{"heat_template_version": "wallaby", "description": "OpenStack containerized Rabbitmq service\n", "parameters": {"ContainerRabbitmqImage": {"description": "The container image to use for the rabbitmq service containers (log init, cookie bootstrap and the rabbitmq server itself)", "type": "string", "tags": ["role_specific"]}, "ContainerRabbitmqConfigImage": {"description": "The container image to use for the rabbitmq config_volume", "type": "string", "tags": ["role_specific"]}, "EndpointMap": {"default": {}, "description": "Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry.", "type": "json"}, "ServiceData": {"default": {}, "description": "Dictionary packing service data", "type": "json"}, "ServiceNetMap": {"default": {}, "description": "Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. Use parameter_merge_strategies to merge it with the defaults.", "type": "json"}, "RoleName": {"default": "", "description": "Role name on which the service is applied", "type": "string"}, "RoleParameters": {"default": {}, "description": "Parameters specific to the role", "type": "json"}, "RabbitCookie": {"type": "string", "default": "", "hidden": true}, "EnableInternalTLS": {"type": "boolean", "default": false}, "RpcPort": {"default": 5672, "description": "The network port for messaging backend", "type": "number"}, "RpcUserName": {"default": "guest", "description": "The username for messaging backend", "type": "string"}, "RpcPassword": {"description": "The password for messaging backend", "type": "string", "hidden": true}, "RpcUseSSL": {"default": false, "description": "Messaging client subscriber parameter to specify an SSL connection to the messaging host.\n", "type": "string"}, "DeployIdentifier": {"default": "", "type": "string", "description": "Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update.\n"}, "CertificateKeySize": {"type": "string", "default": "2048", "description": "Specifies the private key size used when creating 
the certificate."}, "RpcCertificateKeySize": {"type": "string", "default": "", "description": "Override the private key size used when creating the certificate for this service. When left empty, CertificateKeySize is used."}, "RabbitFIPS": {"type": "boolean", "default": false, "description": "Configures RabbitMQ to run in FIPS mode. Within this template it selects the TLS versions allowed on the internal TLS listener (TLS 1.2 and 1.3 in FIPS mode, TLS 1.2 only otherwise), so it has no effect unless EnableInternalTLS is true."}}, "conditions": {"internal_tls_enabled": {"equals": [{"get_param": "EnableInternalTLS"}, true]}, "key_size_override_unset": {"equals": [{"get_param": "RpcCertificateKeySize"}, ""]}}, "resources": {"ContainersCommon": {"type": "file:///usr/share/openstack-tripleo-heat-templates/deployment/containers-common.yaml"}, "RabbitMQServiceBase": {"type": "file:///usr/share/openstack-tripleo-heat-templates/deployment/rabbitmq/rabbitmq-container-puppet.yaml", "properties": {"ServiceData": {"get_param": "ServiceData"}, "ServiceNetMap": {"get_param": "ServiceNetMap"}, "EndpointMap": {"get_param": "EndpointMap"}, "RoleName": {"get_param": "RoleName"}, "RoleParameters": {"get_param": "RoleParameters"}}}, "RoleParametersValue": {"type": "OS::Heat::Value", "properties": {"type": "json", "value": {"map_replace": [{"map_replace": [{"ContainerRabbitmqImage": "ContainerRabbitmqImage", "ContainerRabbitmqConfigImage": "ContainerRabbitmqConfigImage"}, {"values": {"get_param": ["RoleParameters"]}}]}, {"values": {"ContainerRabbitmqImage": {"get_param": "ContainerRabbitmqImage"}, "ContainerRabbitmqConfigImage": {"get_param": "ContainerRabbitmqConfigImage"}}}]}}}}, "outputs": {"role_data": {"description": "Role data for the Rabbitmq API role.", "value": {"service_name": "oslo_messaging_rpc", "firewall_rules": {"109 rabbitmq": {"dport": [4369, {"get_param": "RpcPort"}, 25672, "25673-25683"]}}, "monitoring_subscription": {"get_attr": ["RabbitMQServiceBase", "role_data", "monitoring_subscription"]}, "global_config_settings": {"map_merge": [{"get_attr": ["RabbitMQServiceBase", "role_data", "global_config_settings"]}, {"oslo_messaging_rpc_scheme": "rabbit", "oslo_messaging_rpc_user_name": {"get_param": 
"RpcUserName"}, "oslo_messaging_rpc_password": {"get_param": "RpcPassword"}, "oslo_messaging_rpc_use_ssl": {"get_param": "RpcUseSSL"}, "oslo_messaging_rpc_port": {"get_param": "RpcPort"}}]}, "config_settings": {"map_merge": [{"get_attr": ["RabbitMQServiceBase", "role_data", "config_settings"]}, {"rabbitmq::default_user": {"get_param": "RpcUserName"}, "rabbitmq::default_pass": {"get_param": "RpcPassword"}, "rabbitmq::port": {"get_param": "RpcPort"}, "rabbitmq::interface": {"str_replace": {"template": "%{hiera('$NETWORK')}", "params": {"$NETWORK": {"get_param": ["ServiceNetMap", "OsloMessagingRpcNetwork"]}}}}, "rabbitmq::ssl": {"get_param": "EnableInternalTLS"}, "rabbitmq::ssl_erl_dist": {"get_param": "EnableInternalTLS"}, "rabbitmq::ssl_port": {"get_param": "RpcPort"}, "rabbitmq::ssl_only": {"get_param": "EnableInternalTLS"}, "rabbitmq::ssl_interface": {"str_replace": {"template": "%{hiera('$NETWORK')}", "params": {"$NETWORK": {"get_param": ["ServiceNetMap", "OsloMessagingRpcNetwork"]}}}}, "tripleo::profile::base::rabbitmq::enable_internal_tls": {"get_param": "EnableInternalTLS"}, "rabbitmq::collect_statistics_interval": 30000, "rabbitmq::admin_enable": false, "rabbitmq::management_enable": true, "rabbitmq::use_config_file_for_plugins": true, "rabbitmq::management_ip_address": "127.0.0.1", "rabbitmq::config_management_variables": {"rates_mode": "none"}}, {"if": ["internal_tls_enabled", {"tripleo::rabbitmq::service_certificate": "/etc/pki/tls/certs/rabbitmq.crt", "tripleo::certmonger::rabbitmq::postsave_cmd": "true", "tripleo::profile::base::rabbitmq::certificate_specs": {"service_certificate": "/etc/pki/tls/certs/rabbitmq.crt", "service_key": "/etc/pki/tls/private/rabbitmq.key"}, "rabbitmq::ssl_versions": {"if": [{"get_param": "RabbitFIPS"}, ["tlsv1.2", "tlsv1.3"], ["tlsv1.2"]]}}, {}]}]}, "puppet_config": {"config_volume": "rabbitmq", "step_config": {"list_join": ["\n", ["['Rabbitmq_policy', 'Rabbitmq_user'].each |String $val| { noop_resource($val) }", "include 
tripleo::profile::base::rabbitmq"]]}, "config_image": {"get_attr": ["RoleParametersValue", "value", "ContainerRabbitmqConfigImage"]}}, "kolla_config": {"/var/lib/kolla/config_files/rabbitmq.json": {"command": "/usr/lib/rabbitmq/bin/rabbitmq-server", "config_files": [{"source": "/var/lib/kolla/config_files/src/*", "dest": "/", "merge": true, "preserve_properties": true}, {"source": "/var/lib/kolla/config_files/src-tls/*", "dest": "/", "merge": true, "preserve_properties": true, "optional": true}], "permissions": [{"path": "/var/lib/rabbitmq", "owner": "rabbitmq:rabbitmq", "recurse": true}, {"path": "/etc/pki/tls/certs/rabbitmq.crt", "owner": "rabbitmq:rabbitmq", "optional": true}, {"path": "/etc/pki/tls/private/rabbitmq.key", "owner": "rabbitmq:rabbitmq", "optional": true}]}}, "docker_config": {"step_1": {"rabbitmq_init_logs": {"start_order": 0, "detach": false, "image": {"get_attr": ["RoleParametersValue", "value", "ContainerRabbitmqImage"]}, "net": "none", "privileged": false, "user": "root", "volumes": ["/var/log/containers/rabbitmq:/var/log/rabbitmq:z"], "command": ["/bin/bash", "-c", "chown -R rabbitmq:rabbitmq /var/log/rabbitmq"]}, "rabbitmq_bootstrap": {"start_order": 1, "detach": false, "image": {"get_attr": ["RoleParametersValue", "value", "ContainerRabbitmqImage"]}, "net": "host", "privileged": false, "user": "root", "command": ["bash", "-ec", {"list_join": ["\n", ["kolla_set_configs", "if [[ -e \"/var/lib/rabbitmq/.erlang.cookie\" ]]; then rm -f /var/lib/rabbitmq/.erlang.cookie; fi", "hiera 'rabbitmq::erlang_cookie' > /var/lib/rabbitmq/.erlang.cookie", "chown rabbitmq:rabbitmq /var/lib/rabbitmq/.erlang.cookie", "chmod 400 /var/lib/rabbitmq/.erlang.cookie"]]}], "volumes": {"list_concat": [{"get_attr": ["ContainersCommon", "volumes"]}, ["/var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro", "/var/lib/config-data/puppet-generated/rabbitmq:/var/lib/kolla/config_files/src:ro", "/var/lib/rabbitmq:/var/lib/rabbitmq:z", 
"/var/log/containers/rabbitmq:/var/log/rabbitmq:z"], {"if": ["internal_tls_enabled", ["/etc/pki/tls/certs/rabbitmq.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt:ro", "/etc/pki/tls/private/rabbitmq.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key:ro"], null]}]}, "environment": {"KOLLA_CONFIG_STRATEGY": "COPY_ALWAYS", "TRIPLEO_DEPLOY_IDENTIFIER": {"get_param": "DeployIdentifier"}}}, "rabbitmq": {"start_order": 2, "stop_grace_period": 60, "image": {"get_attr": ["RoleParametersValue", "value", "ContainerRabbitmqImage"]}, "net": "host", "privileged": false, "restart": "always", "healthcheck": {"test": "/openstack/healthcheck"}, "volumes": {"list_concat": [{"get_attr": ["ContainersCommon", "volumes"]}, ["/var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro", "/var/lib/config-data/puppet-generated/rabbitmq:/var/lib/kolla/config_files/src:ro", "/var/lib/rabbitmq:/var/lib/rabbitmq:z", "/var/log/containers/rabbitmq:/var/log/rabbitmq:z"], {"if": ["internal_tls_enabled", ["/etc/pki/tls/certs/rabbitmq.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt:ro", "/etc/pki/tls/private/rabbitmq.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key:ro"], null]}]}, "environment": {"KOLLA_CONFIG_STRATEGY": "COPY_ALWAYS"}}}}, "container_puppet_tasks": {"step_2": {"config_volume": "rabbit_init_tasks", "puppet_tags": "rabbitmq_policy,rabbitmq_user", "step_config": "include tripleo::profile::base::rabbitmq", "config_image": {"get_attr": ["RoleParametersValue", "value", "ContainerRabbitmqConfigImage"]}, "volumes": ["/var/lib/config-data/puppet-generated/rabbitmq/etc/rabbitmq:/etc/rabbitmq:ro", "/var/lib/rabbitmq:/var/lib/rabbitmq:z"]}}, "metadata_settings": {"if": ["internal_tls_enabled", [{"service": "rabbitmq", "network": {"get_param": ["ServiceNetMap", "OsloMessagingRpcNetwork"]}, "type": "node"}], null]}, "deploy_steps_tasks": [{"name": "Certificate generation", "when": 
["step|int == 1", "enable_internal_tls"], "block": [{"include_role": {"name": "linux-system-roles.certificate"}, "vars": {"certificate_requests": [{"name": "rabbitmq", "dns": {"str_replace": {"template": "{{fqdn_$NETWORK}}", "params": {"$NETWORK": {"get_param": ["ServiceNetMap", "OsloMessagingRpcNetwork"]}}}}, "principal": {"str_replace": {"template": "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}", "params": {"$NETWORK": {"get_param": ["ServiceNetMap", "OsloMessagingRpcNetwork"]}}}}, "run_after": "container_name=$({{container_cli}} ps --format=\\{\\{.Names\\}\\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')\nservice_crt=\"/etc/pki/tls/certs/rabbitmq.crt\"\nservice_key=\"/etc/pki/tls/private/rabbitmq.key\"\nif echo \"$container_name\" | grep -q \"^rabbitmq-bundle\"; then\n # lp#1917868: Do not use podman cp with HA containers as they get\n # frozen temporarily and that can make pacemaker operation fail.\n tar -c \"$service_crt\" \"$service_key\" | {{container_cli}} exec -i \"$container_name\" tar -C / -xv\n # no need to update the mount point, because pacemaker\n # recreates the container when it's restarted\nelse\n # Refresh the cert at the mount-point\n {{container_cli}} cp $service_crt \"$container_name:/var/lib/kolla/config_files/src-tls/$service_crt\"\n # Refresh the key at the mount-point\n {{container_cli}} cp $service_key \"$container_name:/var/lib/kolla/config_files/src-tls/$service_key\"\n # Copy the new cert from the mount-point to the real path\n {{container_cli}} exec -u root \"$container_name\" cp \"/var/lib/kolla/config_files/src-tls$service_crt\" \"$service_crt\"\n # Copy the new key from the mount-point to the real path\n {{container_cli}} exec -u root \"$container_name\" cp \"/var/lib/kolla/config_files/src-tls$service_key\" \"$service_key\"\nfi\n# Set appropriate permissions\n{{container_cli}} exec -u root \"$container_name\" chown rabbitmq:rabbitmq \"$service_crt\"\n{{container_cli}} exec -u root \"$container_name\" chown rabbitmq:rabbitmq 
\"$service_key\"\n# Trigger a pem cache clear in RabbitMQ to read the new certificates\n{{container_cli}} exec \"$container_name\" rabbitmqctl eval \"ssl:clear_pem_cache().\"\n", "key_size": {"if": ["key_size_override_unset", {"get_param": "CertificateKeySize"}, {"get_param": "RpcCertificateKeySize"}]}, "ca": "ipa"}]}}]}], "host_prep_tasks": [{"name": "create fcontext for rabbitmq data", "community.general.sefcontext": {"target": "/var/lib/rabbitmq(/.*)?", "setype": "container_file_t", "state": "present"}}, {"name": "create persistent directories", "file": {"path": "{{ item.path }}", "state": "directory", "setype": "{{ item.setype }}", "mode": "{{ item.mode|default(omit) }}"}, "with_items": [{"path": "/var/log/containers/rabbitmq", "setype": "container_file_t", "mode": "0750"}, {"path": "/var/lib/rabbitmq", "setype": "container_file_t"}]}], "upgrade_tasks": [], "update_tasks": null}}}}