f3ac958f47
This patch enables TLS connections to memcached in services which support it. Specifically the settings are consumed by swift's internal memcached client through puppet-swift; or oslo.cache, through puppet-ceilometer, puppet-keystone, puppet-nova, puppet-heat and puppet-oslo. NOTE(moguimar): Squashing fixes proposed by Rabi Mirsha in order to optimize conditions. Squashes: - Optimize conditions for TLS support (cherry picked from commitcc5eb81771) Depends-on: https://review.opendev.org/773908 Depends-on: https://review.opendev.org/774121 Depends-on: https://review.opendev.org/775618 Depends-on: https://review.opendev.org/779924 Depends-on: https://review.opendev.org/775647 Change-Id: Ic77ed56c32c7071ce126a1528030094b97894653 (cherry picked from commit1ceb521805)
371 lines
14 KiB
YAML
371 lines
14 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
OpenStack Nova base service. Shared for all Nova services.
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
NotificationDriver:
|
|
type: string
|
|
default: 'noop'
|
|
description: Driver or drivers to handle sending notifications.
|
|
NovaPassword:
|
|
description: The password for the nova service and db account
|
|
type: string
|
|
hidden: true
|
|
NeutronPassword:
|
|
description: The password for the neutron service and db account, used by neutron agents.
|
|
type: string
|
|
hidden: true
|
|
PlacementPassword:
|
|
description: The password for the Placement service and db account
|
|
type: string
|
|
hidden: true
|
|
PlacementAPIInterface:
|
|
type: string
|
|
description: >
|
|
Endpoint interface to be used for the placement API.
|
|
default: 'internal'
|
|
ExtractedPlacementEnabled:
|
|
type: boolean
|
|
description: Set to True when deploying the extracted Placement service.
|
|
default: False
|
|
NovaOVSBridge:
|
|
default: 'br-int'
|
|
description: Name of integration bridge used by Open vSwitch
|
|
type: string
|
|
Debug:
|
|
type: boolean
|
|
default: false
|
|
description: Set to True to enable debugging on all services.
|
|
NovaDebug:
|
|
default: ''
|
|
description: Set to True to enable debugging Nova services.
|
|
type: string
|
|
constraints:
|
|
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
|
|
EnableCache:
|
|
description: Enable caching with memcached
|
|
type: boolean
|
|
default: true
|
|
EnableSQLAlchemyCollectd:
|
|
type: boolean
|
|
description: >
|
|
Set to true to enable the SQLAlchemy-collectd server plugin
|
|
default: false
|
|
EnableConfigPurge:
|
|
type: boolean
|
|
default: false
|
|
description: >
|
|
Remove configuration that is not generated by TripleO. Used to avoid
|
|
configuration remnants after upgrades.
|
|
UpgradeLevelNovaCompute:
|
|
type: string
|
|
description: Nova Compute upgrade level
|
|
default: ''
|
|
NovaCronArchiveDeleteRowsMinute:
|
|
type: string
|
|
description: >
|
|
Cron to move deleted instances to another table - Minute
|
|
default: '1'
|
|
NovaCronArchiveDeleteRowsHour:
|
|
type: string
|
|
description: >
|
|
Cron to move deleted instances to another table - Hour
|
|
default: '0'
|
|
NovaCronArchiveDeleteRowsMonthday:
|
|
type: string
|
|
description: >
|
|
Cron to move deleted instances to another table - Month Day
|
|
default: '*'
|
|
NovaCronArchiveDeleteRowsMonth:
|
|
type: string
|
|
description: >
|
|
Cron to move deleted instances to another table - Month
|
|
default: '*'
|
|
NovaCronArchiveDeleteRowsWeekday:
|
|
type: string
|
|
description: >
|
|
Cron to move deleted instances to another table - Week Day
|
|
default: '*'
|
|
NovaCronArchiveDeleteRowsMaxRows:
|
|
type: string
|
|
description: >
|
|
Cron to move deleted instances to another table - Max Rows
|
|
default: '1000'
|
|
NovaCronArchiveDeleteRowsUser:
|
|
type: string
|
|
description: >
|
|
Cron to move deleted instances to another table - User
|
|
default: 'nova'
|
|
NovaCronArchiveDeleteRowsDestination:
|
|
type: string
|
|
description: >
|
|
Cron to move deleted instances to another table - Log destination
|
|
default: '/var/log/nova/nova-rowsflush.log'
|
|
NovaCronArchiveDeleteRowsMaxDelay:
|
|
type: string
|
|
description: >
|
|
Cron to move deleted instances to another table - Max Delay
|
|
default: '3600'
|
|
NovaCronArchiveDeleteRowsUntilComplete:
|
|
type: boolean
|
|
description: >
|
|
Cron to move deleted instances to another table - Until complete
|
|
default: true
|
|
NovaCronArchiveDeleteRowsPurge:
|
|
type: boolean
|
|
description: >
|
|
Purge shadow tables immediately after scheduled archiving
|
|
default: false
|
|
NovaCronArchiveDeleteAllCells:
|
|
type: boolean
|
|
description: >
|
|
Archive deleted instances from all cells
|
|
default: true
|
|
NovaCronArchiveDeleteRowsAge:
|
|
type: number
|
|
description: >
|
|
Cron to archive deleted instances - Age
|
|
This will define the retention policy when
|
|
archiving the deleted instances entries in days.
|
|
0 means, purge data older than today in
|
|
shadow tables.
|
|
default: 90
|
|
NovaCronPurgeShadowTablesMinute:
|
|
type: string
|
|
description: >
|
|
Cron to purge shadow tables - Minute
|
|
default: '0'
|
|
NovaCronPurgeShadowTablesHour:
|
|
type: string
|
|
description: >
|
|
Cron to purge shadow tables - Hour
|
|
default: '5'
|
|
NovaCronPurgeShadowTablesMonthday:
|
|
type: string
|
|
description: >
|
|
Cron to purge shadow tables - Month Day
|
|
default: '*'
|
|
NovaCronPurgeShadowTablesMonth:
|
|
type: string
|
|
description: >
|
|
Cron to purge shadow tables - Month
|
|
default: '*'
|
|
NovaCronPurgeShadowTablesWeekday:
|
|
type: string
|
|
description: >
|
|
Cron to purge shadow tables - Week Day
|
|
default: '*'
|
|
NovaCronPurgeShadowTablesUser:
|
|
type: string
|
|
description: >
|
|
Cron to purge shadow tables - User
|
|
default: 'nova'
|
|
NovaCronPurgeShadowTablesDestination:
|
|
type: string
|
|
description: >
|
|
Cron to purge shadow tables - Log destination
|
|
default: '/var/log/nova/nova-rowspurge.log'
|
|
NovaCronPurgeShadowTablesMaxDelay:
|
|
type: string
|
|
description: >
|
|
Cron to purge shadow tables - Max Delay
|
|
default: '3600'
|
|
NovaCronPurgeShadowTablesAge:
|
|
type: number
|
|
description: >
|
|
Cron to purge shadow tables - Age
|
|
This will define the retention policy when
|
|
purging the shadow tables in days.
|
|
0 means, purge data older than today in
|
|
shadow tables.
|
|
default: 14
|
|
NovaCronPurgeShadowTablesVerbose:
|
|
type: boolean
|
|
description: >
|
|
Cron to purge shadow tables - Verbose
|
|
default: false
|
|
NovaCronPurgeShadowTablesAllCells:
|
|
type: boolean
|
|
description: >
|
|
Cron to purge shadow tables - All cells
|
|
default: true
|
|
NovaOVSDBConnection:
|
|
type: string
|
|
description: OVS DB connection string to used by Nova
|
|
default: ''
|
|
tags:
|
|
- role_specific
|
|
NovaSyncPowerStateInterval:
|
|
type: number
|
|
description:
|
|
Interval to sync power states between the database and the hypervisor. Set
|
|
to -1 to disable. Setting this to 0 will run at the default rate.
|
|
default: 0
|
|
RpcUseSSL:
|
|
default: false
|
|
description: >
|
|
Messaging client subscriber parameter to specify
|
|
an SSL connection to the messaging host.
|
|
type: string
|
|
NovaAdditionalCell:
|
|
default: false
|
|
description: Whether this is an cell additional to the default cell.
|
|
type: boolean
|
|
NovaCrossAZAttach:
|
|
default: true
|
|
description:
|
|
Whether instances can attach cinder volumes from a different availability zone.
|
|
type: boolean
|
|
MemcachedTLS:
|
|
default: false
|
|
description: Set to True to enable TLS on Memcached service.
|
|
Because not all services support Memcached TLS, during the
|
|
migration period, Memcached will listen on 2 ports - on the
|
|
port set with MemcachedPort parameter (above) and on 11211,
|
|
without TLS.
|
|
type: boolean
|
|
|
|
conditions:
|
|
|
|
compute_upgrade_level_empty: {equals : [{get_param: UpgradeLevelNovaCompute}, '']}
|
|
service_debug_unset: {equals : [{get_param: NovaDebug}, '']}
|
|
tls_cache_enabled:
|
|
and:
|
|
- {get_param: EnableCache}
|
|
- {get_param: MemcachedTLS}
|
|
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
|
|
|
|
resources:
|
|
|
|
RoleParametersValue:
|
|
type: OS::Heat::Value
|
|
properties:
|
|
type: json
|
|
value:
|
|
map_replace:
|
|
- map_replace:
|
|
- nova::ovsdb_connection: NovaOVSDBConnection
|
|
- values: {get_param: [RoleParameters]}
|
|
- values:
|
|
NovaOVSDBConnection: {get_param: NovaOVSDBConnection}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Nova base service.
|
|
value:
|
|
service_name: nova_base
|
|
config_settings:
|
|
map_merge:
|
|
- nova::my_ip:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
|
nova::rabbit_use_ssl: {get_param: RpcUseSSL}
|
|
nova::keystone::service_user::send_service_user_token: true
|
|
nova::keystone::service_user::project_name: 'service'
|
|
nova::keystone::service_user::password: {get_param: NovaPassword}
|
|
nova::keystone::service_user::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
nova::keystone::service_user::region_name: {get_param: KeystoneRegion}
|
|
nova::placement::project_name: 'service'
|
|
nova::placement::password: {get_param: PlacementPassword}
|
|
nova::placement::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
nova::placement::region_name: {get_param: KeystoneRegion}
|
|
nova::placement::valid_interfaces: {get_param: PlacementAPIInterface}
|
|
nova::os_region_name: {get_param: KeystoneRegion}
|
|
nova::logging::debug:
|
|
if:
|
|
- service_debug_unset
|
|
- {get_param: Debug }
|
|
- {get_param: NovaDebug }
|
|
nova::purge_config: {get_param: EnableConfigPurge}
|
|
nova::network::neutron::project_name: 'service'
|
|
nova::network::neutron::username: 'neutron'
|
|
nova::network::neutron::region_name: {get_param: KeystoneRegion}
|
|
nova::dhcp_domain: ''
|
|
nova::network::neutron::password: {get_param: NeutronPassword}
|
|
nova::network::neutron::auth_url: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
|
|
nova::rabbit_heartbeat_timeout_threshold: 60
|
|
nova::cinder_catalog_info: 'volumev3:cinderv3:internalURL'
|
|
nova::host: "%{hiera('fqdn_canonical')}"
|
|
nova::notify_on_state_change: 'vm_and_task_state'
|
|
nova::notification_driver: {get_param: NotificationDriver}
|
|
nova::notification_format: 'unversioned'
|
|
nova::network::neutron::auth_type: 'v3password'
|
|
nova::db::database_db_max_retries: -1
|
|
nova::db::database_max_retries: -1
|
|
nova::network::neutron::ovs_bridge: {get_param: NovaOVSBridge}
|
|
nova::cron::archive_deleted_rows::minute: {get_param: NovaCronArchiveDeleteRowsMinute}
|
|
nova::cron::archive_deleted_rows::hour: {get_param: NovaCronArchiveDeleteRowsHour}
|
|
nova::cron::archive_deleted_rows::monthday: {get_param: NovaCronArchiveDeleteRowsMonthday}
|
|
nova::cron::archive_deleted_rows::month: {get_param: NovaCronArchiveDeleteRowsMonth}
|
|
nova::cron::archive_deleted_rows::weekday: {get_param: NovaCronArchiveDeleteRowsWeekday}
|
|
nova::cron::archive_deleted_rows::max_rows: {get_param: NovaCronArchiveDeleteRowsMaxRows}
|
|
nova::cron::archive_deleted_rows::user: {get_param: NovaCronArchiveDeleteRowsUser}
|
|
nova::cron::archive_deleted_rows::destination: {get_param: NovaCronArchiveDeleteRowsDestination}
|
|
nova::cron::archive_deleted_rows::maxdelay: {get_param: NovaCronArchiveDeleteRowsMaxDelay}
|
|
nova::cron::archive_deleted_rows::until_complete: {get_param: NovaCronArchiveDeleteRowsUntilComplete}
|
|
nova::cron::archive_deleted_rows::purge: {get_param: NovaCronArchiveDeleteRowsPurge}
|
|
nova::cron::archive_deleted_rows::all_cells: {get_param: NovaCronArchiveDeleteAllCells}
|
|
nova::cron::archive_deleted_rows::age: {get_param: NovaCronArchiveDeleteRowsAge}
|
|
nova::cron::purge_shadow_tables::minute: {get_param: NovaCronPurgeShadowTablesMinute}
|
|
nova::cron::purge_shadow_tables::hour: {get_param: NovaCronPurgeShadowTablesHour}
|
|
nova::cron::purge_shadow_tables::monthday: {get_param: NovaCronPurgeShadowTablesMonthday}
|
|
nova::cron::purge_shadow_tables::month: {get_param: NovaCronPurgeShadowTablesMonth}
|
|
nova::cron::purge_shadow_tables::weekday: {get_param: NovaCronPurgeShadowTablesWeekday}
|
|
nova::cron::purge_shadow_tables::user: {get_param: NovaCronPurgeShadowTablesUser}
|
|
nova::cron::purge_shadow_tables::destination: {get_param: NovaCronPurgeShadowTablesDestination}
|
|
nova::cron::purge_shadow_tables::maxdelay: {get_param: NovaCronPurgeShadowTablesMaxDelay}
|
|
nova::cron::purge_shadow_tables::age: {get_param: NovaCronPurgeShadowTablesAge}
|
|
nova::cron::purge_shadow_tables::verbose: {get_param: NovaCronPurgeShadowTablesVerbose}
|
|
nova::cron::purge_shadow_tables::all_cells: {get_param: NovaCronPurgeShadowTablesAllCells}
|
|
nova::compute::sync_power_state_interval: {get_param: NovaSyncPowerStateInterval}
|
|
nova_is_additional_cell: {get_param: NovaAdditionalCell}
|
|
nova::cross_az_attach: {get_param: NovaCrossAZAttach}
|
|
- get_attr: [RoleParametersValue, value]
|
|
- nova::cache::enabled: {get_param: EnableCache}
|
|
nova::cache::tls_enabled: {get_param: MemcachedTLS}
|
|
if:
|
|
- tls_cache_enabled
|
|
- nova::cache::backend: 'dogpile.cache.pymemcache'
|
|
- nova::cache::backend: 'dogpile.cache.memcached'
|
|
- if:
|
|
- compute_upgrade_level_empty
|
|
- {}
|
|
- nova::upgrade_level_compute: {get_param: UpgradeLevelNovaCompute}
|
|
service_config_settings:
|
|
rabbitmq:
|
|
nova::rabbit_use_ssl: {get_param: RpcUseSSL}
|