L3 routed networks - subnet fixed_ips (3/3)

When using neutron routed networks we need to specify either the subnet or a ip address in the fixed-ips-request when creating neutron ports. a) For the Vip's: Adds VipSubnetMap and VipSubnetMapDefaults parameters in service_net_map.yaml. The two maps are merged, so that the operator can override the subnet where VIP port should be hosted. For example: parameter_defaults: VipSubnetMap: ctlplane: ctlplane-leaf1 InternalApi: internal_api_leaf1 Storage: storage_leaf1 redis: internal_api_leaf1 b) For overcloud node ports: Enrich 'networks' in roles defenition to include both network and subnet data. Changes the list to a map instead of a list of strings. New schema: - name: <role_name> networks: <network_name> subnet: <subnet_name> For backward compatibility a conditional is used to check if the data is a map or not. In either case the internal list of role networks is created as '_role_networks' in the jinja2 templates. When the data is a map, and the map contains the 'subnet' key the subnet specified in roles_data.yaml is used as the subnet in the fixed-ips-reqest when ports are created. If subnet is not set (or role.networks is not a map) the default will be {{network.name_lower}}_subnet. Also, since the fixed_ips request passed to Vip ports are no longer [] by default, the conditinal has been updated to test for 'ip_address' entries in the request. Partial: blueprint tripleo-routed-networks-templates Depends-On: I773a38fd903fe287132151a4d178326a46890969 Change-Id: I77edc82723d00bfece6752b5dd2c79137db93443
2018-07-12 18:27:08 +02:00 · 2018-07-12 18:27:08 +02:00 · 2f2d8183e6
parent 2c44fe081b
commit 2f2d8183e6
59 changed files with 559 additions and 201 deletions
--- a/environments/network-isolation-no-tunneling.j2.yaml
+++ b/environments/network-isolation-no-tunneling.j2.yaml
@ -23,12 +23,23 @@ resource_registry:

  # Port assignments for each role are determined by the role definition.
 {%- for role in roles %}
+{#-     Convert net map or net list to internal list of networks #}
+{#-     NOTE(hjensas): For backward compatibility support role data with both #}
+{#-                    networks map (new schema) and network list (old schema). #}
+{%-     set _role_networks = [] %}
+{%-     if role.networks is mapping %}
+{%-         for key,val in role.networks.items() %}
+{%-             set _role_networks = _role_networks.append(key) %}
+{%-         endfor %}
+{%-     else %}
+{%-         set _role_networks = role.networks %}
+{%-     endif %}
  # Port assignments for the {{role.name}} role.
-  {%- for network in networks %}
-    {%- if network.name in role.networks|default([]) and network.enabled|default(true) and network.name != 'Tenant'%}
+{%-     for network in networks %}
+{%-         if network.name in _role_networks and network.enabled|default(true) and network.name != 'Tenant'%}
  OS::TripleO::{{role.name}}::Ports::{{network.name}}Port: ../network/ports/{{network.name_lower|default(network.name.lower())}}.yaml
-    {%- elif network.enabled|default(true) %}
+{%-         elif network.enabled|default(true) %}
  OS::TripleO::{{role.name}}::Ports::{{network.name}}Port: ../network/ports/noop.yaml
-    {%- endif %}
-  {%- endfor %}
-{% endfor %}
+{%-         endif %}
+{%-     endfor %}
+{%- endfor %}
--- a/environments/network-isolation-v6.j2.yaml
+++ b/environments/network-isolation-v6.j2.yaml
@ -35,16 +35,27 @@ resource_registry:

  # Port assignments by role, edit role definition to assign networks to roles.
 {%- for role in roles %}
+{#-     Convert net map or net list to internal list of networks #}
+{#-     NOTE(hjensas): For backward compatibility support role data with both #}
+{#-                    networks map (new schema) and network list (old schema). #}
+{%-     set _role_networks = [] %}
+{%-     if role.networks is mapping %}
+{%-         for key,val in role.networks.items() %}
+{%-             set _role_networks = _role_networks.append(key) %}
+{%-         endfor %}
+{%-     else %}
+{%-         set _role_networks = role.networks %}
+{%-     endif %}
  # Port assignments for the {{role.name}}
-  {%- for network in networks %}
-    {%- if network.name in role.networks|default([]) and network.enabled|default(true) and network.name != 'Tenant' %}
+{%-     for network in networks %}
+{%-         if network.name in _role_networks and network.enabled|default(true) and network.name != 'Tenant' %}
  OS::TripleO::{{role.name}}::Ports::{{network.name}}Port: ../network/ports/{{network.name_lower|default(network.name.lower())}}_v6.yaml
-    {%- elif network.name in role.networks|default([]) and network.enabled|default(true) and network.name == 'Tenant' %}
-    # IPv4 until OVS and Neutron support IPv6 tunnel endpoints
+{%-         elif network.name in _role_networks and network.enabled|default(true) and network.name == 'Tenant' %}
+  # IPv4 until OVS and Neutron support IPv6 tunnel endpoints
  OS::TripleO::{{role.name}}::Ports::{{network.name}}Port: ../network/ports/{{network.name_lower|default(network.name.lower())}}.yaml
-    {%- endif %}
-  {%- endfor %}
-{% endfor %}
+{%-         endif %}
+{%-     endfor %}
+{%- endfor %}


 parameter_defaults:
--- a/environments/network-isolation.j2.yaml
+++ b/environments/network-isolation.j2.yaml
@ -24,10 +24,21 @@ resource_registry:

  # Port assignments by role, edit role definition to assign networks to roles.
 {%- for role in roles %}
+{#-     Convert net map or net list to internal list of networks #}
+{#-     NOTE(hjensas): For backward compatibility support role data with both #}
+{#-                    networks map (new schema) and network list (old schema). #}
+{%-     set _role_networks = [] %}
+{%-     if role.networks is mapping %}
+{%-         for key,val in role.networks.items() %}
+{%-             set _role_networks = _role_networks.append(key) %}
+{%-         endfor %}
+{%-     else %}
+{%-         set _role_networks = role.networks %}
+{%-     endif %}
  # Port assignments for the {{role.name}}
-  {%- for network in networks %}
-    {%- if network.name in role.networks|default([]) and network.enabled|default(true) %}
+{%-     for network in networks %}
+{%-         if network.name in _role_networks and network.enabled|default(true) %}
  OS::TripleO::{{role.name}}::Ports::{{network.name}}Port: ../network/ports/{{network.name_lower|default(network.name.lower())}}.yaml
-    {%- endif %}
-  {%- endfor %}
-{% endfor %}
+{%-         endif %}
+{%-     endfor %}
+{%- endfor %}
--- a/network/config/2-linux-bonds-vlans/role.role.j2.yaml
+++ b/network/config/2-linux-bonds-vlans/role.role.j2.yaml
@ -1,3 +1,14 @@
+{#- Convert net map or net list to internal list of networks #}
+{#- NOTE(hjensas): For backward compatibility support role data with both #}
+{#-                networks map (new schema) and network list (old schema). #}
+{%- set _role_networks = [] %}
+{%- if role.networks is mapping %}
+{%-     for key,val in role.networks.items() %}
+{%-         set _role_networks = _role_networks.append(key) %}
+{%-     endfor %}
+{%- else %}
+{%-     set _role_networks = role.networks %}
+{%- endif %}
 heat_template_version: rocky
 description: >
  Software Config to drive os-net-config with 2 Linux bonds. One bond is on a
@ -32,7 +43,7 @@ parameters:
      guaranteed to pass through the data path of the segments in the network.
      (The parameter is automatically resolved from the ctlplane network's mtu attribute.)
    type: number
-{%- for network in networks if network.enabled|default(true) and network.name in role.networks %}
+{%- for network in networks if network.enabled|default(true) and network.name in _role_networks %}

  {{network.name}}IpSubnet:
    default: ''
@ -110,7 +121,7 @@ resources:
          expression: $.data.max()
          data:
            - {get_param: ControlPlaneMtu}
-{%- for network in networks if network.enabled|default(true) and network.name in role.networks and not network.name.startswith('Tenant') %}
+{%- for network in networks if network.enabled|default(true) and network.name in _role_networks and not network.name.startswith('Tenant') %}
            - {get_param: {{network.name}}Mtu}
 {%- endfor %}

@ -127,7 +138,7 @@ resources:
          expression: $.data.max()
          data:
            - {get_param: ControlPlaneMtu}
-{%- for network in networks if network.name.startswith('Tenant') and network.enabled|default(true) and network.name in role.networks %}
+{%- for network in networks if network.name.startswith('Tenant') and network.enabled|default(true) and network.name in _role_networks %}
            - {get_param: {{network.name}}Mtu}
 {%- endfor %}

@ -183,7 +194,7 @@ resources:
                    name: nic3
                    mtu:
                      get_attr: [MinViableMtuBondApi, value]
-{%- for network in networks if network.enabled|default(true) and network.name in role.networks and not network.name.startswith('Tenant') %}
+{%- for network in networks if network.enabled|default(true) and network.name in _role_networks and not network.name.startswith('Tenant') %}
              - type: vlan
                device: bond_api
                mtu:
@ -224,7 +235,7 @@ resources:
                    name: nic5
                    mtu:
                      get_attr: [MinViableMtuBondData, value]
-  {%- for network in networks if network.name.startswith('Tenant') and network.name in role.networks and network.enabled|default(true) %}
+  {%- for network in networks if network.name.startswith('Tenant') and network.name in _role_networks and network.enabled|default(true) %}
              - type: vlan
                device: bond-data
                mtu:
@ -247,7 +258,7 @@ resources:
              - type: ovs_user_bridge
                name: br-dpdk0
                use_dhcp: false
-  {%- for network in networks if network.name.startswith('Tenant') and network.name in role.networks and network.enabled|default(true) %}
+  {%- for network in networks if network.name.startswith('Tenant') and network.name in _role_networks and network.enabled|default(true) %}
                ovs_extra:
                  - str_replace:
                      template: set port br-dpdk0 tag=_VLAN_TAG_
--- a/network/config/bond-with-vlans/role.role.j2.yaml
+++ b/network/config/bond-with-vlans/role.role.j2.yaml
@ -1,3 +1,14 @@
+{#- Convert net map or net list to internal list of networks #}
+{#- NOTE(hjensas): For backward compatibility support role data with both #}
+{#-                networks map (new schema) and network list (old schema). #}
+{%- set _role_networks = [] %}
+{%- if role.networks is mapping %}
+{%-     for key,val in role.networks.items() %}
+{%-         set _role_networks = _role_networks.append(key) %}
+{%-     endfor %}
+{%- else %}
+{%-     set _role_networks = role.networks %}
+{%- endif %}
 heat_template_version: rocky
 description: >
  Software Config to drive os-net-config with 2 bonded nics on a bridge with VLANs attached for the {{role.name}} role.
@ -168,7 +179,7 @@ resources:
                    name: nic3
                    mtu:
                      get_attr: [MinViableMtu, value]
-{%-     for network in networks if network.enabled|default(true) and network.name in role.networks %}
+{%-     for network in networks if network.enabled|default(true) and network.name in _role_networks %}
                - type: vlan
                  mtu:
                    get_param: {{network.name}}Mtu
@ -207,7 +218,7 @@ resources:
                  name: nic3
                  mtu:
                    get_attr: [MinViableMtu, value]
-{%-     for network in networks if network.enabled|default(true) and network.name in role.networks %}
+{%-     for network in networks if network.enabled|default(true) and network.name in _role_networks %}
              - type: vlan
                device: bond_api
                mtu:
--- a/network/config/multiple-nics/role.role.j2.yaml
+++ b/network/config/multiple-nics/role.role.j2.yaml
@ -1,3 +1,14 @@
+{#- Convert net map or net list to internal list of networks #}
+{#- NOTE(hjensas): For backward compatibility support role data with both #}
+{#-                networks map (new schema) and network list (old schema). #}
+{%- set _role_networks = [] %}
+{%- if role.networks is mapping %}
+{%-     for key,val in role.networks.items() %}
+{%-         set _role_networks = _role_networks.append(key) %}
+{%-     endfor %}
+{%- else %}
+{%-     set _role_networks = role.networks %}
+{%- endif %}
 heat_template_version: rocky
 description: >
  Software Config to drive os-net-config to configure multiple interfaces for the {{role.name}} role.
@ -123,7 +134,7 @@ resources:
 {%- set nics_used = [1] %}
 {%- for network in networks if network.enabled|default(true) and network.name not in role.networks_skip_config|default([]) %}
 {%-     if network.name not in ["External", "Tenant"] %}
-{%-         if network.name in role.networks %}
+{%-         if network.name in _role_networks %}
              - type: interface
                name: nic{{loop.index + 1}}
                mtu:
@ -153,7 +164,7 @@ resources:
                dns_servers:
                  get_param: DnsServers
                use_dhcp: false
-{%-         if network.name in role.networks %}
+{%-         if network.name in _role_networks %}
                addresses:
                - ip_netmask:
                    get_param: {{network.name}}IpSubnet
--- a/network/config/single-nic-linux-bridge-vlans/role.role.j2.yaml
+++ b/network/config/single-nic-linux-bridge-vlans/role.role.j2.yaml
@ -1,3 +1,14 @@
+{#- Convert net map or net list to internal list of networks #}
+{#- NOTE(hjensas): For backward compatibility support role data with both #}
+{#-                networks map (new schema) and network list (old schema). #}
+{%- set _role_networks = [] %}
+{%- if role.networks is mapping %}
+{%-     for key,val in role.networks.items() %}
+{%-         set _role_networks = _role_networks.append(key) %}
+{%-     endfor %}
+{%- else %}
+{%-     set _role_networks = role.networks %}
+{%- endif %}
 heat_template_version: rocky
 description: >
  Software Config to drive os-net-config to configure VLANs for the {{role.name}} role.
@ -31,7 +42,7 @@ parameters:
      guaranteed to pass through the data path of the segments in the network.
      (The parameter is automatically resolved from the ctlplane network's mtu attribute.)
    type: number
-{% for network in networks if network.enabled|default(true) and network.name in role.networks %}
+{% for network in networks if network.enabled|default(true) and network.name in _role_networks %}
  {{network.name}}IpSubnet:
    default: ''
    description: IP address/subnet on the {{network.name_lower}} network
@ -93,7 +104,7 @@ resources:
          expression: $.data.max()
          data:
            - {get_param: ControlPlaneMtu}
-{%- for network in networks if network.enabled|default(true) and network.name in role.networks %}
+{%- for network in networks if network.enabled|default(true) and network.name in _role_networks %}
            - {get_param: {{network.name}}Mtu}
 {%- endfor %}

@ -142,7 +153,7 @@ resources:
                  mtu:
                    get_attr: [MinViableMtu, value]
                  primary: true
-{%- for network in networks if network.enabled|default(true) and network.name in role.networks
+{%- for network in networks if network.enabled|default(true) and network.name in _role_networks
    and network.name not in role.networks_skip_config|default([]) %}
              - type: vlan
                mtu:
--- a/network/config/single-nic-vlans/role.role.j2.yaml
+++ b/network/config/single-nic-vlans/role.role.j2.yaml
@ -1,3 +1,14 @@
+{#- Convert net map or net list to internal list of networks #}
+{#- NOTE(hjensas): For backward compatibility support role data with both #}
+{#-                networks map (new schema) and network list (old schema). #}
+{%- set _role_networks = [] %}
+{%- if role.networks is mapping %}
+{%-     for key,val in role.networks.items() %}
+{%-         set _role_networks = _role_networks.append(key) %}
+{%-     endfor %}
+{%- else %}
+{%-     set _role_networks = role.networks %}
+{%- endif %}
 heat_template_version: rocky
 description: >
  Software Config to drive os-net-config to configure VLANs for the {{role.name}} role.
@ -143,7 +154,7 @@ resources:
                    get_attr: [MinViableMtu, value]
                  # force the MAC address of the bridge to this interface
                  primary: true
-{%- for network in networks if network.enabled|default(true) and network.name in role.networks %}
+{%- for network in networks if network.enabled|default(true) and network.name in _role_networks %}
                - type: vlan
                  mtu:
                    get_param: {{network.name}}Mtu
--- a/network/ports/ctlplane_vip.yaml
+++ b/network/ports/ctlplane_vip.yaml
@ -45,7 +45,9 @@ parameters:
 conditions:
  fixed_ip_not_set:
    equals:
-    - get_param: FixedIPs
+    - yaql:
+        expression: $.data.where($.get('ip_address'))
+        data: {get_param: FixedIPs}
    - []

 resources:
--- a/network/ports/port.j2
+++ b/network/ports/port.j2
@ -51,7 +51,9 @@ conditions:
    - ctlplane
  fixed_ip_not_set:
    equals:
-    - get_param: FixedIPs
+    - yaql:
+        expression: $.data.where($.get('ip_address'))
+        data: {get_param: FixedIPs}
    - []
  net_is_ctlplane_and_fixed_ip_not_set:
    and:
--- a/network/ports/vip.yaml
+++ b/network/ports/vip.yaml
@ -49,7 +49,9 @@ conditions:
    - ctlplane
  fixed_ip_not_set:
    equals:
-    - get_param: FixedIPs
+    - yaql:
+        expression: $.data.where($.get('ip_address'))
+        data: {get_param: FixedIPs}
    - []
  net_is_ctlplane_and_fixed_ip_not_set:
    and:
--- a/network/ports/vip_v6.yaml
+++ b/network/ports/vip_v6.yaml
@ -49,7 +49,9 @@ conditions:
    - ctlplane
  fixed_ip_not_set:
    equals:
-    - get_param: FixedIPs
+    - yaql:
+        expression: $.data.where($.get('ip_address'))
+        data: {get_param: FixedIPs}
    - []
  net_is_ctlplane_and_fixed_ip_not_set:
    and:
--- a/network/service_net_map.j2.yaml
+++ b/network/service_net_map.j2.yaml
@ -95,6 +95,26 @@ parameters:
                 via parameter_defaults in the resource registry.
    type: json

+  ControlPlaneSubnet:
+    description: The name of the undercloud Neutron control plane subnet
+    default: ctlplane-subnet
+    type: string
+
+  VipSubnetMap:
+    description: Map of (network_name or service_name) -> subnet_name that
+                 defines which subnet to host the VIP.
+    default: {}
+    type: json
+
+  VipSubnetMapDefaults:
+    default:
+      ctlplane: ctlplane-subnet
+{%- for network in networks if network.vip|default(false) %}
+      {{network.name}}: {{network.name_lower}}_subnet
+{%- endfor %}
+      redis: internal_api_subnet
+    type: json
+
  # We define mappings to work around names that break when doing the
  # CamelCase to snake_case conversion to align with service_names
  ServiceNetMapDeprecatedMapping:
@ -141,6 +161,19 @@ resources:
             - {get_param: ServiceNetMap}
             - keys: {get_param: ServiceNetMapDeprecatedMapping}

+  VipSubnetMapValue:
+    type: OS::Heat::Value
+    properties:
+      type: json
+      value:
+        map_merge:
+          # (hjensas): We need to map_replace the ctlplane-subnet to support
+          # legacy parameter ControlPlaneSubnet.
+          - map_replace:
+            - {get_param: VipSubnetMapDefaults}
+            - values:
+                ctlplane-subnet: {get_param: ControlPlaneSubnet}
+          - {get_param: VipSubnetMap}

 outputs:
  service_net_map:
@ -155,3 +188,6 @@ outputs:
        expression: dict($.data.map.items().select([ regex(`([a-z0-9])([A-Z])`).replace($[0], '\\1_\\2').toLower(), $[1]]))
        data:
          map: {get_attr: [ServiceNetMapValue, value]}
+
+  vip_subnet_map:
+    value: {get_attr: [VipSubnetMapValue, value]}
--- a/overcloud.j2.yaml
+++ b/overcloud.j2.yaml
@ -110,8 +110,6 @@ parameters:
        Control the IP allocation for the ControlVirtualIP port. E.g.
        [{'ip_address':'1.2.3.4'}]
    type: json
-{%- for network in networks if network.vip|default(false) %}
-{%- if network.name == 'External' %}
  # TODO (dsneddon) Legacy name, eventually refactor to match network name
  PublicVirtualFixedIPs:
    default: []
@ -119,14 +117,13 @@ parameters:
        Control the IP allocation for the PublicVirtualInterface port. E.g.
        [{'ip_address':'1.2.3.4'}]
    type: json
-{%- else %}
+{%- for network in networks if network.vip|default(false) and network.name != 'External' %}
  {{network.name}}VirtualFixedIPs:
    default: []
    description: >
        Control the IP allocation for the {{network.name}}VirtualInterface port. E.g.
        [{'ip_address':'1.2.3.4'}]
    type: json
-{%- endif %}
 {%- endfor %}
  RabbitCookieSalt:
    type: string
@ -269,6 +266,23 @@ conditions:
  ctlplane_subnet_cidr_set:
    not:
      equals: [{get_param: ControlPlaneSubnetCidr}, '']
+{%- for network in networks if network.name != 'External' %}
+  {{network.name_lower}}_virtual_fixed_ip_set:
+    not:
+      equals:
+        - get_param: {{network.name}}VirtualFixedIPs
+        - []
+{%- endfor %}
+  public_virtual_fixed_ip_set:
+    not:
+      equals:
+        - get_param: PublicVirtualFixedIPs
+        - []
+  redis_virtual_fixed_ip_set:
+    not:
+      equals:
+        - get_param: RedisVirtualFixedIPs
+        - []

 resources:

@ -799,20 +813,20 @@ resources:
    type: OS::TripleO::Network

  ControlVirtualIP:
+    depends_on: [Networks, ServiceNetMap]
    type: OS::TripleO::Network::Ports::ControlPlaneVipPort
-    depends_on: Networks
    properties:
      name: control_virtual_ip
      network: {get_param: NeutronControlPlaneID}
      fixed_ips:
        if:
        - control_fixed_ip_not_set
-        - [{subnet: {get_param: ControlPlaneSubnet}}]
+        - [{subnet: {get_attr: [ServiceNetMap, vip_subnet_map, ctlplane]}}]
        - get_param: ControlFixedIPs
      replacement_policy: AUTO

  RedisVirtualIP:
-    depends_on: Networks
+    depends_on: [Networks, ServiceNetMap]
    type: OS::TripleO::Network::Ports::RedisVipPort
    properties:
      ControlPlaneIP: {get_attr: [ControlVirtualIP, fixed_ips, 0, ip_address]}
@ -825,13 +839,17 @@ resources:
      PortName: redis_virtual_ip
      NetworkName: {get_attr: [ServiceNetMap, service_net_map, RedisNetwork]}
      ServiceName: redis
-      FixedIPs: {get_param: RedisVirtualFixedIPs}
+      FixedIPs:
+        if:
+        - redis_virtual_fixed_ip_set
+        - {get_param: RedisVirtualFixedIPs}
+        - [{subnet: {get_attr: [ServiceNetMap, vip_subnet_map, redis]}}]

 {%- for network in networks if network.vip|default(false) %}
 {%- if network.name == 'External' %}
  # The public VIP is on the External net, falls back to ctlplane
  PublicVirtualIP:
-    depends_on: Networks
+    depends_on: [Networks, ServiceNetMap]
    type: OS::TripleO::Network::Ports::ExternalVipPort
    properties:
      ControlPlaneIP: {get_attr: [ControlVirtualIP, fixed_ips, 0, ip_address]}
@ -842,10 +860,14 @@ resources:
          - {str_split: ['/', {get_attr: [ControlVirtualIP, subnets, 0, cidr]}, 1]}
      ControlPlaneNetwork: {get_param: NeutronControlPlaneID}
      PortName: public_virtual_ip
-      FixedIPs: {get_param: PublicVirtualFixedIPs}
+      FixedIPs:
+        if:
+        - public_virtual_fixed_ip_set
+        - {get_param: PublicVirtualFixedIPs}
+        - [{subnet: {get_attr: [ServiceNetMap, vip_subnet_map, {{network.name}}]}}]
 {%- else %}
  {{network.name}}VirtualIP:
-    depends_on: Networks
+    depends_on: [Networks, ServiceNetMap]
    type: OS::TripleO::Network::Ports::{{network.name}}VipPort
    properties:
      ControlPlaneIP: {get_attr: [ControlVirtualIP, fixed_ips, 0, ip_address]}
@ -855,7 +877,11 @@ resources:
          - {get_param: ControlPlaneSubnetCidr}
          - {str_split: ['/', {get_attr: [ControlVirtualIP, subnets, 0, cidr]}, 1]}
      PortName: {{network.name_lower}}_virtual_ip
-      FixedIPs: {get_param: {{network.name}}VirtualFixedIPs}
+      FixedIPs:
+        if:
+        - {{network.name_lower}}_virtual_fixed_ip_set
+        - {get_param: {{network.name}}VirtualFixedIPs}
+        - [{subnet: {get_attr: [ServiceNetMap, vip_subnet_map, {{network.name}}]}}]
 {%- endif %}
 {%- endfor %}

--- a/puppet/role.role.j2.yaml
+++ b/puppet/role.role.j2.yaml
@ -466,7 +466,11 @@ resources:
        if:
          - {{role.name}}_{{network.name}}_fixed_ip_set
          - [{ip_address: {get_param: [{{role.name}}IPs, '{{network.name_lower}}', {get_param: NodeIndex}]}}]
-          - []
+{%-     if role.networks is mapping and role.networks.get(network.name) %}
+          - [{subnet: {{role.networks[network.name].get('subnet', network.name_lower + '_subnet')}}}]
+{%-     else %}
+          - [{subnet: {{network.name_lower}}_subnet}]
+{%-     endif %}
      ControlPlaneSubnetCidr:
        if:
          - ctlplane_subnet_cidr_set
@ -476,7 +480,6 @@ resources:
          - yaql:
              expression: str("{0}".format($.data).split("/")[-1])
              data: {get_attr: [{{server_resource_name}}, addresses, ctlplane, 0, subnets, 0, cidr]}
-
      IPPool:
        map_merge:
 {%- if role.deprecated_param_ips is defined %}
--- a/releasenotes/notes/composable-network-subnets-fbfcb6283a54ace7.yaml
+++ b/releasenotes/notes/composable-network-subnets-fbfcb6283a54ace7.yaml
@ -0,0 +1,48 @@
+---
+features:
+  - |
+    Composable Networks now support creating L3 routed networks. L3 networks
+    use multiple L2 network segments and multiple ip subnets. In addition to
+    the base subnet automatically created for any composable network,
+    additional subnets can be defined under the ``subnets`` key for each
+    network in the data file (``network_data.yaml``) used by composable
+    networks. Please refer to the ``network_data_subnets_routed.yaml`` file for
+    an example demonstrating how to define composable L3 routed networks.
+  - |
+    For composable roles it is now possible to control which subnet in a L3
+    routed network will host network ports for the role. This is done by
+    setting the subnet for each network in the role defenition
+    (``roles_data.yaml``). For example::
+
+      - name: <role_name>
+        networks:
+        InternalApi:
+          subnet: internal_api_leaf2
+        Tenant:
+          subnet: tenant_leaf2
+        Storage:
+          subnet: storage_leaf2
+  - |
+    To enable control of which subnet is used for virtual IPs on L3 routed
+    composable networks the new parameter ``VipSubnetMap`` where added. This
+    allow the user to override the subnet where the VIP port should be hosted.
+    For example::
+
+      parameter_defaults:
+        VipSubnetMap:
+          ctlplane: ctlplane-leaf1
+          InternalApi: internal_api_leaf1
+          Storage: storage_leaf1
+          redis: internal_api_leaf1
+upgrade:
+  - |
+    Deployments using custom names for subnets must also set the subnet to use
+    for the roles used in the deployment. I.e if ``NetworkNameSubnetName``
+    parameter was used to define a non-default subnet name for any network, the
+    role defenition (``roles_data.yaml``) and ``VipSubnetMap`` parameter
+    must use the same value.
+
+    .. Warning:: The update will fail if ``<NetworkName>SubnetName`` was used
+                 to set a custom subnet name, and the role defenition and/or
+                 the ``VipSubnetMap`` is not set to match the custom subnet
+                 name.
--- a/roles/BlockStorage.yaml
+++ b/roles/BlockStorage.yaml
@ -5,9 +5,12 @@
  description: |
    Cinder Block Storage node role
  networks:
-    - InternalApi
-    - Storage
-    - StorageMgmt
+    InternalApi:
+      subnet: internal_api_subnet
+    Storage:
+      subnet: storage_subnet
+    StorageMgmt:
+      subnet: storage_mgmt_subnet
  uses_deprecated_params: False
  deprecated_nic_config_name: 'cinder-storage.yaml'
  ServicesDefault:
--- a/roles/CephAll.yaml
+++ b/roles/CephAll.yaml
@ -5,8 +5,10 @@
  description: |
    Standalone Storage Full Role (OSD + MON + RGW + MDS + MGR + RBD Mirroring)
  networks:
-    - Storage
-    - StorageMgmt
+    Storage:
+      subnet: storage_subnet
+    StorageMgmt:
+      subnet: storage_mgmt_subnet
  HostnameFormatDefault: '%stackname%-ceph-all-%index%'
  ServicesDefault:
    - OS::TripleO::Services::Aide
--- a/roles/CephFile.yaml
+++ b/roles/CephFile.yaml
@ -5,8 +5,10 @@
  description: |
    Standalone Scale-out File Role (OSD + MDS)
  networks:
-    - Storage
-    - StorageMgmt
+    Storage:
+      subnet: storage_subnet
+    StorageMgmt:
+      subnet: storage_mgmt_subnet
  HostnameFormatDefault: '%stackname%-ceph-file-%index%'
  ServicesDefault:
    - OS::TripleO::Services::Aide
--- a/roles/CephObject.yaml
+++ b/roles/CephObject.yaml
@ -5,8 +5,10 @@
  description: |
    Standalone Scale-out Object Role (OSD + RGW)
  networks:
-    - Storage
-    - StorageMgmt
+    Storage:
+      subnet: storage_subnet
+    StorageMgmt:
+      subnet: storage_mgmt_subnet
  HostnameFormatDefault: '%stackname%-ceph-object-%index%'
  ServicesDefault:
    - OS::TripleO::Services::Aide
--- a/roles/CephStorage.yaml
+++ b/roles/CephStorage.yaml
@ -5,8 +5,10 @@
  description: |
    Ceph OSD Storage node role
  networks:
-    - Storage
-    - StorageMgmt
+    Storage:
+      subnet: storage_subnet
+    StorageMgmt:
+      subnet: storage_mgmt_subnet
  uses_deprecated_params: False
  deprecated_nic_config_name: 'ceph-storage.yaml'
  ServicesDefault:
--- a/roles/Compute.yaml
+++ b/roles/Compute.yaml
@ -6,9 +6,12 @@
    Basic Compute Node role
  CountDefault: 1
  networks:
-    - InternalApi
-    - Tenant
-    - Storage
+    InternalApi:
+      subnet: internal_api_subnet
+    Tenant:
+      subnet: tenant_subnet
+    Storage:
+      subnet: storage_subnet
  HostnameFormatDefault: '%stackname%-novacompute-%index%'
  RoleParametersDefault:
    TunedProfileName: "virtual-host"
--- a/roles/ComputeAlt.yaml
+++ b/roles/ComputeAlt.yaml
@ -6,9 +6,12 @@
   Alternate Compute Node role
  CountDefault: 0
  networks:
-    - InternalApi
-    - Tenant
-    - Storage
+    InternalApi:
+      subnet: internal_api_subnet
+    Tenant:
+      subnet: tenant_subnet
+    Storage:
+      subnet: storage_subnet
  HostnameFormatDefault: '%stackname%-novacomputealt-%index%'
  disable_constraints: True
  RoleParametersDefault:
--- a/roles/ComputeDVR.yaml
+++ b/roles/ComputeDVR.yaml
@ -6,9 +6,12 @@
    DVR enabled Compute Node role
  CountDefault: 1
  networks:
-    - InternalApi
-    - Tenant
-    - Storage
+    InternalApi:
+      subnet: internal_api_subnet
+    Tenant:
+      subnet: tenant_subnet
+    Storage:
+      subnet: storage_subnet
  HostnameFormatDefault: '%stackname%-novacompute-dvr-%index%'
  RoleParametersDefault:
    TunedProfileName: "virtual-host"
--- a/roles/ComputeHCI.yaml
+++ b/roles/ComputeHCI.yaml
@ -5,10 +5,14 @@
  description: |
    Compute Node role hosting Ceph OSD too
  networks:
-    - InternalApi
-    - Tenant
-    - Storage
-    - StorageMgmt
+    InternalApi:
+      subnet: internal_api_subnet
+    Tenant:
+      subnet: tenant_subnet
+    Storage:
+      subnet: storage_subnet
+    StorageMgmt:
+      subnet: storage_mgmt_subnet
  RoleParametersDefault:
    TunedProfileName: "throughput-performance"
  ServicesDefault:
--- a/roles/ComputeInstanceHA.yaml
+++ b/roles/ComputeInstanceHA.yaml
@ -6,9 +6,12 @@
    Compute Instance HA Node role to be used with -e environments/compute-instanceha.yaml
  CountDefault: 1
  networks:
-    - InternalApi
-    - Tenant
-    - Storage
+    InternalApi:
+      subnet: internal_api_subnet
+    Tenant:
+      subnet: tenant_subnet
+    Storage:
+      subnet: storage_subnet
  HostnameFormatDefault: '%stackname%-novacomputeiha-%index%'
  RoleParametersDefault:
    TunedProfileName: "virtual-host"
--- a/roles/ComputeLiquidio.yaml
+++ b/roles/ComputeLiquidio.yaml
@ -6,9 +6,12 @@
    Compute Node with Cavium Liquidio smart NIC
  CountDefault: 1
  networks:
-    - InternalApi
-    - Tenant
-    - Storage
+    InternalApi:
+      subnet: internal_api_subnet
+    Tenant:
+      subnet: tenant_subnet
+    Storage:
+      subnet: storage_subnet
  networks_skip_config:
    - Tenant
  HostnameFormatDefault: '%stackname%-lionovacompute-%index%'
--- a/roles/ComputeOvsDpdk.yaml
+++ b/roles/ComputeOvsDpdk.yaml
@ -6,9 +6,12 @@
    Compute OvS DPDK Role
  CountDefault: 1
  networks:
-    - InternalApi
-    - Tenant
-    - Storage
+    InternalApi:
+      subnet: internal_api_subnet
+    Tenant:
+      subnet: tenant_subnet
+    Storage:
+      subnet: storage_subnet
  deprecated_nic_config_name: 'compute-dpdk.yaml'
  RoleParametersDefault:
    VhostuserSocketGroup: "hugetlbfs"
--- a/roles/ComputeOvsDpdkRT.yaml
+++ b/roles/ComputeOvsDpdkRT.yaml
@ -6,9 +6,12 @@
    Compute OvS DPDK RealTime Role
  CountDefault: 1
  networks:
-    - InternalApi
-    - Tenant
-    - Storage
+    InternalApi:
+      subnet: internal_api_subnet
+    Tenant:
+      subnet: tenant_subnet
+    Storage:
+      subnet: storage_subnet
  ImageDefault: overcloud-realtime-compute
  RoleParametersDefault:
    VhostuserSocketGroup: "hugetlbfs"
--- a/roles/ComputePPC64LE.yaml
+++ b/roles/ComputePPC64LE.yaml
@ -6,9 +6,12 @@
    Basic Compute Node role for ppc64le servers
  CountDefault: 0
  networks:
-    - InternalApi
-    - Tenant
-    - Storage
+    InternalApi:
+      subnet: internal_api_subnet
+    Tenant:
+      subnet: tenant_subnet
+    Storage:
+      subnet: storage_subnet
  HostnameFormatDefault: '%stackname%-novacomputeppc64le-%index%'
  ImageDefault: ppc64le-overcloud-full
  RoleParametersDefault:
--- a/roles/ComputeRealTime.yaml
+++ b/roles/ComputeRealTime.yaml
@ -9,9 +9,12 @@
    accordingly to the hardware of the real-time compute nodes.
  CountDefault: 1
  networks:
-    - InternalApi
-    - Tenant
-    - Storage
+    InternalApi:
+      subnet: internal_api_subnet
+    Tenant:
+      subnet: tenant_subnet
+    Storage:
+      subnet: storage_subnet
  HostnameFormatDefault: '%stackname%-computerealtime-%index%'
  ImageDefault: overcloud-realtime-compute
  RoleParametersDefault:
--- a/roles/ComputeSriov.yaml
+++ b/roles/ComputeSriov.yaml
@ -6,9 +6,12 @@
    Compute SR-IOV Role
  CountDefault: 1
  networks:
-    - InternalApi
-    - Tenant
-    - Storage
+    InternalApi:
+      subnet: internal_api_subnet
+    Tenant:
+      subnet: tenant_subnet
+    Storage:
+      subnet: storage_subnet
  RoleParametersDefault:
    TunedProfileName: "cpu-partitioning"
  ServicesDefault:
--- a/roles/ComputeSriovRT.yaml
+++ b/roles/ComputeSriovRT.yaml
@ -6,9 +6,12 @@
    Compute SR-IOV RealTime Role
  CountDefault: 1
  networks:
-    - InternalApi
-    - Tenant
-    - Storage
+    InternalApi:
+      subnet: internal_api_subnet
+    Tenant:
+      subnet: tenant_subnet
+    Storage:
+      subnet: storage_subnet
  ImageDefault: overcloud-realtime-compute
  RoleParametersDefault:
    TunedProfileName: "realtime-virtual-host"
--- a/roles/Controller.yaml
+++ b/roles/Controller.yaml
@ -10,11 +10,16 @@
    - primary
    - controller
  networks:
-    - External
-    - InternalApi
-    - Storage
-    - StorageMgmt
-    - Tenant
+    External:
+      subnet: external_subnet
+    InternalApi:
+      subnet: internal_api_subnet
+    Storage:
+      subnet: storage_subnet
+    StorageMgmt:
+      subnet: storage_mgmt_subnet
+    Tenant:
+      subnet: tenant_subnet
  # For systems with both IPv4 and IPv6, you may specify a gateway network for
  # each, such as ['ControlPlane', 'External']
  default_route_networks: ['External']
--- a/roles/ControllerAllNovaStandalone.yaml
+++ b/roles/ControllerAllNovaStandalone.yaml
@ -10,11 +10,16 @@
    - primary
    - controller
  networks:
-    - External
-    - InternalApi
-    - Storage
-    - StorageMgmt
-    - Tenant
+    External:
+      subnet: external_subnet
+    InternalApi:
+      subnet: internal_api_subnet
+    Storage:
+      subnet: storage_subnet
+    StorageMgmt:
+      subnet: storage_mgmt_subnet
+    Tenant:
+      subnet: tenant_subnet
  default_route_networks: ['External']
  HostnameFormatDefault: '%stackname%-controller-%index%'
  ServicesDefault:
--- a/roles/ControllerNoCeph.yaml
+++ b/roles/ControllerNoCeph.yaml
@ -10,11 +10,16 @@
    - primary
    - controller
  networks:
-    - External
-    - InternalApi
-    - Storage
-    - StorageMgmt
-    - Tenant
+    External:
+      subnet: external_subnet
+    InternalApi:
+      subnet: internal_api_subnet
+    Storage:
+      subnet: storage_subnet
+    StorageMgmt:
+      subnet: storage_mgmt_subnet
+    Tenant:
+      subnet: tenant_subnet
  default_route_networks: ['External']
  HostnameFormatDefault: '%stackname%-controller-no-ceph-%index%'
  # Deprecated & backward-compatible values (FIXME: Make parameters consistent)
--- a/roles/ControllerNovaStandalone.yaml
+++ b/roles/ControllerNovaStandalone.yaml
@ -9,11 +9,16 @@
    - primary
    - controller
  networks:
-    - External
-    - InternalApi
-    - Storage
-    - StorageMgmt
-    - Tenant
+    External:
+      subnet: external_subnet
+    InternalApi:
+      subnet: interanl_api_subnet
+    Storage:
+      subnet: storage_subnet
+    StorageMgmt:
+      subnet: storage_mgmt_subnet
+    Tenant:
+      subnet: tenant_subnet
  default_route_networks: ['External']
  HostnameFormatDefault: '%stackname%-controller-%index%'
  ServicesDefault:
--- a/roles/ControllerOpenstack.yaml
+++ b/roles/ControllerOpenstack.yaml
@ -10,11 +10,16 @@
    - primary
    - controller
  networks:
-    - External
-    - InternalApi
-    - Storage
-    - StorageMgmt
-    - Tenant
+    External:
+      subnet: external_subnet
+    InternalApi:
+      subnet: internal_api_subnet
+    Storage:
+      subnet: storage_subnet
+    StorageMgmt:
+      subnet: storage_mgmt_subnet
+    Tenant:
+      subnet: tenant_subnet
  default_route_networks: ['External']
  HostnameFormatDefault: '%stackname%-controller-%index%'
  ServicesDefault:
--- a/roles/ControllerStorageNfs.yaml
+++ b/roles/ControllerStorageNfs.yaml
@ -13,12 +13,18 @@
    - primary
    - controller
  networks:
-    - External
-    - InternalApi
-    - Storage
-    - StorageMgmt
-    - StorageNFS
-    - Tenant
+    External:
+      subnet: external_subnet
+    InternalApi:
+      subnet: internal_api_subnet
+    Storage:
+      subnet: storage_subnet
+    StorageMgmt:
+      subnet: storage_mgmt_subnet
+    StorageNFS:
+      subnet: storage_nfs_subnet
+    Tenant:
+      subnet: tenant_subnet
  HostnameFormatDefault: '%stackname%-controller-%index%'
  # Deprecated & backward-compatible values (FIXME: Make parameters consistent)
  # Set uses_deprecated_params to True if any deprecated params are used.
--- a/roles/Database.yaml
+++ b/roles/Database.yaml
@ -5,7 +5,8 @@
  description: |
    Standalone database role with the database being managed via Pacemaker
  networks:
-    - InternalApi
+    InternalApi:
+      subnet: internal_api_subnet
  HostnameFormatDefault: '%stackname%-database-%index%'
  ServicesDefault:
    - OS::TripleO::Services::Aide
--- a/roles/HciCephAll.yaml
+++ b/roles/HciCephAll.yaml
@ -5,10 +5,14 @@
  description: |
    HCI Full Stack Role (OSD + MON + Nova + RGW + MDS + MGR + RBD Mirroring)
  networks:
-    - InternalApi
-    - Tenant
-    - Storage
-    - StorageMgmt
+    InternalApi:
+      subnet: internal_api_subnet
+    Tenant:
+      subnet: tenant_subnet
+    Storage:
+      subnet: storage_subnet
+    StorageMgmt:
+      subnet: storage_mgmt_subnet
  HostnameFormatDefault: '%stackname%-hci-ceph-all-%index%'
  RoleParametersDefault:
    TunedProfileName: "throughput-performance"
--- a/roles/HciCephFile.yaml
+++ b/roles/HciCephFile.yaml
@ -5,10 +5,14 @@
  description: |
    HCI Scale-out File Role (OSD + Nova + MDS)
  networks:
-    - InternalApi
-    - Tenant
-    - Storage
-    - StorageMgmt
+    InternalApi:
+      subnet: internal_api_subnet
+    Tenant:
+      subnet: tenant_subnet
+    Storage:
+      subnet: storage_subnet
+    StorageMgmt:
+      subnet: storage_mgmt_subnet
  HostnameFormatDefault: '%stackname%-hci-ceph-file-%index%'
  RoleParametersDefault:
    TunedProfileName: "throughput-performance"
--- a/roles/HciCephMon.yaml
+++ b/roles/HciCephMon.yaml
@ -5,10 +5,14 @@
  description: |
    HCI Scale-out Block Full Role (OSD + MON + MGR + Nova)
  networks:
-    - InternalApi
-    - Tenant
-    - Storage
-    - StorageMgmt
+    InternalApi:
+      subnet: internal_api_subnet
+    Tenant:
+      subnet: tenant_subnet
+    Storage:
+      subnet: storage_subnet
+    StorageMgmt:
+      subnet: storage_mgmt_subnet
  HostnameFormatDefault: '%stackname%-hci-ceph-mon-%index%'
  RoleParametersDefault:
    TunedProfileName: "throughput-performance"
--- a/roles/HciCephObject.yaml
+++ b/roles/HciCephObject.yaml
@ -5,10 +5,14 @@
  description: |
    HCI Scale-out Object Role (OSD + Nova + RGW)
  networks:
-    - InternalApi
-    - Tenant
-    - Storage
-    - StorageMgmt
+    InternalApi:
+      subnet: internal_api_subnet
+    Tenant:
+      subnet: tenant_subnet
+    Storage:
+      subnet: storage_subnet
+    StorageMgmt:
+      subnet: storage_mgmt_subnet
  HostnameFormatDefault: '%stackname%-hci-ceph-object-%index%'
  RoleParametersDefault:
    TunedProfileName: "throughput-performance"
--- a/roles/IronicConductor.yaml
+++ b/roles/IronicConductor.yaml
@ -5,8 +5,10 @@
  description: |
    Ironic Conductor node role
  networks:
-    - InternalApi
-    - Storage
+    InternalApi:
+      subnet: internal_api_subnet
+    Storage:
+      subnet: storage_subnet
  HostnameFormatDefault: '%stackname%-ironic-%index%'
  ServicesDefault:
    - OS::TripleO::Services::Aide
--- a/roles/Messaging.yaml
+++ b/roles/Messaging.yaml
@ -5,7 +5,8 @@
  description: |
    Standalone messaging role with backends being managed via Pacemaker
  networks:
-    - InternalApi
+    InternalApi:
+      subnet: internal_api_subnet
  HostnameFormatDefault: '%stackname%-messaging-%index%'
  ServicesDefault:
    - OS::TripleO::Services::Aide
--- a/roles/Networker.yaml
+++ b/roles/Networker.yaml
@ -5,8 +5,10 @@
  description: |
    Standalone networking role to run Neutron agents on their own.
  networks:
-    - InternalApi
-    - Tenant
+    InternalApi:
+      subnet: internal_api_subnet
+    Tenant:
+      subnet: tenant_subnet
  HostnameFormatDefault: '%stackname%-networker-%index%'
  ServicesDefault:
    - OS::TripleO::Services::Aide
--- a/roles/Novacontrol.yaml
+++ b/roles/Novacontrol.yaml
@ -5,8 +5,10 @@
  description: |
    Standalone nova-control role to run Nova control agents on their own.
  networks:
-    - InternalApi
-    - Storage
+    InternalApi:
+      subnet: internal_api_subnet
+    Storage:
+      subnet: storage_subnet
  HostnameFormatDefault: '%stackname%-novacontrol-%index%'
  ServicesDefault:
    - OS::TripleO::Services::AuditD
--- a/roles/ObjectStorage.yaml
+++ b/roles/ObjectStorage.yaml
@ -5,9 +5,12 @@
  description: |
    Swift Object Storage node role
  networks:
-    - InternalApi
-    - Storage
-    - StorageMgmt
+    InternalApi:
+      subnet: internal_api_subnet
+    Storage:
+      subnet: storage_subnet
+    StorageMgmt:
+      subnet: storage_mgmt_subnet
  # Deprecated & backward-compatible values (FIXME: Make parameters consistent)
  # Set uses_deprecated_params to True if any deprecated params are used.
  uses_deprecated_params: True
--- a/roles/OpenShiftAllInOne.yaml
+++ b/roles/OpenShiftAllInOne.yaml
@ -13,9 +13,12 @@
    - controller
    - openshift
  networks:
-    - External
-    - InternalApi
-    - Storage
+    External:
+      subnet: external_subnet
+    InternalApi:
+      subnet: internal_api_subnet
+    Storage:
+      subnet: storage_subnet
  # For systems with both IPv4 and IPv6, you may specify a gateway network for
  # each, such as ['ControlPlane', 'External']
  default_route_networks: ['External']
--- a/roles/OpenShiftInfra.yaml
+++ b/roles/OpenShiftInfra.yaml
@ -11,8 +11,10 @@
  tags:
    - openshift
  networks:
-    - InternalApi
-    - Storage
+    InternalApi:
+      subnet: internal_api_subnet
+    Storage:
+      subnet: storage_subnet
  # For systems with both IPv4 and IPv6, you may specify a gateway network for
  # each, such as ['ControlPlane', 'External']
  default_route_networks: ['ControlPlane']