88daf0d5da
- Move out cors config from tripleo-ui to be in services. - Configure allowed_origin to '*' for the containerized undercloud (when TripleO UI is containerized) - Default param for allowed_origin is unset for security reasons. Change-Id: Iee983d84c78fe055f295eedfadde336b25a5d6a1
275 lines
11 KiB
YAML
heat_template_version: queens
|
|
|
|
description: >
|
|
OpenStack Swift Proxy service configured with Puppet
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
Debug:
|
|
default: false
|
|
description: Set to True to enable debugging on all services.
|
|
type: boolean
|
|
SwiftPassword:
|
|
description: The password for the swift service account
|
|
type: string
|
|
hidden: true
|
|
SwiftProxyNodeTimeout:
|
|
default: 60
|
|
description: Timeout for requests going from swift-proxy to swift a/c/o services.
|
|
type: number
|
|
SwiftWorkers:
|
|
default: auto
|
|
description: Number of workers for Swift service.
|
|
type: string
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
MonitoringSubscriptionSwiftProxy:
|
|
default: 'overcloud-swift-proxy'
|
|
type: string
|
|
RabbitPassword:
|
|
description: The password for RabbitMQ
|
|
type: string
|
|
hidden: true
|
|
RabbitUserName:
|
|
default: guest
|
|
description: The username for RabbitMQ
|
|
type: string
|
|
SwiftCeilometerPipelineEnabled:
|
|
description: Set to False to disable the swift proxy ceilometer pipeline.
|
|
default: false
|
|
type: boolean
|
|
SwiftCeilometerIgnoreProjects:
|
|
default: ['service']
|
|
description: Comma-seperated list of project names to ignore.
|
|
type: comma_delimited_list
|
|
SwiftEncryptionEnabled:
|
|
description: Set to True to enable data-at-rest encryption in Swift
|
|
default: false
|
|
type: boolean
|
|
RabbitClientPort:
|
|
default: 5672
|
|
description: Set rabbit subscriber port, change this if using SSL
|
|
type: number
|
|
RabbitClientUseSSL:
|
|
default: false
|
|
description: >
|
|
Rabbit client subscriber parameter to specify
|
|
an SSL connection to the RabbitMQ host.
|
|
type: string
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
SwiftCorsAllowedOrigin:
|
|
type: string
|
|
default: ''
|
|
description: Indicate whether this resource may be shared with the domain received in the request
|
|
"origin" header.
|
|
|
|
conditions:
|
|
|
|
ceilometer_pipeline_enabled: {equals : [{get_param: SwiftCeilometerPipelineEnabled}, true]}
|
|
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
|
|
swift_encryption_enabled: {equals : [{get_param: SwiftEncryptionEnabled}, true]}
|
|
cors_allowed_origin_unset: {equals : [{get_param: SwiftCorsAllowedOrigin}, '']}
|
|
|
|
resources:
|
|
SwiftBase:
|
|
type: ./swift-base.yaml
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
TLSProxyBase:
|
|
type: OS::TripleO::Services::TLSProxyBase
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
EnableInternalTLS: {get_param: EnableInternalTLS}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Swift proxy service.
|
|
value:
|
|
service_name: swift_proxy
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionSwiftProxy}
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [SwiftBase, role_data, config_settings]
|
|
- get_attr: [TLSProxyBase, role_data, config_settings]
|
|
-
|
|
if:
|
|
- cors_allowed_origin_unset
|
|
- {}
|
|
- swift::proxy::cors_allow_origin: {get_param: SwiftCorsAllowedOrigin}
|
|
- swift::proxy::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
swift::proxy::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
swift::proxy::authtoken::password: {get_param: SwiftPassword}
|
|
swift::proxy::authtoken::project_name: 'service'
|
|
swift::proxy::node_timeout: {get_param: SwiftProxyNodeTimeout}
|
|
swift::proxy::workers: {get_param: SwiftWorkers}
|
|
-
|
|
if:
|
|
- ceilometer_pipeline_enabled
|
|
-
|
|
swift::proxy::ceilometer::rabbit_user: {get_param: RabbitUserName}
|
|
swift::proxy::ceilometer::rabbit_password: {get_param: RabbitPassword}
|
|
swift::proxy::ceilometer::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
swift::proxy::ceilometer::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
swift::proxy::ceilometer::password: {get_param: SwiftPassword}
|
|
swift::proxy::ceilometer::ignore_projects: {get_param: SwiftCeilometerIgnoreProjects}
|
|
swift::proxy::ceilometer::nonblocking_notify: true
|
|
swift::proxy::ceilometer::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
|
|
- {}
|
|
- swift::proxy::staticweb::url_base: {get_param: [EndpointMap, SwiftPublic, uri_no_suffix]}
|
|
tripleo::profile::base::swift::proxy::rabbit_port: {get_param: RabbitClientPort}
|
|
tripleo::profile::base::swift::proxy::ceilometer_messaging_use_ssl: {get_param: RabbitClientUseSSL}
|
|
tripleo::profile::base::swift::proxy::ceilometer_enabled: {get_param: SwiftCeilometerPipelineEnabled}
|
|
tripleo.swift_proxy.firewall_rules:
|
|
'122 swift proxy':
|
|
dport:
|
|
- 8080
|
|
- 13808
|
|
swift::proxy::keystone::operator_roles:
|
|
- admin
|
|
- swiftoperator
|
|
- ResellerAdmin
|
|
swift::proxy::versioned_writes::allow_versioned_writes: true
|
|
- if:
|
|
- swift_encryption_enabled
|
|
-
|
|
swift::keymaster::key_id: 'test_id'
|
|
swift::keymaster::username: 'swift'
|
|
swift::keymaster::password: {get_param: SwiftPassword}
|
|
swift::keymaster::project_name: 'service'
|
|
swift::keymaster::project_domain_id: 'default'
|
|
swift::keymaster::user_domain_id: 'default'
|
|
swift::keymaster::auth_endpoint: {get_param: [EndpointMap, KeystoneInternal, uri]}
|
|
- {}
|
|
- swift::proxy::pipeline:
|
|
yaql:
|
|
expression: $.data.pipeline.where($ != '')
|
|
data:
|
|
pipeline:
|
|
- 'catch_errors'
|
|
- 'healthcheck'
|
|
- 'proxy-logging'
|
|
- 'cache'
|
|
- 'ratelimit'
|
|
- 'bulk'
|
|
- 'tempurl'
|
|
- 'formpost'
|
|
- 'authtoken'
|
|
- 'keystone'
|
|
- 'staticweb'
|
|
- 'copy'
|
|
- 'container_quotas'
|
|
- 'account_quotas'
|
|
- 'slo'
|
|
- 'dlo'
|
|
- 'versioned_writes'
|
|
-
|
|
if:
|
|
- ceilometer_pipeline_enabled
|
|
- 'ceilometer'
|
|
- ''
|
|
-
|
|
if:
|
|
- swift_encryption_enabled
|
|
- 'kms_keymaster'
|
|
- ''
|
|
-
|
|
if:
|
|
- swift_encryption_enabled
|
|
- 'encryption'
|
|
- ''
|
|
- 'proxy-logging'
|
|
- 'proxy-server'
|
|
swift::proxy::account_autocreate: true
|
|
# NOTE: bind IP is found in hiera replacing the network name with the
|
|
# local node IP for the given network; replacement examples
|
|
# (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
tripleo::profile::base::swift::proxy::tls_proxy_bind_ip:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
|
|
tripleo::profile::base::swift::proxy::tls_proxy_fqdn:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
|
|
tripleo::profile::base::swift::proxy::tls_proxy_port:
|
|
get_param: [EndpointMap, SwiftInternal, port]
|
|
swift::proxy::port: {get_param: [EndpointMap, SwiftInternal, port]}
|
|
swift::proxy::proxy_local_net_ip:
|
|
if:
|
|
- use_tls_proxy
|
|
- 'localhost'
|
|
- str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
|
|
step_config: |
|
|
include ::tripleo::profile::base::swift::proxy
|
|
service_config_settings:
|
|
keystone:
|
|
swift::keystone::auth::public_url: {get_param: [EndpointMap, SwiftPublic, uri]}
|
|
swift::keystone::auth::internal_url: {get_param: [EndpointMap, SwiftInternal, uri]}
|
|
swift::keystone::auth::admin_url: {get_param: [EndpointMap, SwiftAdmin, uri]}
|
|
swift::keystone::auth::public_url_s3: {get_param: [EndpointMap, SwiftS3Public, uri]}
|
|
swift::keystone::auth::internal_url_s3: {get_param: [EndpointMap, SwiftS3Internal, uri]}
|
|
swift::keystone::auth::admin_url_s3: {get_param: [EndpointMap, SwiftS3Admin, uri]}
|
|
swift::keystone::auth::password: {get_param: SwiftPassword}
|
|
swift::keystone::auth::region: {get_param: KeystoneRegion}
|
|
swift::keystone::auth::tenant: 'service'
|
|
swift::keystone::auth::configure_s3_endpoint: false
|
|
swift::keystone::auth::operator_roles:
|
|
- admin
|
|
- swiftoperator
|
|
- ResellerAdmin
|
|
upgrade_tasks:
|
|
- name: Stop swift_proxy service
|
|
when: step|int == 1
|
|
service: name=openstack-swift-proxy state=stopped
|
|
metadata_settings:
|
|
get_attr: [TLSProxyBase, role_data, metadata_settings]
|
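Review bot: The description of the new SwiftCorsAllowedOrigin parameter (the two `description:` lines after `default: ''`) does not say what the value means operationally, even though the commit message relies on `'*'` for the containerized undercloud; a reader of the template alone cannot tell that `'*'` allows every origin or that the empty default leaves `swift::proxy::cors_allow_origin` unset. I would replace the description with `description: Origin(s) allowed to make cross-origin requests to the Swift proxy (passed to swift::proxy::cors_allow_origin). Leave empty (the default) to not configure CORS; '*' permits any origin and should be narrowed to the UI's origin where possible.` The `cors_allowed_origin_unset` condition only treats the literal empty string as unset, so any other value, including whitespace, is forwarded verbatim into the proxy configuration; that is worth stating in the description as well.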