38ddc4c493
We're trying to avoid the usage of the admin endpoint in order to deprecate it eventually. Change-Id: I4b9714d525129252e06a605690cf9b4b0cd793aa
162 lines
5.9 KiB
YAML
162 lines
5.9 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
OpenStack Nova Metadata API service configured with Puppet
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
NovaWorkers:
|
|
default: 0
|
|
description: Number of workers for Nova services.
|
|
type: number
|
|
NovaPassword:
|
|
description: The password for the nova service and db account
|
|
type: string
|
|
hidden: true
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
NeutronMetadataProxySharedSecret:
|
|
description: Shared secret to prevent spoofing
|
|
type: string
|
|
hidden: true
|
|
MonitoringSubscriptionNovaMetadata:
|
|
default: 'overcloud-nova-metadata'
|
|
type: string
|
|
NovaMetadataLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.nova.metadata
|
|
path: /var/log/httpd/nova_metadata_wsgi_error_ssl.log
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
|
|
conditions:
|
|
nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}
|
|
is_neutron_shared_metadata_notempty: {not: {equals: [{get_param: NeutronMetadataProxySharedSecret}, '']}}
|
|
|
|
resources:
|
|
ApacheServiceBase:
|
|
type: ./apache.yaml
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
EnableInternalTLS: {get_param: EnableInternalTLS}
|
|
|
|
NovaBase:
|
|
type: ./nova-base.yaml
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Nova Metadata service.
|
|
value:
|
|
service_name: nova_metadata
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionNovaMetadata}
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [NovaBase, role_data, config_settings]
|
|
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
|
- tripleo::nova_placement::firewall_rules:
|
|
'139 nova_metadata':
|
|
dport:
|
|
- 8775
|
|
- 13775
|
|
nova::keystone::authtoken::project_name: 'service'
|
|
nova::keystone::authtoken::password: {get_param: NovaPassword}
|
|
nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
|
nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
nova::metadata::enable_proxy_headers_parsing: true
|
|
nova_metadata_wsgi_enabled: true
|
|
nova::wsgi::apache_metadata::api_port: '8775'
|
|
nova::wsgi::apache_metadata::ssl: {get_param: EnableInternalTLS}
|
|
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
|
|
# for the given network; replacement examples (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
nova::wsgi::apache_metadata::bind_host:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
|
|
nova::wsgi::apache_metadata::servername:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
|
|
-
|
|
if:
|
|
- nova_workers_zero
|
|
- {}
|
|
- nova::wsgi::apache_metadata::workers: {get_param: NovaWorkers}
|
|
-
|
|
if:
|
|
- is_neutron_shared_metadata_notempty
|
|
- nova::metadata::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
|
|
- {}
|
|
step_config: |
|
|
include tripleo::profile::base::nova::metadata
|
|
service_config_settings:
|
|
fluentd:
|
|
tripleo_fluentd_groups_nova_metadata:
|
|
- nova
|
|
tripleo_fluentd_sources_nova_metadata:
|
|
- {get_param: NovaMetadataLoggingSource}
|
|
keystone:
|
|
nova::keystone::auth::tenant: 'service'
|
|
nova::keystone::auth::public_url: {get_param: [EndpointMap, NovaPublic, uri]}
|
|
nova::keystone::auth::internal_url: {get_param: [EndpointMap, NovaInternal, uri]}
|
|
nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]}
|
|
nova::keystone::auth::password: {get_param: NovaPassword}
|
|
nova::keystone::auth::region: {get_param: KeystoneRegion}
|
|
mysql:
|
|
map_merge:
|
|
- {get_attr: [NovaBase, role_data, service_config_settings, mysql]}
|
|
- nova::db::mysql_api::password: {get_param: NovaPassword}
|
|
nova::db::mysql_api::user: nova_api
|
|
nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
|
|
nova::db::mysql_api::dbname: nova_api
|
|
nova::db::mysql_api::allowed_hosts:
|
|
- '%'
|
|
- "%{hiera('mysql_bind_host')}"
|