heat_template_version: rocky description: > OpenStack Octavia API service. parameters: ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json DefaultPasswords: default: {} type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json OctaviaUserName: description: The username for the Octavia database and keystone accounts. type: string default: 'octavia' OctaviaPassword: description: The password for the Octavia database and keystone accounts. type: string hidden: true OctaviaProjectName: description: The project name for the keystone Octavia account. type: string default: 'service' KeystoneRegion: type: string default: 'regionOne' description: Keystone region for endpoint MonitoringSubscriptionOctaviaApi: default: 'overcloud-octavia-api' type: string OctaviaApiLoggingSource: type: json default: tag: openstack.octavia.api path: /var/log/octavia/api.log OctaviaApiPolicies: description: | A hash of policies to configure for Octavia API. e.g. { octavia-context_is_admin: { key: context_is_admin, value: 'role:admin' } } default: {} type: json EnableInternalTLS: type: boolean default: false conditions: use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} resources: TLSProxyBase: type: OS::TripleO::Services::TLSProxyBase properties: ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} EnableInternalTLS: {get_param: EnableInternalTLS} OctaviaBase: type: ./octavia-base.yaml properties: ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} OctaviaController: type: ./octavia-controller.yaml properties: ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} outputs: role_data: description: Role data for the Octavia API service. value: service_name: octavia_api monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaApi} config_settings: map_merge: - get_attr: [OctaviaBase, role_data, config_settings] - get_attr: [OctaviaController, role_data, config_settings] - get_attr: [TLSProxyBase, role_data, config_settings] - octavia::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } octavia::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } octavia::policy::policies: {get_param: OctaviaApiPolicies} octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} octavia::keystone::authtoken::project_name: {get_param: OctaviaProjectName} octavia::keystone::authtoken::password: {get_param: OctaviaPassword} octavia::api::sync_db: true tripleo::octavia_api::firewall_rules: '120 octavia api': dport: - 9876 - 13876 # NOTE: bind IP is found in hiera replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR tripleo::profile::base::octavia::api::tls_proxy_bind_ip: str_replace: template: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]} tripleo::profile::base::octavia::api::tls_proxy_fqdn: str_replace: template: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]} tripleo::profile::base::octavia::api::tls_proxy_port: get_param: [EndpointMap, OctaviaInternal, port] # Bind to localhost if internal TLS is enabled, since we put a TLS # proxy in front. octavia::api::host: if: - use_tls_proxy - '127.0.0.1' - str_replace: template: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]} step_config: | include tripleo::profile::base::octavia::api service_config_settings: fluentd: tripleo_fluentd_groups_octavia_api: - octavia tripleo_fluentd_sources_octavia_api: - {get_param: OctaviaApiLoggingSource} keystone: octavia::keystone::auth::tenant: {get_param: OctaviaProjectName} octavia::keystone::auth::public_url: {get_param: [EndpointMap, OctaviaPublic, uri]} octavia::keystone::auth::internal_url: { get_param: [ EndpointMap, OctaviaInternal, uri ] } octavia::keystone::auth::admin_url: { get_param: [ EndpointMap, OctaviaAdmin, uri ] } octavia::keystone::auth::password: {get_param: OctaviaPassword} octavia::keystone::auth::region: {get_param: KeystoneRegion} mysql: octavia::db::mysql::password: {get_param: OctaviaPassword} octavia::db::mysql::user: {get_param: OctaviaUserName} octavia::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} octavia::db::mysql::dbname: octavia octavia::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" metadata_settings: get_attr: [TLSProxyBase, role_data, metadata_settings]