a3dd023773
This change ensures that firewall rules for haproxy endpoints are enabled properly even when haproxy and api services are running in different nodes. With this change, firewall rule for ssl endpoints are removed from base firewall rules because these ports are used by haproxy and not used by api services. Also, the adhoc implementation to run firewall configurations first is refactored by the new host_firewall_tasks key. This allows us to implement tasks to configure firewall in the corresponding resource template. Closes-Bug: #1961799 Depends-on: https://review.opendev.org/831547 Change-Id: I07ceab077f9a900f7e2e35af8acd3e7a337ed01a
204 lines
7.0 KiB
YAML
204 lines
7.0 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
Ceph Grafana service.
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
CephGrafanaAdminUser:
|
|
default: 'admin'
|
|
description: Admin user for grafana component
|
|
type: string
|
|
CephGrafanaAdminPassword:
|
|
description: Admin password for grafana component
|
|
type: string
|
|
hidden: true
|
|
GrafanaPlugins:
|
|
default: ['vonage-status-panel', 'grafana-piechart-panel']
|
|
type: comma_delimited_list
|
|
description: >
|
|
List of plugins to enable on the grafana container
|
|
GrafanaContainerImage:
|
|
description: Grafana container image
|
|
type: string
|
|
GrafanaDashboardsPath:
|
|
default: ''
|
|
description: ceph dashboards templates built for grafana
|
|
type: string
|
|
GrafanaDashboardPort:
|
|
type: number
|
|
default: 3100
|
|
description: Parameter that defines the ceph grafana port.
|
|
GrafanaDataSource:
|
|
default: 'Dashboard'
|
|
description: Grafana datasource
|
|
type: string
|
|
PrometheusContainerImage:
|
|
description: Ceph Prometheus container image
|
|
type: string
|
|
AlertManagerContainerImage:
|
|
description: Ceph AlertManager container image
|
|
type: string
|
|
NodeExporterContainerImage:
|
|
description: Ceph NodeExporter container image
|
|
default: ''
|
|
type: string
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
CertificateKeySize:
|
|
type: string
|
|
default: '2048'
|
|
description: Specifies the private key size used when creating the
|
|
certificate.
|
|
GrafanaCertificateKeySize:
|
|
type: string
|
|
default: ''
|
|
description: Override the private key size used when creating the
|
|
certificate for this service
|
|
|
|
conditions:
|
|
key_size_override_set:
|
|
not: {equals: [{get_param: GrafanaCertificateKeySize}, '']}
|
|
|
|
resources:
|
|
CephBase:
|
|
type: ./ceph-base.yaml
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
CephGrafanaAnsibleVars:
|
|
type: OS::Heat::Value
|
|
properties:
|
|
type: json
|
|
value:
|
|
vars:
|
|
tripleo_cephadm_grafana_admin_user: {get_param: CephGrafanaAdminUser}
|
|
tripleo_cephadm_grafana_admin_password: {get_param: CephGrafanaAdminPassword}
|
|
tripleo_cephadm_grafana_container_image: {get_param: GrafanaContainerImage}
|
|
tripleo_cephadm_grafana_dashboards_path: {get_param: GrafanaDashboardsPath}
|
|
tripleo_cephadm_grafana_datasource: {get_param: GrafanaDataSource}
|
|
tripleo_cephadm_grafana_plugins: {get_param: GrafanaPlugins}
|
|
tripleo_cephadm_grafana_port: {get_param: GrafanaDashboardPort}
|
|
tripleo_cephadm_prometheus_container_image: {get_param: PrometheusContainerImage}
|
|
tripleo_cephadm_node_exporter_container_image: {get_param: NodeExporterContainerImage}
|
|
tripleo_cephadm_prometheus_port: 9092
|
|
tripleo_cephadm_alertmanager_port: 9093
|
|
tripleo_cephadm_alertmanager_container_image: {get_param: AlertManagerContainerImage}
|
|
tripleo_cephadm_monitoring_address_block:
|
|
list_join:
|
|
- ','
|
|
- get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, CephGrafanaNetwork]}]
|
|
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Ceph Dashboard service.
|
|
value:
|
|
service_name: ceph_grafana
|
|
firewall_rules:
|
|
'123 ceph_dashboard':
|
|
dport:
|
|
- {get_param: GrafanaDashboardPort}
|
|
- 9090
|
|
- 9092
|
|
- 9093
|
|
- 9094
|
|
- 9100
|
|
- 9283
|
|
firewall_frontend_rules:
|
|
'100 ceph_graphana':
|
|
dport:
|
|
- {get_param: GrafanaDashboardPort}
|
|
'100 ceph_prometheus':
|
|
dport:
|
|
- 9092
|
|
'100 ceph_alertmanager':
|
|
dport:
|
|
- 9093
|
|
upgrade_tasks: []
|
|
puppet_config: {}
|
|
docker_config: {}
|
|
external_deploy_tasks:
|
|
list_concat:
|
|
- {get_attr: [CephBase, role_data, external_deploy_tasks]}
|
|
- - name: ceph_dashboard_external_deploy_init
|
|
when: step == '1'
|
|
block:
|
|
- name: set tripleo-ansible group vars
|
|
set_fact:
|
|
ceph_monitoring_stack:
|
|
if:
|
|
- {get_param: EnableInternalTLS}
|
|
- map_merge:
|
|
- {get_attr: [CephGrafanaAnsibleVars, value, vars]}
|
|
- tripleo_cephadm_grafana_crt: '/etc/pki/tls/certs/ceph_grafana.crt'
|
|
tripleo_cephadm_grafana_key: '/etc/pki/tls/private/ceph_grafana.key'
|
|
- {get_attr: [CephGrafanaAnsibleVars, value, vars]}
|
|
metadata_settings:
|
|
if:
|
|
- {get_param: EnableInternalTLS}
|
|
- - service: ceph_grafana
|
|
network: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
|
|
type: node
|
|
deploy_steps_tasks:
|
|
- name: Certificate generation
|
|
when:
|
|
- step|int == 1
|
|
- enable_internal_tls
|
|
block:
|
|
- include_role:
|
|
name: linux-system-roles.certificate
|
|
vars:
|
|
certificate_requests:
|
|
- name: ceph_grafana
|
|
dns:
|
|
str_replace:
|
|
template: "{{fqdn_$NETWORK}}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
|
|
principal:
|
|
str_replace:
|
|
template: "ceph_grafana/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
|
|
run_after: |
|
|
# Get grafana systemd unit
|
|
grafana_unit=$(systemctl list-unit-files | awk '/grafana/ {print $1}')
|
|
# Restart the grafana systemd unit
|
|
if [ -z "$grafana_unit" ]; then
|
|
systemctl restart "$grafana_unit"
|
|
fi
|
|
key_size:
|
|
if:
|
|
- key_size_override_set
|
|
- {get_param: GrafanaCertificateKeySize}
|
|
- {get_param: CertificateKeySize}
|
|
ca: ipa
|