heat_template_version: rocky

description: >
  OpenStack containerized swift proxy service

parameters:
  DockerSwiftProxyImage:
    description: image
    type: string
  DockerSwiftConfigImage:
    description: The container image to use for the swift config_volume
    type: string
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  SwiftEncryptionEnabled:
    description: Set to True to enable data-at-rest encryption in Swift
    default: false
    type: boolean
  EnableInternalTLS:
    type: boolean
    default: false
  UpgradeRemoveUnusedPackages:
    default: false
    description: Remove package if the service is being disabled during upgrade
    type: boolean
  DeployIdentifier:
    default: ''
    type: string
    description: >
      Setting this to a unique value will re-run any deployment tasks which
      perform configuration on a Heat stack-update.

conditions:

  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
  swift_encryption_enabled: {equals : [{get_param: SwiftEncryptionEnabled}, true]}

resources:

  ContainersCommon:
    type: ./containers-common.yaml

  SwiftProxyBase:
    type: ../../puppet/services/swift-proxy.yaml
    properties:
      EndpointMap: {get_param: EndpointMap}
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}

outputs:
  role_data:
    description: Role data for the swift proxy.
    value:
      service_name: {get_attr: [SwiftProxyBase, role_data, service_name]}
      config_settings: {get_attr: [SwiftProxyBase, role_data, config_settings]}
      service_config_settings: {get_attr: [SwiftProxyBase, role_data, service_config_settings]}
      # BEGIN DOCKER SETTINGS
      puppet_config:
        config_volume: swift
        puppet_tags: swift_config,swift_proxy_config,swift_keymaster_config
        step_config:
          get_attr: [SwiftProxyBase, role_data, step_config]
        config_image: {get_param: DockerSwiftConfigImage}
      kolla_config:
        /var/lib/kolla/config_files/swift_proxy.json:
          command: /usr/bin/swift-proxy-server /etc/swift/proxy-server.conf
          config_files:
            - source: "/var/lib/kolla/config_files/src/*"
              dest: "/"
              merge: true
              preserve_properties: true
        /var/lib/kolla/config_files/swift_proxy_tls_proxy.json:
          command: /usr/sbin/httpd -DFOREGROUND
          config_files:
            - source: "/var/lib/kolla/config_files/src/*"
              dest: "/"
              merge: true
              preserve_properties: true
      docker_config_scripts:
        create_swift_secret.sh:
          mode: "0700"
          content: |
            #!/bin/bash
            export OS_PROJECT_DOMAIN_ID=$(crudini --get /etc/swift/keymaster.conf kms_keymaster project_domain_id)
            export OS_USER_DOMAIN_ID=$(crudini --get /etc/swift/keymaster.conf kms_keymaster user_domain_id)
            export OS_PROJECT_NAME=$(crudini --get /etc/swift/keymaster.conf kms_keymaster project_name)
            export OS_USERNAME=$(crudini --get /etc/swift/keymaster.conf kms_keymaster username)
            export OS_PASSWORD=$(crudini --get /etc/swift/keymaster.conf kms_keymaster password)
            export OS_AUTH_URL=$(crudini --get /etc/swift/keymaster.conf kms_keymaster auth_endpoint)
            export OS_AUTH_TYPE=password
            export OS_IDENTITY_API_VERSION=3

            echo "Check if secret already exists"
            secret_href=$(openstack secret list --name swift_root_secret_uuid)
            rc=$?
            if [[ $rc != 0 ]]; then
              echo "Failed to check secrets, check if Barbican in enabled and responding properly"
              exit $rc;
            fi
            if [ -z "$secret_href" ]; then
              echo "Create new secret"
              order_href=$(openstack secret order create --name swift_root_secret_uuid --payload-content-type="application/octet-stream" --algorithm aes --bit-length 256 --mode ctr key -f value -c "Order href")
            fi
        set_swift_keymaster_key_id.sh:
          mode: "0700"
          content: |
            #!/bin/bash
            export OS_PROJECT_DOMAIN_ID=$(crudini --get /etc/swift/keymaster.conf kms_keymaster project_domain_id)
            export OS_USER_DOMAIN_ID=$(crudini --get /etc/swift/keymaster.conf kms_keymaster user_domain_id)
            export OS_PROJECT_NAME=$(crudini --get /etc/swift/keymaster.conf kms_keymaster project_name)
            export OS_USERNAME=$(crudini --get /etc/swift/keymaster.conf kms_keymaster username)
            export OS_PASSWORD=$(crudini --get /etc/swift/keymaster.conf kms_keymaster password)
            export OS_AUTH_URL=$(crudini --get /etc/swift/keymaster.conf kms_keymaster auth_endpoint)
            export OS_AUTH_TYPE=password
            export OS_IDENTITY_API_VERSION=3
            echo "retrieve key_id"
            loop_wait=2
            for i in {0..5}; do
              #TODO update uuid from mistral here too
              secret_href=$(openstack secret list --name swift_root_secret_uuid)
              if [ "$secret_href" ]; then
                echo "set key_id in keymaster.conf"
                secret_href=$(openstack secret list --name swift_root_secret_uuid -f value -c "Secret href")
                crudini --set /etc/swift/keymaster.conf kms_keymaster key_id ${secret_href##*/}
                exit 0
              else
                echo "no key, wait for $loop_wait and check again"
                sleep $loop_wait
                ((loop_wait++))
              fi
            done
            echo "Failed to set secret in keymaster.conf, check if Barbican is enabled and responding properly"
            exit 1
      docker_config:
        step_4:
          map_merge:
            - if:
                - swift_encryption_enabled
                - create_swift_secret:
                    # NOTE: Barbican should be started before creating secrets
                    start_order: 0
                    image: &swift_proxy_image {get_param: DockerSwiftProxyImage}
                    net: host
                    detach: false
                    volumes:
                        list_concat:
                          - {get_attr: [ContainersCommon, volumes]}
                          -
                            - /var/lib/config-data/puppet-generated/swift/etc/swift:/etc/swift:ro
                            - /var/lib/docker-config-scripts/create_swift_secret.sh:/create_swift_secret.sh:ro
                    user: root
                    command: "/usr/bin/bootstrap_host_exec swift_proxy /create_swift_secret.sh"
                - {}
            - if:
                - swift_encryption_enabled
                - set_swift_secret:
                    start_order: 1
                    image: *swift_proxy_image
                    net: host
                    detach: false
                    volumes:
                        list_concat:
                          - {get_attr: [ContainersCommon, volumes]}
                          -
                            - /var/lib/config-data/puppet-generated/swift/etc/swift:/etc/swift:rw
                            - /var/lib/docker-config-scripts/set_swift_keymaster_key_id.sh:/set_swift_keymaster_key_id.sh:ro
                    user: root
                    command: "/set_swift_keymaster_key_id.sh"
                    environment:
                      # NOTE: this should force this container to re-run on each
                      # update (scale-out, etc.)
                      - list_join:
                          - ''
                          - - 'TRIPLEO_DEPLOY_IDENTIFIER='
                            - {get_param: DeployIdentifier}
                - {}
            - swift_proxy:
                image: *swift_proxy_image
                start_order: 2
                net: host
                user: swift
                restart: always
                healthcheck:
                  test: /openstack/healthcheck
                volumes:
                  list_concat:
                    - {get_attr: [ContainersCommon, volumes]}
                    -
                      - /var/lib/kolla/config_files/swift_proxy.json:/var/lib/kolla/config_files/config.json:ro
                      - /var/lib/config-data/puppet-generated/swift/:/var/lib/kolla/config_files/src:ro
                      - /run:/run
                      - /srv/node:/srv/node
                      - /dev:/dev
                environment:
                  - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
            - if:
                - internal_tls_enabled
                - swift_proxy_tls_proxy:
                    image: *swift_proxy_image
                    net: host
                    user: root
                    restart: always
                    volumes:
                      list_concat:
                        - {get_attr: [ContainersCommon, volumes]}
                        -
                          - /var/lib/kolla/config_files/swift_proxy_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro
                          - /var/lib/config-data/puppet-generated/swift/:/var/lib/kolla/config_files/src:ro
                          - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
                          - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
                    environment:
                      - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
                - {}
      host_prep_tasks:
        - name: create persistent directories
          file:
            path: "{{ item.path }}"
            state: directory
            setype: "{{ item.setype }}"
          with_items:
            - { 'path': /srv/node, 'setype': svirt_sandbox_file_t }
            - { 'path': /var/log/swift, 'setype': svirt_sandbox_file_t }
        - stat: path=/var/log/swift
          register: swift_log_stat
        - name: Create swift logging symlink
          file:
            src: /var/log/swift
            dest: /var/log/containers/swift
            state: link
          when: swift_log_stat.stat.exists
        - name: Check if rsyslog exists
          shell: systemctl list-unit-files --type=service | grep -q rsyslog
          register: rsyslog_config
          failed_when: rsyslog_config.rc == 2
        - block:
            - name: Forward logging to swift.log file
              copy:
                content: |
                  # Fix for https://bugs.launchpad.net/tripleo/+bug/1776180
                  local2.*                 /var/log/swift/swift.log
                  &                        stop
                dest: /etc/rsyslog.d/openstack-swift.conf
              register: logconfig
            - name: Restart rsyslogd service after logging conf change
              service: name=rsyslog state=restarted
              when:
                - logconfig|changed
          when: rsyslog_config.rc == 0
      upgrade_tasks:
        - when: step|int == 0
          tags: common
          block:
            - name: Check if swift-proxy or swift-object-expirer are deployed
              command: systemctl is-enabled --quiet "{{ item }}"
              ignore_errors: True
              register: swift_proxy_services_enabled_result
              with_items:
                - openstack-swift-proxy
                - openstack-swift-object-expirer
            - name: Set fact swift_proxy_services_enabled
              set_fact:
                swift_proxy_services_enabled: "{{ swift_proxy_services_enabled_result }}"
            - name: "PreUpgrade step0,validation: Check service openstack-swift-proxy and openstack-swift-object-expirer are running"
              command: systemctl is-active --quiet "{{ item.item }}"
              when: item.rc == 0
              tags: validation
              with_items: "{{ swift_proxy_services_enabled.results }}"
        - when: step|int == 2
          block:
            - name: Stop and disable swift-proxy and swift-object-expirer services
              when: item.rc == 0
              service: name={{ item.item }} state=stopped enabled=no
              with_items: "{{ swift_proxy_services_enabled.results }}"
        - when: step|int == 3
          block:
            - name: Set fact for removal of openstack-swift-proxy package
              set_fact:
                remove_swift_proxy_package: {get_param: UpgradeRemoveUnusedPackages}
            - name: Remove openstack-swift-proxy package if operator requests it
              package: name=openstack-swift-proxy state=removed
              ignore_errors: True
              when: remove_swift_proxy_package|bool
      metadata_settings:
        get_attr: [SwiftProxyBase, role_data, metadata_settings]
      fast_forward_upgrade_tasks:
        - when:
            - step|int == 0
            - release == 'ocata'
          block:
            - name: Check if swift-proxy or swift-object-expirer are deployed
              command: systemctl is-enabled --quiet "{{ item }}"
              ignore_errors: True
              register: swift_proxy_services_enabled_result
              with_items:
                - openstack-swift-proxy
                - openstack-swift-object-expirer
            - name: Set fact swift_proxy_services_enabled
              set_fact:
                swift_proxy_services_enabled: "{{ swift_proxy_services_enabled_result }}"
        - name: Stop swift-proxy and swift-object-expirer services
          service: name={{ item.item }} state=stopped enabled=no
          with_items: "{{ swift_proxy_services_enabled.results }}"
          when:
            - step|int == 1
            - release == 'ocata'
            - item.rc == 0