heat_template_version: pike

description: >
  OpenStack Glance API service configured with Puppet

parameters:
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  Debug:
    default: ''
    description: Set to True to enable debugging on all services.
    type: string
  GlancePassword:
    description: The password for the glance service and db account, used by the glance services.
    type: string
    hidden: true
  GlanceWorkers:
    default: ''
    description: |
      Number of API worker processes for Glance. If left unset (empty string), the
      default value will result in the configuration being left unset and a
      system-dependent default value will be chosen (e.g.: number of
      processors). Please note that this will create a large number of
      processes on systems with a large number of CPUs resulting in excess
      memory consumption. It is recommended that a suitable non-default value
      be selected on such systems.
    type: string
  MonitoringSubscriptionGlanceApi:
    default: 'overcloud-glance-api'
    type: string
  GlanceApiLoggingSource:
    type: json
    default:
      tag: openstack.glance.api
      path: /var/log/glance/api.log
  EnableInternalTLS:
    type: boolean
    default: false
  CephClientUserName:
    default: openstack
    type: string
  Debug:
    default: ''
    description: Set to True to enable debugging on all services.
    type: string
  GlanceNotifierStrategy:
    description: Strategy to use for Glance notification queue
    type: string
    default: noop
  GlanceLogFile:
    description: The filepath of the file to use for logging messages from Glance.
    type: string
    default: ''
  GlanceBackend:
    default: swift
    description: The short name of the Glance backend to use. Should be one
      of swift, rbd, or file
    type: string
    constraints:
    - allowed_values: ['swift', 'file', 'rbd']
  GlanceNfsEnabled:
    default: false
    description: >
      When using GlanceBackend 'file', mount NFS share for image storage.
    type: boolean
  GlanceNfsShare:
    default: ''
    description: >
      NFS share to mount for image storage (when GlanceNfsEnabled is true)
    type: string
  GlanceNfsOptions:
    default: 'intr,context=system_u:object_r:glance_var_lib_t:s0'
    description: >
      NFS mount options for image storage (when GlanceNfsEnabled is true)
    type: string
  GlanceRbdPoolName:
    default: images
    type: string
  RabbitPassword:
    description: The password for RabbitMQ
    type: string
    hidden: true
  RabbitUserName:
    default: guest
    description: The username for RabbitMQ
    type: string
  RabbitClientPort:
    default: 5672
    description: Set rabbit subscriber port, change this if using SSL
    type: number
  RabbitClientUseSSL:
    default: false
    description: >
        Rabbit client subscriber parameter to specify
        an SSL connection to the RabbitMQ host.
    type: string
  KeystoneRegion:
    type: string
    default: 'regionOne'
    description: Keystone region for endpoint
  GlanceApiPolicies:
    description: |
      A hash of policies to configure for Glance API.
      e.g. { glance-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
    default: {}
    type: json

conditions:
  use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
  glance_workers_unset: {equals : [{get_param: GlanceWorkers}, '']}

resources:

  TLSProxyBase:
    type: OS::TripleO::Services::TLSProxyBase
    properties:
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      EndpointMap: {get_param: EndpointMap}
      EnableInternalTLS: {get_param: EnableInternalTLS}

outputs:
  role_data:
    description: Role data for the Glance API role.
    value:
      service_name: glance_api
      monitoring_subscription: {get_param: MonitoringSubscriptionGlanceApi}
      logging_source: {get_param: GlanceApiLoggingSource}
      logging_groups:
        - glance
      config_settings:
        map_merge:
          - get_attr: [TLSProxyBase, role_data, config_settings]
          - glance::api::database_connection:
              make_url:
                scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
                username: glance
                password: {get_param: GlancePassword}
                host: {get_param: [EndpointMap, MysqlInternal, host]}
                path: /glance
                query:
                  read_default_file: /etc/my.cnf.d/tripleo.cnf
                  read_default_group: tripleo
            glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]}
            glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
            glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
            glance::api::enable_v1_api: false
            glance::api::enable_v2_api: true
            glance::api::authtoken::password: {get_param: GlancePassword}
            glance::api::enable_proxy_headers_parsing: true
            glance::api::debug: {get_param: Debug}
            glance::policy::policies: {get_param: GlanceApiPolicies}
            tripleo.glance_api.firewall_rules:
              '112 glance_api':
                dport:
                  - 9292
                  - 13292
            glance::api::authtoken::project_name: 'service'
            glance::keystone::authtoken::user_domain_name: 'Default'
            glance::keystone::authtoken::project_domain_name: 'Default'
            glance::api::pipeline: 'keystone'
            glance::api::show_image_direct_url: true
            # NOTE: bind IP is found in Heat replacing the network name with the
            # local node IP for the given network; replacement examples
            # (eg. for internal_api):
            # internal_api -> IP
            # internal_api_uri -> [IP]
            # internal_api_subnet - > IP/CIDR
            tripleo::profile::base::glance::api::tls_proxy_bind_ip:
              get_param: [ServiceNetMap, GlanceApiNetwork]
            tripleo::profile::base::glance::api::tls_proxy_fqdn:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]}
            tripleo::profile::base::glance::api::tls_proxy_port:
              get_param: [EndpointMap, GlanceInternal, port]
            # Bind to localhost if internal TLS is enabled, since we put a TLs
            # proxy in front.
            glance::api::bind_host:
              if:
              - use_tls_proxy
              - 'localhost'
              - {get_param: [ServiceNetMap, GlanceApiNetwork]}
            glance_notifier_strategy: {get_param: GlanceNotifierStrategy}
            glance_log_file: {get_param: GlanceLogFile}
            glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneV3Internal, uri] }
            glance::backend::swift::swift_store_user: service:glance
            glance::backend::swift::swift_store_key: {get_param: GlancePassword}
            glance::backend::swift::swift_store_create_container_on_put: true
            glance::backend::swift::swift_store_auth_version: 3
            glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName}
            glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName}
            glance_backend: {get_param: GlanceBackend}
            glance::notify::rabbitmq::rabbit_userid: {get_param: RabbitUserName}
            glance::notify::rabbitmq::rabbit_port: {get_param: RabbitClientPort}
            glance::notify::rabbitmq::rabbit_password: {get_param: RabbitPassword}
            glance::notify::rabbitmq::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
            glance::notify::rabbitmq::notification_driver: messagingv2
            tripleo::profile::base::glance::api::glance_nfs_enabled: {get_param: GlanceNfsEnabled}
            tripleo::glance::nfs_mount::share: {get_param: GlanceNfsShare}
            tripleo::glance::nfs_mount::options: {get_param: GlanceNfsOptions}
          -
            if:
            - glance_workers_unset
            - {}
            - glance::api::workers: {get_param: GlanceWorkers}
      service_config_settings:
        keystone:
          glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]}
          glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]}
          glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]}
          glance::keystone::auth::password: {get_param: GlancePassword }
          glance::keystone::auth::region: {get_param: KeystoneRegion}
          glance::keystone::auth::tenant: 'service'
        mysql:
          glance::db::mysql::password: {get_param: GlancePassword}
          glance::db::mysql::user: glance
          glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
          glance::db::mysql::dbname: glance
          glance::db::mysql::allowed_hosts:
            - '%'
            - "%{hiera('mysql_bind_host')}"
      step_config: |
        include ::tripleo::profile::base::glance::api
      upgrade_tasks:
        - name: Check if glance_api is deployed
          command: systemctl is-enabled openstack-glance-api
          tags: common
          ignore_errors: True
          register: glance_api_enabled
        #(TODO) Remove all glance-registry bits in Pike.
        - name: Check if glance_registry is deployed
          command: systemctl is-enabled openstack-glance-registry
          tags: common
          ignore_errors: True
          register: glance_registry_enabled
        - name: "PreUpgrade step0,validation: Check service openstack-glance-api is running"
          shell: /usr/bin/systemctl show 'openstack-glance-api' --property ActiveState | grep '\bactive\b'
          tags: step0,validation
          when: glance_api_enabled.rc == 0
        - name: Stop glance_api service
          tags: step1
          when: glance_api_enabled.rc == 0
          service: name=openstack-glance-api state=stopped
        - name: Stop and disable glance registry (removed for Ocata)
          tags: step1
          when: glance_registry_enabled.rc == 0
          service: name=openstack-glance-registry state=stopped enabled=no