tripleo-heat-templates/deployment/cephadm/ceph-mgr.yaml
Takashi Kajinami a3dd023773 Define frontend firewall rules separately
This change ensures that firewall rules for haproxy endpoints are
enabled properly even when haproxy and api services are running in
different nodes.

With this change, firewall rule for ssl endpoints are removed from base
firewall rules because these ports are used by haproxy and not used by
api services.

Also, the adhoc implementation to run firewall configurations first is
refactored by the new host_firewall_tasks key. This allows us to
implement tasks to configure firewall in the corresponding resource
template.

Closes-Bug: #1961799
Depends-on: https://review.opendev.org/831547
Change-Id: I07ceab077f9a900f7e2e35af8acd3e7a337ed01a
2022-04-28 04:23:41 +00:00

178 lines
6.0 KiB
YAML

heat_template_version: wallaby
description: >
Ceph Manager service.
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
CephDashboardAdminUser:
default: 'admin'
description: Admin user for the dashboard component
type: string
CephDashboardAdminPassword:
description: Admin password for the dashboard component
type: string
hidden: true
CephEnableDashboard:
type: boolean
default: false
description: Parameter used to trigger the dashboard deployment.
CephDashboardPort:
type: number
default: 8444
description: Parameter that defines the ceph dashboard port.
CephDashboardAdminRO:
type: boolean
default: true
description: Parameter used to set a read-only admin user.
EnableInternalTLS:
type: boolean
default: false
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
CephCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
internal_tls_enabled:
and:
- {get_param: CephEnableDashboard}
- {get_param: EnableInternalTLS}
key_size_override_set:
not: {equals: [{get_param: CephCertificateKeySize}, '']}
resources:
CephBase:
type: ./ceph-base.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
CephMgrAnsibleVars:
type: OS::Heat::Value
properties:
type: json
value:
vars:
tripleo_cephadm_dashboard_admin_user: {get_param: CephDashboardAdminUser}
tripleo_cephadm_dashboard_admin_password: {get_param: CephDashboardAdminPassword}
tripleo_cephadm_dashboard_port: {get_param: CephDashboardPort}
tripleo_cephadm_dashboard_admin_user_ro: {get_param: CephDashboardAdminRO}
tripleo_cephadm_dashboard_protocol:
if:
- internal_tls_enabled
- 'https'
- 'http'
outputs:
role_data:
description: Role data for the Ceph Manager service.
value:
service_name: ceph_mgr
firewall_rules:
'113 ceph_mgr':
dport:
list_concat:
- - '6800-7300'
- if:
- {get_param: CephEnableDashboard}
- - {get_param: CephDashboardPort}
firewall_frontend_rules:
if:
- {get_param: CephEnableDashboard}
- '100 ceph_dashboard':
dport:
- {get_param: CephDashboardPort}
upgrade_tasks: []
puppet_config: {}
docker_config: {}
external_deploy_tasks:
list_concat:
- {get_attr: [CephBase, role_data, external_deploy_tasks]}
- if:
- {get_param: CephEnableDashboard}
- - name: set tripleo-ansible ceph dashboard vars
when: step|int == 1
set_fact:
ceph_dashboard_vars:
if:
- internal_tls_enabled
- map_merge:
- {get_attr: [CephMgrAnsibleVars, value, vars]}
- tripleo_cephadm_dashboard_crt: /etc/pki/tls/certs/ceph_dashboard.crt
- tripleo_cephadm_dashboard_key: /etc/pki/tls/private/ceph_dashboard.key
- tripleo_cephadm_dashboard_grafana_api_no_ssl_verify: true
- {get_attr: [CephMgrAnsibleVars, value, vars]}
metadata_settings:
if:
- internal_tls_enabled
- - service: ceph_dashboard
network: {get_param: [ServiceNetMap, CephDashboardNetwork]}
type: node
deploy_steps_tasks:
if:
- internal_tls_enabled
- - name: Certificate generation
when:
- step|int == 1
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ceph_dashboard
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
principal:
str_replace:
template: "ceph_dashboard/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
run_after: |
# Get mgr systemd unit
mgr_unit=$(systemctl list-units | awk '/ceph-mgr/ {print $1}')
# Restart the mgr systemd unit
if [ -n "$mgr_unit" ]; then
systemctl restart "$mgr_unit"
fi
key_size:
if:
- key_size_override_set
- {get_param: CephCertificateKeySize}
- {get_param: CertificateKeySize}
ca: ipa