openstack/openstack-ansible-os_octavia
Code Issues Proposed changes
openstack-ansible-os_octavia/defaults/main.yml
Dmitriy Rabotyagov 03f797df2a Define ovn provider agent when OVN is used 
Defining OVN provider agent is required for the OVN driver as it is
responsible for connection to NB DB and listens to the events in it.

Without the any provider being enabled octavia-driver-agent service is
not doing anything. Moreover, assinged FIP to the LB VIP will not be
working properly, as that needs update to the LB inside of OVN, which
is performed only when agent detects changes to the VIP port.

Change-Id: I82b4cd6749f42220be799c3a3e0d6bc14255125f
2024-08-27 21:34:12 +02:00

734 lines
31 KiB
YAML
Raw Blame History

---
# Copyright 2017, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
## Verbosity Options
debug: False
# Set the host which will execute the shade modules
# for the service setup. The host must already have
# clouds.yaml properly configured.
octavia_service_setup_host: "{{ openstack_service_setup_host | default('localhost') }}"
octavia_service_setup_host_python_interpreter: >-
{{
openstack_service_setup_host_python_interpreter | default(
(octavia_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']))
}}
# Set installation method.
octavia_install_method: "{{ service_install_method | default('source') }}"
octavia_venv_python_executable: "{{ openstack_venv_python_executable | default('python3') }}"
## Allow TLS listener
octavia_tls_listener_enabled: True
# Legacy policy disables the requirement for load-balancer service users to
# have one of the load-balancer:* roles. It provides a similar policy to
# legacy OpenStack policies where any user or admin has access to load-balancer
# resources that they own. Users with the admin role has access to all
# load-balancer resources, whether they own them or not.
octavia_legacy_policy: False
# Set the package install state for distribution packages
# Options are 'present' and 'latest'
octavia_package_state: "{{ package_state | default('latest') }}"
# Source git repo/branch settings
octavia_git_repo: https://opendev.org/openstack/octavia
octavia_git_install_branch: master
octavia_upper_constraints_url: >-
{{ requirements_git_url | default('https://releases.openstack.org/constraints/upper/' ~ requirements_git_install_branch | default('master')) }}
octavia_ovn_octavia_provider_git_repo: https://opendev.org/openstack/ovn-octavia-provider
octavia_ovn_octavia_provider_git_install_branch: master
octavia_git_constraints:
- "--constraint {{ octavia_upper_constraints_url }}"
octavia_pip_install_args: "{{ pip_install_options | default('') }}"
# Name of the virtual env to deploy into
octavia_venv_tag: "{{ venv_tag | default('untagged') }}"
octavia_bin: "{{ _octavia_bin }}"
octavia_clients_endpoint: internal
octavia_auth_strategy: keystone
## Barbican certificates
octavia_barbican_enabled: false
## Cinder Volume
octavia_cinder_enabled: False
cinder_default_availability_zone: "{{ octavia_amp_availability_zone }}"
octavia_cinder_volume_size: 16
octavia_cinder_volume_type: "volumes-hdd"
## Database info
octavia_db_setup_host: "{{ openstack_db_setup_host | default('localhost') }}"
octavia_db_setup_python_interpreter: >-
{{
openstack_db_setup_python_interpreter | default(
(octavia_db_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']))
}}
octavia_galera_address: "{{ galera_address | default('127.0.0.1') }}"
octavia_galera_user: octavia
octavia_galera_database: octavia
octavia_galera_persistence_database: octavia_persistence
octavia_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
octavia_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}"
octavia_db_max_overflow: "{{ openstack_db_max_overflow | default('50') }}"
octavia_db_max_pool_size: "{{ openstack_db_max_pool_size | default('5') }}"
octavia_db_pool_timeout: "{{ openstack_db_pool_timeout | default('30') }}"
octavia_db_connection_recycle_time: "{{ openstack_db_connection_recycle_time | default('600') }}"
octavia_galera_port: "{{ galera_port | default('3306') }}"
## Coordination info
# NOTE: Only Zookeeper and Redis are supported for Octavia
octavia_coordination_driver: "{{ coordination_driver | default('zookeeper') }}"
octavia_coordination_group: "{{ coordination_host_group | default('zookeeper_all') }}"
octavia_coordination_enable: "{{ octavia_coordination_group in groups and groups[octavia_coordination_group] | length > 0 }}"
octavia_coordination_namespace: octavia_jobboard
octavia_coordination_client_ssl: "{{ coordination_client_ssl | default(True) }}"
octavia_coordination_verify_cert: "{{ coordination_verify_cert | default(True) }}"
octavia_coordination_port: "{{ coordination_port | default(octavia_coordination_client_ssl | ternary('2281', '2181')) }}"
## Oslo Messaging
# RPC
octavia_oslomsg_rpc_host_group: "{{ oslomsg_rpc_host_group | default('rabbitmq_all') }}"
octavia_oslomsg_rpc_setup_host: "{{ (octavia_oslomsg_rpc_host_group in groups) | ternary(groups[octavia_oslomsg_rpc_host_group][0], 'localhost') }}"
octavia_oslomsg_rpc_transport: "{{ oslomsg_rpc_transport | default('rabbit') }}"
octavia_oslomsg_rpc_servers: "{{ oslomsg_rpc_servers | default('127.0.0.1') }}"
octavia_oslomsg_rpc_port: "{{ oslomsg_rpc_port | default('5672') }}"
octavia_oslomsg_rpc_use_ssl: "{{ oslomsg_rpc_use_ssl | default(False) }}"
octavia_oslomsg_rpc_userid: octavia
octavia_oslomsg_rpc_policies: []
# vhost name depends on value of oslomsg_rabbit_quorum_queues. In case quorum queues
# are not used - vhost name will be prefixed with leading `/`.
octavia_oslomsg_rpc_vhost:
- name: /octavia
state: "{{ octavia_oslomsg_rabbit_quorum_queues | ternary('absent', 'present') }}"
- name: octavia
state: "{{ octavia_oslomsg_rabbit_quorum_queues | ternary('present', 'absent') }}"
octavia_oslomsg_rpc_ssl_version: "{{ oslomsg_rpc_ssl_version | default('TLSv1_2') }}"
octavia_oslomsg_rpc_ssl_ca_file: "{{ oslomsg_rpc_ssl_ca_file | default('') }}"
# Notify
octavia_oslomsg_notify_configure: "{{ oslomsg_notify_configure | default(octavia_ceilometer_enabled) }}"
octavia_oslomsg_notify_host_group: "{{ oslomsg_notify_host_group | default('rabbitmq_all') }}"
octavia_oslomsg_notify_setup_host: >-
{{ (octavia_oslomsg_notify_host_group in groups) | ternary(groups[octavia_oslomsg_notify_host_group][0], 'localhost') }}
octavia_oslomsg_notify_transport: "{{ oslomsg_notify_transport | default('rabbit') }}"
octavia_oslomsg_notify_servers: "{{ oslomsg_notify_servers | default('127.0.0.1') }}"
octavia_oslomsg_notify_port: "{{ oslomsg_notify_port | default('5672') }}"
octavia_oslomsg_notify_use_ssl: "{{ oslomsg_notify_use_ssl | default(False) }}"
octavia_oslomsg_notify_userid: "{{ octavia_oslomsg_rpc_userid }}"
octavia_oslomsg_notify_password: "{{ octavia_oslomsg_rpc_password }}"
octavia_oslomsg_notify_vhost: "{{ octavia_oslomsg_rpc_vhost }}"
octavia_oslomsg_notify_ssl_version: "{{ oslomsg_notify_ssl_version | default('TLSv1_2') }}"
octavia_oslomsg_notify_ssl_ca_file: "{{ oslomsg_notify_ssl_ca_file | default('') }}"
octavia_oslomsg_notify_policies: []
## RabbitMQ integration
octavia_oslomsg_rabbit_quorum_queues: "{{ oslomsg_rabbit_quorum_queues | default(True) }}"
octavia_oslomsg_rabbit_stream_fanout: "{{ oslomsg_rabbit_stream_fanout | default(octavia_oslomsg_rabbit_quorum_queues) }}"
octavia_oslomsg_rabbit_transient_quorum_queues: "{{ oslomsg_rabbit_transient_quorum_queues | default(octavia_oslomsg_rabbit_stream_fanout) }}"
octavia_oslomsg_rabbit_qos_prefetch_count: "{{ oslomsg_rabbit_qos_prefetch_count | default(octavia_oslomsg_rabbit_stream_fanout | ternary(10, 0)) }}"
octavia_oslomsg_rabbit_queue_manager: "{{ oslomsg_rabbit_queue_manager | default(octavia_oslomsg_rabbit_quorum_queues) }}"
octavia_oslomsg_rabbit_quorum_delivery_limit: "{{ oslomsg_rabbit_quorum_delivery_limit | default(0) }}"
octavia_oslomsg_rabbit_quorum_max_memory_bytes: "{{ oslomsg_rabbit_quorum_max_memory_bytes | default(0) }}"
## (Qdrouterd) integration
# TODO(ansmith): Change structure when more backends will be supported
octavia_oslomsg_amqp1_enabled: "{{ octavia_oslomsg_rpc_transport == 'amqp' }}"
octavia_ceilometer_enabled: "{{ (groups['ceilometer_all'] is defined) and (groups['ceilometer_all'] | length > 0) }}"
## octavia User / Group
octavia_system_user_name: octavia
octavia_system_group_name: octavia
octavia_system_shell: /bin/false
octavia_system_comment: octavia system user
octavia_system_home_folder: "/var/lib/{{ octavia_system_user_name }}"
octavia_system_slice_name: octavia
octavia_lock_dir: "{{ openstack_lock_dir | default('/run/lock') }}"
## Auth
octavia_service_region: "{{ service_region | default('RegionOne') }}"
octavia_service_project_name: "service"
octavia_service_user_name: "octavia"
octavia_service_role_names:
- admin
- service
octavia_service_token_roles:
- service
octavia_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"
octavia_service_project_domain_id: default
octavia_service_user_domain_id: default
octavia_keystone_auth_plugin: "{{ octavia_keystone_auth_type }}"
octavia_keystone_auth_type: password
## octavia api service type and data
octavia_service_name: octavia
octavia_service_description: "Octavia Load Balancing Service"
octavia_service_port: 9876
octavia_service_proto: http
octavia_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(octavia_service_proto) }}"
octavia_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(octavia_service_proto) }}"
octavia_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(octavia_service_proto) }}"
octavia_service_type: load-balancer
octavia_service_publicuri: "{{ octavia_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ octavia_service_port }}"
octavia_service_adminuri: "{{ octavia_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ octavia_service_port }}"
octavia_service_internaluri: "{{ octavia_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ octavia_service_port }}"
octavia_service_in_ldap: "{{ service_ldap_backend_enabled | default(False) }}"
## RPC
octavia_rpc_thread_pool_size: 64
octavia_rpc_conn_pool_size: 30
## Timeouts
octavia_amp_active_retries: 10
## Plugin dirs
octavia_plugin_dirs:
- /usr/lib/octavia
- /usr/local/lib/octavia
###
### Python code details
###
octavia_pip_packages:
- cryptography
- keystonemiddleware
- osprofiler
- PyMySQL
- pymemcache
- python-glanceclient
- python-keystoneclient
- python-memcached
- python-neutronclient
- python-novaclient
- python-openstackclient
- python-octaviaclient
- "git+{{ octavia_git_repo }}@{{ octavia_git_install_branch }}#egg=octavia"
- systemd-python
- "tooz[{{ octavia_coordination_driver }}]"
# Specific pip packages provided by the user
octavia_user_pip_packages: []
octavia_optional_oslomsg_amqp1_pip_packages:
- oslo.messaging[amqp1]
octavia_optional_ovn_octavia_provider_pip_packages:
- "git+{{ octavia_ovn_octavia_provider_git_repo }}@{{ octavia_ovn_octavia_provider_git_install_branch }}#egg=ovn-octavia-provider"
# Memcached override
octavia_memcached_servers: "{{ memcached_servers }}"
octavia_api_init_overrides: {}
octavia_worker_init_overrides: {}
octavia_housekeeping_init_overrides: {}
octavia_health_manager_init_overrides: {}
octavia_driver_agent_init_overrides:
Service:
Killmode: process
## Service Name-Group Mapping
octavia_services:
octavia-api:
group: octavia-api
service_name: octavia-api
start_order: 4
init_config_overrides: "{{ octavia_api_init_overrides }}"
wsgi_app: True
wsgi_name: octavia-wsgi
uwsgi_overrides: "{{ octavia_api_uwsgi_ini_overrides }}"
uwsgi_port: "{{ octavia_service_port }}"
uwsgi_bind_address: "{{ octavia_uwsgi_bind_address }}"
uwsgi_tls: "{{ octavia_backend_ssl | ternary(octavia_uwsgi_tls, {}) }}"
octavia-worker:
group: octavia-worker
service_name: octavia-worker
start_order: 1
init_config_overrides: "{{ octavia_worker_init_overrides }}"
execstarts: "{{ octavia_bin }}/octavia-worker"
execreloads: "/bin/kill -HUP $MAINPID"
octavia-housekeeping:
group: octavia-housekeeping
service_name: octavia-housekeeping
start_order: 3
init_config_overrides: "{{ octavia_housekeeping_init_overrides }}"
execstarts: "{{ octavia_bin }}/octavia-housekeeping"
execreloads: "/bin/kill -HUP $MAINPID"
octavia-health-manager:
group: octavia-health-manager
service_name: octavia-health-manager
start_order: 2
init_config_overrides: "{{ octavia_health_manager_init_overrides }}"
execstarts: "{{ octavia_bin }}/octavia-health-manager"
execreloads: "/bin/kill -HUP $MAINPID"
octavia-driver-agent:
group: octavia-api
service_name: octavia-driver-agent
service_en: "{{ octavia_ovn_enabled }}"
start_order: 5
init_config_overrides: "{{ octavia_driver_agent_init_overrides }}"
execstarts: "{{ octavia_bin }}/octavia-driver-agent --config-file /etc/octavia/octavia.conf"
execreloads: "/bin/kill -HUP $MAINPID"
# Required secrets for the role
octavia_required_secrets:
- keystone_auth_admin_password
- octavia_container_mysql_password
- octavia_oslomsg_rpc_password
- octavia_oslomsg_notify_password
- octavia_service_password
- memcached_encryption_key
## Octavia configs
# Load balancer topology options are SINGLE, ACTIVE_STANDBY
octavia_loadbalancer_topology: ACTIVE_STANDBY
# Image tag for the amphora image in glance
octavia_glance_image_tag: octavia-amphora-image
# add here the id of the image owner to avoid faked images being used
octavia_amp_image_owner_id:
# download the image from an artefact server
# Note: The default is the Octavia test image so don't use that in prod
octavia_download_artefact: True
# The URL to download from
octavia_artefact_url: http://tarballs.openstack.org/octavia/test-images/test-only-amphora-x64-haproxy-ubuntu-focal.qcow2
# Set the directory where the downloaded image will be stored
# on the octavia_service_setup_host host. If the host is localhost,
# then the user running the playbook must have access to it.
octavia_amp_image_path: "{{ lookup('env', 'HOME') }}/openstack-ansible/octavia"
octavia_amp_image_path_owner: "{{ lookup('env', 'USER') }}"
# enable uploading image to glance automatically
octavia_amp_image_upload_enabled: "{{ octavia_download_artefact }}"
octavia_amp_image_resource:
- name: amphora-x64-haproxy
url: "{{ octavia_artefact_url }}"
# Image checksum is required for rotating old images
# checksum:
disk_format: qcow2
keep_copies: 1
tags:
- "{{ octavia_glance_image_tag }}"
owner: "{{ octavia_service_project_name }}"
owner_domain: "{{ octavia_service_project_domain_id }}"
image_download_path: "{{ octavia_amp_image_path }}"
# Name of the Octavia security group
octavia_security_group_name: octavia_sec_grp
# Restrict access to only authorized hosts
octavia_security_group_rule_cidr: "{{ octavia_management_net_subnet_cidr }}"
# ssh enabled - switch to True if you need ssh access to the amphora
octavia_ssh_enabled: False
octavia_ssh_key_name: octavia_key
# port the agent listens on
octavia_agent_port: "9443"
octavia_health_manager_port: 5555
# Octavia Nova flavor
octavia_amp_flavor_name: "m1.amphora"
octavia_amp_ram: 1024
octavia_amp_vcpu: 1
octavia_amp_disk: 20
# octavia_amp_extra_specs:
# only increase when it's a really busy system since this is by deployed host,
# e.g. 3 hosts, 5 workers (this param) per host, results in 15 worker total
octavia_task_flow_max_workers: 5
# Enable provisioning status sync with neutron db
octavia_sync_provisioning_status: False
# this controls if Octavia should add an anti-affinity hint to make sure
# two amphora are not placed pn the same host (the most common setup of
# ant affinity features in Nova).
octavia_enable_anti_affinity: True
# Some installations put hardware more suited for load balancing in special
# availability zones. This allows to target a specific availability zone
# for amphora creation
octavia_amp_availability_zone: nova
# List of haproxy template files to copy from deployment host to octavia hosts
# octavia_user_haproxy_templates:
# - src: "/etc/openstack_deploy/octavia/haproxy_templates/base.cfg.j2"
# dest: "/etc/octavia/templates/base.cfg.j2"
# - src: "/etc/openstack_deploy/octavia/haproxy_templates/haproxy.cfg.j2"
# dest: "/etc/octavia/templates/haproxy.cfg.j2"
# - src: "/etc/openstack_deploy/octavia/haproxy_templates/macros.cfg.j2"
# dest: "/etc/octavia/templates/macros.cfg.j2"
octavia_user_haproxy_templates: {}
# Path of custom haproxy template file
# octavia_haproxy_amphora_template: /etc/octavia/templates/haproxy.cfg.j2
# Name of the Octavia management network in Neutron
octavia_neutron_management_network_name: lbaas-mgmt
# Name of the Neutron provider net in the system (flat, vlan, ...)
octavia_provider_network_name: lbaas
# Network type
octavia_provider_network_type: flat
# Network segmentation ID if vlan, gre...
# octavia_provider_segmentation_id:
# Network CIDR
octavia_management_net_subnet_cidr: 172.29.232.0/22
# Example allocation range:
# octavia_management_net_subnet_allocation_pools: "172.29.232.10-172.29.235.200"
octavia_management_net_subnet_allocation_pools: ""
# Do we require the Neutron DHCP server
octavia_management_net_dhcp: "True"
# Should Octavia set up the network and subnet?
octavia_service_net_setup: True
# This should match net_name from provider_networks structure in openstack_user_config
octavia_provider_inventory_net_name: "{{ octavia_provider_network_name }}"
# This gets container managment network structure based on octavia_provider_inventory_net_name
octavia_provider_network: >-
{{ provider_networks | map(attribute='network') | selectattr('net_name', 'defined') | selectattr(
'net_name', 'equalto', octavia_provider_inventory_net_name) | list | first
}}
# The name of the network address pool
octavia_container_network_name: "{{ octavia_provider_network['ip_from_q'] }}_address"
octavia_hm_group: "octavia-health-manager"
# Note: We use some heuristics here but if you do anything special make sure to use the
# ip addresses on the right network. This will use the container networking to figure out the ip
octavia_hm_hosts: >-
{% for host in groups[octavia_hm_group] %}{{ hostvars[host]['container_networks'][octavia_container_network_name]['address'] }}{%
if not loop.last %},{% endif %}{% endfor %}
# Set this to the right container port aka the eth you connect to the octavia
# management network
octavia_container_interface: "{{ octavia_provider_network.container_interface }}"
# Set this to true to drop the iptables rules
octavia_ip_tables_fw: True
# The iptable rules
octavia_iptables_rules:
- # Allow icmp
chain: INPUT
protocol: icmp
ctstate: NEW
icmp_type: 8
jump: ACCEPT
- # Allow existing connections:
chain: INPUT
in_interface: "{{ octavia_container_interface }}"
ctstate: RELATED,ESTABLISHED
jump: ACCEPT
- # Allow heartbeat:
chain: INPUT
in_interface: "{{ octavia_container_interface }}"
protocol: udp
destination_port: "{{ octavia_health_manager_port }}"
jump: ACCEPT
- # Reject INPUT:
chain: INPUT
in_interface: "{{ octavia_container_interface }}"
reject_with: icmp-port-unreachable
- # Reject FORWARD:
chain: FORWARD
in_interface: "{{ octavia_container_interface }}"
reject_with: icmp-port-unreachable
- # Allow icmp6
chain: INPUT
protocol: icmpv6
jump: ACCEPT
ip_version: ipv6
- # Allow existing connections
chain: INPUT
in_interface: "{{ octavia_container_interface }}"
ctstate: RELATED,ESTABLISHED
jump: ACCEPT
ip_version: ipv6
- # Allow heartbeat
chain: INPUT
in_interface: "{{ octavia_container_interface }}"
protocol: udp
destination_port: "{{ octavia_health_manager_port }}"
jump: ACCEPT
ip_version: ipv6
- # Reject INPUT
chain: INPUT
in_interface: "{{ octavia_container_interface }}"
reject_with: icmp6-port-unreachable
ip_version: ipv6
- # Reject FORWARD
chain: FORWARD
in_interface: "{{ octavia_container_interface }}"
reject_with: icmp6-port-unreachable
ip_version: ipv6
# uWSGI Settings
octavia_wsgi_processes_max: 16
octavia_wsgi_processes: >-
{{ [[(ansible_facts['processor_vcpus'] // ansible_facts['processor_threads_per_core']) | default(1), 1] | max * 2, octavia_wsgi_processes_max] | min }}
octavia_wsgi_threads: 1
octavia_uwsgi_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
octavia_uwsgi_tls:
crt: "{{ octavia_api_ssl_cert }}"
key: "{{ octavia_api_ssl_key }}"
# Set up the drivers
# Provider agents are optional and not required for a successful Octavia provider driver
# Possible options: amphora_agent, noop_agent, ovn
octavia_enabled_provider_agents:
- "{{ (octavia_ovn_enabled | bool) | ternary('ovn', None) }}"
octavia_enabled_provider_drivers:
- "amphorav2:'The Octavia Amphora v2 driver.'"
- "{{ (octavia_ovn_enabled | bool) | ternary(\"ovn:'The Octavia OVN provider driver.'\", False) }}"
octavia_default_provider_driver: "amphorav2"
octavia_amphora_driver: amphora_haproxy_rest_driver
octavia_compute_driver: compute_nova_driver
octavia_network_driver: allowed_address_pairs_driver
# OVN Defaults
octavia_ovn_enabled: "{{ neutron_plugin_type | default('ml2.ovn') == 'ml2.ovn' }}"
octavia_ovn_ssl: "{{ neutron_ovn_ssl | default(True) }}"
octavia_ovn_proto: "{{ (octavia_ovn_ssl) | ternary('ssl', 'tcp') }}"
octavia_ovn_nb_connection: >-
{{ octavia_ovn_proto }}:{{ groups['neutron_ovn_northd'] | map('extract', hostvars, ['ansible_host']) | join(':6641,' + octavia_ovn_proto + ':') }}:6641
octavia_ovn_sb_connection: >-
{{ octavia_ovn_proto }}:{{ groups['neutron_ovn_northd'] | map('extract', hostvars, ['ansible_host']) | join(':6642,' + octavia_ovn_proto + ':') }}:6642
#
# Certificate generation
#
# Set the host which will execute the openssl_* modules
# for the certificate generation. The host must already
# have access to pyOpenSSL.
octavia_cert_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
# Set the directory where the certificates will be stored
# on the above host. If the host is localhost, then the user
# running the playbook must have access to it.
octavia_cert_dir: "{{ openstack_pki_dir | default(lookup('env', 'HOME') ~ '/openstack-ansible') }}"
octavia_cert_keys_dir: "{{ octavia_cert_dir }}/certs/private/"
octavia_cert_certs_dir: "{{ octavia_cert_dir }}/certs/certs/"
octavia_cert_dir_owner: "{{ lookup('env', 'USER') }}"
octavia_cert_dest_dir: "/etc/octavia/certs"
octavia_cert_client_req_common_name: 'www.example.com' # change this to something more real
octavia_cert_client_req_country_name: 'US'
octavia_cert_client_req_state_or_province_name: 'Denial'
octavia_cert_client_req_locality_name: 'Nowhere'
octavia_cert_client_req_organization_name: 'Dis'
octavia_cert_validity_days: 1825 # 5 years
octavia_generate_certs: True # generate self signed client certs
octavia_generate_client_cert: True
octavia_generate_ca: True
octavia_regenerate_client_cert: ''
octavia_regenerate_ca: ''
# OVN server certificate
# The local address used for the ovn certificate
octavia_ovn_node_address: "{{ management_address | default('127.0.0.1') }}"
# OVN destination files for SSL certificates
octavia_ovn_pki_intermediate_cert_name: "{{ octavia_api_intermediate_cert_name }}"
octavia_ovn_pki_intermediate_chain_path: >-
{{ octavia_cert_dir ~ '/roots/' ~ octavia_ovn_pki_intermediate_cert_name ~ '/certs/' ~ octavia_ovn_pki_intermediate_cert_name ~ '-chain.crt' }}
octavia_ovn_ssl_cert: "octavia_ovn.pem"
octavia_ovn_ssl_key: "octavia_ovn.key"
octavia_ovn_ssl_ca_cert: "octavia_ovn-ca.pem"
octavia_cert_authorities:
- name: "OctaviaServerRoot"
country: "{{ octavia_cert_client_req_country_name }}"
state_or_province_name: "{{ octavia_cert_client_req_state_or_province_name }}"
organization_name: "{{ octavia_cert_client_req_organization_name }}"
locality_name: "{{ octavia_cert_client_req_locality_name }}"
cn: "Octavia Server CA"
provider: selfsigned
basic_constraints: "CA:TRUE"
key_passphrase: "{{ octavia_ca_private_key_passphrase }}"
key_usage:
- digitalSignature
- cRLSign
- keyCertSign
not_after: "+{{ octavia_cert_validity_days }}d"
- name: "OctaviaClientRoot"
country: "{{ octavia_cert_client_req_country_name }}"
state_or_province_name: "{{ octavia_cert_client_req_state_or_province_name }}"
organization_name: "{{ octavia_cert_client_req_organization_name }}"
locality_name: "{{ octavia_cert_client_req_locality_name }}"
cn: "Octavia Client CA"
provider: selfsigned
basic_constraints: "CA:TRUE"
key_passphrase: "{{ octavia_cert_client_password }}"
key_usage:
- digitalSignature
- cRLSign
- keyCertSign
not_after: "+{{ octavia_cert_validity_days }}d"
octavia_cert_certificates:
# Communication between haproxy and octavia API
- name: "octavia-api_{{ ansible_facts['hostname'] }}"
provider: ownca
cn: "{{ ansible_facts['hostname'] }}"
san: "{{ octavia_api_cert_san }}"
signed_by: "{{ octavia_api_intermediate_cert_name }}"
condition: "{{ octavia_backend_ssl | bool }}"
# Communication between octavia control plane and amphoras
- name: "octavia_client"
provider: ownca
cn: "{{ octavia_cert_client_req_common_name }}"
signed_by: "OctaviaClientRoot"
ownca_key_passphrase: "{{ octavia_cert_client_password }}"
key_usage:
- nonRepudiation
- digitalSignature
- keyEncipherment
extended_key_usage:
- clientAuth
- emailProtection
condition: "{{ octavia_generate_certs | bool }}"
# OVN NB/SB communication
- name: "octavia_ovn_{{ ansible_facts['hostname'] }}"
provider: ownca
cn: "{{ ansible_facts['hostname'] }}"
san: "{{ 'DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ octavia_ovn_node_address }}"
signed_by: "{{ octavia_ovn_pki_intermediate_cert_name }}"
condition: "{{ (octavia_ovn_ssl and octavia_ovn_enabled) }}"
# Installation details for SSL certificates
octavia_cert_install_certificates:
# Communication between haproxy and octavia API
- src: "{{ octavia_api_user_ssl_cert | default(octavia_cert_certs_dir ~ 'octavia-api_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
dest: "{{ octavia_api_ssl_cert }}"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_user_name }}"
mode: "0644"
condition: "{{ octavia_backend_ssl | bool }}"
- src: "{{ octavia_api_user_ssl_key | default(octavia_cert_keys_dir ~ 'octavia-api_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
dest: "{{ octavia_api_ssl_key }}"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_user_name }}"
mode: "0600"
condition: "{{ octavia_backend_ssl | bool }}"
# Server CA
- src: "{{ octavia_ca_certificate | default(octavia_cert_dir ~ '/roots/OctaviaServerRoot/certs/OctaviaServerRoot.crt') }}"
dest: "{{ octavia_cert_dest_dir }}/server_ca.pem"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0640"
condition: "{{ octavia_generate_certs | bool }}"
- src: "{{ octavia_ca_private_key | default(octavia_cert_dir ~ '/roots/OctaviaServerRoot/private/OctaviaServerRoot.key.pem') }}"
dest: "{{ octavia_cert_dest_dir }}/ca_key.pem"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0640"
condition: "{{ octavia_generate_certs | bool }}"
# Client CA
- src: "{{ octavia_client_ca | default(octavia_cert_dir ~ '/roots/OctaviaClientRoot/certs/OctaviaClientRoot.crt') }}"
dest: "{{ octavia_cert_dest_dir }}/client_ca.pem"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0640"
condition: "{{ octavia_generate_certs | bool }}"
# Client certificate
- src: "{{ octavia_client_cert | default(octavia_cert_certs_dir ~ '/octavia_client.crt') }}"
dest: "{{ octavia_cert_dest_dir }}/client.pem.crt"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0640"
condition: "{{ octavia_generate_certs | bool }}"
- src: "{{ octavia_client_key | default(octavia_cert_keys_dir ~ '/octavia_client.key.pem') }}"
dest: "{{ octavia_cert_dest_dir }}/client.pem.key"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0640"
condition: "{{ octavia_generate_certs | bool }}"
# OVN certificates
- src: "{{ octavia_ovn_user_ssl_cert | default(octavia_cert_certs_dir ~ 'octavia_ovn_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
dest: "{{ [octavia_cert_dest_dir, octavia_ovn_ssl_cert] | join('/') }}"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0644"
condition: "{{ (octavia_ovn_ssl and octavia_ovn_enabled) }}"
- src: "{{ octavia_ovn_user_ssl_key | default(octavia_cert_keys_dir ~ 'octavia_ovn_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
dest: "{{ [octavia_cert_dest_dir, octavia_ovn_ssl_key] | join('/') }}"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0600"
condition: "{{ (octavia_ovn_ssl and octavia_ovn_enabled) }}"
- src: "{{ octavia_ovn_user_ssl_ca_cert | default(octavia_ovn_pki_intermediate_chain_path) }}"
dest: "{{ [octavia_cert_dest_dir, octavia_ovn_ssl_ca_cert] | join('/') }}"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0644"
condition: "{{ (octavia_ovn_ssl and octavia_ovn_enabled) }}"
# Custom client CA
# octavia_client_ca: "{{ octavia_cert_dir }}/ca_01.pem"
## Custom client certs
# octavia_client_cert: "{{ octavia_cert_dir }}/client.pem"
# octavia_client_key: "{{ octavia_cert_dir }}/client.key.pem"
## server
# octavia_server_ca: "{{ octavia_ca_certificate }}"
## ca certs
# octavia_ca_private_key: "{{ octavia_cert_dir }}/private/cakey.pem"
octavia_ca_private_key_passphrase: "{{ octavia_cert_client_password }}"
# octavia_ca_certificate: "{{ octavia_cert_dir }}/ca_server_01.pem"
# Custom OVN certs
# octavia_ovnnb_user_ssl_cert: <path to cert on ansible deployment host>
# octavia_ovnnb_user_ssl_key: <path to cert on ansible deployment host>
# octavia_ovnsb_user_ssl_cert: <path to cert on ansible deployment host>
# octavia_ovnsb_user_ssl_key: <path to cert on ansible deployment host>
# Quotas for the Octavia user - assuming active/passive topology
octavia_num_instances: 10000 # 5000 LB in active/passive
octavia_ram: "{{ (octavia_num_instances | int) * 1024 }}"
octavia_num_server_groups: "{{ ((octavia_num_instances | int) * 0.5) | int | abs }}"
octavia_num_server_group_members: 50
octavia_num_cores: "{{ octavia_num_instances }}"
octavia_num_secgroups: "{{ (octavia_num_instances | int) * 1.5 | int | abs }}" # average 3 listener per lb
octavia_num_ports: "{{ (octavia_num_instances | int) * 10 }}" # at least instances * 10
octavia_num_security_group_rules: "{{ (octavia_num_secgroups | int) * 100 }}"
## Tunable overrides
octavia_octavia_conf_overrides: {}
octavia_api_paste_ini_overrides: {}
octavia_policy_overrides: {}
octavia_api_uwsgi_ini_overrides: {}
###
### Backend TLS
###
# Define if communication between haproxy and service backends should be
# encrypted with TLS.
octavia_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
# octavia server certificate
octavia_api_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
octavia_api_cert_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
# octavia destination files for SSL certificates
octavia_api_ssl_cert: "{{ octavia_cert_dest_dir }}/octavia-api.pem"
octavia_api_ssl_key: "{{ octavia_cert_dest_dir }}/octavia-api.key"
# Define user-provided SSL certificates
# octavia_api_user_ssl_cert: <path to cert on ansible deployment host>
# octavia_api_user_ssl_key: <path to cert on ansible deployment host>
View Git Blame Copy Permalink