8e052715c8
Today for some services we mount in /var/lib/config-data/<service>/etc which is actually an output from the container-puppet process. We should be using kolla to ensure that we properly create the configurations based on the puppet generated configurations and things in the container. Some services correctly leverage the kolla_config that the associated api/service uses when running their db sync. This patch aligns the rest to follow the similar pattern. Change-Id: I0e3d5748a50937880a55413b75fe6eca479c9160
310 lines
12 KiB
YAML
310 lines
12 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
OpenStack containerized Ironic API service
|
|
|
|
parameters:
|
|
ContainerIronicApiImage:
|
|
description: image
|
|
type: string
|
|
ContainerIronicApiConfigImage:
|
|
description: The container image to use for the ironic_api config_volume
|
|
type: string
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
DeployIdentifier:
|
|
default: ''
|
|
type: string
|
|
description: >
|
|
Setting this to a unique value will re-run any deployment tasks which
|
|
perform configuration on a Heat stack-update.
|
|
IronicPassword:
|
|
description: The password for the Ironic service and db account, used by the Ironic services
|
|
type: string
|
|
hidden: true
|
|
MonitoringSubscriptionIronicApi:
|
|
default: 'overcloud-ironic-api'
|
|
type: string
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
IronicApiPolicies:
|
|
description: |
|
|
A hash of policies to configure for Ironic API.
|
|
e.g. { ironic-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
|
|
default: {}
|
|
type: json
|
|
IronicCorsAllowedOrigin:
|
|
type: string
|
|
default: ''
|
|
description: Indicate whether this resource may be shared with the domain received in the request
|
|
"origin" header.
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
|
|
conditions:
|
|
cors_allowed_origin_set:
|
|
not: {equals : [{get_param: IronicCorsAllowedOrigin}, '']}
|
|
|
|
resources:
|
|
ApacheServiceBase:
|
|
type: ../../deployment/apache/apache-baremetal-puppet.yaml
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
EnableInternalTLS: {get_param: EnableInternalTLS}
|
|
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
MySQLClient:
|
|
type: ../database/mysql-client.yaml
|
|
|
|
IronicBase:
|
|
type: ./ironic-base-puppet.yaml
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Ironic API role.
|
|
value:
|
|
service_name: ironic_api
|
|
firewall_rules:
|
|
'133 ironic api':
|
|
dport:
|
|
- 6385
|
|
- 13385
|
|
keystone_resources:
|
|
ironic:
|
|
endpoints:
|
|
public: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
|
|
internal: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]}
|
|
admin: {get_param: [EndpointMap, IronicAdmin, uri_no_suffix]}
|
|
users:
|
|
ironic:
|
|
roles:
|
|
- admin
|
|
- service
|
|
password: {get_param: IronicPassword}
|
|
region: {get_param: KeystoneRegion}
|
|
service: 'baremetal'
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionIronicApi}
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [IronicBase, role_data, config_settings]
|
|
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
|
- ironic::cors::allowed_origin:
|
|
if:
|
|
- cors_allowed_origin_set
|
|
- {get_param: IronicCorsAllowedOrigin}
|
|
ironic::api::authtoken::password: {get_param: IronicPassword}
|
|
ironic::api::authtoken::project_name: 'service'
|
|
ironic::api::authtoken::user_domain_name: 'Default'
|
|
ironic::api::authtoken::project_domain_name: 'Default'
|
|
ironic::api::authtoken::username: 'ironic'
|
|
ironic::api::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
|
ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
ironic::api::authtoken::region_name: {get_param: KeystoneRegion }
|
|
ironic::api::authtoken::interface: 'internal'
|
|
# NOTE: bind IP is found in hiera replacing the network name with the
|
|
# local node IP for the given network; replacement examples
|
|
# (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
ironic::api::host_ip:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, IronicApiNetwork]}
|
|
ironic::api::port: {get_param: [EndpointMap, IronicInternal, port]}
|
|
# This is used to build links in responses
|
|
ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
|
|
ironic::api::service_name: 'httpd'
|
|
ironic::policy::policies: {get_param: IronicApiPolicies}
|
|
ironic::wsgi::apache::bind_host:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, IronicApiNetwork]}
|
|
ironic::wsgi::apache::port: {get_param: [EndpointMap, IronicInternal, port]}
|
|
ironic::wsgi::apache::servername:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, IronicApiNetwork]}
|
|
ironic::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
|
ironic::cors::max_age: 3600
|
|
ironic::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'
|
|
ironic::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
|
|
ironic::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
|
|
- apache::default_vhost: false
|
|
service_config_settings:
|
|
mysql:
|
|
ironic::db::mysql::password: {get_param: IronicPassword}
|
|
ironic::db::mysql::user: ironic
|
|
ironic::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
|
|
ironic::db::mysql::dbname: ironic
|
|
ironic::db::mysql::allowed_hosts:
|
|
- '%'
|
|
- "%{hiera('mysql_bind_host')}"
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: ironic_api
|
|
puppet_tags: ironic_config
|
|
step_config:
|
|
list_join:
|
|
- "\n"
|
|
- - include tripleo::profile::base::ironic::api
|
|
- {get_attr: [MySQLClient, role_data, step_config]}
|
|
config_image: {get_param: ContainerIronicApiConfigImage}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/ironic_api.json:
|
|
command: /usr/sbin/httpd -DFOREGROUND
|
|
config_files: &ironic_api_config_files
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
|
|
dest: "/etc/httpd/conf.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
|
|
dest: "/etc/httpd/conf.modules.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions: &ironic_api_permissions
|
|
- path: /var/log/ironic
|
|
owner: ironic:ironic
|
|
recurse: true
|
|
/var/lib/kolla/config_files/ironic_api_db_sync.json:
|
|
command: "/usr/bin/bootstrap_host_exec ironic_api su ironic -s /bin/bash -c 'ironic-dbsync --config-file /etc/ironic/ironic.conf'"
|
|
config_files: *ironic_api_config_files
|
|
permissions: *ironic_api_permissions
|
|
docker_config:
|
|
# db sync runs before permissions set by kolla_config
|
|
step_2:
|
|
ironic_init_logs:
|
|
image: &ironic_api_image {get_param: ContainerIronicApiImage}
|
|
net: none
|
|
privileged: false
|
|
user: root
|
|
volumes:
|
|
- /var/log/containers/ironic:/var/log/ironic:z
|
|
- /var/log/containers/httpd/ironic-api:/var/log/httpd:z
|
|
command: ['/bin/bash', '-c', 'chown -R ironic:ironic /var/log/ironic']
|
|
step_3:
|
|
ironic_db_sync:
|
|
start_order: 1
|
|
image: *ironic_api_image
|
|
net: host
|
|
privileged: false
|
|
detach: false
|
|
user: root
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- - /var/lib/kolla/config_files/ironic_api_db_sync.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/ironic_api:/var/lib/kolla/config_files/src:ro
|
|
- /var/log/containers/ironic:/var/log/ironic:z
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
|
step_4:
|
|
ironic_api:
|
|
start_order: 10
|
|
image: *ironic_api_image
|
|
net: host
|
|
user: root
|
|
restart: always
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- - /var/lib/kolla/config_files/ironic_api.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/ironic_api:/var/lib/kolla/config_files/src:ro
|
|
- /var/log/containers/ironic:/var/log/ironic:z
|
|
- /var/log/containers/httpd/ironic-api:/var/log/httpd:z
|
|
- if:
|
|
- {get_param: EnableInternalTLS}
|
|
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
|
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
host_prep_tasks:
|
|
- name: create persistent directories
|
|
file:
|
|
path: "{{ item.path }}"
|
|
state: directory
|
|
setype: "{{ item.setype }}"
|
|
mode: "{{ item.mode|default(omit) }}"
|
|
with_items:
|
|
- { 'path': /var/log/containers/ironic, 'setype': container_file_t, 'mode': '0750' }
|
|
- { 'path': /var/log/containers/httpd/ironic-api, 'setype': container_file_t, 'mode': '0750' }
|
|
deploy_steps_tasks:
|
|
get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
|
|
external_upgrade_tasks:
|
|
- when: step|int == 1
|
|
block: &ironic_online_db_migration
|
|
- name: Online data migration for Ironic
|
|
command: "{{ container_cli }} exec ironic_api ironic-dbsync --config-file /etc/ironic/ironic.conf online_data_migrations"
|
|
delegate_to: "{{ groups['ironic_api'][0] }}"
|
|
become: true
|
|
tags:
|
|
- online_upgrade
|
|
- online_upgrade_ironic
|
|
- when:
|
|
- step|int == 1
|
|
tags:
|
|
- never
|
|
- system_upgrade_transfer_data
|
|
- system_upgrade_stop_services
|
|
block:
|
|
- name: Stop ironic api container
|
|
import_role:
|
|
name: tripleo_container_stop
|
|
vars:
|
|
tripleo_containers_to_stop:
|
|
- ironic_api
|
|
tripleo_delegate_to: "{{ groups['ironic_api'] | default([]) }}"
|
|
external_update_tasks:
|
|
- when: step|int == 1
|
|
block: *ironic_online_db_migration
|