Added Keystone, Glance, Cinder, Nova, Neutron API services & Added...

Added Keystone, Glance, Cinder, Nova, Neutron API services & Added Galera/RabbitMQ to Load-Balancing.
(The commit is pretty big, sorry about that, I'm still bootstrapping the project)

Puppetfile

@@ -18,11 +18,13 @@ mod 'camptocamp-kmod',
     :git => 'https://github.com/camptocamp/puppet-kmod.git'
 mod 'adrien-network',
     :git => 'https://github.com/puppet-community/puppet-network.git'
+mod 'puppetlabs-apt',
+    :git => 'https://github.com/puppetlabs/puppetlabs-apt.git'
 
 # Role Controller
-mod 'puppetlabs-mysql', # This is only required because of https://github.com/michaeltchapman/puppet-galera/pull/22
+mod 'puppetlabs-mysql',
     :git => 'https://github.com/puppetlabs/puppetlabs-mysql.git',
-    :ref => '2.2.0'
+    :ref => '2.3.0' # This is only required because of https://github.com/michaeltchapman/puppet-galera/pull/22
 mod 'michaeltchapman-galera',
     :git => 'https://github.com/michaeltchapman/puppet-galera.git'
 mod 'garethr-erlang', # Required by rabbitmq
@@ -37,3 +39,52 @@ mod 'stackforge-ceph',
 # Role Endpoint
 mod 'puppetlabs-haproxy',
     :git => 'https://github.com/puppetlabs/puppetlabs-haproxy.git'
+
+## The core OpenStack modules
+mod "keystone",
+  :git => "git://github.com/stackforge/puppet-keystone",
+  :ref => "master"
+
+mod "swift",
+  :git => "git://github.com/stackforge/puppet-swift",
+  :ref => "master"
+
+mod "glance",
+  :git => "git://github.com/stackforge/puppet-glance",
+  :ref => "master"
+
+mod "cinder",
+  :git => "git://github.com/stackforge/puppet-cinder",
+  :ref => "master"
+
+mod "neutron",
+  :git => "git://github.com/stackforge/puppet-neutron",
+  :ref => "master"
+
+mod "nova",
+  :git => "git://github.com/stackforge/puppet-nova",
+  :ref => "master"
+
+mod "heat",
+  :git => "git://github.com/stackforge/puppet-heat",
+  :ref => "master"
+
+mod "ceilometer",
+  :git => "git://github.com/stackforge/puppet-ceilometer",
+  :ref => "master"
+
+mod "horizon",
+  :git => "git://github.com/stackforge/puppet-horizon",
+  :ref => "master"
+
+mod "openstacklib",
+  :git => "git://github.com/stackforge/puppet-openstacklib",
+  :ref => "master"
+
+mod "tempest",
+  :git => "git://github.com/stackforge/puppet-tempest",
+  :ref => "master"
+
+mod "vswitch",
+  :git => "git://github.com/stackforge/puppet-vswitch",
+  :ref => "master"

examples/common.yaml

+iaas::region: "polytech"
+
 # Node
 iaas::profile::base::netmask: 255.255.192.0
 iaas::profile::base::gateway: 192.168.0.1
@@ -7,19 +9,60 @@ iaas::profile::base::ssh_public_key: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEAo/JkbGO
 iaas::profile::base::ntp_servers: [puppet]
 
 # Endpoints
+iaas::role::endpoint::main_address: endpoint-1 # The main address used to access the cluster / the load-balancers ;; should point to the dns round-robin for endpoints
 iaas::role::endpoint::haproxy_port: [8140]
 
-# Controller
-iaas::role::controller::servers: [192.168.3.1, 192.168.3.2, 192.168.3.3]
-iaas::role::controller::server_hosts: [controller-1, controller-2, controller-3]
+# Galera MySQL
+iaas::profile::database::servers: [controller-1, controller-2, controller-3]
+iaas::profile:database::galera_master: controller-1
+iaas::profile:database::galera_password: test
+
+iaas::mysql::allowed_hosts: ["%"] # Remove % in production env and replace by something like : endpoint-1, endpoint-2
+iaas::mysql::keystone::user: keystone
+iaas::mysql::keystone::password: keystone
+iaas::mysql::glance::user: glance
+iaas::mysql::glance::password: glance
+iaas::mysql::cinder::user: cinder
+iaas::mysql::cinder::password: cinder
+iaas::mysql::nova::user: nova
+iaas::mysql::nova::password: nova
+iaas::mysql::neutron::user: neutron
+iaas::mysql::neutron::password: neutron
+
+# Rabbitmq
+iaas::profile::rabbitmq::servers: [controller-1, controller-2, controller-3]
+iaas::profile::rabbitmq::user: openstack
+iaas::profile::rabbitmq::password: iaas
+iaas::profile::rabbitmq::erlang: GWFFDKEXVWEMGMFLSFQX
+
+# Keystone
+iaas::profile::keystone::admin_token: '36c428a03be7d4f3cb0c'
+
+iaas::profile::keystone::admin_email: 'me@quentin-machu.fr'
+iaas::profile::keystone::admin_password: 'keystone'
 
-iaas::role::controller::galera_master: controller-1.iaas
-iaas::role::controller::galera_password: iaas
-galera::status::status_allow: localhost
+iaas::profile::keystone::tenants:
+    "test":
+        description: "Test tenant"
 
-iaas::role::controller::rabbitmq_user: openstack
-iaas::role::controller::rabbitmq_password: iaas
-iaas::role::controller::rabbitmq_erlang: GWFFDKEXVWEMGMFLSFQX
+iaas::profile::keystone::users:
+    "test":
+        password: "test"
+        tenant: "test"
+        email: "test@example.com"
+        admin: true
+    "demo":
+        password: "demo"
+        tenant: "test"
+        email: "demo@example.com"
+        admin: false
+
+# Glance
+iaas::profile::glance::keystone_password: glance
+
+# Cinder
+iaas::profile::cinder::password: cinder
+iaas::profile::cinder::volume_size: 8G
 
 # Ceph
 iaas::role::storage::cluster_vlan: 8
@@ -29,7 +72,7 @@ ceph::profile::params:release: 'firefly'
 ceph::profile::params::fsid: '8bd6398b-65a2-4254-bb00-1ff2468d2806'
 ceph::profile::params:authentication_type: 'cephx'
 ceph::profile::params:mon_initial_members: ''
-ceph::profile::params::mon_host: '192.168.1.1:6789, 192.168.1.2:6789, 192.168.1.3:6789'
+ceph::profile::params::mon_host: 'ceph-1:6789, ceph-2:6789, ceph-3:6789'
 ceph::profile::params::osd_pool_default_pg_num: 128
 ceph::profile::params::osd_pool_default_pgp_num: 128
 ceph::profile::params::osd_pool_default_size: 3
@@ -44,6 +87,23 @@ ceph::profile::params::bootstrap_osd_key: 'AQAhksZU+JhpIxAACevduqas0p+fRJDhGLg9l
 ceph::profile::params::bootstrap_mds_key: 'AQApksZUIJhXJxAAEHVW/dbL1OeLA7Om++zdVw=='
 
 ceph::keys::args:
-  client.app:
-    secret: AQCdC8FU+HpKKRAAdjPWy4epdofGDpJQJi9iiA==
+  client.glance:
+    secret: AQBgGdJUCPwjLRAARZ0KEaxewYcYHT3j5Gl5Cg==
     cap_mon: allow r
+    cap_osd: allow class-read object_prefix rbd_children, allow rwx pool=images
+
+# Nova
+iaas::profile::nova::controller::password: nova
+
+# Neutron
+iaas::profile::neutron::password: neutron
+iaas::profile::neutron::secret: neutron
+
+iaas::profile::neutron::server::data_network_address: 10.0.0.0
+iaas::profile::neutron::server::core_plugin: 'neutron.plugins.ml2.plugin.Ml2Plugin'
+iaas::profile::neutron::server::service_plugins:
+  - 'neutron.services.l3_router.l3_router_plugin.L3RouterPlugin'
+  - 'neutron.services.loadbalancer.plugin.LoadBalancerPlugin'
+  - 'neutron.services.vpn.plugin.VPNDriverPlugin'
+  - 'neutron.services.firewall.fwaas_plugin.FirewallPlugin'
+  - 'neutron.services.metering.metering_plugin.MeteringPlugin'

examples/nodes/ceph-1.iaas.yaml

@@ -12,9 +12,19 @@ ceph::profile::params::osds:
     journal:
 
 ceph::keys::args:
-  client.app:
-    secret: AQCdC8FU+HpKKRAAdjPWy4epdofGDpJQJi9iiA==
+  client.glance:
+    secret: AQBgGdJUCPwjLRAARZ0KEaxewYcYHT3j5Gl5Cg==
     cap_mon: allow r
+    cap_osd: allow class-read object_prefix rbd_children, allow rwx pool=images
     inject: true
     inject_as_id: mon.
     inject_keyring: /var/lib/ceph/mon/ceph-%{::hostname}/keyring
+  client.cinder:
+    secret: AQC5UtJUIJ4UMhAASaCGxC6d4wWhDW0GT6/IOA==
+    cap_mon: allow r
+    cap_osd: allow class-read object_prefix rbd_children, allow rwx pool=volumes, allow rwx pool=vms, allow rx pool=images
+    inject: true
+    inject_as_id: mon.
+    inject_keyring: /var/lib/ceph/mon/ceph-%{::hostname}/keyring
+
+#ceph auth get-or-create client.cinder-backup mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool=backups'

examples/nodes/ceph-2.iaas.yaml

@@ -12,9 +12,17 @@ ceph::profile::params::osds:
     journal:
 
 ceph::keys::args:
-  client.app:
-    secret: AQCdC8FU+HpKKRAAdjPWy4epdofGDpJQJi9iiA==
+  client.glance:
+    secret: AQBgGdJUCPwjLRAARZ0KEaxewYcYHT3j5Gl5Cg==
     cap_mon: allow r
+    cap_osd: allow class-read object_prefix rbd_children, allow rwx pool=images
+    inject: true
+    inject_as_id: mon.
+    inject_keyring: /var/lib/ceph/mon/ceph-%{::hostname}/keyring
+  client.cinder:
+    secret: AQC5UtJUIJ4UMhAASaCGxC6d4wWhDW0GT6/IOA==
+    cap_mon: allow r
+    cap_osd: allow class-read object_prefix rbd_children, allow rwx pool=volumes, allow rwx pool=vms, allow rx pool=images
     inject: true
     inject_as_id: mon.
     inject_keyring: /var/lib/ceph/mon/ceph-%{::hostname}/keyring

examples/nodes/ceph-3.iaas.yaml

@@ -12,9 +12,17 @@ ceph::profile::params::osds:
     journal:
 
 ceph::keys::args:
-  client.app:
-    secret: AQCdC8FU+HpKKRAAdjPWy4epdofGDpJQJi9iiA==
+  client.glance:
+    secret: AQBgGdJUCPwjLRAARZ0KEaxewYcYHT3j5Gl5Cg==
     cap_mon: allow r
+    cap_osd: allow class-read object_prefix rbd_children, allow rwx pool=images
+    inject: true
+    inject_as_id: mon.
+    inject_keyring: /var/lib/ceph/mon/ceph-%{::hostname}/keyring
+  client.cinder:
+    secret: AQC5UtJUIJ4UMhAASaCGxC6d4wWhDW0GT6/IOA==
+    cap_mon: allow r
+    cap_osd: allow class-read object_prefix rbd_children, allow rwx pool=volumes, allow rwx pool=vms, allow rx pool=images
     inject: true
     inject_as_id: mon.
     inject_keyring: /var/lib/ceph/mon/ceph-%{::hostname}/keyring

examples/nodes/controller-1.iaas.yaml

 # Node
 iaas::profile::base::ipaddress: 192.168.3.1
+
+# Keystone
+iaas::profile::keystone::public_ipaddress: 192.168.3.1
+iaas::profile::keystone::admin_ipaddress: 192.168.3.1
+
+# Glance
+iaas::profile::glance::public_ipaddress: 192.168.3.1
+iaas::profile::glance::admin_ipaddress: 192.168.3.1
+
+# Cinder
+iaas::profile::cinder::public_ipaddress: 192.168.3.1
+iaas::profile::cinder::admin_ipaddress: 192.168.3.1
+iaas::profile::cinder::secret: AQC5UtJUIJ4UMhAASaCGxC6d4wWhDW0GT6/IOA==
+
+# Neutron
+iaas::profile::neutron::server::public_ipaddress: 192.168.3.1
+iaas::profile::neutron::server::admin_ipaddress: 192.168.3.1
+
+# Ceph keys
+ceph::keys::args:
+  client.glance:
+    secret: AQBgGdJUCPwjLRAARZ0KEaxewYcYHT3j5Gl5Cg==
+    cap_mon: allow r
+    cap_osd: allow class-read object_prefix rbd_children, allow rwx pool=images
+    user: glance
+    group: glance
+    mode: '0550'
+  client.cinder:
+    secret: AQC5UtJUIJ4UMhAASaCGxC6d4wWhDW0GT6/IOA==
+    cap_mon: allow r
+    cap_osd: allow class-read object_prefix rbd_children, allow rwx pool=volumes, allow rwx pool=vms, allow rx pool=images
+    user: cinder
+    group: cinder
+    mode: '0550'
+
+# Nova
+iaas::profile::nova::controller::public_ipaddress: 192.168.3.1
+iaas::profile::nova::controller::admin_ipaddress: 192.168.3.1

examples/nodes/controller-2.iaas.yaml

 # Node
 iaas::profile::base::ipaddress: 192.168.3.2
+
+# Keystone
+iaas::profile::keystone::public_ipaddress: 192.168.3.2
+iaas::profile::keystone::admin_ipaddress: 192.168.3.2
+
+# Glance
+iaas::profile::glance::public_ipaddress: 192.168.3.2
+iaas::profile::glance::admin_ipaddress: 192.168.3.2
+
+# Cinder
+iaas::profile::cinder::public_ipaddress: 192.168.3.2
+iaas::profile::cinder::admin_ipaddress: 192.168.3.2
+iaas::profile::cinder::secret: AQC5UtJUIJ4UMhAASaCGxC6d4wWhDW0GT6/IOA==
+
+# Neutron
+iaas::profile::neutron::server::public_ipaddress: 192.168.3.2
+iaas::profile::neutron::server::admin_ipaddress: 192.168.3.2
+
+# Ceph keys
+ceph::keys::args:
+  client.glance:
+    secret: AQBgGdJUCPwjLRAARZ0KEaxewYcYHT3j5Gl5Cg==
+    cap_mon: allow r
+    cap_osd: allow class-read object_prefix rbd_children, allow rwx pool=images
+    user: glance
+    group: glance
+    mode: '0550'
+  client.cinder:
+    secret: AQC5UtJUIJ4UMhAASaCGxC6d4wWhDW0GT6/IOA==
+    cap_mon: allow r
+    cap_osd: allow class-read object_prefix rbd_children, allow rwx pool=volumes, allow rwx pool=vms, allow rx pool=images
+    user: cinder
+    group: cinder
+    mode: '0550'
+
+# Nova
+iaas::profile::nova::controller::public_ipaddress: 192.168.3.2
+iaas::profile::nova::controller::admin_ipaddress: 192.168.3.2

examples/nodes/controller-3.iaas.yaml

 # Node
 iaas::profile::base::ipaddress: 192.168.3.3
+
+# Keystone
+iaas::profile::keystone::public_ipaddress: 192.168.3.3
+iaas::profile::keystone::admin_ipaddress: 192.168.3.3
+
+# Glance
+iaas::profile::glance::public_ipaddress: 192.168.3.3
+iaas::profile::glance::admin_ipaddress: 192.168.3.3
+
+# Cinder
+iaas::profile::cinder::public_ipaddress: 192.168.3.3
+iaas::profile::cinder::admin_ipaddress: 192.168.3.3
+iaas::profile::cinder::secret: AQC5UtJUIJ4UMhAASaCGxC6d4wWhDW0GT6/IOA==
+
+# Neutron
+iaas::profile::neutron::server::public_ipaddress: 192.168.3.3
+iaas::profile::neutron::server::admin_ipaddress: 192.168.3.3
+
+# Ceph keys
+ceph::keys::args:
+  client.glance:
+    secret: AQBgGdJUCPwjLRAARZ0KEaxewYcYHT3j5Gl5Cg==
+    cap_mon: allow r
+    cap_osd: allow class-read object_prefix rbd_children, allow rwx pool=images
+    user: glance
+    group: glance
+    mode: '0550'
+  client.cinder:
+    secret: AQC5UtJUIJ4UMhAASaCGxC6d4wWhDW0GT6/IOA==
+    cap_mon: allow r
+    cap_osd: allow class-read object_prefix rbd_children, allow rwx pool=volumes, allow rwx pool=vms, allow rx pool=images
+    user: cinder
+    group: cinder
+    mode: '0550'
+
+# Nova
+iaas::profile::nova::controller::public_ipaddress: 192.168.3.3
+iaas::profile::nova::controller::admin_ipaddress: 192.168.3.3

manifests/profile/base.pp

@@ -7,6 +7,16 @@ class iaas::profile::base (
   $ssh_public_key,
   $ntp_servers
 ) {
+  # Apt repo
+  apt::source { 'ubuntu-cloud-archive':
+    location => 'http://ubuntu-cloud.archive.canonical.com/ubuntu',
+    release => "${::lsbdistcodename}-updates/juno",
+    repos => 'main',
+    required_packages => 'ubuntu-cloud-keyring',
+  } -> exec { "apt_upgrade":
+    command => "apt-get update && apt-get -y upgrade"
+  }
+
   # Locales
   class { 'locales':
     default_locale  => 'en_US.UTF-8',

manifests/profile/cinder.pp

+class iaas::profile::cinder (
+  $password = undef,
+  $public_ipaddress = undef,
+  $admin_ipaddress = undef,
+  $secret = undef,
+  $volume_size = undef,
+
+  $region = hiera('iaas::region', undef),
+  $endpoint = hiera('iaas::role::endpoint::main_address', undef),
+  $rabbitmq_user = hiera('iaas::profile::rabbitmq::user', undef),
+  $rabbitmq_password = hiera('iaas::profile::rabbitmq::password', undef),
+) {
+  include iaas::resources::connectors
+  iaas::resources::database { 'cinder': }
+
+  class { '::cinder':
+    database_connection => $iaas::resources::connectors::cinder,
+    rabbit_host => $endpoint,
+    rabbit_userid => $rabbitmq_user,
+    rabbit_password => $rabbitmq_password,
+    mysql_module => '2.3',
+    database_idle_timeout => 50, # Important to avoid facing "MySQL server has gone away" while using HAProxy+Galera. Should be < HAProxy server timeout (default: 60s)
+  }
+
+  class { '::cinder::glance':
+    glance_api_servers => [ "${endpoint}:9292" ],
+  }
+
+  class { '::cinder::keystone::auth':
+    password => $password,
+    public_address => $public_ipaddress,
+    admin_address => $admin_ipaddress,
+    internal_address => $admin_ipaddress,
+    region => $region,
+  }
+
+  class { '::cinder::api':
+    keystone_password => $password,
+    keystone_auth_host => $endpoint,
+    enabled => true,
+  }
+
+  class { '::cinder::scheduler':
+    scheduler_driver => 'cinder.scheduler.simple.SimpleScheduler',
+    enabled => true,
+  }
+
+  class { '::cinder::setup_test_volume':
+    volume_name => 'cinder-volumes',
+    size => $volume_size
+  } ->
+
+  class { '::cinder::volume':
+    package_ensure => present,
+    enabled => true,
+  }
+
+  class { '::cinder::volume::rbd':
+    rbd_pool => 'volumes',
+    rbd_user => 'cinder',
+    rbd_secret_uuid => $secret, #FIXME Necessary ?
+  }
+
+  @@haproxy::balancermember { "cinder_api_${::fqdn}":
+    listening_service => 'cinder_api_cluster',
+    server_names => $::hostname,
+    ipaddresses => $public_ipaddress,
+    ports => '8776',
+    options => 'check inter 2000 rise 2 fall 5',
+  }
+}

manifests/profile/database.pp

+class iaas::profile::database (
+  $servers = undef,
+  $galera_master = undef,
+  $galera_password = undef,
+) {
+  class { 'galera':
+    galera_servers => $servers,
+    galera_master => $galera_master,
+    root_password => $galera_password,
+    configure_firewall => false,
+  } -> Service['mysqld'] -> anchor { 'database-service': }
+
+  @@haproxy::balancermember { "galera_${::fqdn}":
+    listening_service => 'galera',
+    server_names      => $::hostname,
+    ipaddresses       => $::ipaddress,
+    ports             => '3306',
+    options           => 'check port 9200 inter 2000 rise 2 fall 5',
+  }
+}

manifests/profile/glance.pp

+class iaas::profile::glance (
+  $keystone_password = undef,
+  $public_ipaddress = undef,
+  $admin_ipaddress = undef,
+
+  $region = hiera('iaas::region', undef),
+  $endpoint = hiera('iaas::role::endpoint::main_address', undef),
+  $rabbitmq_user = hiera('iaas::profile::rabbitmq::user', undef),
+  $rabbitmq_password = hiera('iaas::profile::rabbitmq::password', undef),
+) {
+  include iaas::resources::connectors
+
+  class { 'ceph::profile::client': } ->
+  class { 'ceph::keys': } ->
+
+  class { '::glance::api':
+    keystone_password => $keystone_password,
+    auth_host => $endpoint,
+    keystone_tenant => 'services',
+    keystone_user => 'glance',
+    database_connection => $iaas::resources::connectors::glance,
+    registry_host => 'localhost',
+    mysql_module => '2.3',
+    os_region_name => $region,
+    known_stores => ['rbd'],
+    database_idle_timeout => 50, # Important to avoid facing "MySQL server has gone away" while using HAProxy+Galera. Should be < HAProxy server timeout (default: 60s)
+  }
+
+  class { '::glance::backend::rbd':
+    rbd_store_user => 'glance',
+    rbd_store_ceph_conf => '/etc/ceph/ceph.conf',
+    rbd_store_pool => 'images',
+  }
+
+  class { '::glance::registry':
+    keystone_password => $keystone_password,
+    database_connection => $iaas::resources::connectors::glance,
+    auth_host => $endpoint,
+    keystone_tenant => 'services',
+    keystone_user => 'glance',
+    mysql_module => '2.3',
+    database_idle_timeout => 50, # Important to avoid facing "MySQL server has gone away" while using HAProxy+Galera. Should be < HAProxy server timeout (default: 60s)
+  }
+
+  class { '::glance::notify::rabbitmq':
+    rabbit_userid => $rabbitmq_user,
+    rabbit_password => $rabbitmq_password,
+    rabbit_host => $endpoint,
+  }
+
+  iaas::resources::database { 'glance': }
+
+  class  { '::glance::keystone::auth':
+    password => $keystone_password,
+    public_address => $public_ipaddress,
+    admin_address => $admin_ipaddress,
+    internal_address => $admin_ipaddress,
+    region => $region,
+  }
+
+  @@haproxy::balancermember { "glance_registry_${::fqdn}":
+    listening_service => 'glance_registry_cluster',
+    server_names => $::hostname,
+    ipaddresses => $::ipaddress,
+    ports => '9191',
+    options => 'check inter 2000 rise 2 fall 5',
+  }
+  @@haproxy::balancermember { "glance_api_${::fqdn}":
+    listening_service => 'glance_api_cluster',
+    server_names => $::hostname,
+    ipaddresses => $public_ipaddress,
+    ports => '9292',
+    options => 'check inter 2000 rise 2 fall 5',
+  }
+}

manifests/profile/keystone.pp

+class iaas::profile::keystone (
+  $admin_token = undef,
+  $admin_email = undef,
+  $admin_password = undef,
+  $tenants = undef,
+  $users = undef,
+
+  $public_ipaddress = undef,
+  $admin_ipaddress = undef,
+
+  $region = hiera('iaas::region', undef),
+) {
+  iaas::resources::database { 'keystone': }
+
+  include iaas::resources::connectors
+  class { '::keystone':
+    admin_token => $admin_token,
+    database_connection => $iaas::resources::connectors::keystone,
+    admin_bind_host => '0.0.0.0',
+    mysql_module => '2.3',
+    database_idle_timeout => 50, # Important to avoid facing "MySQL server has gone away" while using HAProxy+Galera. Should be < HAProxy server timeout (default: 60s)
+  }
+
+  class { '::keystone::roles::admin':
+    email => $admin_email,
+    password => $admin_password,
+    admin_tenant => 'admin',
+  }
+
+  class { 'keystone::endpoint':
+    public_url => "${public_ipaddress}",
+    admin_url => "${admin_ipaddress}",
+    internal_url => "${admin_ipaddress}",
+    region => $region,
+  }
+
+  create_resources('iaas::resources::tenant', $tenants)
+  create_resources('iaas::resources::user', $users)
+
+  @@haproxy::balancermember { "keystone_admin_cluster_${::fqdn}":
+    listening_service => 'keystone_admin_cluster',
+    server_names => $::hostname,
+    ipaddresses => $admin_ipaddress,
+    ports => '35357',
+    options => 'check inter 2000 rise 2 fall 5',
+  }
+  @@haproxy::balancermember { "keystone_public_internal_cluster_${::fqdn}":
+    listening_service => 'keystone_public_internal_cluster',
+    server_names => $::hostname,
+    ipaddresses => $public_ipaddress,
+    ports => '5000',
+    options => 'check inter 2000 rise 2 fall 5',
+  }
+}

manifests/profile/neutron/server.pp

+class iaas::profile::neutron::server (
+  $public_ipaddress = undef,
+  $admin_ipaddress = undef,
+
+  $data_network_address = undef,
+  $core_plugin = undef,
+  $service_plugins = undef,
+
+  $neutron_password = hiera('iaas::profile::neutron::password', undef),
+  $nova_password = hiera('iaas::profile::nova::controller::password', undef),
+
+  $region = hiera('iaas::region', undef),
+  $endpoint = hiera('iaas::role::endpoint::main_address', undef),
+  $rabbitmq_user = hiera('iaas::profile::rabbitmq::user', undef),
+  $rabbitmq_password = hiera('iaas::profile::rabbitmq::password', undef),
+) {
+  include iaas::resources::connectors
+  iaas::resources::database { 'neutron': }
+
+  class { '::neutron':
+    core_plugin           => $core_plugin,
+    allow_overlapping_ips => true,
+    rabbit_host           => $endpoint,
+    rabbit_user           => $rabbitmq_user,
+    rabbit_password       => $rabbitmq_password,
+    service_plugins       => $service_plugins,
+  }
+
+  class { '::neutron::keystone::auth':
+    password         => $neutron_password,
+    public_address   => $public_ipaddress,
+    admin_address    => $admin_ipaddress,
+    internal_address => $admin_ipaddress,
+    region           => $region,
+  }
+
+  class { '::neutron::server':
+    auth_host           => $endpoint,
+    auth_password       => $neutron_password,
+    database_connection => $iaas::resources::connectors::neutron,
+    enabled             => true,
+    sync_db             => true,
+    mysql_module        => '2.3',
+    database_idle_timeout => 50, # Important to avoid facing "MySQL server has gone away" while using HAProxy+Galera. Should be < HAProxy server timeout (default: 60s)
+  }
+
+  class { '::neutron::server::notifications':
+    nova_url            => "http://${endpoint}:8774/v2/",
+    nova_admin_auth_url => "http://${endpoint}:35357/v2.0/",
+    nova_admin_password => $nova_password,
+    nova_region_name    => $region,
+  }
+
+  /* On Compute node:
+  class { '::neutron::agents::ml2::ovs':
+    enable_tunneling => true,
+    local_ip         => $data_network_address,
+    enabled          => true,
+    tunnel_types     => ['gre'],
+  }
+
+  class  { '::neutron::plugins::ml2':
+    type_drivers         => ['gre'],
+    tenant_network_types => ['gre'],
+    mechanism_drivers    => ['openvswitch'],
+    tunnel_id_ranges     => ['10:1000']
+  }*/
+
+  Class['::neutron::db::mysql'] -> Exec['neutron-db-sync']
+
+  @@haproxy::balancermember { "neutron_api_${::fqdn}":
+      listening_service => 'neutron_api_cluster',
+      server_names => $::hostname,
+      ipaddresses => $public_ipaddress,
+      ports => '9696',
+      options => 'check inter 2000 rise 2 fall 5',
+    }
+}

manifests/profile/nova/controller.pp

+class iaas::profile::nova::controller (
+  $password = undef,
+  $public_ipaddress = undef,
+  $admin_ipaddress = undef,
+
+  $neutron_secret = hiera('iaas::profile::neutron::secret', undef),
+  $neutron_password = hiera('iaas::profile::neutron::password', undef),
+
+  $region = hiera('iaas::region', undef),
+  $endpoint = hiera('iaas::role::endpoint::main_address', undef),
+  $rabbitmq_user = hiera('iaas::profile::rabbitmq::user', undef),
+  $rabbitmq_password = hiera('iaas::profile::rabbitmq::password', undef),
+) {
+  include iaas::resources::connectors
+  iaas::resources::database { 'nova': }
+
+  class { '::nova::keystone::auth':
+    password => $password,
+    public_address => $public_ipaddress,
+    admin_address => $admin_ipaddress,
+    internal_address => $admin_ipaddress,
+    region => $region,
+  }
+
+  class { '::nova':
+    database_connection => $iaas::resources::connectors::nova,
+    glance_api_servers => $endpoint,
+    memcached_servers => ["localhost:11211"],
+    rabbit_host => $endpoint,
+    rabbit_userid => $rabbitmq_user,
+    rabbit_password => $rabbitmq_password,
+    mysql_module => '2.3',
+    database_idle_timeout => 50, # Important to avoid facing "MySQL server has gone away" while using HAProxy+Galera. Should be < HAProxy server timeout (default: 60s)
+  }
+
+  nova_config { 'DEFAULT/default_floating_pool': value => 'public' }
+
+  class { '::nova::api':
+    enabled => true,
+    admin_password => $password,
+    auth_host => $endpoint,
+    neutron_metadata_proxy_shared_secret => $neutron_secret,
+  }
+
+  class { '::nova::vncproxy':
+    enabled => true,
+    host => $::openstack::config::controller_address_api,
+  }
+
+  class { [ 'nova::scheduler', 'nova::consoleauth', 'nova::conductor']:
+    enabled => true,
+  }
+
+  @@haproxy::balancermember { "nova_api_${::fqdn}":
+    listening_service => 'nova_api_cluster',
+    server_names => $::hostname,
+    ipaddresses => $public_ipaddress,
+    ports => '8774',
+    options => 'check inter 2000 rise 2 fall 5',
+  }
+
+  /*class { '::nova::compute::neutron': }
+
+  class { '::nova::network::neutron':
+    neutron_admin_password => $neutron_password,
+    neutron_region_name => $region,
+    neutron_admin_auth_url => "http://${endpoint}:35357/v2.0",
+    neutron_url => "http://${endpoint}:9696",
+    vif_plugging_is_fatal => false,
+    vif_plugging_timeout => '0',
+  }*/
+}

manifests/profile/rabbitmq.pp

+class iaas::profile::rabbitmq (
+  $servers = undef,
+  $user = undef,
+  $password = undef,
+  $erlang = undef,
+) {
+  class {'erlang': } ->
+  package { 'erlang-base':
+    ensure => 'latest',
+  } ->
+  class { '::rabbitmq':
+    service_ensure => 'running',
+    port => 5672,
+    delete_guest_user => true,
+    config_cluster => true,
+    cluster_nodes => $servers,
+    erlang_cookie => $erlang,
+    cluster_node_type => 'ram',
+    wipe_db_on_cookie_change => true,
+    cluster_partition_handling => 'pause_minority',
+  } ->
+  rabbitmq_user { $user:
+    admin => true,
+    password => $password,
+    provider => 'rabbitmqctl',
+  } ->
+  rabbitmq_user_permissions { "${user}@/":
+    configure_permission => '.*',
+    write_permission => '.*',
+    read_permission => '.*',
+    provider => 'rabbitmqctl',
+  } # -> Anchor<| title == 'nova-start' |> ->
+
+  @@haproxy::balancermember { "rabbitmq_${::fqdn}":
+    listening_service => 'rabbitmq',
+    server_names => $::hostname,
+    ipaddresses => $::ipaddress,
+    ports => '5672',
+    options => 'check inter 2000 rise 2 fall 5',
+  }
+}

manifests/resources/connectors.pp

+class iaas::resources::connectors {
+  $endpoint = hiera('iaas::role::endpoint::main_address', '127.0.0.1')
+
+  $user_keystone = hiera('iaas::mysql::keystone::user', 'keystone')
+  $pass_keystone = hiera('iaas::mysql::keystone::password', 'keystone')
+  $keystone = "mysql://${user_keystone}:${pass_keystone}@${endpoint}/keystone"
+
+  $user_glance = hiera('iaas::mysql::glance::user', 'glance')
+  $pass_glance = hiera('iaas::mysql::glance::password', 'glance')
+  $glance = "mysql://${user_glance}:${pass_glance}@${endpoint}/glance"
+
+  $user_cinder = hiera('iaas::mysql::cinder::user', 'cinder')
+  $pass_cinder = hiera('iaas::mysql::cinder::password', 'cinder')
+  $cinder = "mysql://${user_cinder}:${pass_cinder}@${endpoint}/cinder"
+
+  $user_nova = hiera('iaas::mysql::nova::user', 'nova')
+  $pass_nova = hiera('iaas::mysql::nova::password', 'nova')
+  $nova = "mysql://${user_nova}:${pass_nova}@${endpoint}/nova"
+
+  $user_neutron = hiera('iaas::mysql::neutron::user', 'nova')
+  $pass_neutron = hiera('iaas::mysql::neutron::password', 'nova')
+  $neutron = "mysql://${user_neutron}:${pass_neutron}@${endpoint}/neutron"
+}

manifests/resources/database.pp

+define iaas::resources::database (
+  $user = hiera("iaas::mysql::${title}::user", $title),
+  $password = hiera("iaas::mysql::${title}::password", $title),
+  $allowed_hosts = hiera('iaas::mysql::allowed_hosts', ''),
+) {
+  class { "::${title}::db::mysql":
+    user => $user,
+    password => $password,
+    dbname => $title,
+    host => "localhost",
+    allowed_hosts => $allowed_hosts,
+    mysql_module => '2.3',
+    require => Anchor['database-service'],
+  }
+}

manifests/resources/tenant.pp

+define iaas::resources::tenant (
+  $description,
+  $enabled = true,
+) {
+  keystone_tenant { $name:
+    ensure      => present,
+    description => $description,
+    enabled     => $enabled,
+  }
+}

manifests/resources/user.pp

+define iaas::resources::user (
+  $password,
+  $tenant,
+  $email,
+  $admin   = false,
+  $enabled = true,
+) {
+  keystone_user { $name:
+    ensure   => present,
+    enabled  => $enabled,
+    password => $password,
+    tenant   => $tenant,
+    email    => $email,
+  }
+
+  if $admin == true {
+    keystone_user_role { "${name}@${tenant}":
+      ensure => present,
+      roles  => ['_member_', 'admin'],
+    }
+  } else {
+    keystone_user_role { "${name}@${tenant}":
+      ensure => present,
+      roles  => ['_member_'],
+    }
+  }
+}