When a user creates an HA load balancer in Octavia, Octavia creates
server groups as part of the load balancer resources. However, because
the default quotas related to server groups are very low and we have all
load balancer resources in the common service project, users can create
only a very limited number of HA load balancers by default.

This patch disables the quota limits of the server-group-members and
server-groups of the service project, so that HA load balancer creation
is not blocked by these quotas.

Closes-Bug: #1914018
Change-Id: I0048fec8c1e19bd20b1edcd23f2490456fe1cd12

Use environment variables for passphrases in openssl related tasks in
Octavia roles. It hides plain text passphrases from deployment logs.

Change-Id: I153b56ad19c9a9f6eea23a0a64eb78c02cbe30ce
Closes-Bug: 1889523

The current validity period of the Octavia CA and certificates is one
year; this is too short for cloud deployments: Octavia services can no
longer control a load balancer that has been running for more than one
year (the dataplane still works, but cannot be configured).

This commit defines these values:
- Octavia CA validity period is 50 years.
- Octavia client certificate validity period is 10 years.

For existing deployments, the existing CA private key is fetched from
controllers, is updated using AES256 cipher if needed, then the key is
used to generate a new CA. Using an existing private key for this CA
allows keeping compatibility with existing client certificates.

Change-Id: I435c86306ecd5e0cafeda9d8d468483b7a34f040
Related-Bug: #1869203
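
The renewal described in the commit message above, as an added example that is not code from the commit or from the project's roles: a CA reissued from the same private key still validates client certificates signed under the old CA, while a CA with a fresh key does not. File names, subject names and the passphrase value are constructed assumptions; passphrases are passed with `env:` as in the earlier passphrase commit.

```shell
#!/bin/sh
# Constructed demo: file names, subjects and the passphrase value are assumptions.
renew_ca_demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        exec >/dev/null 2>&1
        # The passphrase is read from the environment (env:), so it is not
        # part of any command line that a task log or `ps` would record.
        CA_PASS='constructed-demo-passphrase'; export CA_PASS

        # "Existing deployment": encrypted CA key, one-year CA, one client cert.
        openssl genrsa -aes128 -passout env:CA_PASS -out ca.key 2048 || exit 1
        openssl req -x509 -new -key ca.key -passin env:CA_PASS -days 365 \
            -subj "/CN=Demo Octavia CA" -out ca_old.pem || exit 1
        openssl req -new -newkey rsa:2048 -nodes -keyout client.key \
            -subj "/CN=demo-client" -out client.csr || exit 1
        openssl x509 -req -in client.csr -CA ca_old.pem -CAkey ca.key \
            -passin env:CA_PASS -CAcreateserial -days 365 -out client.pem || exit 1

        # Renewal: re-encrypt the same key with AES256, issue a 50-year CA from it.
        openssl rsa -in ca.key -passin env:CA_PASS -aes256 \
            -passout env:CA_PASS -out ca_renewed.key || exit 1
        openssl req -x509 -new -key ca_renewed.key -passin env:CA_PASS \
            -days 18250 -subj "/CN=Demo Octavia CA" -out ca_renewed.pem || exit 1

        # Control: a CA with the same subject but a fresh key.
        openssl req -x509 -new -newkey rsa:2048 -nodes -keyout other.key \
            -days 18250 -subj "/CN=Demo Octavia CA" -out ca_other.pem || exit 1

        # Expected: client cert chains to the renewed CA, not to the control.
        openssl verify -CAfile ca_renewed.pem client.pem || exit 1
        ! openssl verify -CAfile ca_other.pem client.pem
    )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

renew_ca_demo && echo "existing client cert verifies against the renewed CA only"
```
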

Adds an octavia related role to pick up CA (cert and private key pairs)
and client certificate from controllers and modifies existing roles to
use them instead of generating new ones.

Depends-On: https://review.opendev.org/714982
Change-Id: I5c18a59bf11e3915ef5f88c1eb2af1b4713af35b
Co-Authored-By: Gregory Thiemonge <gthiemon@redhat.com>
Related-Bug: #1849548
Related-Bug: #1849550

This change replaces all of the role references in our various files with the
new role name. This is being done because Ansible no longer allows hyphens in
role names.

Change-Id: Ie899714aca49781ccd240bb259901d76f177d2ae
Signed-off-by: Kevin Carter <kecarter@redhat.com>

All roles that have a hyphen in them need to be renamed to use an
underscore. This change creates a symlink to all roles using their
original name which will ensure we maintain compatibility with
the rest of the TripleO stack. This is being done because roles with
hyphens are no longer valid within collections.

A temp PBR update has been made to accommodate all of the symlinks to
the legacy role names.

[0] https://docs.ansible.com/ansible/devel/dev_guide/developing_collections.html#roles-directory

Change-Id: Id00a3670351990e5489a297c4c7200f8c05af096
Signed-off-by: Kevin Carter <kecarter@redhat.com>