tripleo-heat-templates/puppet/services/swift-proxy.yaml
Emilien Macchi 88daf0d5da Move API cors config to their services
- Move out cors config from tripleo-ui to be in services.
- Configure allowed_origin to '*' for the containerized
  undercloud (when TripleO UI is containerized)
- Default param for allowed_origin is unset for security reasons.

Change-Id: Iee983d84c78fe055f295eedfadde336b25a5d6a1
2018-03-24 03:04:44 +00:00

275 lines
11 KiB
YAML

heat_template_version: queens
description: >
OpenStack Swift Proxy service configured with Puppet
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
Debug:
default: false
description: Set to True to enable debugging on all services.
type: boolean
SwiftPassword:
description: The password for the swift service account
type: string
hidden: true
SwiftProxyNodeTimeout:
default: 60
description: Timeout for requests going from swift-proxy to swift a/c/o services.
type: number
SwiftWorkers:
default: auto
description: Number of workers for Swift service.
type: string
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
MonitoringSubscriptionSwiftProxy:
default: 'overcloud-swift-proxy'
type: string
RabbitPassword:
description: The password for RabbitMQ
type: string
hidden: true
RabbitUserName:
default: guest
description: The username for RabbitMQ
type: string
SwiftCeilometerPipelineEnabled:
description: Set to False to disable the swift proxy ceilometer pipeline.
default: false
type: boolean
SwiftCeilometerIgnoreProjects:
default: ['service']
description: Comma-seperated list of project names to ignore.
type: comma_delimited_list
SwiftEncryptionEnabled:
description: Set to True to enable data-at-rest encryption in Swift
default: false
type: boolean
RabbitClientPort:
default: 5672
description: Set rabbit subscriber port, change this if using SSL
type: number
RabbitClientUseSSL:
default: false
description: >
Rabbit client subscriber parameter to specify
an SSL connection to the RabbitMQ host.
type: string
EnableInternalTLS:
type: boolean
default: false
SwiftCorsAllowedOrigin:
type: string
default: ''
description: Indicate whether this resource may be shared with the domain received in the request
"origin" header.
conditions:
ceilometer_pipeline_enabled: {equals : [{get_param: SwiftCeilometerPipelineEnabled}, true]}
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
swift_encryption_enabled: {equals : [{get_param: SwiftEncryptionEnabled}, true]}
cors_allowed_origin_unset: {equals : [{get_param: SwiftCorsAllowedOrigin}, '']}
resources:
SwiftBase:
type: ./swift-base.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
TLSProxyBase:
type: OS::TripleO::Services::TLSProxyBase
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
EnableInternalTLS: {get_param: EnableInternalTLS}
outputs:
role_data:
description: Role data for the Swift proxy service.
value:
service_name: swift_proxy
monitoring_subscription: {get_param: MonitoringSubscriptionSwiftProxy}
config_settings:
map_merge:
- get_attr: [SwiftBase, role_data, config_settings]
- get_attr: [TLSProxyBase, role_data, config_settings]
-
if:
- cors_allowed_origin_unset
- {}
- swift::proxy::cors_allow_origin: {get_param: SwiftCorsAllowedOrigin}
- swift::proxy::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
swift::proxy::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
swift::proxy::authtoken::password: {get_param: SwiftPassword}
swift::proxy::authtoken::project_name: 'service'
swift::proxy::node_timeout: {get_param: SwiftProxyNodeTimeout}
swift::proxy::workers: {get_param: SwiftWorkers}
-
if:
- ceilometer_pipeline_enabled
-
swift::proxy::ceilometer::rabbit_user: {get_param: RabbitUserName}
swift::proxy::ceilometer::rabbit_password: {get_param: RabbitPassword}
swift::proxy::ceilometer::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
swift::proxy::ceilometer::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
swift::proxy::ceilometer::password: {get_param: SwiftPassword}
swift::proxy::ceilometer::ignore_projects: {get_param: SwiftCeilometerIgnoreProjects}
swift::proxy::ceilometer::nonblocking_notify: true
swift::proxy::ceilometer::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
- {}
- swift::proxy::staticweb::url_base: {get_param: [EndpointMap, SwiftPublic, uri_no_suffix]}
tripleo::profile::base::swift::proxy::rabbit_port: {get_param: RabbitClientPort}
tripleo::profile::base::swift::proxy::ceilometer_messaging_use_ssl: {get_param: RabbitClientUseSSL}
tripleo::profile::base::swift::proxy::ceilometer_enabled: {get_param: SwiftCeilometerPipelineEnabled}
tripleo.swift_proxy.firewall_rules:
'122 swift proxy':
dport:
- 8080
- 13808
swift::proxy::keystone::operator_roles:
- admin
- swiftoperator
- ResellerAdmin
swift::proxy::versioned_writes::allow_versioned_writes: true
- if:
- swift_encryption_enabled
-
swift::keymaster::key_id: 'test_id'
swift::keymaster::username: 'swift'
swift::keymaster::password: {get_param: SwiftPassword}
swift::keymaster::project_name: 'service'
swift::keymaster::project_domain_id: 'default'
swift::keymaster::user_domain_id: 'default'
swift::keymaster::auth_endpoint: {get_param: [EndpointMap, KeystoneInternal, uri]}
- {}
- swift::proxy::pipeline:
yaql:
expression: $.data.pipeline.where($ != '')
data:
pipeline:
- 'catch_errors'
- 'healthcheck'
- 'proxy-logging'
- 'cache'
- 'ratelimit'
- 'bulk'
- 'tempurl'
- 'formpost'
- 'authtoken'
- 'keystone'
- 'staticweb'
- 'copy'
- 'container_quotas'
- 'account_quotas'
- 'slo'
- 'dlo'
- 'versioned_writes'
-
if:
- ceilometer_pipeline_enabled
- 'ceilometer'
- ''
-
if:
- swift_encryption_enabled
- 'kms_keymaster'
- ''
-
if:
- swift_encryption_enabled
- 'encryption'
- ''
- 'proxy-logging'
- 'proxy-server'
swift::proxy::account_autocreate: true
# NOTE: bind IP is found in hiera replacing the network name with the
# local node IP for the given network; replacement examples
# (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
tripleo::profile::base::swift::proxy::tls_proxy_bind_ip:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
tripleo::profile::base::swift::proxy::tls_proxy_fqdn:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
tripleo::profile::base::swift::proxy::tls_proxy_port:
get_param: [EndpointMap, SwiftInternal, port]
swift::proxy::port: {get_param: [EndpointMap, SwiftInternal, port]}
swift::proxy::proxy_local_net_ip:
if:
- use_tls_proxy
- 'localhost'
- str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
step_config: |
include ::tripleo::profile::base::swift::proxy
service_config_settings:
keystone:
swift::keystone::auth::public_url: {get_param: [EndpointMap, SwiftPublic, uri]}
swift::keystone::auth::internal_url: {get_param: [EndpointMap, SwiftInternal, uri]}
swift::keystone::auth::admin_url: {get_param: [EndpointMap, SwiftAdmin, uri]}
swift::keystone::auth::public_url_s3: {get_param: [EndpointMap, SwiftS3Public, uri]}
swift::keystone::auth::internal_url_s3: {get_param: [EndpointMap, SwiftS3Internal, uri]}
swift::keystone::auth::admin_url_s3: {get_param: [EndpointMap, SwiftS3Admin, uri]}
swift::keystone::auth::password: {get_param: SwiftPassword}
swift::keystone::auth::region: {get_param: KeystoneRegion}
swift::keystone::auth::tenant: 'service'
swift::keystone::auth::configure_s3_endpoint: false
swift::keystone::auth::operator_roles:
- admin
- swiftoperator
- ResellerAdmin
upgrade_tasks:
- name: Stop swift_proxy service
when: step|int == 1
service: name=openstack-swift-proxy state=stopped
metadata_settings:
get_attr: [TLSProxyBase, role_data, metadata_settings]