Merge "TLS everywhere: configure mongodb's TLS settings"

[apex-tripleo-heat-templates.git] / puppet / services / nova-placement.yaml

heat_template_version: pike

description: >
  OpenStack Nova Placement API service configured with Puppet

parameters:
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  NovaWorkers:
    default: 0
    description: Number of workers for Nova Placement API service.
    type: number
  NovaPassword:
    description: The password for the nova service and db account, used by nova-placement.
    type: string
    hidden: true
  KeystoneRegion:
    type: string
    default: 'regionOne'
    description: Keystone region for endpoint
  MonitoringSubscriptionNovaPlacement:
    default: 'overcloud-nova-placement'
    type: string
  NovaPlacementLoggingSource:
    type: json
    default:
      tag: openstack.nova.placement
      path: /var/log/httpd/nova_placement_wsgi_error_ssl.log
  EnableInternalTLS:
    type: boolean
    default: false

conditions:
  nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}

resources:
  ApacheServiceBase:
    type: ./apache.yaml
    properties:
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      EndpointMap: {get_param: EndpointMap}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}
      EnableInternalTLS: {get_param: EnableInternalTLS}

  NovaBase:
    type: ./nova-base.yaml
    properties:
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      EndpointMap: {get_param: EndpointMap}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}

outputs:
  role_data:
    description: Role data for the Nova Placement API service.
    value:
      service_name: nova_placement
      monitoring_subscription: {get_param: MonitoringSubscriptionNovaPlacement}
      logging_source: {get_param: NovaPlacementLoggingSource}
      logging_groups:
        - nova
      config_settings:
        map_merge:
        - get_attr: [NovaBase, role_data, config_settings]
        - get_attr: [ApacheServiceBase, role_data, config_settings]
        - tripleo.nova_placement.firewall_rules:
            '138 nova_placement':
              dport:
                - 8778
                - 13778
          nova::keystone::authtoken::project_name: 'service'
          nova::keystone::authtoken::password: {get_param: NovaPassword}
          nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
          nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
          nova::wsgi::apache_placement::api_port: '8778'
          nova::wsgi::apache_placement::ssl: {get_param: EnableInternalTLS}
          # NOTE: bind IP is found in Heat replacing the network name with the local node IP
          # for the given network; replacement examples (eg. for internal_api):
          # internal_api -> IP
          # internal_api_uri -> [IP]
          # internal_api_subnet - > IP/CIDR
          nova::wsgi::apache_placement::bind_host: {get_param: [ServiceNetMap, NovaPlacementNetwork]}
          nova::wsgi::apache_placement::servername:
            str_replace:
              template:
                "%{hiera('fqdn_$NETWORK')}"
              params:
                $NETWORK: {get_param: [ServiceNetMap, NovaPlacementNetwork]}
        -
          if:
          - nova_workers_zero
          - {}
          - nova::wsgi::apache_placement::workers: {get_param: NovaWorkers}
      step_config: |
        include tripleo::profile::base::nova::placement
      service_config_settings:
        keystone:
          nova::keystone::auth_placement::tenant: 'service'
          nova::keystone::auth_placement::public_url: {get_param: [EndpointMap, NovaPlacementPublic, uri]}
          nova::keystone::auth_placement::internal_url: {get_param: [EndpointMap, NovaPlacementInternal, uri]}
          nova::keystone::auth_placement::admin_url: {get_param: [EndpointMap, NovaPlacementAdmin, uri]}
          nova::keystone::auth_placement::password: {get_param: NovaPassword}
          nova::keystone::auth_placement::region: {get_param: KeystoneRegion}
        mysql:
          map_merge:
          - {get_attr: [NovaBase, role_data, service_config_settings, mysql]}
          - nova::db::mysql_placement::password: {get_param: NovaPassword}
            nova::db::mysql_placement::user: nova_placement
            nova::db::mysql_placement::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
            nova::db::mysql_placement::dbname: nova_placement
            nova::db::mysql_placement::allowed_hosts:
              - '%'
              - "%{hiera('mysql_bind_host')}"
      upgrade_tasks:
        - name: Stop nova_placement service (running under httpd)
          tags: step1
          service: name=httpd state=stopped
        # The nova placement API isn't installed in newton images, so install
        # it on upgrade
        - name: Install nova-placement packages on upgrade
          tags: step3
          yum: name=openstack-nova-placement-api state=latest