Adds network/cidr mapping into a new service property

[apex-tripleo-heat-templates.git] / puppet / services / nova-libvirt.yaml

heat_template_version: pike

description: >
  Libvirt service configured with Puppet

parameters:
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  NovaComputeLibvirtType:
    type: string
    default: kvm
  LibvirtEnabledPerfEvents:
    type: comma_delimited_list
    default: []
    description: This is a performance event list which could be used as monitor.
                 For example - ``enabled_perf_events = cmt, mbml, mbmt``
                 The supported events list can be found in
                 https://libvirt.org/html/libvirt-libvirt-domain.html ,
                 which you may need to search key words ``VIR_PERF_PARAM_*``
  MonitoringSubscriptionNovaLibvirt:
    default: 'overcloud-nova-libvirt'
    type: string
  EnableInternalTLS:
    type: boolean
    default: false
  UseTLSTransportForLiveMigration:
    type: boolean
    default: true
    description: If set to true and if EnableInternalTLS is enabled, it will
                 set the libvirt URI's transport to tls and configure the
                 relevant keys for libvirt.
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
    description: Specifies the default CA cert to use if TLS is used for
                 services in the internal network.
  LibvirtCACert:
    type: string
    default: ''
    description: This specifies the CA certificate to use for TLS in libvirt.
                 This file will be symlinked to the default CA path in libvirt,
                 which is /etc/pki/CA/cacert.pem. Note that due to limitations
                 GNU TLS, which is the TLS backend for libvirt, the file must
                 be less than 65K (so we can't use the system's CA bundle).
                 This parameter should be used if the default (which comes from
                 the InternalTLSCAFile parameter) is not desired. The current
                 default reflects TripleO's default CA, which is FreeIPA.
                 It will only be used if internal TLS is enabled.

conditions:

  use_tls_for_live_migration:
    and:
    - equals:
      - {get_param: EnableInternalTLS}
      - true
    - equals:
      - {get_param: UseTLSTransportForLiveMigration}
      - true

  libvirt_specific_ca_unset:
    equals:
      - {get_param: LibvirtCACert}
      - ''

resources:
  NovaBase:
    type: ./nova-base.yaml
    properties:
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      EndpointMap: {get_param: EndpointMap}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}

outputs:
  role_data:
    description: Role data for the Libvirt service.
    value:
      service_name: nova_libvirt
      monitoring_subscription: {get_param: MonitoringSubscriptionNovaLibvirt}
      config_settings:
        map_merge:
          - get_attr: [NovaBase, role_data, config_settings]
          # we include ::nova::compute::libvirt::services in nova/libvirt profile
          - nova::compute::libvirt::manage_libvirt_services: false
          # we manage migration in nova common puppet profile
            nova::compute::libvirt::migration_support: false
            tripleo::profile::base::nova::manage_migration: true
            tripleo::profile::base::nova::libvirt_enabled: true
            nova::compute::libvirt::services::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
            nova::compute::libvirt::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
            nova::compute::libvirt::libvirt_enabled_perf_events: {get_param: LibvirtEnabledPerfEvents}
            nova::compute::libvirt::qemu::configure_qemu: true
            nova::compute::libvirt::qemu::max_files: 32768
            nova::compute::libvirt::qemu::max_processes: 131072
            nova::compute::libvirt::vncserver_listen: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
            tripleo.nova_libvirt.firewall_rules:
              '200 nova_libvirt':
                dport:
                  - 16514
                  - '49152-49215'
                  - '5900-5999'

          -
            if:
              - use_tls_for_live_migration
              -
                generate_service_certificates: true
                tripleo::profile::base::nova::libvirt_tls: true
                nova::migration::libvirt::live_migration_inbound_addr:
                  str_replace:
                    template:
                      "%{hiera('fqdn_$NETWORK')}"
                    params:
                      $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                tripleo::certmonger::ca::libvirt::origin_ca_pem:
                  if:
                    - libvirt_specific_ca_unset
                    - get_param: InternalTLSCAFile
                    - get_param: LibvirtCACert
                tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt'
                tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private'
                libvirt_certificates_specs:
                  libvirt-server-cert:
                    service_certificate: '/etc/pki/libvirt/servercert.pem'
                    service_key: '/etc/pki/libvirt/private/serverkey.pem'
                    hostname:
                      str_replace:
                        template: "%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                    principal:
                      str_replace:
                        template: "libvirt/%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                  libvirt-client-cert:
                    service_certificate: '/etc/pki/libvirt/clientcert.pem'
                    service_key: '/etc/pki/libvirt/private/clientkey.pem'
                    hostname:
                      str_replace:
                        template: "%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                    principal:
                      str_replace:
                        template: "libvirt/%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
              - {}
      step_config: |
        include tripleo::profile::base::nova::libvirt
      metadata_settings:
        if:
          - use_tls_for_live_migration
          -
            - service: libvirt
              network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
              type: node
          - null