91053af09d
For both containers and classic deployments, allow to configure policy.json for all OpenStack APIs with new parameters (hash, empty by default). Example of new parameter: NovaApiPolicies. See environments/nova-api-policy.yaml for how the feature can be used. Note: use it with extreme caution. Partial-implement: blueprint modify-policy-json Change-Id: I1144f339da3836c3e8c8ae4e5567afc4d1a83e95
255 lines
10 KiB
YAML
255 lines
10 KiB
YAML
heat_template_version: ocata
|
|
|
|
description: >
|
|
OpenStack Glance API service configured with Puppet
|
|
|
|
parameters:
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
Debug:
|
|
default: ''
|
|
description: Set to True to enable debugging on all services.
|
|
type: string
|
|
GlancePassword:
|
|
description: The password for the glance service and db account, used by the glance services.
|
|
type: string
|
|
hidden: true
|
|
GlanceWorkers:
|
|
default: ''
|
|
description: |
|
|
Number of API worker processes for Glance. If left unset (empty string), the
|
|
default value will result in the configuration being left unset and a
|
|
system-dependent default value will be chosen (e.g.: number of
|
|
processors). Please note that this will create a large number of
|
|
processes on systems with a large number of CPUs resulting in excess
|
|
memory consumption. It is recommended that a suitable non-default value
|
|
be selected on such systems.
|
|
type: string
|
|
MonitoringSubscriptionGlanceApi:
|
|
default: 'overcloud-glance-api'
|
|
type: string
|
|
GlanceApiLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.glance.api
|
|
path: /var/log/glance/api.log
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
CephClientUserName:
|
|
default: openstack
|
|
type: string
|
|
Debug:
|
|
default: ''
|
|
description: Set to True to enable debugging on all services.
|
|
type: string
|
|
GlanceNotifierStrategy:
|
|
description: Strategy to use for Glance notification queue
|
|
type: string
|
|
default: noop
|
|
GlanceLogFile:
|
|
description: The filepath of the file to use for logging messages from Glance.
|
|
type: string
|
|
default: ''
|
|
GlanceBackend:
|
|
default: swift
|
|
description: The short name of the Glance backend to use. Should be one
|
|
of swift, rbd, or file
|
|
type: string
|
|
constraints:
|
|
- allowed_values: ['swift', 'file', 'rbd']
|
|
GlanceNfsEnabled:
|
|
default: false
|
|
description: >
|
|
When using GlanceBackend 'file', mount NFS share for image storage.
|
|
type: boolean
|
|
GlanceNfsShare:
|
|
default: ''
|
|
description: >
|
|
NFS share to mount for image storage (when GlanceNfsEnabled is true)
|
|
type: string
|
|
GlanceNfsOptions:
|
|
default: 'intr,context=system_u:object_r:glance_var_lib_t:s0'
|
|
description: >
|
|
NFS mount options for image storage (when GlanceNfsEnabled is true)
|
|
type: string
|
|
GlanceRbdPoolName:
|
|
default: images
|
|
type: string
|
|
RabbitPassword:
|
|
description: The password for RabbitMQ
|
|
type: string
|
|
hidden: true
|
|
RabbitUserName:
|
|
default: guest
|
|
description: The username for RabbitMQ
|
|
type: string
|
|
RabbitClientPort:
|
|
default: 5672
|
|
description: Set rabbit subscriber port, change this if using SSL
|
|
type: number
|
|
RabbitClientUseSSL:
|
|
default: false
|
|
description: >
|
|
Rabbit client subscriber parameter to specify
|
|
an SSL connection to the RabbitMQ host.
|
|
type: string
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
GlanceApiPolicies:
|
|
description: |
|
|
A hash of policies to configure for Glance API.
|
|
e.g. { glance-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
|
|
default: {}
|
|
type: json
|
|
|
|
conditions:
|
|
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
|
|
|
|
resources:
|
|
|
|
TLSProxyBase:
|
|
type: OS::TripleO::Services::TLSProxyBase
|
|
properties:
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
EnableInternalTLS: {get_param: EnableInternalTLS}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Glance API role.
|
|
value:
|
|
service_name: glance_api
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionGlanceApi}
|
|
logging_source: {get_param: GlanceApiLoggingSource}
|
|
logging_groups:
|
|
- glance
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [TLSProxyBase, role_data, config_settings]
|
|
- glance::api::database_connection:
|
|
list_join:
|
|
- ''
|
|
- - {get_param: [EndpointMap, MysqlInternal, protocol]}
|
|
- '://glance:'
|
|
- {get_param: GlancePassword}
|
|
- '@'
|
|
- {get_param: [EndpointMap, MysqlInternal, host]}
|
|
- '/glance'
|
|
- '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo'
|
|
glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]}
|
|
glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
|
|
glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
|
glance::api::enable_v1_api: false
|
|
glance::api::enable_v2_api: true
|
|
glance::api::authtoken::password: {get_param: GlancePassword}
|
|
glance::api::enable_proxy_headers_parsing: true
|
|
glance::api::debug: {get_param: Debug}
|
|
glance::api::workers: {get_param: GlanceWorkers}
|
|
glance::policy::policies: {get_param: GlanceApiPolicies}
|
|
tripleo.glance_api.firewall_rules:
|
|
'112 glance_api':
|
|
dport:
|
|
- 9292
|
|
- 13292
|
|
glance::api::authtoken::project_name: 'service'
|
|
glance::api::pipeline: 'keystone'
|
|
glance::api::show_image_direct_url: true
|
|
# NOTE: bind IP is found in Heat replacing the network name with the
|
|
# local node IP for the given network; replacement examples
|
|
# (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
tripleo::profile::base::glance::api::tls_proxy_bind_ip:
|
|
get_param: [ServiceNetMap, GlanceApiNetwork]
|
|
tripleo::profile::base::glance::api::tls_proxy_fqdn:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]}
|
|
tripleo::profile::base::glance::api::tls_proxy_port:
|
|
get_param: [EndpointMap, GlanceInternal, port]
|
|
# Bind to localhost if internal TLS is enabled, since we put a TLs
|
|
# proxy in front.
|
|
glance::api::bind_host:
|
|
if:
|
|
- use_tls_proxy
|
|
- 'localhost'
|
|
- {get_param: [ServiceNetMap, GlanceApiNetwork]}
|
|
glance_notifier_strategy: {get_param: GlanceNotifierStrategy}
|
|
glance_log_file: {get_param: GlanceLogFile}
|
|
glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneInternal, uri] }
|
|
glance::backend::swift::swift_store_user: service:glance
|
|
glance::backend::swift::swift_store_key: {get_param: GlancePassword}
|
|
glance::backend::swift::swift_store_create_container_on_put: true
|
|
glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName}
|
|
glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName}
|
|
glance_backend: {get_param: GlanceBackend}
|
|
glance::notify::rabbitmq::rabbit_userid: {get_param: RabbitUserName}
|
|
glance::notify::rabbitmq::rabbit_port: {get_param: RabbitClientPort}
|
|
glance::notify::rabbitmq::rabbit_password: {get_param: RabbitPassword}
|
|
glance::notify::rabbitmq::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
|
|
glance::notify::rabbitmq::notification_driver: messagingv2
|
|
tripleo::profile::base::glance::api::glance_nfs_enabled: {get_param: GlanceNfsEnabled}
|
|
tripleo::glance::nfs_mount::share: {get_param: GlanceNfsShare}
|
|
tripleo::glance::nfs_mount::options: {get_param: GlanceNfsOptions}
|
|
service_config_settings:
|
|
keystone:
|
|
glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]}
|
|
glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]}
|
|
glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]}
|
|
glance::keystone::auth::password: {get_param: GlancePassword }
|
|
glance::keystone::auth::region: {get_param: KeystoneRegion}
|
|
glance::keystone::auth::tenant: 'service'
|
|
mysql:
|
|
glance::db::mysql::password: {get_param: GlancePassword}
|
|
glance::db::mysql::user: glance
|
|
glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
|
|
glance::db::mysql::dbname: glance
|
|
glance::db::mysql::allowed_hosts:
|
|
- '%'
|
|
- "%{hiera('mysql_bind_host')}"
|
|
step_config: |
|
|
include ::tripleo::profile::base::glance::api
|
|
upgrade_tasks:
|
|
- name: Check if glance_api is deployed
|
|
command: systemctl is-enabled openstack-glance-api
|
|
tags: common
|
|
ignore_errors: True
|
|
register: glance_api_enabled
|
|
#(TODO) Remove all glance-registry bits in Pike.
|
|
- name: Check if glance_registry is deployed
|
|
command: systemctl is-enabled openstack-glance-registry
|
|
tags: common
|
|
ignore_errors: True
|
|
register: glance_registry_enabled
|
|
- name: "PreUpgrade step0,validation: Check service openstack-glance-api is running"
|
|
shell: /usr/bin/systemctl show 'openstack-glance-api' --property ActiveState | grep '\bactive\b'
|
|
tags: step0,validation
|
|
when: glance_api_enabled.rc == 0
|
|
- name: Stop glance_api service
|
|
tags: step1
|
|
when: glance_api_enabled.rc == 0
|
|
service: name=openstack-glance-api state=stopped
|
|
- name: Stop and disable glance registry (removed for Ocata)
|
|
tags: step1
|
|
when: glance_registry_enabled.rc == 0
|
|
service: name=openstack-glance-registry state=stopped enabled=no
|