255 lines
9.3 KiB
YAML
255 lines
9.3 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
OpenStack containerized Nova Vncproxy service
|
|
|
|
parameters:
|
|
DockerNovaVncProxyImage:
|
|
description: image
|
|
type: string
|
|
DockerNovaConfigImage:
|
|
description: The container image to use for the nova config_volume
|
|
type: string
|
|
NovaVncproxyLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.nova.vncproxy
|
|
path: /var/log/containers/nova/nova-vncproxy.log
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
UpgradeRemoveUnusedPackages:
|
|
default: false
|
|
description: Remove package if the service is being disabled during upgrade
|
|
type: boolean
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
UseTLSTransportForVnc:
|
|
type: boolean
|
|
default: true
|
|
description: If set to true and if EnableInternalTLS is enabled, it will
|
|
enable TLS transaport for libvirt VNC and configure the
|
|
relevant keys for libvirt.
|
|
InternalTLSVncCAFile:
|
|
default: '/etc/pki/CA/certs/vnc.crt'
|
|
type: string
|
|
description: Specifies the CA cert to use for VNC TLS.
|
|
LibvirtVncCACert:
|
|
type: string
|
|
default: ''
|
|
description: This specifies the CA certificate to use for VNC TLS.
|
|
This file will be symlinked to the default CA path,
|
|
which is /etc/pki/libvirt-vnc/ca-cert.pem.
|
|
This parameter should be used if the default (which comes from
|
|
the InternalTLSVncCAFile parameter) is not desired. The current
|
|
default reflects TripleO's default CA, which is FreeIPA.
|
|
It will only be used if internal TLS is enabled.
|
|
|
|
|
|
conditions:
|
|
|
|
use_tls_for_vnc:
|
|
and:
|
|
- equals:
|
|
- {get_param: EnableInternalTLS}
|
|
- true
|
|
- equals:
|
|
- {get_param: UseTLSTransportForVnc}
|
|
- true
|
|
|
|
libvirt_vnc_specific_ca_unset:
|
|
equals:
|
|
- {get_param: LibvirtVncCACert}
|
|
- ''
|
|
|
|
resources:
|
|
|
|
ContainersCommon:
|
|
type: ./containers-common.yaml
|
|
|
|
MySQLClient:
|
|
type: ../../puppet/services/database/mysql-client.yaml
|
|
|
|
NovaVncProxyPuppetBase:
|
|
type: ../../puppet/services/nova-vnc-proxy.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
NovaLogging:
|
|
type: OS::TripleO::Services::Logging::NovaCommon
|
|
properties:
|
|
DockerNovaImage: {get_param: DockerNovaVncProxyImage}
|
|
NovaServiceName: 'vncproxy'
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Nova Vncproxy service.
|
|
value:
|
|
service_name: {get_attr: [NovaVncProxyPuppetBase, role_data, service_name]}
|
|
config_settings:
|
|
map_merge:
|
|
- {get_attr: [NovaVncProxyPuppetBase, role_data, config_settings]}
|
|
- {get_attr: [NovaLogging, config_settings]}
|
|
service_config_settings:
|
|
map_merge:
|
|
- get_attr: [NovaVncProxyPuppetBase, role_data, service_config_settings]
|
|
- fluentd:
|
|
tripleo_fluentd_groups_nova_vnc_proxy:
|
|
- nova
|
|
tripleo_fluentd_sources_nova_vnc_proxy:
|
|
- {get_param: NovaVncproxyLoggingSource}
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: nova
|
|
puppet_tags: nova_config
|
|
step_config:
|
|
list_join:
|
|
- "\n"
|
|
- - {get_attr: [NovaVncProxyPuppetBase, role_data, step_config]}
|
|
- {get_attr: [MySQLClient, role_data, step_config]}
|
|
config_image: {get_param: DockerNovaConfigImage}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/nova_vnc_proxy.json:
|
|
command:
|
|
list_join:
|
|
- ' '
|
|
- - /usr/bin/nova-novncproxy --web /usr/share/novnc/
|
|
- get_attr: [NovaLogging, cmd_extra_args]
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src-tls/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
optional: true
|
|
permissions:
|
|
- path: /var/log/nova
|
|
owner: nova:nova
|
|
recurse: true
|
|
- path: /etc/pki/tls/private/novnc_proxy.key
|
|
owner: root:nova
|
|
docker_config:
|
|
step_4:
|
|
nova_vnc_proxy:
|
|
image: {get_param: DockerNovaVncProxyImage}
|
|
net: host
|
|
privileged: false
|
|
restart: always
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [NovaLogging, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/nova_vnc_proxy.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/nova/:/var/lib/kolla/config_files/src:ro
|
|
-
|
|
if:
|
|
- use_tls_for_vnc
|
|
-
|
|
- str_replace:
|
|
template: "CACERT:/etc/pki/libvirt-vnc/ca-cert.pem:ro"
|
|
params:
|
|
CACERT:
|
|
if:
|
|
- libvirt_vnc_specific_ca_unset
|
|
- get_param: InternalTLSVncCAFile
|
|
- get_param: LibvirtVncCACert
|
|
- /etc/pki/libvirt-vnc/client-cert.pem:/etc/pki/libvirt-vnc/client-cert.pem:ro
|
|
- /etc/pki/libvirt-vnc/client-key.pem:/etc/pki/libvirt-vnc/client-key.pem:ro
|
|
- /etc/pki/tls/certs/novnc_proxy.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/novnc_proxy.crt:ro
|
|
- /etc/pki/tls/private/novnc_proxy.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/novnc_proxy.key:ro
|
|
- null
|
|
environment:
|
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
|
metadata_settings:
|
|
get_attr: [NovaVncProxyPuppetBase, role_data, metadata_settings]
|
|
host_prep_tasks: {get_attr: [NovaLogging, host_prep_tasks]}
|
|
upgrade_tasks:
|
|
- when: step|int == 0
|
|
tags: common
|
|
block:
|
|
- name: Check if nova vncproxy is deployed
|
|
command: systemctl is-enabled --quiet openstack-nova-novncproxy
|
|
ignore_errors: True
|
|
register: nova_vncproxy_enabled_result
|
|
- name: Set fact nova_vncproxy_enabled
|
|
set_fact:
|
|
nova_vncproxy_enabled: "{{ nova_vncproxy_enabled_result.rc == 0 }}"
|
|
- name: "PreUpgrade step0,validation: Check service openstack-nova-novncproxy is running"
|
|
command: systemctl is-active --quiet openstack-nova-novncproxy
|
|
tags: validation
|
|
when: nova_vncproxy_enabled|bool
|
|
- when: step|int == 2
|
|
block:
|
|
- name: Stop and disable nova_vnc_proxy service
|
|
when: nova_vncproxy_enabled|bool
|
|
service: name=openstack-nova-novncproxy state=stopped enabled=no
|
|
- when: step|int == 3
|
|
block:
|
|
- name: Set fact for removal of openstack-nova-novncproxy package
|
|
set_fact:
|
|
remove_nova_novncproxy_package: {get_param: UpgradeRemoveUnusedPackages}
|
|
- name: Remove openstack-nova-novncproxy package if operator requests it
|
|
package: name=openstack-nova-novncproxy state=removed
|
|
ignore_errors: True
|
|
when: remove_nova_novncproxy_package|bool
|
|
fast_forward_upgrade_tasks:
|
|
- when:
|
|
- step|int == 0
|
|
- release == 'ocata'
|
|
block:
|
|
- name: Check if nova vncproxy is deployed
|
|
command: systemctl is-enabled --quiet openstack-nova-novncproxy
|
|
ignore_errors: True
|
|
register: nova_vncproxy_enabled_result
|
|
- name: Set fact nova_vncproxy_enabled
|
|
set_fact:
|
|
nova_vncproxy_enabled: "{{ nova_vncproxy_enabled_result.rc == 0 }}"
|
|
- name: Stop and disable nova-novncproxy service
|
|
service: name=openstack-nova-novncproxy state=stopped
|
|
when:
|
|
- step|int == 1
|
|
- release == 'ocata'
|
|
- nova_vncproxy_enabled|bool
|
|
post_upgrade_tasks:
|
|
- when: step|int == 1
|
|
import_role:
|
|
name: tripleo-docker-rm
|
|
vars:
|
|
containers_to_rm:
|
|
- nova_vnc_proxy
|