d1eb0bc0dc
The admin endpoint is listening on the ctlplane network by default; services should ideally be using the internal api network for this kind of traffic, as the ctlplane network is mostly for provisioning. On the other hand, the admin endpoint shouldn't be as relevant with services switching to keystone v3. Change-Id: I1213a83ef8693c1cca1d20de974f7949a801d9f1
167 lines
6.8 KiB
YAML
167 lines
6.8 KiB
YAML
heat_template_version: ocata
|
|
|
|
description: >
|
|
OpenStack Cinder API service configured with Puppet
|
|
|
|
parameters:
|
|
CinderEnableDBPurge:
|
|
default: true
|
|
description: |
|
|
Whether to create cron job for purging soft deleted rows in Cinder database.
|
|
type: boolean
|
|
CinderPassword:
|
|
description: The password for the cinder service account, used by cinder-api.
|
|
type: string
|
|
hidden: true
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
MonitoringSubscriptionCinderApi:
|
|
default: 'overcloud-cinder-api'
|
|
type: string
|
|
CinderApiLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.cinder.api
|
|
path: /var/log/cinder/cinder-api.log
|
|
CinderWorkers:
|
|
type: string
|
|
description: Set the number of workers for cinder::wsgi::apache
|
|
default: '%{::os_workers}'
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
|
|
conditions:
|
|
cinder_workers_zero: {equals : [{get_param: CinderWorkers}, 0]}
|
|
|
|
resources:
|
|
|
|
ApacheServiceBase:
|
|
type: ./apache.yaml
|
|
properties:
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
EnableInternalTLS: {get_param: EnableInternalTLS}
|
|
|
|
CinderBase:
|
|
type: ./cinder-base.yaml
|
|
properties:
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Cinder API role.
|
|
value:
|
|
service_name: cinder_api
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionCinderApi}
|
|
logging_source: {get_param: CinderApiLoggingSource}
|
|
logging_groups:
|
|
- cinder
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [CinderBase, role_data, config_settings]
|
|
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
|
- cinder::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
|
|
cinder::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
cinder::keystone::authtoken::password: {get_param: CinderPassword}
|
|
cinder::keystone::authtoken::project_name: 'service'
|
|
cinder::api::enable_proxy_headers_parsing: true
|
|
|
|
cinder::api::nova_catalog_info: 'compute:Compute Service:internalURL'
|
|
# TODO(emilien) move it to puppet-cinder
|
|
cinder::config:
|
|
DEFAULT/swift_catalog_info:
|
|
value: 'object-store:swift:internalURL'
|
|
tripleo::profile::base::cinder::cinder_enable_db_purge: {get_param: CinderEnableDBPurge}
|
|
tripleo.cinder_api.firewall_rules:
|
|
'119 cinder':
|
|
dport:
|
|
- 8776
|
|
- 13776
|
|
cinder::api::bind_host:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]}
|
|
cinder::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
|
cinder::api::service_name: 'httpd'
|
|
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
|
|
# for the given network; replacement examples (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
cinder::wsgi::apache::bind_host: {get_param: [ServiceNetMap, CinderApiNetwork]}
|
|
cinder::wsgi::apache::servername:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]}
|
|
-
|
|
if:
|
|
- cinder_workers_zero
|
|
- {}
|
|
- cinder::wsgi::apache::workers: {get_param: CinderWorkers}
|
|
step_config: |
|
|
include ::tripleo::profile::base::cinder::api
|
|
service_config_settings:
|
|
keystone:
|
|
cinder::keystone::auth::tenant: 'service'
|
|
cinder::keystone::auth::public_url: {get_param: [EndpointMap, CinderPublic, uri]}
|
|
cinder::keystone::auth::internal_url: {get_param: [EndpointMap, CinderInternal, uri]}
|
|
cinder::keystone::auth::admin_url: {get_param: [EndpointMap, CinderAdmin, uri]}
|
|
cinder::keystone::auth::public_url_v2: {get_param: [EndpointMap, CinderV2Public, uri]}
|
|
cinder::keystone::auth::internal_url_v2: {get_param: [EndpointMap, CinderV2Internal, uri]}
|
|
cinder::keystone::auth::admin_url_v2: {get_param: [EndpointMap, CinderV2Admin, uri]}
|
|
cinder::keystone::auth::public_url_v3: {get_param: [EndpointMap, CinderV3Public, uri]}
|
|
cinder::keystone::auth::internal_url_v3: {get_param: [EndpointMap, CinderV3Internal, uri]}
|
|
cinder::keystone::auth::admin_url_v3: {get_param: [EndpointMap, CinderV3Admin, uri]}
|
|
cinder::keystone::auth::password: {get_param: CinderPassword}
|
|
cinder::keystone::auth::region: {get_param: KeystoneRegion}
|
|
mysql:
|
|
cinder::db::mysql::password: {get_param: CinderPassword}
|
|
cinder::db::mysql::user: cinder
|
|
cinder::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
|
|
cinder::db::mysql::dbname: cinder
|
|
cinder::db::mysql::allowed_hosts:
|
|
- '%'
|
|
- "%{hiera('mysql_bind_host')}"
|
|
metadata_settings:
|
|
get_attr: [ApacheServiceBase, role_data, metadata_settings]
|
|
upgrade_tasks:
|
|
- name: "PreUpgrade step0,validation: Check service openstack-cinder-api is running"
|
|
shell: /usr/bin/systemctl show 'openstack-cinder-api' --property ActiveState | grep '\bactive\b'
|
|
tags: step0,validation
|
|
- name: check for cinder running under apache (post upgrade)
|
|
tags: step2
|
|
shell: "apachectl -t -D DUMP_VHOSTS | grep -q cinder"
|
|
register: cinder_apache
|
|
ignore_errors: true
|
|
- name: Stop cinder_api service (running under httpd)
|
|
tags: step2
|
|
service: name=httpd state=stopped
|
|
when: "cinder_apache.rc == 0"
|
|
- name: Stop and disable cinder_api service (pre-upgrade not under httpd)
|
|
tags: step2
|
|
service: name=openstack-cinder-api state=stopped enabled=no
|