Mv Nova, Neutron, Horizon out of controller.yaml

This patch moves the settings for Nova, Neutron, and Horizon
out of controller.yaml.

Also fixes the NovaPassword settings in nova-base.yaml
so they don't use get_input.

Also, creates a new apache.yaml base service to contain shared
apache settings for several services which use Apache for WSGI.

Co-Authored-By: Giulio Fidente <gfidente@redhat.com>

Change-Id: I35d909bd5abc23976b5732a2b9af31cf1448838e
Related-bug: #1604414
Dan Prince 2016-08-26 12:41:53 -04:00
parent a02cee9e3b
commit e3cb92a5db
15 changed files with 232 additions and 162 deletions


@ -13,6 +13,7 @@ parameters:
ServiceNetMapDefaults: ServiceNetMapDefaults:
default: default:
ApacheNetwork: internal_api
NeutronTenantNetwork: tenant NeutronTenantNetwork: tenant
CeilometerApiNetwork: internal_api CeilometerApiNetwork: internal_api
AodhApiNetwork: internal_api AodhApiNetwork: internal_api


@ -130,6 +130,7 @@ resource_registry:
# services # services
OS::TripleO::Services: puppet/services/services.yaml OS::TripleO::Services: puppet/services/services.yaml
OS::TripleO::Services::Apache: puppet/services/apache.yaml
OS::TripleO::Services::CACerts: puppet/services/ca-certs.yaml OS::TripleO::Services::CACerts: puppet/services/ca-certs.yaml
OS::TripleO::Services::CephMon: OS::Heat::None OS::TripleO::Services::CephMon: OS::Heat::None
OS::TripleO::Services::CephOSD: OS::Heat::None OS::TripleO::Services::CephOSD: OS::Heat::None


@ -435,7 +435,6 @@ resources:
properties: properties:
CloudDomain: {get_param: CloudDomain} CloudDomain: {get_param: CloudDomain}
controllerExtraConfig: {get_param: controllerExtraConfig} controllerExtraConfig: {get_param: controllerExtraConfig}
HorizonSecret: {get_resource: HorizonSecret}
PcsdPassword: {get_resource: PcsdPassword} PcsdPassword: {get_resource: PcsdPassword}
RedisVirtualIP: {get_attr: [RedisVirtualIP, ip_address]} RedisVirtualIP: {get_attr: [RedisVirtualIP, ip_address]}
RedisVirtualIPUri: {get_attr: [RedisVirtualIP, ip_address_uri]} RedisVirtualIPUri: {get_attr: [RedisVirtualIP, ip_address_uri]}


@ -83,10 +83,6 @@ parameters:
type: string type: string
constraints: constraints:
- custom_constraint: nova.flavor - custom_constraint: nova.flavor
HorizonSecret:
description: Secret key for Django
type: string
hidden: true
controllerImage: controllerImage:
type: string type: string
default: overcloud-full default: overcloud-full
@ -96,10 +92,6 @@ parameters:
default: 'REBUILD_PRESERVE_EPHEMERAL' default: 'REBUILD_PRESERVE_EPHEMERAL'
description: What policy to use when reconstructing instances. REBUILD for rebuilds, REBUILD_PRESERVE_EPHEMERAL to preserve /mnt. description: What policy to use when reconstructing instances. REBUILD for rebuilds, REBUILD_PRESERVE_EPHEMERAL to preserve /mnt.
type: string type: string
InstanceNameTemplate:
default: 'instance-%08x'
description: Template string to be used to generate instance names
type: string
KeyName: KeyName:
default: default default: default
description: Name of an existing Nova key pair to enable SSH access to the instances description: Name of an existing Nova key pair to enable SSH access to the instances
@ -110,39 +102,14 @@ parameters:
default: false default: false
description: Whether to manage IPtables rules. description: Whether to manage IPtables rules.
type: boolean type: boolean
MemcachedIPv6:
default: false
description: Enable IPv6 features in Memcached.
type: boolean
PurgeFirewallRules: PurgeFirewallRules:
default: false default: false
description: Whether IPtables rules should be purged before setting up the new ones. description: Whether IPtables rules should be purged before setting up the new ones.
type: boolean type: boolean
NeutronMetadataProxySharedSecret:
description: Shared secret to prevent spoofing
type: string
hidden: true
NeutronPassword:
description: The password for the neutron service and db account, used by neutron agents.
type: string
hidden: true
NeutronPublicInterface: NeutronPublicInterface:
default: nic1 default: nic1
description: What interface to bridge onto br-ex for network nodes. description: What interface to bridge onto br-ex for network nodes.
type: string type: string
NovaEnableDBPurge:
default: true
description: |
Whether to create cron job for purging soft deleted rows in Nova database.
type: boolean
NovaIPv6:
default: false
description: Enable IPv6 features in Nova
type: boolean
NovaPassword:
description: The password for the nova service and db account, used by nova-api.
type: string
hidden: true
PcsdPassword: PcsdPassword:
type: string type: string
description: The password for the 'pcsd' user. description: The password for the 'pcsd' user.
@ -162,10 +129,6 @@ parameters:
default: {} default: {}
description: 'A hash of additional raw devices to use as Swift backend (eg. {sdb: {}})' description: 'A hash of additional raw devices to use as Swift backend (eg. {sdb: {}})'
type: json type: json
UpgradeLevelNovaCompute:
type: string
description: Nova Compute upgrade level
default: ''
ServiceNetMap: ServiceNetMap:
default: {} default: {}
description: Mapping of service_name -> network name. Typically set description: Mapping of service_name -> network name. Typically set
@ -392,43 +355,15 @@ resources:
server: {get_resource: Controller} server: {get_resource: Controller}
input_values: input_values:
bootstack_nodeid: {get_attr: [Controller, name]} bootstack_nodeid: {get_attr: [Controller, name]}
horizon_secret: {get_param: HorizonSecret}
debug: {get_param: Debug} debug: {get_param: Debug}
keystone_identity_uri: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
keystone_auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
keystone_ec2_uri: { get_param: [EndpointMap, KeystoneEC2, uri] }
enable_fencing: {get_param: EnableFencing} enable_fencing: {get_param: EnableFencing}
enable_load_balancer: {get_param: EnableLoadBalancer} enable_load_balancer: {get_param: EnableLoadBalancer}
manage_firewall: {get_param: ManageFirewall} manage_firewall: {get_param: ManageFirewall}
purge_firewall_rules: {get_param: PurgeFirewallRules} purge_firewall_rules: {get_param: PurgeFirewallRules}
neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
nova_enable_db_purge: {get_param: NovaEnableDBPurge}
nova_ipv6: {get_param: NovaIPv6}
corosync_ipv6: {get_param: CorosyncIPv6} corosync_ipv6: {get_param: CorosyncIPv6}
memcached_ipv6: {get_param: MemcachedIPv6}
nova_password: {get_param: NovaPassword}
upgrade_level_nova_compute: {get_param: UpgradeLevelNovaCompute}
instance_name_template: {get_param: InstanceNameTemplate}
fencing_config: {get_param: FencingConfig} fencing_config: {get_param: FencingConfig}
pcsd_password: {get_param: PcsdPassword} pcsd_password: {get_param: PcsdPassword}
enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]} enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]}
glance_api_servers: { get_param: [EndpointMap, GlanceInternal, uri]}
neutron_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NeutronApiNetwork]}]}
nova_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NovaApiNetwork]}]}
nova_metadata_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NovaMetadataNetwork]}]}
horizon_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, HorizonNetwork]}]}
horizon_subnet:
str_replace:
template: "['SUBNET']"
params:
SUBNET:
get_attr:
- NetIpMap
- net_ip_map
- str_replace:
template: "NETWORK_subnet"
params:
NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
redis_vip: {get_param: RedisVirtualIP} redis_vip: {get_param: RedisVirtualIP}
ironic_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, IronicApiNetwork]}]} ironic_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, IronicApiNetwork]}]}
@ -489,37 +424,14 @@ resources:
tripleo::fencing::config: {get_input: fencing_config} tripleo::fencing::config: {get_input: fencing_config}
# Neutron # Neutron
neutron::bind_host: {get_input: neutron_api_network}
neutron::agents::metadata::metadata_ip: {get_input: neutron_api_network}
snmpd_readonly_user_name: {get_input: snmpd_readonly_user_name} snmpd_readonly_user_name: {get_input: snmpd_readonly_user_name}
snmpd_readonly_user_password: {get_input: snmpd_readonly_user_password} snmpd_readonly_user_password: {get_input: snmpd_readonly_user_password}
# Nova
nova::upgrade_level_compute: {get_input: upgrade_level_nova_compute}
nova::use_ipv6: {get_input: nova_ipv6}
nova::api::api_bind_address: {get_input: nova_api_network}
nova::api::metadata_listen: {get_input: nova_metadata_network}
nova::glance_api_servers: {get_input: glance_api_servers}
nova::api::neutron_metadata_proxy_shared_secret: {get_input: neutron_metadata_proxy_shared_secret}
nova::api::instance_name_template: {get_input: instance_name_template}
nova::vncproxy::host: {get_input: nova_api_network}
nova_enable_db_purge: {get_input: nova_enable_db_purge}
# Horizon
apache::mod::remoteip::proxy_ips: {get_input: horizon_subnet}
apache::ip: {get_input: horizon_network}
horizon::django_debug: {get_input: debug}
horizon::secret_key: {get_input: horizon_secret}
horizon::bind_address: {get_input: horizon_network}
horizon::keystone_url: {get_input: keystone_auth_uri}
# Redis # Redis
redis_vip: {get_input: redis_vip} redis_vip: {get_input: redis_vip}
# Firewall # Firewall
tripleo::firewall::manage_firewall: {get_input: manage_firewall} tripleo::firewall::manage_firewall: {get_input: manage_firewall}
tripleo::firewall::purge_firewall_rules: {get_input: purge_firewall_rules} tripleo::firewall::purge_firewall_rules: {get_input: purge_firewall_rules}
# Misc # Misc
memcached_ipv6: {get_input: memcached_ipv6}
tripleo::haproxy::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]} tripleo::haproxy::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]}
tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade} tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade}
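Review bot: The `# Neutron` heading in the last hunk is left behind although both `neutron::` settings under it are removed, so as rendered it now labels the `snmpd_readonly_user_name` and `snmpd_readonly_user_password` lines. Rename it to `# SNMP` or drop it, so a reader looking for where credentials are set is not misled by the heading. The enclosing hieradata mapping starts and ends outside the hunk.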


@ -27,6 +27,13 @@ resources:
DefaultPasswords: {get_param: DefaultPasswords} DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap} EndpointMap: {get_param: EndpointMap}
ApacheServiceBase:
type: ./apache.yaml
properties:
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
outputs: outputs:
role_data: role_data:
description: Role data for the Aodh API service. description: Role data for the Aodh API service.
@ -35,6 +42,7 @@ outputs:
config_settings: config_settings:
map_merge: map_merge:
- get_attr: [AodhBase, role_data, config_settings] - get_attr: [AodhBase, role_data, config_settings]
- get_attr: [ApacheServiceBase, role_data, config_settings]
- aodh::wsgi::apache::ssl: false - aodh::wsgi::apache::ssl: false
aodh::api::service_name: 'httpd' aodh::api::service_name: 'httpd'
tripleo.aodh_api.firewall_rules: tripleo.aodh_api.firewall_rules:
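Review bot: `ApacheServiceBase` is merged after `AodhBase` in this `map_merge`, while the Ceilometer, Gnocchi and Keystone sections of the same commit merge it first. Later maps in `map_merge` override earlier ones, so in this template alone the shared Apache settings would win over a key that AodhBase also sets. Moving `- get_attr: [ApacheServiceBase, role_data, config_settings]` to the top of the list keeps the precedence uniform across services. The list continues outside the hunk.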


@ -0,0 +1,40 @@
heat_template_version: 2016-10-14
description: >
Apache service configured with Puppet. Note this is typically included
automatically via other services which run via Apache.
parameters:
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
outputs:
role_data:
description: Role data for the Apache role.
value:
service_name: apache
config_settings:
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
apache::ip: {get_param: [ServiceNetMap, ApacheNetwork]}
apache_remote_proxy_ips_network:
str_replace:
template: "NETWORK_subnet"
params:
NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]}
apache::mod::remoteip::proxy_ips:
- "%{hiera('apache_remote_proxy_ips_network')}"
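Review bot: `apache::mod::remoteip::proxy_ips` is filled from the `NETWORK_subnet` lookup, which the comment describes as IP/CIDR, so the whole `ApacheNetwork` subnet is presumably rendered as mod_remoteip's trusted-proxy list and any host on that network can have its forwarded client address believed. Listing only the load-balancer addresses would be tighter; at minimum add a comment such as `# trusts the entire ApacheNetwork subnet as proxies; narrow this if non-proxy hosts share the network`. The Horizon section repeats the same three keys against `HorizonNetwork` and carries the same trust assumption. The comment block above `apache::ip` also starts mid-sentence: its opening line `# NOTE: bind IP is found in Heat replacing the network name with the local node IP`, present in the other templates, is missing here.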


@ -28,6 +28,13 @@ resources:
DefaultPasswords: {get_param: DefaultPasswords} DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap} EndpointMap: {get_param: EndpointMap}
ApacheServiceBase:
type: ./apache.yaml
properties:
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
outputs: outputs:
role_data: role_data:
description: Role data for the Ceilometer API role. description: Role data for the Ceilometer API role.
@ -35,6 +42,7 @@ outputs:
service_name: ceilometer_api service_name: ceilometer_api
config_settings: config_settings:
map_merge: map_merge:
- get_attr: [ApacheServiceBase, role_data, config_settings]
- get_attr: [CeilometerServiceBase, role_data, config_settings] - get_attr: [CeilometerServiceBase, role_data, config_settings]
- tripleo.ceilometer_api.firewall_rules: - tripleo.ceilometer_api.firewall_rules:
'124 ceilometer': '124 ceilometer':


@ -35,6 +35,7 @@ parameters:
description: Keystone region for endpoint description: Keystone region for endpoint
resources: resources:
GnocchiServiceBase: GnocchiServiceBase:
type: ./gnocchi-base.yaml type: ./gnocchi-base.yaml
properties: properties:
@ -42,6 +43,13 @@ resources:
DefaultPasswords: {get_param: DefaultPasswords} DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap} EndpointMap: {get_param: EndpointMap}
ApacheServiceBase:
type: ./apache.yaml
properties:
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
outputs: outputs:
role_data: role_data:
description: Role data for the Gnocchi role. description: Role data for the Gnocchi role.
@ -49,6 +57,7 @@ outputs:
service_name: gnocchi_api service_name: gnocchi_api
config_settings: config_settings:
map_merge: map_merge:
- get_attr: [ApacheServiceBase, role_data, config_settings]
- get_attr: [GnocchiServiceBase, role_data, config_settings] - get_attr: [GnocchiServiceBase, role_data, config_settings]
- tripleo.gnocchi_api.firewall_rules: - tripleo.gnocchi_api.firewall_rules:
'129 gnocchi-api': '129 gnocchi-api':


@ -1,4 +1,4 @@
heat_template_version: 2016-04-08 heat_template_version: 2016-10-14
description: > description: >
Horizon service configured with Puppet Horizon service configured with Puppet
@ -10,6 +10,10 @@ parameters:
via parameter_defaults in the resource registry. This via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults. mapping overrides those in ServiceNetMapDefaults.
type: json type: json
Debug:
default: ''
description: Set to True to enable debugging on all services.
type: string
DefaultPasswords: DefaultPasswords:
default: {} default: {}
type: json type: json
@ -22,11 +26,20 @@ parameters:
default: '*' default: '*'
description: A list of IP/Hostname allowed to connect to horizon description: A list of IP/Hostname allowed to connect to horizon
type: comma_delimited_list type: comma_delimited_list
HorizonSecret:
description: Secret key for Django
type: string
hidden: true
default: ''
NeutronMechanismDrivers: NeutronMechanismDrivers:
default: 'openvswitch' default: 'openvswitch'
description: | description: |
The mechanism drivers for the Neutron tenant network. The mechanism drivers for the Neutron tenant network.
type: comma_delimited_list type: comma_delimited_list
MemcachedIPv6:
default: false
description: Enable IPv6 features in Memcached.
type: boolean
outputs: outputs:
role_data: role_data:
@ -51,5 +64,29 @@ outputs:
add_listen: false add_listen: false
priority: 10 priority: 10
access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"' access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
apache::ip: {get_param: [ServiceNetMap, HorizonNetwork]}
apache_remote_proxy_ips_network:
str_replace:
template: "NETWORK_subnet"
params:
NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
apache::mod::remoteip::proxy_ips:
- "%{hiera('apache_remote_proxy_ips_network')}"
horizon::bind_address: {get_param: [ServiceNetMap, HorizonNetwork]}
horizon::django_debug: {get_param: Debug}
horizon::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri]}
horizon::secret_key:
yaql:
expression: $.data.passwords.where($ != '').first()
data:
passwords:
- {get_param: HorizonSecret}
- {get_param: [DefaultPasswords, horizon_secret]}
memcached_ipv6: {get_param: MemcachedIPv6}
step_config: | step_config: |
include ::tripleo::profile::base::horizon include ::tripleo::profile::base::horizon
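Review bot: `HorizonSecret` now defaults to `''`, so the Django secret key depends entirely on the yaql fallback under `horizon::secret_key`. When `DefaultPasswords.horizon_secret` is empty as well, `.first()` has nothing to return and the stack presumably fails with a yaql evaluation error rather than a message naming the missing secret. A comment above the expression, for example `# HorizonSecret or DefaultPasswords.horizon_secret must be non-empty; this key signs dashboard sessions`, would document the requirement. `horizon::django_debug` is also bound to the global `Debug` parameter, so the `Debug` description should mention that it switches on Django debug pages on the dashboard, which show settings and tracebacks to users. The `config_settings` mapping starts outside the hunk.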


@ -84,81 +84,94 @@ parameters:
type: string type: string
description: Set the number of workers for keystone::wsgi::apache description: Set the number of workers for keystone::wsgi::apache
default: '"%{::processorcount}"' default: '"%{::processorcount}"'
resources:
ApacheServiceBase:
type: ./apache.yaml
properties:
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
outputs: outputs:
role_data: role_data:
description: Role data for the Keystone role. description: Role data for the Keystone role.
value: value:
service_name: keystone service_name: keystone
config_settings: config_settings:
keystone::database_connection: config_settings:
list_join: map_merge:
- '' - get_attr: [ApacheServiceBase, role_data, config_settings]
- - {get_param: [EndpointMap, MysqlInternal, protocol]} - keystone::database_connection:
- '://keystone:' list_join:
- {get_param: AdminToken} - ''
- '@' - - {get_param: [EndpointMap, MysqlInternal, protocol]}
- {get_param: [EndpointMap, MysqlInternal, host]} - '://keystone:'
- '/keystone' - {get_param: AdminToken}
keystone::admin_token: {get_param: AdminToken} - '@'
keystone::roles::admin::password: {get_param: AdminPassword} - {get_param: [EndpointMap, MysqlInternal, host]}
keystone_ssl_certificate: {get_param: KeystoneSSLCertificate} - '/keystone'
keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey} keystone::admin_token: {get_param: AdminToken}
keystone::enable_proxy_headers_parsing: true keystone::roles::admin::password: {get_param: AdminPassword}
keystone::debug: {get_param: Debug} keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
keystone::db::mysql::password: {get_param: AdminToken} keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
keystone::rabbit_userid: {get_param: RabbitUserName} keystone::enable_proxy_headers_parsing: true
keystone::rabbit_password: {get_param: RabbitPassword} keystone::debug: {get_param: Debug}
keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL} keystone::db::mysql::password: {get_param: AdminToken}
keystone::rabbit_port: {get_param: RabbitClientPort} keystone::rabbit_userid: {get_param: RabbitUserName}
keystone::notification_driver: {get_param: KeystoneNotificationDriver} keystone::rabbit_password: {get_param: RabbitPassword}
keystone::notification_format: {get_param: KeystoneNotificationFormat} keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
keystone::roles::admin::email: {get_param: AdminEmail} keystone::rabbit_port: {get_param: RabbitClientPort}
keystone::roles::admin::password: {get_param: AdminPassword} keystone::notification_driver: {get_param: KeystoneNotificationDriver}
keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]} keystone::notification_format: {get_param: KeystoneNotificationFormat}
keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} keystone::roles::admin::email: {get_param: AdminEmail}
keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} keystone::roles::admin::password: {get_param: AdminPassword}
keystone::endpoint::region: {get_param: KeystoneRegion} keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge} keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]} keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
keystone::db::mysql::user: keystone keystone::endpoint::region: {get_param: KeystoneRegion}
keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
keystone::db::mysql::dbname: keystone keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
keystone::db::mysql::allowed_hosts: keystone::db::mysql::user: keystone
- '%' keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
- "%{hiera('mysql_bind_host')}" keystone::db::mysql::dbname: keystone
keystone::rabbit_heartbeat_timeout_threshold: 60 keystone::db::mysql::allowed_hosts:
keystone::cron::token_flush::maxdelay: 3600 - '%'
keystone::roles::admin::service_tenant: 'service' - "%{hiera('mysql_bind_host')}"
keystone::roles::admin::admin_tenant: 'admin' keystone::rabbit_heartbeat_timeout_threshold: 60
keystone::cron::token_flush::destination: '/dev/null' keystone::cron::token_flush::maxdelay: 3600
keystone::config::keystone_config: keystone::roles::admin::service_tenant: 'service'
ec2/driver: keystone::roles::admin::admin_tenant: 'admin'
value: 'keystone.contrib.ec2.backends.sql.Ec2' keystone::cron::token_flush::destination: '/dev/null'
keystone::service_name: 'httpd' keystone::config::keystone_config:
keystone::wsgi::apache::ssl: false ec2/driver:
value: 'keystone.contrib.ec2.backends.sql.Ec2'
keystone::wsgi::apache::workers: {get_param: KeystoneWorkers} keystone::service_name: 'httpd'
# override via extraconfig: keystone::wsgi::apache::ssl: false
keystone::wsgi::apache::threads: 1
keystone::db::database_db_max_retries: -1 keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
keystone::db::database_max_retries: -1 # override via extraconfig:
tripleo.keystone.firewall_rules: keystone::wsgi::apache::threads: 1
'111 keystone': keystone::db::database_db_max_retries: -1
dport: keystone::db::database_max_retries: -1
- 5000 tripleo.keystone.firewall_rules:
- 13000 '111 keystone':
- 35357 dport:
- 13357 - 5000
# NOTE: bind IP is found in Heat replacing the network name with the - 13000
# local node IP for the given network; replacement examples - 35357
# (eg. for internal_api): - 13357
# internal_api -> IP # NOTE: bind IP is found in Heat replacing the network name with the
# internal_api_uri -> [IP] # local node IP for the given network; replacement examples
# internal_api_subnet - > IP/CIDR # (eg. for internal_api):
# NOTE: this applies to all 4 bind IP settings below... # internal_api -> IP
keystone::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} # internal_api_uri -> [IP]
keystone::public_bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} # internal_api_subnet - > IP/CIDR
keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} # NOTE: this applies to all 4 bind IP settings below...
keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} keystone::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
keystone::public_bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
step_config: | step_config: |
include ::tripleo::profile::base::keystone include ::tripleo::profile::base::keystone
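Review bot: The re-indented mapping still uses `AdminToken` as the MySQL password, both inside `keystone::database_connection` and in `keystone::db::mysql::password`, so the bootstrap admin token and the database credential are one secret that cannot be rotated or revoked separately. Since every line of the block is touched by the `map_merge` wrap anyway, this would be a good place to feed the two database settings from a separate hidden parameter. `keystone::roles::admin::password: {get_param: AdminPassword}` also appears twice in the same mapping; most parsers silently keep the last duplicate, and the second occurrence can be dropped.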


@ -111,5 +111,11 @@ outputs:
'106 vrrp': '106 vrrp':
proto: vrrp proto: vrrp
neutron::server::router_distributed: {get_param: NeutronEnableDVR} neutron::server::router_distributed: {get_param: NeutronEnableDVR}
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
neutron::bind_host: {get_param: [ServiceNetMap, NeutronApiNetwork]}
step_config: | step_config: |
include tripleo::profile::base::neutron::server include tripleo::profile::base::neutron::server


@ -53,5 +53,11 @@ outputs:
neutron::agents::metadata::auth_password: {get_param: NeutronPassword} neutron::agents::metadata::auth_password: {get_param: NeutronPassword}
neutron::agents::metadata::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } neutron::agents::metadata::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
neutron::agents::metadata::auth_tenant: 'service' neutron::agents::metadata::auth_tenant: 'service'
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
neutron::agents::metadata::metadata_ip: {get_param: [ServiceNetMap, NeutronApiNetwork]}
step_config: | step_config: |
include tripleo::profile::base::neutron::metadata include tripleo::profile::base::neutron::metadata


@ -30,6 +30,19 @@ parameters:
type: string type: string
default: 'regionOne' default: 'regionOne'
description: Keystone region for endpoint description: Keystone region for endpoint
NeutronMetadataProxySharedSecret:
description: Shared secret to prevent spoofing
type: string
hidden: true
InstanceNameTemplate:
default: 'instance-%08x'
description: Template string to be used to generate instance names
type: string
NovaEnableDBPurge:
default: true
description: |
Whether to create cron job for purging soft deleted rows in Nova database.
type: boolean
resources: resources:
NovaBase: NovaBase:
@ -75,5 +88,16 @@ outputs:
nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]} nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]}
nova::keystone::auth::password: {get_param: NovaPassword} nova::keystone::auth::password: {get_param: NovaPassword}
nova::keystone::auth::region: {get_param: KeystoneRegion} nova::keystone::auth::region: {get_param: KeystoneRegion}
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
nova::api::api_bind_address: {get_param: [ServiceNetMap, NovaApiNetwork]}
nova::api::metadata_listen: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
nova::api::instance_name_template: {get_param: InstanceNameTemplate}
nova_enable_db_purge: {get_param: NovaEnableDBPurge}
step_config: | step_config: |
include tripleo::profile::base::nova::api include tripleo::profile::base::nova::api


@ -95,14 +95,14 @@ outputs:
- '@' - '@'
- {get_param: [EndpointMap, MysqlInternal, host]} - {get_param: [EndpointMap, MysqlInternal, host]}
- '/nova_api' - '/nova_api'
nova::db::mysql::password: {get_input: nova_password} nova::db::mysql::password: {get_param: NovaPassword}
nova::db::mysql::user: nova nova::db::mysql::user: nova
nova::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} nova::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
nova::db::mysql::dbname: nova nova::db::mysql::dbname: nova
nova::db::mysql::allowed_hosts: nova::db::mysql::allowed_hosts:
- '%' - '%'
- "%{hiera('mysql_bind_host')}" - "%{hiera('mysql_bind_host')}"
nova::db::mysql_api::password: {get_input: nova_password} nova::db::mysql_api::password: {get_param: NovaPassword}
nova::db::mysql_api::user: nova_api nova::db::mysql_api::user: nova_api
nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
nova::db::mysql_api::dbname: nova_api nova::db::mysql_api::dbname: nova_api
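Review bot: `nova::db::mysql::password` and `nova::db::mysql_api::password` both read `NovaPassword`, which the parameter description removed from the controller template calls "the password for the nova service and db account", so the Keystone service credential and two database credentials stay a single secret. Together with the `'%'` entry in `allowed_hosts`, a disclosure of that one value is usable from any host that can reach MySQL. A comment above the two settings would record this, for example `# NovaPassword is shared by the nova service account and both DB users; rotate them together`. The `NovaPassword` declaration is outside the hunk; confirm it is declared in this template with `hidden: true`.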


@ -46,5 +46,11 @@ outputs:
'[': '' '[': ''
']': '' ']': ''
nova::vncproxy::common::vncproxy_port: {get_param: [EndpointMap, NovaVNCProxyPublic, port]} nova::vncproxy::common::vncproxy_port: {get_param: [EndpointMap, NovaVNCProxyPublic, port]}
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
nova::vncproxy::host: {get_param: [ServiceNetMap, NovaApiNetwork]}
step_config: | step_config: |
include tripleo::profile::base::nova::vncproxy include tripleo::profile::base::nova::vncproxy