a3dd023773
This change ensures that firewall rules for haproxy endpoints are enabled properly even when haproxy and api services are running in different nodes. With this change, firewall rule for ssl endpoints are removed from base firewall rules because these ports are used by haproxy and not used by api services. Also, the adhoc implementation to run firewall configurations first is refactored by the new host_firewall_tasks key. This allows us to implement tasks to configure firewall in the corresponding resource template. Closes-Bug: #1961799 Depends-on: https://review.opendev.org/831547 Change-Id: I07ceab077f9a900f7e2e35af8acd3e7a337ed01a
178 lines
6.0 KiB
YAML
178 lines
6.0 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
Ceph Manager service.
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
CephDashboardAdminUser:
|
|
default: 'admin'
|
|
description: Admin user for the dashboard component
|
|
type: string
|
|
CephDashboardAdminPassword:
|
|
description: Admin password for the dashboard component
|
|
type: string
|
|
hidden: true
|
|
CephEnableDashboard:
|
|
type: boolean
|
|
default: false
|
|
description: Parameter used to trigger the dashboard deployment.
|
|
CephDashboardPort:
|
|
type: number
|
|
default: 8444
|
|
description: Parameter that defines the ceph dashboard port.
|
|
CephDashboardAdminRO:
|
|
type: boolean
|
|
default: true
|
|
description: Parameter used to set a read-only admin user.
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
CertificateKeySize:
|
|
type: string
|
|
default: '2048'
|
|
description: Specifies the private key size used when creating the
|
|
certificate.
|
|
CephCertificateKeySize:
|
|
type: string
|
|
default: ''
|
|
description: Override the private key size used when creating the
|
|
certificate for this service
|
|
|
|
conditions:
|
|
internal_tls_enabled:
|
|
and:
|
|
- {get_param: CephEnableDashboard}
|
|
- {get_param: EnableInternalTLS}
|
|
key_size_override_set:
|
|
not: {equals: [{get_param: CephCertificateKeySize}, '']}
|
|
|
|
resources:
|
|
CephBase:
|
|
type: ./ceph-base.yaml
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
CephMgrAnsibleVars:
|
|
type: OS::Heat::Value
|
|
properties:
|
|
type: json
|
|
value:
|
|
vars:
|
|
tripleo_cephadm_dashboard_admin_user: {get_param: CephDashboardAdminUser}
|
|
tripleo_cephadm_dashboard_admin_password: {get_param: CephDashboardAdminPassword}
|
|
tripleo_cephadm_dashboard_port: {get_param: CephDashboardPort}
|
|
tripleo_cephadm_dashboard_admin_user_ro: {get_param: CephDashboardAdminRO}
|
|
tripleo_cephadm_dashboard_protocol:
|
|
if:
|
|
- internal_tls_enabled
|
|
- 'https'
|
|
- 'http'
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Ceph Manager service.
|
|
value:
|
|
service_name: ceph_mgr
|
|
firewall_rules:
|
|
'113 ceph_mgr':
|
|
dport:
|
|
list_concat:
|
|
- - '6800-7300'
|
|
- if:
|
|
- {get_param: CephEnableDashboard}
|
|
- - {get_param: CephDashboardPort}
|
|
firewall_frontend_rules:
|
|
if:
|
|
- {get_param: CephEnableDashboard}
|
|
- '100 ceph_dashboard':
|
|
dport:
|
|
- {get_param: CephDashboardPort}
|
|
upgrade_tasks: []
|
|
puppet_config: {}
|
|
docker_config: {}
|
|
external_deploy_tasks:
|
|
list_concat:
|
|
- {get_attr: [CephBase, role_data, external_deploy_tasks]}
|
|
- if:
|
|
- {get_param: CephEnableDashboard}
|
|
- - name: set tripleo-ansible ceph dashboard vars
|
|
when: step|int == 1
|
|
set_fact:
|
|
ceph_dashboard_vars:
|
|
if:
|
|
- internal_tls_enabled
|
|
- map_merge:
|
|
- {get_attr: [CephMgrAnsibleVars, value, vars]}
|
|
- tripleo_cephadm_dashboard_crt: /etc/pki/tls/certs/ceph_dashboard.crt
|
|
- tripleo_cephadm_dashboard_key: /etc/pki/tls/private/ceph_dashboard.key
|
|
- tripleo_cephadm_dashboard_grafana_api_no_ssl_verify: true
|
|
- {get_attr: [CephMgrAnsibleVars, value, vars]}
|
|
metadata_settings:
|
|
if:
|
|
- internal_tls_enabled
|
|
- - service: ceph_dashboard
|
|
network: {get_param: [ServiceNetMap, CephDashboardNetwork]}
|
|
type: node
|
|
deploy_steps_tasks:
|
|
if:
|
|
- internal_tls_enabled
|
|
- - name: Certificate generation
|
|
when:
|
|
- step|int == 1
|
|
block:
|
|
- include_role:
|
|
name: linux-system-roles.certificate
|
|
vars:
|
|
certificate_requests:
|
|
- name: ceph_dashboard
|
|
dns:
|
|
str_replace:
|
|
template: "{{fqdn_$NETWORK}}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
|
|
principal:
|
|
str_replace:
|
|
template: "ceph_dashboard/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
|
|
run_after: |
|
|
# Get mgr systemd unit
|
|
mgr_unit=$(systemctl list-units | awk '/ceph-mgr/ {print $1}')
|
|
# Restart the mgr systemd unit
|
|
if [ -n "$mgr_unit" ]; then
|
|
systemctl restart "$mgr_unit"
|
|
fi
|
|
key_size:
|
|
if:
|
|
- key_size_override_set
|
|
- {get_param: CephCertificateKeySize}
|
|
- {get_param: CertificateKeySize}
|
|
ca: ipa
|