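# puppet/services/barbican-api.yaml (apex-tripleo-heat-templates)
#
# Heat template that emits role_data for the Barbican API service: hiera
# config_settings, the Puppet step_config, service_config_settings entries
# keyed mysql, keystone, nova_compute and cinder_api, and Ansible upgrade
# tasks.
#
# Security-relevant points to review before deploying:
#   - BarbicanPassword is used both for the Keystone service account and for
#     the MySQL "barbican" account (see config_settings and
#     service_config_settings below), so the two credentials share one secret.
#   - RabbitUserName defaults to "guest" and RabbitClientUseSSL defaults to
#     false.
#   - EnableInternalTLS defaults to false.
#   - barbican::db::mysql::allowed_hosts contains the wildcard host '%'.
heat_template_version: pike

description: >
  OpenStack Barbican API service configured with Puppet

parameters:
  ServiceNetMap:
    default: {}
    description: >-
      Mapping of service_name -> network name. Typically set
      via parameter_defaults in the resource registry.  This
      mapping overrides those in ServiceNetMapDefaults.
    type: json
  # Not read directly in this template; passed through to ./apache.yaml.
  DefaultPasswords:
    default: {}
    type: json
  EndpointMap:
    default: {}
    description: >-
      Mapping of service endpoint -> protocol. Typically set
      via parameter_defaults in the resource registry.
    type: json
  # No default, so the deployer must supply it; hidden keeps it out of
  # parameter listings. The same value is wired into four settings below
  # (Keystone authtoken, Keystone auth, DB connection URL, MySQL account).
  BarbicanPassword:
    description: The password for the barbican service account.
    type: string
    hidden: true
  BarbicanWorkers:
    description: Set the number of workers for barbican::wsgi::apache
    default: '%{::processorcount}'
    type: string
  # Debug output from a key-management API can be verbose; leave unset
  # outside of troubleshooting.
  Debug:
    default: ''
    description: Set to True to enable debugging on all services.
    type: string
  KeystoneRegion:
    type: string
    default: 'regionOne'
    description: Keystone region for endpoint
  RabbitClientPort:
    default: 5672
    description: Set rabbit subscriber port, change this if using SSL
    type: number
  # Defaults to false, i.e. the messaging connection is not TLS-protected
  # unless the deployer overrides it (and RabbitClientPort with it).
  # NOTE(review): declared as type string although the default is a YAML
  # boolean; left unchanged so existing environments keep validating.
  RabbitClientUseSSL:
    default: false
    description: >
      Rabbit client subscriber parameter to specify
      an SSL connection to the RabbitMQ host.
    type: string
  RabbitPassword:
    description: The password for RabbitMQ
    type: string
    hidden: true
  # "guest" is RabbitMQ's built-in default account name; override it with a
  # dedicated user in any deployment that is not a throwaway lab.
  RabbitUserName:
    default: guest
    description: The username for RabbitMQ
    type: string
  # Feeds barbican::wsgi::apache::ssl below. With the default of false the
  # Apache vhost for the API is configured without TLS.
  EnableInternalTLS:
    type: boolean
    default: false
  BarbicanPolicies:
    description: |
      A hash of policies to configure for Barbican.
      e.g. { barbican-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
    default: {}
    type: json

resources:

  # Shared Apache service template; its role_data is merged into the outputs.
  ApacheServiceBase:
    type: ./apache.yaml
    properties:
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      EndpointMap: {get_param: EndpointMap}

outputs:
  role_data:
    description: Role data for the Barbican API role.
    value:
      service_name: barbican_api
      config_settings:
        # Apache base settings first, then the Barbican-specific mapping.
        map_merge:
          - get_attr: [ApacheServiceBase, role_data, config_settings]
          - barbican::keystone::authtoken::password: {get_param: BarbicanPassword}
            barbican::keystone::authtoken::auth_uri:
              get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
            barbican::keystone::authtoken::auth_url:
              get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
            barbican::keystone::authtoken::project_name: 'service'
            barbican::policy::policies: {get_param: BarbicanPolicies}
            barbican::api::host_href:
              get_param: [EndpointMap, BarbicanPublic, uri]
            barbican::api::db_auto_create: false
            barbican::api::enabled_certificate_plugins: ['simple_certificate']
            barbican::api::logging::debug: {get_param: Debug}
            barbican::api::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
            barbican::api::rabbit_userid: {get_param: RabbitUserName}
            barbican::api::rabbit_password: {get_param: RabbitPassword}
            barbican::api::rabbit_port: {get_param: RabbitClientPort}
            barbican::api::rabbit_heartbeat_timeout_threshold: 60
            barbican::api::service_name: 'httpd'
            barbican::wsgi::apache::bind_host:
              get_param: [ServiceNetMap, BarbicanApiNetwork]
            barbican::wsgi::apache::ssl: {get_param: EnableInternalTLS}
            barbican::wsgi::apache::workers: {get_param: BarbicanWorkers}
            barbican::wsgi::apache::servername:
              str_replace:
                template: "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
            # The assembled URL embeds BarbicanPassword, so the rendered
            # setting is itself a secret wherever it is stored or logged.
            barbican::db::database_connection:
              make_url:
                scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
                username: barbican
                password: {get_param: BarbicanPassword}
                host: {get_param: [EndpointMap, MysqlInternal, host]}
                path: /barbican
                query:
                  read_default_file: /etc/my.cnf.d/tripleo.cnf
                  read_default_group: tripleo
            # Opens both ports on the node's firewall.
            # NOTE(review): 13311 is presumably the TLS-fronted variant of
            # 9311; confirm against the endpoint map.
            tripleo.barbican_api.firewall_rules:
              '117 barbican':
                dport:
                  - 9311
                  - 13311
      step_config: |
        include ::tripleo::profile::base::barbican::api
      service_config_settings:
        mysql:
          # Same secret as the Keystone service account password.
          barbican::db::mysql::password: {get_param: BarbicanPassword}
          barbican::db::mysql::user: barbican
          barbican::db::mysql::host:
            get_param: [EndpointMap, MysqlInternal, host_nobrackets]
          barbican::db::mysql::dbname: barbican
          # '%' is the MySQL wildcard host: the barbican account is not
          # restricted by client address, so its exposure depends entirely on
          # which network the database listens on and on firewalling in front
          # of it. Narrow this list where the deployment allows.
          barbican::db::mysql::allowed_hosts:
            - '%'
            - "%{hiera('mysql_bind_host')}"
        keystone:
          barbican::keystone::auth::public_url:
            get_param: [EndpointMap, BarbicanPublic, uri]
          barbican::keystone::auth::internal_url:
            get_param: [EndpointMap, BarbicanInternal, uri]
          barbican::keystone::auth::admin_url:
            get_param: [EndpointMap, BarbicanAdmin, uri]
          barbican::keystone::auth::password: {get_param: BarbicanPassword}
          barbican::keystone::auth::region: {get_param: KeystoneRegion}
          barbican::keystone::auth::tenant: 'service'
        nova_compute:
          # '>-' rather than '>' so the class path carries no trailing
          # newline.
          nova::compute::keymgr_api_class: >-
            castellan.key_manager.barbican_key_manager.BarbicanKeyManager
          nova::compute::barbican_endpoint:
            get_param: [EndpointMap, BarbicanInternal, uri]
          nova::compute::barbican_auth_endpoint:
            get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
        cinder_api:
          # '>-' rather than '>' so the class path carries no trailing
          # newline.
          cinder::api::keymgr_api_class: >-
            castellan.key_manager.barbican_key_manager.BarbicanKeyManager
          cinder::api::keymgr_encryption_api_url:
            get_param: [EndpointMap, BarbicanInternal, uri]
          cinder::api::keymgr_encryption_auth_url:
            get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
      metadata_settings:
        get_attr: [ApacheServiceBase, role_data, metadata_settings]
      upgrade_tasks:
        # Apache's upgrade tasks followed by the Barbican-specific ones.
        yaql:
          expression: $.data.apache_upgrade + $.data.barbican_api_upgrade
          data:
            apache_upgrade:
              get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
            barbican_api_upgrade:
              # A non-zero rc here is expected when the unit is not enabled;
              # the result only gates the two tasks that follow.
              - name: Check if barbican_api is deployed
                command: systemctl is-enabled openstack-barbican-api
                tags: common
                ignore_errors: true
                register: barbican_api_enabled
              - name: "PreUpgrade step0,validation: Check service openstack-barbican-api is running"
                shell: /usr/bin/systemctl show 'openstack-barbican-api' --property ActiveState | grep '\bactive\b'
                when: barbican_api_enabled.rc == 0
                tags: step0,validation
              # state: latest installs whatever version the enabled
              # repositories offer at run time; the package set is only as
              # trustworthy as those repositories and their signature checks.
              - name: Install openstack-barbican-api package if it was disabled
                tags: step3
                yum:
                  name: openstack-barbican-api
                  state: latest
                when: barbican_api_enabled.rc != 0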