heat_template_version: rocky description: > OpenStack Panko service configured with docker. Note, this service is deprecated in Pike release and will be disabled in future releases. parameters: ContainerPankoApiImage: description: image type: string ContainerPankoConfigImage: description: The container image to use for the panko config_volume type: string EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json DefaultPasswords: default: {} type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json EnableInternalTLS: type: boolean default: false MonitoringSubscriptionPankoApi: default: 'overcloud-ceilometer-panko-api' type: string PankoApiPolicies: description: | A hash of policies to configure for Panko API. e.g. { panko-context_is_admin: { key: context_is_admin, value: 'role:admin' } } default: {} type: json PankoEventTTL: description: Number of seconds that events are kept in the database default: '86400' type: string PankoPassword: description: The password for the panko services. type: string hidden: true Debug: default: false description: Set to True to enable debugging on all services. type: boolean PankoDebug: default: '' description: Set to True to enable debugging Panko services. type: string constraints: - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE'] KeystoneRegion: type: string default: 'regionOne' description: Keystone region for endpoint EnablePankoExpirer: type: boolean default: true description: Enable panko expirer to periodically delete events from db PankoExpirerMinute: type: string description: > Cron to delete events data from db - Minute default: '1' PankoExpirerHour: type: string description: > Cron to delete events data from db - Hour default: '0' PankoExpirerMonthday: type: string description: > Cron to delete events data from db - Month Day default: '*' PankoExpirerMonth: type: string description: > Cron to delete events data from db - Month default: '*' PankoExpirerWeekday: type: string description: > Cron to delete events from db - Week Day default: '*' conditions: service_debug_unset: {equals : [{get_param: PankoDebug}, '']} internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: ContainersCommon: type: ../../containers-common.yaml MySQLClient: type: ../../database/mysql-client.yaml ApacheServiceBase: type: ../../../deployment/apache/apache-baremetal-puppet.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} PankoApiLogging: type: OS::TripleO::Services::Logging::PankoApi outputs: role_data: description: Role data for the Panko API role. value: service_name: panko_api monitoring_subscription: {get_param: MonitoringSubscriptionPankoApi} config_settings: map_merge: - get_attr: [ApacheServiceBase, role_data, config_settings] - get_attr: [PankoApiLogging, config_settings] - apache::default_vhost: false panko::wsgi::apache::ssl: {get_param: EnableInternalTLS} panko::wsgi::apache::servername: str_replace: template: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, PankoApiNetwork]} panko::policy::policies: {get_param: PankoApiPolicies} panko::api::service_name: 'httpd' panko::api::enable_proxy_headers_parsing: true panko::api::event_time_to_live: {get_param: PankoEventTTL} tripleo::panko_api::firewall_rules: '140 panko-api': dport: - 8977 - 13977 panko::api::host: str_replace: template: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, PankoApiNetwork]} # NOTE: bind IP is found in hiera replacing the network name with the # local node IP for the given network; replacement examples # (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR panko::wsgi::apache::bind_host: str_replace: template: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, PankoApiNetwork]} enable_panko_expirer: {get_param: EnablePankoExpirer} panko::db::database_connection: make_url: scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} username: panko password: {get_param: PankoPassword} host: {get_param: [EndpointMap, MysqlInternal, host]} path: /panko query: read_default_file: /etc/my.cnf.d/tripleo.cnf read_default_group: tripleo panko::logging::debug: if: - service_debug_unset - {get_param: Debug } - {get_param: PankoDebug } panko::auth::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } panko::keystone::authtoken::project_name: 'service' panko::keystone::authtoken::user_domain_name: 'Default' panko::keystone::authtoken::project_domain_name: 'Default' panko::keystone::authtoken::password: {get_param: PankoPassword} panko::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } panko::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } panko::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } panko::auth::auth_password: {get_param: PankoPassword} panko::auth::auth_region: {get_param: KeystoneRegion} panko::auth::auth_tenant_name: 'service' panko::expirer::minute: {get_param: PankoExpirerMinute} panko::expirer::hour: {get_param: PankoExpirerHour} panko::expirer::monthday: {get_param: PankoExpirerMonthday} panko::expirer::month: {get_param: PankoExpirerMonth} panko::expirer::weekday: {get_param: PankoExpirerWeekday} service_config_settings: keystone: panko::keystone::auth::public_url: {get_param: [EndpointMap, PankoPublic, uri]} panko::keystone::auth::internal_url: {get_param: [EndpointMap, PankoInternal, uri]} panko::keystone::auth::admin_url: {get_param: [EndpointMap, PankoAdmin, uri]} panko::keystone::auth::password: {get_param: PankoPassword} panko::keystone::auth::region: {get_param: KeystoneRegion} panko::keystone::auth::tenant: 'service' mysql: panko::db::mysql::user: panko panko::db::mysql::password: {get_param: PankoPassword} panko::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} panko::db::mysql::dbname: panko panko::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" # BEGIN DOCKER SETTINGS # puppet_config: config_volume: panko puppet_tags: panko_api_paste_ini,panko_config step_config: list_join: - "\n" - - "include tripleo::profile::base::panko::api" - {get_attr: [MySQLClient, role_data, step_config]} config_image: {get_param: ContainerPankoConfigImage} kolla_config: /var/lib/kolla/config_files/panko_api.json: command: /usr/sbin/httpd -DFOREGROUND config_files: - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d" dest: "/etc/httpd/conf.d" merge: false preserve_properties: true - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true permissions: - path: /var/log/panko owner: panko:panko recurse: true /var/lib/kolla/config_files/panko_api_cron.json: command: /usr/sbin/crond -n config_files: - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true permissions: - path: /var/log/panko owner: panko:panko recurse: true docker_config: step_2: get_attr: [PankoApiLogging, docker_config, step_2] step_3: panko_db_sync: image: &panko_api_image {get_param: ContainerPankoApiImage} net: host detach: false privileged: false user: root volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - {get_attr: [PankoApiLogging, volumes]} - - /var/lib/config-data/panko/etc/my.cnf.d/tripleo.cnf:/etc/my.cnf.d/tripleo.cnf:ro - /var/lib/config-data/panko/etc/panko:/etc/panko:ro command: # NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part # of the bash -c invocation, so we include them in the quoted db sync command. Hence the # final single quote that's part of the list_join. list_join: - ' ' - - "/usr/bin/bootstrap_host_exec panko_api su panko -s /bin/bash -c '/usr/bin/panko-dbsync" - {get_attr: [PankoApiLogging, cmd_extra_args]} - "'" step_4: panko_api: start_order: 2 image: *panko_api_image net: host privileged: false restart: always healthcheck: test: /openstack/healthcheck volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - {get_attr: [PankoApiLogging, volumes]} - - /var/lib/kolla/config_files/panko_api.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/panko/:/var/lib/kolla/config_files/src:ro - if: - internal_tls_enabled - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro - '' - if: - internal_tls_enabled - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro - '' environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS panko_api_cron: image: *panko_api_image net: host user: root privileged: false restart: always healthcheck: test: '/usr/share/openstack-tripleo-common/healthcheck/cron panko' volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - {get_attr: [PankoApiLogging, volumes]} - - /var/lib/kolla/config_files/panko_api_cron.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/panko/:/var/lib/kolla/config_files/src:ro environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS host_prep_tasks: {get_attr: [PankoApiLogging, host_prep_tasks]} metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] post_upgrade_tasks: - when: step|int == 1 import_role: name: tripleo-docker-rm vars: containers_to_rm: - panko_api - panko_api_cron tripleo_container_cli: "docker" external_upgrade_tasks: - when: - step|int == 1 tags: - never - system_upgrade_transfer_data - system_upgrade_stop_services block: - name: Stop panko containers import_role: name: tripleo-container-stop vars: tripleo_containers_to_stop: - panko_api - panko_api_cron tripleo_delegate_to: "{{ groups['panko_api'] | default([]) }}"