Comment 38 for bug 1645570

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/27900
Committed: http://github.org/Juniper/contrail-fabric-utils/commit/6fc11c4e97ffb5ad74044aabf4543312360d0fb7
Submitter: Zuul (<email address hidden>)
Branch: R3.1.1.x

commit 6fc11c4e97ffb5ad74044aabf4543312360d0fb7
Author: Ignatious Johnson Christopher <email address hidden>
Date: Mon Nov 28 10:49:09 2016 -0800

Make the /etc/contrail/ssl/ directory before copying the ssl certs to the
other cfgm nodes from the first cfgm.

Change-Id: I39022479804f9323b7b5235ce60844d891444dd0
Closes-Bug: 1645433
(cherry picked from commit a2b89e61fa8491ea6c440466b923119523fa6c70)
(cherry picked from commit 08bae9e992d44c70a1580c2e9b8fd593da3d5d73)

fix ceilometer.conf to point to https auth uri in a ssl enabled keystone setup.
fix keystone haproxy backend syntax to support ssl.

Closes-Bug: 1645570
(cherry picked from commit bb6bd44e59de36ae8dfe5b4c18975bbef53d6a00)

Conflicts:
 fabfile/tasks/ssl.py
(cherry picked from commit 0ddd551e0952b9336fb48c9ec3a1e783bb1b15e2)

Conflicts:
 fabfile/tasks/provision.py

Closes-Bug: 1647243
Change-Id: I06740c325a3864b122419ebb7fe77b86cefa23b9
(cherry picked from commit e122c304093be512057e0ffa1d3d4ffb7e08c926)

Removing heartbeat parameter, so that the default value 60 sec will be used.
If we need to override this value in rabbitmq.config, we also need to set
'rabbit_health_check_interval' in the contrail-api.conf to twice the value of
heartbeat set in rabbitmq.config.

Change-Id: I22fab8a3cc7a0b076ae3f642d16029ba5dab8e2f
Partial-Bug: 1639014
(cherry picked from commit 680ddff12195d1d8d0c00216835c217d0e35893d)

zookeeper is moved to cfgm and cassandra will be running
in both cfgm and database nodes, so making backup_restore
procedure to accommodate this.

Change-Id: I66121bbc28609e8c3d48ba52586580d28606aae9
Closs-Bug: 1636344
(cherry picked from commit d6682ad757e35fa170738570f9a99d1b3ced9947)

Ceilometer config file needs to be populated with
keystone certs or insecure flag for it to communicate
with SSL enabled keystone and check for ceilometer support
in respective nodes.

Change-Id: If736de02b73aefeb477cc73a6c9e92cbf2ec8f38
Closes-Bug: 1645570
(cherry picked from commit 9dca170f34951b9dd2c49ec30fcc3c8a01dc978f)

We have to provision both keystone/config-api as https in contrail-cloud deployment.
In contrail-networking deployments we have option of provisioning config-api
with https and using keystone which is pre provisioned with http.
The deployment of keystone with https and config-api with http is not recommended.

Change-Id: If66b897ba95562150920bcd9843895fb48af743d
Closes-Bug: 639074
(cherry picked from commit 4381787db71425175263d4eb5b8f1d69f6b0eb28)

SSL copy to other nodes in the HA cluster fails during parallel
execution. Fixing it by creating separate temp files during copy.

Change-Id: I8f25ebaf5970403950e5966fa04ea09810633dfe
Closes-Bug: 1649470
(cherry picked from commit 2b11a3faab03aad2457ed02a23799514d8f2f25b)

Passing new argument first_cfgm_ip to setup-vnc-config entrypoint script.
Which will be used to populate the ContrailPluginIni and create neutron
endpoint in a SSL enabled cluster non HA setup(no VIP).

Change-Id: I3a2ca5c07cd38c8573d1275654dcb53d30cb0059
Partial-Bug: 1649239
(cherry picked from commit a8d340231e5316a0c24f71e9fdd03409316046fc)

Do not override the user specified cfgm host.

Change-Id: I68ab3e474cca8053cead501a93e29b80017f317b
Closes-Bug: 1649679
(cherry picked from commit 1ab03b60e53d9dfeb53678bbb1ecc929ccbbd8e5)

Haproxy fails to start as the keystone certs are not created before
starting haproxy in a HA setup. Fix is to create keystone ssl
certificates before configuring haproxy and skip recreating
certs during openstack setup.

Change-Id: Ibb53ad16c0222ebd3685a03c09398a1067464664
Closes-Bug: 1649787
(cherry picked from commit af5ce5218fc5106c9f32055595fce58e4534caf4)

Dynamically finding the heat service names based on distribution
using the get_openstack_services to make the restart of heat
services work in both centos/ubuntu platforms.

Change-Id: I6a926fe697f930687dae8f9be388e95a13c6769c
Closes-Bug: 1650784
(cherry picked from commit b814546dcf36affd0e980a93b6b3b1662182ec2f)

Section "Supported Cluster Topologies for High Availability" in
http://www.juniper.net/techpubs/en_US/contrail2.1/topics/concept/high-avail-support.html

Ensuring the above supported topologies by comparing the control_data section/env.ha
section and abort provisioning in the pre_check task.

Change-Id: Ie8efa4802c275fcfada7d0b577345019376eddd8
Closes-Bug: 1649457
(cherry picked from commit ad6c942cab8b69c1c54a2b58e8dd9f3d586f9761)

provisioning alarm in all required fab tasks.

Change-Id: Ic2a85caa077faa0da2e9852b613acb9bc2053870
Closes-Bug: 1651572
(cherry picked from commit a0cfdd069210d49ccbd247c0e1e0b2c6b1506534)

In multi interface setup, ssl certs are created with
external vip as commonName and thus it can be used in
haproxy to terminate SSL at external vip frontend.

Closes-Bug: 1656468

Change-Id: I63fe692cebbfa814d97fb38dec4cda70e418dbd4
(cherry picked from commit f60e5a3c0dcb51d7d99f00dc26cc6f7ebe33857f)