Alex Schultz ebab335f38 Role specific container support
We may want to be able to specific different containers at a role level.
This requires switching the container image parameters to be role
specific too allow for role based overrides.

Change-Id: I4090e889a32abd51e7c11139737a7a18e27d18e7
2022-01-21 14:18:02 -07:00

376 lines
15 KiB
YAML

heat_template_version: wallaby
description: >
Qpid dispatch router service for metrics and monitoring purposes
parameters:
ContainerMetricsQdrImage:
description: image
type: string
tags:
- role_specific
EnableInternalTLS:
default: false
type: boolean
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults
in the resource registry.
type: json
InternalTLSCAFile:
default: /etc/ipa/ca.crt
description: Specifies the default CA cert to use if TLS is used for services in
the internal network.
type: string
MetricsQdrAddresses:
default:
- distribution: multicast
prefix: collectd
- distribution: multicast
prefix: ceilometer/metering.sample
- distribution: multicast
prefix: ceilometer/event.sample
description: Addresses configuration (array of hashes).
type: json
MetricsQdrAuthenticateClient:
default: false
description: Authenticate the client using SSL/TLS
type: boolean
MetricsQdrAutoLinks:
default: []
description: AutoLinks for the Configured Addresses
type: json
MetricsQdrConnectors:
default: []
description: Connectors configuration (array of hashes).
type: json
MetricsQdrExternalEndpoint:
default: false
description: Whether QDR should listen on external network interface. To enable
listening on external network one must deploy QDRs in mesh mode.
type: boolean
MetricsQdrLoggingSource:
default:
file: /var/log/containers/metrics_qdr/metrics_qdr.log
startmsg.regex: '^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}(.[0-9]+
\\+[0-9]+)? [A-Z]+ \\([a-z]+\\) '
tag: openstack.nova.consoleauth
type: json
MetricsQdrPassword:
default: guest
description: Password which should be used to authenticate to the deployed qdrouterd.
hidden: true
type: string
MetricsQdrPort:
default: 5666
description: Service name or port number on which the qdrouterd will accept connections.
type: number
MetricsQdrSSLProfiles:
default:
- name: sslProfile
description: SSL Profiles for the connectors (array of hashes).
type: json
MetricsQdrSaslMechanisms:
default: ANONYMOUS
description: List of accepted SASL auth mechanisms for listener in format of comma
separated list.
type: string
MetricsQdrSslCertDb:
default: '/etc/ipa/ca.crt'
description: Path to SSL certificate db for listener.
type: string
MetricsQdrSslCertFile:
default: '/etc/pki/tls/certs/metrics_qdr.crt'
description: Path to SSL certificate file for listener.
type: string
MetricsQdrSslKeyFile:
default: '/etc/pki/tls/private/metrics_qdr.key'
description: Path to SSL private key file for listener.
type: string
MetricsQdrSslPassword:
default: ''
description: SSL password to be supplied for listener.
type: string
MetricsQdrSslPwFile:
default: ''
description: Path to SSL password file for certificate key for listener.
type: string
MetricsQdrTrustedCerts:
default: ''
description: Path to file containing trusted certificates for listener.
type: string
MetricsQdrUseEncryption:
default: false
description: Set to true if it is required to encrypt connection to the peer for
listener. Not currently implemented, use EnableInternalTLS instead. This option can be ignored.
type: boolean
MetricsQdrUseSSL:
default: false
description: Set to true if it is required to use SSL or TLS on the connection for
the local listener. !WARNING! Currently breaks connections from collectd and ceilometer.
type: boolean
MetricsQdrUsername:
default: guest
description: Username which should be used to authenticate to the deployed qdrouterd.
type: string
MonitoringSubscriptionQdr:
default: overcloud-qdr
type: string
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
##############################################################################
# The existing MetricsQdr parameters will be combined with
# MetricsQdrVars in the MetricsQdrParametersValue below. Eventually,
# these legacy parameters will be deprecated in favour of passing the
# parameters into the MetricsQdrVars param below.
# For backwards compatibility these legacy params will be accepted, but will
# be overwritten by any element passed to MetricsQdrVars.
# New configs should add the vars directly into the
# MetricsQdrVars parameter, which will not require anymore
# changes in THT to add new params.
##############################################################################
MetricsQdrVars:
default: {}
description: Hash of qdr variables used to configure the qdr role.
tags:
- role_specific
type: json
conditions:
role_specific_required: {not: {equals: [{ get_param: [RoleParameters, MetricsQdrVars] }, ""]}}
resources:
ContainersCommon:
type: ../containers-common.yaml
MetricsQdrParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_merge:
- tripleo_metrics_qdr_connectors: { get_param: MetricsQdrConnectors }
tripleo_metrics_qdr_autolink_addresses: { get_param: MetricsQdrAutoLinks }
tripleo_metrics_qdr_addresses: { get_param: MetricsQdrAddresses }
tripleo_metrics_qdr_listener_port: { get_param: MetricsQdrPort }
tripleo_metrics_qdr_ssl_profiles: { get_param: MetricsQdrSSLProfiles }
tripleo_metrics_qdr_listener_auth_peer: { get_param: MetricsQdrAuthenticateClient }
tripleo_metrics_qdr_listener_require_ssl: { get_param: MetricsQdrUseSSL }
tripleo_metrics_qdr_listener_sasl_mech: { get_param: MetricsQdrSaslMechanisms }
tripleo_metrics_qdr_listener_ssl_cert_db: { get_param: MetricsQdrSslCertDb }
tripleo_metrics_qdr_listener_ssl_cert_file: { get_param: MetricsQdrSslCertFile }
tripleo_metrics_qdr_listener_ssl_key_file: { get_param: MetricsQdrSslKeyFile }
tripleo_metrics_qdr_listener_use_encryption: { get_param: MetricsQdrUseEncryption }
tripleo_enable_internal_tls: { get_param: EnableInternalTLS }
###### *CS These vars might need more work, still need to double-check
# TODO: May need to re-implement logic for this one (currently a hardcoded path in the ansible I think?)
tripleo_internal_tlscafile: { get_param: InternalTLSCAFile }
# TODO: In puppet these two are used to create a sasldb user[1][2]. The qdr-config-ansible-role needs to be updated to handle this.
# [1] https://review.opendev.org/plugins/gitiles/openstack/puppet-tripleo/+/refs/heads/master/manifests/profile/base/metrics/qdr.pp#224
# [2] https://review.opendev.org/plugins/gitiles/openstack/puppet-qdr/+/refs/heads/master/lib/puppet/provider/qdr_user/sasl.rb
tripleo_metrics_qdr_username: { get_param: MetricsQdrUsername }
tripleo_metrics_qdr_password: { get_param: MetricsQdrPassword }
# RFE to add support for these SSL related options? Each of them exists in puppet-qdr[1s] but are unused[2s]
# [1] https://review.opendev.org/plugins/gitiles/openstack/puppet-qdr/+/refs/heads/master/manifests/init.pp#170
# [2] https://github.com/openstack/puppet-qdr/search?q=listener_ssl_pw_file
tripleo_metrics_qdr_listener_ssl_pw_file: { get_param: MetricsQdrSslPwFile }
# [1] https://review.opendev.org/plugins/gitiles/openstack/puppet-qdr/+/refs/heads/master/manifests/init.pp#171
# [2] https://github.com/openstack/puppet-qdr/search?q=listener_ssl_password
tripleo_metrics_qdr_listener_ssl_password: { get_param: MetricsQdrSslPassword }
# [1] https://review.opendev.org/plugins/gitiles/openstack/puppet-qdr/+/refs/heads/master/manifests/init.pp#172
# [2] https://github.com/openstack/puppet-qdr/search?q=listener_trusted_certs
tripleo_metrics_qdr_listener_trusted_certs: { get_param: MetricsQdrTrustedCerts }
######
- {get_param: MetricsQdrVars}
- if:
- role_specific_required
- {get_param: [RoleParameters, MetricsQdrVars]}
- {}
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- ContainerMetricsQdrImage: ContainerMetricsQdrImage
- values: {get_param: [RoleParameters]}
- values:
ContainerMetricsQdrImage: {get_param: ContainerMetricsQdrImage}
outputs:
role_data:
description: Role data for the metrics Qdr role.
value:
service_name: qdr
firewall_rules:
map_merge:
- '109 metrics qdr':
dport:
- {get_param: MetricsQdrPort}
- map_merge:
repeat:
for_each:
<%net_cidr%>: {get_param: [ServiceData, net_cidr_map, ctlplane]}
template:
'109 accept internal metrics qdr ctlplane subnet <%net_cidr%>':
dport:
- 5667
- 5668
# For sensu
monitoring_subscription: {get_param: MonitoringSubscriptionQdr}
# See https://docs.openstack.org/tripleo-docs/latest/developer/tht_walkthrough/tls_for_services.html
metadata_settings:
if:
- {get_param: EnableInternalTLS}
- - service: metrics_qdr
network:
get_param:
- ServiceNetMap
- str_replace:
template: "ROLENAMEMetricsQdrNetwork"
params:
ROLENAME: {get_param: RoleName}
type: node
kolla_config:
/var/lib/kolla/config_files/metrics_qdr.json:
command: /usr/sbin/qdrouterd -c /etc/qpid-dispatch/qdrouterd.conf
config_files:
- dest: /etc/qpid-dispatch/
merge: true
preserve_properties: true
source: /var/lib/kolla/config_files/src/*
- dest: /
merge: true
optional: true
preserve_properties: true
source: /var/lib/kolla/config_files/src-tls/*
permissions:
- owner: qdrouterd:qdrouterd
path: /var/lib/qdrouterd
recurse: true
- owner: qdrouterd:qdrouterd
path: /var/log/qdrouterd
recurse: true
- optional: true
owner: qdrouterd:qdrouterd
path: /etc/pki/tls/certs/metrics_qdr.crt
- optional: true
owner: qdrouterd:qdrouterd
path: /etc/pki/tls/private/metrics_qdr.key
service_config_settings:
rsyslog:
tripleo_logging_sources_metrics_qdr:
- {get_param: MetricsQdrLoggingSource}
config_settings:
map_merge:
- tripleo::haproxy::metrics_qdr: {get_param: MetricsQdrExternalEndpoint}
- if:
- {get_param: EnableInternalTLS}
- generate_service_certificates: true
# These two are used here: https://review.opendev.org/plugins/gitiles/openstack/puppet-tripleo/+/refs/heads/master/files/certmonger-metrics-qdr-refresh.sh#8
tripleo::metrics::qdr::service_certificate: { get_param: MetricsQdrSslCertFile }
tripleo::metrics::qdr::service_key: { get_param: MetricsQdrSslKeyFile }
# This one is used here: https://review.opendev.org/plugins/gitiles/openstack/puppet-tripleo/+/refs/heads/master/manifests/profile/base/certmonger_user.pp#193
tripleo::profile::base::metrics::qdr::certificate_specs:
service_certificate: { get_param: MetricsQdrSslCertFile }
service_key: { get_param: MetricsQdrSslKeyFile }
postsave_cmd: "/usr/bin/certmonger-metrics-qdr-refresh.sh"
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK:
get_param:
- ServiceNetMap
- str_replace:
template: "ROLENAMEMetricsQdrNetwork"
params:
ROLENAME: {get_param: RoleName}
principal:
str_replace:
template: "metrics_qdr/%{hiera('fqdn_NETWORK')}"
params:
NETWORK:
get_param:
- ServiceNetMap
- str_replace:
template: "ROLENAMEMetricsQdrNetwork"
params:
ROLENAME: {get_param: RoleName}
docker_config:
step_1:
metrics_qdr:
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
healthcheck:
test: /openstack/healthcheck
image:
get_attr: [RoleParametersValue, value, ContainerMetricsQdrImage]
net: host
privileged: false
restart: always
start_order: 1
user: qdrouterd
volumes:
list_concat:
- get_attr:
- ContainersCommon
- volumes
- - /var/lib/kolla/config_files/metrics_qdr.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/ansible-generated/metrics_qdr:/var/lib/kolla/config_files/src:ro
- /var/lib/metrics_qdr:/var/lib/qdrouterd:z
- /var/log/containers/metrics_qdr:/var/log/qdrouterd:z
- if:
- {get_param: EnableInternalTLS}
- - /etc/pki/tls/certs/metrics_qdr.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/metrics_qdr.crt:ro
- /etc/pki/tls/private/metrics_qdr.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/metrics_qdr.key:ro
host_prep_tasks:
- name: Create required host directories for QDR
file:
mode: '{{ item.mode|default(omit) }}'
path: '{{ item.path }}'
setype: '{{ item.setype }}'
state: directory
with_items:
- path: /var/log/containers/metrics_qdr
setype: container_file_t
mode: '0750'
- path: /var/lib/metrics_qdr
setype: container_file_t
mode: '0750'
- path: /var/lib/config-data/ansible-generated/metrics_qdr
setype: container_file_t
mode: '0750'
deploy_steps_tasks:
- name: QDR Config on step 1
when: step == '1'
include_role:
name: tripleo_metrics_qdr
tasks_from: create_config
vars:
- {get_attr: [MetricsQdrParametersValue, value]}