openstack/tripleo-heat-templates
Code Issues Proposed changes
a31e100caf
tripleo-heat-templates/deployment/heat/heat-base-puppet.yaml
Takashi Kajinami 37548ddb40 Enforce internal api for token verification 
This change enforces the usage of internal api for token verification,
so that internal requests to keystone uses internal endpoint instead
of admin endpoint which is deployed on provisioning network by default.

Change-Id: I8b5ac36ff1da46844d18fa73f835175e52719a63
Closes-Bug: #1899266
2020-10-11 15:46:08 +09:00

201 lines
7.8 KiB
YAML
Raw Blame History

heat_template_version: rocky
description: >
Openstack Heat base service. Shared for all Heat services.
parameters:
Debug:
default: false
description: Set to True to enable debugging on all services.
type: boolean
HeatDebug:
default: ''
description: Set to True to enable debugging Heat services.
type: string
constraints:
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
HeatPassword:
description: The password for the Heat service and db account, used by the Heat services.
type: string
hidden: true
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
EnableCache:
description: Enable caching with memcached
type: boolean
default: true
HeatCronPurgeDeletedEnsure:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Ensure
default: 'present'
HeatCronPurgeDeletedMinute:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Minute
default: '1'
HeatCronPurgeDeletedHour:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Hour
default: '0'
HeatCronPurgeDeletedMonthday:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Month Day
default: '*'
HeatCronPurgeDeletedMonth:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Month
default: '*'
HeatCronPurgeDeletedWeekday:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Week Day
default: '*'
HeatCronPurgeDeletedMaxDelay:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Max Delay
default: '3600'
HeatCronPurgeDeletedUser:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - User
default: 'heat'
HeatCronPurgeDeletedAge:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Age
default: '30'
HeatCronPurgeDeletedAgeType:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Age type
default: 'days'
HeatCronPurgeDeletedDestination:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Log destination
default: '/dev/null'
HeatYaqlLimitIterators:
type: number
description: >
The maximum number of elements in collection yaql expressions can take
for its evaluation.
default: 1000
HeatYaqlMemoryQuota:
type: number
description: >
The maximum size of memory in bytes that yaql exrpessions can take for
its evaluation.
default: 100000
HeatMaxJsonBodySize:
default: 4194304
description: Maximum raw byte size of the Heat API JSON request body.
type: number
NotificationDriver:
type: string
default: 'noop'
description: Driver or drivers to handle sending notifications.
HeatCorsAllowedOrigin:
type: string
default: ''
description: Indicate whether this resource may be shared with the domain received in the request
"origin" header.
conditions:
service_debug_unset: {equals : [{get_param: HeatDebug}, '']}
cache_enabled: {equals : [{get_param: EnableCache}, true]}
cors_allowed_origin_unset: {equals : [{get_param: HeatCorsAllowedOrigin}, '']}
outputs:
role_data:
description: Shared role data for the Heat services.
value:
service_name: heat_base
config_settings:
map_merge:
-
if:
- cors_allowed_origin_unset
- {}
- heat::cors::allowed_origin: {get_param: HeatCorsAllowedOrigin}
- heat::notification_driver: {get_param: NotificationDriver}
heat::logging::debug:
if:
- service_debug_unset
- {get_param: Debug }
- {get_param: HeatDebug }
heat::enable_proxy_headers_parsing: true
heat::rpc_response_timeout: 600
heat::rabbit_heartbeat_timeout_threshold: 60
heat::region_name: {get_param: KeystoneRegion}
heat::keystone::authtoken::project_name: 'service'
heat::keystone::authtoken::user_domain_name: 'Default'
heat::keystone::authtoken::project_domain_name: 'Default'
heat::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
heat::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
heat::keystone::authtoken::password: {get_param: HeatPassword}
heat::keystone::authtoken::region_name: {get_param: KeystoneRegion}
heat::keystone::authtoken::interface: 'internal'
heat::heat_keystone_clients_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
heat::keystone::domain::domain_name: 'heat_stack'
heat::keystone::domain::domain_admin: 'heat_stack_domain_admin'
heat::keystone::domain::domain_admin_email: 'heat_stack_domain_admin@localhost'
heat::db::database_db_max_retries: -1
heat::db::database_max_retries: -1
heat::yaql_memory_quota: {get_param: HeatYaqlMemoryQuota}
heat::yaql_limit_iterators: {get_param: HeatYaqlLimitIterators}
heat::cors::max_age: 3600
heat::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
heat::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
heat::cron::purge_deleted::ensure: {get_param: HeatCronPurgeDeletedEnsure}
heat::cron::purge_deleted::minute: {get_param: HeatCronPurgeDeletedMinute}
heat::cron::purge_deleted::hour: {get_param: HeatCronPurgeDeletedHour}
heat::cron::purge_deleted::monthday: {get_param: HeatCronPurgeDeletedMonthday}
heat::cron::purge_deleted::month: {get_param: HeatCronPurgeDeletedMonth}
heat::cron::purge_deleted::weekday: {get_param: HeatCronPurgeDeletedWeekday}
heat::cron::purge_deleted::maxdelay: {get_param: HeatCronPurgeDeletedMaxDelay}
heat::cron::purge_deleted::user: {get_param: HeatCronPurgeDeletedUser}
heat::cron::purge_deleted::age: {get_param: HeatCronPurgeDeletedAge}
heat::cron::purge_deleted::age_type: {get_param: HeatCronPurgeDeletedAgeType}
heat::cron::purge_deleted::destination: {get_param: HeatCronPurgeDeletedDestination}
heat::max_json_body_size: {get_param: HeatMaxJsonBodySize}
-
if:
- cache_enabled
- heat::cache::enabled: true
heat::cache::backend: 'dogpile.cache.memcached'
heat::cache::resource_finder_caching: false
- {}
View Git Blame Copy Permalink