tripleo-heat-templates/deployment/ironic/ironic-api-container-puppet.yaml

heat_template_version: wallaby

description: >
  OpenStack containerized Ironic API service  

parameters:
  ContainerIronicApiImage:
    description: image
    type: string
  ContainerIronicApiConfigImage:
    description: The container image to use for the ironic_api config_volume
    type: string
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry. Use
                 parameter_merge_strategies to merge it with the defaults.
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  DeployIdentifier:
    default: ''
    type: string
    description: >
      Setting this to a unique value will re-run any deployment tasks which
      perform configuration on a Heat stack-update.      
  IronicPassword:
    description: The password for the Ironic service and db account, used by the Ironic services
    type: string
    hidden: true
  MonitoringSubscriptionIronicApi:
    default: 'overcloud-ironic-api'
    type: string
  KeystoneRegion:
    type: string
    default: 'regionOne'
    description: Keystone region for endpoint
  IronicApiPolicies:
    description: |
      A hash of policies to configure for Ironic API.
      e.g. { ironic-context_is_admin: { key: context_is_admin, value: 'role:admin' } }      
    default: {}
    type: json
  IronicCorsAllowedOrigin:
    type: string
    default: ''
    description: Indicate whether this resource may be shared with the domain received in the request
                 "origin" header.
  EnableInternalTLS:
    type: boolean
    default: false
  MemcacheUseAdvancedPool:
    type: boolean
    description: |
      Use the advanced (eventlet safe) memcached client pool.      
    default: true
  IronicAuthStrategy:
    type: string
    description: Auth strategy to use with ironic.
    default: 'keystone'
    constraints:
      - allowed_values: ['keystone', 'http_basic', 'noauth']
  AdminPassword: #supplied by tripleo-undercloud-passwords.yaml
    type: string
    description: The password for the keystone admin account, used for monitoring, querying neutron etc.
    hidden: True
  IronicRpcTransport:
    description: The remote procedure call transport between conductor and
                 API processes, such as a messaging broker or JSON RPC.
    default: 'oslo'
    type: string
    constraints:
      - allowed_values: ['oslo', 'json-rpc']

conditions:
  cors_allowed_origin_set:
    not: {equals : [{get_param: IronicCorsAllowedOrigin}, '']}
  auth_strategy_non_default:
    contains: [{get_param: IronicAuthStrategy}, ['noauth', 'http_basic']]
  auth_strategy_noauth:
    equals: [{get_param: IronicAuthStrategy}, 'noauth']
  auth_strategy_http_basic:
    equals: [{get_param: IronicAuthStrategy}, 'http_basic']
  rpc_transport_json_rpc:
    equals: [{get_param: IronicRpcTransport}, 'json-rpc']

resources:
  ApacheServiceBase:
    type: ../../deployment/apache/apache-baremetal-puppet.yaml
    properties:
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      EndpointMap: {get_param: EndpointMap}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}
      EnableInternalTLS: {get_param: EnableInternalTLS}

  ContainersCommon:
    type: ../containers-common.yaml

  MySQLClient:
    type: ../database/mysql-client.yaml

  IronicBase:
    type: ./ironic-base-puppet.yaml
    properties:
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      EndpointMap: {get_param: EndpointMap}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}

outputs:
  role_data:
    description: Role data for the Ironic API role.
    value:
      service_name: ironic_api
      firewall_rules:
        '133 ironic api':
          dport:
            - 6385
            - 13385
      keystone_resources:
        ironic:
          endpoints:
            public: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
            internal: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]}
            admin: {get_param: [EndpointMap, IronicAdmin, uri_no_suffix]}
          users:
            ironic:
              roles:
               - admin
               - service
              password: {get_param: IronicPassword}
          region: {get_param: KeystoneRegion}
          service: 'baremetal'
      monitoring_subscription: {get_param: MonitoringSubscriptionIronicApi}
      config_settings:
        map_merge:
          - get_attr: [IronicBase, role_data, config_settings]
          - get_attr: [ApacheServiceBase, role_data, config_settings]
          - ironic::cors::allowed_origin:
              if:
                - cors_allowed_origin_set
                - {get_param: IronicCorsAllowedOrigin}
            ironic::api::authtoken::password: {get_param: IronicPassword}
            ironic::api::authtoken::project_name: 'service'
            ironic::api::authtoken::user_domain_name: 'Default'
            ironic::api::authtoken::project_domain_name: 'Default'
            ironic::api::authtoken::username: 'ironic'
            ironic::api::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            ironic::api::authtoken::region_name: {get_param: KeystoneRegion}
            ironic::api::authtoken::interface: 'internal'
            ironic::api::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
            # NOTE: bind IP is found in hiera replacing the network name with the
            # local node IP for the given network; replacement examples
            # (eg. for internal_api):
            # internal_api -> IP
            # internal_api_uri -> [IP]
            # internal_api_subnet - > IP/CIDR
            ironic::api::host_ip:
             str_replace:
                template:
                  "%{hiera('$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, IronicApiNetwork]}
            ironic::api::port: {get_param: [EndpointMap, IronicInternal, port]}
            # This is used to build links in responses
            ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
            ironic::api::service_name: 'httpd'
            ironic::api::enable_proxy_headers_parsing: true
            ironic::healthcheck::enabled: true
            ironic::policy::policies: {get_param: IronicApiPolicies}
            ironic::wsgi::apache::vhost_custom_fragment:
              if:
                - auth_strategy_http_basic
                - 'WSGIPassAuthorization On'
            ironic::wsgi::apache::bind_host:
              str_replace:
                template:
                  "%{hiera('$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, IronicApiNetwork]}
            ironic::wsgi::apache::port: {get_param: [EndpointMap, IronicInternal, port]}
            ironic::wsgi::apache::servername:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, IronicApiNetwork]}
            ironic::wsgi::apache::ssl: {get_param: EnableInternalTLS}
            ironic::cors::max_age: 3600
            ironic::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'
            ironic::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
            ironic::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
            apache::default_vhost: false
            # NOTE(tkajinam): the project_name parameter defaults to 'services' in puppet-ironic,
            # so override it here to always set the consistent project name.
            ironic::json_rpc::project_name: 'service'
          - if:
              - rpc_transport_json_rpc
              - ironic::json_rpc::auth_type:
                  if:
                    - auth_strategy_non_default
                    - if:
                      - auth_strategy_noauth
                      - 'none'
                      - {get_param: IronicAuthStrategy}
                ironic::json_rpc::password: {get_param: IronicPassword}
                ironic::json_rpc::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
      service_config_settings:
        mysql:
          ironic::db::mysql::password: {get_param: IronicPassword}
          ironic::db::mysql::user: ironic
          ironic::db::mysql::host: '%'
          ironic::db::mysql::dbname: ironic
      # BEGIN DOCKER SETTINGS
      puppet_config:
        config_volume: ironic_api
        puppet_tags: ironic_config
        step_config:
          list_join:
            - "\n"
            - - include tripleo::profile::base::ironic::api
              - {get_attr: [MySQLClient, role_data, step_config]}
        config_image: {get_param: ContainerIronicApiConfigImage}
      kolla_config:
        /var/lib/kolla/config_files/ironic_api.json:
          command: /usr/sbin/httpd -DFOREGROUND
          config_files: &ironic_api_config_files
            - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
              dest: "/etc/httpd/conf.d"
              merge: false
              preserve_properties: true
            - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
              dest: "/etc/httpd/conf.modules.d"
              merge: false
              preserve_properties: true
            - source: "/var/lib/kolla/config_files/src/*"
              dest: "/"
              merge: true
              preserve_properties: true
          permissions: &ironic_api_permissions
            - path: /var/log/ironic
              owner: ironic:ironic
              recurse: true
        /var/lib/kolla/config_files/ironic_api_db_sync.json:
          command: "/usr/bin/bootstrap_host_exec ironic_api su ironic -s /bin/bash -c 'ironic-dbsync --config-file /etc/ironic/ironic.conf'"
          config_files: *ironic_api_config_files
          permissions: *ironic_api_permissions
      docker_config:
        # db sync runs before permissions set by kolla_config
        step_2:
          ironic_init_logs:
            image: &ironic_api_image {get_param: ContainerIronicApiImage}
            net: none
            privileged: false
            user: root
            volumes:
              - /var/log/containers/ironic:/var/log/ironic:z
              - /var/log/containers/httpd/ironic-api:/var/log/httpd:z
            command: ['/bin/bash', '-c', 'chown -R ironic:ironic /var/log/ironic']
        step_3:
          ironic_db_sync:
            start_order: 1
            image: *ironic_api_image
            net: host
            privileged: false
            detach: false
            user: root
            volumes:
              list_concat:
                - {get_attr: [ContainersCommon, volumes]}
                -
                - - /var/lib/kolla/config_files/ironic_api_db_sync.json:/var/lib/kolla/config_files/config.json:ro
                  - /var/lib/config-data/puppet-generated/ironic_api:/var/lib/kolla/config_files/src:ro
                  - /var/log/containers/ironic:/var/log/ironic:z
            environment:
              KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
              TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
        step_4:
          ironic_api:
            start_order: 10
            image: *ironic_api_image
            net: host
            user: root
            restart: always
            healthcheck:
              test: /openstack/healthcheck
            volumes:
              list_concat:
                - {get_attr: [ContainersCommon, volumes]}
                - - /var/lib/kolla/config_files/ironic_api.json:/var/lib/kolla/config_files/config.json:ro
                  - /var/lib/config-data/puppet-generated/ironic_api:/var/lib/kolla/config_files/src:ro
                  - /var/log/containers/ironic:/var/log/ironic:z
                  - /var/log/containers/httpd/ironic-api:/var/log/httpd:z
                - if:
                  - auth_strategy_http_basic
                  - - /etc/ironic_passwd:/etc/ironic/htpasswd:z
                - if:
                    - {get_param: EnableInternalTLS}
                    - - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
                      - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
            environment:
              KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
      host_prep_tasks:
        - name: create persistent directories
          file:
            path: "{{ item.path }}"
            state: directory
            setype: "{{ item.setype }}"
            mode: "{{ item.mode|default(omit) }}"
          with_items:
            - { 'path': /var/log/containers/ironic, 'setype': container_file_t, 'mode': '0750' }
            - { 'path': /var/log/containers/httpd/ironic-api, 'setype': container_file_t, 'mode': '0750' }
        - name: create password file when auth_stragy is 'http_basic'
          vars:
            is_http_basic:
              if:
                - auth_strategy_http_basic
                - true
                - false
          copy:
            dest: /etc/ironic_passwd
            content:
              str_replace:
                template: |
                  admin:{{'$ADMIN_PASSWORD' | password_hash('bcrypt')}}
                  ironic:{{'$IRONIC_PASSWORD' | password_hash('bcrypt')}}                  
                params:
                  $ADMIN_PASSWORD: {get_param: AdminPassword}
                  $IRONIC_PASSWORD: {get_param: IronicPassword}
          when: is_http_basic | bool
      deploy_steps_tasks:
        get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
      external_upgrade_tasks:
        - when: step|int == 1
          block: &ironic_online_db_migration
            - name: Online data migration for Ironic
              command: "{{ container_cli }} exec ironic_api ironic-dbsync --config-file /etc/ironic/ironic.conf online_data_migrations"
              delegate_to: "{{ groups['ironic_api'][0] }}"
              become: true
              tags:
                - online_upgrade
                - online_upgrade_ironic
        - when:
            - step|int == 1
          tags:
            - never
            - system_upgrade_transfer_data
            - system_upgrade_stop_services
          block:
            - name: Stop ironic api container
              import_role:
                name: tripleo_container_stop
              vars:
                tripleo_containers_to_stop:
                  - ironic_api
                tripleo_delegate_to: "{{ groups['ironic_api'] | default([]) }}"
      external_update_tasks:
        - when: step|int == 1
          block: *ironic_online_db_migration