Merge "Mv Nova, Neutron, Horizon out of controller.yaml"

network/service_net_map.yaml

@@ -13,6 +13,7 @@ parameters:
 
   ServiceNetMapDefaults:
     default:
+      ApacheNetwork: internal_api
       NeutronTenantNetwork: tenant
       CeilometerApiNetwork: internal_api
       AodhApiNetwork: internal_api

overcloud-resource-registry-puppet.yaml

@@ -130,6 +130,7 @@ resource_registry:
 
   # services
   OS::TripleO::Services: puppet/services/services.yaml
+  OS::TripleO::Services::Apache: puppet/services/apache.yaml
   OS::TripleO::Services::CACerts: puppet/services/ca-certs.yaml
   OS::TripleO::Services::CephMon: OS::Heat::None
   OS::TripleO::Services::CephOSD: OS::Heat::None

overcloud.yaml

@@ -435,7 +435,6 @@ resources:
         properties:
           CloudDomain: {get_param: CloudDomain}
           controllerExtraConfig: {get_param: controllerExtraConfig}
-          HorizonSecret: {get_resource: HorizonSecret}
           PcsdPassword: {get_resource: PcsdPassword}
           RedisVirtualIP: {get_attr: [RedisVirtualIP, ip_address]}
           RedisVirtualIPUri: {get_attr: [RedisVirtualIP, ip_address_uri]}

puppet/controller.yaml

@@ -83,10 +83,6 @@ parameters:
     type: string
     constraints:
       - custom_constraint: nova.flavor
-  HorizonSecret:
-    description: Secret key for Django
-    type: string
-    hidden: true
   controllerImage:
     type: string
     default: overcloud-full
@@ -96,10 +92,6 @@ parameters:
     default: 'REBUILD_PRESERVE_EPHEMERAL'
     description: What policy to use when reconstructing instances. REBUILD for rebuilds, REBUILD_PRESERVE_EPHEMERAL to preserve /mnt.
     type: string
-  InstanceNameTemplate:
-    default: 'instance-%08x'
-    description: Template string to be used to generate instance names
-    type: string
   KeyName:
     default: default
     description: Name of an existing Nova key pair to enable SSH access to the instances
@@ -110,39 +102,14 @@ parameters:
     default: false
     description: Whether to manage IPtables rules.
     type: boolean
-  MemcachedIPv6:
-    default: false
-    description: Enable IPv6 features in Memcached.
-    type: boolean
   PurgeFirewallRules:
     default: false
     description: Whether IPtables rules should be purged before setting up the new ones.
     type: boolean
-  NeutronMetadataProxySharedSecret:
-    description: Shared secret to prevent spoofing
-    type: string
-    hidden: true
-  NeutronPassword:
-    description: The password for the neutron service and db account, used by neutron agents.
-    type: string
-    hidden: true
   NeutronPublicInterface:
     default: nic1
     description: What interface to bridge onto br-ex for network nodes.
     type: string
-  NovaEnableDBPurge:
-    default: true
-    description: |
-        Whether to create cron job for purging soft deleted rows in Nova database.
-    type: boolean
-  NovaIPv6:
-    default: false
-    description: Enable IPv6 features in Nova
-    type: boolean
-  NovaPassword:
-    description: The password for the nova service and db account, used by nova-api.
-    type: string
-    hidden: true
   PcsdPassword:
     type: string
     description: The password for the 'pcsd' user.
@@ -162,10 +129,6 @@ parameters:
     default: {}
     description: 'A hash of additional raw devices to use as Swift backend (eg. {sdb: {}})'
     type: json
-  UpgradeLevelNovaCompute:
-    type: string
-    description: Nova Compute upgrade level
-    default: ''
   ServiceNetMap:
     default: {}
     description: Mapping of service_name -> network name. Typically set
@@ -392,43 +355,15 @@ resources:
       server: {get_resource: Controller}
       input_values:
         bootstack_nodeid: {get_attr: [Controller, name]}
-        horizon_secret: {get_param: HorizonSecret}
         debug: {get_param: Debug}
-        keystone_identity_uri: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
-        keystone_auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
-        keystone_ec2_uri: { get_param: [EndpointMap, KeystoneEC2, uri] }
         enable_fencing: {get_param: EnableFencing}
         enable_load_balancer: {get_param: EnableLoadBalancer}
         manage_firewall: {get_param: ManageFirewall}
         purge_firewall_rules: {get_param: PurgeFirewallRules}
-        neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
-        nova_enable_db_purge: {get_param: NovaEnableDBPurge}
-        nova_ipv6: {get_param: NovaIPv6}
         corosync_ipv6: {get_param: CorosyncIPv6}
-        memcached_ipv6: {get_param: MemcachedIPv6}
-        nova_password: {get_param: NovaPassword}
-        upgrade_level_nova_compute: {get_param: UpgradeLevelNovaCompute}
-        instance_name_template: {get_param: InstanceNameTemplate}
         fencing_config: {get_param: FencingConfig}
         pcsd_password: {get_param: PcsdPassword}
         enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]}
-        glance_api_servers: { get_param: [EndpointMap, GlanceInternal, uri]}
-        neutron_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NeutronApiNetwork]}]}
-        nova_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NovaApiNetwork]}]}
-        nova_metadata_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NovaMetadataNetwork]}]}
-        horizon_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, HorizonNetwork]}]}
-        horizon_subnet:
-          str_replace:
-            template: "['SUBNET']"
-            params:
-              SUBNET:
-                get_attr:
-                  - NetIpMap
-                  - net_ip_map
-                  - str_replace:
-                      template: "NETWORK_subnet"
-                      params:
-                        NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
         redis_vip: {get_param: RedisVirtualIP}
         ironic_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, IronicApiNetwork]}]}
 
@@ -489,37 +424,14 @@ resources:
                 tripleo::fencing::config: {get_input: fencing_config}
 
                 # Neutron
-                neutron::bind_host: {get_input: neutron_api_network}
-                neutron::agents::metadata::metadata_ip: {get_input: neutron_api_network}
                 snmpd_readonly_user_name: {get_input: snmpd_readonly_user_name}
                 snmpd_readonly_user_password: {get_input: snmpd_readonly_user_password}
-
-                # Nova
-                nova::upgrade_level_compute: {get_input: upgrade_level_nova_compute}
-                nova::use_ipv6: {get_input: nova_ipv6}
-                nova::api::api_bind_address: {get_input: nova_api_network}
-                nova::api::metadata_listen: {get_input: nova_metadata_network}
-                nova::glance_api_servers: {get_input: glance_api_servers}
-                nova::api::neutron_metadata_proxy_shared_secret: {get_input: neutron_metadata_proxy_shared_secret}
-                nova::api::instance_name_template: {get_input: instance_name_template}
-                nova::vncproxy::host: {get_input: nova_api_network}
-                nova_enable_db_purge: {get_input: nova_enable_db_purge}
-
-                # Horizon
-                apache::mod::remoteip::proxy_ips: {get_input: horizon_subnet}
-                apache::ip: {get_input: horizon_network}
-                horizon::django_debug: {get_input: debug}
-                horizon::secret_key: {get_input: horizon_secret}
-                horizon::bind_address: {get_input: horizon_network}
-                horizon::keystone_url: {get_input: keystone_auth_uri}
-
                 # Redis
                 redis_vip: {get_input: redis_vip}
                 # Firewall
                 tripleo::firewall::manage_firewall: {get_input: manage_firewall}
                 tripleo::firewall::purge_firewall_rules: {get_input: purge_firewall_rules}
                 # Misc
-                memcached_ipv6: {get_input: memcached_ipv6}
                 tripleo::haproxy::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]}
                 tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade}
 

puppet/services/aodh-api.yaml

@@ -27,6 +27,13 @@ resources:
       DefaultPasswords: {get_param: DefaultPasswords}
       EndpointMap: {get_param: EndpointMap}
 
+  ApacheServiceBase:
+    type: ./apache.yaml
+    properties:
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
+
 outputs:
   role_data:
     description: Role data for the Aodh API service.
@@ -35,6 +42,7 @@ outputs:
       config_settings:
         map_merge:
           - get_attr: [AodhBase, role_data, config_settings]
+          - get_attr: [ApacheServiceBase, role_data, config_settings]
           - aodh::wsgi::apache::ssl: false
             aodh::api::service_name: 'httpd'
             tripleo.aodh_api.firewall_rules:

puppet/services/apache.yaml

@@ -0,0 +1,40 @@
+heat_template_version: 2016-10-14
+
+description: >
+  Apache service configured with Puppet. Note this is typically included
+  automatically via other services which run via Apache.
+
+parameters:
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+
+outputs:
+  role_data:
+    description: Role data for the Apache role.
+    value:
+      service_name: apache
+      config_settings:
+        # for the given network; replacement examples (eg. for internal_api):
+        # internal_api -> IP
+        # internal_api_uri -> [IP]
+        # internal_api_subnet - > IP/CIDR
+        apache::ip: {get_param: [ServiceNetMap, ApacheNetwork]}
+        apache_remote_proxy_ips_network:
+          str_replace:
+            template: "NETWORK_subnet"
+            params:
+              NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]}
+        apache::mod::remoteip::proxy_ips:
+          - "%{hiera('apache_remote_proxy_ips_network')}"

puppet/services/ceilometer-api.yaml

@@ -28,6 +28,13 @@ resources:
       DefaultPasswords: {get_param: DefaultPasswords}
       EndpointMap: {get_param: EndpointMap}
 
+  ApacheServiceBase:
+    type: ./apache.yaml
+    properties:
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
+
 outputs:
   role_data:
     description: Role data for the Ceilometer API role.
@@ -35,6 +42,7 @@ outputs:
       service_name: ceilometer_api
       config_settings:
         map_merge:
+          - get_attr: [ApacheServiceBase, role_data, config_settings]
           - get_attr: [CeilometerServiceBase, role_data, config_settings]
           - tripleo.ceilometer_api.firewall_rules:
               '124 ceilometer':

puppet/services/gnocchi-api.yaml

@@ -35,6 +35,7 @@ parameters:
     description: Keystone region for endpoint
 
 resources:
+
   GnocchiServiceBase:
     type: ./gnocchi-base.yaml
     properties:
@@ -42,6 +43,13 @@ resources:
       DefaultPasswords: {get_param: DefaultPasswords}
       EndpointMap: {get_param: EndpointMap}
 
+  ApacheServiceBase:
+    type: ./apache.yaml
+    properties:
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
+
 outputs:
   role_data:
     description: Role data for the Gnocchi role.
@@ -49,6 +57,7 @@ outputs:
       service_name: gnocchi_api
       config_settings:
         map_merge:
+          - get_attr: [ApacheServiceBase, role_data, config_settings]
           - get_attr: [GnocchiServiceBase, role_data, config_settings]
           - tripleo.gnocchi_api.firewall_rules:
               '129 gnocchi-api':

puppet/services/horizon.yaml

@@ -1,4 +1,4 @@
-heat_template_version: 2016-04-08
+heat_template_version: 2016-10-14
 
 description: >
   Horizon service configured with Puppet
@@ -10,6 +10,10 @@ parameters:
                  via parameter_defaults in the resource registry.  This
                  mapping overrides those in ServiceNetMapDefaults.
     type: json
+  Debug:
+    default: ''
+    description: Set to True to enable debugging on all services.
+    type: string
   DefaultPasswords:
     default: {}
     type: json
@@ -22,11 +26,20 @@ parameters:
     default: '*'
     description: A list of IP/Hostname allowed to connect to horizon
     type: comma_delimited_list
+  HorizonSecret:
+    description: Secret key for Django
+    type: string
+    hidden: true
+    default: ''
   NeutronMechanismDrivers:
     default: 'openvswitch'
     description: |
         The mechanism drivers for the Neutron tenant network.
     type: comma_delimited_list
+  MemcachedIPv6:
+    default: false
+    description: Enable IPv6 features in Memcached.
+    type: boolean
 
 outputs:
   role_data:
@@ -51,5 +64,29 @@ outputs:
           add_listen: false
           priority: 10
           access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
+        # NOTE: bind IP is found in Heat replacing the network name with the local node IP
+        # for the given network; replacement examples (eg. for internal_api):
+        # internal_api -> IP
+        # internal_api_uri -> [IP]
+        # internal_api_subnet - > IP/CIDR
+        apache::ip: {get_param: [ServiceNetMap, HorizonNetwork]}
+        apache_remote_proxy_ips_network:
+          str_replace:
+            template: "NETWORK_subnet"
+            params:
+              NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
+        apache::mod::remoteip::proxy_ips:
+          - "%{hiera('apache_remote_proxy_ips_network')}"
+        horizon::bind_address: {get_param: [ServiceNetMap, HorizonNetwork]}
+        horizon::django_debug: {get_param: Debug}
+        horizon::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri]}
+        horizon::secret_key:
+          yaql:
+            expression: $.data.passwords.where($ != '').first()
+            data:
+              passwords:
+                - {get_param: HorizonSecret}
+                - {get_param: [DefaultPasswords, horizon_secret]}
+        memcached_ipv6: {get_param: MemcachedIPv6}
       step_config: |
         include ::tripleo::profile::base::horizon

puppet/services/keystone.yaml

@@ -84,81 +84,94 @@ parameters:
     type: string
     description: Set the number of workers for keystone::wsgi::apache
     default: '"%{::processorcount}"'
+
+resources:
+
+  ApacheServiceBase:
+    type: ./apache.yaml
+    properties:
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
+
 outputs:
   role_data:
     description: Role data for the Keystone role.
     value:
       service_name: keystone
       config_settings:
-        keystone::database_connection:
+      config_settings:
-          list_join:
+        map_merge:
-            - ''
+          - get_attr: [ApacheServiceBase, role_data, config_settings]
-            - - {get_param: [EndpointMap, MysqlInternal, protocol]}
+          - keystone::database_connection:
-              - '://keystone:'
+              list_join:
-              - {get_param: AdminToken}
+                - ''
-              - '@'
+                - - {get_param: [EndpointMap, MysqlInternal, protocol]}
-              - {get_param: [EndpointMap, MysqlInternal, host]}
+                  - '://keystone:'
-              - '/keystone'
+                  - {get_param: AdminToken}
-        keystone::admin_token: {get_param: AdminToken}
+                  - '@'
-        keystone::roles::admin::password: {get_param: AdminPassword}
+                  - {get_param: [EndpointMap, MysqlInternal, host]}
-        keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
+                  - '/keystone'
-        keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
+            keystone::admin_token: {get_param: AdminToken}
-        keystone::enable_proxy_headers_parsing: true
+            keystone::roles::admin::password: {get_param: AdminPassword}
-        keystone::debug: {get_param: Debug}
+            keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
-        keystone::db::mysql::password: {get_param: AdminToken}
+            keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
-        keystone::rabbit_userid: {get_param: RabbitUserName}
+            keystone::enable_proxy_headers_parsing: true
-        keystone::rabbit_password: {get_param: RabbitPassword}
+            keystone::debug: {get_param: Debug}
-        keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
+            keystone::db::mysql::password: {get_param: AdminToken}
-        keystone::rabbit_port: {get_param: RabbitClientPort}
+            keystone::rabbit_userid: {get_param: RabbitUserName}
-        keystone::notification_driver: {get_param: KeystoneNotificationDriver}
+            keystone::rabbit_password: {get_param: RabbitPassword}
-        keystone::notification_format: {get_param: KeystoneNotificationFormat}
+            keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
-        keystone::roles::admin::email: {get_param: AdminEmail}
+            keystone::rabbit_port: {get_param: RabbitClientPort}
-        keystone::roles::admin::password: {get_param: AdminPassword}
+            keystone::notification_driver: {get_param: KeystoneNotificationDriver}
-        keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
+            keystone::notification_format: {get_param: KeystoneNotificationFormat}
-        keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+            keystone::roles::admin::email: {get_param: AdminEmail}
-        keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+            keystone::roles::admin::password: {get_param: AdminPassword}
-        keystone::endpoint::region: {get_param: KeystoneRegion}
+            keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
-        keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
+            keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
-        keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
+            keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
-        keystone::db::mysql::user: keystone
+            keystone::endpoint::region: {get_param: KeystoneRegion}
-        keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+            keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
-        keystone::db::mysql::dbname: keystone
+            keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
-        keystone::db::mysql::allowed_hosts:
+            keystone::db::mysql::user: keystone
-          - '%'
+            keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
-          - "%{hiera('mysql_bind_host')}"
+            keystone::db::mysql::dbname: keystone
-        keystone::rabbit_heartbeat_timeout_threshold: 60
+            keystone::db::mysql::allowed_hosts:
-        keystone::cron::token_flush::maxdelay: 3600
+              - '%'
-        keystone::roles::admin::service_tenant: 'service'
+              - "%{hiera('mysql_bind_host')}"
-        keystone::roles::admin::admin_tenant: 'admin'
+            keystone::rabbit_heartbeat_timeout_threshold: 60
-        keystone::cron::token_flush::destination: '/dev/null'
+            keystone::cron::token_flush::maxdelay: 3600
-        keystone::config::keystone_config:
+            keystone::roles::admin::service_tenant: 'service'
-          ec2/driver:
+            keystone::roles::admin::admin_tenant: 'admin'
-            value: 'keystone.contrib.ec2.backends.sql.Ec2'
+            keystone::cron::token_flush::destination: '/dev/null'
-        keystone::service_name: 'httpd'
+            keystone::config::keystone_config:
-        keystone::wsgi::apache::ssl: false
+              ec2/driver:
-
+                value: 'keystone.contrib.ec2.backends.sql.Ec2'
-        keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
+            keystone::service_name: 'httpd'
-        # override via extraconfig:
+            keystone::wsgi::apache::ssl: false
-        keystone::wsgi::apache::threads: 1
+    
-        keystone::db::database_db_max_retries: -1
+            keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
-        keystone::db::database_max_retries: -1
+            # override via extraconfig:
-        tripleo.keystone.firewall_rules:
+            keystone::wsgi::apache::threads: 1
-          '111 keystone':
+            keystone::db::database_db_max_retries: -1
-            dport:
+            keystone::db::database_max_retries: -1
-              - 5000
+            tripleo.keystone.firewall_rules:
-              - 13000
+              '111 keystone':
-              - 35357
+                dport:
-              - 13357
+                  - 5000
-        # NOTE: bind IP is found in Heat replacing the network name with the
+                  - 13000
-        # local node IP for the given network; replacement examples
+                  - 35357
-        # (eg. for internal_api):
+                  - 13357
-        # internal_api -> IP
+            # NOTE: bind IP is found in Heat replacing the network name with the
-        # internal_api_uri -> [IP]
+            # local node IP for the given network; replacement examples
-        # internal_api_subnet - > IP/CIDR
+            # (eg. for internal_api):
-        # NOTE: this applies to all 4 bind IP settings below...
+            # internal_api -> IP
-        keystone::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
+            # internal_api_uri -> [IP]
-        keystone::public_bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
+            # internal_api_subnet - > IP/CIDR
-        keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
+            # NOTE: this applies to all 4 bind IP settings below...
-        keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
+            keystone::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
+            keystone::public_bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
+            keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
+            keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
       step_config: |
         include ::tripleo::profile::base::keystone

puppet/services/neutron-api.yaml

@@ -111,5 +111,11 @@ outputs:
               '106 vrrp':
                 proto: vrrp
             neutron::server::router_distributed: {get_param: NeutronEnableDVR}
+            # NOTE: bind IP is found in Heat replacing the network name with the local node IP
+            # for the given network; replacement examples (eg. for internal_api):
+            # internal_api -> IP
+            # internal_api_uri -> [IP]
+            # internal_api_subnet - > IP/CIDR
+            neutron::bind_host: {get_param: [ServiceNetMap, NeutronApiNetwork]}
       step_config: |
         include tripleo::profile::base::neutron::server

puppet/services/neutron-metadata.yaml

@@ -53,5 +53,11 @@ outputs:
             neutron::agents::metadata::auth_password: {get_param: NeutronPassword}
             neutron::agents::metadata::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
             neutron::agents::metadata::auth_tenant: 'service'
+            # NOTE: bind IP is found in Heat replacing the network name with the local node IP
+            # for the given network; replacement examples (eg. for internal_api):
+            # internal_api -> IP
+            # internal_api_uri -> [IP]
+            # internal_api_subnet - > IP/CIDR
+            neutron::agents::metadata::metadata_ip: {get_param: [ServiceNetMap, NeutronApiNetwork]}
       step_config: |
         include tripleo::profile::base::neutron::metadata

puppet/services/nova-api.yaml

@@ -30,6 +30,19 @@ parameters:
     type: string
     default: 'regionOne'
     description: Keystone region for endpoint
+  NeutronMetadataProxySharedSecret:
+    description: Shared secret to prevent spoofing
+    type: string
+    hidden: true
+  InstanceNameTemplate:
+    default: 'instance-%08x'
+    description: Template string to be used to generate instance names
+    type: string
+  NovaEnableDBPurge:
+    default: true
+    description: |
+        Whether to create cron job for purging soft deleted rows in Nova database.
+    type: boolean
 
 resources:
   NovaBase:
@@ -75,5 +88,16 @@ outputs:
             nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]}
             nova::keystone::auth::password: {get_param: NovaPassword}
             nova::keystone::auth::region: {get_param: KeystoneRegion}
+            # NOTE: bind IP is found in Heat replacing the network name with the local node IP
+            # for the given network; replacement examples (eg. for internal_api):
+            # internal_api -> IP
+            # internal_api_uri -> [IP]
+            # internal_api_subnet - > IP/CIDR
+            nova::api::api_bind_address: {get_param: [ServiceNetMap, NovaApiNetwork]}
+            nova::api::metadata_listen: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
+            nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
+            nova::api::instance_name_template: {get_param: InstanceNameTemplate}
+            nova_enable_db_purge: {get_param: NovaEnableDBPurge}
+
       step_config: |
         include tripleo::profile::base::nova::api

puppet/services/nova-base.yaml

@@ -95,14 +95,14 @@ outputs:
               - '@'
               - {get_param: [EndpointMap, MysqlInternal, host]}
               - '/nova_api'
-        nova::db::mysql::password: {get_input: nova_password}
+        nova::db::mysql::password: {get_param: NovaPassword}
         nova::db::mysql::user: nova
         nova::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
         nova::db::mysql::dbname: nova
         nova::db::mysql::allowed_hosts:
           - '%'
           - "%{hiera('mysql_bind_host')}"
-        nova::db::mysql_api::password: {get_input: nova_password}
+        nova::db::mysql_api::password: {get_param: NovaPassword}
         nova::db::mysql_api::user: nova_api
         nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
         nova::db::mysql_api::dbname: nova_api

puppet/services/nova-vncproxy.yaml

@@ -46,5 +46,11 @@ outputs:
                   '[': ''
                   ']': ''
             nova::vncproxy::common::vncproxy_port: {get_param: [EndpointMap, NovaVNCProxyPublic, port]}
+            # NOTE: bind IP is found in Heat replacing the network name with the local node IP
+            # for the given network; replacement examples (eg. for internal_api):
+            # internal_api -> IP
+            # internal_api_uri -> [IP]
+            # internal_api_subnet - > IP/CIDR
+            nova::vncproxy::host: {get_param: [ServiceNetMap, NovaApiNetwork]}
       step_config: |
         include tripleo::profile::base::nova::vncproxy