heat_template_version: wallaby description: > OpenStack containerized Designate Central service parameters: ContainerDesignateCentralImage: description: image type: string tags: - role_specific ContainerDesignateConfigImage: description: The container image to use for the designate config_volume type: string tags: - role_specific EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. Use parameter_merge_strategies to merge it with the defaults. type: json EnableSQLAlchemyCollectd: type: boolean description: > Set to true to enable the SQLAlchemy-collectd server plugin default: false RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json DeployIdentifier: default: '' type: string description: > Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. MonitoringSubscriptionDesignateCentral: default: 'overcloud-designate-central' type: string DesignateWorkers: default: 0 description: Number of workers for Designate services. type: number DesignateMinTTL: default: 0 description: > Configure the minimum allowable TTL in seconds. The default value is 0 which leaves the parameter unset. type: number DesignatePassword: description: The password for the Designate's database account. type: string hidden: true DesignateManagedResourceEmail: description: Configure email address to be set in zone SOAs. Leaving unset results in service defaults being used. type: string default: '' DesignateBindNSRecords: description: > Used to configure NS records and SOA record of zones managed by designate with bind servers managed type: comma_delimited_list default: ['ns1.example.org.', 'ns2.example.org.', 'ns3.example.org.'] DesignateRndcKey: description: The rndc key secret for communication with BIND. type: string hidden: true DesignateMdnsProxyBasePort: description: Configure the base port for the MiniDNS proxy endpoints on the external/public access network. type: number default: 16000 DesignateExternalBindServers: description: > Used to configure desginate with bind servers managed externally to the overcloud. Example format: [ { # entry with minimal required values "host": "10.4.22.99", "rndc_key": "FJOdVqZr5gVXbU9kIagY0IJVDq7CV/mDVb/M7mlLMgY=" }, { "host": "10.5.22.99", "port": "53", "rndc_host": "10.5.22.98", "rndc_port": "953", "rndc_key": "FJOdVqZr5gVXbU9kIagY0IJVDq7CV/mDVb/M7mlLMgY=" } ] type: json default: [] hidden: true RedisPassword: description: The password for the redis service account. type: string hidden: true DesignateApiPolicies: description: | A hash of policies to configure for Designate API. e.g. { designate-context_is_admin: { key: context_is_admin, value: 'role:admin' } } default: {} type: json EnforceSecureRbac: type: boolean default: false description: >- Setting this option to True will configure each OpenStack service to enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and `[oslo_policy] enforce_scope` to True. This introduces a consistent set of RBAC personas across OpenStack services that include support for system and project scope, as well as keystone's default roles, admin, member, and reader. Do not enable this functionality until all services in your deployment actually support secure RBAC. conditions: designate_workers_set: not: {equals : [{get_param: DesignateWorkers}, 0]} designate_min_ttl_set: not: {equals : [{get_param: DesignateMinTTL}, 0]} enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]} designate_resource_email_set : not: {equals : [{get_param: DesignateManagedResourceEmail}, '']} designate_has_policies: not: {equals : [{get_param: DesignateApiPolicies}, {}]} resources: ContainersCommon: type: ../containers-common.yaml MySQLClient: type: ../database/mysql-client.yaml DesignateBase: type: ./designate-base.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} RoleParametersValue: type: OS::Heat::Value properties: type: json value: map_replace: - map_replace: - ContainerDesignateCentralImage: ContainerDesignateCentralImage ContainerDesignateConfigImage: ContainerDesignateConfigImage - values: {get_param: [RoleParameters]} - values: ContainerDesignateCentralImage: {get_param: ContainerDesignateCentralImage} ContainerDesignateConfigImage: {get_param: ContainerDesignateConfigImage} outputs: role_data: description: Role data for the Designate Central role. value: service_name: designate_central monitoring_subscription: {get_param: MonitoringSubscriptionDesignateCentral} config_settings: map_merge: - get_attr: [DesignateBase, role_data, config_settings] - designate_redis_password: {get_param: RedisPassword} designate::policy::policies: {get_param: DesignateApiPolicies} designate::db::database_connection: make_url: scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} username: designate password: {get_param: DesignatePassword} host: {get_param: [EndpointMap, MysqlInternal, host]} path: /designate query: if: - enable_sqlalchemy_collectd - read_default_file: /etc/my.cnf.d/tripleo.cnf read_default_group: tripleo plugin: collectd collectd_program_name: designate collectd_host: localhost - read_default_file: /etc/my.cnf.d/tripleo.cnf read_default_group: tripleo designate::central::workers: if: - designate_workers_set - {get_param: DesignateWorkers} designate::central::min_ttl: if: - designate_min_ttl_set - {get_param: DesignateMinTTL} - if: - or: - {get_param: EnforceSecureRbac} - designate_has_policies - designate::policy::enforce_new_defaults: true - if: - designate_resource_email_set - designate::central::managed_resource_email: {get_param: DesignateManagedResourceEmail} service_config_settings: mysql: designate::db::mysql::password: {get_param: DesignatePassword} designate::db::mysql::user: designate designate::db::mysql::host: '%' designate::db::mysql::dbname: designate # BEGIN DOCKER SETTINGS puppet_config: config_volume: designate puppet_tags: designate_config step_config: list_join: - "\n" - - {get_attr: [DesignateBase, role_data, step_config]} - "include tripleo::profile::base::designate::central" - {get_attr: [MySQLClient, role_data, step_config]} config_image: {get_attr: [RoleParametersValue, value, ContainerDesignateConfigImage]} kolla_config: /var/lib/kolla/config_files/designate_central.json: command: /usr/bin/designate-central --config-file=/etc/designate/designate.conf --log-file=/var/log/designate/central.log config_files: &designate_central_config_files - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true permissions: &designate_central_permissions - path: /var/log/designate owner: designate:designate recurse: true /var/lib/kolla/config_files/designate_central_db_sync.json: command: "/usr/bin/bootstrap_host_exec designate_central su designate -s /bin/bash -c 'designate-manage --config-file /etc/designate/designate.conf database sync'" config_files: *designate_central_config_files permissions: *designate_central_permissions /var/lib/kolla/config_files/designate_central_pool_manage.json: command: "/usr/bin/bootstrap_host_exec designate_central su designate -s /bin/bash -c '/bin/designate-manage pool update'" config_files: *designate_central_config_files permissions: *designate_central_permissions deploy_steps_tasks: - name: generate designate pool when: step|int == 4 import_role: name: designate_bind_pool vars: alternate_bind: true designate_bind_pool_ns_records: {get_param: DesignateBindNSRecords} designate_rndc_key: {get_param: DesignateRndcKey} minidns_proxy_base_port: {get_param: DesignateMdnsProxyBasePort} tripleo_external_bind_servers: {get_param: DesignateExternalBindServers} docker_config: # db sync runs before permissions set by kolla_config step_2: designate_init_logs: image: &designate_central_image {get_attr: [RoleParametersValue, value, ContainerDesignateCentralImage]} net: none privileged: false user: root volumes: - /var/log/containers/designate:/var/log/designate:z command: ['/bin/bash', '-c', 'chown -R designate:designate /var/log/designate'] step_3: designate_db_sync: image: *designate_central_image cap_add: - AUDIT_WRITE net: host privileged: false detach: false user: root volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - /run:/run - /var/lib/kolla/config_files/designate_central_db_sync.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/designate:/var/lib/kolla/config_files/src:ro - /var/log/containers/designate:/var/log/designate:z environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier} step_4: designate_central: image: *designate_central_image net: host privileged: false stop_grace_period: 300 restart: always healthcheck: test: /openstack/healthcheck volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - /run:/run - /var/lib/kolla/config_files/designate_central.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/designate:/var/lib/kolla/config_files/src:ro - /var/log/containers/designate:/var/log/designate:z environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS step_5: designate_pool_manage: image: *designate_central_image net: host privileged: false detach: false user: root volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - /run:/run - /var/lib/kolla/config_files/designate_central_pool_manage.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/designate:/var/lib/kolla/config_files/src:ro - /var/log/containers/designate:/var/log/designate:z environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS host_prep_tasks: - name: create persistent directories file: path: "{{ item.path }}" state: directory setype: "{{ item.setype }}" mode: "{{ item.mode }}" with_items: - { 'path': /var/log/containers/designate, 'setype': container_file_t, 'mode': '0750' } upgrade_tasks: - name: pre-check to ensure redis is removed if the service is disabled when: - step|int == 0 - '"redis" not in enabled_services|list' - '"pacemaker" in enabled_services|list' become: true shell: | export CIB_file=/var/lib/pacemaker/cib/cib.xml if crm_resource -r redis-bundle -q &>/dev/null; then echo "Redis resource present in pacemaker but disabled by default in TripleO" >&2 echo "Delete the resource in pacemaker or enable the redis service before upgrading" >&2 exit 1 fi