tripleo-heat-templates/deployment/heat/heat-api-container-puppet.yaml
Takashi Kajinami d8604df61b Log source ips instead of controller ips in apache access log
Currently apache access logs have controller ips instead of source ips
recorded since apache simply records source ip of http traffic.

This change ensures that client ips are detected by the X-Forwarded-For
header added by haproxy.

Note that the forwarded format does not log client ip if the header is
missing. Because of this, direct http requests(eg. healthcheck requests
from haproxy) results in log lines without client ip.

Depends-on: https://review.opendev.org/837504
Change-Id: I470c4c26f6d9977ba68a5d6eb9cd2c35af9e4b9a
2022-05-07 02:15:20 +09:00

318 lines
11 KiB
YAML

heat_template_version: wallaby
description: >
OpenStack containerized Heat API service
parameters:
ContainerHeatApiImage:
description: image
type: string
tags:
- role_specific
# puppet needs the heat-wsgi-api binary from centos-binary-heat-api
ContainerHeatApiConfigImage:
description: The container image to use for the heat_api config_volume
type: string
tags:
- role_specific
HeatApiLoggingSource:
type: json
default:
tag: openstack.heat.api
file: /var/log/containers/heat/heat_api.log
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EnableInternalTLS:
type: boolean
default: false
HeatApiOptVolumes:
default: []
description: list of optional volumes to be mounted
type: comma_delimited_list
HeatApiOptEnvVars:
default: {}
description: hash of optional environment variables
type: json
HeatWorkers:
default: 0
description: Number of workers for Heat service.
type: number
HeatPassword:
description: The password for the Heat service and db account, used by the Heat services.
type: string
hidden: true
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
MonitoringSubscriptionHeatApi:
default: 'overcloud-heat-api'
type: string
HeatApiPolicies:
description: |
A hash of policies to configure for Heat API.
e.g. { heat-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
HeatStackDomainAdminPassword:
description: Password for heat_stack_domain_admin user.
type: string
hidden: true
conditions:
heat_workers_set:
not: {equals : [{get_param: HeatWorkers}, 0]}
resources:
ContainersCommon:
type: ../containers-common.yaml
ApacheServiceBase:
type: ../../deployment/apache/apache-baremetal-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
EnableInternalTLS: {get_param: EnableInternalTLS}
HeatBase:
type: ./heat-base-puppet.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
HeatApiLogging:
type: OS::TripleO::Services::Logging::HeatApi
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- ContainerHeatApiImage: ContainerHeatApiImage
ContainerHeatApiConfigImage: ContainerHeatApiConfigImage
- values: {get_param: [RoleParameters]}
- values:
ContainerHeatApiImage: {get_param: ContainerHeatApiImage}
ContainerHeatApiConfigImage: {get_param: ContainerHeatApiConfigImage}
outputs:
role_data:
description: Role data for the Heat API role.
value:
service_name: heat_api
firewall_rules:
'125 heat_api':
dport:
- 8004
firewall_frontend_rules:
'100 heat_api_haproxy_frontend':
dport:
- 8004
firewall_ssl_frontend_rules:
'100 heat_api_haproxy_frontend_ssl':
dport:
- 13004
keystone_resources:
heat:
endpoints:
public: {get_param: [EndpointMap, HeatPublic, uri]}
internal: {get_param: [EndpointMap, HeatInternal, uri]}
admin: {get_param: [EndpointMap, HeatAdmin, uri]}
users:
heat:
password: {get_param: HeatPassword}
roles:
- admin
- service
heat_stack_domain_admin:
password: {get_param: HeatStackDomainAdminPassword}
roles:
- admin
domain: heat_stack
region: {get_param: KeystoneRegion}
service: 'orchestration'
roles:
- heat_stack_user
domains:
- heat_stack
monitoring_subscription: {get_param: MonitoringSubscriptionHeatApi}
config_settings:
map_merge:
- get_attr: [HeatBase, role_data, config_settings]
- get_attr: [HeatApiLogging, config_settings]
- get_attr: [ApacheServiceBase, role_data, config_settings]
- apache::default_vhost: false
heat::api::bind_host:
str_replace:
template:
"%{lookup('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, HeatApiNetwork]}
heat::wsgi::apache_api::access_log_format: 'forwarded'
heat::wsgi::apache_api::ssl: {get_param: EnableInternalTLS}
heat::wsgi::apache_api::vhost_custom_fragment: 'Timeout 600'
heat::policy::policies: {get_param: HeatApiPolicies}
heat::api::service_name: 'httpd'
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
heat::wsgi::apache_api::bind_host:
str_replace:
template:
"%{lookup('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, HeatApiNetwork]}
heat::wsgi::apache_api::servername:
str_replace:
template:
"%{lookup('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, HeatApiNetwork]}
- if:
- heat_workers_set
- heat::wsgi::apache_api::workers: {get_param: HeatWorkers}
service_config_settings:
rsyslog:
tripleo_logging_sources_heat_api:
- {get_param: HeatApiLoggingSource}
horizon:
horizon::dashboards::heat::policies: {get_param: HeatApiPolicies}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: heat_api
puppet_tags: heat_config,file,concat,file_line,heat_api_paste_ini
step_config: |
include tripleo::profile::base::heat::api
config_image: {get_attr: [RoleParametersValue, value, ContainerHeatApiConfigImage]}
kolla_config:
/var/lib/kolla/config_files/heat_api.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files:
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
dest: "/etc/httpd/conf.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
dest: "/etc/httpd/conf.modules.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/heat
owner: heat:heat
recurse: true
/var/lib/kolla/config_files/heat_api_cron.json:
command: /usr/sbin/crond -n
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/heat
owner: heat:heat
recurse: true
docker_config:
step_2:
get_attr: [HeatApiLogging, docker_config, step_2]
step_4:
heat_api:
image: {get_attr: [RoleParametersValue, value, ContainerHeatApiImage]}
net: host
privileged: false
restart: always
# NOTE(mandre) kolla image changes the user to 'heat', we need it
# to be root to run httpd
user: root
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [HeatApiLogging, volumes]}
- {get_param: HeatApiOptVolumes}
- - /var/lib/kolla/config_files/heat_api.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/heat_api:/var/lib/kolla/config_files/src:ro
- if:
- {get_param: EnableInternalTLS}
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
environment:
map_merge:
- {get_param: HeatApiOptEnvVars}
- KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
heat_api_cron:
image: {get_attr: [RoleParametersValue, value, ContainerHeatApiImage]}
net: host
user: root
privileged: false
restart: always
healthcheck:
test: '/usr/share/openstack-tripleo-common/healthcheck/cron heat'
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [HeatApiLogging, volumes]}
-
- /var/lib/kolla/config_files/heat_api_cron.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/heat_api:/var/lib/kolla/config_files/src:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
host_prep_tasks: {get_attr: [HeatApiLogging, host_prep_tasks]}
upgrade_tasks: []
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]
deploy_steps_tasks:
get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
external_upgrade_tasks:
- when:
- step|int == 1
tags:
- never
- system_upgrade_transfer_data
- system_upgrade_stop_services
block:
- name: Stop heat api container
import_role:
name: tripleo_container_stop
vars:
tripleo_containers_to_stop:
- heat_api
- heat_api_cron
tripleo_delegate_to: "{{ groups['heat_api'] | default([]) }}"