openstack/tripleo-heat-templates
Code Issues Proposed changes
Files
80086fd342032ec448a84ecf7c5dbe98d381450a
tripleo-heat-templates/puppet/services/cinder-api.yaml
Juan Antonio Osorio Robles 80086fd342 Add metadata settings for needed kerberos principals 
These are only used for TLS-everywhere, and fills up the kerberos
principals that will need to be created for the certs used by the
overcloud. With this, the metadata hook will format these principals
correctly and will further pass them on to the nova metadata service.
Where they can be used if there's a plugin enabled.

bp tls-via-certmonger
bp novajoin

Change-Id: I873094bb69200052febda629fda698a7a782c031
2017-01-25 00:33:11 +02:00

164 lines
6.6 KiB
YAML
Raw Blame History

heat_template_version: ocata
description: >
OpenStack Cinder API service configured with Puppet
parameters:
CinderEnableDBPurge:
default: true
description: |
Whether to create cron job for purging soft deleted rows in Cinder database.
type: boolean
CinderPassword:
description: The password for the cinder service account, used by cinder-api.
type: string
hidden: true
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
MonitoringSubscriptionCinderApi:
default: 'overcloud-cinder-api'
type: string
CinderApiLoggingSource:
type: json
default:
tag: openstack.cinder.api
path: /var/log/cinder/cinder-api.log
CinderWorkers:
type: string
description: Set the number of workers for cinder::wsgi::apache
default: '%{::os_workers}'
EnableInternalTLS:
type: boolean
default: false
conditions:
cinder_workers_zero: {equals : [{get_param: CinderWorkers}, 0]}
resources:
ApacheServiceBase:
type: ./apache.yaml
properties:
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
EnableInternalTLS: {get_param: EnableInternalTLS}
CinderBase:
type: ./cinder-base.yaml
properties:
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
outputs:
role_data:
description: Role data for the Cinder API role.
value:
service_name: cinder_api
monitoring_subscription: {get_param: MonitoringSubscriptionCinderApi}
logging_source: {get_param: CinderApiLoggingSource}
logging_groups:
- cinder
config_settings:
map_merge:
- get_attr: [CinderBase, role_data, config_settings]
- get_attr: [ApacheServiceBase, role_data, config_settings]
- cinder::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
cinder::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
cinder::keystone::authtoken::password: {get_param: CinderPassword}
cinder::keystone::authtoken::project_name: 'service'
cinder::api::enable_proxy_headers_parsing: true
cinder::api::nova_catalog_info: 'compute:Compute Service:internalURL'
# TODO(emilien) move it to puppet-cinder
cinder::config:
DEFAULT/swift_catalog_info:
value: 'object-store:swift:internalURL'
tripleo::profile::base::cinder::cinder_enable_db_purge: {get_param: CinderEnableDBPurge}
tripleo.cinder_api.firewall_rules:
'119 cinder':
dport:
- 8776
- 13776
cinder::api::bind_host:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]}
cinder::wsgi::apache::ssl: {get_param: EnableInternalTLS}
cinder::api::service_name: 'httpd'
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
cinder::wsgi::apache::bind_host: {get_param: [ServiceNetMap, CinderApiNetwork]}
cinder::wsgi::apache::servername:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]}
-
if:
- cinder_workers_zero
- {}
- cinder::wsgi::apache::workers: {get_param: CinderWorkers}
step_config: |
include ::tripleo::profile::base::cinder::api
service_config_settings:
keystone:
cinder::keystone::auth::tenant: 'service'
cinder::keystone::auth::public_url: {get_param: [EndpointMap, CinderPublic, uri]}
cinder::keystone::auth::internal_url: {get_param: [EndpointMap, CinderInternal, uri]}
cinder::keystone::auth::admin_url: {get_param: [EndpointMap, CinderAdmin, uri]}
cinder::keystone::auth::public_url_v2: {get_param: [EndpointMap, CinderV2Public, uri]}
cinder::keystone::auth::internal_url_v2: {get_param: [EndpointMap, CinderV2Internal, uri]}
cinder::keystone::auth::admin_url_v2: {get_param: [EndpointMap, CinderV2Admin, uri]}
cinder::keystone::auth::public_url_v3: {get_param: [EndpointMap, CinderV3Public, uri]}
cinder::keystone::auth::internal_url_v3: {get_param: [EndpointMap, CinderV3Internal, uri]}
cinder::keystone::auth::admin_url_v3: {get_param: [EndpointMap, CinderV3Admin, uri]}
cinder::keystone::auth::password: {get_param: CinderPassword}
cinder::keystone::auth::region: {get_param: KeystoneRegion}
mysql:
cinder::db::mysql::password: {get_param: CinderPassword}
cinder::db::mysql::user: cinder
cinder::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
cinder::db::mysql::dbname: cinder
cinder::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]
upgrade_tasks:
- name: check for cinder running under apache (post upgrade)
tags: step2
shell: "apachectl -t -D DUMP_VHOSTS | grep -q cinder"
register: cinder_apache
ignore_errors: true
- name: Stop cinder_api service (running under httpd)
tags: step2
service: name=httpd state=stopped
when: "cinder_apache.rc == 0"
- name: Stop and disable cinder_api service (pre-upgrade not under httpd)
tags: step2
service: name=openstack-cinder-api state=stopped enabled=no
View Git Blame Copy Permalink