58129434ac
According to the parameter description, www_authenticate_uri should be complete public Identity endpoint, which is accessible by all end users. This change replaces internal endpoint by public endpoint to meet that requirement. Conflicts: deployment/ironic/ironic-conductor-container-puppet.yaml deployment/swift/swift-proxy-container-puppet.yaml Backport note: This change includes commit2b9461e97fwhich fixes the remaining usage of internal endpoint. Also, commit02bb4b8aa0was partially included to remove the following ineffective puppet parameter. neutron::server::placement::www_authenticate_uri Closes-Bug: #1955397 Change-Id: I30165c8ee5aa4b777b73ad89ac709e2c8a375382 (cherry picked from commit160936df13)
225 lines
9.0 KiB
YAML
225 lines
9.0 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
Openstack Heat base service. Shared for all Heat services.
|
|
|
|
parameters:
|
|
Debug:
|
|
default: false
|
|
description: Set to True to enable debugging on all services.
|
|
type: boolean
|
|
HeatDebug:
|
|
default: false
|
|
description: Set to True to enable debugging Heat services.
|
|
type: boolean
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
HeatPassword:
|
|
description: The password for the Heat service and db account, used by the Heat services.
|
|
type: string
|
|
hidden: true
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
EnableCache:
|
|
description: Enable caching with memcached
|
|
type: boolean
|
|
default: true
|
|
HeatCronPurgeDeletedEnsure:
|
|
type: string
|
|
description: >
|
|
Cron to purge db entries marked as deleted and older than $age - Ensure
|
|
default: 'present'
|
|
HeatCronPurgeDeletedMinute:
|
|
type: string
|
|
description: >
|
|
Cron to purge db entries marked as deleted and older than $age - Minute
|
|
default: '1'
|
|
HeatCronPurgeDeletedHour:
|
|
type: string
|
|
description: >
|
|
Cron to purge db entries marked as deleted and older than $age - Hour
|
|
default: '0'
|
|
HeatCronPurgeDeletedMonthday:
|
|
type: string
|
|
description: >
|
|
Cron to purge db entries marked as deleted and older than $age - Month Day
|
|
default: '*'
|
|
HeatCronPurgeDeletedMonth:
|
|
type: string
|
|
description: >
|
|
Cron to purge db entries marked as deleted and older than $age - Month
|
|
default: '*'
|
|
HeatCronPurgeDeletedWeekday:
|
|
type: string
|
|
description: >
|
|
Cron to purge db entries marked as deleted and older than $age - Week Day
|
|
default: '*'
|
|
HeatCronPurgeDeletedMaxDelay:
|
|
type: string
|
|
description: >
|
|
Cron to purge db entries marked as deleted and older than $age - Max Delay
|
|
default: '3600'
|
|
HeatCronPurgeDeletedUser:
|
|
type: string
|
|
description: >
|
|
Cron to purge db entries marked as deleted and older than $age - User
|
|
default: 'heat'
|
|
HeatCronPurgeDeletedAge:
|
|
type: string
|
|
description: >
|
|
Cron to purge db entries marked as deleted and older than $age - Age
|
|
default: '30'
|
|
HeatCronPurgeDeletedAgeType:
|
|
type: string
|
|
description: >
|
|
Cron to purge db entries marked as deleted and older than $age - Age type
|
|
default: 'days'
|
|
HeatCronPurgeDeletedDestination:
|
|
type: string
|
|
description: >
|
|
Cron to purge db entries marked as deleted and older than $age - Log destination
|
|
default: '/dev/null'
|
|
HeatYaqlLimitIterators:
|
|
type: number
|
|
description: >
|
|
The maximum number of elements in collection yaql expressions can take
|
|
for its evaluation.
|
|
default: 1000
|
|
HeatYaqlMemoryQuota:
|
|
type: number
|
|
description: >
|
|
The maximum size of memory in bytes that yaql exrpessions can take for
|
|
its evaluation.
|
|
default: 100000
|
|
HeatMaxJsonBodySize:
|
|
default: 4194304
|
|
description: Maximum raw byte size of the Heat API JSON request body.
|
|
type: number
|
|
NotificationDriver:
|
|
type: comma_delimited_list
|
|
default: 'noop'
|
|
description: Driver or drivers to handle sending notifications.
|
|
HeatCorsAllowedOrigin:
|
|
type: string
|
|
default: ''
|
|
description: Indicate whether this resource may be shared with the domain received in the request
|
|
"origin" header.
|
|
MemcachedTLS:
|
|
default: false
|
|
description: Set to True to enable TLS on Memcached service.
|
|
Because not all services support Memcached TLS, during the
|
|
migration period, Memcached will listen on 2 ports - on the
|
|
port set with MemcachedPort parameter (above) and on 11211,
|
|
without TLS.
|
|
type: boolean
|
|
MemcacheUseAdvancedPool:
|
|
type: boolean
|
|
description: |
|
|
Use the advanced (eventlet safe) memcached client pool.
|
|
default: true
|
|
EnforceSecureRbac:
|
|
type: boolean
|
|
default: false
|
|
description: >-
|
|
Setting this option to True will configure each OpenStack service to
|
|
enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
|
|
`[oslo_policy] enforce_scope` to True. This introduces a consistent set
|
|
of RBAC personas across OpenStack services that include support for
|
|
system and project scope, as well as keystone's default roles, admin,
|
|
member, and reader. Do not enable this functionality until all services in
|
|
your deployment actually support secure RBAC.
|
|
|
|
conditions:
|
|
tls_cache_enabled:
|
|
and:
|
|
- {get_param: EnableCache}
|
|
- {get_param: MemcachedTLS}
|
|
cors_allowed_origin_set:
|
|
not: {equals : [{get_param: HeatCorsAllowedOrigin}, '']}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Shared role data for the Heat services.
|
|
value:
|
|
service_name: heat_base
|
|
config_settings:
|
|
map_merge:
|
|
- if:
|
|
- {get_param: EnforceSecureRbac}
|
|
- heat::policy::enforce_scope: true
|
|
heat::policy::enforce_new_defaults: true
|
|
- if:
|
|
- cors_allowed_origin_set
|
|
- heat::cors::allowed_origin: {get_param: HeatCorsAllowedOrigin}
|
|
- heat::notification_driver: {get_param: NotificationDriver}
|
|
heat::logging::debug:
|
|
if:
|
|
- {get_param: HeatDebug}
|
|
- true
|
|
- {get_param: Debug}
|
|
heat::enable_proxy_headers_parsing: true
|
|
heat::rpc_response_timeout: 600
|
|
heat::rabbit_heartbeat_timeout_threshold: 60
|
|
heat::region_name: {get_param: KeystoneRegion}
|
|
heat::keystone::authtoken::project_name: 'service'
|
|
heat::keystone::authtoken::user_domain_name: 'Default'
|
|
heat::keystone::authtoken::project_domain_name: 'Default'
|
|
heat::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
|
|
heat::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
|
heat::keystone::authtoken::password: {get_param: HeatPassword}
|
|
heat::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
|
heat::keystone::authtoken::interface: 'internal'
|
|
heat::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
|
|
heat::keystone::domain::domain_name: 'heat_stack'
|
|
heat::keystone::domain::domain_admin: 'heat_stack_domain_admin'
|
|
heat::keystone::domain::domain_admin_email: 'heat_stack_domain_admin@localhost'
|
|
heat::db::database_db_max_retries: -1
|
|
heat::db::database_max_retries: -1
|
|
heat::yaql_memory_quota: {get_param: HeatYaqlMemoryQuota}
|
|
heat::yaql_limit_iterators: {get_param: HeatYaqlLimitIterators}
|
|
heat::cors::max_age: 3600
|
|
heat::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
|
|
heat::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
|
|
heat::cron::purge_deleted::ensure: {get_param: HeatCronPurgeDeletedEnsure}
|
|
heat::cron::purge_deleted::minute: {get_param: HeatCronPurgeDeletedMinute}
|
|
heat::cron::purge_deleted::hour: {get_param: HeatCronPurgeDeletedHour}
|
|
heat::cron::purge_deleted::monthday: {get_param: HeatCronPurgeDeletedMonthday}
|
|
heat::cron::purge_deleted::month: {get_param: HeatCronPurgeDeletedMonth}
|
|
heat::cron::purge_deleted::weekday: {get_param: HeatCronPurgeDeletedWeekday}
|
|
heat::cron::purge_deleted::maxdelay: {get_param: HeatCronPurgeDeletedMaxDelay}
|
|
heat::cron::purge_deleted::user: {get_param: HeatCronPurgeDeletedUser}
|
|
heat::cron::purge_deleted::age: {get_param: HeatCronPurgeDeletedAge}
|
|
heat::cron::purge_deleted::age_type: {get_param: HeatCronPurgeDeletedAgeType}
|
|
heat::cron::purge_deleted::destination: {get_param: HeatCronPurgeDeletedDestination}
|
|
heat::max_json_body_size: {get_param: HeatMaxJsonBodySize}
|
|
- heat::cache::enabled: {get_param: EnableCache}
|
|
heat::cache::tls_enabled: {get_param: MemcachedTLS}
|
|
heat::cache::resource_finder_caching: false
|
|
- if:
|
|
- tls_cache_enabled
|
|
- heat::cache::backend: 'dogpile.cache.pymemcache'
|
|
- heat::cache::backend: 'dogpile.cache.memcached'
|