d8604df61b
Currently Apache access logs record controller IPs instead of client IPs, since Apache simply records the source IP of the HTTP traffic it receives. This change ensures that client IPs are detected from the X-Forwarded-For header added by haproxy. Note that the forwarded format does not log a client IP if the header is missing. Because of this, direct HTTP requests (e.g. healthcheck requests from haproxy) result in log lines without a client IP. Depends-on: https://review.opendev.org/837504 Change-Id: I470c4c26f6d9977ba68a5d6eb9cd2c35af9e4b9a
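heat_template_version: wallaby

description: >
  OpenStack containerized Ironic API service

parameters:
  ContainerIronicApiImage:
    description: image
    type: string
    tags:
      - role_specific
  ContainerIronicApiConfigImage:
    description: The container image to use for the ironic_api config_volume
    type: string
    tags:
      - role_specific
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry. Use
                 parameter_merge_strategies to merge it with the defaults.
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  DeployIdentifier:
    default: ''
    type: string
    description: >
      Setting this to a unique value will re-run any deployment tasks which
      perform configuration on a Heat stack-update.
  IronicPassword:
    description: The password for the Ironic service and db account, used by the Ironic services
    type: string
    hidden: true
  MonitoringSubscriptionIronicApi:
    default: 'overcloud-ironic-api'
    type: string
  KeystoneRegion:
    type: string
    default: 'regionOne'
    description: Keystone region for endpoint
  IronicApiPolicies:
    description: |
      A hash of policies to configure for Ironic API.
      e.g. { ironic-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
    default: {}
    type: json
  IronicCorsAllowedOrigin:
    type: string
    default: ''
    description: Indicate whether this resource may be shared with the domain received in the request
                 "origin" header.
  EnableInternalTLS:
    type: boolean
    default: false
  MemcacheUseAdvancedPool:
    type: boolean
    description: |
      Use the advanced (eventlet safe) memcached client pool.
    default: true
  IronicAuthStrategy:
    type: string
    description: Auth strategy to use with ironic.
    default: 'keystone'
    constraints:
      - allowed_values: ['keystone', 'http_basic', 'noauth']
  AdminPassword:  # supplied by tripleo-undercloud-passwords.yaml
    type: string
    description: The password for the keystone admin account, used for monitoring, querying neutron etc.
    # canonical lowercase boolean, consistent with the other hidden parameters
    hidden: true
  IronicRpcTransport:
    description: The remote procedure call transport between conductor and
                 API processes, such as a messaging broker or JSON RPC.
    default: 'oslo'
    type: string
    constraints:
      - allowed_values: ['oslo', 'json-rpc']

conditions:
  cors_allowed_origin_set:
    not: {equals: [{get_param: IronicCorsAllowedOrigin}, '']}
  # true for either of the non-keystone strategies; the two conditions
  # below distinguish them where the exact value matters
  auth_strategy_non_default:
    contains: [{get_param: IronicAuthStrategy}, ['noauth', 'http_basic']]
  auth_strategy_noauth:
    equals: [{get_param: IronicAuthStrategy}, 'noauth']
  auth_strategy_http_basic:
    equals: [{get_param: IronicAuthStrategy}, 'http_basic']
  rpc_transport_json_rpc:
    equals: [{get_param: IronicRpcTransport}, 'json-rpc']

resources:
  ApacheServiceBase:
    type: ../../deployment/apache/apache-baremetal-puppet.yaml
    properties:
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      EndpointMap: {get_param: EndpointMap}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}
      EnableInternalTLS: {get_param: EnableInternalTLS}

  ContainersCommon:
    type: ../containers-common.yaml

  MySQLClient:
    type: ../database/mysql-client.yaml

  IronicBase:
    type: ./ironic-base-puppet.yaml
    properties:
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      EndpointMap: {get_param: EndpointMap}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}

  # Resolves the two container image parameters, letting a role-specific
  # value in RoleParameters take precedence over the global parameter.
  RoleParametersValue:
    type: OS::Heat::Value
    properties:
      type: json
      value:
        map_replace:
          - map_replace:
            - ContainerIronicApiImage: ContainerIronicApiImage
              ContainerIronicApiConfigImage: ContainerIronicApiConfigImage
            - values: {get_param: [RoleParameters]}
          - values:
              ContainerIronicApiImage: {get_param: ContainerIronicApiImage}
              ContainerIronicApiConfigImage: {get_param: ContainerIronicApiConfigImage}

outputs:
  role_data:
    description: Role data for the Ironic API role.
    value:
      service_name: ironic_api
      # 6385 is the port httpd itself listens on; the haproxy frontends
      # below expose the same port (plain) and 13385 (TLS).
      firewall_rules:
        '133 ironic api':
          dport:
            - 6385
      firewall_frontend_rules:
        '100 ironic_haproxy_frontend':
          dport:
            - 6385
      firewall_ssl_frontend_rules:
        '100 ironic_haproxy_frontend_ssl':
          dport:
            - 13385
      keystone_resources:
        ironic:
          endpoints:
            public: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
            internal: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]}
            admin: {get_param: [EndpointMap, IronicAdmin, uri_no_suffix]}
          users:
            ironic:
              roles:
                - admin
                - service
              password: {get_param: IronicPassword}
          region: {get_param: KeystoneRegion}
          service: 'baremetal'
      monitoring_subscription: {get_param: MonitoringSubscriptionIronicApi}
      config_settings:
        map_merge:
          - get_attr: [IronicBase, role_data, config_settings]
          - get_attr: [ApacheServiceBase, role_data, config_settings]
          - ironic::cors::allowed_origin:
              if:
                - cors_allowed_origin_set
                - {get_param: IronicCorsAllowedOrigin}
            ironic::api::authtoken::password: {get_param: IronicPassword}
            ironic::api::authtoken::project_name: 'service'
            ironic::api::authtoken::user_domain_name: 'Default'
            ironic::api::authtoken::project_domain_name: 'Default'
            ironic::api::authtoken::username: 'ironic'
            ironic::api::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
            ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            ironic::api::authtoken::region_name: {get_param: KeystoneRegion}
            ironic::api::authtoken::interface: 'internal'
            ironic::api::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
            # NOTE: bind IP is found in hiera replacing the network name with the
            # local node IP for the given network; replacement examples
            # (eg. for internal_api):
            # internal_api -> IP
            # internal_api_uri -> [IP]
            # internal_api_subnet - > IP/CIDR
            ironic::api::host_ip:
              str_replace:
                template:
                  "%{lookup('$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, IronicApiNetwork]}
            ironic::api::port: {get_param: [EndpointMap, IronicInternal, port]}
            # This is used to build links in responses
            ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
            ironic::api::service_name: 'httpd'
            # presumably makes ironic honour the X-Forwarded-* headers set by
            # haproxy when building response URLs — confirm in puppet-ironic
            ironic::api::enable_proxy_headers_parsing: true
            ironic::api::sync_db: false
            ironic::healthcheck::enabled: true
            ironic::policy::policies: {get_param: IronicApiPolicies}
            ironic::wsgi::apache::vhost_custom_fragment:
              if:
                - auth_strategy_http_basic
                - 'WSGIPassAuthorization On'
            # The 'forwarded' format logs the client address taken from the
            # X-Forwarded-For header that haproxy adds, instead of the
            # controller address haproxy connects from. Requests that reach
            # httpd directly (e.g. haproxy health checks) carry no such
            # header and are logged without a client ip.
            # NOTE(review): the logged address is only as trustworthy as the
            # path the request took — a client able to reach port 6385
            # directly supplies its own header value; confirm httpd is
            # configured to accept the header only from the haproxy hosts.
            ironic::wsgi::apache::access_log_format: 'forwarded'
            ironic::wsgi::apache::bind_host:
              str_replace:
                template:
                  "%{lookup('$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, IronicApiNetwork]}
            ironic::wsgi::apache::port: {get_param: [EndpointMap, IronicInternal, port]}
            ironic::wsgi::apache::servername:
              str_replace:
                template:
                  "%{lookup('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, IronicApiNetwork]}
            ironic::wsgi::apache::ssl: {get_param: EnableInternalTLS}
            ironic::cors::max_age: 3600
            ironic::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'
            ironic::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
            ironic::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
            apache::default_vhost: false
            # NOTE(tkajinam): the project_name parameter defaults to 'services' in puppet-ironic,
            # so override it here to always set the consistent project name.
            ironic::json_rpc::project_name: 'service'
          # JSON-RPC credentials are only emitted for that transport; with
          # the keystone strategy the outer `if` has no else branch, so the
          # auth_type key is dropped and the puppet default applies.
          - if:
            - rpc_transport_json_rpc
            - ironic::json_rpc::auth_type:
                if:
                  - auth_strategy_non_default
                  - if:
                    - auth_strategy_noauth
                    - 'none'
                    - {get_param: IronicAuthStrategy}
              ironic::json_rpc::password: {get_param: IronicPassword}
              ironic::json_rpc::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
      service_config_settings:
        mysql:
          ironic::db::mysql::password: {get_param: IronicPassword}
          ironic::db::mysql::user: ironic
          ironic::db::mysql::host: '%'
          ironic::db::mysql::dbname: ironic
      # BEGIN DOCKER SETTINGS
      puppet_config:
        config_volume: ironic_api
        puppet_tags: ironic_config
        step_config:
          list_join:
            - "\n"
            - - include tripleo::profile::base::ironic::api
              - {get_attr: [MySQLClient, role_data, step_config]}
        config_image: {get_attr: [RoleParametersValue, value, ContainerIronicApiConfigImage]}
      kolla_config:
        /var/lib/kolla/config_files/ironic_api.json:
          command: /usr/sbin/httpd -DFOREGROUND
          config_files: &ironic_api_config_files
            - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
              dest: "/etc/httpd/conf.d"
              merge: false
              preserve_properties: true
            - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
              dest: "/etc/httpd/conf.modules.d"
              merge: false
              preserve_properties: true
            - source: "/var/lib/kolla/config_files/src/*"
              dest: "/"
              merge: true
              preserve_properties: true
          permissions: &ironic_api_permissions
            - path: /var/log/ironic
              owner: ironic:ironic
              recurse: true
        /var/lib/kolla/config_files/ironic_api_db_sync.json:
          command: "/usr/bin/bootstrap_host_exec ironic_api su ironic -s /bin/bash -c 'ironic-dbsync --config-file /etc/ironic/ironic.conf'"
          config_files: *ironic_api_config_files
          permissions: *ironic_api_permissions
      docker_config:
        # db sync runs before permissions set by kolla_config
        step_2:
          ironic_init_logs:
            image: &ironic_api_image {get_attr: [RoleParametersValue, value, ContainerIronicApiImage]}
            net: none
            privileged: false
            user: root
            volumes:
              - /var/log/containers/ironic:/var/log/ironic:z
              - /var/log/containers/httpd/ironic-api:/var/log/httpd:z
            command: ['/bin/bash', '-c', 'chown -R ironic:ironic /var/log/ironic']
        step_3:
          ironic_db_sync:
            start_order: 1
            image: *ironic_api_image
            net: host
            privileged: false
            detach: false
            user: root
            # nested list written in the same `- - item` form as step_4
            volumes:
              list_concat:
                - {get_attr: [ContainersCommon, volumes]}
                - - /var/lib/kolla/config_files/ironic_api_db_sync.json:/var/lib/kolla/config_files/config.json:ro
                  - /var/lib/config-data/puppet-generated/ironic_api:/var/lib/kolla/config_files/src:ro
                  - /var/log/containers/ironic:/var/log/ironic:z
            environment:
              KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
              TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
        step_4:
          ironic_api:
            start_order: 10
            image: *ironic_api_image
            net: host
            user: root
            restart: always
            healthcheck:
              test: /openstack/healthcheck
            volumes:
              list_concat:
                - {get_attr: [ContainersCommon, volumes]}
                - - /var/lib/kolla/config_files/ironic_api.json:/var/lib/kolla/config_files/config.json:ro
                  - /var/lib/config-data/puppet-generated/ironic_api:/var/lib/kolla/config_files/src:ro
                  - /var/log/containers/ironic:/var/log/ironic:z
                  - /var/log/containers/httpd/ironic-api:/var/log/httpd:z
                # the htpasswd file created in host_prep_tasks, only for http_basic
                - if:
                  - auth_strategy_http_basic
                  - - /etc/ironic_passwd:/etc/ironic/htpasswd:z
                - if:
                  - {get_param: EnableInternalTLS}
                  - - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
                    - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
            environment:
              KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
      host_prep_tasks:
        - name: create persistent directories
          file:
            path: "{{ item.path }}"
            state: directory
            setype: "{{ item.setype }}"
            mode: "{{ item.mode|default(omit) }}"
          with_items:
            - { 'path': /var/log/containers/ironic, 'setype': container_file_t, 'mode': '0750' }
            - { 'path': /var/log/containers/httpd/ironic-api, 'setype': container_file_t, 'mode': '0750' }
        - name: create password file when auth_stragy is 'http_basic'
          # Heat substitutes the plaintext passwords into the task content
          # before Ansible hashes them, so keep the task out of verbose and
          # diff output.
          no_log: true
          vars:
            is_http_basic:
              if:
                - auth_strategy_http_basic
                - true
                - false
          copy:
            dest: /etc/ironic_passwd
            content:
              str_replace:
                template: |
                  admin:{{'$ADMIN_PASSWORD' | password_hash('bcrypt')}}
                  ironic:{{'$IRONIC_PASSWORD' | password_hash('bcrypt')}}
                params:
                  $ADMIN_PASSWORD: {get_param: AdminPassword}
                  $IRONIC_PASSWORD: {get_param: IronicPassword}
          when: is_http_basic | bool
      deploy_steps_tasks:
        get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
      external_upgrade_tasks:
        - when: step|int == 1
          block: &ironic_online_db_migration
            - name: Online data migration for Ironic
              command: "{{ container_cli }} exec ironic_api ironic-dbsync --config-file /etc/ironic/ironic.conf online_data_migrations"
              delegate_to: "{{ groups['ironic_api'][0] }}"
              become: true
              tags:
                - online_upgrade
                - online_upgrade_ironic
        - when:
            - step|int == 1
          tags:
            - never
            - system_upgrade_transfer_data
            - system_upgrade_stop_services
          block:
            - name: Stop ironic api container
              import_role:
                name: tripleo_container_stop
              vars:
                tripleo_containers_to_stop:
                  - ironic_api
                tripleo_delegate_to: "{{ groups['ironic_api'] | default([]) }}"
      external_update_tasks:
        - when: step|int == 1
          block: *ironic_online_db_migration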