3a7baa8fa6
Since https://review.openstack.org/#/c/514707/ added the net_ip_map to hieradata, we can look up the per-network bind IPs via hiera interpolation instead of heat map_replace. In some cases the ServiceNetMap lookup is used for other things, but anywhere we make use of the "magic" translation via NetIpMap is changed the same way. This will enable more of the configuration data to be exposed per role vs per node in a future patch (to simplify our ansible workflow). Co-authored-by: Bogdan Dobrelya <bdobreli@redhat.com> Change-Id: Ie3da9fedbfce87e85f74d8780e7ad1ceadda79c8
191 lines
7.0 KiB
YAML
191 lines
7.0 KiB
YAML
heat_template_version: queens
|
|
|
|
description: >
|
|
OpenStack Nova Vncproxy service configured with Puppet
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
StackUpdateType:
|
|
type: string
|
|
description: >
|
|
Type of update, to differentiate between UPGRADE and UPDATE cases
|
|
when StackAction is UPDATE (both are the same stack action).
|
|
constraints:
|
|
- allowed_values: ['', 'UPGRADE', 'FASTFORWARDUPGRADE']
|
|
default: ''
|
|
MonitoringSubscriptionNovaVNCProxy:
|
|
default: 'overcloud-nova-vncproxy'
|
|
type: string
|
|
NovaVncproxyLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.nova.vncproxy
|
|
path: /var/log/nova/nova-vncproxy.log
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
UseTLSTransportForVnc:
|
|
type: boolean
|
|
default: true
|
|
description: If set to true and if EnableInternalTLS is enabled, it will
|
|
enable TLS transaport for libvirt VNC and configure the
|
|
relevant keys for libvirt.
|
|
InternalTLSVncCAFile:
|
|
default: '/etc/ipa/vnc.crt'
|
|
type: string
|
|
description: Specifies the CA cert to use for VNC TLS.
|
|
LibvirtVncCACert:
|
|
type: string
|
|
default: ''
|
|
description: This specifies the CA certificate to use for VNC TLS.
|
|
This file will be symlinked to the default CA path,
|
|
which is /etc/pki/libvirt-vnc/ca-cert.pem.
|
|
This parameter should be used if the default (which comes from
|
|
the InternalTLSVncCAFile parameter) is not desired. The current
|
|
default reflects TripleO's default CA, which is FreeIPA.
|
|
It will only be used if internal TLS is enabled.
|
|
|
|
conditions:
|
|
|
|
use_tls_for_vnc:
|
|
and:
|
|
- equals:
|
|
- {get_param: EnableInternalTLS}
|
|
- true
|
|
- equals:
|
|
- {get_param: UseTLSTransportForVnc}
|
|
- true
|
|
|
|
libvirt_vnc_specific_ca_unset:
|
|
equals:
|
|
- {get_param: LibvirtVncCACert}
|
|
- ''
|
|
|
|
allow_noauth:
|
|
# Allow noauth VNC connections during P->Q upgrade. Remove in Rocky.
|
|
equals: [{get_param: StackUpdateType}, 'UPGRADE']
|
|
|
|
|
|
resources:
|
|
NovaBase:
|
|
type: ./nova-base.yaml
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Nova Vncproxy service.
|
|
value:
|
|
service_name: nova_vnc_proxy
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionNovaVNCProxy}
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [NovaBase, role_data, config_settings]
|
|
- nova::vncproxy::enabled: true
|
|
nova::vncproxy::common::vncproxy_protocol: {get_param: [EndpointMap, NovaVNCProxyPublic, protocol]}
|
|
nova::vncproxy::common::vncproxy_host: {get_param: [EndpointMap, NovaVNCProxyPublic, host_nobrackets]}
|
|
nova::vncproxy::common::vncproxy_port: {get_param: [EndpointMap, NovaVNCProxyPublic, port]}
|
|
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
|
# for the given network; replacement examples (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
nova::vncproxy::host:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
|
tripleo.nova_vnc_proxy.firewall_rules:
|
|
'137 nova_vnc_proxy':
|
|
dport:
|
|
- 6080
|
|
- 13080
|
|
-
|
|
if:
|
|
- use_tls_for_vnc
|
|
-
|
|
nova::vncproxy::allow_vencrypt: true
|
|
nova::vncproxy::allow_noauth: {if: [allow_noauth, true, false]}
|
|
nova::vncproxy::vencrypt_key: /etc/pki/libvirt-vnc/client-key.pem
|
|
nova::vncproxy::vencrypt_cert: /etc/pki/libvirt-vnc/client-cert.pem
|
|
nova::vncproxy::vencrypt_ca: /etc/pki/libvirt-vnc/ca-cert.pem
|
|
generate_service_certificates: true
|
|
tripleo::certmonger::ca::libvirt_vnc::origin_ca_pem:
|
|
if:
|
|
- libvirt_vnc_specific_ca_unset
|
|
- get_param: InternalTLSVncCAFile
|
|
- get_param: LibvirtVncCACert
|
|
tripleo::certmonger::libvirt_vnc_dirs::certificate_dir: '/etc/pki/libvirt-vnc'
|
|
libvirt_vnc_certificates_specs:
|
|
libvirt-vnc-client-cert:
|
|
cacertfile:
|
|
if:
|
|
- libvirt_vnc_specific_ca_unset
|
|
- get_param: InternalTLSVncCAFile
|
|
- null
|
|
service_certificate: '/etc/pki/libvirt-vnc/client-cert.pem'
|
|
service_key: '/etc/pki/libvirt-vnc/client-key.pem'
|
|
notify_service: '%{::nova::params::vncproxy_service_name}'
|
|
hostname:
|
|
str_replace:
|
|
template: "%{hiera('fqdn_NETWORK')}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
principal:
|
|
str_replace:
|
|
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
- {}
|
|
service_config_settings:
|
|
fluentd:
|
|
tripleo_fluentd_groups_nova_vnc_proxy:
|
|
- nova
|
|
tripleo_fluentd_sources_nova_vnc_proxy:
|
|
- {get_param: NovaVncproxyLoggingSource}
|
|
step_config: |
|
|
include tripleo::profile::base::nova::vncproxy
|
|
upgrade_tasks:
|
|
- name: Stop nova_vnc_proxy service
|
|
when: step|int == 1
|
|
service: name=openstack-nova-consoleauth state=stopped
|
|
metadata_settings:
|
|
if:
|
|
- use_tls_for_vnc
|
|
-
|
|
- service: libvirt-vnc
|
|
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
type: node
|
|
- null
|