d8604df61b
Currently apache access logs have controller ips instead of source ips recorded since apache simply records source ip of http traffic. This change ensures that client ips are detected by the X-Forwarded-For header added by haproxy. Note that the forwarded format does not log client ip if the header is missing. Because of this, direct http requests(eg. healthcheck requests from haproxy) results in log lines without client ip. Depends-on: https://review.opendev.org/837504 Change-Id: I470c4c26f6d9977ba68a5d6eb9cd2c35af9e4b9a
318 lines
11 KiB
YAML
318 lines
11 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
OpenStack containerized Heat API service
|
|
|
|
parameters:
|
|
ContainerHeatApiImage:
|
|
description: image
|
|
type: string
|
|
tags:
|
|
- role_specific
|
|
# puppet needs the heat-wsgi-api binary from centos-binary-heat-api
|
|
ContainerHeatApiConfigImage:
|
|
description: The container image to use for the heat_api config_volume
|
|
type: string
|
|
tags:
|
|
- role_specific
|
|
HeatApiLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.heat.api
|
|
file: /var/log/containers/heat/heat_api.log
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
HeatApiOptVolumes:
|
|
default: []
|
|
description: list of optional volumes to be mounted
|
|
type: comma_delimited_list
|
|
HeatApiOptEnvVars:
|
|
default: {}
|
|
description: hash of optional environment variables
|
|
type: json
|
|
HeatWorkers:
|
|
default: 0
|
|
description: Number of workers for Heat service.
|
|
type: number
|
|
HeatPassword:
|
|
description: The password for the Heat service and db account, used by the Heat services.
|
|
type: string
|
|
hidden: true
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
MonitoringSubscriptionHeatApi:
|
|
default: 'overcloud-heat-api'
|
|
type: string
|
|
HeatApiPolicies:
|
|
description: |
|
|
A hash of policies to configure for Heat API.
|
|
e.g. { heat-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
|
|
default: {}
|
|
type: json
|
|
HeatStackDomainAdminPassword:
|
|
description: Password for heat_stack_domain_admin user.
|
|
type: string
|
|
hidden: true
|
|
|
|
conditions:
|
|
heat_workers_set:
|
|
not: {equals : [{get_param: HeatWorkers}, 0]}
|
|
|
|
resources:
|
|
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
ApacheServiceBase:
|
|
type: ../../deployment/apache/apache-baremetal-puppet.yaml
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
EnableInternalTLS: {get_param: EnableInternalTLS}
|
|
|
|
HeatBase:
|
|
type: ./heat-base-puppet.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
HeatApiLogging:
|
|
type: OS::TripleO::Services::Logging::HeatApi
|
|
|
|
RoleParametersValue:
|
|
type: OS::Heat::Value
|
|
properties:
|
|
type: json
|
|
value:
|
|
map_replace:
|
|
- map_replace:
|
|
- ContainerHeatApiImage: ContainerHeatApiImage
|
|
ContainerHeatApiConfigImage: ContainerHeatApiConfigImage
|
|
- values: {get_param: [RoleParameters]}
|
|
- values:
|
|
ContainerHeatApiImage: {get_param: ContainerHeatApiImage}
|
|
ContainerHeatApiConfigImage: {get_param: ContainerHeatApiConfigImage}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Heat API role.
|
|
value:
|
|
service_name: heat_api
|
|
firewall_rules:
|
|
'125 heat_api':
|
|
dport:
|
|
- 8004
|
|
firewall_frontend_rules:
|
|
'100 heat_api_haproxy_frontend':
|
|
dport:
|
|
- 8004
|
|
firewall_ssl_frontend_rules:
|
|
'100 heat_api_haproxy_frontend_ssl':
|
|
dport:
|
|
- 13004
|
|
keystone_resources:
|
|
heat:
|
|
endpoints:
|
|
public: {get_param: [EndpointMap, HeatPublic, uri]}
|
|
internal: {get_param: [EndpointMap, HeatInternal, uri]}
|
|
admin: {get_param: [EndpointMap, HeatAdmin, uri]}
|
|
users:
|
|
heat:
|
|
password: {get_param: HeatPassword}
|
|
roles:
|
|
- admin
|
|
- service
|
|
heat_stack_domain_admin:
|
|
password: {get_param: HeatStackDomainAdminPassword}
|
|
roles:
|
|
- admin
|
|
domain: heat_stack
|
|
region: {get_param: KeystoneRegion}
|
|
service: 'orchestration'
|
|
roles:
|
|
- heat_stack_user
|
|
domains:
|
|
- heat_stack
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionHeatApi}
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [HeatBase, role_data, config_settings]
|
|
- get_attr: [HeatApiLogging, config_settings]
|
|
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
|
- apache::default_vhost: false
|
|
heat::api::bind_host:
|
|
str_replace:
|
|
template:
|
|
"%{lookup('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, HeatApiNetwork]}
|
|
heat::wsgi::apache_api::access_log_format: 'forwarded'
|
|
heat::wsgi::apache_api::ssl: {get_param: EnableInternalTLS}
|
|
heat::wsgi::apache_api::vhost_custom_fragment: 'Timeout 600'
|
|
heat::policy::policies: {get_param: HeatApiPolicies}
|
|
heat::api::service_name: 'httpd'
|
|
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
|
# for the given network; replacement examples (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
heat::wsgi::apache_api::bind_host:
|
|
str_replace:
|
|
template:
|
|
"%{lookup('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, HeatApiNetwork]}
|
|
heat::wsgi::apache_api::servername:
|
|
str_replace:
|
|
template:
|
|
"%{lookup('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, HeatApiNetwork]}
|
|
- if:
|
|
- heat_workers_set
|
|
- heat::wsgi::apache_api::workers: {get_param: HeatWorkers}
|
|
service_config_settings:
|
|
rsyslog:
|
|
tripleo_logging_sources_heat_api:
|
|
- {get_param: HeatApiLoggingSource}
|
|
horizon:
|
|
horizon::dashboards::heat::policies: {get_param: HeatApiPolicies}
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: heat_api
|
|
puppet_tags: heat_config,file,concat,file_line,heat_api_paste_ini
|
|
step_config: |
|
|
include tripleo::profile::base::heat::api
|
|
config_image: {get_attr: [RoleParametersValue, value, ContainerHeatApiConfigImage]}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/heat_api.json:
|
|
command: /usr/sbin/httpd -DFOREGROUND
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
|
|
dest: "/etc/httpd/conf.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
|
|
dest: "/etc/httpd/conf.modules.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions:
|
|
- path: /var/log/heat
|
|
owner: heat:heat
|
|
recurse: true
|
|
/var/lib/kolla/config_files/heat_api_cron.json:
|
|
command: /usr/sbin/crond -n
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions:
|
|
- path: /var/log/heat
|
|
owner: heat:heat
|
|
recurse: true
|
|
docker_config:
|
|
step_2:
|
|
get_attr: [HeatApiLogging, docker_config, step_2]
|
|
step_4:
|
|
heat_api:
|
|
image: {get_attr: [RoleParametersValue, value, ContainerHeatApiImage]}
|
|
net: host
|
|
privileged: false
|
|
restart: always
|
|
# NOTE(mandre) kolla image changes the user to 'heat', we need it
|
|
# to be root to run httpd
|
|
user: root
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [HeatApiLogging, volumes]}
|
|
- {get_param: HeatApiOptVolumes}
|
|
- - /var/lib/kolla/config_files/heat_api.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/heat_api:/var/lib/kolla/config_files/src:ro
|
|
- if:
|
|
- {get_param: EnableInternalTLS}
|
|
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
|
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
|
environment:
|
|
map_merge:
|
|
- {get_param: HeatApiOptEnvVars}
|
|
- KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
heat_api_cron:
|
|
image: {get_attr: [RoleParametersValue, value, ContainerHeatApiImage]}
|
|
net: host
|
|
user: root
|
|
privileged: false
|
|
restart: always
|
|
healthcheck:
|
|
test: '/usr/share/openstack-tripleo-common/healthcheck/cron heat'
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [HeatApiLogging, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/heat_api_cron.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/heat_api:/var/lib/kolla/config_files/src:ro
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
host_prep_tasks: {get_attr: [HeatApiLogging, host_prep_tasks]}
|
|
upgrade_tasks: []
|
|
metadata_settings:
|
|
get_attr: [ApacheServiceBase, role_data, metadata_settings]
|
|
deploy_steps_tasks:
|
|
get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
|
|
external_upgrade_tasks:
|
|
- when:
|
|
- step|int == 1
|
|
tags:
|
|
- never
|
|
- system_upgrade_transfer_data
|
|
- system_upgrade_stop_services
|
|
block:
|
|
- name: Stop heat api container
|
|
import_role:
|
|
name: tripleo_container_stop
|
|
vars:
|
|
tripleo_containers_to_stop:
|
|
- heat_api
|
|
- heat_api_cron
|
|
tripleo_delegate_to: "{{ groups['heat_api'] | default([]) }}"
|