Implement support for octavia-ovn-provider driver
This patch is the second of two required to implement the octavia-ovn-provider driver for Octavia. A new var, octavia_ovn_enabled, can be used to install the driver and configure Octavia accordingly. This patch has also restructured the driver/plugin mechanism for the os_octavia role to better mirror that of os_neutron and to make future additions easier to implement. It also uses neutron's method of certificate delivery for the ovn certs. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/868461 Change-Id: Ic5963070f4f2504860ddf0829819ca2f301546b1 Signed-off-by: Matthew Thode <mthode@mthode.org>
This commit is contained in:
parent
048f9d548e
commit
5eae150e00
|
@ -40,8 +40,12 @@ octavia_legacy_policy: False
|
|||
# Options are 'present' and 'latest'
|
||||
octavia_package_state: "{{ package_state | default('latest') }}"
|
||||
|
||||
# Source git repo/branch settings
|
||||
octavia_git_repo: https://opendev.org/openstack/octavia
|
||||
octavia_git_install_branch: master
|
||||
octavia_ovn_octavia_provider_git_repo: https://opendev.org/openstack/ovn-octavia-provider
|
||||
octavia_ovn_octavia_provider_git_install_branch: master
|
||||
|
||||
octavia_upper_constraints_url: "{{ requirements_git_url | default('https://releases.openstack.org/constraints/upper/' ~ requirements_git_install_branch | default('master')) }}"
|
||||
octavia_git_constraints:
|
||||
- "--constraint {{ octavia_upper_constraints_url }}"
|
||||
|
@ -174,37 +178,16 @@ octavia_plugin_dirs:
|
|||
- /usr/lib/octavia
|
||||
- /usr/local/lib/octavia
|
||||
|
||||
# Common pip packages
|
||||
octavia_pip_packages:
|
||||
- cryptography
|
||||
- keystonemiddleware
|
||||
- osprofiler
|
||||
- PyMySQL
|
||||
- pymemcache
|
||||
- python-glanceclient
|
||||
- python-keystoneclient
|
||||
- python-memcached
|
||||
- python-neutronclient
|
||||
- python-novaclient
|
||||
- python-openstackclient
|
||||
- python-octaviaclient
|
||||
- "git+{{ octavia_git_repo }}@{{ octavia_git_install_branch }}#egg=octavia"
|
||||
- systemd-python
|
||||
- "tooz[{{ octavia_coordination_driver }}]"
|
||||
|
||||
# Memcached override
|
||||
octavia_memcached_servers: "{{ memcached_servers }}"
|
||||
|
||||
# Specific pip packages provided by the user
|
||||
octavia_user_pip_packages: []
|
||||
|
||||
octavia_optional_oslomsg_amqp1_pip_packages:
|
||||
- oslo.messaging[amqp1]
|
||||
|
||||
octavia_api_init_overrides: {}
|
||||
octavia_worker_init_overrides: {}
|
||||
octavia_housekeeping_init_overrides: {}
|
||||
octavia_health_manager_init_overrides: {}
|
||||
octavia_driver_agent_init_overrides:
|
||||
Service:
|
||||
Killmode: process
|
||||
|
||||
## Service Name-Group Mapping
|
||||
octavia_services:
|
||||
|
@ -240,6 +223,14 @@ octavia_services:
|
|||
init_config_overrides: "{{ octavia_health_manager_init_overrides }}"
|
||||
execstarts: "{{ octavia_bin }}/octavia-health-manager"
|
||||
execreloads: "/bin/kill -HUP $MAINPID"
|
||||
octavia-driver-agent:
|
||||
group: octavia-api
|
||||
service_name: octavia-driver-agent
|
||||
service_en: "{{ octavia_ovn_enabled }}"
|
||||
start_order: 5
|
||||
init_config_overrides: "{{ octavia_driver_agent_init_overrides }}"
|
||||
execstarts: "{{ octavia_bin }}/octavia-driver-agent --config-file /etc/octavia/octavia.conf"
|
||||
execreloads: "/bin/kill -HUP $MAINPID"
|
||||
|
||||
# Required secrets for the role
|
||||
octavia_required_secrets:
|
||||
|
@ -311,6 +302,76 @@ neutron_oslomsg_rpc_port: "{{ octavia_oslomsg_rpc_port }}"
|
|||
neutron_oslomsg_rpc_servers: "{{ octavia_oslomsg_rpc_servers }}"
|
||||
neutron_oslomsg_rpc_use_ssl: "{{ octavia_oslomsg_rpc_use_ssl }}"
|
||||
|
||||
# OVN Defaults
|
||||
neutron_ovn_ssl: True
|
||||
ovn_proto: "{{ (neutron_ovn_ssl) | ternary('ssl','tcp') }}"
|
||||
neutron_ovn_primary_cluster_node: "{{ groups[neutron_services['neutron-ovn-northd']['group']] | first }}"
|
||||
neutron_ovn_northd_service_name: ovn-northd
|
||||
neutron_ovn_controller_service_name: ovn-controller
|
||||
neutron_ovn_l3_scheduler: leastloaded
|
||||
neutron_ovn_nb_connection: "{{ ovn_proto }}:{{ groups['neutron_ovn_northd'] | map('extract', hostvars, ['ansible_host']) | join(':6641,'+ ovn_proto + ':') }}:6641"
|
||||
neutron_ovn_sb_connection: "{{ ovn_proto }}:{{ groups['neutron_ovn_northd'] | map('extract', hostvars, ['ansible_host']) | join(':6642,' + ovn_proto + ':') }}:6642"
|
||||
neutron_ovsdb_manager: ptcp:6640:127.0.0.1
|
||||
|
||||
# Storage location for SSL certificate authority
|
||||
neutron_ovn_pki_dir: "{{ openstack_pki_dir }}"
|
||||
# Delegated host for operating the certificate authority
|
||||
neutron_ovn_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
|
||||
# The local address used for the neutron_ovn node
|
||||
neutron_ovn_node_address: "{{ management_address | default('127.0.0.1') }}"
|
||||
# neutron OVN server certificate
|
||||
neutron_ovn_pki_keys_path: "{{ neutron_ovn_pki_dir ~ '/certs/private/' }}"
|
||||
neutron_ovn_pki_certs_path: "{{ neutron_ovn_pki_dir ~ '/certs/certs/' }}"
|
||||
neutron_ovn_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name }}"
|
||||
neutron_ovn_pki_intermediate_chain_path: "{{ neutron_ovn_pki_dir ~ '/roots/' ~ neutron_ovn_pki_intermediate_cert_name ~ '/certs/' ~ neutron_ovn_pki_intermediate_cert_name ~ '-chain.crt' }}"
|
||||
neutron_ovn_pki_regen_cert: ""
|
||||
neutron_ovn_pki_certificates:
|
||||
- name: "neutron_ovn_{{ ansible_facts['hostname'] }}"
|
||||
provider: ownca
|
||||
cn: "{{ ansible_facts['hostname'] }}"
|
||||
san: "{{ 'DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ neutron_ovn_node_address }}"
|
||||
signed_by: "{{ neutron_ovn_pki_intermediate_cert_name }}"
|
||||
|
||||
# OVN destination files for SSL certificates
|
||||
neutron_ovn_ssl_cert: "neutron_ovn.pem"
|
||||
neutron_ovn_ssl_key: "neutron_ovn.key"
|
||||
neutron_ovn_ssl_ca_cert: "neutron_ovn-ca.pem"
|
||||
neutron_ovn_conf_dir: "/etc/openvswitch"
|
||||
octavia_cert_dest_dir: "/etc/octavia/certs"
|
||||
# Installation details for SSL certificates
|
||||
neutron_ovn_pki_install_certificates:
|
||||
- src: "{{ neutron_ovn_user_ssl_cert | default(neutron_ovn_pki_certs_path ~ 'neutron_ovn_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
|
||||
dest: "{{ [octavia_cert_dest_dir, neutron_ovn_ssl_cert] | join('/') }}"
|
||||
owner: "{{ octavia_system_user_name }}"
|
||||
group: "{{ octavia_system_group_name }}"
|
||||
mode: "0644"
|
||||
condition: "{{ (neutron_ovn_ssl and neutron_plugin_type == 'ml2.ovn' and octavia_ovn_enabled) }}"
|
||||
- src: "{{ neutron_ovn_user_ssl_key | default(neutron_ovn_pki_keys_path ~ 'neutron_ovn_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
|
||||
dest: "{{ [octavia_cert_dest_dir, neutron_ovn_ssl_key] | join('/') }}"
|
||||
owner: "{{ octavia_system_user_name }}"
|
||||
group: "{{ octavia_system_group_name }}"
|
||||
mode: "0600"
|
||||
condition: "{{ (neutron_ovn_ssl and neutron_plugin_type == 'ml2.ovn' and octavia_ovn_enabled) }}"
|
||||
- src: "{{ neutron_ovn_user_ssl_ca_cert | default(neutron_ovn_pki_intermediate_chain_path) }}"
|
||||
dest: "{{ [octavia_cert_dest_dir, neutron_ovn_ssl_ca_cert] | join('/') }}"
|
||||
owner: "{{ octavia_system_user_name }}"
|
||||
group: "{{ octavia_system_group_name }}"
|
||||
mode: "0644"
|
||||
condition: "{{ (neutron_ovn_ssl and neutron_plugin_type == 'ml2.ovn' and octavia_ovn_enabled) }}"
|
||||
|
||||
# Define user-provided SSL certificates in:
|
||||
# /etc/openstack_deploy/user_variables.yml
|
||||
#neutron_ovnnb_user_ssl_cert: <path to cert on ansible deployment host>
|
||||
#neutron_ovnnb_user_ssl_key: <path to cert on ansible deployment host>
|
||||
#neutron_ovnsb_user_ssl_cert: <path to cert on ansible deployment host>
|
||||
#neutron_ovnsb_user_ssl_key: <path to cert on ansible deployment host>
|
||||
|
||||
# Bring in Neutron defaults in support of octavia-ovn-provider driver
|
||||
neutron_install_method: "{{ service_install_method | default('source') }}"
|
||||
neutron_venv_tag: "{{ venv_tag | default('untagged') }}"
|
||||
neutron_conf_dir: /etc/neutron
|
||||
neutron_plugin_type: "ml2.ovn"
|
||||
|
||||
# For additional security use a different user on the Neutron queue
|
||||
# for Octavia with restricted access to only the event streamer
|
||||
# queues
|
||||
|
@ -437,14 +498,19 @@ octavia_uwsgi_tls:
|
|||
key: "{{ octavia_api_ssl_key }}"
|
||||
|
||||
# Set up the drivers
|
||||
# Provider agents are are optional and not required for a successful Octavia provider driver
|
||||
# Possible options: amphora_agent, noop_agent, ovn
|
||||
octavia_enabled_provider_agents: []
|
||||
octavia_enabled_provider_drivers:
|
||||
- "amphora:'The Octavia Amphora driver.'"
|
||||
- "amphorav2:'The Octavia Amphora v2 driver.'"
|
||||
- "octavia:'Deprecated name of Amphora driver.'"
|
||||
- "{{ (octavia_ovn_enabled | bool) | ternary(\"ovn:'The Octavia OVN provider driver.'\", False) }}"
|
||||
octavia_default_provider_driver: "amphorav2"
|
||||
octavia_amphora_driver: amphora_haproxy_rest_driver
|
||||
octavia_compute_driver: compute_nova_driver
|
||||
octavia_network_driver: allowed_address_pairs_driver
|
||||
octavia_ovn_enabled: false
|
||||
|
||||
#
|
||||
# Certificate generation
|
||||
|
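Review bot: The user-supplied certificate variables listed in the comment block near the end of the `@ -311,6 +302,76 @@` hunk (`neutron_ovnnb_user_ssl_cert`, `neutron_ovnnb_user_ssl_key`, `neutron_ovnsb_user_ssl_cert`, `neutron_ovnsb_user_ssl_key`) are not the names the role reads; the `src` defaults in `neutron_ovn_pki_install_certificates` look up `neutron_ovn_user_ssl_cert`, `neutron_ovn_user_ssl_key` and `neutron_ovn_user_ssl_ca_cert`. A deployer who follows the comment will have their values ignored, and the role will quietly generate and install its own CA-signed certificate instead. Replace the four commented lines with `#neutron_ovn_user_ssl_cert: <path to cert on ansible deployment host>`, `#neutron_ovn_user_ssl_key: <path to key on ansible deployment host>` and `#neutron_ovn_user_ssl_ca_cert: <path to CA cert on ansible deployment host>`. Separately, the `octavia-driver-agent` service in the `@ -240,6 +223,14 @@` hunk is enabled only by `octavia_ovn_enabled`, so a deployer who sets `octavia_enabled_provider_agents` without OVN gets a `[driver_agent]` section rendered but no running agent; if that is intended, a comment on `octavia_enabled_provider_agents` saying the agent service is only started with OVN would save confusion.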
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
A new parameter, `octavia_ovn_enabled`, is added to support the
|
||||
Octavia OVN provider driver. The Octavia OVN provider driver
|
||||
is an alternative to amphora and uses built-in support for
|
||||
load balancing withing OVN/OVS. The `ml2.ovn` Neutron plugin
|
||||
is required for this functionality. The OVN provider can be used
|
||||
during load balancer creation by specifying the `--provider ovn`
|
||||
argument for the `openstack loadbalancer create` command.
|
||||
- |
|
||||
Added new variable ``octavia_enabled_provider_agents`` that allows
|
||||
to enable Provider Agents for Octavia.
|
|
@ -144,6 +144,28 @@
|
|||
- octavia-config
|
||||
- octavia-install
|
||||
|
||||
# create the ssl certs before the installation of the services.
|
||||
- name: Create and install SSL certificates
|
||||
include_role:
|
||||
name: pki
|
||||
tasks_from: main_certs.yml
|
||||
vars:
|
||||
pki_setup_host: "{{ neutron_ovn_pki_setup_host }}"
|
||||
pki_dir: "{{ neutron_ovn_pki_dir }}"
|
||||
pki_create_certificates: "{{ neutron_ovn_user_ssl_cert is not defined and neutron_ovn_user_ssl_key is not defined }}"
|
||||
pki_regen_cert: "{{ neutron_ovn_pki_regen_cert }}"
|
||||
pki_certificates: "{{ neutron_ovn_pki_certificates }}"
|
||||
pki_install_certificates: "{{ neutron_ovn_pki_install_certificates }}"
|
||||
# notify:
|
||||
# - Restart octavia services
|
||||
# - Restart uwsgi services
|
||||
when:
|
||||
- neutron_plugin_type == 'ml2.ovn'
|
||||
- octavia_ovn_enabled
|
||||
- neutron_ovn_ssl
|
||||
tags:
|
||||
- octavia-config
|
||||
- pki
|
||||
|
||||
- import_tasks: octavia_install.yml
|
||||
tags:
|
||||
|
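Review bot: The `notify` on the new `Create and install SSL certificates` task is commented out, so when `neutron_ovn_pki_regen_cert` is set or the signed certificate is renewed, the files under `/etc/octavia/certs` are replaced but the running `octavia-driver-agent` and API keep the old key material loaded until something else restarts them. The comment above the task says it runs before the services are installed, which is presumably why the handler was dropped, but handlers only fire at the end of the play (or at a flush), so the ordering does not prevent notifying `Restart octavia services` and `Restart uwsgi services`; if those handler names exist in this role, uncomment the three lines. The `when` list also tests `octavia_ovn_enabled` and `neutron_ovn_ssl` bare; `- octavia_ovn_enabled | bool` and `- neutron_ovn_ssl | bool` match how `octavia_enabled_provider_drivers` already coerces the flag and avoid a string value from user_variables being treated as truthy.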
|
|
@ -33,12 +33,14 @@
|
|||
venv_install_destination_path: "{{ octavia_bin | dirname }}"
|
||||
venv_install_distro_package_list: "{{ octavia_distro_packages }}"
|
||||
venv_pip_install_args: "{{ octavia_pip_install_args }}"
|
||||
venv_pip_packages: "{{ octavia_pip_packages | union(octavia_user_pip_packages) +
|
||||
(octavia_oslomsg_amqp1_enabled | bool) | ternary(octavia_optional_oslomsg_amqp1_pip_packages, []) }}"
|
||||
venv_pip_packages: "{{ octavia_venv_packages }}"
|
||||
venv_facts_when_changed:
|
||||
- section: "octavia"
|
||||
option: "venv_tag"
|
||||
value: "{{ octavia_venv_tag }}"
|
||||
- section: "neutron"
|
||||
option: "venv_tag"
|
||||
value: "{{ neutron_venv_tag }}"
|
||||
tags:
|
||||
- octavia-install
|
||||
when: octavia_install_method == 'source'
|
||||
|
|
|
@ -16,7 +16,7 @@ auth_strategy = {{ octavia_auth_strategy }}
|
|||
allow_tls_terminated_listeners = {{ octavia_tls_listener_enabled }}
|
||||
|
||||
default_provider_driver = {{ octavia_default_provider_driver }}
|
||||
enabled_provider_drivers = {{ octavia_enabled_provider_drivers | join(',') }}
|
||||
enabled_provider_drivers = {{ octavia_enabled_provider_drivers | select() | join(',') }}
|
||||
|
||||
[oslo_messaging]
|
||||
topic = octavia_prov
|
||||
|
@ -188,3 +188,24 @@ endpoint_type = {{ octavia_clients_endpoint }}
|
|||
[neutron]
|
||||
region_name = {{ keystone_service_region }}
|
||||
endpoint_type = {{ octavia_clients_endpoint }}
|
||||
|
||||
{% if octavia_enabled_provider_agents | length > 0 %}
|
||||
[driver_agent]
|
||||
enabled_provider_agents = "{{ octavia_enabled_provider_agents | join(',') }}
|
||||
{% endif %}
|
||||
|
||||
{% if octavia_ovn_enabled %}
|
||||
{% if neutron_plugin_type == 'ml2.ovn' %}
|
||||
[ovn]
|
||||
ovn_nb_connection = {{ neutron_ovn_nb_connection }}
|
||||
ovn_sb_connection = {{ neutron_ovn_sb_connection }}
|
||||
{% if neutron_ovn_ssl %}
|
||||
ovn_sb_ca_cert={{ ["/etc/octavia/certs", neutron_ovn_ssl_ca_cert] | join('/') }}
|
||||
ovn_sb_certificate={{ ["/etc/octavia/certs", neutron_ovn_ssl_cert] | join('/') }}
|
||||
ovn_sb_private_key={{ ["/etc/octavia/certs", neutron_ovn_ssl_key] | join('/') }}
|
||||
ovn_nb_ca_cert={{ ["/etc/octavia/certs", neutron_ovn_ssl_ca_cert] | join('/') }}
|
||||
ovn_nb_certificate={{ ["/etc/octavia/certs", neutron_ovn_ssl_cert] | join('/') }}
|
||||
ovn_nb_private_key={{ ["/etc/octavia/certs", neutron_ovn_ssl_key] | join('/') }}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
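Review bot: `enabled_provider_agents = "{{ octavia_enabled_provider_agents | join(',') }}` in the `@ -188,3 +188,24 @@` hunk has an opening double quote with no closing one, so the rendered line is e.g. `enabled_provider_agents = "ovn` and the literal quote character becomes part of the first agent name; no other option in this template quotes its value, so drop it: `enabled_provider_agents = {{ octavia_enabled_provider_agents | join(',') }}`. In the `[ovn]` section the six certificate paths hard-code `/etc/octavia/certs`, while the install list in defaults builds `dest` from `octavia_cert_dest_dir`; a deployer who overrides that variable ends up with a config pointing at files that were never installed. Use `{{ [octavia_cert_dest_dir, neutron_ovn_ssl_ca_cert] | join('/') }}` and the same form for the certificate and key entries so the two stay in step.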
|
|
@ -15,6 +15,43 @@
|
|||
|
||||
_octavia_is_first_play_host: "{{ (octavia_services['octavia-api']['group'] in group_names and inventory_hostname == (groups[octavia_services['octavia-api']['group']] | intersect(ansible_play_hosts)) | first) | bool }}"
|
||||
|
||||
###
|
||||
### Python code details
|
||||
###
|
||||
|
||||
octavia_pip_packages:
|
||||
- cryptography
|
||||
- keystonemiddleware
|
||||
- osprofiler
|
||||
- PyMySQL
|
||||
- pymemcache
|
||||
- python-glanceclient
|
||||
- python-keystoneclient
|
||||
- python-memcached
|
||||
- python-neutronclient
|
||||
- python-novaclient
|
||||
- python-openstackclient
|
||||
- python-octaviaclient
|
||||
- "git+{{ octavia_git_repo }}@{{ octavia_git_install_branch }}#egg=octavia"
|
||||
- systemd-python
|
||||
- "tooz[{{ octavia_coordination_driver }}]"
|
||||
|
||||
# Specific pip packages provided by the user
|
||||
octavia_user_pip_packages: []
|
||||
|
||||
octavia_optional_oslomsg_amqp1_pip_packages:
|
||||
- oslo.messaging[amqp1]
|
||||
octavia_optional_ovn_octavia_provider_pip_packages:
|
||||
- "git+{{ octavia_ovn_octavia_provider_git_repo }}@{{ octavia_ovn_octavia_provider_git_install_branch }}#egg=ovn-octavia-provider"
|
||||
|
||||
octavia_venv_packages: >-
|
||||
{%- set pkg_list = octavia_pip_packages | union(octavia_user_pip_packages) + (octavia_oslomsg_amqp1_enabled | bool) | ternary(octavia_optional_oslomsg_amqp1_pip_packages, []) %}
|
||||
{%- if ('ml2.ovn' in neutron_plugin_type) and
|
||||
('ovn' in octavia_enabled_provider_drivers) %}
|
||||
{%- set _ = pkg_list.extend(octavia_optional_ovn_octavia_provider_pip_packages) %}
|
||||
{%- endif %}
|
||||
{{- pkg_list | unique }}
|
||||
|
||||
#
|
||||
# Compile a list of the services on a host based on whether
|
||||
# the host is in the host group and the service is enabled.
|
||||
|
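Review bot: The condition `('ovn' in octavia_enabled_provider_drivers)` in `octavia_venv_packages` is a list-membership test, but the default list elements are strings of the form `ovn:'The Octavia OVN provider driver.'`, so as far as I can tell it is never true with the shipped defaults and `octavia_optional_ovn_octavia_provider_pip_packages` is never added to the venv even when `octavia_ovn_enabled` is set. The driver list and the package list should be keyed off the same flag: `{%- if neutron_plugin_type == 'ml2.ovn' and (octavia_ovn_enabled | bool) %}`. The `('ml2.ovn' in neutron_plugin_type)` substring test is also looser than the equality check used in defaults and tasks/main.yml; aligning them avoids a surprising match on any plugin name that merely contains that text.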
|