91053af09d
For both containers and classic deployments, allow to configure policy.json for all OpenStack APIs with new parameters (hash, empty by default). Example of new parameter: NovaApiPolicies. See environments/nova-api-policy.yaml for how the feature can be used. Note: use it with extreme caution. Partial-implement: blueprint modify-policy-json Change-Id: I1144f339da3836c3e8c8ae4e5567afc4d1a83e95
145 lines
5.3 KiB
YAML
145 lines
5.3 KiB
YAML
heat_template_version: ocata
|
|
|
|
description: >
|
|
Openstack Heat API service configured with Puppet
|
|
|
|
parameters:
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
HeatWorkers:
|
|
default: 0
|
|
description: Number of workers for Heat service.
|
|
type: number
|
|
HeatPassword:
|
|
description: The password for the Heat service and db account, used by the Heat services.
|
|
type: string
|
|
hidden: true
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
MonitoringSubscriptionHeatApi:
|
|
default: 'overcloud-heat-api'
|
|
type: string
|
|
HeatApiLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.heat.api
|
|
path: /var/log/heat/heat-api.log
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
HeatApiPolicies:
|
|
description: |
|
|
A hash of policies to configure for Heat API.
|
|
e.g. { heat-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
|
|
default: {}
|
|
type: json
|
|
|
|
conditions:
|
|
heat_workers_zero: {equals : [{get_param: HeatWorkers}, 0]}
|
|
|
|
resources:
|
|
|
|
ApacheServiceBase:
|
|
type: ./apache.yaml
|
|
properties:
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
EnableInternalTLS: {get_param: EnableInternalTLS}
|
|
|
|
HeatBase:
|
|
type: ./heat-base.yaml
|
|
properties:
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Heat API role.
|
|
value:
|
|
service_name: heat_api
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionHeatApi}
|
|
logging_source: {get_param: HeatApiLoggingSource}
|
|
logging_groups:
|
|
- heat
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [HeatBase, role_data, config_settings]
|
|
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
|
- tripleo.heat_api.firewall_rules:
|
|
'125 heat_api':
|
|
dport:
|
|
- 8004
|
|
- 13004
|
|
heat::api::bind_host: {get_param: [ServiceNetMap, HeatApiNetwork]}
|
|
heat::wsgi::apache_api::ssl: {get_param: EnableInternalTLS}
|
|
heat::policy::policies: {get_param: HeatApiPolicies}
|
|
heat::api::service_name: 'httpd'
|
|
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
|
|
# for the given network; replacement examples (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
heat::wsgi::apache_api::bind_host: {get_param: [ServiceNetMap, HeatApiNetwork]}
|
|
heat::wsgi::apache_api::servername:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, HeatApiNetwork]}
|
|
-
|
|
if:
|
|
- heat_workers_zero
|
|
- {}
|
|
- heat::wsgi::apache_api::workers: {get_param: HeatWorkers}
|
|
step_config: |
|
|
include ::tripleo::profile::base::heat::api
|
|
service_config_settings:
|
|
keystone:
|
|
map_merge:
|
|
- get_attr: [HeatBase, role_data, service_config_settings, keystone]
|
|
- heat::keystone::auth::tenant: 'service'
|
|
heat::keystone::auth::public_url: {get_param: [EndpointMap, HeatPublic, uri]}
|
|
heat::keystone::auth::internal_url: {get_param: [EndpointMap, HeatInternal, uri]}
|
|
heat::keystone::auth::admin_url: {get_param: [EndpointMap, HeatAdmin, uri]}
|
|
heat::keystone::auth::password: {get_param: HeatPassword}
|
|
heat::keystone::auth::region: {get_param: KeystoneRegion}
|
|
upgrade_tasks:
|
|
- name: Check is heat_api is deployed
|
|
command: systemctl is-enabled openstack-heat-api
|
|
tags: common
|
|
ignore_errors: True
|
|
register: heat_api_enabled
|
|
- name: "PreUpgrade step0,validation: Check service openstack-heat-api is running"
|
|
shell: /usr/bin/systemctl show 'openstack-heat-api' --property ActiveState | grep '\bactive\b'
|
|
when: heat_api_enabled.rc == 0
|
|
tags: step0,validation
|
|
- name: check for heat_api running under apache (post upgrade)
|
|
tags: step1
|
|
shell: "httpd -t -D DUMP_VHOSTS | grep -q heat_api_wsgi"
|
|
register: heat_api_apache
|
|
ignore_errors: true
|
|
- name: Stop heat_api service (running under httpd)
|
|
tags: step1
|
|
service: name=httpd state=stopped
|
|
when: heat_api_apache.rc == 0
|
|
- name: Stop and disable heat_api service (pre-upgrade not under httpd)
|
|
tags: step1
|
|
when: heat_api_enabled.rc == 0
|
|
service: name=openstack-heat-api state=stopped enabled=no
|