heat_template_version: rocky description: > OpenStack containerized swift proxy service parameters: DockerSwiftProxyImage: description: image type: string DockerSwiftConfigImage: description: The container image to use for the swift config_volume type: string EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json DefaultPasswords: default: {} type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json SwiftEncryptionEnabled: description: Set to True to enable data-at-rest encryption in Swift default: false type: boolean DeployIdentifier: default: '' type: string description: > Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. SwiftPassword: description: The password for the swift service account type: string hidden: true SwiftProxyNodeTimeout: default: 60 description: Timeout for requests going from swift-proxy to swift a/c/o services. type: number SwiftWorkers: default: 0 description: Number of workers for Swift service. type: string KeystoneRegion: type: string default: 'regionOne' description: Keystone region for endpoint MonitoringSubscriptionSwiftProxy: default: 'overcloud-swift-proxy' type: string SwiftCeilometerPipelineEnabled: description: Set to False to disable the swift proxy ceilometer pipeline. default: false type: boolean SwiftCeilometerIgnoreProjects: default: ['service'] description: Comma-seperated list of project names to ignore. type: comma_delimited_list RpcPort: default: 5672 description: The network port for messaging backend type: number RpcUserName: default: guest description: The username for messaging backend type: string RpcPassword: description: The password for messaging backend type: string hidden: true RpcUseSSL: default: false description: > Messaging client subscriber parameter to specify an SSL connection to the messaging host. type: string EnableInternalTLS: type: boolean default: false SwiftCorsAllowedOrigin: type: string default: '' description: Indicate whether this resource may be shared with the domain received in the request "origin" header. parameter_groups: - label: deprecated description: | The following parameters are deprecated and will be removed. They should not be relied on for new deployments. If you have concerns regarding deprecated parameters, please contact the TripleO development team on IRC or the OpenStack mailing list. parameters: - RpcPort - RpcUserName - RpcPassword conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} swift_encryption_enabled: {equals : [{get_param: SwiftEncryptionEnabled}, true]} ceilometer_pipeline_enabled: {equals : [{get_param: SwiftCeilometerPipelineEnabled}, true]} use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} cors_allowed_origin_unset: {equals : [{get_param: SwiftCorsAllowedOrigin}, '']} swift_workers_zero: {equals : [{get_param: SwiftWorkers}, '0']} resources: ContainersCommon: type: ../containers-common.yaml SwiftBase: type: ./swift-base.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} TLSProxyBase: type: OS::TripleO::Services::TLSProxyBase properties: ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} EnableInternalTLS: {get_param: EnableInternalTLS} outputs: role_data: description: Role data for the swift proxy. value: service_name: swift_proxy monitoring_subscription: {get_param: MonitoringSubscriptionSwiftProxy} config_settings: map_merge: - get_attr: [SwiftBase, role_data, config_settings] - get_attr: [TLSProxyBase, role_data, config_settings] - if: - cors_allowed_origin_unset - {} - swift::proxy::cors_allow_origin: {get_param: SwiftCorsAllowedOrigin} - swift::proxy::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} swift::proxy::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} swift::proxy::authtoken::password: {get_param: SwiftPassword} swift::proxy::authtoken::project_name: 'service' swift::proxy::s3token::auth_uri: {get_param: [EndpointMap, KeystoneV3Internal, uri]} swift::proxy::node_timeout: {get_param: SwiftProxyNodeTimeout} - if: - swift_workers_zero - {} - swift::proxy::workers: {get_param: SwiftWorkers} - if: - ceilometer_pipeline_enabled - swift::proxy::ceilometer::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} swift::proxy::ceilometer::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} swift::proxy::ceilometer::password: {get_param: SwiftPassword} swift::proxy::ceilometer::ignore_projects: {get_param: SwiftCeilometerIgnoreProjects} swift::proxy::ceilometer::nonblocking_notify: true - {} - swift::proxy::staticweb::url_base: {get_param: [EndpointMap, SwiftPublic, uri_no_suffix]} tripleo::profile::base::swift::proxy::ceilometer_messaging_use_ssl: {get_param: RpcUseSSL} tripleo::profile::base::swift::proxy::ceilometer_enabled: {get_param: SwiftCeilometerPipelineEnabled} tripleo::swift_proxy::firewall_rules: '122 swift proxy': dport: - 8080 - 13808 swift::proxy::keystone::operator_roles: - admin - swiftoperator - ResellerAdmin swift::proxy::versioned_writes::allow_versioned_writes: true - if: - swift_encryption_enabled - swift::keymaster::key_id: 'test_id' swift::keymaster::username: 'swift' swift::keymaster::password: {get_param: SwiftPassword} swift::keymaster::project_name: 'service' swift::keymaster::project_domain_id: 'default' swift::keymaster::user_domain_id: 'default' swift::keymaster::auth_endpoint: {get_param: [EndpointMap, KeystoneInternal, uri]} - {} - swift::proxy::pipeline: yaql: expression: $.data.pipeline.where($ != '') data: pipeline: - 'catch_errors' - 'healthcheck' - 'proxy-logging' - 'cache' - 'ratelimit' - 'bulk' - 'tempurl' - 'formpost' - 'authtoken' - 's3api' - 's3token' - 'keystone' - 'staticweb' - 'copy' - 'container_quotas' - 'account_quotas' - 'slo' - 'dlo' - 'versioned_writes' - if: - ceilometer_pipeline_enabled - 'ceilometer' - '' - if: - swift_encryption_enabled - 'kms_keymaster' - '' - if: - swift_encryption_enabled - 'encryption' - '' - 'proxy-logging' - 'proxy-server' swift::proxy::account_autocreate: true # NOTE: bind IP is found in hiera replacing the network name with the # local node IP for the given network; replacement examples # (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR tripleo::profile::base::swift::proxy::tls_proxy_bind_ip: str_replace: template: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]} tripleo::profile::base::swift::proxy::tls_proxy_fqdn: str_replace: template: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]} tripleo::profile::base::swift::proxy::tls_proxy_port: get_param: [EndpointMap, SwiftInternal, port] swift::proxy::port: {get_param: [EndpointMap, SwiftInternal, port]} swift::proxy::proxy_local_net_ip: if: - use_tls_proxy - 'localhost' - str_replace: template: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]} service_config_settings: keystone: swift::keystone::auth::public_url: {get_param: [EndpointMap, SwiftPublic, uri]} swift::keystone::auth::internal_url: {get_param: [EndpointMap, SwiftInternal, uri]} swift::keystone::auth::admin_url: {get_param: [EndpointMap, SwiftAdmin, uri]} swift::keystone::auth::public_url_s3: {get_param: [EndpointMap, SwiftS3Public, uri]} swift::keystone::auth::internal_url_s3: {get_param: [EndpointMap, SwiftS3Internal, uri]} swift::keystone::auth::admin_url_s3: {get_param: [EndpointMap, SwiftS3Admin, uri]} swift::keystone::auth::password: {get_param: SwiftPassword} swift::keystone::auth::region: {get_param: KeystoneRegion} swift::keystone::auth::tenant: 'service' swift::keystone::auth::configure_s3_endpoint: false swift::keystone::auth::operator_roles: - admin - swiftoperator - ResellerAdmin # BEGIN DOCKER SETTINGS puppet_config: config_volume: swift puppet_tags: swift_config,swift_proxy_config,swift_keymaster_config step_config: | include ::tripleo::profile::base::swift::proxy config_image: {get_param: DockerSwiftConfigImage} kolla_config: /var/lib/kolla/config_files/swift_proxy.json: command: /usr/bin/swift-proxy-server /etc/swift/proxy-server.conf config_files: - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true /var/lib/kolla/config_files/swift_proxy_tls_proxy.json: command: /usr/sbin/httpd -DFOREGROUND config_files: - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d" dest: "/etc/httpd/conf.d" merge: false preserve_properties: true - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true container_config_scripts: create_swift_secret.sh: mode: "0700" content: | #!/bin/bash export OS_PROJECT_DOMAIN_ID=$(crudini --get /etc/swift/keymaster.conf kms_keymaster project_domain_id) export OS_USER_DOMAIN_ID=$(crudini --get /etc/swift/keymaster.conf kms_keymaster user_domain_id) export OS_PROJECT_NAME=$(crudini --get /etc/swift/keymaster.conf kms_keymaster project_name) export OS_USERNAME=$(crudini --get /etc/swift/keymaster.conf kms_keymaster username) export OS_PASSWORD=$(crudini --get /etc/swift/keymaster.conf kms_keymaster password) export OS_AUTH_URL=$(crudini --get /etc/swift/keymaster.conf kms_keymaster auth_endpoint) export OS_AUTH_TYPE=password export OS_IDENTITY_API_VERSION=3 echo "Check if secret already exists" secret_href=$(openstack secret list --name swift_root_secret_uuid) rc=$? if [[ $rc != 0 ]]; then echo "Failed to check secrets, check if Barbican in enabled and responding properly" exit $rc; fi if [ -z "$secret_href" ]; then echo "Create new secret" order_href=$(openstack secret order create --name swift_root_secret_uuid --payload-content-type="application/octet-stream" --algorithm aes --bit-length 256 --mode ctr key -f value -c "Order href") fi set_swift_keymaster_key_id.sh: mode: "0700" content: | #!/bin/bash export OS_PROJECT_DOMAIN_ID=$(crudini --get /etc/swift/keymaster.conf kms_keymaster project_domain_id) export OS_USER_DOMAIN_ID=$(crudini --get /etc/swift/keymaster.conf kms_keymaster user_domain_id) export OS_PROJECT_NAME=$(crudini --get /etc/swift/keymaster.conf kms_keymaster project_name) export OS_USERNAME=$(crudini --get /etc/swift/keymaster.conf kms_keymaster username) export OS_PASSWORD=$(crudini --get /etc/swift/keymaster.conf kms_keymaster password) export OS_AUTH_URL=$(crudini --get /etc/swift/keymaster.conf kms_keymaster auth_endpoint) export OS_AUTH_TYPE=password export OS_IDENTITY_API_VERSION=3 echo "retrieve key_id" loop_wait=2 for i in {0..5}; do #TODO update uuid from mistral here too secret_href=$(openstack secret list --name swift_root_secret_uuid) if [ "$secret_href" ]; then echo "set key_id in keymaster.conf" secret_href=$(openstack secret list --name swift_root_secret_uuid -f value -c "Secret href") crudini --set /etc/swift/keymaster.conf kms_keymaster key_id ${secret_href##*/} exit 0 else echo "no key, wait for $loop_wait and check again" sleep $loop_wait ((loop_wait++)) fi done echo "Failed to set secret in keymaster.conf, check if Barbican is enabled and responding properly" exit 1 docker_config: step_4: map_merge: - if: - swift_encryption_enabled - create_swift_secret: # NOTE: Barbican should be started before creating secrets start_order: 0 image: &swift_proxy_image {get_param: DockerSwiftProxyImage} net: host detach: false volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - /var/lib/config-data/puppet-generated/swift/etc/swift:/etc/swift:ro - /var/lib/container-config-scripts/create_swift_secret.sh:/create_swift_secret.sh:ro user: root command: "/usr/bin/bootstrap_host_exec swift_proxy /create_swift_secret.sh" - {} - if: - swift_encryption_enabled - set_swift_secret: start_order: 1 image: *swift_proxy_image net: host detach: false volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - /var/lib/config-data/puppet-generated/swift/etc/swift:/etc/swift:rw - /var/lib/container-config-scripts/set_swift_keymaster_key_id.sh:/set_swift_keymaster_key_id.sh:ro user: root command: "/set_swift_keymaster_key_id.sh" environment: # NOTE: this should force this container to re-run on each # update (scale-out, etc.) - list_join: - '' - - 'TRIPLEO_DEPLOY_IDENTIFIER=' - {get_param: DeployIdentifier} - {} - swift_proxy: image: *swift_proxy_image start_order: 2 net: host user: swift restart: always healthcheck: test: /openstack/healthcheck volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - /var/lib/kolla/config_files/swift_proxy.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/swift/:/var/lib/kolla/config_files/src:ro - /run:/run - /srv/node:/srv/node - /dev:/dev environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - if: - internal_tls_enabled - swift_proxy_tls_proxy: image: *swift_proxy_image net: host user: root restart: always volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - /var/lib/kolla/config_files/swift_proxy_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/swift/:/var/lib/kolla/config_files/src:ro - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - {} host_prep_tasks: - name: create persistent directories file: path: "{{ item.path }}" state: directory setype: "{{ item.setype }}" with_items: - { 'path': /srv/node, 'setype': svirt_sandbox_file_t } - { 'path': /var/log/swift, 'setype': svirt_sandbox_file_t } - stat: path=/var/log/swift register: swift_log_stat - name: Create swift logging symlink file: src: /var/log/swift dest: /var/log/containers/swift state: link when: swift_log_stat.stat.exists - name: Check if rsyslog exists shell: systemctl list-unit-files --type=service | grep -q rsyslog register: rsyslog_config failed_when: rsyslog_config.rc == 2 - block: - name: Forward logging to swift.log file copy: content: | # Fix for https://bugs.launchpad.net/tripleo/+bug/1776180 local2.* /var/log/swift/swift.log & stop dest: /etc/rsyslog.d/openstack-swift.conf register: logconfig - name: Restart rsyslogd service after logging conf change service: name=rsyslog state=restarted when: - logconfig is changed when: rsyslog_config.rc == 0 metadata_settings: get_attr: [TLSProxyBase, role_data, metadata_settings] post_upgrade_tasks: - when: step|int == 1 import_role: name: tripleo-docker-rm vars: containers_to_rm: list_concat: - - swift_proxy - - if: - internal_tls_enabled - - swift_proxy_tls_proxy - null fast_forward_upgrade_tasks: - when: - step|int == 0 - release == 'ocata' block: - name: Check if swift-proxy or swift-object-expirer are deployed command: systemctl is-enabled --quiet "{{ item }}" ignore_errors: True register: swift_proxy_services_enabled_result with_items: - openstack-swift-proxy - openstack-swift-object-expirer - name: Set fact swift_proxy_services_enabled set_fact: swift_proxy_services_enabled: "{{ swift_proxy_services_enabled_result }}" - name: Stop swift-proxy and swift-object-expirer services service: name={{ item.item }} state=stopped enabled=no with_items: "{{ swift_proxy_services_enabled.results }}" when: - step|int == 1 - release == 'ocata' - item.rc == 0