44ef2a3ec1
The new master branch should point now to rocky. So, HOT templates should specify that they might contain features for rocky release [1] Also, this submission updates the yaml validation to use only latest heat_version alias. There are cases in which we will need to set the version for specific templates i.e. mixed versions, so there is added a variable to assign specific templates to specific heat_version aliases, avoiding the introductions of error by bulk replacing the the old version in new releases. [1]: https://docs.openstack.org/heat/latest/template_guide/hot_spec.html#rocky Change-Id: Ib17526d9cc453516d99d4659ee5fa51a5aa7fb4b
173 lines
6.9 KiB
YAML
173 lines
6.9 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
OpenStack Ironic API configured with Puppet
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
IronicPassword:
|
|
description: The password for the Ironic service and db account, used by the Ironic services
|
|
type: string
|
|
hidden: true
|
|
MonitoringSubscriptionIronicApi:
|
|
default: 'overcloud-ironic-api'
|
|
type: string
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
IronicApiPolicies:
|
|
description: |
|
|
A hash of policies to configure for Ironic API.
|
|
e.g. { ironic-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
|
|
default: {}
|
|
type: json
|
|
IronicCorsAllowedOrigin:
|
|
type: string
|
|
default: ''
|
|
description: Indicate whether this resource may be shared with the domain received in the request
|
|
"origin" header.
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
|
|
conditions:
|
|
cors_allowed_origin_unset: {equals : [{get_param: IronicCorsAllowedOrigin}, '']}
|
|
|
|
resources:
|
|
ApacheServiceBase:
|
|
type: ./apache.yaml
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
EnableInternalTLS: {get_param: EnableInternalTLS}
|
|
|
|
IronicBase:
|
|
type: ./ironic-base.yaml
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Ironic API role.
|
|
value:
|
|
service_name: ironic_api
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionIronicApi}
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [IronicBase, role_data, config_settings]
|
|
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
|
-
|
|
if:
|
|
- cors_allowed_origin_unset
|
|
- {}
|
|
- ironic::cors::allowed_origin: {get_param: IronicCorsAllowedOrigin}
|
|
- ironic::api::authtoken::password: {get_param: IronicPassword}
|
|
ironic::api::authtoken::project_name: 'service'
|
|
ironic::api::authtoken::user_domain_name: 'Default'
|
|
ironic::api::authtoken::project_domain_name: 'Default'
|
|
ironic::api::authtoken::username: 'ironic'
|
|
ironic::api::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
|
ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
# NOTE: bind IP is found in hiera replacing the network name with the
|
|
# local node IP for the given network; replacement examples
|
|
# (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
ironic::api::host_ip:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, IronicApiNetwork]}
|
|
ironic::api::port: {get_param: [EndpointMap, IronicInternal, port]}
|
|
# This is used to build links in responses
|
|
ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
|
|
ironic::api::service_name: 'httpd'
|
|
ironic::policy::policies: {get_param: IronicApiPolicies}
|
|
ironic::wsgi::apache::bind_host:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, IronicApiNetwork]}
|
|
ironic::wsgi::apache::port: {get_param: [EndpointMap, IronicInternal, port]}
|
|
ironic::wsgi::apache::servername:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, IronicApiNetwork]}
|
|
ironic::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
|
ironic::cors::max_age: 3600
|
|
ironic::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'
|
|
ironic::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
|
|
ironic::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
|
|
|
|
tripleo.ironic_api.firewall_rules:
|
|
'133 ironic api':
|
|
dport:
|
|
- 6385
|
|
- 13385
|
|
step_config: |
|
|
include ::tripleo::profile::base::ironic::api
|
|
service_config_settings:
|
|
keystone:
|
|
ironic::keystone::auth::admin_url: {get_param: [EndpointMap, IronicAdmin, uri_no_suffix]}
|
|
ironic::keystone::auth::internal_url: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]}
|
|
ironic::keystone::auth::public_url: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
|
|
ironic::keystone::auth::auth_name: 'ironic'
|
|
ironic::keystone::auth::password: {get_param: IronicPassword }
|
|
ironic::keystone::auth::tenant: 'service'
|
|
ironic::keystone::auth::region: {get_param: KeystoneRegion}
|
|
mysql:
|
|
ironic::db::mysql::password: {get_param: IronicPassword}
|
|
ironic::db::mysql::user: ironic
|
|
ironic::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
|
|
ironic::db::mysql::dbname: ironic
|
|
ironic::db::mysql::allowed_hosts:
|
|
- '%'
|
|
- "%{hiera('mysql_bind_host')}"
|
|
upgrade_tasks:
|
|
- name: Stop ironic_api service (before httpd support)
|
|
when: step|int == 1
|
|
service: name=openstack-ironic-api state=stopped enabled=no
|
|
- name: Stop ironic_api service (running under httpd)
|
|
when: step|int == 1
|
|
service: name=httpd state=stopped
|