Refactor nova db config

It is best to avoid placing db creds on the compute nodes to limit the
exposure if an attacker succeeds in gaining access to the hypervisor
host.

Related patches in puppet-nova remove the credentials from nova.conf
however the current scope of db credential hieradata is all nova tripleo
services - so it will but written to the hieradata keys on compute
nodes.

This patch refactors the nova hieradata structure, splitting the
nova-api/nova database hieradata out into individual templates and
selectively including only where necessary, ensuring we have no db
creds on a compute node (unless it is an all-in-one api+compute node).

Depends-On: I07caa3185427b48e6e7d60965fa3e6157457018c
Change-Id: Ia4a29bdd2cd8e894bcc7c0078cf0f0ab0f97de0a
Closes-bug: #1871482

deployment/nova/nova-api-container-puppet.yaml

@@ -152,6 +152,27 @@ resources:
       RoleName: {get_param: RoleName}
       RoleParameters: {get_param: RoleParameters}
 
+  NovaApiDBClient:
+    type: ./nova-apidb-client-puppet.yaml
+    properties:
+      ServiceData: {get_param: ServiceData}
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
+      RoleName: {get_param: RoleName}
+      RoleParameters: {get_param: RoleParameters}
+
+  NovaDBClient:
+    type: ./nova-db-client-puppet.yaml
+    properties:
+      ServiceData: {get_param: ServiceData}
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
+      RoleName: {get_param: RoleName}
+      RoleParameters: {get_param: RoleParameters}
+
+
 outputs:
   role_data:
     description: Role data for the Nova API role.
@@ -180,6 +201,8 @@ outputs:
       config_settings:
         map_merge:
           - get_attr: [NovaBase, role_data, config_settings]
+          - get_attr: [NovaApiDBClient, role_data, config_settings]
+          - get_attr: [NovaDBClient, role_data, config_settings]
           - get_attr: [NovaApiLogging, config_settings]
           - apache::default_vhost: false
             nova::keystone::authtoken::project_name: 'service'
@@ -231,19 +254,14 @@ outputs:
               nova::wsgi::apache_api::workers: {get_param: NovaWorkers}
 
       service_config_settings:
+        rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq}
+        mysql:
+          map_merge:
+            - get_attr: [NovaApiDBClient, role_data, service_config_settings, mysql]
+            - get_attr: [NovaDBClient, role_data, service_config_settings, mysql]
         rsyslog:
           tripleo_logging_sources_nova_api:
             - {get_param: NovaApiLoggingSource}
-        mysql:
-          map_merge:
-          - {get_attr: [NovaBase, role_data, service_config_settings, mysql]}
-          - nova::db::mysql_api::password: {get_param: NovaPassword}
-            nova::db::mysql_api::user: nova_api
-            nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
-            nova::db::mysql_api::dbname: nova_api
-            nova::db::mysql_api::allowed_hosts:
-              - '%'
-              - "%{hiera('mysql_bind_host')}"
       # BEGIN DOCKER SETTINGS
       puppet_config:
         config_volume: nova

deployment/nova/nova-apidb-client-puppet.yaml

@@ -0,0 +1,78 @@
+heat_template_version: rocky
+
+description: >
+  OpenStack Nova database client service.
+
+parameters:
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  NovaPassword:
+    description: The password for the nova service and db account
+    type: string
+    hidden: true
+  EnableSQLAlchemyCollectd:
+    type: boolean
+    description: >
+        Set to true to enable the SQLAlchemy-collectd server plugin
+    default: false
+
+conditions:
+  enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
+
+outputs:
+  role_data:
+    description: Role data for the Nova base service.
+    value:
+      config_settings:
+        nova::api_database_connection:
+          make_url:
+            scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
+            username: nova_api
+            password: {get_param: NovaPassword}
+            host: {get_param: [EndpointMap, MysqlInternal, host]}
+            path: /nova_api
+            query:
+              if:
+                - enable_sqlalchemy_collectd
+                -
+                    read_default_file: /etc/my.cnf.d/tripleo.cnf
+                    read_default_group: tripleo
+                    plugin: collectd
+                    collectd_program_name: nova_api
+                    collectd_host: localhost
+                -
+                    read_default_file: /etc/my.cnf.d/tripleo.cnf
+                    read_default_group: tripleo
+      service_config_settings:
+        mysql:
+          nova::db::mysql_api::password: {get_param: NovaPassword}
+          nova::db::mysql_api::user: nova_api
+          nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+          nova::db::mysql_api::dbname: nova_api
+          nova::db::mysql_api::allowed_hosts:
+            - '%'
+            - "%{hiera('mysql_bind_host')}"

deployment/nova/nova-base-puppet.yaml

@@ -59,10 +59,6 @@ parameters:
     default: 'br-int'
     description: Name of integration bridge used by Open vSwitch
     type: string
-  DatabaseSyncTimeout:
-    default: 300
-    description: DB Sync Timeout default
-    type: number
   Debug:
     type: boolean
     default: false
@@ -294,66 +290,6 @@ outputs:
           nova::placement::region_name: {get_param: KeystoneRegion}
           nova::placement::valid_interfaces: {get_param: PlacementAPIInterface}
           nova::os_region_name: {get_param: KeystoneRegion}
-          nova::database_connection:
-            make_url:
-              scheme: {get_param: [EndpointMap, MysqlCellInternal, protocol]}
-              username: nova
-              password: {get_param: NovaPassword}
-              host: {get_param: [EndpointMap, MysqlCellInternal, host]}
-              path: /nova
-              query:
-                if:
-                  - enable_sqlalchemy_collectd
-                  -
-                      read_default_file: /etc/my.cnf.d/tripleo.cnf
-                      read_default_group: tripleo
-                      plugin: collectd
-                      collectd_program_name: nova
-                      collectd_host: localhost
-                  -
-                      read_default_file: /etc/my.cnf.d/tripleo.cnf
-                      read_default_group: tripleo
-
-          nova::cell0_database_connection:
-            make_url:
-              scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
-              username: nova
-              password: {get_param: NovaPassword}
-              host: {get_param: [EndpointMap, MysqlInternal, host]}
-              path: /nova_cell0
-              query:
-                if:
-                  - enable_sqlalchemy_collectd
-                  -
-                      read_default_file: /etc/my.cnf.d/tripleo.cnf
-                      read_default_group: tripleo
-                      plugin: collectd
-                      collectd_program_name: nova_cell0
-                      collectd_host: localhost
-                  -
-                      read_default_file: /etc/my.cnf.d/tripleo.cnf
-                      read_default_group: tripleo
-
-          nova::api_database_connection:
-            make_url:
-              scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
-              username: nova_api
-              password: {get_param: NovaPassword}
-              host: {get_param: [EndpointMap, MysqlInternal, host]}
-              path: /nova_api
-              query:
-                if:
-                  - enable_sqlalchemy_collectd
-                  -
-                      read_default_file: /etc/my.cnf.d/tripleo.cnf
-                      read_default_group: tripleo
-                      plugin: collectd
-                      collectd_program_name: nova_api
-                      collectd_host: localhost
-                  -
-                      read_default_file: /etc/my.cnf.d/tripleo.cnf
-                      read_default_group: tripleo
-
           nova::logging::debug:
             if:
             - service_debug_unset
@@ -375,8 +311,6 @@ outputs:
           nova::network::neutron::auth_type: 'v3password'
           nova::db::database_db_max_retries: -1
           nova::db::database_max_retries: -1
-          nova::db::sync::db_sync_timeout: {get_param: DatabaseSyncTimeout}
-          nova::db::sync_api::db_sync_timeout: {get_param: DatabaseSyncTimeout}
           nova::network::neutron::ovs_bridge: {get_param: NovaOVSBridge}
           nova::cache::enabled: true
           nova::cache::backend: 'dogpile.cache.memcached'
@@ -420,9 +354,5 @@ outputs:
           - {}
           - nova::upgrade_level_compute: {get_param: UpgradeLevelNovaCompute}
       service_config_settings:
-        mysql:
+        rabbitmq:
-          # NOTE(aschultz): this should be configurable if/when we support more
-          # complex cell v2 configurations. For now, this is the default cell
-          # created for the cell v2 configuration
-          nova::db::mysql_api::setup_cell0: true
           nova::rabbit_use_ssl: {get_param: RpcUseSSL}

deployment/nova/nova-compute-container-puppet.yaml

@@ -538,16 +538,13 @@ resources:
   ContainersCommon:
     type: ../containers-common.yaml
 
-  MySQLClient:
-    type: ../../deployment/database/mysql-client.yaml
-
   NovaComputeCommon:
     type: ./nova-compute-common-container-puppet.yaml
     properties:
-      EndpointMap: {get_param: EndpointMap}
       ServiceData: {get_param: ServiceData}
       ServiceNetMap: {get_param: ServiceNetMap}
       DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
       RoleName: {get_param: RoleName}
       RoleParameters: {get_param: RoleParameters}
 
@@ -851,14 +848,11 @@ outputs:
       puppet_config:
         config_volume: nova_libvirt
         puppet_tags: nova_config,nova_paste_api_ini
-        step_config:
+        step_config: |
-          list_join:
+          # TODO(emilien): figure how to deal with libvirt profile.
-            - "\n"
+          # We'll probably treat it like we do with Neutron plugins.
-            - - # TODO(emilien): figure how to deal with libvirt profile.
+          # Until then, just include it in the default nova-compute role.
-                # We'll probably treat it like we do with Neutron plugins.
+          include tripleo::profile::base::nova::compute::libvirt
-                # Until then, just include it in the default nova-compute role.
-                include tripleo::profile::base::nova::compute::libvirt
-              - {get_attr: [MySQLClient, role_data, step_config]}
         config_image: {get_param: ContainerNovaLibvirtConfigImage}
       kolla_config:
         /var/lib/kolla/config_files/nova_compute.json:
@@ -984,7 +978,6 @@ outputs:
                       list_concat:
                         - {get_attr: [ContainersCommon, volumes]}
                         -
-                          - /var/lib/config-data/nova_libvirt/etc/my.cnf.d/:/etc/my.cnf.d/:ro
                           - /var/lib/config-data/nova_libvirt/etc/nova/:/etc/nova/:ro
                           - /var/log/containers/nova:/var/log/nova
                           - /var/lib/container-config-scripts/:/container-config-scripts/

deployment/nova/nova-conductor-container-puppet.yaml

@@ -58,9 +58,14 @@ parameters:
     description: The password for the nova service and db account
     type: string
     hidden: true
+  NovaAdditionalCell:
+    default: false
+    description: Whether this is an cell additional to the default cell.
+    type: boolean
 
 conditions:
   nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}
+  is_not_additional_cell: {equals: [{get_param: NovaAdditionalCell}, false]}
 
 resources:
 
@@ -86,6 +91,27 @@ resources:
       RoleName: {get_param: RoleName}
       RoleParameters: {get_param: RoleParameters}
 
+  NovaApiDBClient:
+    type: ./nova-apidb-client-puppet.yaml
+    properties:
+      ServiceData: {get_param: ServiceData}
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
+      RoleName: {get_param: RoleName}
+      RoleParameters: {get_param: RoleParameters}
+
+  NovaDBClient:
+    type: ./nova-db-client-puppet.yaml
+    properties:
+      ServiceData: {get_param: ServiceData}
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
+      RoleName: {get_param: RoleName}
+      RoleParameters: {get_param: RoleParameters}
+
+
 outputs:
   role_data:
     description: Role data for the Nova Conductor service.
@@ -94,27 +120,28 @@ outputs:
       monitoring_subscription: {get_param: MonitoringSubscriptionNovaConductor}
       config_settings:
         map_merge:
-          - {get_attr: [NovaBase, role_data, config_settings]}
+          - get_attr: [NovaBase, role_data, config_settings]
-          - {get_attr: [NovaLogging, config_settings]}
+          # FIXME(owalsh): NovaApiDBClient should be conditional on is_not_additional_cell
+          # however cell conductor currently requires api db access for affinity checks
+          - get_attr: [NovaApiDBClient, role_data, config_settings]
+          - get_attr: [NovaDBClient, role_data, config_settings]
+          - get_attr: [NovaLogging, config_settings]
           -
             if:
             - nova_workers_zero
             - {}
             - nova::conductor::workers: {get_param: NovaWorkers}
       service_config_settings:
+        rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq}
+        mysql:
+          map_merge:
+            # FIXME(owalsh): NovaApiDBClient should be conditional on is_not_additional_cell
+            # however cell conductor currently requires api db access for affinity checks
+            - get_attr: [NovaApiDBClient, role_data, service_config_settings, mysql]
+            - get_attr: [NovaDBClient, role_data, service_config_settings, mysql]
         rsyslog:
           tripleo_logging_sources_nova_conductor:
             - {get_param: NovaConductorLoggingSource}
-        mysql:
-          map_merge:
-          - {get_attr: [NovaBase, role_data, service_config_settings, mysql]}
-          - nova::db::mysql::password: {get_param: NovaPassword}
-            nova::db::mysql::user: nova
-            nova::db::mysql::host: {get_param: [EndpointMap, MysqlCellInternal, host_nobrackets]}
-            nova::db::mysql::dbname: nova
-            nova::db::mysql::allowed_hosts:
-              - '%'
-              - "%{hiera('mysql_bind_host')}"
       # BEGIN DOCKER SETTINGS
       puppet_config:
         config_volume: nova
@@ -158,7 +185,14 @@ outputs:
                   - /var/lib/config-data/nova/etc/my.cnf.d/tripleo.cnf:/etc/my.cnf.d/tripleo.cnf:ro
                   - /var/lib/config-data/nova/etc/nova/:/etc/nova/:ro
             user: root
-            command: "/usr/bin/bootstrap_host_exec nova_conductor su nova -s /bin/bash -c '/usr/bin/nova-manage db sync'"
+            command:
+              str_replace:
+                template: "/usr/bin/bootstrap_host_exec nova_conductor su nova -s /bin/bash -c '/usr/bin/nova-manage db sync DB_SYNC_ARGS'"
+                params:
+                  if:
+                    - is_not_additional_cell
+                    - DB_SYNC_ARGS: ""
+                    - DB_SYNC_ARGS: "--local_cell"
             environment:
               TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
         step_4:

deployment/nova/nova-db-client-puppet.yaml

@@ -0,0 +1,80 @@
+heat_template_version: rocky
+
+description: >
+  OpenStack Nova database client service.
+
+parameters:
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  NovaPassword:
+    description: The password for the nova service and db account
+    type: string
+    hidden: true
+  EnableSQLAlchemyCollectd:
+    type: boolean
+    description: >
+        Set to true to enable the SQLAlchemy-collectd server plugin
+    default: false
+
+conditions:
+  enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
+
+outputs:
+  role_data:
+    description: Role data for the Nova base service.
+    value:
+      config_settings:
+        nova::database_connection:
+          make_url:
+            scheme: {get_param: [EndpointMap, MysqlCellInternal, protocol]}
+            username: nova
+            password: {get_param: NovaPassword}
+            host: {get_param: [EndpointMap, MysqlCellInternal, host]}
+            path: /nova
+            query:
+              if:
+                - enable_sqlalchemy_collectd
+                -
+                    read_default_file: /etc/my.cnf.d/tripleo.cnf
+                    read_default_group: tripleo
+                    plugin: collectd
+                    collectd_program_name: nova
+                    collectd_host: localhost
+                -
+                    read_default_file: /etc/my.cnf.d/tripleo.cnf
+                    read_default_group: tripleo
+      service_config_settings:
+        mysql:
+          nova::db::mysql::password: {get_param: NovaPassword}
+          nova::db::mysql::user: nova
+          nova::db::mysql::host: {get_param: [EndpointMap, MysqlCellInternal, host_nobrackets]}
+          nova::db::mysql::dbname: nova
+          nova::db::mysql::allowed_hosts:
+            - '%'
+            - "%{hiera('mysql_bind_host')}"
+
+

deployment/nova/nova-ironic-container-puppet.yaml

@@ -83,16 +83,13 @@ resources:
   ContainersCommon:
     type: ../containers-common.yaml
 
-  MySQLClient:
-    type: ../../deployment/database/mysql-client.yaml
-
   NovaComputeCommon:
     type: ./nova-compute-common-container-puppet.yaml
     properties:
-      EndpointMap: {get_param: EndpointMap}
       ServiceData: {get_param: ServiceData}
       ServiceNetMap: {get_param: ServiceNetMap}
       DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
       RoleName: {get_param: RoleName}
       RoleParameters: {get_param: RoleParameters}
 
@@ -106,6 +103,7 @@ resources:
       RoleName: {get_param: RoleName}
       RoleParameters: {get_param: RoleParameters}
 
+
 outputs:
   role_data:
     description: Role data for the Nova Compute service.
@@ -131,11 +129,8 @@ outputs:
       puppet_config:
         config_volume: nova
         puppet_tags: nova_config,nova_paste_api_ini
-        step_config:
+        step_config: |
-          list_join:
+          include tripleo::profile::base::nova::compute::ironic
-              - "\n"
-              - - include tripleo::profile::base::nova::compute::ironic
-                - {get_attr: [MySQLClient, role_data, step_config]}
         config_image: {get_param: ContainerNovaConfigImage}
       kolla_config:
         /var/lib/kolla/config_files/nova_ironic.json:

deployment/nova/nova-libvirt-container-puppet.yaml

@@ -340,9 +340,6 @@ resources:
   ContainersCommon:
     type: ../containers-common.yaml
 
-  MySQLClient:
-    type: ../../deployment/database/mysql-client.yaml
-
   NovaLibvirtLogging:
     type: OS::TripleO::Services::Logging::NovaLibvirt
 
@@ -356,6 +353,7 @@ resources:
       RoleName: {get_param: RoleName}
       RoleParameters: {get_param: RoleParameters}
 
+
 outputs:
   role_data:
     description: Role data for the Libvirt service.
@@ -558,11 +556,8 @@ outputs:
       puppet_config:
         config_volume: nova_libvirt
         puppet_tags: libvirtd_config,virtlogd_config,nova_config,file,libvirt_tls_password
-        step_config:
+        step_config: |
-          list_join:
+           include tripleo::profile::base::nova::libvirt
-            - "\n"
-            - - include tripleo::profile::base::nova::libvirt
-              - {get_attr: [MySQLClient, role_data, step_config]}
         config_image: {get_param: ContainerNovaLibvirtConfigImage}
       kolla_config:
         /var/lib/kolla/config_files/nova_libvirt.json:

deployment/nova/nova-manager-container-puppet.yaml

@@ -56,6 +56,7 @@ resources:
       EndpointMap: {get_param: EndpointMap}
       RoleName: {get_param: RoleName}
       RoleParameters: {get_param: RoleParameters}
+      NovaAdditionalCell: false # API DB access required
 
 
 outputs:

deployment/nova/nova-metadata-container-puppet.yaml

@@ -81,6 +81,7 @@ conditions:
   internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
   nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}
   is_neutron_shared_metadata_notempty: {not: {equals: [{get_param: NeutronMetadataProxySharedSecret}, '']}}
+  is_not_cell_local: {equals: [{get_param: NovaLocalMetadataPerCell}, false]}
 
 resources:
 
@@ -114,6 +115,27 @@ resources:
       RoleName: {get_param: RoleName}
       RoleParameters: {get_param: RoleParameters}
 
+  NovaApiDBClient:
+    type: ./nova-apidb-client-puppet.yaml
+    properties:
+      ServiceData: {get_param: ServiceData}
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
+      RoleName: {get_param: RoleName}
+      RoleParameters: {get_param: RoleParameters}
+
+  NovaDBClient:
+    type: ./nova-db-client-puppet.yaml
+    properties:
+      ServiceData: {get_param: ServiceData}
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
+      RoleName: {get_param: RoleName}
+      RoleParameters: {get_param: RoleParameters}
+
+
 outputs:
   role_data:
     description: Role data for the Nova Metadata service.
@@ -128,6 +150,11 @@ outputs:
       config_settings:
         map_merge:
           - get_attr: [NovaBase, role_data, config_settings]
+          - if:
+            - is_not_cell_local
+            - get_attr: [NovaApiDBClient, role_data, config_settings]
+            - {}
+          - get_attr: [NovaDBClient, role_data, config_settings]
           - get_attr: [ApacheServiceBase, role_data, config_settings]
           - get_attr: [NovaMetadataLogging, config_settings]
           - apache::default_vhost: false
@@ -168,19 +195,17 @@ outputs:
             - nova::metadata::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
             - {}
       service_config_settings:
+        rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq}
+        mysql:
+          map_merge:
+            - if:
+              - is_not_cell_local
+              - get_attr: [NovaApiDBClient, role_data, service_config_settings, mysql]
+              - {}
+            - get_attr: [NovaDBClient, role_data, service_config_settings, mysql]
         rsyslog:
           tripleo_logging_sources_nova_metadata:
             - {get_param: NovaMetadataLoggingSource}
-        mysql:
-          map_merge:
-            - {get_attr: [NovaBase, role_data, service_config_settings, mysql]}
-            - nova::db::mysql_api::password: {get_param: NovaPassword}
-              nova::db::mysql_api::user: nova_api
-              nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
-              nova::db::mysql_api::dbname: nova_api
-              nova::db::mysql_api::allowed_hosts:
-                - '%'
-                - "%{hiera('mysql_bind_host')}"
       # BEGIN DOCKER SETTINGS
       puppet_config:
         config_volume: nova_metadata

deployment/nova/nova-scheduler-container-puppet.yaml

@@ -142,6 +142,26 @@ resources:
       RoleName: {get_param: RoleName}
       RoleParameters: {get_param: RoleParameters}
 
+  NovaApiDBClient:
+    type: ./nova-apidb-client-puppet.yaml
+    properties:
+      ServiceData: {get_param: ServiceData}
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
+      RoleName: {get_param: RoleName}
+      RoleParameters: {get_param: RoleParameters}
+
+  NovaDBClient:
+    type: ./nova-db-client-puppet.yaml
+    properties:
+      ServiceData: {get_param: ServiceData}
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
+      RoleName: {get_param: RoleName}
+      RoleParameters: {get_param: RoleParameters}
+
 
 outputs:
   role_data:
@@ -151,8 +171,10 @@ outputs:
       monitoring_subscription: {get_param: MonitoringSubscriptionNovaScheduler}
       config_settings:
         map_merge:
-          - {get_attr: [NovaBase, role_data, config_settings]}
+          - get_attr: [NovaBase, role_data, config_settings]
-          - {get_attr: [NovaLogging, config_settings]}
+          - get_attr: [NovaApiDBClient, role_data, config_settings]
+          - get_attr: [NovaDBClient, role_data, config_settings]
+          - get_attr: [NovaLogging, config_settings]
           - nova::scheduler::filter::scheduler_available_filters: {get_param: NovaSchedulerAvailableFilters}
             nova::scheduler::filter::scheduler_default_filters: {get_param: NovaSchedulerDefaultFilters}
             nova::scheduler::filter::scheduler_max_attempts: {get_param: NovaSchedulerMaxAttempts}
@@ -168,6 +190,11 @@ outputs:
             - {}
             - nova::scheduler::workers: {get_param: NovaSchedulerWorkers}
       service_config_settings:
+        rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq}
+        mysql:
+          map_merge:
+            - get_attr: [NovaApiDBClient, role_data, service_config_settings, mysql]
+            - get_attr: [NovaDBClient, role_data, service_config_settings, mysql]
         rsyslog:
           tripleo_logging_sources_nova_scheduler:
             - {get_param: NovaSchedulerLoggingSource}

deployment/nova/nova-vnc-proxy-container-puppet.yaml

@@ -138,6 +138,17 @@ resources:
       RoleName: {get_param: RoleName}
       RoleParameters: {get_param: RoleParameters}
 
+  NovaDBClient:
+    type: ./nova-db-client-puppet.yaml
+    properties:
+      ServiceData: {get_param: ServiceData}
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
+      RoleName: {get_param: RoleName}
+      RoleParameters: {get_param: RoleParameters}
+
+
 outputs:
   role_data:
     description: Role data for the Nova Vncproxy service.
@@ -150,7 +161,9 @@ outputs:
             - 13080
       config_settings:
         map_merge:
-          - {get_attr: [NovaLogging, config_settings]}
+          - get_attr: [NovaBase, role_data, config_settings]
+          - get_attr: [NovaDBClient, role_data, config_settings]
+          - get_attr: [NovaLogging, config_settings]
           - nova::vncproxy::enabled: true
             nova::vncproxy::common::vncproxy_protocol: {get_param: [EndpointMap, NovaVNCProxyCellPublic, protocol]}
             nova::vncproxy::common::vncproxy_host: {get_param: [EndpointMap, NovaVNCProxyCellPublic, host_nobrackets]}
@@ -226,6 +239,10 @@ outputs:
                         NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
               - {}
       service_config_settings:
+        rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq}
+        mysql:
+          map_merge:
+            - get_attr: [NovaDBClient, role_data, service_config_settings, mysql]
         rsyslog:
           tripleo_logging_sources_nova_vnc_proxy:
             - {get_param: NovaVncproxyLoggingSource}