tripleo-heat-templates/deployment/nova/nova-metadata-container-puppet.yaml
rabi 6d2901345a Add <service>_api_paste_ini in puppet_tags
Most of the services are either missing or using deprecated tags for
paste deploy configuration. Add those for us to be able to customize
paste deploy.

Also, removes the unnecessary tag from nova-compute.

Change-Id: I699b9283c7dbdb59923007488b4ac6c359d6eced
2021-08-11 12:33:02 +09:00

293 lines
11 KiB
YAML

heat_template_version: wallaby
description: >
OpenStack containerized Nova Metadata service
parameters:
ContainerNovaMetadataImage:
description: image
type: string
ContainerNovaMetadataConfigImage:
description: The container image to use for the nova config_volume
type: string
NovaMetadataLoggingSource:
type: json
default:
tag: openstack.nova.api.metadata
file: /var/log/containers/nova/nova-metadata-api.log
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EnableInternalTLS:
type: boolean
default: false
NovaWorkers:
default: 0
description: Number of workers for Nova services.
type: number
NovaPassword:
description: The password for the nova service and db account
type: string
hidden: true
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
NeutronMetadataProxySharedSecret:
description: Shared secret to prevent spoofing
type: string
hidden: true
MonitoringSubscriptionNovaMetadata:
default: 'overcloud-nova-metadata'
type: string
NovaLocalMetadataPerCell:
default: false
description: >
Indicates that the nova-metadata API service has been deployed
per-cell, so that we can have better performance and data isolation in a
multi-cell deployment. Users should consider the use of this configuration
depending on how neutron is setup. If networks span cells, you might need
to run nova-metadata API service globally. If your networks are segmented
along cell boundaries, then you can run nova-metadata API service per cell.
When running nova-metadata API service per cell, you should also configure
each Neutron metadata-agent to point to the corresponding nova-metadata API
service.
type: boolean
MemcacheUseAdvancedPool:
type: boolean
description: |
Use the advanced (eventlet safe) memcached client pool.
default: true
conditions:
nova_workers_set:
not: {equals : [{get_param: NovaWorkers}, 0]}
is_neutron_shared_metadata_notempty: {not: {equals: [{get_param: NeutronMetadataProxySharedSecret}, '']}}
resources:
ContainersCommon:
type: ../containers-common.yaml
MySQLClient:
type: ../../deployment/database/mysql-client.yaml
NovaMetadataLogging:
type: OS::TripleO::Services::Logging::NovaMetadata
ApacheServiceBase:
type: ../../deployment/apache/apache-baremetal-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
EnableInternalTLS: {get_param: EnableInternalTLS}
NovaBase:
type: ./nova-base-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
NovaApiDBClient:
type: ./nova-apidb-client-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
NovaDBClient:
type: ./nova-db-client-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Role data for the Nova Metadata service.
value:
service_name: nova_metadata
firewall_rules:
'139 nova_metadata':
dport:
- 8775
- 13775
monitoring_subscription: {get_param: MonitoringSubscriptionNovaMetadata}
config_settings:
map_merge:
- get_attr: [NovaBase, role_data, config_settings]
- if:
- not: {get_param: NovaLocalMetadataPerCell}
- {get_attr: [NovaApiDBClient, role_data, config_settings]}
- get_attr: [NovaDBClient, role_data, config_settings]
- get_attr: [ApacheServiceBase, role_data, config_settings]
- get_attr: [NovaMetadataLogging, config_settings]
- apache::default_vhost: false
- nova::keystone::authtoken::project_name: 'service'
nova::keystone::authtoken::password: {get_param: NovaPassword}
nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
nova::keystone::authtoken::interface: 'internal'
nova::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
nova::wsgi::apache_metadata::api_port: '8775'
nova::wsgi::apache_metadata::ssl: {get_param: EnableInternalTLS}
nova::metadata::local_metadata_per_cell: {get_param: NovaLocalMetadataPerCell}
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
nova::wsgi::apache_metadata::bind_host:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
nova::wsgi::apache_metadata::servername:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
nova::wsgi::apache_metadata::workers:
if:
- nova_workers_set
- {get_param: NovaWorkers}
nova::metadata::neutron_metadata_proxy_shared_secret:
if:
- is_neutron_shared_metadata_notempty
- {get_param: NeutronMetadataProxySharedSecret}
service_config_settings:
rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq}
mysql:
map_merge:
- if:
- not: {get_param: NovaLocalMetadataPerCell}
- get_attr: [NovaApiDBClient, role_data, service_config_settings, mysql]
- get_attr: [NovaDBClient, role_data, service_config_settings, mysql]
rsyslog:
tripleo_logging_sources_nova_metadata:
- {get_param: NovaMetadataLoggingSource}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: nova_metadata
puppet_tags: nova_config,nova_api_paste_ini
step_config:
list_join:
- "\n"
- - include tripleo::profile::base::nova::metadata
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_param: ContainerNovaMetadataConfigImage}
kolla_config:
/var/lib/kolla/config_files/nova_metadata.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files:
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
dest: "/etc/httpd/conf.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
dest: "/etc/httpd/conf.modules.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/nova
owner: nova:nova
recurse: true
docker_config:
step_2:
get_attr: [NovaMetadataLogging, docker_config, step_2]
step_4:
nova_metadata:
start_order: 2
image: {get_param: ContainerNovaMetadataImage}
net: host
user: root
restart: always
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [NovaMetadataLogging, volumes]}
- - /var/lib/kolla/config_files/nova_metadata.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/nova_metadata:/var/lib/kolla/config_files/src:ro
- if:
- {get_param: EnableInternalTLS}
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
deploy_steps_tasks:
list_concat:
- get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
- - name: validate nova-metadata container state
containers.podman.podman_container_info:
name: nova_metadata
register: nova_metadata_infos
failed_when:
- nova_metadata_infos.containers.0.Healthcheck.Status is defined
- "'healthy' not in nova_metadata_infos.containers.0.Healthcheck.Status"
retries: 10
delay: 30
tags:
- opendev-validation
- opendev-validation-nova
when:
- container_cli == 'podman'
- not container_healthcheck_disabled
- step|int == 5
host_prep_tasks: {get_attr: [NovaMetadataLogging, host_prep_tasks]}
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]
external_upgrade_tasks:
- when:
- step|int == 1
tags:
- never
- system_upgrade_transfer_data
- system_upgrade_stop_services
block:
- name: Stop nova metadata container
import_role:
name: tripleo_container_stop
vars:
tripleo_containers_to_stop:
- nova_metadata
tripleo_delegate_to: "{{ groups['nova_metadata'] | default([]) }}"