Merge "New environment file to configure containers."
[apex-tripleo-heat-templates.git] / puppet / services / swift-proxy.yaml
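# TripleO composable-service template for the OpenStack Swift proxy.
# It publishes `role_data` (Puppet hieradata, the Puppet manifest step,
# Keystone registration data and upgrade tasks) for the role that runs it.
heat_template_version: pike

description: >
  OpenStack Swift Proxy service configured with Puppet

parameters:
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  # NOTE(review): unlike SwiftPassword and RabbitPassword this map is not
  # marked `hidden`. It is only forwarded to the nested templates here;
  # confirm what it carries before treating stack parameters as non-secret.
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  # Declared for interface compatibility; nothing in the visible template
  # reads it.
  Debug:
    default: ''
    description: Set to True to enable debugging on all services.
    type: string
  # No default, so the deployer must supply it. `hidden: true` asks Heat to
  # mask the value in its output. The same secret is reused below for the
  # authtoken middleware, the Ceilometer middleware and the Keystone service
  # user, so rotating it affects all three.
  SwiftPassword:
    description: The password for the swift service account, used by the swift proxy services.
    type: string
    hidden: true
  SwiftProxyNodeTimeout:
    default: 60
    description: Timeout for requests going from swift-proxy to swift a/c/o services.
    type: number
  SwiftWorkers:
    default: auto
    description: Number of workers for Swift service.
    type: string
  KeystoneRegion:
    type: string
    default: 'regionOne'
    description: Keystone region for endpoint
  MonitoringSubscriptionSwiftProxy:
    default: 'overcloud-swift-proxy'
    type: string
  # Only consumed when the Ceilometer pipeline is enabled. Masked like
  # SwiftPassword.
  RabbitPassword:
    description: The password for RabbitMQ
    type: string
    hidden: true
  # `guest` is RabbitMQ's built-in default account name; prefer a dedicated
  # account for the Ceilometer middleware rather than relying on the default.
  RabbitUserName:
    default: guest
    description: The username for RabbitMQ
    type: string
  SwiftCeilometerPipelineEnabled:
    description: Set to False to disable the swift proxy ceilometer pipeline.
    default: false
    type: boolean
  SwiftCeilometerIgnoreProjects:
    default: ['service']
    description: Comma-separated list of project names to ignore.
    type: comma_delimited_list
  # 5672 is the default here; the description asks for a different port
  # when SSL is in use, so keep this in step with RabbitClientUseSSL.
  RabbitClientPort:
    default: 5672
    description: Set rabbit subscriber port, change this if using SSL
    type: number
  # Declared as a string although the default is the boolean literal
  # `false`. With the default, the RabbitMQ connection that carries
  # RabbitUserName/RabbitPassword is configured without SSL.
  RabbitClientUseSSL:
    default: false
    description: >
        Rabbit client subscriber parameter to specify
        an SSL connection to the RabbitMQ host.
    type: string
  # Drives the `use_tls_proxy` condition: when true the Swift proxy is told
  # to bind to localhost; when false it binds directly to the address of
  # the network named by ServiceNetMap/SwiftProxyNetwork.
  EnableInternalTLS:
    type: boolean
    default: false
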
conditions:

  # True only when the Ceilometer middleware has been switched on; gates both
  # the RabbitMQ/Keystone credentials block and the 'ceilometer' pipeline
  # entry in the outputs section.
  ceilometer_pipeline_enabled:
    equals:
      - get_param: SwiftCeilometerPipelineEnabled
      - true
  # True when internal TLS is requested; selects the localhost bind address
  # for the Swift proxy in the outputs section.
  use_tls_proxy:
    equals:
      - get_param: EnableInternalTLS
      - true

resources:
  # Nested template shared by the Swift services; its config_settings are
  # the first layer merged into this service's hieradata.
  SwiftBase:
    type: ./swift-base.yaml
    properties:
      ServiceNetMap:
        get_param: ServiceNetMap
      DefaultPasswords:
        get_param: DefaultPasswords
      EndpointMap:
        get_param: EndpointMap
      RoleName:
        get_param: RoleName
      RoleParameters:
        get_param: RoleParameters

  # Resolved through the resource registry. Supplies extra config_settings
  # and the metadata_settings that this template re-exports.
  TLSProxyBase:
    type: OS::TripleO::Services::TLSProxyBase
    properties:
      ServiceNetMap:
        get_param: ServiceNetMap
      DefaultPasswords:
        get_param: DefaultPasswords
      EndpointMap:
        get_param: EndpointMap
      EnableInternalTLS:
        get_param: EnableInternalTLS

outputs:
  role_data:
    description: Role data for the Swift proxy service.
    value:
      service_name: swift_proxy
      monitoring_subscription:
        get_param: MonitoringSubscriptionSwiftProxy
      # Hieradata for the node running the proxy. The maps are merged in
      # order, so entries further down win over SwiftBase/TLSProxyBase.
      config_settings:
        map_merge:
          - get_attr: [SwiftBase, role_data, config_settings]
          - get_attr: [TLSProxyBase, role_data, config_settings]
          # Keystone authtoken middleware: talks to the internal Keystone
          # endpoint as the swift service user in the 'service' project.
          - swift::proxy::authtoken::auth_uri:
              get_param: [EndpointMap, KeystoneInternal, uri]
            swift::proxy::authtoken::auth_url:
              get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
            swift::proxy::authtoken::password:
              get_param: SwiftPassword
            swift::proxy::authtoken::project_name: 'service'
            swift::proxy::node_timeout:
              get_param: SwiftProxyNodeTimeout
            swift::proxy::workers:
              get_param: SwiftWorkers
          # Ceilometer middleware settings are emitted only when the pipeline
          # is enabled, so the RabbitMQ credentials stay out of the hieradata
          # otherwise. It reuses SwiftPassword for its Keystone login.
          - if:
              - ceilometer_pipeline_enabled
              - swift::proxy::ceilometer::rabbit_user:
                  get_param: RabbitUserName
                swift::proxy::ceilometer::rabbit_password:
                  get_param: RabbitPassword
                swift::proxy::ceilometer::auth_uri:
                  get_param: [EndpointMap, KeystoneInternal, uri]
                swift::proxy::ceilometer::auth_url:
                  get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
                swift::proxy::ceilometer::password:
                  get_param: SwiftPassword
                swift::proxy::ceilometer::ignore_projects:
                  get_param: SwiftCeilometerIgnoreProjects
                swift::proxy::ceilometer::nonblocking_notify: true
                swift::proxy::ceilometer::rabbit_use_ssl:
                  get_param: RabbitClientUseSSL
              - {}
          - swift::proxy::staticweb::url_base:
              get_param: [EndpointMap, SwiftPublic, uri_no_suffix]
            tripleo::profile::base::swift::proxy::rabbit_port:
              get_param: RabbitClientPort
            tripleo::profile::base::swift::proxy::ceilometer_messaging_use_ssl:
              get_param: RabbitClientUseSSL
            tripleo::profile::base::swift::proxy::ceilometer_enabled:
              get_param: SwiftCeilometerPipelineEnabled
            # Firewall rule for the proxy ports on this node.
            # NOTE(review): 8080 is presumably the plain proxy listener and
            # 13808 the TLS front end; confirm against EndpointMap.
            tripleo.swift_proxy.firewall_rules:
              '122 swift proxy':
                dport: [8080, 13808]
            # NOTE(review): these look like the roles the keystone middleware
            # accepts as account operators; confirm against the Puppet
            # module. The same list is registered with Keystone below, so
            # keep the two in step.
            swift::proxy::keystone::operator_roles: [admin, swiftoperator, ResellerAdmin]
            swift::proxy::versioned_writes::allow_versioned_writes: true
            # Middleware pipeline, in execution order; the yaql filter drops
            # the empty placeholder left when Ceilometer is disabled.
            # tempurl and formpost sit ahead of authtoken/keystone, so they
            # see a request before the Keystone token middleware does.
            # ratelimit is listed, but no limits are set in this template.
            swift::proxy::pipeline:
              yaql:
                expression: $.data.pipeline.where($ != '')
                data:
                  pipeline:
                    - 'catch_errors'
                    - 'healthcheck'
                    - 'proxy-logging'
                    - 'cache'
                    - 'ratelimit'
                    - 'bulk'
                    - 'tempurl'
                    - 'formpost'
                    - 'authtoken'
                    - 'keystone'
                    - 'staticweb'
                    - 'copy'
                    - 'container_quotas'
                    - 'account_quotas'
                    - 'slo'
                    - 'dlo'
                    - 'versioned_writes'
                    - if:
                        - ceilometer_pipeline_enabled
                        - 'ceilometer'
                        - ''
                    - 'proxy-logging'
                    - 'proxy-server'
            swift::proxy::account_autocreate: true
            # NOTE: Heat resolves the bind IP by replacing the network name
            # with this node's address on that network. Replacement examples
            # (e.g. for internal_api):
            #   internal_api        -> IP
            #   internal_api_uri    -> [IP]
            #   internal_api_subnet -> IP/CIDR
            tripleo::profile::base::swift::proxy::tls_proxy_bind_ip:
              get_param: [ServiceNetMap, SwiftProxyNetwork]
            tripleo::profile::base::swift::proxy::tls_proxy_fqdn:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK:
                    get_param: [ServiceNetMap, SwiftProxyNetwork]
            tripleo::profile::base::swift::proxy::tls_proxy_port:
              get_param: [EndpointMap, SwiftInternal, port]
            swift::proxy::port:
              get_param: [EndpointMap, SwiftInternal, port]
            # With internal TLS the Swift proxy is given 'localhost' as its
            # bind address and the TLS proxy gets the SwiftProxyNetwork
            # address set above; without it Swift binds to that address.
            swift::proxy::proxy_local_net_ip:
              if:
                - use_tls_proxy
                - 'localhost'
                - get_param: [ServiceNetMap, SwiftProxyNetwork]
      step_config: |
        include ::tripleo::profile::base::swift::proxy
      # Settings delivered to the node that runs Keystone: the Swift
      # endpoints and the swift service user (same SwiftPassword as above).
      # The S3 URLs are passed but S3 endpoint creation is turned off.
      service_config_settings:
        keystone:
          swift::keystone::auth::public_url:
            get_param: [EndpointMap, SwiftPublic, uri]
          swift::keystone::auth::internal_url:
            get_param: [EndpointMap, SwiftInternal, uri]
          swift::keystone::auth::admin_url:
            get_param: [EndpointMap, SwiftAdmin, uri]
          swift::keystone::auth::public_url_s3:
            get_param: [EndpointMap, SwiftS3Public, uri]
          swift::keystone::auth::internal_url_s3:
            get_param: [EndpointMap, SwiftS3Internal, uri]
          swift::keystone::auth::admin_url_s3:
            get_param: [EndpointMap, SwiftS3Admin, uri]
          swift::keystone::auth::password:
            get_param: SwiftPassword
          swift::keystone::auth::region:
            get_param: KeystoneRegion
          swift::keystone::auth::tenant: 'service'
          swift::keystone::auth::configure_s3_endpoint: false
          swift::keystone::auth::operator_roles: [admin, swiftoperator, ResellerAdmin]
      # Ansible task run at upgrade step1: stop the proxy service.
      upgrade_tasks:
        - name: Stop swift_proxy service
          tags: step1
          service: name=openstack-swift-proxy state=stopped
      metadata_settings:
        get_attr: [TLSProxyBase, role_data, metadata_settings]