tripleo-heat-templates/deployment/cephadm/ceph-grafana.yaml
Takashi Kajinami a3dd023773 Define frontend firewall rules separately
This change ensures that firewall rules for haproxy endpoints are
enabled properly even when haproxy and api services are running in
different nodes.

With this change, firewall rules for ssl endpoints are removed from the
base firewall rules, because these ports are used by haproxy and not by
the api services.

Also, the adhoc implementation to run firewall configurations first is
refactored by the new host_firewall_tasks key. This allows us to
implement tasks to configure firewall in the corresponding resource
template.

Closes-Bug: #1961799
Depends-on: https://review.opendev.org/831547
Change-Id: I07ceab077f9a900f7e2e35af8acd3e7a337ed01a
2022-04-28 04:23:41 +00:00


# Heat template for the cephadm-deployed Ceph Grafana service.
heat_template_version: wallaby
description: >
  Ceph Grafana service.
parameters:
  # Inputs that this template forwards unchanged to the CephBase resource.
  ServiceData:
    type: json
    default: {}
    description: Dictionary packing service data
  ServiceNetMap:
    type: json
    default: {}
    description: >-
      Mapping of service_name -> network name. Typically set
      via parameter_defaults in the resource registry. Use
      parameter_merge_strategies to merge it with the defaults.
  RoleName:
    type: string
    default: ''
    description: Role name on which the service is applied
  RoleParameters:
    type: json
    default: {}
    description: Parameters specific to the role
  EndpointMap:
    type: json
    default: {}
    description: >-
      Mapping of service endpoint -> protocol. Typically set
      via parameter_defaults in the resource registry.

  # Grafana account and content settings.
  CephGrafanaAdminUser:
    type: string
    default: 'admin'
    description: Admin user for grafana component
  # No default, so the deployment has to supply a value. `hidden: true`
  # masks the value when stack parameters are displayed; it does not stop
  # the value from being passed on to the Ansible vars built from it.
  CephGrafanaAdminPassword:
    type: string
    description: Admin password for grafana component
    hidden: true
  # NOTE(review): every entry here is enabled inside the grafana container;
  # treat additions to this list as third-party code and review them.
  GrafanaPlugins:
    type: comma_delimited_list
    default:
      - 'vonage-status-panel'
      - 'grafana-piechart-panel'
    description: >
      List of plugins to enable on the grafana container
  GrafanaContainerImage:
    type: string
    description: Grafana container image
  GrafanaDashboardsPath:
    type: string
    default: ''
    description: ceph dashboards templates built for grafana
  # Also used as a destination port in both firewall rule sets in outputs.
  GrafanaDashboardPort:
    type: number
    default: 3100
    description: Parameter that defines the ceph grafana port.
  GrafanaDataSource:
    type: string
    default: 'Dashboard'
    description: Grafana datasource

  # Images for the rest of the monitoring stack. The references are used
  # verbatim; this template does not validate or pin them.
  PrometheusContainerImage:
    type: string
    description: Ceph Prometheus container image
  AlertManagerContainerImage:
    type: string
    description: Ceph AlertManager container image
  NodeExporterContainerImage:
    type: string
    default: ''
    description: Ceph NodeExporter container image

  # Internal TLS. EnableInternalTLS gates the metadata_settings entry and
  # the Grafana crt/key variables in outputs.
  EnableInternalTLS:
    type: boolean
    default: false
  # NOTE(review): '2048' is the fallback private key size for the Grafana
  # certificate; confirm it still meets the deployment's key-size policy.
  CertificateKeySize:
    type: string
    default: '2048'
    description: >-
      Specifies the private key size used when creating the
      certificate.
  # Empty string means "no override"; see the key_size_override_set
  # condition.
  GrafanaCertificateKeySize:
    type: string
    default: ''
    description: >-
      Override the private key size used when creating the
      certificate for this service
conditions:
  # True when GrafanaCertificateKeySize is anything other than the empty
  # string, i.e. a per-service key size was supplied.
  key_size_override_set:
    not:
      equals:
        - {get_param: GrafanaCertificateKeySize}
        - ''
resources:
  # Nested base template; its role_data.external_deploy_tasks are
  # prepended to this service's tasks in outputs.
  CephBase:
    type: ./ceph-base.yaml
    properties:
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      EndpointMap: {get_param: EndpointMap}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}

  # Collects the variables that outputs hands to Ansible as
  # ceph_monitoring_stack.
  CephGrafanaAnsibleVars:
    type: OS::Heat::Value
    properties:
      type: json
      value:
        vars:
          tripleo_cephadm_grafana_admin_user:
            get_param: CephGrafanaAdminUser
          # Secret: comes from a hidden parameter but is a plain value
          # from here on, so anything that prints these vars prints it.
          tripleo_cephadm_grafana_admin_password:
            get_param: CephGrafanaAdminPassword
          tripleo_cephadm_grafana_container_image:
            get_param: GrafanaContainerImage
          tripleo_cephadm_grafana_dashboards_path:
            get_param: GrafanaDashboardsPath
          tripleo_cephadm_grafana_datasource:
            get_param: GrafanaDataSource
          tripleo_cephadm_grafana_plugins:
            get_param: GrafanaPlugins
          tripleo_cephadm_grafana_port:
            get_param: GrafanaDashboardPort
          tripleo_cephadm_prometheus_container_image:
            get_param: PrometheusContainerImage
          tripleo_cephadm_node_exporter_container_image:
            get_param: NodeExporterContainerImage
          # Fixed ports; the same numbers appear in the firewall rules in
          # outputs and must be kept in sync by hand.
          tripleo_cephadm_prometheus_port: 9092
          tripleo_cephadm_alertmanager_port: 9093
          tripleo_cephadm_alertmanager_container_image:
            get_param: AlertManagerContainerImage
          # Comma-joined CIDR list of the network that ServiceNetMap
          # assigns to CephGrafanaNetwork.
          tripleo_cephadm_monitoring_address_block:
            list_join:
              - ','
              - get_param:
                  - ServiceData
                  - net_cidr_map
                  - {get_param: [ServiceNetMap, CephGrafanaNetwork]}
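outputs:
  role_data:
    description: Role data for the Ceph Dashboard service.
    value:
      service_name: ceph_grafana
      # Ports opened for the monitoring stack itself.
      # NOTE(review): 9092 and 9093 match the prometheus and alertmanager
      # ports set in CephGrafanaAnsibleVars. 9090, 9094, 9100 and 9283 are
      # not referenced anywhere else in this template; confirm each one is
      # still required so this rule does not expose unused listeners.
      firewall_rules:
        '123 ceph_dashboard':
          dport:
            - {get_param: GrafanaDashboardPort}
            - 9090
            - 9092
            - 9093
            - 9094
            - 9100
            - 9283
      # Frontend rules, kept separate from firewall_rules above.
      # NOTE(review): the first rule name is spelled 'ceph_graphana'. It is
      # left unchanged because rule names are runtime identifiers.
      firewall_frontend_rules:
        '100 ceph_graphana':
          dport:
            - {get_param: GrafanaDashboardPort}
        '100 ceph_prometheus':
          dport:
            - 9092
        '100 ceph_alertmanager':
          dport:
            - 9093
      upgrade_tasks: []
      puppet_config: {}
      docker_config: {}
      # CephBase tasks run first, followed by this service's init task.
      external_deploy_tasks:
        list_concat:
          - {get_attr: [CephBase, role_data, external_deploy_tasks]}
          - - name: ceph_dashboard_external_deploy_init
              when: step == '1'
              block:
                # NOTE(review): the vars merged into this fact include the
                # Grafana admin password. Consider `no_log: true` on this
                # task so the value is not echoed in verbose Ansible output.
                - name: set tripleo-ansible group vars
                  set_fact:
                    ceph_monitoring_stack:
                      # With internal TLS enabled, add the certificate and
                      # key paths; otherwise pass the vars through as-is.
                      if:
                        - {get_param: EnableInternalTLS}
                        - map_merge:
                            - {get_attr: [CephGrafanaAnsibleVars, value, vars]}
                            - tripleo_cephadm_grafana_crt: '/etc/pki/tls/certs/ceph_grafana.crt'
                              tripleo_cephadm_grafana_key: '/etc/pki/tls/private/ceph_grafana.key'
                        - {get_attr: [CephGrafanaAnsibleVars, value, vars]}
      # Emitted only when internal TLS is enabled (two-argument `if`).
      metadata_settings:
        if:
          - {get_param: EnableInternalTLS}
          - - service: ceph_grafana
              network: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
              type: node
      deploy_steps_tasks:
        - name: Certificate generation
          when:
            - step|int == 1
            - enable_internal_tls
          block:
            - include_role:
                name: linux-system-roles.certificate
              vars:
                certificate_requests:
                  - name: ceph_grafana
                    dns:
                      str_replace:
                        template: "{{fqdn_$NETWORK}}"
                        params:
                          $NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
                    principal:
                      str_replace:
                        template: "ceph_grafana/{{fqdn_$NETWORK}}@{{idm_realm}}"
                        params:
                          $NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
                    # Hook that restarts grafana after a certificate change.
                    # The test must be -n (unit name found). The previous
                    # -z test only attempted a restart when the name was
                    # empty, so grafana was never restarted by this hook.
                    # NOTE(review): if more than one unit file matches
                    # /grafana/, the quoted variable holds several names on
                    # separate lines and the restart will likely fail.
                    run_after: |
                      # Get grafana systemd unit
                      grafana_unit=$(systemctl list-unit-files | awk '/grafana/ {print $1}')
                      # Restart the grafana systemd unit
                      if [ -n "$grafana_unit" ]; then
                        systemctl restart "$grafana_unit"
                      fi
                    # The per-service override wins when it is set;
                    # otherwise fall back to CertificateKeySize.
                    key_size:
                      if:
                        - key_size_override_set
                        - {get_param: GrafanaCertificateKeySize}
                        - {get_param: CertificateKeySize}
                    ca: ipa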