Merge "Add metadata settings for needed kerberos principals"

extraconfig/nova_metadata/krb-service-principals.yaml

@@ -0,0 +1,84 @@
+heat_template_version: ocata
+description: 'Generates the relevant service principals for a server'
+
+parameters:
+  RoleData:
+     type: json
+     description: the list containing the 'role_data' output for the ServiceChain
+
+  # Coming from parameter_defaults
+  CloudName:
+    default: overcloud.localdomain
+    description: The DNS name of this cloud. E.g. ci-overcloud.tripleo.org
+    type: string
+  CloudNameInternal:
+    default: overcloud.internalapi.localdomain
+    description: >
+      The DNS name of this cloud's internal API endpoint. E.g.
+      'ci-overcloud.internalapi.tripleo.org'.
+    type: string
+  CloudNameStorage:
+    default: overcloud.storage.localdomain
+    description: >
+      The DNS name of this cloud's storage endpoint. E.g.
+      'ci-overcloud.storage.tripleo.org'.
+    type: string
+  CloudNameStorageManagement:
+    default: overcloud.storagemgmt.localdomain
+    description: >
+      The DNS name of this cloud's storage management endpoint. E.g.
+      'ci-overcloud.storagemgmt.tripleo.org'.
+    type: string
+  CloudNameCtlplane:
+    default: overcloud.ctlplane.localdomain
+    description: >
+      The DNS name of this cloud's storage management endpoint. E.g.
+      'ci-overcloud.management.tripleo.org'.
+    type: string
+
+resources:
+
+  IncomingMetadataSettings:
+    type: OS::Heat::Value
+    properties:
+      value:
+        yaql:
+          # Filter null values and values that contain don't contain
+          # 'metadata_settings', get the values from that key and get the
+          # unique ones.
+          expression: list($.data.where($ != null).where($.containsKey('metadata_settings')).metadata_settings.flatten().distinct())
+          data: {get_param: RoleData}
+
+  # Generates entries for nova metadata with the following format:
+  #   'managed_service_<id>' : <service>/<fqdn>
+  # Depending on the requested network
+  IndividualServices:
+    type: OS::Heat::Value
+    properties:
+      value:
+        yaql:
+          expression: let(fqdns => $.data.fqdns) -> dict($.data.metadata.where($ != null and $.type = 'vip').select([concat('managed_service_', $.service, $.network), concat($.service, '/', $fqdns.get($.network))]))
+          data:
+            metadata: {get_attr: [IncomingMetadataSettings, value]}
+            fqdns:
+              external: {get_param: CloudName}
+              internal_api: {get_param: CloudNameInternal}
+              storage: {get_param: CloudNameStorage}
+              storage_mgmt: {get_param: CloudNameStorageManagement}
+              ctlplane: {get_param: CloudNameCtlplane}
+
+  CompactServices:
+    type: OS::Heat::Value
+    properties:
+      value:
+        yaql:
+          expression: dict($.data.where($ != null and $.type = 'node').select([$.service, $.network.replace('_', '')]).groupBy($[0], $[1]))
+          data: {get_attr: [IncomingMetadataSettings, value]}
+
+outputs:
+  metadata:
+    description: actual metadata entries that will be passed to the server.
+    value:
+      map_merge:
+        - {get_attr: [IndividualServices, value]}
+        - compact_services: {get_attr: [CompactServices, value]}

puppet/services/aodh-api.yaml

@@ -83,3 +83,5 @@ outputs:
         get_attr: [AodhBase, role_data, service_config_settings]
       step_config: |
         include tripleo::profile::base::aodh::api
+      metadata_settings:
+        get_attr: [ApacheServiceBase, role_data, metadata_settings]

puppet/services/apache-internal-tls-certmonger.yaml

@@ -21,6 +21,22 @@ parameters:
                  via parameter_defaults in the resource registry.
     type: json
 
+resources:
+
+  ApacheNetworks:
+    type: OS::Heat::Value
+    properties:
+      value:
+        # NOTE(jaosorior) Get unique network names to create
+        # certificates for those. We skip the tenant network since
+        # we don't need a certificate for that, and the external
+        # network will be handled in another template.
+        yaql:
+          expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
+          data:
+            map:
+              get_param: ServiceNetMap
+
 outputs:
   role_data:
     description: Role data for the Apache role.
@@ -38,13 +54,12 @@ outputs:
                   hostname: "%{hiera('fqdn_NETWORK')}"
                   principal: "HTTP/%{hiera('fqdn_NETWORK')}"
               for_each:
-                NETWORK:
+                NETWORK: {get_attr: [ApacheNetworks, value]}
-                  # NOTE(jaosorior) Get unique network names to create
+      metadata_settings:
-                  # certificates for those. We skip the tenant network since
+        repeat:
-                  # we don't need a certificate for that, and the external
+          template:
-                  # network will be handled in another template.
+            - service: HTTP
-                  yaql:
+              network: $NETWORK
-                    expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
+              type: node
-                    data:
+          for_each:
-                      map:
+            $NETWORK: {get_attr: [ApacheNetworks, value]}
-                        get_param: ServiceNetMap

puppet/services/apache.yaml

@@ -64,3 +64,5 @@ outputs:
             apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit }
             apache::mod::remoteip::proxy_ips:
               - "%{hiera('apache_remote_proxy_ips_network')}"
+      metadata_settings:
+        get_attr: [ApacheTLS, role_data, metadata_settings]

puppet/services/barbican-api.yaml

@@ -144,3 +144,5 @@ outputs:
             get_param: [EndpointMap, BarbicanInternal, uri]
           cinder::api::keymgr_encryption_auth_url:
             get_param: [EndpointMap, KeystoneV3Internal, uri]
+      metadata_settings:
+        get_attr: [ApacheServiceBase, role_data, metadata_settings]

puppet/services/ceilometer-api.yaml

@@ -90,3 +90,5 @@ outputs:
         get_attr: [CeilometerServiceBase, role_data, service_config_settings]
       step_config: |
         include ::tripleo::profile::base::ceilometer::api
+      metadata_settings:
+        get_attr: [ApacheServiceBase, role_data, metadata_settings]

puppet/services/cinder-api.yaml

@@ -146,6 +146,8 @@ outputs:
           cinder::db::mysql::allowed_hosts:
             - '%'
             - "%{hiera('mysql_bind_host')}"
+      metadata_settings:
+        get_attr: [ApacheServiceBase, role_data, metadata_settings]
       upgrade_tasks:
         - name: check for cinder running under apache (post upgrade)
           tags: step2

puppet/services/database/mysql-internal-tls-certmonger.yaml

@@ -41,3 +41,7 @@ outputs:
               template: "mysql/%{hiera('cloud_name_NETWORK')}"
               params:
                 NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+      metadata_settings:
+        - service: mysql
+          network: {get_param: [ServiceNetMap, MysqlNetwork]}
+          type: vip

puppet/services/database/mysql.yaml

@@ -104,4 +104,6 @@ outputs:
         - name: Start service
           tags: step4
           service: name=mariadb state=started
+      metadata_settings:
+        get_attr: [MySQLTLS, role_data, metadata_settings]
 

puppet/services/gnocchi-api.yaml

@@ -131,3 +131,5 @@ outputs:
           gnocchi::db::mysql::allowed_hosts:
             - '%'
             - "%{hiera('mysql_bind_host')}"
+      metadata_settings:
+        get_attr: [ApacheServiceBase, role_data, metadata_settings]

puppet/services/haproxy-internal-tls-certmonger.yaml

@@ -19,6 +19,22 @@ parameters:
                  via parameter_defaults in the resource registry.
     type: json
 
+resources:
+
+  HAProxyNetworks:
+    type: OS::Heat::Value
+    properties:
+      value:
+        # NOTE(jaosorior) Get unique network names to create
+        # certificates for those. We skip the tenant network since
+        # we don't need a certificate for that, and the external
+        # network will be handled in another template.
+        yaql:
+          expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
+          data:
+            map:
+              get_param: ServiceNetMap
+
 outputs:
   role_data:
     description: Role data for the HAProxy internal TLS via certmonger role.
@@ -39,13 +55,12 @@ outputs:
                 postsave_cmd: "" # TODO
                 principal: "haproxy/%{hiera('cloud_name_NETWORK')}"
             for_each:
-              NETWORK:
+              NETWORK: {get_attr: [HAProxyNetworks, value]}
-                # NOTE(jaosorior) Get unique network names to create
+      metadata_settings:
-                # certificates for those. We skip the tenant network since
+        repeat:
-                # we don't need a certificate for that, and the external
+          template:
-                # network will be handled in another template.
+          - service: haproxy
-                yaql:
+            network: $NETWORK
-                  expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
+            type: vip
-                  data:
+          for_each:
-                    map:
+            $NETWORK: {get_attr: [HAProxyNetworks, value]}
-                      get_param: ServiceNetMap

puppet/services/haproxy-public-tls-certmonger.yaml

@@ -35,3 +35,7 @@ outputs:
           hostname: "%{hiera('cloud_name_external')}"
           postsave_cmd: "" # TODO
           principal: "haproxy/%{hiera('cloud_name_external')}"
+      metadata_settings:
+        - service: haproxy
+          network: external
+          type: vip

puppet/services/haproxy.yaml

@@ -84,3 +84,9 @@ outputs:
         - name: Start haproxy service
           tags: step4 # Needed at step 4 for mysql
           service: name=haproxy state=started
+      metadata_settings:
+        yaql:
+          expression: '[].concat(coalesce($.data.internal, []), coalesce($.data.public, []))'
+          data:
+            public: {get_attr: [HAProxyPublicTLS, role_data, metadata_settings]}
+            internal: {get_attr: [HAProxyInternalTLS, role_data, metadata_settings]}

puppet/services/keystone.yaml

@@ -313,3 +313,8 @@ outputs:
         - name: Sync keystone DB
           tags: step5
           command: keystone-manage db_sync
+        - name: Start keystone service (running under httpd)
+          tags: step6
+          service: name=httpd state=started
+      metadata_settings:
+        get_attr: [ApacheServiceBase, role_data, metadata_settings]

puppet/services/nova-api.yaml

@@ -165,3 +165,5 @@ outputs:
           nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]}
           nova::keystone::auth::password: {get_param: NovaPassword}
           nova::keystone::auth::region: {get_param: KeystoneRegion}
+      metadata_settings:
+        get_attr: [ApacheServiceBase, role_data, metadata_settings]

puppet/services/pacemaker/database/mysql.yaml

@@ -53,6 +53,8 @@ outputs:
               get_param: [ServiceNetMap, MysqlNetwork]
       step_config: |
         include ::tripleo::profile::pacemaker::database::mysql
+      metadata_settings:
+        get_attr: [MysqlBase, role_data, metadata_settings]
       upgrade_tasks:
         - name: Check for galera root password
           tags: step0

puppet/services/pacemaker/haproxy.yaml

@@ -40,3 +40,5 @@ outputs:
             tripleo::haproxy::mysql_clustercheck: true
       step_config: |
         include ::tripleo::profile::pacemaker::haproxy
+      metadata_settings:
+        get_attr: [LoadbalancerServiceBase, role_data, metadata_settings]

puppet/services/panko-api.yaml

@@ -82,3 +82,5 @@ outputs:
         get_attr: [PankoBase, role_data, service_config_settings]
       step_config: |
         include tripleo::profile::base::panko::api
+      metadata_settings:
+        get_attr: [ApacheServiceBase, role_data, metadata_settings]