tripleo-heat-templates/deployment/heat/heat-base-puppet.yaml
Takashi Kajinami 160936df13 Use public endpoint for [keystone_authtoken] www_authenticate_uri
According to the parameter description, www_authenticate_uri should be
complete public Identity endpoint, which is accessible by all end
users.
This change replaces internal endpoint by public endpoint to meet that
requirement.

Closes-Bug: #1955397
Change-Id: I30165c8ee5aa4b777b73ad89ac709e2c8a375382
2021-12-20 10:51:05 +00:00

229 lines
9.1 KiB
YAML

heat_template_version: wallaby
description: >
Openstack Heat base service. Shared for all Heat services.
parameters:
Debug:
default: false
description: Set to True to enable debugging on all services.
type: boolean
HeatDebug:
default: false
description: Set to True to enable debugging Heat services.
type: boolean
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
HeatPassword:
description: The password for the Heat service and db account, used by the Heat services.
type: string
hidden: true
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
EnableCache:
description: Enable caching with memcached
type: boolean
default: true
HeatCronPurgeDeletedEnsure:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Ensure
default: 'present'
HeatCronPurgeDeletedMinute:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Minute
default: '1'
HeatCronPurgeDeletedHour:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Hour
default: '0'
HeatCronPurgeDeletedMonthday:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Month Day
default: '*'
HeatCronPurgeDeletedMonth:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Month
default: '*'
HeatCronPurgeDeletedWeekday:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Week Day
default: '*'
HeatCronPurgeDeletedMaxDelay:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Max Delay
default: '3600'
HeatCronPurgeDeletedUser:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - User
default: 'heat'
HeatCronPurgeDeletedAge:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Age
default: '30'
HeatCronPurgeDeletedAgeType:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Age type
default: 'days'
HeatCronPurgeDeletedDestination:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Log destination
default: '/dev/null'
HeatYaqlLimitIterators:
type: number
description: >
The maximum number of elements in collection yaql expressions can take
for its evaluation.
default: 1000
HeatYaqlMemoryQuota:
type: number
description: >
The maximum size of memory in bytes that yaql exrpessions can take for
its evaluation.
default: 100000
HeatMaxJsonBodySize:
default: 4194304
description: Maximum raw byte size of the Heat API JSON request body.
type: number
NotificationDriver:
type: comma_delimited_list
default: 'noop'
description: Driver or drivers to handle sending notifications.
HeatCorsAllowedOrigin:
type: string
default: ''
description: Indicate whether this resource may be shared with the domain received in the request
"origin" header.
HeatRpcResponseTimeout:
default: 600
description: Heat's RPC response timeout, in seconds.
type: number
MemcachedTLS:
default: false
description: Set to True to enable TLS on Memcached service.
Because not all services support Memcached TLS, during the
migration period, Memcached will listen on 2 ports - on the
port set with MemcachedPort parameter (above) and on 11211,
without TLS.
type: boolean
MemcacheUseAdvancedPool:
type: boolean
description: |
Use the advanced (eventlet safe) memcached client pool.
default: true
EnforceSecureRbac:
type: boolean
default: false
description: >-
Setting this option to True will configure each OpenStack service to
enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
`[oslo_policy] enforce_scope` to True. This introduces a consistent set
of RBAC personas across OpenStack services that include support for
system and project scope, as well as keystone's default roles, admin,
member, and reader. Do not enable this functionality until all services in
your deployment actually support secure RBAC.
conditions:
tls_cache_enabled:
and:
- {get_param: EnableCache}
- {get_param: MemcachedTLS}
cors_allowed_origin_set:
not: {equals : [{get_param: HeatCorsAllowedOrigin}, '']}
outputs:
role_data:
description: Shared role data for the Heat services.
value:
service_name: heat_base
config_settings:
map_merge:
- if:
- {get_param: EnforceSecureRbac}
- heat::policy::enforce_scope: true
heat::policy::enforce_new_defaults: true
- if:
- cors_allowed_origin_set
- heat::cors::allowed_origin: {get_param: HeatCorsAllowedOrigin}
- heat::notification_driver: {get_param: NotificationDriver}
heat::logging::debug:
if:
- {get_param: HeatDebug}
- true
- {get_param: Debug}
heat::enable_proxy_headers_parsing: true
heat::rpc_response_timeout: {get_param: HeatRpcResponseTimeout}
heat::rabbit_heartbeat_timeout_threshold: 60
heat::region_name: {get_param: KeystoneRegion}
heat::keystone::authtoken::project_name: 'service'
heat::keystone::authtoken::user_domain_name: 'Default'
heat::keystone::authtoken::project_domain_name: 'Default'
heat::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
heat::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
heat::keystone::authtoken::password: {get_param: HeatPassword}
heat::keystone::authtoken::region_name: {get_param: KeystoneRegion}
heat::keystone::authtoken::interface: 'internal'
heat::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
heat::keystone::domain::domain_name: 'heat_stack'
heat::keystone::domain::domain_admin: 'heat_stack_domain_admin'
heat::keystone::domain::domain_admin_email: 'heat_stack_domain_admin@localhost'
heat::db::database_db_max_retries: -1
heat::db::database_max_retries: -1
heat::yaql_memory_quota: {get_param: HeatYaqlMemoryQuota}
heat::yaql_limit_iterators: {get_param: HeatYaqlLimitIterators}
heat::cors::max_age: 3600
heat::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
heat::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
heat::cron::purge_deleted::ensure: {get_param: HeatCronPurgeDeletedEnsure}
heat::cron::purge_deleted::minute: {get_param: HeatCronPurgeDeletedMinute}
heat::cron::purge_deleted::hour: {get_param: HeatCronPurgeDeletedHour}
heat::cron::purge_deleted::monthday: {get_param: HeatCronPurgeDeletedMonthday}
heat::cron::purge_deleted::month: {get_param: HeatCronPurgeDeletedMonth}
heat::cron::purge_deleted::weekday: {get_param: HeatCronPurgeDeletedWeekday}
heat::cron::purge_deleted::maxdelay: {get_param: HeatCronPurgeDeletedMaxDelay}
heat::cron::purge_deleted::user: {get_param: HeatCronPurgeDeletedUser}
heat::cron::purge_deleted::age: {get_param: HeatCronPurgeDeletedAge}
heat::cron::purge_deleted::age_type: {get_param: HeatCronPurgeDeletedAgeType}
heat::cron::purge_deleted::destination: {get_param: HeatCronPurgeDeletedDestination}
heat::max_json_body_size: {get_param: HeatMaxJsonBodySize}
- heat::cache::enabled: {get_param: EnableCache}
heat::cache::tls_enabled: {get_param: MemcachedTLS}
heat::cache::resource_finder_caching: false
- if:
- tls_cache_enabled
- heat::cache::backend: 'dogpile.cache.pymemcache'
- heat::cache::backend: 'dogpile.cache.memcached'