Import octavia roles and playbooks from tripleo-common

This change imports all of the octavia playbooks and roles from
`tripleo-common/playbooks/`. This change ensures all of the resources
imported are meeting the required lint checks for import and structures
the roles such that they'll automatically be installed in the
`usr/share/ansible/roles/` path making them available to the rest of
the tripleo ecosystem.

Change-Id: Ib4ff59a4c372f95cc7a183e8ef724bb1cbf72fed
Signed-off-by: Kevin Carter <kecarter@redhat.com>

tripleo_ansible/playbooks/octavia-files.yaml

@@ -0,0 +1,95 @@
+---
+- hosts: Undercloud[0]
+  remote_user: stack
+  gather_facts: true
+  vars:
+    amp_ssh_key_name: "{{ amp_ssh_key_name }}"
+    amp_ssh_key_path: "{{ amp_ssh_key_path }}"
+    amp_ssh_key_data: "{{ amp_ssh_key_data }}"
+    amp_to_raw: "{{ amp_to_raw | bool }}"
+    auth_username: "{{ auth_username }}"
+    auth_password: "{{ auth_password }}"
+    auth_project_name: "{{ auth_project_name }}"
+  environment:
+    OS_USERNAME: "{{ os_username }}"
+    OS_USER_DOMAIN_NAME: "Default"
+    OS_PROJECT_DOMAIN_NAME: "Default"
+    NOVA_VERSION: "1.1"
+    OS_PROJECT_NAME: "{{ os_project_name }}"
+    OS_PASSWORD: "{{ os_password }}"
+    COMPUTE_API_VERSION: "1.1"
+    OS_CLOUDNAME: "overcloud"
+    OS_AUTH_URL: "{{ os_auth_url }}"
+    OS_IDENTITY_API_VERSION: "{{ os_identity_api_version }}"
+    OS_IMAGE_API_VERSION: "2"
+    OS_AUTH_TYPE: "{{ os_auth_type }}"
+  roles:
+    - octavia-undercloud
+
+- hosts: octavia_nodes[0]
+  gather_facts: true
+  vars:
+    generate_certs: "{{ generate_certs }}"
+    octavia_confd_prefix: "/var/lib/config-data/puppet-generated/octavia"
+    openssl_temp_dir: "/tmp/octavia-ssl"
+    ca_cert_path: "{{ ca_cert_path }}"
+    ca_private_key_path: "{{ ca_private_key_path }}"
+    ca_passphrase: "{{ ca_passphrase }}"
+    client_cert_path: "{{ client_cert_path }}"
+    auth_project_name: "{{ auth_project_name }}"
+    auth_username: "{{ auth_username }}"
+    auth_password: "{{ auth_password }}"
+  environment:
+    OS_USERNAME: "{{ os_username }}"
+    OS_USER_DOMAIN_NAME: "Default"
+    OS_PROJECT_DOMAIN_NAME: "Default"
+    NOVA_VERSION: "1.1"
+    OS_PROJECT_NAME: "{{ os_project_name }}"
+    OS_PASSWORD: "{{ os_password }}"
+    COMPUTE_API_VERSION: "1.1"
+    OS_CLOUDNAME: "overcloud"
+    OS_AUTH_URL: "{{ os_auth_url }}"
+    OS_IDENTITY_API_VERSION: "{{ os_identity_api_version }}"
+    OS_IMAGE_API_VERSION: "2"
+    OS_AUTH_TYPE: "{{ os_auth_type }}"
+  roles:
+    - octavia-overcloud-config
+
+- hosts: octavia_nodes
+  gather_facts: true
+  vars:
+    octavia_confd_prefix: "/var/lib/config-data/puppet-generated/octavia"
+    lb_mgmt_net_id: "{{ hostvars[groups['octavia_nodes'][0]]['lb_mgmt_net_id'] }}"
+    lb_mgmt_secgroup_id: "{{ hostvars[groups['octavia_nodes'][0]]['lb_mgmt_secgroup_id'] }}"
+    private_key_content: "{{ hostvars[groups['octavia_nodes'][0]]['private_key_content'] }}"
+    ca_cert_content: "{{ hostvars[groups['octavia_nodes'][0]]['ca_cert_content'] }}"
+    service_pem_content: "{{ hostvars[groups['octavia_nodes'][0]]['service_pem_content'] }}"
+    generate_certs: "{{ generate_certs }}"
+    ca_cert_path: "{{ ca_cert_path }}"
+    ca_private_key_path: "{{ ca_private_key_path }}"
+    ca_passphrase: "{{ ca_passphrase }}"
+    client_cert_path: "{{ client_cert_path }}"
+    auth_project_name: "{{ auth_project_name }}"
+  environment:
+    OS_USERNAME: "{{ os_username }}"
+    OS_USER_DOMAIN_NAME: "Default"
+    OS_PROJECT_DOMAIN_NAME: "Default"
+    NOVA_VERSION: "1.1"
+    OS_PROJECT_NAME: "{{ os_project_name }}"
+    OS_PASSWORD: "{{ os_password }}"
+    COMPUTE_API_VERSION: "1.1"
+    OS_CLOUDNAME: "overcloud"
+    OS_AUTH_URL: "{{ os_auth_url }}"
+    OS_IDENTITY_API_VERSION: "{{ os_identity_api_version }}"
+    OS_IMAGE_API_VERSION: "2"
+    OS_AUTH_TYPE: "{{ os_auth_type }}"
+  roles:
+    - octavia-controller-config
+
+- hosts: octavia_nodes
+  gather_facts: true
+  vars:
+    octavia_confd_prefix: "/var/lib/config-data/puppet-generated/octavia"
+    container_cli: "{{ container_cli }}"
+  roles:
+    - octavia-controller-post-config

tripleo_ansible/playbooks/rotate-keys.yaml

@@ -0,0 +1,75 @@
+---
+- hosts: keystone
+  tasks:
+  - name: Check for containerized keystone fernet repository
+    stat:
+      path: /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys/
+    register: containerized_keystone_dir
+
+  - name: populate service facts
+    service_facts:
+
+  - name: Set container facts
+    set_fact:
+      is_container: containerized_keystone_dir.stat.isdir is defined and containerized_keystone_dir.stat.isdir
+      podman_enabled: '"tripleo_keystone.service" in ansible_facts.services'
+
+  - name: Rotate fernet keys for keystone container
+    block:
+      - name: Set keystone facts
+        set_fact:
+          keystone_base: /var/lib/config-data/puppet-generated/keystone
+
+      - name: Remove previous fernet keys
+        shell: rm -rf /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys/*
+        args:
+          warn: false
+
+      - name: Persist fernet keys to repository
+        copy:
+          dest: "{{ keystone_base }}{{ item.key }}"
+          content: "{{ item.value.content }}"
+          mode: 0600
+        with_dict: "{{ fernet_keys }}"
+        no_log: true
+
+      - name: Set permissions to match container's user
+        shell: chown --reference={{ keystone_base }}/etc/keystone/fernet-keys {{ keystone_base }}{{ item.key }}
+        with_dict: "{{ fernet_keys }}"
+        no_log: true
+
+      - name: Restart keystone container with docker
+        shell: docker restart keystone
+        when: not podman_enabled
+
+      - name: Restart keystone container
+        service:
+          name: tripleo_keystone
+          state: restarted
+        when: podman_enabled
+    when:
+      - is_container | bool
+
+  - name: Rotate fernet keys for keystone (no container)
+    block:
+      - name: Remove previous fernet keys
+        shell: rm -rf /etc/keystone/fernet-keys/*
+        args:
+          warn: false
+
+      - name: Persist fernet keys to repository
+        copy:
+          dest: "{{ item.key }}"
+          content: "{{ item.value.content }}"
+          mode: 0600
+          owner: keystone
+          group: keystone
+        with_dict: "{{ fernet_keys }}"
+        no_log: true
+
+      - name: Reload apache
+        service:
+          name: httpd
+          state: reloaded
+    when:
+      - not (is_container | bool)

tripleo_ansible/playbooks/swift_ring_rebalance.yaml

@@ -0,0 +1,129 @@
+---
+
+- name: Update Swift rings
+  hosts: swift_storage,swift_proxy
+  gather_facts: false
+  any_errors_fatal: true
+  max_fail_percentage: 0
+  vars:
+    base_directory: "/var/lib/config-data/puppet-generated/swift/"
+    rebalance_is_safe: false
+  environment:
+    OS_STORAGE_URL: "{{ hostvars.localhost.undercloud_swift_url }}"
+    OS_AUTH_TOKEN: "{{ hostvars.localhost.os_auth_token }}"
+  tasks:
+    - name: Get reference ring checksum
+      run_once: true
+      block:
+        - name: Ensure /tmp/swift-rings directory exists
+          file: path=/tmp/swift-rings state=directory
+
+        - name: Fetch Swift rings from undercloud
+          command: swift --insecure download -o /tmp/swift-rings.tar.gz overcloud-swift-rings swift-rings.tar.gz
+
+        - name: Extract Swift rings
+          unarchive:
+            src: /tmp/swift-rings.tar.gz
+            dest: /tmp/swift-rings
+            remote_src: true
+
+        - name: Get reference ring checksum
+          stat:
+            path: /tmp/swift-rings/etc/swift/object.ring.gz
+          register: result_reference
+
+    - name: Get file attributes of object rings
+      stat:
+        path: "{{ base_directory }}/etc/swift/object.ring.gz"
+      register: result
+
+    - name: Abort playbook run if consistency check fails
+      fail:
+        msg: "object.ring.gz does not match reference checksum"
+      when:
+        - (result.stat.exists | bool)
+        - (result_reference.stat.exists | bool)
+        - (result_reference.stat.checksum != result.stat.checksum)
+
+    - name: Deploy missing Swift rings
+      when:
+        - not (result.stat.exists | bool)
+      block:
+        - name: Fetch missing Swift rings from undercloud
+          command: swift --insecure download -o /tmp/swift-rings.tar.gz overcloud-swift-rings swift-rings.tar.gz
+
+        - name: Extract missing Swift rings
+          unarchive:
+            src: /tmp/swift-rings.tar.gz
+            dest: /{{ base_directory }}
+            remote_src: true
+          become: true
+
+    - name: Get recon data
+      command: cat /var/cache/swift/object.recon
+      register: recon
+      become: true
+
+    - name: Check if it is safe to continue rebalancing
+      set_fact:
+        rebalance_is_safe: true
+      when:
+        - (result.stat.exists | bool)
+        - ((recon.stdout | from_json).object_replication_last | int) > ((result.stat.mtime) | int)
+
+    - name: Show warning and stop playbook run if unsafe
+      debug:
+        msg: "Rebalancing is unsafe at the moment, stopping. Please try again later"
+      when:
+        - not (rebalance_is_safe | bool)
+
+    # We exit here in case there is at least one host that fails the above check
+    - meta: end_play
+      when:
+        - not (rebalance_is_safe | bool)
+
+    - name: Rebalance Swift rings
+      run_once: true
+      block:
+        - name: Ensure /tmp/swift-rings directory exists
+          file: path=/tmp/swift-rings state=directory
+
+        - name: Fetch Swift rings from undercloud
+          command: swift --insecure download -o /tmp/swift-rings.tar.gz overcloud-swift-rings swift-rings.tar.gz
+
+        - name: Extract Swift rings
+          unarchive:
+            src: /tmp/swift-rings.tar.gz
+            dest: /tmp/swift-rings
+            remote_src: true
+
+        # Can't use with_fileglob (see https://github.com/ansible/ansible/issues/17136)
+        - name: Rebalance Swift rings
+          command: swift-ring-builder /tmp/swift-rings/etc/swift/{{ item }} rebalance
+          with_items:
+            - object.builder
+            - container.builder
+            - account.builder
+          failed_when: result.rc > 1
+          register: result
+
+        - name: Create Swift ring archive
+          archive:
+            path:
+              - "/tmp/swift-rings/etc"
+            dest: /tmp/swift-rings.tar.gz
+
+        - name: Copy Swift rings to the undercloud
+          command: swift --insecure upload --object-name swift-rings.tar.gz overcloud-swift-rings /tmp/swift-rings.tar.gz
+
+    - name: Update Swift rings on all nodes
+      block:
+        - name: Fetch Swift rings from undercloud
+          command: swift --insecure download -o /tmp/swift-rings.tar.gz overcloud-swift-rings swift-rings.tar.gz
+
+        - name: Extract Swift rings
+          unarchive:
+            src: /tmp/swift-rings.tar.gz
+            dest: /{{ base_directory }}
+            remote_src: true
+          become: true

tripleo_ansible/roles/octavia-controller-config/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+
+- name: octavia config updated
+  set_fact:
+    octavia_config_updated: true

tripleo_ansible/roles/octavia-controller-config/meta/main.yml

@@ -0,0 +1,45 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+galaxy_info:
+  author: OpenStack
+  description: TripleO OpenStack Role -- octavia-controller-config
+  company: Red Hat
+  license: Apache-2.0
+  min_ansible_version: 2.7
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  platforms:
+    - name: Fedora
+      versions:
+        - 28
+    - name: CentOS
+      versions:
+        - 7
+
+  galaxy_tags:
+    - tripleo
+
+
+# List your role dependencies here, one per line. Be sure to remove the '[]' above,
+# if you add dependencies to this list.
+dependencies:
+  - octavia_common

tripleo_ansible/roles/octavia-controller-config/tasks/certificate.yml

@@ -0,0 +1,27 @@
+---
+
+- name: making sure octavia worker configuration directory exists
+  file:
+    path: "{{ octavia_confd_prefix }}{{ ca_private_key_path | dirname }}"
+    state: directory
+    selevel: s0
+    setype: svirt_sandbox_file_t
+  become: true
+
+- name: Copying key info to octavia
+  become: true
+  copy:
+    content: "{{ item.content }}"
+    dest: "{{ octavia_confd_prefix }}/{{ item.path }}"
+    selevel: s0
+    setype: svirt_sandbox_file_t
+  no_log: true
+  loop:
+    - content: "{{ private_key_content }}"
+      path: "{{ ca_private_key_path }}"
+    - content: "{{ ca_cert_content }}"
+      path: "{{ ca_cert_path }}"
+    - content: "{{ service_pem_content }}"
+      path: "{{ client_cert_path }}"
+  notify:
+    - octavia config updated

tripleo_ansible/roles/octavia-controller-config/tasks/main.yml

@@ -0,0 +1,23 @@
+---
+
+- name: Set node name fact
+  set_fact:
+    node_hostname: "{{ ansible_hostname }}"
+
+- include_tasks: certificate.yml
+  when:
+    - generate_certs | bool
+
+- include_tasks: netport.yml
+
+- include_tasks: netinterface.yml
+
+- name: making sure octavia common configuration directory exists
+  file:
+    path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/common"
+    state: directory
+    selevel: s0
+    setype: svirt_sandbox_file_t
+  become: true
+
+- include_tasks: octavia.yml

tripleo_ansible/roles/octavia-controller-config/tasks/netinterface.yml

@@ -0,0 +1,22 @@
+---
+- name: create br-int interface file
+  become: true
+  become_user: root
+  template:
+    dest: "/etc/sysconfig/network-scripts/ifcfg-br-int"
+    src: "ifcfg-br-int.j2"
+    force: false
+
+- name: create octavia management interface
+  become: true
+  become_user: root
+  template:
+    dest: "/etc/sysconfig/network-scripts/ifcfg-{{ mgmt_port_dev }}"
+    src: "ifcfg.j2"
+
+- name: Bring the management port interface up
+  become: true
+  become_user: root
+  command: "ifup {{ mgmt_port_dev }}"
+  notify:
+    - octavia config updated

tripleo_ansible/roles/octavia-controller-config/tasks/netport.yml

@@ -0,0 +1,77 @@
+---
+- name: create management port
+  shell: |-
+    set -o pipefail
+    port_id="$(openstack port show octavia-health-manager-{{ node_hostname }}-listen-port -f value -c id 2> /dev/null)"
+    if [[ -z "${port_id}" ]]; then
+      neutron port-create {{ lb_mgmt_net_name }} --binding:host_id={{ node_hostname }} \
+                                                 --no-security-groups \
+                                                 --port-security-enabled=False \
+                                                 --device-owner Octavia:health-mgr \
+                                                 --name octavia-health-manager-{{ node_hostname }}-listen-port \
+                                                 -f value \
+                                                 -c id
+    fi
+  register: out_mgmt_port
+  changed_when: (out_mgmt_port.stdout | length) > 0
+  notify:
+    - octavia config updated
+
+- name: getting management port
+  shell: |
+    openstack port show octavia-health-manager-{{ node_hostname }}-listen-port -f value -c id
+  register: out_mgmt_port_id
+  changed_when: false
+
+- name: setting fact for management network controller port ID
+  set_fact:
+    mgmt_port_id: "{{ out_mgmt_port_id.stdout }}"
+
+- name: get management port mac
+  shell: |
+    openstack port show {{ mgmt_port_id }} -f value -c mac_address
+  register: out_mgmt_port_mac
+  changed_when: false
+
+- name: setting fact for management network controller port MAC
+  set_fact:
+    mgmt_port_mac: "{{ out_mgmt_port_mac.stdout }}"
+
+- name: get management port ip
+  shell: |
+    set -o pipefail
+    openstack port show {{ mgmt_port_id }} -f value -c fixed_ips | cut -f1 -d, | cut -f2 -d= | tr -d "'"
+  register: out_mgmt_port_ip
+  changed_when: false
+
+- name: setting fact for management network controller port IP
+  set_fact:
+    mgmt_port_ip: "{{ out_mgmt_port_ip.stdout }}"
+
+- name: get management port net mask
+  shell: |
+    set -o pipefail
+    subnet_id=$(openstack port show {{ mgmt_port_id }} -f value -c fixed_ips  | cut -f2 -d, | cut -f2 -d= | tr -d "'" 2> /dev/null)
+    openstack subnet show $subnet_id -f value -c cidr 2> /dev/null
+  register: out_mgmt_subnet_cidr
+
+- name: setting fact for management subnet cidr
+  set_fact:
+    mgmt_subnet_cidr: "{{ out_mgmt_subnet_cidr.stdout }}"
+
+- name: setting fact for management network netmask
+  set_fact:
+    mgmt_port_netmask: "{{ mgmt_subnet_cidr | ipaddr('netmask') }}"
+
+- name: get MTU for managment port
+  shell: |
+    openstack network show {{ lb_mgmt_net_name }} -f value -c mtu
+  register: out_mgmt_port_mtu
+
+- name: setting fact for management port MTU
+  set_fact:
+    mgmt_port_mtu: "{{ out_mgmt_port_mtu.stdout }}"
+
+- name: creating fact for management network health manager controller IP
+  set_fact:
+    o_hm_ip: "{{ mgmt_port_ip }}:5555"

tripleo_ansible/roles/octavia-controller-config/tasks/octavia.yml

@@ -0,0 +1,62 @@
+---
+
+- name: making sure octavia worker configuration directory exists
+  file:
+    path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/octavia-worker"
+    state: directory
+    selevel: s0
+    setype: svirt_sandbox_file_t
+  become: true
+
+- name: setting [controller_worker]/amp_boot_network_list
+  become: true
+  become_user: root
+  ini_file:
+    path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/common/post-deploy.conf"
+    section: controller_worker
+    option: amp_boot_network_list
+    value: "{{ lb_mgmt_net_id }}"
+    selevel: s0
+    setype: svirt_sandbox_file_t
+
+- name: setting [controller_worker]/amp_secgroup_list
+  become: true
+  become_user: root
+  ini_file:
+    path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/common/post-deploy.conf"
+    section: controller_worker
+    option: amp_secgroup_list
+    value: "{{ lb_mgmt_secgroup_id }}"
+    selevel: s0
+    setype: svirt_sandbox_file_t
+
+- name: making sure octavia health manager configuration directory exists
+  file:
+    path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/octavia-health-manager"
+    state: directory
+    selevel: s0
+    setype: svirt_sandbox_file_t
+  become: true
+
+- name: create octavia health manager configuration file
+  become: true
+  become_user: root
+  template:
+    dest: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/octavia-health-manager/manager-post-deploy.conf"
+    src: "manager-post-deploy.conf.j2"
+    selevel: s0
+    setype: svirt_sandbox_file_t
+
+- name: gather facts about the service project
+  shell: |
+    openstack project show "{{ auth_project_name }}" -c id -f value
+  register: project_id_result
+
+- name: setting [controller_worker]/amp_image_owner_id
+  become: true
+  become_user: root
+  ini_file:
+    path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/common/post-deploy.conf"
+    section: controller_worker
+    option: amp_image_owner_id
+    value: "{{ project_id_result.stdout }}"

tripleo_ansible/roles/octavia-controller-config/templates/ifcfg-br-int.j2

@@ -0,0 +1,6 @@
+DEVICETYPE=ovs
+TYPE=OVSBridge
+BOOTPROTO=none
+DEVICE=br-int
+NM_CONTROLLED=no
+ONBOOT=yes

tripleo_ansible/roles/octavia-controller-config/templates/ifcfg.j2

@@ -0,0 +1,19 @@
+TYPE=OVSIntPort
+OVS_BRIDGE=br-int
+DEVICETYPE=ovs
+ONBOOT=yes
+BOOTPROTO=static
+IPV6_AUTOCONF=no
+DEVICE={{ mgmt_port_dev }}
+IPADDR={{ mgmt_port_ip }}
+NETMASK={{ mgmt_port_netmask }}
+NM_CONTROLLED=no
+MACADDR={{ mgmt_port_mac }}
+MTU={{ mgmt_port_mtu }}
+OVS_EXTRA="-- set Interface {{ mgmt_port_dev }} external-ids:iface-status=active \
+           -- set Interface {{ mgmt_port_dev }} external-ids:attached-mac={{ mgmt_port_mac }} \
+           -- set Interface {{ mgmt_port_dev }} external-ids:iface-id={{mgmt_port_id }} \
+           -- set Interface {{ mgmt_port_dev }} external-ids:skip_cleanup=true \
+           -- set Interface {{ mgmt_port_dev }} mac=\"{{ mgmt_port_mac }}\" \
+           -- set Interface {{ mgmt_port_dev }} other-config:hwaddr={{ mgmt_port_mac }}"
+

tripleo_ansible/roles/octavia-controller-config/templates/manager-post-deploy.conf.j2

@@ -0,0 +1,2 @@
+[health_manager]
+bind_ip = {{ mgmt_port_ip }}

tripleo_ansible/roles/octavia-controller-post-config/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+
+octavia_config_updated: false

tripleo_ansible/roles/octavia-controller-post-config/meta/main.yml

@@ -0,0 +1,45 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+galaxy_info:
+  author: OpenStack
+  description: TripleO OpenStack Role -- octavia-overcloud-post-config
+  company: Red Hat
+  license: Apache-2.0
+  min_ansible_version: 2.7
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  platforms:
+    - name: Fedora
+      versions:
+        - 28
+    - name: CentOS
+      versions:
+        - 7
+
+  galaxy_tags:
+    - tripleo
+
+
+# List your role dependencies here, one per line. Be sure to remove the '[]' above,
+# if you add dependencies to this list.
+dependencies:
+  - octavia_common

tripleo_ansible/roles/octavia-controller-post-config/tasks/main.yml

@@ -0,0 +1,57 @@
+---
+
+- name: Show debug information
+  debug:
+    msg: "Octavia services will be restarted because of updated configuration"
+  when:
+    - octavia_config_updated
+
+- name: create ip list
+  set_fact:
+    o_hm_ip_list: "{% for octavia_node in groups['octavia_nodes'] %}{{ hostvars[octavia_node].o_hm_ip }}, {%endfor%}"
+
+- name: create ip list (remove the last two characters)
+  set_fact:
+    o_hm_ip_list: "{{ o_hm_ip_list[:-2] }}"
+
+- name: read the current IP list
+  become: true
+  become_user: root
+  shell: |
+      awk -F '=' -e '/^controller_ip_port_list/ { print $2; }' "{{ octavia_confd_prefix }}/etc/octavia/conf.d/octavia-worker/worker-post-deploy.conf"
+  register: config_contents
+  failed_when: config_contents.rc != 0
+  changed_when: false
+  ignore_errors: true
+
+- name: retrieve current ip list
+  set_fact:
+    current_ip_list: "{{ config_contents.stdout }}"
+
+# This isn't perfect as they execution order will make them not match, but we can avoid a restart
+# if things have stayed the same.
+- name: check if ip list needs updating
+  set_fact:
+    octavia_config_updated: true
+  when:
+    - current_ip_list != o_hm_ip_list
+
+- name: update octavia worker config file
+  become: true
+  become_user: root
+  ini_file:
+    section: "health_manager"
+    option: "controller_ip_port_list"
+    value: "{{ o_hm_ip_list }}"
+    path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/octavia-worker/worker-post-deploy.conf"
+    selevel: s0
+    setype: svirt_sandbox_file_t
+  when:
+    - octavia_config_updated
+
+- name: restart octavia containers
+  become: true
+  become_user: root
+  shell: "{{ container_cli }} restart $(sudo {{ container_cli }} ps -f name=octavia -q)"
+  when:
+    - octavia_config_updated

tripleo_ansible/roles/octavia-overcloud-config/meta/main.yml

@@ -0,0 +1,45 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+galaxy_info:
+  author: OpenStack
+  description: TripleO OpenStack Role -- octavia-overcloud-config
+  company: Red Hat
+  license: Apache-2.0
+  min_ansible_version: 2.7
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  platforms:
+    - name: Fedora
+      versions:
+        - 28
+    - name: CentOS
+      versions:
+        - 7
+
+  galaxy_tags:
+    - tripleo
+
+
+# List your role dependencies here, one per line. Be sure to remove the '[]' above,
+# if you add dependencies to this list.
+dependencies:
+  - octavia_common

tripleo_ansible/roles/octavia-overcloud-config/tasks/certs_gen.yml

@@ -0,0 +1,87 @@
+---
+
+- name: delete temporary ssl directory
+  become: true
+  file: path={{ openssl_temp_dir }} state=absent
+
+- name: create temporary ssl directories
+  become: true
+  file: path={{ openssl_temp_dir }}/private recurse=yes
+
+- name: create temporary ssl newcerts directory
+  become: true
+  file: path={{ openssl_temp_dir }}/newcerts recurse=yes
+
+- name: create index.txt
+  become: true
+  copy: content="" dest={{ openssl_temp_dir }}/index.txt force=no
+
+- name: create serial file
+  become: true
+  copy: content="01" dest={{ openssl_temp_dir }}/serial
+
+- name: create openssl configuration file from template
+  become: true
+  copy: src="/etc/pki/tls/openssl.cnf" dest="{{ openssl_temp_dir }}/openssl.cnf" remote_src=yes
+
+- name: update openssl directory entry in the configuration file
+  become: true
+  ini_file: path="{{ openssl_temp_dir }}/openssl.cnf" section=" CA_default " option="dir" value="{{ openssl_temp_dir }}"
+
+- name: update openssl ca certificate file in the configuration file
+  become: true
+  replace: path="{{ openssl_temp_dir }}/openssl.cnf" regexp="cacert.pem" replace="ca_01.pem"
+
+- name: Generating certificate authority private key
+  become: true
+  shell: |
+    openssl genrsa -passout pass:{{ ca_passphrase }} -des3 -out {{ openssl_temp_dir }}/private/cakey.pem 2048
+
+- name: Reading private key
+  become: true
+  shell: cat {{ openssl_temp_dir }}/private/cakey.pem
+  register: private_key_data
+
+- name: Setting private key fact
+  set_fact:
+    private_key_content: "{{ private_key_data.stdout }}"
+
+- name: Generating certificate authority certificate
+  become: true
+  shell: |
+    openssl req -x509 -passin pass:{{ ca_passphrase }} -new -nodes -key {{ openssl_temp_dir }}/private/cakey.pem \
+                -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
+                -days 365 -config {{ openssl_temp_dir }}/openssl.cnf \
+                -out {{ openssl_temp_dir }}/ca_01.pem
+
+- name: Reading CA certificate
+  become: true
+  shell: cat {{ openssl_temp_dir }}/ca_01.pem
+  register: ca_cert_data
+
+- name: Setting CA certificate fact
+  set_fact:
+    ca_cert_content: "{{ ca_cert_data.stdout }}"
+
+- name: Generating service private key & certificate request
+  become: true
+  shell: |
+    openssl req  -newkey rsa:2048 -nodes -config {{ openssl_temp_dir }}/openssl.cnf -keyout {{ openssl_temp_dir }}/client.key \
+                  -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
+                  -out {{ openssl_temp_dir }}/client.csr
+
+- name: Signing service certificate request
+  become: true
+  shell: |
+    openssl ca -config {{ openssl_temp_dir }}/openssl.cnf -passin pass:{{ ca_passphrase }} -in {{ openssl_temp_dir }}/client.csr \
+                -days 365 -out {{ openssl_temp_dir }}/client-.pem -batch
+
+- name: Read service private key and public certifcate
+  become: true
+  shell: |
+    cat {{ openssl_temp_dir }}/client-.pem {{ openssl_temp_dir }}/client.key
+  register: service_key_data
+
+- name: Set service key fact
+  set_fact:
+    service_pem_content: "{{ service_key_data.stdout }}"

tripleo_ansible/roles/octavia-overcloud-config/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+
+# Previously was a stack in the overcloud
+- include_tasks: network.yml
+
+- include_tasks: quotas.yml
+
+- include_tasks: certs_gen.yml
+  when:
+    - generate_certs | bool

tripleo_ansible/roles/octavia-overcloud-config/tasks/network.yml

@@ -0,0 +1,103 @@
+---
+- name: create management network for load balancers
+  shell: |
+    if [[ $(openstack network show {{ lb_mgmt_net_name }} > /dev/null; echo $?) -eq 1 ]]; then
+      openstack network create -f value -c id {{ lb_mgmt_net_name }}
+    fi
+  register: out_lb_mgmt_net
+  changed_when: (out_lb_mgmt_net.stdout | length) > 0
+
+- name: getting management network ID
+  shell: |
+    openstack network show {{ lb_mgmt_net_name }} -f value -c id
+  register: out_lb_mgmt_net_id
+  changed_when: false
+
+- name: setting management network ID fact
+  set_fact:
+    lb_mgmt_net_id: "{{ out_lb_mgmt_net_id.stdout }}"
+
+- name: create subnet
+  shell: |
+    set -o pipefail
+    if [[ $(openstack subnet show {{ lb_mgmt_subnet_name }} > /dev/null; echo $?) -eq 1 ]]; then
+      openstack subnet create {{ lb_mgmt_subnet_name }} \
+        --allocation-pool=start={{ lb_mgmt_subnet_pool_start }},end={{ lb_mgmt_subnet_pool_end }} \
+        --gateway={{ lb_mgmt_subnet_gateway }} \
+        --network {{ lb_mgmt_net_id }} \
+        --subnet-range {{ lb_mgmt_subnet_cidr }}
+    fi
+  register: lb_mgmt_subnet_result
+  changed_when: (lb_mgmt_subnet_result.stdout | length) > 0
+
+- name: create security group (get the security group id)
+  shell: |
+    set -o pipefail
+    if [[ $(openstack security group show {{ lb_mgmt_sec_grp_name }} > /dev/null; echo $?) -eq 1 ]]; then
+      openstack security group create --project service --project-domain Default {{ lb_mgmt_sec_grp_name }} -f value -c id
+    else
+      openstack security group show {{ lb_mgmt_sec_grp_name }} -f value -c id
+    fi
+  register: lb_mgmt_secgroup_result
+  changed_when: (lb_mgmt_secgroup_result.stdout | length) > 0
+
+- name: setting fact for management network security group
+  set_fact:
+    lb_mgmt_secgroup_id: "{{ lb_mgmt_secgroup_result.stdout }}"
+
+- name: create security group rule to open amphora management ssh port
+  shell: |-
+    set -o pipefail
+    SECGROUP="$(openstack security group rule list {{ lb_mgmt_sec_grp_name }} --protocol tcp \
+                                                                              --ingress -f value 2>&1 | grep "0.0.0.0/0 22:22")"
+    if [[ -z "${SECGROUP}" ]]; then
+      openstack security group rule create --protocol tcp --dst-port 22 {{ lb_mgmt_sec_grp_name }}
+    fi
+  register: sec_group_rule_one
+  changed_when: (sec_group_rule_one.stdout | length) > 0
+  environment:
+    OS_USERNAME: "{{ auth_username }}"
+    OS_PASSWORD: "{{ auth_password }}"
+    OS_PROJECT_NAME: "{{ auth_project_name }}"
+
+- name: create security group rule to open amphora management API port
+  shell: |-
+    set -o pipefail
+    SECGROUP="$(openstack security group rule list {{ lb_mgmt_sec_grp_name }} --protocol tcp \
+                                                                              --ingress -f value 2>&1 | grep "0.0.0.0/0 9443:9443")"
+    if [[ -z "${SECGROUP}" ]]; then
+      openstack security group rule create --protocol tcp --dst-port 9443 {{ lb_mgmt_sec_grp_name }}
+    fi
+  register: sec_group_rule_two
+  changed_when: (sec_group_rule_two.stdout | length) > 0
+  environment:
+    OS_USERNAME: "{{ auth_username }}"
+    OS_PASSWORD: "{{ auth_password }}"
+    OS_PROJECT_NAME: "{{ auth_project_name }}"
+
+- name: create security group for health manager
+  shell: |-
+    set -o pipefail
+    if [[ $(openstack security group show {{ lb_health_mgr_sec_grp_name }} > /dev/null; echo $?) -eq 1 ]]; then
+      openstack security group create --project service --project-domain Default {{ lb_health_mgr_sec_grp_name }} -f value -c id
+    else
+      openstack security group show {{ lb_health_mgr_sec_grp_name }} -f value -c id
+    fi
+  register: lb_health_manager_sec_grp_result
+  changed_when: (lb_health_manager_sec_grp_result.stdout | length) > 0
+
+- name: create security group rule for health manager
+  shell: |-
+    set -o pipefail
+    SECGROUP="$(openstack security group rule list {{ lb_health_mgr_sec_grp_name }} \
+                  --protocol udp \
+                  --ingress -f value 2>&1 | grep "0.0.0.0/0 5555:5555")"
+    if [[ -z "${SECGROUP}" ]]; then
+      openstack security group rule create --protocol udp --dst-port 5555 {{ lb_health_mgr_sec_grp_name }}
+    fi
+  register: health_mgr_sec_grp_rule
+  changed_when: (health_mgr_sec_grp_rule.stdout | length) > 0
+  environment:
+    OS_USERNAME: "{{ auth_username }}"
+    OS_PASSWORD: "{{ auth_password }}"
+    OS_PROJECT_NAME: "{{ auth_project_name }}"

tripleo_ansible/roles/octavia-overcloud-config/tasks/quotas.yml

@@ -0,0 +1,5 @@
+---
+
+- name: increase quotas for project used for amphora
+  shell: |
+    openstack quota set --cores -1 --ram -1 --ports -1 --instances -1 --secgroups -1 --secgroup-rules -1 {{ auth_project_name }}

tripleo_ansible/roles/octavia-undercloud/meta/main.yml

@@ -0,0 +1,45 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+galaxy_info:
+  author: OpenStack
+  description: TripleO OpenStack Role -- octavia-undercloud
+  company: Red Hat
+  license: Apache-2.0
+  min_ansible_version: 2.7
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  platforms:
+    - name: Fedora
+      versions:
+        - 28
+    - name: CentOS
+      versions:
+        - 7
+
+  galaxy_tags:
+    - tripleo
+
+
+# List your role dependencies here, one per line. Be sure to remove the '[]' above,
+# if you add dependencies to this list.
+dependencies:
+  - octavia_common

tripleo_ansible/roles/octavia-undercloud/tasks/image_mgmt.yml

@@ -0,0 +1,134 @@
+---
+- name: check if name is a symlink
+  stat:
+    path: "{{ image_filename }}"
+  register: symlnk_check
+
+- name: bypass image naming logic if image name is provided (backwards-compatibility)
+  set_fact:
+    amphora_image: "{{ amphora_image_name }}"
+  when:
+    - amphora_image_name is defined
+    - not ((amphora_image_name | length) < 1)
+
+- name: set the actual glance image name if it is a symlink
+  set_fact:
+    amphora_image: "{{ (symlnk_check.stat.lnk_target | basename | splitext)[0] }}"
+  when:
+    - amphora_image is undefined
+    - symlnk_check is defined and (symlnk_check.stat.islnk | bool)
+
+- name: set the actual glance image name if it is not a symlink
+  set_fact:
+    amphora_image: "{{ (image_file_result.stat.path | basename | splitext)[0] }}"
+  when:
+    - amphora_image is undefined
+    - (image_file_result.stat.exists | bool) and (not (symlnk_check.stat.islnk | bool))
+
+- name: gather facts about the service project
+  shell: |
+    openstack project show "{{ auth_project_name }}" -c id -f value
+  register: project_id_result
+
+- name: check there's an image in glance already
+  shell: |
+    openstack image list --property owner={{ project_id_result.stdout }} --private --name {{ amphora_image }} -c ID -f value
+  environment:
+    OS_USERNAME: "{{ auth_username }}"
+    OS_PASSWORD: "{{ auth_password }}"
+    OS_PROJECT_NAME: "{{ auth_project_name }}"
+  register: glance_id_result
+  ignore_errors: true
+
+- name: set image id fact
+  set_fact:
+    image_id: "{{ glance_id_result.stdout }}"
+  when:
+    - glance_id_result.rc == 0
+
+- name: get checksum if there's an image in glance already
+  shell: |
+    openstack image show {{ glance_id_result.stdout }} -c checksum -f value
+  environment:
+    OS_USERNAME: "{{ auth_username }}"
+    OS_PASSWORD: "{{ auth_password }}"
+    OS_PROJECT_NAME: "{{ auth_project_name }}"
+  when:
+    - image_id is defined
+  register: glance_results
+  ignore_errors: true
+
+- name: set current_md5 fact from glance if image already exists there
+  set_fact:
+    current_md5: "{{ glance_results.stdout }}"
+  when:
+    - glance_results.rc == 0
+
+- name: determine if the image needs to be replaced
+  set_fact:
+    replace_image: "{{ current_md5 != image_file_result.stat.md5 }}"
+  when:
+    - current_md5 is defined
+
+- name: move existing image if the names match and the md5s are not the same
+  shell: |
+    ts=`openstack image show {{ image_id }} -f value -c created_at`
+    ts=${ts//:/}
+    ts=${ts//-/}
+    openstack image set {{ image_id }} --name "{{ amphora_image }}_$ts"
+  environment:
+    OS_USERNAME: "{{ auth_username }}"
+    OS_PASSWORD: "{{ auth_password }}"
+    OS_PROJECT_NAME: "{{ auth_project_name }}"
+  when:
+    - replace_image is defined and replace_image | bool
+
+- name: decide whether to upload new image
+  set_fact:
+    upload_image: true
+  when:
+    - (current_md5 is not defined) or (replace_image is defined and replace_image | bool)
+
+- block:
+    - name: create temporary directory
+      tempfile:
+        state: directory
+      register: amp_tmp_dir
+
+    - name: set RAW file name
+      set_fact:
+        raw_filename: "{{ amp_tmp_dir.path }}/{{ image_filename|splitext|first|basename }}.img"
+
+    - name: convert image from qcow2 to raw
+      shell: |
+        qemu-img convert -f qcow2 -O raw {{ image_filename }} {{ raw_filename }}
+
+    - name: setting amphora format to raw
+      set_fact:
+        raw_format: raw
+  when:
+    - amp_to_raw | bool
+
+- name: upload image to glance
+  shell: |
+    openstack image create --disk-format {{ raw_format|default('qcow2') }} \
+      --container-format bare --tag {{ amp_image_tag }} \
+      --file {{ raw_filename|default(image_filename) }} \
+      --property hw_architecture={{ amp_hw_arch }} \
+      --private {{ amphora_image }}
+  environment:
+    OS_USERNAME: "{{ auth_username }}"
+    OS_PASSWORD: "{{ auth_password }}"
+    OS_PROJECT_NAME: "{{ auth_project_name }}"
+  register: image_result
+  changed_when: (image_result.stdout | length) < 1
+  when:
+    - image_file_result.stat.exists | bool
+    - upload_image is defined
+
+- name: delete converted raw image
+  file:
+    path: "{{ amp_tmp_dir.path }}"
+    state: absent
+  when:
+    - amp_to_raw | bool

tripleo_ansible/roles/octavia-undercloud/tasks/main.yml

@@ -0,0 +1,76 @@
+---
+
+- name: set file if already set by heat variable (backwards-compatibility)
+  set_fact:
+    image_filename: "{{ amp_image_filename }}"
+  when:
+    - amp_image_filename is defined and
+    - not ((amp_image_filename | length) < 1)
+
+- name: set location if CentOS
+  set_fact:
+    image_filename: "/usr/share/openstack-octavia-amphora-images/amphora-x64-haproxy.qcow2"
+  when:
+    - ansible_distribution == 'CentOS'
+    - not (image_filename is defined)
+
+- name: set location if Red Hat
+  set_fact:
+    image_filename: "/usr/share/openstack-octavia-amphora-images/octavia-amphora.qcow2"
+  when:
+    - ansible_distribution == 'RedHat'
+    - not (image_filename is defined)
+
+- name: check if amphora image file exists
+  stat:
+    path: "{{ image_filename }}"
+    follow: true
+    get_md5: true
+  register: image_file_result
+
+- include_tasks: image_mgmt.yml
+  when:
+    - image_file_result.stat.exists | bool
+
+- name: use ssh pub key file if provided and is readable
+  block:
+    - name: check if pub key file exists
+      stat: path="{{ amp_ssh_key_path }}"
+      register: key_file_result
+      ignore_errors: true
+
+    - name: fail if ssh pub key file does not exist or is not readable
+      fail: msg="{{ amp_ssh_key_path }} does not exist or is not readable by user {{ ansible_user }}"
+      when:
+        - (key_file_result | failed) or (not (key_file_result.stat.exists | bool)) or (not (key_file_result.stat.readable | bool))
+
+    - name: Set final key fact
+      set_fact:
+        amp_ssh_key_path_final: "{{ amp_ssh_key_path }}"
+  when:
+    - amp_ssh_key_path is defined
+    - (amp_ssh_key_path | length) > 0
+
+- name: defaulting to public key from undercloud default keypair
+  block:
+    - name: create temp pub key file
+      tempfile: state=file
+      register: ssh_key_tmp_file
+
+    - name: copy ssh public key content to temp file
+      copy: content="{{ amp_ssh_key_data }}" dest="{{ ssh_key_tmp_file.path }}"
+
+    - name: Set final key fact
+      set_fact:
+        amp_ssh_key_path_final: "{{ ssh_key_tmp_file.path }}"
+  when:
+    - amp_ssh_key_path is not defined or ((amp_ssh_key_path | length) < 1)
+
+- name: upload pub key to overcloud
+  shell: |-
+    openstack keypair show {{ amp_ssh_key_name }} || \
+      openstack keypair create --public-key {{ amp_ssh_key_path_final }} {{ amp_ssh_key_name }}
+  environment:
+    OS_USERNAME: "{{ auth_username }}"
+    OS_PASSWORD: "{{ auth_password }}"
+    OS_PROJECT_NAME: "{{ auth_project_name }}"

tripleo_ansible/roles/octavia_common/defaults/main.yml

@@ -0,0 +1,19 @@
+---
+amp_image_name: ""
+amp_image_filename: ""
+amp_image_tag: "amphora-image"
+amp_ssh_key_name: "octavia-ssh-key"
+amp_ssh_key_path: ""
+amp_to_raw: false
+amp_hw_arch: "x86_64"
+auth_username: "octavia"
+auth_project_name: "service"
+lb_mgmt_net_name: "lb-mgmt-net"
+lb_mgmt_subnet_name: "lb-mgmt-subnet"
+lb_mgmt_subnet_cidr: "172.24.0.0/16"
+lb_mgmt_subnet_gateway: "172.24.0.1"
+lb_mgmt_subnet_pool_start: "172.24.0.2"
+lb_mgmt_subnet_pool_end: "172.24.255.254"
+lb_mgmt_sec_grp_name: "lb-mgmt-sec-grp"
+lb_health_mgr_sec_grp_name: "lb-health-mgr-sec-grp"
+mgmt_port_dev: "o-hm0"

tripleo_ansible/roles/octavia_common/meta/main.yml

@@ -0,0 +1,44 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+galaxy_info:
+  author: OpenStack
+  description: TripleO OpenStack Role -- octavia_common
+  company: Red Hat
+  license: Apache-2.0
+  min_ansible_version: 2.7
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  platforms:
+    - name: Fedora
+      versions:
+        - 28
+    - name: CentOS
+      versions:
+        - 7
+
+  galaxy_tags:
+    - tripleo
+
+
+# List your role dependencies here, one per line. Be sure to remove the '[]' above,
+# if you add dependencies to this list.
+dependencies: []