[apex-tripleo-heat-templates.git] / puppet / services / swift-proxy.yaml
# Heat template (format version "pike") for the Swift proxy service; per the
# description below, the service is configured with Puppet.
1 heat_template_version: pike
2
3 description: >
4   OpenStack Swift Proxy service configured with Puppet
5
# Inputs accepted by this service template. The two password parameters
# (SwiftPassword, RabbitPassword) have no default and are marked `hidden: true`;
# every other parameter carries a default.
6 parameters:
7   ServiceNetMap:
8     default: {}
9     description: Mapping of service_name -> network name. Typically set
10                  via parameter_defaults in the resource registry.  This
11                  mapping overrides those in ServiceNetMapDefaults.
12     type: json
     # Only passed through to the SwiftBase and TLSProxyBase resources; not read
     # directly in this template.
13   DefaultPasswords:
14     default: {}
15     type: json
16   RoleName:
17     default: ''
18     description: Role name on which the service is applied
19     type: string
20   RoleParameters:
21     default: {}
22     description: Parameters specific to the role
23     type: json
24   EndpointMap:
25     default: {}
26     description: Mapping of service endpoint -> protocol. Typically set
27                  via parameter_defaults in the resource registry.
28     type: json
     # NOTE(review): Debug is declared but no get_param in the part of the
     # template visible here reads it.
29   Debug:
30     default: ''
31     description: Set to True to enable debugging on all services.
32     type: string
     # Service-account secret. `hidden: true` asks Heat to mask the value when
     # stack parameters are displayed. The same value is consumed three times
     # under outputs (authtoken password, ceilometer password and
     # swift::keystone::auth::password), so exposure of any one of those
     # rendered settings exposes the credential used by all of them.
33   SwiftPassword:
34     description: The password for the swift service account, used by the swift proxy services.
35     type: string
36     hidden: true
37   SwiftProxyNodeTimeout:
38     default: 60
39     description: Timeout for requests going from swift-proxy to swift a/c/o services.
40     type: number
41   SwiftWorkers:
42     default: auto
43     description: Number of workers for Swift service.
44     type: string
45   KeystoneRegion:
46     type: string
47     default: 'regionOne'
48     description: Keystone region for endpoint
49   MonitoringSubscriptionSwiftProxy:
50     default: 'overcloud-swift-proxy'
51     type: string
     # Messaging secret, masked like SwiftPassword; it is rendered into
     # swift::proxy::ceilometer::rabbit_password under outputs.
52   RabbitPassword:
53     description: The password for RabbitMQ
54     type: string
55     hidden: true
     # NOTE(review): `guest` is RabbitMQ's stock account name; consider
     # overriding the default with a dedicated messaging user.
56   RabbitUserName:
57     default: guest
58     description: The username for RabbitMQ
59     type: string
60   SwiftCeilometerPipelineEnabled:
61     description: Set to False to disable the swift proxy ceilometer pipeline.
62     default: True
63     type: boolean
64   SwiftCeilometerIgnoreProjects:
65     default: ['services']
66     description: Comma-seperated list of project names to ignore.
67     type: comma_delimited_list
     # The defaults of RabbitClientPort and RabbitClientUseSSL together describe
     # a non-SSL messaging connection (port 5672, SSL off). The port description
     # says to change it when SSL is used, so the two need to be set together.
68   RabbitClientPort:
69     default: 5672
70     description: Set rabbit subscriber port, change this if using SSL
71     type: number
     # NOTE(review): declared as `type: string` although the default is the bare
     # word false; how the Puppet side interprets the resulting value is not
     # visible here — confirm.
72   RabbitClientUseSSL:
73     default: false
74     description: >
75         Rabbit client subscriber parameter to specify
76         an SSL connection to the RabbitMQ host.
77     type: string
     # Feeds the use_tls_proxy condition. With the default (false) the proxy
     # binds directly to the SwiftProxyNetwork address instead of localhost
     # (see swift::proxy::proxy_local_net_ip under outputs).
78   EnableInternalTLS:
79     type: boolean
80     default: false
81
# Named conditions used by the `if` functions under outputs.
82 conditions:
83
     # True when SwiftCeilometerPipelineEnabled is True; decides whether
     # 'ceilometer' is included in the proxy pipeline.
84   ceilometer_pipeline_enabled: {equals : [{get_param: SwiftCeilometerPipelineEnabled}, True]}
     # True when EnableInternalTLS is true; decides whether Swift binds to
     # localhost (behind the TLS proxy) or to the service network address.
85   use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
86
# Nested templates whose role_data is merged into this service's outputs.
87 resources:
     # Shared Swift settings from the sibling template; receives the generic
     # maps, including DefaultPasswords, unchanged.
88   SwiftBase:
89     type: ./swift-base.yaml
90     properties:
91       ServiceNetMap: {get_param: ServiceNetMap}
92       DefaultPasswords: {get_param: DefaultPasswords}
93       EndpointMap: {get_param: EndpointMap}
94       RoleName: {get_param: RoleName}
95       RoleParameters: {get_param: RoleParameters}
96
     # Resolved through the resource registry (OS::TripleO::... type), so the
     # implementation behind it is not visible in this file. Its config_settings
     # and metadata_settings are both consumed under outputs.
97   TLSProxyBase:
98     type: OS::TripleO::Services::TLSProxyBase
99     properties:
100       ServiceNetMap: {get_param: ServiceNetMap}
101       DefaultPasswords: {get_param: DefaultPasswords}
102       EndpointMap: {get_param: EndpointMap}
103       EnableInternalTLS: {get_param: EnableInternalTLS}
104
# role_data is the single output: the settings, step config and upgrade task
# that describe the swift_proxy service.
105 outputs:
106   role_data:
107     description: Role data for the Swift proxy service.
108     value:
109       service_name: swift_proxy
110       monitoring_subscription: {get_param: MonitoringSubscriptionSwiftProxy}
          # Settings from SwiftBase and TLSProxyBase are merged with the
          # proxy-specific map below; with map_merge, later maps win on
          # duplicate keys, so the literal map here has the final say.
111       config_settings:
112         map_merge:
113           - get_attr: [SwiftBase, role_data, config_settings]
114           - get_attr: [TLSProxyBase, role_data, config_settings]
                # Token validation goes to the KeystoneInternal endpoint. The
                # hidden SwiftPassword is rendered into these settings in clear
                # form (here and again for ceilometer below). NOTE(review): where
                # the rendered settings are stored on the node is not visible
                # here — confirm that location is access-restricted.
115           - swift::proxy::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
116             swift::proxy::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
117             swift::proxy::authtoken::password: {get_param: SwiftPassword}
118             swift::proxy::authtoken::project_name: 'service'
119             swift::proxy::node_timeout: {get_param: SwiftProxyNodeTimeout}
120             swift::proxy::workers: {get_param: SwiftWorkers}
121             swift::proxy::ceilometer::rabbit_user: {get_param: RabbitUserName}
122             swift::proxy::ceilometer::rabbit_password: {get_param: RabbitPassword}
123             swift::proxy::ceilometer::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
124             swift::proxy::ceilometer::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
125             swift::proxy::ceilometer::password: {get_param: SwiftPassword}
126             swift::proxy::ceilometer::ignore_projects: {get_param: SwiftCeilometerIgnoreProjects}
127             swift::proxy::staticweb::url_base: {get_param: [EndpointMap, SwiftPublic, uri_no_suffix]}
128             swift::proxy::ceilometer::nonblocking_notify: true
129             tripleo::profile::base::swift::proxy::rabbit_port: {get_param: RabbitClientPort}
130             tripleo::profile::base::swift::proxy::ceilometer_messaging_use_ssl: {get_param: RabbitClientUseSSL}
131             tripleo::profile::base::swift::proxy::ceilometer_enabled: {get_param: SwiftCeilometerPipelineEnabled}
                # Opens destination ports 8080 and 13808 for the proxy. No
                # source restriction is expressed in this rule. NOTE(review):
                # 13808 is presumably the TLS-terminated public endpoint —
                # confirm.
132             tripleo.swift_proxy.firewall_rules:
133               '122 swift proxy':
134                 dport:
135                   - 8080
136                   - 13808
                # Keystone roles that Swift treats as operators. The same three
                # roles are repeated under service_config_settings.keystone
                # below; the two lists are maintained separately.
137             swift::proxy::keystone::operator_roles:
138               - admin
139               - swiftoperator
140               - ResellerAdmin
141             swift::proxy::versioned_writes::allow_versioned_writes: true
                # Middleware order for the proxy. The yaql expression drops the
                # '' entry that the `if` below yields when the ceilometer
                # pipeline is disabled. NOTE(review): tempurl and formpost sit
                # before authtoken/keystone; in Swift these middlewares admit
                # requests by signature rather than by Keystone token, so
                # temp-URL keys should be handled as credentials. ratelimit is
                # in the pipeline, but no limits are set in the settings visible
                # here.
142             swift::proxy::pipeline:
143               yaql:
144                 expression: $.data.pipeline.where($ != '')
145                 data:
146                   pipeline:
147                   - 'catch_errors'
148                   - 'healthcheck'
149                   - 'proxy-logging'
150                   - 'cache'
151                   - 'ratelimit'
152                   - 'bulk'
153                   - 'tempurl'
154                   - 'formpost'
155                   - 'authtoken'
156                   - 'keystone'
157                   - 'staticweb'
158                   - 'copy'
159                   - 'container_quotas'
160                   - 'account_quotas'
161                   - 'slo'
162                   - 'dlo'
163                   - 'versioned_writes'
164                   -
165                     if:
166                     - ceilometer_pipeline_enabled
167                     - 'ceilometer'
168                     - ''
169                   - 'proxy-logging'
170                   - 'proxy-server'
171             swift::proxy::ceilometer::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
                # NOTE(review): with autocreate on, Swift creates an account on
                # first authorized use instead of requiring explicit
                # provisioning (Swift behaviour, not shown in this file).
172             swift::proxy::account_autocreate: true
173             # NOTE: bind IP is found in Heat replacing the network name with the
174             # local node IP for the given network; replacement examples
175             # (eg. for internal_api):
176             # internal_api -> IP
177             # internal_api_uri -> [IP]
178             # internal_api_subnet - > IP/CIDR
179             tripleo::profile::base::swift::proxy::tls_proxy_bind_ip:
180               get_param: [ServiceNetMap, SwiftProxyNetwork]
181             tripleo::profile::base::swift::proxy::tls_proxy_fqdn:
182               str_replace:
183                 template:
184                   "%{hiera('fqdn_$NETWORK')}"
185                 params:
186                   $NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
                # The TLS proxy port and swift::proxy::port both read the
                # SwiftInternal port, so the two listeners share a port number
                # and differ only in bind address.
187             tripleo::profile::base::swift::proxy::tls_proxy_port:
188               get_param: [EndpointMap, SwiftInternal, port]
189             swift::proxy::port: {get_param: [EndpointMap, SwiftInternal, port]}
                # With use_tls_proxy true, Swift binds to localhost and the TLS
                # proxy settings above front it on the service network;
                # otherwise Swift binds straight to the SwiftProxyNetwork
                # address. NOTE(review): in the second case internal traffic to
                # the proxy is presumably unencrypted — confirm.
190             swift::proxy::proxy_local_net_ip:
191               if:
192               - use_tls_proxy
193               - 'localhost'
194               - {get_param: [ServiceNetMap, SwiftProxyNetwork]}
          # Puppet manifest fragment applied for this service.
195       step_config: |
196         include ::tripleo::profile::base::swift::proxy
          # Settings handed to the keystone service to register Swift: endpoint
          # URLs, the service user's password (SwiftPassword again), region and
          # tenant. S3 endpoint URLs are supplied, but configure_s3_endpoint is
          # false.
197       service_config_settings:
198         keystone:
199           swift::keystone::auth::public_url: {get_param: [EndpointMap, SwiftPublic, uri]}
200           swift::keystone::auth::internal_url: {get_param: [EndpointMap, SwiftInternal, uri]}
201           swift::keystone::auth::admin_url: {get_param: [EndpointMap, SwiftAdmin, uri]}
202           swift::keystone::auth::public_url_s3: {get_param: [EndpointMap, SwiftS3Public, uri]}
203           swift::keystone::auth::internal_url_s3: {get_param: [EndpointMap, SwiftS3Internal, uri]}
204           swift::keystone::auth::admin_url_s3: {get_param: [EndpointMap, SwiftS3Admin, uri]}
205           swift::keystone::auth::password: {get_param: SwiftPassword}
206           swift::keystone::auth::region: {get_param: KeystoneRegion}
207           swift::keystone::auth::tenant: 'service'
208           swift::keystone::auth::configure_s3_endpoint: false
209           swift::keystone::auth::operator_roles:
210             - admin
211             - swiftoperator
212             - ResellerAdmin
          # Single upgrade task, tagged step1, that stops the
          # openstack-swift-proxy service.
213       upgrade_tasks:
214         - name: Stop swift_proxy service
215           tags: step1
216           service: name=openstack-swift-proxy state=stopped
          # Passed through unchanged from TLSProxyBase.
217       metadata_settings:
218         get_attr: [TLSProxyBase, role_data, metadata_settings]