{"heat_template_version": "wallaby", "description": "OpenStack containerized Redis services\n", "parameters": {"ContainerRedisImage": {"description": "image", "type": "string", "tags": ["role_specific"]}, "ContainerRedisConfigImage": {"description": "The container image to use for the redis config_volume", "type": "string", "tags": ["role_specific"]}, "EndpointMap": {"default": {}, "description": "Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry.", "type": "json"}, "ServiceData": {"default": {}, "description": "Dictionary packing service data", "type": "json"}, "ServiceNetMap": {"default": {}, "description": "Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. Use parameter_merge_strategies to merge it with the defaults.", "type": "json"}, "RoleName": {"default": "", "description": "Role name on which the service is applied", "type": "string"}, "RoleParameters": {"default": {}, "description": "Parameters specific to the role", "type": "json"}, "EnableInternalTLS": {"type": "boolean", "default": false}, "CertificateKeySize": {"type": "string", "default": "2048", "description": "Specifies the private key size used when creating the certificate."}, "RedisCertificateKeySize": {"type": "string", "default": "", "description": "Override the private key size used when creating the certificate for this service"}}, "conditions": {"key_size_override_set": {"not": {"equals": [{"get_param": "RedisCertificateKeySize"}, ""]}}}, "resources": {"ContainersCommon": {"type": "file:///usr/share/openstack-tripleo-heat-templates/deployment/containers-common.yaml"}, "RedisBase": {"type": "file:///usr/share/openstack-tripleo-heat-templates/deployment/database/redis-base-puppet.yaml", "properties": {"EndpointMap": {"get_param": "EndpointMap"}, "ServiceData": {"get_param": "ServiceData"}, "ServiceNetMap": {"get_param": "ServiceNetMap"}}}, "RoleParametersValue": {"type": "OS::Heat::Value", "properties": {"type": "json", "value": {"map_replace": [{"map_replace": [{"ContainerRedisImage": "ContainerRedisImage", "ContainerRedisConfigImage": "ContainerRedisConfigImage"}, {"values": {"get_param": ["RoleParameters"]}}]}, {"values": {"ContainerRedisImage": {"get_param": "ContainerRedisImage"}, "ContainerRedisConfigImage": {"get_param": "ContainerRedisConfigImage"}}}]}}}}, "outputs": {"role_data": {"description": "Role data for the Redis API role.", "value": {"service_name": "redis", "firewall_rules": {"108 redis": {"dport": [6379, 26379]}}, "firewall_frontend_rules": {"100 redis_haproxy_frontend": {"dport": [6379, 26379]}}, "config_settings": {"map_merge": [{"get_attr": ["RedisBase", "role_data", "config_settings"]}, {"redis::daemonize": false, "tripleo::stunnel::manage_service": false, "tripleo::stunnel::foreground": "yes"}, {"tripleo::profile::base::database::redis::tls_proxy_bind_ip": {"str_replace": {"template": "%{hiera('$NETWORK')}", "params": {"$NETWORK": {"get_param": ["ServiceNetMap", "RedisNetwork"]}}}}, "tripleo::profile::base::database::redis::tls_proxy_fqdn": {"str_replace": {"template": "%{hiera('fqdn_$NETWORK')}", "params": {"$NETWORK": {"get_param": ["ServiceNetMap", "RedisNetwork"]}}}}, "tripleo::profile::base::database::redis::tls_proxy_port": 6379}, {"if": [{"get_param": "EnableInternalTLS"}, {"tripleo::redis::service_certificate": "/etc/pki/tls/certs/redis.crt", "redis_certificate_specs": {"service_certificate": "/etc/pki/tls/certs/redis.crt", "service_key": "/etc/pki/tls/private/redis.key"}}]}]}, "service_config_settings": {"get_attr": ["RedisBase", "role_data", "service_config_settings"]}, "puppet_config": {"config_volume": "redis", "puppet_tags": "exec", "step_config": {"list_join": ["\n", ["Exec <| title == 'systemd-reload-redis' |> { unless => 'true' }", "include tripleo::profile::base::database::redis", {"get_attr": ["RedisBase", "role_data", "step_config"]}]]}, "config_image": {"get_attr": ["RoleParametersValue", "value", "ContainerRedisConfigImage"]}}, "kolla_config": {"/var/lib/kolla/config_files/redis.json": {"command": "/usr/bin/redis-server /etc/redis.conf", "config_files": [{"source": "/var/lib/kolla/config_files/src/*", "dest": "/", "merge": true, "preserve_properties": true}], "permissions": [{"path": "/run/redis", "owner": "redis:redis", "recurse": true}]}, "/var/lib/kolla/config_files/redis_tls_proxy.json": {"command": "stunnel /etc/stunnel/stunnel.conf", "config_files": [{"source": "/var/lib/kolla/config_files/src/*", "dest": "/", "merge": true, "preserve_properties": true}]}}, "docker_config": {"step_1": {"map_merge": [{"redis_init_logs": {"start_order": 0, "detach": false, "image": {"get_attr": ["RoleParametersValue", "value", "ContainerRedisImage"]}, "net": "none", "privileged": false, "user": "root", "volumes": ["/var/log/containers/redis:/var/log/redis:z"], "command": ["/bin/bash", "-c", "chown -R redis:redis /var/log/redis"]}}, {"redis": {"start_order": 1, "stop_grace_period": 60, "image": {"get_attr": ["RoleParametersValue", "value", "ContainerRedisImage"]}, "net": "host", "privileged": false, "restart": "always", "healthcheck": {"test": "/openstack/healthcheck"}, "volumes": ["/var/lib/kolla/config_files/redis.json:/var/lib/kolla/config_files/config.json:ro", "/var/lib/config-data/puppet-generated/redis:/var/lib/kolla/config_files/src:ro", "/etc/localtime:/etc/localtime:ro", "/var/log/containers/redis:/var/log/redis:z", "/run/redis:/run/redis:z"], "environment": {"KOLLA_CONFIG_STRATEGY": "COPY_ALWAYS"}}}, {"if": [{"get_param": "EnableInternalTLS"}, {"redis_tls_proxy": {"start_order": 2, "image": {"get_attr": ["RoleParametersValue", "value", "ContainerRedisImage"]}, "net": "host", "user": "root", "restart": "always", "healthcheck": {"test": "/openstack/healthcheck"}, "volumes": {"list_concat": [{"get_attr": ["ContainersCommon", "volumes"]}, ["/var/lib/kolla/config_files/redis_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro", "/var/lib/config-data/puppet-generated/redis:/var/lib/kolla/config_files/src:ro", "/etc/pki/tls/certs/redis.crt:/etc/pki/tls/certs/redis.crt:ro", "/etc/pki/tls/private/redis.key:/etc/pki/tls/private/redis.key:ro"]]}, "environment": {"KOLLA_CONFIG_STRATEGY": "COPY_ALWAYS"}}}]}]}}, "metadata_settings": {"if": [{"get_param": "EnableInternalTLS"}, [{"service": "redis", "network": {"get_param": ["ServiceNetMap", "RedisNetwork"]}, "type": "vip"}, {"service": "redis", "network": {"get_param": ["ServiceNetMap", "RedisNetwork"]}, "type": "node"}]]}, "deploy_steps_tasks": [{"name": "Certificate generation", "when": ["step|int == 1", "enable_internal_tls"], "block": [{"include_role": {"name": "linux-system-roles.certificate"}, "vars": {"certificate_requests": [{"name": "redis", "dns": [{"str_replace": {"template": "{{fqdn_$NETWORK}}", "params": {"$NETWORK": {"get_param": ["ServiceNetMap", "RedisNetwork"]}}}}, {"str_replace": {"template": "{{cloud_names.cloud_name_NETWORK}}", "params": {"NETWORK": {"get_param": ["ServiceNetMap", "RedisNetwork"]}}}}], "principal": {"str_replace": {"template": "redis/{{fqdn_$NETWORK}}@{{idm_realm}}", "params": {"$NETWORK": {"get_param": ["ServiceNetMap", "RedisNetwork"]}}}}, "run_after": "container_name=$({{container_cli}} ps --format=\\{\\{.Names\\}\\} | grep redis_tls_proxy)\nservice_crt=\"/etc/pki/tls/certs/redis.crt\"\nservice_key=\"/etc/pki/tls/private/redis.key\"\n# Copy the new cert from the mount-point to the real path\n{{container_cli}} exec \"$container_name\" cp \"/var/lib/kolla/config_files/src-tls$service_crt\" \"$service_crt\"\n# Copy the new cert from the mount-point to the real path\n{{container_cli}} exec \"$container_name\" cp \"/var/lib/kolla/config_files/src-tls$service_key\" \"$service_key\"\n# Set appropriate permissions\n{{container_cli}} exec \"$container_name\" chown memcached:memcached \"$service_crt\"\n{{container_cli}} exec \"$container_name\" chown memcached:memcached \"$service_key\"\n# Trigger a reload for stunnel to read the new certificate\n{{container_cli}} exec pkill -o -HUP stunnel\n", "key_size": {"if": ["key_size_override_set", {"get_param": "RedisCertificateKeySize"}, {"get_param": "CertificateKeySize"}]}, "ca": "ipa"}]}}]}], "external_deploy_tasks": {"get_attr": ["RedisBase", "role_data", "external_deploy_tasks"]}, "host_prep_tasks": [{"name": "create fcontext entry for redis data", "community.general.sefcontext": {"target": "/var/run/redis(/.*)?", "setype": "container_file_t", "state": "present"}}, {"name": "create persistent directories", "file": {"path": "{{ item.path }}", "state": "directory", "setype": "{{ item.setype }}", "mode": "{{ item.mode|default(omit) }}"}, "with_items": [{"path": "/var/log/containers/redis", "setype": "container_file_t", "mode": "0750"}, {"path": "/run/redis", "setype": "container_file_t"}]}, {"name": "ensure /run/redis is present upon reboot", "copy": {"dest": "/etc/tmpfiles.d/run-redis.conf", "content": "d /run/redis 0755 root root - -\n"}}], "update_tasks": [{"name": "redis_container_puppet_redis_pkg_clean", "when": "step|int == 1", "block": [{"name": "Ensure redis is uninstalled on container host", "package": {"name": "redis", "state": "absent"}}]}, {"name": "redis_container_puppet_tmpfile_cleanup", "when": "step|int == 1", "block": [{"name": "remove old tmpfiles.d config", "file": {"path": "/etc/tmpfiles.d/var-run-redis.conf", "state": "absent"}}]}], "external_update_tasks": {"get_attr": ["RedisBase", "role_data", "external_update_tasks"]}, "upgrade_tasks": [{"name": "redis_container_puppet_redis_pkg_clean", "when": "step|int == 1", "block": [{"name": "Ensure redis is uninstalled on container host", "package": {"name": "redis", "state": "absent"}}]}, {"name": "redis_container_puppet_tmpfile_cleanup", "when": "step|int == 1", "block": [{"name": "remove old tmpfiles.d config", "file": {"path": "/etc/tmpfiles.d/var-run-redis.conf", "state": "absent"}}]}], "external_upgrade_tasks": [{"when": ["step|int == 1"], "tags": ["never", "system_upgrade_transfer_data", "system_upgrade_stop_services"], "block": [{"name": "Stop redis container", "import_role": {"name": "tripleo_container_stop"}, "vars": {"tripleo_containers_to_stop": {"with_items": {"list_concat": [["redis"], [{"if": [{"get_param": "EnableInternalTLS"}, ["redis_tls_proxy"]]}]]}}, "tripleo_delegate_to": "{{ groups['redis'] | difference(groups['excluded_overcloud']) }}"}}]}]}}}}