Add cookbook support for Openstack Orchestration

This new cookbook supports the installation and configuraiton for heat services.
More pedantic patches will follow to make Rubocop happy.

Implements: blueprint heat-support

Change-Id: I8b734b7124c49190a68acc4d0da28a31da03ac57
This commit is contained in:
hanzhf 2013-12-02 01:28:36 +08:00
parent b8873817f4
commit 0b81a7b037
28 changed files with 2439 additions and 0 deletions

6
Berksfile Normal file
View File

@ -0,0 +1,6 @@
metadata
cookbook "openstack-identity",
git: "git://github.com/stackforge/cookbook-openstack-identity.git"
cookbook "openstack-common",
git: "git://github.com/stackforge/cookbook-openstack-common.git"

41
Berksfile.lock Normal file
View File

@ -0,0 +1,41 @@
{
"sources": {
"openstack-orchestration": {
"path": "."
},
"openstack-identity": {
"locked_version": "8.0.0",
"git": "git://github.com/stackforge/cookbook-openstack-identity.git",
"ref": "309b8040a03d4bde97ca443644125e16c242edd8"
},
"openstack-common": {
"locked_version": "8.0.0",
"git": "git://github.com/stackforge/cookbook-openstack-common.git",
"ref": "3ca576b8e6dfca3b39ab4ccd7327a40c78379985"
},
"apt": {
"locked_version": "2.3.0"
},
"database": {
"locked_version": "1.5.2"
},
"mysql": {
"locked_version": "4.0.6"
},
"openssl": {
"locked_version": "1.1.0"
},
"build-essential": {
"locked_version": "1.4.2"
},
"postgresql": {
"locked_version": "3.3.4"
},
"aws": {
"locked_version": "1.0.0"
},
"xfs": {
"locked_version": "1.1.0"
}
}
}

6
CHANGELOG.md Normal file
View File

@ -0,0 +1,6 @@
# CHANGELOG for cookbook-openstack-orchestration
This file is used to list changes made in each version of cookbook-openstack-orchestration
## 8.0.0:
* Initial release of cookbook-openstack-orchestration.

9
Gemfile Normal file
View File

@ -0,0 +1,9 @@
source "https://rubygems.org"
gem "chef", "~> 11.4.4"
gem "json", "<= 1.7.7" # chef 11 dependency
gem "berkshelf", "~> 2.0.10"
gem "chefspec", "~> 3.0.2"
gem "foodcritic", "~> 3.0.3"
gem "strainer"
gem "rubocop"

213
Gemfile.lock Normal file
View File

@ -0,0 +1,213 @@
GEM
remote: https://rubygems.org/
specs:
activesupport (3.2.16)
i18n (~> 0.6, >= 0.6.4)
multi_json (~> 1.0)
addressable (2.3.5)
akami (1.2.0)
gyoku (>= 0.4.0)
nokogiri (>= 1.4.0)
ast (1.1.0)
berkshelf (2.0.10)
activesupport (~> 3.2.0)
addressable (~> 2.3.4)
buff-shell_out (~> 0.1)
chozo (>= 0.6.1)
faraday (>= 0.8.5)
hashie (>= 2.0.2)
minitar (~> 0.5.4)
rbzip2 (~> 0.2.0)
retryable (~> 1.3.3)
ridley (~> 1.5.0)
solve (>= 0.5.0)
thor (~> 0.18.0)
buff-config (0.4.0)
buff-extensions (~> 0.3)
varia_model (~> 0.1)
buff-extensions (0.5.0)
buff-ignore (1.1.1)
buff-platform (0.1.0)
buff-ruby_engine (0.1.0)
buff-shell_out (0.1.1)
buff-ruby_engine (~> 0.1.0)
builder (3.2.2)
celluloid (0.14.1)
timers (>= 1.0.0)
celluloid-io (0.14.1)
celluloid (>= 0.14.1)
nio4r (>= 0.4.5)
chef (11.4.4)
erubis
highline (>= 1.6.9)
json (>= 1.4.4, <= 1.7.7)
mixlib-authentication (>= 1.3.0)
mixlib-cli (~> 1.3.0)
mixlib-config (>= 1.1.2)
mixlib-log (>= 1.3.0)
mixlib-shellout
net-ssh (~> 2.6)
net-ssh-multi (~> 1.1.0)
ohai (>= 0.6.0)
rest-client (>= 1.0.4, < 1.7.0)
yajl-ruby (~> 1.1)
chefspec (3.0.2)
chef (~> 11.0)
fauxhai (~> 2.0)
rspec (~> 2.14)
chozo (0.6.1)
activesupport (>= 3.2.0)
hashie (>= 2.0.2)
multi_json (>= 1.3.0)
diff-lcs (1.2.5)
erubis (2.7.0)
faraday (0.8.8)
multipart-post (~> 1.2.0)
fauxhai (2.0.1)
net-ssh
ohai
ffi (1.9.3)
foodcritic (3.0.3)
erubis
gherkin (~> 2.11.7)
nokogiri (~> 1.5.4)
rake
treetop (~> 1.4.10)
yajl-ruby (~> 1.1.0)
gherkin (2.11.8)
multi_json (~> 1.3)
gssapi (1.0.3)
ffi (>= 1.0.1)
gyoku (1.1.0)
builder (>= 2.1.2)
hashie (2.0.5)
highline (1.6.20)
httpclient (2.3.4.1)
httpi (0.9.7)
rack
i18n (0.6.9)
ipaddress (0.8.0)
json (1.7.7)
little-plugger (1.1.3)
logging (1.8.1)
little-plugger (>= 1.1.3)
multi_json (>= 1.3.6)
mime-types (2.0)
minitar (0.5.4)
mixlib-authentication (1.3.0)
mixlib-log
mixlib-cli (1.3.0)
mixlib-config (2.1.0)
mixlib-log (1.6.0)
mixlib-shellout (1.3.0)
multi_json (1.8.2)
multipart-post (1.2.0)
net-http-persistent (2.9)
net-ssh (2.7.0)
net-ssh-gateway (1.2.0)
net-ssh (>= 2.6.5)
net-ssh-multi (1.1)
net-ssh (>= 2.1.4)
net-ssh-gateway (>= 0.99.0)
nio4r (0.5.0)
nokogiri (1.5.11)
nori (1.1.5)
ohai (6.20.0)
ipaddress
mixlib-cli
mixlib-config
mixlib-log
mixlib-shellout
systemu (~> 2.5.2)
yajl-ruby
parser (2.1.1)
ast (~> 1.1)
slop (~> 3.4, >= 3.4.5)
polyglot (0.3.3)
powerpack (0.0.9)
rack (1.5.2)
rainbow (1.99.0)
rake (10.1.1)
rbzip2 (0.2.0)
rest-client (1.6.7)
mime-types (>= 1.16)
retryable (1.3.3)
ridley (1.5.3)
addressable
buff-config (~> 0.2)
buff-extensions (~> 0.3)
buff-ignore (~> 1.1)
buff-shell_out (~> 0.1)
celluloid (~> 0.14.0)
celluloid-io (~> 0.14.0)
erubis
faraday (>= 0.8.4)
hashie (>= 2.0.2)
json (>= 1.7.7)
mixlib-authentication (>= 1.3.0)
net-http-persistent (>= 2.8)
net-ssh
nio4r (>= 0.5.0)
retryable
solve (>= 0.4.4)
varia_model (~> 0.1)
winrm (~> 1.1.0)
rspec (2.14.1)
rspec-core (~> 2.14.0)
rspec-expectations (~> 2.14.0)
rspec-mocks (~> 2.14.0)
rspec-core (2.14.7)
rspec-expectations (2.14.4)
diff-lcs (>= 1.1.3, < 2.0)
rspec-mocks (2.14.4)
rubocop (0.16.0)
parser (~> 2.1)
powerpack (~> 0.0.6)
rainbow (>= 1.1.4)
rubyntlm (0.1.1)
savon (0.9.5)
akami (~> 1.0)
builder (>= 2.1.2)
gyoku (>= 0.4.0)
httpi (~> 0.9)
nokogiri (>= 1.4.0)
nori (~> 1.0)
wasabi (~> 1.0)
slop (3.4.7)
solve (0.8.2)
strainer (3.3.0)
berkshelf (~> 2.0)
buff-platform (~> 0.1)
systemu (2.5.2)
thor (0.18.1)
timers (1.1.0)
treetop (1.4.15)
polyglot
polyglot (>= 0.3.1)
uuidtools (2.1.4)
varia_model (0.2.0)
buff-extensions (~> 0.2)
hashie (>= 2.0.2)
wasabi (1.0.0)
nokogiri (>= 1.4.0)
winrm (1.1.3)
gssapi (~> 1.0.0)
httpclient (~> 2.2, >= 2.2.0.2)
logging (~> 1.6, >= 1.6.1)
nokogiri (~> 1.5)
rubyntlm (~> 0.1.1)
savon (= 0.9.5)
uuidtools (~> 2.1.2)
yajl-ruby (1.1.0)
PLATFORMS
ruby
DEPENDENCIES
berkshelf (~> 2.0.10)
chef (~> 11.4.4)
chefspec (~> 3.0.2)
foodcritic (~> 3.0.3)
json (<= 1.7.7)
rubocop
strainer

131
README.md Normal file
View File

@ -0,0 +1,131 @@
Description
===========
This cookbook installs the OpenStack Heat service **Heat** as part of an OpenStack reference deployment Chef for OpenStack.
http://heat.openstack.org/
Requirements
============
Chef 0.10.0 or higher required (for Chef environment use).
Cookbooks
---------
The following cookbooks are dependencies:
* openstack-common
* openstack-identity
Usage
=====
common
------
- Installs the heat packages and setup configuration for Heat.
api
------
- Configure and start heat-api service
api-cfn
------
- Configure and start heat-api-cfn service
api-cloudwatch
------
- Configure and start heat-api-cloudwatch service
engine
------
- Setup the heat database and start heat-engine service
keystone-registration
---------------------
- Registers the Heat API endpoint, heat service and user
Attributes
==========
Attributes for the Heat service are in the ['openstack']['orchestration'] namespace.
* `openstack['orchestration']['verbose']` - Enables/disables verbose output for heat services.
* `openstack['orchestration']['debug']` - Enables/disables debug output for heat services.
* `openstack['orchestration']['identity_service_chef_role']` - The name of the Chef role that installs the Keystone Service API
* `openstack['orchestration']['rabbit_server_chef_role']` - The name of the Chef role that knows about the message queue server
* `openstack['orchestration']['user']` - User heat runs as
* `openstack['orchestration']['group']` - Group heat runs as
* `openstack['orchestration']['db']['username']` - Username for heat database access
* `openstack['orchestration']['api']['adminURL']` - Used when registering heat endpoint with keystone
* `openstack['orchestration']['api']['internalURL']` - Used when registering heat endpoint with keystone
* `openstack['orchestration']['api']['publicURL']` - Used when registering heat endpoint with keystone
* `openstack['orchestration']['service_tenant_name']` - Tenant name used by heat when interacting with keystone - used in the API and registry paste.ini files
* `openstack['orchestration']['service_user']` - User name used by heat when interacting with keystone - used in the API and registry paste.ini files
* `openstack['orchestration']['service_role']` - User role used by heat when interacting with keystone - used in the API and registry paste.ini files
* `openstack['orchestration']['api']['auth']['cache_dir']` - Defaults to `/var/cache/heat`. Directory where `auth_token` middleware writes certificates for heat
* `openstack['orchestration']['syslog']['use']` - Should heat log to syslog?
* `openstack['orchestration']['syslog']['facility']` - Which facility heat should use when logging in python style (for example, `LOG_LOCAL1`)
* `openstack['orchestration']['syslog']['config_facility']` - Which facility heat should use when logging in rsyslog style (for example, local1)
* `openstack['orchestration']['rpc_thread_pool_size']` - size of RPC thread pool
* `openstack['orchestration']['rpc_conn_pool_size']` - size of RPC connection pool
* `openstack['orchestration']['rpc_response_timeout']` - seconds to wait for a response from call or multicall
* `openstack['orchestration']['platform']` - hash of platform specific package/service names and options
MQ attributes
-------------
* `openstack["orchestration"]["mq"]["service_type"]` - Select qpid or rabbitmq. default rabbitmq
TODO: move rabbit parameters under openstack["orchestration"]["mq"]
* `openstack["orchestration"]["rabbit"]["username"]` - Username for nova rabbit access
* `openstack["orchestration"]["rabbit"]["vhost"]` - The rabbit vhost to use
* `openstack["orchestration"]["rabbit"]["port"]` - The rabbit port to use
* `openstack["orchestration"]["rabbit"]["host"]` - The rabbit host to use (must set when `openstack["orchestration"]["rabbit"]["ha"]` false).
* `openstack["orchestration"]["rabbit"]["ha"]` - Whether or not to use rabbit ha
* `openstack["orchestration"]["mq"]["qpid"]["host"]` - The qpid host to use
* `openstack["orchestration"]["mq"]["qpid"]["port"]` - The qpid port to use
* `openstack["orchestration"]["mq"]["qpid"]["qpid_hosts"]` - Qpid hosts. TODO. use only when ha is specified.
* `openstack["orchestration"]["mq"]["qpid"]["username"]` - Username for qpid connection
* `openstack["orchestration"]["mq"]["qpid"]["password"]` - Password for qpid connection
* `openstack["orchestration"]["mq"]["qpid"]["sasl_mechanisms"]` - Space separated list of SASL mechanisms to use for auth
* `openstack["orchestration"]["mq"]["qpid"]["reconnect_timeout"]` - The number of seconds to wait before deciding that a reconnect attempt has failed.
* `openstack["orchestration"]["mq"]["qpid"]["reconnect_limit"]` - The limit for the number of times to reconnect before considering the connection to be failed.
* `openstack["orchestration"]["mq"]["qpid"]["reconnect_interval_min"]` - Minimum number of seconds between connection attempts.
* `openstack["orchestration"]["mq"]["qpid"]["reconnect_interval_max"]` - Maximum number of seconds between connection attempts.
* `openstack["orchestration"]["mq"]["qpid"]["reconnect_interval"]` - Equivalent to setting qpid_reconnect_interval_min and qpid_reconnect_interval_max to the same value.
* `openstack["orchestration"]["mq"]["qpid"]["heartbeat"]` - Seconds between heartbeat messages sent to ensure that the connection is still alive.
* `openstack["orchestration"]["mq"]["qpid"]["protocol"]` - Protocol to use. Default tcp.
* `openstack["orchestration"]["mq"]["qpid"]["tcp_nodelay"]` - Disable the Nagle algorithm. default disabled.
Testing
=====
This cookbook uses [bundler](http://gembundler.com/), [berkshelf](http://berkshelf.com/), and [strainer](https://github.com/customink/strainer) to isolate dependencies and run tests.
Tests are defined in Strainerfile.
To run tests:
$ bundle install # install gem dependencies
$ bundle exec berks install # install cookbook dependencies
$ bundle exec strainer test # run tests
License and Author
==================
| | |
|:---------------------|:---------------------------------------------------|
| **Author** | Zhao Fang Han (<hanzhf@cn.ibm.com>) |
| | | |
| **Copyright** | Copyright (c) 2013, IBM Corp. |
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

5
Strainerfile Normal file
View File

@ -0,0 +1,5 @@
# Strainerfile
rubocop: bundle exec rubocop $SANDBOX/$COOKBOOK
knife test: bundle exec knife cookbook test $COOKBOOK
foodcritic: bundle exec foodcritic -f any -t ~FC003 -t ~FC023 $SANDBOX/$COOKBOOK
chefspec: bundle exec rspec $SANDBOX/$COOKBOOK/spec

138
attributes/default.rb Normal file
View File

@ -0,0 +1,138 @@
#
# Cookbook Name:: openstack-orchestration
# Attributes:: default
#
# Copyright 2013, IBM Corp.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Set to some text value if you want templated config files
# to contain a custom banner at the top of the written file
default["openstack"]["orchestration"]["custom_template_banner"] = "
# This file autogenerated by Chef
# Do not edit, changes will be overwritten
"
default["openstack"]["orchestration"]["verbose"] = "False"
default["openstack"]["orchestration"]["debug"] = "False"
# This is the name of the Chef role that will install the Keystone Service API
default["openstack"]["orchestration"]["identity_service_chef_role"] = "os-identity"
# Gets set in the Heat Endpoint when registering with Keystone
default["openstack"]["orchestration"]["region"] = "RegionOne"
# The name of the Chef role that knows about the message queue server
# that Heat uses
default["openstack"]["orchestration"]["rabbit_server_chef_role"] = "os-ops-messaging"
default["openstack"]["orchestration"]["db"]["username"] = "heat"
# This user's password is stored in an encrypted databag
# and accessed with openstack-common cookbook library's
# user_password routine. You are expected to create
# the user, pass, vhost in a wrapper rabbitmq cookbook.
default["openstack"]["orchestration"]["rabbit"]["ha"] = false
default["openstack"]["orchestration"]["rabbit"]["username"] = "guest"
default["openstack"]["orchestration"]["rabbit"]["vhost"] = "/"
default["openstack"]["orchestration"]["rabbit"]["port"] = 5672
default["openstack"]["orchestration"]["rabbit"]["host"] = "127.0.0.1"
# MQ options
default["openstack"]["orchestration"]["mq"]["service_type"] = node["openstack"]["mq"]["service_type"]
default["openstack"]["orchestration"]["mq"]["qpid"]["host"] = "127.0.0.1"
default["openstack"]["orchestration"]["mq"]["qpid"]["port"] = "5672"
default["openstack"]["orchestration"]["mq"]["qpid"]["qpid_hosts"] = ['127.0.0.1:5672']
default["openstack"]["orchestration"]["mq"]["qpid"]["username"] = ""
default["openstack"]["orchestration"]["mq"]["qpid"]["password"] = ""
default["openstack"]["orchestration"]["mq"]["qpid"]["sasl_mechanisms"] = ""
default["openstack"]["orchestration"]["mq"]["qpid"]["reconnect_timeout"] = 0
default["openstack"]["orchestration"]["mq"]["qpid"]["reconnect_limit"] = 0
default["openstack"]["orchestration"]["mq"]["qpid"]["reconnect_interval_min"] = 0
default["openstack"]["orchestration"]["mq"]["qpid"]["reconnect_interval_max"] = 0
default["openstack"]["orchestration"]["mq"]["qpid"]["reconnect_interval"] = 0
default["openstack"]["orchestration"]["mq"]["qpid"]["heartbeat"] = 60
default["openstack"]["orchestration"]["mq"]["qpid"]["protocol"] = "tcp"
default["openstack"]["orchestration"]["mq"]["qpid"]["tcp_nodelay"] = true
default["openstack"]["orchestration"]["service_tenant_name"] = "service"
default["openstack"]["orchestration"]["service_user"] = "heat"
default["openstack"]["orchestration"]["service_role"] = "admin"
default["openstack"]["orchestration"]["api"]["auth"]["version"] = "v2.0"
# If set, heat API service will bind to the address on this interface,
# otherwise it will bind to the API endpoint's host.
default["openstack"]["orchestration"]["api"]["bind_interface"] = nil
# If set, heat api-cfn service will bind to the address on this interface,
# otherwise it will bind to the API endpoint's host.
default["openstack"]["orchestration"]["api-cfn"]["bind_interface"] = nil
# If set, heat api-cloudwatch service will bind to the address on this interface,
# otherwise it will bind to the API endpoint's host.
default["openstack"]["orchestration"]["api-cloudwatch"]["bind_interface"] = nil
# Keystone PKI signing directory. Only written to the filter:authtoken section
# of the api-paste.ini when node["openstack"]["auth"]["strategy"] == "pki"
default["openstack"]["orchestration"]["api"]["auth"]["cache_dir"] = "/var/cache/heat"
# logging attribute
default["openstack"]["orchestration"]["syslog"]["use"] = false
default["openstack"]["orchestration"]["syslog"]["facility"] = "LOG_LOCAL2"
default["openstack"]["orchestration"]["syslog"]["config_facility"] = "local2"
# Common rpc definitions
default["openstack"]["orchestration"]["rpc_thread_pool_size"] = 64
default["openstack"]["orchestration"]["rpc_conn_pool_size"] = 30
default["openstack"]["orchestration"]["rpc_response_timeout"] = 60
# platform-specific settings
case platform
when "fedora", "redhat", "centos" # :pragma-foodcritic: ~FC024 - won't fix this
default["openstack"]["orchestration"]["user"] = "heat"
default["openstack"]["orchestration"]["group"] = "heat"
default["openstack"]["orchestration"]["platform"] = {
"mysql_python_packages" => [ "MySQL-python" ],
"postgresql_python_packages" => ["python-psycopg2"],
"heat_common_packages" => [ "openstack-heat" ],
"heat_api_packages" => ["python-heatclient"],
"heat_api_service" => "openstack-heat-api",
"heat_api_cfn_packages" => ["python-heatclient"],
"heat_api_cfn_service" => "openstack-heat-api-cfn",
"heat_api_cloudwatch_packages" => ["python-heatclient"],
"heat_api_cloudwatch_service" => "openstack-heat-api-cloudwatch",
"heat_engine_packages" => [],
"heat_engine_service" => "openstack-heat-engine",
"heat_api_process_name" => "heat-api",
"package_overrides" => ""
}
when "ubuntu"
default["openstack"]["orchestration"]["user"] = "heat"
default["openstack"]["orchestration"]["group"] = "heat"
default["openstack"]["orchestration"]["platform"] = {
"mysql_python_packages" => [ "python-mysqldb" ],
"postgresql_python_packages" => ["python-psycopg2"],
"heat_common_packages" => ["heat-common"],
"heat_api_packages" => ["heat-api", "python-heatclient"],
"heat_api_service" => "heat-api",
"heat_api_cfn_packages" => ["heat-api-cfn","python-heatclient"],
"heat_api_cfn_service" => "heat-api-cfn",
"heat_api_cloudwatch_packages" => ["heat-api-cloudwatch","python-heatclient"],
"heat_api_cloudwatch_service" => "heat-api-cloudwatch",
"heat_engine_packages" => ["heat-engine"],
"heat_engine_service" => "heat-engine",
"package_overrides" => "-o Dpkg::Options::='--force-confold' -o Dpkg::Options::='--force-confdef'"
}
end

19
metadata.rb Normal file
View File

@ -0,0 +1,19 @@
name "openstack-orchestration"
maintainer "IBM, Inc."
license "Apache 2.0"
description "Installs and configures the Heat Service"
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version "8.0.0"
recipe "openstack-orchestration::common", "Installs packages and set up configuraitions for a Heat Server"
recipe "openstack-orchestration::api", "Start Heat Api service and set up configuraions for this service"
recipe "openstack-orchestration::api-cfn", "Start Heat Api CloudFormation service and set up configuraions for this service"
recipe "openstack-orchestration::api-cloudwatch", "Start Heat Api CloudWatch service and set up configuraions for this service"
recipe "openstack-orchestration::engine", "Setup Heat database and start Heat Engine service"
recipe "openstack-orchestration::identity_registration", "Registers Heat service, user and endpoints with Keystone"
%w{ ubuntu fedora redhat centos }.each do |os|
supports os
end
depends "openstack-common", "~> 8.0"
depends "openstack-identity", "~> 8.0"

54
recipes/api-cfn.rb Normal file
View File

@ -0,0 +1,54 @@
#
# Cookbook Name:: openstack-orchestration
# Recipe:: api-cfn
#
# Copyright 2013, IBM Corp.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
include_recipe "openstack-orchestration::common"
platform_options = node["openstack"]["orchestration"]["platform"]
platform_options["heat_api_cfn_packages"].each do |pkg|
package pkg do
options platform_options["package_overrides"]
action :upgrade
end
end
service "heat-api-cfn" do
service_name platform_options["heat_api_cfn_service"]
supports :status => true, :restart => true
action :enable
subscribes :restart, "template[/etc/heat/heat.conf]"
end
template "/etc/heat/api-paste.ini" do
source "api-paste.ini.erb"
group node["openstack"]["orchestration"]["group"]
owner node["openstack"]["orchestration"]["user"]
mode 00644
notifies :restart, "service[heat-api-cfn]", :immediately
end
template "/etc/heat/policy.json" do
source "policy.json.erb"
group node["openstack"]["orchestration"]["group"]
owner node["openstack"]["orchestration"]["user"]
mode 00644
notifies :restart, "service[heat-api-cfn]", :immediately
end

58
recipes/api-cloudwatch.rb Normal file
View File

@ -0,0 +1,58 @@
#
# Cookbook Name:: openstack-orchestration
# Recipe:: api-cloudwatch
#
#
# Cookbook Name:: openstack-orchestration
# Recipe:: api-cloudwatch
#
# Copyright 2013, IBM Corp.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
include_recipe "openstack-orchestration::common"
platform_options = node["openstack"]["orchestration"]["platform"]
platform_options["heat_api_cloudwatch_packages"].each do |pkg|
package pkg do
options platform_options["package_overrides"]
action :upgrade
end
end
service "heat-api-cloudwatch" do
service_name platform_options["heat_api_cloudwatch_service"]
supports :status => true, :restart => true
action :enable
subscribes :restart, "template[/etc/heat/heat.conf]"
end
template "/etc/heat/api-paste.ini" do
source "api-paste.ini.erb"
group node["openstack"]["orchestration"]["group"]
owner node["openstack"]["orchestration"]["user"]
mode 00644
notifies :restart, "service[heat-api-cloudwatch]", :immediately
end
template "/etc/heat/policy.json" do
source "policy.json.erb"
group node["openstack"]["orchestration"]["group"]
owner node["openstack"]["orchestration"]["user"]
mode 00644
notifies :restart, "service[heat-api-cloudwatch]", :immediately
end

54
recipes/api.rb Normal file
View File

@ -0,0 +1,54 @@
#
# Cookbook Name:: openstack-orchestration
# Recipe:: api
#
# Copyright 2013, IBM Corp.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
include_recipe "openstack-orchestration::common"
platform_options = node["openstack"]["orchestration"]["platform"]
platform_options["heat_api_packages"].each do |pkg|
package pkg do
options platform_options["package_overrides"]
action :upgrade
end
end
service "heat-api" do
service_name platform_options["heat_api_service"]
supports :status => true, :restart => true
action :enable
subscribes :restart, "template[/etc/heat/heat.conf]"
end
template "/etc/heat/api-paste.ini" do
source "api-paste.ini.erb"
group node["openstack"]["orchestration"]["group"]
owner node["openstack"]["orchestration"]["user"]
mode 00644
notifies :restart, "service[heat-api]", :immediately
end
template "/etc/heat/policy.json" do
source "policy.json.erb"
group node["openstack"]["orchestration"]["group"]
owner node["openstack"]["orchestration"]["user"]
mode 00644
notifies :restart, "service[heat-api]", :immediately
end

128
recipes/common.rb Normal file
View File

@ -0,0 +1,128 @@
#
# Cookbook Name:: openstack-orchestration
# Recipe:: engine
#
# Copyright 2013, IBM Corp.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class ::Chef::Recipe
include ::Openstack
end
if node["openstack"]["orchestration"]["syslog"]["use"]
include_recipe "openstack-common::logging"
end
package "python-keystone" do
action :upgrade
end
platform_options = node["openstack"]["orchestration"]["platform"]
platform_options["heat_common_packages"].each do |pkg|
package pkg do
options platform_options["package_overrides"]
action :upgrade
end
end
db_type = node['openstack']['db']['orchestration']['db_type']
platform_options["#{db_type}_python_packages"].each do |pkg|
package pkg do
action :upgrade
end
end
db_user = node["openstack"]["orchestration"]["db"]["username"]
db_pass = db_password "heat"
sql_connection = db_uri("orchestration", db_user, db_pass)
identity_endpoint = endpoint "identity-api"
identity_admin_endpoint = endpoint "identity-admin"
heat_api_endpoint = endpoint "orchestration-api"
heat_api_cfn_endpoint = endpoint "orchestration-api-cfn"
heat_api_cloudwatch_endpoint = endpoint "orchestration-api-cloudwatch"
service_pass = service_password "openstack-orchestration"
#TODO(jaypipes): Move this logic and stuff into the openstack-common
# library cookbook.
auth_uri = identity_endpoint.to_s
if node["openstack"]["orchestration"]["api"]["auth"]["version"] != "v2.0"
# The auth_uri should contain /v2.0 in most cases, but if the
# auth_version is v3.0, we leave it off. This is only necessary
# for environments that need to support V3 non-default-domain
# tokens, which is really the only reason to set version to
# something other than v2.0 (the default)
auth_uri = auth_uri.gsub('/v2.0', '')
end
if node["openstack"]["orchestration"]["mq"]["service_type"] == "rabbitmq"
if node["openstack"]["orchestration"]["rabbit"]["ha"]
rabbit_hosts = rabbit_servers
end
rabbit_pass = user_password node["openstack"]["orchestration"]["rabbit"]["username"]
end
directory "/etc/heat" do
group node["openstack"]["orchestration"]["group"]
owner node["openstack"]["orchestration"]["user"]
mode 00700
action :create
end
directory "/etc/heat/environment.d" do
group node["openstack"]["orchestration"]["group"]
owner node["openstack"]["orchestration"]["user"]
mode 00700
action :create
end
directory node["openstack"]["orchestration"]["api"]["auth"]["cache_dir"] do
owner node["openstack"]["orchestration"]["user"]
group node["openstack"]["orchestration"]["group"]
mode 00700
end
template "/etc/heat/heat.conf" do
source "heat.conf.erb"
group node["openstack"]["orchestration"]["group"]
owner node["openstack"]["orchestration"]["user"]
mode 00644
variables(
:rabbit_password => rabbit_pass,
:rabbit_hosts => rabbit_hosts,
:auth_uri => auth_uri,
:identity_admin_endpoint => identity_admin_endpoint,
:service_pass => service_pass,
:sql_connection => sql_connection,
:heat_api_endpoint => heat_api_endpoint,
:heat_api_cfn_endpoint => heat_api_cfn_endpoint,
:heat_api_cloudwatch_endpoint => heat_api_cloudwatch_endpoint
)
end
template "/etc/heat/environment.d/default.yaml" do
source "default.yaml.erb"
group node["openstack"]["orchestration"]["group"]
owner node["openstack"]["orchestration"]["user"]
mode 00644
end
execute "heat-manage db_sync" do
command "heat-manage db_sync"
action :run
end

18
recipes/default.rb Normal file
View File

@ -0,0 +1,18 @@
#
# Cookbook Name:: openstack-orchestration
# Recipe:: default
#
# Copyright 2013, IBM Corp.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

37
recipes/engine.rb Normal file
View File

@ -0,0 +1,37 @@
#
# Cookbook Name:: openstack-orchestration
# Recipe:: engine
#
# Copyright 2013, IBM Corp.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
include_recipe "openstack-orchestration::common"
platform_options = node["openstack"]["orchestration"]["platform"]
platform_options["heat_engine_packages"].each do |pkg|
package pkg do
options platform_options["package_overrides"]
action :upgrade
end
end
service "heat_engine" do
service_name platform_options["heat_engine_service"]
supports :status => true, :restart => true
action :enable
subscribes :restart, "template[/etc/heat/heat.conf]"
end

View File

@ -0,0 +1,124 @@
#
# Cookbook Name:: openstack-orchestration
# Recipe:: identity_registration
#
# Copyright 2013, IBM Corp.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
require "uri"
class ::Chef::Recipe
include ::Openstack
end
identity_admin_endpoint = endpoint "identity-admin"
token = secret "secrets", "openstack_identity_bootstrap_token"
auth_url = ::URI.decode identity_admin_endpoint.to_s
heat_endpoint = endpoint "orchestration-api"
heat_cfn_endpoint = endpoint "orchestration-api-cfn"
service_pass = service_password "openstack-orchestration"
service_tenant_name = node["openstack"]["orchestration"]["service_tenant_name"]
service_user = node["openstack"]["orchestration"]["service_user"]
service_role = node["openstack"]["orchestration"]["service_role"]
region = node["openstack"]["orchestration"]["region"]
#Do not configure a service/endpoint in keystone for heat-api-cloudwatch(Bug #1167927),
#See discussions on https://bugs.launchpad.net/heat/+bug/1167927
# Register Heat API Service
openstack_identity_register "Register Heat Orchestration Service" do
auth_uri auth_url
bootstrap_token token
service_name "heat"
service_type "orchestration"
service_description "Heat Orchestration Service"
action :create_service
end
# Register Heat API Cloudformation Service
openstack_identity_register "Register Heat Cloudformation Service" do
auth_uri auth_url
bootstrap_token token
service_name "heat-cfn"
service_type "cloudformation"
service_description "Heat Cloudformation Service"
action :create_service
end
# Register Heat API Endpoint
openstack_identity_register "Register Heat Orchestration Endpoint" do
auth_uri auth_url
bootstrap_token token
service_type "orchestration"
endpoint_region region
endpoint_adminurl heat_endpoint.to_s
endpoint_internalurl heat_endpoint.to_s
endpoint_publicurl heat_endpoint.to_s
action :create_endpoint
end
# Register Heat API CloudFormation Endpoint
openstack_identity_register "Register Heat Cloudformation Endpoint" do
auth_uri auth_url
bootstrap_token token
service_type "cloudformation"
endpoint_region region
endpoint_adminurl heat_cfn_endpoint.to_s
endpoint_internalurl heat_cfn_endpoint.to_s
endpoint_publicurl heat_cfn_endpoint.to_s
action :create_endpoint
end
# Register Service Tenant
openstack_identity_register "Register Service Tenant" do
auth_uri auth_url
bootstrap_token token
tenant_name service_tenant_name
tenant_description "Service Tenant"
tenant_enabled true # Not required as this is the default
action :create_tenant
end
# Register Service User
openstack_identity_register "Register Heat Service User" do
auth_uri auth_url
bootstrap_token token
tenant_name service_tenant_name
user_name service_user
user_pass service_pass
# String until https://review.openstack.org/#/c/29498/ merged
user_enabled true
action :create_user
end
## Grant Admin role to Service User for Service Tenant ##
openstack_identity_register "Grant '#{service_role}' Role to #{service_user} User for #{service_tenant_name} Tenant" do
auth_uri auth_url
bootstrap_token token
tenant_name service_tenant_name
user_name service_user
role_name service_role
action :grant_role
end

View File

@ -0,0 +1,29 @@
require_relative "spec_helper"
describe "openstack-orchestration::api-cfn" do
before { orchestration_stubs }
describe "redhat" do
before do
@chef_run = ::ChefSpec::Runner.new ::REDHAT_OPTS do |n|
n.set["openstack"]["orchestration"]["syslog"]["use"] = true
end
@chef_run.converge "openstack-orchestration::api-cfn"
end
expect_runs_openstack_orchestration_common_recipe
expect_runs_openstack_common_logging_recipe
it "installs heat client packages" do
expect(@chef_run).to upgrade_package "python-heatclient"
end
expect_creates_api_paste "service[heat-api-cfn]"
expect_creates_policy_json "service[heat-api-cfn]","heat","heat"
it "starts heat api-cfn on boot" do
expect(@chef_run).to enable_service("openstack-heat-api-cfn")
end
end
end

View File

@ -0,0 +1,29 @@
require_relative "spec_helper"
describe "openstack-orchestration::api-cloudwatch" do
before { orchestration_stubs }
describe "redhat" do
before do
@chef_run = ::ChefSpec::Runner.new ::REDHAT_OPTS do |n|
n.set["openstack"]["orchestration"]["syslog"]["use"] = true
end
@chef_run.converge "openstack-orchestration::api-cloudwatch"
end
expect_runs_openstack_orchestration_common_recipe
expect_runs_openstack_common_logging_recipe
it "installs heat client packages" do
expect(@chef_run).to upgrade_package "python-heatclient"
end
expect_creates_api_paste "service[heat-api-cloudwatch]"
expect_creates_policy_json "service[heat-api-cloudwatch]","heat","heat"
it "starts heat api-cloudwatch on boot" do
expect(@chef_run).to enable_service("openstack-heat-api-cloudwatch")
end
end
end

29
spec/api-redhat_spec.rb Normal file
View File

@ -0,0 +1,29 @@
require_relative "spec_helper"
describe "openstack-orchestration::api" do
before { orchestration_stubs }
describe "redhat" do
before do
@chef_run = ::ChefSpec::Runner.new ::REDHAT_OPTS
@chef_run.converge "openstack-orchestration::api"
end
expect_runs_openstack_orchestration_common_recipe
it "doesn't run logging recipe" do
expect(@chef_run).not_to include_recipe "openstack-common::logging"
end
it "installs heat client packages" do
expect(@chef_run).to upgrade_package "python-heatclient"
end
expect_creates_api_paste "service[heat-api]"
expect_creates_policy_json "service[heat-api]","heat","heat"
it "starts heat api on boot" do
expect(@chef_run).to enable_service("openstack-heat-api")
end
end
end

115
spec/common-redhat_spec.rb Normal file
View File

@ -0,0 +1,115 @@
require_relative "spec_helper"
describe "openstack-orchestration::common" do
before { orchestration_stubs }
before do
@chef_run = ::ChefSpec::Runner.new ::REDHAT_OPTS
@chef_run.converge "openstack-orchestration::common"
end
it "installs python-keystone" do
expect(@chef_run).to upgrade_package "python-keystone"
end
it "installs the openstack-heat package" do
expect(@chef_run).to upgrade_package "openstack-heat"
end
it "installs mysql python packages by default" do
expect(@chef_run).to upgrade_package "MySQL-python"
end
it "installs postgresql python packages if explicitly told" do
chef_run = ::ChefSpec::Runner.new ::REDHAT_OPTS
node = chef_run.node
node.set["openstack"]["db"]["orchestration"]["db_type"] = "postgresql"
chef_run.converge "openstack-orchestration::common"
expect(chef_run).to upgrade_package "python-psycopg2"
expect(chef_run).not_to upgrade_package "MySQL-python"
end
describe "/etc/heat" do
before do
@dir = @chef_run.directory "/etc/heat"
end
it "has proper owner" do
expect(@dir.owner).to eq("heat")
end
it "has proper modes" do
expect(sprintf("%o", @dir.mode)).to eq "700"
end
end
describe "/etc/heat/environment.d" do
before do
@dir = @chef_run.directory "/etc/heat/environment.d"
end
it "has proper owner" do
expect(@dir.owner).to eq("heat")
end
it "has proper modes" do
expect(sprintf("%o", @dir.mode)).to eq "700"
end
end
describe "/var/cache/heat" do
before do
@dir = @chef_run.directory "/var/cache/heat"
end
it "has proper owner" do
expect(@dir.owner).to eq("heat")
end
it "has proper modes" do
expect(sprintf("%o", @dir.mode)).to eq "700"
end
end
describe "heat.conf" do
before do
@template = @chef_run.template "/etc/heat/heat.conf"
end
it "has proper owner" do
expect(@template.owner).to eq("heat")
expect(@template.group).to eq("heat")
end
it "has proper modes" do
expect(sprintf("%o", @template.mode)).to eq "644"
end
# Pending on https://review.openstack.org/#/c/59088/
it "template contents" do
pending "TODO: implement"
end
end
describe "default.yaml" do
before do
@template = @chef_run.template "/etc/heat/environment.d/default.yaml"
end
it "has proper owner" do
expect(@template.owner).to eq("heat")
expect(@template.group).to eq("heat")
end
it "has proper modes" do
expect(sprintf("%o", @template.mode)).to eq "644"
end
end
it "runs db migrations" do
cmd = "heat-manage db_sync"
expect(@chef_run).to run_execute(cmd)
end
end

4
spec/default_spec.rb Normal file
View File

@ -0,0 +1,4 @@
require_relative "spec_helper"
describe "openstack-orchestration::default" do
end

View File

@ -0,0 +1,21 @@
require_relative "spec_helper"
describe "openstack-orchestration::engine" do
before { orchestration_stubs }
describe "redhat" do
before do
@chef_run = ::ChefSpec::Runner.new ::REDHAT_OPTS
@chef_run.converge "openstack-orchestration::engine"
end
expect_runs_openstack_orchestration_common_recipe
it "doesn't run logging recipe" do
expect(@chef_run).not_to include_recipe "openstack-common::logging"
end
it "starts heat engine on boot" do
expect(@chef_run).to enable_service("openstack-heat-engine")
end
end
end

View File

@ -0,0 +1,87 @@
require_relative "spec_helper"
describe "openstack-orchestration::identity_registration" do
before do
orchestration_stubs
@chef_run = ::ChefSpec::Runner.new ::REDHAT_OPTS
@chef_run.converge "openstack-orchestration::identity_registration"
end
it "Register Heat Orchestration Service" do
resource = @chef_run.find_resource(
"openstack-identity_register",
"Register Heat Orchestration Service"
).to_hash
expect(resource).to include(
:auth_uri => "http://127.0.0.1:35357/v2.0",
:bootstrap_token => "bootstrap-token",
:service_name => "heat",
:service_type => "orchestration",
:service_description => "Heat Orchestration Service",
:action => [:create_service]
)
end
# Pending on https://review.openstack.org/#/c/59088/
it "Register Heat Orchestration Endpoint" do
pending "TODO: implement"
end
it "Register Heat Cloudformation Service" do
resource = @chef_run.find_resource(
"openstack-identity_register",
"Register Heat Cloudformation Service"
).to_hash
expect(resource).to include(
:auth_uri => "http://127.0.0.1:35357/v2.0",
:bootstrap_token => "bootstrap-token",
:service_name => "heat-cfn",
:service_type => "cloudformation",
:service_description => "Heat Cloudformation Service",
:action => [:create_service]
)
end
# Pending on https://review.openstack.org/#/c/59088/
it "Register Heat Cloudformation Endpoint" do
pending "TODO: implement"
end
it "registers service user" do
resource = @chef_run.find_resource(
"openstack-identity_register",
"Register Heat Service User"
).to_hash
expect(resource).to include(
:auth_uri => "http://127.0.0.1:35357/v2.0",
:bootstrap_token => "bootstrap-token",
:tenant_name => "service",
:user_name => "heat",
:user_pass => "heat-pass",
:user_enabled => true,
:action => [:create_user]
)
end
it "grants admin role to service user for service tenant" do
resource = @chef_run.find_resource(
"openstack-identity_register",
"Grant 'admin' Role to heat User for service Tenant"
).to_hash
expect(resource).to include(
:auth_uri => "http://127.0.0.1:35357/v2.0",
:bootstrap_token => "bootstrap-token",
:tenant_name => "service",
:user_name => "heat",
:role_name => "admin",
:action => [:grant_role]
)
end
end

95
spec/spec_helper.rb Normal file
View File

@ -0,0 +1,95 @@
require "chefspec"
require "chef/application"
::LOG_LEVEL = :fatal
::REDHAT_OPTS = {
:platform => "redhat",
:version => "6.3",
:log_level => ::LOG_LEVEL
}
def orchestration_stubs
::Chef::Recipe.any_instance.stub(:rabbit_servers).
and_return "1.1.1.1:5672,2.2.2.2:5672"
::Chef::Recipe.any_instance.stub(:address_for).
with("lo").
and_return "127.0.1.1"
::Chef::Recipe.any_instance.stub(:secret).
with("secrets", "openstack_identity_bootstrap_token").
and_return "bootstrap-token"
::Chef::Recipe.any_instance.stub(:db_password).and_return String.new
::Chef::Recipe.any_instance.stub(:user_password).and_return String.new
::Chef::Recipe.any_instance.stub(:user_password).
with("guest").
and_return "rabbit-pass"
::Chef::Recipe.any_instance.stub(:user_password).
with("admin-user").
and_return "admin-pass"
::Chef::Recipe.any_instance.stub(:service_password).with("openstack-orchestration").
and_return "heat-pass"
::Chef::Application.stub(:fatal!)
end
def expect_runs_openstack_orchestration_common_recipe
it "runs orchestration common recipe" do
expect(@chef_run).to include_recipe "openstack-orchestration::common"
end
end
def expect_installs_python_keystone
it "installs python-keystone" do
expect(@chef_run).to upgrade_package "python-keystone"
end
end
def expect_runs_openstack_common_logging_recipe
it "runs logging recipe if node attributes say to" do
expect(@chef_run).to include_recipe "openstack-common::logging"
end
end
def expect_creates_api_paste service, action=:restart
describe "api-paste.ini" do
before do
@template = @chef_run.template "/etc/heat/api-paste.ini"
end
it "has proper owner" do
expect(@template.owner).to eq("heat")
expect(@template.group).to eq("heat")
end
it "has proper modes" do
expect(sprintf("%o", @template.mode)).to eq "644"
end
it "template contents" do
pending "TODO: implement"
end
it "notifies heat-api restart" do
expect(@template).to notify(service).to(action)
end
end
end
def expect_creates_policy_json service, user, group, action=:restart
describe "policy.json" do
before do
@template = @chef_run.template "/etc/heat/policy.json"
end
it "has proper owner" do
expect(@template.owner).to eq(user)
expect(@template.group).to eq(group)
end
it "has proper modes" do
expect(sprintf("%o", @template.mode)).to eq "644"
end
it "notifies service restart" do
expect(@template).to notify(service).to(action)
end
end
end

View File

@ -0,0 +1,88 @@
<%= node["openstack"]["orchestration"]["custom_template_banner"] %>
# heat-api pipeline
[pipeline:heat-api]
pipeline = faultwrap versionnegotiation authtoken context apiv1app
# heat-api pipeline for standalone heat
# ie. uses alternative auth backend that authenticates users against keystone
# using username and password instead of validating token (which requires
# an admin/service token).
# To enable, in heat.conf:
# [paste_deploy]
# flavor = standalone
#
[pipeline:heat-api-standalone]
pipeline = faultwrap versionnegotiation authpassword context apiv1app
# heat-api pipeline for custom cloud backends
# i.e. in heat.conf:
# [paste_deploy]
# flavor = custombackend
#
[pipeline:heat-api-custombackend]
pipeline = faultwrap versionnegotiation context custombackendauth apiv1app
# heat-api-cfn pipeline
[pipeline:heat-api-cfn]
pipeline = cfnversionnegotiation ec2authtoken authtoken context apicfnv1app
# heat-api-cfn pipeline for standalone heat
# relies exclusively on authenticating with ec2 signed requests
[pipeline:heat-api-cfn-standalone]
pipeline = cfnversionnegotiation ec2authtoken context apicfnv1app
# heat-api-cloudwatch pipeline
[pipeline:heat-api-cloudwatch]
pipeline = versionnegotiation ec2authtoken authtoken context apicwapp
# heat-api-cloudwatch pipeline for standalone heat
# relies exclusively on authenticating with ec2 signed requests
[pipeline:heat-api-cloudwatch-standalone]
pipeline = versionnegotiation ec2authtoken context apicwapp
[app:apiv1app]
paste.app_factory = heat.common.wsgi:app_factory
heat.app_factory = heat.api.openstack.v1:API
[app:apicfnv1app]
paste.app_factory = heat.common.wsgi:app_factory
heat.app_factory = heat.api.cfn.v1:API
[app:apicwapp]
paste.app_factory = heat.common.wsgi:app_factory
heat.app_factory = heat.api.cloudwatch:API
[filter:versionnegotiation]
paste.filter_factory = heat.common.wsgi:filter_factory
heat.filter_factory = heat.api.openstack:version_negotiation_filter
[filter:faultwrap]
paste.filter_factory = heat.common.wsgi:filter_factory
heat.filter_factory = heat.api.openstack:faultwrap_filter
[filter:cfnversionnegotiation]
paste.filter_factory = heat.common.wsgi:filter_factory
heat.filter_factory = heat.api.cfn:version_negotiation_filter
[filter:cwversionnegotiation]
paste.filter_factory = heat.common.wsgi:filter_factory
heat.filter_factory = heat.api.cloudwatch:version_negotiation_filter
[filter:context]
paste.filter_factory = heat.common.context:ContextMiddleware_filter_factory
[filter:ec2authtoken]
paste.filter_factory = heat.api.aws.ec2token:EC2Token_filter_factory
# Auth middleware that validates token against keystone
[filter:authtoken]
paste.filter_factory = heat.common.auth_token:filter_factory
# Auth middleware that validates username/password against keystone
[filter:authpassword]
paste.filter_factory = heat.common.auth_password:filter_factory
# Auth middleware that validates against custom backend
[filter:custombackendauth]
paste.filter_factory = heat.common.custom_backend_auth:filter_factory

View File

@ -0,0 +1,10 @@
<%= node["openstack"]["orchestration"]["custom_template_banner"] %>
resource_registry:
# allow older templates with Quantum in them.
"OS::Quantum*": "OS::Neutron*"
# Choose your implementation of AWS::CloudWatch::Alarm
#"AWS::CloudWatch::Alarm": "file:///etc/heat/templates/AWS_CloudWatch_Alarm.yaml"
"AWS::CloudWatch::Alarm": "OS::Heat::CWLiteAlarm"
"OS::Metering::Alarm": "OS::Ceilometer::Alarm"
"AWS::RDS::DBInstance": "file:///etc/heat/templates/AWS_RDS_DBInstance.yaml"

View File

@ -0,0 +1,862 @@
<%= node["openstack"]["orchestration"]["custom_template_banner"] %>
[DEFAULT]
#
# Options defined in heat.common.config
#
sql_connection=<%= @sql_connection %>
# The default user for new instances (string value)
#instance_user=ec2-user
# Driver to use for controlling instances (string value)
#instance_driver=heat.engine.nova
# Engine identifier for multi-engine distributed lock. If
# this is set to "generate_uuid", a UUID will be generated.
# (string value)
#engine_id=generate_uuid
# List of directories to search for Plugins (list value)
#plugin_dirs=/usr/lib64/heat,/usr/lib/heat
# The directory to search for environment files (string value)
#environment_dir=/etc/heat/environment.d
# Select deferred auth method, stored password or trusts
# (string value)
#deferred_auth_method=password
# Subset of trustor roles to be delegated to heat (list value)
#trusts_delegated_roles=heat_stack_owner
# Maximum resources allowed per top-level stack. (integer
# value)
#max_resources_per_stack=1000
# Maximum number of stacks any one tenant may have active at
# one time. (integer value)
#max_stacks_per_tenant=100
# Controls how many events will be pruned whenever a stack's
# events exceed max_events_per_stack. Set this lower to keep
# more events at the expense of more frequent purges. (integer
# value)
#event_purge_batch_size=10
# Maximum events that will be available per stack. Older
# events will be deleted when this is reached. Set to 0 for
# unlimited events per stack. (integer value)
#max_events_per_stack=1000
# Name of the engine node. This can be an opaque identifier.It
# is not necessarily a hostname, FQDN, or IP address. (string
# value)
#host=heat
# seconds between running periodic tasks (integer value)
#periodic_interval=60
# URL of the Heat metadata server (string value)
heat_metadata_server_url=http://<%= @heat_api_cfn_endpoint.host %>:<%= @heat_api_cfn_endpoint.port %>
# URL of the Heat waitcondition server (string value)
heat_waitcondition_server_url=http://<%= @heat_api_cfn_endpoint.host %>:<%= @heat_api_cfn_endpoint.port %><%= @heat_api_cfn_endpoint.path %>/waitcondition
# URL of the Heat cloudwatch server (string value)
heat_watch_server_url=http://<%= @heat_api_cloudwatch_endpoint.host %>:<%= @heat_api_cloudwatch_endpoint.port %>
# Instance connection to cfn/cw API via https (string value)
#instance_connection_is_secure=0
# Instance connection to cfn/cw API validate certs if ssl
# (string value)
#instance_connection_https_validate_certificates=1
# Keystone role for heat template-defined users (string value)
#heat_stack_user_role=heat_stack_user
# Maximum raw byte size of any template. (integer value)
#max_template_size=524288
# Maximum depth allowed when using nested stacks. (integer
# value)
#max_nested_stack_depth=3
#
# Options defined in heat.common.crypt
#
# Encryption key used for authentication info in database
# (string value)
#auth_encryption_key=notgood but just long enough i think
#
# Options defined in heat.common.wsgi
#
# Maximum raw byte size of JSON request body. Should be larger
# than max_template_size. (integer value)
#max_json_body_size=1048576
#
# Options defined in heat.db.api
#
# The backend to use for db (string value)
#db_backend=sqlalchemy
#
# Options defined in heat.engine.clients
#
# Fully qualified class name to use as a client backend.
# (string value)
#cloud_backend=heat.engine.clients.OpenStackClients
#
# Options defined in heat.openstack.common.db.sqlalchemy.session
#
# the filename to use with sqlite (string value)
#sqlite_db=heat.sqlite
# If true, use synchronous mode for sqlite (boolean value)
#sqlite_synchronous=true
#
# Options defined in heat.openstack.common.eventlet_backdoor
#
# Enable eventlet backdoor. Acceptable values are 0, <port>,
# and <start>:<end>, where 0 results in listening on a random
# tcp port number; <port> results in listening on the
# specified port number (and not enabling backdoor if that
# port is in use); and <start>:<end> results in listening on
# the smallest unused port number within the specified range
# of port numbers. The chosen port is displayed in the
# service's log file. (string value)
#backdoor_port=<None>
#
# Options defined in heat.openstack.common.lockutils
#
# Whether to disable inter-process locks (boolean value)
#disable_process_locking=false
# Directory to use for lock files. (string value)
#lock_path=<None>
#
# Options defined in heat.openstack.common.log
#
# Print debugging output (set logging level to DEBUG instead
# of default WARNING level). (boolean value)
debug=<%= node["openstack"]["orchestration"]["debug"] %>
# Print more verbose output (set logging level to INFO instead
# of default WARNING level). (boolean value)
verbose=<%= node["openstack"]["orchestration"]["verbose"] %>
# Log output to standard error (boolean value)
#use_stderr=true
# format string to use for log messages with context (string
# value)
#logging_context_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user)s %(tenant)s] %(instance)s%(message)s
# format string to use for log messages without context
# (string value)
#logging_default_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
# data to append to log format when level is DEBUG (string
# value)
#logging_debug_format_suffix=%(funcName)s %(pathname)s:%(lineno)d
# prefix each line of exception output with this format
# (string value)
#logging_exception_prefix=%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s
# list of logger=LEVEL pairs (list value)
#default_log_levels=amqplib=WARN,sqlalchemy=WARN,boto=WARN,suds=INFO,keystone=INFO,eventlet.wsgi.server=WARN
# publish error events (boolean value)
#publish_errors=false
# make deprecations fatal (boolean value)
#fatal_deprecations=false
# If an instance is passed with the log message, format it
# like this (string value)
#instance_format="[instance: %(uuid)s] "
# If an instance UUID is passed with the log message, format
# it like this (string value)
#instance_uuid_format="[instance: %(uuid)s] "
# (Optional) In addition to the system's default language log,
# creates an additional log in the given language if such
# language is present in the operating system. This option is
# only enabled if the 'log-file' option is used, and the
# additional log will be created in the same directory of the
# main log, inside a directory named after the locale. This is
# an OSEE-only property. (string value)
#log_additional_locale=<None>
# If this option is specified, the logging configuration file
# specified is used and overrides any other logging options
# specified. Please see the Python logging module
# documentation for details on logging configuration files.
# (string value)
<% if node["openstack"]["orchestration"]["syslog"]["use"] %>
log_config = /etc/openstack/logging.conf
<% end %>
# DEPRECATED. A logging.Formatter log message format string
# which may use any of the available logging.LogRecord
# attributes. This option is deprecated. Please use
# logging_context_format_string and
# logging_default_format_string instead. (string value)
#log_format=<None>
# Format string for %%(asctime)s in log records. Default:
# %(default)s (string value)
#log_date_format=%Y-%m-%d %H:%M:%S
# (Optional) Name of log file to output to. If no default is
# set, logging will go to stdout. (string value)
#log_file=<None>
# (Optional) The base directory used for relative --log-file
# paths (string value)
#log_dir=<None>
# Use syslog for logging. (boolean value)
#use_syslog=false
# syslog facility to receive log lines (string value)
#syslog_log_facility=LOG_USER
#
# Options defined in heat.openstack.common.notifier.api
#
# Driver or drivers to handle sending notifications (multi
# valued)
#notification_driver=
# Default notification level for outgoing notifications
# (string value)
#default_notification_level=INFO
# Default publisher_id for outgoing notifications (string
# value)
#default_publisher_id=<None>
#
# Options defined in heat.openstack.common.notifier.list_notifier
#
# List of drivers to send notifications (multi valued)
#list_notifier_drivers=heat.openstack.common.notifier.no_op_notifier
#
# Options defined in heat.openstack.common.notifier.rpc_notifier
#
# AMQP topic used for openstack notifications (list value)
#notification_topics=notifications
#
# Options defined in heat.openstack.common.policy
#
# JSON file containing policy (string value)
#policy_file=policy.json
# Rule enforced when requested rule is not found (string
# value)
#policy_default_rule=default
#
# Options defined in heat.openstack.common.rpc
#
# The messaging module to use, defaults to kombu. (string
# value)
#rpc_backend=
# Size of RPC thread pool (integer value)
rpc_thread_pool_size=<%= node["openstack"]["orchestration"]["rpc_thread_pool_size"] %>
# Size of RPC connection pool (integer value)
rpc_conn_pool_size=<%= node["openstack"]["orchestration"]["rpc_conn_pool_size"] %>
# Seconds to wait for a response from call or multicall
# (integer value)
rpc_response_timeout=<%= node["openstack"]["orchestration"]["rpc_response_timeout"] %>
# Seconds to wait before a cast expires (TTL). Only supported
# by impl_zmq. (integer value)
#rpc_cast_timeout=30
# Modules of exceptions that are permitted to be recreatedupon
# receiving exception data from an rpc call. (list value)
#allowed_rpc_exception_modules=heat.openstack.common.exception,heat.common.exception,nova.exception,cinder.exception,exceptions
# If passed, use a fake RabbitMQ provider (boolean value)
#fake_rabbit=false
# AMQP exchange to connect to if using RabbitMQ or Qpid
# (string value)
#control_exchange=openstack
#
# Options defined in heat.openstack.common.rpc.amqp
#
# Use durable queues in amqp. (boolean value)
#amqp_durable_queues=false
# Auto-delete queues in amqp. (boolean value)
#amqp_auto_delete=false
#
# Options defined in heat.openstack.common.rpc.impl_kombu
#
# SSL version to use (valid only if SSL enabled). valid values
# are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some
# distributions (string value)
#kombu_ssl_version=
# SSL key file (valid only if SSL enabled) (string value)
#kombu_ssl_keyfile=
# SSL cert file (valid only if SSL enabled) (string value)
#kombu_ssl_certfile=
# SSL certification authority file (valid only if SSL enabled)
# (string value)
#kombu_ssl_ca_certs=
<% if node["openstack"]["orchestration"]["mq"]["service_type"] == "rabbitmq" %>
<% if node["openstack"]["orchestration"]["rabbit"]["ha"] -%>
rabbit_hosts=<%= @rabbit_hosts %>
#### (ListOpt) RabbitMQ HA cluster host:port pairs
# rabbit_durable_queues=false
#### (BoolOpt) use durable queues in RabbitMQ
rabbit_ha_queues=True
#### (BoolOpt) use H/A queues in RabbitMQ (x-ha-policy: all).You need to
#### wipe RabbitMQ database when changing this option.
<% else -%>
rabbit_host=<%= node["openstack"]["orchestration"]["rabbit"]["host"] %>
#### (StrOpt) The RabbitMQ broker address where a single node is used
rabbit_port=<%= node["openstack"]["orchestration"]["rabbit"]["port"] %>
#### (IntOpt) The RabbitMQ broker port where a single node is used
<% end -%>
# connect over SSL for RabbitMQ (boolean value)
#rabbit_use_ssl=false
rabbit_userid=<%= node["openstack"]["orchestration"]["rabbit"]["username"] %>
#### (StrOpt) the RabbitMQ userid
rabbit_password=<%= @rabbit_password %>
#### (StrOpt) the RabbitMQ password
rabbit_virtual_host=<%= node["openstack"]["orchestration"]["rabbit"]["vhost"] %>
#### (StrOpt) the RabbitMQ virtual host
# how frequently to retry connecting with RabbitMQ (integer
# value)
#rabbit_retry_interval=1
# how long to backoff for between retries when connecting to
# RabbitMQ (integer value)
#rabbit_retry_backoff=2
# maximum retries with trying to connect to RabbitMQ (the
# default of 0 implies an infinite retry count) (integer
# value)
#rabbit_max_retries=0
# use H/A queues in RabbitMQ (x-ha-policy: all).You need to
# wipe RabbitMQ database when changing this option. (boolean
# value)
#rabbit_ha_queues=false
<% end -%>
#
# Options defined in heat.openstack.common.rpc.impl_qpid
#
<% if node["openstack"]["orchestration"]["mq"]["service_type"] == "qpid" %>
rpc_backend=heat.openstack.common.rpc.impl_qpid
# Qpid broker hostname (string value)
qpid_hostname=<%= node["openstack"]["orchestration"]["mq"]["qpid"]["host"] %>
# Qpid broker port (integer value)
qpid_port=<%= node["openstack"]["orchestration"]["mq"]["qpid"]["port"] %>
# Qpid HA cluster host:port pairs (list value)
#qpid_hosts=$qpid_hostname:$qpid_port
# Username for qpid connection (string value)
qpid_username=<%= node["openstack"]["orchestration"]["mq"]["qpid"]["username"] %>
# Password for qpid connection (string value)
qpid_password=<%= node["openstack"]["orchestration"]["mq"]["qpid"]["password"] %>
# Space separated list of SASL mechanisms to use for auth
# (string value)
qpid_sasl_mechanisms=<%= node["openstack"]["orchestration"]["mq"]["qpid"]["sasl_mechanisms"] %>
# Seconds between connection keepalive heartbeats (integer
# value)
qpid_heartbeat=<%= node["openstack"]["orchestration"]["mq"]["qpid"]["heartbeat"] %>
# Transport to use, either 'tcp' or 'ssl' (string value)
qpid_protocol=<%= node["openstack"]["orchestration"]["mq"]["qpid"]["protocol"] %>
# Disable Nagle algorithm (boolean value)
qpid_tcp_nodelay=<%= node["openstack"]["orchestration"]["mq"]["qpid"]["tcp_nodelay"] %>
# The qpid topology version to use. Version 1 is what was
# originally used by impl_qpid. Version 2 includes some
# backwards-incompatible changes that allow broker federation
# to work. Users should update to version 2 when they are
# able to take everything down, as it requires a clean break.
# (integer value)
#qpid_topology_version=1
qpid_reconnect_timeout=<%= node["openstack"]["orchestration"]["mq"]["qpid"]["reconnect_timeout"] %>
qpid_reconnect_limit=<%= node["openstack"]["orchestration"]["mq"]["qpid"]["reconnect_limit"] %>
qpid_reconnect_interval_min=<%= node["openstack"]["orchestration"]["mq"]["qpid"]["reconnect_interval_min"] %>
qpid_reconnect_interval_max=<%= node["openstack"]["orchestration"]["mq"]["qpid"]["reconnect_interval_max"] %>
qpid_reconnect_interval=<%= node["openstack"]["orchestration"]["mq"]["qpid"]["reconnect_interval"] %>
<% end -%>
#
# Options defined in heat.openstack.common.rpc.impl_zmq
#
# ZeroMQ bind address. Should be a wildcard (*), an ethernet
# interface, or IP. The "host" option should point or resolve
# to this address. (string value)
#rpc_zmq_bind_address=*
# MatchMaker driver (string value)
#rpc_zmq_matchmaker=heat.openstack.common.rpc.matchmaker.MatchMakerLocalhost
# ZeroMQ receiver listening port (integer value)
#rpc_zmq_port=9501
# Number of ZeroMQ contexts, defaults to 1 (integer value)
#rpc_zmq_contexts=1
# Maximum number of ingress messages to locally buffer per
# topic. Default is unlimited. (integer value)
#rpc_zmq_topic_backlog=<None>
# Directory for holding IPC sockets (string value)
#rpc_zmq_ipc_dir=/var/run/openstack
# Name of this node. Must be a valid hostname, FQDN, or IP
# address. Must match "host" option, if running Nova. (string
# value)
#rpc_zmq_host=heat
#
# Options defined in heat.openstack.common.rpc.matchmaker
#
# Heartbeat frequency (integer value)
#matchmaker_heartbeat_freq=300
# Heartbeat time-to-live. (integer value)
#matchmaker_heartbeat_ttl=600
[ssl]
#
# Options defined in heat.openstack.common.sslutils
#
# CA certificate file to use to verify connecting clients
# (string value)
#ca_file=<None>
# Certificate file to use when starting the server securely
# (string value)
#cert_file=<None>
# Private key file to use when starting the server securely
# (string value)
#key_file=<None>
[database]
#
# Options defined in heat.openstack.common.db.api
#
# The backend to use for db (string value)
#backend=sqlalchemy
# Enable the experimental use of thread pooling for all DB API
# calls (boolean value)
#use_tpool=false
#
# Options defined in heat.openstack.common.db.sqlalchemy.session
#
# The SQLAlchemy connection string used to connect to the
# database (string value)
#connection=sqlite:////heat/openstack/common/db/$sqlite_db
# The SQLAlchemy connection string used to connect to the
# slave database (string value)
#slave_connection=
# timeout before idle sql connections are reaped (integer
# value)
#idle_timeout=3600
# Minimum number of SQL connections to keep open in a pool
# (integer value)
#min_pool_size=1
# Maximum number of SQL connections to keep open in a pool
# (integer value)
#max_pool_size=<None>
# maximum db connection retries during startup. (setting -1
# implies an infinite retry count) (integer value)
#max_retries=10
# interval between retries of opening a sql connection
# (integer value)
#retry_interval=10
# If set, use this value for max_overflow with sqlalchemy
# (integer value)
#max_overflow=<None>
# Verbosity of SQL debugging information. 0=None,
# 100=Everything (integer value)
#connection_debug=0
# Add python stack traces to SQL as comment strings (boolean
# value)
#connection_trace=false
# If set, use this value for pool_timeout with sqlalchemy
# (integer value)
#pool_timeout=<None>
[paste_deploy]
#
# Options defined in heat.common.config
#
# The flavor to use (string value)
#flavor=<None>
# The API paste config file to use (string value)
#api_paste_config=api-paste.ini
[rpc_notifier2]
#
# Options defined in heat.openstack.common.notifier.rpc_notifier2
#
# AMQP topic(s) used for openstack notifications (list value)
#topics=notifications
[ec2authtoken]
#
# Options defined in heat.api.aws.ec2token
#
# Authentication Endpoint URI (string value)
#auth_uri=<None>
# Allow orchestration of multiple clouds (boolean value)
#multi_cloud=false
# Allowed keystone endpoints for auth_uri when multi_cloud is
# enabled. At least one endpoint needs to be specified. (list
# value)
#allowed_auth_uris=
[heat_api_cloudwatch]
#
# Options defined in heat.common.wsgi
#
# Address to bind the server. Useful when selecting a
# particular network interface. (string value)
bind_host=<%= @heat_api_cloudwatch_endpoint.host %>
# The port on which the server will listen. (integer value)
bind_port=<%= @heat_api_cloudwatch_endpoint.port %>
# Number of backlog requests to configure the socket with
# (integer value)
#backlog=4096
# Location of the SSL Certificate File to use for SSL mode
# (string value)
#cert_file=<None>
# Location of the SSL Key File to use for enabling SSL mode
# (string value)
#key_file=<None>
# Number of workers for Heat service (integer value)
#workers=0
[heat_api]
#
# Options defined in heat.common.wsgi
#
# Address to bind the server. Useful when selecting a
# particular network interface. (string value)
bind_host=<%= @heat_api_endpoint.host %>
# The port on which the server will listen. (integer value)
bind_port=<%= @heat_api_endpoint.port %>
# Number of backlog requests to configure the socket with
# (integer value)
#backlog=4096
# Location of the SSL Certificate File to use for SSL mode
# (string value)
#cert_file=<None>
# Location of the SSL Key File to use for enabling SSL mode
# (string value)
#key_file=<None>
# Number of workers for Heat service (integer value)
#workers=0
[heat_api_cfn]
#
# Options defined in heat.common.wsgi
#
# Address to bind the server. Useful when selecting a
# particular network interface. (string value)
bind_host=<%= @heat_api_cfn_endpoint.host %>
# The port on which the server will listen. (integer value)
bind_port=<%= @heat_api_cfn_endpoint.port %>
# Number of backlog requests to configure the socket with
# (integer value)
#backlog=4096
# Location of the SSL Certificate File to use for SSL mode
# (string value)
#cert_file=<None>
# Location of the SSL Key File to use for enabling SSL mode
# (string value)
#key_file=<None>
# Number of workers for Heat service (integer value)
#workers=0
[keystone_authtoken]
#
# Options defined in keystoneclient.middleware.auth_token
#
# Prefix to prepend at the beginning of the path (string
# value)
#auth_admin_prefix=
# Host providing the admin Identity API endpoint (string
# value)
auth_host=<%= @identity_admin_endpoint.host %>
# Port of the admin Identity API endpoint (integer value)
auth_port=<%= @identity_admin_endpoint.port %>
# Protocol of the admin Identity API endpoint(http or https)
# (string value)
auth_protocol=<%= @identity_admin_endpoint.scheme %>
# Complete public Identity API endpoint (string value)
auth_uri=<%= @auth_uri %>
# API version of the admin Identity API endpoint (string
# value)
auth_version=<%= node["openstack"]["orchestration"]["api"]["auth"]["version"] %>
# Do not handle authorization requests within the middleware,
# but delegate the authorization decision to downstream WSGI
# components (boolean value)
#delay_auth_decision=false
# Request timeout value for communicating with Identity API
# server. (boolean value)
#http_connect_timeout=<None>
# How many times are we trying to reconnect when communicating
# with Identity API Server. (integer value)
#http_request_max_retries=3
# Allows to pass in the name of a fake http_handler callback
# function used instead of httplib.HTTPConnection or
# httplib.HTTPSConnection. Useful for unit testing where
# network is not available. (string value)
#http_handler=<None>
# Single shared secret with the Keystone configuration used
# for bootstrapping a Keystone installation, or otherwise
# bypassing the normal authentication process. (string value)
#admin_token=<None>
# Keystone account username (string value)
admin_user=<%= node["openstack"]["orchestration"]["service_user"] %>
# Keystone account password (string value)
admin_password=<%= @service_pass %>
# Keystone service account tenant name to validate user tokens
# (string value)
admin_tenant_name=<%= node["openstack"]["orchestration"]["service_tenant_name"] %>
# Env key for the swift cache (string value)
#cache=<None>
# Required if Keystone server requires client certificate
# (string value)
#certfile=<None>
# Required if Keystone server requires client certificate
# (string value)
#keyfile=<None>
# A PEM encoded Certificate Authority to use when verifying
# HTTPs connections. Defaults to system CAs. (string value)
#cafile=<None>
# Verify HTTPS connections. (boolean value)
#insecure=false
# Directory used to cache files related to PKI tokens (string
# value)
signing_dir=<%= node["openstack"]["orchestration"]["api"]["auth"]["cache_dir"] %>
# If defined, the memcache server(s) to use for caching (list
# value)
#memcached_servers=<None>
# In order to prevent excessive requests and validations, the
# middleware uses an in-memory cache for the tokens the
# Keystone API returns. This is only valid if memcache_servers
# is defined. Set to -1 to disable caching completely.
# (integer value)
#token_cache_time=300
# Value only used for unit testing (integer value)
#revocation_cache_time=1
# (optional) if defined, indicate whether token data should be
# authenticated or authenticated and encrypted. Acceptable
# values are MAC or ENCRYPT. If MAC, token data is
# authenticated (with HMAC) in the cache. If ENCRYPT, token
# data is encrypted and authenticated in the cache. If the
# value is not one of these options or empty, auth_token will
# raise an exception on initialization. (string value)
#memcache_security_strategy=<None>
# (optional, mandatory if memcache_security_strategy is
# defined) this string is used for key derivation. (string
# value)
#memcache_secret_key=<None>
[auth_password]
#
# Options defined in heat.common.config
#
# Allow orchestration of multiple clouds (boolean value)
#multi_cloud=false
# Allowed keystone endpoints for auth_uri when multi_cloud is
# enabled. At least one endpoint needs to be specified. (list
# value)
#allowed_auth_uris=
[matchmaker_ring]
#
# Options defined in heat.openstack.common.rpc.matchmaker_ring
#
# Matchmaker ring file (JSON) (string value)
#ringfile=/etc/oslo/matchmaker_ring.json
[matchmaker_redis]
#
# Options defined in heat.openstack.common.rpc.matchmaker_redis
#
# Host to locate redis (string value)
#host=127.0.0.1
# Use this port to connect to redis host. (integer value)
#port=6379
# Password for Redis server. (optional) (string value)
#password=<None>

View File

@ -0,0 +1,29 @@
<%= node["openstack"]["orchestration"]["custom_template_banner"] %>
{
"deny_stack_user": "not role:heat_stack_user",
"cloudformation:ListStacks": "rule:deny_stack_user",
"cloudformation:CreateStack": "rule:deny_stack_user",
"cloudformation:DescribeStacks": "rule:deny_stack_user",
"cloudformation:DeleteStack": "rule:deny_stack_user",
"cloudformation:UpdateStack": "rule:deny_stack_user",
"cloudformation:DescribeStackEvents": "rule:deny_stack_user",
"cloudformation:ValidateTemplate": "rule:deny_stack_user",
"cloudformation:GetTemplate": "rule:deny_stack_user",
"cloudformation:EstimateTemplateCost": "rule:deny_stack_user",
"cloudformation:DescribeStackResource": "",
"cloudformation:DescribeStackResources": "rule:deny_stack_user",
"cloudformation:ListStackResources": "rule:deny_stack_user",
"cloudwatch:DeleteAlarms": "rule:deny_stack_user",
"cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
"cloudwatch:DescribeAlarms": "rule:deny_stack_user",
"cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user",
"cloudwatch:DisableAlarmActions": "rule:deny_stack_user",
"cloudwatch:EnableAlarmActions": "rule:deny_stack_user",
"cloudwatch:GetMetricStatistics": "rule:deny_stack_user",
"cloudwatch:ListMetrics": "rule:deny_stack_user",
"cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
"cloudwatch:PutMetricData": "",
"cloudwatch:SetAlarmState": "rule:deny_stack_user"
}