56bec75c02
To not to redefine variable multiple times in each service we run check only once and we set fact. To increase readability of generated playbook we add block per strep in services. Change-Id: I2399a72709d240f84e3463c5c3b56942462d1e5c
314 lines
13 KiB
YAML
314 lines
13 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
OpenStack containerized swift proxy service
|
|
|
|
parameters:
|
|
DockerSwiftProxyImage:
|
|
description: image
|
|
type: string
|
|
DockerSwiftConfigImage:
|
|
description: The container image to use for the swift config_volume
|
|
type: string
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
SwiftEncryptionEnabled:
|
|
description: Set to True to enable data-at-rest encryption in Swift
|
|
default: false
|
|
type: boolean
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
UpgradeRemoveUnusedPackages:
|
|
default: false
|
|
description: Remove package if the service is being disabled during upgrade
|
|
type: boolean
|
|
DeployIdentifier:
|
|
default: ''
|
|
type: string
|
|
description: >
|
|
Setting this to a unique value will re-run any deployment tasks which
|
|
perform configuration on a Heat stack-update.
|
|
|
|
conditions:
|
|
|
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
swift_encryption_enabled: {equals : [{get_param: SwiftEncryptionEnabled}, true]}
|
|
|
|
resources:
|
|
|
|
ContainersCommon:
|
|
type: ./containers-common.yaml
|
|
|
|
SwiftProxyBase:
|
|
type: ../../puppet/services/swift-proxy.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the swift proxy.
|
|
value:
|
|
service_name: {get_attr: [SwiftProxyBase, role_data, service_name]}
|
|
config_settings: {get_attr: [SwiftProxyBase, role_data, config_settings]}
|
|
logging_source: {get_attr: [SwiftProxyBase, role_data, logging_source]}
|
|
logging_groups: {get_attr: [SwiftProxyBase, role_data, logging_groups]}
|
|
service_config_settings: {get_attr: [SwiftProxyBase, role_data, service_config_settings]}
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: swift
|
|
puppet_tags: swift_config,swift_proxy_config,swift_keymaster_config
|
|
step_config:
|
|
get_attr: [SwiftProxyBase, role_data, step_config]
|
|
config_image: {get_param: DockerSwiftConfigImage}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/swift_proxy.json:
|
|
command: /usr/bin/swift-proxy-server /etc/swift/proxy-server.conf
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
/var/lib/kolla/config_files/swift_proxy_tls_proxy.json:
|
|
command: /usr/sbin/httpd -DFOREGROUND
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
docker_config_scripts:
|
|
create_swift_secret.sh:
|
|
mode: "0700"
|
|
content: |
|
|
#!/bin/bash
|
|
export OS_PROJECT_DOMAIN_ID=$(crudini --get /etc/swift/keymaster.conf kms_keymaster project_domain_id)
|
|
export OS_USER_DOMAIN_ID=$(crudini --get /etc/swift/keymaster.conf kms_keymaster user_domain_id)
|
|
export OS_PROJECT_NAME=$(crudini --get /etc/swift/keymaster.conf kms_keymaster project_name)
|
|
export OS_USERNAME=$(crudini --get /etc/swift/keymaster.conf kms_keymaster username)
|
|
export OS_PASSWORD=$(crudini --get /etc/swift/keymaster.conf kms_keymaster password)
|
|
export OS_AUTH_URL=$(crudini --get /etc/swift/keymaster.conf kms_keymaster auth_endpoint)
|
|
export OS_AUTH_TYPE=password
|
|
export OS_IDENTITY_API_VERSION=3
|
|
|
|
echo "Check if secret already exists"
|
|
secret_href=$(openstack secret list --name swift_root_secret_uuid)
|
|
rc=$?
|
|
if [[ $rc != 0 ]]; then
|
|
echo "Failed to check secrets, check if Barbican in enabled and responding properly"
|
|
exit $rc;
|
|
fi
|
|
if [ -z "$secret_href" ]; then
|
|
echo "Create new secret"
|
|
order_href=$(openstack secret order create --name swift_root_secret_uuid --payload-content-type="application/octet-stream" --algorithm aes --bit-length 256 --mode ctr key -f value -c "Order href")
|
|
fi
|
|
set_swift_keymaster_key_id.sh:
|
|
mode: "0700"
|
|
content: |
|
|
#!/bin/bash
|
|
export OS_PROJECT_DOMAIN_ID=$(crudini --get /etc/swift/keymaster.conf kms_keymaster project_domain_id)
|
|
export OS_USER_DOMAIN_ID=$(crudini --get /etc/swift/keymaster.conf kms_keymaster user_domain_id)
|
|
export OS_PROJECT_NAME=$(crudini --get /etc/swift/keymaster.conf kms_keymaster project_name)
|
|
export OS_USERNAME=$(crudini --get /etc/swift/keymaster.conf kms_keymaster username)
|
|
export OS_PASSWORD=$(crudini --get /etc/swift/keymaster.conf kms_keymaster password)
|
|
export OS_AUTH_URL=$(crudini --get /etc/swift/keymaster.conf kms_keymaster auth_endpoint)
|
|
export OS_AUTH_TYPE=password
|
|
export OS_IDENTITY_API_VERSION=3
|
|
echo "retrieve key_id"
|
|
loop_wait=2
|
|
for i in {0..5}; do
|
|
#TODO update uuid from mistral here too
|
|
secret_href=$(openstack secret list --name swift_root_secret_uuid)
|
|
if [ "$secret_href" ]; then
|
|
echo "set key_id in keymaster.conf"
|
|
secret_href=$(openstack secret list --name swift_root_secret_uuid -f value -c "Secret href")
|
|
crudini --set /etc/swift/keymaster.conf kms_keymaster key_id ${secret_href##*/}
|
|
exit 0
|
|
else
|
|
echo "no key, wait for $loop_wait and check again"
|
|
sleep $loop_wait
|
|
((loop_wait++))
|
|
fi
|
|
done
|
|
echo "Failed to set secret in keymaster.conf, check if Barbican is enabled and responding properly"
|
|
exit 1
|
|
docker_config:
|
|
step_4:
|
|
map_merge:
|
|
- if:
|
|
- swift_encryption_enabled
|
|
- create_swift_secret:
|
|
# NOTE: Barbican should be started before creating secrets
|
|
start_order: 0
|
|
image: &swift_proxy_image {get_param: DockerSwiftProxyImage}
|
|
net: host
|
|
detach: false
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- /var/lib/config-data/puppet-generated/swift/etc/swift:/etc/swift:ro
|
|
- /var/lib/docker-config-scripts/create_swift_secret.sh:/create_swift_secret.sh:ro
|
|
user: root
|
|
command: "/usr/bin/bootstrap_host_exec swift_proxy /create_swift_secret.sh"
|
|
- {}
|
|
- if:
|
|
- swift_encryption_enabled
|
|
- set_swift_secret:
|
|
start_order: 1
|
|
image: *swift_proxy_image
|
|
net: host
|
|
detach: false
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- /var/lib/config-data/puppet-generated/swift/etc/swift:/etc/swift:rw
|
|
- /var/lib/docker-config-scripts/set_swift_keymaster_key_id.sh:/set_swift_keymaster_key_id.sh:ro
|
|
user: root
|
|
command: "/set_swift_keymaster_key_id.sh"
|
|
environment:
|
|
# NOTE: this should force this container to re-run on each
|
|
# update (scale-out, etc.)
|
|
- list_join:
|
|
- ''
|
|
- - 'TRIPLEO_DEPLOY_IDENTIFIER='
|
|
- {get_param: DeployIdentifier}
|
|
- {}
|
|
- swift_proxy:
|
|
image: *swift_proxy_image
|
|
start_order: 2
|
|
net: host
|
|
user: swift
|
|
restart: always
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/swift_proxy.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/swift/:/var/lib/kolla/config_files/src:ro
|
|
- /run:/run
|
|
- /srv/node:/srv/node
|
|
- /dev:/dev
|
|
environment:
|
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
|
- if:
|
|
- internal_tls_enabled
|
|
- swift_proxy_tls_proxy:
|
|
image: *swift_proxy_image
|
|
net: host
|
|
user: root
|
|
restart: always
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/swift_proxy_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/swift/:/var/lib/kolla/config_files/src:ro
|
|
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
|
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
|
environment:
|
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
|
- {}
|
|
host_prep_tasks:
|
|
- name: create persistent directories
|
|
file:
|
|
path: "{{ item }}"
|
|
state: directory
|
|
with_items:
|
|
- /srv/node
|
|
- /var/log/swift
|
|
- name: Create swift logging symlink
|
|
file:
|
|
src: /var/log/swift
|
|
dest: /var/log/containers/swift
|
|
state: link
|
|
upgrade_tasks:
|
|
- when: step|int == 0
|
|
tags: common
|
|
block:
|
|
- name: Check if swift-proxy or swift-object-expirer are deployed
|
|
command: systemctl is-enabled --quiet "{{ item }}"
|
|
ignore_errors: True
|
|
register: swift_proxy_services_enabled_result
|
|
with_items:
|
|
- openstack-swift-proxy
|
|
- openstack-swift-object-expirer
|
|
- name: Set fact swift_proxy_services_enabled
|
|
set_fact:
|
|
swift_proxy_services_enabled: "{{ swift_proxy_services_enabled_result }}"
|
|
- name: "PreUpgrade step0,validation: Check service openstack-swift-proxy and openstack-swift-object-expirer are running"
|
|
command: systemctl is-active --quiet "{{ item.item }}"
|
|
when: item.rc == 0
|
|
tags: validation
|
|
with_items: "{{ swift_proxy_services_enabled.results }}"
|
|
- when: step|int == 2
|
|
block:
|
|
- name: Stop and disable swift-proxy and swift-object-expirer services
|
|
when: item.rc == 0
|
|
service: name={{ item.item }} state=stopped enabled=no
|
|
with_items: "{{ swift_proxy_services_enabled.results }}"
|
|
- name: Set fact for removal of openstack-swift-proxy package
|
|
set_fact:
|
|
remove_swift_proxy_package: {get_param: UpgradeRemoveUnusedPackages}
|
|
- name: Remove openstack-swift-proxy package if operator requests it
|
|
yum: name=openstack-swift-proxy state=removed
|
|
ignore_errors: True
|
|
when: remove_swift_proxy_package|bool
|
|
metadata_settings:
|
|
get_attr: [SwiftProxyBase, role_data, metadata_settings]
|
|
fast_forward_upgrade_tasks:
|
|
- name: Check if swift-proxy or swift-object-expirer are deployed
|
|
command: systemctl is-enabled --quiet "{{ item }}"
|
|
with_items:
|
|
- openstack-swift-proxy
|
|
- openstack-swift-object-expirer
|
|
ignore_errors: True
|
|
register: swift_proxy_services_enabled_result
|
|
when:
|
|
- step|int == 0
|
|
- release == 'ocata'
|
|
- name: Set fact swift_proxy_services_enabled
|
|
when:
|
|
- step|int == 0
|
|
- release == 'ocata'
|
|
set_fact:
|
|
swift_proxy_services_enabled: "{{ swift_proxy_services_enabled_result }}"
|
|
- name: Stop swift-proxy and swift-object-expirer services
|
|
service: name={{ item.item }} state=stopped enabled=no
|
|
with_items: "{{ swift_proxy_services_enabled.results }}"
|
|
when:
|
|
- step|int == 1
|
|
- release == 'ocata'
|
|
- item.rc == 0
|