44ef2a3ec1
The new master branch should point now to rocky. So, HOT templates should specify that they might contain features for rocky release [1] Also, this submission updates the yaml validation to use only latest heat_version alias. There are cases in which we will need to set the version for specific templates i.e. mixed versions, so there is added a variable to assign specific templates to specific heat_version aliases, avoiding the introductions of error by bulk replacing the the old version in new releases. [1]: https://docs.openstack.org/heat/latest/template_guide/hot_spec.html#rocky Change-Id: Ib17526d9cc453516d99d4659ee5fa51a5aa7fb4b
128 lines
4.4 KiB
YAML
128 lines
4.4 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
Memcached service configured with Puppet
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
MemcachedMaxMemory:
|
|
default: '50%'
|
|
description: The maximum amount of memory for memcached to be configured
|
|
to use when installed. This can be either a percentage ('50%')
|
|
or a fixed value ('2048').
|
|
type: string
|
|
MonitoringSubscriptionMemcached:
|
|
default: 'overcloud-memcached'
|
|
type: string
|
|
Debug:
|
|
default: false
|
|
description: Set to True to enable debugging on all services.
|
|
type: boolean
|
|
MemcachedDebug:
|
|
default: ''
|
|
description: Set to True to enable debugging Memcached service.
|
|
type: string
|
|
constraints:
|
|
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
|
|
MemcachedIpSubnet:
|
|
default: ''
|
|
description: IP address/subnet on the memcached network. If empty (default), MemcachedNetwork
|
|
will be taken. Useful in the case where an operator wants to open Memcached outside
|
|
of the internal network. Use this parameter with caution and be aware of
|
|
opening memcached to external network can be dangerous.
|
|
type: string
|
|
|
|
conditions:
|
|
memcached_network_unset: {equals : [{get_param: MemcachedIpSubnet}, '']}
|
|
service_debug:
|
|
or:
|
|
- equals: [{get_param: MemcachedDebug}, 'true']
|
|
- equals: [{get_param: MemcachedDebug}, 'True']
|
|
- equals: [{get_param: Debug}, true]
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Memcached role.
|
|
value:
|
|
service_name: memcached
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionMemcached}
|
|
config_settings:
|
|
memcached_network:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK_subnet')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
|
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
|
# for the given network; replacement examples (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
memcached::listen_ip:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
|
memcached::max_memory: {get_param: MemcachedMaxMemory}
|
|
# https://access.redhat.com/security/cve/cve-2018-1000115
|
|
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
|
|
memcached::udp_port: 0
|
|
memcached::verbosity:
|
|
list_join:
|
|
- ''
|
|
- - 'v'
|
|
- if:
|
|
- service_debug
|
|
- 'v'
|
|
- ''
|
|
tripleo.memcached.firewall_rules:
|
|
'121 memcached':
|
|
dport: 11211
|
|
# https://access.redhat.com/security/cve/cve-2018-1000115
|
|
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
|
|
proto: 'tcp'
|
|
# Memcached traffic shouldn't be open on the internet.
|
|
# Even if binding is configured on internal_api network, enforce it
|
|
# via firewall as well.
|
|
source:
|
|
if:
|
|
- memcached_network_unset
|
|
- "%{hiera('memcached_network')}"
|
|
- {get_param: MemcachedIpSubnet}
|
|
step_config: |
|
|
include ::tripleo::profile::base::memcached
|
|
service_config_settings:
|
|
collectd:
|
|
tripleo.collectd.plugins.memcached:
|
|
- memcached
|
|
collectd::plugin::memcached::instances:
|
|
local:
|
|
host: "%{hiera('memcached::listen_ip')}"
|
|
port: 11211
|