Merge "Provide ability to deploy metrics_qdr using ansible"
6edb6760f1
377
deployment/metrics/qdr-container-ansible.yaml
Normal file
377
deployment/metrics/qdr-container-ansible.yaml
Normal file
@ -0,0 +1,377 @@
|
||||
---
|
||||
heat_template_version: rocky
|
||||
|
||||
description: >
|
||||
Qpid dispatch router service for metrics and monitoring purposes
|
||||
|
||||
parameters:
|
||||
ContainerMetricsQdrImage:
|
||||
description: image
|
||||
type: string
|
||||
DefaultPasswords:
|
||||
default: {}
|
||||
type: json
|
||||
EnableInternalTLS:
|
||||
default: false
|
||||
type: boolean
|
||||
EndpointMap:
|
||||
default: {}
|
||||
description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults
|
||||
in the resource registry.
|
||||
type: json
|
||||
InternalTLSCAFile:
|
||||
default: /etc/ipa/ca.crt
|
||||
description: Specifies the default CA cert to use if TLS is used for services in
|
||||
the internal network.
|
||||
type: string
|
||||
MetricsQdrAddresses:
|
||||
default:
|
||||
- distribution: multicast
|
||||
prefix: collectd
|
||||
- distribution: multicast
|
||||
prefix: ceilometer/metering.sample
|
||||
- distribution: multicast
|
||||
prefix: ceilometer/event.sample
|
||||
description: Addresses configuration (array of hashes).
|
||||
type: json
|
||||
MetricsQdrAuthenticateClient:
|
||||
default: false
|
||||
description: Authenticate the client using SSL/TLS
|
||||
type: boolean
|
||||
MetricsQdrAutoLinks:
|
||||
default: []
|
||||
description: AutoLinks for the Configured Addresses
|
||||
type: json
|
||||
MetricsQdrConnectors:
|
||||
default: []
|
||||
description: Connectors configuration (array of hashes).
|
||||
type: json
|
||||
MetricsQdrExternalEndpoint:
|
||||
default: false
|
||||
description: Whether QDR should listen on external network interface. To enable
|
||||
listening on external network one must deploy QDRs in mesh mode.
|
||||
type: boolean
|
||||
MetricsQdrLoggingSource:
|
||||
default:
|
||||
file: /var/log/containers/qdrouterd/metrics_qdr.log
|
||||
startmsg.regex: '^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}(.[0-9]+
|
||||
\+[0-9]+)? [A-Z]+ \([a-z]+\) '
|
||||
tag: openstack.nova.consoleauth
|
||||
type: json
|
||||
MetricsQdrPassword:
|
||||
default: guest
|
||||
description: Password which should be used to authenticate to the deployed qdrouterd.
|
||||
hidden: true
|
||||
type: string
|
||||
MetricsQdrPort:
|
||||
default: 5666
|
||||
description: Service name or port number on which the qdrouterd will accept connections.
|
||||
type: number
|
||||
MetricsQdrSSLProfiles:
|
||||
default:
|
||||
- name: sslProfile
|
||||
description: SSL Profiles for the connectors (array of hashes).
|
||||
type: json
|
||||
MetricsQdrSaslMechanisms:
|
||||
default: ANONYMOUS
|
||||
description: List of accepted SASL auth mechanisms for listener in format of comma
|
||||
separated list.
|
||||
type: string
|
||||
MetricsQdrSslCertDb:
|
||||
default: '/etc/ipa/ca.crt'
|
||||
description: Path to SSL certificate db for listener.
|
||||
type: string
|
||||
MetricsQdrSslCertFile:
|
||||
default: '/etc/pki/tls/certs/metrics_qdr.crt'
|
||||
description: Path to SSL certificate file for listener.
|
||||
type: string
|
||||
MetricsQdrSslKeyFile:
|
||||
default: '/etc/pki/tls/private/metrics_qdr.key'
|
||||
description: Path to SSL private key file for listener.
|
||||
type: string
|
||||
MetricsQdrSslPassword:
|
||||
default: ''
|
||||
description: SSL password to be supplied for listener.
|
||||
type: string
|
||||
MetricsQdrSslPwFile:
|
||||
default: ''
|
||||
description: Path to SSL password file for certificate key for listener.
|
||||
type: string
|
||||
MetricsQdrTrustedCerts:
|
||||
default: ''
|
||||
description: Path to file containing trusted certificates for listener.
|
||||
type: string
|
||||
MetricsQdrUseEncryption:
|
||||
default: false
|
||||
description: Set to true if it is required to encrypt connection to the peer for
|
||||
listener. Not currently implemented, use EnableInternalTLS instead. This option can be ignored.
|
||||
type: boolean
|
||||
MetricsQdrUseSSL:
|
||||
default: false
|
||||
description: Set to true if it is required to use SSL or TLS on the connection for
|
||||
the local listener. !WARNING! Currently breaks connections from collectd and ceilometer.
|
||||
type: boolean
|
||||
MetricsQdrUsername:
|
||||
default: guest
|
||||
description: Username which should be used to authenticate to the deployed qdrouterd.
|
||||
type: string
|
||||
MonitoringSubscriptionQdr:
|
||||
default: overcloud-qdr
|
||||
type: string
|
||||
RoleName:
|
||||
default: ''
|
||||
description: Role name on which the service is applied
|
||||
type: string
|
||||
RoleParameters:
|
||||
default: {}
|
||||
description: Parameters specific to the role
|
||||
type: json
|
||||
ServiceData:
|
||||
default: {}
|
||||
description: Dictionary packing service data
|
||||
type: json
|
||||
ServiceNetMap:
|
||||
default: {}
|
||||
description: Mapping of service_name -> network name. Typically set via parameter_defaults
|
||||
in the resource registry. This mapping overrides those in ServiceNetMapDefaults.
|
||||
type: json
|
||||
|
||||
##############################################################################
|
||||
# The existing MetricsQdr parameters will be combined with
|
||||
# MetricsQdrVars in the MetricsQdrParametersValue below. Eventually,
|
||||
# these legacy parameters will be deprecated in favour of passing the
|
||||
# parameters into the MetricsQdrVars param below.
|
||||
# For backwards compatibility these legacy params will be accepted, but will
|
||||
# be overwritten by any element passed to MetricsQdrVars.
|
||||
# New configs should add the vars directly into the
|
||||
# MetricsQdrVars parameter, which will not require anymore
|
||||
# changes in THT to add new params.
|
||||
##############################################################################
|
||||
MetricsQdrVars:
|
||||
default: {}
|
||||
description: Hash of qdr variables used to configure the qdr role.
|
||||
tags:
|
||||
- role_specific
|
||||
type: json
|
||||
|
||||
|
||||
conditions:
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
role_specific_required: {not: {equals: [{ get_param: [RoleParameters, MetricsQdrVars] }, ""]}}
|
||||
|
||||
|
||||
resources:
|
||||
ContainersCommon:
|
||||
type: ../containers-common.yaml
|
||||
|
||||
MetricsQdrParametersValue:
|
||||
type: OS::Heat::Value
|
||||
properties:
|
||||
type: json
|
||||
value:
|
||||
map_merge:
|
||||
- tripleo_metrics_qdr_connectors: { get_param: MetricsQdrConnectors }
|
||||
tripleo_metrics_qdr_autolink_addresses: { get_param: MetricsQdrAutoLinks }
|
||||
tripleo_metrics_qdr_addresses: { get_param: MetricsQdrAddresses }
|
||||
tripleo_metrics_qdr_listener_port: { get_param: MetricsQdrPort }
|
||||
tripleo_metrics_qdr_ssl_profiles: { get_param: MetricsQdrSSLProfiles }
|
||||
tripleo_metrics_qdr_listener_auth_peer: { get_param: MetricsQdrAuthenticateClient }
|
||||
tripleo_metrics_qdr_listener_require_ssl: { get_param: MetricsQdrUseSSL }
|
||||
tripleo_metrics_qdr_listener_sasl_mech: { get_param: MetricsQdrSaslMechanisms }
|
||||
tripleo_metrics_qdr_listener_ssl_cert_db: { get_param: MetricsQdrSslCertDb }
|
||||
tripleo_metrics_qdr_listener_ssl_cert_file: { get_param: MetricsQdrSslCertFile }
|
||||
tripleo_metrics_qdr_listener_ssl_key_file: { get_param: MetricsQdrSslKeyFile }
|
||||
tripleo_metrics_qdr_listener_use_encryption: { get_param: MetricsQdrUseEncryption }
|
||||
tripleo_enable_internal_tls: { get_param: EnableInternalTLS }
|
||||
###### *CS These vars might need more work, still need to double-check
|
||||
# TODO: May need to re-implement logic for this one (currently a hardcoded path in the ansible I think?)
|
||||
tripleo_internal_tlscafile: { get_param: InternalTLSCAFile }
|
||||
|
||||
# TODO: In puppet these two are used to create a sasldb user[1][2]. The qdr-config-ansible-role needs to be updated to handle this.
|
||||
# [1] https://review.opendev.org/plugins/gitiles/openstack/puppet-tripleo/+/refs/heads/master/manifests/profile/base/metrics/qdr.pp#224
|
||||
# [2] https://review.opendev.org/plugins/gitiles/openstack/puppet-qdr/+/refs/heads/master/lib/puppet/provider/qdr_user/sasl.rb
|
||||
tripleo_metrics_qdr_username: { get_param: MetricsQdrUsername }
|
||||
tripleo_metrics_qdr_password: { get_param: MetricsQdrPassword }
|
||||
|
||||
# RFE to add support for these SSL related options? Each of them exists in puppet-qdr[1s] but are unused[2s]
|
||||
# [1] https://review.opendev.org/plugins/gitiles/openstack/puppet-qdr/+/refs/heads/master/manifests/init.pp#170
|
||||
# [2] https://github.com/openstack/puppet-qdr/search?q=listener_ssl_pw_file
|
||||
tripleo_metrics_qdr_listener_ssl_pw_file: { get_param: MetricsQdrSslPwFile }
|
||||
|
||||
# [1] https://review.opendev.org/plugins/gitiles/openstack/puppet-qdr/+/refs/heads/master/manifests/init.pp#171
|
||||
# [2] https://github.com/openstack/puppet-qdr/search?q=listener_ssl_password
|
||||
tripleo_metrics_qdr_listener_ssl_password: { get_param: MetricsQdrSslPassword }
|
||||
|
||||
# [1] https://review.opendev.org/plugins/gitiles/openstack/puppet-qdr/+/refs/heads/master/manifests/init.pp#172
|
||||
# [2] https://github.com/openstack/puppet-qdr/search?q=listener_trusted_certs
|
||||
tripleo_metrics_qdr_listener_trusted_certs: { get_param: MetricsQdrTrustedCerts }
|
||||
######
|
||||
- { get_param: MetricsQdrVars }
|
||||
- if:
|
||||
- role_specific_required
|
||||
- { get_param: [RoleParameters, MetricsQdrVars] }
|
||||
- {}
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
description: Role data for the metrics Qdr role.
|
||||
value:
|
||||
service_name: qdr
|
||||
firewall_rules:
|
||||
map_merge:
|
||||
- '109 metrics qdr':
|
||||
dport:
|
||||
- {get_param: MetricsQdrPort}
|
||||
- map_merge:
|
||||
repeat:
|
||||
for_each:
|
||||
<%net_cidr%>: {get_param: [ServiceData, net_cidr_map, ctlplane]}
|
||||
template:
|
||||
'109 accept internal metrics qdr ctlplane subnet <%net_cidr%>':
|
||||
dport:
|
||||
- 5667
|
||||
- 5668
|
||||
|
||||
# For sensu
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionQdr}
|
||||
|
||||
# See https://docs.openstack.org/tripleo-docs/latest/developer/tht_walkthrough/tls_for_services.html
|
||||
metadata_settings:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- service: metrics_qdr
|
||||
network:
|
||||
get_param:
|
||||
- ServiceNetMap
|
||||
- str_replace:
|
||||
template: "ROLENAMEMetricsQdrNetwork"
|
||||
params:
|
||||
ROLENAME: {get_param: RoleName}
|
||||
type: node
|
||||
- null
|
||||
|
||||
kolla_config:
|
||||
/var/lib/kolla/config_files/metrics_qdr.json:
|
||||
command: /usr/sbin/qdrouterd -c /etc/qpid-dispatch/qdrouterd.conf
|
||||
config_files:
|
||||
- dest: /etc/qpid-dispatch/
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
source: /var/lib/kolla/config_files/src/*
|
||||
- dest: /
|
||||
merge: true
|
||||
optional: true
|
||||
preserve_properties: true
|
||||
source: /var/lib/kolla/config_files/src-tls/*
|
||||
permissions:
|
||||
- owner: qdrouterd:qdrouterd
|
||||
path: /var/lib/qdrouterd
|
||||
recurse: true
|
||||
- owner: qdrouterd:qdrouterd
|
||||
path: /var/log/qdrouterd
|
||||
recurse: true
|
||||
- optional: true
|
||||
owner: qdrouterd:qdrouterd
|
||||
path: /etc/pki/tls/certs/metrics_qdr.crt
|
||||
- optional: true
|
||||
owner: qdrouterd:qdrouterd
|
||||
path: /etc/pki/tls/private/metrics_qdr.key
|
||||
|
||||
service_config_settings:
|
||||
rsyslog:
|
||||
tripleo_logging_sources_metrics_qdr:
|
||||
- {get_param: MetricsQdrLoggingSource}
|
||||
|
||||
config_settings:
|
||||
map_merge:
|
||||
- tripleo::haproxy::metrics_qdr: {get_param: MetricsQdrExternalEndpoint}
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
- generate_service_certificates: true
|
||||
# These two are used here: https://review.opendev.org/plugins/gitiles/openstack/puppet-tripleo/+/refs/heads/master/files/certmonger-metrics-qdr-refresh.sh#8
|
||||
tripleo::metrics::qdr::service_certificate: { get_param: MetricsQdrSslCertFile }
|
||||
tripleo::metrics::qdr::service_key: { get_param: MetricsQdrSslKeyFile }
|
||||
# This one is used here: https://review.opendev.org/plugins/gitiles/openstack/puppet-tripleo/+/refs/heads/master/manifests/profile/base/certmonger_user.pp#193
|
||||
tripleo::profile::base::metrics::qdr::certificate_specs:
|
||||
service_certificate: { get_param: MetricsQdrSslCertFile }
|
||||
service_key: { get_param: MetricsQdrSslKeyFile }
|
||||
postsave_cmd: "/usr/bin/certmonger-metrics-qdr-refresh.sh"
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK:
|
||||
get_param:
|
||||
- ServiceNetMap
|
||||
- str_replace:
|
||||
template: "ROLENAMEMetricsQdrNetwork"
|
||||
params:
|
||||
ROLENAME: {get_param: RoleName}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "metrics_qdr/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK:
|
||||
get_param:
|
||||
- ServiceNetMap
|
||||
- str_replace:
|
||||
template: "ROLENAMEMetricsQdrNetwork"
|
||||
params:
|
||||
ROLENAME: {get_param: RoleName}
|
||||
- # Empty then
|
||||
docker_config:
|
||||
step_1:
|
||||
metrics_qdr:
|
||||
environment:
|
||||
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||
healthcheck:
|
||||
test: /openstack/healthcheck
|
||||
image:
|
||||
get_param: ContainerMetricsQdrImage
|
||||
net: host
|
||||
privileged: false
|
||||
restart: always
|
||||
start_order: 1
|
||||
user: qdrouterd
|
||||
volumes:
|
||||
list_concat:
|
||||
- get_attr:
|
||||
- ContainersCommon
|
||||
- volumes
|
||||
- - /var/lib/kolla/config_files/metrics_qdr.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- /var/lib/config-data/ansible-generated/metrics_qdr:/var/lib/kolla/config_files/src:ro
|
||||
- /var/lib/metrics_qdr:/var/lib/qdrouterd:z
|
||||
- /var/log/containers/metrics_qdr:/var/log/qdrouterd:z
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
- - /etc/pki/tls/certs/metrics_qdr.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/metrics_qdr.crt:ro
|
||||
- /etc/pki/tls/private/metrics_qdr.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/metrics_qdr.key:ro
|
||||
- null
|
||||
|
||||
host_prep_tasks:
|
||||
- name: Create required host directories for QDR
|
||||
file:
|
||||
mode: '{{ item.mode|default(omit) }}'
|
||||
path: '{{ item.path }}'
|
||||
setype: '{{ item.setype }}'
|
||||
state: directory
|
||||
with_items:
|
||||
- path: /var/log/containers/metrics_qdr
|
||||
setype: container_file_t
|
||||
mode: '0750'
|
||||
- path: /var/lib/metrics_qdr
|
||||
setype: container_file_t
|
||||
mode: '0750'
|
||||
- path: /var/lib/config-data/ansible-generated/metrics_qdr
|
||||
setype: container_file_t
|
||||
mode: '0750'
|
||||
|
||||
deploy_steps_tasks:
|
||||
- name: QDR Config on step 1
|
||||
when: step == '1'
|
||||
include_role:
|
||||
name: tripleo_metrics_qdr
|
||||
tasks_from: create_config
|
||||
vars:
|
||||
- {get_attr: [MetricsQdrParametersValue, value]}
|
@ -63,7 +63,8 @@ parameters:
|
||||
description: Connectors configuration (array of hashes).
|
||||
type: json
|
||||
MetricsQdrSSLProfiles:
|
||||
default: []
|
||||
default:
|
||||
- name: sslProfile
|
||||
description: SSL Profiles for the connectors (array of hashes).
|
||||
type: json
|
||||
MetricsQdrAddresses:
|
||||
@ -82,13 +83,13 @@ parameters:
|
||||
type: json
|
||||
MetricsQdrUseSSL:
|
||||
default: false
|
||||
description: Set to true if it is required to use SSL or TLS on
|
||||
the connection for listener.
|
||||
description: Set to true if it is required to use SSL or TLS on the connection for
|
||||
the local listener. !WARNING! Currently breaks connections from collectd and ceilometer.
|
||||
type: boolean
|
||||
MetricsQdrUseEncryption:
|
||||
default: false
|
||||
description: Set to true if it is required to encrypt connection to the peer
|
||||
for listener.
|
||||
description: Set to true if it is required to encrypt connection to the peer for
|
||||
listener. Not currently implemented, use EnableInternalTLS instead. This option can be ignored.
|
||||
type: boolean
|
||||
MetricsQdrSaslMechanisms:
|
||||
default: 'ANONYMOUS'
|
||||
@ -96,15 +97,15 @@ parameters:
|
||||
of comma separated list.
|
||||
type: string
|
||||
MetricsQdrSslCertDb:
|
||||
default: ''
|
||||
default: '/etc/ipa/ca.crt'
|
||||
description: Path to SSL certificate db for listener.
|
||||
type: string
|
||||
MetricsQdrSslCertFile:
|
||||
default: ''
|
||||
default: '/etc/pki/tls/certs/metrics_qdr.crt'
|
||||
description: Path to SSL certificate file for listener.
|
||||
type: string
|
||||
MetricsQdrSslKeyFile:
|
||||
default: ''
|
||||
default: '/etc/pki/tls/private/metrics_qdr.key'
|
||||
description: Path to SSL private key file for listener.
|
||||
type: string
|
||||
MetricsQdrSslPwFile:
|
||||
@ -120,14 +121,13 @@ parameters:
|
||||
description: Path to file containing trusted certificates for listener.
|
||||
type: string
|
||||
MetricsQdrAuthenticateClient:
|
||||
default: 'no'
|
||||
default: false
|
||||
description: Authenticate the client using SSL/TLS
|
||||
type: string
|
||||
type: boolean
|
||||
MetricsQdrExternalEndpoint:
|
||||
default: false
|
||||
description: |
|
||||
Whether QDR should listen on external network interface. To enable listening
|
||||
on external network one must deploy QDRs in mesh mode.
|
||||
description: Whether QDR should listen on external network interface. To enable
|
||||
listening on external network one must deploy QDRs in mesh mode.
|
||||
type: boolean
|
||||
InternalTLSCAFile:
|
||||
default: '/etc/ipa/ca.crt'
|
||||
@ -213,8 +213,8 @@ outputs:
|
||||
tripleo::profile::base::metrics::qdr::listener_require_ssl:
|
||||
if:
|
||||
- listener_ssl_enabled
|
||||
- 'yes'
|
||||
- 'no'
|
||||
- true
|
||||
- false
|
||||
tripleo::profile::base::metrics::qdr::listener_require_encrypt: {get_param: MetricsQdrUseEncryption}
|
||||
tripleo::profile::base::metrics::qdr::listener_sasl_mech: {get_param: MetricsQdrSaslMechanisms}
|
||||
tripleo::profile::base::metrics::qdr::listener_ssl_cert_db: {get_param: MetricsQdrSslCertDb}
|
||||
|
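Review bot: The per-CIDR firewall rule in the `repeat` block (`'109 accept internal metrics qdr ctlplane subnet <%net_cidr%>'`) names the subnet but never restricts on it — only `dport` 5667/5668 is set — so every iteration of `net_cidr_map` produces the same unrestricted accept rule and the mesh/edge listener ports are reachable from any source; add `source: <%net_cidr%>` next to `dport` inside the template mapping. The hunks from `@ -63,7 +63,8 @@ parameters:` onward show changed lines with no file header and cannot belong to a `-0,0 +1,377` new-file diff; presumably they are the sibling puppet template, so this page should be checked against the real commit. `MetricsQdrPassword` (default `guest`) is `hidden: true`, but it is copied into the `OS::Heat::Value` resource as `tripleo_metrics_qdr_password`, and a Heat value attribute is not hidden; since the TODO says the ansible role does not consume it yet, consider leaving it out of the merge until the role needs it. The `MetricsQdrLoggingSource` default `tag: openstack.nova.consoleauth` looks copied from another service; the correct tag is not on this page.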
20
environments/metrics/qdr-edge-only-ansible.yaml
Normal file
20
environments/metrics/qdr-edge-only-ansible.yaml
Normal file
@ -0,0 +1,20 @@
|
||||
## This environment serves the purpose of enabling deployment of QPID dispatch routers (aka QDR).
|
||||
## Each overcloud node will have one local qdrouterd service running and operating in edge mode,
|
||||
## eg. sending received data straight to defined MetricsQdrConnectors
|
||||
|
||||
|
||||
resource_registry:
|
||||
OS::TripleO::Services::MetricsQdr: ../../deployment/metrics/qdr-container-ansible.yaml
|
||||
|
||||
parameter_defaults:
|
||||
|
||||
# Exercise the new, preferred interface
|
||||
MetricsQdrVars:
|
||||
tripleo_metrics_qdr_deployment_mode: edge-only
|
||||
|
||||
# qdr_connectors:
|
||||
# - host: qdr-normal-sa-telemetry.apps.remote.tld
|
||||
# port: 443
|
||||
# role: edge
|
||||
# sslProfile: sslProfile
|
||||
# verifyHostname: false
|
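Review bot: The commented example under `MetricsQdrVars` uses the key `qdr_connectors`, while the template merges connector settings under `tripleo_metrics_qdr_connectors` (fed from `MetricsQdrConnectors`), so uncommenting the example as written would likely be silently ignored; the same example appears in environments/metrics/qdr-form-controller-mesh-ansible.yaml. The example also sets `verifyHostname: false` on a TLS connector to a remote host, which disables hostname checking of the peer certificate; the example should read `# verifyHostname: true`, or carry a comment stating when turning it off is acceptable. The `# *CS Q:` design note in the mesh environment file reads as an unresolved developer question and belongs in the review thread rather than in a shipped environment file.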
26
environments/metrics/qdr-form-controller-mesh-ansible.yaml
Normal file
26
environments/metrics/qdr-form-controller-mesh-ansible.yaml
Normal file
@ -0,0 +1,26 @@
|
||||
## This environment serves the purpose of enabling deployment of QPID dispatch routers (aka QDR).
|
||||
## Each overcloud node will have one local qdrouterd service running and forming a mesh topology,
|
||||
## eg. QDRs running on controllers will operate in interior router mode, with connections to defined MetricsQdrConnectors
|
||||
## and QDRs running on other node types will connect in edge mode to the interior routers running on the controllers.
|
||||
|
||||
|
||||
|
||||
resource_registry:
|
||||
OS::TripleO::Services::MetricsQdr: ../../deployment/metrics/qdr-container-ansible.yaml
|
||||
|
||||
parameter_defaults:
|
||||
# Exercise the new, preferred interface
|
||||
MetricsQdrVars:
|
||||
# *CS Q: Does it make sense to split the QDR into two services?
|
||||
# OS::TripleO::Services::MetricsQdrMesh
|
||||
# OS::TripleO::Services::MetricsEdge
|
||||
# When the automation configures the edge mode nodes it would need to check to see if MetricsQdrMesh is
|
||||
# deployed anywhere and then behave accordingly (replace STF connection with connection into mesh).
|
||||
tripleo_metrics_qdr_deployment_mode: controller-mesh
|
||||
|
||||
# qdr_connectors:
|
||||
# - host: qdr-normal-sa-telemetry.apps.remote.tld
|
||||
# port: 443
|
||||
# role: inter-router
|
||||
# sslProfile: sslProfile
|
||||
# verifyHostname: false
|