Define Octavia SSH key name and file path

This will enable Octavia Ansible roles in tripleo-common to get these values and configure keys for accessing Octavia amphorae via SSH. This patch also makes the Octavia username and project name configurable. Change-Id: I80aa324254e6837e8d3c39e9d05a5e152783f0bb
2018-04-12 14:19:26 +02:00 · 2018-04-12 14:19:26 +02:00 · 38eee383e5
parent 65e828e2b3
commit 38eee383e5
7 changed files with 68 additions and 16 deletions
--- a/docker/services/octavia/octavia-deployment-config.yaml
+++ b/docker/services/octavia/octavia-deployment-config.yaml
@ -47,6 +47,18 @@ parameters:
    default: 'amphora-image'
    description: Glance image tag for identifying the amphora image.
    type: string
+  OctaviaAmphoraSshKeyName:
+    type: string
+    default: 'octavia-ssh-key'
+    description: SSH key name.
+  OctaviaAmphoraSshKeyFile:
+    type: string
+    default: '/home/stack/.ssh/id_rsa.pub'
+    description: Public key file path. User will be able to SSH into amphorae
+      with the provided key. User may, in most cases, also elevate to root
+      from user 'centos' (CentOS), 'ubuntu' (Ubuntu) or 'cloud-user' (RHEL)
+      (depends on how amphora image was created). Logging in to amphorae
+      provides a convenient way to e.g. debug load balancing services.
  OctaviaControlNetwork:
    description: The name for the neutron network used for the amphora
                 control network
@ -114,6 +126,18 @@ parameters:
    description: The password for the keystone admin account, used for monitoring, querying neutron etc.
    type: string
    hidden: true
+  OctaviaUserName:
+    description: The username for the Octavia database and keystone accounts.
+    type: string
+    default: 'octavia'
+  OctaviaPassword:
+    description: The password for the Octavia database and keystone accounts.
+    type: string
+    hidden: true
+  OctaviaProjectName:
+    description: The project name for the keystone Octavia account.
+    type: string
+    default: 'service'

 outputs:
  role_data:
@ -135,6 +159,11 @@ outputs:
              amp_image_name: { get_param: OctaviaAmphoraImageName }
              amp_image_filename: {get_param: OctaviaAmphoraImageFilename }
              amp_image_tag: { get_param: OctaviaAmphoraImageTag }
+              amp_ssh_key_name: { get_param: OctaviaAmphoraSshKeyName }
+              amp_ssh_key_path: { get_param: OctaviaAmphoraSshKeyFile }
+              auth_username: { get_param: OctaviaUserName }
+              auth_password: { get_param: OctaviaPassword }
+              auth_project_name: { get_param: OctaviaProjectName }
              lb_mgmt_net_name: { get_param: OctaviaControlNetwork }
              lb_mgmt_subnet_name: { get_param: OctaviaControlSubnet }
              lb_sec_group_name: { get_param: OctaviaControlSubnet }
--- a/puppet/services/octavia-api.yaml
+++ b/puppet/services/octavia-api.yaml
@ -30,10 +30,18 @@ parameters:
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
+  OctaviaUserName:
+    description: The username for the Octavia database and keystone accounts.
+    type: string
+    default: 'octavia'
  OctaviaPassword:
-    description: The password for the Octavia's database account.
+    description: The password for the Octavia database and keystone accounts.
    type: string
    hidden: true
+  OctaviaProjectName:
+    description: The project name for the keystone Octavia account.
+    type: string
+    default: 'service'
  KeystoneRegion:
    type: string
    default: 'regionOne'
@ -79,7 +87,7 @@ outputs:
            octavia::db::database_connection:
              make_url:
                scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
-                username: octavia
+                username: {get_param: OctaviaUserName}
                password: {get_param: OctaviaPassword}
                host: {get_param: [EndpointMap, MysqlInternal, host]}
                path: /octavia
@ -87,7 +95,7 @@ outputs:
                  read_default_file: /etc/my.cnf.d/tripleo.cnf
                  read_default_group: tripleo
            octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
-            octavia::keystone::authtoken::project_name: 'service'
+            octavia::keystone::authtoken::project_name: {get_param: OctaviaProjectName}
            octavia::keystone::authtoken::password: {get_param: OctaviaPassword}
            octavia::api::sync_db: true
            tripleo.octavia_api.firewall_rules:
@ -110,7 +118,7 @@ outputs:
          tripleo_fluentd_sources_octavia_api:
            - {get_param: OctaviaApiLoggingSource}
        keystone:
-          octavia::keystone::auth::tenant: 'service'
+          octavia::keystone::auth::tenant: {get_param: OctaviaProjectName}
          octavia::keystone::auth::public_url: {get_param: [EndpointMap, OctaviaPublic, uri]}
          octavia::keystone::auth::internal_url: { get_param: [ EndpointMap, OctaviaInternal, uri ] }
          octavia::keystone::auth::admin_url: { get_param: [ EndpointMap, OctaviaAdmin, uri ] }
@ -118,7 +126,7 @@ outputs:
          octavia::keystone::auth::region: {get_param: KeystoneRegion}
        mysql:
          octavia::db::mysql::password: {get_param: OctaviaPassword}
-          octavia::db::mysql::user: octavia
+          octavia::db::mysql::user: {get_param: OctaviaUserName}
          octavia::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
          octavia::db::mysql::dbname: octavia
          octavia::db::mysql::allowed_hosts:
--- a/puppet/services/octavia-base.yaml
+++ b/puppet/services/octavia-base.yaml
@ -70,10 +70,18 @@ parameters:
    description: Driver or drivers to handle sending notifications.
    constraints:
      - allowed_values: [ 'messagingv2', 'noop' ]
+  OctaviaUserName:
+    description: The username for the Octavia database and keystone accounts.
+    type: string
+    default: 'octavia'
  OctaviaPassword:
-    description: The password for the Octavia's database account.
+    description: The password for the Octavia database and keystone accounts.
    type: string
    hidden: true
+  OctaviaProjectName:
+    description: The project name for the keystone Octavia account.
+    type: string
+    default: 'service'
  OctaviaCaCertFile:
    type: string
    default: '/etc/octavia/certs/ca_01.pem'
@ -125,9 +133,9 @@ outputs:
             octavia::rabbit_port: {get_param: RabbitClientPort}
             octavia::service_auth::auth_url: {get_param: [EndpointMap, KeystonePublic, uri]}
             octavia::service_auth::auth_type: 'password'
-             octavia::service_auth::username: 'octavia'
+             octavia::service_auth::username: {get_param: OctaviaUsername}
             octavia::service_auth::password: {get_param: OctaviaPassword}
-             octavia::service_auth::project_name: 'service'
+             octavia::service_auth::project_name: {get_param: OctaviaProjectName}
             octavia::service_auth::project_domain_name: 'Default'
             octavia::service_auth::user_domain_name: 'Default'
             octavia::service_auth::auth_type: 'password'
--- a/puppet/services/octavia-health-manager.yaml
+++ b/puppet/services/octavia-health-manager.yaml
@ -85,6 +85,3 @@ outputs:
            - {get_param: OctaviaHealthManagerLoggingSource}
      step_config: |
        include tripleo::profile::base::octavia::health_manager
-
-
-
--- a/puppet/services/octavia-housekeeping.yaml
+++ b/puppet/services/octavia-housekeeping.yaml
@ -84,5 +84,3 @@ outputs:
            - {get_param: OctaviaHousekeepingLoggingSource}
      step_config: |
        include tripleo::profile::base::octavia::housekeeping
-
-
--- a/puppet/services/octavia-worker.yaml
+++ b/puppet/services/octavia-worker.yaml
@ -46,6 +46,10 @@ parameters:
    default: []
    description: List of networks to attach to amphorae.
    type: comma_delimited_list
+  OctaviaAmphoraSshKeyName:
+    type: string
+    default: 'octavia-ssh-key'
+    description: SSH key name.
  OctaviaLoadBalancerTopology:
    default: ''
    description: Load balancer topology configuration.
@ -76,6 +80,10 @@ parameters:
                 a file on the host with the path provided in OctaviaClientCertFile
                 with the certificate data.
    type: string
+  OctaviaProjectName:
+    description: The project name for the keystone Octavia account.
+    type: string
+    default: 'service'

 conditions:
  octavia_topology_unset: {equals : [{get_param: OctaviaLoadBalancerTopology}, ""]}
@ -104,13 +112,14 @@ outputs:
          - get_attr: [OctaviaBase, role_data, config_settings]
          - octavia::worker::amp_boot_network_list: {get_param: OctaviaAmphoraNetworkList}
            octavia::worker::amp_flavor_id: {get_param: OctaviaFlavorId}
+            octavia::worker::amp_image_tag: {get_param: OctaviaAmphoraImageTag}
+            octavia::worker::amp_project_name: {get_param: OctaviaProjectName}
+            octavia::worker::amp_ssh_key_name: {get_param: OctaviaAmphoraSshKeyName}
            octavia::worker::nova_flavor_config: {get_param: OctaviaFlavorProperties}
            octavia::worker::manage_nova_flavor: {get_param: OctaviaManageNovaFlavor}
            octavia::worker::nova_flavor_config: {get_param: OctaviaFlavorProperties}
+            octavia::worker::enable_ssh_access: true
            octavia::certificates::client_cert: {get_param: OctaviaClientCertFile}
-            octavia::worker::amp_image_tag: {get_param: OctaviaAmphoraImageTag}
-            octavia::worker::amp_project_name: 'service'
-            octavia::worker::enable_ssh_access: false
          -
            if:
            - octavia_topology_unset
--- a/releasenotes/notes/octavia-amphora-ssh-245a21a35598440a.yaml
+++ b/releasenotes/notes/octavia-amphora-ssh-245a21a35598440a.yaml
@ -0,0 +1,3 @@
+---
+features:
+  - Allow users to specify SSH name and public key to add to Octavia amphorae.