diff --git a/adjutant b/adjutant new file mode 100644 index 0000000000..e715e8bbed --- /dev/null +++ b/adjutant @@ -0,0 +1,29 @@ +etc/kolla/passwords.yml +etc/kolla/globals.yml +ansible/group_vars/all.yml +ansible/site.yml +ansible/roles/common/tasks/config.yml +ansible/roles/common/defaults/main.yml +ansible/roles/common/templates/cron-logrotate-adjutant.conf.j2 +ansible/roles/common/templates/conf/filter/01-rewrite-0.14.conf.j2 +ansible/roles/common/templates/conf/filter/01-rewrite-0.12.conf.j2 +ansible/roles/adjutant/tasks/copy-certs.yml +ansible/roles/adjutant/tasks/pull.yml +ansible/roles/adjutant/tasks/check-containers.yml +ansible/roles/adjutant/tasks/precheck.yml +ansible/roles/adjutant/tasks/loadbalancer.yml +ansible/roles/adjutant/tasks/deploy.yml +ansible/roles/adjutant/tasks/register.yml +ansible/roles/adjutant/tasks/bootstrap_service.yml +ansible/roles/adjutant/tasks/config.yml +ansible/roles/adjutant/tasks/stop.yml +ansible/roles/adjutant/tasks/external_ceph.yml +ansible/roles/adjutant/tasks/bootstrap.yml +ansible/roles/adjutant/defaults/main.yml +ansible/roles/adjutant/templates/adjutant-api.json.j2 +ansible/roles/adjutant/templates/wsgi-adjutant.conf.j2 +ansible/roles/adjutant/templates/adjutant.yaml copy.j2 +ansible/roles/adjutant/handlers/main.yml +ansible/roles/adjutant/templates/adjutant.yaml.j2 +ansible/inventory/multinode +ansible/inventory/all-in-one diff --git a/ansible/roles/adjutant/defaults/main.yml b/ansible/roles/adjutant/defaults/main.yml new file mode 100644 index 0000000000..b4026a716b --- /dev/null +++ b/ansible/roles/adjutant/defaults/main.yml 
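Review bot: The new top-level file `adjutant` is a bare list of repository paths with no consumer anywhere in this commit, and it does not even match what the commit adds: it names `ansible/roles/adjutant/templates/adjutant.yaml.j2` while the template actually added is `adjutant.yml.j2`, and it names `adjutant.yaml copy.j2`, a file name containing a space that looks like an editor-generated copy. This reads as a scratch file that should be dropped from the change rather than committed at the repository root.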
@@ -0,0 +1,82 @@ +--- +project_name: "adjutant" + +adjutant_services: + adjutant-api: + container_name: adjutant_api + group: adjutant-api + enabled: true + image: "{{ adjutant_api_image_full }}" + volumes: "{{ adjutant_api_default_volumes + adjutant_api_extra_volumes }}" + dimensions: "{{ adjutant_api_dimensions }}" + haproxy: + adjutant_api: + enabled: "{{ enable_adjutant }}" + mode: "http" + external: false + port: "{{ adjutant_api_listen_port }}" + adjutant_api_external: + enabled: "{{ enable_adjutant }}" + mode: "http" + external: true + port: "{{ adjutant_api_listen_port }}" + +#################### +# Database +#################### +adjutant_database_name: "adjutant" +adjutant_database_user: "{% if use_preconfigured_databases | bool and use_common_mariadb_user | bool %}{{ database_user }}{% else %}adjutant{% endif %}" +adjutant_database_address: "{{ database_address | put_address_in_context('url') }}:{{ database_port }}" + + +#################### +# Docker +#################### +adjutant_install_type: "{{ kolla_install_type }}" +adjutant_tag: "{{ openstack_tag }}" + +adjutant_api_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ adjutant_install_type }}-adjutant-api" +adjutant_api_tag: "{{ adjutant_tag }}" +adjutant_api_image_full: "{{ adjutant_api_image }}:{{ adjutant_api_tag }}" + +adjutant_api_dimensions: "{{ default_container_dimensions }}" + +adjutant_api_default_volumes: + - "{{ node_config_directory }}/adjutant-api/:{{ container_config_directory }}/:ro" + - "/etc/localtime:/etc/localtime:ro" + - "{{ '/etc/timezone:/etc/timezone:ro' if kolla_base_distro in ['debian', 'ubuntu'] else '' }}" + - "kolla_logs:/var/log/kolla/" + +adjutant_extra_volumes: "{{ default_extra_volumes }}" +adjutant_api_extra_volumes: "{{ adjutant_extra_volumes }}" + +#################### +# OpenStack +#################### +adjutant_admin_endpoint: "{{ admin_protocol }}://{{ adjutant_internal_fqdn | 
put_address_in_context('url') }}:{{ adjutant_api_port }}" +adjutant_internal_endpoint: "{{ internal_protocol }}://{{ adjutant_internal_fqdn | put_address_in_context('url') }}:{{ adjutant_api_port }}" +adjutant_public_endpoint: "{{ public_protocol }}://{{ adjutant_external_fqdn | put_address_in_context('url') }}:{{ adjutant_api_port }}" + +adjutant_logging_debug: "{{ openstack_logging_debug }}" + +adjutant_keystone_user: "adjutant" + +openstack_adjutant_auth: "{{ openstack_auth }}" + +#################### +# Keystone +#################### +adjutant_ks_services: + - name: "adjutant" + type: "registration" + description: "OpenStack Registration Service" + endpoints: + - {'interface': 'admin', 'url': '{{ adjutant_admin_endpoint }}/v1'} + - {'interface': 'internal', 'url': '{{ adjutant_internal_endpoint }}/v1'} + - {'interface': 'public', 'url': '{{ adjutant_public_endpoint }}/v1'} + +adjutant_ks_users: + - project: "service" + user: "{{ adjutant_keystone_user }}" + password: "{{ adjutant_keystone_password }}" + role: "admin" diff --git a/ansible/roles/adjutant/handlers/main.yml b/ansible/roles/adjutant/handlers/main.yml new file mode 100644 index 0000000000..e028302f0d --- /dev/null +++ b/ansible/roles/adjutant/handlers/main.yml @@ -0,0 +1,15 @@ +--- +- name: Restart adjutant-api container + vars: + service_name: "adjutant-api" + service: "{{ adjutant_services[service_name] }}" + become: true + kolla_docker: + action: "recreate_or_restart_container" + common_options: "{{ docker_common_options }}" + name: "{{ service.container_name }}" + image: "{{ service.image }}" + volumes: "{{ service.volumes }}" + dimensions: "{{ service.dimensions }}" + when: + - kolla_action != "config" diff --git a/ansible/roles/adjutant/meta/main.yml b/ansible/roles/adjutant/meta/main.yml new file mode 100644 index 0000000000..6b4fff8fef --- /dev/null +++ b/ansible/roles/adjutant/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - { role: common } 
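Review bot: The two haproxy entries under `adjutant_services` bind `port` to `adjutant_api_listen_port`, while `adjutant_admin_endpoint`, `adjutant_internal_endpoint` and `adjutant_public_endpoint` are built from `adjutant_api_port`; if those two variables are ever given different values, the Keystone endpoints will point at a port haproxy does not front. The usual kolla shape is `port: "{{ adjutant_api_port }}"` for the frontend plus `listen_port: "{{ adjutant_api_listen_port }}"` for the backend, assuming the haproxy-config role in this tree honours `listen_port`. Neither variable, nor `enable_adjutant`, `adjutant_internal_fqdn` or `adjutant_external_fqdn`, is defined in this defaults file, so they presumably come from `ansible/group_vars/all.yml`, which is not among the hunks shown.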
diff --git a/ansible/roles/adjutant/tasks/bootstrap.yml b/ansible/roles/adjutant/tasks/bootstrap.yml new file mode 100644 index 0000000000..61ff9a6de4 --- /dev/null +++ b/ansible/roles/adjutant/tasks/bootstrap.yml @@ -0,0 +1,36 @@ +--- +- name: Creating adjutant database + become: true + kolla_toolbox: + module_name: mysql_db + module_args: + login_host: "{{ database_address }}" + login_port: "{{ database_port }}" + login_user: "{{ database_user }}" + login_password: "{{ database_password }}" + name: "{{ adjutant_database_name }}" + run_once: True + delegate_to: "{{ groups['adjutant-api'][0] }}" + when: + - not use_preconfigured_databases | bool + +- name: Creating adjutant database user and setting permissions + become: true + kolla_toolbox: + module_name: mysql_user + module_args: + login_host: "{{ database_address }}" + login_port: "{{ database_port }}" + login_user: "{{ database_user }}" + login_password: "{{ database_password }}" + name: "{{ adjutant_database_user }}" + password: "{{ adjutant_database_password }}" + host: "%" + priv: "{{ adjutant_database_name }}.*:ALL" + append_privs: "yes" + run_once: True + delegate_to: "{{ groups['adjutant-api'][0] }}" + when: + - not use_preconfigured_databases | bool + +- include_tasks: bootstrap_service.yml diff --git a/ansible/roles/adjutant/tasks/bootstrap_service.yml b/ansible/roles/adjutant/tasks/bootstrap_service.yml new file mode 100644 index 0000000000..5caa777bd6 --- /dev/null +++ b/ansible/roles/adjutant/tasks/bootstrap_service.yml 
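Review bot: Both tasks in bootstrap.yml mix `run_once: True` and `append_privs: "yes"` with the lowercase `become: true` on the same task, so the file uses three spellings for a boolean; yamllint's truthy rule flags the capitalised and `yes` forms. Writing `run_once: true` and `append_privs: true` keeps the file consistent with the rest of the role and avoids relying on YAML 1.1 truthy coercion.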
@@ -0,0 +1,20 @@ +--- +- name: Running adjutant bootstrap container + vars: + adjutant_api: "{{ adjutant_services['adjutant-api'] }}" + become: true + kolla_docker: + action: "start_container" + common_options: "{{ docker_common_options }}" + detach: False + environment: + KOLLA_BOOTSTRAP: + KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}" + image: "{{ adjutant_api.image }}" + labels: + BOOTSTRAP: + name: "bootstrap_adjutant" + restart_policy: no + volumes: "{{ adjutant_api.volumes }}" + run_once: True + delegate_to: "{{ groups[adjutant_api.group][0] }}" diff --git a/ansible/roles/adjutant/tasks/check-containers.yml b/ansible/roles/adjutant/tasks/check-containers.yml new file mode 100644 index 0000000000..f334a578ad --- /dev/null +++ b/ansible/roles/adjutant/tasks/check-containers.yml @@ -0,0 +1,16 @@ +--- +- name: Check adjutant containers + become: true + kolla_docker: + action: "compare_container" + common_options: "{{ docker_common_options }}" + name: "{{ item.value.container_name }}" + image: "{{ item.value.image }}" + volumes: "{{ item.value.volumes }}" + dimensions: "{{ item.value.dimensions }}" + when: + - inventory_hostname in groups[item.value.group] + - item.value.enabled | bool + with_dict: "{{ adjutant_services }}" + notify: + - "Restart {{ item.key }} container" diff --git a/ansible/roles/adjutant/tasks/check.yml b/ansible/roles/adjutant/tasks/check.yml new file mode 100644 index 0000000000..ed97d539c0 --- /dev/null +++ b/ansible/roles/adjutant/tasks/check.yml @@ -0,0 +1 @@ +--- diff --git a/ansible/roles/adjutant/tasks/config.yml b/ansible/roles/adjutant/tasks/config.yml new file mode 100644 index 0000000000..6dc01a6ab6 --- /dev/null +++ b/ansible/roles/adjutant/tasks/config.yml 
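Review bot: `restart_policy: no` in the bootstrap container task is an unquoted YAML 1.1 boolean, so Ansible hands the module a `False` value rather than the string `no`; write `restart_policy: "no"` to make the intended string explicit. `KOLLA_BOOTSTRAP:` and `BOOTSTRAP:` are deliberately valueless as in other kolla roles, but `detach: False` and `run_once: True` again mix capitalised booleans with `become: true`, so `true`/`false` throughout would be the consistent choice.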
@@ -0,0 +1,107 @@ +--- +- name: Ensuring config directories exist + file: + path: "{{ node_config_directory }}/{{ item.key }}" + state: "directory" + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true + when: + - inventory_hostname in groups[item.value.group] + - item.value.enabled | bool + with_dict: "{{ adjutant_services }}" + +- name: Check if policies shall be overwritten + stat: + path: "{{ item }}" + delegate_to: localhost + run_once: True + register: adjutant_policy + with_first_found: + - files: "{{ supported_policy_format_list }}" + paths: + - "{{ node_custom_config }}/adjutant/" + skip: true + +- name: Set adjutant policy file + set_fact: + adjutant_policy_file: "{{ adjutant_policy.results.0.stat.path | basename }}" + adjutant_policy_file_path: "{{ adjutant_policy.results.0.stat.path }}" + when: + - adjutant_policy.results + +- include_tasks: copy-certs.yml + when: + - kolla_copy_ca_into_containers | bool + +- name: Copying over config.json files for services + template: + src: "{{ item.key }}.json.j2" + dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + with_dict: "{{ adjutant_services }}" + notify: + - Restart {{ item.key }} container + +- name: Copying over adjutant.yaml + vars: + service: "{{ adjutant_services['adjutant-api'] }}" + # NOTE(dszumski): We can't use merge_yaml since it replaces empty values + # with `null`. This breaks the thresholder config file parsing (which should + # probably be more robust). 
+ template: + src: "{{ item }}" + dest: "{{ node_config_directory }}/adjutant-api/adjutant.yaml" + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0644" + become: true + with_first_found: + - "{{ node_custom_config }}/adjutant.yaml" + - "{{ node_custom_config }}/adjutant/{{ item.key }}.conf" + - "{{ node_custom_config }}/adjutant/{{ inventory_hostname }}/adjutant.yaml" + - "{{ role_path }}/templates/adjutant.yml.j2" + when: + - inventory_hostname in groups['adjutant-api'] + - service.enabled | bool + notify: + - Restart adjutant-api container + + +- name: Copying over wsgi-adjutant.conf + vars: + service: "{{ adjutant_services['adjutant-api'] }}" + template: + src: "wsgi-adjutant.conf.j2" + dest: "{{ node_config_directory }}/{{ item }}/wsgi-adjutant.conf" + mode: "0660" + become: true + when: + - inventory_hostname in groups['adjutant-api'] + - service.enabled | bool + with_items: + - "adjutant-api" + notify: + - Restart adjutant-api container + +- name: Copying over existing policy file + template: + src: "{{ adjutant_policy_file_path }}" + dest: "{{ node_config_directory }}/{{ item.key }}/{{ adjutant_policy_file }}" + mode: "0660" + become: true + when: + - adjutant_policy_file is defined + - inventory_hostname in groups[item.value.group] + - item.value.enabled | bool + with_dict: "{{ adjutant_services }}" + notify: + - Restart {{ item.key }} container + +- include_tasks: check-containers.yml + when: kolla_action != "config" diff --git a/ansible/roles/adjutant/tasks/copy-certs.yml b/ansible/roles/adjutant/tasks/copy-certs.yml new file mode 100644 index 0000000000..482dfdfe22 --- /dev/null +++ b/ansible/roles/adjutant/tasks/copy-certs.yml @@ -0,0 +1,6 @@ +--- +- name: "Copy certificates and keys for {{ project_name }}" + import_role: + role: service-cert-copy + vars: + project_services: "{{ adjutant_services }}" 
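Review bot: The `with_first_found` list in the "Copying over adjutant.yaml" task references `{{ item.key }}` in its second entry, but `item` is the loop variable that this lookup itself produces and the task is not a `with_dict` loop, so that path can never resolve; it looks copied from the `with_dict` tasks above and should be dropped or replaced by `"{{ node_custom_config }}/adjutant/adjutant.yaml"`. The same task writes the rendered file with `mode: "0644"` although `adjutant.yml.j2` renders the Django `secret_key`, the database password and the Keystone password into it, while every sibling task in this file uses `mode: "0660"`; use `"0660"` here too. The `NOTE(dszumski)` comment about `merge_yaml` and the "thresholder config file" describes a different service and should be rewritten to say why a plain `template` is used here, or removed.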
diff --git a/ansible/roles/adjutant/tasks/deploy-containers.yml b/ansible/roles/adjutant/tasks/deploy-containers.yml new file mode 100644 index 0000000000..eb24ab5c7a --- /dev/null +++ b/ansible/roles/adjutant/tasks/deploy-containers.yml @@ -0,0 +1,2 @@ +--- +- import_tasks: check-containers.yml diff --git a/ansible/roles/adjutant/tasks/deploy.yml b/ansible/roles/adjutant/tasks/deploy.yml new file mode 100644 index 0000000000..48dca0f84d --- /dev/null +++ b/ansible/roles/adjutant/tasks/deploy.yml @@ -0,0 +1,12 @@ +--- +- include_tasks: register.yml + when: inventory_hostname in groups['adjutant-api'] + +- include_tasks: config.yml + when: inventory_hostname in groups['adjutant-api'] + +- include_tasks: bootstrap.yml + when: inventory_hostname in groups['adjutant-api'] + +- name: Flush handlers + meta: flush_handlers diff --git a/ansible/roles/adjutant/tasks/external_ceph.yml b/ansible/roles/adjutant/tasks/external_ceph.yml new file mode 100644 index 0000000000..677d6ca120 --- /dev/null +++ b/ansible/roles/adjutant/tasks/external_ceph.yml 
@@ -0,0 +1,35 @@ +--- +- name: Copy over ceph.conf file + template: + src: "{{ node_custom_config }}/adjutant/ceph.conf" + dest: "{{ node_config_directory }}/{{ item }}/ceph.conf" + mode: "0660" + become: true + when: inventory_hostname in groups[item] + with_items: + - "adjutant-api" + notify: + - Restart {{ item }} container + +- name: Copy over ceph adjutant keyring + copy: + src: "{{ node_custom_config }}/adjutant/{{ ceph_adjutant_keyring }}" + dest: "{{ node_config_directory }}/{{ item }}/{{ ceph_adjutant_keyring }}" + mode: "0660" + become: true + when: inventory_hostname in groups[item] + with_items: + - "adjutant-api" + notify: + - Restart {{ item }} container + +- name: Ensuring config directory has correct owner and permission + become: true + file: + path: "{{ node_config_directory }}/{{ item }}" + recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + when: inventory_hostname in groups[item] + with_items: + - "adjutant-api" diff --git a/ansible/roles/adjutant/tasks/loadbalancer.yml b/ansible/roles/adjutant/tasks/loadbalancer.yml new file mode 100644 index 0000000000..31e88a9fac --- /dev/null +++ b/ansible/roles/adjutant/tasks/loadbalancer.yml @@ -0,0 +1,7 @@ +--- +- name: "Configure haproxy for {{ project_name }}" + import_role: + name: haproxy-config + vars: + project_services: "{{ adjutant_services }}" + tags: always diff --git a/ansible/roles/adjutant/tasks/main.yml b/ansible/roles/adjutant/tasks/main.yml new file mode 100644 index 0000000000..bc5d1e6257 --- /dev/null +++ b/ansible/roles/adjutant/tasks/main.yml @@ -0,0 +1,2 @@ +--- +- include_tasks: "{{ kolla_action }}.yml" diff --git a/ansible/roles/adjutant/tasks/precheck.yml b/ansible/roles/adjutant/tasks/precheck.yml new file mode 100644 index 0000000000..87f10ee1fe --- /dev/null +++ b/ansible/roles/adjutant/tasks/precheck.yml 
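Review bot: Nothing in this role includes `external_ceph.yml` (deploy.yml only includes register, config and bootstrap), and the defaults added by this commit define no `ceph_adjutant_keyring` or any Ceph-backed storage, so this file appears carried over from another role. Unless Adjutant actually needs a Ceph keyring copied into the container, the file should be removed from the commit; if it stays, `recurse: yes` should be written `recurse: true` and the tasks should be guarded by a variable that says Ceph is in use.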
@@ -0,0 +1,24 @@ +--- +- import_role: + name: service-precheck + vars: + service_precheck_services: "{{ adjutant_services }}" + service_name: "{{ project_name }}" + +- name: Get container facts + become: true + kolla_container_facts: + name: + - adjutant_api + register: container_facts + +- name: Checking free port for adjutant API + wait_for: + host: "{{ api_interface_address }}" + port: "{{ adjutant_api_listen_port }}" + connect_timeout: 1 + timeout: 1 + state: stopped + when: + - container_facts['adjutant_api'] is not defined + - inventory_hostname in groups['adjutant-api'] diff --git a/ansible/roles/adjutant/tasks/pull.yml b/ansible/roles/adjutant/tasks/pull.yml new file mode 100644 index 0000000000..78878bf0f2 --- /dev/null +++ b/ansible/roles/adjutant/tasks/pull.yml @@ -0,0 +1,11 @@ +--- +- name: Pulling adjutant images + become: true + kolla_docker: + action: "pull_image" + common_options: "{{ docker_common_options }}" + image: "{{ item.value.image }}" + when: + - inventory_hostname in groups[item.value.group] + - item.value.enabled | bool + with_dict: "{{ adjutant_services }}" diff --git a/ansible/roles/adjutant/tasks/reconfigure.yml b/ansible/roles/adjutant/tasks/reconfigure.yml new file mode 100644 index 0000000000..f670a5b78d --- /dev/null +++ b/ansible/roles/adjutant/tasks/reconfigure.yml @@ -0,0 +1,2 @@ +--- +- include_tasks: deploy.yml diff --git a/ansible/roles/adjutant/tasks/register.yml b/ansible/roles/adjutant/tasks/register.yml new file mode 100644 index 0000000000..a7dd832f99 --- /dev/null +++ b/ansible/roles/adjutant/tasks/register.yml @@ -0,0 +1,8 @@ +--- +- import_role: + name: service-ks-register + vars: + service_ks_register_auth: "{{ openstack_adjutant_auth }}" + service_ks_register_services: "{{ adjutant_ks_services }}" + service_ks_register_users: "{{ adjutant_ks_users }}" + tags: always diff --git a/ansible/roles/adjutant/tasks/stop.yml b/ansible/roles/adjutant/tasks/stop.yml new file mode 100644 index 0000000000..94c692c546 
--- /dev/null +++ b/ansible/roles/adjutant/tasks/stop.yml @@ -0,0 +1,6 @@ +--- +- import_role: + name: service-stop + vars: + project_services: "{{ adjutant_services }}" + service_name: "{{ project_name }}" diff --git a/ansible/roles/adjutant/tasks/upgrade.yml b/ansible/roles/adjutant/tasks/upgrade.yml new file mode 100644 index 0000000000..20ccddc8f1 --- /dev/null +++ b/ansible/roles/adjutant/tasks/upgrade.yml @@ -0,0 +1,7 @@ +--- +- include_tasks: config.yml + +- include_tasks: bootstrap_service.yml + +- name: Flush handlers + meta: flush_handlers diff --git a/ansible/roles/adjutant/templates/adjutant-api.json.j2 b/ansible/roles/adjutant/templates/adjutant-api.json.j2 new file mode 100644 index 0000000000..567648c1ef --- /dev/null +++ b/ansible/roles/adjutant/templates/adjutant-api.json.j2 @@ -0,0 +1,36 @@ +{% set adjutant_cmd = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %} +{% set adjutant_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %} +{ + "command": "{{ adjutant_cmd }} -DFOREGROUND", + "config_files": [ + { + "source": "{{ container_config_directory }}/adjutant.yaml", + "dest": "/etc/adjutant/adjutant.yaml", + "owner": "adjutant", + "perm": "0644" + }, + { + "source": "{{ container_config_directory }}/wsgi-adjutant.conf", + "dest": "/etc/{{ adjutant_dir }}/wsgi-adjutant.conf", + "owner": "adjutant", + "perm": "0600" + }{% if adjutant_policy_file is defined %}, + { + "source": "{{ container_config_directory }}/{{ adjutant_policy_file }}", + "dest": "/etc/adjutant/{{ adjutant_policy_file }}", + "owner": "adjutant", + "perm": "0600" + }{% endif %} + + ], + "permissions": [ + { + "path": "/var/lib/adjutant", + "owner": "adjutant:adjutant" + }, + { + "path": "/var/log/kolla/adjutant", + "owner": "adjutant:kolla" + } + ] +} 
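Review bot: The `config_files` entry for `adjutant.yaml` installs the file with `"perm": "0644"` even though the template it is rendered from (`adjutant.yml.j2`) writes the Django `secret_key`, the database password and the Keystone service password into it; the neighbouring `wsgi-adjutant.conf` and policy-file entries already use `"0600"`. Change the entry to `"perm": "0600"` so the secrets are readable only by the `adjutant` owner inside the container.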
diff --git a/ansible/roles/adjutant/templates/adjutant.yaml copy.j2 b/ansible/roles/adjutant/templates/adjutant.yaml copy.j2 new file mode 100644 index 0000000000..28ad357b8d --- /dev/null +++ b/ansible/roles/adjutant/templates/adjutant.yaml copy.j2 
@@ -0,0 +1,93 @@ +[DEFAULT] +debug = {{ adjutant_logging_debug }} + +log_dir = /var/log/kolla/adjutant + +{% if enable_redis | bool %} +coordination_url = {{ redis_connection_string }} +{% endif %} + +{% if service_name == 'adjutant-api' %} +# Force adjutant-api.log or will use app.wsgi +log_file = /var/log/kolla/adjutant/adjutant-api.log +{% endif %} + +[api] +port = {{ adjutant_api_listen_port }} +host = {{ api_interface_address }} +middlewares = keystonemiddleware.auth_token.AuthProtocol +auth_mode = keystone + +[oslo_middleware] +enable_proxy_headers_parsing = True + +[database] +connection = mysql+pymysql://{{ adjutant_database_user }}:{{ adjutant_database_password }}@{{ adjutant_database_address }}/{{ adjutant_database_name }} +max_pool_size = 50 +max_overflow = 1000 +max_retries = -1 + +{% if enable_adjutant_statsd | bool %} +[statsd] +resource_id = {{ adjutant_resource_id }} +user_id = {{ adjutant_user_id }} +project_id = {{ adjutant_project_id }} +archive_policy_name = low +flush_delay = 10 +{% endif %} + +[metricd] +workers = {{ adjutant_metricd_workers }} + +[indexer] +url = mysql+pymysql://{{ adjutant_database_user }}:{{ adjutant_database_password }}@{{ adjutant_database_address }}/{{ adjutant_database_name }} + +[keystone_authtoken] +www_authenticate_uri = {{ keystone_internal_url }}/v3 +project_domain_id = {{ default_project_domain_id }} +project_name = service +user_domain_id = {{ default_user_domain_id }} +username = {{ adjutant_keystone_user }} +password = {{ adjutant_keystone_password }} +auth_url = {{ keystone_admin_url }} +auth_type = password +cafile = {{ openstack_cacert }} + +memcache_security_strategy = ENCRYPT +memcache_secret_key = {{ memcache_secret_key }} +memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %} + +{% if adjutant_policy_file is defined %} +[oslo_policy] +policy_file = {{ 
adjutant_policy_file }} +{% endif %} + +[incoming] +{% if adjutant_incoming_storage == 'redis' %} +driver = redis +redis_url = {{ redis_connection_string }} +{% endif %} + +[storage] +{% if adjutant_backend_storage == 'file' %} +driver = file +file_basepath = /var/lib/adjutant +{% elif adjutant_backend_storage == 'ceph' %} +driver = ceph +ceph_pool = {{ ceph_adjutant_pool_name }} +ceph_username = {{ ceph_adjutant_user }} +ceph_keyring = {{ ceph_adjutant_keyring }} +ceph_conffile = /etc/ceph/ceph.conf +{% elif adjutant_backend_storage == 'swift' %} +driver = swift +swift_authurl = {{ keystone_internal_url }}/v3 +swift_auth_version = 3 +swift_user = service:{{ swift_keystone_user }} +swift_key = {{ swift_keystone_password }} +swift_project_name = {{ swift_admin_tenant_name }} +{% endif %} + +{% if enable_grafana | bool %} +[cors] +allowed_origin = {{ public_protocol }}://{{ kolla_external_fqdn | put_address_in_context('url') }}:{{ grafana_server_port }} +{% endif %} diff --git a/ansible/roles/adjutant/templates/adjutant.yml.j2 b/ansible/roles/adjutant/templates/adjutant.yml.j2 new file mode 100644 index 0000000000..08eaf6bbe6 --- /dev/null +++ b/ansible/roles/adjutant/templates/adjutant.yml.j2 
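Review bot: This template is an oslo-style INI file with `[metricd]`, `[indexer]`, `[storage]` and `[statsd]` sections, which looks like another service's configuration with its name replaced by `adjutant`, and nothing in the role renders it (config.yml falls back to `adjutant.yml.j2`); the space in the file name `adjutant.yaml copy.j2` also suggests a stray editor copy. It references variables such as `adjutant_metricd_workers`, `adjutant_backend_storage`, `adjutant_incoming_storage` and `ceph_adjutant_pool_name` that the role defaults in this commit do not define, and it embeds the database and Keystone passwords in plain text. Remove it from the commit rather than shipping an unused template that carries secrets.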
@@ -0,0 +1,785 @@ +django: + # String + # The Django secret key. + secret_key: {{ adjutant_secret_key }} + # Boolean + # Django debug mode is turned on. + debug: False + # List + # The Django allowed hosts + allowed_hosts: + - '*' + # String + # The header representing a HTTP header/value combination that signifies a request is secure. + secure_proxy_ssl_header: HTTP_X_FORWARDED_PROTO + # String + # The value representing a HTTP header/value combination that signifies a request is secure. + secure_proxy_ssl_header_value: https + # Dict + # Django databases config. + databases: + default: + ENGINE: django.db.backends.mysql + NAME: {{ adjutant_database_name }} + USER: {{ adjutant_database_user }} + PASSWORD: {{ adjutant_database_password }} + HOST: {{ database_address }} + # Dict + # A full override of the Django logging config for more customised logging. + # logging: + # String + # The name and location of the Adjutant log file, superceded by 'adjutant.django.logging'. + log_file: /var/log/kolla/adjutant/adjutant-api.log + email: + # String + # Django email backend to use. + email_backend: django.core.mail.backends.console.EmailBackend + # Integer + # Email backend timeout. + # timeout: + # Hostname + # Email backend server location. + # host: + # Port + # Email backend server port. + # port: + # String + # Email backend user. + # host_user: + # String + # Email backend user password. + # host_password: + # Boolean + # Whether to use TLS for email. Mutually exclusive with 'use_ssl'. + use_tls: False + # Boolean + # Whether to use SSL for email. Mutually exclusive with 'use_tls'. + use_ssl: False + +identity: + # Integer + # Cache time for Keystone Tokens in the Keystone Middleware. + token_cache_time: -1 + # Boolean + # Is Adjutant allowed (or able) to edit users in Keystone. + can_edit_users: True + # Boolean + # Should Adjutant assume and treat all usernames as emails. 
+ username_is_email: True + # Dict + # A mapping from held role to roles it is allowed to manage. + role_mapping: + admin: + - project_admin + - project_mod + - heat_stack_owner + - member + project_admin: + - project_admin + - project_mod + - heat_stack_owner + - member + project_mod: + - project_mod + - heat_stack_owner + - member + auth: + # String + # Username for Adjutant Keystone admin user. + username: {{ adjutant_keystone_user }} + # String + # Password for Adjutant Keystone admin user. + password: {{ adjutant_keystone_password }} + # String + # Project name for Adjutant Keystone admin user. + project_name: service + # String + # Project domain id for Adjutant Keystone admin user. + project_domain_id: {{ default_project_domain_id }} + # String + # User domain id for Adjutant Keystone admin user. + user_domain_id: {{ default_user_domain_id }} + # URI + # Keystone auth url that Adjutant will use. + auth_url: {{ keystone_internal_url }}/v3 + +api: + # List + # List of Active Delegate APIs. + active_delegate_apis: + - UserRoles + - UserDetail + - UserResetPassword + - UserList + - RoleList + - SignUp + delegate_apis: + CreateProjectAndUser: + # String + # Default region in which any potential resources may be created. + default_region: RegionOne + # String + # Domain in which project and users will be created. + default_domain_id: default + # String + # Parent id under which this project will be created. Default is None, and will create under default domain. + # default_parent_id: + UserList: + # List + # Users with any of these roles will be hidden from the user list. + blacklisted_roles: + - admin + UserDetail: + # List + # User with these roles will return not found. + blacklisted_roles: + - admin + UserRoles: + # List + # User with these roles will return not found. + blacklisted_roles: + - admin + SignUp: + # String + # Default region in which any potential resources may be created. 
+ default_region: RegionOne + # String + # Domain in which project and users will be created. + default_domain_id: default + # String + # Parent id under which this project will be created. Default is None, and will create under default domain. + # default_parent_id: + +notifications: + handler_defaults: + EmailNotification: + # List + # List of email addresses to send this notification to. + # emails: + # String + # From email for this notification. + from: bounce+%(task_uuid)s@example.com + # String + # Reply-to email for this notification. + reply: no-reply@example.com + # String + # Email template for this notification. No template will cause the email not to send. + template: notification.txt + # String + # Email html template for this notification. + # html_template: + +workflow: + # URI + # The base Horizon url for Adjutant to use when producing links to Horizon. + horizon_url: https://{{ kolla_internal_vip_address }} + # Integer + # The default token expiry time for Task tokens. 
+ default_token_expiry: 86400 + task_defaults: + emails: + initial: + # String + # Default email subject for this stage + subject: Task Confirmation + # String + # Default from email for this stage + from: bounce+%(task_uuid)s@example.com + # String + # Default reply-to email for this stage + reply: no-reply@example.com + # String + # Default email template for this stage + template: initial.txt + # String + # Default email html template for this stage + # html_template: + token: + # String + # Default email subject for this stage + subject: Task Token + # String + # Default from email for this stage + from: bounce+%(task_uuid)s@example.com + # String + # Default reply-to email for this stage + reply: no-reply@example.com + # String + # Default email template for this stage + template: token.txt + # String + # Default email html template for this stage + # html_template: + completed: + # String + # Default email subject for this stage + subject: Task Completed + # String + # Default from email for this stage + from: bounce+%(task_uuid)s@example.com + # String + # Default reply-to email for this stage + reply: no-reply@example.com + # String + # Default email template for this stage + template: completed.txt + # String + # Default email html template for this stage + # html_template: + notifications: + # List + # Handlers to use for standard notifications. + standard_handlers: + - EmailNotification + # List + # Handlers to use for error notifications. + error_handlers: + - EmailNotification + # Dict + # Settings for standard notification handlers. + # standard_handler_config: + # Dict + # Settings for error notification handlers. + # error_handler_config: + # List + # Error types which are safe to acknowledge automatically. + safe_errors: + - SMTPException + action_defaults: + NewProjectWithUserAction: + # List + # Roles to be given on project for the user. 
+ default_roles:
+ - member
+ - project_admin
+ NewProjectAction:
+ # List
+ # Roles to be given on project to the creating user.
+ default_roles:
+ - member
+ - project_admin
+ AddDefaultUsersToProjectAction:
+ # List
+ # Users which this action should add to the project.
+ # default_users:
+ # List
+ # Roles which those users should get.
+ # default_roles:
+ NewDefaultNetworkAction:
+ region_defaults:
+ # String
+ # Name to be given to the default network.
+ network_name: default_network
+ # String
+ # Name to be given to the default subnet.
+ subnet_name: default_subnet
+ # String
+ # Name to be given to the default router.
+ router_name: default_router
+ # String
+ # ID of the public network.
+ # public_network:
+ # String
+ # CIDR for the default subnet.
+ # subnet_cidr:
+ # List
+ # DNS nameservers for the subnet.
+ # dns_nameservers:
+ # Dict
+ # Specific per region config for default network. See 'region_defaults'.
+ # regions:
+ NewProjectDefaultNetworkAction:
+ region_defaults:
+ # String
+ # Name to be given to the default network.
+ network_name: default_network
+ # String
+ # Name to be given to the default subnet.
+ subnet_name: default_subnet
+ # String
+ # Name to be given to the default router.
+ router_name: default_router
+ # String
+ # ID of the public network.
+ # public_network:
+ # String
+ # CIDR for the default subnet.
+ # subnet_cidr:
+ # List
+ # DNS nameservers for the subnet.
+ # dns_nameservers:
+ # Dict
+ # Specific per region config for default network. See 'region_defaults'.
+ # regions:
+ SetProjectQuotaAction:
+ # Float
+ # Precentage different allowed when matching quota sizes.
+ size_difference_threshold: 0.1
+ # Integer
+ # The allowed number of days between auto approved quota changes.
+ days_between_autoapprove: 30
+ # Dict
+ # Which quota size to use for which region.
+ region_sizes:
+ RegionOne: small
+ UpdateProjectQuotasAction:
+ # Float
+ # Precentage different allowed when matching quota sizes.
+ size_difference_threshold: 0.1
+ # Integer
+ # The allowed number of days between auto approved quota changes.
+ days_between_autoapprove: 30
+ ResetUserPasswordAction:
+ # List
+ # Users with these roles cannot reset their passwords.
+ blacklisted_roles:
+ - admin
+ SendAdditionalEmailAction:
+ prepare:
+ # String
+ # Email subject for this stage.
+ subject: Openstack Email Notification
+ # String
+ # From email for this stage.
+ from: bounce+%(task_uuid)s@example.com
+ # String
+ # Reply-to email for this stage.
+ reply: no-reply@example.com
+ # String
+ # Email template for this stage. No template will cause the email not to send.
+ # template:
+ # String
+ # Email html template for this stage. No template will cause the email not to send.
+ # html_template:
+ # Boolean
+ # Email the user who started the task.
+ email_current_user: False
+ # Boolean
+ # Send to an email set in the task cache.
+ email_task_cache: False
+ # List
+ # Send emails to the given roles on the project.
+ # email_roles:
+ # List
+ # Send emails to an arbitrary admin emails
+ # email_additional_addresses:
+ approve:
+ # String
+ # Email subject for this stage.
+ subject: Openstack Email Notification
+ # String
+ # From email for this stage.
+ from: bounce+%(task_uuid)s@example.com
+ # String
+ # Reply-to email for this stage.
+ reply: no-reply@example.com
+ # String
+ # Email template for this stage. No template will cause the email not to send.
+ # template:
+ # String
+ # Email html template for this stage. No template will cause the email not to send.
+ # html_template:
+ # Boolean
+ # Email the user who started the task.
+ email_current_user: False
+ # Boolean
+ # Send to an email set in the task cache.
+ email_task_cache: False
+ # List
+ # Send emails to the given roles on the project.
+ # email_roles:
+ # List
+ # Send emails to an arbitrary admin emails
+ # email_additional_addresses:
+ submit:
+ # String
+ # Email subject for this stage.
+ subject: Openstack Email Notification
+ # String
+ # From email for this stage.
+ from: bounce+%(task_uuid)s@example.com
+ # String
+ # Reply-to email for this stage.
+ reply: no-reply@example.com
+ # String
+ # Email template for this stage. No template will cause the email not to send.
+ # template:
+ # String
+ # Email html template for this stage. No template will cause the email not to send.
+ # html_template:
+ # Boolean
+ # Email the user who started the task.
+ email_current_user: False
+ # Boolean
+ # Send to an email set in the task cache.
+ email_task_cache: False
+ # List
+ # Send emails to the given roles on the project.
+ # email_roles:
+ # List
+ # Send emails to an arbitrary admin emails
+ # email_additional_addresses:
+ tasks:
+ create_project_and_user:
+ # Boolean
+ # Override if this task allows auto_approval. Otherwise uses task default.
+ allow_auto_approve: True
+ # List
+ # Additional actions to be run as part of the task after default actions.
+ # additional_actions:
+ # Integer
+ # Override for the task token expiry. Otherwise uses task default.
+ # token_expiry:
+ # Dict
+ # Action config overrides over the action defaults. See 'adjutant.workflow.action_defaults'.
+ actions:
+ SomeCustomAction:
+ some_action_setting:
+ # Dict
+ # Email config overrides for this task over task defaults.See 'adjutant.workflow.emails'.
+ emails:
+ completed:
+ subject: signup completed
+ template: create_project_and_user_completed.txt
+ initial:
+ subject: signup received
+ template: create_project_and_user_initial.txt
+ token:
+ subject: signup approved
+ template: create_project_and_user_token.txt
+ # Dict
+ # Notification config overrides for this task over task defaults.See 'adjutant.workflow.notifications'.
+ notifications:
+ error_handler_config:
+ EmailNotification:
+ emails:
+ - example@example.com
+ reply: no-reply@example.com
+ error_handlers:
+ - EmailNotification
+ standard_handler_config:
+ EmailNotification:
+ emails:
+ - example@example.com
+ reply: no-reply@example.com
+ standard_handlers:
+ - EmailNotification
+ edit_user_roles:
+ # Boolean
+ # Override if this task allows auto_approval. Otherwise uses task default.
+ allow_auto_approve: True
+ # List
+ # Additional actions to be run as part of the task after default actions.
+ # additional_actions:
+ # Integer
+ # Override for the task token expiry. Otherwise uses task default.
+ # token_expiry:
+ # Dict
+ # Action config overrides over the action defaults. See 'adjutant.workflow.action_defaults'.
+ actions:
+ SomeCustomAction:
+ some_action_setting:
+ # Dict
+ # Email config overrides for this task over task defaults.See 'adjutant.workflow.emails'.
+ emails:
+ completed: null
+ initial: null
+ token: null
+ # Dict
+ # Notification config overrides for this task over task defaults.See 'adjutant.workflow.notifications'.
+ notifications:
+ error_handler_config:
+ EmailNotification:
+ emails:
+ - example@example.com
+ reply: no-reply@example.com
+ error_handlers:
+ - EmailNotification
+ standard_handler_config:
+ EmailNotification:
+ emails:
+ - example@example.com
+ reply: no-reply@example.com
+ standard_handlers:
+ - EmailNotification
+ invite_user_to_project:
+ # Boolean
+ # Override if this task allows auto_approval. Otherwise uses task default.
+ allow_auto_approve: True
+ # List
+ # Additional actions to be run as part of the task after default actions.
+ # additional_actions:
+ # Integer
+ # Override for the task token expiry. Otherwise uses task default.
+ # token_expiry:
+ # Dict
+ # Action config overrides over the action defaults. See 'adjutant.workflow.action_defaults'.
+ actions:
+ SomeCustomAction:
+ some_action_setting:
+ # Dict
+ # Email config overrides for this task over task defaults.See 'adjutant.workflow.emails'.
+ emails:
+ completed:
+ subject: invite_user_to_project
+ template: invite_user_to_project_completed.txt
+ initial: null
+ token:
+ subject: invite_user_to_project
+ template: invite_user_to_project_token.txt
+ # Dict
+ # Notification config overrides for this task over task defaults.See 'adjutant.workflow.notifications'.
+ notifications:
+ error_handler_config:
+ EmailNotification:
+ emails:
+ - example@example.com
+ reply: no-reply@example.com
+ error_handlers:
+ - EmailNotification
+ standard_handler_config:
+ EmailNotification:
+ emails:
+ - example@example.com
+ reply: no-reply@example.com
+ standard_handlers:
+ - EmailNotification
+ reset_user_password:
+ # Boolean
+ # Override if this task allows auto_approval. Otherwise uses task default.
+ allow_auto_approve: True
+ # List
+ # Additional actions to be run as part of the task after default actions.
+ # additional_actions:
+ # Integer
+ # Override for the task token expiry. Otherwise uses task default.
+ # token_expiry:
+ # Dict
+ # Action config overrides over the action defaults. See 'adjutant.workflow.action_defaults'.
+ actions:
+ SomeCustomAction:
+ some_action_setting:
+ # Dict
+ # Email config overrides for this task over task defaults.See 'adjutant.workflow.emails'.
+ emails:
+ completed:
+ subject: Password Reset for OpenStack
+ template: reset_user_password_completed.txt
+ initial: null
+ token:
+ subject: Password Reset for OpenStack
+ template: reset_user_password_token.txt
+ # Dict
+ # Notification config overrides for this task over task defaults.See 'adjutant.workflow.notifications'.
+ notifications:
+ error_handler_config:
+ EmailNotification:
+ emails:
+ - example@example.com
+ reply: no-reply@example.com
+ error_handlers:
+ - EmailNotification
+ standard_handler_config:
+ EmailNotification:
+ emails:
+ - example@example.com
+ reply: no-reply@example.com
+ standard_handlers:
+ - EmailNotification
+ update_user_email:
+ # Boolean
+ # Override if this task allows auto_approval. Otherwise uses task default.
+ allow_auto_approve: True
+ # List
+ # Additional actions to be run as part of the task after default actions.
+ additional_actions:
+ - SendAdditionalEmailAction
+ # Integer
+ # Override for the task token expiry. Otherwise uses task default.
+ # token_expiry:
+ # Dict
+ # Action config overrides over the action defaults. See 'adjutant.workflow.action_defaults'.
+ actions:
+ SendAdditionalEmailAction:
+ initial:
+ email_current_user: true
+ subject: OpenStack Email Update Requested
+ template: update_user_email_started.txt
+ # Dict
+ # Email config overrides for this task over task defaults.See 'adjutant.workflow.emails'.
+ emails:
+ completed:
+ subject: Email Update Complete
+ template: update_user_email_completed.txt
+ initial: null
+ token:
+ subject: update_user_email_token
+ template: update_user_email_token.txt
+ # Dict
+ # Notification config overrides for this task over task defaults.See 'adjutant.workflow.notifications'.
+ notifications:
+ error_handler_config:
+ EmailNotification:
+ emails:
+ - example@example.com
+ reply: no-reply@example.com
+ error_handlers:
+ - EmailNotification
+ standard_handler_config:
+ EmailNotification:
+ emails:
+ - example@example.com
+ reply: no-reply@example.com
+ standard_handlers:
+ - EmailNotification
+ update_quota:
+ # Boolean
+ # Override if this task allows auto_approval. Otherwise uses task default.
+ allow_auto_approve: True
+ # List
+ # Additional actions to be run as part of the task after default actions.
+ # additional_actions:
+ # Integer
+ # Override for the task token expiry. Otherwise uses task default.
+ # token_expiry:
+ # Dict
+ # Action config overrides over the action defaults. See 'adjutant.workflow.action_defaults'.
+ actions:
+ SomeCustomAction:
+ some_action_setting:
+ # Dict
+ # Email config overrides for this task over task defaults.See 'adjutant.workflow.emails'.
+ emails:
+ completed:
+ subject: signup completed
+ template: create_project_and_user_completed.txt
+ initial: null
+ token: null
+ # Dict
+ # Notification config overrides for this task over task defaults.See 'adjutant.workflow.notifications'.
+ notifications:
+ error_handler_config:
+ EmailNotification:
+ emails:
+ - example@example.com
+ reply: no-reply@example.com
+ error_handlers:
+ - EmailNotification
+ standard_handler_config:
+ EmailNotification:
+ emails:
+ - example@example.com
+ reply: no-reply@example.com
+ standard_handlers:
+ - EmailNotification
+
+quota:
+ # Dict
+ # A definition of the quota size groups that Adjutant should use.
+ sizes:
+ large:
+ cinder:
+ gigabytes: 50000
+ snapshots: 600
+ volumes: 200
+ neutron:
+ floatingip: 50
+ network: 10
+ port: 500
+ router: 10
+ security_group: 100
+ security_group_rule: 800
+ subnet: 10
+ nova:
+ cores: 200
+ fixed_ips: 0
+ floating_ips: 50
+ injected_file_content_bytes: 10240
+ injected_files: 5
+ instances: 100
+ key_pairs: 50
+ metadata_items: 128
+ ram: 655360
+ security_group_rules: 800
+ security_groups: 100
+ octavia:
+ health_monitor: 100
+ listener: 10
+ load_balancer: 10
+ member: 10
+ pool: 10
+ medium:
+ cinder:
+ gigabytes: 10000
+ snapshots: 300
+ volumes: 100
+ neutron:
+ floatingip: 25
+ network: 5
+ port: 250
+ router: 5
+ security_group: 50
+ security_group_rule: 400
+ subnet: 5
+ nova:
+ cores: 100
+ fixed_ips: 0
+ floating_ips: 25
+ injected_file_content_bytes: 10240
+ injected_files: 5
+ instances: 50
+ key_pairs: 50
+ metadata_items: 128
+ ram: 327680
+ security_group_rules: 400
+ security_groups: 50
+ octavia:
+ health_monitor: 50
+ listener: 5
+ load_balancer: 5
+ member: 5
+ pool: 5
+ small:
+ cinder:
+ gigabytes: 5000
+ snapshots: 50
+ volumes: 20
+ neutron:
+ floatingip: 10
+ network: 3
+ port: 50
+ router: 3
+ security_group: 20
+ security_group_rule: 100
+ subnet: 3
+ nova:
+ cores: 20
+ fixed_ips: 0
+ floating_ips: 10
+ injected_file_content_bytes: 10240
+ injected_files: 5
+ instances: 10
+ key_pairs: 50
+ metadata_items: 128
+ ram: 65536
+ security_group_rules: 100
+ security_groups: 20
+ octavia:
+ health_monitor: 5
+ listener: 1
+ load_balancer: 1
+ member: 2
+ pool: 1
+ # List
+ # An ascending list of all the quota size names, so that Adjutant knows their relative sizes/order.
+ sizes_ascending:
+ - small
+ - medium
+ - large
+ # Dict
+ # A per region definition of what services Adjutant should manage quotas for. '*' means all or default region.
+ services:
+ '*':
+ - cinder
+ - neutron
+ - nova
diff --git a/ansible/roles/adjutant/templates/wsgi-adjutant.conf.j2 b/ansible/roles/adjutant/templates/wsgi-adjutant.conf.j2
new file mode 100644
index 0000000000..49bc02f3d2
--- /dev/null
+++ b/ansible/roles/adjutant/templates/wsgi-adjutant.conf.j2
@@ -0,0 +1,37 @@
+{% set adjutant_log_dir = '/var/log/kolla/adjutant' %}
+{% if adjutant_install_type == 'binary' %}
+ {% set python_path = '/usr/lib/python3/dist-packages' if kolla_base_distro in ['debian', 'ubuntu'] else '/usr/lib/python' ~ distro_python_version ~ '/site-packages' %}
+{% else %}
+ {% set python_path = '/var/lib/kolla/venv/lib/python' + distro_python_version + '/site-packages' %}
+{% endif %}
+{% set wsgi_path = '/usr/bin' if adjutant_install_type == 'binary' else '/var/lib/kolla/venv/lib/python' + distro_python_version + '/site-packages' %}
+Listen {{ api_interface_address | put_address_in_context('url') }}:{{ adjutant_api_listen_port }}
+
+ServerSignature Off
+ServerTokens Prod
+TraceEnable off
+
+ErrorLog "{{ adjutant_log_dir }}/apache-error.log"
+
+ CustomLog "{{ adjutant_log_dir }}/apache-access.log" common
+
+
+{% if adjutant_logging_debug | bool %}
+LogLevel info
+{% endif %}
+
+
+
+ ErrorLog "{{ adjutant_log_dir }}/adjutant-api-error.log"
+ LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
+ CustomLog "{{ adjutant_log_dir }}/adjutant-api-access.log" logformat
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIDaemonProcess adjutant group=adjutant processes={{ openstack_service_workers }} threads=1 user=adjutant python-path={{ python_path }}
+ WSGIProcessGroup adjutant
+ WSGIScriptAlias / "{{ wsgi_path }}/adjutant/wsgi.py"
+
+
+ Require all granted
+
+
+
diff --git a/ansible/roles/common/templates/cron-logrotate-adjutant.conf.j2 b/ansible/roles/common/templates/cron-logrotate-adjutant.conf.j2
new file mode 100644
index 0000000000..b2db42d1ee
--- /dev/null
+++ b/ansible/roles/common/templates/cron-logrotate-adjutant.conf.j2
@@ -0,0 +1,3 @@
+"/var/log/kolla/adjutant/*.log"
+{
+}
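Review bot: `wsgi_path` resolves to `/usr/bin` for the binary install type, yet `WSGIScriptAlias / "{{ wsgi_path }}/adjutant/wsgi.py"` appends a package-relative module path, so a binary deployment would point Apache at `/usr/bin/adjutant/wsgi.py`; unless the distro package really ships the module there, that branch should resolve to the distribution's site-packages. `python_path` already holds the correct site-packages directory for both install types, so the duplicated venv expression can be replaced with `{% set wsgi_path = python_path %}` (or the alias can reference `python_path` directly), which also removes the `~`-vs-`+` concatenation inconsistency between the two `python_path` branches. The `<VirtualHost>` and `<Directory>` lines appear to have been stripped in this rendering, so the scope of `Require all granted` could not be checked from the hunk as shown.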