From 82d0705476b9270496e3bc5c5714ba2f72348e79 Mon Sep 17 00:00:00 2001 From: Kevin Carter Date: Thu, 13 Jun 2019 17:29:13 -0500 Subject: [PATCH] Import octavia roles and playbooks from tripleo-common This change imports all of the octavia playbooks and roles from `tripleo-common/playbooks/`. This change ensures all of the resources imported are meeting the required lint checks for import and structures the roles such that they'll automatically be installed in the `usr/share/ansible/roles/` path making them available to the rest of the tripleo ecosystem. Change-Id: Ib4ff59a4c372f95cc7a183e8ef724bb1cbf72fed 
Signed-off-by: Kevin Carter --- tripleo_ansible/playbooks/octavia-files.yaml | 95 +++++++++++++ tripleo_ansible/playbooks/rotate-keys.yaml | 75 ++++++++++ .../playbooks/swift_ring_rebalance.yaml | 129 +++++++++++++++++ .../handlers/main.yml | 5 + .../octavia-controller-config/meta/main.yml | 45 ++++++ .../tasks/certificate.yml | 27 ++++ .../octavia-controller-config/tasks/main.yml | 23 +++ .../tasks/netinterface.yml | 22 +++ .../tasks/netport.yml | 77 ++++++++++ .../tasks/octavia.yml | 62 ++++++++ .../templates/ifcfg-br-int.j2 | 6 + .../templates/ifcfg.j2 | 19 +++ .../templates/manager-post-deploy.conf.j2 | 2 + .../defaults/main.yml | 3 + .../meta/main.yml | 45 ++++++ .../tasks/main.yml | 57 ++++++++ .../octavia-overcloud-config/meta/main.yml | 45 ++++++ .../tasks/certs_gen.yml | 87 ++++++++++++ .../octavia-overcloud-config/tasks/main.yml | 10 ++ .../tasks/network.yml | 103 ++++++++++++++ .../octavia-overcloud-config/tasks/quotas.yml | 5 + .../roles/octavia-undercloud/meta/main.yml | 45 ++++++ .../octavia-undercloud/tasks/image_mgmt.yml | 134 ++++++++++++++++++ .../roles/octavia-undercloud/tasks/main.yml | 76 ++++++++++ .../roles/octavia_common/defaults/main.yml | 19 +++ .../roles/octavia_common/meta/main.yml | 44 ++++++ 26 files changed, 1260 insertions(+) create mode 100644 tripleo_ansible/playbooks/octavia-files.yaml create mode 100644 tripleo_ansible/playbooks/rotate-keys.yaml create mode 100644 tripleo_ansible/playbooks/swift_ring_rebalance.yaml create mode 100644 tripleo_ansible/roles/octavia-controller-config/handlers/main.yml create mode 100644 tripleo_ansible/roles/octavia-controller-config/meta/main.yml create mode 100644 tripleo_ansible/roles/octavia-controller-config/tasks/certificate.yml create mode 100644 tripleo_ansible/roles/octavia-controller-config/tasks/main.yml create mode 100644 tripleo_ansible/roles/octavia-controller-config/tasks/netinterface.yml create mode 100644 tripleo_ansible/roles/octavia-controller-config/tasks/netport.yml create mode 
100644 tripleo_ansible/roles/octavia-controller-config/tasks/octavia.yml create mode 100644 tripleo_ansible/roles/octavia-controller-config/templates/ifcfg-br-int.j2 create mode 100644 tripleo_ansible/roles/octavia-controller-config/templates/ifcfg.j2 create mode 100644 tripleo_ansible/roles/octavia-controller-config/templates/manager-post-deploy.conf.j2 create mode 100644 tripleo_ansible/roles/octavia-controller-post-config/defaults/main.yml create mode 100644 tripleo_ansible/roles/octavia-controller-post-config/meta/main.yml create mode 100644 tripleo_ansible/roles/octavia-controller-post-config/tasks/main.yml create mode 100644 tripleo_ansible/roles/octavia-overcloud-config/meta/main.yml create mode 100644 tripleo_ansible/roles/octavia-overcloud-config/tasks/certs_gen.yml create mode 100644 tripleo_ansible/roles/octavia-overcloud-config/tasks/main.yml create mode 100644 tripleo_ansible/roles/octavia-overcloud-config/tasks/network.yml create mode 100644 tripleo_ansible/roles/octavia-overcloud-config/tasks/quotas.yml create mode 100644 tripleo_ansible/roles/octavia-undercloud/meta/main.yml create mode 100644 tripleo_ansible/roles/octavia-undercloud/tasks/image_mgmt.yml create mode 100644 tripleo_ansible/roles/octavia-undercloud/tasks/main.yml create mode 100644 tripleo_ansible/roles/octavia_common/defaults/main.yml create mode 100644 tripleo_ansible/roles/octavia_common/meta/main.yml diff --git a/tripleo_ansible/playbooks/octavia-files.yaml b/tripleo_ansible/playbooks/octavia-files.yaml new file mode 100644 index 000000000..f9adc55db --- /dev/null +++ b/tripleo_ansible/playbooks/octavia-files.yaml 
@@ -0,0 +1,95 @@ +--- +- hosts: Undercloud[0] + remote_user: stack + gather_facts: true + vars: + amp_ssh_key_name: "{{ amp_ssh_key_name }}" + amp_ssh_key_path: "{{ amp_ssh_key_path }}" + amp_ssh_key_data: "{{ amp_ssh_key_data }}" + amp_to_raw: "{{ amp_to_raw | bool }}" + auth_username: "{{ auth_username }}" + auth_password: "{{ auth_password }}" + auth_project_name: "{{ auth_project_name }}" + environment: + OS_USERNAME: "{{ os_username }}" + OS_USER_DOMAIN_NAME: "Default" + OS_PROJECT_DOMAIN_NAME: "Default" + NOVA_VERSION: "1.1" + OS_PROJECT_NAME: "{{ os_project_name }}" + OS_PASSWORD: "{{ os_password }}" + COMPUTE_API_VERSION: "1.1" + OS_CLOUDNAME: "overcloud" + OS_AUTH_URL: "{{ os_auth_url }}" + OS_IDENTITY_API_VERSION: "{{ os_identity_api_version }}" + OS_IMAGE_API_VERSION: "2" + OS_AUTH_TYPE: "{{ os_auth_type }}" + roles: + - octavia-undercloud + +- hosts: octavia_nodes[0] + gather_facts: true + vars: + generate_certs: "{{ generate_certs }}" + octavia_confd_prefix: "/var/lib/config-data/puppet-generated/octavia" + openssl_temp_dir: "/tmp/octavia-ssl" + ca_cert_path: "{{ ca_cert_path }}" + ca_private_key_path: "{{ ca_private_key_path }}" + ca_passphrase: "{{ ca_passphrase }}" + client_cert_path: "{{ client_cert_path }}" + auth_project_name: "{{ auth_project_name }}" + auth_username: "{{ auth_username }}" + auth_password: "{{ auth_password }}" + environment: + OS_USERNAME: "{{ os_username }}" + OS_USER_DOMAIN_NAME: "Default" + OS_PROJECT_DOMAIN_NAME: "Default" + NOVA_VERSION: "1.1" + OS_PROJECT_NAME: "{{ os_project_name }}" + OS_PASSWORD: "{{ os_password }}" + COMPUTE_API_VERSION: "1.1" + OS_CLOUDNAME: "overcloud" + OS_AUTH_URL: "{{ os_auth_url }}" + OS_IDENTITY_API_VERSION: "{{ os_identity_api_version }}" + OS_IMAGE_API_VERSION: "2" + OS_AUTH_TYPE: "{{ os_auth_type }}" + roles: + - octavia-overcloud-config + +- hosts: octavia_nodes + gather_facts: true + vars: + octavia_confd_prefix: "/var/lib/config-data/puppet-generated/octavia" + lb_mgmt_net_id: "{{ 
hostvars[groups['octavia_nodes'][0]]['lb_mgmt_net_id'] }}" + lb_mgmt_secgroup_id: "{{ hostvars[groups['octavia_nodes'][0]]['lb_mgmt_secgroup_id'] }}" + private_key_content: "{{ hostvars[groups['octavia_nodes'][0]]['private_key_content'] }}" + ca_cert_content: "{{ hostvars[groups['octavia_nodes'][0]]['ca_cert_content'] }}" + service_pem_content: "{{ hostvars[groups['octavia_nodes'][0]]['service_pem_content'] }}" + generate_certs: "{{ generate_certs }}" + ca_cert_path: "{{ ca_cert_path }}" + ca_private_key_path: "{{ ca_private_key_path }}" + ca_passphrase: "{{ ca_passphrase }}" + client_cert_path: "{{ client_cert_path }}" + auth_project_name: "{{ auth_project_name }}" + environment: + OS_USERNAME: "{{ os_username }}" + OS_USER_DOMAIN_NAME: "Default" + OS_PROJECT_DOMAIN_NAME: "Default" + NOVA_VERSION: "1.1" + OS_PROJECT_NAME: "{{ os_project_name }}" + OS_PASSWORD: "{{ os_password }}" + COMPUTE_API_VERSION: "1.1" + OS_CLOUDNAME: "overcloud" + OS_AUTH_URL: "{{ os_auth_url }}" + OS_IDENTITY_API_VERSION: "{{ os_identity_api_version }}" + OS_IMAGE_API_VERSION: "2" + OS_AUTH_TYPE: "{{ os_auth_type }}" + roles: + - octavia-controller-config + +- hosts: octavia_nodes + gather_facts: true + vars: + octavia_confd_prefix: "/var/lib/config-data/puppet-generated/octavia" + container_cli: "{{ container_cli }}" + roles: + - octavia-controller-post-config diff --git a/tripleo_ansible/playbooks/rotate-keys.yaml b/tripleo_ansible/playbooks/rotate-keys.yaml new file mode 100644 index 000000000..7de808ce8 --- /dev/null +++ b/tripleo_ansible/playbooks/rotate-keys.yaml 
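Review bot: The self-referential `vars:` entries in the first two plays (`amp_ssh_key_name: "{{ amp_ssh_key_name }}"`, `auth_password: "{{ auth_password }}"`, `ca_passphrase: "{{ ca_passphrase }}"` and the rest) add nothing when the same-named extra var is supplied, because extra vars take precedence, and when it is absent Ansible will most likely fail with a recursive template loop rather than a clear "undefined variable" message. Either drop them or turn them into explicit fallbacks, e.g. `amp_to_raw: "{{ amp_to_raw | default(false) | bool }}"`. The play-level `environment:` also exports `OS_PASSWORD` to every task in each play, including the shell tasks in the imported roles that register their output without `no_log`; consider scoping the environment to the tasks that actually call the OpenStack CLI. `OS_CLOUDNAME: "overcloud"` is repeated verbatim in three plays and would be easier to keep in sync as a single play-group var.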
@@ -0,0 +1,75 @@ +--- +- hosts: keystone + tasks: + - name: Check for containerized keystone fernet repository + stat: + path: /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys/ + register: containerized_keystone_dir + + - name: populate service facts + service_facts: + + - name: Set container facts + set_fact: + is_container: containerized_keystone_dir.stat.isdir is defined and containerized_keystone_dir.stat.isdir + podman_enabled: '"tripleo_keystone.service" in ansible_facts.services' + + - name: Rotate fernet keys for keystone container + block: + - name: Set keystone facts + set_fact: + keystone_base: /var/lib/config-data/puppet-generated/keystone + + - name: Remove previous fernet keys + shell: rm -rf /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys/* + args: + warn: false + + - name: Persist fernet keys to repository + copy: + dest: "{{ keystone_base }}{{ item.key }}" + content: "{{ item.value.content }}" + mode: 0600 + with_dict: "{{ fernet_keys }}" + no_log: true + + - name: Set permissions to match container's user + shell: chown --reference={{ keystone_base }}/etc/keystone/fernet-keys {{ keystone_base }}{{ item.key }} + with_dict: "{{ fernet_keys }}" + no_log: true + + - name: Restart keystone container with docker + shell: docker restart keystone + when: not podman_enabled + + - name: Restart keystone container + service: + name: tripleo_keystone + state: restarted + when: podman_enabled + when: + - is_container | bool + + - name: Rotate fernet keys for keystone (no container) + block: + - name: Remove previous fernet keys + shell: rm -rf /etc/keystone/fernet-keys/* + args: + warn: false + + - name: Persist fernet keys to repository + copy: + dest: "{{ item.key }}" + content: "{{ item.value.content }}" + mode: 0600 + owner: keystone + group: keystone + with_dict: "{{ fernet_keys }}" + no_log: true + + - name: Reload apache + service: + name: httpd + state: reloaded + when: + - not (is_container | bool) 
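Review bot: The two `set_fact` values under "Set container facts" are plain strings, not evaluated expressions: `is_container: containerized_keystone_dir.stat.isdir is defined and ...` stores that literal text, so `when: is_container | bool` is evaluated against a string and, as far as I can tell, will always be false, sending containerized nodes down the "no container" branch (which removes `/etc/keystone/fernet-keys/*` on the host and reloads httpd). Wrap both in Jinja delimiters: `is_container: "{{ containerized_keystone_dir.stat.isdir is defined and containerized_keystone_dir.stat.isdir }}"` and `podman_enabled: "{{ 'tripleo_keystone.service' in ansible_facts.services }}"`. Separately, both `copy` tasks write `mode: 0600` unquoted, which YAML 1.1 reads as the integer 384; that happens to equal 0o600 but is fragile, so quote it as `mode: "0600"`.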
diff --git a/tripleo_ansible/playbooks/swift_ring_rebalance.yaml b/tripleo_ansible/playbooks/swift_ring_rebalance.yaml new file mode 100644 index 000000000..b71d4ae54 --- /dev/null +++ b/tripleo_ansible/playbooks/swift_ring_rebalance.yaml 
@@ -0,0 +1,129 @@ +--- + +- name: Update Swift rings + hosts: swift_storage,swift_proxy + gather_facts: false + any_errors_fatal: true + max_fail_percentage: 0 + vars: + base_directory: "/var/lib/config-data/puppet-generated/swift/" + rebalance_is_safe: false + environment: + OS_STORAGE_URL: "{{ hostvars.localhost.undercloud_swift_url }}" + OS_AUTH_TOKEN: "{{ hostvars.localhost.os_auth_token }}" + tasks: + - name: Get reference ring checksum + run_once: true + block: + - name: Ensure /tmp/swift-rings directory exists + file: path=/tmp/swift-rings state=directory + + - name: Fetch Swift rings from undercloud + command: swift --insecure download -o /tmp/swift-rings.tar.gz overcloud-swift-rings swift-rings.tar.gz + + - name: Extract Swift rings + unarchive: + src: /tmp/swift-rings.tar.gz + dest: /tmp/swift-rings + remote_src: true + + - name: Get reference ring checksum + stat: + path: /tmp/swift-rings/etc/swift/object.ring.gz + register: result_reference + + - name: Get file attributes of object rings + stat: + path: "{{ base_directory }}/etc/swift/object.ring.gz" + register: result + + - name: Abort playbook run if consistency check fails + fail: + msg: "object.ring.gz does not match reference checksum" + when: + - (result.stat.exists | bool) + - (result_reference.stat.exists | bool) + - (result_reference.stat.checksum != result.stat.checksum) + + - name: Deploy missing Swift rings + when: + - not (result.stat.exists | bool) + block: + - name: Fetch missing Swift rings from undercloud + command: swift --insecure download -o /tmp/swift-rings.tar.gz overcloud-swift-rings swift-rings.tar.gz + + - name: Extract missing Swift rings + unarchive: + src: /tmp/swift-rings.tar.gz + dest: /{{ base_directory }} + remote_src: true + become: true + + - name: Get recon data + command: cat /var/cache/swift/object.recon + register: recon + become: true + + - name: Check if it is safe to continue rebalancing + set_fact: + rebalance_is_safe: true + when: + - (result.stat.exists | 
bool) + - ((recon.stdout | from_json).object_replication_last | int) > ((result.stat.mtime) | int) + + - name: Show warning and stop playbook run if unsafe + debug: + msg: "Rebalancing is unsafe at the moment, stopping. Please try again later" + when: + - not (rebalance_is_safe | bool) + + # We exit here in case there is at least one host that fails the above check + - meta: end_play + when: + - not (rebalance_is_safe | bool) + + - name: Rebalance Swift rings + run_once: true + block: + - name: Ensure /tmp/swift-rings directory exists + file: path=/tmp/swift-rings state=directory + + - name: Fetch Swift rings from undercloud + command: swift --insecure download -o /tmp/swift-rings.tar.gz overcloud-swift-rings swift-rings.tar.gz + + - name: Extract Swift rings + unarchive: + src: /tmp/swift-rings.tar.gz + dest: /tmp/swift-rings + remote_src: true + + # Can't use with_fileglob (see https://github.com/ansible/ansible/issues/17136) + - name: Rebalance Swift rings + command: swift-ring-builder /tmp/swift-rings/etc/swift/{{ item }} rebalance + with_items: + - object.builder + - container.builder + - account.builder + failed_when: result.rc > 1 + register: result + + - name: Create Swift ring archive + archive: + path: + - "/tmp/swift-rings/etc" + dest: /tmp/swift-rings.tar.gz + + - name: Copy Swift rings to the undercloud + command: swift --insecure upload --object-name swift-rings.tar.gz overcloud-swift-rings /tmp/swift-rings.tar.gz + + - name: Update Swift rings on all nodes + block: + - name: Fetch Swift rings from undercloud + command: swift --insecure download -o /tmp/swift-rings.tar.gz overcloud-swift-rings swift-rings.tar.gz + + - name: Extract Swift rings + unarchive: + src: /tmp/swift-rings.tar.gz + dest: /{{ base_directory }} + remote_src: true + become: true diff --git a/tripleo_ansible/roles/octavia-controller-config/handlers/main.yml b/tripleo_ansible/roles/octavia-controller-config/handlers/main.yml new file mode 100644 index 000000000..b9cab0cb4 
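Review bot: Every `swift download`/`swift upload` in this play passes `--insecure`, disabling TLS certificate verification toward the undercloud object store that distributes the ring archives; the consistency check only compares the local ring against a reference fetched over the same unverified channel, so it does not compensate. Make the flag conditional on a play variable that defaults to off (or provide the undercloud CA via `OS_CACERT` in the `environment:` block) rather than hard-coding it five times. The fixed `/tmp/swift-rings` and `/tmp/swift-rings.tar.gz` paths sit in a world-writable directory and are reused across runs; the `tempfile` module would give a private, unpredictable working directory for the extract-rebalance-archive cycle. The rebalance `command` registers `result` under the same name as the earlier `stat`; it works here because the stat is no longer read, but a distinct name would make that obvious.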
--- /dev/null +++ b/tripleo_ansible/roles/octavia-controller-config/handlers/main.yml @@ -0,0 +1,5 @@ +--- + +- name: octavia config updated + set_fact: + octavia_config_updated: true diff --git a/tripleo_ansible/roles/octavia-controller-config/meta/main.yml b/tripleo_ansible/roles/octavia-controller-config/meta/main.yml new file mode 100644 index 000000000..6f32a98ac --- /dev/null +++ b/tripleo_ansible/roles/octavia-controller-config/meta/main.yml @@ -0,0 +1,45 @@ +--- +# Copyright 2019 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +galaxy_info: + author: OpenStack + description: TripleO OpenStack Role -- octavia-controller-config + company: Red Hat + license: Apache-2.0 + min_ansible_version: 2.7 + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + platforms: + - name: Fedora + versions: + - 28 + - name: CentOS + versions: + - 7 + + galaxy_tags: + - tripleo + + +# List your role dependencies here, one per line. Be sure to remove the '[]' above, +# if you add dependencies to this list. +dependencies: + - octavia_common 
diff --git a/tripleo_ansible/roles/octavia-controller-config/tasks/certificate.yml b/tripleo_ansible/roles/octavia-controller-config/tasks/certificate.yml new file mode 100644 index 000000000..d12f2dc16 --- /dev/null +++ b/tripleo_ansible/roles/octavia-controller-config/tasks/certificate.yml @@ -0,0 +1,27 @@ +--- + +- name: making sure octavia worker configuration directory exists + file: + path: "{{ octavia_confd_prefix }}{{ ca_private_key_path | dirname }}" + state: directory + selevel: s0 + setype: svirt_sandbox_file_t + become: true + +- name: Copying key info to octavia + become: true + copy: + content: "{{ item.content }}" + dest: "{{ octavia_confd_prefix }}/{{ item.path }}" + selevel: s0 + setype: svirt_sandbox_file_t + no_log: true + loop: + - content: "{{ private_key_content }}" + path: "{{ ca_private_key_path }}" + - content: "{{ ca_cert_content }}" + path: "{{ ca_cert_path }}" + - content: "{{ service_pem_content }}" + path: "{{ client_cert_path }}" + notify: + - octavia config updated diff --git a/tripleo_ansible/roles/octavia-controller-config/tasks/main.yml b/tripleo_ansible/roles/octavia-controller-config/tasks/main.yml new file mode 100644 index 000000000..704797beb --- /dev/null +++ b/tripleo_ansible/roles/octavia-controller-config/tasks/main.yml @@ -0,0 +1,23 @@ +--- + +- name: Set node name fact + set_fact: + node_hostname: "{{ ansible_hostname }}" + +- include_tasks: certificate.yml + when: + - generate_certs | bool + +- include_tasks: netport.yml + +- include_tasks: netinterface.yml + +- name: making sure octavia common configuration directory exists + file: + path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/common" + state: directory + selevel: s0 + setype: svirt_sandbox_file_t + become: true + +- include_tasks: octavia.yml diff --git a/tripleo_ansible/roles/octavia-controller-config/tasks/netinterface.yml b/tripleo_ansible/roles/octavia-controller-config/tasks/netinterface.yml new file mode 100644 index 000000000..0d60eea84 --- /dev/null 
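Review bot: The `copy` task in certificate.yml writes the CA private key (`private_key_content` to `ca_private_key_path`) with SELinux labels but no `mode`, so the file is created with the default umask and is readable by any local account that can traverse the config-data tree; add `mode: "0600"` for the key (the certificates can stay at `"0644"`), plus `owner`/`group` if the container user is known. Only `ca_private_key_path | dirname` is ensured by the preceding `file` task, while `ca_cert_path` and `client_cert_path` may point elsewhere and would then fail the copy; ensure each distinct `dirname` in a loop. The two tasks also join paths differently (`{{ octavia_confd_prefix }}{{ ... }}` versus `{{ octavia_confd_prefix }}/{{ item.path }}`), which is harmless for absolute paths but worth making consistent.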
+++ b/tripleo_ansible/roles/octavia-controller-config/tasks/netinterface.yml @@ -0,0 +1,22 @@ +--- +- name: create br-int interface file + become: true + become_user: root + template: + dest: "/etc/sysconfig/network-scripts/ifcfg-br-int" + src: "ifcfg-br-int.j2" + force: false + +- name: create octavia management interface + become: true + become_user: root + template: + dest: "/etc/sysconfig/network-scripts/ifcfg-{{ mgmt_port_dev }}" + src: "ifcfg.j2" + +- name: Bring the management port interface up + become: true + become_user: root + command: "ifup {{ mgmt_port_dev }}" + notify: + - octavia config updated diff --git a/tripleo_ansible/roles/octavia-controller-config/tasks/netport.yml b/tripleo_ansible/roles/octavia-controller-config/tasks/netport.yml new file mode 100644 index 000000000..4250aca7c --- /dev/null +++ b/tripleo_ansible/roles/octavia-controller-config/tasks/netport.yml 
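Review bot: The `command: "ifup {{ mgmt_port_dev }}"` task has no `changed_when`, so it reports changed and notifies `octavia config updated` on every run, which in turn makes octavia-controller-post-config restart the octavia containers each time the playbook is executed. Register the `ifcfg.j2` template task and gate the interface bring-up on it, e.g. `register: mgmt_ifcfg` on the template and `when: mgmt_ifcfg.changed` on the command, or set `changed_when: false` if ifup is meant to be idempotent here. `mgmt_port_dev` is not defined in this role; presumably it comes from the octavia_common defaults, which are not in view.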
@@ -0,0 +1,77 @@ +--- +- name: create management port + shell: |- + set -o pipefail + port_id="$(openstack port show octavia-health-manager-{{ node_hostname }}-listen-port -f value -c id 2> /dev/null)" + if [[ -z "${port_id}" ]]; then + neutron port-create {{ lb_mgmt_net_name }} --binding:host_id={{ node_hostname }} \ + --no-security-groups \ + --port-security-enabled=False \ + --device-owner Octavia:health-mgr \ + --name octavia-health-manager-{{ node_hostname }}-listen-port \ + -f value \ + -c id + fi + register: out_mgmt_port + changed_when: (out_mgmt_port.stdout | length) > 0 + notify: + - octavia config updated + +- name: getting management port + shell: | + openstack port show octavia-health-manager-{{ node_hostname }}-listen-port -f value -c id + register: out_mgmt_port_id + changed_when: false + +- name: setting fact for management network controller port ID + set_fact: + mgmt_port_id: "{{ out_mgmt_port_id.stdout }}" + +- name: get management port mac + shell: | + openstack port show {{ mgmt_port_id }} -f value -c mac_address + register: out_mgmt_port_mac + changed_when: false + +- name: setting fact for management network controller port MAC + set_fact: + mgmt_port_mac: "{{ out_mgmt_port_mac.stdout }}" + +- name: get management port ip + shell: | + set -o pipefail + openstack port show {{ mgmt_port_id }} -f value -c fixed_ips | cut -f1 -d, | cut -f2 -d= | tr -d "'" + register: out_mgmt_port_ip + changed_when: false + +- name: setting fact for management network controller port IP + set_fact: + mgmt_port_ip: "{{ out_mgmt_port_ip.stdout }}" + +- name: get management port net mask + shell: | + set -o pipefail + subnet_id=$(openstack port show {{ mgmt_port_id }} -f value -c fixed_ips | cut -f2 -d, | cut -f2 -d= | tr -d "'" 2> /dev/null) + openstack subnet show $subnet_id -f value -c cidr 2> /dev/null + register: out_mgmt_subnet_cidr + +- name: setting fact for management subnet cidr + set_fact: + mgmt_subnet_cidr: "{{ out_mgmt_subnet_cidr.stdout }}" + +- name: 
setting fact for management network netmask + set_fact: + mgmt_port_netmask: "{{ mgmt_subnet_cidr | ipaddr('netmask') }}" + +- name: get MTU for managment port + shell: | + openstack network show {{ lb_mgmt_net_name }} -f value -c mtu + register: out_mgmt_port_mtu + +- name: setting fact for management port MTU + set_fact: + mgmt_port_mtu: "{{ out_mgmt_port_mtu.stdout }}" + +- name: creating fact for management network health manager controller IP + set_fact: + o_hm_ip: "{{ mgmt_port_ip }}:5555" diff --git a/tripleo_ansible/roles/octavia-controller-config/tasks/octavia.yml b/tripleo_ansible/roles/octavia-controller-config/tasks/octavia.yml new file mode 100644 index 000000000..d98c959a3 --- /dev/null +++ b/tripleo_ansible/roles/octavia-controller-config/tasks/octavia.yml 
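Review bot: The "get management port net mask" and "get MTU for managment port" tasks register output but set neither `changed_when: false` nor `failed_when`, and the netmask pipeline discards stderr with `2> /dev/null`, so a failed subnet lookup yields an empty `mgmt_subnet_cidr`, `ipaddr('netmask')` turns it into `False`, and ifcfg.j2 ends up with `NETMASK=False`. Add `changed_when: false` and `failed_when: (out_mgmt_subnet_cidr.stdout | trim | length) == 0` (and the equivalent for `out_mgmt_port_mtu`), matching the sibling lookup tasks that already set `changed_when: false`. The create task also spells "managment" in its sibling name and uses the deprecated `neutron port-create` while every other task uses the `openstack` client; the `openstack port create` equivalent would keep the file on one CLI.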
@@ -0,0 +1,62 @@ +--- + +- name: making sure octavia worker configuration directory exists + file: + path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/octavia-worker" + state: directory + selevel: s0 + setype: svirt_sandbox_file_t + become: true + +- name: setting [controller_worker]/amp_boot_network_list + become: true + become_user: root + ini_file: + path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/common/post-deploy.conf" + section: controller_worker + option: amp_boot_network_list + value: "{{ lb_mgmt_net_id }}" + selevel: s0 + setype: svirt_sandbox_file_t + +- name: setting [controller_worker]/amp_secgroup_list + become: true + become_user: root + ini_file: + path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/common/post-deploy.conf" + section: controller_worker + option: amp_secgroup_list + value: "{{ lb_mgmt_secgroup_id }}" + selevel: s0 + setype: svirt_sandbox_file_t + +- name: making sure octavia health manager configuration directory exists + file: + path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/octavia-health-manager" + state: directory + selevel: s0 + setype: svirt_sandbox_file_t + become: true + +- name: create octavia health manager configuration file + become: true + become_user: root + template: + dest: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/octavia-health-manager/manager-post-deploy.conf" + src: "manager-post-deploy.conf.j2" + selevel: s0 + setype: svirt_sandbox_file_t + +- name: gather facts about the service project + shell: | + openstack project show "{{ auth_project_name }}" -c id -f value + register: project_id_result + +- name: setting [controller_worker]/amp_image_owner_id + become: true + become_user: root + ini_file: + path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/common/post-deploy.conf" + section: controller_worker + option: amp_image_owner_id + value: "{{ project_id_result.stdout }}" 
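Review bot: The final `ini_file` task (`amp_image_owner_id`) writes the same `post-deploy.conf` as the two earlier `ini_file` tasks but omits their `selevel: s0` / `setype: svirt_sandbox_file_t` attributes, so the file's SELinux label depends on which task last touched it; add the same two keys for consistency. The `openstack project show` shell task is read-only but lacks `changed_when: false`, so it reports changed on every run. None of the generated configuration files set a `mode`; the post-deploy configs carry network and security-group IDs rather than secrets, so a default mode is probably acceptable, but stating it explicitly would make that intent clear.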
diff --git a/tripleo_ansible/roles/octavia-controller-config/templates/ifcfg-br-int.j2 b/tripleo_ansible/roles/octavia-controller-config/templates/ifcfg-br-int.j2 new file mode 100644 index 000000000..78d904f8b --- /dev/null +++ b/tripleo_ansible/roles/octavia-controller-config/templates/ifcfg-br-int.j2 @@ -0,0 +1,6 @@ +DEVICETYPE=ovs +TYPE=OVSBridge +BOOTPROTO=none +DEVICE=br-int +NM_CONTROLLED=no +ONBOOT=yes diff --git a/tripleo_ansible/roles/octavia-controller-config/templates/ifcfg.j2 b/tripleo_ansible/roles/octavia-controller-config/templates/ifcfg.j2 new file mode 100644 index 000000000..7b2f33ff2 --- /dev/null +++ b/tripleo_ansible/roles/octavia-controller-config/templates/ifcfg.j2 @@ -0,0 +1,19 @@ +TYPE=OVSIntPort +OVS_BRIDGE=br-int +DEVICETYPE=ovs +ONBOOT=yes +BOOTPROTO=static +IPV6_AUTOCONF=no +DEVICE={{ mgmt_port_dev }} +IPADDR={{ mgmt_port_ip }} +NETMASK={{ mgmt_port_netmask }} +NM_CONTROLLED=no +MACADDR={{ mgmt_port_mac }} +MTU={{ mgmt_port_mtu }} +OVS_EXTRA="-- set Interface {{ mgmt_port_dev }} external-ids:iface-status=active \ + -- set Interface {{ mgmt_port_dev }} external-ids:attached-mac={{ mgmt_port_mac }} \ + -- set Interface {{ mgmt_port_dev }} external-ids:iface-id={{mgmt_port_id }} \ + -- set Interface {{ mgmt_port_dev }} external-ids:skip_cleanup=true \ + -- set Interface {{ mgmt_port_dev }} mac=\"{{ mgmt_port_mac }}\" \ + -- set Interface {{ mgmt_port_dev }} other-config:hwaddr={{ mgmt_port_mac }}" + diff --git a/tripleo_ansible/roles/octavia-controller-config/templates/manager-post-deploy.conf.j2 b/tripleo_ansible/roles/octavia-controller-config/templates/manager-post-deploy.conf.j2 new file mode 100644 index 000000000..71a8ec7bb --- /dev/null +++ b/tripleo_ansible/roles/octavia-controller-config/templates/manager-post-deploy.conf.j2 @@ -0,0 +1,2 @@ +[health_manager] +bind_ip = {{ mgmt_port_ip }} 
diff --git a/tripleo_ansible/roles/octavia-controller-post-config/defaults/main.yml b/tripleo_ansible/roles/octavia-controller-post-config/defaults/main.yml new file mode 100644 index 000000000..487a9990a --- /dev/null +++ b/tripleo_ansible/roles/octavia-controller-post-config/defaults/main.yml @@ -0,0 +1,3 @@ +--- + +octavia_config_updated: false diff --git a/tripleo_ansible/roles/octavia-controller-post-config/meta/main.yml b/tripleo_ansible/roles/octavia-controller-post-config/meta/main.yml new file mode 100644 index 000000000..778e1ab9f --- /dev/null +++ b/tripleo_ansible/roles/octavia-controller-post-config/meta/main.yml 
@@ -0,0 +1,45 @@ +--- +# Copyright 2019 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +galaxy_info: + author: OpenStack + description: TripleO OpenStack Role -- octavia-overcloud-post-config + company: Red Hat + license: Apache-2.0 + min_ansible_version: 2.7 + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + platforms: + - name: Fedora + versions: + - 28 + - name: CentOS + versions: + - 7 + + galaxy_tags: + - tripleo + + +# List your role dependencies here, one per line. Be sure to remove the '[]' above, +# if you add dependencies to this list. +dependencies: + - octavia_common diff --git a/tripleo_ansible/roles/octavia-controller-post-config/tasks/main.yml b/tripleo_ansible/roles/octavia-controller-post-config/tasks/main.yml new file mode 100644 index 000000000..247637860 --- /dev/null +++ b/tripleo_ansible/roles/octavia-controller-post-config/tasks/main.yml 
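Review bot: The `description` in this meta file names the role `octavia-overcloud-post-config`, but the role directory is `octavia-controller-post-config`; change it to `description: TripleO OpenStack Role -- octavia-controller-post-config` so Galaxy metadata and role name agree. The comment "Be sure to remove the '[]' above, if you add dependencies to this list" is stale generator boilerplate here and in the octavia-controller-config and octavia-overcloud-config meta files (there is no `[]` to remove); replacing it with a one-line "Roles that must run before this one" note would be clearer.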
@@ -0,0 +1,57 @@ +--- + +- name: Show debug information + debug: + msg: "Octavia services will be restarted because of updated configuration" + when: + - octavia_config_updated + +- name: create ip list + set_fact: + o_hm_ip_list: "{% for octavia_node in groups['octavia_nodes'] %}{{ hostvars[octavia_node].o_hm_ip }}, {%endfor%}" + +- name: create ip list (remove the last two characters) + set_fact: + o_hm_ip_list: "{{ o_hm_ip_list[:-2] }}" + +- name: read the current IP list + become: true + become_user: root + shell: | + awk -F '=' -e '/^controller_ip_port_list/ { print $2; }' "{{ octavia_confd_prefix }}/etc/octavia/conf.d/octavia-worker/worker-post-deploy.conf" + register: config_contents + failed_when: config_contents.rc != 0 + changed_when: false + ignore_errors: true + +- name: retrieve current ip list + set_fact: + current_ip_list: "{{ config_contents.stdout }}" + +# This isn't perfect as they execution order will make them not match, but we can avoid a restart +# if things have stayed the same. +- name: check if ip list needs updating + set_fact: + octavia_config_updated: true + when: + - current_ip_list != o_hm_ip_list + +- name: update octavia worker config file + become: true + become_user: root + ini_file: + section: "health_manager" + option: "controller_ip_port_list" + value: "{{ o_hm_ip_list }}" + path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/octavia-worker/worker-post-deploy.conf" + selevel: s0 + setype: svirt_sandbox_file_t + when: + - octavia_config_updated + +- name: restart octavia containers + become: true + become_user: root + shell: "{{ container_cli }} restart $(sudo {{ container_cli }} ps -f name=octavia -q)" + when: + - octavia_config_updated diff --git a/tripleo_ansible/roles/octavia-overcloud-config/meta/main.yml b/tripleo_ansible/roles/octavia-overcloud-config/meta/main.yml new file mode 100644 index 000000000..3877b2996 --- /dev/null +++ b/tripleo_ansible/roles/octavia-overcloud-config/meta/main.yml 
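Review bot: The restart task runs `shell: "{{ container_cli }} restart $(sudo {{ container_cli }} ps -f name=octavia -q)"` under `become: true` yet nests a second `sudo`, and `-f name=octavia` is a substring filter, so any container whose name merely contains "octavia" is restarted; drop the inner `sudo` and consider anchoring the filter (`name=^octavia`) if the container CLI supports it, or listing the intended containers explicitly. The two-step `o_hm_ip_list` construction (for-loop then `[:-2]`) can be a single expression: `o_hm_ip_list: "{{ groups['octavia_nodes'] | map('extract', hostvars, 'o_hm_ip') | join(', ') }}"`. The awk read combines `failed_when: config_contents.rc != 0` with `ignore_errors: true`, which makes the failure condition cosmetic; `failed_when: false` says the same thing without a red line in the output.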
@@ -0,0 +1,45 @@ +--- +# Copyright 2019 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +galaxy_info: + author: OpenStack + description: TripleO OpenStack Role -- octavia-overcloud-config + company: Red Hat + license: Apache-2.0 + min_ansible_version: 2.7 + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + platforms: + - name: Fedora + versions: + - 28 + - name: CentOS + versions: + - 7 + + galaxy_tags: + - tripleo + + +# List your role dependencies here, one per line. Be sure to remove the '[]' above, +# if you add dependencies to this list. +dependencies: + - octavia_common diff --git a/tripleo_ansible/roles/octavia-overcloud-config/tasks/certs_gen.yml b/tripleo_ansible/roles/octavia-overcloud-config/tasks/certs_gen.yml new file mode 100644 index 000000000..b410f47ac --- /dev/null +++ b/tripleo_ansible/roles/octavia-overcloud-config/tasks/certs_gen.yml 
@@ -0,0 +1,87 @@ +--- + +- name: delete temporary ssl directory + become: true + file: path={{ openssl_temp_dir }} state=absent + +- name: create temporary ssl directories + become: true + file: path={{ openssl_temp_dir }}/private recurse=yes + +- name: create temporary ssl newcerts directory + become: true + file: path={{ openssl_temp_dir }}/newcerts recurse=yes + +- name: create index.txt + become: true + copy: content="" dest={{ openssl_temp_dir }}/index.txt force=no + +- name: create serial file + become: true + copy: content="01" dest={{ openssl_temp_dir }}/serial + +- name: create openssl configuration file from template + become: true + copy: src="/etc/pki/tls/openssl.cnf" dest="{{ openssl_temp_dir }}/openssl.cnf" remote_src=yes + +- name: update openssl directory entry in the configuration file + become: true + ini_file: path="{{ openssl_temp_dir }}/openssl.cnf" section=" CA_default " option="dir" value="{{ openssl_temp_dir }}" + +- name: update openssl ca certificate file in the configuration file + become: true + replace: path="{{ openssl_temp_dir }}/openssl.cnf" regexp="cacert.pem" replace="ca_01.pem" + +- name: Generating certificate authority private key + become: true + shell: | + openssl genrsa -passout pass:{{ ca_passphrase }} -des3 -out {{ openssl_temp_dir }}/private/cakey.pem 2048 + +- name: Reading private key + become: true + shell: cat {{ openssl_temp_dir }}/private/cakey.pem + register: private_key_data + +- name: Setting private key fact + set_fact: + private_key_content: "{{ private_key_data.stdout }}" + +- name: Generating certificate authority certificate + become: true + shell: | + openssl req -x509 -passin pass:{{ ca_passphrase }} -new -nodes -key {{ openssl_temp_dir }}/private/cakey.pem \ + -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \ + -days 365 -config {{ openssl_temp_dir }}/openssl.cnf \ + -out {{ openssl_temp_dir }}/ca_01.pem + +- name: Reading CA certificate + become: true + shell: cat {{ openssl_temp_dir 
}}/ca_01.pem + register: ca_cert_data + +- name: Setting CA certificate fact + set_fact: + ca_cert_content: "{{ ca_cert_data.stdout }}" + +- name: Generating service private key & certificate request + become: true + shell: | + openssl req -newkey rsa:2048 -nodes -config {{ openssl_temp_dir }}/openssl.cnf -keyout {{ openssl_temp_dir }}/client.key \ + -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \ + -out {{ openssl_temp_dir }}/client.csr + +- name: Signing service certificate request + become: true + shell: | + openssl ca -config {{ openssl_temp_dir }}/openssl.cnf -passin pass:{{ ca_passphrase }} -in {{ openssl_temp_dir }}/client.csr \ + -days 365 -out {{ openssl_temp_dir }}/client-.pem -batch + +- name: Read service private key and public certifcate + become: true + shell: | + cat {{ openssl_temp_dir }}/client-.pem {{ openssl_temp_dir }}/client.key + register: service_key_data + +- name: Set service key fact + set_fact: + service_pem_content: "{{ service_key_data.stdout }}" diff --git a/tripleo_ansible/roles/octavia-overcloud-config/tasks/main.yml b/tripleo_ansible/roles/octavia-overcloud-config/tasks/main.yml new file mode 100644 index 000000000..c3fa50a6a --- /dev/null +++ b/tripleo_ansible/roles/octavia-overcloud-config/tasks/main.yml @@ -0,0 +1,10 @@ +--- + +# Previously was a stack in the overcloud +- include_tasks: network.yml + +- include_tasks: quotas.yml + +- include_tasks: certs_gen.yml + when: + - generate_certs | bool diff --git a/tripleo_ansible/roles/octavia-overcloud-config/tasks/network.yml b/tripleo_ansible/roles/octavia-overcloud-config/tasks/network.yml new file mode 100644 index 000000000..bbbcf89a0 --- /dev/null +++ b/tripleo_ansible/roles/octavia-overcloud-config/tasks/network.yml 
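Review bot: The CA passphrase and the generated private keys leak through task output in this hunk: `-passout pass:{{ ca_passphrase }}` and `-passin pass:{{ ca_passphrase }}` are part of the logged shell command line (and visible in the host's process list while openssl runs), and the `Reading private key`, `Setting private key fact`, `Read service private key and public certifcate` and `Set service key fact` tasks register and store PEM material in facts that are printed in verbose runs and by logging callbacks. Add `no_log: true` to each of those tasks, and prefer passing the passphrase with `-passout env:CA_PASS` / `-passin env:CA_PASS` from an `environment:` block instead of on the command line. The `private` directory under `{{ openssl_temp_dir }}` is created without an explicit mode, so `cakey.pem` inherits the umask; set `mode: "0700"` on that `file` task. The CA and service certificates are issued with a hard-coded `www.example.com` subject and a 365-day lifetime, which deserves a comment like `# placeholder subject/lifetime for the internal amphora CA; re-run with generate_certs to reissue` if that is intended.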
@@ -0,0 +1,103 @@ +--- +- name: create management network for load balancers + shell: | + if [[ $(openstack network show {{ lb_mgmt_net_name }} > /dev/null; echo $?) -eq 1 ]]; then + openstack network create -f value -c id {{ lb_mgmt_net_name }} + fi + register: out_lb_mgmt_net + changed_when: (out_lb_mgmt_net.stdout | length) > 0 + +- name: getting management network ID + shell: | + openstack network show {{ lb_mgmt_net_name }} -f value -c id + register: out_lb_mgmt_net_id + changed_when: false + +- name: setting management network ID fact + set_fact: + lb_mgmt_net_id: "{{ out_lb_mgmt_net_id.stdout }}" + +- name: create subnet + shell: | + set -o pipefail + if [[ $(openstack subnet show {{ lb_mgmt_subnet_name }} > /dev/null; echo $?) -eq 1 ]]; then + openstack subnet create {{ lb_mgmt_subnet_name }} \ + --allocation-pool=start={{ lb_mgmt_subnet_pool_start }},end={{ lb_mgmt_subnet_pool_end }} \ + --gateway={{ lb_mgmt_subnet_gateway }} \ + --network {{ lb_mgmt_net_id }} \ + --subnet-range {{ lb_mgmt_subnet_cidr }} + fi + register: lb_mgmt_subnet_result + changed_when: (lb_mgmt_subnet_result.stdout | length) > 0 + +- name: create security group (get the security group id) + shell: | + set -o pipefail + if [[ $(openstack security group show {{ lb_mgmt_sec_grp_name }} > /dev/null; echo $?) 
-eq 1 ]]; then + openstack security group create --project service --project-domain Default {{ lb_mgmt_sec_grp_name }} -f value -c id + else + openstack security group show {{ lb_mgmt_sec_grp_name }} -f value -c id + fi + register: lb_mgmt_secgroup_result + changed_when: (lb_mgmt_secgroup_result.stdout | length) > 0 + +- name: setting fact for management network security group + set_fact: + lb_mgmt_secgroup_id: "{{ lb_mgmt_secgroup_result.stdout }}" + +- name: create security group rule to open amphora management ssh port + shell: |- + set -o pipefail + SECGROUP="$(openstack security group rule list {{ lb_mgmt_sec_grp_name }} --protocol tcp \ + --ingress -f value 2>&1 | grep "0.0.0.0/0 22:22")" + if [[ -z "${SECGROUP}" ]]; then + openstack security group rule create --protocol tcp --dst-port 22 {{ lb_mgmt_sec_grp_name }} + fi + register: sec_group_rule_one + changed_when: (sec_group_rule_one.stdout | length) > 0 + environment: + OS_USERNAME: "{{ auth_username }}" + OS_PASSWORD: "{{ auth_password }}" + OS_PROJECT_NAME: "{{ auth_project_name }}" + +- name: create security group rule to open amphora management API port + shell: |- + set -o pipefail + SECGROUP="$(openstack security group rule list {{ lb_mgmt_sec_grp_name }} --protocol tcp \ + --ingress -f value 2>&1 | grep "0.0.0.0/0 9443:9443")" + if [[ -z "${SECGROUP}" ]]; then + openstack security group rule create --protocol tcp --dst-port 9443 {{ lb_mgmt_sec_grp_name }} + fi + register: sec_group_rule_two + changed_when: (sec_group_rule_two.stdout | length) > 0 + environment: + OS_USERNAME: "{{ auth_username }}" + OS_PASSWORD: "{{ auth_password }}" + OS_PROJECT_NAME: "{{ auth_project_name }}" + +- name: create security group for health manager + shell: |- + set -o pipefail + if [[ $(openstack security group show {{ lb_health_mgr_sec_grp_name }} > /dev/null; echo $?) 
-eq 1 ]]; then + openstack security group create --project service --project-domain Default {{ lb_health_mgr_sec_grp_name }} -f value -c id + else + openstack security group show {{ lb_health_mgr_sec_grp_name }} -f value -c id + fi + register: lb_health_manager_sec_grp_result + changed_when: (lb_health_manager_sec_grp_result.stdout | length) > 0 + +- name: create security group rule for health manager + shell: |- + set -o pipefail + SECGROUP="$(openstack security group rule list {{ lb_health_mgr_sec_grp_name }} \ + --protocol udp \ + --ingress -f value 2>&1 | grep "0.0.0.0/0 5555:5555")" + if [[ -z "${SECGROUP}" ]]; then + openstack security group rule create --protocol udp --dst-port 5555 {{ lb_health_mgr_sec_grp_name }} + fi + register: health_mgr_sec_grp_rule + changed_when: (health_mgr_sec_grp_rule.stdout | length) > 0 + environment: + OS_USERNAME: "{{ auth_username }}" + OS_PASSWORD: "{{ auth_password }}" + OS_PROJECT_NAME: "{{ auth_project_name }}" diff --git a/tripleo_ansible/roles/octavia-overcloud-config/tasks/quotas.yml b/tripleo_ansible/roles/octavia-overcloud-config/tasks/quotas.yml new file mode 100644 index 000000000..9a655a3a7 --- /dev/null +++ b/tripleo_ansible/roles/octavia-overcloud-config/tasks/quotas.yml @@ -0,0 +1,5 @@ +--- + +- name: increase quotas for project used for amphora + shell: | + openstack quota set --cores -1 --ram -1 --ports -1 --instances -1 --secgroups -1 --secgroup-rules -1 {{ auth_project_name }} diff --git a/tripleo_ansible/roles/octavia-undercloud/meta/main.yml b/tripleo_ansible/roles/octavia-undercloud/meta/main.yml new file mode 100644 index 000000000..2641c141f --- /dev/null +++ b/tripleo_ansible/roles/octavia-undercloud/meta/main.yml 
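Review bot: The three `security group rule create` calls in this hunk use the CLI's default remote prefix, so TCP 22, TCP 9443 and UDP 5555 are opened to `0.0.0.0/0` (the grep patterns confirm that is the expected rule) although the only intended peers are the Octavia controllers on the management network; `--remote-ip {{ lb_mgmt_subnet_cidr }}` on each create, with the grep patterns updated to match, narrows that. Because the rule-list command folds `2>&1` into the grep input, a CLI failure (auth error, missing group) makes `SECGROUP` non-empty and the rule is silently never created while the task reports success; dropping `2>&1` or checking the command's exit status first would surface it. The network, subnet and security-group creation tasks run without the `environment:` credentials that the rule tasks set, so they use whatever credentials the caller's environment holds, which looks deliberate given `--project service` but should be stated, e.g. `# network/subnet/groups are created with the caller's admin credentials; rules are added as the octavia user`.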
@@ -0,0 +1,45 @@ +--- +# Copyright 2019 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +galaxy_info: + author: OpenStack + description: TripleO OpenStack Role -- octavia-undercloud + company: Red Hat + license: Apache-2.0 + min_ansible_version: 2.7 + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + platforms: + - name: Fedora + versions: + - 28 + - name: CentOS + versions: + - 7 + + galaxy_tags: + - tripleo + + +# List your role dependencies here, one per line. Be sure to remove the '[]' above, +# if you add dependencies to this list. +dependencies: + - octavia_common diff --git a/tripleo_ansible/roles/octavia-undercloud/tasks/image_mgmt.yml b/tripleo_ansible/roles/octavia-undercloud/tasks/image_mgmt.yml new file mode 100644 index 000000000..c44b891ca --- /dev/null +++ b/tripleo_ansible/roles/octavia-undercloud/tasks/image_mgmt.yml 
@@ -0,0 +1,134 @@ +--- +- name: check if name is a symlink + stat: + path: "{{ image_filename }}" + register: symlnk_check + +- name: bypass image naming logic if image name is provided (backwards-compatibility) + set_fact: + amphora_image: "{{ amphora_image_name }}" + when: + - amphora_image_name is defined + - not ((amphora_image_name | length) < 1) + +- name: set the actual glance image name if it is a symlink + set_fact: + amphora_image: "{{ (symlnk_check.stat.lnk_target | basename | splitext)[0] }}" + when: + - amphora_image is undefined + - symlnk_check is defined and (symlnk_check.stat.islnk | bool) + +- name: set the actual glance image name if it is not a symlink + set_fact: + amphora_image: "{{ (image_file_result.stat.path | basename | splitext)[0] }}" + when: + - amphora_image is undefined + - (image_file_result.stat.exists | bool) and (not (symlnk_check.stat.islnk | bool)) + +- name: gather facts about the service project + shell: | + openstack project show "{{ auth_project_name }}" -c id -f value + register: project_id_result + +- name: check there's an image in glance already + shell: | + openstack image list --property owner={{ project_id_result.stdout }} --private --name {{ amphora_image }} -c ID -f value + environment: + OS_USERNAME: "{{ auth_username }}" + OS_PASSWORD: "{{ auth_password }}" + OS_PROJECT_NAME: "{{ auth_project_name }}" + register: glance_id_result + ignore_errors: true + +- name: set image id fact + set_fact: + image_id: "{{ glance_id_result.stdout }}" + when: + - glance_id_result.rc == 0 + +- name: get checksum if there's an image in glance already + shell: | + openstack image show {{ glance_id_result.stdout }} -c checksum -f value + environment: + OS_USERNAME: "{{ auth_username }}" + OS_PASSWORD: "{{ auth_password }}" + OS_PROJECT_NAME: "{{ auth_project_name }}" + when: + - image_id is defined + register: glance_results + ignore_errors: true + +- name: set current_md5 fact from glance if image already exists there + set_fact: + 
current_md5: "{{ glance_results.stdout }}" + when: + - glance_results.rc == 0 + +- name: determine if the image needs to be replaced + set_fact: + replace_image: "{{ current_md5 != image_file_result.stat.md5 }}" + when: + - current_md5 is defined + +- name: move existing image if the names match and the md5s are not the same + shell: | + ts=`openstack image show {{ image_id }} -f value -c created_at` + ts=${ts//:/} + ts=${ts//-/} + openstack image set {{ image_id }} --name "{{ amphora_image }}_$ts" + environment: + OS_USERNAME: "{{ auth_username }}" + OS_PASSWORD: "{{ auth_password }}" + OS_PROJECT_NAME: "{{ auth_project_name }}" + when: + - replace_image is defined and replace_image | bool + +- name: decide whether to upload new image + set_fact: + upload_image: true + when: + - (current_md5 is not defined) or (replace_image is defined and replace_image | bool) + +- block: + - name: create temporary directory + tempfile: + state: directory + register: amp_tmp_dir + + - name: set RAW file name + set_fact: + raw_filename: "{{ amp_tmp_dir.path }}/{{ image_filename|splitext|first|basename }}.img" + + - name: convert image from qcow2 to raw + shell: | + qemu-img convert -f qcow2 -O raw {{ image_filename }} {{ raw_filename }} + + - name: setting amphora format to raw + set_fact: + raw_format: raw + when: + - amp_to_raw | bool + +- name: upload image to glance + shell: | + openstack image create --disk-format {{ raw_format|default('qcow2') }} \ + --container-format bare --tag {{ amp_image_tag }} \ + --file {{ raw_filename|default(image_filename) }} \ + --property hw_architecture={{ amp_hw_arch }} \ + --private {{ amphora_image }} + environment: + OS_USERNAME: "{{ auth_username }}" + OS_PASSWORD: "{{ auth_password }}" + OS_PROJECT_NAME: "{{ auth_project_name }}" + register: image_result + changed_when: (image_result.stdout | length) < 1 + when: + - image_file_result.stat.exists | bool + - upload_image is defined + +- name: delete converted raw image + file: + path: "{{ 
amp_tmp_dir.path }}" + state: absent + when: + - amp_to_raw | bool diff --git a/tripleo_ansible/roles/octavia-undercloud/tasks/main.yml b/tripleo_ansible/roles/octavia-undercloud/tasks/main.yml new file mode 100644 index 000000000..d2053f1c7 --- /dev/null +++ b/tripleo_ansible/roles/octavia-undercloud/tasks/main.yml 
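Review bot: `changed_when: (image_result.stdout | length) < 1` on the `upload image to glance` task appears inverted: `openstack image create` prints the image properties on success, so a real upload is reported as unchanged; `changed_when: (image_result.stdout | length) > 0` is the form the rest of the patch uses. The `bypass image naming logic` task keys on `amphora_image_name`, while the defaults file added in this patch declares `amp_image_name`, so the override only fires if callers pass the longer name; confirm which one is the contract and align them. `set image id fact` sets `image_id` whenever the list command exits 0, including when it prints nothing, so `get checksum` then runs `image show` with an empty id and relies on `ignore_errors` to recover; adding `- (glance_id_result.stdout | length) > 0` to its `when` makes the intent explicit. A comment such as `# an existing image with the same name but a different md5 is renamed with its creation timestamp, never deleted` would document the replacement lifecycle.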
@@ -0,0 +1,76 @@ +--- + +- name: set file if already set by heat variable (backwards-compatibility) + set_fact: + image_filename: "{{ amp_image_filename }}" + when: + - amp_image_filename is defined and + - not ((amp_image_filename | length) < 1) + +- name: set location if CentOS + set_fact: + image_filename: "/usr/share/openstack-octavia-amphora-images/amphora-x64-haproxy.qcow2" + when: + - ansible_distribution == 'CentOS' + - not (image_filename is defined) + +- name: set location if Red Hat + set_fact: + image_filename: "/usr/share/openstack-octavia-amphora-images/octavia-amphora.qcow2" + when: + - ansible_distribution == 'RedHat' + - not (image_filename is defined) + +- name: check if amphora image file exists + stat: + path: "{{ image_filename }}" + follow: true + get_md5: true + register: image_file_result + +- include_tasks: image_mgmt.yml + when: + - image_file_result.stat.exists | bool + +- name: use ssh pub key file if provided and is readable + block: + - name: check if pub key file exists + stat: path="{{ amp_ssh_key_path }}" + register: key_file_result + ignore_errors: true + + - name: fail if ssh pub key file does not exist or is not readable + fail: msg="{{ amp_ssh_key_path }} does not exist or is not readable by user {{ ansible_user }}" + when: + - (key_file_result | failed) or (not (key_file_result.stat.exists | bool)) or (not (key_file_result.stat.readable | bool)) + + - name: Set final key fact + set_fact: + amp_ssh_key_path_final: "{{ amp_ssh_key_path }}" + when: + - amp_ssh_key_path is defined + - (amp_ssh_key_path | length) > 0 + +- name: defaulting to public key from undercloud default keypair + block: + - name: create temp pub key file + tempfile: state=file + register: ssh_key_tmp_file + + - name: copy ssh public key content to temp file + copy: content="{{ amp_ssh_key_data }}" dest="{{ ssh_key_tmp_file.path }}" + + - name: Set final key fact + set_fact: + amp_ssh_key_path_final: "{{ ssh_key_tmp_file.path }}" + when: + - amp_ssh_key_path is 
not defined or ((amp_ssh_key_path | length) < 1) + +- name: upload pub key to overcloud + shell: |- + openstack keypair show {{ amp_ssh_key_name }} || \ + openstack keypair create --public-key {{ amp_ssh_key_path_final }} {{ amp_ssh_key_name }} + environment: + OS_USERNAME: "{{ auth_username }}" + OS_PASSWORD: "{{ auth_password }}" + OS_PROJECT_NAME: "{{ auth_project_name }}" diff --git a/tripleo_ansible/roles/octavia_common/defaults/main.yml b/tripleo_ansible/roles/octavia_common/defaults/main.yml new file mode 100644 index 000000000..84b0f0c8d --- /dev/null +++ b/tripleo_ansible/roles/octavia_common/defaults/main.yml @@ -0,0 +1,19 @@ +--- +amp_image_name: "" +amp_image_filename: "" +amp_image_tag: "amphora-image" +amp_ssh_key_name: "octavia-ssh-key" +amp_ssh_key_path: "" +amp_to_raw: false +amp_hw_arch: "x86_64" +auth_username: "octavia" +auth_project_name: "service" +lb_mgmt_net_name: "lb-mgmt-net" +lb_mgmt_subnet_name: "lb-mgmt-subnet" +lb_mgmt_subnet_cidr: "172.24.0.0/16" +lb_mgmt_subnet_gateway: "172.24.0.1" +lb_mgmt_subnet_pool_start: "172.24.0.2" +lb_mgmt_subnet_pool_end: "172.24.255.254" +lb_mgmt_sec_grp_name: "lb-mgmt-sec-grp" +lb_health_mgr_sec_grp_name: "lb-health-mgr-sec-grp" +mgmt_port_dev: "o-hm0" diff --git a/tripleo_ansible/roles/octavia_common/meta/main.yml b/tripleo_ansible/roles/octavia_common/meta/main.yml new file mode 100644 index 000000000..9c55c4081 --- /dev/null +++ b/tripleo_ansible/roles/octavia_common/meta/main.yml 
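Review bot: In the first task of this hunk the `when` element `amp_image_filename is defined and` ends with a dangling `and`, which leaves that entry an incomplete Jinja expression (Ansible evaluates each list element as its own conditional), so the task errors before the backwards-compatibility override can apply; the two lines should read `- amp_image_filename is defined` / `- not ((amp_image_filename | length) < 1)`. The pub-key block uses `(key_file_result | failed)`, a filter deprecated since Ansible 2.5 in favour of the test form; `key_file_result is failed` keeps the block working on later releases. `get_md5: true` on the `stat` task is likewise deprecated and removed in later releases; `checksum_algorithm: md5` with `image_file_result.stat.checksum` gives the same value. `upload pub key to overcloud` has no `changed_when`, so it reports changed on every run even when `keypair show` already succeeds; splitting it into a registered `keypair show` task and a `keypair create` task conditioned on its `rc` would report accurately.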
@@ -0,0 +1,44 @@ +--- +# Copyright 2019 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +galaxy_info: + author: OpenStack + description: TripleO OpenStack Role -- octavia_common + company: Red Hat + license: Apache-2.0 + min_ansible_version: 2.7 + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + platforms: + - name: Fedora + versions: + - 28 + - name: CentOS + versions: + - 7 + + galaxy_tags: + - tripleo + + +# List your role dependencies here, one per line. Be sure to remove the '[]' above, +# if you add dependencies to this list. +dependencies: []