tripleo-heat-templates/deployment/zaqar/zaqar-container-puppet.yaml
Takashi Kajinami 37548ddb40 Enforce internal api for token verification
This change enforces the usage of the internal API for token verification,
so that internal requests to Keystone use the internal endpoint instead
of the admin endpoint, which is deployed on the provisioning network by default.

Change-Id: I8b5ac36ff1da46844d18fa73f835175e52719a63
Closes-Bug: #1899266
2020-10-11 15:46:08 +09:00


heat_template_version: rocky

# Containerized Zaqar (OpenStack messaging) API and websocket services.
description: >
  OpenStack containerized Zaqar services
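parameters:
  ContainerZaqarImage:
    description: image
    type: string
  ContainerZaqarConfigImage:
    description: The container image to use for the zaqar config_volume
    type: string
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry. This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    description: Default passwords; passed through to the ApacheServiceBase resource.
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  DeployIdentifier:
    default: ''
    type: string
    description: >
      Setting this to a unique value will re-run any deployment tasks which
      perform configuration on a Heat stack-update.
  Debug:
    type: boolean
    description: Set to True to enable debugging on all services.
    default: false
  ZaqarDebug:
    default: ''
    description: Set to True to enable debugging Zaqar service.
    type: string
    constraints:
      - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
  EnableSQLAlchemyCollectd:
    type: boolean
    description: >
      Set to true to enable the SQLAlchemy-collectd server plugin
    default: false
  ZaqarPassword:
    description: The password for Zaqar
    type: string
    hidden: true
  KeystoneRegion:
    type: string
    default: 'regionOne'
    description: Keystone region for endpoint
  ZaqarPolicies:
    description: |
      A hash of policies to configure for Zaqar.
      e.g. { zaqar-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
    default: {}
    type: json
  ZaqarWorkers:
    type: string
    description: Set the number of workers for zaqar::wsgi::apache
    default: '%{::os_workers}'
  ZaqarMessageStore:
    type: string
    description: The messaging store for Zaqar
    default: redis
  ZaqarManagementStore:
    type: string
    description: The management store for Zaqar
    default: redis
  EnableInternalTLS:
    type: boolean
    default: false
    description: >
      Set to true to enable TLS on the Zaqar API Apache vhost and to mount
      the httpd certificate and key into the zaqar container.
  RedisPassword:
    description: The password for the redis service account.
    type: string
    hidden: true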
conditions:
  # Drives zaqar::wsgi::apache::ssl and the TLS certificate/key mounts below.
  internal_tls_enabled: {get_param: EnableInternalTLS}
  # An empty ZaqarDebug means "fall back to the global Debug flag".
  service_debug_unset: {equals : [{get_param: ZaqarDebug}, '']}
  zaqar_management_store_sqlalchemy: {equals : [{get_param: ZaqarManagementStore}, 'sqlalchemy']}
  # NOTE(review): ZaqarWorkers is declared as a string parameter but is compared
  # with the integer 0 here — confirm a user-supplied '0' actually matches.
  zaqar_workers_zero: {equals : [{get_param: ZaqarWorkers}, 0]}
  zaqar_messaging_store_swift: {equals : [{get_param: ZaqarMessageStore}, 'swift']}
  zaqar_messaging_store_redis: {equals : [{get_param: ZaqarMessageStore}, 'redis']}
  enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
resources:
  # Shared Apache configuration; its config_settings and metadata_settings
  # are merged into role_data below.
  ApacheServiceBase:
    type: ../../deployment/apache/apache-baremetal-puppet.yaml
    properties:
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      EndpointMap: {get_param: EndpointMap}
      EnableInternalTLS: {get_param: EnableInternalTLS}

  # Provides the common container volume list used by the zaqar containers.
  ContainersCommon:
    type: ../containers-common.yaml

  # Provides the mysql client step_config appended to puppet_config below.
  MySQLClient:
    type: ../database/mysql-client.yaml
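outputs:
  role_data:
    description: Role data for the Zaqar API role.
    value:
      service_name: zaqar_api
      # Listeners for the API and websocket transports plus their TLS variants.
      firewall_rules:
        '113 zaqar_api':
          dport:
            - 9000
            - 8888
            - 3000  # SSL for websocket
            - 13888  # SSL for api
      keystone_resources:
        zaqar:
          endpoints:
            public: {get_param: [EndpointMap, ZaqarPublic, uri]}
            internal: {get_param: [EndpointMap, ZaqarInternal, uri]}
            admin: {get_param: [EndpointMap, ZaqarAdmin, uri]}
          users:
            zaqar:
              password: {get_param: ZaqarPassword}
          region: {get_param: KeystoneRegion}
          service: 'messaging'
        zaqar-websocket:
          endpoints:
            public: {get_param: [EndpointMap, ZaqarWebSocketPublic, uri]}
            internal: {get_param: [EndpointMap, ZaqarWebSocketInternal, uri]}
            admin: {get_param: [EndpointMap, ZaqarWebSocketAdmin, uri]}
          users:
            zaqar-websocket:
              password: {get_param: ZaqarPassword}
          region: {get_param: KeystoneRegion}
          service: 'messaging-websocket'
      config_settings:
        map_merge:
          - get_attr: [ApacheServiceBase, role_data, config_settings]
          - zaqar::policy::policies: {get_param: ZaqarPolicies}
            zaqar::keystone::authtoken::password: {get_param: ZaqarPassword}
            zaqar::keystone::authtoken::project_name: 'service'
            zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            zaqar::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
            zaqar::keystone::authtoken::region_name: {get_param: KeystoneRegion}
            # Token verification uses the keystone internal endpoint instead of
            # the admin endpoint, which lives on the provisioning network by default.
            zaqar::keystone::authtoken::interface: 'internal'
            zaqar::keystone::trust::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            # The per-service ZaqarDebug value wins over the global Debug flag when set.
            zaqar::logging::debug:
              if:
                - service_debug_unset
                - {get_param: Debug }
                - {get_param: ZaqarDebug }
            zaqar::server::service_name: 'httpd'
            zaqar::transport::websocket::bind:
              str_replace:
                template:
                  "%{hiera('$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, ZaqarApiNetwork]}
            zaqar::transport::websocket::notification_bind:
              str_replace:
                template:
                  "%{hiera('$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, ZaqarApiNetwork]}
            zaqar::wsgi::apache::ssl: {get_param: EnableInternalTLS}
            zaqar::wsgi::apache::bind_host:
              str_replace:
                template:
                  "%{hiera('$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, ZaqarApiNetwork]}
            zaqar::message_pipeline: 'zaqar.notification.notifier'
            zaqar::max_messages_post_size: 2097152
            zaqar::unreliable: true
            zaqar::wsgi::apache::servername:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, ZaqarApiNetwork]}
            zaqar::message_store: {get_param: ZaqarMessageStore}
            zaqar::management_store: {get_param: ZaqarManagementStore}
          -
            if:
              - zaqar_messaging_store_swift
              -
                # The store URI embeds the service password; ZaqarPassword is
                # declared hidden in the parameters section for that reason.
                zaqar::messaging::swift::uri:
                  list_join:
                    - ''
                    - ['swift://zaqar:', {get_param: ZaqarPassword}, '@/service']
                zaqar::messaging::swift::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
                tripleo::profile::base::zaqar::messaging_store: 'swift'
              - {}
          -
            if:
              - zaqar_messaging_store_redis
              -
                zaqar_redis_password: {get_param: RedisPassword}
                tripleo::profile::base::zaqar::messaging_store: 'redis'
              - {}
          -
            if:
              - zaqar_management_store_sqlalchemy
              -
                tripleo::profile::base::zaqar::management_store: 'sqlalchemy'
                zaqar::management::sqlalchemy::uri:
                  make_url:
                    scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
                    username: zaqar
                    password: {get_param: ZaqarPassword}
                    host: {get_param: [EndpointMap, MysqlInternal, host]}
                    path: /zaqar
                    # TLS/client options come from tripleo.cnf; the collectd
                    # plugin entries are only added when the condition holds.
                    query:
                      if:
                        - enable_sqlalchemy_collectd
                        -
                          read_default_file: /etc/my.cnf.d/tripleo.cnf
                          read_default_group: tripleo
                          plugin: collectd
                          collectd_program_name: zaqar
                          collectd_host: localhost
                        -
                          read_default_file: /etc/my.cnf.d/tripleo.cnf
                          read_default_group: tripleo
              - {}
          -
            if:
              - zaqar_workers_zero
              - {}
              - zaqar::wsgi::apache::workers: {get_param: ZaqarWorkers}
      service_config_settings:
        map_merge:
          - keystone:
              zaqar::keystone::trust::password: {get_param: ZaqarPassword}
              zaqar::keystone::trust::user_domain_name: 'Default'
          -
            if:
              - zaqar_management_store_sqlalchemy
              - mysql:
                  zaqar::db::mysql::user: zaqar
                  zaqar::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
                  zaqar::db::mysql::dbname: zaqar
                  zaqar::db::mysql::password: {get_param: ZaqarPassword}
                  zaqar::db::mysql::allowed_hosts:
                    - '%'
                    - "%{hiera('mysql_bind_host')}"
              - {}
      # BEGIN DOCKER SETTINGS
      puppet_config:
        config_volume: zaqar
        puppet_tags: zaqar_config
        step_config:
          list_join:
            - "\n"
            - - include tripleo::profile::base::zaqar
              - {get_attr: [MySQLClient, role_data, step_config]}
        config_image: {get_param: ContainerZaqarConfigImage}
      kolla_config:
        /var/lib/kolla/config_files/zaqar.json:
          command: /usr/sbin/httpd -DFOREGROUND
          config_files:
            - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
              dest: "/etc/httpd/conf.d"
              merge: false
              preserve_properties: true
            - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
              dest: "/etc/httpd/conf.modules.d"
              # TODO(emilien) remove optional flag once we get a promotion
              # https://launchpad.net/bugs/1884115
              optional: true
              merge: false
              preserve_properties: true
            - source: "/var/lib/kolla/config_files/src/*"
              dest: "/"
              merge: true
              preserve_properties: true
        /var/lib/kolla/config_files/zaqar_websocket.json:
          command: /usr/bin/zaqar-server --config-file /etc/zaqar/zaqar.conf --config-file /etc/zaqar/1.conf
          config_files:
            - source: "/var/lib/kolla/config_files/src/*"
              dest: "/"
              merge: true
              preserve_properties: true
          permissions:
            - path: /var/log/zaqar
              owner: zaqar:zaqar
              recurse: true
      docker_config:
        map_merge:
          -
            # Log-dir initialisation and db sync are only needed for the
            # sqlalchemy management store.
            if:
              - zaqar_management_store_sqlalchemy
              -
                step_2:
                  zaqar_init_log:
                    image: &zaqar_image {get_param: ContainerZaqarImage}
                    net: none
                    user: root
                    volumes:
                      - /var/log/containers/zaqar:/var/log/zaqar
                      - /var/log/containers/httpd/zaqar:/var/log/httpd
                    # 2755 keeps the setgid bit so new log files inherit the zaqar group.
                    command: ['/bin/bash', '-c', 'chmod 2755 /var/log/zaqar; touch /var/log/zaqar/zaqar-server.log; chown -R zaqar:zaqar /var/log/zaqar']
                step_3:
                  zaqar_db_sync:
                    image: *zaqar_image
                    net: host
                    privileged: false
                    detach: false
                    user: root
                    volumes:
                      list_concat:
                        - {get_attr: [ContainersCommon, volumes]}
                        -
                          - /var/lib/config-data/zaqar/etc/zaqar/:/etc/zaqar/:ro
                          - /var/log/containers/zaqar:/var/log/zaqar
                          - /var/log/containers/httpd/zaqar:/var/log/httpd
                    # Runs on the bootstrap node only, as the unprivileged zaqar user.
                    command: "/usr/bin/bootstrap_host_exec zaqar_api su zaqar -s /bin/bash -c 'zaqar-sql-db-manage upgrade head'"
                    environment:
                      TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
              - {}
          - step_4:
              zaqar:
                image: *zaqar_image
                net: host
                privileged: false
                restart: always
                # NOTE(mandre) kolla image changes the user to 'zaqar', we need it
                # to be root to run httpd
                user: root
                healthcheck:
                  test: /usr/share/openstack-tripleo-common/healthcheck/zaqar-api
                volumes:
                  list_concat:
                    - {get_attr: [ContainersCommon, volumes]}
                    -
                      - /var/lib/kolla/config_files/zaqar.json:/var/lib/kolla/config_files/config.json:ro
                      - /var/lib/config-data/puppet-generated/zaqar:/var/lib/kolla/config_files/src:ro
                      - /var/log/containers/zaqar:/var/log/zaqar
                      - /var/log/containers/httpd/zaqar:/var/log/httpd
                    # Certificate and key are mounted read-only only when internal TLS is on.
                    - if:
                        - internal_tls_enabled
                        - - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
                        - []
                    - if:
                        - internal_tls_enabled
                        - - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
                        - []
                environment:
                  KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
              zaqar_websocket:
                image: *zaqar_image
                net: host
                privileged: false
                restart: always
                healthcheck:
                  test:
                    list_join:
                      - ' '
                      - - '/usr/share/openstack-tripleo-common/healthcheck/zaqar-api'
                        - {get_param: [EndpointMap, ZaqarWebSocketInternal, port]}
                volumes:
                  list_concat:
                    - {get_attr: [ContainersCommon, volumes]}
                    -
                      - /var/lib/kolla/config_files/zaqar_websocket.json:/var/lib/kolla/config_files/config.json:ro
                      - /var/lib/config-data/puppet-generated/zaqar:/var/lib/kolla/config_files/src:ro
                      - /var/log/containers/zaqar:/var/log/zaqar
                      - /var/log/containers/httpd/zaqar:/var/log/httpd
                environment:
                  KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
      host_prep_tasks:
        - name: create persistent directories
          file:
            path: "{{ item.path }}"
            state: directory
            setype: "{{ item.setype }}"
            mode: "{{ item.mode }}"
          with_items:
            - { 'path': /var/log/containers/zaqar, 'setype': container_file_t, 'mode': '0750' }
            - { 'path': /var/log/containers/httpd/zaqar, 'setype': container_file_t, 'mode': '0750' }
      metadata_settings:
        get_attr: [ApacheServiceBase, role_data, metadata_settings]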