37447494de
Without this, ceilometer db gets hammered with gnocchi swift events. Keystone creds are required so middleware can query for id. Related change: I5c0f4f1a2c7fe7eb39ea6441970e9ac0946a4ec1 Change-Id: I9a7a80252703e470a69dc10352e7ece45ab23150
219 lines
8.6 KiB
YAML
219 lines
8.6 KiB
YAML
heat_template_version: pike
|
|
|
|
description: >
|
|
OpenStack Swift Proxy service configured with Puppet
|
|
|
|
parameters:
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
Debug:
|
|
default: ''
|
|
description: Set to True to enable debugging on all services.
|
|
type: string
|
|
SwiftPassword:
|
|
description: The password for the swift service account, used by the swift proxy services.
|
|
type: string
|
|
hidden: true
|
|
SwiftProxyNodeTimeout:
|
|
default: 60
|
|
description: Timeout for requests going from swift-proxy to swift a/c/o services.
|
|
type: number
|
|
SwiftWorkers:
|
|
default: auto
|
|
description: Number of workers for Swift service.
|
|
type: string
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
MonitoringSubscriptionSwiftProxy:
|
|
default: 'overcloud-swift-proxy'
|
|
type: string
|
|
RabbitPassword:
|
|
description: The password for RabbitMQ
|
|
type: string
|
|
hidden: true
|
|
RabbitUserName:
|
|
default: guest
|
|
description: The username for RabbitMQ
|
|
type: string
|
|
SwiftCeilometerPipelineEnabled:
|
|
description: Set to False to disable the swift proxy ceilometer pipeline.
|
|
default: True
|
|
type: boolean
|
|
SwiftCeilometerIgnoreProjects:
|
|
default: ['services']
|
|
description: Comma-seperated list of project names to ignore.
|
|
type: comma_delimited_list
|
|
RabbitClientPort:
|
|
default: 5672
|
|
description: Set rabbit subscriber port, change this if using SSL
|
|
type: number
|
|
RabbitClientUseSSL:
|
|
default: false
|
|
description: >
|
|
Rabbit client subscriber parameter to specify
|
|
an SSL connection to the RabbitMQ host.
|
|
type: string
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
|
|
conditions:
|
|
|
|
ceilometer_pipeline_enabled: {equals : [{get_param: SwiftCeilometerPipelineEnabled}, True]}
|
|
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
|
|
|
|
resources:
|
|
SwiftBase:
|
|
type: ./swift-base.yaml
|
|
properties:
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
TLSProxyBase:
|
|
type: OS::TripleO::Services::TLSProxyBase
|
|
properties:
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
EnableInternalTLS: {get_param: EnableInternalTLS}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Swift proxy service.
|
|
value:
|
|
service_name: swift_proxy
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionSwiftProxy}
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [SwiftBase, role_data, config_settings]
|
|
- get_attr: [TLSProxyBase, role_data, config_settings]
|
|
- swift::proxy::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
|
|
swift::proxy::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
swift::proxy::authtoken::password: {get_param: SwiftPassword}
|
|
swift::proxy::authtoken::project_name: 'service'
|
|
swift::proxy::node_timeout: {get_param: SwiftProxyNodeTimeout}
|
|
swift::proxy::workers: {get_param: SwiftWorkers}
|
|
swift::proxy::ceilometer::rabbit_user: {get_param: RabbitUserName}
|
|
swift::proxy::ceilometer::rabbit_password: {get_param: RabbitPassword}
|
|
swift::proxy::ceilometer::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
|
|
swift::proxy::ceilometer::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
swift::proxy::ceilometer::password: {get_param: SwiftPassword}
|
|
swift::proxy::ceilometer::ignore_projects: {get_param: SwiftCeilometerIgnoreProjects}
|
|
swift::proxy::staticweb::url_base: {get_param: [EndpointMap, SwiftPublic, uri_no_suffix]}
|
|
swift::proxy::ceilometer::nonblocking_notify: true
|
|
tripleo::profile::base::swift::proxy::rabbit_port: {get_param: RabbitClientPort}
|
|
tripleo::profile::base::swift::proxy::ceilometer_messaging_use_ssl: {get_param: RabbitClientUseSSL}
|
|
tripleo::profile::base::swift::proxy::ceilometer_enabled: {get_param: SwiftCeilometerPipelineEnabled}
|
|
tripleo.swift_proxy.firewall_rules:
|
|
'122 swift proxy':
|
|
dport:
|
|
- 8080
|
|
- 13808
|
|
swift::proxy::keystone::operator_roles:
|
|
- admin
|
|
- swiftoperator
|
|
- ResellerAdmin
|
|
swift::proxy::versioned_writes::allow_versioned_writes: true
|
|
swift::proxy::pipeline:
|
|
yaql:
|
|
expression: $.data.pipeline.where($ != '')
|
|
data:
|
|
pipeline:
|
|
- 'catch_errors'
|
|
- 'healthcheck'
|
|
- 'proxy-logging'
|
|
- 'cache'
|
|
- 'ratelimit'
|
|
- 'bulk'
|
|
- 'tempurl'
|
|
- 'formpost'
|
|
- 'authtoken'
|
|
- 'keystone'
|
|
- 'staticweb'
|
|
- 'copy'
|
|
- 'container_quotas'
|
|
- 'account_quotas'
|
|
- 'slo'
|
|
- 'dlo'
|
|
- 'versioned_writes'
|
|
-
|
|
if:
|
|
- ceilometer_pipeline_enabled
|
|
- 'ceilometer'
|
|
- ''
|
|
- 'proxy-logging'
|
|
- 'proxy-server'
|
|
swift::proxy::ceilometer::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
|
|
swift::proxy::account_autocreate: true
|
|
# NOTE: bind IP is found in Heat replacing the network name with the
|
|
# local node IP for the given network; replacement examples
|
|
# (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
tripleo::profile::base::swift::proxy::tls_proxy_bind_ip:
|
|
get_param: [ServiceNetMap, SwiftProxyNetwork]
|
|
tripleo::profile::base::swift::proxy::tls_proxy_fqdn:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
|
|
tripleo::profile::base::swift::proxy::tls_proxy_port:
|
|
get_param: [EndpointMap, SwiftInternal, port]
|
|
swift::proxy::port: {get_param: [EndpointMap, SwiftInternal, port]}
|
|
swift::proxy::proxy_local_net_ip:
|
|
if:
|
|
- use_tls_proxy
|
|
- 'localhost'
|
|
- {get_param: [ServiceNetMap, SwiftProxyNetwork]}
|
|
step_config: |
|
|
include ::tripleo::profile::base::swift::proxy
|
|
service_config_settings:
|
|
keystone:
|
|
swift::keystone::auth::public_url: {get_param: [EndpointMap, SwiftPublic, uri]}
|
|
swift::keystone::auth::internal_url: {get_param: [EndpointMap, SwiftInternal, uri]}
|
|
swift::keystone::auth::admin_url: {get_param: [EndpointMap, SwiftAdmin, uri]}
|
|
swift::keystone::auth::public_url_s3: {get_param: [EndpointMap, SwiftS3Public, uri]}
|
|
swift::keystone::auth::internal_url_s3: {get_param: [EndpointMap, SwiftS3Internal, uri]}
|
|
swift::keystone::auth::admin_url_s3: {get_param: [EndpointMap, SwiftS3Admin, uri]}
|
|
swift::keystone::auth::password: {get_param: SwiftPassword}
|
|
swift::keystone::auth::region: {get_param: KeystoneRegion}
|
|
swift::keystone::auth::tenant: 'service'
|
|
swift::keystone::auth::configure_s3_endpoint: false
|
|
swift::keystone::auth::operator_roles:
|
|
- admin
|
|
- swiftoperator
|
|
- ResellerAdmin
|
|
upgrade_tasks:
|
|
- name: Stop swift_proxy service
|
|
tags: step1
|
|
service: name=openstack-swift-proxy state=stopped
|
|
metadata_settings:
|
|
get_attr: [TLSProxyBase, role_data, metadata_settings]
|