Merge "Add network sysctl tweaks for security"

[apex-tripleo-heat-templates.git] / puppet / services / ceilometer-api.yaml

heat_template_version: ocata

description: >
  OpenStack Ceilometer API service configured with Puppet

parameters:
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  MonitoringSubscriptionCeilometerApi:
    default: 'overcloud-ceilometer-api'
    type: string
  CeilometerApiLoggingSource:
    type: json
    default:
      tag: openstack.ceilometer.api
      path: /var/log/ceilometer/api.log
  EnableInternalTLS:
    type: boolean
    default: false
  CeilometerApiPolicies:
    description: |
      A hash of policies to configure for Ceilometer API.
      e.g. { ceilometer-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
    default: {}
    type: json

resources:
  CeilometerServiceBase:
    type: ./ceilometer-base.yaml
    properties:
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      EndpointMap: {get_param: EndpointMap}

  ApacheServiceBase:
    type: ./apache.yaml
    properties:
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      EndpointMap: {get_param: EndpointMap}
      EnableInternalTLS: {get_param: EnableInternalTLS}

outputs:
  role_data:
    description: Role data for the Ceilometer API role.
    value:
      service_name: ceilometer_api
      monitoring_subscription: {get_param: MonitoringSubscriptionCeilometerApi}
      logging_source: {get_param: CeilometerApiLoggingSource}
      logging_groups:
        - ceilometer
      config_settings:
        map_merge:
          - get_attr: [ApacheServiceBase, role_data, config_settings]
          - get_attr: [CeilometerServiceBase, role_data, config_settings]
          - tripleo.ceilometer_api.firewall_rules:
              '124 ceilometer':
                dport:
                  - 8777
                  - 13777
            # NOTE: bind IP is found in Heat replacing the network name with the
            # local node IP for the given network; replacement examples
            # (eg. for internal_api):
            # internal_api -> IP
            # internal_api_uri -> [IP]
            # internal_api_subnet - > IP/CIDR
          - ceilometer::api::service_name: 'httpd'
            ceilometer::api::enable_proxy_headers_parsing: true
            ceilometer::api::host:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, CeilometerApiNetwork]}
            ceilometer::policy::policies: {get_param: CeilometerApiPolicies}
            ceilometer::wsgi::apache::bind_host: {get_param: [ServiceNetMap, CeilometerApiNetwork]}
            ceilometer::wsgi::apache::ssl: {get_param: EnableInternalTLS}
            ceilometer::wsgi::apache::servername:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, CeilometerApiNetwork]}
      service_config_settings:
        get_attr: [CeilometerServiceBase, role_data, service_config_settings]
      step_config: |
        include ::tripleo::profile::base::ceilometer::api
      metadata_settings:
        get_attr: [ApacheServiceBase, role_data, metadata_settings]
      upgrade_tasks:
        - name: Stop ceilometer_api service (running under httpd)
          tags: step1
          service: name=httpd state=stopped