91053af09d
For both containers and classic deployments, allow to configure policy.json for all OpenStack APIs with new parameters (hash, empty by default). Example of new parameter: NovaApiPolicies. See environments/nova-api-policy.yaml for how the feature can be used. Note: use it with extreme caution. Partial-implement: blueprint modify-policy-json Change-Id: I1144f339da3836c3e8c8ae4e5567afc4d1a83e95
139 lines
5.4 KiB
YAML
139 lines
5.4 KiB
YAML
heat_template_version: ocata
|
|
|
|
description: >
|
|
Gnocchi service configured with Puppet
|
|
|
|
parameters:
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
GnocchiPassword:
|
|
description: The password for the gnocchi service and db account.
|
|
type: string
|
|
hidden: true
|
|
GnocchiBackend:
|
|
default: swift
|
|
description: The short name of the Gnocchi backend to use. Should be one
|
|
of swift, rbd, or file
|
|
type: string
|
|
constraints:
|
|
- allowed_values: ['swift', 'file', 'rbd']
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
MonitoringSubscriptionGnocchiApi:
|
|
default: 'overcloud-gnocchi-api'
|
|
type: string
|
|
GnocchiApiLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.gnocchi.api
|
|
path: /var/log/gnocchi/app.log
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
GnocchiApiPolicies:
|
|
description: |
|
|
A hash of policies to configure for Gnocchi API.
|
|
e.g. { gnocchi-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
|
|
default: {}
|
|
type: json
|
|
|
|
resources:
|
|
|
|
GnocchiServiceBase:
|
|
type: ./gnocchi-base.yaml
|
|
properties:
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
|
|
ApacheServiceBase:
|
|
type: ./apache.yaml
|
|
properties:
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
EnableInternalTLS: {get_param: EnableInternalTLS}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Gnocchi role.
|
|
value:
|
|
service_name: gnocchi_api
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionGnocchiApi}
|
|
logging_source: {get_param: GnocchiApiLoggingSource}
|
|
logging_groups:
|
|
- gnocchi
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
|
- get_attr: [GnocchiServiceBase, role_data, config_settings]
|
|
- tripleo.gnocchi_api.firewall_rules:
|
|
'129 gnocchi-api':
|
|
dport:
|
|
- 8041
|
|
- 13041
|
|
gnocchi::api::enabled: true
|
|
gnocchi::api::enable_proxy_headers_parsing: true
|
|
gnocchi::api::service_name: 'httpd'
|
|
gnocchi::policy::policies: {get_param: GnocchiApiPolicies}
|
|
gnocchi::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
gnocchi::keystone::authtoken::password: {get_param: GnocchiPassword}
|
|
gnocchi::keystone::authtoken::project_name: 'service'
|
|
gnocchi::keystone::authtoken::user_domain_name: 'Default'
|
|
gnocchi::keystone::authtoken::project_domain_name: 'Default'
|
|
gnocchi::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
|
gnocchi::wsgi::apache::servername:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, GnocchiApiNetwork]}
|
|
tripleo::profile::base::gnocchi::api::gnocchi_backend: {get_param: GnocchiBackend}
|
|
# NOTE: bind IP is found in Heat replacing the network name with the
|
|
# local node IP for the given network; replacement examples
|
|
# (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
gnocchi::wsgi::apache::bind_host: {get_param: [ServiceNetMap, GnocchiApiNetwork]}
|
|
gnocchi::wsgi::apache::wsgi_process_display_name: 'gnocchi_wsgi'
|
|
step_config: |
|
|
include ::tripleo::profile::base::gnocchi::api
|
|
service_config_settings:
|
|
keystone:
|
|
gnocchi::keystone::auth::admin_url: { get_param: [ EndpointMap, GnocchiAdmin, uri ] }
|
|
gnocchi::keystone::auth::internal_url: {get_param: [EndpointMap, GnocchiInternal, uri]}
|
|
gnocchi::keystone::auth::password: {get_param: GnocchiPassword}
|
|
gnocchi::keystone::auth::public_url: { get_param: [ EndpointMap, GnocchiPublic, uri ] }
|
|
gnocchi::keystone::auth::region: {get_param: KeystoneRegion}
|
|
gnocchi::keystone::auth::tenant: 'service'
|
|
mysql:
|
|
gnocchi::db::mysql::password: {get_param: GnocchiPassword}
|
|
gnocchi::db::mysql::user: gnocchi
|
|
gnocchi::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
|
|
gnocchi::db::mysql::dbname: gnocchi
|
|
gnocchi::db::mysql::allowed_hosts:
|
|
- '%'
|
|
- "%{hiera('mysql_bind_host')}"
|
|
metadata_settings:
|
|
get_attr: [ApacheServiceBase, role_data, metadata_settings]
|
|
upgrade_tasks:
|
|
- name: Stop gnocchi_api service (running under httpd)
|
|
tags: step1
|
|
service: name=httpd state=stopped
|