openstack
/
tripleo-heat-templates
Code Issues Proposed changes
tripleo-heat-templates/deployment/neutron/neutron-api-container-puppe...

670 lines
28 KiB
YAML
Raw Blame History

heat_template_version: wallaby
description: >
OpenStack containerized Neutron API service
parameters:
ContainerNeutronApiImage:
description: image
type: string
tags:
- role_specific
ContainerNeutronConfigImage:
description: The container image to use for the neutron config_volume
type: string
tags:
- role_specific
NeutronApiLoggingSource:
type: json
default:
tag: openstack.neutron.api
file: /var/log/containers/neutron/server.log
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
DeployIdentifier:
default: ''
type: string
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
EnableInternalTLS:
type: boolean
default: false
NeutronApiOptVolumes:
default: []
description: list of optional volumes to be mounted
type: comma_delimited_list
NeutronApiOptEnvVars:
default: {}
description: hash of optional environment variables
type: json
NeutronWorkers:
default: ''
description: |
Sets the number of API workers for the Neutron service.
The default value results in the configuration being left unset
and a system-dependent default will be chosen (usually the number
of processors). Please note that this can result in a large number
of processes and memory consumption on systems with a large core
count. On such systems it is recommended that a non-default value
be selected that matches the load requirements.
type: string
NeutronRpcWorkers:
default: ''
description: |
Sets the number of RPC workers for the Neutron service.
If not specified, it'll take the value of NeutronWorkers and if this is
not specified either, the default value results in the configuration
being left unset and a system-dependent default will be chosen
(usually 1).
type: string
NeutronPassword:
description: The password for the neutron service and db account, used by neutron agents.
type: string
hidden: true
NeutronAllowL3AgentFailover:
default: 'True'
description: Allow automatic l3-agent failover
type: string
NovaPassword:
description: The password for the nova service and db account
type: string
hidden: true
PlacementPassword:
description: The password for the Placement service and db account
type: string
hidden: true
NeutronEnableIgmpSnooping:
description: Enable IGMP Snooping.
type: boolean
default: false
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
MonitoringSubscriptionNeutronServer:
default: 'overcloud-neutron-server'
type: string
EnableSQLAlchemyCollectd:
type: boolean
description: >
Set to true to enable the SQLAlchemy-collectd server plugin
default: false
NeutronApiPolicies:
description: |
A hash of policies to configure for Neutron API.
e.g. { neutron-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
NeutronOvsIntegrationBridge:
default: ''
type: string
description: Name of Open vSwitch bridge to use
NeutronPortQuota:
default: '500'
type: string
description: Number of ports allowed per tenant, and minus means unlimited.
NeutronSecurityGroupQuota:
default: '10'
type: string
description: Number of security groups allowed per tenant, and minus means unlimited
# TODO(bogdando): Right now OVN doesn't support AZ aware routing scheduling.
# Later in Train cycle OVN ml2 driver will be extended to support it.
# Until then, we have to determine if NeutronMechanismDrivers is OVN or OVS.
NeutronMechanismDrivers:
default: 'ovn'
description: |
The mechanism drivers for the Neutron tenant network.
type: comma_delimited_list
NeutronDefaultAvailabilityZones:
description: Comma-separated list of default network availability zones to
be used by Neutron if its resource is created without
availability zone hints. If not set, no AZs will be configured
for Neutron network services.
default: []
type: comma_delimited_list
NeutronNetworkSchedulerDriver:
description: The network schedule driver to use for availability zones.
default: neutron.scheduler.dhcp_agent_scheduler.AZAwareWeightScheduler
type: string
NeutronRouterSchedulerDriver:
description: The router schedule driver to use for availability zones.
default: neutron.scheduler.l3_agent_scheduler.AZLeastRoutersScheduler
type: string
NeutronDhcpLoadType:
description: Additional to the availability zones aware network scheduler.
default: networks
type: string
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
NeutronCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
MemcacheUseAdvancedPool:
type: boolean
description: |
Use the advanced (eventlet safe) memcached client pool.
default: true
# DEPRECATED: the following options are deprecated and are currently maintained
# for backwards compatibility. They will be removed in the Ocata cycle.
NeutronL3HA:
default: ''
type: string
description: |
Whether to enable HA for virtual routers. When not set, L3 HA will be
automatically enabled if the number of nodes hosting controller
configurations and DVR is disabled. Valid values are 'true' or 'false'
This parameter is being deprecated in Newton and is scheduled to be
removed in Ocata. Future releases will enable L3 HA by default if it is
appropriate for the deployment type. Alternate mechanisms will be
available to override.
NeutronAuthStrategy:
type: string
description: Auth strategy to use with neutron.
default: 'keystone'
constraints:
- allowed_values: ['keystone', 'noauth', 'http_basic']
AdminPassword: #supplied by tripleo-undercloud-passwords.yaml
type: string
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
hidden: True
NeutronAgentDownTime:
default: 600
type: number
description: |
Seconds to regard the agent as down; should be at least twice
NeutronGlobalReportInterval, to be sure the agent is down for good.
IronicPassword:
description: The password for the Ironic service and db account, used by the Ironic services
type: string
hidden: true
EnforceSecureRbac:
type: boolean
default: false
description: >-
Setting this option to True will configure each OpenStack service to
enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
`[oslo_policy] enforce_scope` to True. This introduces a consistent set
of RBAC personas across OpenStack services that include support for
system and project scope, as well as keystone's default roles, admin,
member, and reader. Do not enable this functionality until all services in
your deployment actually support secure RBAC.
parameter_groups:
- label: deprecated
description: |
The following parameters are deprecated and will be removed. They should not
be relied on for new deployments. If you have concerns regarding deprecated
parameters, please contact the TripleO development team on IRC or the
OpenStack mailing list.
parameters:
- NeutronL3HA
conditions:
neutron_workers_set:
not: {equals : [{get_param: NeutronWorkers}, '']}
neutron_rpc_workers_set:
not: {equals : [{get_param: NeutronRpcWorkers}, '']}
neutron_ovs_int_br_set:
not: {equals : [{get_param: NeutronOvsIntegrationBridge}, '']}
az_set:
not: {equals: [{get_param: NeutronDefaultAvailabilityZones}, []]}
ovn_and_tls:
and:
- contains: ['ovn', {get_param: NeutronMechanismDrivers}]
- {get_param: EnableInternalTLS}
key_size_override_set:
not: {equals: [{get_param: NeutronCertificateKeySize}, '']}
auth_strategy_http_basic:
equals: [{get_param: NeutronAuthStrategy}, 'http_basic']
resources:
TLSProxyBase:
type: OS::TripleO::Services::TLSProxyBase
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
EnableInternalTLS: {get_param: EnableInternalTLS}
ContainersCommon:
type: ../containers-common.yaml
MySQLClient:
type: ../database/mysql-client.yaml
NeutronBase:
type: ./neutron-base.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
NeutronLogging:
type: OS::TripleO::Services::Logging::NeutronApi
properties:
NeutronServiceName: server
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- ContainerNeutronApiImage: ContainerNeutronApiImage
ContainerNeutronConfigImage: ContainerNeutronConfigImage
- values: {get_param: [RoleParameters]}
- values:
ContainerNeutronApiImage: {get_param: ContainerNeutronApiImage}
ContainerNeutronConfigImage: {get_param: ContainerNeutronConfigImage}
outputs:
role_data:
description: Role data for the Neutron API role.
value:
service_name: neutron_api
firewall_rules:
'114 neutron api':
dport:
- 9696
firewall_frontend_rules:
'100 neutron_haproxy_frontend':
dport:
- 9696
firewall_ssl_frontend_rules:
'100 neutron_haproxy_frontend_ssl':
dport:
- 13696
keystone_resources:
neutron:
endpoints:
public: {get_param: [EndpointMap, NeutronPublic, uri]}
internal: {get_param: [EndpointMap, NeutronInternal, uri]}
admin: {get_param: [EndpointMap, NeutronAdmin, uri]}
users:
neutron:
password: {get_param: NeutronPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'network'
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronServer}
config_settings:
map_merge:
- get_attr: [NeutronBase, role_data, config_settings]
- get_attr: [TLSProxyBase, role_data, config_settings]
- get_attr: [NeutronLogging, config_settings]
- neutron::db::database_connection:
make_url:
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
username: neutron
password: {get_param: NeutronPassword}
host: {get_param: [EndpointMap, MysqlInternal, host]}
path: /ovs_neutron
query:
if:
- {get_param: EnableSQLAlchemyCollectd}
- read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
plugin: collectd
collectd_program_name: ovs_neutron
collectd_host: localhost
- read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
neutron::policy::policies: {get_param: NeutronApiPolicies}
- if:
- {get_param: EnforceSecureRbac}
- neutron::policy::enforce_scope: true
neutron::policy::enforce_new_defaults: true
neutron::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
neutron::server::agent_down_time: {get_param: NeutronAgentDownTime}
neutron::server::auth_strategy: {get_param: NeutronAuthStrategy}
neutron::server::allow_automatic_l3agent_failover: {get_param: NeutronAllowL3AgentFailover}
neutron::server::enable_proxy_headers_parsing: true
neutron::server::igmp_snooping_enable: {get_param: NeutronEnableIgmpSnooping}
neutron::keystone::authtoken::password: {get_param: NeutronPassword}
neutron::server::notifications::nova::auth_url: { get_param: [ EndpointMap, KeystoneInternal, uri_no_suffix ] }
neutron::server::notifications::nova::project_name: 'service'
neutron::server::notifications::nova::user_domain_name: 'Default'
neutron::server::notifications::nova::project_domain_name: 'Default'
neutron::server::notifications::nova::region_name: {get_param: KeystoneRegion}
neutron::server::notifications::nova::password: {get_param: NovaPassword}
neutron::server::notifications::nova::endpoint_type: 'internal'
neutron::keystone::authtoken::project_name: 'service'
neutron::keystone::authtoken::user_domain_name: 'Default'
neutron::keystone::authtoken::project_domain_name: 'Default'
neutron::keystone::authtoken::region_name: {get_param: KeystoneRegion}
neutron::keystone::authtoken::interface: 'internal'
neutron::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
neutron::quota::quota_port: {get_param: NeutronPortQuota}
neutron::quota::quota_security_group: {get_param: NeutronSecurityGroupQuota}
neutron::server::placement::password: {get_param: PlacementPassword}
neutron::server::placement::project_domain_name: 'Default'
neutron::server::placement::project_name: 'service'
neutron::server::placement::user_domain_name: 'Default'
neutron::server::placement::username: placement
neutron::server::placement::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
neutron::server::placement::auth_type: 'password'
neutron::server::placement::region_name: {get_param: KeystoneRegion}
neutron::server::placement::endpoint_type: 'internal'
neutron::server::sync_db: false
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
tripleo::profile::base::neutron::server::tls_proxy_bind_ip:
str_replace:
template:
"%{lookup('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
tripleo::profile::base::neutron::server::tls_proxy_fqdn:
str_replace:
template:
"%{lookup('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
tripleo::profile::base::neutron::server::tls_proxy_port:
get_param: [EndpointMap, NeutronInternal, port]
# Bind to localhost if internal TLS is enabled, since we put a TLS
# proxy in front.
neutron::bind_host:
if:
- {get_param: EnableInternalTLS}
- "%{lookup('localhost_address')}"
- str_replace:
template:
"%{lookup('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
tripleo::profile::base::neutron::server::l3_ha_override: {get_param: NeutronL3HA}
- if:
- neutron_workers_set
- neutron::server::api_workers: {get_param: NeutronWorkers}
- if:
- neutron_rpc_workers_set
- neutron::server::rpc_workers: {get_param: NeutronRpcWorkers}
- if:
- neutron_workers_set
- neutron::server::rpc_workers: {get_param: NeutronWorkers}
- if:
- neutron_ovs_int_br_set
- neutron::server::ovs_integration_bridge: {get_param: NeutronOvsIntegrationBridge}
- if:
- az_set
- neutron::server::dhcp_load_type: {get_param: NeutronDhcpLoadType}
neutron::server::network_scheduler_driver:
{get_param: NeutronNetworkSchedulerDriver}
neutron::server::router_scheduler_driver:
{get_param: NeutronRouterSchedulerDriver}
neutron::server::default_availability_zones:
{get_param: NeutronDefaultAvailabilityZones}
- if:
- ovn_and_tls
- tripleo::profile::base::neutron::plugins::ml2::ovn::protocol: 'ssl'
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_nb_private_key: '/etc/pki/tls/private/neutron_ovn.key'
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_nb_certificate: '/etc/pki/tls/certs/neutron_ovn.crt'
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_sb_private_key: '/etc/pki/tls/private/neutron_ovn.key'
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_sb_certificate: '/etc/pki/tls/certs/neutron_ovn.crt'
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_nb_ca_cert: {get_param: InternalTLSCAFile}
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_sb_ca_cert: {get_param: InternalTLSCAFile}
- if:
- auth_strategy_http_basic
- neutron::config::api_paste_ini:
composite:neutronapi_v2_0/http_basic:
value: 'cors http_proxy_to_wsgi request_id fake_project_id catch_errors osprofiler basic_auth extensions neutronapiapp_v2_0'
composite:neutronversions_composite/http_basic:
value: 'cors http_proxy_to_wsgi neutronversions'
filter:basic_auth/paste.filter_factory:
value: 'oslo_middleware.basic_auth:BasicAuthMiddleware.factory'
service_config_settings:
rsyslog:
tripleo_logging_sources_neutron_api:
- {get_param: NeutronApiLoggingSource}
mysql:
neutron::db::mysql::password: {get_param: NeutronPassword}
neutron::db::mysql::user: neutron
neutron::db::mysql::host: '%'
neutron::db::mysql::dbname: ovs_neutron
horizon:
horizon::policy::neutron_policies: {get_param: NeutronApiPolicies}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: neutron
puppet_tags: neutron_config,neutron_api_paste_ini
step_config:
list_join:
- "\n"
- - include tripleo::profile::base::neutron::server
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_attr: [RoleParametersValue, value, ContainerNeutronConfigImage]}
kolla_config:
/var/lib/kolla/config_files/neutron_api.json:
command:
list_join:
- ' '
- - /usr/bin/neutron-server --config-dir /usr/share/neutron/server --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugin.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-server
- get_attr: [NeutronLogging, cmd_extra_args]
config_files: &neutron_api_config_files
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
optional: true
preserve_properties: true
permissions: &neutron_api_permissions
- path: /var/log/neutron
owner: neutron:neutron
recurse: true
- path: /etc/pki/tls/certs/neutron_ovn.crt
owner: neutron:neutron
optional: true
perm: '0644'
- path: /etc/pki/tls/private/neutron_ovn.key
owner: neutron:neutron
optional: true
perm: '0644'
/var/lib/kolla/config_files/neutron_api_db_sync.json:
command: "/usr/bin/bootstrap_host_exec neutron_api neutron-db-manage upgrade heads"
# FIXME: we should make config file permissions right
# and run as neutron user
#command: "/usr/bin/bootstrap_host_exec neutron_api su neutron -s /bin/bash -c 'neutron-db-manage upgrade heads'"
config_files: *neutron_api_config_files
permissions: *neutron_api_permissions
/var/lib/kolla/config_files/neutron_server_tls_proxy.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
dest: "/etc/httpd/conf.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
dest: "/etc/httpd/conf.modules.d"
merge: false
preserve_properties: true
docker_config:
step_2:
get_attr: [NeutronLogging, docker_config, step_2]
step_3:
neutron_db_sync:
image: &neutron_api_image {get_attr: [RoleParametersValue, value, ContainerNeutronApiImage]}
net: host
privileged: false
detach: false
user: root
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [NeutronLogging, volumes]}
- {get_param: NeutronApiOptVolumes}
- - /var/lib/kolla/config_files/neutron_api_db_sync.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/neutron:/var/lib/kolla/config_files/src:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
step_4:
map_merge:
- neutron_api:
start_order: 0
image: *neutron_api_image
net: host
privileged: false
restart: always
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [NeutronLogging, volumes]}
- {get_param: NeutronApiOptVolumes}
- - /var/lib/kolla/config_files/neutron_api.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/neutron:/var/lib/kolla/config_files/src:ro
- if:
- ovn_and_tls
- - /etc/pki/tls/certs/neutron_ovn.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/neutron_ovn.crt:ro
- /etc/pki/tls/private/neutron_ovn.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/neutron_ovn.key:ro
- if:
- auth_strategy_http_basic
- - /etc/neutron_passwd:/etc/htpasswd:z
environment:
map_merge:
- {get_param: NeutronApiOptEnvVars}
- KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
- if:
- {get_param: EnableInternalTLS}
- neutron_server_tls_proxy:
image: *neutron_api_image
net: host
user: root
restart: always
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [NeutronLogging, volumes]}
- - /var/lib/kolla/config_files/neutron_server_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/neutron:/var/lib/kolla/config_files/src:ro
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
host_prep_tasks:
list_concat:
- {get_attr: [NeutronLogging, host_prep_tasks]}
- - name: create password file when auth_strategy is 'http_basic'
vars:
is_http_basic:
if:
- auth_strategy_http_basic
- true
- false
copy:
dest: /etc/neutron_passwd
content:
str_replace:
template: |
admin:{{'$ADMIN_PASSWORD' | password_hash('bcrypt')}}
neutron:{{'$NEUTRON_PASSWORD' | password_hash('bcrypt')}}
ironic:{{'$IRONIC_PASSWORD' | password_hash('bcrypt')}}
params:
$ADMIN_PASSWORD: {get_param: AdminPassword}
$NEUTRON_PASSWORD: {get_param: NeutronPassword}
$IRONIC_PASSWORD: {get_param: IronicPassword}
when: is_http_basic | bool
metadata_settings:
list_concat:
- {get_attr: [TLSProxyBase, role_data, metadata_settings]}
- if:
- ovn_and_tls
- - service: neutron_ovn
network: {get_param: [ServiceNetMap, NeutronApiNetwork]}
type: node
deploy_steps_tasks:
if:
- ovn_and_tls
- - name: Certificate generation
when: step|int == 1
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: neutron_ovn
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
principal:
str_replace:
template: "neutron_ovn/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
key_size:
if:
- key_size_override_set
- {get_param: NeutronCertificateKeySize}
- {get_param: CertificateKeySize}
ca: ipa
external_upgrade_tasks:
- when:
- step|int == 1
tags:
- never
- system_upgrade_transfer_data
- system_upgrade_stop_services
block:
- name: Stop neutron api container
import_role:
name: tripleo_container_stop
vars:
tripleo_containers_to_stop:
- neutron_api
tripleo_delegate_to: "{{ groups['neutron_api'] | default([]) }}"
View Git Blame Copy Permalink