade {
     Package <| |> { ensure => 'latest' }
+
+    case $::osfamily {
+      'RedHat': {
+        $pkg_upgrade_cmd = 'yum -y update'
+      }
+      default: {
+        warning('Please specify a package upgrade command for distribution.')
+      }
+    }
+
+    exec { 'package-upgrade':
+      command => $pkg_upgrade_cmd,
+      path    => '/usr/bin',
+    }
+    # A resource chain to ensure the upgrade ordering we want:
+    # 1) upgrade puppet managed packages (will trigger puppet dependencies)
+    # 2) then upgrade all packages via exec
+    # 3) then restart services
+    Package <| |> -> Exec['package-upgrade'] -> Service <| |>
+
   }
 
 }
-