Implement support for octavia-ovn-provider driver

This patch is the second of two required to implement the octavia-ovn-provider driver for Octavia. A new var, octavia_ovn_enabled, can be used to install the driver and configure Octavia accordingly. This patch has also restructured the driver/plugin mechanism for the os_octavia role to better mirror that of os_neutron and to make future additions easier to implement. It also uses neutron's method of certificate delivery for the ovn certs. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/868461 Change-Id: Ic5963070f4f2504860ddf0829819ca2f301546b1 Signed-off-by: Matthew Thode <mthode@mthode.org>
2022-12-23 04:02:55 +00:00 · 2022-12-23 04:02:55 +00:00 · 5eae150e00
parent 048f9d548e
commit 5eae150e00
6 changed files with 188 additions and 27 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -40,8 +40,12 @@ octavia_legacy_policy: False
 # Options are 'present' and 'latest'
 octavia_package_state: "{{ package_state | default('latest') }}"

+# Source git repo/branch settings
 octavia_git_repo: https://opendev.org/openstack/octavia
 octavia_git_install_branch: master
+octavia_ovn_octavia_provider_git_repo: https://opendev.org/openstack/ovn-octavia-provider
+octavia_ovn_octavia_provider_git_install_branch: master
+
 octavia_upper_constraints_url: "{{ requirements_git_url | default('https://releases.openstack.org/constraints/upper/' ~ requirements_git_install_branch | default('master')) }}"
 octavia_git_constraints:
  - "--constraint {{ octavia_upper_constraints_url }}"
@ -174,37 +178,16 @@ octavia_plugin_dirs:
  - /usr/lib/octavia
  - /usr/local/lib/octavia

-# Common pip packages
-octavia_pip_packages:
-  - cryptography
-  - keystonemiddleware
-  - osprofiler
-  - PyMySQL
-  - pymemcache
-  - python-glanceclient
-  - python-keystoneclient
-  - python-memcached
-  - python-neutronclient
-  - python-novaclient
-  - python-openstackclient
-  - python-octaviaclient
-  - "git+{{ octavia_git_repo }}@{{ octavia_git_install_branch }}#egg=octavia"
-  - systemd-python
-  - "tooz[{{ octavia_coordination_driver }}]"
-
 # Memcached override
 octavia_memcached_servers: "{{ memcached_servers }}"

-# Specific pip packages provided by the user
-octavia_user_pip_packages: []
-
-octavia_optional_oslomsg_amqp1_pip_packages:
-  - oslo.messaging[amqp1]
-
 octavia_api_init_overrides: {}
 octavia_worker_init_overrides: {}
 octavia_housekeeping_init_overrides: {}
 octavia_health_manager_init_overrides: {}
+octavia_driver_agent_init_overrides:
+  Service:
+    Killmode: process

 ## Service Name-Group Mapping
 octavia_services:
@ -240,6 +223,14 @@ octavia_services:
    init_config_overrides: "{{ octavia_health_manager_init_overrides }}"
    execstarts: "{{ octavia_bin }}/octavia-health-manager"
    execreloads: "/bin/kill -HUP $MAINPID"
+  octavia-driver-agent:
+    group: octavia-api
+    service_name: octavia-driver-agent
+    service_en: "{{ octavia_ovn_enabled }}"
+    start_order: 5
+    init_config_overrides: "{{ octavia_driver_agent_init_overrides }}"
+    execstarts: "{{ octavia_bin }}/octavia-driver-agent --config-file /etc/octavia/octavia.conf"
+    execreloads: "/bin/kill -HUP $MAINPID"

 # Required secrets for the role
 octavia_required_secrets:
@ -311,6 +302,76 @@ neutron_oslomsg_rpc_port: "{{ octavia_oslomsg_rpc_port }}"
 neutron_oslomsg_rpc_servers: "{{ octavia_oslomsg_rpc_servers }}"
 neutron_oslomsg_rpc_use_ssl: "{{ octavia_oslomsg_rpc_use_ssl }}"

+# OVN Defaults
+neutron_ovn_ssl: True
+ovn_proto: "{{ (neutron_ovn_ssl) | ternary('ssl','tcp') }}"
+neutron_ovn_primary_cluster_node: "{{ groups[neutron_services['neutron-ovn-northd']['group']] | first }}"
+neutron_ovn_northd_service_name: ovn-northd
+neutron_ovn_controller_service_name: ovn-controller
+neutron_ovn_l3_scheduler: leastloaded
+neutron_ovn_nb_connection: "{{ ovn_proto }}:{{ groups['neutron_ovn_northd'] | map('extract', hostvars, ['ansible_host']) | join(':6641,'+ ovn_proto + ':') }}:6641"
+neutron_ovn_sb_connection: "{{ ovn_proto }}:{{ groups['neutron_ovn_northd'] | map('extract', hostvars, ['ansible_host']) | join(':6642,' + ovn_proto + ':') }}:6642"
+neutron_ovsdb_manager: ptcp:6640:127.0.0.1
+
+# Storage location for SSL certificate authority
+neutron_ovn_pki_dir: "{{ openstack_pki_dir }}"
+# Delegated host for operating the certificate authority
+neutron_ovn_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
+# The local address used for the neutron_ovn node
+neutron_ovn_node_address: "{{ management_address | default('127.0.0.1') }}"
+# neutron OVN server certificate
+neutron_ovn_pki_keys_path: "{{ neutron_ovn_pki_dir ~ '/certs/private/' }}"
+neutron_ovn_pki_certs_path: "{{ neutron_ovn_pki_dir ~ '/certs/certs/' }}"
+neutron_ovn_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name }}"
+neutron_ovn_pki_intermediate_chain_path: "{{ neutron_ovn_pki_dir ~ '/roots/' ~ neutron_ovn_pki_intermediate_cert_name ~ '/certs/' ~ neutron_ovn_pki_intermediate_cert_name ~ '-chain.crt' }}"
+neutron_ovn_pki_regen_cert: ""
+neutron_ovn_pki_certificates:
+  - name: "neutron_ovn_{{ ansible_facts['hostname'] }}"
+    provider: ownca
+    cn: "{{ ansible_facts['hostname'] }}"
+    san: "{{ 'DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ neutron_ovn_node_address }}"
+    signed_by: "{{ neutron_ovn_pki_intermediate_cert_name }}"
+
+# OVN destination files for SSL certificates
+neutron_ovn_ssl_cert: "neutron_ovn.pem"
+neutron_ovn_ssl_key: "neutron_ovn.key"
+neutron_ovn_ssl_ca_cert: "neutron_ovn-ca.pem"
+neutron_ovn_conf_dir: "/etc/openvswitch"
+octavia_cert_dest_dir: "/etc/octavia/certs"
+# Installation details for SSL certificates
+neutron_ovn_pki_install_certificates:
+  - src: "{{ neutron_ovn_user_ssl_cert | default(neutron_ovn_pki_certs_path ~ 'neutron_ovn_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
+    dest: "{{ [octavia_cert_dest_dir, neutron_ovn_ssl_cert] | join('/') }}"
+    owner: "{{ octavia_system_user_name }}"
+    group: "{{ octavia_system_group_name }}"
+    mode: "0644"
+    condition: "{{ (neutron_ovn_ssl and neutron_plugin_type == 'ml2.ovn' and octavia_ovn_enabled) }}"
+  - src: "{{ neutron_ovn_user_ssl_key | default(neutron_ovn_pki_keys_path ~ 'neutron_ovn_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
+    dest: "{{ [octavia_cert_dest_dir, neutron_ovn_ssl_key] | join('/') }}"
+    owner: "{{ octavia_system_user_name }}"
+    group: "{{ octavia_system_group_name }}"
+    mode: "0600"
+    condition: "{{ (neutron_ovn_ssl and neutron_plugin_type == 'ml2.ovn' and octavia_ovn_enabled) }}"
+  - src: "{{ neutron_ovn_user_ssl_ca_cert | default(neutron_ovn_pki_intermediate_chain_path) }}"
+    dest: "{{ [octavia_cert_dest_dir, neutron_ovn_ssl_ca_cert] | join('/') }}"
+    owner: "{{ octavia_system_user_name }}"
+    group: "{{ octavia_system_group_name }}"
+    mode: "0644"
+    condition: "{{ (neutron_ovn_ssl and neutron_plugin_type == 'ml2.ovn' and octavia_ovn_enabled) }}"
+
+# Define user-provided SSL certificates in:
+# /etc/openstack_deploy/user_variables.yml
+#neutron_ovnnb_user_ssl_cert: <path to cert on ansible deployment host>
+#neutron_ovnnb_user_ssl_key: <path to cert on ansible deployment host>
+#neutron_ovnsb_user_ssl_cert: <path to cert on ansible deployment host>
+#neutron_ovnsb_user_ssl_key: <path to cert on ansible deployment host>
+
+# Bring in Neutron defaults in support of octavia-ovn-provider driver
+neutron_install_method: "{{ service_install_method | default('source') }}"
+neutron_venv_tag: "{{ venv_tag | default('untagged') }}"
+neutron_conf_dir: /etc/neutron
+neutron_plugin_type: "ml2.ovn"
+
 # For additional security use a different user on the Neutron queue
 # for Octavia with restricted access to only the event streamer
 # queues
@ -437,14 +498,19 @@ octavia_uwsgi_tls:
  key: "{{ octavia_api_ssl_key }}"

 # Set up the drivers
+# Provider agents are are optional and not required for a successful Octavia provider driver
+# Possible options: amphora_agent, noop_agent, ovn
+octavia_enabled_provider_agents: []
 octavia_enabled_provider_drivers:
  - "amphora:'The Octavia Amphora driver.'"
  - "amphorav2:'The Octavia Amphora v2 driver.'"
  - "octavia:'Deprecated name of Amphora driver.'"
+  - "{{ (octavia_ovn_enabled | bool) | ternary(\"ovn:'The Octavia OVN provider driver.'\", False) }}"
 octavia_default_provider_driver: "amphorav2"
 octavia_amphora_driver: amphora_haproxy_rest_driver
 octavia_compute_driver: compute_nova_driver
 octavia_network_driver: allowed_address_pairs_driver
+octavia_ovn_enabled: false

 #
 # Certificate generation
--- a/releasenotes/notes/octavia-ovn-provider-driver-3efd5e7e77291b78.yaml
+++ b/releasenotes/notes/octavia-ovn-provider-driver-3efd5e7e77291b78.yaml
@ -0,0 +1,13 @@
+---
+features:
+  - |
+    A new parameter, `octavia_ovn_enabled`, is added to support the
+    Octavia OVN provider driver. The Octavia OVN provider driver
+    is an alternative to amphora and uses built-in support for
+    load balancing withing OVN/OVS. The `ml2.ovn` Neutron plugin
+    is required for this functionality. The OVN provider can be used
+    during load balancer creation by specifying the `--provider ovn`
+    argument for the `openstack loadbalancer create` command.
+  - |
+    Added new variable ``octavia_enabled_provider_agents`` that allows
+    to enable Provider Agents for Octavia.
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -144,6 +144,28 @@
    - octavia-config
    - octavia-install

+# create the ssl certs before the installation of the services.
+- name: Create and install SSL certificates
+  include_role:
+    name: pki
+    tasks_from: main_certs.yml
+  vars:
+    pki_setup_host: "{{ neutron_ovn_pki_setup_host }}"
+    pki_dir: "{{ neutron_ovn_pki_dir }}"
+    pki_create_certificates: "{{ neutron_ovn_user_ssl_cert is not defined and neutron_ovn_user_ssl_key is not defined }}"
+    pki_regen_cert: "{{ neutron_ovn_pki_regen_cert }}"
+    pki_certificates: "{{ neutron_ovn_pki_certificates }}"
+    pki_install_certificates: "{{ neutron_ovn_pki_install_certificates }}"
+#  notify:
+#    - Restart octavia services
+#    - Restart uwsgi services
+  when:
+    - neutron_plugin_type == 'ml2.ovn'
+    - octavia_ovn_enabled
+    - neutron_ovn_ssl
+  tags:
+    - octavia-config
+    - pki

 - import_tasks: octavia_install.yml
  tags:
--- a/tasks/octavia_install.yml
+++ b/tasks/octavia_install.yml
@ -33,12 +33,14 @@
    venv_install_destination_path: "{{ octavia_bin | dirname }}"
    venv_install_distro_package_list: "{{ octavia_distro_packages }}"
    venv_pip_install_args: "{{ octavia_pip_install_args }}"
-    venv_pip_packages: "{{ octavia_pip_packages | union(octavia_user_pip_packages) +
-    (octavia_oslomsg_amqp1_enabled | bool) | ternary(octavia_optional_oslomsg_amqp1_pip_packages, []) }}"
+    venv_pip_packages: "{{ octavia_venv_packages }}"
    venv_facts_when_changed:
      - section: "octavia"
        option: "venv_tag"
        value: "{{ octavia_venv_tag }}"
+      - section: "neutron"
+        option: "venv_tag"
+        value: "{{ neutron_venv_tag }}"
  tags:
    - octavia-install
  when: octavia_install_method == 'source'
--- a/templates/octavia.conf.j2
+++ b/templates/octavia.conf.j2
@ -16,7 +16,7 @@ auth_strategy = {{ octavia_auth_strategy }}
 allow_tls_terminated_listeners = {{ octavia_tls_listener_enabled }}

 default_provider_driver = {{ octavia_default_provider_driver }}
-enabled_provider_drivers = {{ octavia_enabled_provider_drivers | join(',') }}
+enabled_provider_drivers = {{ octavia_enabled_provider_drivers | select() | join(',') }}

 [oslo_messaging]
 topic = octavia_prov
@ -188,3 +188,24 @@ endpoint_type = {{ octavia_clients_endpoint }}
 [neutron]
 region_name = {{ keystone_service_region }}
 endpoint_type = {{ octavia_clients_endpoint }}
+
+{% if octavia_enabled_provider_agents | length > 0 %}
+[driver_agent]
+enabled_provider_agents = "{{ octavia_enabled_provider_agents | join(',') }}
+{% endif %}
+
+{% if octavia_ovn_enabled %}
+{%   if neutron_plugin_type == 'ml2.ovn' %}
+[ovn]
+ovn_nb_connection = {{ neutron_ovn_nb_connection }}
+ovn_sb_connection = {{ neutron_ovn_sb_connection }}
+{%     if neutron_ovn_ssl %}
+ovn_sb_ca_cert={{ ["/etc/octavia/certs", neutron_ovn_ssl_ca_cert] | join('/') }}
+ovn_sb_certificate={{ ["/etc/octavia/certs", neutron_ovn_ssl_cert] | join('/') }}
+ovn_sb_private_key={{ ["/etc/octavia/certs", neutron_ovn_ssl_key] | join('/') }}
+ovn_nb_ca_cert={{ ["/etc/octavia/certs", neutron_ovn_ssl_ca_cert] | join('/') }}
+ovn_nb_certificate={{ ["/etc/octavia/certs", neutron_ovn_ssl_cert] | join('/') }}
+ovn_nb_private_key={{ ["/etc/octavia/certs", neutron_ovn_ssl_key] | join('/') }}
+{%     endif %}
+{%   endif %}
+{% endif %}
--- a/vars/main.yml
+++ b/vars/main.yml
@ -15,6 +15,43 @@

 _octavia_is_first_play_host: "{{ (octavia_services['octavia-api']['group'] in group_names and inventory_hostname == (groups[octavia_services['octavia-api']['group']] | intersect(ansible_play_hosts)) | first) | bool }}"

+###
+### Python code details
+###
+
+octavia_pip_packages:
+  - cryptography
+  - keystonemiddleware
+  - osprofiler
+  - PyMySQL
+  - pymemcache
+  - python-glanceclient
+  - python-keystoneclient
+  - python-memcached
+  - python-neutronclient
+  - python-novaclient
+  - python-openstackclient
+  - python-octaviaclient
+  - "git+{{ octavia_git_repo }}@{{ octavia_git_install_branch }}#egg=octavia"
+  - systemd-python
+  - "tooz[{{ octavia_coordination_driver }}]"
+
+# Specific pip packages provided by the user
+octavia_user_pip_packages: []
+
+octavia_optional_oslomsg_amqp1_pip_packages:
+  - oslo.messaging[amqp1]
+octavia_optional_ovn_octavia_provider_pip_packages:
+  - "git+{{ octavia_ovn_octavia_provider_git_repo }}@{{ octavia_ovn_octavia_provider_git_install_branch }}#egg=ovn-octavia-provider"
+
+octavia_venv_packages: >-
+  {%- set pkg_list = octavia_pip_packages | union(octavia_user_pip_packages) + (octavia_oslomsg_amqp1_enabled | bool) | ternary(octavia_optional_oslomsg_amqp1_pip_packages, []) %}
+  {%- if ('ml2.ovn' in neutron_plugin_type) and
+         ('ovn' in octavia_enabled_provider_drivers) %}
+  {%-     set _ = pkg_list.extend(octavia_optional_ovn_octavia_provider_pip_packages) %}
+  {%- endif %}
+  {{- pkg_list | unique }}
+
 #
 # Compile a list of the services on a host based on whether
 # the host is in the host group and the service is enabled.