heat_template_version: wallaby

description: >
  Qpid dispatch router service for metrics and monitoring purposes

parameters:
  ContainerMetricsQdrImage:
    description: image
    type: string
  ContainerMetricsQdrConfigImage:
    description: The container image to use for the qdrouterd config_volume
    type: string
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry. Use
                 parameter_merge_strategies to merge it with the defaults.
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  MonitoringSubscriptionQdr:
    default: 'overcloud-qdr'
    type: string
  MetricsQdrLoggingSource:
    type: json
    default:
      tag: openstack.nova.consoleauth
      file: /var/log/containers/metrics_qdr/metrics_qdr.log
      startmsg.regex: '^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}(.[0-9]+ \\+[0-9]+)? [A-Z]+ \\([a-z]+\\) '
  MetricsQdrPort:
    default: 5666
    description: Service name or port number on which the qdrouterd will accept
                 connections.
    type: number
  MetricsQdrUsername:
    default: 'guest'
    description: Username which should be used to authenticate to the deployed
                 qdrouterd.
    type: string
  MetricsQdrPassword:
    default: 'guest'
    description: Password which should be used to authenticate to the deployed
                 qdrouterd.
    type: string
    hidden: true
  MetricsQdrConnectors:
    default: []
    description: Connectors configuration (array of hashes).
    type: json
  MetricsQdrSSLProfiles:
    default:
      - name: sslProfile
    description: SSL Profiles for the connectors (array of hashes).
    type: json
  MetricsQdrAddresses:
    default:
      - prefix: 'collectd'
        distribution: multicast
      - prefix: 'ceilometer/metering.sample'
        distribution: multicast
      - prefix: 'ceilometer/event.sample'
        distribution: multicast
    description: Addresses configuration (array of hashes).
    type: json
  MetricsQdrAutoLinks:
    default: []
    description: AutoLinks for the Configured Addresses
    type: json
  MetricsQdrUseSSL:
    default: false
    description: Set to true if it is required to use SSL or TLS on the connection for
      the local listener. !WARNING! Currently breaks connections from collectd and ceilometer.
    type: boolean
  MetricsQdrUseEncryption:
    default: false
    description: Set to true if it is required to encrypt connection to the peer for
      listener. Not currently implemented, use EnableInternalTLS instead. This option can be ignored.
    type: boolean
  MetricsQdrSaslMechanisms:
    default: 'ANONYMOUS'
    description: List of accepted SASL auth mechanisms for listener in format
                 of comma separated list.
    type: string
  MetricsQdrSslCertDb:
    default: '/etc/ipa/ca.crt'
    description: Path to SSL certificate db for listener.
    type: string
  MetricsQdrSslCertFile:
    default: '/etc/pki/tls/certs/metrics_qdr.crt'
    description: Path to SSL certificate file for listener.
    type: string
  MetricsQdrSslKeyFile:
    default: '/etc/pki/tls/private/metrics_qdr.key'
    description: Path to SSL private key file for listener.
    type: string
  MetricsQdrSslPwFile:
    default: ''
    description: Path to SSL password file for certificate key for listener.
    type: string
  MetricsQdrSslPassword:
    default: ''
    description: SSL password to be supplied for listener.
    type: string
  MetricsQdrTrustedCerts:
    default: ''
    description: Path to file containing trusted certificates for listener.
    type: string
  MetricsQdrAuthenticateClient:
    default: false
    description: Authenticate the client using SSL/TLS
    type: boolean
  MetricsQdrExternalEndpoint:
    default: false
    description: Whether QDR should listen on external network interface. To enable
      listening on external network one must deploy QDRs in mesh mode.
    type: boolean
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
    description: Specifies the default CA cert to use if TLS is used for
                 services in the internal network.
  EnableInternalTLS:
    type: boolean
    default: false
  EnableSTF:
    default: false
    description: Set to true to enable configuration for STF client.
    type: boolean
  CertificateKeySize:
    type: string
    default: '2048'
    description: Specifies the private key size used when creating the
                 certificate.
  QdrCertificateKeySize:
    type: string
    default: ''
    description: Override the private key size used when creating the
                 certificate for this service

conditions:
  key_size_override_set:
    not: {equals: [{get_param: QdrCertificateKeySize}, '']}

resources:
  ContainersCommon:
    type: ../containers-common.yaml

outputs:
  role_data:
    description: Role data for the metrics Qdr role.
    value:
      service_name: metrics_qdr
      firewall_rules:
        map_merge:
          - '109 metrics qdr':
              dport:
                - {get_param: MetricsQdrPort}
          - map_merge:
              repeat:
                for_each:
                  <%net_cidr%>: {get_param: [ServiceData, net_cidr_map, ctlplane]}
                template:
                  '109 accept internal metrics qdr ctlplane subnet <%net_cidr%>':
                    dport:
                      - 5667
                      - 5668
      monitoring_subscription: {get_param: MonitoringSubscriptionQdr}
      service_config_settings:
        rsyslog:
          tripleo_logging_sources_metrics_qdr:
            - {get_param: MetricsQdrLoggingSource}
      config_settings:
        map_merge:
          - tripleo::profile::base::metrics::qdr::listener_addr:
              str_replace:
                template:
                  "%{hiera('$NETWORK')}"
                params:
                  $NETWORK:
                    get_param:
                      - ServiceNetMap
                      - str_replace:
                          template: "ROLENAMEMetricsQdrNetwork"
                          params:
                            ROLENAME: {get_param: RoleName}
            tripleo::haproxy::metrics_qdr: {get_param: MetricsQdrExternalEndpoint}
            tripleo::profile::base::metrics::qdr::listener_port: {get_param: MetricsQdrPort}
            tripleo::profile::base::metrics::qdr::username: {get_param: MetricsQdrUsername}
            tripleo::profile::base::metrics::qdr::password: {get_param: MetricsQdrPassword}
            tripleo::profile::base::metrics::qdr::connectors: {get_param: MetricsQdrConnectors}
            tripleo::profile::base::metrics::qdr::addresses: {get_param: MetricsQdrAddresses}
            tripleo::profile::base::metrics::qdr::autolink_addresses: {get_param: MetricsQdrAutoLinks}
            # ssl support
            tripleo::profile::base::metrics::qdr::listener_require_ssl: {get_param: MetricsQdrUseSSL}
            tripleo::profile::base::metrics::qdr::listener_require_encrypt: {get_param: MetricsQdrUseEncryption}
            tripleo::profile::base::metrics::qdr::listener_sasl_mech: {get_param: MetricsQdrSaslMechanisms}
            tripleo::profile::base::metrics::qdr::listener_ssl_cert_db: {get_param: MetricsQdrSslCertDb}
            tripleo::profile::base::metrics::qdr::listener_ssl_cert_file: {get_param: MetricsQdrSslCertFile}
            tripleo::profile::base::metrics::qdr::listener_ssl_key_file: {get_param: MetricsQdrSslKeyFile}
            tripleo::profile::base::metrics::qdr::listener_ssl_pw_file: {get_param: MetricsQdrSslPwFile}
            tripleo::profile::base::metrics::qdr::listener_ssl_password: {get_param: MetricsQdrSslPassword}
            tripleo::profile::base::metrics::qdr::listener_trusted_certs: {get_param: MetricsQdrTrustedCerts}
            qdr::log_enable: 'info+'
            qdr::log_output: '/var/log/qdrouterd/metrics_qdr.log'
            qdr::listener_auth_peer: {get_param: MetricsQdrAuthenticateClient}
            tripleo::profile::base::metrics::qdr::ssl_profiles:
              if:
                - {get_param: EnableInternalTLS}
                - list_concat:
                  - get_param: MetricsQdrSSLProfiles
                  - - name: 'tlsProfile'
                      certFile: '/etc/pki/tls/certs/metrics_qdr.crt'
                      keyFile: '/etc/pki/tls/private/metrics_qdr.key'
                      caCertFile: {get_param: InternalTLSCAFile}
                - {get_param: MetricsQdrSSLProfiles}
          - if:
            - {get_param: EnableSTF}
            - tripleo::profile::base::metrics::qdr::interior_mesh_nodes: ''
              tripleo::profile::base::metrics::qdr::router_mode: edge
      metadata_settings:
        if:
          - {get_param: EnableInternalTLS}
          - - service: metrics_qdr
              network:
                get_param:
                  - ServiceNetMap
                  - str_replace:
                      template: "ROLENAMEMetricsQdrNetwork"
                      params:
                        ROLENAME: {get_param: RoleName}
              type: node
      # BEGIN DOCKER SETTINGS
      puppet_config:
        config_volume: metrics_qdr
        step_config: |
          include tripleo::profile::base::metrics::qdr
        config_image: {get_param: ContainerMetricsQdrConfigImage}
      kolla_config:
        /var/lib/kolla/config_files/metrics_qdr.json:
          command: /usr/sbin/qdrouterd -c /etc/qpid-dispatch/qdrouterd.conf
          config_files:
            - source: "/var/lib/kolla/config_files/src/*"
              dest: "/"
              merge: true
              preserve_properties: true
            - source: "/var/lib/kolla/config_files/src-tls/*"
              dest: "/"
              merge: true
              preserve_properties: true
              optional: true
          permissions:
            - path: /var/lib/qdrouterd
              owner: qdrouterd:qdrouterd
              recurse: true
            - path: /etc/pki/tls/certs/metrics_qdr.crt
              owner: qdrouterd:qdrouterd
              optional: true
            - path: /etc/pki/tls/private/metrics_qdr.key
              owner: qdrouterd:qdrouterd
              optional: true
      docker_config:
        step_1:
          metrics_qdr_init_logs:
            start_order: 0
            detach: false
            image: &qdrouterd_image {get_param: ContainerMetricsQdrImage}
            net: none
            privileged: false
            user: root
            volumes:
              - /var/log/containers/metrics_qdr:/var/log/qdrouterd:z
            command: ['/bin/bash', '-c', 'chown -R qdrouterd:qdrouterd /var/log/qdrouterd']
          metrics_qdr:
            start_order: 1
            image: *qdrouterd_image
            net: host
            user: qdrouterd
            privileged: false
            restart: always
            healthcheck:
              test: /openstack/healthcheck
            volumes:
              list_concat:
                - {get_attr: [ContainersCommon, volumes]}
                -
                  - /var/lib/kolla/config_files/metrics_qdr.json:/var/lib/kolla/config_files/config.json:ro
                  - /var/lib/config-data/puppet-generated/metrics_qdr:/var/lib/kolla/config_files/src:ro
                  - /var/lib/metrics_qdr:/var/lib/qdrouterd:z
                  - /var/log/containers/metrics_qdr:/var/log/qdrouterd:z
                - if:
                  - {get_param: EnableInternalTLS}
                  - - /etc/pki/tls/certs/metrics_qdr.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/metrics_qdr.crt:ro
                    - /etc/pki/tls/private/metrics_qdr.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/metrics_qdr.key:ro
            environment:
              KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
      deploy_steps_tasks:
        - name: Certificate generation
          when:
            - step|int == 1
            - enable_internal_tls
          block:
            - include_role:
                name: linux-system-roles.certificate
              vars:
                certificate_requests:
                  - name: metrics_qdr
                    dns:
                      str_replace:
                        template: "{{fqdn_NETWORK}}"
                        params:
                          NETWORK:
                            get_param:
                              - ServiceNetMap
                              - str_replace:
                                  template: "ROLENAMEMetricsQdrNetwork"
                                  params:
                                    ROLENAME: {get_param: RoleName}
                    principal:
                      str_replace:
                        template: "metrics_qdr/{{fqdn_NETWORK}}@{{idm_realm}}"
                        params:
                          NETWORK:
                            get_param:
                              - ServiceNetMap
                              - str_replace:
                                  template: "ROLENAMEMetricsQdrNetwork"
                                  params:
                                    ROLENAME: {get_param: RoleName}
                    run_after: |
                      container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep metrics_qdr)
                      service_crt="/etc/pki/tls/certs/metrics_qdr.crt"
                      service_key="/etc/pki/tls/private/metrics_qdr.key
                      # Copy the new cert from the mount-point to the real path
                      {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
                      # Copy the new key from the mount-point to the real path
                      {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
                      # Set appropriate permissions
                      {{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_crt"
                      {{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_key"
                      # Trigger a container restart to read the new certificate
                      {{container_cli}} restart "$container_name"
                    key_size:
                      if:
                        - key_size_override_set
                        - {get_param: QdrCertificateKeySize}
                        - {get_param: CertificateKeySize}
                    ca: ipa
      host_prep_tasks:
        - name: create persistent logs directory
          file:
            path: "{{ item.path }}"
            state: directory
            setype: "{{ item.setype }}"
            mode: "{{ item.mode|default(omit) }}"
          with_items:
            - { 'path': /var/log/containers/metrics_qdr, 'setype': container_file_t, 'mode': '0750' }
            - { 'path': /var/lib/metrics_qdr, 'setype': container_file_t }