9d82364de8
It is best to avoid placing db creds on the compute nodes to limit the exposure if an attacker succeeds in gaining access to the hypervisor host. Related patches in puppet-nova remove the credentials from nova.conf; however, the current scope of the db credential hieradata is all nova tripleo services, so the credentials would still be written to the hieradata keys on compute nodes. This patch refactors the nova hieradata structure, splitting the nova-api/nova database hieradata out into individual templates and selectively including them only where necessary, ensuring we have no db creds on a compute node (unless it is an all-in-one api+compute node). Depends-On: I07caa3185427b48e6e7d60965fa3e6157457018c Change-Id: Ia4a29bdd2cd8e894bcc7c0078cf0f0ab0f97de0a Closes-bug: #1871482
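heat_template_version: rocky

description: >
  OpenStack Nova database client service.

# This template carries the nova database client hieradata, including the
# database password (see nova::database_connection and the mysql
# service_config_settings below). Include it only on roles that need direct
# access to the nova database; compute-only roles must not pull it in, so the
# credential is never written to their hieradata.
parameters:
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry. This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  NovaPassword:
    description: The password for the nova service and db account
    type: string
    # hidden keeps the value out of Heat stack/resource show output
    hidden: true
  EnableSQLAlchemyCollectd:
    type: boolean
    description: >
      Set to true to enable the SQLAlchemy-collectd server plugin
    default: false

conditions:
  # True when the SQLAlchemy-collectd plugin options should be appended to
  # the database connection URL.
  enable_sqlalchemy_collectd: {equals: [{get_param: EnableSQLAlchemyCollectd}, true]}

outputs:
  role_data:
    description: Role data for the Nova database client service.
    value:
      config_settings:
        # Connection URL for the nova (cell) database, built from the
        # MysqlCellInternal endpoint and the NovaPassword parameter.
        nova::database_connection:
          make_url:
            scheme: {get_param: [EndpointMap, MysqlCellInternal, protocol]}
            username: nova
            password: {get_param: NovaPassword}
            host: {get_param: [EndpointMap, MysqlCellInternal, host]}
            path: /nova
            # Query options: the client defaults file is always used; the
            # collectd plugin options are added only when the condition holds.
            query:
              if:
                - enable_sqlalchemy_collectd
                - read_default_file: /etc/my.cnf.d/tripleo.cnf
                  read_default_group: tripleo
                  plugin: collectd
                  collectd_program_name: nova
                  collectd_host: localhost
                - read_default_file: /etc/my.cnf.d/tripleo.cnf
                  read_default_group: tripleo
      # Applied on the mysql service role to create the nova DB account.
      service_config_settings:
        mysql:
          nova::db::mysql::password: {get_param: NovaPassword}
          nova::db::mysql::user: nova
          nova::db::mysql::host: {get_param: [EndpointMap, MysqlCellInternal, host_nobrackets]}
          nova::db::mysql::dbname: nova
          # '%' is the MySQL any-host wildcard, so the nova account may
          # authenticate from any source address; restrict this list if the
          # deployment's network layout permits.
          nova::db::mysql::allowed_hosts:
            - '%'
            - "%{hiera('mysql_bind_host')}"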