Merge "Run Octavia configuration on the overcloud"

2018-01-22 19:50:12 +00:00 · 2018-01-22 19:50:12 +00:00 · 2ebc2ee3af
parent 23aa82de04 9d692aaa2f
commit 2ebc2ee3af
9 changed files with 188 additions and 6 deletions
--- a/docker/services/octavia-worker.yaml
+++ b/docker/services/octavia-worker.yaml
@ -66,7 +66,10 @@ outputs:
        config_volume: octavia
        puppet_tags: octavia_config
        step_config:
-          get_attr: [OctaviaWorkerPuppetBase, role_data, step_config]
+          list_join:
+            - "\n"
+            - - "['nova_flavor'].each |String $val| { noop_resource($val) }"
+              - {get_attr: [OctaviaWorkerPuppetBase, role_data, step_config]}
        config_image: {get_param: DockerOctaviaConfigImage}
      kolla_config:
        /var/lib/kolla/config_files/octavia_worker.json:
@ -108,6 +111,15 @@ outputs:
                  - /var/log/containers/octavia:/var/log/octavia
            environment:
              - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+      docker_puppet_tasks:
+        step_5:
+          config_volume: octavia
+          puppet_tags: nova_flavor
+          step_config:
+            get_attr: [OctaviaWorkerPuppetBase, role_data, step_config]
+          config_image: {get_param: DockerOctaviaConfigImage}
+          volumes:
+            - /var/lib/config-data/puppet-generated/nova/etc/nova:/etc/nova:ro
      host_prep_tasks:
        - name: create persistent logs directory
          file:
@ -120,6 +132,13 @@ outputs:
              Log files from octavia containers can be found under
              /var/log/containers/octavia and /var/log/containers/httpd/octavia-api.
          ignore_errors: true
+        - name: Ensure packages required for configuring octavia are present
+          yum: name={{item}}  state=present
+          tags: step4
+          with_items:
+            - python2-neutronclient
+            - python2-openstackclient
+            - openssl
      upgrade_tasks:
        - name: Stop and disable octavia_worker service
          when: step|int == 2
--- a/docker/services/octavia/octavia-deployment-config.yaml
+++ b/docker/services/octavia/octavia-deployment-config.yaml
@ -0,0 +1,155 @@
+heat_template_version: pike
+
+description: >
+  Configuration of Octavia as-a-service resources in the overcloud.
+
+parameters:
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  OctaviaPostWorkflowName:
+    description: Mistral workflow name for octavia configuration steps
+                 once the overcloud is ready.
+    type: string
+    default: 'tripleo.octavia_post.v1.octavia_post_deploy'
+  OctaviaAmphoraImageName:
+    description: The glance image name used when spawning amphorae
+    type: string
+    default: 'octavia-amphora'
+  OctaviaAmphoraImageFilename:
+    description: Filename for the amphora image
+    type: string
+    default: '/usr/share/openstack-octavia-amphora-images/amphora-x64-haproxy.qcow2'
+  OctaviaAmphoraImageTag:
+    default: 'amphora-image'
+    description: Glance image tag for identifying the amphora image.
+    type: string
+  OctaviaControlNetwork:
+    description: The name for the neutron network used for the amphora
+                 control network
+    type: string
+    default: 'lb-mgmt-net'
+  OctaviaControlSubnet:
+    description: The name for the neutron subnet used for the amphora
+      control network
+    type: string
+    default: 'lb-mgmt-subnet'
+  OctaviaControlSecurityGroup:
+    description: The name for the neutron security group used to
+      control access on the amphora control network
+    type: string
+    default: 'lb-mgmt-sec-group'
+  OctaviaControlSubnetCidr:
+    description: Subnet for amphora control subnet in CIDR form.
+    type: string
+    default: '192.168.199.0/24'
+  OctaviaControlSubnetGateway:
+    description: IP address for control network gateway
+    type: string
+    default: '192.168.199.1'
+  OctaviaControlSubnetPoolStart:
+    description: First address in amphora control subnet address
+                 pool.
+    type: string
+    default: '192.168.199.50'
+  OctaviaControlSubnetPoolEnd:
+    description: First address in amphora control subnet address
+                 pool.
+    type: string
+    default: '192.168.199.200'
+  OctaviaCaCertFile:
+    type: string
+    default: '/etc/octavia/certs/ca_01.pem'
+    description: Octavia CA certificate file path.
+  OctaviaCaKeyFile:
+    type: string
+    default: '/etc/octavia/certs/private/cakey.pem'
+    description: Octavia CA private key file path.
+  OctaviaCaKeyPassphrase:
+    description: CA private key passphrase.
+    type: string
+    hidden: true
+  OctaviaClientCertFile:
+    default: '/etc/octavia/certs/client.pem'
+    description: client certificate for amphoras
+    type: string
+  OctaviaGenerateCerts:
+    type: boolean
+    default: false
+    description: Enable internal generation of certificates for secure
+                 communication with amphorae for isolated private clouds or
+                 systems where security is not a concern. Otherwise, use
+                 OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase and
+                 OctaviaClientCert to configure Octavia.
+  OctaviaMgmtPortDevName:
+    type: string
+    default: "o-hm0"
+    description: Name of the octavia management network interface using
+                 for communication between octavia worker/health-manager
+                 with the amphora machine.
+  AdminPassword:
+    description: The password for the keystone admin account, used for monitoring, querying neutron etc.
+    type: string
+    hidden: true
+
+outputs:
+  role_data:
+    description: Role data for the Octavia configuration service
+    value:
+      service_name: octavia_deployment_config
+      upgrade_tasks: []
+      puppet_config:
+        config_image: ''
+        config_volume: ''
+        step_config: ''
+      docker_config: {}
+      config_settings: {}
+      workflow_tasks:
+        step5:
+          - name: octavia_post_workflow
+            workflow: { get_param: OctaviaPostWorkflowName }
+            input:
+              amp_image_name: { get_param: OctaviaAmphoraImageName }
+              amp_image_filename: {get_param: OctaviaAmphoraImageFilename }
+              amp_image_tag: { get_param: OctaviaAmphoraImageTag }
+              lb_mgmt_net_name: { get_param: OctaviaControlNetwork }
+              lb_mgmt_subnet_name: { get_param: OctaviaControlSubnet }
+              lb_sec_group_name: { get_param: OctaviaControlSubnet }
+              lb_mgmt_subnet_cidr: { get_param: OctaviaControlSubnetCidr }
+              lb_mgmt_subnet_gateway: { get_param: OctaviaControlSubnetGateway }
+              lb_mgmt_subnet_pool_start: { get_param: OctaviaControlSubnetPoolStart }
+              lb_mgmt_subnet_pool_end: { get_param: OctaviaControlSubnetPoolEnd }
+              ca_cert_path: { get_param: OctaviaCaCertFile }
+              ca_private_key_path: { get_param: OctaviaCaKeyFile }
+              ca_passphrase: { get_param: OctaviaCaKeyPassphrase }
+              client_cert_path: { get_param: OctaviaClientCertFile }
+              generate_certs: { get_param: OctaviaGenerateCerts }
+              mgmt_port_dev: { get_param: OctaviaMgmtPortDevName }
+              overcloud_password: { get_param: AdminPassword }
+              overcloud_project: 'admin'
+              overcloud_admin: 'admin'
+              octavia_ansible_playbook: '/usr/share/tripleo-common/playbooks/octavia-files.yaml'
+              overcloud_pub_auth_uri: { get_param: [EndpointMap, KeystoneV3Public, uri] }
--- a/environments/services-docker/octavia.yaml
+++ b/environments/services-docker/octavia.yaml
@ -3,11 +3,14 @@ resource_registry:
  OS::TripleO::Services::OctaviaHousekeeping: ../../docker/services/octavia-housekeeping.yaml
  OS::TripleO::Services::OctaviaHealthManager: ../../docker/services/octavia-health-manager.yaml
  OS::TripleO::Services::OctaviaWorker: ../../docker/services/octavia-worker.yaml
+  OS::TripleO::Services::OctaviaDeploymentConfig: ../../docker/services/octavia/octavia-deployment-config.yaml

 parameter_defaults:
    NeutronServicePlugins: "qos,router,trunk,lbaasv2"
    NeutronEnableForceMetadata: true
-    OctaviaCaCertFile: '/etc/octavia/certs/ca_01.pem'
-    OctaviaCaKeyFile: '/etc/octavia/certs/private/cakey.pem'
-    OctaviaCaKeyPassphrase: 'foobar'
-    OctaviaClientCertFile: '/etc/octavia/certs/client.pem'
+
+    # This flag enables internal generation of certificates for communication
+    # with amphorae. Use OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase
+    # and OctaviaClient cert to configure secure production environments.
+    OctaviaGenerateCerts: true
+
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@ -303,6 +303,7 @@ resource_registry:
  OS::TripleO::Services::OctaviaHealthManager: OS::Heat::None
  OS::TripleO::Services::OctaviaHousekeeping: OS::Heat::None
  OS::TripleO::Services::OctaviaWorker: OS::Heat::None
+  OS::TripleO::Services::OctaviaDeploymentConfig: OS::Heat::None
  OS::TripleO::Services::MySQLClient: puppet/services/database/mysql-client.yaml
  OS::TripleO::Services::Vpp: OS::Heat::None
  OS::TripleO::Services::NeutronVppAgent: OS::Heat::None
--- a/puppet/services/octavia-worker.yaml
+++ b/puppet/services/octavia-worker.yaml
@ -60,7 +60,7 @@ parameters:
    description: Dictionary describing the nova flavor for amphora.
    type: json
  OctaviaManageNovaFlavor:
-    default: false
+    default: true
    description: Configure the nova flavor for the amphora.
    type: boolean
  OctaviaClientCertFile:
--- a/roles/Controller.yaml
+++ b/roles/Controller.yaml
@ -121,6 +121,7 @@
    - OS::TripleO::Services::Ntp
    - OS::TripleO::Services::ContainersLogrotateCrond
    - OS::TripleO::Services::OctaviaApi
+    - OS::TripleO::Services::OctaviaDeploymentConfig
    - OS::TripleO::Services::OctaviaHealthManager
    - OS::TripleO::Services::OctaviaHousekeeping
    - OS::TripleO::Services::OctaviaWorker
--- a/roles/ControllerNoCeph.yaml
+++ b/roles/ControllerNoCeph.yaml
@ -117,6 +117,7 @@
    - OS::TripleO::Services::Ntp
    - OS::TripleO::Services::ContainersLogrotateCrond
    - OS::TripleO::Services::OctaviaApi
+    - OS::TripleO::Services::OctaviaDeploymentConfig
    - OS::TripleO::Services::OctaviaHealthManager
    - OS::TripleO::Services::OctaviaHousekeeping
    - OS::TripleO::Services::OctaviaWorker
--- a/roles/ControllerOpenstack.yaml
+++ b/roles/ControllerOpenstack.yaml
@ -95,6 +95,7 @@
    - OS::TripleO::Services::Ntp
    - OS::TripleO::Services::ContainersLogrotateCrond
    - OS::TripleO::Services::OctaviaApi
+    - OS::TripleO::Services::OctaviaDeploymentConfig
    - OS::TripleO::Services::OctaviaHealthManager
    - OS::TripleO::Services::OctaviaHousekeeping
    - OS::TripleO::Services::OctaviaWorker
--- a/roles_data.yaml
+++ b/roles_data.yaml
@ -124,6 +124,7 @@
    - OS::TripleO::Services::Ntp
    - OS::TripleO::Services::ContainersLogrotateCrond
    - OS::TripleO::Services::OctaviaApi
+    - OS::TripleO::Services::OctaviaDeploymentConfig
    - OS::TripleO::Services::OctaviaHealthManager
    - OS::TripleO::Services::OctaviaHousekeeping
    - OS::TripleO::Services::OctaviaWorker