50 Commits

Author SHA1 Message Date
Zuul
8d806277f2 Merge "docs: Add note about internal VIP when HAProxy is disabled" 2021-05-25 12:34:17 +00:00
Mark Goddard
030a9a28d7 docs: Improve policy documentation
Change-Id: Iede747ceaafa54a00186761943fe2f4ac13f9559
2021-04-19 09:39:51 +00:00
Zuul
69b053469f Merge "Add kolla_externally_managed_cert option" 2021-03-26 10:26:11 +00:00
Mark Goddard
db1bc8fc7a docs: Add note about internal VIP when HAProxy is disabled
Change-Id: I08030ac88911d3594c75cb2184767067ad177139
2021-03-25 09:23:26 +00:00
Arthur Outhenin-Chalandre
57220ce1d9 Add kolla_externally_managed_cert option
This option disables copy of certificates from the operator host to
kolla-ansible managed hosts.

This is especially useful if you already have some mechanisms to handle
your certificates directly on your hosts.

Co-Authored-By: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Change-Id: Ie18b2464cb5a65a88c4ac191a921b8074a14f504
2021-03-02 18:09:06 +01:00
Piotr Parczewski
5db72659a0 [docs] Unify project's naming convention
There are inconsistencies across the documentation and the source code files
when it comes to project's name (Kolla Ansible vs. Kolla-Ansible). This
commit aims at unifying it so that the naming becomes consistent everywhere.

Change-Id: I903b2e08f5458b1a1abc4af3abefe20b66c23a54
2021-01-27 20:08:41 +01:00
Victor Morales
520abc8800 Fix api_adress_family typo
Change-Id: Id93e7a91253b46e42d4817785d42ccc52564c330
2020-12-22 18:15:48 -08:00
James Kirsch
93ad57f47e Add support for encrypting backend Neutron API Server
Add TLS support for backend Neutron API Server communication using
HAProxy to perform TLS termination. When used in conjunction with
enabling TLS for service API endpoints, network communication will be
encrypted end to end, from client through HAProxy to the Neutron
service.

Change-Id: Ib333a1f1bd12491df72a9e52d961161210e2d330
Partially-Implements: blueprint add-ssl-internal-network
2020-10-12 17:27:44 +00:00
Zuul
8604dee6b0 Merge "Add support for ACME http-01 challenge" 2020-10-07 23:31:58 +00:00
Radosław Piliszek
2fd72a39e9 Add support for ACME http-01 challenge
All docs are included.

Change-Id: Ie29ff7ca340812c8dc0dac493518c87cf7bf137b
Partially-Implements: blueprint letsencrypt-https
2020-09-26 20:29:20 +02:00
Mark Goddard
761ea9a333 Support TLS encryption of RabbitMQ client-server traffic
This change adds support for encryption of communication between
OpenStack services and RabbitMQ. Server certificates are supported, but
currently client certificates are not.

The kolla-ansible certificates command has been updated to support
generating certificates for RabbitMQ for development and testing.

RabbitMQ TLS is enabled in the all-in-one source CI jobs, or when
the Zuul 'tls_enabled' variable is true.

Change-Id: I4f1d04150fb2b5af085b762890092f87ae6076b5
Implements: blueprint message-queue-ssl-support
2020-09-17 12:05:44 +01:00
wu.chunyang
3c312a4d9e remove obsolete configurations
remove cluster_interface from project.
update storage_interface docs and remove
storage_interface_address variable

Change-Id: I3f811db988234f94b5ed0cc9d24233f70784f58d
2020-08-20 00:06:49 +08:00
James Kirsch
589803c186 Update TLS documentation
Updated TLS documentation to reflect new features and configuration
options added in Ussuri.

Change-Id: I74550eaf394287b14fc521293cc4b5ea8074192c
Partially-Implements: blueprint add-ssl-internal-network
2020-08-04 13:58:39 +01:00
Mark Goddard
3870c74d0b Move TLS documentation to its own page
Moved the TLS documentation from "advanced-configuration" doc to its
own TLS document. This is in preparation for improving it.

Change-Id: I4c83f1810ef1222aaa3560174c1ba39328853c4e
Co-Authored-By: James Kirsch <generalfuzz@gmail.com>
2020-07-27 10:05:58 +00:00
Pierre Riteau
cdd0eb6488 Fix file extension in MariaDB backup docs
Change-Id: I0495c1e33696cea36765f027bc453b9d3e8563e0
2020-05-13 18:47:39 +02:00
Zuul
a44bba845f Merge "Update Advanced Config guide to clarify paths" 2020-05-07 11:41:54 +00:00
James Kirsch
f87814f794 Add support for encrypting Glance api
Add TLS support for Glance api using HAProxy to perform TLS termination.

Change-Id: I77051baaeb5d3f7dd9002262534e7d35f3926809
Partially-Implements: blueprint add-ssl-internal-network
2020-04-30 17:31:58 +01:00
Raimund Hook
08682243ed Update Advanced Config guide to clarify paths
This update clears up an additional path that was mentioned in the
Advanced Configuration documentation, but not actually picked up in the
playbooks.

This specifically affects Service Configuration overrides. The docs have
been cleaned up to reflect the way the playbooks pick up the override
files.

Change-Id: Id15fe139af6462217c2ac26d7d21c5eac5368e12
Closes-Bug: 1873782
Signed-off-by: Raimund Hook <openstack@sting-ray.za.net>
2020-04-20 12:24:16 +01:00
James Kirsch
b475643c11 Add support for encrypting backend Keystone HAProxy traffic
This patch introduces an optional backend encryption for Keystone
service. When used in conjunction with enabling TLS for service API
endpoints, network communication will be encrypted end to end, from
client through HAProxy to the Keystone service.

Change-Id: I6351147ddaff8b2ae629179a9bc3bae2ebac9519
Partially-Implements: blueprint add-ssl-internal-network
2020-04-09 09:22:55 +00:00
Michal Nasiadka
4e6fe7a6da Remove kolla-ceph
Kolla-Ansible Ceph deployment mechanism has been deprecated in Train [1].

This change removes the Ansible code and associated CI jobs.

[1]: https://review.opendev.org/669214

Change-Id: Ie2167f02ad2f525d3b0f553e2c047516acf55bc2
2020-02-11 11:42:06 +01:00
James Kirsch
d100904f2c Generate self signed TLS certificates
Generate both internal and external self signed TLS certificates.
Duplicate the certificate if internal and external VIPs are the same.

Change-Id: I16b345c0b29ff13e042eed8798efe644e0ad2c74
Partially-Implements: blueprint custom-cacerts
2020-01-28 14:03:33 -08:00
James Kirsch
511ba9f6a2 Copy CA into containers.
When kolla_copy_ca_into_containers is set to "yes", the Certificate
Authority in /etc/kolla/certificates will be copied into service
containers to enable trust for that CA. This is especially useful when
the CA is self signed, and would not be trusted by default.

Partially-Implements: blueprint custom-cacerts

Change-Id: I4368f8994147580460ebe7533850cf63a419d0b4
2020-01-28 14:03:32 -08:00
Radosław Piliszek
8ac5ecb295 CentOS 7 IPv6 doc changes
It advertises C7 as an IPv6-compatible platform.
This is possible thanks to fixes in [1] and [2].

[1] https://review.opendev.org/699458
aka 7054b27dbb8bc893c50f66b492b7e14e5bc92237
[2] https://review.opendev.org/699172
aka 908bffcfc2950e271fee1af24fb174fa6bee4aff

Change-Id: Ia353a1663a16f48ac83e5ee9a2cf1d6e183ac3a3
Closes-bug: #1848444
Closes-bug: #1848452
Related-bug: #1856532
Related-bug: #1856725
2020-01-06 14:58:08 +01:00
Zuul
827d70a985 Merge "Docs: remove some bad recommendations" 2020-01-02 14:28:10 +00:00
Radosław Piliszek
ede61e743b Docs: remove some bad recommendations
Change-Id: I401a073eb6225e90b6f9d6b2a32f33d22d1d7a79
2019-12-20 18:41:59 +01:00
Mark Goddard
7f47ddf7f4 Use mariabackup for database backups
Currently, Xtrabackup is used for database backups. However, Xtrabackup
is not compatible with MariaDB 10.3. This change switches to use
mariabackup [1], which is available in the mariadb image.

The documented full and incremental restore procedures have been
modified to use mariabackup, following [2] and [3].

[1] https://mariadb.com/kb/en/library/mariabackup-overview/
[2] https://mariadb.com/kb/en/library/full-backup-and-restore-with-mariabackup/
[3] https://mariadb.com/kb/en/library/incremental-backup-and-restore-with-mariabackup/

Change-Id: Id52b9b1f7b013277e401b1f6b8aed34473d2b2c4
Closes-Bug: #1843043
Depends-On: https://review.opendev.org/691290
2019-11-01 18:44:10 +00:00
Zuul
d3173fdc89 Merge "Docs: Add IPv6 control plane (address families)" 2019-10-28 07:05:24 +00:00
Radosław Piliszek
277675ede0 Docs: Add IPv6 control plane (address families)
IPv6 control plane implementation [1] follow-up.

[1] Ia34e6916ea4f99e9522cd2ddde03a0a4776f7e2c

Change-Id: Icc25463320c23fd510073bff0a8144437a3607a6
2019-10-23 10:10:38 +00:00
Zuul
b432431b24 Merge "Typo fix in docs" 2019-10-22 15:12:26 +00:00
Zuul
41c20eaca8 Merge "Update documentation on overriding config files" 2019-10-22 11:16:22 +00:00
Doug Szumski
25dd068834 Typo fix in docs
Change-Id: I80b4fb4addf4c633172f1c1a99cdf6a6feac3145
2019-10-22 11:00:42 +00:00
Gaëtan Trellu
5b0a281d51 Set RabbitMQ cluster_partition_handling to pause_minority
This is to avoid split-brain.

This change also adds relevant docs that sort out the
HA/quorum questions.

Change-Id: I9a8c2ec4dbbd0318beb488548b2cde8f4e487dc1
Closes-Bug: #1837761
Co-authored-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
2019-10-14 10:44:16 +02:00
Doug Szumski
98bed6c2bf Update documentation on overriding config files
The main motivation here is to document a mechanism which can be
used to configure Nova cells on a per-cell basis without introducing
a myriad of additional locations to put config files. The
following changes are made:

- Remove the note about only ini files being supported because
  merge_yaml is now used
- Expand on supported config file locations
- Add a section on using conditionals in the config file

Partially Implements: blueprint support-nova-cells
Change-Id: I92599e501506fdacaf3adb94cc6fffcf6fea2af3
2019-09-17 18:08:43 +01:00
Krzysztof Klimonda
b0ecd8b67c Implement TLS encryption for internal endpoints
This review is the first one in a series of patches and it introduces an
optional encryption for internal openstack endpoints, implementing part
of the add-ssl-internal-network spec.

Change-Id: I6589751626486279bf24725f22e71da8cd7f0a43
2019-08-22 16:39:21 -07:00
binhong.hua
12ff28a693 Make kolla-ansible support extra volumes
When integrating a 3rd party component into openstack with kolla-ansible,
one may have to mount some extra volumes to the container.

Change-Id: I69108209320edad4c4ffa37dabadff62d7340939
Implements: blueprint support-extra-volumes
2019-05-17 11:55:04 +08:00
Scott Solkhon
a781c64319 Support separate Swift storage networks
Adds support to separate Swift access and replication traffic from other storage traffic.

In a deployment where both Ceph and Swift have been deployed,
this change adds functionality to support optional separation
of storage network traffic. This adds two new network interfaces
'swift_storage_interface' and 'swift_replication_interface' which maintain
backwards compatibility.

The Swift access network interface is configured via 'swift_storage_interface',
which defaults to 'storage_interface'. The Swift replication network
interface is configured via 'swift_replication_interface', which
defaults to 'swift_storage_interface'.

If a separate replication network is used, Kolla Ansible now deploys separate
replication servers for the accounts, containers and objects, that listen on
this network. In this case, these services handle only replication traffic, and
the original account-, container- and object- servers only handle storage
user requests.

Change-Id: Ib39e081574e030126f2d08f51de89641ddb0d42e
2019-03-14 14:00:18 +00:00
Zuul
568fd4dcfd Merge "Use correct variable for default certificate paths" 2018-12-02 09:25:42 +00:00
Nick Jones
f704a78029 Add new option to perform an on-demand backup of MariaDB
blueprint database-backup-recovery

Introduce a new option, mariadb_backup, which takes a backup of all
databases hosted in MariaDB.

Backups are performed using XtraBackup, the output of which is saved to
a dedicated Docker volume on the target host (which defaults to the
first node in the MariaDB cluster).

It supports either full (the default) or incremental backups.

Change-Id: Ied224c0d19b8734aa72092aaddd530155999dbc3
2018-11-22 09:20:59 +00:00
jacky06
377222bb00 Add YAML format into docs for policy file
kolla-ansible supports yaml format for policy file[1] too, but the
docs are missing it; this ps adds it.

[1]: https://github.com/openstack/kolla-ansible/blob/master/ansible/group_vars/all.yml#L393
Closes-Bug: #1804455

Change-Id: I44eb1d64f9299ccaf99972c8b5354683a3501f6b
2018-11-21 08:34:12 -05:00
caoyuan
9223deeecd Use correct variable for default certificate paths
The variable {{ node_config_directory }} is used for the configuration
directory on the remote hosts, and should not be used for paths on the
deploy host (localhost).

This changes the default value of the TLS certificate and CA file to
reference {{ CONFIG_DIR }}, in line with the directory used for
admin-openrc.sh (as of I0709482ead4b7a67e82796e17f85bde151e71bc0).

This change also introduces a variable, {{ node_config }}, that
references {{ CONFIG_DIR | default('/etc/kolla') }}, to remove
duplication.

Change-Id: Ibd82ac78630ebfff5824c329d7399e1e900c0ee0
Closes-Bug: #1804025
2018-11-19 16:25:28 +00:00
chenxing
eaa9815ad2 Remove '.. end' comments
Following by https://review.openstack.org/#/c/605097/
These were used by now-dead tooling. We can remove them.

Change-Id: I0953751044f038a3fdd1acd49b3d2b053ac4bec8
2018-09-28 10:15:37 +08:00
Zuul
353e20b926 Merge "Following the new PTI for document build" 2018-06-04 11:17:49 +00:00
chenxing
38d5ee66cb Remove duplicated content
Change-Id: I0e8b4b443a0659e75a80de1dd1f6418ff2793d2f
Closes-Bug: #1771257
2018-05-25 15:10:34 +08:00
confi-surya
dbf754655f Following the new PTI for document build
For compliance with the Project Testing Interface [1]
as described in [2]

[1]
https://governance.openstack.org/tc/reference/project-testing-interface.html
[2]
http://lists.openstack.org/pipermail/openstack-dev/2017-December/125710.html

doc8 command is dropped from docs tox envs.
So this affects nothing and runs in PEP8.

Related-Bug: #1765348

Depends-On: Icc7fe3a8f9716281de88825e9d5b2fd84de3d00a
Change-Id: Idf9a16111479ccc64004eac9508da575822a3df5
2018-05-21 10:51:59 +01:00
wu.chunyang
39933699bb Add cpu_mode into deployment-philosophy.rst
With libvirt 2.0, when using qemu, cpu mode is not properly
evaluated and needs to be set to cpu_mode = none.

Add this option when kvm is not supported, otherwise users
will still face errors when launching instances over qemu.

Change-Id: I1e25fc5429b92f77ce87f537467f97b510fa154a
2018-03-26 01:55:28 +00:00
chenxing
73f2bce552 Upgrade the rst convention of the Admin Guide
We upgrade the rst convention by following Documentation Contributor
Guide[1].

[1] https://docs.openstack.org/doc-contrib-guide

Change-Id: I89e437b83b0e6a7c1bbfbf4a02a530be072eca91
Partially-Implements: blueprint optimize-the-documentation-format
2018-01-26 19:34:51 +08:00
Zuul
884b82bdab Merge "add official default cpu allocation ratio." 2017-12-13 15:48:20 +00:00
Dai Dang Van
392bf3710c Add note about overwriting policy.json file
Change-Id: I133bd7ed5ac62b9614dece70ceb8016398c138f6
Co-authored-By: Duong Ha-Quang <duonghq@vn.fujitsu.com>
Closes-Bug: #1722744
2017-12-06 02:37:01 +00:00
yanpeifei
5b266b5d58 add official default cpu allocation ratio.
Everyone knows how to override default cpu allocation ratio via it.

Change-Id: I059f5167be170b617a440e2e06b421f9062843a6
2017-10-31 16:25:18 +08:00
Surya Prakash Singh
04fd12b945 Restructured the doc of kolla-ansible
Created the admin directory, remove some files from
user dir and placed into admin and contributor.

For more detail, see the doc migration spec.
http://specs.openstack.org/openstack/docs-specs/specs/pike/os-manuals-migration.html

Change-Id: I84c565d7d14a4d90270a53e14ab93a10f7ffb9b7
Partially-Implements: blueprint ka-queens-doc-restructure
2017-10-05 03:23:23 +00:00