tripleo-heat-templates/puppet/services/octavia-api.yaml
Carlos Goncalves 0e6087d93a Pass parameters for TLS proxy in front of Octavia-API
If TLS in the internal network is enabled, we run octavia-api behind a
TLS proxy.This passes the necessary hieradata.

Depends-On: https://review.openstack.org/597038

Closes-Bug: #1789303
Co-Authored-By: Kellen Gattis <kgattis@redhat.com>
Change-Id: I735f701c90492fa0cf09417c8c71c2868ca85d08
2018-09-01 11:28:30 +00:00

178 lines
6.8 KiB
YAML

heat_template_version: rocky
description: >
OpenStack Octavia API service.
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
OctaviaUserName:
description: The username for the Octavia database and keystone accounts.
type: string
default: 'octavia'
OctaviaPassword:
description: The password for the Octavia database and keystone accounts.
type: string
hidden: true
OctaviaProjectName:
description: The project name for the keystone Octavia account.
type: string
default: 'service'
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
MonitoringSubscriptionOctaviaApi:
default: 'overcloud-octavia-api'
type: string
OctaviaApiLoggingSource:
type: json
default:
tag: openstack.octavia.api
path: /var/log/octavia/api.log
OctaviaApiPolicies:
description: |
A hash of policies to configure for Octavia API.
e.g. { octavia-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
EnableInternalTLS:
type: boolean
default: false
conditions:
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
resources:
TLSProxyBase:
type: OS::TripleO::Services::TLSProxyBase
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
EnableInternalTLS: {get_param: EnableInternalTLS}
OctaviaBase:
type: ./octavia-base.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Role data for the Octavia API service.
value:
service_name: octavia_api
monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaApi}
config_settings:
map_merge:
- get_attr: [OctaviaBase, role_data, config_settings]
- get_attr: [TLSProxyBase, role_data, config_settings]
- octavia::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
octavia::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
octavia::policy::policies: {get_param: OctaviaApiPolicies}
octavia::db::database_connection:
make_url:
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
username: {get_param: OctaviaUserName}
password: {get_param: OctaviaPassword}
host: {get_param: [EndpointMap, MysqlInternal, host]}
path: /octavia
query:
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
octavia::keystone::authtoken::project_name: {get_param: OctaviaProjectName}
octavia::keystone::authtoken::password: {get_param: OctaviaPassword}
octavia::api::sync_db: true
tripleo.octavia_api.firewall_rules:
'120 octavia api':
dport:
- 9876
- 13876
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
tripleo::profile::base::octavia::api::tls_proxy_bind_ip:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
tripleo::profile::base::octavia::api::tls_proxy_fqdn:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
tripleo::profile::base::octavia::api::tls_proxy_port:
get_param: [EndpointMap, OctaviaInternal, port]
# Bind to localhost if internal TLS is enabled, since we put a TLS
# proxy in front.
octavia::api::host:
if:
- use_tls_proxy
- '127.0.0.1'
- str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
step_config: |
include tripleo::profile::base::octavia::api
service_config_settings:
fluentd:
tripleo_fluentd_groups_octavia_api:
- octavia
tripleo_fluentd_sources_octavia_api:
- {get_param: OctaviaApiLoggingSource}
keystone:
octavia::keystone::auth::tenant: {get_param: OctaviaProjectName}
octavia::keystone::auth::public_url: {get_param: [EndpointMap, OctaviaPublic, uri]}
octavia::keystone::auth::internal_url: { get_param: [ EndpointMap, OctaviaInternal, uri ] }
octavia::keystone::auth::admin_url: { get_param: [ EndpointMap, OctaviaAdmin, uri ] }
octavia::keystone::auth::password: {get_param: OctaviaPassword}
octavia::keystone::auth::region: {get_param: KeystoneRegion}
mysql:
octavia::db::mysql::password: {get_param: OctaviaPassword}
octavia::db::mysql::user: {get_param: OctaviaUserName}
octavia::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
octavia::db::mysql::dbname: octavia
octavia::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"