tripleo-heat-templates/deployment/ironic/ironic-api-container-puppet.yaml
Takashi Kajinami d8604df61b Log source ips instead of controller ips in apache access log
Currently apache access logs have controller ips instead of source ips
recorded since apache simply records source ip of http traffic.

This change ensures that client ips are detected by the X-Forwarded-For
header added by haproxy.

Note that the forwarded format does not log client ip if the header is
missing. Because of this, direct http requests(eg. healthcheck requests
from haproxy) results in log lines without client ip.

Depends-on: https://review.opendev.org/837504
Change-Id: I470c4c26f6d9977ba68a5d6eb9cd2c35af9e4b9a
2022-05-07 02:15:20 +09:00

406 lines
16 KiB
YAML

heat_template_version: wallaby
description: >
OpenStack containerized Ironic API service
parameters:
ContainerIronicApiImage:
description: image
type: string
tags:
- role_specific
ContainerIronicApiConfigImage:
description: The container image to use for the ironic_api config_volume
type: string
tags:
- role_specific
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
DeployIdentifier:
default: ''
type: string
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
IronicPassword:
description: The password for the Ironic service and db account, used by the Ironic services
type: string
hidden: true
MonitoringSubscriptionIronicApi:
default: 'overcloud-ironic-api'
type: string
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
IronicApiPolicies:
description: |
A hash of policies to configure for Ironic API.
e.g. { ironic-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
IronicCorsAllowedOrigin:
type: string
default: ''
description: Indicate whether this resource may be shared with the domain received in the request
"origin" header.
EnableInternalTLS:
type: boolean
default: false
MemcacheUseAdvancedPool:
type: boolean
description: |
Use the advanced (eventlet safe) memcached client pool.
default: true
IronicAuthStrategy:
type: string
description: Auth strategy to use with ironic.
default: 'keystone'
constraints:
- allowed_values: ['keystone', 'http_basic', 'noauth']
AdminPassword: #supplied by tripleo-undercloud-passwords.yaml
type: string
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
hidden: True
IronicRpcTransport:
description: The remote procedure call transport between conductor and
API processes, such as a messaging broker or JSON RPC.
default: 'oslo'
type: string
constraints:
- allowed_values: ['oslo', 'json-rpc']
conditions:
cors_allowed_origin_set:
not: {equals : [{get_param: IronicCorsAllowedOrigin}, '']}
auth_strategy_non_default:
contains: [{get_param: IronicAuthStrategy}, ['noauth', 'http_basic']]
auth_strategy_noauth:
equals: [{get_param: IronicAuthStrategy}, 'noauth']
auth_strategy_http_basic:
equals: [{get_param: IronicAuthStrategy}, 'http_basic']
rpc_transport_json_rpc:
equals: [{get_param: IronicRpcTransport}, 'json-rpc']
resources:
ApacheServiceBase:
type: ../../deployment/apache/apache-baremetal-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
EnableInternalTLS: {get_param: EnableInternalTLS}
ContainersCommon:
type: ../containers-common.yaml
MySQLClient:
type: ../database/mysql-client.yaml
IronicBase:
type: ./ironic-base-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- ContainerIronicApiImage: ContainerIronicApiImage
ContainerIronicApiConfigImage: ContainerIronicApiConfigImage
- values: {get_param: [RoleParameters]}
- values:
ContainerIronicApiImage: {get_param: ContainerIronicApiImage}
ContainerIronicApiConfigImage: {get_param: ContainerIronicApiConfigImage}
outputs:
role_data:
description: Role data for the Ironic API role.
value:
service_name: ironic_api
firewall_rules:
'133 ironic api':
dport:
- 6385
firewall_frontend_rules:
'100 ironic_haproxy_frontend':
dport:
- 6385
firewall_ssl_frontend_rules:
'100 ironic_haproxy_frontend_ssl':
dport:
- 13385
keystone_resources:
ironic:
endpoints:
public: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
internal: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]}
admin: {get_param: [EndpointMap, IronicAdmin, uri_no_suffix]}
users:
ironic:
roles:
- admin
- service
password: {get_param: IronicPassword}
region: {get_param: KeystoneRegion}
service: 'baremetal'
monitoring_subscription: {get_param: MonitoringSubscriptionIronicApi}
config_settings:
map_merge:
- get_attr: [IronicBase, role_data, config_settings]
- get_attr: [ApacheServiceBase, role_data, config_settings]
- ironic::cors::allowed_origin:
if:
- cors_allowed_origin_set
- {get_param: IronicCorsAllowedOrigin}
ironic::api::authtoken::password: {get_param: IronicPassword}
ironic::api::authtoken::project_name: 'service'
ironic::api::authtoken::user_domain_name: 'Default'
ironic::api::authtoken::project_domain_name: 'Default'
ironic::api::authtoken::username: 'ironic'
ironic::api::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
ironic::api::authtoken::region_name: {get_param: KeystoneRegion}
ironic::api::authtoken::interface: 'internal'
ironic::api::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
# NOTE: bind IP is found in hiera replacing the network name with the
# local node IP for the given network; replacement examples
# (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
ironic::api::host_ip:
str_replace:
template:
"%{lookup('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, IronicApiNetwork]}
ironic::api::port: {get_param: [EndpointMap, IronicInternal, port]}
# This is used to build links in responses
ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
ironic::api::service_name: 'httpd'
ironic::api::enable_proxy_headers_parsing: true
ironic::api::sync_db: false
ironic::healthcheck::enabled: true
ironic::policy::policies: {get_param: IronicApiPolicies}
ironic::wsgi::apache::vhost_custom_fragment:
if:
- auth_strategy_http_basic
- 'WSGIPassAuthorization On'
ironic::wsgi::apache::access_log_format: 'forwarded'
ironic::wsgi::apache::bind_host:
str_replace:
template:
"%{lookup('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, IronicApiNetwork]}
ironic::wsgi::apache::port: {get_param: [EndpointMap, IronicInternal, port]}
ironic::wsgi::apache::servername:
str_replace:
template:
"%{lookup('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, IronicApiNetwork]}
ironic::wsgi::apache::ssl: {get_param: EnableInternalTLS}
ironic::cors::max_age: 3600
ironic::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'
ironic::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
ironic::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
apache::default_vhost: false
# NOTE(tkajinam): the project_name parameter defaults to 'services' in puppet-ironic,
# so override it here to always set the consistent project name.
ironic::json_rpc::project_name: 'service'
- if:
- rpc_transport_json_rpc
- ironic::json_rpc::auth_type:
if:
- auth_strategy_non_default
- if:
- auth_strategy_noauth
- 'none'
- {get_param: IronicAuthStrategy}
ironic::json_rpc::password: {get_param: IronicPassword}
ironic::json_rpc::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
service_config_settings:
mysql:
ironic::db::mysql::password: {get_param: IronicPassword}
ironic::db::mysql::user: ironic
ironic::db::mysql::host: '%'
ironic::db::mysql::dbname: ironic
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: ironic_api
puppet_tags: ironic_config
step_config:
list_join:
- "\n"
- - include tripleo::profile::base::ironic::api
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_attr: [RoleParametersValue, value, ContainerIronicApiConfigImage]}
kolla_config:
/var/lib/kolla/config_files/ironic_api.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files: &ironic_api_config_files
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
dest: "/etc/httpd/conf.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
dest: "/etc/httpd/conf.modules.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions: &ironic_api_permissions
- path: /var/log/ironic
owner: ironic:ironic
recurse: true
/var/lib/kolla/config_files/ironic_api_db_sync.json:
command: "/usr/bin/bootstrap_host_exec ironic_api su ironic -s /bin/bash -c 'ironic-dbsync --config-file /etc/ironic/ironic.conf'"
config_files: *ironic_api_config_files
permissions: *ironic_api_permissions
docker_config:
# db sync runs before permissions set by kolla_config
step_2:
ironic_init_logs:
image: &ironic_api_image {get_attr: [RoleParametersValue, value, ContainerIronicApiImage]}
net: none
privileged: false
user: root
volumes:
- /var/log/containers/ironic:/var/log/ironic:z
- /var/log/containers/httpd/ironic-api:/var/log/httpd:z
command: ['/bin/bash', '-c', 'chown -R ironic:ironic /var/log/ironic']
step_3:
ironic_db_sync:
start_order: 1
image: *ironic_api_image
net: host
privileged: false
detach: false
user: root
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- - /var/lib/kolla/config_files/ironic_api_db_sync.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/ironic_api:/var/lib/kolla/config_files/src:ro
- /var/log/containers/ironic:/var/log/ironic:z
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
step_4:
ironic_api:
start_order: 10
image: *ironic_api_image
net: host
user: root
restart: always
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/kolla/config_files/ironic_api.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/ironic_api:/var/lib/kolla/config_files/src:ro
- /var/log/containers/ironic:/var/log/ironic:z
- /var/log/containers/httpd/ironic-api:/var/log/httpd:z
- if:
- auth_strategy_http_basic
- - /etc/ironic_passwd:/etc/ironic/htpasswd:z
- if:
- {get_param: EnableInternalTLS}
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
mode: "{{ item.mode|default(omit) }}"
with_items:
- { 'path': /var/log/containers/ironic, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/ironic-api, 'setype': container_file_t, 'mode': '0750' }
- name: create password file when auth_stragy is 'http_basic'
vars:
is_http_basic:
if:
- auth_strategy_http_basic
- true
- false
copy:
dest: /etc/ironic_passwd
content:
str_replace:
template: |
admin:{{'$ADMIN_PASSWORD' | password_hash('bcrypt')}}
ironic:{{'$IRONIC_PASSWORD' | password_hash('bcrypt')}}
params:
$ADMIN_PASSWORD: {get_param: AdminPassword}
$IRONIC_PASSWORD: {get_param: IronicPassword}
when: is_http_basic | bool
deploy_steps_tasks:
get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
external_upgrade_tasks:
- when: step|int == 1
block: &ironic_online_db_migration
- name: Online data migration for Ironic
command: "{{ container_cli }} exec ironic_api ironic-dbsync --config-file /etc/ironic/ironic.conf online_data_migrations"
delegate_to: "{{ groups['ironic_api'][0] }}"
become: true
tags:
- online_upgrade
- online_upgrade_ironic
- when:
- step|int == 1
tags:
- never
- system_upgrade_transfer_data
- system_upgrade_stop_services
block:
- name: Stop ironic api container
import_role:
name: tripleo_container_stop
vars:
tripleo_containers_to_stop:
- ironic_api
tripleo_delegate_to: "{{ groups['ironic_api'] | default([]) }}"
external_update_tasks:
- when: step|int == 1
block: *ironic_online_db_migration