tripleo-heat-templates/deployment/messaging/rpc-qdrouterd-container-puppet.yaml
Takashi Kajinami ff83505e8a Replace hiera by lookup
The hiera function is deprecated and does not work with the latest
hieradata version 5. It should be replaced by the new lookup
function[1].

[1] https://puppet.com/docs/puppet/7/hiera_automatic.html

With the lookup function, we can define value type and merge behavior,
but these are kept default at this moment to limit scope of this change
to just simple replacement. Adding value type might be useful to make
sure the value is in expected type (especially when a boolean value is
expected), but we will revisit that later.

example:
lookup(<NAME>, [<VALUE TYPE>], [<MERGE BEHAVIOR>], [<DEFAULT VALUE>])

Change-Id: If5ac88ffccc1bb800d8af33c8896294a57e9b5fb
2022-04-14 17:07:52 +09:00

270 lines
10 KiB
YAML

heat_template_version: wallaby
description: >
OpenStack containerized Qpid dispatch router service
parameters:
ContainerQdrouterdImage:
description: image
type: string
tags:
- role_specific
ContainerQdrouterdConfigImage:
description: The container image to use for the qdrouterd config_volume
type: string
tags:
- role_specific
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
RpcPort:
default: 5672
description: The network port for messaging backend
type: number
RpcUserName:
default: guest
description: The username for messaging backend
type: string
RpcPassword:
description: The password for messaging backend
type: string
hidden: true
RpcUseSSL:
default: false
description: >
Messaging client subscriber parameter to specify
an SSL connection to the messaging host.
type: string
EnableInternalTLS:
type: boolean
default: false
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
QdrCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
QdrSslCertDb:
default: '/etc/ipa/ca.crt'
description: Path to SSL certificate db for listener.
type: string
QdrSslCertFile:
default: '/etc/pki/tls/certs/qdrouterd.crt'
description: Path to SSL certificate file for listener.
type: string
QdrSslKeyFile:
default: '/etc/pki/tls/private/qdrouterd.key'
description: Path to SSL private key file for listener.
type: string
conditions:
key_size_override_set:
not: {equals: [{get_param: QdrCertificateKeySize}, '']}
resources:
ContainersCommon:
type: ../containers-common.yaml
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- ContainerQdrouterdImage: ContainerQdrouterdImage
ContainerQdrouterdConfigImage: ContainerQdrouterdConfigImage
- values: {get_param: [RoleParameters]}
- values:
ContainerQdrouterdImage: {get_param: ContainerQdrouterdImage}
ContainerQdrouterdConfigImage: {get_param: ContainerQdrouterdConfigImage}
outputs:
role_data:
description: Role data for the qdrouterd service.
value:
service_name: oslo_messaging_rpc
firewall_rules:
'109 qdrouterd':
dport:
- {get_param: RpcPort}
- 31459
- 31460
'109 qdr':
dport:
- {get_param: RpcPort}
global_config_settings:
oslo_messaging_rpc_scheme: amqp
oslo_messaging_rpc_user_name: {get_param: RpcUserName}
oslo_messaging_rpc_password: {get_param: RpcPassword}
oslo_messaging_rpc_use_ssl: {get_param: RpcUseSSL}
oslo_messaging_rpc_port: {get_param: RpcPort}
messaging_notify_service_name: 'amqp'
messaging_rpc_service_name: 'amqp'
keystone::messaging::amqp::amqp_pre_settled: 'notify'
config_settings:
qdr::listener_addr:
str_replace:
template:
"%{lookup('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
tripleo::profile::base::qdr::qdr_listener_port: {get_param: RpcPort}
tripleo::profile::base::qdr::qdr_username: {get_param: RpcUserName}
tripleo::profile::base::qdr::qdr_password: {get_param: RpcPassword}
# tls support
tripleo::profile::base::qdr::listener_require_ssl: {get_param: EnableInternalTLS}
tripleo::profile::base::qdr::listener_ssl_cert_db: {get_param: QdrSslCertDb}
tripleo::profile::base::qdr::listener_ssl_cert_file: {get_param: QdrSslCertFile}
tripleo::profile::base::qdr::listener_ssl_key_file: {get_param: QdrSslKeyFile}
service_config_settings: {}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: qdrouterd
step_config: |
include tripleo::profile::base::qdr
config_image: {get_attr: [RoleParametersValue, value, ContainerQdrouterdConfigImage]}
kolla_config:
/var/lib/kolla/config_files/qdrouterd.json:
command: /usr/sbin/qdrouterd -c /etc/qpid-dispatch/qdrouterd.conf
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/lib/qdrouterd
owner: qdrouterd:qdrouterd
recurse: true
- path: /etc/pki/tls/certs/qdrouterd.crt
owner: qdrouterd:qdrouterd
optional: true
- path: /etc/pki/tls/private/qdrouterd.key
owner: qdrouterd:qdrouterd
optional: true
docker_config:
step_1:
qdrouterd_init_logs:
start_order: 0
detach: false
image: &qdrouterd_image {get_attr: [RoleParametersValue, value, ContainerQdrouterdImage]}
net: none
privileged: false
user: root
volumes:
- /var/log/containers/qdrouterd:/var/log/qdrouterd:z
command: ['/bin/bash', '-c', 'chown -R qdrouterd:qdrouterd /var/log/qdrouterd']
qdrouterd:
start_order: 1
stop_grace_period: 60
image: *qdrouterd_image
net: host
user: qdrouterd
privileged: false
restart: always
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/kolla/config_files/qdrouterd.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/qdrouterd:/var/lib/kolla/config_files/src:ro
- /var/lib/qdrouterd:/var/lib/qdrouterd:z
- /var/log/containers/qdrouterd:/var/log/qdrouterd:z
- if:
- {get_param: EnableInternalTLS}
- - /etc/pki/tls/certs/qdrouterd.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/qdrouterd.crt:ro
- /etc/pki/tls/private/qdrouterd.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/qdrouterd.key:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
metadata_settings:
if:
- {get_param: EnableInternalTLS}
- - service: qdrouterd
network: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
type: node
deploy_steps_tasks:
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: qdrouterd
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
principal:
str_replace:
template: "qdrouterd/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
run_after: |
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep qdrouterd)
service_crt="/etc/pki/tls/certs/qdrouterd.crt"
service_key="/etc/pki/tls/private/qdrouterd.key
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
# Copy the new key from the mount-point to the real path
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
# Set appropriate permissions
{{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_crt"
{{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_key"
# Trigger a container restart to read the new certificate
{{container_cli}} restart "$container_name"
key_size:
if:
- key_size_override_set
- {get_param: QdrCertificateKeySize}
- {get_param: CertificateKeySize}
ca: ipa
host_prep_tasks:
- name: create fcontext entry for qdrouterd data
community.general.sefcontext:
target: "/var/lib/qdrouterd(/.*)?"
setype: container_file_t
state: present
- name: create persistent logs directory
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
mode: "{{ item.mode|default(omit) }}"
with_items:
- { 'path': /var/log/containers/qdrouterd, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/qdrouterd, 'setype': container_file_t }