heat_template_version: wallaby description: > OpenStack containerized Designate API service parameters: ContainerDesignateApiImage: description: image type: string tags: - role_specific ContainerDesignateApiConfigImage: description: The container image to use for the designate config_volume type: string tags: - role_specific DesignateApiLoggingSource: type: json default: tag: openstack.designate.api file: /var/log/containers/designate/api.log EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. Use parameter_merge_strategies to merge it with the defaults. type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json EnableInternalTLS: type: boolean default: false DesignateWorkers: default: 0 description: Number of workers for Designate services. type: number DesignatePassword: description: The password for the Designate's database account. type: string hidden: true KeystoneRegion: type: string default: 'regionOne' description: Keystone region for endpoint MonitoringSubscriptionDesignateApi: default: 'overcloud-designate-api' type: string NeutronPassword: description: The password for the neutron service and db account, used by neutron agents. type: string hidden: true MemcacheUseAdvancedPool: type: boolean description: | Use the advanced (eventlet safe) memcached client pool. default: true DesignateApiPolicies: description: | A hash of policies to configure for Designate API. e.g. { designate-context_is_admin: { key: context_is_admin, value: 'role:admin' } } default: {} type: json EnforceSecureRbac: type: boolean default: false description: >- Setting this option to True will configure each OpenStack service to enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and `[oslo_policy] enforce_scope` to True. This introduces a consistent set of RBAC personas across OpenStack services that include support for system and project scope, as well as keystone's default roles, admin, member, and reader. Do not enable this functionality until all services in your deployment actually support secure RBAC. conditions: designate_workers_zero: {equals : [{get_param: DesignateWorkers}, 0]} designate_has_policies: not: {equals : [{get_param: DesignateApiPolicies}, {}]} resources: ContainersCommon: type: ../containers-common.yaml DesignateBase: type: ./designate-base.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} RoleParametersValue: type: OS::Heat::Value properties: type: json value: map_replace: - map_replace: - ContainerDesignateApiImage: ContainerDesignateApiImage ContainerDesignateApiConfigImage: ContainerDesignateApiConfigImage - values: {get_param: [RoleParameters]} - values: ContainerDesignateApiImage: {get_param: ContainerDesignateApiImage} ContainerDesignateApiConfigImage: {get_param: ContainerDesignateApiConfigImage} outputs: role_data: description: Role data for the Designate API role. value: service_name: designate_api firewall_rules: '139 designate api': dport: - 9001 firewall_frontend_rules: '100 designate_haproxy_frontend': dport: - 9001 firewall_ssl_frontend_rules: '100 designate_haproxy_frontend_ssl': dport: - 13001 keystone_resources: designate: endpoints: public: {get_param: [EndpointMap, DesignatePublic, uri_no_suffix]} internal: {get_param: [EndpointMap, DesignateInternal, uri_no_suffix]} admin: {get_param: [EndpointMap, DesignateAdmin, uri_no_suffix]} users: designate: password: {get_param: DesignatePassword} region: {get_param: KeystoneRegion} service: 'dns' monitoring_subscription: {get_param: MonitoringSubscriptionDesignateApi} config_settings: map_merge: - get_attr: [DesignateBase, role_data, config_settings] - designate::api::enable_proxy_headers_parsing: true designate::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] } designate::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} designate::keystone::authtoken::project_name: 'service' designate::keystone::authtoken::password: {get_param: DesignatePassword} designate::keystone::authtoken::region_name: {get_param: KeystoneRegion} designate::keystone::authtoken::interface: 'internal' designate::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool} designate::api::api_base_uri: { get_param: [EndpointMap, DesignatePublic, uri_no_suffix] } designate::api::service_name: 'httpd' designate::policy::policies: {get_param: DesignateApiPolicies} designate::policy::enforce_new_defaults: {get_param: EnforceSecureRbac} designate::policy::enforce_scope: {get_param: EnforceSecureRbac} designate::logging::log_file: '/var/log/designate/designate-api.log' designate::wsgi::apache::ssl: {get_param: EnableInternalTLS} designate::wsgi::apache::bind_host: str_replace: template: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, DesignateApiNetwork]} designate::wsgi::apache::servername: str_replace: template: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, DesignateApiNetwork]} - if: - designate_workers_zero - {} - designate::wsgi::apache::workers: {get_param: DesignateWorkers} - if: - or: - {get_param: EnforceSecureRbac} - designate_has_policies - designate::policy::enforce_new_defaults: true service_config_settings: rsyslog: tripleo_logging_sources_designate_api: - {get_param: DesignateApiLoggingSource} neutron_api: neutron::designate::password: {get_param: NeutronPassword} neutron::designate::url: {get_param: [EndpointMap, DesignateInternal, uri]} neutron::designate::auth_url: {get_param: [EndpointMap, KeystoneV3Internal, uri]} neutron::designate::project_name: 'service' # BEGIN DOCKER SETTINGS puppet_config: config_volume: designate_api puppet_tags: designate_config,designate_api_paste_ini step_config: | include tripleo::profile::base::designate::api config_image: {get_attr: [RoleParametersValue, value, ContainerDesignateApiConfigImage]} kolla_config: /var/lib/kolla/config_files/designate_api.json: command: /usr/sbin/httpd -DFOREGROUND config_files: - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d" dest: "/etc/httpd/conf.d" merge: false preserve_properties: true - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d" dest: "/etc/httpd/conf.modules.d" merge: false preserve_properties: true permissions: - path: /var/log/designate owner: designate:designate recurse: true docker_config: step_4: designate_api: start_order: 15 image: &designate_api_image {get_attr: [RoleParametersValue, value, ContainerDesignateApiImage]} net: host stop_grace_period: 300 privileged: false user: root restart: always healthcheck: test: /openstack/healthcheck volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - /var/lib/kolla/config_files/designate_api.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/designate_api:/var/lib/kolla/config_files/src:ro - /var/log/containers/designate:/var/log/designate:z - /var/log/containers/httpd/designate-api:/var/log/httpd:z - if: - {get_param: EnableInternalTLS} - - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS host_prep_tasks: - name: create persistent directories file: path: "{{ item.path }}" state: directory setype: "{{ item.setype }}" mode: "{{ item.mode }}" with_items: - { 'path': /var/log/containers/designate, 'setype': container_file_t, 'mode': '0750' } - { 'path': /var/log/containers/httpd/designate-api, 'setype': container_file_t, 'mode': '0750' }