heat_template_version: wallaby description: > OpenStack containerized Placement API service parameters: ContainerPlacementImage: description: image type: string ContainerPlacementConfigImage: description: The container image to use for the placement config_volume type: string EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. Use parameter_merge_strategies to merge it with the defaults. type: json EnableSQLAlchemyCollectd: type: boolean description: > Set to true to enable the SQLAlchemy-collectd server plugin default: false RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json DeployIdentifier: default: '' type: string description: > Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. EnableInternalTLS: type: boolean default: false PlacementWorkers: default: 0 description: Number of workers for Placement services. type: number PlacementPassword: description: The password for the Placement service and db account type: string hidden: true EnforceSecureRbac: type: boolean default: false description: >- Setting this option to True will configure each OpenStack service to enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and `[oslo_policy] enforce_scope` to True. This introduces a consistent set of RBAC personas across OpenStack services that include support for system and project scope, as well as keystone's default roles, admin, member, and reader. Do not enable this functionality until all services in your deployment actually support secure RBAC. KeystoneRegion: type: string default: 'regionOne' description: Keystone region for endpoint MonitoringSubscriptionPlacement: default: 'overcloud-placement' type: string PlacementLoggingSource: type: json default: tag: openstack.placement file: /var/log/containers/httpd/placement_wsgi_error_ssl.log Debug: type: boolean default: false description: Set to True to enable debugging on all services. MemcacheUseAdvancedPool: type: boolean description: | Use the advanced (eventlet safe) memcached client pool. default: true PlacementDebug: default: false description: Set to True to enable debugging Placement services. type: boolean PlacementPolicies: description: | A hash of policies to configure for Placement API. e.g. { nova-context_is_admin: { key: context_is_admin, value: 'role:admin' } } default: {} type: json conditions: placement_workers_set: not: {equals : [{get_param: PlacementWorkers}, 0]} resources: ApacheServiceBase: type: ../../deployment/apache/apache-baremetal-puppet.yaml properties: ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} EnableInternalTLS: {get_param: EnableInternalTLS} ContainersCommon: type: ../containers-common.yaml MySQLClient: type: ../database/mysql-client.yaml PlacementLogging: type: OS::TripleO::Services::Logging::PlacementApi outputs: role_data: description: Role data for the Placement API role. value: service_name: placement firewall_rules: '138 placement': dport: - 8778 - 13778 keystone_resources: placement: endpoints: public: {get_param: [EndpointMap, PlacementPublic, uri]} internal: {get_param: [EndpointMap, PlacementInternal, uri]} admin: {get_param: [EndpointMap, PlacementAdmin, uri]} users: placement: password: {get_param: PlacementPassword} region: {get_param: KeystoneRegion} service: 'placement' monitoring_subscription: {get_param: MonitoringSubscriptionPlacement} config_settings: map_merge: - get_attr: [PlacementLogging, config_settings] - apache::default_vhost: false placement::keystone::authtoken::project_name: 'service' placement::keystone::authtoken::password: {get_param: PlacementPassword} placement::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} placement::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} placement::keystone::authtoken::region_name: {get_param: KeystoneRegion} placement::keystone::authtoken::interface: 'internal' placement::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool} placement::policy::enforce_new_defaults: {get_param: EnforceSecureRbac} placement::policy::enforce_scope: {get_param: EnforceSecureRbac} placement::logging::debug: if: - {get_param: PlacementDebug} - true - {get_param: Debug} placement::policy::policies: {get_param: PlacementPolicies} placement::wsgi::apache::api_port: '8778' placement::wsgi::apache::ssl: {get_param: EnableInternalTLS} # NOTE: bind IP is found in hiera replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR placement::wsgi::apache::bind_host: str_replace: template: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, PlacementNetwork]} placement::wsgi::apache::servername: str_replace: template: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, PlacementNetwork]} placement::db::database_connection: make_url: scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} username: placement password: {get_param: PlacementPassword} host: {get_param: [EndpointMap, MysqlInternal, host]} path: /placement query: if: - {get_param: EnableSQLAlchemyCollectd} - read_default_file: /etc/my.cnf.d/tripleo.cnf read_default_group: tripleo plugin: collectd collectd_program_name: placement_api collectd_host: localhost - read_default_file: /etc/my.cnf.d/tripleo.cnf read_default_group: tripleo placement::wsgi::apache::workers: if: - placement_workers_set - {get_param: PlacementWorkers} service_config_settings: rsyslog: tripleo_logging_sources_placement: - {get_param: PlacementLoggingSource} mysql: placement::db::mysql::password: {get_param: PlacementPassword} placement::db::mysql::user: placement placement::db::mysql::host: '%' placement::db::mysql::dbname: placement # BEGIN DOCKER SETTINGS puppet_config: config_volume: placement puppet_tags: placement_config step_config: list_join: - "\n" - - {get_attr: [MySQLClient, role_data, step_config]} - "include tripleo::profile::base::placement::api" config_image: {get_param: ContainerPlacementConfigImage} kolla_config: /var/lib/kolla/config_files/placement_api.json: command: /usr/sbin/httpd -DFOREGROUND config_files: &placement_api_config_files - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d" dest: "/etc/httpd/conf.d" merge: false preserve_properties: true - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d" dest: "/etc/httpd/conf.modules.d" merge: false preserve_properties: true - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true permissions: &placement_api_permissions - path: /var/log/placement owner: placement:placement recurse: true /var/lib/kolla/config_files/placement_api_db_sync.json: command: "/usr/bin/bootstrap_host_exec placement su placement -s /bin/bash -c '/usr/bin/placement-manage db sync'" config_files: *placement_api_config_files permissions: *placement_api_permissions /var/lib/kolla/config_files/placement_api_wait_for_service.json: command: "/usr/bin/bootstrap_host_exec placement su placement -s /bin/bash -c '/container-config-scripts/pyshim.sh /container-config-scripts/placement_wait_for_service.py'" config_files: *placement_api_config_files permissions: *placement_api_permissions container_config_scripts: map_merge: - {get_attr: [ContainersCommon, container_config_scripts]} - placement_wait_for_service.py: mode: "0755" content: { get_file: ../../container_config_scripts/placement_wait_for_service.py } docker_config: step_2: get_attr: [PlacementLogging, docker_config, step_2] step_3: placement_api_db_sync: start_order: 1 image: &placement_api_image {get_param: ContainerPlacementImage} net: host detach: false user: root volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - {get_attr: [PlacementLogging, volumes]} - - /var/lib/kolla/config_files/placement_api_db_sync.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/placement:/var/lib/kolla/config_files/src:ro environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier} step_4: placement_api: start_order: 1 image: *placement_api_image net: host user: root restart: always healthcheck: test: /openstack/healthcheck volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - {get_attr: [PlacementLogging, volumes]} - - /var/lib/kolla/config_files/placement_api.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/placement:/var/lib/kolla/config_files/src:ro - if: - {get_param: EnableInternalTLS} - - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS placement_wait_for_service: start_order: 2 image: *placement_api_image user: root net: host privileged: false detach: false volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - {get_attr: [PlacementLogging, volumes]} - - /var/lib/kolla/config_files/placement_api_wait_for_service.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/placement:/var/lib/kolla/config_files/src:ro - /var/lib/container-config-scripts/:/container-config-scripts/:z environment: __OS_DEBUG: yaql: expression: str($.data.debug) data: debug: {get_param: Debug} KOLLA_CONFIG_STRATEGY: COPY_ALWAYS host_prep_tasks: {get_attr: [PlacementLogging, host_prep_tasks]} deploy_steps_tasks: get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks] upgrade_tasks: []