From 9d692aaa2fef3c9ea25d3f0c45e5d32a48721116 Mon Sep 17 00:00:00 2001 From: Or Idgar Date: Mon, 25 Sep 2017 13:09:40 +0000 Subject: [PATCH] Run Octavia configuration on the overcloud Fully configuring Octavia requires resources such as the load balancer management network and amphora image to be created in the overcloud during deployment. This is handled through some ansible driven through a mistral workflow. This patch enables configuring and triggering this workflow from heat. Co-Authored-By: Brent Eagles Depends-on: If07ded033be9f44b7c7a7e09214032fa89a02e77 Change-Id: I2d10dbd33b3a0ed0463096849d01aa2c1b9f293e --- docker/services/octavia-worker.yaml | 21 ++- .../octavia/octavia-deployment-config.yaml | 155 ++++++++++++++++++ environments/services-docker/octavia.yaml | 11 +- overcloud-resource-registry-puppet.j2.yaml | 1 + puppet/services/octavia-worker.yaml | 2 +- roles/Controller.yaml | 1 + roles/ControllerNoCeph.yaml | 1 + roles/ControllerOpenstack.yaml | 1 + roles_data.yaml | 1 + 9 files changed, 188 insertions(+), 6 deletions(-) create mode 100644 docker/services/octavia/octavia-deployment-config.yaml diff --git a/docker/services/octavia-worker.yaml b/docker/services/octavia-worker.yaml index 19ee74aaf7..f42e60a2ab 100644 --- a/docker/services/octavia-worker.yaml +++ b/docker/services/octavia-worker.yaml @@ -66,7 +66,10 @@ outputs: config_volume: octavia puppet_tags: octavia_config step_config: - get_attr: [OctaviaWorkerPuppetBase, role_data, step_config] + list_join: + - "\n" + - - "['nova_flavor'].each |String $val| { noop_resource($val) }" + - {get_attr: [OctaviaWorkerPuppetBase, role_data, step_config]} config_image: {get_param: DockerOctaviaConfigImage} kolla_config: /var/lib/kolla/config_files/octavia_worker.json: 
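Review bot: The `list_join` that now builds `step_config` in docker/services/octavia-worker.yaml prepends a Puppet line turning every `nova_flavor` resource into a `noop_resource`, and nothing in the template says why. A reader cannot tell that the flavor is presumably deferred to the `docker_puppet_tasks` entry added further down in the same file. A comment above the `list_join` would make that explicit, for example `# nova_flavor is stubbed out here; it is applied later by docker_puppet_tasks (step_5)`. The enclosing `outputs` mapping starts and ends outside this hunk.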
@@ -108,6 +111,15 @@ outputs: - /var/log/containers/octavia:/var/log/octavia environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + docker_puppet_tasks: + step_5: + config_volume: octavia + puppet_tags: nova_flavor + step_config: + get_attr: [OctaviaWorkerPuppetBase, role_data, step_config] + config_image: {get_param: DockerOctaviaConfigImage} + volumes: + - /var/lib/config-data/puppet-generated/nova/etc/nova:/etc/nova:ro host_prep_tasks: - name: create persistent logs directory file: @@ -120,6 +132,13 @@ outputs: Log files from octavia containers can be found under /var/log/containers/octavia and /var/log/containers/httpd/octavia-api. ignore_errors: true + - name: Ensure packages required for configuring octavia are present + yum: name={{item}} state=present + tags: step4 + with_items: + - python2-neutronclient + - python2-openstackclient + - openssl upgrade_tasks: - name: Stop and disable octavia_worker service when: step|int == 2 diff --git a/docker/services/octavia/octavia-deployment-config.yaml b/docker/services/octavia/octavia-deployment-config.yaml new file mode 100644 index 0000000000..2ecc7b0f7f --- /dev/null +++ b/docker/services/octavia/octavia-deployment-config.yaml 
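Review bot: The `volumes` entry under `docker_puppet_tasks.step_5` bind-mounts nova's generated configuration directory into the container started from `DockerOctaviaConfigImage`, with no comment on why an Octavia task needs another service's config. That directory usually carries service credentials, so the reason for the mount and its read-only mode should be recorded. Presumably the `nova_flavor` provider reads its auth settings from `/etc/nova`; if so, a comment such as `# nova_flavor provider reads auth settings from /etc/nova; keep this mount read-only` above the list item would document it. Note that `step_config` here reuses the base `step_config` without the `noop_resource` stub, which looks intentional but is also unstated.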
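Review bot: The `Ensure packages required for configuring octavia are present` task added to `host_prep_tasks` passes its arguments as an inline `key=value` string with an unquoted Jinja expression, `yum: name={{item}} state=present`. The native mapping form is easier to lint and avoids quoting surprises: `yum:` followed by `name: "{{ item }}"` and `state: present`. The task also carries `tags: step4` while the neighbouring tasks visible in the hunk have no tag, so it is worth confirming that the tag is honoured for `host_prep_tasks`.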
@@ -0,0 +1,155 @@
+heat_template_version: pike
+
+description: >
+ Configuration of Octavia as-a-service resources in the overcloud.
+
+parameters:
+ ServiceData:
+ default: {}
+ description: Dictionary packing service data
+ type: json
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ OctaviaPostWorkflowName:
+ description: Mistral workflow name for octavia configuration steps
+ once the overcloud is ready.
+ type: string
+ default: 'tripleo.octavia_post.v1.octavia_post_deploy'
+ OctaviaAmphoraImageName:
+ description: The glance image name used when spawning amphorae
+ type: string
+ default: 'octavia-amphora'
+ OctaviaAmphoraImageFilename:
+ description: Filename for the amphora image
+ type: string
+ default: '/usr/share/openstack-octavia-amphora-images/amphora-x64-haproxy.qcow2'
+ OctaviaAmphoraImageTag:
+ default: 'amphora-image'
+ description: Glance image tag for identifying the amphora image.
+ type: string
+ OctaviaControlNetwork:
+ description: The name for the neutron network used for the amphora
+ control network
+ type: string
+ default: 'lb-mgmt-net'
+ OctaviaControlSubnet:
+ description: The name for the neutron subnet used for the amphora
+ control network
+ type: string
+ default: 'lb-mgmt-subnet'
+ OctaviaControlSecurityGroup:
+ description: The name for the neutron security group used to
+ control access on the amphora control network
+ type: string
+ default: 'lb-mgmt-sec-group'
+ OctaviaControlSubnetCidr:
+ description: Subnet for amphora control subnet in CIDR form.
+ type: string
+ default: '192.168.199.0/24'
+ OctaviaControlSubnetGateway:
+ description: IP address for control network gateway
+ type: string
+ default: '192.168.199.1'
+ OctaviaControlSubnetPoolStart:
+ description: First address in amphora control subnet address
+ pool.
+ type: string
+ default: '192.168.199.50'
+ OctaviaControlSubnetPoolEnd:
+ description: First address in amphora control subnet address
+ pool.
+ type: string
+ default: '192.168.199.200'
+ OctaviaCaCertFile:
+ type: string
+ default: '/etc/octavia/certs/ca_01.pem'
+ description: Octavia CA certificate file path.
+ OctaviaCaKeyFile:
+ type: string
+ default: '/etc/octavia/certs/private/cakey.pem'
+ description: Octavia CA private key file path.
+ OctaviaCaKeyPassphrase:
+ description: CA private key passphrase.
+ type: string
+ hidden: true
+ OctaviaClientCertFile:
+ default: '/etc/octavia/certs/client.pem'
+ description: client certificate for amphoras
+ type: string
+ OctaviaGenerateCerts:
+ type: boolean
+ default: false
+ description: Enable internal generation of certificates for secure
+ communication with amphorae for isolated private clouds or
+ systems where security is not a concern. Otherwise, use
+ OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase and
+ OctaviaClientCert to configure Octavia.
+ OctaviaMgmtPortDevName:
+ type: string
+ default: "o-hm0"
+ description: Name of the octavia management network interface using
+ for communication between octavia worker/health-manager
+ with the amphora machine.
+ AdminPassword:
+ description: The password for the keystone admin account, used for monitoring, querying neutron etc.
+ type: string
+ hidden: true
+
+outputs:
+ role_data:
+ description: Role data for the Octavia configuration service
+ value:
+ service_name: octavia_deployment_config
+ upgrade_tasks: []
+ puppet_config:
+ config_image: ''
+ config_volume: ''
+ step_config: ''
+ docker_config: {}
+ config_settings: {}
+ workflow_tasks:
+ step5:
+ - name: octavia_post_workflow
+ workflow: { get_param: OctaviaPostWorkflowName }
+ input:
+ amp_image_name: { get_param: OctaviaAmphoraImageName }
+ amp_image_filename: {get_param: OctaviaAmphoraImageFilename }
+ amp_image_tag: { get_param: OctaviaAmphoraImageTag }
+ lb_mgmt_net_name: { get_param: OctaviaControlNetwork }
+ lb_mgmt_subnet_name: { get_param: OctaviaControlSubnet }
+ lb_sec_group_name: { get_param: OctaviaControlSubnet }
+ lb_mgmt_subnet_cidr: { get_param: OctaviaControlSubnetCidr }
+ lb_mgmt_subnet_gateway: { get_param: OctaviaControlSubnetGateway }
+ lb_mgmt_subnet_pool_start: { get_param: OctaviaControlSubnetPoolStart }
+ lb_mgmt_subnet_pool_end: { get_param: OctaviaControlSubnetPoolEnd }
+ ca_cert_path: { get_param: OctaviaCaCertFile }
+ ca_private_key_path: { get_param: OctaviaCaKeyFile }
+ ca_passphrase: { get_param: OctaviaCaKeyPassphrase }
+ client_cert_path: { get_param: OctaviaClientCertFile }
+ generate_certs: { get_param: OctaviaGenerateCerts }
+ mgmt_port_dev: { get_param: OctaviaMgmtPortDevName }
+ overcloud_password: { get_param: AdminPassword }
+ overcloud_project: 'admin'
+ overcloud_admin: 'admin'
+ octavia_ansible_playbook: '/usr/share/tripleo-common/playbooks/octavia-files.yaml'
+ overcloud_pub_auth_uri: { get_param: [EndpointMap, KeystoneV3Public, uri] }
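Review bot: In the `octavia_post_workflow` input, `lb_sec_group_name` is fed from `OctaviaControlSubnet`, so the declared `OctaviaControlSecurityGroup` parameter is never read. The security group that gates the amphora control network would take the subnet's name instead; the line should read `lb_sec_group_name: { get_param: OctaviaControlSecurityGroup }`. The description of `OctaviaControlSubnetPoolEnd` is a copy of the pool-start text and should say `Last address in amphora control subnet address pool.` The same input block hands `AdminPassword` and `OctaviaCaKeyPassphrase` to the workflow. Both Heat parameters are `hidden: true`, but whether the Mistral execution records mask these inputs is not visible here and should be confirmed.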
diff --git a/environments/services-docker/octavia.yaml b/environments/services-docker/octavia.yaml index 3af17478b8..64f2ccb3fd 100644 --- a/environments/services-docker/octavia.yaml +++ b/environments/services-docker/octavia.yaml @@ -3,11 +3,14 @@ resource_registry: OS::TripleO::Services::OctaviaHousekeeping: ../../docker/services/octavia-housekeeping.yaml OS::TripleO::Services::OctaviaHealthManager: ../../docker/services/octavia-health-manager.yaml OS::TripleO::Services::OctaviaWorker: ../../docker/services/octavia-worker.yaml + OS::TripleO::Services::OctaviaDeploymentConfig: ../../docker/services/octavia/octavia-deployment-config.yaml parameter_defaults: NeutronServicePlugins: "qos,router,trunk,lbaasv2" NeutronEnableForceMetadata: true - OctaviaCaCertFile: '/etc/octavia/certs/ca_01.pem' - OctaviaCaKeyFile: '/etc/octavia/certs/private/cakey.pem' - OctaviaCaKeyPassphrase: 'foobar' - OctaviaClientCertFile: '/etc/octavia/certs/client.pem' + + # This flag enables internal generation of certificates for communication + # with amphorae. Use OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase + # and OctaviaClient cert to configure secure production environments. + OctaviaGenerateCerts: true + diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index 8d47a6f191..54db54f7f6 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml @@ -303,6 +303,7 @@ resource_registry: OS::TripleO::Services::OctaviaHealthManager: OS::Heat::None OS::TripleO::Services::OctaviaHousekeeping: OS::Heat::None OS::TripleO::Services::OctaviaWorker: OS::Heat::None + OS::TripleO::Services::OctaviaDeploymentConfig: OS::Heat::None OS::TripleO::Services::MySQLClient: puppet/services/database/mysql-client.yaml OS::TripleO::Services::Vpp: OS::Heat::None OS::TripleO::Services::NeutronVppAgent: OS::Heat::None 
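Review bot: The comment added above `OctaviaGenerateCerts: true` in environments/services-docker/octavia.yaml names `OctaviaCaCert`, `OctaviaCaKey` and `OctaviaClient cert`, but the parameters declared in this patch are `OctaviaCaCertFile`, `OctaviaCaKeyFile` and `OctaviaClientCertFile`. An operator following the comment would set keys that no template shown here reads. Suggested wording: `# with amphorae. Use OctaviaCaCertFile, OctaviaCaKeyFile, OctaviaCaKeyPassphrase` and `# and OctaviaClientCertFile to configure secure production environments.` The comment should also say that this environment turns on the mode the template's own description reserves for isolated clouds "where security is not a concern", so production deployments must set `OctaviaGenerateCerts: false`. Removing the hard-coded `'foobar'` passphrase is good, but `OctaviaCaKeyPassphrase` has no default in the new template; unless another template supplies one, this environment now leaves it unset.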
diff --git a/puppet/services/octavia-worker.yaml b/puppet/services/octavia-worker.yaml index eaa6830f25..06014b4569 100644 --- a/puppet/services/octavia-worker.yaml +++ b/puppet/services/octavia-worker.yaml @@ -60,7 +60,7 @@ parameters: description: Dictionary describing the nova flavor for amphora. type: json OctaviaManageNovaFlavor: - default: false + default: true description: Configure the nova flavor for the amphora. type: boolean OctaviaClientCertFile: diff --git a/roles/Controller.yaml b/roles/Controller.yaml index f2b0616198..67c0f1b72e 100644 --- a/roles/Controller.yaml +++ b/roles/Controller.yaml @@ -120,6 +120,7 @@ - OS::TripleO::Services::Ntp - OS::TripleO::Services::ContainersLogrotateCrond - OS::TripleO::Services::OctaviaApi + - OS::TripleO::Services::OctaviaDeploymentConfig - OS::TripleO::Services::OctaviaHealthManager - OS::TripleO::Services::OctaviaHousekeeping - OS::TripleO::Services::OctaviaWorker diff --git a/roles/ControllerNoCeph.yaml b/roles/ControllerNoCeph.yaml index f03dcc12da..8eb9a1f4b6 100644 --- a/roles/ControllerNoCeph.yaml +++ b/roles/ControllerNoCeph.yaml @@ -116,6 +116,7 @@ - OS::TripleO::Services::Ntp - OS::TripleO::Services::ContainersLogrotateCrond - OS::TripleO::Services::OctaviaApi + - OS::TripleO::Services::OctaviaDeploymentConfig - OS::TripleO::Services::OctaviaHealthManager - OS::TripleO::Services::OctaviaHousekeeping - OS::TripleO::Services::OctaviaWorker diff --git a/roles/ControllerOpenstack.yaml b/roles/ControllerOpenstack.yaml index 5b4a46949e..e61d174a64 100644 --- a/roles/ControllerOpenstack.yaml +++ b/roles/ControllerOpenstack.yaml @@ -94,6 +94,7 @@ - OS::TripleO::Services::Ntp - OS::TripleO::Services::ContainersLogrotateCrond - OS::TripleO::Services::OctaviaApi + - OS::TripleO::Services::OctaviaDeploymentConfig - OS::TripleO::Services::OctaviaHealthManager - OS::TripleO::Services::OctaviaHousekeeping - OS::TripleO::Services::OctaviaWorker 
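Review bot: Flipping `OctaviaManageNovaFlavor` to `default: true` happens in the Puppet base template, puppet/services/octavia-worker.yaml, so it is not limited to the containerized path this patch targets. The docker template pulls its `step_config` from this file through `OctaviaWorkerPuppetBase`, but non-containerized deployments that never set the parameter would also start managing the amphora flavor on their next update. Nothing visible in the patch announces that. The parameter description could carry it, for example `description: Configure the nova flavor for the amphora (enabled by default).`, together with a release note if the project keeps them. The `parameters` block continues outside this hunk.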
diff --git a/roles_data.yaml b/roles_data.yaml index 8590c07ace..4960124f77 100644 --- a/roles_data.yaml +++ b/roles_data.yaml @@ -123,6 +123,7 @@ - OS::TripleO::Services::Ntp - OS::TripleO::Services::ContainersLogrotateCrond - OS::TripleO::Services::OctaviaApi + - OS::TripleO::Services::OctaviaDeploymentConfig - OS::TripleO::Services::OctaviaHealthManager - OS::TripleO::Services::OctaviaHousekeeping - OS::TripleO::Services::OctaviaWorker