ff83505e8a
The hiera function is deprecated and does not work with the latest hieradata version 5. It should be replaced by the new lookup function[1]. [1] https://puppet.com/docs/puppet/7/hiera_automatic.html With the lookup function, we can define value type and merge behavior, but these are kept default at this moment to limit scope of this change to just simple replacement. Adding value type might be useful to make sure the value is in expected type (especially when a boolean value is expected), but we will revisit that later. example: lookup(<NAME>, [<VALUE TYPE>], [<MERGE BEHAVIOR>], [<DEFAULT VALUE>]) Change-Id: If5ac88ffccc1bb800d8af33c8896294a57e9b5fb
270 lines
10 KiB
YAML
270 lines
10 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
OpenStack containerized Qpid dispatch router service
|
|
|
|
parameters:
|
|
ContainerQdrouterdImage:
|
|
description: image
|
|
type: string
|
|
tags:
|
|
- role_specific
|
|
ContainerQdrouterdConfigImage:
|
|
description: The container image to use for the qdrouterd config_volume
|
|
type: string
|
|
tags:
|
|
- role_specific
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
RpcPort:
|
|
default: 5672
|
|
description: The network port for messaging backend
|
|
type: number
|
|
RpcUserName:
|
|
default: guest
|
|
description: The username for messaging backend
|
|
type: string
|
|
RpcPassword:
|
|
description: The password for messaging backend
|
|
type: string
|
|
hidden: true
|
|
RpcUseSSL:
|
|
default: false
|
|
description: >
|
|
Messaging client subscriber parameter to specify
|
|
an SSL connection to the messaging host.
|
|
type: string
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
CertificateKeySize:
|
|
type: string
|
|
default: '2048'
|
|
description: Specifies the private key size used when creating the
|
|
certificate.
|
|
QdrCertificateKeySize:
|
|
type: string
|
|
default: ''
|
|
description: Override the private key size used when creating the
|
|
certificate for this service
|
|
QdrSslCertDb:
|
|
default: '/etc/ipa/ca.crt'
|
|
description: Path to SSL certificate db for listener.
|
|
type: string
|
|
QdrSslCertFile:
|
|
default: '/etc/pki/tls/certs/qdrouterd.crt'
|
|
description: Path to SSL certificate file for listener.
|
|
type: string
|
|
QdrSslKeyFile:
|
|
default: '/etc/pki/tls/private/qdrouterd.key'
|
|
description: Path to SSL private key file for listener.
|
|
type: string
|
|
|
|
conditions:
|
|
key_size_override_set:
|
|
not: {equals: [{get_param: QdrCertificateKeySize}, '']}
|
|
|
|
resources:
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
RoleParametersValue:
|
|
type: OS::Heat::Value
|
|
properties:
|
|
type: json
|
|
value:
|
|
map_replace:
|
|
- map_replace:
|
|
- ContainerQdrouterdImage: ContainerQdrouterdImage
|
|
ContainerQdrouterdConfigImage: ContainerQdrouterdConfigImage
|
|
- values: {get_param: [RoleParameters]}
|
|
- values:
|
|
ContainerQdrouterdImage: {get_param: ContainerQdrouterdImage}
|
|
ContainerQdrouterdConfigImage: {get_param: ContainerQdrouterdConfigImage}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the qdrouterd service.
|
|
value:
|
|
service_name: oslo_messaging_rpc
|
|
firewall_rules:
|
|
'109 qdrouterd':
|
|
dport:
|
|
- {get_param: RpcPort}
|
|
- 31459
|
|
- 31460
|
|
'109 qdr':
|
|
dport:
|
|
- {get_param: RpcPort}
|
|
global_config_settings:
|
|
oslo_messaging_rpc_scheme: amqp
|
|
oslo_messaging_rpc_user_name: {get_param: RpcUserName}
|
|
oslo_messaging_rpc_password: {get_param: RpcPassword}
|
|
oslo_messaging_rpc_use_ssl: {get_param: RpcUseSSL}
|
|
oslo_messaging_rpc_port: {get_param: RpcPort}
|
|
messaging_notify_service_name: 'amqp'
|
|
messaging_rpc_service_name: 'amqp'
|
|
keystone::messaging::amqp::amqp_pre_settled: 'notify'
|
|
config_settings:
|
|
qdr::listener_addr:
|
|
str_replace:
|
|
template:
|
|
"%{lookup('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
|
|
tripleo::profile::base::qdr::qdr_listener_port: {get_param: RpcPort}
|
|
tripleo::profile::base::qdr::qdr_username: {get_param: RpcUserName}
|
|
tripleo::profile::base::qdr::qdr_password: {get_param: RpcPassword}
|
|
# tls support
|
|
tripleo::profile::base::qdr::listener_require_ssl: {get_param: EnableInternalTLS}
|
|
tripleo::profile::base::qdr::listener_ssl_cert_db: {get_param: QdrSslCertDb}
|
|
tripleo::profile::base::qdr::listener_ssl_cert_file: {get_param: QdrSslCertFile}
|
|
tripleo::profile::base::qdr::listener_ssl_key_file: {get_param: QdrSslKeyFile}
|
|
|
|
service_config_settings: {}
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: qdrouterd
|
|
step_config: |
|
|
include tripleo::profile::base::qdr
|
|
config_image: {get_attr: [RoleParametersValue, value, ContainerQdrouterdConfigImage]}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/qdrouterd.json:
|
|
command: /usr/sbin/qdrouterd -c /etc/qpid-dispatch/qdrouterd.conf
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src-tls/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
optional: true
|
|
permissions:
|
|
- path: /var/lib/qdrouterd
|
|
owner: qdrouterd:qdrouterd
|
|
recurse: true
|
|
- path: /etc/pki/tls/certs/qdrouterd.crt
|
|
owner: qdrouterd:qdrouterd
|
|
optional: true
|
|
- path: /etc/pki/tls/private/qdrouterd.key
|
|
owner: qdrouterd:qdrouterd
|
|
optional: true
|
|
|
|
docker_config:
|
|
step_1:
|
|
qdrouterd_init_logs:
|
|
start_order: 0
|
|
detach: false
|
|
image: &qdrouterd_image {get_attr: [RoleParametersValue, value, ContainerQdrouterdImage]}
|
|
net: none
|
|
privileged: false
|
|
user: root
|
|
volumes:
|
|
- /var/log/containers/qdrouterd:/var/log/qdrouterd:z
|
|
command: ['/bin/bash', '-c', 'chown -R qdrouterd:qdrouterd /var/log/qdrouterd']
|
|
qdrouterd:
|
|
start_order: 1
|
|
stop_grace_period: 60
|
|
image: *qdrouterd_image
|
|
net: host
|
|
user: qdrouterd
|
|
privileged: false
|
|
restart: always
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- - /var/lib/kolla/config_files/qdrouterd.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/qdrouterd:/var/lib/kolla/config_files/src:ro
|
|
- /var/lib/qdrouterd:/var/lib/qdrouterd:z
|
|
- /var/log/containers/qdrouterd:/var/log/qdrouterd:z
|
|
- if:
|
|
- {get_param: EnableInternalTLS}
|
|
- - /etc/pki/tls/certs/qdrouterd.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/qdrouterd.crt:ro
|
|
- /etc/pki/tls/private/qdrouterd.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/qdrouterd.key:ro
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
metadata_settings:
|
|
if:
|
|
- {get_param: EnableInternalTLS}
|
|
- - service: qdrouterd
|
|
network: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
|
|
type: node
|
|
deploy_steps_tasks:
|
|
- name: Certificate generation
|
|
when:
|
|
- step|int == 1
|
|
- enable_internal_tls
|
|
block:
|
|
- include_role:
|
|
name: linux-system-roles.certificate
|
|
vars:
|
|
certificate_requests:
|
|
- name: qdrouterd
|
|
dns:
|
|
str_replace:
|
|
template: "{{fqdn_$NETWORK}}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
|
|
principal:
|
|
str_replace:
|
|
template: "qdrouterd/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
|
|
run_after: |
|
|
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep qdrouterd)
|
|
service_crt="/etc/pki/tls/certs/qdrouterd.crt"
|
|
service_key="/etc/pki/tls/private/qdrouterd.key
|
|
# Copy the new cert from the mount-point to the real path
|
|
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
|
# Copy the new key from the mount-point to the real path
|
|
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
|
# Set appropriate permissions
|
|
{{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_crt"
|
|
{{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_key"
|
|
# Trigger a container restart to read the new certificate
|
|
{{container_cli}} restart "$container_name"
|
|
key_size:
|
|
if:
|
|
- key_size_override_set
|
|
- {get_param: QdrCertificateKeySize}
|
|
- {get_param: CertificateKeySize}
|
|
ca: ipa
|
|
host_prep_tasks:
|
|
- name: create fcontext entry for qdrouterd data
|
|
community.general.sefcontext:
|
|
target: "/var/lib/qdrouterd(/.*)?"
|
|
setype: container_file_t
|
|
state: present
|
|
- name: create persistent logs directory
|
|
file:
|
|
path: "{{ item.path }}"
|
|
state: directory
|
|
setype: "{{ item.setype }}"
|
|
mode: "{{ item.mode|default(omit) }}"
|
|
with_items:
|
|
- { 'path': /var/log/containers/qdrouterd, 'setype': container_file_t, 'mode': '0750' }
|
|
- { 'path': /var/lib/qdrouterd, 'setype': container_file_t }
|