{"heat_template_version": "wallaby", "description": "Qpid dispatch router service for metrics and monitoring purposes\n", "parameters": {"ContainerMetricsQdrImage": {"description": "image", "type": "string", "tags": ["role_specific"]}, "ContainerMetricsQdrConfigImage": {"description": "The container image to use for the qdrouterd config_volume", "type": "string", "tags": ["role_specific"]}, "ServiceData": {"default": {}, "description": "Dictionary packing service data", "type": "json"}, "ServiceNetMap": {"default": {}, "description": "Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. Use parameter_merge_strategies to merge it with the defaults.", "type": "json"}, "RoleName": {"default": "", "description": "Role name on which the service is applied", "type": "string"}, "RoleParameters": {"default": {}, "description": "Parameters specific to the role", "type": "json"}, "EndpointMap": {"default": {}, "description": "Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry.", "type": "json"}, "MonitoringSubscriptionQdr": {"default": "overcloud-qdr", "type": "string"}, "MetricsQdrLoggingSource": {"type": "json", "default": {"tag": "openstack.nova.consoleauth", "file": "/var/log/containers/metrics_qdr/metrics_qdr.log", "startmsg.regex": "^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}(.[0-9]+ \\\\+[0-9]+)? [A-Z]+ \\\\([a-z]+\\\\) "}}, "MetricsQdrPort": {"default": 5666, "description": "Service name or port number on which the qdrouterd will accept connections.", "type": "number"}, "MetricsQdrUsername": {"default": "guest", "description": "Username which should be used to authenticate to the deployed qdrouterd.", "type": "string"}, "MetricsQdrPassword": {"default": "guest", "description": "Password which should be used to authenticate to the deployed qdrouterd.", "type": "string", "hidden": true}, "MetricsQdrConnectors": {"default": [], "description": "Connectors configuration (array of hashes).", "type": "json"}, "MetricsQdrSSLProfiles": {"default": [{"name": "sslProfile"}], "description": "SSL Profiles for the connectors (array of hashes).", "type": "json"}, "MetricsQdrAddresses": {"default": [{"prefix": "collectd", "distribution": "multicast"}, {"prefix": "ceilometer/metering.sample", "distribution": "multicast"}, {"prefix": "ceilometer/event.sample", "distribution": "multicast"}], "description": "Addresses configuration (array of hashes).", "type": "json"}, "MetricsQdrAutoLinks": {"default": [], "description": "AutoLinks for the Configured Addresses", "type": "json"}, "MetricsQdrUseSSL": {"default": false, "description": "Set to true if it is required to use SSL or TLS on the connection for the local listener. !WARNING! Currently breaks connections from collectd and ceilometer.", "type": "boolean"}, "MetricsQdrUseEncryption": {"default": false, "description": "Set to true if it is required to encrypt connection to the peer for listener. Not currently implemented, use EnableInternalTLS instead. This option can be ignored.", "type": "boolean"}, "MetricsQdrSaslMechanisms": {"default": "ANONYMOUS", "description": "List of accepted SASL auth mechanisms for listener in format of comma separated list.", "type": "string"}, "MetricsQdrSslCertDb": {"default": "/etc/ipa/ca.crt", "description": "Path to SSL certificate db for listener.", "type": "string"}, "MetricsQdrSslCertFile": {"default": "/etc/pki/tls/certs/metrics_qdr.crt", "description": "Path to SSL certificate file for listener.", "type": "string"}, "MetricsQdrSslKeyFile": {"default": "/etc/pki/tls/private/metrics_qdr.key", "description": "Path to SSL private key file for listener.", "type": "string"}, "MetricsQdrSslPwFile": {"default": "", "description": "Path to SSL password file for certificate key for listener.", "type": "string"}, "MetricsQdrSslPassword": {"default": "", "description": "SSL password to be supplied for listener.", "type": "string"}, "MetricsQdrTrustedCerts": {"default": "", "description": "Path to file containing trusted certificates for listener.", "type": "string"}, "MetricsQdrAuthenticateClient": {"default": false, "description": "Authenticate the client using SSL/TLS", "type": "boolean"}, "MetricsQdrExternalEndpoint": {"default": false, "description": "Whether QDR should listen on external network interface. To enable listening on external network one must deploy QDRs in mesh mode.", "type": "boolean"}, "InternalTLSCAFile": {"default": "/etc/ipa/ca.crt", "type": "string", "description": "Specifies the default CA cert to use if TLS is used for services in the internal network."}, "EnableInternalTLS": {"type": "boolean", "default": false}, "EnableSTF": {"default": false, "description": "Set to true to enable configuration for STF client.", "type": "boolean"}, "CertificateKeySize": {"type": "string", "default": "2048", "description": "Specifies the private key size used when creating the certificate."}, "QdrCertificateKeySize": {"type": "string", "default": "", "description": "Override the private key size used when creating the certificate for this service"}}, "conditions": {"internal_tls_enabled": {"equals": [{"get_param": "EnableInternalTLS"}, true]}, "listener_ssl_enabled": {"equals": [{"get_param": "MetricsQdrUseSSL"}, true]}, "enable_stf": {"equals": [{"get_param": "EnableSTF"}, true]}, "key_size_override_unset": {"equals": [{"get_param": "QdrCertificateKeySize"}, ""]}}, "resources": {"ContainersCommon": {"type": "file:///usr/share/openstack-tripleo-heat-templates/deployment/containers-common.yaml"}, "RoleParametersValue": {"type": "OS::Heat::Value", "properties": {"type": "json", "value": {"map_replace": [{"map_replace": [{"ContainerMetricsQdrImage": "ContainerMetricsQdrImage", "ContainerMetricsQdrConfigImage": "ContainerMetricsQdrConfigImage"}, {"values": {"get_param": ["RoleParameters"]}}]}, {"values": {"ContainerMetricsQdrImage": {"get_param": "ContainerMetricsQdrImage"}, "ContainerMetricsQdrConfigImage": {"get_param": "ContainerMetricsQdrConfigImage"}}}]}}}}, "outputs": {"role_data": {"description": "Role data for the metrics Qdr role.", "value": {"service_name": "metrics_qdr", "firewall_rules": {"map_merge": [{"109 metrics qdr": {"dport": [{"get_param": "MetricsQdrPort"}]}}, {"map_merge": {"repeat": {"for_each": {"<%net_cidr%>": {"get_param": ["ServiceData", "net_cidr_map", "ctlplane"]}}, "template": {"109 accept internal metrics qdr ctlplane subnet <%net_cidr%>": {"dport": [5667, 5668]}}}}}]}, "monitoring_subscription": {"get_param": "MonitoringSubscriptionQdr"}, "service_config_settings": {"rsyslog": {"tripleo_logging_sources_metrics_qdr": [{"get_param": "MetricsQdrLoggingSource"}]}}, "config_settings": {"map_merge": [{"tripleo::profile::base::metrics::qdr::listener_addr": {"str_replace": {"template": "%{hiera('$NETWORK')}", "params": {"$NETWORK": {"get_param": ["ServiceNetMap", {"str_replace": {"template": "ROLENAMEMetricsQdrNetwork", "params": {"ROLENAME": {"get_param": "RoleName"}}}}]}}}}, "tripleo::haproxy::metrics_qdr": {"get_param": "MetricsQdrExternalEndpoint"}, "tripleo::profile::base::metrics::qdr::listener_port": {"get_param": "MetricsQdrPort"}, "tripleo::profile::base::metrics::qdr::username": {"get_param": "MetricsQdrUsername"}, "tripleo::profile::base::metrics::qdr::password": {"get_param": "MetricsQdrPassword"}, "tripleo::profile::base::metrics::qdr::connectors": {"get_param": "MetricsQdrConnectors"}, "tripleo::profile::base::metrics::qdr::addresses": {"get_param": "MetricsQdrAddresses"}, "tripleo::profile::base::metrics::qdr::autolink_addresses": {"get_param": "MetricsQdrAutoLinks"}, "tripleo::profile::base::metrics::qdr::listener_require_ssl": {"if": ["listener_ssl_enabled", true, false]}, "tripleo::profile::base::metrics::qdr::listener_require_encrypt": {"get_param": "MetricsQdrUseEncryption"}, "tripleo::profile::base::metrics::qdr::listener_sasl_mech": {"get_param": "MetricsQdrSaslMechanisms"}, "tripleo::profile::base::metrics::qdr::listener_ssl_cert_db": {"get_param": "MetricsQdrSslCertDb"}, "tripleo::profile::base::metrics::qdr::listener_ssl_cert_file": {"get_param": "MetricsQdrSslCertFile"}, "tripleo::profile::base::metrics::qdr::listener_ssl_key_file": {"get_param": "MetricsQdrSslKeyFile"}, "tripleo::profile::base::metrics::qdr::listener_ssl_pw_file": {"get_param": "MetricsQdrSslPwFile"}, "tripleo::profile::base::metrics::qdr::listener_ssl_password": {"get_param": "MetricsQdrSslPassword"}, "tripleo::profile::base::metrics::qdr::listener_trusted_certs": {"get_param": "MetricsQdrTrustedCerts"}, "qdr::log_enable": "info+", "qdr::log_output": "/var/log/qdrouterd/metrics_qdr.log", "qdr::listener_auth_peer": {"get_param": "MetricsQdrAuthenticateClient"}}, {"if": ["internal_tls_enabled", {"tripleo::profile::base::metrics::qdr::ssl_profiles": {"list_concat": [{"get_param": "MetricsQdrSSLProfiles"}, [{"name": "tlsProfile", "certFile": "/etc/pki/tls/certs/metrics_qdr.crt", "keyFile": "/etc/pki/tls/private/metrics_qdr.key", "caCertFile": {"get_param": "InternalTLSCAFile"}}]]}}, {"tripleo::profile::base::metrics::qdr::ssl_profiles": {"get_param": "MetricsQdrSSLProfiles"}}]}, {"if": ["enable_stf", {"tripleo::profile::base::metrics::qdr::interior_mesh_nodes": "", "tripleo::profile::base::metrics::qdr::router_mode": "edge"}, null]}]}, "metadata_settings": {"if": ["internal_tls_enabled", [{"service": "metrics_qdr", "network": {"get_param": ["ServiceNetMap", {"str_replace": {"template": "ROLENAMEMetricsQdrNetwork", "params": {"ROLENAME": {"get_param": "RoleName"}}}}]}, "type": "node"}], null]}, "puppet_config": {"config_volume": "metrics_qdr", "step_config": "include tripleo::profile::base::metrics::qdr\n", "config_image": {"get_attr": ["RoleParametersValue", "value", "ContainerMetricsQdrConfigImage"]}}, "kolla_config": {"/var/lib/kolla/config_files/metrics_qdr.json": {"command": "/usr/sbin/qdrouterd -c /etc/qpid-dispatch/qdrouterd.conf", "config_files": [{"source": "/var/lib/kolla/config_files/src/*", "dest": "/", "merge": true, "preserve_properties": true}, {"source": "/var/lib/kolla/config_files/src-tls/*", "dest": "/", "merge": true, "preserve_properties": true, "optional": true}], "permissions": [{"path": "/var/lib/qdrouterd", "owner": "qdrouterd:qdrouterd", "recurse": true}, {"path": "/etc/pki/tls/certs/metrics_qdr.crt", "owner": "qdrouterd:qdrouterd", "optional": true}, {"path": "/etc/pki/tls/private/metrics_qdr.key", "owner": "qdrouterd:qdrouterd", "optional": true}]}}, "docker_config": {"step_1": {"metrics_qdr_init_logs": {"start_order": 0, "detach": false, "image": {"get_attr": ["RoleParametersValue", "value", "ContainerMetricsQdrImage"]}, "net": "none", "privileged": false, "user": "root", "volumes": ["/var/log/containers/metrics_qdr:/var/log/qdrouterd:z"], "command": ["/bin/bash", "-c", "chown -R qdrouterd:qdrouterd /var/log/qdrouterd"]}, "metrics_qdr": {"start_order": 1, "image": {"get_attr": ["RoleParametersValue", "value", "ContainerMetricsQdrImage"]}, "net": "host", "user": "qdrouterd", "privileged": false, "restart": "always", "healthcheck": {"test": "/openstack/healthcheck"}, "volumes": {"list_concat": [{"get_attr": ["ContainersCommon", "volumes"]}, ["/var/lib/kolla/config_files/metrics_qdr.json:/var/lib/kolla/config_files/config.json:ro", "/var/lib/config-data/puppet-generated/metrics_qdr:/var/lib/kolla/config_files/src:ro", "/var/lib/metrics_qdr:/var/lib/qdrouterd:z", "/var/log/containers/metrics_qdr:/var/log/qdrouterd:z"], {"if": ["internal_tls_enabled", ["/etc/pki/tls/certs/metrics_qdr.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/metrics_qdr.crt:ro", "/etc/pki/tls/private/metrics_qdr.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/metrics_qdr.key:ro"], null]}]}, "environment": {"KOLLA_CONFIG_STRATEGY": "COPY_ALWAYS"}}}}, "deploy_steps_tasks": [{"name": "Certificate generation", "when": ["step|int == 1", "enable_internal_tls"], "block": [{"include_role": {"name": "linux-system-roles.certificate"}, "vars": {"certificate_requests": [{"name": "metrics_qdr", "dns": {"str_replace": {"template": "{{fqdn_NETWORK}}", "params": {"NETWORK": {"get_param": ["ServiceNetMap", {"str_replace": {"template": "ROLENAMEMetricsQdrNetwork", "params": {"ROLENAME": {"get_param": "RoleName"}}}}]}}}}, "principal": {"str_replace": {"template": "metrics_qdr/{{fqdn_NETWORK}}@{{idm_realm}}", "params": {"NETWORK": {"get_param": ["ServiceNetMap", {"str_replace": {"template": "ROLENAMEMetricsQdrNetwork", "params": {"ROLENAME": {"get_param": "RoleName"}}}}]}}}}, "run_after": "container_name=$({{container_cli}} ps --format=\\{\\{.Names\\}\\} | grep metrics_qdr)\nservice_crt=\"/etc/pki/tls/certs/metrics_qdr.crt\"\nservice_key=\"/etc/pki/tls/private/metrics_qdr.key\n# Copy the new cert from the mount-point to the real path\n{{container_cli}} exec \"$container_name\" cp \"/var/lib/kolla/config_files/src-tls$service_crt\" \"$service_crt\"\n# Copy the new key from the mount-point to the real path\n{{container_cli}} exec \"$container_name\" cp \"/var/lib/kolla/config_files/src-tls$service_key\" \"$service_key\"\n# Set appropriate permissions\n{{container_cli}} exec \"$container_name\" chown qdrouterd:qdrouterd \"$service_crt\"\n{{container_cli}} exec \"$container_name\" chown qdrouterd:qdrouterd \"$service_key\"\n# Trigger a container restart to read the new certificate\n{{container_cli}} restart \"$container_name\"\n", "key_size": {"if": ["key_size_override_unset", {"get_param": "CertificateKeySize"}, {"get_param": "QdrCertificateKeySize"}]}, "ca": "ipa"}]}}]}], "host_prep_tasks": [{"name": "create persistent logs directory", "file": {"path": "{{ item.path }}", "state": "directory", "setype": "{{ item.setype }}", "mode": "{{ item.mode|default(omit) }}"}, "with_items": [{"path": "/var/log/containers/metrics_qdr", "setype": "container_file_t", "mode": "0750"}, {"path": "/var/lib/metrics_qdr", "setype": "container_file_t"}]}]}}}}