openstack/tripleo-heat-templates
Code Issues Proposed changes
27788212cc
tripleo-heat-templates/deployment/neutron/neutron-metadata-container-puppet.yaml
ramishra 7f195ff9a8 Remove DefaultPasswords interface 
This was mainly there as an legacy interface which was
for internal use. Now that we pull the passwords from
the existing environment and don't use it, we can drop
this.

Reduces a number of heat resources.

Change-Id: If83d0f3d72a229d737a45b2fd37507dc11a04649
2021-02-12 11:38:44 +05:30

240 lines
8.9 KiB
YAML
Raw Blame History

heat_template_version: rocky
description: >
OpenStack containerized Neutron Metadata agent
parameters:
ContainerNeutronMetadataImage:
description: image
type: string
ContainerNeutronConfigImage:
description: The container image to use for the neutron config_volume
type: string
NeutronMetadataAgentLoggingSource:
type: json
default:
tag: openstack.neutron.agent.metadata
file: /var/log/containers/neutron/metadata-agent.log
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
NeutronMetadataProxySharedSecret:
description: Shared secret to prevent spoofing
type: string
hidden: true
NeutronWorkers:
default: ''
description: |
Sets the number of worker processes for the neutron metadata agent. The
default value results in the configuration being left unset and a
system-dependent default will be chosen (usually the number of
processors). Please note that this can result in a large number of
processes and memory consumption on systems with a large core count. On
such systems it is recommended that a non-default value be selected that
matches the load requirements.
type: string
NeutronPassword:
description: The password for the neutron service and db account, used by neutron agents.
type: string
hidden: true
MonitoringSubscriptionNeutronMetadata:
default: 'overcloud-neutron-metadata'
type: string
Debug:
type: boolean
default: false
description: Set to True to enable debugging on all services.
NeutronMetadataAgentDebug:
default: ''
description: Set to True to enable debugging for Neutron Metadata agent.
type: string
constraints:
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
EnableInternalTLS:
type: boolean
default: false
conditions:
neutron_workers_unset: {equals : [{get_param: NeutronWorkers}, '']}
service_debug_unset: {equals: [{get_param: NeutronMetadataAgentDebug}, '']}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
is_neutron_shared_metadata_notempty: {not: {equals: [{get_param: NeutronMetadataProxySharedSecret}, '']}}
resources:
ContainersCommon:
type: ../containers-common.yaml
NeutronBase:
type: ./neutron-base.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
NeutronLogging:
type: OS::TripleO::Services::Logging::NeutronCommon
properties:
NeutronServiceName: metadata-agent
outputs:
role_data:
description: Role data for Neutron Metadata agent
value:
service_name: neutron_metadata
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronMetadata}
config_settings:
map_merge:
- get_attr: [NeutronBase, role_data, config_settings]
- get_attr: [NeutronLogging, config_settings]
- neutron::agents::metadata::auth_password: {get_param: NeutronPassword}
neutron::agents::metadata::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
neutron::agents::metadata::auth_tenant: 'service'
neutron::agents::metadata::debug:
if:
- service_debug_unset
- {get_param: Debug}
- {get_param: NeutronMetadataAgentDebug}
neutron::agents::metadata::metadata_host:
str_replace:
template:
"%{hiera('cloud_name_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
neutron::agents::metadata::metadata_protocol:
if:
- internal_tls_enabled
- 'https'
- 'http'
-
if:
- neutron_workers_unset
- {}
- neutron::agents::metadata::metadata_workers: {get_param: NeutronWorkers}
-
if:
- is_neutron_shared_metadata_notempty
- neutron::agents::metadata::shared_secret: {get_param: NeutronMetadataProxySharedSecret}
- {}
service_config_settings:
map_merge:
- get_attr: [NeutronBase, role_data, service_config_settings]
- rsyslog:
tripleo_logging_sources_neutron_metadata:
- {get_param: NeutronMetadataAgentLoggingSource}
puppet_config:
puppet_tags: neutron_config,neutron_metadata_agent_config
config_volume: neutron
step_config: |
include tripleo::profile::base::neutron::metadata
config_image: {get_param: ContainerNeutronConfigImage}
kolla_config:
/var/lib/kolla/config_files/neutron_metadata_agent.json:
command:
list_join:
- ' '
- - /usr/bin/neutron-metadata-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/metadata_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-metadata-agent
- get_attr: [NeutronLogging, cmd_extra_args]
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/neutron
owner: neutron:neutron
recurse: true
- path: /var/lib/neutron
owner: neutron:neutron
recurse: true
docker_config:
step_4:
neutron_metadata_agent:
start_order: 10
image: {get_param: ContainerNeutronMetadataImage}
net: host
pid: host
privileged: true
restart: always
healthcheck: {get_attr: [ContainersCommon, healthcheck_rpc_port]}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [NeutronLogging, volumes]}
-
- /var/lib/kolla/config_files/neutron_metadata_agent.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/neutron:/var/lib/kolla/config_files/src:ro
- /lib/modules:/lib/modules:ro
- /var/lib/neutron:/var/lib/neutron:shared,z
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
metadata_settings:
get_attr: [NeutronBase, role_data, metadata_settings]
host_prep_tasks:
list_concat:
- {get_attr: [NeutronLogging, host_prep_tasks]}
- - name: create /var/lib/neutron
file:
path: /var/lib/neutron
state: directory
setype: container_file_t
- name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: yes
state: yes
upgrade_tasks: []
post_upgrade_tasks:
- name: Check for neutron user
getent:
database: passwd
key: neutron
fail_key: false
- name: Set neutron_user_avail
set_fact:
neutron_user_avail: "{{ getent_passwd is defined }}"
- when:
- step|int == 2
- neutron_user_avail|bool
block:
- name: Ensure r/w access for existing files after upgrade
become: true
shell: |
umask 0002
setfacl -d -R -m u:neutron:rwx /var/lib/neutron
setfacl -R -m u:neutron:rw /var/lib/neutron
find /var/lib/neutron -type d -exec setfacl -m u:neutron:rwx '{}' \;
- name: Provide access to domain sockets
become: true
shell: |
umask 0002
setfacl -m u:neutron:rwx "{{ item }}"
with_items:
- /var/lib/neutron/metadata_proxy
- /var/lib/neutron/keepalived-state-change
- /var/lib/neutron
# These files are not necessarily present
failed_when: false
View Git Blame Copy Permalink